From a84b6847fc98ba7d5da3fba0f9579ca0671119c3 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Mon, 30 Oct 2017 13:56:13 -0500
Subject: [PATCH] Optionally search for world-writable files

The search for world-writable files is very intensive and causes some long delays when running playbooks. This patch makes it optional and updates the documentation to match.

Change-Id: I206f75597c48023a889bd7027daff2eff82b1a16
---
 defaults/main.yml | 2 ++
 doc/metadata/rhel7/V-72047.rst | 13 ++++++++++++-
 ...table-file-search-optional-7420269230a0e22f.yaml | 7 +++++++
 tasks/rhel7stig/file_perms.yml | 3 +++
 4 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/world-writable-file-search-optional-7420269230a0e22f.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index 08182fdd..9b28ea4f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -207,6 +207,8 @@ security_search_for_invalid_owner: no # V-72007
 security_search_for_invalid_group_owner: no # V-72009
 # Set user/group owners on each home directory and set mode to 0750.
 security_set_home_directory_permissions_and_owners: no # V-72017 / V-72019 / V-72021
+# Find all world-writable directories and display them.
+security_find_world_writable_dirs: no # V-72047
 
 ## Graphical interfaces (graphical)
 # Disable automatic gdm logins
diff --git a/doc/metadata/rhel7/V-72047.rst b/doc/metadata/rhel7/V-72047.rst
index 18b4ace4..77608859 100644
--- a/doc/metadata/rhel7/V-72047.rst
+++ b/doc/metadata/rhel7/V-72047.rst
@@ -1,6 +1,6 @@
 ---
 id: V-72047
-status: implemented
+status: opt-in
 tag: file_perms
 ---
 
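Review bot: The new comment in defaults/main.yml describes what `security_find_world_writable_dirs` does but not why its default is `no`, so a deployer reading only this file has no hint that enabling it triggers a filesystem-wide search; the cost is explained only in the rst hunk. I would extend the comment to `# Find all world-writable directories and display them. Disabled by default because the filesystem-wide search is I/O intensive and slows playbook runs.`. The variable name, this comment and the doc say "directories" while the commit subject and release note say "files"; if the search really reports directories only, the prose elsewhere should say so to avoid deployers expecting a file listing.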
@@ -11,3 +11,14 @@ user. Those directories appear in the Ansible output. Deployers should review the list of directories and group owners to ensure that they are appropriate for the directory. Unauthorized group ownership could allow certain users to modify files from other users.
+
+Searching the entire filesystem for world-writable directories will consume
+a significant amount of disk I/O and could impact the performance of a
+production system. It can also delay the playbook's completion. Therefore,
+the search is disabled by default.
+
+Deployers can enable the search by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+ security_find_world_writable_dirs: yes
diff --git a/releasenotes/notes/world-writable-file-search-optional-7420269230a0e22f.yaml b/releasenotes/notes/world-writable-file-search-optional-7420269230a0e22f.yaml
new file mode 100644
index 00000000..a5cc973c
--- /dev/null
+++ b/releasenotes/notes/world-writable-file-search-optional-7420269230a0e22f.yaml
@@ -0,0 +1,7 @@
+---
+features:
+ - |
+ Searching for world-writable files is now disabled by default. The search
+ causes delays in playbook runs and it can consume a significant amount of
+ CPU and I/O resources. Deployers can re-enable the search by setting
+ ``security_find_world_writable_dirs`` to ``yes``.
diff --git a/tasks/rhel7stig/file_perms.yml b/tasks/rhel7stig/file_perms.yml
index 52c2a412..2325cc30 100644
--- a/tasks/rhel7stig/file_perms.yml
+++ b/tasks/rhel7stig/file_perms.yml
@@ -123,6 +123,8 @@
 changed_when: False
 failed_when: False
 check_mode: no
+ when:
+ - security_find_world_writable_dirs | bool
 tags:
 - always
 
@@ -133,6 +135,7 @@
 {{ world_writable_dirs.stdout }}
 when:
 - world_writable_dirs is defined
+ - not world_writable_dirs | skipped
 tags:
 - medium
 - file_perms
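Review bot: In the second file_perms.yml hunk the new condition uses the filter form `not world_writable_dirs | skipped`, while the line directly above it uses the test form `world_writable_dirs is defined`; mixing the two styles in one `when` list reads inconsistently, and the filter spelling of Ansible's result tests is the one later deprecated, so `- world_writable_dirs is not skipped` is the safer, matching form. The task in the first hunk (the one gaining `when: security_find_world_writable_dirs | bool`) starts before the hunk, so its name, registered variable and `always` tag cannot be confirmed here; I am assuming it is the task that registers `world_writable_dirs`, which is why a skipped result must be filtered out in the second hunk. A short comment above the new `when` in the first hunk, such as `# Opt-in: a filesystem-wide find is I/O intensive (see defaults/main.yml)`, would tie the guard to the documented reason for the default.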