All Interactive Users Home Directories Must Exist

Classification:

compliance

Framework:

Control:

Description

Create home directories for all interactive users that currently do not have one. Use the following command to create the home directory assigned to the user in /etc/passwd:

$ sudo mkdir /home/USER

Rationale

If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.
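Before remediating, a practitioner usually wants to know which accounts are actually affected. The following audit function is an added example, not part of the original rule or of the ComplianceAsCode project: it applies the same interactive-user filter as the remediation script (UID at least 1000 and not 65534) to a passwd file and reports every matching user whose home directory is missing or empty in the passwd entry. The `ROOT` prefix argument and the `make_sample` helper with its constructed passwd lines are assumptions added so the check can be exercised against a scratch directory instead of the live system; run `missing_home_users /etc/passwd` with no prefix to audit a real host.

```shell
#!/bin/sh
# Added audit example (not from the original page or project).
# missing_home_users PASSWD_FILE [ROOT]
#   Prints "user home" for each interactive user (UID >= 1000, UID != 65534)
#   whose home directory does not exist under ROOT (default: the real root).
#   An empty home field is reported as "<none>", since such a user would be
#   dropped into / at logon, the situation the rationale above describes.
missing_home_users() {
    passwd_file=$1
    root=${2:-}
    awk -F':' '$3 >= 1000 && $3 != 65534 { print $1 ":" $6 }' "$passwd_file" |
    while IFS=':' read -r name home; do
        if [ -z "$home" ] || [ ! -d "$root$home" ]; then
            printf '%s %s\n' "$name" "${home:-<none>}"
        fi
    done
}

# Constructed sample (assumption, not real host data): a scratch tree with a
# passwd file containing a system account, nobody, one user with a home
# directory, one without, and one with an empty home field.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/home/alice"
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol::/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
    printf '%s\n' "$dir"
}

# Stand-alone demo against the constructed sample: expected to report bob
# (directory missing) and carol (no home set), and nothing else.
sample=$(make_sample)
missing_home_users "$sample/passwd" "$sample"
rm -rf "$sample"
```

Only the users the remediation would touch are listed, so the output doubles as a preview of what `mkhomedir_helper` will create; accounts below UID 1000 and the `nobody` account are skipped exactly as in the script below.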

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Select interactive users (UID >= 1000, excluding nobody/65534) and create a
# missing home directory for each with the skeleton files and a 0077 umask.
for user in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $1 }' /etc/passwd); do
    mkhomedir_helper "$user" 0077
done

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Get all local users from /etc/passwd
  ansible.builtin.getent:
    database: passwd
    split: ':'
  tags:
    - accounts_user_interactive_home_directory_exists
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Create local_users variable from the getent output
  ansible.builtin.set_fact:
    local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
  tags:
    - accounts_user_interactive_home_directory_exists
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure interactive users have a home directory
  ansible.builtin.user:
    name: '{{ item.key }}'
    create_home: true
  loop: '{{ local_users }}'
  when:
    - item.value[2]|int >= 1000
    - item.value[2]|int != 65534
  tags:
    - accounts_user_interactive_home_directory_exists
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy