Merge "Find files/dirs without valid owners [+Docs]"

defaults/main.yml

@@ -474,6 +474,9 @@ security_create_home_directory_default: yes                  # RHEL-07-020630
 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.
 security_reset_perm_ownership: yes                           # RHEL-07-010010
+# Search for files/directories owned by invalid users or groups.
+security_search_for_invalid_owner: no                        # RHEL-07-020360
+security_search_for_invalid_group_owner: no                  # RHEL-07-020370
 
 ## Graphical interfaces (graphical)
 # Disable automatic gdm logins

doc/metadata/rhel7/RHEL-07-020360.rst

@@ -1,7 +1,18 @@
 ---
 id: RHEL-07-020360
-status: not implemented
-tag: misc
+status: opt-in
+tag: file_perms
 ---
 
-This STIG requirement is not yet implemented.
+Searching an entire filesystem with ``find`` reduces system performance and
+might impact certain applications negatively. Therefore, the search for files
+and directories with an invalid owner is **disabled by default**.
+
+Deployers can opt in for this search by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_search_for_invalid_owner: yes
+
+Any files or directories without a valid user owner are displayed in the
+Ansible output.

doc/metadata/rhel7/RHEL-07-020370.rst

@@ -1,7 +1,18 @@
 ---
 id: RHEL-07-020370
-status: not implemented
-tag: misc
+status: opt-in
+tag: file_perms
 ---
 
-This STIG requirement is not yet implemented.
+Searching an entire filesystem with ``find`` reduces system performance and
+might impact certain applications negatively. Therefore, the search for files
+and directories with an invalid group owner is **disabled by default**.
+
+Deployers can opt in for this search by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_search_for_invalid_group_owner: yes
+
+Any files or directories without a valid group owner are displayed in the
+Ansible output.

tasks/rhel7stig/file_perms.yml

@@ -48,6 +48,54 @@
     # don't trigger ANSIBLE0013
     - skip_ansible_lint
 
+- name: Search for files/directories with an invalid owner
+  command: find / -xdev -nouser -fstype local
+  args:
+    warn: no
+  register: invalid_owner_files
+  changed_when: false
+  when:
+    - security_search_for_invalid_owner | bool
+  tags:
+    - always
+
+- name: RHEL-07-020360 - All files and directories must have a valid owner.
+  debug:
+    msg: |
+      Files and directories were found that are owned by an invalid user:
+      {{ invalid_owner_files.stdout_lines | join('\n') }}
+  when:
+    - invalid_owner_files is defined
+    - invalid_owner_files.stdout_lines is defined
+  tags:
+    - file_perms
+    - medium
+    - RHEL-07-020360
+
+- name: Search for files/directories with an invalid group owner
+  command: find / -xdev -nogroup -fstype local
+  args:
+    warn: no
+  register: invalid_group_owner_files
+  changed_when: false
+  when:
+    - security_search_for_invalid_group_owner | bool
+  tags:
+    - always
+
+- name: RHEL-07-020370 - All files and directories must have a valid group owner.
+  debug:
+    msg: |
+      Files and directories were found that are owned by an invalid group:
+      {{ invalid_group_owner_files.stdout_lines | join('\n') }}
+  when:
+    - invalid_group_owner_files is defined
+    - invalid_group_owner_files.stdout_lines is defined
+  tags:
+    - file_perms
+    - medium
+    - RHEL-07-020370
+
 - name: Check if cn_map file is present
   stat:
     path: /etc/pam_pkcs11/cn_map

tests/test.yml

@@ -81,3 +81,5 @@
     security_unattended_upgrades_enabled: true
     security_unattended_upgrades_notifications: true
     security_enable_virus_scanner: yes
+    security_search_for_invalid_owner: yes
+    security_search_for_invalid_group_owner: yes