
Commit b6b87a9

Merge pull request #323 from ansible-lockdown/pub_7.1.2_enhance
Enhanced 7.1.12: added a variable to exclude filesystem types
2 parents 7f918c0 + cda171c commit b6b87a9

2 files changed

Lines changed: 11 additions & 4 deletions


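--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1314,9 +1314,16 @@ ubtu22cis_dotperm_ansiblemanaged: true
 
 ## Section 7
 
-# 7.1.12 Ensure no files or directories without an owner and a group exist
-ubtu22cis_exclude_unowned_search_path: (! -path "/run/user/*" -a ! -path "/proc/*" -a ! -path "*/containerd/*" -a ! -path "*/kubelet/pods/*" -a ! -path "*/kubelet/plugins/*" -a ! -path "/sys/fs/cgroup/memory/*" -a ! -path "/var/*/private/*")
-
+# 7.1.12
+# Ensure no files or directories without an owner and a group exist
+# Extend the list as required adding the the current list e.g. "-a ! -path "/somedir/*"
+# Note Ensure to document all exclusions that do not match the benchmark
+ubtu22cis_exclude_unowned_search_path: '\( ! -path "/run/user/*" -a ! -path "/proc/*" -a ! -path "*/containerd/*" -a ! -path "*/kubelet/pods/*" -a ! -path "*/kubelet/plugins/*" -a ! -path "/sys/fs/cgroup/memory/*" -a ! -path "/var/*/private/*" \)'
+
+# This can be extended as seen fit
+# NFS added as starter to be extended with "-a -not -fstype CIFS"
+# Note Ensure to document all exclusions that do not match the benchmark
+ubtu22cis_exclude_unowned_filesystem_types: '\( -not -fstype nfs \)'
 # Control 7.1.12
 # The value of this variable specifies the owner that will be set for unowned files and directories.
 ubtu22cis_unowned_owner: root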
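Review bot: The guidance comment added above `ubtu22cis_exclude_unowned_search_path` has a doubled "the" and unbalanced quotes (`e.g. "-a ! -path "/somedir/*"`), so it does not tell the reader that additions go inside the `\( ... \)` group, before the closing `\)`; suggest `# Extend as required by appending to the expression inside the parentheses, e.g. -a ! -path "/somedir/*"`. The example in the comment above `ubtu22cis_exclude_unowned_filesystem_types` spells the type `CIFS`, but GNU find's `-fstype` compares the type name literally and Linux reports it in lowercase, so a copy-pasted `-a -not -fstype CIFS` would most likely match nothing and the exclusion would silently be a no-op; `-a -not -fstype cifs` is the form to document. Both values are find expression fragments spliced verbatim into a command line, and each path or filesystem added here removes that area from the unowned-file audit, which is why the "document all exclusions" note matters; a one-line comment saying that exclusions narrow the audit scope rather than the remediation would make that note actionable.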

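--- a/tasks/section_7/cis_7.1.x.yml
+++ b/tasks/section_7/cis_7.1.x.yml
@@ -220,7 +220,7 @@
 warn_control_id: '7.1.12'
 block:
 - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories"
-ansible.builtin.command: 'find {{ ubtu22cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs'
+ansible.builtin.command: find {{ ubtu22cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) {{ ubtu22cis_exclude_unowned_filesystem_types }}
 changed_when: false
 failed_when: false
 check_mode: false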
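Review bot: The rewritten command still places the `{{ ubtu22cis_exclude_unowned_search_path }}` expression group before the starting point `{{ item.mount }}`; GNU find (as shipped on Ubuntu) requires all starting points to precede the expression and otherwise exits non-zero with "paths must precede expression", and since this task sets `failed_when: false` that error is swallowed, so the audit would appear to find no unowned files instead of reporting a failure (unless a later task checks the registered rc, which is outside this hunk). Moving the mount in front of the expression keeps find's argument order valid: `ansible.builtin.command: 'find {{ item.mount }} -xdev {{ ubtu22cis_exclude_unowned_search_path }} \( -nouser -o -nogroup \) {{ ubtu22cis_exclude_unowned_filesystem_types }}'`. The earlier revision single-quoted this value and the new line is a plain scalar; keeping the single quotes would stay consistent with neighbouring scalars such as `warn_control_id: '7.1.12'`. The enclosing task and its `block:` begin before this hunk.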
