Add multiple owner support to file_owner template #13192
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Hi @ericeberry. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Member
|
Would be possible to merge this functionally into the existing |
784d8e6 to
b3a155b
Compare
|
This datastream diff is auto generated by the check Click here to see the trimmed diffbash remediation for rule 'xccdf_org.ssgproject.content_rule_file_audit_tools_ownership' differs.
--- xccdf_org.ssgproject.content_rule_file_audit_tools_ownership
+++ xccdf_org.ssgproject.content_rule_file_audit_tools_ownership
@@ -1,13 +1,20 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
-chown 0 /sbin/auditctl
-chown 0 /sbin/aureport
-chown 0 /sbin/ausearch
-chown 0 /sbin/autrace
-chown 0 /sbin/auditd
-chown 0 /sbin/rsyslogd
-chown 0 /sbin/augenrules
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+chown $newown /sbin/auditctl
+chown $newown /sbin/aureport
+chown $newown /sbin/ausearch
+chown $newown /sbin/autrace
+chown $newown /sbin/auditd
+chown $newown /sbin/rsyslogd
+chown $newown /sbin/augenrules
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_audit_tools_ownership' differs.
--- xccdf_org.ssgproject.content_rule_file_audit_tools_ownership
+++ xccdf_org.ssgproject.content_rule_file_audit_tools_ownership
@@ -12,6 +12,21 @@
- medium_severity
- no_reboot_needed
+- name: Set the file_audit_tools_ownership_newown variable if represented by uid
+ set_fact:
+ file_audit_tools_ownership_newown: '0'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-86259-9
+ - DISA-STIG-RHEL-08-030630
+ - NIST-800-53-AU-9
+ - configure_strategy
+ - file_audit_tools_ownership
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /sbin/auditctl
stat:
path: /sbin/auditctl
@@ -28,10 +43,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /sbin/auditctl
+- name: Ensure owner on /sbin/auditctl
file:
path: /sbin/auditctl
- owner: '0'
+ owner: '{{ file_audit_tools_ownership_newown }}'
when:
- '"kernel" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
@@ -62,10 +77,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /sbin/aureport
+- name: Ensure owner on /sbin/aureport
file:
path: /sbin/aureport
- owner: '0'
+ owner: '{{ file_audit_tools_ownership_newown }}'
when:
- '"kernel" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
@@ -96,10 +111,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /sbin/ausearch
+- name: Ensure owner on /sbin/ausearch
file:
path: /sbin/ausearch
- owner: '0'
+ owner: '{{ file_audit_tools_ownership_newown }}'
when:
- '"kernel" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
@@ -130,10 +145,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /sbin/autrace
+- name: Ensure owner on /sbin/autrace
file:
path: /sbin/autrace
- owner: '0'
+ owner: '{{ file_audit_tools_ownership_newown }}'
when:
- '"kernel" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
@@ -164,10 +179,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /sbin/auditd
+- name: Ensure owner on /sbin/auditd
file:
path: /sbin/auditd
- owner: '0'
+ owner: '{{ file_audit_tools_ownership_newown }}'
when:
- '"kernel" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
@@ -198,10 +213,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /sbin/rsyslogd
+- name: Ensure owner on /sbin/rsyslogd
file:
path: /sbin/rsyslogd
- owner: '0'
+ owner: '{{ file_audit_tools_ownership_newown }}'
when:
- '"kernel" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
@@ -232,20 +247,20 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /sbin/augenrules
+- name: Ensure owner on /sbin/augenrules
file:
path: /sbin/augenrules
- owner: '0'
- when:
- - '"kernel" in ansible_facts.packages'
- - file_exists.stat is defined and file_exists.stat.exists
- tags:
- - CCE-86259-9
- - DISA-STIG-RHEL-08-030630
- - NIST-800-53-AU-9
- - configure_strategy
- - file_audit_tools_ownership
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
+ owner: '{{ file_audit_tools_ownership_newown }}'
+ when:
+ - '"kernel" in ansible_facts.packages'
+ - file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - CCE-86259-9
+ - DISA-STIG-RHEL-08-030630
+ - NIST-800-53-AU-9
+ - configure_strategy
+ - file_audit_tools_ownership
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
bash remediation for rule 'xccdf_org.ssgproject.content_rule_directory_owner_etc_sudoersd' differs.
--- xccdf_org.ssgproject.content_rule_directory_owner_etc_sudoersd
+++ xccdf_org.ssgproject.content_rule_directory_owner_etc_sudoersd
@@ -1 +1,8 @@
-find -H /etc/sudoers.d/ -maxdepth 1 -type d -exec chown -L 0 {} \;
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+find -H /etc/sudoers.d/ -maxdepth 1 -type d ! -user 0 -exec chown -L $newown {} \;
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_directory_owner_etc_sudoersd' differs.
