dev-sec · rndmh3ro · Jan 28, 2023 · Sep 14, 2022 · Jan 27, 2023 · Jan 27, 2023
diff --git a/molecule/os_hardening/converge.yml b/molecule/os_hardening/converge.yml
@@ -31,6 +31,7 @@
     os_users_without_password_ageing: ['pw_no_ageing']
     os_netrc_enabled: false
     os_ignore_users: ["shell_sys_acc"]
+    os_ignore_home_folder_users: ["user_with_777_home"]
     sysctl_config:
       net.ipv4.ip_forward: 0
       net.ipv6.conf.all.forwarding: 0

diff --git a/molecule/os_hardening/prepare.yml b/molecule/os_hardening/prepare.yml
@@ -59,11 +59,11 @@
       include_tasks: prepare_tasks/yum.yml
       when: ansible_facts.os_family == 'RedHat'
 
-    - name: include netrc prepare tasks
-      include_tasks: prepare_tasks/netrc.yml
-
-    - name: include password ageing prepare tasks
-      include_tasks: prepare_tasks/pw_ageing.yml
-
-    - name: include system account shell prepare tasks
-      include_tasks: prepare_tasks/sys_account_shell.yml
+    - name: include preparation tasks
+      ansible.builtin.include_tasks:
+        file: "{{ item }}"
+      loop:
+        - prepare_tasks/netrc.yml
+        - prepare_tasks/pw_ageing.yml
+        - prepare_tasks/sys_account_shell.yml
+        - prepare_tasks/ignore_home_folders.yml
diff --git a/molecule/os_hardening/prepare_tasks/ignore_home_folders.yml b/molecule/os_hardening/prepare_tasks/ignore_home_folders.yml
@@ -0,0 +1,9 @@
+---
+- name: Create user those home-folder should not be touched
+  ansible.builtin.user:
+    name: "user_with_777_home"
+
+- name: Change mode of user to 777
+  ansible.builtin.file:
+    path: /home/user_with_777_home
+    mode: "0777"
diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml
@@ -37,14 +37,14 @@
         name: procps
       when: ansible_facts.os_family == 'Debian'
 
-    - name: include system account shell tests
-      include_tasks: verify_tasks/sys_account_shell.yml
-
-    - name: include password ageing tests
-      include_tasks: verify_tasks/pw_ageing.yml
-
-    - name: include netrc tests
-      include_tasks: verify_tasks/netrc.yml
+    - name: include verification tasks
+      ansible.builtin.include_tasks:
+        file: "{{ item }}"
+      loop: 
+        - verify_tasks/sys_account_shell.yml
+        - verify_tasks/pw_ageing.yml
+        - verify_tasks/netrc.yml
+        - verify_tasks/ignore_home_folders.yml
 
     - name: include PAM tests
       include_tasks: verify_tasks/pam.yml

diff --git a/molecule/os_hardening/verify_tasks/ignore_home_folders.yml b/molecule/os_hardening/verify_tasks/ignore_home_folders.yml
@@ -0,0 +1,10 @@
+---
+- name: Get properties of user user_with_777_home's home folder
+  ansible.builtin.stat:
+    path: /home/user_with_777_home
+  register: stats
+
+- name: Check that the home-folder has mode 777
+  ansible.builtin.assert:
+    that:
+      - stats.stat.mode == "0777"
diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md
@@ -231,9 +231,12 @@ We know that this is the case on Raspberry Pi.
 - `os_ignore_users`
   - Default: `['vagrant', 'kitchen']`
   - Description: Specify system accounts whose login should not be disabled and password not changed
+- `os_chmod_home_folders`
+  - Default: `true`
+  - Description: Set to `false` to disable "chmod 700" of home folders for regular users
 - `os_ignore_home_folder_users`
-  - Default: `lost+found`
-  - Description: specify user home folders in `/home` that shouldn't be chmodded to 700
+  - Default: `[]`
+  - Description: Specify user accounts, whose home folders shouldn't be chmodded to 700 when "os_chmod_home_folders" is enabled. 
 - `os_chmod_rootuser_home_folder`
   - Default: `true`
   - Description: Set to `false` to disable "chmod 700" of root's home folder

diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
@@ -14,14 +14,15 @@ os_auth_pam_pwquality_options: try_first_pass retry=3 authtok_type= # Used in RH
 os_auth_root_ttys: [console, tty1, tty2, tty3, tty4, tty5, tty6]
 os_chfn_restrict: ""
 
-# Set to false to disable chmod userhome folders to 700
+# Set to `false` to disable "chmod 700" of home folders for regular users
 os_chmod_rootuser_home_folder: true
 os_chmod_home_folders: true
+# Specify user accounts, whose home folders shouldn't be chmodded to 700 when "os_chmod_home_folders" is enabled.
+os_ignore_home_folder_users: []
 
 # May contain: change_user
 os_security_users_allow: []
-# Specify user home folders in /home that shouldn't be chmodded to 700
-os_ignore_home_folder_users: [lost+found]
+
 # Set to false to disable password age enforcement on existing users
 os_rootuser_pw_ageing: false
 

diff --git a/roles/os_hardening/tasks/user_accounts.yml b/roles/os_hardening/tasks/user_accounts.yml
@@ -96,19 +96,13 @@
   when:
     - getent_shadow[item][0] is not match("\!") # password hashes containing illegal characters like "!" are unusable already (locked)
 
-- name: Get all home directories in /home, but skip ignored users
-  ansible.builtin.find:
-    paths: /home/
-    recurse: false
-    file_type: directory
-    excludes: "{{ os_ignore_home_folder_users | join(',') }}"
-  register: home_directories
-  when: os_chmod_home_folders | bool
-
-- name: Set ownership of /home directories to 0700
+- name: Limit access to home directories of regular (non-system, non-root) accounts
   ansible.builtin.file:
     mode: 0700
-    path: "{{ item.path }}"
+    owner: "{{ item }}"
+    path: "{{ getent_passwd[item][4] }}"
     state: directory
-  loop: "{{ home_directories.files }}"
-  when: os_chmod_home_folders | bool
+  loop: "{{ regular_users }}"
+  when:
+    - os_chmod_home_folders | bool
+    - item not in os_ignore_home_folder_users | default([])