--- # Copyright 2016, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - name: V-71849 - Get packages with incorrect file permissions or ownership shell: "grep '^.M' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" args: warn: no register: rpmverify_package_list changed_when: False when: - not check_mode | bool - ansible_pkg_mgr in ['yum', 'zypper'] - security_reset_perm_ownership | bool tags: - file_perms - high - V-71849 - name: V-71849 - Reset file permissions/ownership to vendor values shell: "rpm {{ item[0] }} `rpm -qf {{ item[1] }}`" args: warn: no changed_when: false with_nested: - ['--setperms', '--setugids'] - "{{ rpmverify_package_list.stdout_lines | default([]) }}" when: - not check_mode | bool - ansible_pkg_mgr in ['yum', 'zypper'] - rpmverify_package_list is defined - rpmverify_package_list.stdout_lines | length > 0 async: 300 poll: 0 tags: - file_perms - high - V-71849 # don't trigger ANSIBLE0013 - skip_ansible_lint - name: Search for files/directories with an invalid owner command: find / -xdev -nouser -fstype local args: warn: no register: invalid_owner_files changed_when: false when: - security_search_for_invalid_owner | bool tags: - always - name: V-72007 - All files and directories must have a valid owner. debug: msg: | Files and directories were found that are owned by an invalid user: {{ invalid_owner_files.stdout_lines | join('\n') }} when: - invalid_owner_files is defined - invalid_owner_files.stdout_lines is defined - invalid_owner_files.stdout_lines | length > 0 tags: - file_perms - medium - V-72007 - name: Search for files/directories with an invalid group owner command: find / -xdev -nogroup -fstype local args: warn: no register: invalid_group_owner_files changed_when: false when: - security_search_for_invalid_group_owner | bool tags: - always - name: V-72009 - All files and directories must have a valid group owner. debug: msg: | Files and directories were found that are owned by an invalid group: {{ invalid_group_owner_files.stdout_lines | join('\n') }} when: - invalid_group_owner_files is defined - invalid_group_owner_files.stdout_lines is defined - invalid_group_owner_files.stdout_lines | length > 0 tags: - file_perms - medium - V-72009 - name: Set proper owner, group owner, and permissions on home directories file: dest: "{{ item.dir }}" owner: "{{ item.name }}" group: "{{ item.group.name }}" mode: "g-ws,o-rwxt" when: - item.uid >= 1000 - item.name != 'nobody' - security_set_home_directory_permissions_and_owners | bool with_items: "{{ user_list.users | selectattr('uid', 'greaterthan', 999) | list }}" tags: - medium - file_perms - V-72017 - V-72019 - V-72021 - name: Find all world-writable directories shell: "find / -perm -002 -type d -exec ls -lLd {} \\; | tr -s ' ' | cut -d' ' -f 4,9 | grep -v ^root" register: world_writable_dirs changed_when: False failed_when: False check_mode: no when: - security_find_world_writable_dirs | bool tags: - always - name: V-72047 - All world-writable directories must be group-owned by root, sys, bin, or an application group. debug: msg: | The group owners on the following world-writable directories should be examined: {{ world_writable_dirs.stdout }} when: - world_writable_dirs is defined - not world_writable_dirs | skipped tags: - medium - file_perms - V-72047 - name: Check if /etc/cron.allow exists stat: path: /etc/cron.allow register: cron_allow_check tags: - always - name: Set owner/group owner on /etc/cron.allow file: path: /etc/cron.allow owner: root group: root when: - cron_allow_check is defined - cron_allow_check.stat.exists tags: - medium - file_perms - V-72053 - V-72055