--- xccdf_org.ssgproject.content_rule_directory_owner_etc_sudoersd
+++ xccdf_org.ssgproject.content_rule_directory_owner_etc_sudoersd
@@ -1,8 +1,6 @@
-- name: Ensure owner on directory /etc/sudoers.d/
- file:
- path: /etc/sudoers.d/
- state: directory
- owner: '0'
+- name: Set the directory_owner_etc_sudoersd_newown variable if represented by uid
+ set_fact:
+ directory_owner_etc_sudoersd_newown: '0'
tags:
- CCE-86355-5
- configure_strategy
@@ -11,3 +9,17 @@
- low_disruption
- medium_severity
- no_reboot_needed
+
+- name: Ensure owner on directory /etc/sudoers.d/
+ file:
+ path: /etc/sudoers.d/
+ state: directory
+ owner: '{{ directory_owner_etc_sudoersd_newown }}'
+ tags:
+ - CCE-86355-5
+ - configure_strategy
+ - directory_owner_etc_sudoersd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_sudoers' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_sudoers
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_sudoers
@@ -1 +1,8 @@
-chown 0 /etc/sudoers
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+chown $newown /etc/sudoers
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_sudoers' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_sudoers
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_sudoers
@@ -1,3 +1,15 @@
+- name: Set the file_owner_etc_sudoers_newown variable if represented by uid
+ set_fact:
+ file_owner_etc_sudoers_newown: '0'
+ tags:
+ - CCE-86416-5
+ - configure_strategy
+ - file_owner_etc_sudoers
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/sudoers
stat:
path: /etc/sudoers
@@ -11,10 +23,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/sudoers
+- name: Ensure owner on /etc/sudoers
file:
path: /etc/sudoers
- owner: '0'
+ owner: '{{ file_owner_etc_sudoers_newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86416-5
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_issue' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_issue
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_issue
@@ -1 +1,8 @@
-chown 0 /etc/issue
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+chown $newown /etc/issue
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_issue' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_issue
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_issue
@@ -1,3 +1,15 @@
+- name: Set the file_owner_etc_issue_newown variable if represented by uid
+ set_fact:
+ file_owner_etc_issue_newown: '0'
+ tags:
+ - CCE-83718-7
+ - configure_strategy
+ - file_owner_etc_issue
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/issue
stat:
path: /etc/issue
@@ -11,10 +23,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/issue
+- name: Ensure owner on /etc/issue
file:
path: /etc/issue
- owner: '0'
+ owner: '{{ file_owner_etc_issue_newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83718-7
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net
@@ -1 +1,8 @@
-chown 0 /etc/issue.net
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+chown $newown /etc/issue.net
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net
@@ -1,3 +1,17 @@
+- name: Set the file_owner_etc_issue_net_newown variable if represented by uid
+ set_fact:
+ file_owner_etc_issue_net_newown: '0'
+ tags:
+ - CCE-86054-4
+ - PCI-DSSv4-1.2
+ - PCI-DSSv4-1.2.8
+ - configure_strategy
+ - file_owner_etc_issue_net
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/issue.net
stat:
path: /etc/issue.net
@@ -13,10 +27,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/issue.net
+- name: Ensure owner on /etc/issue.net
file:
path: /etc/issue.net
- owner: '0'
+ owner: '{{ file_owner_etc_issue_net_newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86054-4
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_motd' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_motd
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_motd
@@ -1 +1,8 @@
-chown 0 /etc/motd
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+chown $newown /etc/motd
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_motd' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_motd
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_motd
@@ -1,3 +1,15 @@
+- name: Set the file_owner_etc_motd_newown variable if represented by uid
+ set_fact:
+ file_owner_etc_motd_newown: '0'
+ tags:
+ - CCE-83738-5
+ - configure_strategy
+ - file_owner_etc_motd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/motd
stat:
path: /etc/motd
@@ -11,10 +23,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/motd
+- name: Ensure owner on /etc/motd
file:
path: /etc/motd
- owner: '0'
+ owner: '{{ file_owner_etc_motd_newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83738-5
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
@@ -1,7 +1,14 @@
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ) && [ ! -d /sys/firmware/efi ] && { ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} ); }; then
-chown 0 /boot/grub2/grub.cfg
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+chown $newown /boot/grub2/grub.cfg
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
@@ -1,6 +1,32 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - CCE-80805-5
+ - CJIS-5.5.2.2
+ - NIST-800-171-3.4.5
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-7.1
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_grub2_cfg
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the file_owner_grub2_cfg_newown variable if represented by uid
+ set_fact:
+ file_owner_grub2_cfg_newown: '0'
+ when:
+ - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
+ - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
+ )
tags:
- CCE-80805-5
- CJIS-5.5.2.2
@@ -44,10 +70,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /boot/grub2/grub.cfg
+- name: Ensure owner on /boot/grub2/grub.cfg
file:
path: /boot/grub2/grub.cfg
- owner: '0'
+ owner: '{{ file_owner_grub2_cfg_newown }}'
when:
- '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
- ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_user_cfg
@@ -1,7 +1,14 @@
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ) && [ ! -d /sys/firmware/efi ] && { ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} ); }; then
-chown 0 /boot/grub2/user.cfg
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+chown $newown /boot/grub2/user.cfg
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_user_cfg
@@ -1,6 +1,32 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - CCE-86015-5
+ - CJIS-5.5.2.2
+ - NIST-800-171-3.4.5
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-7.1
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_user_cfg
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the file_owner_user_cfg_newown variable if represented by uid
+ set_fact:
+ file_owner_user_cfg_newown: '0'
+ when:
+ - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
+ - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
+ )
tags:
- CCE-86015-5
- CJIS-5.5.2.2
@@ -44,10 +70,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /boot/grub2/user.cfg
+- name: Ensure owner on /boot/grub2/user.cfg
file:
path: /boot/grub2/user.cfg
- owner: '0'
+ owner: '{{ file_owner_user_cfg_newown }}'
when:
- '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
- ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
@@ -1,7 +1,14 @@
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ) && [ -d /sys/firmware/efi ]; then
-chown 0 /boot/efi/EFI/redhat/grub.cfg
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+chown $newown /boot/efi/EFI/redhat/grub.cfg
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
@@ -1,6 +1,27 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - CCE-85913-2
+ - CJIS-5.5.2.2
+ - NIST-800-171-3.4.5
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-7.1
+ - configure_strategy
+ - file_owner_efi_grub2_cfg
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the file_owner_efi_grub2_cfg_newown variable if represented by uid
+ set_fact:
+ file_owner_efi_grub2_cfg_newown: '0'
+ when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-85913-2
- CJIS-5.5.2.2
@@ -37,10 +58,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /boot/efi/EFI/redhat/grub.cfg
+- name: Ensure owner on /boot/efi/EFI/redhat/grub.cfg
file:
path: /boot/efi/EFI/redhat/grub.cfg
- owner: '0'
+ owner: '{{ file_owner_efi_grub2_cfg_newown }}'
when:
- '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
@@ -1,7 +1,14 @@
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ) && [ -d /sys/firmware/efi ]; then
-chown 0 /boot/efi/EFI/redhat/user.cfg
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+chown $newown /boot/efi/EFI/redhat/user.cfg
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
@@ -1,6 +1,27 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - CCE-86021-3
+ - CJIS-5.5.2.2
+ - NIST-800-171-3.4.5
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-7.1
+ - configure_strategy
+ - file_owner_efi_user_cfg
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the file_owner_efi_user_cfg_newown variable if represented by uid
+ set_fact:
+ file_owner_efi_user_cfg_newown: '0'
+ when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-86021-3
- CJIS-5.5.2.2
@@ -37,10 +58,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /boot/efi/EFI/redhat/user.cfg
+- name: Ensure owner on /boot/efi/EFI/redhat/user.cfg
file:
path: /boot/efi/EFI/redhat/user.cfg
- owner: '0'
+ owner: '{{ file_owner_efi_user_cfg_newown }}'
when:
- '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
bash remediation for rule 'xccdf_org.ssgproject.content_rule_directory_owner_etc_ipsecd' differs.
