All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

Classification: compliance

Framework:

Control:

Description

Change the mode of interactive users' home directories to 0750. To change the mode of an interactive user's home directory, use the following command:

$ sudo chmod 0750 /home/USER

Rationale

Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

for home_dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' /etc/passwd); do
    # Only update the permissions when necessary. This avoids changing the inode timestamp when
    # the permissions are already as expected, so integrity-check systems that also track inode
    # timestamps are not affected.
    find "$home_dir" -maxdepth 0 -perm /7027 -exec chmod u-s,g-w-s,o=- {} \;
done
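As an added example (not part of the rule's own shell or Ansible content), the audit-only counterpart of that script: it applies the same user selection and the same `-perm /7027` test but only reports, returning non-zero when any home directory is more permissive than 0750. The PASSWD_FILE and PREFIX arguments and the make_fixture helper (hypothetical users, constructed passwd file) are assumptions so it can be exercised against a temporary tree; it assumes POSIX sh with GNU or BSD find.

```shell
#!/bin/sh
# Audit-only counterpart to the remediation: report, never fix. Added example.
# check_home_dir_modes [PASSWD_FILE] [PREFIX] (both arguments are assumptions;
# defaults are /etc/passwd and no prefix, i.e. the live system).
# Prints "FAIL <ls mode> <home>" per offending directory; returns 1 if any.
check_home_dir_modes() {
    passwd_file="${1:-/etc/passwd}"
    prefix="${2:-}"
    fails=0
    # Same user selection as the remediation: UID >= 1000, excluding nobody (65534).
    # A here-document keeps the loop in the current shell so $fails survives it.
    while IFS= read -r home_dir; do
        [ -n "$home_dir" ] || continue
        dir="${prefix}${home_dir}"
        [ -d "$dir" ] || continue        # missing home directory: nothing to assess
        # -perm /7027 matches if ANY of setuid/setgid/sticky, group write or
        # other rwx is set, i.e. anything beyond 0750.
        if [ -n "$(find "$dir" -maxdepth 0 -perm /7027)" ]; then
            printf 'FAIL %s %s\n' "$(ls -ld "$dir" | cut -c1-10)" "$home_dir"
            fails=$((fails + 1))
        fi
    done <<EOF
$(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6 }' "$passwd_file")
EOF
    [ "$fails" -eq 0 ]
}

# Constructed fixture (hypothetical users) for a dry run: prints a temp dir
# holding a passwd file and home tree. Only bob (0755) and carol (0770)
# should be reported; root (UID 0), nobody and the missing /home/dave are skipped.
make_fixture() {
    root="$(mktemp -d)"
    mkdir -p "$root/home/alice" "$root/home/bob" "$root/home/carol" "$root/root"
    chmod 0750 "$root/home/alice"
    chmod 0755 "$root/home/bob"
    chmod 0770 "$root/home/carol"
    chmod 0777 "$root/root"
    cat > "$root/passwd" <<EOF
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh
bob:x:1001:1001::/home/bob:/bin/sh
carol:x:1002:1002::/home/carol:/bin/sh
dave:x:1003:1003::/home/dave:/bin/sh
nobody:x:65534:65534::/nonexistent:/usr/sbin/nologin
EOF
    printf '%s\n' "$root"
}
```

Run `check_home_dir_modes` with no arguments to audit the live system; `root=$(make_fixture); check_home_dir_modes "$root/passwd" "$root"` exercises it against the constructed tree.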

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Get all local users from /etc/passwd
  ansible.builtin.getent:
    database: passwd
    split: ':'
  tags:
    - file_permissions_home_directories
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Create local_users variable from the getent output
  ansible.builtin.set_fact:
    local_users: '{{ ansible_facts.getent_passwd|dict2items }}'
  tags:
    - file_permissions_home_directories
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Test for existence of home directories to avoid creating them
  ansible.builtin.stat:
    path: '{{ item.value[4] }}'
  register: path_exists
  loop: '{{ local_users }}'
  when:
    - item.value[1]|int >= 1000
    - item.value[1]|int != 65534
  tags:
    - file_permissions_home_directories
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure interactive local users have proper permissions on their respective home directories
  ansible.builtin.file:
    path: '{{ item.0.value[4] }}'
    mode: u-s,g-w-s,o=-
    follow: false
    recurse: false
  loop: '{{ local_users|zip(path_exists.results)|list }}'
  when: item.1.stat is defined and item.1.stat.exists
  tags:
    - file_permissions_home_directories
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy