Merge "Optionally search for world-writable files"
commit
dc194a1ac4
@ -207,6 +207,8 @@ security_search_for_invalid_owner: no # V-72007
|
|||||||
security_search_for_invalid_group_owner: no # V-72009
|
security_search_for_invalid_group_owner: no # V-72009
|
||||||
# Set user/group owners on each home directory and set mode to 0750.
|
# Set user/group owners on each home directory and set mode to 0750.
|
||||||
security_set_home_directory_permissions_and_owners: no # V-72017 / V-72019 / V-72021
|
security_set_home_directory_permissions_and_owners: no # V-72017 / V-72019 / V-72021
|
||||||
|
# Find all world-writable directories and display them.
|
||||||
|
security_find_world_writable_dirs: no # V-72047
|
||||||
|
|
||||||
## Graphical interfaces (graphical)
|
## Graphical interfaces (graphical)
|
||||||
# Disable automatic gdm logins
|
# Disable automatic gdm logins
|
||||||
|
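Review bot: the new default `security_find_world_writable_dirs: no` turns off a STIG check (V-72047) without saying why in the defaults file, so a deployer reading only this file has no hint that the check was disabled for performance rather than policy. Suggest extending the comment above it, e.g. `# Find all world-writable directories and display them (disabled by default; expensive filesystem walk).`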
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
id: V-72047
|
id: V-72047
|
||||||
status: implemented
|
status: opt-in
|
||||||
tag: file_perms
|
tag: file_perms
|
||||||
---
|
---
|
||||||
|
|
||||||
@ -11,3 +11,14 @@ user. Those directories appear in the Ansible output.
|
|||||||
Deployers should review the list of directories and group owners to ensure
|
Deployers should review the list of directories and group owners to ensure
|
||||||
that they are appropriate for the directory. Unauthorized group ownership
|
that they are appropriate for the directory. Unauthorized group ownership
|
||||||
could allow certain users to modify files from other users.
|
could allow certain users to modify files from other users.
|
||||||
|
|
||||||
|
Searching the entire filesystem for world-writable directories will consume
|
||||||
|
a significant amount of disk I/O and could impact the performance of a
|
||||||
|
production system. It can also delay the playbook's completion. Therefore,
|
||||||
|
the search is disabled by default.
|
||||||
|
|
||||||
|
Deployers can enable the search by setting the following Ansible variable:
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
security_find_world_writable_dirs: yes
|
||||||
|
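Review bot: the new paragraph agrees with the defaults change, but it speaks of world-writable "directories" while the commit title and the release note say "files"; pick one term throughout (the task registers `world_writable_dirs`, so "directories" looks right). It would also help to state plainly that leaving the search disabled means the V-72047 finding is not evaluated on that host, so deployers know what they give up by keeping the default.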
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Searching for world-writable files is now disabled by default. The search
|
||||||
|
causes delays in playbook runs and it can consume a significant amount of
|
||||||
|
CPU and I/O resources. Deployers can re-enable the search by setting
|
||||||
|
``security_find_world_writable_dirs`` to ``yes``.
|
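Review bot: this entry is filed under `features`, yet it describes a check that was previously on and is "now disabled by default", which is a behaviour change for existing deployments rather than a new capability; an `upgrade` section entry (or wording that warns upgraders the check silently stops running) would fit better. The note also says "world-writable files" while the variable and task deal with directories; align the wording with the variable name.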
@ -123,6 +123,8 @@
|
|||||||
changed_when: False
|
changed_when: False
|
||||||
failed_when: False
|
failed_when: False
|
||||||
check_mode: no
|
check_mode: no
|
||||||
|
when:
|
||||||
|
- security_find_world_writable_dirs | bool
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
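Review bot: the `when:` guard is the right place for the toggle, but a skipped task still registers `world_writable_dirs` with a skipped result, so any later task that only checks `world_writable_dirs is defined` will still run against an empty result; make sure every consumer of this register also tests for the skipped state (the following hunk does so for one of them).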
@ -133,6 +135,7 @@
|
|||||||
{{ world_writable_dirs.stdout }}
|
{{ world_writable_dirs.stdout }}
|
||||||
when:
|
when:
|
||||||
- world_writable_dirs is defined
|
- world_writable_dirs is defined
|
||||||
|
- not world_writable_dirs | skipped
|
||||||
tags:
|
tags:
|
||||||
- medium
|
- medium
|
||||||
- file_perms
|
- file_perms
|
||||||
|
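Review bot: the added `- not world_writable_dirs | skipped` line is correct and is ordered after the `is defined` check, so it cannot fail on an undefined variable. Style point: calling `skipped` through the filter pipe is the form newer Ansible releases deprecate in favour of the test syntax; `- world_writable_dirs is not skipped` behaves the same and avoids the deprecation warning.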