SonarSource · sebastien-andrivet-sonarsource · Oct 8, 2024 · Oct 1, 2024 · Oct 1, 2024 · Oct 8, 2024
diff --git a/rules/S2612/ansible/metadata.json b/rules/S2612/ansible/metadata.json
@@ -0,0 +1,33 @@
+{
+  "tags": [
+    "cwe"
+  ],
+  "securityStandards": {
+    "CERT": [
+
+    ],
+    "CWE": [
+      732,
+      266
+    ],
+    "OWASP": [
+
+    ],
+    "OWASP Top 10 2021": [
+
+    ],
+    "PCI DSS 3.2": [
+
+    ],
+    "PCI DSS 4.0": [
+
+    ],
+    "ASVS 4.0": [
+
+    ],
+    "STIG ASD_V5R3": [
+      "V-222430"
+    ]
+  },
+  "quickfix": "unknown"
+}
diff --git a/rules/S2612/ansible/rule.adoc b/rules/S2612/ansible/rule.adoc
@@ -0,0 +1,86 @@
+include::../description.adoc[]
+
+== Ask Yourself Whether
+
+* The Ansible host is designed to have multiple users.
+* Services are run by dedicated low-privileged users to achieve privileges separation.
+
+There is a risk if you answered yes to any of those questions.
+
+include::../recommended.adoc[]
+
+To be secure, remove the unnecessary permissions. If required, use `owner` and `group` to
+set the target user and group.
+
+== Sensitive Code Example
+
+[source,yaml]
+----
+---
+- name: My deployment
+  hosts: all
+  tasks:
+    - name: Create /etc/demo with permissions
+      ansible.builtin.file:
+        path: /etc/demo
+        state: directory
+        mode: '0777' # Sensitive
+
+    - name: Copy demo3.conf and set symbolic permissions
+      ansible.builtin.copy:
+        src: /files/demo.conf
+        dest: /etc/demo/demo.conf
+        mode: 'a=r,u+w' # Sensitive
+----
+
+== Compliant Solution
+
+[source,yaml]
+----
+---
+- name: My deployment
+  hosts: all
+  tasks:
+    - name: Create /etc/demo with permissions
+      ansible.builtin.file:
+        path: /etc/demo
+        state: directory
+        mode: '0770'
+
+    - name: Copy demo3.conf and set symbolic permissions
+      ansible.builtin.copy:
+        src: /files/demo.conf
+        dest: /etc/demo/demo.conf
+        mode: 'g=r,u+w,o='
+----
+
+== See
+
+* CWE - https://cwe.mitre.org/data/definitions/284[CWE-732 - Incorrect Permission Assignment for Critical Resource]
+* Ansible Community Documentation - https://docs.ansible.com/ansible/latest/collections/ansible/builtin/[Ansible.Builtin module]
+* Ansible Community Documentation - https://docs.ansible.com/ansible/latest/collections/community/general/[Community.General module]
+* GNU Coreutils - https://www.gnu.org/software/coreutils/manual/html_node/chown-invocation.html[chmod command]
+* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222430[Application Security and Development: V-222430] - The application must execute without excessive account permissions.
+
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+=== Message
+
+Make sure granting access to others is safe here.
+
+== Highlighting
+
+* Highlight the `mode` value.
+
+'''
+== Comments And Links
+(visible only on this page)
+
+include::../comments-and-links.adoc[]
+
+endif::env-github,rspecator-view[]