-
Notifications
You must be signed in to change notification settings - Fork 29
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
62638f5
commit 51c5882
Showing
2 changed files
with
119 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
{ | ||
"tags": [ | ||
"cwe" | ||
], | ||
"securityStandards": { | ||
"CERT": [ | ||
|
||
], | ||
"CWE": [ | ||
732, | ||
266 | ||
], | ||
"OWASP": [ | ||
|
||
], | ||
"OWASP Top 10 2021": [ | ||
|
||
], | ||
"PCI DSS 3.2": [ | ||
|
||
], | ||
"PCI DSS 4.0": [ | ||
|
||
], | ||
"ASVS 4.0": [ | ||
|
||
], | ||
"STIG ASD_V5R3": [ | ||
"V-222430" | ||
] | ||
}, | ||
"quickfix": "unknown" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,86 @@ | ||
include::../description.adoc[] | ||
|
||
== Ask Yourself Whether | ||
|
||
* The Ansible host is designed to have multiple users. | ||
* Services are run by dedicated low-privileged users to achieve privileges separation. | ||
|
||
There is a risk if you answered yes to any of those questions. | ||
|
||
include::../recommended.adoc[] | ||
|
||
To be secure, remove the unnecessary permissions. If required, use `owner` and `group` to | ||
set the target user and group. | ||
|
||
== Sensitive Code Example | ||
|
||
[source,yaml] | ||
---- | ||
--- | ||
- name: My deployment | ||
hosts: all | ||
tasks: | ||
- name: Create /etc/demo with permissions | ||
ansible.builtin.file: | ||
path: /etc/demo | ||
state: directory | ||
mode: '0777' # Sensitive | ||
- name: Copy demo3.conf and set symbolic permissions | ||
ansible.builtin.copy: | ||
src: /files/demo.conf | ||
dest: /etc/demo/demo.conf | ||
mode: 'a=r,u+w' # Sensitive | ||
---- | ||
|
||
== Compliant Solution | ||
|
||
[source,yaml] | ||
---- | ||
--- | ||
- name: My deployment | ||
hosts: all | ||
tasks: | ||
- name: Create /etc/demo with permissions | ||
ansible.builtin.file: | ||
path: /etc/demo | ||
state: directory | ||
mode: '0770' | ||
- name: Copy demo3.conf and set symbolic permissions | ||
ansible.builtin.copy: | ||
src: /files/demo.conf | ||
dest: /etc/demo/demo.conf | ||
mode: 'g=r,u+w,o=' | ||
---- | ||
|
||
== See | ||
|
||
* CWE - https://cwe.mitre.org/data/definitions/284[CWE-732 - Incorrect Permission Assignment for Critical Resource] | ||
* Ansible Community Documentation - https://docs.ansible.com/ansible/latest/collections/ansible/builtin/[Ansible.Builtin module] | ||
* Ansible Community Documentation - https://docs.ansible.com/ansible/latest/collections/community/general/[Community.General module] | ||
* GNU Coreutils - https://www.gnu.org/software/coreutils/manual/html_node/chown-invocation.html[chmod command] | ||
* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222430[Application Security and Development: V-222430] - The application must execute without excessive account permissions. | ||
|
||
|
||
ifdef::env-github,rspecator-view[] | ||
|
||
''' | ||
== Implementation Specification | ||
(visible only on this page) | ||
|
||
=== Message | ||
|
||
Make sure granting access to others is safe here. | ||
|
||
== Highlighting | ||
|
||
* Highlight the `mode` value. | ||
|
||
''' | ||
== Comments And Links | ||
(visible only on this page) | ||
|
||
include::../comments-and-links.adoc[] | ||
|
||
endif::env-github,rspecator-view[] |