Ensure All World-Writable Directories Are Owned by root User

An XCCDF Rule

Description

All directories in local partitions which are world-writable should be owned by root. If any world-writable directories are not owned by root, this should be investigated. Following this, the files should be deleted or assigned to root user.

Rationale

Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.

ID: xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned
Severity: Medium
References: BP28(R40)

CCI-000366

SRG-OS-000138-GPOS-00069 SRG-OS-000480-GPOS-00227
Updated: about 1 year ago

- name: Ensure All World-Writable Directories Are Owned by root User - Define Excluded
    (Non-Local) File Systems and Paths
  ansible.builtin.set_fact:
    excluded_fstypes:
    - afs
    - ceph    - cifs
    - smb3
    - smbfs
    - sshfs
    - ncpfs
    - ncp
    - nfs
    - nfs4
    - gfs
    - gfs2
    - glusterfs
    - gpfs
    - pvfs2
    - ocfs2
    - lustre
    - davfs
    - fuse.sshfs
    excluded_paths:
    - dev
    - proc
    - run
    - sys
    search_paths: []
  tags:
  - dir_perms_world_writable_root_owned
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure All World-Writable Directories Are Owned by root User - Find Relevant
    Root Directories Ignoring Pre-Defined Excluded Paths
  ansible.builtin.find:
    paths: /
    file_type: directory
    excludes: '{{ excluded_paths }}'
    hidden: true
    recurse: false
  register: result_relevant_root_dirs
  tags:
  - dir_perms_world_writable_root_owned
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure All World-Writable Directories Are Owned by root User - Include Relevant
    Root Directories in a List of Paths to be Searched
  ansible.builtin.set_fact:
    search_paths: '{{ search_paths | union([item.path]) }}'
  loop: '{{ result_relevant_root_dirs.files }}'
  tags:
  - dir_perms_world_writable_root_owned
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure All World-Writable Directories Are Owned by root User - Increment Search
    Paths List with Local Partitions Mount Points
  ansible.builtin.set_fact:
    search_paths: '{{ search_paths | union([item.mount]) }}'
  loop: '{{ ansible_mounts }}'
  when:
  - item.fstype not in excluded_fstypes
  - item.mount != '/'
  tags:
  - dir_perms_world_writable_root_owned
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure All World-Writable Directories Are Owned by root User - Increment Search
    Paths List with Local NFS File System Targets
  ansible.builtin.set_fact:
    search_paths: '{{ search_paths | union([item.device.split('':'')[1]]) }}'
  loop: '{{ ansible_mounts }}'
  when: item.device is search("localhost:")
  tags:
  - dir_perms_world_writable_root_owned
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure All World-Writable Directories Are Owned by root User - Define Rule
    Specific Facts
  ansible.builtin.set_fact:
    world_writable_dirs: []
  tags:
  - dir_perms_world_writable_root_owned
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure All World-Writable Directories Are Owned by root User - Find All Uncompliant
    Directories in Local File Systems
  ansible.builtin.command:
    cmd: find {{ item }} -xdev -type d -perm -0002 -uid +0
  loop: '{{ search_paths }}'
  changed_when: false
  register: result_found_dirs
  tags:
  - dir_perms_world_writable_root_owned
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure All World-Writable Directories Are Owned by root User - Create List
    of World Writable Directories Not Owned by root
  ansible.builtin.set_fact:
    world_writable_dirs: '{{ world_writable_dirs | union(item.stdout_lines) | list
      }}'
  loop: '{{ result_found_dirs.results }}'
  when: item is not skipped
  tags:
  - dir_perms_world_writable_root_owned
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure All World-Writable Directories Are Owned by root User - Ensure root
    Ownership on Local World Writable Directories
  ansible.builtin.file:
    path: '{{ item }}'
    owner: root
  loop: '{{ world_writable_dirs }}'
  tags:
  - dir_perms_world_writable_root_owned
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy


# At least under containerized env /proc can have files w/o possilibity to
# modify even as root. And touching /proc is not good idea anyways.
find / -path /proc -prune -o \
    -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs \
    -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 \    -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs \
    -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs \
    -not -fstype fuse.sshfs -type d -perm -0002 -uid +0 -exec chown root {} \;

Ensure All World-Writable Directories Are Owned by root User

Description

Rationale

Remediation - Ansible

Remediation - Shell Script