Disable file perm/ownership reset

Although setting file permissions and ownership based on the contents of the RPM database is a good practice, it causes significant deployment delays and can cause issues if a system administrator has intentionally changed file permissions or ownership to meet their specific needs. This patch disables the tasks that set the permissions/ownership back to their original values but leaves them enabled in the gate job. Change-Id: I185f6755d9bddf58e23d6512f4728522c36306c0
2017-03-03 10:30:49 -06:00 · 2017-03-03 10:30:49 -06:00 · 7caec98c14
commit 7caec98c14
parent 00b687dbae
4 changed files with 16 additions and 4 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -510,7 +510,7 @@ security_rhel7_remove_shosts_files: yes                      # RHEL-07-040330

 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.
-security_reset_perm_ownership: yes                           # RHEL-07-010010
+security_reset_perm_ownership: no                            # RHEL-07-010010
 # Search for files/directories owned by invalid users or groups.
 security_search_for_invalid_owner: no                        # RHEL-07-020360
 security_search_for_invalid_group_owner: no                  # RHEL-07-020370
--- a/doc/metadata/rhel7/RHEL-07-010010.rst
+++ b/doc/metadata/rhel7/RHEL-07-010010.rst
@ -1,6 +1,6 @@
 ---
 id: RHEL-07-010010
-status: implemented - red hat only
+status: opt-in
 tag: file_perms
 ---

@ -14,8 +14,13 @@ The STIG requires that all files owned by an installed package must have their
 permissions, user ownership, and group ownership set back to the vendor
 defaults.

-Deployers may opt-out of the change by setting the following Ansible variable:
+Although this is a good practice, it can cause issues if permissions or
+ownership were intentionally set after the packages were installed. It also
+causes significant delays in deployments. Therefore, this STIG is not applied
+by default.
+
+Deployers may opt in for the change by setting the following Ansible variable:

 .. code-block:: yaml

-   security_reset_perm_ownership: no
+   security_reset_perm_ownership: yes
--- a/releasenotes/notes/disable-rpm-perms-fix-by-default-b164e39717f0ada7.yaml
+++ b/releasenotes/notes/disable-rpm-perms-fix-by-default-b164e39717f0ada7.yaml
@ -0,0 +1,6 @@
+---
+security:
+  - |
+    The security role will no longer fix file permissions and ownership based
+    on the contents of the RPM database by default. Deployers can opt in for
+    these changes by setting ``security_reset_perm_ownership`` to ``yes``.
--- a/tests/test.yml
+++ b/tests/test.yml
@ -95,3 +95,4 @@
    security_rhel7_initialize_aide: yes
    security_require_grub_authentication: yes
    security_set_home_directory_permissions_and_owners_recursively: no
+    security_reset_perm_ownership: yes