From 8cdc2853f8406c52b1b70473cabffa5b9de63dd1 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Fri, 22 Jan 2021 14:28:14 +0100
Subject: [PATCH 1/5] rewrite ansible remediation
---
 .../ansible/shared.yml | 51 ++++++++++++++++++-
 1 file changed, 49 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/ansible/shared.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/ansible/shared.yml
index 0aa03aca8fa2..39707ab52bc6 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/ansible/shared.yml
@@ -4,5 +4,52 @@
 # complexity = low
 # disruption = medium
-- name: "Find all world writable files not owned by root on local partitions and change their owner to root"
- shell: find / -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -type d -perm -0002 -uid +0 -exec chown root {} \;
+
+- name: "Configure excluded (non local) file systems"
+ set_fact:
+ excluded_fs:
+ - afs
+ - ceph
+ - cifs
+ - smb3
+ - smbfs
+ - sshfs
+ - ncpfs
+ - ncp
+ - nfs
+ - nfs4
+ - gfs
+ - gfs2
+ - glusterfs
+ - gpfs
+ - pvfs2
+ - ocfs2
+ - lustre
+ - davfs
+ - fuse.sshfs
+
+- name: "Create empty list of excluded paths"
+ set_fact:
+ excluded_paths: "[]"
+
+- name: "Detect nonlocal file systems and add them to excluded paths"
+ set_fact:
+ excluded_paths: "{{ excluded_paths | union([item.mount]) }}"
+ loop: "{{ ansible_mounts }}"
+ when: item.fstype is in excluded_fs
+
+- name: "Find all directories excluding non-local partitions"
+ find:
+ paths: "/"
+ excludes: excluded_paths
+ file_type: directory
+ hidden: yes
+ recurse: yes
+ register: found_dirs
+
+- name: "Change owner to root on directories which are world writable"
+ file:
+ path: '{{ item.path }}'
+ owner: root
+ loop: '{{ found_dirs.files }}'
+ when: item.woth is defined and item.woth is true
From 91739bbcf8b22e90e910bf43a4d8a1c4164796c7 Mon Sep 17 00:00:00 2001
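Review bot: `excludes: excluded_paths` in the "Find all directories excluding non-local partitions" task hands the find module the literal string `excluded_paths`, not the variable built by the two preceding tasks, so no mount point is ever excluded; it should read `excludes: "{{ excluded_paths }}"`. Even once templated, the find module's `excludes` is, as far as I recall the module documentation, matched against item basenames and does not prune recursion, so a mount such as a stale NFS or sshfs tree is still walked and can stall the whole remediation — the `-fstype` filtering of the removed shell line probably needs a different mechanism here (for example running the search per local mount point taken from `ansible_mounts`); worth verifying against the target Ansible version. Relatedly, `excluded_paths: "[]"` initialises the fact as a string rather than a list, while the later `union` filter expects a list, so `excluded_paths: []` is the safer form. `hidden: yes` and `recurse: yes` should be spelled `true` to avoid YAML 1.1 truthy values. The later patches in this series only touch the `when:` lines of this file and leave these lines as they are.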
From: Vojtech Polasek
Date: Fri, 22 Jan 2021 14:28:46 +0100
Subject: [PATCH 2/5] rename tests
---
 .../tests/{all_files_ok.pass.sh => all_dirs_ok.pass.sh} | 0
 ...by_uid_2.fail.sh => world_writable_dir_owned_by_uid_2.fail.sh} | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/tests/{all_files_ok.pass.sh => all_dirs_ok.pass.sh} (100%)
 rename linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/tests/{world_writable_file_owned_by_uid_2.fail.sh => world_writable_dir_owned_by_uid_2.fail.sh} (100%)
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/tests/all_files_ok.pass.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/tests/all_dirs_ok.pass.sh
similarity index 100%
rename from linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/tests/all_files_ok.pass.sh
rename to linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/tests/all_dirs_ok.pass.sh
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/tests/world_writable_file_owned_by_uid_2.fail.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/tests/world_writable_dir_owned_by_uid_2.fail.sh
similarity index 100%
rename from linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/tests/world_writable_file_owned_by_uid_2.fail.sh
rename to linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/tests/world_writable_dir_owned_by_uid_2.fail.sh
From 106b3a15340a93b5294f91b01414b9f653f0f3b9 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Fri, 22 Jan 2021 14:41:26 +0100
Subject: [PATCH 3/5] add fuse.sshfs to excluded file systems
---
 .../files/dir_perms_world_writable_root_owned/bash/shared.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/bash/shared.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/bash/shared.sh
index 808170251cdc..0e120f9643ba 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/bash/shared.sh
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/bash/shared.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
 # platform = Red Hat Virtualization 4,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Fedora,Oracle Linux 7,Oracle Linux 8,WRLinux 1019
-find / -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -type d -perm -0002 -uid +0 -exec chown root {} \;
+find / -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -not -fstype fuse.sshfs -type d -perm -0002 -uid +0 -exec chown root {} \;
From 6b6ccc8e9e4af4fca4af0979b0a3dd92ebb9e06b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 25 Jan 2021 09:16:01 +0100
Subject: [PATCH 4/5] small fixes to ansible
---
 .../dir_perms_world_writable_root_owned/ansible/shared.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/ansible/shared.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/ansible/shared.yml
index 39707ab52bc6..85ec1907665a 100644
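Review bot: The added `-not -fstype fuse.sshfs`, like the other `-not -fstype` tests on this line, only filters matches; find still descends into the excluded mount, so an unresponsive sshfs or NFS mount can still block the remediation and the walk does useless work on remote trees. Pruning at the mount point avoids both: group the filesystem tests and stop there, `find / \( -fstype afs -o -fstype ceph -o ... -o -fstype fuse.sshfs \) -prune -o -type d -perm -0002 -uid +0 -exec chown root {} \;`, keeping the existing list of types inside the group. A short comment above the line naming why the list is maintained by hand (and that the ansible remediation in this series keeps a separate copy of it) would help the next person who adds a type to only one of them.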
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/ansible/shared.yml
@@ -7,7 +7,7 @@
 - name: "Configure excluded (non local) file systems"
 set_fact:
- excluded_fs:
+ excluded_fstypes:
 - afs
 - ceph
 - cifs
@@ -36,7 +36,7 @@
 set_fact:
 excluded_paths: "{{ excluded_paths | union([item.mount]) }}"
 loop: "{{ ansible_mounts }}"
- when: item.fstype is in excluded_fs
+ when: item.fstype is in excluded_fstypes
 - name: "Find all directories excluding non-local partitions"
 find:
@@ -52,4 +52,4 @@
 path: '{{ item.path }}'
 owner: root
 loop: '{{ found_dirs.files }}'
- when: item.woth is defined and item.woth is true
+ when: item.woth is true
From c1a4898083aa7576b09baf784f8fb714e481dac0 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 25 Jan 2021 11:12:28 +0100
Subject: [PATCH 5/5] fix ansible incompatibilities
---
 .../dir_perms_world_writable_root_owned/ansible/shared.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/ansible/shared.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/ansible/shared.yml
index 85ec1907665a..d5c0a647816d 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/ansible/shared.yml
@@ -36,7 +36,7 @@
 set_fact:
 excluded_paths: "{{ excluded_paths | union([item.mount]) }}"
 loop: "{{ ansible_mounts }}"
- when: item.fstype is in excluded_fstypes
+ when: item.fstype in excluded_fstypes
 - name: "Find all directories excluding non-local partitions"
 find:
@@ -52,4 +52,4 @@
 path: '{{ item.path }}'
 owner: root
 loop: '{{ found_dirs.files }}'
- when: item.woth is true
+ when: item.woth
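Review bot: The final `when: item.woth` in the `@@ -52,4 +52,4 @@` hunk of patch 5 (and its intermediate `item.woth is true` form in patch 4) selects every world-writable directory, including those already owned by root, whereas the bash remediation in this series restricts itself with `-uid +0`; `when: item.woth and item.uid != 0` keeps the two remediations equivalent and stops the file task from iterating over directories it will never change. The find module's per-file results carry the stat fields next to `woth`, so `item.uid` should be available, but confirm that on the Ansible versions the project supports. The enclosing task starts before the hunk, so the `loop:` it depends on is only partly visible here.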