--- xccdf_org.ssgproject.content_rule_directory_owner_etc_ipsecd
+++ xccdf_org.ssgproject.content_rule_directory_owner_etc_ipsecd
@@ -1,7 +1,14 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q libreswan; then
-find -H /etc/ipsec.d/ -maxdepth 1 -type d -exec chown -L 0 {} \;
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+find -H /etc/ipsec.d/ -maxdepth 1 -type d ! -user 0 -exec chown -L $newown {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_directory_owner_etc_ipsecd' differs.
--- xccdf_org.ssgproject.content_rule_directory_owner_etc_ipsecd
+++ xccdf_org.ssgproject.content_rule_directory_owner_etc_ipsecd
@@ -1,6 +1,19 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - CCE-86302-7
+ - configure_strategy
+ - directory_owner_etc_ipsecd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the directory_owner_etc_ipsecd_newown variable if represented by uid
+ set_fact:
+ directory_owner_etc_ipsecd_newown: '0'
+ when: '"libreswan" in ansible_facts.packages'
tags:
- CCE-86302-7
- configure_strategy
@@ -14,7 +27,7 @@
file:
path: /etc/ipsec.d/
state: directory
- owner: '0'
+ owner: '{{ directory_owner_etc_ipsecd_newown }}'
when: '"libreswan" in ansible_facts.packages'
tags:
- CCE-86302-7
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_conf' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_conf
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_conf
@@ -1,7 +1,14 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q libreswan; then
-chown 0 /etc/ipsec.conf
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+chown $newown /etc/ipsec.conf
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_conf' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_conf
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_conf
@@ -1,6 +1,19 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - CCE-86389-4
+ - configure_strategy
+ - file_owner_etc_ipsec_conf
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the file_owner_etc_ipsec_conf_newown variable if represented by uid
+ set_fact:
+ file_owner_etc_ipsec_conf_newown: '0'
+ when: '"libreswan" in ansible_facts.packages'
tags:
- CCE-86389-4
- configure_strategy
@@ -24,10 +37,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/ipsec.conf
+- name: Ensure owner on /etc/ipsec.conf
file:
path: /etc/ipsec.conf
- owner: '0'
+ owner: '{{ file_owner_etc_ipsec_conf_newown }}'
when:
- '"libreswan" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_secrets' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_secrets
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_secrets
@@ -1,7 +1,14 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q libreswan; then
-chown 0 /etc/ipsec.secrets
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+chown $newown /etc/ipsec.secrets
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_secrets' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_secrets
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_secrets
@@ -1,6 +1,19 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - CCE-86400-9
+ - configure_strategy
+ - file_owner_etc_ipsec_secrets
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the file_owner_etc_ipsec_secrets_newown variable if represented by uid
+ set_fact:
+ file_owner_etc_ipsec_secrets_newown: '0'
+ when: '"libreswan" in ansible_facts.packages'
tags:
- CCE-86400-9
- configure_strategy
@@ -24,10 +37,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/ipsec.secrets
+- name: Ensure owner on /etc/ipsec.secrets
file:
path: /etc/ipsec.secrets
- owner: '0'
+ owner: '{{ file_owner_etc_ipsec_secrets_newown }}'
when:
- '"libreswan" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
bash remediation for rule 'xccdf_org.ssgproject.content_rule_directory_owner_etc_iptables' differs.
--- xccdf_org.ssgproject.content_rule_directory_owner_etc_iptables
+++ xccdf_org.ssgproject.content_rule_directory_owner_etc_iptables
@@ -1,7 +1,14 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q iptables; then
-find -H /etc/iptables/ -maxdepth 1 -type d -exec chown -L 0 {} \;
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+find -H /etc/iptables/ -maxdepth 1 -type d ! -user 0 -exec chown -L $newown {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_directory_owner_etc_iptables' differs.
--- xccdf_org.ssgproject.content_rule_directory_owner_etc_iptables
+++ xccdf_org.ssgproject.content_rule_directory_owner_etc_iptables
@@ -1,6 +1,19 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - CCE-86429-8
+ - configure_strategy
+ - directory_owner_etc_iptables
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the directory_owner_etc_iptables_newown variable if represented by uid
+ set_fact:
+ directory_owner_etc_iptables_newown: '0'
+ when: '"iptables" in ansible_facts.packages'
tags:
- CCE-86429-8
- configure_strategy
@@ -14,7 +27,7 @@
file:
path: /etc/iptables/
state: directory
- owner: '0'
+ owner: '{{ directory_owner_etc_iptables_newown }}'
when: '"iptables" in ansible_facts.packages'
tags:
- CCE-86429-8
bash remediation for rule 'xccdf_org.ssgproject.content_rule_directory_owner_etc_nftables' differs.
--- xccdf_org.ssgproject.content_rule_directory_owner_etc_nftables
+++ xccdf_org.ssgproject.content_rule_directory_owner_etc_nftables
@@ -1,7 +1,14 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q nftables; then
-find -H /etc/nftables/ -maxdepth 1 -type d -exec chown -L 0 {} \;
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+find -H /etc/nftables/ -maxdepth 1 -type d ! -user 0 -exec chown -L $newown {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_directory_owner_etc_nftables' differs.
--- xccdf_org.ssgproject.content_rule_directory_owner_etc_nftables
+++ xccdf_org.ssgproject.content_rule_directory_owner_etc_nftables
@@ -1,6 +1,19 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - CCE-86311-8
+ - configure_strategy
+ - directory_owner_etc_nftables
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the directory_owner_etc_nftables_newown variable if represented by uid
+ set_fact:
+ directory_owner_etc_nftables_newown: '0'
+ when: '"nftables" in ansible_facts.packages'
tags:
- CCE-86311-8
- configure_strategy
@@ -14,7 +27,7 @@
file:
path: /etc/nftables/
state: directory
- owner: '0'
+ owner: '{{ directory_owner_etc_nftables_newown }}'
when: '"nftables" in ansible_facts.packages'
tags:
- CCE-86311-8
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_crypttab' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_crypttab
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_crypttab
@@ -1 +1,8 @@
-chown 0 /etc/crypttab
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+chown $newown /etc/crypttab
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_crypttab' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_crypttab
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_crypttab
@@ -1,3 +1,15 @@
+- name: Set the file_owner_etc_crypttab_newown variable if represented by uid
+ set_fact:
+ file_owner_etc_crypttab_newown: '0'
+ tags:
+ - CCE-86365-4
+ - configure_strategy
+ - file_owner_etc_crypttab
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/crypttab
stat:
path: /etc/crypttab
@@ -11,10 +23,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/crypttab
+- name: Ensure owner on /etc/crypttab
file:
path: /etc/crypttab
- owner: '0'
+ owner: '{{ file_owner_etc_crypttab_newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86365-4
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_systemmap' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_systemmap
+++ xccdf_org.ssgproject.content_rule_file_owner_systemmap
@@ -1,2 +1,9 @@
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
-find -L /boot/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex '^.*System\.map.*$' -exec chown -L 0 {} \;
+find -L /boot/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex '^.*System\.map.*$' -exec chown -L $newown {} \;
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_systemmap' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_systemmap
+++ xccdf_org.ssgproject.content_rule_file_owner_systemmap
@@ -1,5 +1,17 @@
+- name: Set the file_owner_systemmap_newown variable if represented by uid
+ set_fact:
+ file_owner_systemmap_newown: '0'
+ tags:
+ - CCE-86586-5
+ - configure_strategy
+ - file_owner_systemmap
+ - low_complexity
+ - low_disruption
+ - low_severity
+ - no_reboot_needed
+
- name: Find /boot/ file(s) matching ^.*System\.map.*$
- command: find -L /boot/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended
+ command: find -L /boot/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended
-regex "^.*System\.map.*$"
register: files_found
changed_when: false
@@ -17,7 +29,7 @@
- name: Ensure owner on /boot/ file(s) matching ^.*System\.map.*$
file:
path: '{{ item }}'
- owner: '0'
+ owner: '{{ file_owner_systemmap_newown }}'
state: file
with_items:
- '{{ files_found.stdout_lines }}'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group
@@ -1 +1,8 @@
-chown 0 /etc/group-
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+chown $newown /etc/group-
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group
@@ -1,3 +1,19 @@
+- name: Set the file_owner_backup_etc_group_newown variable if represented by uid
+ set_fact:
+ file_owner_backup_etc_group_newown: '0'
+ tags:
+ - CCE-83473-9
+ - NIST-800-53-AC-6 (1)
+ - PCI-DSS-Req-8.7.c
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_backup_etc_group
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/group-
stat:
path: /etc/group-
@@ -15,10 +31,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/group-
+- name: Ensure owner on /etc/group-
file:
path: /etc/group-
- owner: '0'
+ owner: '{{ file_owner_backup_etc_group_newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83473-9
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow
@@ -1 +1,8 @@
-chown 0 /etc/gshadow-
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+chown $newown /etc/gshadow-
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow
@@ -1,3 +1,17 @@
+- name: Set the file_owner_backup_etc_gshadow_newown variable if represented by uid
+ set_fact:
+ file_owner_backup_etc_gshadow_newown: '0'
+ tags:
+ - CCE-83533-0
+ - NIST-800-53-AC-6 (1)
+ - PCI-DSS-Req-8.7
+ - configure_strategy
+ - file_owner_backup_etc_gshadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/gshadow-
stat:
path: /etc/gshadow-
@@ -13,10 +27,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/gshadow-
+- name: Ensure owner on /etc/gshadow-
file:
path: /etc/gshadow-
- owner: '0'
+ owner: '{{ file_owner_backup_etc_gshadow_newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83533-0
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd
@@ -1 +1,8 @@
-chown 0 /etc/passwd-
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+chown $newown /etc/passwd-
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd
@@ -1,3 +1,19 @@
+- name: Set the file_owner_backup_etc_passwd_newown variable if represented by uid
+ set_fact:
+ file_owner_backup_etc_passwd_newown: '0'
+ tags:
+ - CCE-83326-9
+ - NIST-800-53-AC-6 (1)
+ - PCI-DSS-Req-8.7.c
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_backup_etc_passwd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/passwd-
stat:
path: /etc/passwd-
