rewrite user home dir hardening #584

DonEstefan · 2022-10-04T18:12:40Z

enforces home dir ownership (in addition to folder permissions)
home dir locations are read from PAM instead of expecting them to be in "/home/*". This is more reliable and obsoletes a workaround for the "/home/lost+found" home dir of the non-existing "lost+found" user.

Before merging you might want to spend some extra thoughts on testing (I tested RHEL8 only).

rndmh3ro · 2022-10-20T12:42:30Z

I finally found some time to look at your PR.

~~The tests fail - it seems the variable regular_users is undefined.~~ I just noticed that this PR builds upon the others.

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

molecule/os_hardening/prepare_tasks/ignore_home_folders.yml

molecule/os_hardening/verify_tasks/ignore_home_folders.yml

roles/os_hardening/tasks/user_accounts.yml

Co-authored-by: schurzi <github@drachen-server.de>

rewrite user home dir hardening

e88aa40

github-actions bot added the os_hardening label Oct 4, 2022

rndmh3ro and others added 4 commits January 27, 2023 11:38

Merge branch 'master' into user_handling_rewrite

a0b7b02

delete duplicate var that was missed in a merge conflict

c0e0e19

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

linting

e3dd59b

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

add tests for home rewrites

778677b

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

rndmh3ro requested a review from schurzi January 27, 2023 12:28

rndmh3ro approved these changes Jan 27, 2023

View reviewed changes

schurzi requested changes Jan 27, 2023

View reviewed changes

Apply suggestions from code review

3239169

Co-authored-by: schurzi <github@drachen-server.de>

rndmh3ro added enhancement minor labels Jan 28, 2023

rndmh3ro merged commit 16e00b0 into dev-sec:master Jan 28, 2023

Provide feedback