
Adjust two filesystem permission rules to 600 #12737

Merged

Conversation

@Mab879 (Member) commented Dec 17, 2024

Description:

Adjust the following rules to 0600:

  • file_permissions_var_log_messages
  • file_permissions_etc_audit_rulesd

Rationale:

To match the existing system permissions.

@Mab879 Mab879 added RHEL Red Hat Enterprise Linux product related. Update Rule Issues or pull requests related to Rules updates. labels Dec 17, 2024
@Mab879 Mab879 added this to the 0.1.76 milestone Dec 17, 2024
@Mab879 Mab879 changed the title Adjust filesystem permissions Adjust two filesystem permission rules to 600 Dec 17, 2024


github-actions bot commented Dec 17, 2024

This datastream diff is auto generated by the check Compare DS/Generate Diff.
Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd
@@ -4,7 +4,7 @@
 
 [description]:
 To properly set the permissions of /etc/audit/rules.d/*.rules, run the command:
-$ sudo chmod 0640 /etc/audit/rules.d/*.rules
+$ sudo chmod 0600 /etc/audit/rules.d/*.rules
 
 [reference]:
 CCI-000171
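Review bot: the OVAL check for this rule does not appear anywhere in the trimmed diff, so it cannot be confirmed here that the automated check moved to 0600 together with this description; the bash and ansible remediations further down only subtract bits (u-xs,g-xwrs,o-xwrt), which leaves a file already at 0400 untouched, while the OCIL text asks for exactly -rw-------, so the OVAL, OCIL and remediation should be checked to agree on whether a stricter mode such as 0400 passes. The hunk also swaps 0640 for 0600 without saying why; since a system that passed at 0640 will now fail, the rule's rationale should state the reason (the PR says 0600 matches what the audit package already ships) so assessors can tell a deliberate tightening from a typo.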

OCIL for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd' differs.
--- ocil:ssg-file_permissions_etc_audit_rulesd_ocil:questionnaire:1
+++ ocil:ssg-file_permissions_etc_audit_rulesd_ocil:questionnaire:1
@@ -2,6 +2,6 @@
 run the command:
 $ ls -l /etc/audit/rules.d/*.rules
 If properly configured, the output should indicate the following permissions:
--rw-r-----
-      Is it the case that /etc/audit/rules.d/*.rules does not have unix mode -rw-r-----?
+-rw-------
+      Is it the case that /etc/audit/rules.d/*.rules does not have unix mode -rw-------?
       
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd
@@ -2,4 +2,4 @@
 
 
 
-find -L /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type f -regextype posix-extended -regex '^.*rules$' -exec chmod u-xs,g-xws,o-xwrt {} \;
+find -L /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt  -type f -regextype posix-extended -regex '^.*rules$' -exec chmod u-xs,g-xwrs,o-xwrt {} \;
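Review bot: the bash find uses -L while the ansible equivalent for the same rule below uses -H; -L follows every symlink inside /etc/audit/rules.d/, so a symlink pointing outside the directory would have its target chmod'ed, whereas -H only dereferences the starting path. This predates the PR, but since both lines are being edited anyway it would be cheap to align them on -H. Note also that -regex '^.*rules$' matches any name ending in "rules", not only "*.rules" as the description says; harmless for a bit-subtracting chmod, but it is wider than the documented scope.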

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd
@@ -1,5 +1,5 @@
 - name: Find /etc/audit/rules.d/ file(s)
-  command: find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt  -type
+  command: find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt  -type
     f -regextype posix-extended -regex "^.*rules$"
   register: files_found
   changed_when: false
@@ -19,7 +19,7 @@
 - name: Set permissions for /etc/audit/rules.d/ file(s)
   file:
     path: '{{ item }}'
-    mode: u-xs,g-xws,o-xwrt
+    mode: u-xs,g-xwrs,o-xwrt
     state: file
   with_items:
   - '{{ files_found.stdout_lines }}'

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages'.
--- xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages
+++ xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages
@@ -4,7 +4,7 @@
 
 [description]:
 To properly set the permissions of /var/log/messages, run the command:
-$ sudo chmod 0640 /var/log/messages
+$ sudo chmod 0600 /var/log/messages
 
 [reference]:
 CCI-001314

OCIL for rule 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages' differs.
--- ocil:ssg-file_permissions_var_log_messages_ocil:questionnaire:1
+++ ocil:ssg-file_permissions_var_log_messages_ocil:questionnaire:1
@@ -2,6 +2,6 @@
 run the command:
 $ ls -l /var/log/messages
 If properly configured, the output should indicate the following permissions:
--rw-r-----
-      Is it the case that /var/log/messages does not have unix mode -rw-r-----?
+-rw-------
+      Is it the case that /var/log/messages does not have unix mode -rw-------?
       
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages
+++ xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages
@@ -2,4 +2,4 @@
 
 
 
-chmod u-xs,g-xws,o-xwrt /var/log/messages
+chmod u-xs,g-xwrs,o-xwrt /var/log/messages
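Review bot: this only chmods the live file; nothing here constrains the mode rsyslog or logrotate use when /var/log/messages is recreated after rotation, so the file can drift back to 0640 and fail the next scan. The PR rationale says 0600 already matches the shipped default, which should be verified on the target platform (rsyslog's FileCreateMode and the logrotate create mode for this file). Unlike the ansible version below, which is gated on file_exists.stat.exists, there is no guard visible here for a host without /var/log/messages (for example journald-only systems), where chmod returns non-zero and the remediation is reported as failed.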

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages
+++ xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages
@@ -12,10 +12,10 @@
   - medium_severity
   - no_reboot_needed
 
-- name: Ensure permission u-xs,g-xws,o-xwrt on /var/log/messages
+- name: Ensure permission u-xs,g-xwrs,o-xwrt on /var/log/messages
   file:
     path: /var/log/messages
-    mode: u-xs,g-xws,o-xwrt
+    mode: u-xs,g-xwrs,o-xwrt
   when: file_exists.stat is defined and file_exists.stat.exists
   tags:
   - CCE-83665-0

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
@@ -58,7 +58,7 @@
     if [ ! -e "$file_to_inspect" ]
     then
         touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
+        chmod 0600 "$file_to_inspect"
     fi
 fi
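Review bot: touch followed by chmod 0600 leaves a short window in which the new rules file exists with the umask-derived mode (0644 under the usual 022) before it is tightened; creating it with the final mode in one step, e.g. `(umask 077; touch "$file_to_inspect")` or `install -m 0600 /dev/null "$file_to_inspect"`, avoids that. The same touch/chmod pair is repeated verbatim in the other audit_rules_etc_*, audit_rules_mac_modification* and audit_rules_media_export bash hunks below, so if these are generated from one shared template the fix belongs there rather than per rule.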
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
@@ -109,7 +109,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -155,7 +155,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:
@@ -247,7 +247,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -293,7 +293,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
@@ -58,7 +58,7 @@
     if [ ! -e "$file_to_inspect" ]
     then
         touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
+        chmod 0600 "$file_to_inspect"
     fi
 fi
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
@@ -108,7 +108,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -154,7 +154,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:
@@ -245,7 +245,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -291,7 +291,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
@@ -58,7 +58,7 @@
     if [ ! -e "$file_to_inspect" ]
     then
         touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
+        chmod 0600 "$file_to_inspect"
     fi
 fi
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
@@ -108,7 +108,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -154,7 +154,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:
@@ -245,7 +245,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -291,7 +291,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
@@ -58,7 +58,7 @@
     if [ ! -e "$file_to_inspect" ]
     then
         touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
+        chmod 0600 "$file_to_inspect"
     fi
 fi
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
@@ -109,7 +109,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -155,7 +155,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:
@@ -247,7 +247,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -293,7 +293,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
@@ -58,7 +58,7 @@
     if [ ! -e "$file_to_inspect" ]
     then
         touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
+        chmod 0600 "$file_to_inspect"
     fi
 fi
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
@@ -108,7 +108,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -154,7 +154,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:
@@ -245,7 +245,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -291,7 +291,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
@@ -58,7 +58,7 @@
     if [ ! -e "$file_to_inspect" ]
     then
         touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
+        chmod 0600 "$file_to_inspect"
     fi
 fi
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
@@ -108,7 +108,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -154,7 +154,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:
@@ -245,7 +245,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -291,7 +291,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
@@ -58,7 +58,7 @@
     if [ ! -e "$file_to_inspect" ]
     then
         touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
+        chmod 0600 "$file_to_inspect"
     fi
 fi
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
@@ -109,7 +109,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -155,7 +155,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:
@@ -247,7 +247,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -293,7 +293,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
@@ -58,7 +58,7 @@
     if [ ! -e "$file_to_inspect" ]
     then
         touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
+        chmod 0600 "$file_to_inspect"
     fi
 fi
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
@@ -108,7 +108,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -154,7 +154,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:
@@ -245,7 +245,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -291,7 +291,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
@@ -58,7 +58,7 @@
     if [ ! -e "$file_to_inspect" ]
     then
         touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
+        chmod 0600 "$file_to_inspect"
     fi
 fi
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
@@ -108,7 +108,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -154,7 +154,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:
@@ -245,7 +245,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -291,7 +291,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
@@ -58,7 +58,7 @@
     if [ ! -e "$file_to_inspect" ]
     then
         touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
+        chmod 0600 "$file_to_inspect"
     fi
 fi
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
@@ -109,7 +109,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -155,7 +155,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:
@@ -247,7 +247,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -293,7 +293,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
@@ -58,7 +58,7 @@
     if [ ! -e "$file_to_inspect" ]
     then
         touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
+        chmod 0600 "$file_to_inspect"
     fi
 fi
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
@@ -108,7 +108,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -154,7 +154,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:
@@ -245,7 +245,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -291,7 +291,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
@@ -58,7 +58,7 @@
     if [ ! -e "$file_to_inspect" ]
     then
         touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
+        chmod 0600 "$file_to_inspect"
     fi
 fi
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
@@ -108,7 +108,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -154,7 +154,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:
@@ -245,7 +245,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -291,7 +291,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow
         -F auid>=1000 -F auid!=unset -F key=modify
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_immutable' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_immutable
+++ xccdf_org.ssgproject.content_rule_audit_rules_immutable
@@ -22,6 +22,7 @@
 	echo '# Reboot is required to change audit rules once this setting is applied' >> $AUDIT_FILE
 	echo '-e 2' >> $AUDIT_FILE
 	chmod o-rwx $AUDIT_FILE
+	chmod g-rwx $AUDIT_FILE
 done
 
 else
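Review bot: the two separate chmod calls could be a single `chmod g-rwx,o-rwx "$AUDIT_FILE"`, which also matches the g-rwx,o-rwx form used in the ansible hunk for this rule; $AUDIT_FILE should be quoted as well, as the other bash hunks in this diff quote their file variables. Being symbolic, this leaves an existing audit.rules at 0400 unchanged, whereas the ansible audit_rules_immutable_login_uids hunk further down applies an absolute '0600'; the two should agree on the intended end state.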

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_immutable' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_immutable
+++ xccdf_org.ssgproject.content_rule_audit_rules_immutable
@@ -78,7 +78,7 @@
     path: '{{ item }}'
     create: true
     line: -e 2
-    mode: o-rwx
+    mode: g-rwx,o-rwx
   loop:
   - /etc/audit/audit.rules
   - /etc/audit/rules.d/immutable.rules

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_immutable_login_uids' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_immutable_login_uids
+++ xccdf_org.ssgproject.content_rule_audit_rules_immutable_login_uids
@@ -35,6 +35,7 @@
     path: /etc/audit/audit.rules
     line: --loginuid-immutable
     regexp: ^\s*--loginuid-immutable\s*$
+    mode: '0600'
     create: true
   when:
   - '"audit" in ansible_facts.packages'
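Review bot: `mode: '0600'` here is absolute while the rest of this PR uses the symbolic g-rwx,o-rwx; an absolute mode also rewrites the owner bits, so an existing audit.rules at 0400 would be loosened to 0600, which the symbolic form never does. Pick one convention for all audit_rules_* ansible remediations (the audit_rules_mac_modification hunks below also switch to '0600'). Whichever is chosen, keep the value quoted: Ansible's YAML parser only treats an unquoted mode as octal when it carries the leading zero, and an unquoted 600 would be read as decimal and produce the wrong permission bits.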
@@ -66,6 +67,7 @@
       path: /etc/audit/rules.d/immutable.rules
       line: --loginuid-immutable
       regexp: ^\s*--loginuid-immutable\s*$
+      mode: '0600'
       create: true
     when: immutable_found_in_rules_d is defined and immutable_found_in_rules_d.matched
       == 0

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
@@ -92,7 +92,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
@@ -129,7 +129,7 @@
     path: '{{ all_files[0] }}'
     line: -w /etc/selinux/ -p wa -k MAC-policy
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -184,7 +184,7 @@
     state: present
     dest: /etc/audit/audit.rules
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
@@ -92,7 +92,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
@@ -114,7 +114,7 @@
     path: '{{ all_files[0] }}'
     line: -w /usr/share/selinux/ -p wa -k MAC-policy
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -163,7 +163,7 @@
     state: present
     dest: /etc/audit/audit.rules
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_media_export' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_media_export
+++ xccdf_org.ssgproject.content_rule_audit_rules_media_export
@@ -59,7 +59,7 @@
     if [ ! -e "$file_to_inspect" ]
     then
         touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
+        chmod 0600 "$file_to_inspect"
     fi
 fi
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_media_export' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_media_export
+++ xccdf_org.ssgproject.content_rule_audit_rules_media_export
@@ -120,7 +120,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
         -F auid!=unset -F key=perm_mod
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
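Review bot: `mode: g-rwx,o-rwx` is a symbolic mode, so it only strips group and other bits and leaves the owner bits as they are: an existing file at 0640 ends at 0600, but one at 0750 ends at 0700, while the sibling `lineinfile` tasks in this diff set an absolute `'0600'`. For a consistent, checkable result use `mode: '0600'` here as well; the same applies to the other `g-rwx,o-rwx` hunks in this diff.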
 
@@ -166,7 +166,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
         -F auid!=unset -F key=perm_mod
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:
@@ -263,7 +263,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
         -F auid!=unset -F key=perm_mod
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -309,7 +309,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
         -F auid!=unset -F key=perm_mod
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
@@ -58,7 +58,7 @@
     if [ ! -e "$file_to_inspect" ]
     then
         touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
+        chmod 0600 "$file_to_inspect"
     fi
 fi
 
@@ -413,7 +413,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi
@@ -545,7 +545,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi
@@ -677,7 +677,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi
@@ -810,7 +810,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
@@ -117,7 +117,7 @@
       path: '{{ audit_file }}'
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -164,7 +164,7 @@
       path: '{{ audit_file }}'
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:
@@ -260,7 +260,7 @@
       path: '{{ audit_file }}'
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -307,7 +307,7 @@
       path: '{{ audit_file }}'
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:
@@ -448,7 +448,7 @@
     path: '{{ all_files[0] }}'
     line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -505,7 +505,7 @@
     state: present
     dest: /etc/audit/audit.rules
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -645,7 +645,7 @@
     path: '{{ all_files[0] }}'
     line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -702,7 +702,7 @@
     state: present
     dest: /etc/audit/audit.rules
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -842,7 +842,7 @@
     path: '{{ all_files[0] }}'
     line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -899,7 +899,7 @@
     state: present
     dest: /etc/audit/audit.rules
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -1039,7 +1039,7 @@
     path: '{{ all_files[0] }}'
     line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -1096,7 +1096,7 @@
     state: present
     dest: /etc/audit/audit.rules
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts
@@ -91,7 +91,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts
@@ -90,7 +90,7 @@
     path: '{{ all_files[0] }}'
     line: -w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -129,7 +129,7 @@
     state: present
     dest: /etc/audit/audit.rules
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_session_events' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_session_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_session_events
@@ -92,7 +92,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi
@@ -224,7 +224,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi
@@ -356,7 +356,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_session_events' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_session_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_session_events
@@ -134,7 +134,7 @@
     path: '{{ all_files[0] }}'
     line: -w /var/run/utmp -p wa -k session
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -191,7 +191,7 @@
     state: present
     dest: /etc/audit/audit.rules
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -330,7 +330,7 @@
     path: '{{ all_files[0] }}'
     line: -w /var/log/btmp -p wa -k session
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -387,7 +387,7 @@
     state: present
     dest: /etc/audit/audit.rules
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -526,7 +526,7 @@
     path: '{{ all_files[0] }}'
     line: -w /var/log/wtmp -p wa -k session
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -583,7 +583,7 @@
     state: present
     dest: /etc/audit/audit.rules
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sudoers' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_sudoers
+++ xccdf_org.ssgproject.content_rule_audit_rules_sudoers
@@ -92,7 +92,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sudoers' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_sudoers
+++ xccdf_org.ssgproject.content_rule_audit_rules_sudoers
@@ -94,7 +94,7 @@
     path: '{{ all_files[0] }}'
     line: -w /etc/sudoers -p wa -k actions
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -135,7 +135,7 @@
     state: present
     dest: /etc/audit/audit.rules
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d
+++ xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d
@@ -92,7 +92,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d
+++ xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d
@@ -94,7 +94,7 @@
     path: '{{ all_files[0] }}'
     line: -w /etc/sudoers.d/ -p wa -k actions
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -135,7 +135,7 @@
     state: present
     dest: /etc/audit/audit.rules
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_auid_privilege_function' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_auid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_auid_privilege_function
@@ -58,7 +58,7 @@
     if [ ! -e "$file_to_inspect" ]
     then
         touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
+        chmod 0600 "$file_to_inspect"
     fi
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
@@ -60,7 +60,7 @@
     if [ ! -e "$file_to_inspect" ]
     then
         touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
+        chmod 0600 "$file_to_inspect"
     fi
 fi
 
@@ -378,7 +378,7 @@
     if [ ! -e "$file_to_inspect" ]
     then
         touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
+        chmod 0600 "$file_to_inspect"
     fi
 fi
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
@@ -82,6 +82,7 @@
     path: /etc/audit/rules.d/privileged.rules
     line: '{{  item.rule  }}'
     regexp: '{{ item.regex }}'
+    mode: '0600'
     create: true
   when:
   - '"audit" in ansible_facts.packages'
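Review bot: style only: `mode: '0600'` is inserted above `create: true` in this task, whereas the other `lineinfile` tasks in this diff place it after `create: true`; keeping one ordering across the generated playbooks makes future datastream diffs easier to read.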

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
+++ xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
@@ -93,7 +93,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi
@@ -225,7 +225,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
+++ xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
@@ -58,7 +58,7 @@
     state: present
     dest: /etc/audit/audit.rules
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -212,7 +212,7 @@
     path: '{{ all_files[0] }}'
     line: -w /etc/sudoers -p wa -k actions
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -275,7 +275,7 @@
     state: present
     dest: /etc/audit/audit.rules
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -429,7 +429,7 @@
     path: '{{ all_files[0] }}'
     line: -w /etc/sudoers.d/ -p wa -k actions
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown
+++ xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown
@@ -70,6 +70,7 @@
   lineinfile:
     path: '{{ item }}'
     create: true
+    mode: '0600'
     line: -f {{ var_audit_failure_mode }}
   loop:
   - /etc/audit/audit.rules

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification
@@ -92,7 +92,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi
@@ -224,7 +224,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi
@@ -356,7 +356,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi
@@ -488,7 +488,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi
@@ -620,7 +620,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
@@ -93,7 +93,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
@@ -150,7 +150,7 @@
     path: '{{ all_files[0] }}'
     line: -w /etc/group -p wa -k audit_rules_usergroup_modification
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -213,7 +213,7 @@
     state: present
     dest: /etc/audit/audit.rules
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
@@ -93,7 +93,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
@@ -150,7 +150,7 @@
     path: '{{ all_files[0] }}'
     line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -213,7 +213,7 @@
     state: present
     dest: /etc/audit/audit.rules
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
@@ -93,7 +93,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
@@ -150,7 +150,7 @@
     path: '{{ all_files[0] }}'
     line: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -213,7 +213,7 @@
     state: present
     dest: /etc/audit/audit.rules
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
@@ -93,7 +93,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
@@ -150,7 +150,7 @@
     path: '{{ all_files[0] }}'
     line: -w /etc/passwd -p wa -k audit_rules_usergroup_modification
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -213,7 +213,7 @@
     state: present
     dest: /etc/audit/audit.rules
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
@@ -93,7 +93,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
@@ -150,7 +150,7 @@
     path: '{{ all_files[0] }}'
     line: -w /etc/shadow -p wa -k audit_rules_usergroup_modification
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -213,7 +213,7 @@
     state: present
     dest: /etc/audit/audit.rules
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_sudo_log_events' differs.
--- xccdf_org.ssgproject.content_rule_audit_sudo_log_events
+++ xccdf_org.ssgproject.content_rule_audit_sudo_log_events
@@ -94,7 +94,7 @@
     if [ ! -e "$key_rule_file" ]
     then
         touch "$key_rule_file"
-        chmod 0640 "$key_rule_file"
+        chmod 0600 "$key_rule_file"
     fi
     files_to_inspect+=("$key_rule_file")
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_sudo_log_events' differs.
--- xccdf_org.ssgproject.content_rule_audit_sudo_log_events
+++ xccdf_org.ssgproject.content_rule_audit_sudo_log_events
@@ -114,7 +114,7 @@
     path: '{{ all_files[0] }}'
     line: -w /var/log/sudo.log -p wa -k logins
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'
@@ -163,7 +163,7 @@
     state: present
     dest: /etc/audit/audit.rules
     create: true
-    mode: '0640'
+    mode: '0600'
   when:
   - '"audit" in ansible_facts.packages'
   - '"kernel" in ansible_facts.packages'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_directory_access_var_log_audit' differs.
--- xccdf_org.ssgproject.content_rule_directory_access_var_log_audit
+++ xccdf_org.ssgproject.content_rule_directory_access_var_log_audit
@@ -52,7 +52,7 @@
     if [ ! -e "$file_to_inspect" ]
     then
         touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
+        chmod 0600 "$file_to_inspect"
     fi
 fi
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_directory_access_var_log_audit' differs.
--- xccdf_org.ssgproject.content_rule_directory_access_var_log_audit
+++ xccdf_org.ssgproject.content_rule_directory_access_var_log_audit
@@ -86,7 +86,7 @@
       line: -a always,exit{{ syscalls | join(',') }} -F dir=/var/log/audit/ -F perm=r
         -F auid>=1000 -F auid!=unset -F key=access-audit-trail
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -131,7 +131,7 @@
       line: -a always,exit{{ syscalls | join(',') }} -F dir=/var/log/audit/ -F perm=r
         -F auid>=1000 -F auid!=unset -F key=access-audit-trail
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
@@ -59,7 +59,7 @@
     if [ ! -e "$file_to_inspect" ]
     then
         touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
+        chmod 0600 "$file_to_inspect"
     fi
 fi
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
@@ -120,7 +120,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
         -F auid!=unset -F key=perm_mod
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -169,7 +169,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
         -F auid!=unset -F key=perm_mod
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:
@@ -268,7 +268,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
         -F auid!=unset -F key=perm_mod
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -317,7 +317,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
         -F auid!=unset -F key=perm_mod
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
@@ -59,7 +59,7 @@
     if [ ! -e "$file_to_inspect" ]
     then
         touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
+        chmod 0600 "$file_to_inspect"
     fi
 fi
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
@@ -121,7 +121,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
         -F auid!=unset -F key=perm_mod
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -171,7 +171,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
         -F auid!=unset -F key=perm_mod
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:
@@ -271,7 +271,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
         -F auid!=unset -F key=perm_mod
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -321,7 +321,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
         -F auid!=unset -F key=perm_mod
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
@@ -59,7 +59,7 @@
     if [ ! -e "$file_to_inspect" ]
     then
         touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
+        chmod 0600 "$file_to_inspect"
     fi
 fi
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
@@ -119,7 +119,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
         -F auid!=unset -F key=perm_mod
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -168,7 +168,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
         -F auid!=unset -F key=perm_mod
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:
@@ -266,7 +266,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
         -F auid!=unset -F key=perm_mod
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -315,7 +315,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
         -F auid!=unset -F key=perm_mod
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:
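Review bot: the identical one-line `mode` change lands in four places in this playbook (the b32 and b64 tasks and both `when` branches), and the fchmodat rule below carries the same four edits again; consider pulling the target mode into a single template variable shared by the audit_rules_* remediations so the next permissions adjustment is one edit rather than one per task, and so the bash and Ansible variants cannot drift apart as they do in this PR (absolute 0600 on one side, symbolic `g-rwx,o-rwx` on the other).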

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
@@ -59,7 +59,7 @@
     if [ ! -e "$file_to_inspect" ]
     then
         touch "$file_to_inspect"
-        chmod 0640 "$file_to_inspect"
+        chmod 0600 "$file_to_inspect"
     fi
 fi
 
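Review bot: the `chmod 0600` only runs inside the `[ ! -e "$file_to_inspect" ]` branch, so a rules file that already exists at 0640 from an earlier run is left untouched by this remediation; that is acceptable only while file_permissions_etc_audit_rulesd is in the same profile, and the ordering issue raised in the discussion shows the two rules are already coupled. Moving the `chmod 0600` after the existence check (or after the rule line is appended) would make each audit_rules_* remediation self-sufficient regardless of the order the rules run in.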

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
@@ -119,7 +119,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
         -F auid!=unset -F key=perm_mod
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -168,7 +168,7 @@
       line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
         -F auid!=unset -F key=perm_mod
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
   when:
@@ -266,7 +266,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
         -F auid!=unset -F key=perm_mod
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: syscalls_found | length == 0
 
@@ -315,7 +315,7 @@
       line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
         -F auid!=unset -F key=perm_mod
       create: true
-      mode: o-rwx
+      mode: g-rwx,o-rwx
       state: present
     when: sys

... The diff is trimmed here ...


Change in Ansible shell module found.

Please consider using more suitable Ansible module than shell if possible.

@jan-cerny jan-cerny self-assigned this Dec 18, 2024
@jan-cerny
Collaborator

The fail of the Ansible hardening test could be caused by a conflict with another rule remediation. From the test output it seems like that at the time of the remediation the files in /etc/audit/rules.d don't exist. They're probably created later by other rule remediation. It would be useful to investigate which rules create the files in this directory and change the remediations in these rules in a way these files would be created with correct permissions.

 TASK [Set permissions for /etc/audit/rules.d/ file(s)] *************************
skipping: [localhost] => {"changed": false, "skipped_reason": "No items in the list"}

@Mab879
Member Author

Mab879 commented Dec 18, 2024

The /etc/audit/rules.d is created when the audit package is installed. Maybe we should add a platform: package[audit]?

@jan-cerny
Collaborator

I think that won't fix it because the audit package is installed by default, you can see that in testout.log. The rule will still be applicable, and the test result will still be the same.

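The ordering problem discussed above, as an added example that is not part of this PR or of the ComplianceAsCode project: a POSIX shell script that creates an audit rules file at 0600 from its first instant (so it no longer matters whether the permissions rule runs before or after the rule that creates the file), puts the PR's touch-then-chmod pattern beside it for comparison, and runs a checker equivalent to what file_permissions_etc_audit_rulesd verifies. The file names and the scratch directory are assumptions for the demonstration; nothing is written under /etc.

```shell
# Added example, not code from the ComplianceAsCode project: it contrasts the
# "touch, then chmod" pattern used by the audit_rules_* remediations with
# creating the rules file at 0600 from the start, and adds a checker that
# mirrors what file_permissions_etc_audit_rulesd verifies. Everything runs
# against a temporary directory, never against the real /etc/audit/rules.d.

# Create a rules file that is 0600 from its first instant: the umask is applied
# by the kernel at creation time, so there is no intermediate 0644 window.
# A pre-existing file is tightened as well, which makes the function idempotent.
create_rule_file_0600() {
    f="$1"
    if [ ! -e "$f" ]; then
        (umask 077 && touch "$f")   # 0666 & ~077 = 0600
    fi
    chmod 0600 "$f"
}

# The pattern in the PR's bash remediation, for comparison: the file is created
# with the umask-default mode and only then tightened, and a file that already
# exists is left with whatever mode it had.
create_rule_file_then_chmod() {
    f="$1"
    if [ ! -e "$f" ]; then
        touch "$f"
        chmod 0600 "$f"
    fi
}

# Octal mode of a file, e.g. "600" (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Report every *.rules file in a directory whose mode is not 0600.
# Returns 0 when all files pass, 1 when at least one fails.
check_rules_dir() {
    dir="$1"
    bad=0
    for f in "$dir"/*.rules; do
        [ -e "$f" ] || continue        # no match: the glob stays literal
        m=$(file_mode "$f")
        if [ "$m" != "600" ]; then
            echo "FAIL $f mode=$m (expected 600)"
            bad=1
        fi
    done
    return "$bad"
}

# Walk through both patterns in a scratch directory (hypothetical file names).
demo() {
    d=$(mktemp -d)
    umask 022
    create_rule_file_0600 "$d/10-base.rules"
    # Simulate a rules file left at 0640 by an older remediation run.
    touch "$d/20-old.rules" && chmod 0640 "$d/20-old.rules"
    create_rule_file_then_chmod "$d/20-old.rules"   # existing file: untouched
    check_rules_dir "$d" || echo "as expected: the pre-existing file still fails"
    create_rule_file_0600 "$d/20-old.rules"         # tightens it to 0600
    check_rules_dir "$d" && echo "all rules files are 0600"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh script.sh demo`. The first checker pass fails on the simulated 0640 file because the touch-then-chmod variant never revisits an existing file; the second pass succeeds once the file has been created or tightened by the umask-based variant, which is the property that makes the remediation independent of which rule runs first.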
@Mab879 Mab879 force-pushed the adjust_filesystem_permissions branch from efb630e to 72c2b64 Compare December 19, 2024 18:16
@Mab879 Mab879 force-pushed the adjust_filesystem_permissions branch from 72c2b64 to bada4a9 Compare December 19, 2024 22:21
@Mab879 Mab879 force-pushed the adjust_filesystem_permissions branch from bada4a9 to 4e9fa6d Compare December 20, 2024 00:12
@Mab879 Mab879 force-pushed the adjust_filesystem_permissions branch from 4e9fa6d to ec0e121 Compare December 20, 2024 00:14

codeclimate bot commented Dec 20, 2024

Code Climate has analyzed commit ec0e121 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.6% (0.0% change).

View more on Code Climate.

@Mab879
Member Author

Mab879 commented Dec 20, 2024

/test 4.13-images
/test 4.14-images

@jan-cerny jan-cerny merged commit 38cfa42 into ComplianceAsCode:master Dec 20, 2024
100 of 105 checks passed
@Mab879 Mab879 deleted the adjust_filesystem_permissions branch December 20, 2024 13:20