diff --git a/rules/S2612/ansible/metadata.json b/rules/S2612/ansible/metadata.json
new file mode 100644
index 00000000000..dc42ee2376c
--- /dev/null
+++ b/rules/S2612/ansible/metadata.json
@@ -0,0 +1,33 @@
+{
+ "tags": [
+ "cwe"
+ ],
+ "securityStandards": {
+ "CERT": [
+
+ ],
+ "CWE": [
+ 732,
+ 266
+ ],
+ "OWASP": [
+
+ ],
+ "OWASP Top 10 2021": [
+
+ ],
+ "PCI DSS 3.2": [
+
+ ],
+ "PCI DSS 4.0": [
+
+ ],
+ "ASVS 4.0": [
+
+ ],
+ "STIG ASD_V5R3": [
+ "V-222430"
+ ]
+ },
+ "quickfix": "unknown"
+}
diff --git a/rules/S2612/ansible/rule.adoc b/rules/S2612/ansible/rule.adoc
new file mode 100644
index 00000000000..7cd8afaa010
--- /dev/null
+++ b/rules/S2612/ansible/rule.adoc
@@ -0,0 +1,86 @@
+include::../description.adoc[]
+
+== Ask Yourself Whether
+
+* The Ansible host is designed to have multiple users.
+* Services are run by dedicated low-privileged users to achieve privileges separation.
+
+There is a risk if you answered yes to any of those questions.
+
+include::../recommended.adoc[]
+
+To be secure, remove the unnecessary permissions. If required, use `owner` and `group` to
+set the target user and group.
+
+== Sensitive Code Example
+
+[source,yaml]
+----
+---
+- name: My deployment
+ hosts: all
+ tasks:
+ - name: Create /etc/demo with permissions
+ ansible.builtin.file:
+ path: /etc/demo
+ state: directory
+ mode: '0777' # Sensitive
+
+ - name: Copy demo3.conf and set symbolic permissions
+ ansible.builtin.copy:
+ src: /files/demo.conf
+ dest: /etc/demo/demo.conf
+ mode: 'a=r,u+w' # Sensitive
+----
+
+== Compliant Solution
+
+[source,yaml]
+----
+---
+- name: My deployment
+ hosts: all
+ tasks:
+ - name: Create /etc/demo with permissions
+ ansible.builtin.file:
+ path: /etc/demo
+ state: directory
+ mode: '0770'
+
+ - name: Copy demo3.conf and set symbolic permissions
+ ansible.builtin.copy:
+ src: /files/demo.conf
+ dest: /etc/demo/demo.conf
+ mode: 'g=r,u+w,o='
+----
+
+== See
+
+* CWE - https://cwe.mitre.org/data/definitions/284[CWE-732 - Incorrect Permission Assignment for Critical Resource]
+* Ansible Community Documentation - https://docs.ansible.com/ansible/latest/collections/ansible/builtin/[Ansible.Builtin module]
+* Ansible Community Documentation - https://docs.ansible.com/ansible/latest/collections/community/general/[Community.General module]
+* GNU Coreutils - https://www.gnu.org/software/coreutils/manual/html_node/chown-invocation.html[chmod command]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222430[Application Security and Development: V-222430] - The application must execute without excessive account permissions.
+
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+=== Message
+
+Make sure granting access to others is safe here.
+
+== Highlighting
+
+* Highlight the `mode` value.
+
+'''
+== Comments And Links
+(visible only on this page)
+
+include::../comments-and-links.adoc[]
+
+endif::env-github,rspecator-view[]
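Review bot: The first entry of the `== See` list in this hunk is labelled CWE-732 but its URL points to `https://cwe.mitre.org/data/definitions/284`, which is a different weakness (CWE-284, Improper Access Control); the line should read `* CWE - https://cwe.mitre.org/data/definitions/732[CWE-732 - Incorrect Permission Assignment for Critical Resource]`. The GNU Coreutils entry has the same label/target mismatch: the text says chmod but the URL is `chown-invocation.html`, so use `* GNU Coreutils - https://www.gnu.org/software/coreutils/manual/html_node/chmod-invocation.html[chmod command]`. The metadata.json hunk above also maps this rule to CWE-266, which the See section never cites; either add a CWE-266 entry here or drop 266 from the metadata so the two files agree. The collapsed whitespace on this page hides the YAML indentation of both example blocks, so their structure could not be checked from here.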