Implement file_owner2 template #13192
Conversation
Hi @ericeberry. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Would it be possible to merge this functionally into the existing
784d8e6 to b3a155b
This datastream diff is auto generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_audit_tools_ownership' differs.
--- xccdf_org.ssgproject.content_rule_file_audit_tools_ownership
+++ xccdf_org.ssgproject.content_rule_file_audit_tools_ownership
@@ -1,13 +1,16 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
-chown 0 /sbin/auditctl
-chown 0 /sbin/aureport
-chown 0 /sbin/ausearch
-chown 0 /sbin/autrace
-chown 0 /sbin/auditd
-chown 0 /sbin/rsyslogd
-chown 0 /sbin/augenrules
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+chown $newown /sbin/auditctl
+chown $newown /sbin/aureport
+chown $newown /sbin/ausearch
+chown $newown /sbin/autrace
+chown $newown /sbin/auditd
+chown $newown /sbin/rsyslogd
+chown $newown /sbin/augenrules
else
>&2 echo 'Remediation is not applicable, nothing was done'
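Review bot: `newown` is only assigned inside the `if id "0"` branch, so when that lookup fails each of the seven `chown $newown /sbin/...` lines expands to `chown /sbin/auditctl` (the path becomes the owner argument and chown exits with a usage error), and under `set -u` the script aborts outright. Handle the missing-user case deliberately: add an `else` branch that prints a message and returns, or guard the chown calls with `[ -n "$newown" ]`, and quote the expansion as `"$newown"`.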
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_audit_tools_ownership' differs.
--- xccdf_org.ssgproject.content_rule_file_audit_tools_ownership
+++ xccdf_org.ssgproject.content_rule_file_audit_tools_ownership
@@ -12,6 +12,40 @@
- medium_severity
- no_reboot_needed
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-86259-9
+ - DISA-STIG-RHEL-08-030630
+ - NIST-800-53-AU-9
+ - configure_strategy
+ - file_audit_tools_ownership
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when:
+ - '"kernel" in ansible_facts.packages'
+ - ansible_facts.getent_passwd["0"] is defined
+ tags:
+ - CCE-86259-9
+ - DISA-STIG-RHEL-08-030630
+ - NIST-800-53-AU-9
+ - configure_strategy
+ - file_audit_tools_ownership
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /sbin/auditctl
stat:
path: /sbin/auditctl
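Review bot: `ignore_errors: true` on the "Check that the 0 user is defined" task turns a missing user into a failed-then-ignored task in every run, even though absence is the expected outcome that "Set the newown variable if 0 found" tests for. `failed_when: false` expresses that intent without the red "...ignoring" line in the play output, and the `when` condition can stay as it is.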
@@ -28,10 +62,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /sbin/auditctl
+- name: Ensure owner on /sbin/auditctl
file:
path: /sbin/auditctl
- owner: '0'
+ owner: '{{ newown }}'
when:
- '"kernel" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
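Review bot: the `when` list on "Ensure owner on /sbin/auditctl" still only checks the package and `file_exists`, so if the `set_fact` task above was skipped, `owner: '{{ newown }}'` raises an undefined-variable error and the play fails instead of skipping the file. Add `- newown is defined` to the `when` list; the same applies to the aureport, ausearch, autrace, auditd, rsyslogd and augenrules tasks in the hunks that follow.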
@@ -62,10 +96,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /sbin/aureport
+- name: Ensure owner on /sbin/aureport
file:
path: /sbin/aureport
- owner: '0'
+ owner: '{{ newown }}'
when:
- '"kernel" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
@@ -96,10 +130,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /sbin/ausearch
+- name: Ensure owner on /sbin/ausearch
file:
path: /sbin/ausearch
- owner: '0'
+ owner: '{{ newown }}'
when:
- '"kernel" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
@@ -130,10 +164,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /sbin/autrace
+- name: Ensure owner on /sbin/autrace
file:
path: /sbin/autrace
- owner: '0'
+ owner: '{{ newown }}'
when:
- '"kernel" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
@@ -164,10 +198,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /sbin/auditd
+- name: Ensure owner on /sbin/auditd
file:
path: /sbin/auditd
- owner: '0'
+ owner: '{{ newown }}'
when:
- '"kernel" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
@@ -198,10 +232,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /sbin/rsyslogd
+- name: Ensure owner on /sbin/rsyslogd
file:
path: /sbin/rsyslogd
- owner: '0'
+ owner: '{{ newown }}'
when:
- '"kernel" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
@@ -232,20 +266,20 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /sbin/augenrules
+- name: Ensure owner on /sbin/augenrules
file:
path: /sbin/augenrules
- owner: '0'
- when:
- - '"kernel" in ansible_facts.packages'
- - file_exists.stat is defined and file_exists.stat.exists
- tags:
- - CCE-86259-9
- - DISA-STIG-RHEL-08-030630
- - NIST-800-53-AU-9
- - configure_strategy
- - file_audit_tools_ownership
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
+ owner: '{{ newown }}'
+ when:
+ - '"kernel" in ansible_facts.packages'
+ - file_exists.stat is defined and file_exists.stat.exists
+ tags:
+ - CCE-86259-9
+ - DISA-STIG-RHEL-08-030630
+ - NIST-800-53-AU-9
+ - configure_strategy
+ - file_audit_tools_ownership
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
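Review bot: the augenrules task's `when:` and `tags:` lines are removed and re-added with content that reads identically in the rendered diff; only `owner` actually changes. That pattern usually means the template now emits different indentation or trailing whitespace for the last task in the file, so it is worth checking the template output so the generated diff shows only the intended change.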
bash remediation for rule 'xccdf_org.ssgproject.content_rule_directory_owner_etc_sudoersd' differs.
--- xccdf_org.ssgproject.content_rule_directory_owner_etc_sudoersd
+++ xccdf_org.ssgproject.content_rule_directory_owner_etc_sudoersd
@@ -1 +1,4 @@
-find -H /etc/sudoers.d/ -maxdepth 1 -type d -exec chown -L 0 {} \;
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+find -H /etc/sudoers.d/ -maxdepth 1 -type d ! -user 0 -exec chown -L $newown {} \;
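Review bot: the new `find` line filters with a hard-coded `! -user 0` but passes `$newown` to chown; in a template both should be derived from the same owner parameter (`! -user "$newown"`), otherwise any owner other than 0 would re-own only the directories the filter lets through and leave root-owned ones untouched. As in the other bash hunks, an unset `newown` also makes `-exec chown -L {} \;` fail once per matched directory, so the empty case needs an explicit guard before the `find`.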
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_directory_owner_etc_sudoersd' differs.
--- xccdf_org.ssgproject.content_rule_directory_owner_etc_sudoersd
+++ xccdf_org.ssgproject.content_rule_directory_owner_etc_sudoersd
@@ -1,8 +1,8 @@
-- name: Ensure owner on directory /etc/sudoers.d/
- file:
- path: /etc/sudoers.d/
- state: directory
- owner: '0'
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
tags:
- CCE-86355-5
- configure_strategy
@@ -11,3 +11,30 @@
- low_disruption
- medium_severity
- no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when: ansible_facts.getent_passwd["0"] is defined
+ tags:
+ - CCE-86355-5
+ - configure_strategy
+ - directory_owner_etc_sudoersd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner on directory /etc/sudoers.d/
+ file:
+ path: /etc/sudoers.d/
+ state: directory
+ owner: '{{ newown }}'
+ tags:
+ - CCE-86355-5
+ - configure_strategy
+ - directory_owner_etc_sudoersd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
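Review bot: `newown` is a host-level fact whose name is shared by every rule in this datastream (the audit-tools and sudoers tasks above both set it, and the later rules do too), and `set_fact` values persist for the rest of the play. When one rule's lookup fails and its `set_fact` is skipped, its `file` task picks up whatever an earlier rule assigned rather than skipping. Prefix the fact with the rule identifier (for example `directory_owner_etc_sudoersd_newown`) or register the getent result and condition on that, so each rule only sees its own lookup.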
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_sudoers' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_sudoers
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_sudoers
@@ -1 +1,4 @@
-chown 0 /etc/sudoers
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+chown $newown /etc/sudoers
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_sudoers' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_sudoers
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_sudoers
@@ -1,3 +1,30 @@
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ tags:
+ - CCE-86416-5
+ - configure_strategy
+ - file_owner_etc_sudoers
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when: ansible_facts.getent_passwd["0"] is defined
+ tags:
+ - CCE-86416-5
+ - configure_strategy
+ - file_owner_etc_sudoers
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/sudoers
stat:
path: /etc/sudoers
@@ -11,10 +38,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/sudoers
+- name: Ensure owner on /etc/sudoers
file:
path: /etc/sudoers
- owner: '0'
+ owner: '{{ newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86416-5
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_issue' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_issue
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_issue
@@ -1 +1,4 @@
-chown 0 /etc/issue
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+chown $newown /etc/issue
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_issue' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_issue
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_issue
@@ -1,3 +1,30 @@
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ tags:
+ - CCE-83718-7
+ - configure_strategy
+ - file_owner_etc_issue
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when: ansible_facts.getent_passwd["0"] is defined
+ tags:
+ - CCE-83718-7
+ - configure_strategy
+ - file_owner_etc_issue
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/issue
stat:
path: /etc/issue
@@ -11,10 +38,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/issue
+- name: Ensure owner on /etc/issue
file:
path: /etc/issue
- owner: '0'
+ owner: '{{ newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83718-7
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net
@@ -1 +1,4 @@
-chown 0 /etc/issue.net
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+chown $newown /etc/issue.net
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net
@@ -1,3 +1,34 @@
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ tags:
+ - CCE-86054-4
+ - PCI-DSSv4-1.2
+ - PCI-DSSv4-1.2.8
+ - configure_strategy
+ - file_owner_etc_issue_net
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when: ansible_facts.getent_passwd["0"] is defined
+ tags:
+ - CCE-86054-4
+ - PCI-DSSv4-1.2
+ - PCI-DSSv4-1.2.8
+ - configure_strategy
+ - file_owner_etc_issue_net
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/issue.net
stat:
path: /etc/issue.net
@@ -13,10 +44,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/issue.net
+- name: Ensure owner on /etc/issue.net
file:
path: /etc/issue.net
- owner: '0'
+ owner: '{{ newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86054-4
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_motd' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_motd
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_motd
@@ -1 +1,4 @@
-chown 0 /etc/motd
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+chown $newown /etc/motd
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_motd' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_motd
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_motd
@@ -1,3 +1,30 @@
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ tags:
+ - CCE-83738-5
+ - configure_strategy
+ - file_owner_etc_motd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when: ansible_facts.getent_passwd["0"] is defined
+ tags:
+ - CCE-83738-5
+ - configure_strategy
+ - file_owner_etc_motd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/motd
stat:
path: /etc/motd
@@ -11,10 +38,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/motd
+- name: Ensure owner on /etc/motd
file:
path: /etc/motd
- owner: '0'
+ owner: '{{ newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83738-5
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
@@ -1,7 +1,10 @@
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ) && [ ! -d /sys/firmware/efi ] && { ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} ); }; then
-chown 0 /boot/grub2/grub.cfg
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+chown $newown /boot/grub2/grub.cfg
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
@@ -1,6 +1,61 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - CCE-80805-5
+ - CJIS-5.5.2.2
+ - NIST-800-171-3.4.5
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-7.1
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_grub2_cfg
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ when:
+ - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
+ - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
+ )
+ tags:
+ - CCE-80805-5
+ - CJIS-5.5.2.2
+ - NIST-800-171-3.4.5
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-7.1
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_grub2_cfg
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when:
+ - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
+ - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
+ )
+ - ansible_facts.getent_passwd["0"] is defined
tags:
- CCE-80805-5
- CJIS-5.5.2.2
@@ -44,10 +99,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /boot/grub2/grub.cfg
+- name: Ensure owner on /boot/grub2/grub.cfg
file:
path: /boot/grub2/grub.cfg
- owner: '0'
+ owner: '{{ newown }}'
when:
- '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
- ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_user_cfg
@@ -1,7 +1,10 @@
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ) && [ ! -d /sys/firmware/efi ] && { ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} ); }; then
-chown 0 /boot/grub2/user.cfg
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+chown $newown /boot/grub2/user.cfg
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_user_cfg
@@ -1,6 +1,61 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - CCE-86015-5
+ - CJIS-5.5.2.2
+ - NIST-800-171-3.4.5
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-7.1
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_user_cfg
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ when:
+ - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
+ - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
+ )
+ tags:
+ - CCE-86015-5
+ - CJIS-5.5.2.2
+ - NIST-800-171-3.4.5
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-7.1
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_user_cfg
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when:
+ - '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
+ - not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
+ and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
+ )
+ - ansible_facts.getent_passwd["0"] is defined
tags:
- CCE-86015-5
- CJIS-5.5.2.2
@@ -44,10 +99,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /boot/grub2/user.cfg
+- name: Ensure owner on /boot/grub2/user.cfg
file:
path: /boot/grub2/user.cfg
- owner: '0'
+ owner: '{{ newown }}'
when:
- '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
- ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
@@ -1,7 +1,10 @@
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ) && [ -d /sys/firmware/efi ]; then
-chown 0 /boot/efi/EFI/redhat/grub.cfg
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+chown $newown /boot/efi/EFI/redhat/grub.cfg
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
@@ -1,6 +1,51 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - CCE-85913-2
+ - CJIS-5.5.2.2
+ - NIST-800-171-3.4.5
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-7.1
+ - configure_strategy
+ - file_owner_efi_grub2_cfg
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
+ tags:
+ - CCE-85913-2
+ - CJIS-5.5.2.2
+ - NIST-800-171-3.4.5
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-7.1
+ - configure_strategy
+ - file_owner_efi_grub2_cfg
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
+ - ansible_facts.getent_passwd["0"] is defined
tags:
- CCE-85913-2
- CJIS-5.5.2.2
@@ -37,10 +82,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /boot/efi/EFI/redhat/grub.cfg
+- name: Ensure owner on /boot/efi/EFI/redhat/grub.cfg
file:
path: /boot/efi/EFI/redhat/grub.cfg
- owner: '0'
+ owner: '{{ newown }}'
when:
- '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
@@ -1,7 +1,10 @@
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ) && [ -d /sys/firmware/efi ]; then
-chown 0 /boot/efi/EFI/redhat/user.cfg
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+chown $newown /boot/efi/EFI/redhat/user.cfg
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
@@ -1,6 +1,51 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - CCE-86021-3
+ - CJIS-5.5.2.2
+ - NIST-800-171-3.4.5
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-7.1
+ - configure_strategy
+ - file_owner_efi_user_cfg
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
+ tags:
+ - CCE-86021-3
+ - CJIS-5.5.2.2
+ - NIST-800-171-3.4.5
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-7.1
+ - configure_strategy
+ - file_owner_efi_user_cfg
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when:
+ - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
+ - ansible_facts.getent_passwd["0"] is defined
tags:
- CCE-86021-3
- CJIS-5.5.2.2
@@ -37,10 +82,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /boot/efi/EFI/redhat/user.cfg
+- name: Ensure owner on /boot/efi/EFI/redhat/user.cfg
file:
path: /boot/efi/EFI/redhat/user.cfg
- owner: '0'
+ owner: '{{ newown }}'
when:
- '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
bash remediation for rule 'xccdf_org.ssgproject.content_rule_directory_owner_etc_ipsecd' differs.
--- xccdf_org.ssgproject.content_rule_directory_owner_etc_ipsecd
+++ xccdf_org.ssgproject.content_rule_directory_owner_etc_ipsecd
@@ -1,7 +1,10 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q libreswan; then
-find -H /etc/ipsec.d/ -maxdepth 1 -type d -exec chown -L 0 {} \;
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+find -H /etc/ipsec.d/ -maxdepth 1 -type d ! -user 0 -exec chown -L $newown {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_directory_owner_etc_ipsecd' differs.
--- xccdf_org.ssgproject.content_rule_directory_owner_etc_ipsecd
+++ xccdf_org.ssgproject.content_rule_directory_owner_etc_ipsecd
@@ -1,6 +1,36 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - CCE-86302-7
+ - configure_strategy
+ - directory_owner_etc_ipsecd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ when: '"libreswan" in ansible_facts.packages'
+ tags:
+ - CCE-86302-7
+ - configure_strategy
+ - directory_owner_etc_ipsecd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when:
+ - '"libreswan" in ansible_facts.packages'
+ - ansible_facts.getent_passwd["0"] is defined
tags:
- CCE-86302-7
- configure_strategy
@@ -14,7 +44,7 @@
file:
path: /etc/ipsec.d/
state: directory
- owner: '0'
+ owner: '{{ newown }}'
when: '"libreswan" in ansible_facts.packages'
tags:
- CCE-86302-7
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_conf' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_conf
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_conf
@@ -1,7 +1,10 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q libreswan; then
-chown 0 /etc/ipsec.conf
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+chown $newown /etc/ipsec.conf
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_conf' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_conf
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_conf
@@ -1,6 +1,36 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - CCE-86389-4
+ - configure_strategy
+ - file_owner_etc_ipsec_conf
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ when: '"libreswan" in ansible_facts.packages'
+ tags:
+ - CCE-86389-4
+ - configure_strategy
+ - file_owner_etc_ipsec_conf
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when:
+ - '"libreswan" in ansible_facts.packages'
+ - ansible_facts.getent_passwd["0"] is defined
tags:
- CCE-86389-4
- configure_strategy
@@ -24,10 +54,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/ipsec.conf
+- name: Ensure owner on /etc/ipsec.conf
file:
path: /etc/ipsec.conf
- owner: '0'
+ owner: '{{ newown }}'
when:
- '"libreswan" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_secrets' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_secrets
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_secrets
@@ -1,7 +1,10 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q libreswan; then
-chown 0 /etc/ipsec.secrets
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+chown $newown /etc/ipsec.secrets
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_secrets' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_secrets
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_ipsec_secrets
@@ -1,6 +1,36 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - CCE-86400-9
+ - configure_strategy
+ - file_owner_etc_ipsec_secrets
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ when: '"libreswan" in ansible_facts.packages'
+ tags:
+ - CCE-86400-9
+ - configure_strategy
+ - file_owner_etc_ipsec_secrets
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when:
+ - '"libreswan" in ansible_facts.packages'
+ - ansible_facts.getent_passwd["0"] is defined
tags:
- CCE-86400-9
- configure_strategy
@@ -24,10 +54,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/ipsec.secrets
+- name: Ensure owner on /etc/ipsec.secrets
file:
path: /etc/ipsec.secrets
- owner: '0'
+ owner: '{{ newown }}'
when:
- '"libreswan" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
bash remediation for rule 'xccdf_org.ssgproject.content_rule_directory_owner_etc_iptables' differs.
--- xccdf_org.ssgproject.content_rule_directory_owner_etc_iptables
+++ xccdf_org.ssgproject.content_rule_directory_owner_etc_iptables
@@ -1,7 +1,10 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q iptables; then
-find -H /etc/iptables/ -maxdepth 1 -type d -exec chown -L 0 {} \;
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+find -H /etc/iptables/ -maxdepth 1 -type d ! -user 0 -exec chown -L $newown {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_directory_owner_etc_iptables' differs.
--- xccdf_org.ssgproject.content_rule_directory_owner_etc_iptables
+++ xccdf_org.ssgproject.content_rule_directory_owner_etc_iptables
@@ -1,6 +1,36 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - CCE-86429-8
+ - configure_strategy
+ - directory_owner_etc_iptables
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ when: '"iptables" in ansible_facts.packages'
+ tags:
+ - CCE-86429-8
+ - configure_strategy
+ - directory_owner_etc_iptables
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when:
+ - '"iptables" in ansible_facts.packages'
+ - ansible_facts.getent_passwd["0"] is defined
tags:
- CCE-86429-8
- configure_strategy
@@ -14,7 +44,7 @@
file:
path: /etc/iptables/
state: directory
- owner: '0'
+ owner: '{{ newown }}'
when: '"iptables" in ansible_facts.packages'
tags:
- CCE-86429-8
bash remediation for rule 'xccdf_org.ssgproject.content_rule_directory_owner_etc_nftables' differs.
--- xccdf_org.ssgproject.content_rule_directory_owner_etc_nftables
+++ xccdf_org.ssgproject.content_rule_directory_owner_etc_nftables
@@ -1,7 +1,10 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q nftables; then
-find -H /etc/nftables/ -maxdepth 1 -type d -exec chown -L 0 {} \;
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+find -H /etc/nftables/ -maxdepth 1 -type d ! -user 0 -exec chown -L $newown {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_directory_owner_etc_nftables' differs.
--- xccdf_org.ssgproject.content_rule_directory_owner_etc_nftables
+++ xccdf_org.ssgproject.content_rule_directory_owner_etc_nftables
@@ -1,6 +1,36 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - CCE-86311-8
+ - configure_strategy
+ - directory_owner_etc_nftables
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ when: '"nftables" in ansible_facts.packages'
+ tags:
+ - CCE-86311-8
+ - configure_strategy
+ - directory_owner_etc_nftables
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when:
+ - '"nftables" in ansible_facts.packages'
+ - ansible_facts.getent_passwd["0"] is defined
tags:
- CCE-86311-8
- configure_strategy
@@ -14,7 +44,7 @@
file:
path: /etc/nftables/
state: directory
- owner: '0'
+ owner: '{{ newown }}'
when: '"nftables" in ansible_facts.packages'
tags:
- CCE-86311-8
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_crypttab' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_crypttab
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_crypttab
@@ -1 +1,4 @@
-chown 0 /etc/crypttab
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+chown $newown /etc/crypttab
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_crypttab' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_crypttab
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_crypttab
@@ -1,3 +1,30 @@
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ tags:
+ - CCE-86365-4
+ - configure_strategy
+ - file_owner_etc_crypttab
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when: ansible_facts.getent_passwd["0"] is defined
+ tags:
+ - CCE-86365-4
+ - configure_strategy
+ - file_owner_etc_crypttab
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/crypttab
stat:
path: /etc/crypttab
@@ -11,10 +38,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/crypttab
+- name: Ensure owner on /etc/crypttab
file:
path: /etc/crypttab
- owner: '0'
+ owner: '{{ newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86365-4
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_systemmap' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_systemmap
+++ xccdf_org.ssgproject.content_rule_file_owner_systemmap
@@ -1,2 +1,5 @@
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
-find -L /boot/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex '^.*System\.map.*$' -exec chown -L 0 {} \;
+find -L /boot/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex '^.*System\.map.*$' -exec chown -L $newown {} \;
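Review bot: The `! -user 0` filter is still hard-coded while the `chown` target became `$newown`, so the two halves of this command disagree as soon as the template is used with a non-root owner: files already owned by the intended owner are selected and re-chowned, while root-owned files that should change are skipped. The Ansible counterpart for this rule uses `! -user {{ newown }}`; the bash side should use `"$newown"` in the filter as well so both remediations select the same set of files.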
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_systemmap' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_systemmap
+++ xccdf_org.ssgproject.content_rule_file_owner_systemmap
@@ -1,5 +1,32 @@
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ tags:
+ - CCE-86586-5
+ - configure_strategy
+ - file_owner_systemmap
+ - low_complexity
+ - low_disruption
+ - low_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when: ansible_facts.getent_passwd["0"] is defined
+ tags:
+ - CCE-86586-5
+ - configure_strategy
+ - file_owner_systemmap
+ - low_complexity
+ - low_disruption
+ - low_severity
+ - no_reboot_needed
+
- name: Find /boot/ file(s) matching ^.*System\.map.*$
- command: find -H /boot/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended
+ command: find -H /boot/ -maxdepth 1 -type f ! -user {{ newown }} -regextype posix-extended
-regex "^.*System\.map.*$"
register: files_found
changed_when: false
@@ -17,7 +44,7 @@
- name: Ensure owner on /boot/ file(s) matching ^.*System\.map.*$
file:
path: '{{ item }}'
- owner: '0'
+ owner: '{{ newown }}'
state: file
with_items:
- '{{ files_found.stdout_lines }}'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group
@@ -1 +1,4 @@
-chown 0 /etc/group-
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+chown $newown /etc/group-
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group
@@ -1,3 +1,38 @@
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ tags:
+ - CCE-83473-9
+ - NIST-800-53-AC-6 (1)
+ - PCI-DSS-Req-8.7.c
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_backup_etc_group
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when: ansible_facts.getent_passwd["0"] is defined
+ tags:
+ - CCE-83473-9
+ - NIST-800-53-AC-6 (1)
+ - PCI-DSS-Req-8.7.c
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_backup_etc_group
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/group-
stat:
path: /etc/group-
@@ -15,10 +50,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/group-
+- name: Ensure owner on /etc/group-
file:
path: /etc/group-
- owner: '0'
+ owner: '{{ newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83473-9
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow
@@ -1 +1,4 @@
-chown 0 /etc/gshadow-
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+chown $newown /etc/gshadow-
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow
@@ -1,3 +1,34 @@
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ tags:
+ - CCE-83533-0
+ - NIST-800-53-AC-6 (1)
+ - PCI-DSS-Req-8.7
+ - configure_strategy
+ - file_owner_backup_etc_gshadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when: ansible_facts.getent_passwd["0"] is defined
+ tags:
+ - CCE-83533-0
+ - NIST-800-53-AC-6 (1)
+ - PCI-DSS-Req-8.7
+ - configure_strategy
+ - file_owner_backup_etc_gshadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/gshadow-
stat:
path: /etc/gshadow-
@@ -13,10 +44,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/gshadow-
+- name: Ensure owner on /etc/gshadow-
file:
path: /etc/gshadow-
- owner: '0'
+ owner: '{{ newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83533-0
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd
@@ -1 +1,4 @@
-chown 0 /etc/passwd-
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+chown $newown /etc/passwd-
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd
@@ -1,3 +1,38 @@
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ tags:
+ - CCE-83326-9
+ - NIST-800-53-AC-6 (1)
+ - PCI-DSS-Req-8.7.c
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_backup_etc_passwd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when: ansible_facts.getent_passwd["0"] is defined
+ tags:
+ - CCE-83326-9
+ - NIST-800-53-AC-6 (1)
+ - PCI-DSS-Req-8.7.c
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_backup_etc_passwd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/passwd-
stat:
path: /etc/passwd-
@@ -15,10 +50,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/passwd-
+- name: Ensure owner on /etc/passwd-
file:
path: /etc/passwd-
- owner: '0'
+ owner: '{{ newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83326-9
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow
@@ -1 +1,4 @@
-chown 0 /etc/shadow-
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+chown $newown /etc/shadow-
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow
@@ -1,3 +1,38 @@
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ tags:
+ - CCE-83413-5
+ - NIST-800-53-AC-6 (1)
+ - PCI-DSS-Req-8.7.c
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_backup_etc_shadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when: ansible_facts.getent_passwd["0"] is defined
+ tags:
+ - CCE-83413-5
+ - NIST-800-53-AC-6 (1)
+ - PCI-DSS-Req-8.7.c
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_backup_etc_shadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/shadow-
stat:
path: /etc/shadow-
@@ -15,10 +50,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/shadow-
+- name: Ensure owner on /etc/shadow-
file:
path: /etc/shadow-
- owner: '0'
+ owner: '{{ newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83413-5
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_group' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_group
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_group
@@ -1 +1,4 @@
-chown 0 /etc/group
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+chown $newown /etc/group
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_group' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_group
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_group
@@ -1,3 +1,42 @@
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ tags:
+ - CCE-80801-4
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_etc_group
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when: ansible_facts.getent_passwd["0"] is defined
+ tags:
+ - CCE-80801-4
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_etc_group
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/group
stat:
path: /etc/group
@@ -17,10 +56,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/group
+- name: Ensure owner on /etc/group
file:
path: /etc/group
- owner: '0'
+ owner: '{{ newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-80801-4
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow
@@ -1 +1,4 @@
-chown 0 /etc/gshadow
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+chown $newown /etc/gshadow
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow
@@ -1,3 +1,34 @@
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ tags:
+ - CCE-80802-2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_owner_etc_gshadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when: ansible_facts.getent_passwd["0"] is defined
+ tags:
+ - CCE-80802-2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_owner_etc_gshadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/gshadow
stat:
path: /etc/gshadow
@@ -13,10 +44,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/gshadow
+- name: Ensure owner on /etc/gshadow
file:
path: /etc/gshadow
- owner: '0'
+ owner: '{{ newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-80802-2
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_passwd' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
@@ -1 +1,4 @@
-chown 0 /etc/passwd
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+chown $newown /etc/passwd
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_passwd' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
@@ -1,3 +1,42 @@
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ tags:
+ - CCE-80803-0
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_etc_passwd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when: ansible_facts.getent_passwd["0"] is defined
+ tags:
+ - CCE-80803-0
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_etc_passwd
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/passwd
stat:
path: /etc/passwd
@@ -17,10 +56,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/passwd
+- name: Ensure owner on /etc/passwd
file:
path: /etc/passwd
- owner: '0'
+ owner: '{{ newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-80803-0
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_shadow' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_shadow
@@ -1 +1,4 @@
-chown 0 /etc/shadow
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+chown $newown /etc/shadow
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_shadow' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_shadow
@@ -1,3 +1,42 @@
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ tags:
+ - CCE-80804-8
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_etc_shadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when: ansible_facts.getent_passwd["0"] is defined
+ tags:
+ - CCE-80804-8
+ - CJIS-5.5.2.2
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-8.7.c
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - configure_strategy
+ - file_owner_etc_shadow
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/shadow
stat:
path: /etc/shadow
@@ -17,10 +56,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/shadow
+- name: Ensure owner on /etc/shadow
file:
path: /etc/shadow
- owner: '0'
+ owner: '{{ newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-80804-8
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_shells' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_shells
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_shells
@@ -1 +1,4 @@
-chown 0 /etc/shells
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+chown $newown /etc/shells
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_shells' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_shells
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_shells
@@ -1,3 +1,34 @@
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ tags:
+ - CCE-87055-0
+ - NIST-800-53-AC-3
+ - NIST-800-53-MP-2
+ - configure_strategy
+ - file_owner_etc_shells
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when: ansible_facts.getent_passwd["0"] is defined
+ tags:
+ - CCE-87055-0
+ - NIST-800-53-AC-3
+ - NIST-800-53-MP-2
+ - configure_strategy
+ - file_owner_etc_shells
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /etc/shells
stat:
path: /etc/shells
@@ -13,10 +44,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /etc/shells
+- name: Ensure owner on /etc/shells
file:
path: /etc/shells
- owner: '0'
+ owner: '{{ newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-87055-0
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_var_log' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_var_log
+++ xccdf_org.ssgproject.content_rule_file_owner_var_log
@@ -1 +1,4 @@
-find -H /var/log/ -maxdepth 1 -type d -exec chown -L 0 {} \;
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+find -H /var/log/ -maxdepth 1 -type d ! -user 0 -exec chown -L $newown {} \;
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_var_log' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_var_log
+++ xccdf_org.ssgproject.content_rule_file_owner_var_log
@@ -1,8 +1,8 @@
-- name: Ensure owner on directory /var/log/
- file:
- path: /var/log/
- state: directory
- owner: '0'
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
tags:
- CCE-83661-9
- DISA-STIG-RHEL-08-010250
@@ -12,3 +12,32 @@
- low_disruption
- medium_severity
- no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when: ansible_facts.getent_passwd["0"] is defined
+ tags:
+ - CCE-83661-9
+ - DISA-STIG-RHEL-08-010250
+ - configure_strategy
+ - file_owner_var_log
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Ensure owner on directory /var/log/
+ file:
+ path: /var/log/
+ state: directory
+ owner: '{{ newown }}'
+ tags:
+ - CCE-83661-9
+ - DISA-STIG-RHEL-08-010250
+ - configure_strategy
+ - file_owner_var_log
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_var_log_messages' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_var_log_messages
+++ xccdf_org.ssgproject.content_rule_file_owner_var_log_messages
@@ -1,3 +1,32 @@
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ tags:
+ - CCE-83662-7
+ - DISA-STIG-RHEL-08-010220
+ - configure_strategy
+ - file_owner_var_log_messages
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when: ansible_facts.getent_passwd["0"] is defined
+ tags:
+ - CCE-83662-7
+ - DISA-STIG-RHEL-08-010220
+ - configure_strategy
+ - file_owner_var_log_messages
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Test for existence /var/log/messages
stat:
path: /var/log/messages
@@ -12,10 +41,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner 0 on /var/log/messages
+- name: Ensure owner on /var/log/messages
file:
path: /var/log/messages
- owner: '0'
+ owner: '{{ newown }}'
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83662-7
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog
+++ xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog
@@ -1,6 +1,34 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - configure_strategy
+ - file_owner_var_log_syslog
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Check that the syslog user is defined
+ getent:
+ database: passwd
+ key: syslog
+ ignore_errors: true
+ when: '"rsyslog" in ansible_facts.packages'
+ tags:
+ - configure_strategy
+ - file_owner_var_log_syslog
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if syslog found
+ set_fact:
+ newown: syslog
+ when:
+ - '"rsyslog" in ansible_facts.packages'
+ - ansible_facts.getent_passwd["syslog"] is defined
tags:
- configure_strategy
- file_owner_var_log_syslog
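Review bot: This is the rule where the new guard actually carries weight, and it shows the gap: on a host without a `syslog` account (any rsyslog installation that runs as root) the `set_fact` is skipped, `newown` stays undefined and the `file` task in the next hunk fails on `{{ newown }}` rather than skipping cleanly. Note also that the lookup by name works here because `getent_passwd` is keyed by login name; the rules that look up by UID `0` do not get the same benefit. Consider guarding the `file` task with `newown is defined` or failing early with a message that names the missing account.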
@@ -22,10 +50,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner syslog on /var/log/syslog
+- name: Ensure owner on /var/log/syslog
file:
path: /var/log/syslog
- owner: syslog
+ owner: '{{ newown }}'
when:
- '"rsyslog" in ansible_facts.packages'
- file_exists.stat is defined and file_exists.stat.exists
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dir_ownership_binary_dirs' differs.
--- xccdf_org.ssgproject.content_rule_dir_ownership_binary_dirs
+++ xccdf_org.ssgproject.content_rule_dir_ownership_binary_dirs
@@ -1,6 +1,9 @@
-find -H /bin/ -type d -exec chown -L 0 {} \;
-find -H /sbin/ -type d -exec chown -L 0 {} \;
-find -H /usr/bin/ -type d -exec chown -L 0 {} \;
-find -H /usr/sbin/ -type d -exec chown -L 0 {} \;
-find -H /usr/local/bin/ -type d -exec chown -L 0 {} \;
-find -H /usr/local/sbin/ -type d -exec chown -L 0 {} \;
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+find -H /bin/ -type d ! -user 0 -exec chown -L $newown {} \;
+find -H /sbin/ -type d ! -user 0 -exec chown -L $newown {} \;
+find -H /usr/bin/ -type d ! -user 0 -exec chown -L $newown {} \;
+find -H /usr/sbin/ -type d ! -user 0 -exec chown -L $newown {} \;
+find -H /usr/local/bin/ -type d ! -user 0 -exec chown -L $newown {} \;
+find -H /usr/local/sbin/ -type d ! -user 0 -exec chown -L $newown {} \;
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_dir_ownership_binary_dirs' differs.
--- xccdf_org.ssgproject.content_rule_dir_ownership_binary_dirs
+++ xccdf_org.ssgproject.content_rule_dir_ownership_binary_dirs
@@ -1,9 +1,34 @@
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ tags:
+ - configure_strategy
+ - dir_ownership_binary_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when: ansible_facts.getent_passwd["0"] is defined
+ tags:
+ - configure_strategy
+ - dir_ownership_binary_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Ensure owner on directory /bin/ recursively
file:
path: /bin/
state: directory
recurse: true
- owner: '0'
+ owner: '{{ newown }}'
tags:
- configure_strategy
- dir_ownership_binary_dirs
@@ -17,7 +42,7 @@
path: /sbin/
state: directory
recurse: true
- owner: '0'
+ owner: '{{ newown }}'
tags:
- configure_strategy
- dir_ownership_binary_dirs
@@ -31,7 +56,7 @@
path: /usr/bin/
state: directory
recurse: true
- owner: '0'
+ owner: '{{ newown }}'
tags:
- configure_strategy
- dir_ownership_binary_dirs
@@ -45,7 +70,7 @@
path: /usr/sbin/
state: directory
recurse: true
- owner: '0'
+ owner: '{{ newown }}'
tags:
- configure_strategy
- dir_ownership_binary_dirs
@@ -59,7 +84,7 @@
path: /usr/local/bin/
state: directory
recurse: true
- owner: '0'
+ owner: '{{ newown }}'
tags:
- configure_strategy
- dir_ownership_binary_dirs
@@ -73,7 +98,7 @@
path: /usr/local/sbin/
state: directory
recurse: true
- owner: '0'
+ owner: '{{ newown }}'
tags:
- configure_strategy
- dir_ownership_binary_dirs
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs' differs.
--- xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs
+++ xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs
@@ -1,4 +1,7 @@
-find -H /lib/ -type d -exec chown -L 0 {} \;
-find -H /lib64/ -type d -exec chown -L 0 {} \;
-find -H /usr/lib/ -type d -exec chown -L 0 {} \;
-find -H /usr/lib64/ -type d -exec chown -L 0 {} \;
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+find -H /lib/ -type d ! -user 0 -exec chown -L $newown {} \;
+find -H /lib64/ -type d ! -user 0 -exec chown -L $newown {} \;
+find -H /usr/lib/ -type d ! -user 0 -exec chown -L $newown {} \;
+find -H /usr/lib64/ -type d ! -user 0 -exec chown -L $newown {} \;
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs' differs.
--- xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs
+++ xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs
@@ -1,9 +1,42 @@
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ tags:
+ - CCE-89021-0
+ - DISA-STIG-RHEL-08-010341
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - configure_strategy
+ - dir_ownership_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when: ansible_facts.getent_passwd["0"] is defined
+ tags:
+ - CCE-89021-0
+ - DISA-STIG-RHEL-08-010341
+ - NIST-800-53-CM-5(6)
+ - NIST-800-53-CM-5(6).1
+ - configure_strategy
+ - dir_ownership_library_dirs
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
- name: Ensure owner on directory /lib/ recursively
file:
path: /lib/
state: directory
recurse: true
- owner: '0'
+ owner: '{{ newown }}'
tags:
- CCE-89021-0
- DISA-STIG-RHEL-08-010341
@@ -21,7 +54,7 @@
path: /lib64/
state: directory
recurse: true
- owner: '0'
+ owner: '{{ newown }}'
tags:
- CCE-89021-0
- DISA-STIG-RHEL-08-010341
@@ -39,7 +72,7 @@
path: /usr/lib/
state: directory
recurse: true
- owner: '0'
+ owner: '{{ newown }}'
tags:
- CCE-89021-0
- DISA-STIG-RHEL-08-010341
@@ -57,7 +90,7 @@
path: /usr/lib64/
state: directory
recurse: true
- owner: '0'
+ owner: '{{ newown }}'
tags:
- CCE-89021-0
- DISA-STIG-RHEL-08-010341
bash remediation for rule 'xccdf_org.ssgproject.content_rule_directory_owner_etc_sysctld' differs.
--- xccdf_org.ssgproject.content_rule_directory_owner_etc_sysctld
+++ xccdf_org.ssgproject.content_rule_directory_owner_etc_sysctld
@@ -1,7 +1,10 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
-find -H /etc/sysctl.d/ -maxdepth 1 -type d -exec chown -L 0 {} \;
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
+find -H /etc/sysctl.d/ -maxdepth 1 -type d ! -user 0 -exec chown -L $newown {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_directory_owner_etc_sysctld' differs.
--- xccdf_org.ssgproject.content_rule_directory_owner_etc_sysctld
+++ xccdf_org.ssgproject.content_rule_directory_owner_etc_sysctld
@@ -1,6 +1,36 @@
- name: Gather the package facts
package_facts:
manager: auto
+ tags:
+ - CCE-86329-0
+ - configure_strategy
+ - directory_owner_etc_sysctld
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Check that the 0 user is defined
+ getent:
+ database: passwd
+ key: 0
+ ignore_errors: true
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-86329-0
+ - configure_strategy
+ - directory_owner_etc_sysctld
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+
+- name: Set the newown variable if 0 found
+ set_fact:
+ newown: '0'
+ when:
+ - '"kernel" in ansible_facts.packages'
+ - ansible_facts.getent_passwd["0"] is defined
tags:
- CCE-86329-0
- configure_strategy
@@ -14,7 +44,7 @@
file:
path: /etc/sysctl.d/
state: directory
- owner: '0'
+ owner: '{{ newown }}'
when: '"kernel" in ansible_facts.packages'
tags:
- CCE-86329-0
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_library_dirs' differs.
--- xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
+++ xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
@@ -1,8 +1,11 @@
+if id "0" >/dev/null 2>&1; then
+ newown="0"
+fi
-find /lib/ -type f ! -user 0 -regextype posix-extended -regex '^.*$' -exec chown -L 0 {} \;
+find /lib/ -type f ! -user 0 -regextype posix-extended -regex '^.*$' -exec chown -L $newown {} \;
-find /lib64/ -type f ! -user 0 -regextype posix-extended -regex '^.*$' -exec chown -L 0 {} \;
+find /lib64/ -type f ! -user 0 -regextype posix-extended -regex '^.*$' -exec chown -L $newown {} \;
-find /usr/lib/ -type f ! -user 0 -regextype posix-extended -regex '^.*$' -exec chown -L 0 {} \;
+find /usr/lib/ -type f ! -user 0 -regextype posix-extended -regex '^.*$' -exec chown -L $newown {} \;
-find /usr/lib64/ -type f ! -user 0 -regextype posix-extended -regex '^.*$' -exec chown -L 0 {} \;
+find /usr/lib64/ -type f ! -user 0 -regextype posix-extended -regex '^.*$' -exec chown -L $newown {} \;
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_ownership_library_dirs' differs.
--- xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
+++ xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
@@ -1,5 +1,43 @@
+- name: Check that the
... The diff is trimmed here ...
Change in Ansible: Please consider using more suitable Ansible module than