From 964b1a5bd70a6a3691e550cfbaed55c330b58019 Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Fri, 9 Oct 2015 13:48:22 -0500 Subject: [PATCH] V-38643: World writable files Implements: blueprint security-hardening Change-Id: I1096ad2c31a33205ee4130d0e02e8bd9504a6b92 --- doc/source/developer-notes/V-38643.rst | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 doc/source/developer-notes/V-38643.rst diff --git a/doc/source/developer-notes/V-38643.rst b/doc/source/developer-notes/V-38643.rst new file mode 100644 index 00000000..f47d7db3 --- /dev/null +++ b/doc/source/developer-notes/V-38643.rst @@ -0,0 +1,19 @@ +**Exception** + +Searching for world-writable files on a host deployed with openstack-ansible +can be very time consuming and it can create unneccessary I/O load on hosts. +Deployers are urged to check for world-writable files on a regular basis in +directories where those files might be a concern (especially web accessible +directories). + +The command provided with the STIG is helpful for finding these types of files: + +.. code-block:: bash + + find ${MOUNT_POINT} -xdev -type f -perm -002 + +Running ``find /`` isn't recommended on systems without LVM storage for +containers since it will eventually search through the filesystems of the LXC +containers that are deployed by openstack-ansible. The ``-xdev`` option +prevents ``find`` from wandering into other mounted filesystems and will +prevent it from searching through containers in logical volumes.
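Review bot: The non-LVM guidance in this hunk tells deployers what not to run (``find /``) but gives no usable alternative for that case, since the ``-xdev`` option only skips container filesystems when they are separate mounts. Consider stating that on deployments where the LXC container root filesystems live on the host's filesystem, the deployer should either pass ``-prune`` for the directory that holds the container root filesystems or set ``${MOUNT_POINT}`` to each host filesystem of interest, so the documented command actually matches the stated caveat. Two smaller points in the same hunk: "unneccessary" should read "unnecessary", and quoting the variable as ``"${MOUNT_POINT}"`` would keep the command correct for mount points containing spaces.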