@@ -15,10 +31,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/passwd-
+- name: Ensure owner on /etc/passwd-
file:
path: /etc/passwd-
- owner: '0'
+ owner: '{{ file_owner_backup_etc_passwd_newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83326-9
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow
@@ -1 +1,8 @@
-chown 0 /etc/shadow-
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+chown $newown /etc/shadow-
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow
@@ -1,3 +1,19 @@
+- name: Set the file_owner_backup_etc_shadow_newown variable if represented by uid
+ set_fact:
+ file_owner_backup_etc_shadow_newown: '0'
+ tags:
+ - CCE-83413-5
+ - NIST-800-53-AC-6 (1)
+ - PCI-DSS-Req-8.7.c
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_backup_etc_shadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/shadow-
stat:
path: /etc/shadow-
@@ -15,10 +31,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/shadow-
+- name: Ensure owner on /etc/shadow-
file:
path: /etc/shadow-
- owner: '0'
+ owner: '{{ file_owner_backup_etc_shadow_newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83413-5
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_group' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_group
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_group
@@ -1 +1,8 @@
-chown 0 /etc/group
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+chown $newown /etc/group
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_group' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_group
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_group
@@ -1,3 +1,21 @@
+- name: Set the file_owner_etc_group_newown variable if represented by uid
+ set_fact:
+ file_owner_etc_group_newown: '0'
+ tags:
+ - CCE-80801-4
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_etc_group
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/group
stat:
path: /etc/group
@@ -17,10 +35,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/group
+- name: Ensure owner on /etc/group
file:
path: /etc/group
- owner: '0'
+ owner: '{{ file_owner_etc_group_newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-80801-4
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow
@@ -1 +1,8 @@
-chown 0 /etc/gshadow
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+chown $newown /etc/gshadow
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow
@@ -1,3 +1,17 @@
+- name: Set the file_owner_etc_gshadow_newown variable if represented by uid
+ set_fact:
+ file_owner_etc_gshadow_newown: '0'
+ tags:
+ - CCE-80802-2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_owner_etc_gshadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/gshadow
stat:
path: /etc/gshadow
@@ -13,10 +27,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/gshadow
+- name: Ensure owner on /etc/gshadow
file:
path: /etc/gshadow
- owner: '0'
+ owner: '{{ file_owner_etc_gshadow_newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-80802-2
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_passwd' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
@@ -1 +1,8 @@
-chown 0 /etc/passwd
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+chown $newown /etc/passwd
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_passwd' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
@@ -1,3 +1,21 @@
+- name: Set the file_owner_etc_passwd_newown variable if represented by uid
+ set_fact:
+ file_owner_etc_passwd_newown: '0'
+ tags:
+ - CCE-80803-0
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_etc_passwd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/passwd
stat:
path: /etc/passwd
@@ -17,10 +35,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/passwd
+- name: Ensure owner on /etc/passwd
file:
path: /etc/passwd
- owner: '0'
+ owner: '{{ file_owner_etc_passwd_newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-80803-0
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_shadow' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_shadow
@@ -1 +1,8 @@
-chown 0 /etc/shadow
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+chown $newown /etc/shadow
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_shadow' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_shadow
@@ -1,3 +1,21 @@
+- name: Set the file_owner_etc_shadow_newown variable if represented by uid
+ set_fact:
+ file_owner_etc_shadow_newown: '0'
+ tags:
+ - CCE-80804-8
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_etc_shadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/shadow
stat:
path: /etc/shadow
@@ -17,10 +35,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/shadow
+- name: Ensure owner on /etc/shadow
file:
path: /etc/shadow
- owner: '0'
+ owner: '{{ file_owner_etc_shadow_newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-80804-8
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_shells' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_shells
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_shells
@@ -1 +1,8 @@
-chown 0 /etc/shells
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+chown $newown /etc/shells
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_shells' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_shells
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_shells
@@ -1,3 +1,17 @@
+- name: Set the file_owner_etc_shells_newown variable if represented by uid
+ set_fact:
+ file_owner_etc_shells_newown: '0'
+ tags:
+ - CCE-87055-0
+ - NIST-800-53-AC-3
+ - NIST-800-53-MP-2
+ - configure_strategy
+ - file_owner_etc_shells
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/shells
stat:
path: /etc/shells
@@ -13,10 +27,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/shells
+- name: Ensure owner on /etc/shells
file:
path: /etc/shells
- owner: '0'
+ owner: '{{ file_owner_etc_shells_newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-87055-0
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_var_log' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_var_log
+++ xccdf_org.ssgproject.content_rule_file_owner_var_log
@@ -1 +1,8 @@
-find -H /var/log/ -maxdepth 1 -type d -exec chown -L 0 {} \;
