Improve Ansible remediation for dir_perms_world_writable_sticky_bits

[marcusburghardt]

Description:

Use the same macro introduced by #10912

Rationale:

• Better alignment in Ansible remediation.
• Fixes RHEL 9 ACSC ISM Official Profile - Ansible Remediation Role - set -o pipefail issue #10046

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits' differs.
--- xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits
+++ xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits
@@ -1,8 +1,32 @@
-- name: Get all world-writable directories with no sticky bits set
-  shell: |
-    set -o pipefail
-    df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null
-  register: dir_output
+- name: Verify that All World-Writable Directories Have Sticky Bits Set - Define Excluded
+    (Non-Local) File Systems and Paths
+  ansible.builtin.set_fact:
+    excluded_fstypes:
+    - afs
+    - ceph
+    - cifs
+    - smb3
+    - smbfs
+    - sshfs
+    - ncpfs
+    - ncp
+    - nfs
+    - nfs4
+    - gfs
+    - gfs2
+    - glusterfs
+    - gpfs
+    - pvfs2
+    - ocfs2
+    - lustre
+    - davfs
+    - fuse.sshfs
+    excluded_paths:
+    - dev
+    - proc
+    - run
+    - sys
+    search_paths: []
   tags:
   - CCE-80783-4
   - DISA-STIG-RHEL-08-010190
@@ -15,12 +39,15 @@
   - no_reboot_needed
   - restrict_strategy
 
-- name: Ensure sticky bit is set
-  file:
-    path: '{{ item }}'
-    mode: a+t
-  with_items:
-  - '{{ dir_output.stdout_lines }}'
+- name: Verify that All World-Writable Directories Have Sticky Bits Set - Find Relevant
+    Root Directories Ignoring Pre-Defined Excluded Paths
+  ansible.builtin.find:
+    paths: /
+    file_type: directory
+    excludes: '{{ excluded_paths }}'
+    hidden: true
+    recurse: false
+  register: result_relevant_root_dirs
   tags:
   - CCE-80783-4
   - DISA-STIG-RHEL-08-010190
@@ -32,3 +59,129 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+
+- name: Verify that All World-Writable Directories Have Sticky Bits Set - Include
+    Relevant Root Directories in a List of Paths to be Searched
+  ansible.builtin.set_fact:
+    search_paths: '{{ search_paths | union([item.path]) }}'
+  loop: '{{ result_relevant_root_dirs.files }}'
+  tags:
+  - CCE-80783-4
+  - DISA-STIG-RHEL-08-010190
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - dir_perms_world_writable_sticky_bits
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+
+- name: Verify that All World-Writable Directories Have Sticky Bits Set - Increment
+    Search Paths List with Local Partitions Mount Points
+  ansible.builtin.set_fact:
+    search_paths: '{{ search_paths | union([item.mount]) }}'
+  loop: '{{ ansible_mounts }}'
+  when:
+  - item.fstype not in excluded_fstypes
+  - item.mount != '/'
+  tags:
+  - CCE-80783-4
+  - DISA-STIG-RHEL-08-010190
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - dir_perms_world_writable_sticky_bits
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+
+- name: Verify that All World-Writable Directories Have Sticky Bits Set - Increment
+    Search Paths List with Local NFS File System Targets
+  ansible.builtin.set_fact:
+    search_paths: '{{ search_paths | union([item.device.split('':'')[1]]) }}'
+  loop: '{{ ansible_mounts }}'
+  when: item.device is search("localhost:")
+  tags:
+  - CCE-80783-4
+  - DISA-STIG-RHEL-08-010190
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - dir_perms_world_writable_sticky_bits
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+
+- name: Verify that All World-Writable Directories Have Sticky Bits Set - Define Rule
+    Specific Facts
+  ansible.builtin.set_fact:
+    world_writable_dirs: []
+  tags:
+  - CCE-80783-4
+  - DISA-STIG-RHEL-08-010190
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - dir_perms_world_writable_sticky_bits
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+
+- name: Verify that All World-Writable Directories Have Sticky Bits Set - Find All
+    Uncompliant Directories in Local File Systems
+  ansible.builtin.command:
+    cmd: find {{ item }} -xdev -type d ( -perm -0002 -a ! -perm -1000 )
+  loop: '{{ search_paths }}'
+  changed_when: false
+  register: result_found_dirs
+  tags:
+  - CCE-80783-4
+  - DISA-STIG-RHEL-08-010190
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - dir_perms_world_writable_sticky_bits
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+
+- name: Verify that All World-Writable Directories Have Sticky Bits Set - Create List
+    of World Writable Directories Without Sticky Bit
+  ansible.builtin.set_fact:
+    world_writable_dirs: '{{ world_writable_dirs | union(item.stdout_lines) | list
+      }}'
+  loop: '{{ result_found_dirs.results }}'
+  tags:
+  - CCE-80783-4
+  - DISA-STIG-RHEL-08-010190
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - dir_perms_world_writable_sticky_bits
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy
+
+- name: Verify that All World-Writable Directories Have Sticky Bits Set - Ensure Sticky
+    Bit is Set on Local World Writable Directories
+  ansible.builtin.file:
+    path: '{{ item }}'
+    mode: a+t
+  loop: '{{ world_writable_dirs }}'
+  tags:
+  - CCE-80783-4
+  - DISA-STIG-RHEL-08-010190
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - dir_perms_world_writable_sticky_bits
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - restrict_strategy

[codeclimate]

Code Climate has analyzed commit fa862b6 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.2% (0.0% change).

View more on Code Climate.

[jan-cerny]

@marcusburghardt I think we need a test scenario that would cover the issue.

[marcusburghardt]

@marcusburghardt I think we need a test scenario that would cover the issue.

Which issue @jan-cerny ? I changed only the Ansible remediation in order to not use the shell module and be more efficient. I preserved the test scenario scripts. I think they are enough and aligned to the OVAL. Which specific test are do you suggest to include?

[jan-cerny]

@jan-cerny I mean that this PR fixes an issue that is linked: #10046. It would be useful to have a test scenario that reproduces the issue and use this test scenario as a regression test.

[marcusburghardt]

@jan-cerny I mean that this PR fixes an issue that is linked: #10046. It would be useful to have a test scenario that reproduces the issue and use this test scenario as a regression test.

The issue mentioned there was extinct by the Ansible remediation refactoring. It was caused by a shell task using set -o pipefail which is no longer the case. To create a test scenario for this we would need a wrong and fictitious Ansible playbook, but this wouldn't bring value. However it would be interesting to review all other rules in the project to review and potentially remove the set -o pipefail from Ansible tasks. We can do this in a separate PR and update the relvant productization test to not accept this command anymore. What do you think?

[jan-cerny]

@marcusburghardt Great, thanks for looking into the test options. This makes sense to me.