updated file mode
Signed-off-by: Mark Bolwell <[email protected]>
uk-bolly committed Dec 17, 2024
1 parent 045e81b commit 17b0a56
Showing 7 changed files with 37 additions and 40 deletions.
4 changes: 2 additions & 2 deletions tasks/Cat2/RHEL-09-21xxxx.yml
Expand Up @@ -47,7 +47,7 @@
content: "{{ rhel9stig_logon_banner }}"
dest: "{{ item }}"
group: root
mode: '0644'
mode: 'u-x,go-wx'
owner: root
notify: Sshd_restart
loop:
Expand Down Expand Up @@ -158,7 +158,7 @@
owner: root
src: "{{ item.file }}.j2"
loop:
- { file: 'boot/grub2/user.cfg', mode: '0644' }
- { file: 'boot/grub2/user.cfg', mode: 'u-x,go-wx' }

- name: "MEDIUM | RHEL-09-212010 | AUDIT | RHEL 9 must require a boot loader superuser password.| warning"
when: not rhel9stig_set_bootloader_password
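Review bot: The `u-x,go-wx` values that replace `'0644'` in both hunks (the logon-banner copy and the grub2 user.cfg template) are relative modes, so the resulting permissions depend on whatever mode the destination has when the task runs; for a copy/template destination that does not yet exist, Ansible appears to derive that starting mode from the remote user's umask, and the fixed 0644 the old value guaranteed is gone. With a hardened umask of 077 the new file starts at 0600 and `u-x,go-wx` leaves it there — harmless for these root-read files, but the same substitution in RHEL-09-25xxxx (/etc/chrony.conf, /etc/resolv.conf), RHEL-09-27xxxx and RHEL-09-61xxxx (`create: true` edits) and RHEL-09-4xxxxx (/etc/profile.d/tmux.sh, tmout.sh, /etc/tmux.conf) would leave files that every user and daemon must read unreadable to non-root, silently defeating those controls. Where a file has to be world-readable, keep an absolute mode (`mode: '0644'`, or `'0755'` for the profile.d scripts) or state the full intent (`mode: 'u=rw,go=r'`) instead of only subtracting bits. The enclosing tasks start outside the hunks.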
37 changes: 18 additions & 19 deletions tasks/Cat2/RHEL-09-23xxxx.yml
Expand Up @@ -871,7 +871,7 @@
- name: "MEDIUM | RHEL-09-232010 | PATCH | RHEL 9 system commands must have mode 755 or less permissive."
when: rhel9stig_system_command_permissions.stdout | length > 0
ansible.builtin.file:
mode: '0755'
mode: 'u+x,go-w'
path: "{{ item }}"
loop:
- "{{ rhel9stig_system_command_permissions.stdout_lines }}"
Expand All @@ -898,7 +898,7 @@
- name: "MEDIUM | RHEL-09-232015 | PATCH | RHEL 9 library directories must have mode 755 or less permissive."
when: rhel9stig_library_directory_perms.stdout | length > 0
ansible.builtin.file:
mode: '0755'
mode: 'u+x,go-w'
path: "{{ item }}"
loop:
- "{{ rhel9stig_library_directory_perms.stdout_lines }}"
Expand All @@ -925,7 +925,7 @@
- name: "MEDIUM | RHEL-09-232020 | PATCH | RHEL 9 library files must have mode 755 or less permissive."
when: rhel9stig_library_directory_perms.stdout | length > 0
ansible.builtin.file:
mode: '0755'
mode: 'u+x,go-w'
path: "{{ item }}"
loop: "{{ rhel9stig_library_directory_perms.stdout_lines }}"

Expand All @@ -942,7 +942,7 @@
- V-257885
- NIST800-53R4_SI-11
ansible.builtin.file:
mode: u=rwx,g-w,o-w
mode: 'u+x,go-w'
modification_time: preserve
path: /var/log
state: directory
Expand All @@ -960,7 +960,7 @@
- V-257886
- NIST800-53R4_SI-11
ansible.builtin.file:
mode: u=rw,g-wx,o-rwx
mode: 'u-x,g-wx,o-rwx'
modification_time: preserve
path: /var/log/messages
state: file
Expand All @@ -977,7 +977,7 @@
- V-257887
- NIST800-53R4_AU-9
ansible.builtin.file:
mode: u=rwx,g-w,o-w
mode: 'u+x,go-w'
modification_time: preserve
owner: root
path: "{{ item }}"
Expand All @@ -1002,7 +1002,7 @@
- V-257888
- NIST800-53R4_CM-6
ansible.builtin.file:
mode: u=rwx,go-rwx
mode: 'u+x,go-rwx'
modification_time: preserve
owner: root
path: "/etc/{{ item }}"
Expand Down Expand Up @@ -1039,7 +1039,7 @@
- name: "MEDIUM | RHEL-09-232045 | AUDIT | All RHEL 9 local initialization files must have mode 0740 or less permissive. | update permissions"
ansible.builtin.file:
path: "{{ item.path }}"
mode: g-wx,o-rwx
mode: 'g-wx,o-rwx'
follow: false
loop: "{{ user_dot_files.files }}"
loop_control:
Expand Down Expand Up @@ -1067,11 +1067,10 @@
- name: "MEDIUM | RHEL-09-232050 | PATCH | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. | amend if needed"
when:
- item.stat.path is defined
- item.stat.mode > '0750'
ansible.builtin.file:
path: "{{ item.stat.path }}"
state: directory
mode: u=rwx,g-w,o-rwx
mode: 'u+x,g-w,o-rwx'
loop: "{{ rhel9stig_home_dir_perms.results }}"
loop_control:
label: "{{ item }}"
Expand Down Expand Up @@ -1117,7 +1116,7 @@
- V-257891
- NIST800-53R4_CM-6
ansible.builtin.file:
mode: u=rw,go-wx
mode: 'u-x,go-wx'
path: /etc/group

- name: "MEDIUM | RHEL-09-232060 | PATCH | RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access."
Expand All @@ -1132,7 +1131,7 @@
- V-257892
- NIST800-53R4_CM-6
ansible.builtin.file:
mode: u=rw,go-wx
mode: 'u-x,go-wx'
path: /etc/group-

- name: "MEDIUM | RHEL-09-232065 | PATCH | RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access."
Expand All @@ -1147,7 +1146,7 @@
- V-257893
- NIST800-53R4_CM-6
ansible.builtin.file:
mode: '0000'
mode: 'ugo-rwx'
path: /etc/gshadow

- name: "MEDIUM | RHEL-09-232070 | PATCH | RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access."
Expand All @@ -1162,7 +1161,7 @@
- V-257894
- NIST800-53R4_CM-6
ansible.builtin.file:
mode: '0000'
mode: 'ugo-rwx'
path: /etc/gshadow-

- name: "MEDIUM | RHEL-09-232075 | PATCH | RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access."
Expand All @@ -1177,7 +1176,7 @@
- V-257895
- NIST800-53R4_CM-6
ansible.builtin.file:
mode: u=rw,go-wx
mode: 'u-x,go-wx'
path: /etc/passwd

- name: "MEDIUM | RHEL-09-232080 | PATCH | RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access."
Expand All @@ -1192,7 +1191,7 @@
- V-257896
- NIST800-53R4_CM-6
ansible.builtin.file:
mode: u=rw,go-wx
mode: 'u-x,go-wx'
path: /etc/passwd-

- name: "MEDIUM | RHEL-09-232085 | PATCH | RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access."
Expand All @@ -1207,7 +1206,7 @@
- V-257897
- NIST800-53R4_CM-6
ansible.builtin.file:
mode: '0000'
mode: 'ugo-rwx'
path: /etc/shadow-

- name: "MEDIUM | RHEL-09-232090 | PATCH | RHEL 9 /etc/group file must be owned by root."
Expand Down Expand Up @@ -1996,7 +1995,7 @@
- NIST800-53R4_CM-6
ansible.builtin.file:
path: /etc/crontab
mode: '0600'
mode: 'u-x,go-rwx'

- name: "MEDIUM | RHEL-09-232270 | PATCH | RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access."
when:
Expand All @@ -2011,4 +2010,4 @@
- NIST800-53R4_CM-6
ansible.builtin.file:
path: /etc/shadow
mode: '0000'
mode: 'ugo-rwx'
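Review bot: `u+x` in the three `u+x,go-w` remediations for system commands, library directories and library files grants owner execute on every path the preceding find returned, which a "755 or less permissive" control does not require; a non-executable library file at 0644 becomes 0744 instead of simply staying compliant. Removing bits is sufficient for these findings, so `mode: 'go-w'` would remediate without adding a permission; if the intent really is to force 0755, the absolute value is the honest way to say so. Separately, the library *files* task (RHEL-09-232020) still gates and loops on `rhel9stig_library_directory_perms`, the register the library *directories* task consumes — this looks like a copy-paste and should be confirmed against the find that registers it. The enclosing tasks and the registering finds are outside the hunks.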
12 changes: 5 additions & 7 deletions tasks/Cat2/RHEL-09-25xxxx.yml
Expand Up @@ -297,7 +297,7 @@
ansible.builtin.template:
dest: /etc/chrony.conf
src: etc/chrony.conf.j2
mode: '0644'
mode: 'u-x,go-wx'

# Required before 252035 to set DNS value in NetworkManager
- name: "MEDIUM | RHEL-09-252040 | PATCH | RHEL 9 must configure a DNS processing mode set be Network Manager."
Expand Down Expand Up @@ -339,7 +339,7 @@
rhel9stig_network_manager_dns.stdout == 'unmanaged'
ansible.builtin.template:
dest: /etc/resolv.conf
mode: '0644'
mode: 'u-x,go-wx'
src: etc/resolv.conf.j2

- name: "MEDIUM | RHEL-09-252035 | PATCH | RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured."
Expand Down Expand Up @@ -1242,7 +1242,7 @@
- NIST800-53R4_CM-6
- ssh
ansible.builtin.file:
mode: go-rwx
mode: 'u-x,go-rwx'
path: "{{ rhel9stig_sshd_config_file }}"

- name: "MEDIUM | RHEL-09-255120 | PATCH | RHEL 9 SSH private host key files must have mode 0640 or less permissive."
Expand All @@ -1264,9 +1264,8 @@
register: rhel9stig_private_ssh_keys

- name: "MEDIUM | RHEL-09-255120 | PATCH | RHEL 9 SSH private host key files must have mode 0640 or less permissive."
when: item.mode > '0640'
ansible.builtin.file:
mode: u-x,g-wx,o-rwx
mode: 'u-x,g-wx,o-rwx'
path: "{{ item.path }}"
loop: "{{ rhel9stig_private_ssh_keys.files }}"

Expand All @@ -1289,9 +1288,8 @@
register: rhel9stig_pub_ssh_keys

- name: "MEDIUM | RHEL-09-255125 | PATCH | RHEL 9 SSH public host key files must have mode 0644 or less permissive."
when: item.mode > '0644'
ansible.builtin.file:
mode: u-x,g-wx,o-wx
mode: 'u-x,go-wx'
path: "{{ item.path }}"
loop: "{{ rhel9stig_pub_ssh_keys.files }}"

4 changes: 2 additions & 2 deletions tasks/Cat2/RHEL-09-27xxxx.yml
Expand Up @@ -48,7 +48,7 @@
path: "/etc/dconf/db/{{ item }}.d/locks/session"
line: /org/gnome/login-screen/banner-message-enable
create: true
mode: '0644'
mode: 'u-x,go-wx'
modification_time: preserve
state: present
loop: "{{ rhel9stig_dconf_db.stdout_lines }}"
Expand All @@ -72,7 +72,7 @@
notify: Update_dconf
community.general.ini_file:
create: true
mode: '0644'
mode: 'u-x,go-wx'
option: automount-open
path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
section: 'org/gnome/desktop/media-handling'
10 changes: 5 additions & 5 deletions tasks/Cat2/RHEL-09-4xxxxx.yml
Expand Up @@ -583,7 +583,7 @@
- name: "MEDIUM | RHEL-09-411115 | AUDIT | Local RHEL 9 initialization files must not execute world-writable programs."
when: rhel9stig_user_exec_ww_files is defined
ansible.builtin.file:
mode: go-w
mode: 'go-wx'
path: "{{ item }}"
loop: "{{ rhel9stig_user_exec_ww_files.stdout_lines }}"

Expand Down Expand Up @@ -622,7 +622,7 @@
dest: /etc/profile.d/tmux.sh
group: root
owner: root
mode: '0755'
mode: 'u+x,go-w'
src: etc/profile.d/tmux.sh.j2

- name: "MEDIUM | RHEL-09-412020 | PATCH | RHEL 9 must have the tmux package installed."
Expand All @@ -641,7 +641,7 @@
regexp: "{{ item }}"
line: "{{ item }}"
create: true
mode: '0644'
mode: 'u-x,go-wx'
state: present
loop:
- 'set -g lock-command vlock'
Expand All @@ -664,7 +664,7 @@
dest: /etc/tmux.conf
group: root
owner: root
mode: '0644'
mode: 'u-x,go-wx'
src: etc/tmux.conf.j2

- name: "MEDIUM | RHEL-09-412035 | PATCH | RHEL 9 must automatically exit interactive command shell user sessions after 15 minutes of inactivity."
Expand All @@ -685,7 +685,7 @@
dest: /etc/profile.d/tmout.sh
group: root
owner: root
mode: '0755'
mode: 'u+x,go-w'
src: etc/profile.d/tmout.sh.j2

- name: "MEDIUM | RHEL-09-412045 | PATCH | RHEL 9 must log username information when unsuccessful logon attempts occur."
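Review bot: `go-wx` in the RHEL-09-411115 task strips group and other execute from the programs the local initialization files run, which that control does not ask for: the finding is that those programs are world-writable, and the previous `go-w` already cleared that while leaving them runnable by the users whose init files call them. `mode: 'go-w'` keeps the remediation to the bit that is actually non-compliant. The task is also named AUDIT yet changes file modes; if it is meant to remediate, naming it PATCH would match the other tasks in this file (RHEL-09-412020, RHEL-09-412035). The enclosing task and the register it consumes start outside the hunk.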
2 changes: 1 addition & 1 deletion tasks/Cat2/RHEL-09-61xxxx.yml
Expand Up @@ -890,7 +890,7 @@
group: root
option: certificate_verification
owner: root
mode: '0600'
mode: 'u-x,go-rwx'
path: /etc/sssd/conf.d/certificate_verification.conf
section: 'sssd'
value: 'ocsp_dgst=sha512'
8 changes: 4 additions & 4 deletions tasks/Cat2/RHEL-09-65xxxx.yml
Expand Up @@ -870,7 +870,7 @@
- auditd
ansible.builtin.file:
path: "{{ discovered_auditd_logfile.stdout }}"
mode: go-rwx
mode: 'go-rwx'

- name: "MEDIUM | RHEL-09-653095 | PATCH | RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records."
when:
Expand Down Expand Up @@ -941,12 +941,12 @@
block:
- name: "MEDIUM | RHEL-09-653110 | PATCH | RHEL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."
ansible.builtin.file:
mode: '0640'
mode: 'u-x,g-w,o-rwx'
path: /etc/audit/auditd.conf

- name: "MEDIUM | RHEL-09-653110 | PATCH | RHEL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."
ansible.builtin.file:
mode: '0640'
mode: 'u-x,g-w,o-rwx'
path: "{{ item }}"
with_fileglob:
- "etc/audit/rules.d/*.rules"
Expand All @@ -965,7 +965,7 @@
- auditd
ansible.builtin.file:
path: /etc/audit/auditd.conf
mode: u-x,g-wx,o-rwx
mode: 'u-x,g-wx,o-rwx'

- name: "MEDIUM | RHEL-09-653125 | PATCH | RHEL 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure."
when:
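Review bot: `u-x,g-w,o-rwx` in the two RHEL-09-653110 tasks leaves a group execute bit in place, so a file at 0650 stays 0650, which is not "0640 or less permissive"; the later task in this file remediates the same /etc/audit/auditd.conf with `u-x,g-wx,o-rwx`, so the two can disagree on the final mode. Use `mode: 'u-x,g-wx,o-rwx'` in both 653110 tasks to match it. Note also that `with_fileglob` expands `etc/audit/rules.d/*.rules` on the controller, so `path: "{{ item }}"` receives controller-side paths; if the rules files on the target are meant, this probably needs a remote `find` — confirm the intent. The enclosing block starts outside the hunk.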
