Adjust two filesystem permission rules to 600 #12737
This datastream diff is auto generated by the check.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd
@@ -4,7 +4,7 @@
[description]:
To properly set the permissions of /etc/audit/rules.d/*.rules, run the command:
-$ sudo chmod 0640 /etc/audit/rules.d/*.rules
+$ sudo chmod 0600 /etc/audit/rules.d/*.rules
[reference]:
CCI-000171
OCIL for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd' differs.
--- ocil:ssg-file_permissions_etc_audit_rulesd_ocil:questionnaire:1
+++ ocil:ssg-file_permissions_etc_audit_rulesd_ocil:questionnaire:1
@@ -2,6 +2,6 @@
run the command:
$ ls -l /etc/audit/rules.d/*.rules
If properly configured, the output should indicate the following permissions:
--rw-r-----
- Is it the case that /etc/audit/rules.d/*.rules does not have unix mode -rw-r-----?
+-rw-------
+ Is it the case that /etc/audit/rules.d/*.rules does not have unix mode -rw-------?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd
@@ -2,4 +2,4 @@
-find -L /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type f -regextype posix-extended -regex '^.*rules$' -exec chmod u-xs,g-xws,o-xwrt {} \;
+find -L /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt -type f -regextype posix-extended -regex '^.*rules$' -exec chmod u-xs,g-xwrs,o-xwrt {} \;
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_audit_rulesd
@@ -1,5 +1,5 @@
- name: Find /etc/audit/rules.d/ file(s)
- command: find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xws,o+xwrt -type
+ command: find -H /etc/audit/rules.d/ -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt -type
f -regextype posix-extended -regex "^.*rules$"
register: files_found
changed_when: false
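Review bot: the bash and Ansible finders still disagree on symlink handling: the bash remediation above uses `find -L`, which dereferences every symlink under /etc/audit/rules.d/ so the `chmod u-xs,g-xwrs,o-xwrt` lands on the link target, while this task uses `find -H`, which only dereferences the starting path, so a symlinked .rules file is skipped by `-type f`. The new `g+xwrs` / `g-xwrs` bits are consistent between the two, but the symlink behaviour should be aligned, and `-L` combined with `-exec chmod` is the one to be careful with, since a link pointing outside the directory would have its target's mode changed by root.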
@@ -19,7 +19,7 @@
- name: Set permissions for /etc/audit/rules.d/ file(s)
file:
path: '{{ item }}'
- mode: u-xs,g-xws,o-xwrt
+ mode: u-xs,g-xwrs,o-xwrt
state: file
with_items:
- '{{ files_found.stdout_lines }}'
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages'.
--- xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages
+++ xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages
@@ -4,7 +4,7 @@
[description]:
To properly set the permissions of /var/log/messages, run the command:
-$ sudo chmod 0640 /var/log/messages
+$ sudo chmod 0600 /var/log/messages
[reference]:
CCI-001314
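Review bot: dropping group read on /var/log/messages is a behaviour change for any non-root consumer that relies on group membership to read the log (log shippers, auditors in a dedicated group), and nothing in this hunk covers the mode the logging daemon or log rotation applies when the file is recreated, so the check can drift back to 0640 after the next rotation. The PR description should say which profiles select this rule and confirm the logging configuration creates the file at 0600 as well; otherwise the rule only passes between rotations.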
OCIL for rule 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages' differs.
--- ocil:ssg-file_permissions_var_log_messages_ocil:questionnaire:1
+++ ocil:ssg-file_permissions_var_log_messages_ocil:questionnaire:1
@@ -2,6 +2,6 @@
run the command:
$ ls -l /var/log/messages
If properly configured, the output should indicate the following permissions:
--rw-r-----
- Is it the case that /var/log/messages does not have unix mode -rw-r-----?
+-rw-------
+ Is it the case that /var/log/messages does not have unix mode -rw-------?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages
+++ xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages
@@ -2,4 +2,4 @@
-chmod u-xs,g-xws,o-xwrt /var/log/messages
+chmod u-xs,g-xwrs,o-xwrt /var/log/messages
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages
+++ xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages
@@ -12,10 +12,10 @@
- medium_severity
- no_reboot_needed
-- name: Ensure permission u-xs,g-xws,o-xwrt on /var/log/messages
+- name: Ensure permission u-xs,g-xwrs,o-xwrt on /var/log/messages
file:
path: /var/log/messages
- mode: u-xs,g-xws,o-xwrt
+ mode: u-xs,g-xwrs,o-xwrt
when: file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-83665-0
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
@@ -58,7 +58,7 @@
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
- chmod 0640 "$file_to_inspect"
+ chmod 0600 "$file_to_inspect"
fi
fi
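Review bot: `touch` followed by `chmod 0600` creates the file at the umask-derived mode first and tightens it a moment later; creating it directly at the target mode, for example `(umask 077; touch "$file_to_inspect")` or `install -m 0600 /dev/null "$file_to_inspect"`, avoids that window. Note also that the chmod only runs on the creation path inside `if [ ! -e "$file_to_inspect" ]`, so a rules file that the previous version of this content left at 0640 is not tightened here; it is only corrected if file_permissions_etc_audit_rulesd is applied as well.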
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
@@ -109,7 +109,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
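Review bot: the `mode: g-rwx,o-rwx` change is only reached under `when: syscalls_found | length == 0`, i.e. when the rule line has to be added, so a file that already contains the rule keeps whatever mode it has (0640 from the previous content). That matches the bash side, but it means this task alone does not converge existing systems to 0600. Consider the octal `mode: '0600'` that the audit_rules_mac_modification and audit_rules_immutable_login_uids tasks in this same diff use; it sets the mode absolutely instead of stripping bits from whatever the umask produced at creation.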
@@ -155,7 +155,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
@@ -247,7 +247,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -293,7 +293,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/group
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
@@ -58,7 +58,7 @@
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
- chmod 0640 "$file_to_inspect"
+ chmod 0600 "$file_to_inspect"
fi
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at
@@ -108,7 +108,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -154,7 +154,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
@@ -245,7 +245,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -291,7 +291,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
@@ -58,7 +58,7 @@
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
- chmod 0640 "$file_to_inspect"
+ chmod 0600 "$file_to_inspect"
fi
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat
@@ -108,7 +108,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -154,7 +154,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
@@ -245,7 +245,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -291,7 +291,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/group
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
@@ -58,7 +58,7 @@
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
- chmod 0640 "$file_to_inspect"
+ chmod 0600 "$file_to_inspect"
fi
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
@@ -109,7 +109,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -155,7 +155,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
@@ -247,7 +247,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -293,7 +293,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/gshadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
@@ -58,7 +58,7 @@
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
- chmod 0640 "$file_to_inspect"
+ chmod 0600 "$file_to_inspect"
fi
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at
@@ -108,7 +108,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -154,7 +154,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
@@ -245,7 +245,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -291,7 +291,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
@@ -58,7 +58,7 @@
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
- chmod 0640 "$file_to_inspect"
+ chmod 0600 "$file_to_inspect"
fi
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat
@@ -108,7 +108,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -154,7 +154,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
@@ -245,7 +245,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -291,7 +291,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/gshadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
@@ -58,7 +58,7 @@
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
- chmod 0640 "$file_to_inspect"
+ chmod 0600 "$file_to_inspect"
fi
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
@@ -109,7 +109,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -155,7 +155,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
@@ -247,7 +247,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -293,7 +293,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/passwd
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
@@ -58,7 +58,7 @@
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
- chmod 0640 "$file_to_inspect"
+ chmod 0600 "$file_to_inspect"
fi
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at
@@ -108,7 +108,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -154,7 +154,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
@@ -245,7 +245,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -291,7 +291,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
@@ -58,7 +58,7 @@
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
- chmod 0640 "$file_to_inspect"
+ chmod 0600 "$file_to_inspect"
fi
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat
@@ -108,7 +108,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -154,7 +154,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
@@ -245,7 +245,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -291,7 +291,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/passwd
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
@@ -58,7 +58,7 @@
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
- chmod 0640 "$file_to_inspect"
+ chmod 0600 "$file_to_inspect"
fi
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
@@ -109,7 +109,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -155,7 +155,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
@@ -247,7 +247,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -293,7 +293,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a1&03 -F path=/etc/shadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
@@ -58,7 +58,7 @@
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
- chmod 0640 "$file_to_inspect"
+ chmod 0600 "$file_to_inspect"
fi
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at
@@ -108,7 +108,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -154,7 +154,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
@@ -245,7 +245,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -291,7 +291,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
@@ -58,7 +58,7 @@
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
- chmod 0640 "$file_to_inspect"
+ chmod 0600 "$file_to_inspect"
fi
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat
@@ -108,7 +108,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -154,7 +154,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
@@ -245,7 +245,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -291,7 +291,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a2&03 -F path=/etc/shadow
-F auid>=1000 -F auid!=unset -F key=modify
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_immutable' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_immutable
+++ xccdf_org.ssgproject.content_rule_audit_rules_immutable
@@ -22,6 +22,7 @@
echo '# Reboot is required to change audit rules once this setting is applied' >> $AUDIT_FILE
echo '-e 2' >> $AUDIT_FILE
chmod o-rwx $AUDIT_FILE
+ chmod g-rwx $AUDIT_FILE
done
else
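Review bot: the two consecutive invocations can be a single `chmod g-rwx,o-rwx "$AUDIT_FILE"`, which is also the moment to quote the variable (it is unquoted on both lines, so a path containing whitespace would be word-split). One combined chmod also mirrors the Ansible side of this rule, which uses the combined `g-rwx,o-rwx` symbolic mode.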
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_immutable' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_immutable
+++ xccdf_org.ssgproject.content_rule_audit_rules_immutable
@@ -78,7 +78,7 @@
path: '{{ item }}'
create: true
line: -e 2
- mode: o-rwx
+ mode: g-rwx,o-rwx
loop:
- /etc/audit/audit.rules
- /etc/audit/rules.d/immutable.rules
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_immutable_login_uids' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_immutable_login_uids
+++ xccdf_org.ssgproject.content_rule_audit_rules_immutable_login_uids
@@ -35,6 +35,7 @@
path: /etc/audit/audit.rules
line: --loginuid-immutable
regexp: ^\s*--loginuid-immutable\s*$
+ mode: '0600'
create: true
when:
- '"audit" in ansible_facts.packages'
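Review bot: this hunk adds an octal `mode: '0600'` to a lineinfile task with `create: true`, while the audit_rules_etc_* tasks in this diff use symbolic `g-rwx,o-rwx`; octal is the stronger choice, since it sets u=rw and clears setuid/setgid regardless of the file's prior mode and applies even when the file already existed, but the two styles should be unified across the content. Because `mode` was not set in this task before, files it created previously received the umask default, so this is a fix of an unset mode rather than a tightening from 0640; that is worth stating in the commit message.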
@@ -66,6 +67,7 @@
path: /etc/audit/rules.d/immutable.rules
line: --loginuid-immutable
regexp: ^\s*--loginuid-immutable\s*$
+ mode: '0600'
create: true
when: immutable_found_in_rules_d is defined and immutable_found_in_rules_d.matched
== 0
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
@@ -92,7 +92,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification
@@ -129,7 +129,7 @@
path: '{{ all_files[0] }}'
line: -w /etc/selinux/ -p wa -k MAC-policy
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -184,7 +184,7 @@
state: present
dest: /etc/audit/audit.rules
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
@@ -92,7 +92,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
+++ xccdf_org.ssgproject.content_rule_audit_rules_mac_modification_usr_share
@@ -114,7 +114,7 @@
path: '{{ all_files[0] }}'
line: -w /usr/share/selinux/ -p wa -k MAC-policy
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -163,7 +163,7 @@
state: present
dest: /etc/audit/audit.rules
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_media_export' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_media_export
+++ xccdf_org.ssgproject.content_rule_audit_rules_media_export
@@ -59,7 +59,7 @@
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
- chmod 0640 "$file_to_inspect"
+ chmod 0600 "$file_to_inspect"
fi
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_media_export' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_media_export
+++ xccdf_org.ssgproject.content_rule_audit_rules_media_export
@@ -120,7 +120,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -166,7 +166,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
@@ -263,7 +263,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -309,7 +309,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
@@ -58,7 +58,7 @@
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
- chmod 0640 "$file_to_inspect"
+ chmod 0600 "$file_to_inspect"
fi
fi
@@ -413,7 +413,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
@@ -545,7 +545,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
@@ -677,7 +677,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
@@ -810,7 +810,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
@@ -117,7 +117,7 @@
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -164,7 +164,7 @@
path: '{{ audit_file }}'
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
@@ -260,7 +260,7 @@
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -307,7 +307,7 @@
path: '{{ audit_file }}'
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
@@ -448,7 +448,7 @@
path: '{{ all_files[0] }}'
line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
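Review bot: `lineinfile` applies `mode: '0600'` to `{{ all_files[0] }}` on every run, whether or not it created the file, whereas the bash remediation only applies `chmod 0600` inside its create-if-missing block. As a result the Ansible fix will tighten an existing 0640 rule file while bash will not, so the two can leave a host in different states. Either behaviour is defensible, but they should agree; if always enforcing 0600 is intended, add an unconditional chmod after the create block in the bash version.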
@@ -505,7 +505,7 @@
state: present
dest: /etc/audit/audit.rules
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -645,7 +645,7 @@
path: '{{ all_files[0] }}'
line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -702,7 +702,7 @@
state: present
dest: /etc/audit/audit.rules
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -842,7 +842,7 @@
path: '{{ all_files[0] }}'
line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -899,7 +899,7 @@
state: present
dest: /etc/audit/audit.rules
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -1039,7 +1039,7 @@
path: '{{ all_files[0] }}'
line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -1096,7 +1096,7 @@
state: present
dest: /etc/audit/audit.rules
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts
@@ -91,7 +91,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts
+++ xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification_network_scripts
@@ -90,7 +90,7 @@
path: '{{ all_files[0] }}'
line: -w /etc/sysconfig/network-scripts -p wa -k audit_rules_networkconfig_modification_network_scripts
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -129,7 +129,7 @@
state: present
dest: /etc/audit/audit.rules
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_session_events' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_session_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_session_events
@@ -92,7 +92,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
@@ -224,7 +224,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
@@ -356,7 +356,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_session_events' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_session_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_session_events
@@ -134,7 +134,7 @@
path: '{{ all_files[0] }}'
line: -w /var/run/utmp -p wa -k session
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -191,7 +191,7 @@
state: present
dest: /etc/audit/audit.rules
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -330,7 +330,7 @@
path: '{{ all_files[0] }}'
line: -w /var/log/btmp -p wa -k session
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -387,7 +387,7 @@
state: present
dest: /etc/audit/audit.rules
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -526,7 +526,7 @@
path: '{{ all_files[0] }}'
line: -w /var/log/wtmp -p wa -k session
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -583,7 +583,7 @@
state: present
dest: /etc/audit/audit.rules
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sudoers' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_sudoers
+++ xccdf_org.ssgproject.content_rule_audit_rules_sudoers
@@ -92,7 +92,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sudoers' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_sudoers
+++ xccdf_org.ssgproject.content_rule_audit_rules_sudoers
@@ -94,7 +94,7 @@
path: '{{ all_files[0] }}'
line: -w /etc/sudoers -p wa -k actions
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -135,7 +135,7 @@
state: present
dest: /etc/audit/audit.rules
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d
+++ xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d
@@ -92,7 +92,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d
+++ xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d
@@ -94,7 +94,7 @@
path: '{{ all_files[0] }}'
line: -w /etc/sudoers.d/ -p wa -k actions
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -135,7 +135,7 @@
state: present
dest: /etc/audit/audit.rules
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_auid_privilege_function' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_auid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_auid_privilege_function
@@ -58,7 +58,7 @@
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
- chmod 0640 "$file_to_inspect"
+ chmod 0600 "$file_to_inspect"
fi
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
@@ -60,7 +60,7 @@
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
- chmod 0640 "$file_to_inspect"
+ chmod 0600 "$file_to_inspect"
fi
fi
@@ -378,7 +378,7 @@
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
- chmod 0640 "$file_to_inspect"
+ chmod 0600 "$file_to_inspect"
fi
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
@@ -82,6 +82,7 @@
path: /etc/audit/rules.d/privileged.rules
line: '{{ item.rule }}'
regexp: '{{ item.regex }}'
+ mode: '0600'
create: true
when:
- '"audit" in ansible_facts.packages'
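Review bot: the added `mode: '0600'` sits between `regexp` and `create: true` here, whereas the other tasks in this patch list `mode` directly after `create: true`; placing it in the same position keeps the generated tasks uniform and the diff easier to scan. Behaviour is unaffected, since key order in a YAML mapping carries no meaning.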
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
+++ xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
@@ -93,7 +93,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
@@ -225,7 +225,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
+++ xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
@@ -58,7 +58,7 @@
state: present
dest: /etc/audit/audit.rules
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -212,7 +212,7 @@
path: '{{ all_files[0] }}'
line: -w /etc/sudoers -p wa -k actions
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -275,7 +275,7 @@
state: present
dest: /etc/audit/audit.rules
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -429,7 +429,7 @@
path: '{{ all_files[0] }}'
line: -w /etc/sudoers.d/ -p wa -k actions
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown
+++ xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown
@@ -70,6 +70,7 @@
lineinfile:
path: '{{ item }}'
create: true
+ mode: '0600'
line: -f {{ var_audit_failure_mode }}
loop:
- /etc/audit/audit.rules
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification
@@ -92,7 +92,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
@@ -224,7 +224,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
@@ -356,7 +356,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
@@ -488,7 +488,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
@@ -620,7 +620,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
@@ -93,7 +93,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
@@ -150,7 +150,7 @@
path: '{{ all_files[0] }}'
line: -w /etc/group -p wa -k audit_rules_usergroup_modification
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -213,7 +213,7 @@
state: present
dest: /etc/audit/audit.rules
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
@@ -93,7 +93,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
@@ -150,7 +150,7 @@
path: '{{ all_files[0] }}'
line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -213,7 +213,7 @@
state: present
dest: /etc/audit/audit.rules
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
@@ -93,7 +93,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
@@ -150,7 +150,7 @@
path: '{{ all_files[0] }}'
line: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -213,7 +213,7 @@
state: present
dest: /etc/audit/audit.rules
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
@@ -93,7 +93,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
@@ -150,7 +150,7 @@
path: '{{ all_files[0] }}'
line: -w /etc/passwd -p wa -k audit_rules_usergroup_modification
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -213,7 +213,7 @@
state: present
dest: /etc/audit/audit.rules
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
@@ -93,7 +93,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
@@ -150,7 +150,7 @@
path: '{{ all_files[0] }}'
line: -w /etc/shadow -p wa -k audit_rules_usergroup_modification
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -213,7 +213,7 @@
state: present
dest: /etc/audit/audit.rules
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_sudo_log_events' differs.
--- xccdf_org.ssgproject.content_rule_audit_sudo_log_events
+++ xccdf_org.ssgproject.content_rule_audit_sudo_log_events
@@ -94,7 +94,7 @@
if [ ! -e "$key_rule_file" ]
then
touch "$key_rule_file"
- chmod 0640 "$key_rule_file"
+ chmod 0600 "$key_rule_file"
fi
files_to_inspect+=("$key_rule_file")
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_sudo_log_events' differs.
--- xccdf_org.ssgproject.content_rule_audit_sudo_log_events
+++ xccdf_org.ssgproject.content_rule_audit_sudo_log_events
@@ -114,7 +114,7 @@
path: '{{ all_files[0] }}'
line: -w /var/log/sudo.log -p wa -k logins
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
@@ -163,7 +163,7 @@
state: present
dest: /etc/audit/audit.rules
create: true
- mode: '0640'
+ mode: '0600'
when:
- '"audit" in ansible_facts.packages'
- '"kernel" in ansible_facts.packages'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_directory_access_var_log_audit' differs.
--- xccdf_org.ssgproject.content_rule_directory_access_var_log_audit
+++ xccdf_org.ssgproject.content_rule_directory_access_var_log_audit
@@ -52,7 +52,7 @@
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
- chmod 0640 "$file_to_inspect"
+ chmod 0600 "$file_to_inspect"
fi
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_directory_access_var_log_audit' differs.
--- xccdf_org.ssgproject.content_rule_directory_access_var_log_audit
+++ xccdf_org.ssgproject.content_rule_directory_access_var_log_audit
@@ -86,7 +86,7 @@
line: -a always,exit{{ syscalls | join(',') }} -F dir=/var/log/audit/ -F perm=r
-F auid>=1000 -F auid!=unset -F key=access-audit-trail
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -131,7 +131,7 @@
line: -a always,exit{{ syscalls | join(',') }} -F dir=/var/log/audit/ -F perm=r
-F auid>=1000 -F auid!=unset -F key=access-audit-trail
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
@@ -59,7 +59,7 @@
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
- chmod 0640 "$file_to_inspect"
+ chmod 0600 "$file_to_inspect"
fi
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
@@ -120,7 +120,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -169,7 +169,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
@@ -268,7 +268,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -317,7 +317,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
@@ -59,7 +59,7 @@
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
- chmod 0640 "$file_to_inspect"
+ chmod 0600 "$file_to_inspect"
fi
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
@@ -121,7 +121,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -171,7 +171,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
@@ -271,7 +271,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -321,7 +321,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
@@ -59,7 +59,7 @@
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
- chmod 0640 "$file_to_inspect"
+ chmod 0600 "$file_to_inspect"
fi
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
@@ -119,7 +119,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -168,7 +168,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
@@ -266,7 +266,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -315,7 +315,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
@@ -59,7 +59,7 @@
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
- chmod 0640 "$file_to_inspect"
+ chmod 0600 "$file_to_inspect"
fi
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
@@ -119,7 +119,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -168,7 +168,7 @@
line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
when:
@@ -266,7 +266,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: syscalls_found | length == 0
@@ -315,7 +315,7 @@
line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000
-F auid!=unset -F key=perm_mod
create: true
- mode: o-rwx
+ mode: g-rwx,o-rwx
state: present
when: sys
... The diff is trimmed here ... |
Change in Ansible: Please consider using a more suitable Ansible module than
The fail of the Ansible hardening test could be caused by a conflict with another rule remediation. From the test output it seems that at the time of the remediation the files in /etc/audit/rules.d don't exist. They're probably created later by another rule remediation. It would be useful to investigate which rules create the files in this directory and change the remediations in these rules in a way that these files would be created with correct permissions.
The |
I think that won't fix it because the audit package is installed by default, you can see that in testout.log. The rule will be applicable in and the test result will be still the same.
Code Climate has analyzed commit ec0e121 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.6% (0.0% change). View more on Code Climate.
/test 4.13-images
Description:
Adjust the following rules to 0600:
Rationale:
To match the existing system permissions.