Merge pull request ComplianceAsCode#6558 from vojtapolasek/fix_world_…

…writable_dirs_root_ansible fix remediations of dir_perms_world_writable_root_owned
brett060102 · Jan 25, 2021 · ebba138 · ebba138
2 parents 6a2b3e9 + c1a4898
commit ebba138
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 3 deletions.
diff --git a/..._os/guide/system/permissions/files/dir_perms_world_writable_root_owned/ansible/shared.yml b/..._os/guide/system/permissions/files/dir_perms_world_writable_root_owned/ansible/shared.yml
@@ -4,5 +4,52 @@
 # complexity = low
 # disruption = medium
 
-- name: "Find all world writable files not owned by root on local partitions and change their owner to root"
-  shell: find / -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -type d -perm -0002 -uid +0 -exec chown root {} \;
+
+- name: "Configure excluded (non local) file systems"
+  set_fact:
+    excluded_fstypes:
+      - afs
+      - ceph
+      - cifs
+      - smb3
+      - smbfs
+      - sshfs
+      - ncpfs
+      - ncp
+      - nfs
+      - nfs4
+      - gfs
+      - gfs2
+      - glusterfs
+      - gpfs
+      - pvfs2
+      - ocfs2
+      - lustre
+      - davfs
+      - fuse.sshfs
+
+- name: "Create empty list of excluded paths"
+  set_fact:
+    excluded_paths: "[]"
+
+- name: "Detect nonlocal file systems and add them to excluded paths"
+  set_fact: 
+    excluded_paths: "{{ excluded_paths | union([item.mount]) }}"
+  loop: "{{ ansible_mounts }}"
+  when: item.fstype in excluded_fstypes
+
+- name: "Find all directories excluding non-local partitions"
+  find:
+    paths: "/"
+    excludes: excluded_paths
+    file_type: directory
+    hidden: yes
+    recurse: yes
+  register: found_dirs
+
+- name: "Change owner to root on directories which are world writable"
+  file:
+    path: '{{ item.path }}'
+    owner: root
+  loop:  '{{ found_dirs.files }}'
+  when: item.woth
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/bash/shared.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/bash/shared.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
 # platform = Red Hat Virtualization 4,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Fedora,Oracle Linux 7,Oracle Linux 8,WRLinux 1019
 
-find / -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -type d -perm -0002 -uid +0 -exec chown root {} \;
+find / -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -not -fstype fuse.sshfs -type d -perm -0002 -uid +0 -exec chown root {} \;
diff --git a/...ble_root_owned/tests/all_files_ok.pass.sh → ...able_root_owned/tests/all_dirs_ok.pass.sh b/...ble_root_owned/tests/all_files_ok.pass.sh → ...able_root_owned/tests/all_dirs_ok.pass.sh
diff --git a/...orld_writable_file_owned_by_uid_2.fail.sh → ...world_writable_dir_owned_by_uid_2.fail.sh b/...orld_writable_file_owned_by_uid_2.fail.sh → ...world_writable_dir_owned_by_uid_2.fail.sh