Security: Add tasks for RHEL-07-010010

This patch adds tasks to check for files which have had their permissions or ownership modified since they were installed. To avoid running RPM verification multiple times, the report is gathered up front one time and then parsed quickly with grep in subsequent tasks. Implements: blueprint security-rhel7-stig Change-Id: I170176319ac6dcda5f736fa90eb4eb47c4ce76b8
2016-10-12 12:35:16 -05:00 · 2016-10-12 12:35:16 -05:00 · 6971f039d7
commit 6971f039d7
parent eed96b4bf0
4 changed files with 105 additions and 6 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -381,3 +381,7 @@ security_unattended_upgrades_notifications: false
 #  the development work is complete.
 #
 ###############################################################################
+
+## File permissions (file_perms)
+# Reset file permissions and ownership for files installed via RPM packages.
+security_reset_perm_ownership: yes                # RHEL-07-010010
--- a/doc/metadata/rhel7/RHEL-07-010010.rst
+++ b/doc/metadata/rhel7/RHEL-07-010010.rst
@ -1,7 +1,21 @@
 ---
 id: RHEL-07-010010
-status: not implemented
-tag: misc
+status: implemented - red hat
+tag: file_perms
 ---

-This STIG requirement is not yet implemented.
+.. note::
+
+    Ubuntu's ``debsums`` command does not support verification of permissions
+    and ownership for files that were installed by packages. This STIG
+    requirement will be skipped on Ubuntu.
+
+The STIG requires that all files owned by an installed package must have their
+permissions, user ownership, and group ownership set back to the vendor
+defaults.
+
+Deployers may opt-out of the change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+   security_reset_perm_ownership: no
--- a/tasks/rhel7stig/file_perms.yml
+++ b/tasks/rhel7stig/file_perms.yml
@ -0,0 +1,44 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: RHEL-07-010010 - Get packages with incorrect file permissions or ownership
+  shell: "grep '^.M' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"
+  args:
+    warn: no
+  register: rhel_07_010010_packages
+  changed_when: False
+  when:
+    - not check_mode | bool
+    - ansible_os_family | lower == 'redhat'
+    - security_reset_perm_ownership | bool
+  tags:
+    - high
+    - RHEL-07-010010
+
+- name: RHEL-07-010010 - Reset file permissions/ownership to vendor values
+  shell: "rpm {{ item[0] }} `rpm -qf {{ item[1] }}`"
+  args:
+    warn: no
+  with_nested:
+    - ['--setperms', '--setugids']
+    - "{{ rhel_07_010010_packages.stdout_lines | default([]) }}"
+  when:
+    - not check_mode | bool
+    - ansible_os_family | lower == 'redhat'
+    - rhel_07_010010_packages is defined
+    - rhel_07_010010_packages.stdout_lines | length > 0
+  tags:
+    - high
+    - RHEL-07-010010
--- a/tasks/rhel7stig/main.yml
+++ b/tasks/rhel7stig/main.yml
@ -13,6 +13,43 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- name: Not yet implemented
-  debug:
-    msg: "The RHEL 7 STIG is not yet implemented."
+- name: Create temporary directory to hold any temporary files
+  command: "mktemp -d"
+  register: mktemp_result
+  changed_when: False
+  when:
+    - not check_mode | bool
+
+- name: Set a fact for the temporary directory
+  set_fact:
+    temp_dir: "{{ mktemp_result.stdout }}"
+  changed_when: False
+  when:
+    - not check_mode | bool
+
+# Multiple tasks will need the output of RPM verification, so let's do the
+# lookup one time and then grep over the output in subsequent tasks.
+- name: Verify all installed RPM packages
+  shell: "rpm -Va > {{ temp_dir }}/rpmverify.txt"
+  args:
+    warn: no
+  failed_when: False
+  changed_when: False
+  when:
+    - not check_mode | bool
+    - ansible_os_family | lower == 'redhat'
+  tags:
+    - always
+    - skip_ansible_lint
+
+- include: file_perms.yml
+  tags:
+    - file_perms
+
+- name: Remove the temporary directory
+  file:
+    path: "{{ temp_dir }}"
+    state: absent
+  changed_when: False
+  when:
+    - not check_mode | bool