Add RSPEC for S2612

rules/S2612/ansible/metadata.json

@@ -0,0 +1,2 @@
+{
+}

rules/S2612/ansible/rule.adoc

@@ -0,0 +1,95 @@
+include::../description.adoc[]
+
+== Ask Yourself Whether
+
+* The Ansible host is designed to have multiple users.
+* Services are run by dedicated low-privileged users to achieve privileges separation.
+
+There is a risk if you answered yes to any of those questions.
+
+include::../recommended.adoc[]
+
+To be secure, remove the unnecessary permissions. If required, use `owner` and `group` to
+set the target user and group.
+
+== Sensitive Code Example
+
+[source,yaml]
+----
+---
+- name: My deployment
+  hosts: all
+  tasks:
+    - name: Create /etc/demo with permissions
+      ansible.builtin.file:
+        path: /etc/demo
+        state: directory
+        mode: '0777'
+
+    - name: Copy demo3.conf without setting permissions (default permissions)
+      ansible.builtin.copy:
+        src: /files/demo.conf
+        dest: /etc/demo/demo.conf
+----
+
+== Compliant Solution
+
+[source,yaml]
+----
+---
+- name: My deployment
+  hosts: all
+  tasks:
+    - name: Create /etc/demo with permissions
+      ansible.builtin.file:
+        path: /etc/demo
+        state: directory
+        mode: '0770'
+
+    - name: Copy demo3.conf without setting permissions (default permissions)
+      ansible.builtin.copy:
+        src: /files/demo.conf
+        dest: /etc/demo/demo.conf
+        mode: '0640'
+----
+
+== See
+
+* CWE - https://cwe.mitre.org/data/definitions/284[CWE-732 - Incorrect Permission Assignment for Critical Resource]
+* https://docs.ansible.com/ansible/latest/collections/ansible/builtin/assemble_module.html#parameter-mode[mode] - Ansible Assemble module
+* https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html#parameter-mode[mode] - Ansible Copy module
+* https://docs.ansible.com/ansible/latest/collections/ansible/builtin/file_module.html#parameter-mode[mode] - Ansible File module
+* https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html#parameter-mode[mode] - Ansible Get URL module
+* https://docs.ansible.com/ansible/latest/collections/ansible/builtin/replace_module.html#parameter-mode[mode] - Ansible Replace module
+* https://docs.ansible.com/ansible/latest/collections/ansible/builtin/template_module.html#parameter-mode[mode] - Ansible Template module
+* https://docs.ansible.com/ansible/latest/collections/community/general/archive_module.html#parameter-mode[mode] - Ansible Archive module
+* https://docs.ansible.com/ansible/latest/collections/ansible/builtin/unarchive_module.html#parameter-mode[mode] - Ansible Unarchive module
+* https://docs.ansible.com/ansible/latest/collections/community/general/ini_file_module.html#parameter-mode[mode] - Ansible INI File module
+* https://docs.ansible.com/ansible/latest/collections/ansible/builtin/blockinfile_module.html#parameter-mode[mode] - Ansible Blockinfile module
+* https://man.archlinux.org/man/core/man-pages/chmod.1p.en[chmod reference] - `chmod` command
+* https://man.archlinux.org/man/chown.1.en[chown reference] - `chown` command
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222430[Application Security and Development: V-222430] - The application must execute without excessive account permissions.
+
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+=== Message
+
+Make sure granting access to others is safe here.
+
+== Highlighting
+
+* If `mode` is used, highlight the `mode` value.
+* Otherwise, highlight the Ansible module.
+
+'''
+== Comments And Links
+(visible only on this page)
+
+include::../comments-and-links.adoc[]
+
+endif::env-github,rspecator-view[]