diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md index d0ee43fb1b74..1de4f43b4966 100644 --- a/docs/templates/template_reference.md +++ b/docs/templates/template_reference.md @@ -259,6 +259,8 @@ - **filepath** - File path to be checked. If the file path ends with `/` it describes a directory. Can also be a list of paths. + If **file_regex** is not specified, the rule will only check + and remediate directories. - **filepath_is_regex** - If set to `"true"` the OVAL will consider the value of **filepath** as a regular expression. @@ -294,6 +296,8 @@ they must be of the same length. - **filepath** - File path to be checked. If the file path ends with `/` it describes a directory. Can also be a list of paths. + If **file_regex** is not specified, the rule will only check + and remediate directories. - **filepath_is_regex** - If set to `"true"` the OVAL will consider the value of **filepath** as a regular expression. @@ -329,6 +333,8 @@ they must be of the same length. - **filepath** - File path to be checked. If the file path ends with `/` it describes a directory. Can also be a list of paths. + If **file_regex** is not specified, the rule will only check + and remediate directories. - **filepath_is_regex** - If set to `"true"` the OVAL will consider the value of **filepath** as a regular expression. diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml index b6bc18e8310f..c22f6f8b0a4e 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml @@ -69,5 +69,6 @@ template: - /lib64/ - /usr/lib/ - /usr/lib64/ + recursive: 'true' file_regex: ^.*$ fileuid: '0' 
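Review bot: `recursive: 'true'` is a YAML string, and the templates in this commit consume it as `{{%- if RECURSIVE %}}`; unless the template preprocessing converts it to a boolean (which I cannot see from this diff), any non-empty string, including a future `'false'`, is truthy. If no such normalization exists, comparing explicitly, e.g. `{{%- if RECURSIVE == "true" %}}`, would make the value behave like the `"true"` wording the documentation uses for `filepath_is_regex`. The same value is added to file_permissions_library_dirs/rule.yml.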
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner_within_dir.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner_within_dir.fail.sh
new file mode 100644
index 000000000000..b6f1634368cd
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner_within_dir.fail.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
+
+useradd user_test
+
+TESTDIR="/usr/lib/dir/"
+
+mkdir $TESTDIR
+touch $TESTDIR/test_me
+chown user_test $TESTDIR/test_me
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.fail.sh
new file mode 100644
index 000000000000..174a855fae84
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_symlink.fail.sh
@@ -0,0 +1,16 @@
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
+
+useradd user_test
+
+TESTDIR="/usr/lib/"
+
+# The remediation performs a 'find' followed by a 'chwon'
+# While 'find' doesn't follow symlinks by default, 'chown' does follow,
+# so 'chown' will try to change owner of a non existent file while 'find'
+# pointed out that the symlink has wrong owner.
+ln -s $TESTDIR/mising_test_file $TESTDIR/faulty_symlink
+chown -h user_test $TESTDIR/faulty_symlink
+
+# The Check ignores symlink, so we need to put a reason to run the remediations
+touch $TESTDIR/test_me
+chown user_test $TESTDIR/test_me
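Review bot: `mkdir $TESTDIR`, `touch $TESTDIR/test_me` and the `chown` line leave `$TESTDIR` unquoted, while the remediation this test exercises was just changed to quote `"$file"`; the value has no whitespace so it is a style point, but the tests should follow the same rule, e.g. `mkdir "$TESTDIR"`, `touch "$TESTDIR/test_me"`, `chown user_test "$TESTDIR/test_me"`. The same applies to incorrect_symlink.fail.sh in the next hunk. `TESTDIR` also ends in `/`, so `$TESTDIR/test_me` yields a doubled slash; harmless, but `"${TESTDIR}test_me"` reads cleaner.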
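Review bot: The comment block has a typo, `'chwon'` should be `'chown'`, and since the block explains why `chown -h` was introduced in the bash template it is worth getting right. `mising_test_file` is fine as a deliberately absent target, but it reads like a typo; a comment such as `# dangling symlink: the target intentionally does not exist` makes the intent explicit. The closing comment could also state the pass condition, e.g. `# The check ignores symlinks, so test_me provides the finding; the remediation must then not abort on faulty_symlink`.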
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml index 5a708cf78c33..8535a3f10fe3 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml @@ -70,5 +70,6 @@ template: - /lib64/ - /usr/lib/ - /usr/lib64/ + recursive: 'true' file_regex: ^.*$ filemode: '0755' diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh index 913e75e7b178..7b0320fce482 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh @@ -2,6 +2,5 @@ DIRS="/lib /lib64 /usr/lib /usr/lib64" for dirPath in $DIRS; do - find "$dirPath" -type d -exec chmod go-w '{}' \; find "$dirPath" -type f -exec chmod go+w '{}' \; done diff --git a/shared/templates/file_groupowner/ansible.template b/shared/templates/file_groupowner/ansible.template index 0b4ab594155c..8e8bbde440c0 100644 --- a/shared/templates/file_groupowner/ansible.template +++ b/shared/templates/file_groupowner/ansible.template 
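Review bot: With `recursive: 'true'` next to `file_regex: ^.*$` and `filemode: '0755'`, the check now covers every entry under the four library trees, and the bash remediation (`chmod {{{ FILEMODE }}} "$file"` in file_permissions/bash.template) rewrites each match to exactly 0755. That is a no-op for ordinary libraries, but if any helper binary under these directories legitimately carries a setuid/setgid bit or a stricter mode, a blanket 0755 replaces it; I cannot see the OVAL state from here, so it is worth confirming that the check and the remediation agree on which permission bits are in scope. A test with a 4750 or 0700 file under one of these directories would document the intended outcome either way.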
@@ -5,13 +5,18 @@ # disruption = low {{% for path in FILEPATH %}} -{{% if IS_DIRECTORY and FILE_REGEX %}} +{{% if IS_DIRECTORY %}} +{{% if FILE_REGEX %}} + +- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}{{% if RECURSIVE %}} recursively{{% endif %}} -- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}} find: paths: "{{{ path }}}" patterns: {{{ FILE_REGEX[loop.index0] }}} use_regex: yes +{{% if RECURSIVE %}} + recurse: yes +{{% endif %}} hidden: yes register: files_found @@ -19,18 +24,22 @@ file: path: "{{ item.path }}" group: "{{{ FILEGID }}}" + when: item.gid != {{{ FILEGID }}} with_items: - "{{ files_found.files }}" -{{% elif IS_DIRECTORY and RECURSIVE %}} +{{% else %}} -- name: Ensure group owner on {{{ path }}} recursively +- name: Ensure group owner on {{{ path }}}{{% if RECURSIVE %}} recursively{{% endif %}} file: path: "{{{ path }}}" state: directory +{{% if RECURSIVE %}} recurse: yes +{{% endif %}} group: "{{{ FILEGID }}}" +{{% endif %}} {{% else %}} - name: Test for existence {{{ path }}} diff --git a/shared/templates/file_groupowner/bash.template b/shared/templates/file_groupowner/bash.template index 982d2f3c6a61..f27d098e3ec2 100644 --- a/shared/templates/file_groupowner/bash.template +++ b/shared/templates/file_groupowner/bash.template 
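Review bot: In the new `{{% else %}}` branch, `file:` with `state: directory`, `recurse: yes` and `group:` sets the group on every file and directory below `{{{ path }}}`, while the bash counterpart (`find -L ... -type d -exec chgrp`) touches directories only and the documentation added in this commit says that without `file_regex` the rule only checks and remediates directories. As far as I recall the `file` module has no directory-only recursion, so if directories are the intent the recursive case needs a `find` task with `file_type: directory` feeding a `file` loop, as below; if the broader Ansible behaviour is intended, the docs should say so instead. The same construct is in file_owner/ansible.template and file_permissions/ansible.template, where recursively applying `mode: 0755` to files as well is the larger behavioural difference.
```yaml
{{% else %}}

- name: Ensure group owner on directory {{{ path }}}
  file:
    path: "{{{ path }}}"
    state: directory
    group: "{{{ FILEGID }}}"
{{% if RECURSIVE %}}

- name: Find directories under {{{ path }}} recursively
  find:
    paths: "{{{ path }}}"
    file_type: directory
    recurse: yes
    hidden: yes
  register: dirs_found

- name: Ensure group owner on directories under {{{ path }}}
  file:
    path: "{{ item.path }}"
    group: "{{{ FILEGID }}}"
  when: item.gid != {{{ FILEGID }}}
  with_items:
    - "{{ dirs_found.files }}"
{{% endif %}}
{{% endif %}}
```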
@@ -4,17 +4,25 @@ # complexity = low # disruption = low +{{%- if RECURSIVE %}} +{{% set FIND_RECURSE_ARGS="" %}} +{{%- else %}} +{{% set FIND_RECURSE_ARGS="-maxdepth 1" %}} +{{%- endif %}} + {{% for path in FILEPATH %}} -{{% if IS_DIRECTORY and FILE_REGEX %}} -readarray -t files < <(find {{{ path }}}) +{{%- if IS_DIRECTORY %}} +{{%- if FILE_REGEX %}} +readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} ! -gid {{{ FILEGID }}}) for file in "${files[@]}"; do if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then - chgrp {{{ FILEGID }}} $file + chgrp -h {{{ FILEGID }}} "$file" fi done -{{% elif IS_DIRECTORY and RECURSIVE %}} -find -L {{{ path }}} -type d -exec chgrp {{{ FILEGID }}} {} \; {{% else %}} +find -L {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type d -exec chgrp {{{ FILEGID }}} {} \; +{{%- endif %}} +{{%- else %}} chgrp {{{ FILEGID }}} {{{ path }}} -{{% endif %}} +{{%- endif %}} {{% endfor %}} diff --git a/shared/templates/file_groupowner/oval.template b/shared/templates/file_groupowner/oval.template index 64a494471a88..276965ad77ca 100644 --- a/shared/templates/file_groupowner/oval.template +++ b/shared/templates/file_groupowner/oval.template @@ -32,14 +32,14 @@ {{%- if IS_DIRECTORY -%}} - {{%- if FILE_REGEX %}} + {{%- if RECURSIVE %}} + ^{{{ filepath[:-1] }}} + {{%- else %}} {{{ filepath[:-1] }}} + {{%- endif %}} + {{%- if FILE_REGEX %}} {{{ FILE_REGEX[loop.index0] }}} - {{%- elif RECURSIVE %}} - {{{ filepath[:-1] }}} - {{%- else %}} - {{{ filepath[:-1] }}} {{%- endif %}} {{%- else %}} diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template index dba9e65a2774..a0d6c51c6139 100644 --- a/shared/templates/file_owner/ansible.template +++ b/shared/templates/file_owner/ansible.template 
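Review bot: In the new `{{%- else %}}` branch the non-recursive case renders `find -L {{{ path }}} -maxdepth 1 -type d -exec chgrp ...`, which changes the group of `{{{ path }}}` and of every immediate subdirectory, whereas before this commit the same inputs (directory, no file_regex, not recursive) ran `chgrp {{{ FILEGID }}} {{{ path }}}` on the directory alone; if the directory itself is the intent, that branch needs `-maxdepth 0` rather than the shared `FIND_RECURSE_ARGS`. The same construct appears in file_owner/bash.template and file_permissions/bash.template. Separately, the commit quotes `"$file"` on the `chgrp -h` line but leaves `basename $file` on the unchanged line above unquoted; `basename "$file"` keeps the two consistent. `readarray -t` splits on newlines, so a filename containing a newline is mis-split; acceptable for the system directories these rules target, but a one-line comment noting the limitation would help.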
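Review bot: The recursive branch emits `^{{{ filepath[:-1] }}}` as the path value; the enclosing element is stripped in this view, so I am assuming it is a pattern-match operation, and if so an unterminated prefix such as `^/usr/lib` also matches `/usr/lib64`, `/usr/libexec` and any other sibling sharing the prefix, so unrelated trees get checked. For the rule in this commit the overlap with `/lib64` and `/usr/lib64` is benign because they are in the list anyway, but the template is shared. Anchoring to the directory and its contents, `^{{{ filepath[:-1] }}}(/.*)?$`, limits the match to the intended subtree; whether the value also needs regex escaping depends on what `filepath` may contain. The same construct appears in file_owner/oval.template and file_permissions/oval.template.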
@@ -5,32 +5,41 @@ # disruption = low {{% for path in FILEPATH %}} -{{% if IS_DIRECTORY and FILE_REGEX %}} +{{% if IS_DIRECTORY %}} +{{% if FILE_REGEX %}} + +- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}{{% if RECURSIVE %}} recursively{{% endif %}} -- name: Find {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}} find: paths: "{{{ path }}}" patterns: {{{ FILE_REGEX[loop.index0] }}} use_regex: yes +{{% if RECURSIVE %}} + recurse: yes +{{% endif %}} hidden: yes register: files_found -- name: Ensure group owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}} +- name: Ensure owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}} file: path: "{{ item.path }}" owner: "{{{ FILEUID }}}" + when: item.uid != {{{ FILEUID }}} with_items: - "{{ files_found.files }}" -{{% elif IS_DIRECTORY and RECURSIVE %}} +{{% else %}} -- name: Ensure owner on {{{ path }}} recursively +- name: Ensure owner on directory {{{ path }}}{{% if RECURSIVE %}} recursively{{% endif %}} file: path: "{{{ path }}}" state: directory +{{% if RECURSIVE %}} recurse: yes +{{% endif %}} owner: "{{{ FILEUID }}}" +{{% endif %}} {{% else %}} - name: Test for existence {{{ path }}} diff --git a/shared/templates/file_owner/bash.template b/shared/templates/file_owner/bash.template index 27b5a2addbf7..07dc5f66997b 100644 --- a/shared/templates/file_owner/bash.template +++ b/shared/templates/file_owner/bash.template 
@@ -4,17 +4,25 @@ # complexity = low # disruption = low +{{%- if RECURSIVE %}} +{{% set FIND_RECURSE_ARGS="" %}} +{{%- else %}} +{{% set FIND_RECURSE_ARGS="-maxdepth 1" %}} +{{%- endif %}} + {{% for path in FILEPATH %}} -{{% if IS_DIRECTORY and FILE_REGEX %}} -readarray -t files < <(find {{{ path }}}) +{{%- if IS_DIRECTORY %}} +{{%- if FILE_REGEX %}} +readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}} ! -uid {{{ FILEUID }}}) for file in "${files[@]}"; do if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then - chown {{{ FILEUID }}} $file + chown -h {{{ FILEUID }}} "$file" fi done -{{% elif IS_DIRECTORY and RECURSIVE %}} -find -L {{{ path }}} -type d -exec chown {{{ FILEUID }}} {} \; -{{% else %}} +{{%- else %}} +find -L {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type d -exec chown {{{ FILEUID }}} {} \; +{{%- endif %}} +{{%- else %}} chown {{{ FILEUID }}} {{{ path }}} -{{% endif %}} +{{%- endif %}} {{% endfor %}} diff --git a/shared/templates/file_owner/oval.template b/shared/templates/file_owner/oval.template index 777831d790d2..090ea49863a6 100644 --- a/shared/templates/file_owner/oval.template +++ b/shared/templates/file_owner/oval.template @@ -31,14 +31,14 @@ {{%- if IS_DIRECTORY -%}} - {{%- if FILE_REGEX %}} + {{%- if RECURSIVE %}} + ^{{{ filepath[:-1] }}} + {{%- else %}} {{{ filepath[:-1] }}} + {{%- endif %}} + {{%- if FILE_REGEX %}} {{{ FILE_REGEX[loop.index0] }}} - {{%- elif RECURSIVE %}} - {{{ filepath[:-1] }}} - {{%- else %}} - {{{ filepath[:-1] }}} {{%- endif %}} {{%- else %}} diff --git a/shared/templates/file_permissions/ansible.template b/shared/templates/file_permissions/ansible.template index 6d4dedcee511..4570ace9471d 100644 --- a/shared/templates/file_permissions/ansible.template +++ b/shared/templates/file_permissions/ansible.template 
@@ -5,13 +5,18 @@ # disruption = low {{% for path in FILEPATH %}} -{{% if IS_DIRECTORY and FILE_REGEX %}} +{{% if IS_DIRECTORY %}} +{{% if FILE_REGEX %}} + +- name: Find {{{ path }}} file(s){{% if RECURSIVE %}} recursively{{% endif %}} -- name: Find {{{ path }}} file(s) find: paths: "{{{ path }}}" patterns: {{{ FILE_REGEX[loop.index0] }}} use_regex: yes +{{% if RECURSIVE %}} + recurse: yes +{{% endif %}} hidden: yes register: files_found @@ -19,18 +24,22 @@ file: path: "{{ item.path }}" mode: "{{{ FILEMODE }}}" + when: item.mode != '{{{ FILEMODE}}}' with_items: - "{{ files_found.files }}" -{{% elif IS_DIRECTORY and RECURSIVE %}} +{{% else %}} -- name: Set permissions for {{{ path }}} recursively +- name: Set permissions for {{{ path }}}{{% if RECURSIVE %}} recursively{{% endif %}} file: path: "{{{ path }}}" state: directory +{{% if RECURSIVE %}} recurse: yes +{{% endif %}} mode: "{{{ FILEMODE }}}" +{{% endif %}} {{% else %}} - name: Test for existence {{{ path }}} diff --git a/shared/templates/file_permissions/bash.template b/shared/templates/file_permissions/bash.template index e0d8fe95c4f0..78e8a4557c3a 100644 --- a/shared/templates/file_permissions/bash.template +++ b/shared/templates/file_permissions/bash.template 
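Review bot: The new `when: item.mode != '{{{ FILEMODE}}}'` is missing the space before `}}}` that every other expansion in these templates has; `'{{{ FILEMODE }}}'` keeps it consistent, assuming the template engine accepts both forms. This is a string comparison against the `mode` the `find` module reports, which as far as I recall is a four-digit octal string, so a `filemode` given as `755` rather than `0755` would never compare equal and the task would run on every file as before; a comment stating that `filemode` must be four digits, or normalizing it in the template, would prevent that.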
@@ -4,17 +4,25 @@ # complexity = low # disruption = low +{{%- if RECURSIVE %}} +{{% set FIND_RECURSE_ARGS="" %}} +{{%- else %}} +{{% set FIND_RECURSE_ARGS="-maxdepth 1" %}} +{{%- endif %}} + {{% for path in FILEPATH %}} -{{% if IS_DIRECTORY and FILE_REGEX %}} -readarray -t files < <(find {{{ path }}}) +{{%- if IS_DIRECTORY %}} +{{%- if FILE_REGEX %}} +readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}}) for file in "${files[@]}"; do if basename $file | grep -qE '{{{ FILE_REGEX[loop.index0] }}}'; then - chmod {{{ FILEMODE }}} $file + chmod {{{ FILEMODE }}} "$file" fi done -{{% elif IS_DIRECTORY and RECURSIVE %}} -find -L {{{ path }}} -type d -exec chmod {{{ FILEMODE }}} {} \; -{{% else %}} +{{%- else %}} +find -L {{{ path }}} {{{ FIND_RECURSE_ARGS }}} -type d -exec chmod {{{ FILEMODE }}} {} \; +{{%- endif %}} +{{%- else %}} chmod {{{ FILEMODE }}} {{{ path }}} -{{% endif %}} +{{%- endif %}} {{% endfor %}} diff --git a/shared/templates/file_permissions/oval.template b/shared/templates/file_permissions/oval.template index 6b3616a7f428..a22bb1046877 100644 --- a/shared/templates/file_permissions/oval.template +++ b/shared/templates/file_permissions/oval.template @@ -45,14 +45,14 @@ {{%- if IS_DIRECTORY %}} - {{%- if FILE_REGEX %}} + {{%- if RECURSIVE %}} + ^{{{ filepath[:-1] }}} + {{%- else %}} {{{ filepath[:-1] }}} + {{%- endif %}} + {{%- if FILE_REGEX %}} {{{ FILE_REGEX[loop.index0] }}} - {{%- elif RECURSIVE %}} - {{{ filepath[:-1] }}} - {{%- else %}} - {{{ filepath[:-1] }}} {{%- endif %}} {{%- else %}}
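Review bot: The new `readarray -t files < <(find {{{ path }}} {{{ FIND_RECURSE_ARGS }}})` has no predicate, so unlike the sibling templates in this commit (`! -uid`, `! -gid`) it feeds every entry of the tree to `chmod`, and with `recursive: 'true'` and `file_regex: ^.*$` now set on the library-dir rule that is an unconditional chmod of every file under /lib, /lib64, /usr/lib and /usr/lib64. Beyond run time, each chmod updates the inode ctime even when the mode is unchanged (I believe chmod does not short-circuit on an equal mode), which will show up as a mass change in file-integrity monitoring after remediation. A `find` predicate mirroring the ownership filter would limit this to non-compliant entries; `! -perm {{{ FILEMODE }}}` is the exact-mode form, but it would also select files with a stricter mode, so the predicate should match whichever bits the OVAL check actually tests.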