Merge "Optionally search for world-writable files"

2017-11-06 16:44:10 +00:00 · 2017-11-06 16:44:10 +00:00 · dc194a1ac4
parent 6bd3cc9115 a84b6847fc
commit dc194a1ac4
4 changed files with 24 additions and 1 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -207,6 +207,8 @@ security_search_for_invalid_owner: no                        # V-72007
 security_search_for_invalid_group_owner: no                  # V-72009
 # Set user/group owners on each home directory and set mode to 0750.
 security_set_home_directory_permissions_and_owners: no       # V-72017 / V-72019 / V-72021
+# Find all world-writable directories and display them.
+security_find_world_writable_dirs: no                        # V-72047

 ## Graphical interfaces (graphical)
 # Disable automatic gdm logins
--- a/doc/metadata/rhel7/V-72047.rst
+++ b/doc/metadata/rhel7/V-72047.rst
@ -1,6 +1,6 @@
 ---
 id: V-72047
-status: implemented
+status: opt-in
 tag: file_perms
 ---

@ -11,3 +11,14 @@ user. Those directories appear in the Ansible output.
 Deployers should review the list of directories and group owners to ensure
 that they are appropriate for the directory. Unauthorized group ownership
 could allow certain users to modify files from other users.
+
+Searching the entire filesystem for world-writable directories will consume
+a significant amount of disk I/O and could impact the performance of a
+production system. It can also delay the playbook's completion. Therefore,
+the search is disabled by default.
+
+Deployers can enable the search by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_find_world_writable_dirs: yes
--- a/releasenotes/notes/world-writable-file-search-optional-7420269230a0e22f.yaml
+++ b/releasenotes/notes/world-writable-file-search-optional-7420269230a0e22f.yaml
@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Searching for world-writable files is now disabled by default. The search
+    causes delays in playbook runs and it can consume a significant amount of
+    CPU and I/O resources. Deployers can re-enable the search by setting
+    ``security_find_world_writable_dirs`` to ``yes``.
--- a/tasks/rhel7stig/file_perms.yml
+++ b/tasks/rhel7stig/file_perms.yml
@ -123,6 +123,8 @@
  changed_when: False
  failed_when: False
  check_mode: no
+  when:
+    - security_find_world_writable_dirs | bool
  tags:
    - always

@ -133,6 +135,7 @@
      {{ world_writable_dirs.stdout }}
  when:
    - world_writable_dirs is defined
+    - not world_writable_dirs | skipped
  tags:
    - medium
    - file_perms