Merge pull request #15 from pan-net-security/feature-integration

add exclude path /var/lib
pan-net-security · Oct 21, 2019 · 37eec5a · 37eec5a
2 parents 35c383a + 5d4fe29
commit 37eec5a
Showing 1 changed file with 5 additions and 6 deletions.
diff --git a/T-Sec.LinuxOS.Compliance/tasks/hardening_linux(06)regular.yml b/T-Sec.LinuxOS.Compliance/tasks/hardening_linux(06)regular.yml
@@ -100,20 +100,19 @@
   changed_when: False
   check_mode: no
 
+# /var/lib can contain:
+# - systemd DynamicUsers
+# - docker volumes
 - name: req-69.1 No files and directories without assigned user or group must exist.
-  shell: find / -nouser 2>/dev/null
+  shell: find / -not -path "/var/lib/*" -nouser 2>/dev/null
   register: files_no_user
   failed_when:
     - files_no_user.stdout != ''
-    # relates to ownership and drop of use of `DynamicUser` in systemd
-    # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918190
-    # https://github.com/systemd/systemd/pull/11356/files
-    - "'/var/lib/private/systemd/timesync' not in files_no_user.split('\n')|d([])"
   changed_when: False
   check_mode: no
 
 - name: req-69.2 No files and directories without assigned user or group must exist.
-  shell: find / -nogroup 2>/dev/null
+  shell: find / -not -path "/var/lib/*" -nogroup 2>/dev/null
   register: files_no_group
   failed_when:
     - files_no_group.stdout != ''