From 1832189d433d608daad1be403b7c30f7ffef5486 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Mon, 19 May 2025 02:32:23 -0400
Subject: [PATCH 01/14] Use Packer Ansible to use symbolic permissions

Since symbolic permissions are more clear than implicit ones, and since our ansible-lint rules are changing to forbid implicit permissions, we need to update them for any Ansible playbooks used in our Packer configuration.
---
 packer/ansible/create_credentials_directory.yml | 2 +-
 packer/ansible/create_cyhy_user.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/packer/ansible/create_credentials_directory.yml b/packer/ansible/create_credentials_directory.yml
index a11c3925..55e5aa50 100644
--- a/packer/ansible/create_credentials_directory.yml
+++ b/packer/ansible/create_credentials_directory.yml
@@ -7,7 +7,7 @@
 - name: Create the /etc/cyhy directory
 ansible.builtin.file:
 group: "{{ cyhy_user_username }}"
- mode: 0750
+ mode: u=rwx,g=rx,o=
 owner: "{{ cyhy_user_username }}"
 path: /etc/cyhy
 state: directory
diff --git a/packer/ansible/create_cyhy_user.yml b/packer/ansible/create_cyhy_user.yml
index 07cea13c..f67aac66 100644
--- a/packer/ansible/create_cyhy_user.yml
+++ b/packer/ansible/create_cyhy_user.yml
@@ -16,7 +16,7 @@

 - name: Modify permissions on the home directory
 ansible.builtin.file:
- mode: 0750
+ mode: u=rwx,g=rx,o=
 path: "{{ user_info.home }}"

 - name: Add the SSH public key as an authorized key
From 70434ce5f65e4a9d5f6c60513a1e1d74d5666a49 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Mon, 19 May 2025 16:44:12 -0400
Subject: [PATCH 02/14] Use symbolic file permissions in the `code_gov_update` role

---
 ansible/roles/code_gov_update/tasks/main.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ansible/roles/code_gov_update/tasks/main.yml b/ansible/roles/code_gov_update/tasks/main.yml
index 20ab720c..c9efda3b 100644
--- a/ansible/roles/code_gov_update/tasks/main.yml
+++ b/ansible/roles/code_gov_update/tasks/main.yml
@@ -5,7 +5,7 @@
 - name: Create the secrets directory
 ansible.builtin.file:
 group: cyhy
- mode: 0755
+ mode: u=rwx,g=rx,o=rx
 owner: cyhy
 path: /var/cyhy/code-gov-update/secrets
 state: directory
@@ -14,7 +14,7 @@
 ansible.builtin.template:
 dest: /var/cyhy/code-gov-update/secrets/scraper.json
 group: cyhy
- mode: 0440
+ mode: u=r,g=r,o=
 owner: cyhy
 src: scraper.json.j2

@@ -22,7 +22,7 @@
 ansible.builtin.template:
 dest: /var/cyhy/code-gov-update/secrets/aws_config
 group: cyhy
- mode: 0440
+ mode: u=r,g=r,o=
 owner: cyhy
 src: aws_config.j2

From 597250c8e9d39cb7d7efb718c1062befae140180 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Mon, 19 May 2025 16:51:13 -0400
Subject: [PATCH 03/14] Use symbolic file permissions in the `cyhy_archive` role

---
 ansible/roles/cyhy_archive/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/roles/cyhy_archive/tasks/main.yml b/ansible/roles/cyhy_archive/tasks/main.yml
index 25dff2e2..643d13af 100644
--- a/ansible/roles/cyhy_archive/tasks/main.yml
+++ b/ansible/roles/cyhy_archive/tasks/main.yml
@@ -4,7 +4,7 @@
 - name: Create the /var/lib/mongodb/cyhy_archives directory
 ansible.builtin.file:
 group: cyhy
- mode: 0755
+ mode: u=rwx,g=rx,o=rx
 owner: cyhy
 path: /var/lib/mongodb/cyhy_archives
 state: directory
From 5314d26f99d41f09aa7dc6fa9c64aa65eefb3d1b Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Mon, 19 May 2025 16:26:57 -0400
Subject: [PATCH 04/14] Use symbolic file permissions in the `cyhy_commander` role

---
 ansible/roles/cyhy_commander/tasks/main.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

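Review bot: The secrets directory in the first hunk is created with `mode: u=rwx,g=rx,o=rx`, which leaves `/var/cyhy/code-gov-update/secrets` traversable and listable by every local account even though the files the next two hunks place inside it are `u=r,g=r,o=`. Since the only consumer visible here is the `cyhy` owner/group, `mode: u=rwx,g=rx,o=` would keep the filenames private without affecting the template tasks that write into it. The same `o=rx` mode on a secrets directory appears in the `cyhy_mailer` (`/var/cyhy/cyhy-mailer/secrets`) and `orchestrator` (`/var/cyhy/orchestrator/secrets`) hunks later in this series. If a process outside the `cyhy` group genuinely needs to traverse the directory, a comment on the task saying so would make the wider mode deliberate rather than incidental.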
diff --git a/ansible/roles/cyhy_commander/tasks/main.yml b/ansible/roles/cyhy_commander/tasks/main.yml
index 9f13b43f..8c2942aa 100644
--- a/ansible/roles/cyhy_commander/tasks/main.yml
+++ b/ansible/roles/cyhy_commander/tasks/main.yml
@@ -7,7 +7,7 @@
 content: "{{ cyhy_commander_ssh_private_key }}"
 dest: /var/cyhy/.ssh/id_ed25519
 group: cyhy
- mode: 0600
+ mode: u=rw,g=,o=
 owner: cyhy

 #
@@ -16,7 +16,7 @@
 - name: Create the configuration file for cyhy-commander
 ansible.builtin.template:
 dest: /etc/cyhy/commander.conf
- mode: 0644
+ mode: u=rw,g=r,o=r
 src: commander.conf.j2

 #
@@ -25,7 +25,7 @@
 - name: Create empty ssh config file
 ansible.builtin.file:
 group: cyhy
- mode: 0644
+ mode: u=rw,g=r,o=r
 owner: cyhy
 path: /var/cyhy/.ssh/config
 state: touch
@@ -41,7 +41,7 @@
 #
 - name: Create the directories needed to import places data
 ansible.builtin.file:
- mode: 0755
+ mode: u=rwx,g=rx,o=rx
 path: "{{ item }}"
 state: directory
 loop:
@@ -51,19 +51,19 @@
 - name: Download load_places.sh from GitHub
 ansible.builtin.get_url:
 dest: /tmp/cyhy-places/scripts/load_places.sh
- mode: 0755
+ mode: u=rwx,g=rx,o=rx
 url: "https://raw.githubusercontent.com/cisagov/cyhy-core/develop/var/load_places.sh"

 - name: Download GNIS_data_import.py from GitHub
 ansible.builtin.get_url:
 dest: /tmp/cyhy-places/scripts/GNIS_data_import.py
- mode: 0755
+ mode: u=rwx,g=rx,o=rx
 url: "https://raw.githubusercontent.com/cisagov/cyhy-core/develop/var/GNIS_data_import.py"

 - name: Download ADDL_CYHY_PLACES.txt from GitHub
 ansible.builtin.get_url:
 dest: /tmp/cyhy-places/extras/ADDL_CYHY_PLACES.txt
- mode: 0644
+ mode: u=rw,g=r,o=r
 url: "https://raw.githubusercontent.com/cisagov/cyhy-core/develop/extras/ADDL_CYHY_PLACES.txt"

 - name: Check if cyhy.conf already exists
@@ -84,7 +84,7 @@
 ansible.builtin.template:
 dest: /etc/cyhy/cyhy.conf
 group: cyhy
- mode: 0660
+ mode: u=rw,g=rw,o=
 owner: cyhy
 src: cyhy.conf.j2
 when: not cyhy_commander_cyhy_conf_result.stat.exists
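Review bot: The three `ansible.builtin.get_url` tasks in the `@@ -51,19` hunk still fetch `load_places.sh` and `GNIS_data_import.py` from the moving `develop` branch of `cisagov/cyhy-core` with no `checksum:` set, and the new `u=rwx,g=rx,o=rx` mode marks them executable, so whatever that branch serves at run time is presumably what the role later runs. Pinning each `url` to a tag or commit and adding `checksum: "sha256:<PLACEHOLDER>"` to each task would make the download verifiable and the build reproducible; this is independent of the mode change the commit makes. The hunk ends on the `Check if cyhy.conf already exists` task name, so that task's body is outside the hunk.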
From e7524b21209afe51aa71649478f473af31f55770 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Mon, 19 May 2025 16:34:12 -0400
Subject: [PATCH 05/14] Use symbolic file permissions in the `cyhy_dashboard` role

---
 ansible/roles/cyhy_dashboard/tasks/main.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/ansible/roles/cyhy_dashboard/tasks/main.yml b/ansible/roles/cyhy_dashboard/tasks/main.yml
index c0567db4..0798173e 100644
--- a/ansible/roles/cyhy_dashboard/tasks/main.yml
+++ b/ansible/roles/cyhy_dashboard/tasks/main.yml
@@ -2,7 +2,7 @@
 - name: Create the /var/cyhy/web directory
 ansible.builtin.file:
 group: cyhy
- mode: 0750
+ mode: u=rwx,g=rx,o=
 owner: cyhy
 path: /var/cyhy/web
 state: directory
@@ -10,7 +10,7 @@
 - name: Create secret key file for webd
 ansible.builtin.file:
 group: cyhy
- mode: 0664
+ mode: u=rw,g=rw,o=r
 owner: cyhy
 path: /var/cyhy/web/secret_key
 state: touch
@@ -30,7 +30,7 @@
 ansible.builtin.template:
 dest: /etc/cyhy/cyhy.conf
 group: cyhy
- mode: 0660
+ mode: u=rw,g=rw,o=
 owner: cyhy
 src: cyhy.conf.j2

@@ -43,7 +43,7 @@
 - name: Copy webd service file
 ansible.builtin.copy:
 dest: /etc/systemd/system/ncats-webd.service
- mode: 0644
+ mode: u=rw,g=r,o=r
 src: ncats-webd.service

 - name: Start webd service
@@ -54,7 +54,7 @@
 - name: Copy webui service file
 ansible.builtin.copy:
 dest: /etc/systemd/system/ncats-webui.service
- mode: 0644
+ mode: u=rw,g=r,o=r
 src: ncats-webui.service

 - name: Start webui service
From 73fb69f26f5a6e9f4461aac7edce8dceb35c7a54 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Mon, 19 May 2025 16:42:38 -0400
Subject: [PATCH 06/14] Use symbolic file permissions in the `cyhy_feeds` role

---
 ansible/roles/cyhy_feeds/tasks/main.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

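Review bot: In the `@@ -10,7` hunk, `/var/cyhy/web/secret_key` is touched with `mode: u=rw,g=rw,o=r`, which leaves the webd secret key file readable by every local account. A secret has no obvious need for the other-read bit; `mode: u=rw,g=rw,o=` keeps the existing `cyhy` owner and group access and drops world readability. If the key is written or read by a uid outside the `cyhy` group that relies on `o=r`, that dependency deserves a comment on the task, since the rest of this series tightens comparable files to `o=`.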
diff --git a/ansible/roles/cyhy_feeds/tasks/main.yml b/ansible/roles/cyhy_feeds/tasks/main.yml
index 2ae4f640..3bdb4da7 100644
--- a/ansible/roles/cyhy_feeds/tasks/main.yml
+++ b/ansible/roles/cyhy_feeds/tasks/main.yml
@@ -4,7 +4,7 @@
 content: "{{ cyhy_feeds_config }}"
 dest: "/var/cyhy/scripts/cyhy-feeds/cyhy-data-extract.cfg"
 group: cyhy
- mode: 0444
+ mode: u=r,g=r,o=r
 owner: cyhy

 #
@@ -14,7 +14,7 @@
 ansible.builtin.template:
 dest: /var/cyhy/scripts/cyhy-feeds/aws_config
 group: cyhy
- mode: 0440
+ mode: u=r,g=r,o=
 owner: cyhy
 src: aws_config.j2

@@ -26,7 +26,7 @@
 ansible.builtin.template:
 dest: "/var/cyhy/scripts/cyhy-feeds/{{ item.filename }}"
 group: cyhy
- mode: 0660
+ mode: u=rw,g=rw,o=
 owner: cyhy
 src: mongodb_credentials.yml.j2
 loop:
From ac7d64695e062ad0b5468464a67df1f00d9a9e61 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Mon, 19 May 2025 16:36:43 -0400
Subject: [PATCH 07/14] Use symbolic file permissions in the `cyhy_mailer` role

---
 ansible/roles/cyhy_mailer/tasks/main.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ansible/roles/cyhy_mailer/tasks/main.yml b/ansible/roles/cyhy_mailer/tasks/main.yml
index 8d6587f0..bd01c269 100644
--- a/ansible/roles/cyhy_mailer/tasks/main.yml
+++ b/ansible/roles/cyhy_mailer/tasks/main.yml
@@ -10,7 +10,7 @@
 - name: Create the secrets directory for cyhy-mailer
 ansible.builtin.file:
 group: cyhy
- mode: 0755
+ mode: u=rwx,g=rx,o=rx
 owner: cyhy
 path: /var/cyhy/cyhy-mailer/secrets
 state: directory
@@ -19,7 +19,7 @@
 ansible.builtin.template:
 dest: /var/cyhy/cyhy-mailer/secrets/database_creds.yml
 group: cyhy
- mode: 0444
+ mode: u=r,g=r,o=r
 owner: cyhy
 src: database_creds.yml.j2

@@ -27,7 +27,7 @@
 ansible.builtin.template:
 dest: /var/cyhy/cyhy-mailer/secrets/aws_config
 group: cyhy
- mode: 0444
+ mode: u=r,g=r,o=r
 owner: cyhy
 src: aws_config.j2

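Review bot: In the `cyhy_mailer` `@@ -19,7` and `@@ -27,7` hunks, `database_creds.yml` and `aws_config` under `/var/cyhy/cyhy-mailer/secrets` are written with `mode: u=r,g=r,o=r`, so both credential files stay world-readable, whereas the equivalent `aws_config` and `mongodb_credentials` files in the `code_gov_update`, `cyhy_feeds` and `orchestrator` roles use `o=`. The `cyhy_feeds` `@@ -4,7` hunk applies the same `o=r` to `cyhy-data-extract.cfg`, whose content is the `cyhy_feeds_config` variable and may also hold credentials. If the mailer runs in a container under a uid outside the `cyhy` group, the wide mode may be intentional, but then a comment on the task should say so; otherwise `mode: u=r,g=r,o=` brings these in line with the rest of the series.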
@@ -40,7 +40,7 @@
 - name: Create a symlink for the docker compose override file
 ansible.builtin.file:
 group: cyhy
- mode: 0664
+ mode: u=rw,g=rw,o=r
 owner: cyhy
 path: /var/cyhy/cyhy-mailer/docker-compose.override.yml
 src: /var/cyhy/cyhy-mailer/{{ cyhy_mailer_docker_compose_override_file_for_mailer }}
From 604e945d3b88a49e20709934f09ee61c842e9ed0 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Mon, 19 May 2025 16:47:43 -0400
Subject: [PATCH 08/14] Use symbolic file permissions in the `cyhy_ops` role

---
 ansible/roles/cyhy_ops/tasks/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ansible/roles/cyhy_ops/tasks/main.yml b/ansible/roles/cyhy_ops/tasks/main.yml
index 2d20cc93..d6df25d7 100644
--- a/ansible/roles/cyhy_ops/tasks/main.yml
+++ b/ansible/roles/cyhy_ops/tasks/main.yml
@@ -10,7 +10,7 @@
 - name: Create the /home/cyhy_ops/.ssh directory
 ansible.builtin.file:
 group: cyhy_ops
- mode: 0700
+ mode: u=rwx,g=,o=
 owner: cyhy_ops
 path: /home/cyhy_ops/.ssh
 state: directory
@@ -23,7 +23,7 @@
 create: true
 group: cyhy_ops
 line: "{{ lookup('aws_ssm', '/ssh/public_keys/' + item) }}"
- mode: 0600
+ mode: u=rw,g=,o=
 owner: cyhy_ops
 path: /home/cyhy_ops/.ssh/authorized_keys
 loop: "{{ cyhy_ops_users }}"
From 2cfbaac06325d23f6e734e881a23d148a2d375cc Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Mon, 19 May 2025 16:50:38 -0400
Subject: [PATCH 09/14] Use symbolic file permissions in the `cyhy_reporter` role

---
 ansible/roles/cyhy_reporter/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/roles/cyhy_reporter/tasks/main.yml b/ansible/roles/cyhy_reporter/tasks/main.yml
index ff1ae617..f9fa740d 100644
--- a/ansible/roles/cyhy_reporter/tasks/main.yml
+++ b/ansible/roles/cyhy_reporter/tasks/main.yml
@@ -6,7 +6,7 @@
 ansible.builtin.template:
 dest: /etc/cyhy/cyhy.conf
 group: cyhy
- mode: 0660
+ mode: u=rw,g=rw,o=
 owner: cyhy
 src: cyhy.conf.j2

From 001339404793c37e6e901ed94820650545e7d4fa Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Mon, 19 May 2025 16:46:12 -0400
Subject: [PATCH 10/14] Use symbolic file permissions in the `mgmt_ops` role

---
 ansible/roles/mgmt_ops/tasks/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ansible/roles/mgmt_ops/tasks/main.yml b/ansible/roles/mgmt_ops/tasks/main.yml
index a1306279..64ee92f9 100644
--- a/ansible/roles/mgmt_ops/tasks/main.yml
+++ b/ansible/roles/mgmt_ops/tasks/main.yml
@@ -10,7 +10,7 @@
 - name: Create the /home/mgmt_ops/.ssh directory
 ansible.builtin.file:
 group: mgmt_ops
- mode: 0700
+ mode: u=rwx,g=,o=
 owner: mgmt_ops
 path: /home/mgmt_ops/.ssh
 state: directory
@@ -23,7 +23,7 @@
 create: true
 group: mgmt_ops
 line: "{{ lookup('aws_ssm', '/ssh/public_keys/' + item) }}"
- mode: 0600
+ mode: u=rw,g=,o=
 owner: mgmt_ops
 path: /home/mgmt_ops/.ssh/authorized_keys
 loop: "{{ mgmt_ops_users }}"
From 38367a3f88cb6a3ef3bacd95727ba675a00a38fd Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Mon, 19 May 2025 16:50:01 -0400
Subject: [PATCH 11/14] Use symbolic file permissions in the `mongo` role

---
 ansible/roles/mongo/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/roles/mongo/tasks/main.yml b/ansible/roles/mongo/tasks/main.yml
index b515620b..2467b9a5 100644
--- a/ansible/roles/mongo/tasks/main.yml
+++ b/ansible/roles/mongo/tasks/main.yml
@@ -61,7 +61,7 @@
 - name: Copy mongo configuration file
 ansible.builtin.template:
 dest: /etc/mongod.conf
- mode: 0644
+ mode: u=rw,g=r,o=r
 src: mongod.conf

 - name: Restart mongod service to use new configuration
From 8085af0371c18567ee26d7dc2cc15e4fd8933aa0 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Mon, 19 May 2025 16:40:44 -0400
Subject: [PATCH 12/14] Use symbolic file permissions in the `nessus` role

---
 ansible/roles/nessus/tasks/main.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ansible/roles/nessus/tasks/main.yml b/ansible/roles/nessus/tasks/main.yml
index 642d00d8..61076156 100644
--- a/ansible/roles/nessus/tasks/main.yml
+++ b/ansible/roles/nessus/tasks/main.yml
@@ -98,20 +98,20 @@
 ansible.builtin.template:
 dest: /etc/cyhy/nessus_api.yml
 group: cyhy
- mode: 0640
+ mode: u=rw,g=r,o=
 owner: cyhy
 src: nessus_api.yml.j2

 - name: Copy the nessus_base.py Python file for configuring Nessus
 ansible.builtin.copy:
 dest: /tmp/nessus_base.py
- mode: 0644
+ mode: u=rw,g=r,o=r
 src: nessus_base.py

 - name: Copy base Nessus scan policy to instance tmp
 ansible.builtin.template:
 dest: /tmp/cyhy-base-nessus8-policy.xml
- mode: 0644
+ mode: u=rw,g=r,o=r
 src: cyhy-base-nessus8-policy.xml.j2

 - name: Wait for Nessus port to be open
From be7b80aa4bebb8f2c200ca65f9fc775b8cff41dd Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Mon, 19 May 2025 16:38:57 -0400
Subject: [PATCH 13/14] Use symbolic file permissions in the `orchestrator` role

---
 ansible/roles/orchestrator/tasks/main.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ansible/roles/orchestrator/tasks/main.yml b/ansible/roles/orchestrator/tasks/main.yml
index 5c75c575..70448e02 100644
--- a/ansible/roles/orchestrator/tasks/main.yml
+++ b/ansible/roles/orchestrator/tasks/main.yml
@@ -6,7 +6,7 @@
 ansible.builtin.file:
 path: /var/cyhy/orchestrator/secrets
 group: cyhy
- mode: 0755
+ mode: u=rwx,g=rx,o=rx
 owner: cyhy
 state: directory

@@ -14,7 +14,7 @@
 ansible.builtin.template:
 dest: "/var/cyhy/orchestrator/secrets/{{ item.filename }}"
 group: cyhy
- mode: 0440
+ mode: u=r,g=r,o=
 owner: cyhy
 src: mongodb_credentials.yml.j2
 loop:
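Review bot: The `nessus` hunk writes the templated scan policy to the fixed path `/tmp/cyhy-base-nessus8-policy.xml` with `mode: u=rw,g=r,o=r` and no `owner`/`group`, so if `cyhy-base-nessus8-policy.xml.j2` expands any credential or API key it is readable by every local account for as long as the file remains in `/tmp`; `/tmp/nessus_base.py` on the task above gets the same world-readable mode. `mode: u=rw,g=,o=` is sufficient for a file consumed by the same task sequence, and removing both temporary files once the configuration step completes would close the window entirely. The tasks that consume these files are outside the hunk, so whether they are cleaned up afterwards cannot be seen here.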
@@ -41,7 +41,7 @@
 ansible.builtin.template:
 dest: /var/cyhy/orchestrator/secrets/aws_config
 group: cyhy
- mode: 0440
+ mode: u=r,g=r,o=
 owner: cyhy
 src: aws_config.j2

From 7ca25edf567d4105380f929bdafa3ef25778a8a7 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Mon, 19 May 2025 16:49:26 -0400
Subject: [PATCH 14/14] Use symbolic file permissions in the `swap` role

---
 ansible/roles/swap/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/roles/swap/tasks/main.yml b/ansible/roles/swap/tasks/main.yml
index f890a3d6..3da8ef01 100644
--- a/ansible/roles/swap/tasks/main.yml
+++ b/ansible/roles/swap/tasks/main.yml
@@ -13,7 +13,7 @@

 - name: Set swapfile permissions
 ansible.builtin.file:
- mode: 0600
+ mode: u=rw,g=,o=
 path: "{{ swap_swapfile_location }}"

 - name: Create swapfile