Modify S2612: add Ansible (#4356)
sebastien-andrivet-sonarsource authored Oct 8, 2024
1 parent 62638f5 commit 51c5882
Showing 2 changed files with 119 additions and 0 deletions.
33 changes: 33 additions & 0 deletions rules/S2612/ansible/metadata.json
@@ -0,0 +1,33 @@
{
"tags": [
"cwe"
],
"securityStandards": {
"CERT": [

],
"CWE": [
732,
266
],
"OWASP": [

],
"OWASP Top 10 2021": [

],
"PCI DSS 3.2": [

],
"PCI DSS 4.0": [

],
"ASVS 4.0": [

],
"STIG ASD_V5R3": [
"V-222430"
]
},
"quickfix": "unknown"
}
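
Review bot: `securityStandards.CWE` lists 266 alongside 732, but rule.adoc in this same commit links only CWE-732 in its See section; either add a CWE-266 (Incorrect Privilege Assignment) entry to the See list or drop 266 here so the metadata and the rule document agree on the mapped weaknesses.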
86 changes: 86 additions & 0 deletions rules/S2612/ansible/rule.adoc
@@ -0,0 +1,86 @@
include::../description.adoc[]

== Ask Yourself Whether

* The Ansible host is designed to have multiple users.
* Services are run by dedicated low-privileged users to achieve privileges separation.

There is a risk if you answered yes to any of those questions.

include::../recommended.adoc[]

To be secure, remove the unnecessary permissions. If required, use `owner` and `group` to
set the target user and group.

== Sensitive Code Example

[source,yaml]
----
---
- name: My deployment
hosts: all
tasks:
- name: Create /etc/demo with permissions
ansible.builtin.file:
path: /etc/demo
state: directory
mode: '0777' # Sensitive
- name: Copy demo3.conf and set symbolic permissions
ansible.builtin.copy:
src: /files/demo.conf
dest: /etc/demo/demo.conf
mode: 'a=r,u+w' # Sensitive
----

== Compliant Solution

[source,yaml]
----
---
- name: My deployment
hosts: all
tasks:
- name: Create /etc/demo with permissions
ansible.builtin.file:
path: /etc/demo
state: directory
mode: '0770'
- name: Copy demo3.conf and set symbolic permissions
ansible.builtin.copy:
src: /files/demo.conf
dest: /etc/demo/demo.conf
mode: 'g=r,u+w,o='
----

== See

* CWE - https://cwe.mitre.org/data/definitions/284[CWE-732 - Incorrect Permission Assignment for Critical Resource]
* Ansible Community Documentation - https://docs.ansible.com/ansible/latest/collections/ansible/builtin/[Ansible.Builtin module]
* Ansible Community Documentation - https://docs.ansible.com/ansible/latest/collections/community/general/[Community.General module]
* GNU Coreutils - https://www.gnu.org/software/coreutils/manual/html_node/chown-invocation.html[chmod command]
* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222430[Application Security and Development: V-222430] - The application must execute without excessive account permissions.


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure granting access to others is safe here.

== Highlighting

* Highlight the `mode` value.

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
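
Review bot: the CWE link in the See section is wrong: the entry is labelled `CWE-732 - Incorrect Permission Assignment for Critical Resource` but the URL points to https://cwe.mitre.org/data/definitions/284 (that is CWE-284, Improper Access Control); it should be https://cwe.mitre.org/data/definitions/732. Two more points in the same region: the GNU Coreutils entry is labelled `chmod command` but links to `chown-invocation.html`, so it should point at the chmod-invocation page instead; and both playbooks name the copy task `Copy demo3.conf and set symbolic permissions` while `src` is `/files/demo.conf` and `dest` is `/etc/demo/demo.conf`, so the task name should say demo.conf. In the rspecator block, `== Highlighting` is a level-2 heading placed under `== Implementation Specification` whereas `=== Message` is level 3; make it `=== Highlighting` for a consistent outline.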
