file_owner, file_groupowner, file_permission changed to not follow symlinks#8466
Merged
mildas merged 4 commits into ComplianceAsCode:stabilization-v0.1.61 from Mar 31, 2022
Conversation
Otherwise, don't follow any symlink encountered. Following symlinks is problematic as it can alter permissions of binaries in the system: '/lib/.build-id/a4/8e8ae0d029dbbc1c1b0bb0fcea424860a6c412' -> '../../../../usr/bin/sudo'
Add various tests that set up symlinks to files and directories with correct and incorrect permissions. As noted in 6a3f401, the check should not follow symlinks. These tests define the expected behavior of the check, which is to not follow symlinks nor report symlinks as collected objects.
Recursing a directory using pattern match works, but this approach makes OVAL overlook that some paths are symlinks. So, although the check was not reporting symlinks, it was following them down. The OVAL was following symlinks to directories and collecting files in them, as evidenced by fails in test scenario dir_symlink_incorrect_file.pass.sh, which was failing. The way to recurse down a directory and avoid symlinks is by defining a behavior.
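The commit messages above describe the difference between `find -L` (follow every symlink met during the walk) and `find -H` (dereference only the starting arguments). The script below is an added example, not code from the PR or from ComplianceAsCode: it builds a throwaway tree under a mktemp directory (constructed sample data) in which a scanned directory contains a symlink to a directory and a symlink to a file, both pointing outside the scanned tree, the same shape as the /lib/.build-id link cited in the first commit. It then counts what each dereference option reports and runs a remediation shaped like the ones in this PR (`find ... -type f -exec chmod ... {} \;`) to show that the `-L` form modifies files outside the directory being remediated while the `-H` form does not. Function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the PR: compare find -L / -H / -P on a throwaway tree.
# Everything lives under a mktemp directory (constructed sample data); no system
# path is touched.

# Build: scan/ holds one real file plus a symlink to a directory and a symlink to
# a file, both pointing OUTSIDE scan/ (like /lib/.build-id/... -> ../../../../usr/bin/sudo).
make_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/real_dir" "$root/scan"
  : > "$root/real_dir/inner_file"
  : > "$root/real_file"
  : > "$root/scan/plain_file"
  ln -s ../real_dir "$root/scan/dir_link"
  ln -s ../real_file "$root/scan/file_link"
  ln -s scan "$root/scan_link"          # a symlinked starting point
  printf '%s\n' "$root"
}

# Number of regular files find reports under $1/scan with dereference option $2 (-L, -H or -P).
count_files() {
  find "$2" "$1/scan" -type f | wc -l | tr -d ' '
}

# Same count, but starting from the symlink scan_link: -H dereferences command-line
# arguments only, -P dereferences nothing at all.
count_files_via_link() {
  find "$2" "$1/scan_link" -type f | wc -l | tr -d ' '
}

# Prints 1 if $1 is world-writable, else 0; uses find's own -perm test so it works
# the same with GNU and BSD find (no stat flag differences).
world_writable() {
  find "$1" -maxdepth 0 -perm -o+w | wc -l | tr -d ' '
}

# Make three files world-writable, run a PR-style remediation over scan/ only with
# dereference option $2, then print how many files OUTSIDE scan/ are still
# world-writable: 0 means the remediation reached through the symlinks.
remediate_and_count_untouched() {
  chmod o+w "$1/real_file" "$1/real_dir/inner_file" "$1/scan/plain_file"
  find "$2" "$1/scan" -type f -exec chmod o-w {} \;
  n=0
  for f in "$1/real_file" "$1/real_dir/inner_file"; do
    n=$((n + $(world_writable "$f")))
  done
  printf '%s\n' "$n"
}

# Stand-alone demo: sh example.sh demo
if [ "${1:-}" = "demo" ]; then
  root=$(make_tree)
  echo "-L reports $(count_files "$root" -L) files, -H reports $(count_files "$root" -H), -P reports $(count_files "$root" -P)"
  echo "starting from a symlink: -H reports $(count_files_via_link "$root" -H), -P reports $(count_files_via_link "$root" -P)"
  echo "files outside scan/ left untouched by chmod: -L=$(remediate_and_count_untouched "$root" -L) -H=$(remediate_and_count_untouched "$root" -H)"
  rm -rf "$root"
fi
```

With `-L` the walk reports three files (the real one plus both link targets) and the chmod lands on files that were never inside `scan/`; with `-H` only `plain_file` is matched, since the two symlinks are of type `l` and fail `-type f`, which is exactly "not report symlinks as collected objects". Starting the walk from `scan_link` shows why `-H` rather than `-P` was chosen: the starting argument is still dereferenced, so a rule whose base directory is itself a symlink keeps working.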
This datastream diff is auto generated by the check.
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration' differs:
--- old datastream
+++ new datastream
@@ -10,7 +10,7 @@
- no_reboot_needed
- name: Find /etc/audit/ file(s) matching ^audit(\.rules|d\.conf)$
- command: find -L /etc/audit/ -maxdepth 1 -type f ! -gid 0 -regex "^audit(\.rules|d\.conf)$"
+ command: find -H /etc/audit/ -maxdepth 1 -type f ! -gid 0 -regex "^audit(\.rules|d\.conf)$"
register: files_found
changed_when: false
failed_when: false
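Review bot: the -L to -H switch on the command line changes what `-type f` can match, and that should be reflected in the rule description: with -H only the starting argument /etc/audit/ is dereferenced, so a symlink sitting inside /etc/audit/ is now seen as type l, fails `-type f` and never lands in files_found, which is the behaviour the commit message asks for (symlinks are not collected objects). Combined with -maxdepth 1 this task now reports real files only; stating that in the rule text avoids assessors expecting a symlinked rules file to be fixed by the follow-up task.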
@@ -41,7 +41,7 @@
- no_reboot_needed
- name: Find /etc/audit/rules.d/ file(s) matching ^.*\.rules$
- command: find -L /etc/audit/rules.d/ -maxdepth 1 -type f ! -gid 0 -regex "^.*\.rules$"
+ command: find -H /etc/audit/rules.d/ -maxdepth 1 -type f ! -gid 0 -regex "^.*\.rules$"
register: files_found
changed_when: false
failed_when: false
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration' differs:
--- old datastream
+++ new datastream
@@ -10,7 +10,7 @@
- no_reboot_needed
- name: Find /etc/audit/ file(s) matching ^audit(\.rules|d\.conf)$
- command: find -L /etc/audit/ -maxdepth 1 -type f ! -uid 0 -regex "^audit(\.rules|d\.conf)$"
+ command: find -H /etc/audit/ -maxdepth 1 -type f ! -uid 0 -regex "^audit(\.rules|d\.conf)$"
register: files_found
changed_when: false
failed_when: false
@@ -41,7 +41,7 @@
- no_reboot_needed
- name: Find /etc/audit/rules.d/ file(s) matching ^.*\.rules$
- command: find -L /etc/audit/rules.d/ -maxdepth 1 -type f ! -uid 0 -regex "^.*\.rules$"
+ command: find -H /etc/audit/rules.d/ -maxdepth 1 -type f ! -uid 0 -regex "^.*\.rules$"
register: files_found
changed_when: false
failed_when: false
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd' differs:
--- old datastream
+++ new datastream
@@ -2,4 +2,4 @@
-find -L /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '^.*rules$' -exec chmod u-xs,g-xws,o-xwrt {} \;
+find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '^.*rules$' -exec chmod u-xs,g-xws,o-xwrt {} \;
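Review bot: the `-regex '^.*rules$'` on this line matches any path ending in the letters rules (a file named myrules qualifies), while the ownership remediations for the same directory above use `'^.*\.rules$'`; since the line is being touched anyway, aligning it to `'^.*\.rules$'` would keep the three audit rules.d rules consistent. The ansible task for this rule below carries the same unescaped pattern.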
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd' differs:
--- old datastream
+++ new datastream
@@ -1,5 +1,5 @@
- name: Find /etc/audit/rules.d/ file(s)
- command: find -L /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type
+ command: find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type
f -regex "^.*rules$"
register: files_found
changed_when: false
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_var_log' differs:
--- old datastream
+++ new datastream
@@ -1,4 +1,4 @@
-find -L /var/log/ -maxdepth 1 -type d -exec chgrp 0 {} \;
+find -H /var/log/ -maxdepth 1 -type d -exec chgrp 0 {} \;
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_var_log' differs:
--- old datastream
+++ new datastream
@@ -1,4 +1,4 @@
-find -L /var/log/ -maxdepth 1 -type d -exec chown 0 {} \;
+find -H /var/log/ -maxdepth 1 -type d -exec chown 0 {} \;
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_var_log' differs:
--- old datastream
+++ new datastream
@@ -2,4 +2,4 @@
-find -L /var/log/ -maxdepth 1 -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
+find -H /var/log/ -maxdepth 1 -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs' differs:
--- old datastream
+++ new datastream
@@ -1,10 +1,10 @@
-find -L /lib/ -type d -exec chgrp 0 {} \;
+find -H /lib/ -type d -exec chgrp 0 {} \;
-find -L /lib64/ -type d -exec chgrp 0 {} \;
+find -H /lib64/ -type d -exec chgrp 0 {} \;
-find -L /usr/lib/ -type d -exec chgrp 0 {} \;
+find -H /usr/lib/ -type d -exec chgrp 0 {} \;
-find -L /usr/lib64/ -type d -exec chgrp 0 {} \;
+find -H /usr/lib64/ -type d -exec chgrp 0 {} \;
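Review bot: these four lines recurse without -maxdepth, so the -L to -H change matters most here: -H still dereferences each starting point, so if /lib/ or /lib64/ is itself a symlink (as on merged-/usr layouts) it is still traversed, but a symlink to a directory met further down is no longer descended, which stops the walk from leaving the library tree. As a style point, `-exec chgrp 0 {} \;` forks one chgrp per directory; `-exec chgrp 0 {} +` batches the paths and is otherwise equivalent.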
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dir_ownership_binary_dirs' differs:
--- old datastream
+++ new datastream
@@ -1,14 +1,14 @@
-find -L /bin/ -type d -exec chown 0 {} \;
+find -H /bin/ -type d -exec chown 0 {} \;
-find -L /sbin/ -type d -exec chown 0 {} \;
+find -H /sbin/ -type d -exec chown 0 {} \;
-find -L /usr/bin/ -type d -exec chown 0 {} \;
+find -H /usr/bin/ -type d -exec chown 0 {} \;
-find -L /usr/sbin/ -type d -exec chown 0 {} \;
+find -H /usr/sbin/ -type d -exec chown 0 {} \;
-find -L /usr/local/bin/ -type d -exec chown 0 {} \;
+find -H /usr/local/bin/ -type d -exec chown 0 {} \;
-find -L /usr/local/sbin/ -type d -exec chown 0 {} \;
+find -H /usr/local/sbin/ -type d -exec chown 0 {} \;
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs' differs:
--- old datastream
+++ new datastream
@@ -1,10 +1,10 @@
-find -L /lib/ -type d -exec chown 0 {} \;
+find -H /lib/ -type d -exec chown 0 {} \;
-find -L /lib64/ -type d -exec chown 0 {} \;
+find -H /lib64/ -type d -exec chown 0 {} \;
-find -L /usr/lib/ -type d -exec chown 0 {} \;
+find -H /usr/lib/ -type d -exec chown 0 {} \;
-find -L /usr/lib64/ -type d -exec chown 0 {} \;
+find -H /usr/lib64/ -type d -exec chown 0 {} \;
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dir_permissions_binary_dirs' differs:
--- old datastream
+++ new datastream
@@ -2,14 +2,14 @@
-find -L /bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
+find -H /bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
-find -L /sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
+find -H /sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
-find -L /usr/bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
+find -H /usr/bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
-find -L /usr/sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
+find -H /usr/sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
-find -L /usr/local/bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
+find -H /usr/local/bin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
-find -L /usr/local/sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
+find -H /usr/local/sbin/ -perm /u+s,g+ws,o+wt -type d -exec chmod u-s,g-ws,o-wt {} \;
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_library_dirs' differs:
--- old datastream
+++ new datastream
@@ -1,5 +1,5 @@
- name: Find /lib/ file(s) matching ^.*$ recursively
- command: find -L /lib/ -type f ! -uid 0 -regex "^.*$"
+ command: find -H /lib/ -type f ! -uid 0 -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
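Review bot: this is the case the first commit message describes: with -L, a link such as /lib/.build-id/.../<hash> -> ../../../../usr/bin/sudo resolved to its target, so a path outside /lib could end up in files_found and the chown task applied to a system binary; with -H the link is type l, fails `-type f` and is skipped. Also, `-regex "^.*$"` matches every path and can be dropped from this command (and from the three sibling hunks) without changing the result.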
@@ -40,7 +40,7 @@
- no_reboot_needed
- name: Find /lib64/ file(s) matching ^.*$ recursively
- command: find -L /lib64/ -type f ! -uid 0 -regex "^.*$"
+ command: find -H /lib64/ -type f ! -uid 0 -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
@@ -81,7 +81,7 @@
- no_reboot_needed
- name: Find /usr/lib/ file(s) matching ^.*$ recursively
- command: find -L /usr/lib/ -type f ! -uid 0 -regex "^.*$"
+ command: find -H /usr/lib/ -type f ! -uid 0 -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
@@ -122,7 +122,7 @@
- no_reboot_needed
- name: Find /usr/lib64/ file(s) matching ^.*$ recursively
- command: find -L /usr/lib64/ -type f ! -uid 0 -regex "^.*$"
+ command: find -H /usr/lib64/ -type f ! -uid 0 -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_library_dirs' differs:
--- old datastream
+++ new datastream
@@ -2,10 +2,10 @@
-find -L /lib/ -perm /u+s,g+ws,o+wt -type f -regex '^.*$' -exec chmod u-s,g-ws,o-wt {} \;
+find -H /lib/ -perm /u+s,g+ws,o+wt -type f -regex '^.*$' -exec chmod u-s,g-ws,o-wt {} \;
-find -L /lib64/ -perm /u+s,g+ws,o+wt -type f -regex '^.*$' -exec chmod u-s,g-ws,o-wt {} \;
+find -H /lib64/ -perm /u+s,g+ws,o+wt -type f -regex '^.*$' -exec chmod u-s,g-ws,o-wt {} \;
-find -L /usr/lib/ -perm /u+s,g+ws,o+wt -type f -regex '^.*$' -exec chmod u-s,g-ws,o-wt {} \;
+find -H /usr/lib/ -perm /u+s,g+ws,o+wt -type f -regex '^.*$' -exec chmod u-s,g-ws,o-wt {} \;
-find -L /usr/lib64/ -perm /u+s,g+ws,o+wt -type f -regex '^.*$' -exec chmod u-s,g-ws,o-wt {} \;
+find -H /usr/lib64/ -perm /u+s,g+ws,o+wt -type f -regex '^.*$' -exec chmod u-s,g-ws,o-wt {} \;
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_library_dirs' differs:
--- old datastream
+++ new datastream
@@ -1,5 +1,5 @@
- name: Find /lib/ file(s) recursively
- command: find -L /lib/ -perm /u+s,g+ws,o+wt -type f -regex "^.*$"
+ command: find -H /lib/ -perm /u+s,g+ws,o+wt -type f -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
@@ -40,7 +40,7 @@
- no_reboot_needed
- name: Find /lib64/ file(s) recursively
- command: find -L /lib64/ -perm /u+s,g+ws,o+wt -type f -regex "^.*$"
+ command: find -H /lib64/ -perm /u+s,g+ws,o+wt -type f -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
@@ -81,7 +81,7 @@
- no_reboot_needed
- name: Find /usr/lib/ file(s) recursively
- command: find -L /usr/lib/ -perm /u+s,g+ws,o+wt -type f -regex "^.*$"
+ command: find -H /usr/lib/ -perm /u+s,g+ws,o+wt -type f -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
@@ -122,7 +122,7 @@
- no_reboot_needed
- name: Find /usr/lib64/ file(s) recursively
- command: find -L /usr/lib64/ -perm /u+s,g+ws,o+wt -type f -regex "^.*$"
+ command: find -H /usr/lib64/ -perm /u+s,g+ws,o+wt -type f -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files' differs:
--- old datastream
+++ new datastream
@@ -1,5 +1,5 @@
- name: Find /lib/ file(s) matching ^.*$
- command: find -L /lib/ -maxdepth 1 -type f ! -gid 0 -regex "^.*$"
+ command: find -H /lib/ -maxdepth 1 -type f ! -gid 0 -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
@@ -36,7 +36,7 @@
- root_permissions_syslibrary_files
- name: Find /lib64/ file(s) matching ^.*$
- command: find -L /lib64/ -maxdepth 1 -type f ! -gid 0 -regex "^.*$"
+ command: find -H /lib64/ -maxdepth 1 -type f ! -gid 0 -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
@@ -73,7 +73,7 @@
- root_permissions_syslibrary_files
- name: Find /usr/lib/ file(s) matching ^.*$
- command: find -L /usr/lib/ -maxdepth 1 -type f ! -gid 0 -regex "^.*$"
+ command: find -H /usr/lib/ -maxdepth 1 -type f ! -gid 0 -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
@@ -110,7 +110,7 @@
- root_permissions_syslibrary_files
- name: Find /usr/lib64/ file(s) matching ^.*$
- command: find -L /usr/lib64/ -maxdepth 1 -type f ! -gid 0 -regex "^.*$"
+ command: find -H /usr/lib64/ -maxdepth 1 -type f ! -gid 0 -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_d' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-find -L /etc/cron.d/ -maxdepth 1 -type d -exec chgrp 0 {} \;
+find -H /etc/cron.d/ -maxdepth 1 -type d -exec chgrp 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
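Review bot: with -maxdepth 1 and -type d this find matches /etc/cron.d/ itself plus its immediate subdirectories, and because -H still dereferences the starting argument, a /etc/cron.d that is itself a symlink gets chgrp applied to the target directory rather than to the link. That is the intended behaviour after this change, but the same wording should go into the rule description so the bash and OVAL sides are documented to agree.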
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_daily' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-find -L /etc/cron.daily/ -maxdepth 1 -type d -exec chgrp 0 {} \;
+find -H /etc/cron.daily/ -maxdepth 1 -type d -exec chgrp 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_hourly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-find -L /etc/cron.hourly/ -maxdepth 1 -type d -exec chgrp 0 {} \;
+find -H /etc/cron.hourly/ -maxdepth 1 -type d -exec chgrp 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_monthly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-find -L /etc/cron.monthly/ -maxdepth 1 -type d -exec chgrp 0 {} \;
+find -H /etc/cron.monthly/ -maxdepth 1 -type d -exec chgrp 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_cron_weekly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-find -L /etc/cron.weekly/ -maxdepth 1 -type d -exec chgrp 0 {} \;
+find -H /etc/cron.weekly/ -maxdepth 1 -type d -exec chgrp 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_d' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-find -L /etc/cron.d/ -maxdepth 1 -type d -exec chown 0 {} \;
+find -H /etc/cron.d/ -maxdepth 1 -type d -exec chown 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_daily' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-find -L /etc/cron.daily/ -maxdepth 1 -type d -exec chown 0 {} \;
+find -H /etc/cron.daily/ -maxdepth 1 -type d -exec chown 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_hourly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-find -L /etc/cron.hourly/ -maxdepth 1 -type d -exec chown 0 {} \;
+find -H /etc/cron.hourly/ -maxdepth 1 -type d -exec chown 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_monthly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-find -L /etc/cron.monthly/ -maxdepth 1 -type d -exec chown 0 {} \;
+find -H /etc/cron.monthly/ -maxdepth 1 -type d -exec chown 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_cron_weekly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-find -L /etc/cron.weekly/ -maxdepth 1 -type d -exec chown 0 {} \;
+find -H /etc/cron.weekly/ -maxdepth 1 -type d -exec chown 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_d' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-find -L /etc/cron.d/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;
+find -H /etc/cron.d/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_daily' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-find -L /etc/cron.daily/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;
+find -H /etc/cron.daily/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_hourly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-find -L /etc/cron.hourly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;
+find -H /etc/cron.hourly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_monthly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-find -L /etc/cron.monthly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;
+find -H /etc/cron.monthly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_cron_weekly' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-find -L /etc/cron.weekly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;
+find -H /etc/cron.weekly/ -maxdepth 1 -perm /u+s,g+xwrs,o+xwrt -type d -exec chmod u-s,g-xwrs,o-xwrt {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_d_files' differs:
--- old datastream
+++ new datastream
@@ -2,4 +2,4 @@
-find -L /etc/httpd/conf.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '^.*$' -exec chmod u-xs,g-xws,o-xwrt {} \;
+find -H /etc/httpd/conf.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '^.*$' -exec chmod u-xs,g-xws,o-xwrt {} \;
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_d_files' differs:
--- old datastream
+++ new datastream
@@ -1,5 +1,5 @@
- name: Find /etc/httpd/conf.d/ file(s)
- command: find -L /etc/httpd/conf.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f
+ command: find -H /etc/httpd/conf.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f
-regex "^.*$"
register: files_found
changed_when: false
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files' differs:
--- old datastream
+++ new datastream
@@ -2,4 +2,4 @@
-find -L /etc/httpd/conf/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '^.*$' -exec chmod u-xs,g-xws,o-xwrt {} \;
+find -H /etc/httpd/conf/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex '^.*$' -exec chmod u-xs,g-xws,o-xwrt {} \;
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files' differs:
--- old datastream
+++ new datastream
@@ -1,5 +1,5 @@
- name: Find /etc/httpd/conf/ file(s)
- command: find -L /etc/httpd/conf/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex
+ command: find -H /etc/httpd/conf/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regex
"^.*$"
register: files_found
changed_when: false
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-find -L /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt -type f -regex '^.*_key$' -exec chmod u-xs,g-xwrs,o-xwrt {} \;
+find -H /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt -type f -regex '^.*_key$' -exec chmod u-xs,g-xwrs,o-xwrt {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
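Review bot: with -H a host key under /etc/ssh/ that is itself a symlink no longer satisfies `-type f`, so its target keeps whatever mode it has. That matches the stated intent (symlinks are not collected objects) but narrows what this remediation guarantees, so the rule text should say that only regular *_key files are checked and fixed.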
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key' differs:
--- old datastream
+++ new datastream
@@ -1,5 +1,5 @@
- name: Find /etc/ssh/ file(s)
- command: find -L /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt -type f -regex
+ command: find -H /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt -type f -regex
"^.*_key$"
register: files_found
changed_when: false
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-find -L /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regex '^.*.pub$' -exec chmod u-xs,g-xws,o-xwt {} \;
+find -H /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regex '^.*.pub$' -exec chmod u-xs,g-xws,o-xwt {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
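Review bot: `'^.*.pub$'` leaves the dot unescaped, so the regex also matches names such as idpub; `'^.*\.pub$'` is the intended pattern and mirrors the `\.rules` escaping used earlier in this diff. The ansible task for this rule below uses the same unescaped pattern and should be changed together with this line.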
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key' differs:
--- old datastream
+++ new datastream
@@ -1,5 +1,5 @@
- name: Find /etc/ssh/ file(s)
- command: find -L /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regex "^.*.pub$"
+ command: find -H /etc/ssh/ -maxdepth 1 -perm /u+xs,g+xws,o+xwt -type f -regex "^.*.pub$"
register: files_found
changed_when: false
failed_when: false
ggbecker approved these changes Mar 31, 2022
mildas approved these changes Mar 31, 2022
Description:
find command level.
Rationale:
Given the symlinks and hardlinks we can find in /lib, /lib64, /usr/lib and /usr/lib64, I believe these templates should not follow symlinks (may be arguable for other paths).
Fixes: Make handling of symlinks in file_ownership_library_dirs and similar rules consistent #8412