diff --git a/defaults/main.yml b/defaults/main.yml
index 4ece7f04..f5adb49f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -474,6 +474,9 @@ security_create_home_directory_default: yes # RHEL-07-020630
 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.
 security_reset_perm_ownership: yes # RHEL-07-010010
+# Search for files/directories owned by invalid users or groups.
+security_search_for_invalid_owner: no # RHEL-07-020360
+security_search_for_invalid_group_owner: no # RHEL-07-020370
 ## Graphical interfaces (graphical)
 # Disable automatic gdm logins
diff --git a/doc/metadata/rhel7/RHEL-07-020360.rst b/doc/metadata/rhel7/RHEL-07-020360.rst
index 6db16371..69d0cd40 100644
--- a/doc/metadata/rhel7/RHEL-07-020360.rst
+++ b/doc/metadata/rhel7/RHEL-07-020360.rst
@@ -1,7 +1,18 @@
 ---
 id: RHEL-07-020360
-status: not implemented
-tag: misc
+status: opt-in
+tag: file_perms
 ---
-This STIG requirement is not yet implemented.
+Searching an entire filesystem with ``find`` reduces system performance and
+might impact certain applications negatively. Therefore, the search for files
+and directories with an invalid owner is **disabled by default**.
+
+Deployers can opt in for this search by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+ security_search_for_invalid_owner: yes
+
+Any files or directories without a valid user owner are displayed in the
+Ansible output.
diff --git a/doc/metadata/rhel7/RHEL-07-020370.rst b/doc/metadata/rhel7/RHEL-07-020370.rst
index d7a10dfb..1d25b19f 100644
--- a/doc/metadata/rhel7/RHEL-07-020370.rst
+++ b/doc/metadata/rhel7/RHEL-07-020370.rst
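Review bot: The comment added above `security_search_for_invalid_owner` says what the two variables do but not why both default to `no`, which is the one thing a deployer deciding whether to flip them needs to know; the RHEL-07-020360 metadata page in this same commit gives the reason (the search walks the whole filesystem with find). Suggest widening the comment to `# Search for files/directories owned by invalid users or groups. Off by default: each search runs find across the whole root filesystem.` so the defaults file is self-explanatory without the docs.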
@@ -1,7 +1,18 @@
 ---
 id: RHEL-07-020370
-status: not implemented
-tag: misc
+status: opt-in
+tag: file_perms
 ---
-This STIG requirement is not yet implemented.
+Searching an entire filesystem with ``find`` reduces system performance and
+might impact certain applications negatively. Therefore, the search for files
+and directories with an invalid group owner is **disabled by default**.
+
+Deployers can opt in for this search by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+ security_search_for_invalid_group_owner: yes
+
+Any files or directories without a valid group owner are displayed in the
+Ansible output.
diff --git a/tasks/rhel7stig/file_perms.yml b/tasks/rhel7stig/file_perms.yml
index 0119117c..b7f0f7de 100644
--- a/tasks/rhel7stig/file_perms.yml
+++ b/tasks/rhel7stig/file_perms.yml
@@ -48,6 +48,54 @@
 # don't trigger ANSIBLE0013
 - skip_ansible_lint
+- name: Search for files/directories with an invalid owner
+ command: find / -xdev -nouser -fstype local
+ args:
+ warn: no
+ register: invalid_owner_files
+ changed_when: false
+ when:
+ - security_search_for_invalid_owner | bool
+ tags:
+ - always
+
+- name: RHEL-07-020360 - All files and directories must have a valid owner.
+ debug:
+ msg: |
+ Files and directories were found that are owned by an invalid user:
+ {{ invalid_owner_files.stdout_lines | join('\n') }}
+ when:
+ - invalid_owner_files is defined
+ - invalid_owner_files.stdout_lines is defined
+ tags:
+ - file_perms
+ - medium
+ - RHEL-07-020360
+
+- name: Search for files/directories with an invalid group owner
+ command: find / -xdev -nogroup -fstype local
+ args:
+ warn: no
+ register: invalid_group_owner_files
+ changed_when: false
+ when:
+ - security_search_for_invalid_group_owner | bool
+ tags:
+ - always
+
+- name: RHEL-07-020370 - All files and directories must have a valid group owner.
+ debug:
+ msg: |
+ Files and directories were found that are owned by an invalid group:
+ {{ invalid_group_owner_files.stdout_lines | join('\n') }}
+ when:
+ - invalid_group_owner_files is defined
+ - invalid_group_owner_files.stdout_lines is defined
+ tags:
+ - file_perms
+ - medium
+ - RHEL-07-020370
+
 - name: Check if cn_map file is present
 stat:
 path: /etc/pam_pkcs11/cn_map
diff --git a/tests/test.yml b/tests/test.yml
index 85c11803..38bb531d 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -81,3 +81,5 @@
 security_unattended_upgrades_enabled: true
 security_unattended_upgrades_notifications: true
 security_enable_virus_scanner: yes
+ security_search_for_invalid_owner: yes
+ security_search_for_invalid_group_owner: yes
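Review bot: The `RHEL-07-020360` debug task reports a finding even when the search found nothing, because a `command` that ran with empty output still registers `stdout_lines` as an empty list, so `invalid_owner_files.stdout_lines is defined` is true on a clean host and the play prints "Files and directories were found that are owned by an invalid user:" followed by a blank line; add `- invalid_owner_files.stdout_lines | length > 0` as a third `when` entry after the two `is defined` checks (the `RHEL-07-020370` task has the same gap with `invalid_group_owner_files`). Separately, `find / -xdev` stops at mount points, so a `/home`, `/var` or `/tmp` mounted as its own filesystem is never inspected and unowned files there go unreported; if restricting the check to the root filesystem is intended, the task name or a comment should say so, otherwise the search needs one invocation per local mount point. Also worth confirming: `find` exits non-zero when a file vanishes mid-traversal or a directory is unreadable, and with no `failed_when` that single transient error aborts the whole play, so a guard such as `failed_when: invalid_owner_files.rc not in [0, 1]` on each search task would keep the opt-in check from taking the hardening run down with it.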