/home/zuul/src/opendev.org/openstack/ansible-hardening/tasks/rhel7stig/file_perms.yml
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

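- name: V-71849 - Get packages with incorrect file permissions or ownership
  # rpmverify.txt is expected to hold 'rpm -V' style output: an attribute
  # column (S M 5 D L U G T P, '.' where unchanged) followed by the path as
  # the last field.  Matching only '^.M' (mode differs) skipped files whose
  # sole deviation is the user owner (column 6) or group owner (column 7),
  # so those columns are matched as well; awk keeps just the path.
  # Despite the task name, the registered list holds file paths; the next
  # task maps each path to its package with 'rpm -qf'.
  # The pipeline's status is awk's, so "no matching lines" does not fail
  # the task.  The path is single-quoted so a temp_dir containing spaces
  # still reaches grep as one argument.
  shell: "grep -E '^(.M|.....U|......G)' '{{ temp_dir }}/rpmverify.txt' | awk '{ print $NF }'"
  args:
    warn: false
  register: rpmverify_package_list
  changed_when: false
  when:
    - not check_mode | bool
    - ansible_pkg_mgr in ['yum', 'zypper']
    - security_reset_perm_ownership | bool
  tags:
    - file_perms
    - high
    - V-71849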

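- name: V-71849 - Reset file permissions/ownership to vendor values
  # For every (flag, path) pair, look up the owning package and ask rpm to
  # restore that package's vendor permissions (--setperms) or user/group
  # ownership (--setugids).  The path is shell-quoted with Ansible's
  # 'quote' filter so a name containing whitespace or shell metacharacters
  # reaches 'rpm -qf' as a single argument instead of being split.
  shell: "rpm {{ item[0] }} $(rpm -qf {{ item[1] | quote }})"
  args:
    warn: false
  changed_when: false
  with_nested:
    - ['--setperms', '--setugids']
    - "{{ rpmverify_package_list.stdout_lines | default([]) }}"
  # stdout_lines is guarded explicitly (as the later report tasks do) so a
  # skipped search task, which registers no stdout_lines, cannot raise an
  # undefined-attribute error here.
  when:
    - not check_mode | bool
    - ansible_pkg_mgr in ['yum', 'zypper']
    - rpmverify_package_list is defined
    - rpmverify_package_list.stdout_lines is defined
    - rpmverify_package_list.stdout_lines | length > 0
  # Each rpm call is started in the background and not polled in this file,
  # so a failing reset is not surfaced by this task; 300 s only bounds how
  # long a background job may run.
  async: 300
  poll: 0
  tags:
    - file_perms
    - high
    - V-71849
    # don't trigger ANSIBLE0013
    - skip_ansible_lint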

- name: Search for files/directories with an invalid owner
  # Collects, one per line, every path whose owning uid has no entry in the
  # user database.  -xdev keeps find on the filesystem that holds '/', so
  # separately mounted local filesystems are not searched.
  # NOTE(review): confirm that GNU find on the targets accepts '-fstype
  # local'; an unrecognised type matches nothing and would silently leave
  # the result empty.
  command: >-
    find / -xdev -nouser -fstype local
  args:
    warn: false
  changed_when: false
  register: invalid_owner_files
  when: security_search_for_invalid_owner | bool
  tags:
    - always

- name: V-72007 - All files and directories must have a valid owner.
  # Report-only task: echoes the paths gathered by the preceding search so
  # the operator can assign an owner.  Nothing is changed on the host.
  # Skipped when the search did not run (a skipped task registers no
  # stdout_lines) or found nothing.
  when: >-
    invalid_owner_files is defined
    and invalid_owner_files.stdout_lines is defined
    and invalid_owner_files.stdout_lines | length > 0
  debug:
    msg: |
      Files and directories were found that are owned by an invalid user:
      {{ invalid_owner_files.stdout_lines | join('\n') }}
  tags:
    - file_perms
    - medium
    - V-72007

- name: Search for files/directories with an invalid group owner
  # Same walk as the owner search, but for paths whose owning gid has no
  # entry in the group database.  -xdev confines the search to the
  # filesystem holding '/'.
  # NOTE(review): as above, verify that '-fstype local' is understood by
  # the targets' find; an unknown type matches nothing.
  command: >-
    find / -xdev -nogroup -fstype local
  args:
    warn: false
  changed_when: false
  register: invalid_group_owner_files
  when: security_search_for_invalid_group_owner | bool
  tags:
    - always

- name: V-72009 - All files and directories must have a valid group owner.
  # Report-only: lists the paths the group-owner search collected; the
  # operator has to assign a valid group.  Skipped when the search did not
  # run or returned nothing.
  when: >-
    invalid_group_owner_files is defined
    and invalid_group_owner_files.stdout_lines is defined
    and invalid_group_owner_files.stdout_lines | length > 0
  debug:
    msg: |
      Files and directories were found that are owned by an invalid group:
      {{ invalid_group_owner_files.stdout_lines | join('\n') }}
  tags:
    - file_perms
    - medium
    - V-72009

- name: Set proper owner, group owner, and permissions on home directories
  # Applies to each entry of user_list.users with a uid above 999 (both the
  # selectattr filter and the first condition enforce this), excluding
  # 'nobody'.  Symbolic mode: drop group write and setgid, and every
  # 'other' bit including the sticky bit; owner bits are left untouched.
  # NOTE(review): user_list.users is registered elsewhere in the role; the
  # entries are assumed to carry 'dir', 'name', 'uid' and 'group.name' —
  # verify against the task that produces it.
  # NOTE(review): the file module follows symlinks by default, so a home
  # directory that is itself a symlink would have its target modified —
  # confirm that is intended.
  file:
    dest: "{{ item.dir }}"
    owner: "{{ item.name }}"
    group: "{{ item.group.name }}"
    mode: "g-ws,o-rwxt"
  with_items: "{{ user_list.users | selectattr('uid', 'greaterthan', 999) | list }}"
  when:
    - item.uid >= 1000
    - item.name != 'nobody'
    - security_set_home_directory_permissions_and_owners | bool
  tags:
    - medium
    - file_perms
    - V-72017
    - V-72019
    - V-72021

- name: Find all world-writable directories
  # Walks the whole tree (no -xdev here, unlike the owner/group searches
  # above, so every mounted filesystem is crossed), runs 'ls' on each
  # directory with the world-write bit, and keeps only the group-owner and
  # path columns, dropping lines whose group is root.  The exit status is
  # ignored because 'grep -v' exits 1 when nothing survives the filter;
  # the task also runs in check mode since it only reads.
  shell: >-
    find / -perm -002 -type d -exec ls -lLd {} \; |
    tr -s ' ' | cut -d' ' -f 4,9 | grep -v ^root
  changed_when: false
  failed_when: false
  check_mode: false
  register: world_writable_dirs
  when: security_find_world_writable_dirs | bool
  tags:
    - always

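- name: V-72047 - All world-writable directories must be group-owned by root, sys, bin, or an application group.
  # Report-only: shows the "group path" lines from the world-writable
  # search for the operator to review.  The search task never fails, so
  # its stdout may simply be empty; like the other report tasks in this
  # file, the message is only shown when something was actually found.
  debug:
    msg: |
      The group owners on the following world-writable directories should be examined:
      {{ world_writable_dirs.stdout }}
  when:
    - world_writable_dirs is defined
    - world_writable_dirs is not skipped
    - world_writable_dirs.stdout_lines is defined
    - world_writable_dirs.stdout_lines | length > 0
  tags:
    - medium
    - file_perms
    - V-72047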

- name: Check if /etc/cron.allow exists
  # Always runs (tag 'always') so the ownership task that follows can rely
  # on cron_allow_check.stat.exists even when only a tag subset is selected.
  tags:
    - always
  stat:
    path: /etc/cron.allow
  register: cron_allow_check

- name: Set owner/group owner on /etc/cron.allow
  # Sets owner and group to root on the file only when the preceding stat
  # found it; the file's mode is deliberately left as-is.
  file:
    path: /etc/cron.allow
    owner: root
    group: root
  when: cron_allow_check is defined and cron_allow_check.stat.exists
  tags:
    - medium
    - file_perms
    - V-72053
    - V-72055