One of the first layers of defense against attacks on a Linux system is Discretionary Access Control (DAC), which is managed through filesystem permissions.
Some of the STIG requirements for file permissions could cause disruptions on production systems if permissions had been adjusted to meet the needs of a particular application. These configurations are therefore applied on an opt-in basis, and deployers must verify that the changes work with their systems before applying them.
All of the tasks for these STIG requirements are included in tasks/rhel7stig/file_perms.yml.
Note
Ubuntu’s debsums command does not support verification of permissions and ownership for files that were installed by packages. This STIG requirement will be skipped on Ubuntu.
The STIG requires that all files owned by an installed package must have their permissions, user ownership, and group ownership set back to the vendor defaults.
Although this is a good practice, it can cause issues if permissions or ownership were intentionally changed after the packages were installed. It also causes significant delays in deployments, because every file of every installed package is examined. Therefore, this STIG requirement is not applied by default.
Deployers may opt in for the change by setting the following Ansible variable:
security_reset_perm_ownership: yes
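Before opting in, a deployer usually wants to know what the reset would actually change. The following script is an added example, not code from ansible-hardening or from the STIG: it reads `rpm -Va` output, whose first column is the nine-character SM5DLUGTP attribute string (a dot means the attribute matches the package, a letter means it differs), and lists the files whose mode (position 2, M), user (position 6, U) or group (position 7, G) currently differs from the vendor default. The sample lines are constructed for illustration; `--live` runs the real verify, which is read-only but, like the reset itself, walks every packaged file.

```shell
#!/bin/sh
# Added example (not part of ansible-hardening): dry-run for
# security_reset_perm_ownership. Reads `rpm -Va` lines on stdin and prints
# "attrs path" for every file whose mode, user or group differs from the
# package default. Input format: "SM5DLUGTP [c] /path"; "missing" lines
# (file absent) are skipped. The path is taken as the last field, so a
# packaged path containing spaces would be truncated (rare, but possible).
rpm_verify_dac_drift() {
    awk '
        $1 == "missing" { next }
        {
            attrs = $1; path = $NF; tags = ""
            if (substr(attrs, 2, 1) == "M") tags = tags "mode,"
            if (substr(attrs, 6, 1) == "U") tags = tags "user,"
            if (substr(attrs, 7, 1) == "G") tags = tags "group,"
            if (tags != "") {
                sub(/,$/, "", tags)
                print tags " " path
            }
        }'
}

# Constructed sample of rpm -Va output; paths and flags are illustrative only.
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/example-tool
.....UG..    /var/lib/example/data
.M...UG..  c /etc/example.conf
missing     /usr/share/doc/example/README
..5......    /usr/lib64/libexample.so.1'

if [ "${1-}" = "--live" ] && command -v rpm >/dev/null 2>&1; then
    rpm -Va | rpm_verify_dac_drift
else
    # Only the second, third and fourth sample lines carry M, U or G flags;
    # content (5), size (S) and mtime (T) differences are not DAC drift.
    printf '%s\n' "$SAMPLE_RPM_VA" | rpm_verify_dac_drift
fi
```

The printed paths are what a reset would touch. In rpm(8) the vendor values are restored per package with `rpm --setperms PKG` and `rpm --setugids PKG`, and `rpm -qf PATH` names the package owning a path, so each reported path can be traced to the package whose reset would change it.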
Searching an entire filesystem with find reduces system performance and might impact certain applications negatively. Therefore, the search for files and directories with an invalid owner is disabled by default.
Deployers can opt in for this search by setting the following Ansible variable:
security_search_for_invalid_owner: yes
Any files or directories without a valid user owner are displayed in the Ansible output.
Searching an entire filesystem with find reduces system performance and might impact certain applications negatively. Therefore, the search for files and directories with an invalid group owner is disabled by default.
Deployers can opt in for this search by setting the following Ansible variable:
security_search_for_invalid_group_owner: yes
Any files or directories without a valid group owner are displayed in the Ansible output.
Although the STIG requires that all home directories have the proper owner, group owner, and permissions, these changes might be disruptive in some environments. These tasks are not executed by default.
Deployers can opt in for the following changes to each home directory:
- Permissions: 0750 at a maximum. If permissions are already more restrictive than 0750, the permissions are left unchanged.
- User owner: the UID of the user.
- Group owner: the GID of the user.
Deployers can opt in for these changes by setting the following Ansible variable:
security_set_home_directory_permissions_and_owners: yes
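Because the home directory change is disruptive, it helps to see which directories would be touched before setting the variable. The script below is an added example, not part of ansible-hardening: it reads passwd(5)-format lines, selects interactive users, and reports every home directory whose mode is looser than 0750 or whose owner or group does not match the user's UID and GID, without changing anything. The interactive-user cut-off (MIN_UID, default 1000) and the use of GNU `stat -c` are assumptions; take UID_MIN from /etc/login.defs on the target.

```shell
#!/bin/sh
# Added example (not part of ansible-hardening): report the home directories
# that security_set_home_directory_permissions_and_owners would change.
# Reads passwd(5) lines on stdin; nothing is modified. Requires GNU stat.
check_home_dirs() {
    min_uid=${MIN_UID:-1000}   # assumption: local interactive users start at 1000
    while IFS=: read -r user pw uid gid gecos home shell; do
        # Interactive users only: UID in the local range and a real login shell
        [ "$uid" -ge "$min_uid" ] 2>/dev/null || continue
        case "$shell" in ""|*/nologin|*/false) continue ;; esac
        if [ ! -d "$home" ]; then
            echo "$user $home: missing"
            continue
        fi
        st=$(stat -c '%a %u %g' "$home" 2>/dev/null) || { echo "$user $home: stat failed"; continue; }
        set -- $st
        mode=$1 owner=$2 group=$3
        # "0750 at a maximum" means no bit of 0027 (group write, other rwx) may
        # be set; a stricter mode such as 0700 passes and would be left alone.
        if [ $(( 0$mode & 0027 )) -ne 0 ]; then
            echo "$user $home: mode $mode exceeds 0750"
        fi
        [ "$owner" = "$uid" ] || echo "$user $home: owner uid $owner, expected $uid"
        [ "$group" = "$gid" ] || echo "$user $home: group gid $group, expected $gid"
    done
}

# Stand-alone use: sh check_homes.sh [/path/to/passwd]
check_home_dirs < "${1:-/etc/passwd}"
```

An empty report means the opt-in would change nothing; a directory listed with a mode such as 755 is one where other users currently have read access, which is exactly what the STIG setting removes.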
This control is implemented by the tasks for another control. Refer to the documentation for more details on the change and how to opt out:
Although the STIG has requirements for ownership and permissions of files and directories in each user’s home directory, broad changes to these settings might cause disruptions to users on a system. Therefore, these changes are left to deployers to examine and adjust manually.
Although the STIG requires that all initialization files for interactive users have proper owners, group owners, and permissions, these changes are often disruptive for users. The tasks in the security role do not make any changes to user initialization files.
Deployers should review the content and discretionary access controls applied to each user’s initialization files in their home directory.
Deployers should manually search their systems for world-writable programs and change the permissions on those programs. The following command lists every world-writable regular file, not only executables, so review the output before changing modes:
find / -perm -002 -type f
World-writable executables are almost never needed.
The tasks in the security role examine the world-writable directories on the system and report any directories that are not group-owned by the root user. Those directories appear in the Ansible output.
Deployers should review the list of directories and group owners to ensure that they are appropriate for the directory. Unauthorized group ownership could allow certain users to modify files from other users.
Searching the entire filesystem for world-writable directories will consume a significant amount of disk I/O and could impact the performance of a production system. It can also delay the playbook’s completion. Therefore, the search is disabled by default.
Deployers can enable the search by setting the following Ansible variable:
security_find_world_writable_dirs: yes
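The opt-in searches on this page (files and directories with an invalid owner, with an invalid group owner, world-writable files, and world-writable directories not group-owned by root) can be run by hand, outside the playbook, when a full-filesystem find inside a deployment window is not acceptable. The script below is an added example, not code from ansible-hardening: each search is a function taking a starting directory, uses the POSIX `-nouser` and `-nogroup` primaries, and adds `-xdev` so that find stays on one filesystem instead of descending into /proc, /sys or network mounts (run it once per local mount). All searches are read-only.

```shell
#!/bin/sh
# Added example (not part of ansible-hardening): the page's four opt-in
# filesystem searches as read-only functions. $1 is the starting directory;
# -xdev stops find at mount points, so call once per local filesystem.

# Files or directories whose numeric UID or GID has no passwd/group entry,
# typically left behind by a deleted account.
find_invalid_owner() { find "$1" -xdev -nouser  2>/dev/null; }
find_invalid_group() { find "$1" -xdev -nogroup 2>/dev/null; }

# World-writable regular files (the page's world-writable programs check;
# it lists every such file, executable or not).
find_world_writable_files() { find "$1" -xdev -type f -perm -0002 2>/dev/null; }

# World-writable directories, and the subset not group-owned by root. The
# sticky bit does not exempt a directory here: the check is on group
# ownership only, as on the page.
find_world_writable_dirs() { find "$1" -xdev -type d -perm -0002 2>/dev/null; }
find_world_writable_dirs_not_root_group() {
    find "$1" -xdev -type d -perm -0002 ! -group root 2>/dev/null
}

count() { wc -l | tr -d ' '; }

audit_dac() {
    for kind in invalid_owner invalid_group world_writable_files \
                world_writable_dirs_not_root_group; do
        echo "== $kind"
        "find_$kind" "$1"
    done
}

# Stand-alone use: sh audit_dac.sh /   (repeat for /var, /home, ... if separate mounts)
if [ $# -gt 0 ]; then audit_dac "$1"; fi
```

Directories such as /tmp and /var/tmp are expected to be world-writable but are root-owned, sticky, and group root, so they do not show up in the last search; anything that does show up deserves the same review the page asks for of the Ansible output.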
Although the STIG requires that all local interactive user accounts have a umask of 077, this change can be disruptive for users and the applications they run. This change cannot be applied in an automated way.
Deployers should review user initialization files regularly to ensure that the umask is not specified there. This allows the system-wide setting of 077 to be applied to all user sessions.
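The review above is easy to script. The following is an added example, not part of ansible-hardening: it walks the home directories under a base directory (normally /home), scans the common shell initialization files for `umask` statements on non-comment lines, including ones that follow `&&`, `;` or `|`, and then filters the statements whose mask is not 077 (0077 is accepted as equivalent). The list of initialization file names is an assumption and should be extended for the shells in use.

```shell
#!/bin/sh
# Added example (not part of ansible-hardening): find where user initialization
# files override the system-wide umask of 077. $1 is the directory holding the
# home directories. Output lines are file:line:value.

# Assumption: the initialization files the STIG has in mind for common shells.
INIT_FILES=".bashrc .bash_profile .bash_login .profile .cshrc .tcshrc .zshrc .kshrc .login"

# Every umask statement, with its value, from every user's init files.
list_user_umasks() {
    for home in "$1"/*; do
        [ -d "$home" ] || continue
        for f in $INIT_FILES; do
            if [ -f "$home/$f" ]; then
                awk '
                    {
                        line = $0
                        sub(/#.*/, "", line)   # drop comments
                        # umask at line start or after a separator, then an octal mask
                        if (match(line, /(^|[;&|\t ])umask[\t ]+[0-7]+/)) {
                            stmt = substr(line, RSTART, RLENGTH)
                            n = split(stmt, w, /[\t ]+/)
                            printf "%s:%d:%s\n", FILENAME, FNR, w[n]
                        }
                    }' "$home/$f"
            fi
        done
    done
}

# Only the statements that do not set 077 (leading zeros ignored).
umask_overrides_not_077() {
    list_user_umasks "$1" | awk -F: '{ v = $3; sub(/^0+/, "", v); if (v != "77") print }'
}

count() { wc -l | tr -d ' '; }

# Stand-alone use: sh check_umask.sh /home
if [ $# -gt 0 ]; then umask_overrides_not_077 "$1"; fi
```

A umask set from a sourced file or in a multi-line `if` block is only caught if the statement itself sits on one line; the output is a starting point for the manual review, not a replacement for it.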
The tasks in the security role check for the existence of /etc/cron.allow and set both the user and group ownership to root. This is already the default on Ubuntu, CentOS, Red Hat Enterprise Linux, openSUSE Leap and SUSE Linux Enterprise 12.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.