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+find -H /var/log/ -maxdepth 1 -type d ! -user 0 -exec chown -L $newown {} \;
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_var_log' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_var_log
+++ xccdf_org.ssgproject.content_rule_file_owner_var_log
@@ -1,8 +1,6 @@
-- name: Ensure owner on directory /var/log/
- file:
- path: /var/log/
- state: directory
- owner: '0'
+- name: Set the file_owner_var_log_newown variable if represented by uid
+ set_fact:
+ file_owner_var_log_newown: '0'
tags:
- CCE-83661-9
- DISA-STIG-RHEL-08-010250
@@ -12,3 +10,18 @@
- low_disruption
- medium_severity
- no_reboot_needed
+
+- name: Ensure owner on directory /var/log/
+ file:
+ path: /var/log/
+ state: directory
+ owner: '{{ file_owner_var_log_newown }}'
+ tags:
+ - CCE-83661-9
+ - DISA-STIG-RHEL-08-010250
+ - configure_strategy
+ - file_owner_var_log
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_var_log_messages' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_var_log_messages
+++ xccdf_org.ssgproject.content_rule_file_owner_var_log_messages
@@ -1,3 +1,16 @@
+- name: Set the file_owner_var_log_messages_newown variable if represented by uid
+ set_fact:
+ file_owner_var_log_messages_newown: '0'
+ tags:
+ - CCE-83662-7
+ - DISA-STIG-RHEL-08-010220
+ - configure_strategy
+ - file_owner_var_log_messages
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /var/log/messages
stat:
path: /var/log/messages
@@ -12,10 +25,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /var/log/messages
+- name: Ensure owner on /var/log/messages
file:
path: /var/log/messages
- owner: '0'
+ owner: '{{ file_owner_var_log_messages_newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83662-7
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog
+++ xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog
@@ -1,6 +1,34 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - configure_strategy
+ - file_owner_var_log_syslog
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Check that the syslog user is defined
+ getent:
+ database: passwd
+ key: syslog
+ ignore_errors: true
+ when: '"rsyslog" in ansible_facts.packages'
+ tags:
+ - configure_strategy
+ - file_owner_var_log_syslog
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the file_owner_var_log_syslog_newown variable if syslog found
+ set_fact:
+ file_owner_var_log_syslog_newown: syslog
+ when:
+ - '"rsyslog" in ansible_facts.packages'
+ - ansible_facts.getent_passwd["syslog"] is defined
tags:
- configure_strategy
- file_owner_var_log_syslog
@@ -22,10 +50,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner syslog on /var/log/syslog
+- name: Ensure owner on /var/log/syslog
file:
path: /var/log/syslog
- owner: syslog
+ owner: '{{ file_owner_var_log_syslog_newown }}'
when:
- '"rsyslog" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dir_ownership_binary_dirs' differs.
--- xccdf_org.ssgproject.content_rule_dir_ownership_binary_dirs
+++ xccdf_org.ssgproject.content_rule_dir_ownership_binary_dirs
@@ -1,6 +1,13 @@
-find -H /bin/ -type d -exec chown -L 0 {} \;
-find -H /sbin/ -type d -exec chown -L 0 {} \;
-find -H /usr/bin/ -type d -exec chown -L 0 {} \;
-find -H /usr/sbin/ -type d -exec chown -L 0 {} \;
-find -H /usr/local/bin/ -type d -exec chown -L 0 {} \;
-find -H /usr/local/sbin/ -type d -exec chown -L 0 {} \;
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+find -H /bin/ -type d ! -user 0 -exec chown -L $newown {} \;
+find -H /sbin/ -type d ! -user 0 -exec chown -L $newown {} \;
+find -H /usr/bin/ -type d ! -user 0 -exec chown -L $newown {} \;
+find -H /usr/sbin/ -type d ! -user 0 -exec chown -L $newown {} \;
+find -H /usr/local/bin/ -type d ! -user 0 -exec chown -L $newown {} \;
+find -H /usr/local/sbin/ -type d ! -user 0 -exec chown -L $newown {} \;
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_dir_ownership_binary_dirs' differs.
--- xccdf_org.ssgproject.content_rule_dir_ownership_binary_dirs
+++ xccdf_org.ssgproject.content_rule_dir_ownership_binary_dirs
@@ -1,9 +1,20 @@
+- name: Set the dir_ownership_binary_dirs_newown variable if represented by uid
+ set_fact:
+ dir_ownership_binary_dirs_newown: '0'
+ tags:
+ - configure_strategy
+ - dir_ownership_binary_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Ensure owner on directory /bin/ recursively
file:
path: /bin/
state: directory
recurse: true
- owner: '0'
+ owner: '{{ dir_ownership_binary_dirs_newown }}'
tags:
- configure_strategy
- dir_ownership_binary_dirs
@@ -17,7 +28,7 @@
path: /sbin/
state: directory
recurse: true
- owner: '0'
+ owner: '{{ dir_ownership_binary_dirs_newown }}'
tags:
- configure_strategy
- dir_ownership_binary_dirs
@@ -31,7 +42,7 @@
path: /usr/bin/
state: directory
recurse: true
- owner: '0'
+ owner: '{{ dir_ownership_binary_dirs_newown }}'
tags:
- configure_strategy
- dir_ownership_binary_dirs
@@ -45,7 +56,7 @@
path: /usr/sbin/
state: directory
recurse: true
- owner: '0'
+ owner: '{{ dir_ownership_binary_dirs_newown }}'
tags:
- configure_strategy
- dir_ownership_binary_dirs
@@ -59,7 +70,7 @@
path: /usr/local/bin/
state: directory
recurse: true
- owner: '0'
+ owner: '{{ dir_ownership_binary_dirs_newown }}'
tags:
- configure_strategy
- dir_ownership_binary_dirs
@@ -73,7 +84,7 @@
path: /usr/local/sbin/
state: directory
recurse: true
- owner: '0'
+ owner: '{{ dir_ownership_binary_dirs_newown }}'
tags:
- configure_strategy
- dir_ownership_binary_dirs
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs' differs.
--- xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs
+++ xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs
@@ -1,4 +1,11 @@
-find -H /lib/ -type d -exec chown -L 0 {} \;
-find -H /lib64/ -type d -exec chown -L 0 {} \;
-find -H /usr/lib/ -type d -exec chown -L 0 {} \;
-find -H /usr/lib64/ -type d -exec chown -L 0 {} \;
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+find -H /lib/ -type d ! -user 0 -exec chown -L $newown {} \;
+find -H /lib64/ -type d ! -user 0 -exec chown -L $newown {} \;
+find -H /usr/lib/ -type d ! -user 0 -exec chown -L $newown {} \;
+find -H /usr/lib64/ -type d ! -user 0 -exec chown -L $newown {} \;
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs' differs.
--- xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs
+++ xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs
@@ -1,9 +1,24 @@
+- name: Set the dir_ownership_library_dirs_newown variable if represented by uid
+ set_fact:
+ dir_ownership_library_dirs_newown: '0'
+ tags:
+ - CCE-89021-0
+ - DISA-STIG-RHEL-08-010341
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - configure_strategy
+ - dir_ownership_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Ensure owner on directory /lib/ recursively
file:
path: /lib/
state: directory
recurse: true
- owner: '0'
+ owner: '{{ dir_ownership_library_dirs_newown }}'
tags:
- CCE-89021-0
- DISA-STIG-RHEL-08-010341
@@ -21,7 +36,7 @@
path: /lib64/
state: directory
recurse: true
- owner: '0'
+ owner: '{{ dir_ownership_library_dirs_newown }}'
tags:
- CCE-89021-0
- DISA-STIG-RHEL-08-010341
@@ -39,7 +54,7 @@
path: /usr/lib/
state: directory
recurse: true
- owner: '0'
+ owner: '{{ dir_ownership_library_dirs_newown }}'
tags:
- CCE-89021-0
- DISA-STIG-RHEL-08-010341
@@ -57,7 +72,7 @@
path: /usr/lib64/
state: directory
recurse: true
- owner: '0'
+ owner: '{{ dir_ownership_library_dirs_newown }}'
tags:
- CCE-89021-0
- DISA-STIG-RHEL-08-010341
bash remediation for rule 'xccdf_org.ssgproject.content_rule_directory_owner_etc_sysctld' differs.
--- xccdf_org.ssgproject.content_rule_directory_owner_etc_sysctld
+++ xccdf_org.ssgproject.content_rule_directory_owner_etc_sysctld
@@ -1,7 +1,14 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
-find -H /etc/sysctl.d/ -maxdepth 1 -type d -exec chown -L 0 {} \;
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+find -H /etc/sysctl.d/ -maxdepth 1 -type d ! -user 0 -exec chown -L $newown {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_directory_owner_etc_sysctld' differs.
--- xccdf_org.ssgproject.content_rule_directory_owner_etc_sysctld
+++ xccdf_org.ssgproject.content_rule_directory_owner_etc_sysctld
@@ -1,6 +1,19 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - CCE-86329-0
+ - configure_strategy
+ - directory_owner_etc_sysctld
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the directory_owner_etc_sysctld_newown variable if represented by uid
+ set_fact:
+ directory_owner_etc_sysctld_newown: '0'
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-86329-0
- configure_strategy
@@ -14,7 +27,7 @@
file:
path: /etc/sysctl.d/
state: directory
- owner: '0'
+ owner: '{{ directory_owner_etc_sysctld_newown }}'
when: '"kernel" in ansible_facts.packages'
tags:
- CCE-86329-0
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_library_dirs' differs.
--- xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
+++ xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
@@ -1,8 +1,15 @@
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
-find /lib/ -type f ! -user 0 -regextype posix-extended -regex '^.*$' -exec chown -L 0 {} \;
+find /lib/ -type f ! -user 0 -regextype posix-extended -regex '^.*$' -exec chown -L $newown {} \;
-find /lib64/ -type f ! -user 0 -regextype posix-extended -regex '^.*$' -exec chown -L 0 {} \;
+find /lib64/ -type f ! -user 0 -regextype posix-extended -regex '^.*$' -exec chown -L $newown {} \;
-find /usr/lib/ -type f ! -user 0 -regextype posix-extended -regex '^.*$' -exec chown -L 0 {} \;
+find /usr/lib/ -type f ! -user 0 -regextype posix-extended -regex '^.*$' -exec chown -L $newown {} \;
-find /usr/lib64/ -type f ! -user 0 -regextype posix-extended -regex '^.*$' -exec chown -L 0 {} \;
+find /usr/lib64/ -type f ! -user 0 -regextype posix-extended -regex '^.*$' -exec chown -L $newown {} \;
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_library_dirs' differs.
--- xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
+++ xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
@@ -1,5 +1,22 @@
+- name: Set the file_ownership_library_dirs_newown variable if represented by uid
+ set_fact:
+ file_ownership_library_dirs_newown: '0'
+ tags:
+ - CCE-80807-1
+ - DISA-STIG-RHEL-08-010340
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_ownership_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Find /lib/ file(s) matching ^.*$ recursively
- command: find /lib/ -type f ! -user 0 -regextype posix-extended -regex "^.*$"
+ command: find /lib/ -type f ! -user 0 -regextype posix-extended -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
@@ -21,7 +38,7 @@
- name: Ensure owner on /lib/ file(s) matching ^.*$
file:
path: '{{ item }}'
- owner: '0'
+ owner: '{{ file_ownership_library_dirs_newown }}'
state: file
with_items:
- '{{ files_found.stdout_lines }}'
@@ -40,7 +57,7 @@
- no_reboot_needed
- name: Find /lib64/ file(s) matching ^.*$ recursively
- command: find /lib64/ -type f ! -user 0 -regextype posix-extended -regex "^.*$"
+ command: find /lib64/ -type f ! -user 0 -regextype posix-extended -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
@@ -62,7 +79,7 @@
- name: Ensure owner on /lib64/ file(s) matching ^.*$
file:
path: '{{ item }}'
- owner: '0'
+ owner: '{{ file_ownership_library_dirs_newown }}'
state: file
with_items:
- '{{ files_found.stdout_lines }}'
@@ -81,7 +98,7 @@
- no_reboot_needed
- name: Find /usr/lib/ file(s) matching ^.*$ recursively
- command: find /usr/lib/ -type f ! -user 0 -regextype posix-extended -regex "^.*$"
+ command: find /usr/lib/ -type f ! -user 0 -regextype posix-extended -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
@@ -103,7 +120,7 @@
- name: Ensure owner on /usr/lib/ file(s) matching ^.*$
file:
path: '{{ item }}'
- owner: '0'
+ owner: '{{ file_ownership_library_dirs_newown }}'
state: file
with_items:
- '{{ files_found.stdout_lines }}'
@@ -122,7 +139,8 @@
- no_reboot_needed
- name: Find /usr/lib64/ file(s) matching ^.*$ recursively
- command: find /usr/lib64/ -type f ! -user 0 -regextype posix-extended -regex "^.*$"
+ command: find /usr/lib64/ -type f ! -user 0 -regextype posix-extended -regex
+ "^.*$"
register: files_found
changed_when: false
failed_when: false
@@ -144,7 +162,7 @@
- name: Ensure owner on /usr/lib64/ file(s) matching ^.*$
file:
path: '{{ item }}'
- owner: '0'
+ owner: '{{ file_ownership_library_dirs_newown }}'
state: file
with_items:
- '{{ files_found.stdout_lines }}'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_directory_owner_etc_selinux' differs.
