openstack/ansible-hardening
Code Issues Proposed changes

Disable file perm/ownership reset

Browse Source 
Although setting file permissions and ownership based on the contents
of the RPM database is a good practice, it causes significant
deployment delays and can cause issues if a system administrator has
intentionally changed file permissions or ownership to meet their
specific needs.

This patch disables the tasks that set the permissions/ownership back
to their original values but leaves them enabled in the gate job.

Change-Id: I185f6755d9bddf58e23d6512f4728522c36306c0
This commit is contained in:
Major Hayden 2017-03-03 10:30:49 -06:00
parent 00b687dbae
commit 7caec98c14
4 changed files with 16 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
defaults/main.yml
View File

@ -510,7 +510,7 @@ security_rhel7_remove_shosts_files: yes # RHEL-07-040330
## File permissions (file_perms) ## File permissions (file_perms)
# Reset file permissions and ownership for files installed via RPM packages. # Reset file permissions and ownership for files installed via RPM packages.
security_reset_perm_ownership: yes # RHEL-07-010010 security_reset_perm_ownership: no # RHEL-07-010010
# Search for files/directories owned by invalid users or groups. # Search for files/directories owned by invalid users or groups.
security_search_for_invalid_owner: no # RHEL-07-020360 security_search_for_invalid_owner: no # RHEL-07-020360
security_search_for_invalid_group_owner: no # RHEL-07-020370 security_search_for_invalid_group_owner: no # RHEL-07-020370

11
doc/metadata/rhel7/RHEL-07-010010.rst
View File

@ -1,6 +1,6 @@
--- ---
id: RHEL-07-010010 id: RHEL-07-010010
status: implemented - red hat only status: opt-in
tag: file_perms tag: file_perms
--- ---
@ -14,8 +14,13 @@ The STIG requires that all files owned by an installed package must have their
permissions, user ownership, and group ownership set back to the vendor permissions, user ownership, and group ownership set back to the vendor
defaults. defaults.
Deployers may opt-out of the change by setting the following Ansible variable: Although this is a good practice, it can cause issues if permissions or
ownership were intentionally set after the packages were installed. It also
causes significant delays in deployments. Therefore, this STIG is not applied
by default.
Deployers may opt in for the change by setting the following Ansible variable:
.. code-block:: yaml .. code-block:: yaml
security_reset_perm_ownership: no security_reset_perm_ownership: yes

6
releasenotes/notes/disable-rpm-perms-fix-by-default-b164e39717f0ada7.yaml Normal file
View File

@ -0,0 +1,6 @@
---
security:
- |
The security role will no longer fix file permissions and ownership based
on the contents of the RPM database by default. Deployers can opt in for
these changes by setting ``security_reset_perm_ownership`` to ``yes``.

1
tests/test.yml
View File

@ -95,3 +95,4 @@
security_rhel7_initialize_aide: yes security_rhel7_initialize_aide: yes
security_require_grub_authentication: yes security_require_grub_authentication: yes
security_set_home_directory_permissions_and_owners_recursively: no security_set_home_directory_permissions_and_owners_recursively: no
security_reset_perm_ownership: yes