From fce1e4fb59384a702d63c88e1bb0970cdd8d0c67 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Fri, 18 Nov 2016 16:15:36 -0600
Subject: [PATCH] Verify that home directories exist [+Docs]

This patch adds tasks which verify that the home directory for each interactive user actually exists on the filesystem. Users with missing home directories are printed in the Ansible output. Docs are included.

Implements: blueprint security-rhel7-stig
Change-Id: Ia561bfe1352ef9bdc5be9de4cb23e1bf15a4cbbc
---
 doc/metadata/rhel7/RHEL-07-020640.rst | 9 +++++---
 tasks/rhel7stig/auth.yml | 31 ++++++++++++++++++++++++++-
 2 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/doc/metadata/rhel7/RHEL-07-020640.rst b/doc/metadata/rhel7/RHEL-07-020640.rst
index 482b2df5..b3328dac 100644
--- a/doc/metadata/rhel7/RHEL-07-020640.rst
+++ b/doc/metadata/rhel7/RHEL-07-020640.rst
@@ -1,7 +1,10 @@
 ---
 id: RHEL-07-020640
-status: not implemented
-tag: misc
+status: implemented
+tag: auth
 ---
-This STIG requirement is not yet implemented.
+Each interactive user on the system is checked to verify that their assigned
+home directory exists on the filesystem. If a home directory is missing, the
+name of the user and their assigned home directory is printed in the Ansible
+console output.
diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index 29b8bf38..5c85682f 100644
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@@ -14,7 +14,8 @@
 # limitations under the License.
 
 - name: Get a list of users on the system to use throughout the auth tasks
-  action: get_users
+  get_users:
+    min_uid: 1000
   register: user_list
   check_mode: no
   tags:
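Review bot: The new `min_uid: 1000` is a hard-coded threshold on a task whose result (`user_list`) is, per its name, reused by every other auth task, so this hunk narrows what all of those tasks see, not only the new home-directory check; whether that is intended for the other consumers cannot be confirmed from the hunk. 1000 matches the default UID_MIN in /etc/login.defs on RHEL 7, but hosts built with a different UID_MIN would have interactive accounts silently excluded from the check, which is a false-negative for the STIG requirement. Exposing it as a role variable with the same default keeps current behaviour and lets operators match their login.defs, e.g. `min_uid: "{{ security_rhel7_interactive_uid_min | default(1000) }}"` (variable name constructed here; use the role's naming convention and document it in defaults). The task's remaining keys continue beyond the hunk.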
@@ -196,3 +197,31 @@
     - auth
     - medium
     - RHEL-07-020630
+
+- name: Check each user to see if its home directory exists on the filesystem
+  stat:
+    path: "{{ item['dir'] }}"
+  when:
+    - item['dir'] != ''
+  with_items: "{{ user_list.users }}"
+  register: home_directory_checks
+  tags:
+    - auth
+    - medium
+    - RHEL-07-020640
+
+- name: RHEL-07-020640 - All local interactive user home directories defined in the /etc/passwd file must exist.
+  debug:
+    msg: |
+      These users have a home directory assigned, but the directory does not exist:
+      {% for check in home_directory_checks.results %}
+      {% if not check.stat.exists %}
+      {{ check.item.name }} ({{ check.item.dir }} does not exist)
+      {% endif %}
+      {% endfor %}
+  when:
+    - home_directory_checks.results | selectattr('stat.exists', 'sameas', false) | list | length > 0
+  tags:
+    - auth
+    - medium
+    - RHEL-07-020640
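Review bot: The debug message template dereferences `check.stat.exists` for every entry of `home_directory_checks.results`, but an entry the stat task skipped under `item['dir'] != ''` is recorded as a skipped result with no `stat` key, so if the user list ever contains a user with an empty home-directory field the message rendering is likely to fail on an undefined attribute instead of reporting the remaining users. Guard the loop body so skipped entries are ignored: `{% if check.stat is defined and not check.stat.exists %}`, and consider the same guard in the `when` expression (`rejectattr('skipped', 'defined')` before the `selectattr`) so both stay consistent. As a point of style, `{%- ... -%}` whitespace control on the for/if/endif/endfor tags would stop each control line from leaving a blank line in the printed message. Both new tasks are complete within the hunk.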