{"id":172,"sha1":"4c4264eead2058d7e277c69dd9b66c119d3ec2fd","playbook":{"id":2,"items":{"plays":18,"tasks":608,"results":2412,"hosts":15,"files":158,"records":0},"arguments":{"version":null,"verbosity":0,"private_key_file":null,"remote_user":null,"connection":"openstack.osa.ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":true,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py","/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini","/etc/openstack_deploy/inventory.ini"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":4,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["setup-hosts.yml"]},"labels":[{"id":1,"name":"check:False"},{"id":2,"name":"tags:all"}],"started":"2025-12-08T13:40:18.992997Z","ended":"2025-12-08T13:50:25.791366Z","duration":"00:10:06.798369","name":null,"ansible_version":"2.18.6","client_version":"1.7.4","python_version":"3.12.11","server_version":"1.7.4","status":"completed","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-hosts.yml","controller":"aio1.openstack.local","user":"root"},"content":"---\n# Copyright 2016, Rackspace US, Inc.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n- name: V-71849 - Get packages with incorrect file permissions or ownership\n  ansible.builtin.shell: \"grep '^.M' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'\"\n  register: rpmverify_package_list\n  changed_when: false\n  when:\n    - not check_mode | bool\n    - ansible_facts['pkg_mgr'] == 'dnf'\n    - security_reset_perm_ownership | bool\n  tags:\n    - file_perms\n    - high\n    - V-71849\n\n- name: V-71849 - Reset file permissions/ownership to vendor values\n  shell: \"rpm {{ item[0] }} `rpm -qf {{ item[1] }}`\" # noqa: command-instead-of-shell command-instead-of-module risky-shell-pipe\n  changed_when: false\n  with_nested:\n    - [\"--setperms\", \"--setugids\"]\n    - \"{{ rpmverify_package_list.stdout_lines | default([]) }}\"\n  when:\n    - not check_mode | bool\n    - ansible_facts['pkg_mgr'] == 'dnf'\n    - rpmverify_package_list is defined\n    - rpmverify_package_list.stdout_lines | length > 0\n  async: 300\n  poll: 0\n  tags:\n    - file_perms\n    - high\n    - V-71849\n    # don't trigger ANSIBLE0013\n    - skip_ansible_lint\n\n- name: Search for files/directories with an invalid owner\n  ansible.builtin.command: find / -xdev -nouser -fstype local\n  register: invalid_owner_files\n  changed_when: false\n  when:\n    - security_search_for_invalid_owner | bool\n  tags:\n    - always\n\n- name: V-72007 - All files and directories must have a valid owner.\n  ansible.builtin.debug:\n    msg: |\n      Files and directories were found that are owned by an invalid user:\n      {{ invalid_owner_files.stdout_lines | join('\\n') }}\n  when:\n    - invalid_owner_files is defined\n    - invalid_owner_files.stdout_lines is defined\n    - invalid_owner_files.stdout_lines | length > 0\n  tags:\n    - file_perms\n    - medium\n    - V-72007\n\n- name: Search for files/directories with an invalid group owner\n  ansible.builtin.command: find / -xdev -nogroup -fstype local\n  register: invalid_group_owner_files\n  changed_when: false\n  when:\n    - security_search_for_invalid_group_owner | bool\n  tags:\n    - always\n\n- name: V-72009 - All files and directories must have a valid group owner.\n  ansible.builtin.debug:\n    msg: |\n      Files and directories were found that are owned by an invalid group:\n      {{ invalid_group_owner_files.stdout_lines | join('\\n') }}\n  when:\n    - invalid_group_owner_files is defined\n    - invalid_group_owner_files.stdout_lines is defined\n    - invalid_group_owner_files.stdout_lines | length > 0\n  tags:\n    - file_perms\n    - medium\n    - V-72009\n\n- name: Set proper owner, group owner, and permissions on home directories\n  ansible.builtin.file:\n    dest: \"{{ item.dir }}\"\n    owner: \"{{ item.name }}\"\n    group: \"{{ item.group.name }}\"\n    mode: \"g-ws,o-rwxt\"\n  when:\n    - item.uid >= 1000\n    - item.name != 'nobody'\n    - security_set_home_directory_permissions_and_owners | bool\n  with_items: \"{{ hardening_user_list.users | selectattr('uid', 'greaterthan', 999) | list }}\"\n  tags:\n    - medium\n    - file_perms\n    - V-72017\n    - V-72019\n    - V-72021\n\n- name: Find all world-writable directories\n  ansible.builtin.shell: \"find / -perm -002 -type d -exec ls -lLd {} \\\\; | tr -s ' ' | cut -d' ' -f 4,9 | grep -v ^root\"\n  register: world_writable_dirs\n  changed_when: false\n  failed_when: false\n  check_mode: false\n  when:\n    - security_find_world_writable_dirs | bool\n  tags:\n    - always\n\n- name: V-72047 - All world-writable directories must be group-owned by root, sys, bin, or an application group.\n  ansible.builtin.debug:\n    msg: |\n      The group owners on the following world-writable directories should be examined:\n      {{ world_writable_dirs.stdout }}\n  when:\n    - world_writable_dirs is defined\n    - world_writable_dirs is not skipped\n  tags:\n    - medium\n    - file_perms\n    - V-72047\n\n- name: Check if /etc/cron.allow exists\n  ansible.builtin.stat:\n    path: /etc/cron.allow\n  register: cron_allow_check\n  tags:\n    - always\n\n- name: Set owner/group owner on /etc/cron.allow\n  ansible.builtin.file:\n    path: /etc/cron.allow\n    owner: root\n    group: root\n  when:\n    - cron_allow_check is defined\n    - cron_allow_check.stat.exists\n  tags:\n    - medium\n    - file_perms\n    - V-72053\n    - V-72055\n","created":"2025-12-08T13:49:59.237161Z","updated":"2025-12-08T13:49:59.237173Z","path":"/home/zuul/src/opendev.org/openstack/ansible-hardening/tasks/rhel7stig/file_perms.yml"}