Create home directories by default [+Docs]

This patch adds a task to adjust /etc/login.defs so that home
directories are created by default for all new user accounts.
This is the standard for CentOS/RHEL, but this involves a change
for Ubuntu systems.

Docs are included.

Implements: blueprint security-rhel7-stig
Change-Id: If88719fed6def2d13d5b5798eaed98baf7971889

defaults/main.yml

@@ -468,6 +468,8 @@ security_require_sha512_password_storage: yes                # RHEL-07-010180
 security_libuser_crypt_style_sha512: yes                     # RHEL-07-010190
 # Set a maximum lifetime limit for user passwords.
 #security_password_max_lifetime_days: 60                     # RHEL-07-010220
+# Create home directories for new users by default.
+security_create_home_directory_default: yes                  # RHEL-07-020630
 
 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.

doc/metadata/rhel7/RHEL-07-020630.rst

@@ -1,7 +1,21 @@
 ---
 id: RHEL-07-020630
-status: not implemented
-tag: misc
+status: implemented
+tag: auth
 ---
 
-This STIG requirement is not yet implemented.
+The ``CREATE_HOME`` variable is set to ``yes`` by the tasks in the security
+role. This ensures that home directories are created each time a new user
+account is created.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_create_home_directory_default: no
+
+.. note::
+
+    On CentOS 7 and Red Hat Enterprise Linux 7 systems, home directores are
+    always created with new users by default. Home directories are not created
+    by default on Ubuntu systems.

tasks/rhel7stig/auth.yml

@@ -183,3 +183,16 @@
     - auth
     - medium
     - RHEL-07-020620
+
+- name: RHEL-07-020630 - All local interactive user accounts, upon creation, must be assigned a home directory.
+  lineinfile:
+    dest: /etc/login.defs
+    regexp: "^(#)?CREATE_HOME"
+    line: "CREATE_HOME yes"
+    state: present
+  when:
+    - security_create_home_directory_default | bool
+  tags:
+    - auth
+    - medium
+    - RHEL-07-020630