From 4b50ad4b4621f9eb20c68d60a47213213c250015 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Fri, 29 Jan 2021 16:04:11 +0100
Subject: [PATCH 1/5] remove bogus output of ansible remediation for dir_perms_world_writable_root_owned
---
 .../ansible/shared.yml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/ansible/shared.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/ansible/shared.yml
index 893bc9e713c8..ec697f5b60e1 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/ansible/shared.yml
@@ -47,9 +47,17 @@
 recurse: yes
 register: found_dirs
+- name: "Create list of world writable directories"
+ set_fact:
+ world_writable_dirs: "{{ found_dirs.files | selectattr('woth') | list }}"
+
+- name: "debug"
+ debug:
+ msg: "{{ world_writable_dirs }}"
+
 - name: "Change owner to root on directories which are world writable"
 file:
 path: '{{ item.path }}'
 owner: root
- loop: '{{ found_dirs.files }}'
- when: item.woth
+ loop: '{{ world_writable_dirs }}'
+ ignore_errors: yes
From 274e50c0c7b002b514dd03bbd746648dc18cc1a6 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Fri, 29 Jan 2021 17:16:39 +0100
Subject: [PATCH 2/5] change ansible remediation back to shell command
previous implementation was causing dead ansible workers
---
 .../ansible/shared.yml | 63 ++++---------------
 1 file changed, 11 insertions(+), 52 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
index 190351af363e..103e09c23c7e 100644
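Review bot: `ignore_errors: yes` on the `file` task hides every failure of the chown, so a world-writable directory that cannot be re-owned (read-only mount, immutable attribute, path gone since the `find`) is skipped without a failed task, and a remediation run can end green while the finding persists. If the only case worth tolerating is a directory that vanished between the two tasks, keep the other errors visible by registering the result (`register: chown_result`) and writing a `failed_when` that excludes only that message, or drop `ignore_errors` and let the failure surface; `yes` should also be the canonical `true`. The `find` task whose tail (`recurse: yes`, `register: found_dirs`) opens this hunk starts above it.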
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
@@ -4,57 +4,15 @@
 # complexity = low
 # disruption = low
-- name: "Configure excluded (non local) file systems"
- set_fact:
- excluded_fstypes:
- - afs
- - ceph
- - cifs
- - smb3
- - smbfs
- - sshfs
- - ncpfs
- - ncp
- - nfs
- - nfs4
- - gfs
- - gfs2
- - glusterfs
- - gpfs
- - pvfs2
- - ocfs2
- - lustre
- - davfs
- - fuse.sshfs
-
-- name: "Create empty list of excluded paths"
- set_fact:
- excluded_paths: []
-
-- name: "Create empty list of suid / sgid binaries"
- set_fact:
- suid_sgid_binaries: []
-
-- name: "Detect nonlocal file systems and add them to excluded paths"
- set_fact:
- excluded_paths: "{{ excluded_paths | union([item.mount]) }}"
- loop: "{{ ansible_mounts }}"
- when: item.fstype in excluded_fstypes
-
-- name: "Find all files excluding non-local partitions"
- find:
- paths: "/"
- excludes: excluded_paths
- file_type: file
- hidden: yes
- recurse: yes
- register: found_files
-
-- name: "construct list of suid or sgid binaries"
- set_fact:
- suid_sgid_binaries: "{{ suid_sgid_binaries | union([item.path]) }}"
- when: item.mode is match("2.*") or item.mode is match("4.*")
- loop: '{{ found_files.files }}'
+- name: Search for privileged commands
+ shell: find / -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
+ args:
+ warn: False
+ executable: /bin/bash
+ check_mode: no
+ register: find_result
+ changed_when: false
+ failed_when: false
 # Inserts/replaces the rule in /etc/audit/rules.d
@@ -64,7 +22,8 @@
 recurse: no
 contains: "^.*path={{ item }} .*$"
 patterns: "*.rules"
- loop: "{{ suid_sgid_binaries }}"
+ with_items:
+ - "{{ find_result.stdout_lines }}"
 register: files_result
 - name: Overwrites the rule in rules.d
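Review bot: `failed_when: false` together with `2>/dev/null` on the `shell` task means a `find` that fails outright (binary missing, unreadable `/`, a killed worker) leaves `find_result.stdout_lines` empty, and the tasks below that consume it then install no audit rules while the play reports success. Ansible already captures stderr separately in `find_result.stderr`, so the redirect only discards the diagnostic; drop `2>/dev/null` and tolerate no more than find's partial-error exit, for example `failed_when: find_result.rc != 0 and find_result.stdout_lines | length == 0`, which still accepts unreadable subtrees but fails a run that produced nothing. Minor: `warn: False` and `check_mode: no` should be the canonical lowercase `false`, and the `warn` argument has since been removed from the `shell` module in newer ansible-core, so it will need to go when the supported baseline moves.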
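Review bot: `with_items:` wrapping `find_result.stdout_lines` in a one-element list only iterates the paths because `with_items` flattens one level; the unambiguous form, and the one this hunk removes, is `loop: "{{ find_result.stdout_lines }}"`. The `find` task being changed (its `recurse`/`contains`/`patterns` lines are the first context lines) starts above the hunk, and `- name: Overwrites the rule in rules.d` at the end opens a task that continues below it.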
From 261330d89a00914464e9af43ee595b2319fe9df1 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 1 Feb 2021 08:36:50 +0100
Subject: [PATCH 3/5] remove debug task
---
 .../dir_perms_world_writable_root_owned/ansible/shared.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/ansible/shared.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/ansible/shared.yml
index ec697f5b60e1..b49e8cd0eff3 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/ansible/shared.yml
@@ -51,10 +51,6 @@
 set_fact:
 world_writable_dirs: "{{ found_dirs.files | selectattr('woth') | list }}"
-- name: "debug"
- debug:
- msg: "{{ world_writable_dirs }}"
-
 - name: "Change owner to root on directories which are world writable"
 file:
 path: '{{ item.path }}'
From ddbccc617279a183edd2724ef8c7abae2b8b7aa8 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 1 Feb 2021 09:33:11 +0100
Subject: [PATCH 4/5] fix find command in remediations
---
 .../audit_rules_privileged_commands/ansible/shared.yml | 2 +-
 .../perform_audit_rules_privileged_commands_remediation.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
index 103e09c23c7e..2b01924384f0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
@@ -5,7 +5,7 @@
 # disruption = low
 - name: Search for privileged commands
- shell: find / -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
+ shell: find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o -perm -2000 \) 2> /dev/null
 args:
 warn: False
 executable: /bin/bash
diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
index a072471f1392..66328901b73e 100644
--- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
+++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
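Review bot: `-not \( -fstype … \)` is a test, not a prune, so `find` still walks every remote filesystem it lists and merely omits their entries from the output; a large or slow NFS/CIFS/sshfs share is therefore still traversed in full, which is presumably the same class of stall the series' second commit attributes to the previous implementation. Pruning at the mount point yields the same set of files without descending: `find / \( -fstype afs -o -fstype ceph -o … -o -fstype fuse.sshfs \) -prune -o -type f \( -perm -4000 -o -perm -2000 \) -print 2> /dev/null`. The identical command is duplicated in shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh in this commit and in tests/generate_privileged_commands_rule.sh in the next, so the three copies should move together; the task that owns this `shell:` line continues below the hunk.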
@@ -57,7 +57,7 @@ fi
 # Obtain the list of SUID/SGID binaries on the particular system (split by newline) # into privileged_binaries array
 privileged_binaries=()
-readarray -t privileged_binaries < <(find / -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -not -fstype fuse.sshfs -type f -perm -4000 -o -type f -perm -2000 2>/dev/null)
+readarray -t privileged_binaries < <(find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o -perm -2000 \) 2> /dev/null)
 # Keep list of SUID/SGID binaries that have been already handled within some previous iteration
 declare -a sbinaries_to_skip=()
From 63fc69556e8e17bd0bc30f66144179de9d3374f4 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 1 Feb 2021 09:33:29 +0100
Subject: [PATCH 5/5] fix find command in test
---
 .../tests/generate_privileged_commands_rule.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/generate_privileged_commands_rule.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/generate_privileged_commands_rule.sh
index 6a8d84148946..a8f5d834ccdb 100755
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/generate_privileged_commands_rule.sh
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/generate_privileged_commands_rule.sh
@@ -3,6 +3,6 @@
 AUID=$1
 KEY=$2
 RULEPATH=$3
-for file in $(find / -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -not -fstype fuse.sshfs -type f -perm -4000 -o -type f -perm -2000 2>/dev/null); do
+for file in $(find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o -perm -2000 \) 2> /dev/null); do
 echo "-a always,exit -F path=$file -F auid>=$AUID -F auid!=unset -k $KEY" >> $RULEPATH
 done
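Review bot: `for file in $(find …)` word-splits the command output, so a SUID/SGID path containing whitespace becomes several `$file` values and the generated rule file gets wrong `-F path=` entries; the remediation function reads the same command with `readarray -t`, and this generator should take the same shape so the test checks the same list the remediation builds. Change the loop head to `while IFS= read -r file; do` and the closing line to `done < <(find … 2> /dev/null)`, and quote the redirect target as `>> "$RULEPATH"`. Because this script produces the expected output for the test, a discrepancy here skews what the test accepts rather than what the remediation installs.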