Merge pull request #185 from whitehat237/devel

uk-bolly · web-flow · commit 7e6ca37f447c · 2023-03-17T08:39:01.000Z
Adds default variables and task to modify getent user enumeration com…
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -477,6 +477,17 @@ rhel8stig_smartcard: false
 # Configure your smartcard driver
 rhel8stig_smartcarddriver: cackey
 
+#Whether or not system uses remote automounted home directories via autofs
+rhel8stig_autofs_remote_home_dirs: false
+
+#The local mount point used by autofs to mount remote home directory to.  This location will be excluded during getent user enumeration, if rhel8stig_autofs_remote_home_dirs is true
+rhel8stig_auto_mount_home_dirs_local_mount_point: "/home/"
+
+#The default shell command to gather local interactive user directories
+## NOTE: You will need to adjust the UID range in parenthesis below.
+## ALSO NOTE: We weed out any user with a home dir not in standard locations because interactive users shouldn't have those paths as a home dir. Add or removed directory paths as needed below.
+local_interactive_user_dir_command: "getent passwd { {{ rhel8stig_int_gid }}..65535} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'"
+
 # IPv6 required
 rhel8stig_ipv6_required: true
 
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -116,11 +116,26 @@
       - RHEL-08-010750
       - RHEL-08-020320
 
-## NOTE: You will need to adjust the UID range in parenthases below.
-## ALSO NOTE: We weed out any user with a home dir not in standard locations because interactive users shouldn't have those paths as a home dir. Add or removed directory paths as needed below.
+- name: "PRELIM | RHEL-08-010690 Ensure user enumeration command is modified when autofs remote home directories are in use"
+  block:
+      - name: Ensure that rhel8stig_auto_mount_home_dirs_local_mount_point is defined and not length zero
+        assert:
+          that:
+              - rhel8stig_auto_mount_home_dirs_local_mount_point is defined
+              - rhel8stig_auto_mount_home_dirs_local_mount_point | length > 0
+
+      - name: Modify local_interactive_user_dir_command to exclude remote automounted home directories
+        set_fact:
+            local_interactive_user_dir_command: "{{ local_interactive_user_dir_command }} | grep -v '{{ rhel8stig_auto_mount_home_dirs_local_mount_point }}"
+
+  when:
+    - rhel8stig_autofs_remote_home_dirs
+  tags:
+    - RHEL-08-010690
+    - complexity-high
+
 - name: "PRELIM | RHEL-08-010690 | Gather local interactive user directories"
-  # shell: "getent passwd { {{ rhel8stig_int_gid }}..65535} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'"
-  shell: "getent passwd {% raw %}{{% endraw %}{{ rhel8stig_int_gid }}..24339{% raw %}}{% endraw %} | cut -d: -f6 | sort -u | grep -v '/var/' | grep -v '/nonexistent/*' | grep -v '/run/*'"
+  shell: "{{ local_interactive_user_dir_command }}"
   register: rhel_08_010690_getent
   changed_when: false
   failed_when: false
