From acdd6d5f0cd7cc8fea63e316eac51c494e7528d4 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Fri, 18 Nov 2016 14:43:16 -0600
Subject: [PATCH] Create home directories by default [+Docs]

This patch adds a task to adjust /etc/login.defs so that home directories are created by default for all new user accounts. This is the standard for CentOS/RHEL, but this involves a change for Ubuntu systems. Docs are included.

Implements: blueprint security-rhel7-stig
Change-Id: If88719fed6def2d13d5b5798eaed98baf7971889
---
 defaults/main.yml | 2 ++
 doc/metadata/rhel7/RHEL-07-020630.rst | 20 +++++++++++++++++---
 tasks/rhel7stig/auth.yml | 13 +++++++++++++
 3 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 5d0820a3..4ece7f04 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -468,6 +468,8 @@ security_require_sha512_password_storage: yes # RHEL-07-010180
 security_libuser_crypt_style_sha512: yes # RHEL-07-010190
 # Set a maximum lifetime limit for user passwords.
 #security_password_max_lifetime_days: 60 # RHEL-07-010220
+# Create home directories for new users by default.
+security_create_home_directory_default: yes # RHEL-07-020630
 
 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.
diff --git a/doc/metadata/rhel7/RHEL-07-020630.rst b/doc/metadata/rhel7/RHEL-07-020630.rst
index 0826c51a..ccbec73b 100644
--- a/doc/metadata/rhel7/RHEL-07-020630.rst
+++ b/doc/metadata/rhel7/RHEL-07-020630.rst
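Review bot: The comment above `security_create_home_directory_default` in defaults/main.yml does not say what the toggle changes on the host or what turning it off does. The task this patch adds in tasks/rhel7stig/auth.yml is gated with `when: security_create_home_directory_default | bool`, so setting the variable to `no` only skips the edit; a `CREATE_HOME yes` written by an earlier run stays in /etc/login.defs. I would expand the comment to two lines: `# Set CREATE_HOME to yes in /etc/login.defs so new users get a home directory.` and `# Setting this to no skips the task; it does not revert an earlier change.` The hunk shows only a slice of the defaults file, so the neighbouring variables are not visible here.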
@@ -1,7 +1,21 @@
 ---
 id: RHEL-07-020630
-status: not implemented
-tag: misc
+status: implemented
+tag: auth
 ---
 
-This STIG requirement is not yet implemented.
+The ``CREATE_HOME`` variable is set to ``yes`` by the tasks in the security
+role. This ensures that home directories are created each time a new user
+account is created.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+ security_create_home_directory_default: no
+
+.. note::
+
+ On CentOS 7 and Red Hat Enterprise Linux 7 systems, home directores are
+ always created with new users by default. Home directories are not created
+ by default on Ubuntu systems.
diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index 8c72628d..29b8bf38 100644
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@@ -183,3 +183,16 @@
 - auth
 - medium
 - RHEL-07-020620
+
+- name: RHEL-07-020630 - All local interactive user accounts, upon creation, must be assigned a home directory.
+ lineinfile:
+ dest: /etc/login.defs
+ regexp: "^(#)?CREATE_HOME"
+ line: "CREATE_HOME yes"
+ state: present
+ when:
+ - security_create_home_directory_default | bool
+ tags:
+ - auth
+ - medium
+ - RHEL-07-020630
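Review bot: The `regexp: "^(#)?CREATE_HOME"` pattern in the new RHEL-07-020630 task has no boundary after the key, and `lineinfile` rewrites only the last line that matches. If /etc/login.defs holds both a commented and an active entry, an earlier `CREATE_HOME no` could survive next to the rewritten line, and which value useradd then honours should be confirmed rather than assumed. I would anchor the key with `regexp: '^#?CREATE_HOME\b'` and add an assert step that the file ends up with exactly one active `CREATE_HOME` line, so the control can be verified after the run. The surrounding task list starts outside the hunk.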