add hardening of root user account(s) (#579)

roles/os_hardening/README.md

@@ -230,6 +230,15 @@ We know that this is the case on Raspberry Pi.
 - `os_ignore_home_folder_users`
   - Default: `lost+found`
   - Description: specify user home folders in `/home` that shouldn't be chmodded to 700
+- `os_chmod_rootuser_home_folder`
+  - Default: `true`
+  - Description: Set to `false` to disable "chmod 700" of root's home folder
+- `os_rootuser_pw_ageing`
+  - Default: `false`
+  - Description: Set to true to enforce password age settings for root user(s)
+- `os_remove_additional_root_users`
+  - Default: `false`
+  - Description: When enabled and there are multiple users with UID=0, only "root" will be kept. Others will be deleted.
 - `os_cron_enabled`
   - Default: `true`
   - Description: Set to false to disable installing and configuring cron.
@@ -241,7 +250,7 @@ We know that this is the case on Raspberry Pi.
   - Description: Set to false to disable installing and configuring limits.
 - `os_login_defs_enabled`
   - Default: `true`
-  - Description: Set to false to disable installing and configuring login_defs.
+  - Description: Set to false to disable installing and configuring login_defs for newly created users.
 - `os_minimize_access_enabled`
   - Default: `true`
   - Description: Set to false to disable installing and configuring minimize_access.

roles/os_hardening/defaults/main.yml

@@ -15,13 +15,21 @@ os_auth_root_ttys: [console, tty1, tty2, tty3, tty4, tty5, tty6]
 
 os_chfn_restrict: ''
 
-# Set to false to disable chmod /home folders to 700
+# Set to false to disable chmod userhome folders to 700
+os_chmod_rootuser_home_folder: true
 os_chmod_home_folders: true
 
 # May contain: change_user
 os_security_users_allow: []
 # Specify user home folders in /home that shouldn't be chmodded to 700
 os_ignore_home_folder_users: ['lost+found']
+
+# Set to false to disable password age enforcement on existing users
+os_rootuser_pw_ageing: false
+
+# When enabled and there are multiple users with UID=0, only "root" will be kept. Others will be deleted.
+os_remove_additional_root_users: false
+
 # Specify system accounts whose login should not be disabled and password not changed
 os_ignore_users: ['vagrant', 'kitchen']
 os_security_kernel_enable_module_loading: true
@@ -338,7 +346,7 @@ os_ctrlaltdel_disabled: false
 # Set to false to disable installing and configuring limits.
 os_limits_enabled: true
 
-# Set to false to disable installing and configuring login_defs.
+# Set to false to disable installing and configuring login_defs for newly created users.
 os_login_defs_enabled: true
 
 # Set to false to disable installing and configuring minimize_access.

roles/os_hardening/tasks/user_accounts.yml

@@ -1,4 +1,45 @@
 ---
+- name: Read local linux user database
+  getent:
+    database: passwd
+    #creates a dict for each user containing UID/HOMEDIR etc...
+  when: getent_passwd is undefined # skip this task if "getent" has run before
+
+- name: extract root account(s) from local user database
+  loop: "{{ getent_passwd.keys()|list }}"
+  when:
+    - getent_passwd[item][1]|int == 0
+  set_fact:
+    root_users: "{{ root_users|default([]) + [item] }}"
+
+- name: set ownership of root user home directory(s) to 0700
+  file:
+    mode: 0700
+    owner: "{{ item }}"
+    path: "{{ getent_passwd[item][4] }}"
+    state: directory
+  loop: "{{ root_users }}"
+  when:
+    - os_chmod_rootuser_home_folder | bool
+
+- name: set password ageing for root user(s)
+  user:
+    name: "{{ item }}"
+    password_expire_min: "{{ os_auth_pw_min_age }}"
+    password_expire_max: "{{ os_auth_pw_max_age }}"
+  loop: "{{ root_users }}"
+  when: os_rootuser_pw_ageing|bool
+
+- name: remove additional users with UID=0 ("root" user is not touched)
+  user:
+    name: "{{ item }}"
+    state: absent
+  loop: "{{ root_users }}"
+  when:
+    - os_remove_additional_root_users|bool
+    - root_users|length > 1
+    - item != "root"
+
 - name: Get UID_MIN from login.defs
   shell: awk '/^\s*UID_MIN\s*([0-9]*).*?$/ {print $2}' /etc/login.defs
   args: