Merge fixes from v0.1.61 stabilization into master (#2) #8428
Merged
Although we already exclude the user with username 'nobody', in some systems (at least RHEL7) the user 'nobody' has uid 99, and the user 'nfsnobody' has uid 65534. This patch excludes the user with name nfsnobody from the check on RHEL7 systems.
…_nobody RHEL7 - exclude the user 'nfsnobody' from accounts_users_home_files_*
Introduce new abrt related rules to replace obsolete packages
Key fingerprint: DA7F68E3872D6E7BDCE05225E7EB5F3ACDD9699F
Update RHEL9 auxiliary gpg key to auxiliary key 3
Add test to check if OVAL is verifying ownership of files in directories deeper into the library dirs tree.
In file_owner, file_groupowner and file_permissions template, 'recursive' and 'file_regex' should not be mutually exclusive. The template as it was could not recurse in the specified 'filepath' and match the file against 'file_regex'.
explicit rule ordering for sshd_set_keepalive* and sshd_set_idle_timeout
The remediation performs a 'find' followed by a 'chown'. While 'find' doesn't follow symlinks by default, 'chown' does follow, so 'chown' will try to change owner of a non-existent file while 'find' pointed out that the symlink has wrong owner. While this doesn't affect the result of the evaluation, this avoids messages like these in the HTML report:
chown: cannot dereference '/lib/faulty_symlink': No such file or directory
chown: cannot dereference '/usr/lib/faulty_symlink': No such file or directory
This changes the remediation to only apply the chown command on files that are not compliant, this optimizes the remediation a bit.
Make Ansible remediation of the following templates handle 'file_regex' and 'recurse' independently:
- file_owner
- file_groupowner
- file_permissions
The template deals with files when 'file_regex' is set, otherwise it deals with directories. When 'recurse' is true, the check and remediation will travel down the directory tree, otherwise only the first level is checked.
This not only speeds up the Ansible remediation but also ensures that we only touch files that should be modified.
Make Bash remediation of the following templates handle 'file_regex' and 'recurse' independently:
- file_owner
- file_groupowner
- file_permissions
The following templates act only on files or on directories under the specified filepath.
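The selection logic described in the two commit messages above, as an added, constructed shell example (it is not code from this PR or from the ComplianceAsCode templates): 'file_regex' filters on the basename, 'recurse' only decides whether `find` gets `-maxdepth 1`, and symlinks are never touched because `find` runs without `-L` and `-type f` does not match links. The function names, the fixture tree and the use of GNU `find`/`stat` on Linux are assumptions of this example.

```shell
#!/bin/sh
# Constructed demonstration (not ComplianceAsCode template code) of a
# file_permissions-style remediation that treats 'recurse' and 'file_regex'
# as independent knobs. Assumes GNU find and GNU stat (Linux).

# remediate_file_mode DIR REGEX RECURSE MODE
#   DIR     - the template's 'filepath'
#   REGEX   - extended regex matched against each file's basename ('file_regex')
#   RECURSE - "true" to descend into subdirectories, anything else = first level only
#   MODE    - octal mode to enforce, e.g. 0640
# Prints every path whose mode was changed, one per line. Files already at
# MODE are left alone, so the output is a record of what actually changed.
remediate_file_mode() {
    _dir=$1; _regex=$2; _recurse=$3; _mode=$4
    if [ "$_recurse" = "true" ]; then
        _depth=""
    else
        _depth="-maxdepth 1"
    fi
    # No -L: symlinks are not followed, and -type f never matches a symlink,
    # so a dangling link (or a link into /usr/bin) is simply not in the list.
    # _depth is intentionally left unquoted so it word-splits into two args.
    # shellcheck disable=SC2086
    find "$_dir" $_depth -type f -print | while IFS= read -r _path; do
        basename "$_path" | grep -qE "$_regex" || continue
        _cur=$(stat -c %a "$_path")            # e.g. 600 (no leading zero)
        if [ "$_cur" != "${_mode#0}" ]; then   # compare without the leading 0
            chmod "$_mode" "$_path" && printf '%s\n' "$_path"
        fi
    done
}

# build_demo_tree DIR: constructed fixture covering the cases from the commit
# messages: a first-level match, a non-matching file, a nested match and a
# dangling symlink whose name matches the regex.
build_demo_tree() {
    mkdir -p "$1/sub"
    : > "$1/a.rules";     chmod 600 "$1/a.rules"
    : > "$1/notes.txt";   chmod 600 "$1/notes.txt"
    : > "$1/sub/b.rules"; chmod 600 "$1/sub/b.rules"
    ln -s /nonexistent/target "$1/dangling.rules"
}

# mode_of PATH: current mode as printed by stat (e.g. 640)
mode_of() { stat -c %a "$1"; }

# demo: run the remediation twice against a temporary copy of the fixture,
# first without and then with recursion, and show what each pass changed.
demo() {
    _t=$(mktemp -d)
    build_demo_tree "$_t"
    echo "first level only (expect only a.rules):"
    remediate_file_mode "$_t" '\.rules$' false 0640
    echo "recursive (a.rules is now compliant, expect only sub/b.rules):"
    remediate_file_mode "$_t" '\.rules$' true 0640
    rm -rf "$_t"
}

demo
```

The dangling `dangling.rules` link matches the regex by name but is never listed or chmodded, which is exactly the expectation the later test commit sets for symlinks; the nested file is only reached when the recurse flag is true.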
Add beginning of string anchor to optimize regular expression matching.
After templates file_owner, file_groupowner and file_permissions were updated to handle simultaneous use of `recurse` and `file_regex` in commit 4c71f7e and 4c71f7e, the rule file_permissions_library_dirs changed to only handle file permissions, not directory permissions (which is kind of expected). The rule for directories is dir_permissions_library_dirs.
Surround mode with quotes so it is interpreted as string
…se_and_symlink File owners, groupowners, permissions should be able to recurse and file_regex
The remediations should remediate regular files. No symlinks or the files they are pointing to should be changed. There are symlinks in `/lib/.build-id/` that point to installed binaries. For example (the IDs will vary):
'/lib/.build-id/a4/67cb9c8fa7306d41b96a820b0178f3a9c66055' -> '../../../../usr/bin/passwd'
'/lib/.build-id/a4/8e8ae0d029dbbc1c1b0bb0fcea424860a6c412' -> '../../../../usr/bin/sudo'
'/lib/.build-id/a4/2c53d4543f5c0bb8db47d65e4b766d12f3b7bd' -> '../../../../usr/lib64/python3.9/lib-dynload/_lsprof.cpython-39-x86_64-linux-gnu.so'
This test sets expectation on behavior of the rule. Symlinks are ignored, even when they have a non-compliant owner and point to nowhere.
…_shall_act_on_files File permissions library dirs shall act on files when 'file_regex' is set
In rule 'file_permissions_library_dirs', when navigating '/lib', the
task finds hardlinks and trips on them:
"failed: [rhel9] (item={'path': '/lib/locale/en_AG/LC_COLLATE', 'mode':
'0644' .... "msg": "src is required for creating new hardlinks"}"
This ensures that the Ansible task acts on regular files, and not on
the hardlink or symlinks.
…-hardlink-issue Ansible: When 'file_regex` is set, only operate on files
Exclude user `nfsnobody` when checking home directories
This datastream diff is auto generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration' differs:
--- old datastream
+++ new datastream
@@ -1,19 +1,18 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q audit; then
-readarray -t files < <(find /etc/audit/)
+readarray -t files < <(find /etc/audit/ -maxdepth 1 -type f ! -gid 0)
for file in "${files[@]}"; do
- if basename $file | grep -qE '^audit(\.rules|d\.conf)$'; then
- chgrp 0 $file
+ if basename "$file" | grep -qE '^audit(\.rules|d\.conf)$'; then
+ chgrp 0 "$file"
fi
done
-
-readarray -t files < <(find /etc/audit/rules.d/)
+readarray -t files < <(find /etc/audit/rules.d/ -maxdepth 1 -type f ! -gid 0)
for file in "${files[@]}"; do
- if basename $file | grep -qE '^.*\.rules$'; then
- chgrp 0 $file
+ if basename "$file" | grep -qE '^.*\.rules$'; then
+ chgrp 0 "$file"
fi
done
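Review bot: the `! -gid 0` pre-filter is the right direction, but `readarray -t files < <(find ...)` still splits the listing on newlines, so a file name containing a newline is mangled; `find ... -print0 | while IFS= read -r -d '' file` keeps the same shape and stays newline-safe (and unlike `readarray -d ''` it also works on the bash 4.2 shipped with RHEL7, which this PR explicitly still supports). Since `-maxdepth 1 -type f ! -gid 0` now does the selection, the per-file `basename "$file" | grep -qE` could move into find as well (`-regextype posix-extended -regex '.*/audit(\.rules|d\.conf)'`), saving two forks per file.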
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration' differs:
--- old datastream
+++ new datastream
@@ -29,9 +29,12 @@
file:
path: '{{ item.path }}'
group: '0'
+ state: file
+ when:
+ - '"audit" in ansible_facts.packages'
+ - item.gid != 0
with_items:
- '{{ files_found.files }}'
- when: '"audit" in ansible_facts.packages'
tags:
- configure_strategy
- file_groupownership_audit_configuration
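Review bot: the added `state: file` deserves a comment in the template, because its purpose is not visible from the task itself: without an explicit state the `file` module infers one from the existing path and treats a regular file whose link count is above one as a hard link, which is where the `src is required for creating new hardlinks` failure quoted in the commit message comes from. One line next to `state: file` saying "explicit so that files with multiple links are not handled as hard links" would spare the next reader a trip through the module source.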
@@ -60,9 +63,12 @@
file:
path: '{{ item.path }}'
group: '0'
+ state: file
+ when:
+ - '"audit" in ansible_facts.packages'
+ - item.gid != 0
with_items:
- '{{ files_found.files }}'
- when: '"audit" in ansible_facts.packages'
tags:
- configure_strategy
- file_groupownership_audit_configuration
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration' differs:
--- old datastream
+++ new datastream
@@ -1,19 +1,17 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q audit; then
-readarray -t files < <(find /etc/audit/)
+readarray -t files < <(find /etc/audit/ -maxdepth 1 -type f ! -uid 0)
for file in "${files[@]}"; do
- if basename $file | grep -qE '^audit(\.rules|d\.conf)$'; then
- chown 0 $file
+ if basename "$file" | grep -qE '^audit(\.rules|d\.conf)$'; then
+ chown 0 "$file"
fi
done
-
-
-readarray -t files < <(find /etc/audit/rules.d/)
+readarray -t files < <(find /etc/audit/rules.d/ -maxdepth 1 -type f ! -uid 0)
for file in "${files[@]}"; do
- if basename $file | grep -qE '^.*\.rules$'; then
- chown 0 $file
+ if basename "$file" | grep -qE '^.*\.rules$'; then
+ chown 0 "$file"
fi
done
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration' differs:
--- old datastream
+++ new datastream
@@ -25,13 +25,16 @@
- medium_severity
- no_reboot_needed
-- name: Ensure group owner on /etc/audit/ file(s) matching ^audit(\.rules|d\.conf)$
+- name: Ensure owner on /etc/audit/ file(s) matching ^audit(\.rules|d\.conf)$
file:
path: '{{ item.path }}'
owner: '0'
+ state: file
+ when:
+ - '"audit" in ansible_facts.packages'
+ - item.uid != 0
with_items:
- '{{ files_found.files }}'
- when: '"audit" in ansible_facts.packages'
tags:
- configure_strategy
- file_ownership_audit_configuration
@@ -56,13 +59,16 @@
- medium_severity
- no_reboot_needed
-- name: Ensure group owner on /etc/audit/rules.d/ file(s) matching ^.*\.rules$
+- name: Ensure owner on /etc/audit/rules.d/ file(s) matching ^.*\.rules$
file:
path: '{{ item.path }}'
owner: '0'
+ state: file
+ when:
+ - '"audit" in ansible_facts.packages'
+ - item.uid != 0
with_items:
- '{{ files_found.files }}'
- when: '"audit" in ansible_facts.packages'
tags:
- configure_strategy
- file_ownership_audit_configuration
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd' differs:
--- old datastream
+++ new datastream
@@ -1,9 +1,9 @@
-readarray -t files < <(find /etc/audit/rules.d/)
+readarray -t files < <(find /etc/audit/rules.d/ -maxdepth 1 -type f)
for file in "${files[@]}"; do
- if basename $file | grep -qE '^.*rules$'; then
- chmod 0640 $file
+ if basename "$file" | grep -qE '^.*rules$'; then
+ chmod 0640 "$file"
fi
done
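Review bot: unlike the ownership hunks above, this `find` has no pre-filter equivalent to `! -uid 0`, so `chmod 0640` is still executed on every rules file on every run. Restricting the candidates to files that carry a permission bit outside 0640 (`find /etc/audit/rules.d/ -maxdepth 1 -type f -perm /137`) would make the Bash side as targeted as the Ansible side, which now checks `item.mode` before touching a file.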
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd' differs:
--- old datastream
+++ new datastream
@@ -20,6 +20,8 @@
file:
path: '{{ item.path }}'
mode: '0640'
+ state: file
+ when: item.mode != '0640'
with_items:
- '{{ files_found.files }}'
tags:
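Review bot: `when: item.mode != '0640'` is a string comparison against the `find` module's octal mode string (the commit message shows the format, `'mode': '0644'`), so it works, but it is also true for files that are stricter than 0640, e.g. a `0600` rules file is widened to 0640 by this task. If the rule only requires "0640 or less permissive", the condition should express that rather than inequality, otherwise the task loosens files that were already compliant.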
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log' differs:
--- old datastream
+++ new datastream
@@ -1,4 +1,4 @@
-chgrp 0 /var/log/
+find -L /var/log/ -maxdepth 1 -type d -exec chgrp 0 {} \;
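Review bot: `-maxdepth 1` includes the starting point and its children, so this line no longer matches the old `chgrp 0 /var/log/`: every immediate subdirectory of /var/log/ is also chgrp'd to root, and `-L` makes that apply to symlinked directories as well. The Ansible counterpart in this PR only touches /var/log/ itself (`file: path: /var/log/ state: directory`). To act on the directory alone use `-maxdepth 0`, or drop `find` entirely since the path is fixed.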
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,8 @@
-- name: Test for existence /var/log/
- stat:
+- name: Ensure group owner on /var/log/
+ file:
path: /var/log/
- register: file_exists
+ state: directory
+ group: '0'
tags:
- CCE-83659-3
- DISA-STIG-RHEL-08-010260
@@ -11,18 +12,3 @@
- low_disruption
- medium_severity
- no_reboot_needed
-
-- name: Ensure group owner 0 on /var/log/
- file:
- path: /var/log/
- group: '0'
- when: file_exists.stat is defined and file_exists.stat.exists
- tags:
- - CCE-83659-3
- - DISA-STIG-RHEL-08-010260
- - configure_strategy
- - file_groupowner_var_log
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_var_log' differs:
--- old datastream
+++ new datastream
@@ -1,4 +1,4 @@
-chown 0 /var/log/
+find -L /var/log/ -maxdepth 1 -type d -exec chown 0 {} \;
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_var_log' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,8 @@
-- name: Test for existence /var/log/
- stat:
+- name: Ensure owner on directory /var/log/
+ file:
path: /var/log/
- register: file_exists
+ state: directory
+ owner: '0'
tags:
- CCE-83661-9
- DISA-STIG-RHEL-08-010250
@@ -11,18 +12,3 @@
- low_disruption
- medium_severity
- no_reboot_needed
-
-- name: Ensure owner 0 on /var/log/
- file:
- path: /var/log/
- owner: '0'
- when: file_exists.stat is defined and file_exists.stat.exists
- tags:
- - CCE-83661-9
- - DISA-STIG-RHEL-08-010250
- - configure_strategy
- - file_owner_var_log
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_var_log' differs:
--- old datastream
+++ new datastream
@@ -1,4 +1,4 @@
-chmod 0755 /var/log/
+find -L /var/log/ -maxdepth 1 -type d -exec chmod 0755 {} \;
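Review bot: this is where the `-maxdepth 1` semantics bite: `find -L /var/log/ -maxdepth 1 -type d -exec chmod 0755 {} \;` resets the mode of every first-level subdirectory of /var/log/, and directories such as /var/log/audit are expected to be far stricter than 0755. The old `chmod 0755 /var/log/` only changed the one directory the rule is about; `-maxdepth 0` (or no `find` at all) restores that behaviour.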
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_var_log' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,8 @@
-- name: Test for existence /var/log/
- stat:
+- name: Set permissions for /var/log/
+ file:
path: /var/log/
- register: file_exists
+ state: directory
+ mode: '0755'
tags:
- CCE-83663-5
- DISA-STIG-RHEL-08-010240
@@ -11,18 +12,3 @@
- low_disruption
- medium_severity
- no_reboot_needed
-
-- name: Ensure permission 0755 on /var/log/
- file:
- path: /var/log/
- mode: '0755'
- when: file_exists.stat is defined and file_exists.stat.exists
- tags:
- - CCE-83663-5
- - DISA-STIG-RHEL-08-010240
- - configure_strategy
- - file_permissions_var_log
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs' differs:
--- old datastream
+++ new datastream
@@ -1,16 +1,10 @@
-find -L /lib/ -type d -exec chgrp 0 {} \;
+find -L /lib/ -type d -exec chgrp 0 {} \;
+find -L /lib64/ -type d -exec chgrp 0 {} \;
+find -L /usr/lib/ -type d -exec chgrp 0 {} \;
-find -L /lib64/ -type d -exec chgrp 0 {} \;
-
-
-
-find -L /usr/lib/ -type d -exec chgrp 0 {} \;
-
-
-
-find -L /usr/lib64/ -type d -exec chgrp 0 {} \;
+find -L /usr/lib64/ -type d -exec chgrp 0 {} \;
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dir_ownership_binary_dirs' differs:
--- old datastream
+++ new datastream
@@ -1,24 +1,14 @@
-find -L /bin/ -type d -exec chown 0 {} \;
+find -L /bin/ -type d -exec chown 0 {} \;
+find -L /sbin/ -type d -exec chown 0 {} \;
+find -L /usr/bin/ -type d -exec chown 0 {} \;
-find -L /sbin/ -type d -exec chown 0 {} \;
+find -L /usr/sbin/ -type d -exec chown 0 {} \;
+find -L /usr/local/bin/ -type d -exec chown 0 {} \;
-
-find -L /usr/bin/ -type d -exec chown 0 {} \;
-
-
-
-find -L /usr/sbin/ -type d -exec chown 0 {} \;
-
-
-
-find -L /usr/local/bin/ -type d -exec chown 0 {} \;
-
-
-
-find -L /usr/local/sbin/ -type d -exec chown 0 {} \;
+find -L /usr/local/sbin/ -type d -exec chown 0 {} \;
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_dir_ownership_binary_dirs' differs:
--- old datastream
+++ new datastream
@@ -1,4 +1,4 @@
-- name: Ensure owner on /bin/ recursively
+- name: Ensure owner on directory /bin/ recursively
file:
path: /bin/
state: directory
@@ -12,7 +12,7 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner on /sbin/ recursively
+- name: Ensure owner on directory /sbin/ recursively
file:
path: /sbin/
state: directory
@@ -26,7 +26,7 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner on /usr/bin/ recursively
+- name: Ensure owner on directory /usr/bin/ recursively
file:
path: /usr/bin/
state: directory
@@ -40,7 +40,7 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner on /usr/sbin/ recursively
+- name: Ensure owner on directory /usr/sbin/ recursively
file:
path: /usr/sbin/
state: directory
@@ -54,7 +54,7 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner on /usr/local/bin/ recursively
+- name: Ensure owner on directory /usr/local/bin/ recursively
file:
path: /usr/local/bin/
state: directory
@@ -68,7 +68,7 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner on /usr/local/sbin/ recursively
+- name: Ensure owner on directory /usr/local/sbin/ recursively
file:
path: /usr/local/sbin/
state: directory
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs' differs:
--- old datastream
+++ new datastream
@@ -1,16 +1,10 @@
-find -L /lib/ -type d -exec chown 0 {} \;
+find -L /lib/ -type d -exec chown 0 {} \;
+find -L /lib64/ -type d -exec chown 0 {} \;
+find -L /usr/lib/ -type d -exec chown 0 {} \;
-find -L /lib64/ -type d -exec chown 0 {} \;
-
-
-
-find -L /usr/lib/ -type d -exec chown 0 {} \;
-
-
-
-find -L /usr/lib64/ -type d -exec chown 0 {} \;
+find -L /usr/lib64/ -type d -exec chown 0 {} \;
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs' differs:
--- old datastream
+++ new datastream
@@ -1,4 +1,4 @@
-- name: Ensure owner on /lib/ recursively
+- name: Ensure owner on directory /lib/ recursively
file:
path: /lib/
state: directory
@@ -16,7 +16,7 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner on /lib64/ recursively
+- name: Ensure owner on directory /lib64/ recursively
file:
path: /lib64/
state: directory
@@ -34,7 +34,7 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner on /usr/lib/ recursively
+- name: Ensure owner on directory /usr/lib/ recursively
file:
path: /usr/lib/
state: directory
@@ -52,7 +52,7 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner on /usr/lib64/ recursively
+- name: Ensure owner on directory /usr/lib64/ recursively
file:
path: /usr/lib64/
state: directory
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dir_permissions_binary_dirs' differs:
--- old datastream
+++ new datastream
@@ -1,24 +1,14 @@
-find -L /bin/ -type d -exec chmod 0755 {} \;
+find -L /bin/ -type d -exec chmod 0755 {} \;
+find -L /sbin/ -type d -exec chmod 0755 {} \;
+find -L /usr/bin/ -type d -exec chmod 0755 {} \;
-find -L /sbin/ -type d -exec chmod 0755 {} \;
+find -L /usr/sbin/ -type d -exec chmod 0755 {} \;
+find -L /usr/local/bin/ -type d -exec chmod 0755 {} \;
-
-find -L /usr/bin/ -type d -exec chmod 0755 {} \;
-
-
-
-find -L /usr/sbin/ -type d -exec chmod 0755 {} \;
-
-
-
-find -L /usr/local/bin/ -type d -exec chmod 0755 {} \;
-
-
-
-find -L /usr/local/sbin/ -type d -exec chmod 0755 {} \;
+find -L /usr/local/sbin/ -type d -exec chmod 0755 {} \;
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_library_dirs' differs:
--- old datastream
+++ new datastream
@@ -1,36 +1,30 @@
-readarray -t files < <(find /lib/)
+readarray -t files < <(find /lib/ -type f ! -uid 0)
for file in "${files[@]}"; do
- if basename $file | grep -qE '^.*$'; then
- chown 0 $file
+ if basename "$file" | grep -qE '^.*$'; then
+ chown 0 "$file"
fi
done
-
-
-readarray -t files < <(find /lib64/)
+readarray -t files < <(find /lib64/ -type f ! -uid 0)
for file in "${files[@]}"; do
- if basename $file | grep -qE '^.*$'; then
- chown 0 $file
+ if basename "$file" | grep -qE '^.*$'; then
+ chown 0 "$file"
fi
done
-
-
-readarray -t files < <(find /usr/lib/)
+readarray -t files < <(find /usr/lib/ -type f ! -uid 0)
for file in "${files[@]}"; do
- if basename $file | grep -qE '^.*$'; then
- chown 0 $file
+ if basename "$file" | grep -qE '^.*$'; then
+ chown 0 "$file"
fi
done
-
-
-readarray -t files < <(find /usr/lib64/)
+readarray -t files < <(find /usr/lib64/ -type f ! -uid 0)
for file in "${files[@]}"; do
- if basename $file | grep -qE '^.*$'; then
- chown 0 $file
+ if basename "$file" | grep -qE '^.*$'; then
+ chown 0 "$file"
fi
done
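Review bot: with `file_regex` at its match-all default the per-file `basename "$file" | grep -qE '^.*$'` can never reject anything, yet it still forks two processes per file on a recursive walk of the library directories. When the template sees the default regex it could emit the filter-free form `find /lib/ -type f ! -uid 0 -exec chown 0 {} +` instead of the loop. The `find` without `-L` plus `-type f` is correct for the stated goal: symlinks in /lib/.build-id/ are neither listed nor followed.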
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_library_dirs' differs:
--- old datastream
+++ new datastream
@@ -1,8 +1,9 @@
-- name: Find /lib/ file(s) matching ^.*$
+- name: Find /lib/ file(s) matching ^.*$ recursively
find:
paths: /lib/
patterns: ^.*$
use_regex: true
+ recurse: true
hidden: true
register: files_found
tags:
@@ -19,10 +20,12 @@
- medium_severity
- no_reboot_needed
-- name: Ensure group owner on /lib/ file(s) matching ^.*$
+- name: Ensure owner on /lib/ file(s) matching ^.*$
file:
path: '{{ item.path }}'
owner: '0'
+ state: file
+ when: item.uid != 0
with_items:
- '{{ files_found.files }}'
tags:
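Review bot: with `recurse: true` added to the `find` task in the previous hunk, `files_found.files` now holds every regular file under /lib/, and `with_items` plus a per-item `when: item.uid != 0` still iterates all of them and prints a skipped result for each compliant file. Filtering in the loop expression, e.g. `loop: "{{ files_found.files | selectattr('uid', 'ne', 0) | list }}"`, keeps the task to the handful of files that actually need fixing and makes the playbook output readable.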
@@ -39,11 +42,12 @@
- medium_severity
- no_reboot_needed
-- name: Find /lib64/ file(s) matching ^.*$
+- name: Find /lib64/ file(s) matching ^.*$ recursively
find:
paths: /lib64/
patterns: ^.*$
use_regex: true
+ recurse: true
hidden: true
register: files_found
tags:
@@ -60,10 +64,12 @@
- medium_severity
- no_reboot_needed
-- name: Ensure group owner on /lib64/ file(s) matching ^.*$
+- name: Ensure owner on /lib64/ file(s) matching ^.*$
file:
path: '{{ item.path }}'
owner: '0'
+ state: file
+ when: item.uid != 0
with_items:
- '{{ files_found.files }}'
tags:
@@ -80,11 +86,12 @@
- medium_severity
- no_reboot_needed
-- name: Find /usr/lib/ file(s) matching ^.*$
+- name: Find /usr/lib/ file(s) matching ^.*$ recursively
find:
paths: /usr/lib/
patterns: ^.*$
use_regex: true
+ recurse: true
hidden: true
register: files_found
tags:
@@ -101,10 +108,12 @@
- medium_severity
- no_reboot_needed
-- name: Ensure group owner on /usr/lib/ file(s) matching ^.*$
+- name: Ensure owner on /usr/lib/ file(s) matching ^.*$
file:
path: '{{ item.path }}'
owner: '0'
+ state: file
+ when: item.uid != 0
with_items:
- '{{ files_found.files }}'
tags:
@@ -121,11 +130,12 @@
- medium_severity
- no_reboot_needed
-- name: Find /usr/lib64/ file(s) matching ^.*$
+- name: Find /usr/lib64/ file(s) matching ^.*$ recursively
find:
paths: /usr/lib64/
patterns: ^.*$
use_regex: true
+ recurse: true
hidden: true
register: files_found
tags:
@@ -142,10 +152,12 @@
- medium_severity
- no_reboot_needed
-- name: Ensure group owner on /usr/lib64/ file(s) matching ^.*$
+- name: Ensure owner on /usr/lib64/ file(s) matching ^.*$
file:
path: '{{ item.path }}'
owner: '0'
+ state: file
+ when: item.uid != 0
with_items:
- '{{ files_found.files }}'
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_library_dirs' differs:
--- old datastream
+++ new datastream
@@ -1,36 +1,30 @@
-readarray -t files < <(find /lib/)
+readarray -t files < <(find /lib/ -type f)
for file in "${files[@]}"; do
- if basename $file | grep -qE '^.*$'; then
- chmod 0755 $file
+ if basename "$file" | grep -qE '^.*$'; then
+ chmod 0755 "$file"
fi
done
-
-
-readarray -t files < <(find /lib64/)
+readarray -t files < <(find /lib64/ -type f)
for file in "${files[@]}"; do
- if basename $file | grep -qE '^.*$'; then
- chmod 0755 $file
+ if basename "$file" | grep -qE '^.*$'; then
+ chmod 0755 "$file"
fi
done
-
-
-readarray -t files < <(find /usr/lib/)
+readarray -t files < <(find /usr/lib/ -type f)
for file in "${files[@]}"; do
- if basename $file | grep -qE '^.*$'; then
- chmod 0755 $file
+ if basename "$file" | grep -qE '^.*$'; then
+ chmod 0755 "$file"
fi
done
-
-
-readarray -t files < <(find /usr/lib64/)
+readarray -t files < <(find /usr/lib64/ -type f)
for file in "${files[@]}"; do
- if basename $file | grep -qE '^.*$'; then
- chmod 0755 $file
+ if basename "$file" | grep -qE '^.*$'; then
+ chmod 0755 "$file"
fi
done
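Review bot: `find /lib/ -type f` followed by `chmod 0755` on every hit has no mode pre-filter, so it sets the execute bits on every regular file under the library directories, including data files; the commit message itself shows `/lib/locale/en_AG/LC_COLLATE` at mode `0644`, which this loop turns into 0755. If the rule means "0755 or less permissive", the Bash side should only strip the extra bits from files that are more permissive (`-perm /022` selects files with group- or world-write set), not add execute permission to everything.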
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_library_dirs' differs:
--- old datastream
+++ new datastream
@@ -1,8 +1,9 @@
-- name: Find /lib/ file(s)
+- name: Find /lib/ file(s) recursively
find:
paths: /lib/
patterns: ^.*$
use_regex: true
+ recurse: true
hidden: true
register: files_found
tags:
@@ -23,6 +24,8 @@
file:
path: '{{ item.path }}'
mode: '0755'
+ state: file
+ when: item.mode != '0755'
with_items:
- '{{ files_found.files }}'
tags:
@@ -39,11 +42,12 @@
- medium_severity
- no_reboot_needed
-- name: Find /lib64/ file(s)
+- name: Find /lib64/ file(s) recursively
find:
paths: /lib64/
patterns: ^.*$
use_regex: true
+ recurse: true
hidden: true
register: files_found
tags:
@@ -64,6 +68,8 @@
file:
path: '{{ item.path }}'
mode: '0755'
+ state: file
+ when: item.mode != '0755'
with_items:
- '{{ files_found.files }}'
tags:
@@ -80,11 +86,12 @@
- medium_severity
- no_reboot_needed
-- name: Find /usr/lib/ file(s)
+- name: Find /usr/lib/ file(s) recursively
find:
paths: /usr/lib/
patterns: ^.*$
use_regex: true
+ recurse: true
hidden: true
register: files_found
tags:
@@ -105,6 +112,8 @@
file:
path: '{{ item.path }}'
mode: '0755'
+ state: file
+ when: item.mode != '0755'
with_items:
- '{{ files_found.files }}'
tags:
@@ -121,11 +130,12 @@
- medium_severity
- no_reboot_needed
-- name: Find /usr/lib64/ file(s)
+- name: Find /usr/lib64/ file(s) recursively
find:
paths: /usr/lib64/
patterns: ^.*$
use_regex: true
+ recurse: true
hidden: true
register: files_found
tags:
@@ -146,6 +156,8 @@
file:
path: '{{ item.path }}'
mode: '0755'
+ state: file
+ when: item.mode != '0755'
with_items:
- '{{ files_found.files }}'
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files' differs:
--- old datastream
+++ new datastream
@@ -1,36 +1,33 @@
-readarray -t files < <(find /lib/)
+readarray -t files < <(find /lib/ -maxdepth 1 -type f ! -gid 0)
for file in "${files[@]}"; do
- if basename $file | grep -qE '^.*$'; then
- chgrp 0 $file
+ if basename "$file" | grep -qE '^.*$'; then
+ chgrp 0 "$file"
fi
done
-
-readarray -t files < <(find /lib64/)
+readarray -t files < <(find /lib64/ -maxdepth 1 -type f ! -gid 0)
for file in "${files[@]}"; do
- if basename $file | grep -qE '^.*$'; then
- chgrp 0 $file
+ if basename "$file" | grep -qE '^.*$'; then
+ chgrp 0 "$file"
fi
done
-
-readarray -t files < <(find /usr/lib/)
+readarray -t files < <(find /usr/lib/ -maxdepth 1 -type f ! -gid 0)
for file in "${files[@]}"; do
- if basename $file | grep -qE '^.*$'; then
- chgrp 0 $file
+ if basename "$file" | grep -qE '^.*$'; then
+ chgrp 0 "$file"
fi
done
-
-readarray -t files < <(find /usr/lib64/)
+readarray -t files < <(find /usr/lib64/ -maxdepth 1 -type f ! -gid 0)
for file in "${files[@]}"; do
- if basename $file | grep -qE '^.*$'; then
- chgrp 0 $file
+ if basename "$file" | grep -qE '^.*$'; then
+ chgrp 0 "$file"
fi
done
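Review bot: this hunk keeps `-maxdepth 1` for the group-ownership check of the library files, while the file_ownership_library_dirs hunk above walks the same four directories recursively (`find /lib/ -type f ! -uid 0`, and `recurse: true` on the Ansible side). Please confirm that the difference is intentional (different rule definitions) rather than an inconsistency between the two templates, and if it is intentional, a note in the rule's description would help, since a root-owned file with a wrong group two levels down is otherwise silently skipped here but fixed by the ownership rule.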
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files' differs:
--- old datastream
+++ new datastream
@@ -21,6 +21,8 @@
file:
path: '{{ item.path }}'
group: '0'
+ state: file
+ when: item.gid != 0
with_items:
- '{{ files_found.files }}'
tags:
@@ -58,6 +60,8 @@
file:
path: '{{ item.path }}'
group: '0'
+ state: file
+ when: item.gid != 0
with_items:
- '{{ files_found.files }}'
tags:
@@ -95,6 +99,8 @@
file:
path: '{{ item.path }}'
group: '0'
+ state: file
+ when: item.gid != 0
with_items:
- '{{ files_found.files }}'
tags:
@@ -132,6 +138,8 @@
file:
path: '{{ item.path }}'
group: '0'
+ state: file
+ when: item.gid != 0
with_items:
- '{{ files_found.files }}'
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_d' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-chgrp 0 /etc/cron.d/
+find -L /etc/cron.d/ -maxdepth 1 -type d -exec chgrp 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_d' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,8 @@
-- name: Test for existence /etc/cron.d/
- stat:
+- name: Ensure group owner on /etc/cron.d/
+ file:
path: /etc/cron.d/
- register: file_exists
+ state: directory
+ group: '0'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-82268-4
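Review bot: removing the `stat` / `file_exists` guard changes behaviour on hosts without cron: `file` with `state: directory` creates /etc/cron.d/ when it is absent, whereas the old two-task form only adjusted an existing directory. The same applies to the cron.daily, cron.hourly, cron.monthly and cron.weekly hunks below and to the /var/log/ hunks above. If creating the directory is not desired, keep the existence check, or loop the `file` task over the `stat` result, e.g. `when: cron_d.stat.isdir | default(false)`.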
@@ -13,21 +14,3 @@
- low_disruption
- medium_severity
- no_reboot_needed
-
-- name: Ensure group owner 0 on /etc/cron.d/
- file:
- path: /etc/cron.d/
- group: '0'
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - file_exists.stat is defined and file_exists.stat.exists
- tags:
- - CCE-82268-4
- - NIST-800-53-AC-6(1)
- - NIST-800-53-CM-6(a)
- - configure_strategy
- - file_groupowner_cron_d
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_daily' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-chgrp 0 /etc/cron.daily/
+find -L /etc/cron.daily/ -maxdepth 1 -type d -exec chgrp 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_daily' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,8 @@
-- name: Test for existence /etc/cron.daily/
- stat:
+- name: Ensure group owner on /etc/cron.daily/
+ file:
path: /etc/cron.daily/
- register: file_exists
+ state: directory
+ group: '0'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-82234-6
@@ -13,21 +14,3 @@
- low_disruption
- medium_severity
- no_reboot_needed
-
-- name: Ensure group owner 0 on /etc/cron.daily/
- file:
- path: /etc/cron.daily/
- group: '0'
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - file_exists.stat is defined and file_exists.stat.exists
- tags:
- - CCE-82234-6
- - NIST-800-53-AC-6(1)
- - NIST-800-53-CM-6(a)
- - configure_strategy
- - file_groupowner_cron_daily
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_hourly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-chgrp 0 /etc/cron.hourly/
+find -L /etc/cron.hourly/ -maxdepth 1 -type d -exec chgrp 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_hourly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,8 @@
-- name: Test for existence /etc/cron.hourly/
- stat:
+- name: Ensure group owner on /etc/cron.hourly/
+ file:
path: /etc/cron.hourly/
- register: file_exists
+ state: directory
+ group: '0'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-82227-0
@@ -13,21 +14,3 @@
- low_disruption
- medium_severity
- no_reboot_needed
-
-- name: Ensure group owner 0 on /etc/cron.hourly/
- file:
- path: /etc/cron.hourly/
- group: '0'
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - file_exists.stat is defined and file_exists.stat.exists
- tags:
- - CCE-82227-0
- - NIST-800-53-AC-6(1)
- - NIST-800-53-CM-6(a)
- - configure_strategy
- - file_groupowner_cron_hourly
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_monthly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-chgrp 0 /etc/cron.monthly/
+find -L /etc/cron.monthly/ -maxdepth 1 -type d -exec chgrp 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_monthly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,8 @@
-- name: Test for existence /etc/cron.monthly/
- stat:
+- name: Ensure group owner on /etc/cron.monthly/
+ file:
path: /etc/cron.monthly/
- register: file_exists
+ state: directory
+ group: '0'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-82256-9
@@ -13,21 +14,3 @@
- low_disruption
- medium_severity
- no_reboot_needed
-
-- name: Ensure group owner 0 on /etc/cron.monthly/
- file:
- path: /etc/cron.monthly/
- group: '0'
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - file_exists.stat is defined and file_exists.stat.exists
- tags:
- - CCE-82256-9
- - NIST-800-53-AC-6(1)
- - NIST-800-53-CM-6(a)
- - configure_strategy
- - file_groupowner_cron_monthly
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_weekly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-chgrp 0 /etc/cron.weekly/
+find -L /etc/cron.weekly/ -maxdepth 1 -type d -exec chgrp 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_weekly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,8 @@
-- name: Test for existence /etc/cron.weekly/
- stat:
+- name: Ensure group owner on /etc/cron.weekly/
+ file:
path: /etc/cron.weekly/
- register: file_exists
+ state: directory
+ group: '0'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-82244-5
@@ -13,21 +14,3 @@
- low_disruption
- medium_severity
- no_reboot_needed
-
-- name: Ensure group owner 0 on /etc/cron.weekly/
- file:
- path: /etc/cron.weekly/
- group: '0'
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - file_exists.stat is defined and file_exists.stat.exists
- tags:
- - CCE-82244-5
- - NIST-800-53-AC-6(1)
- - NIST-800-53-CM-6(a)
- - configure_strategy
- - file_groupowner_cron_weekly
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_d' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-chown 0 /etc/cron.d/
+find -L /etc/cron.d/ -maxdepth 1 -type d -exec chown 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
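Review bot: with `-L`, a first-level symlink inside /etc/cron.d/ that points at a directory elsewhere on the system is reported as a directory and `chown 0` is applied to its target, so the remediation can change ownership of a directory outside the tree it is fixing. Only root can normally place such a link there, but following links out of /etc/cron.d/ is surprising for a remediation; `-maxdepth 0` (the directory only) or dropping `-L`, which makes `-type d` skip symlinks, avoids it. The cron.daily, cron.hourly, cron.monthly and cron.weekly chown hunks below share this behaviour.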
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_d' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,8 @@
-- name: Test for existence /etc/cron.d/
- stat:
+- name: Ensure owner on directory /etc/cron.d/
+ file:
path: /etc/cron.d/
- register: file_exists
+ state: directory
+ owner: '0'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-82272-6
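Review bot: the new task name `Ensure owner on directory /etc/cron.d/` drops the target value that the removed `Ensure owner 0 on /etc/cron.d/` carried, so playbook output and reports no longer show which owner is being enforced; keep the value in the name (`Ensure owner 0 on directory /etc/cron.d/`). The same applies to the cron.daily, cron.hourly, cron.monthly and cron.weekly owner tasks and to the `Set permissions for ...` tasks below, which no longer mention 0700.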
@@ -13,21 +14,3 @@
- low_disruption
- medium_severity
- no_reboot_needed
-
-- name: Ensure owner 0 on /etc/cron.d/
- file:
- path: /etc/cron.d/
- owner: '0'
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - file_exists.stat is defined and file_exists.stat.exists
- tags:
- - CCE-82272-6
- - NIST-800-53-AC-6(1)
- - NIST-800-53-CM-6(a)
- - configure_strategy
- - file_owner_cron_d
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_daily' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-chown 0 /etc/cron.daily/
+find -L /etc/cron.daily/ -maxdepth 1 -type d -exec chown 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_daily' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,8 @@
-- name: Test for existence /etc/cron.daily/
- stat:
+- name: Ensure owner on directory /etc/cron.daily/
+ file:
path: /etc/cron.daily/
- register: file_exists
+ state: directory
+ owner: '0'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-82237-9
@@ -13,21 +14,3 @@
- low_disruption
- medium_severity
- no_reboot_needed
-
-- name: Ensure owner 0 on /etc/cron.daily/
- file:
- path: /etc/cron.daily/
- owner: '0'
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - file_exists.stat is defined and file_exists.stat.exists
- tags:
- - CCE-82237-9
- - NIST-800-53-AC-6(1)
- - NIST-800-53-CM-6(a)
- - configure_strategy
- - file_owner_cron_daily
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_hourly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-chown 0 /etc/cron.hourly/
+find -L /etc/cron.hourly/ -maxdepth 1 -type d -exec chown 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_hourly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,8 @@
-- name: Test for existence /etc/cron.hourly/
- stat:
+- name: Ensure owner on directory /etc/cron.hourly/
+ file:
path: /etc/cron.hourly/
- register: file_exists
+ state: directory
+ owner: '0'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-82209-8
@@ -13,21 +14,3 @@
- low_disruption
- medium_severity
- no_reboot_needed
-
-- name: Ensure owner 0 on /etc/cron.hourly/
- file:
- path: /etc/cron.hourly/
- owner: '0'
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - file_exists.stat is defined and file_exists.stat.exists
- tags:
- - CCE-82209-8
- - NIST-800-53-AC-6(1)
- - NIST-800-53-CM-6(a)
- - configure_strategy
- - file_owner_cron_hourly
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_monthly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-chown 0 /etc/cron.monthly/
+find -L /etc/cron.monthly/ -maxdepth 1 -type d -exec chown 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_monthly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,8 @@
-- name: Test for existence /etc/cron.monthly/
- stat:
+- name: Ensure owner on directory /etc/cron.monthly/
+ file:
path: /etc/cron.monthly/
- register: file_exists
+ state: directory
+ owner: '0'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-82260-1
@@ -13,21 +14,3 @@
- low_disruption
- medium_severity
- no_reboot_needed
-
-- name: Ensure owner 0 on /etc/cron.monthly/
- file:
- path: /etc/cron.monthly/
- owner: '0'
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - file_exists.stat is defined and file_exists.stat.exists
- tags:
- - CCE-82260-1
- - NIST-800-53-AC-6(1)
- - NIST-800-53-CM-6(a)
- - configure_strategy
- - file_owner_cron_monthly
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_weekly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-chown 0 /etc/cron.weekly/
+find -L /etc/cron.weekly/ -maxdepth 1 -type d -exec chown 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_weekly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,8 @@
-- name: Test for existence /etc/cron.weekly/
- stat:
+- name: Ensure owner on directory /etc/cron.weekly/
+ file:
path: /etc/cron.weekly/
- register: file_exists
+ state: directory
+ owner: '0'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-82247-8
@@ -13,21 +14,3 @@
- low_disruption
- medium_severity
- no_reboot_needed
-
-- name: Ensure owner 0 on /etc/cron.weekly/
- file:
- path: /etc/cron.weekly/
- owner: '0'
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - file_exists.stat is defined and file_exists.stat.exists
- tags:
- - CCE-82247-8
- - NIST-800-53-AC-6(1)
- - NIST-800-53-CM-6(a)
- - configure_strategy
- - file_owner_cron_weekly
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_d' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-chmod 0700 /etc/cron.d/
+find -L /etc/cron.d/ -maxdepth 1 -type d -exec chmod 0700 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
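Review bot: `-exec chmod 0700 {} \;` forks one chmod per match; `-exec chmod 0700 {} +` batches them, which matters here because `-maxdepth 1 -type d` can match more than the single directory. Note also that 0700 is now applied to first-level subdirectories of /etc/cron.d/ as well as to the directory itself, which the old `chmod 0700 /etc/cron.d/` did not do; confirm that the OVAL check evaluates subdirectories the same way, otherwise the remediation changes more than the check verifies.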
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_d' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,8 @@
-- name: Test for existence /etc/cron.d/
- stat:
+- name: Set permissions for /etc/cron.d/
+ file:
path: /etc/cron.d/
- register: file_exists
+ state: directory
+ mode: '0700'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-82277-5
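Review bot: `file` with `state: directory`, `mode: '0700'` and no `recurse` sets the mode on /etc/cron.d/ only, while the bash remediation for the same rule uses `find -L /etc/cron.d/ -maxdepth 1 -type d`, which also reaches first-level subdirectories; both remediations of one rule should have the same scope. Either add `-maxdepth 0` on the bash side or make the Ansible task cover the subdirectories too. The daily, hourly, monthly and weekly permission hunks below have the same mismatch.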
@@ -13,21 +14,3 @@
- low_disruption
- medium_severity
- no_reboot_needed
-
-- name: Ensure permission 0700 on /etc/cron.d/
- file:
- path: /etc/cron.d/
- mode: '0700'
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - file_exists.stat is defined and file_exists.stat.exists
- tags:
- - CCE-82277-5
- - NIST-800-53-AC-6(1)
- - NIST-800-53-CM-6(a)
- - configure_strategy
- - file_permissions_cron_d
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_daily' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-chmod 0700 /etc/cron.daily/
+find -L /etc/cron.daily/ -maxdepth 1 -type d -exec chmod 0700 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_daily' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,8 @@
-- name: Test for existence /etc/cron.daily/
- stat:
+- name: Set permissions for /etc/cron.daily/
+ file:
path: /etc/cron.daily/
- register: file_exists
+ state: directory
+ mode: '0700'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-82240-3
@@ -13,21 +14,3 @@
- low_disruption
- medium_severity
- no_reboot_needed
-
-- name: Ensure permission 0700 on /etc/cron.daily/
- file:
- path: /etc/cron.daily/
- mode: '0700'
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - file_exists.stat is defined and file_exists.stat.exists
- tags:
- - CCE-82240-3
- - NIST-800-53-AC-6(1)
- - NIST-800-53-CM-6(a)
- - configure_strategy
- - file_permissions_cron_daily
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_hourly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-chmod 0700 /etc/cron.hourly/
+find -L /etc/cron.hourly/ -maxdepth 1 -type d -exec chmod 0700 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_hourly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,8 @@
-- name: Test for existence /etc/cron.hourly/
- stat:
+- name: Set permissions for /etc/cron.hourly/
+ file:
path: /etc/cron.hourly/
- register: file_exists
+ state: directory
+ mode: '0700'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-82230-4
@@ -13,21 +14,3 @@
- low_disruption
- medium_severity
- no_reboot_needed
-
-- name: Ensure permission 0700 on /etc/cron.hourly/
- file:
- path: /etc/cron.hourly/
- mode: '0700'
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - file_exists.stat is defined and file_exists.stat.exists
- tags:
- - CCE-82230-4
- - NIST-800-53-AC-6(1)
- - NIST-800-53-CM-6(a)
- - configure_strategy
- - file_permissions_cron_hourly
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_monthly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-chmod 0700 /etc/cron.monthly/
+find -L /etc/cron.monthly/ -maxdepth 1 -type d -exec chmod 0700 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_monthly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,8 @@
-- name: Test for existence /etc/cron.monthly/
- stat:
+- name: Set permissions for /etc/cron.monthly/
+ file:
path: /etc/cron.monthly/
- register: file_exists
+ state: directory
+ mode: '0700'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-82263-5
@@ -13,21 +14,3 @@
- low_disruption
- medium_severity
- no_reboot_needed
-
-- name: Ensure permission 0700 on /etc/cron.monthly/
- file:
- path: /etc/cron.monthly/
- mode: '0700'
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - file_exists.stat is defined and file_exists.stat.exists
- tags:
- - CCE-82263-5
- - NIST-800-53-AC-6(1)
- - NIST-800-53-CM-6(a)
- - configure_strategy
- - file_permissions_cron_monthly
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_weekly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-chmod 0700 /etc/cron.weekly/
+find -L /etc/cron.weekly/ -maxdepth 1 -type d -exec chmod 0700 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_weekly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,8 @@
-- name: Test for existence /etc/cron.weekly/
- stat:
+- name: Set permissions for /etc/cron.weekly/
+ file:
path: /etc/cron.weekly/
- register: file_exists
+ state: directory
+ mode: '0700'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-82253-6
@@ -13,21 +14,3 @@
- low_disruption
- medium_severity
- no_reboot_needed
-
-- name: Ensure permission 0700 on /etc/cron.weekly/
- file:
- path: /etc/cron.weekly/
- mode: '0700'
- when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- - file_exists.stat is defined and file_exists.stat.exists
- tags:
- - CCE-82253-6
- - NIST-800-53-AC-6(1)
- - NIST-800-53-CM-6(a)
- - configure_strategy
- - file_permissions_cron_weekly
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_d_files' differs:
--- old datastream
+++ new datastream
@@ -1,9 +1,9 @@
-readarray -t files < <(find /etc/httpd/conf.d/)
+readarray -t files < <(find /etc/httpd/conf.d/ -maxdepth 1 -type f)
for file in "${files[@]}"; do
- if basename $file | grep -qE '^.*$'; then
- chmod 0640 $file
+ if basename "$file" | grep -qE '^.*$'; then
+ chmod 0640 "$file"
fi
done
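Review bot: `grep -qE '^.*$'` matches every basename, so the `if basename "$file" | grep -qE '^.*$'; then` test can never be false and only adds a basename and a grep fork per file; when file_regex is the catch-all, the template should emit the `chmod` directly or fold the filter into find (`find /etc/httpd/conf.d/ -maxdepth 1 -type f -exec chmod 0640 {} +`). Quoting `"$file"` is the right fix for paths with spaces, but `readarray -t` still splits on newlines, so a filename containing a newline is handled as two entries; `find -print0` with `readarray -d ''` avoids that.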
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_d_files' differs:
--- old datastream
+++ new datastream
@@ -21,6 +21,8 @@
file:
path: '{{ item.path }}'
mode: '0640'
+ state: file
+ when: item.mode != '0640'
with_items:
- '{{ files_found.files }}'
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files' differs:
--- old datastream
+++ new datastream
@@ -1,9 +1,9 @@
-readarray -t files < <(find /etc/httpd/conf/)
+readarray -t files < <(find /etc/httpd/conf/ -maxdepth 1 -type f)
for file in "${files[@]}"; do
- if basename $file | grep -qE '^.*$'; then
- chmod 0640 $file
+ if basename "$file" | grep -qE '^.*$'; then
+ chmod 0640 "$file"
fi
done
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files' differs:
--- old datastream
+++ new datastream
@@ -21,6 +21,8 @@
file:
path: '{{ item.path }}'
mode: '0640'
+ state: file
+ when: item.mode != '0640'
with_items:
- '{{ files_found.files }}'
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key' differs:
--- old datastream
+++ new datastream
@@ -1,10 +1,10 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-readarray -t files < <(find /etc/ssh/)
+readarray -t files < <(find /etc/ssh/ -maxdepth 1 -type f)
for file in "${files[@]}"; do
- if basename $file | grep -qE '^.*_key$'; then
- chmod 0600 $file
+ if basename "$file" | grep -qE '^.*_key$'; then
+ chmod 0600 "$file"
fi
done
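Review bot: `-type f` without `-L` excludes symlinks, so a host key that is a symlink (for example into persistent storage on image-based systems) is no longer matched by `'^.*_key$'` and is silently left with its current mode, whereas the old unfiltered `find /etc/ssh/` listed it. If symlinked keys should be fixed too, use `find -L /etc/ssh/ -maxdepth 1 -type f` (chmod dereferences the link anyway); if they are deliberately skipped, the rule description should say so.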
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key' differs:
--- old datastream
+++ new datastream
@@ -25,9 +25,12 @@
file:
path: '{{ item.path }}'
mode: '0600'
+ state: file
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - item.mode != '0600'
with_items:
- '{{ files_found.files }}'
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-82424-3
- DISA-STIG-RHEL-08-010490
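Review bot: the relocated `when` list combines the platform condition with `item.mode != '0600'`; since `when` on a task with `with_items` is evaluated per item, the platform condition behaves exactly as before, so this is fine. `state: file` does change one thing: the task now fails if an entry from `files_found.files` disappeared between the `find` and this task instead of creating an empty file with mode 0600, which is the safer behaviour for a private key; a short comment in the template that `state: file` is intentional (never create a key file) would keep it from being "simplified" away later.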
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key' differs:
--- old datastream
+++ new datastream
@@ -1,10 +1,10 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-readarray -t files < <(find /etc/ssh/)
+readarray -t files < <(find /etc/ssh/ -maxdepth 1 -type f)
for file in "${files[@]}"; do
- if basename $file | grep -qE '^.*.pub$'; then
- chmod 0644 $file
+ if basename "$file" | grep -qE '^.*.pub$'; then
+ chmod 0644 "$file"
fi
done
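Review bot: the pattern `'^.*.pub$'` has an unescaped dot, so it also matches any name that ends in `pub` preceded by one character (a hypothetical `ssh_host_ed25519_keypub` would get 0644); use `'\.pub$'` so that only `.pub` files match. The regex is carried over from the old lines, but since the hunk already rewrites this line it is the place to fix it.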
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key' differs:
--- old datastream
+++ new datastream
@@ -25,9 +25,12 @@
file:
path: '{{ item.path }}'
mode: '0644'
+ state: file
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - item.mode != '0644'
with_items:
- '{{ files_found.files }}'
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-82428-4
- DISA-STIG-RHEL-08-010480 |
Revert changes from OL8 STIG profile that cause conflict with master
Mab879 approved these changes on Mar 25, 2022
@yuumasato: The following tests failed, say
Full PR test history. Your PR dashboard. Details. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Member: Waiving OpenShift CI tests. Appears to be an infra issue. Waiving SSGTS as the failures are due to using Fedora as base. Tests pass locally.