

Adjusted file mode to symbolic
Signed-off-by: Mark Bolwell <[email protected]>
uk-bolly committed Dec 17, 2024
1 parent edf6953 commit 49565e8
Showing 5 changed files with 44 additions and 44 deletions.
4 changes: 2 additions & 2 deletions handlers/main.yml
Expand Up @@ -102,7 +102,7 @@
remote_src: true
owner: root
group: root
mode: '0755'
mode: 'u+x,go-w'
when:
- rhel8stig_grub2_user_cfg.stat.exists
- rhel8stig_workaround_for_disa_benchmark
Expand All @@ -125,7 +125,7 @@
dest: /etc/audit/rules.d/99_auditd.rules
owner: root
group: root
mode: '0600'
mode: 'u-x,go-rwx'
notify: restart auditd

- name: restart auditd
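Review bot: `mode: 'u+x,go-w'` in the first hunk no longer pins the file to 0755 the way `'0755'` did: symbolic operators are relative to the bits the file already carries, so a pre-existing setuid/setgid bit survives the handler, and when the `remote_src` copy creates the destination fresh the base mode comes from the remote umask (per the Ansible `mode` docs) rather than from this task. If 0755 is the intended result, the absolute symbolic form `mode: 'u=rwx,go=rx'` keeps the symbolic syntax and is deterministic. The second hunk's `'u-x,go-rwx'` only ever tightens, which is exactly right for a 0600 rules file. The copy task's `dest` and the handler names are outside the visible hunk lines.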
6 changes: 3 additions & 3 deletions tasks/fix-cat1.yml
Expand Up @@ -63,7 +63,7 @@
dest: /etc/default/grub
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
vars:
grub_cmdline_linux: "{{ rhel_08_010020_grub_cmdline_linux_audit.stdout }}"
when: rhel_08_010020_default_grub_missing_audit is changed # noqa no-handler
Expand Down Expand Up @@ -200,7 +200,7 @@
line: "GRUB2_PASSWORD={{ rhel8stig_bootloader_password_hash }}"
owner: root
group: root
mode: '0640'
mode: 'u-x,g-wx,o-rwx'
notify: confirm grub2 user cfg
when:
- not system_is_ec2
Expand Down Expand Up @@ -450,7 +450,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
with_items:
- { regexp: '^\[org/gnome/settings-daemon/plugins/media-keys\]', line: '[org/gnome/settings-daemon/plugins/media-keys]', insertafter: 'EOF' }
- { regexp: 'logout=', line: "logout=''", insertafter: '\[org/gnome/settings-daemon/plugins/media-keys\]' }
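Review bot: The `create: true` lineinfile in the last hunk (the GNOME media-keys keyfile) now gets `u-x,go-wx`, which only strips bits, so on first creation the final mode is whatever the remote umask produced minus those bits — likely 0600 on a host whose default umask has already been tightened — instead of the 0644 the old value stated. That is probably harmless for a dconf keyfile that the `dconf update` handler presumably compiles as root, but it makes the resulting mode depend on host state and run order rather than on the task. For the files where 0644 is the intent, `mode: 'u=rw,go=r'` gives the same lint-friendly symbolic syntax with a deterministic result; the `u-x,g-wx,o-rwx` on the GRUB2_PASSWORD file is fine because only tightening is wanted there. The path of the media-keys task is outside the visible hunk.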
68 changes: 34 additions & 34 deletions tasks/fix-cat2.yml
Expand Up @@ -124,7 +124,7 @@
content: "{{ rhel8stig_logon_banner }}"
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
notify: restart sshd
with_items:
- /etc/issue
Expand All @@ -150,7 +150,7 @@
regexp: 'banner-message-enabled='
line: banner-message-enable=true
create: true
mode: '0644'
mode: 'u-x,go-wx'
owner: root
group: root
insertafter: '[org/gnome/login-screen]'
Expand All @@ -173,7 +173,7 @@
[org/gnome/login-screen]
banner-message-text='{{ rhel8stig_logon_banner | replace(newline, "\n") }}'
banner-message-enable=true
mode: '0644'
mode: 'u-x,go-wx'
owner: root
group: root
vars:
Expand All @@ -197,7 +197,7 @@
regexp: ^(?!#).*\/var\/log\/secure
line: 'auth.*;authpriv.*;daemon.* /var/log/secure'
create: true
mode: '0644'
mode: 'u-x,go-wx'
notify: restart rsyslog
when:
- rhel_08_010070
Expand Down Expand Up @@ -242,7 +242,7 @@
ansible.builtin.file:
path: "{{ rhel8stig_path_to_sshkey }}"
state: directory
mode: '0700'
mode: 'u+x,go-rwx'

- name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create key pair"
community.crypto.openssh_keypair:
Expand Down Expand Up @@ -339,7 +339,7 @@
dest: /etc/grub.d/01_users
owner: root
group: root
mode: '0755'
mode: 'u+x,go-w'
notify: confirm grub2 user cfg
when:
- rhel_08_010141 or
Expand All @@ -364,7 +364,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
when:
- rhel_08_010151
tags:
Expand All @@ -384,7 +384,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
when:
- rhel_08_010152
tags:
Expand Down Expand Up @@ -512,7 +512,7 @@
- name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Set sticky bit to world-writable files"
ansible.builtin.file:
path: "{{ item }}"
mode: '1777'
mode: '+t'
with_items:
- "{{ rhel_08_010190_world_writable_files.stdout_lines }}"
when:
Expand Down Expand Up @@ -672,7 +672,7 @@
content: |
[org/gnome/desktop/screensaver]
lock-delay=uint32 5
mode: '0644'
mode: 'u-x,go-wx'
notify: dconf update
when:
- rhel_08_020031
Expand All @@ -693,7 +693,7 @@
content: |
[org/gnome/login-screen]
disable-user-list=true
mode: '0644'
mode: 'u-x,go-wx'
when:
- rhel_08_020032
- rhel8stig_always_configure_dconf
Expand Down Expand Up @@ -756,7 +756,7 @@
dest: /etc/dconf/db/local.d/locks/session_rhel_08_020081
content: |
/org/gnome/desktop/session/idle-delay
mode: '0644'
mode: 'u-x,go-wx'
notify: dconf update
when:
- rhel_08_020081
Expand All @@ -775,7 +775,7 @@
dest: /etc/dconf/db/local.d/locks/session_rhel_08_020082
content: |
/org/gnome/desktop/screensaver/lock-enabled
mode: '0644'
mode: 'u-x,go-wx'
notify: dconf update
when:
- rhel_08_020082
Expand Down Expand Up @@ -2171,7 +2171,7 @@
- name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set permissions"
ansible.builtin.file:
path: "{{ item }}"
mode: '0755'
mode: 'u+x,go-w'
state: file
with_items:
- "{{ rhel_08_010660_change_perms }}"
Expand Down Expand Up @@ -2363,7 +2363,7 @@
dest: /etc/resolv.conf
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
when:
- rhel_08_010680_networkmanager_check.stdout == '0'
- rhel8_stig_use_resolv_template
Expand Down Expand Up @@ -3259,7 +3259,7 @@
regexp: '^lock-enabled'
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
line: |
[org/gnome/desktop/screensaver]
# Set this to true to lock the screen when the screensaver activates
Expand Down Expand Up @@ -3315,7 +3315,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
loop:
- { regexp: '^set -g lock-command', line: 'set -g lock-command vlock' }
- { regexp: '^bind X lock-session', line: 'bind X lock-session' }
Expand Down Expand Up @@ -3370,7 +3370,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
line: |
[org/gnome/settings-daemon/peripherals/smartcard]
removal-action='lock-screen'
Expand Down Expand Up @@ -3401,7 +3401,7 @@
line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
owner: root
group: root
mode: '0640'
mode: 'u-x,g-wx,o-rwx'
when: rhel_08_020050_removal_action_file.stdout_lines | length == 0
notify: dconf update
when:
Expand Down Expand Up @@ -3430,7 +3430,7 @@
create: true
owner: root
group: root
mode: '0640'
mode: 'u-x,g-wx,o-rwx'
regexp: '^idle-delay'
line: |
[org/gnome/desktop/session]
Expand All @@ -3446,7 +3446,7 @@
line: idle-delay=uint32 900
owner: root
group: root
mode: '0640'
mode: 'u-x,g-wx,o-rwx'
loop: "{{ rhel_08_020060_idle_delay_param.stdout_lines }}"
when: rhel_08_020060_idle_delay_param.stdout_lines | length > 0
notify: dconf update
Expand Down Expand Up @@ -3478,7 +3478,7 @@
line: "set -g lock-after-time {{ rhel8stig_tmux_lock_after_time }}"
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
when:
- rhel_08_020070
tags:
Expand All @@ -3497,7 +3497,7 @@
line: /org/gnome/desktop/screensaver/lock-delay
owner: root
group: root
mode: '0640'
mode: 'u-x,g-wx,o-rwx'
when:
- rhel_08_020080
- "'dconf' in ansible_facts.packages"
Expand All @@ -3518,7 +3518,7 @@
line: "{{ item.line }}"
owner: root
group: root
mode: '0600'
mode: 'u-x,go-rwx'
with_items:
- { regexp: '^\[{{ rhel8stig_sssd.certmap }}\]', line: '[{{ rhel8stig_sssd.certmap }}]' }
- { regexp: '^matchrule {{ rhel8stig_sssd.matchrule }}', line: 'matchrule {{ rhel8stig_sssd.matchrule }}' }
Expand Down Expand Up @@ -4070,7 +4070,7 @@
insertafter: "{{ item.insertafter }}"
owner: root
group: root
mode: '0600'
mode: 'u-x,go-rwx'
notify: restart sssd
with_items:
- { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' }
Expand All @@ -4082,7 +4082,7 @@
line: auth sufficient pam_sss.so try_cert_auth
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
notify: restart sssd
when: rhel_08_020250_sc_auth_sss.stdout | length == 0

Expand Down Expand Up @@ -4198,7 +4198,7 @@
insertafter: "{{ item.insertafter }}"
owner: root
group: root
mode: '0600'
mode: 'u-x,go-rwx'
with_items:
- { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' }
- { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' }
Expand Down Expand Up @@ -4528,7 +4528,7 @@
ansible.builtin.file:
path: "{{ rhel08_030070_auditlog_location.stdout }}"
state: "{{ (rhel08_030070_auditlog.stat.exists) | ternary('file', 'touch') }}"
mode: o-x,go-rwx
mode: 'o-x,go-rwx'
when:
- rhel_08_030070
tags:
Expand Down Expand Up @@ -4656,7 +4656,7 @@
- name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access. | Set audit log dir perms"
ansible.builtin.file:
path: "{{ rhel_08_030120_audit_log_dir.stdout }}"
mode: go-rwx
mode: 'go-rwx'
state: directory
when: rhel_08_030120_audit_log_dir.stdout | length > 0
when:
Expand Down Expand Up @@ -5434,7 +5434,7 @@
- name: "MEDIUM | RHEL-08-030610 | PATCH | RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."
ansible.builtin.file:
path: "{{ item }}"
mode: '0640'
mode: 'u-x,g-wx,o-rwx'
with_items:
- /etc/audit/rules.d/audit.rules
- /etc/audit/auditd.conf
Expand All @@ -5461,7 +5461,7 @@
- name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Set permissions to 755 on tools"
ansible.builtin.file:
path: "{{ item }}"
mode: go-w
mode: 'go-w'
with_items:
- "{{ rhel_08_030620_tools.stdout_lines }}"
when:
Expand Down Expand Up @@ -5532,7 +5532,7 @@
line: "{{ item }}"
owner: root
group: root
mode: '0600'
mode: 'u-x,go-rwx'
with_items:
- "# Audit Tools"
- /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
Expand Down Expand Up @@ -5657,7 +5657,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
with_items:
Expand Down Expand Up @@ -6130,7 +6130,7 @@
create: true
owner: root
group: root
mode: '0640'
mode: 'u-x,g-wx,o-rwx'
notify: change_requires_reboot

- name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled. | Disable Bluetooth kernel module"
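Review bot: The /etc/resolv.conf template and the `create: true` /etc/tmux.conf lineinfile are the hunks where switching to `mode: 'u-x,go-wx'` changes outcomes: when the destination does not yet exist, the Ansible `mode` docs say the base mode is derived from the remote umask, so on a host whose default umask has already been tightened to 077 both files end up 0600 rather than the 0644 the old value guaranteed. resolv.conf must be readable by unprivileged resolvers and /etc/tmux.conf by each user's tmux (the `lock-command`/`lock-after-time` lines this file adds depend on it), so that would silently break name resolution for non-root processes and the session-lock controls. For every file meant to be world-readable use the absolute form `mode: 'u=rw,go=r'`, and keep the subtractive forms for the 0600/0640 targets (sssd.conf, audit rules/auditd.conf) where "only ever tighten" is exactly the intent. The move from a forced `'1777'` to `'+t'` on the world-writable paths is an improvement, since it no longer widens permissions on entries that were less than 0777.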
6 changes: 3 additions & 3 deletions tasks/fix-cat3.yml
Expand Up @@ -239,7 +239,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
when:
- rhel_08_020024
tags:
Expand Down Expand Up @@ -382,7 +382,7 @@
create: true
owner: root
group: root
mode: '0600'
mode: 'u-x,go-rwx'
when:
- rhel_08_030603
tags:
Expand Down Expand Up @@ -628,7 +628,7 @@
dest: /etc/aide.conf
owner: root
group: root
mode: '0600'
mode: 'u-x,go-rwx'
when:
- rhel_08_040300
- rhel_08_040310
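Review bot: The first hunk (`create: true`, previously `'0644'`) now reads `u-x,go-wx`, a relative operation, so a reader can no longer tell from the task what mode is intended and the result on a newly created file follows the remote umask; the aide.conf and 030603 hunks target 0600 and only tighten, so they are fine as written. Either switch that line to the absolute `mode: 'u=rw,go=r'` or add a comment such as `# target 0644 (or less permissive)` so the intent survives the move to symbolic syntax. The path of the first task is outside the visible hunk lines.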
4 changes: 2 additions & 2 deletions tasks/prelim.yml
Expand Up @@ -166,7 +166,7 @@
ansible.builtin.file:
path: /etc/dconf/db/local.d/locks
state: directory
mode: '0755'
mode: 'u+x,go-w'
when:
- rhel8stig_always_configure_dconf
when:
Expand Down Expand Up @@ -459,7 +459,7 @@
ansible.builtin.file:
path: "{{ rhel8stig_pam_faillock.dir }}"
state: directory
mode: '0755'
mode: 'u+x,go-w'
owner: root
group: root
recurse: true
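Review bot: In the second hunk `mode: 'u+x,go-w'` is combined with `recurse: true` on the pam_faillock directory, so every existing tally file underneath receives the owner execute bit, not just the directory; the old `'0755'` had the same effect, but the symbolic form makes the fix a one-character change: `mode: 'u+X,go-w'`, where capital X adds execute/search only to directories and already-executable entries, assuming Ansible's symbolic-mode parser accepts `X` as chmod does. For the first hunk, a freshly created /etc/dconf/db/local.d/locks keeps whatever the umask produced minus `go-w`, so with a 077 umask it ends up 0700 rather than 0755; that is acceptable if only root's `dconf update` reads it, but `mode: 'u=rwx,go=rx'` would make the intended mode explicit and deterministic.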
