From c229c4318e34088c883e7a8f15f54e71cc909580 Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Fri, 18 Nov 2016 07:22:34 -0600 Subject: [PATCH] Find files/dirs without valid owners [+Docs] This patch adds tasks that search the filesystem for files/directories without a valid user or group owner. Running find is disruptive to some systems, so this is disabled by default. The following controls are covered: - RHEL-07-020360 - RHEL-07-020370 Docs are included. Implements: blueprint security-rhel7-stig Change-Id: I5626c107663d8f3f12d71cc649de242dc4ee3409 --- defaults/main.yml | 3 ++ doc/metadata/rhel7/RHEL-07-020360.rst | 17 ++++++++-- doc/metadata/rhel7/RHEL-07-020370.rst | 17 ++++++++-- tasks/rhel7stig/file_perms.yml | 48 +++++++++++++++++++++++++++ tests/test.yml | 2 ++ 5 files changed, 81 insertions(+), 6 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 4ece7f04..f5adb49f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -474,6 +474,9 @@ security_create_home_directory_default: yes # RHEL-07-020630
 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.
 security_reset_perm_ownership: yes # RHEL-07-010010
+# Search for files/directories owned by invalid users or groups.
+security_search_for_invalid_owner: no # RHEL-07-020360
+security_search_for_invalid_group_owner: no # RHEL-07-020370
 
 ## Graphical interfaces (graphical)
 # Disable automatic gdm logins
diff --git a/doc/metadata/rhel7/RHEL-07-020360.rst b/doc/metadata/rhel7/RHEL-07-020360.rst
index 6db16371..69d0cd40 100644
--- a/doc/metadata/rhel7/RHEL-07-020360.rst
+++ b/doc/metadata/rhel7/RHEL-07-020360.rst
@@ -1,7 +1,18 @@
 ---
 id: RHEL-07-020360
-status: not implemented
-tag: misc
+status: opt-in
+tag: file_perms
 ---
 
-This STIG requirement is not yet implemented.
+Searching an entire filesystem with ``find`` reduces system performance and
+might impact certain applications negatively. Therefore, the search for files
+and directories with an invalid owner is **disabled by default**.
+
+Deployers can opt in for this search by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_search_for_invalid_owner: yes
+
+Any files or directories without a valid user owner are displayed in the
+Ansible output.
diff --git a/doc/metadata/rhel7/RHEL-07-020370.rst b/doc/metadata/rhel7/RHEL-07-020370.rst
index d7a10dfb..1d25b19f 100644
--- a/doc/metadata/rhel7/RHEL-07-020370.rst
+++ b/doc/metadata/rhel7/RHEL-07-020370.rst
@@ -1,7 +1,18 @@
 ---
 id: RHEL-07-020370
-status: not implemented
-tag: misc
+status: opt-in
+tag: file_perms
 ---
 
-This STIG requirement is not yet implemented.
+Searching an entire filesystem with ``find`` reduces system performance and
+might impact certain applications negatively. Therefore, the search for files
+and directories with an invalid group owner is **disabled by default**.
+
+Deployers can opt in for this search by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_search_for_invalid_group_owner: yes
+
+Any files or directories without a valid group owner are displayed in the
+Ansible output.
diff --git a/tasks/rhel7stig/file_perms.yml b/tasks/rhel7stig/file_perms.yml
index 0119117c..b7f0f7de 100644
--- a/tasks/rhel7stig/file_perms.yml
+++ b/tasks/rhel7stig/file_perms.yml
@@ -48,6 +48,54 @@
     # don't trigger ANSIBLE0013
     - skip_ansible_lint
 
+- name: Search for files/directories with an invalid owner
+  command: find / -xdev -nouser -fstype local
+  args:
+    warn: no
+  register: invalid_owner_files
+  changed_when: false
+  when:
+    - security_search_for_invalid_owner | bool
+  tags:
+    - always
+
+- name: RHEL-07-020360 - All files and directories must have a valid owner.
+  debug:
+    msg: |
+      Files and directories were found that are owned by an invalid user:
+      {{ invalid_owner_files.stdout_lines | join('\n') }}
+  when:
+    - invalid_owner_files is defined
+    - invalid_owner_files.stdout_lines is defined
+  tags:
+    - file_perms
+    - medium
+    - RHEL-07-020360
+
+- name: Search for files/directories with an invalid group owner
+  command: find / -xdev -nogroup -fstype local
+  args:
+    warn: no
+  register: invalid_group_owner_files
+  changed_when: false
+  when:
+    - security_search_for_invalid_group_owner | bool
+  tags:
+    - always
+
+- name: RHEL-07-020370 - All files and directories must have a valid group owner.
+  debug:
+    msg: |
+      Files and directories were found that are owned by an invalid group:
+      {{ invalid_group_owner_files.stdout_lines | join('\n') }}
+  when:
+    - invalid_group_owner_files is defined
+    - invalid_group_owner_files.stdout_lines is defined
+  tags:
+    - file_perms
+    - medium
+    - RHEL-07-020370
+
 - name: Check if cn_map file is present
   stat:
     path: /etc/pam_pkcs11/cn_map
diff --git a/tests/test.yml b/tests/test.yml
index 85c11803..38bb531d 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -81,3 +81,5 @@
     security_unattended_upgrades_enabled: true
     security_unattended_upgrades_notifications: true
     security_enable_virus_scanner: yes
+    security_search_for_invalid_owner: yes
+    security_search_for_invalid_group_owner: yes
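Review bot: Both debug tasks in this hunk report a finding on a clean system, because `stdout_lines` is defined (as an empty list) whenever the `find` ran, so the `when` conditions `invalid_owner_files.stdout_lines is defined` and `invalid_group_owner_files.stdout_lines is defined` let the "Files and directories were found that are owned by an invalid ..." message print with nothing under it, which an operator reading the output as the docs suggest will take as a real RHEL-07-020360/020370 hit. Replace the second condition of each `when` with `- invalid_owner_files.stdout_lines | default([]) | length > 0` (and `- invalid_group_owner_files.stdout_lines | default([]) | length > 0`) so the message appears only when `find` actually returned paths; `default([])` also covers the case where the search task was skipped and registered a result without `stdout_lines`. Separately, `-fstype local` is a pseudo-type from BSD/Solaris find; if GNU findutils on RHEL 7 does not recognise it, the predicate silently matches nothing and both searches always come back empty, so this should be verified on a target host (or the filesystem type made a variable) before relying on it for the control. A non-zero exit from `find` (for example an unreadable mount under `/` that `-xdev` does not prune) will fail the play because these are `command` tasks with no `failed_when`, which may be acceptable for an opt-in audit task but is worth a comment in the hunk.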