Optionally search for world-writable files

The search for world-writable files is very intensive and causes some long delays when running playbooks. This patch makes it optional and updates the documentation to match. Change-Id: I206f75597c48023a889bd7027daff2eff82b1a16
2017-10-30 13:56:13 -05:00 · 2017-10-30 13:56:13 -05:00 · a84b6847fc
parent 75f78685e8
commit a84b6847fc
4 changed files with 24 additions and 1 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -207,6 +207,8 @@ security_search_for_invalid_owner: no                        # V-72007
 security_search_for_invalid_group_owner: no                  # V-72009
 # Set user/group owners on each home directory and set mode to 0750.
 security_set_home_directory_permissions_and_owners: no       # V-72017 / V-72019 / V-72021
+# Find all world-writable directories and display them.
+security_find_world_writable_dirs: no                        # V-72047

 ## Graphical interfaces (graphical)
 # Disable automatic gdm logins
--- a/doc/metadata/rhel7/V-72047.rst
+++ b/doc/metadata/rhel7/V-72047.rst
@ -1,6 +1,6 @@
 ---
 id: V-72047
-status: implemented
+status: opt-in
 tag: file_perms
 ---

@ -11,3 +11,14 @@ user. Those directories appear in the Ansible output.
 Deployers should review the list of directories and group owners to ensure
 that they are appropriate for the directory. Unauthorized group ownership
 could allow certain users to modify files from other users.
+
+Searching the entire filesystem for world-writable directories will consume
+a significant amount of disk I/O and could impact the performance of a
+production system. It can also delay the playbook's completion. Therefore,
+the search is disabled by default.
+
+Deployers can enable the search by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_find_world_writable_dirs: yes
--- a/releasenotes/notes/world-writable-file-search-optional-7420269230a0e22f.yaml
+++ b/releasenotes/notes/world-writable-file-search-optional-7420269230a0e22f.yaml
@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Searching for world-writable files is now disabled by default. The search
+    causes delays in playbook runs and it can consume a significant amount of
+    CPU and I/O resources. Deployers can re-enable the search by setting
+    ``security_find_world_writable_dirs`` to ``yes``.
--- a/tasks/rhel7stig/file_perms.yml
+++ b/tasks/rhel7stig/file_perms.yml
@ -123,6 +123,8 @@
  changed_when: False
  failed_when: False
  check_mode: no
+  when:
+    - security_find_world_writable_dirs | bool
  tags:
    - always

@ -133,6 +135,7 @@
      {{ world_writable_dirs.stdout }}
  when:
    - world_writable_dirs is defined
+    - not world_writable_dirs | skipped
  tags:
    - medium
    - file_perms