Find world-writable dirs with bad group owners

This patch adds tasks that find bad group owners on world-writable
directories.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: Icab3c6d21c4fa2746e7fa3f75ae2c92ef77abc81

doc/metadata/rhel7/RHEL-07-021050.rst

@@ -1,7 +1,13 @@
 ---
 id: RHEL-07-021050
-status: not implemented
+status: implemented
-tag: misc
+tag: file_perms
 ---
 
-This STIG requirement is not yet implemented.
+The tasks in the security role examine the world-writable directories on the
+system and report any directories that are not group-owned by the ``root``
+user. Those directories appear in the Ansible output.
+
+Deployers should review the list of directories and group owners to ensure
+that they are appropriate for the directory. Unauthorized group ownership
+could allow certain users to modify files from other users.

tasks/rhel7stig/file_perms.yml

@@ -113,6 +113,27 @@
     - RHEL-07-020660
     - RHEL-07-020670
 
+- name: Find all world-writable directories
+  shell: "find / -perm -002 -type d -exec ls -lLd {} \\; | tr -s ' ' | cut -d' ' -f 4,9 | grep -v ^root"
+  register: world_writable_dirs
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  tags:
+    - always
+
+- name: RHEL-07-021050 - All world-writable directories must be group-owned by root, sys, bin, or an application group.
+  debug:
+    msg: |
+      The group owners on the following world-writable directories should be examined:
+      {{ world_writable_dirs.stdout }}
+  when:
+    - world_writable_dirs is defined
+  tags:
+    - medium
+    - file_perms
+    - RHEL-07-021050
+
 - name: Check if cn_map file is present
   stat:
     path: /etc/pam_pkcs11/cn_map