Find files/dirs without valid owners [+Docs]

This patch adds tasks that search the filesystem for files/directories without a valid user or group owner. Running find is disruptive to some systems, so this is disabled by default. The following controls are covered: - RHEL-07-020360 - RHEL-07-020370 Docs are included. Implements: blueprint security-rhel7-stig Change-Id: I5626c107663d8f3f12d71cc649de242dc4ee3409
2016-11-18 07:22:34 -06:00 · 2016-11-18 07:22:34 -06:00 · c229c4318e
commit c229c4318e
parent fce1e4fb59
5 changed files with 81 additions and 6 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -474,6 +474,9 @@ security_create_home_directory_default: yes                  # RHEL-07-020630
 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.
 security_reset_perm_ownership: yes                           # RHEL-07-010010
+# Search for files/directories owned by invalid users or groups.
+security_search_for_invalid_owner: no                        # RHEL-07-020360
+security_search_for_invalid_group_owner: no                  # RHEL-07-020370

 ## Graphical interfaces (graphical)
 # Disable automatic gdm logins
--- a/doc/metadata/rhel7/RHEL-07-020360.rst
+++ b/doc/metadata/rhel7/RHEL-07-020360.rst
@ -1,7 +1,18 @@
 ---
 id: RHEL-07-020360
-status: not implemented
-tag: misc
+status: opt-in
+tag: file_perms
 ---

-This STIG requirement is not yet implemented.
+Searching an entire filesystem with ``find`` reduces system performance and
+might impact certain applications negatively. Therefore, the search for files
+and directories with an invalid owner is **disabled by default**.
+
+Deployers can opt in for this search by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_search_for_invalid_owner: yes
+
+Any files or directories without a valid user owner are displayed in the
+Ansible output.
--- a/doc/metadata/rhel7/RHEL-07-020370.rst
+++ b/doc/metadata/rhel7/RHEL-07-020370.rst
@ -1,7 +1,18 @@
 ---
 id: RHEL-07-020370
-status: not implemented
-tag: misc
+status: opt-in
+tag: file_perms
 ---

-This STIG requirement is not yet implemented.
+Searching an entire filesystem with ``find`` reduces system performance and
+might impact certain applications negatively. Therefore, the search for files
+and directories with an invalid group owner is **disabled by default**.
+
+Deployers can opt in for this search by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_search_for_invalid_group_owner: yes
+
+Any files or directories without a valid group owner are displayed in the
+Ansible output.
--- a/tasks/rhel7stig/file_perms.yml
+++ b/tasks/rhel7stig/file_perms.yml
@ -48,6 +48,54 @@
    # don't trigger ANSIBLE0013
    - skip_ansible_lint

+- name: Search for files/directories with an invalid owner
+  command: find / -xdev -nouser -fstype local
+  args:
+    warn: no
+  register: invalid_owner_files
+  changed_when: false
+  when:
+    - security_search_for_invalid_owner | bool
+  tags:
+    - always
+
+- name: RHEL-07-020360 - All files and directories must have a valid owner.
+  debug:
+    msg: |
+      Files and directories were found that are owned by an invalid user:
+      {{ invalid_owner_files.stdout_lines | join('\n') }}
+  when:
+    - invalid_owner_files is defined
+    - invalid_owner_files.stdout_lines is defined
+  tags:
+    - file_perms
+    - medium
+    - RHEL-07-020360
+
+- name: Search for files/directories with an invalid group owner
+  command: find / -xdev -nogroup -fstype local
+  args:
+    warn: no
+  register: invalid_group_owner_files
+  changed_when: false
+  when:
+    - security_search_for_invalid_group_owner | bool
+  tags:
+    - always
+
+- name: RHEL-07-020370 - All files and directories must have a valid group owner.
+  debug:
+    msg: |
+      Files and directories were found that are owned by an invalid group:
+      {{ invalid_group_owner_files.stdout_lines | join('\n') }}
+  when:
+    - invalid_group_owner_files is defined
+    - invalid_group_owner_files.stdout_lines is defined
+  tags:
+    - file_perms
+    - medium
+    - RHEL-07-020370
+
 - name: Check if cn_map file is present
  stat:
    path: /etc/pam_pkcs11/cn_map
--- a/tests/test.yml
+++ b/tests/test.yml
@ -81,3 +81,5 @@
    security_unattended_upgrades_enabled: true
    security_unattended_upgrades_notifications: true
    security_enable_virus_scanner: yes
+    security_search_for_invalid_owner: yes
+    security_search_for_invalid_group_owner: yes