From 7caec98c145d585721267b4f9d882538385d93b0 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Fri, 3 Mar 2017 10:30:49 -0600
Subject: [PATCH] Disable file perm/ownership reset

Although setting file permissions and ownership based on the contents of the RPM database is a good practice, it causes significant deployment delays and can cause issues if a system administrator has intentionally changed file permissions or ownership to meet their specific needs.

This patch disables the tasks that set the permissions/ownership back to their original values but leaves them enabled in the gate job.

Change-Id: I185f6755d9bddf58e23d6512f4728522c36306c0
---
 defaults/main.yml | 2 +-
 doc/metadata/rhel7/RHEL-07-010010.rst | 11 ++++++++---
 ...ble-rpm-perms-fix-by-default-b164e39717f0ada7.yaml | 6 ++++++
 tests/test.yml | 1 +
 4 files changed, 16 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/disable-rpm-perms-fix-by-default-b164e39717f0ada7.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index 7168d6b0..321e1f24 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -510,7 +510,7 @@ security_rhel7_remove_shosts_files: yes # RHEL-07-040330
 
 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.
-security_reset_perm_ownership: yes # RHEL-07-010010
+security_reset_perm_ownership: no # RHEL-07-010010
 # Search for files/directories owned by invalid users or groups.
 security_search_for_invalid_owner: no # RHEL-07-020360
 security_search_for_invalid_group_owner: no # RHEL-07-020370
diff --git a/doc/metadata/rhel7/RHEL-07-010010.rst b/doc/metadata/rhel7/RHEL-07-010010.rst
index 884f02e6..3cea70f8 100644
--- a/doc/metadata/rhel7/RHEL-07-010010.rst
+++ b/doc/metadata/rhel7/RHEL-07-010010.rst
@@ -1,6 +1,6 @@
 ---
 id: RHEL-07-010010
-status: implemented - red hat only
+status: opt-in
 tag: file_perms
 ---
 
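Review bot: The comment above `security_reset_perm_ownership` in the defaults/main.yml hunk still describes the reset as a plain feature, while the new default `no` turns STIG RHEL-07-010010 into an opt-in control whose rationale exists only in the commit message and the RST page. A deployer auditing defaults/main.yml for compliance posture would benefit from one more comment line, e.g. `# Opt-in (default: no): the reset is slow on large deployments and can overwrite intentionally changed permissions or ownership (see RHEL-07-010010).` The `yes`/`no` booleans follow the file's existing convention, so no change is suggested there.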
@@ -14,8 +14,13 @@ The STIG requires that all files owned by an installed package must have their
 permissions, user ownership, and group ownership set back to the vendor
 defaults.
 
-Deployers may opt-out of the change by setting the following Ansible variable:
+Although this is a good practice, it can cause issues if permissions or
+ownership were intentionally set after the packages were installed. It also
+causes significant delays in deployments. Therefore, this STIG is not applied
+by default.
+
+Deployers may opt in for the change by setting the following Ansible variable:
 
 .. code-block:: yaml
 
-    security_reset_perm_ownership: no
+    security_reset_perm_ownership: yes
diff --git a/releasenotes/notes/disable-rpm-perms-fix-by-default-b164e39717f0ada7.yaml b/releasenotes/notes/disable-rpm-perms-fix-by-default-b164e39717f0ada7.yaml
new file mode 100644
index 00000000..2d0a96e6
--- /dev/null
+++ b/releasenotes/notes/disable-rpm-perms-fix-by-default-b164e39717f0ada7.yaml
@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    The security role will no longer fix file permissions and ownership based
+    on the contents of the RPM database by default. Deployers can opt in for
+    these changes by setting ``security_reset_perm_ownership`` to ``yes``.
diff --git a/tests/test.yml b/tests/test.yml
index dc4bf98c..61c0fbc3 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -95,3 +95,4 @@
     security_rhel7_initialize_aide: yes
     security_require_grub_authentication: yes
     security_set_home_directory_permissions_and_owners_recursively: no
+    security_reset_perm_ownership: yes
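Review bot: The added `security_reset_perm_ownership: yes` in tests/test.yml is now the only place the RPM permission/ownership reset tasks run, but nothing in the file records why the gate diverges from the new default; a comment such as `# RHEL-07-010010 is opt-in (defaults to no); kept enabled here so the gate still exercises the reset tasks.` would make that intent explicit for the next person trimming test variables. With the gate pinning `yes`, the default `no` path is presumably no longer exercised by this play, so a check that the file_perms tasks are skipped when the variable is left unset may be worth adding. The enclosing play and its `vars:` block begin outside the hunk.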