--- xccdf_org.ssgproject.content_rule_directory_owner_etc_selinux
+++ xccdf_org.ssgproject.content_rule_directory_owner_etc_selinux
@@ -1,7 +1,14 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
-find -H /etc/selinux/ -maxdepth 1 -type d -exec chown -L 0 {} \;
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+find -H /etc/selinux/ -maxdepth 1 -type d ! -user 0 -exec chown -L $newown {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_directory_owner_etc_selinux' differs.
--- xccdf_org.ssgproject.content_rule_directory_owner_etc_selinux
+++ xccdf_org.ssgproject.content_rule_directory_owner_etc_selinux
@@ -1,6 +1,19 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - CCE-86270-6
+ - configure_strategy
+ - directory_owner_etc_selinux
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the directory_owner_etc_selinux_newown variable if represented by uid
+ set_fact:
+ directory_owner_etc_selinux_newown: '0'
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-86270-6
- configure_strategy
@@ -14,7 +27,7 @@
file:
path: /etc/selinux/
state: directory
- owner: '0'
+ owner: '{{ directory_owner_etc_selinux_newown }}'
when: '"kernel" in ansible_facts.packages'
tags:
- CCE-86270-6
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_sestatus_conf' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_sestatus_conf
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_sestatus_conf
@@ -1,7 +1,14 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
-chown 0 /etc/sestatus.conf
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+chown $newown /etc/sestatus.conf
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_sestatus_conf' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_sestatus_conf
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_sestatus_conf
@@ -1,6 +1,19 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - CCE-86285-4
+ - configure_strategy
+ - file_owner_etc_sestatus_conf
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the file_owner_etc_sestatus_conf_newown variable if represented by uid
+ set_fact:
+ file_owner_etc_sestatus_conf_newown: '0'
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-86285-4
- configure_strategy
@@ -24,10 +37,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/sestatus.conf
+- name: Ensure owner on /etc/sestatus.conf
file:
path: /etc/sestatus.conf
- owner: '0'
+ owner: '{{ file_owner_etc_sestatus_conf_newown }}'
when:
- '"kernel" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_d' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_cron_d
+++ xccdf_org.ssgproject.content_rule_file_owner_cron_d
@@ -1,7 +1,14 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
-find -H /etc/cron.d/ -maxdepth 1 -type d -exec chown -L 0 {} \;
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+if [[ -z ${newown} ]]; then
+ echo "0 is not a defined user on the system"
+ exit 1
+fi
+find -H /etc/cron.d/ -maxdepth 1 -type d ! -user 0 -exec chown -L $newown {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_d' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_cron_d
+++ xccdf_org.ssgproject.content_rule_file_owner_cron_d
@@ -1,6 +1,23 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - CCE-82272-6
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+
... The diff is trimmed here ... |
|
Change in Ansible Please consider using more suitable Ansible module than |
Contributor
Author
Merge complete |
b3a155b to
3ce8d3d
Compare
|
Change in Ansible Please consider using more suitable Ansible module than |
3ce8d3d to
f9d77a3
Compare
|
Change in Ansible Please consider using more suitable Ansible module than |
mpurg
requested changes
Mar 31, 2025
Contributor
mpurg
left a comment
There was a problem hiding this comment.
Few changes, please have a look.
The title of the PR also needs to be updated since the changes were merged into the file_owner template
...x_os/guide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_auth/rule.yml
Outdated
Show resolved
Hide resolved
...uide/system/permissions/files/permissions_var_log_dir/file_owner_var_log_cloud_init/rule.yml
Outdated
Show resolved
Hide resolved
...e/system/permissions/files/permissions_var_log_dir/file_owner_var_log_localmessages/rule.yml
Outdated
Show resolved
Hide resolved
f9d77a3 to
1acd4f3
Compare
|
Change in Ansible Please consider using more suitable Ansible module than |
1acd4f3 to
27b6aca
Compare
|
Change in Ansible Please consider using more suitable Ansible module than |
27b6aca to
1ba7d49
Compare
|
Change in Ansible Please consider using more suitable Ansible module than |
1ba7d49 to
5e359eb
Compare
|
Change in Ansible Please consider using more suitable Ansible module than |
5e359eb to
387df65
Compare
|
Change in Ansible Please consider using more suitable Ansible module than |
dodys
requested changes
Apr 3, 2025
Updates from code review
387df65 to
5092026
Compare
|
Change in Ansible Please consider using more suitable Ansible module than |
|
Code Climate has analyzed commit 5092026 and detected 8 issues on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.9% (0.0% change). View more on Code Climate. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
Rationale: