From 18108933e73880871269c869f4ffd4ae78cd3a04 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 May 2021 12:05:54 +0100 Subject: [PATCH 01/10] added gather package facts Signed-off-by: Mark Bolwell --- tasks/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tasks/main.yml b/tasks/main.yml index dadcac28..9086f6cf 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -34,6 +34,12 @@ tags: - always +- name: Gather the package facts + package_facts: + manager: auto + tags: + - always + # - name: Install OpenSCAP and run a report # import_tasks: audit_oscap_scan_before.yml # when: rhel8stig_oscap_scan From 4f63dc060e0d4fc81c9d886f716904f037eb8a94 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 May 2021 12:06:09 +0100 Subject: [PATCH 02/10] updated controls for pkgs to use facts Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 39 ++++++++++++++++----------------------- 1 file changed, 16 insertions(+), 23 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 7c821037..4602720c 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -1,20 +1,11 @@ --- - name: "PRELIM | dconf" block: - - name: "PRELIM | Check for dconf availability" - command: rpm -q dconf - args: - warn: no - changed_when: no - check_mode: no - failed_when: rhel8stig_dconf_audit.rc >= 2 - register: rhel8stig_dconf_audit - - name: "PRELIM | Install dconf" dnf: name: dconf when: - - rhel8stig_dconf_audit.rc == 1 + - "'dconf' not in ansible_facts.packages" - rhel8stig_gui - name: dconf directory structure @@ -110,6 +101,7 @@ dnf: name: cronie when: + - "'cronie' not in ansible_facts.packages" - rhel_08_010360 tags: - cat2 @@ -233,6 +225,7 @@ changed_when: not rhel8stig_aide_db_status.stat.exists notify: "{{ rhel8stig_aide_handler }}" when: + - "'aide' not in ansible_facts.packages" - rhel_08_010360 or rhel_08_010380 or rhel_08_040310 
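Review bot: The added `'aide' not in ansible_facts.packages` condition at the end of the `@@ -233` hunk gates the entire task, including its `notify: "{{ rhel8stig_aide_handler }}"` and the `changed_when: not rhel8stig_aide_db_status.stat.exists` that triggers it, so a host where aide is already installed but the database was never initialised no longer notifies the handler at all. If that handler is what builds the AIDE database, RHEL-08-010360 is left silently unmet on exactly the hosts that need it, and the role still reports the control as applied. Keep the package-presence guard on the install step only and notify the handler from a separate task conditioned on `not rhel8stig_aide_db_status.stat.exists`. The task's head (name and module) is outside the hunk, so this is inferred from the visible `changed_when`/`notify` lines.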
@@ -247,11 +240,10 @@ - name: "PRELIM | RHEL-08-010170 | RHEL-08-010450 | Install SELinux related dependencies" dnf: - name: - - libselinux-utils - # - policycoreutils-python-utils - # - selinux-policy-targeted + name: libselinux-utils + state: present when: + - "'libselinux-utils' not in ansible_facts.packages" - rhel_08_010170 or rhel_08_010450 @@ -260,6 +252,9 @@ - name: "PRELIM | Install SSH" dnf: name: openssh-server + state: present + when: + - "'openssh-server' not in ansible_facts.packages" - name: PRELIM | Start SSH service: @@ -309,16 +304,14 @@ - RHEL-08-010770 - complexity-high -- name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location" +- name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | set sssd.conf location" block: - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location" - shell: find / -name sssd.conf - args: - warn: no - changed_when: false - failed_when: false - register: rhel8stig_sssd_conf + stat: + path: "{{ rhel8stig_sssd_conf }}" + register: sssd_conf_present when: + - "'sssd' in ansible_facts.packages" - rhel_08_010400 or rhel_08_020090 or rhel_08_020250 or @@ -326,10 +319,10 @@ - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location | Warning if not found" debug: - msg: "Warning!! sssd config file has not been found, some items will skip" + msg: "Warning!! The configured sssd config file {{ rhel8stig_sssd_conf }} has not been found, some items will skip" changed_when: true when: - - rhel8stig_sssd_conf.stdout | length == 0 + - not sssd_conf.stat.exists - name: "PRELIM | Gather interactive user ID min" block: From 9f83eaccc45e87b4b3fb341adb7622dde57bbb7e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 May 2021 12:06:31 +0100 Subject: [PATCH 03/10] added sssd_conf variable Signed-off-by: Mark Bolwell --- defaults/main.yml | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/defaults/main.yml b/defaults/main.yml index 13816818..e778ab5f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -425,6 +425,9 @@ rhel8stig_min_supported_os_ver: # If system is not router, run tasks that disable router functions. rhel8stig_system_is_router: no +# rhel_08_010400 or rhel_08_020090 or rhel_08_020250 or rhel_08_020290 +rhel8stig_sssd_conf: /etc/sssd/sssd.conf + rhel8stig_time_service: chronyd rhel8stig_firewall_service: firewalld From 734e3c3b530a7114036ece74c2d6676763ac6339 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 May 2021 12:09:00 +0100 Subject: [PATCH 04/10] added sssd conf variable Signed-off-by: Mark Bolwell --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index feddcc62..06e89ef7 100644 --- a/README.md +++ b/README.md @@ -39,6 +39,7 @@ Role Variables | `rhel_08_######` | [see defaults/main.yml](./defaults/main.yml) | Individual variables to enable/disable each STIG ID. | | `rhel8stig_gui` | `no` | Whether or not to run tasks related to auditing/patching the desktop environment | | `rhel8stig_system_is_router` | `no` | Run tasks that disable router functions. | +| `rhel8stig_sssd_conf` | [see defaults/main.yml](./defaults/main.yml) | Default location for sssd.conf | | `rhel8stig_time_service` | `chronyd` | Set to `ntpd` or `chronyd`. | | `rhel8stig_firewall_service` | `firewalld` | Set to `firewalld` or `iptables`. | | `rhel8stig_tftp_required` | `no` | If set to `no`, remove `tftp` client and server packages. | From c21350b81992432dc89992a088f8aebd08b0524c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 May 2021 17:11:29 +0100 Subject: [PATCH 05/10] logic around installed pkgs and files Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 4602720c..405e5be6 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -49,6 +49,7 @@ dnf: name: grub2-tools when: + - "'grub2-tools' not in ansible_facts.packages" - rhel_08_010020 or rhel_08_010140 or rhel_08_010150 @@ -309,7 +310,7 @@ - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location" stat: path: "{{ rhel8stig_sssd_conf }}" - register: sssd_conf_present + register: rhel8stig_sssd_conf_present when: - "'sssd' in ansible_facts.packages" - rhel_08_010400 or @@ -317,12 +318,20 @@ rhel_08_020250 or rhel_08_020290 + - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | sssd install status | Warning if not found" + debug: + msg: "Warning!! The package sssd is found not be be installed, some items will skip" + changed_when: true + when: + - "'sssd' not in ansible_facts.packages" + - name: "PRELIM | RHEL-08-010400 | RHEL-08-020250 | RHEL-08-020290 | Get sssd.conf location | Warning if not found" debug: msg: "Warning!! The configured sssd config file {{ rhel8stig_sssd_conf }} has not been found, some items will skip" changed_when: true when: - - not sssd_conf.stat.exists + - "'sssd' in ansible_facts.packages" + - not rhel8stig_sssd_conf_present.stat.exists - name: "PRELIM | Gather interactive user ID min" block: From b2f46835bef0c955cd00d8c19e96fef876b8389c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 May 2021 17:12:06 +0100 Subject: [PATCH 06/10] logic and variable usage for sssd Signed-off-by: Mark Bolwell --- README.md | 7 ++++++- defaults/main.yml | 12 +++++++++--- handlers/main.yml | 2 +- tasks/fix-cat2.yml | 32 ++++++++++++++++++-------------- 4 files changed, 34 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index 06e89ef7..4286e932 100644 --- a/README.md +++ b/README.md 
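Review bot: The two new sssd warnings in the `@@ -317` hunk are `debug` tasks, so a host without sssd or without `{{ rhel8stig_sssd_conf }}` has RHEL-08-010400, 020090, 020250 and 020290 skipped with nothing a play result or report can pick up; the MFA/PKI controls fail open and only a log line records it. Set a fact next to the message (e.g. `set_fact: rhel8stig_sssd_skipped: true`) so the audit/report stage can surface it, or offer a variable that turns the warning into `fail:` for sites that require smart-card logon. The message text also reads `is found not be be installed`; `is not installed` is what was meant.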
@@ -39,7 +39,6 @@ Role Variables | `rhel_08_######` | [see defaults/main.yml](./defaults/main.yml) | Individual variables to enable/disable each STIG ID. | | `rhel8stig_gui` | `no` | Whether or not to run tasks related to auditing/patching the desktop environment | | `rhel8stig_system_is_router` | `no` | Run tasks that disable router functions. | -| `rhel8stig_sssd_conf` | [see defaults/main.yml](./defaults/main.yml) | Default location for sssd.conf | | `rhel8stig_time_service` | `chronyd` | Set to `ntpd` or `chronyd`. | | `rhel8stig_firewall_service` | `firewalld` | Set to `firewalld` or `iptables`. | | `rhel8stig_tftp_required` | `no` | If set to `no`, remove `tftp` client and server packages. | 
@@ -58,6 +57,12 @@ Role Variables | `rhel8stig_password_complexity.maxrepeat` | `3` | Maximum number of allowed same consecutive characters in a new password. | | `rhel8stig_password_complexity.maxclassrepeat` | `4` | Maximum number of allowed same consecutive characters in the same **class** in the new password. | | `rhel8stig_password_complexity.minlen` | `15` | Minimum number of characters in a new password. | +| `rhel8stig_sssd_conf` | [see defaults/main.yml](./defaults/main.yml) | Default location for sssd.conf | +| `rhel8stig_sssd_domain` | testing.test | Domain to be used in sssd | +| `rhel8stig_sssd.certmap` | certmap/{{ rhel8stig_sssd_domain }}/rule_name | certmap rule for sssd | +| `rhel8stig_sssd.matchrule` | =.*EDIPI@mil | match rule in relationship to domain e.g. CN etc | +| `rhel8stig_sssd.maprule` | (userCertificate;binary={cert!bin}) | map cert auth requirements into sssd rule | +| `rhel8stig_sssd.domains` | testing.test | comma seperated list of domains using sssd | | `rhel8stig_shell_session_timeout` | `file: /etc/profile` `timeout: 600` | Dictionary of session timeout setting and file (TMOUT setting can be set in multiple files) | | `rhel8stig_interactive_uid_start` | `1000` | Interactive user start point (UID_MIN) from /etc/login.defs | | `rhel8stig_ntp_server_name: server.name` | `server.name` | The NTP Server Name | diff --git a/defaults/main.yml b/defaults/main.yml index e778ab5f..98ab2b5a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -425,9 +425,6 @@ rhel8stig_min_supported_os_ver: # If system is not router, run tasks that disable router functions. rhel8stig_system_is_router: no -# rhel_08_010400 or rhel_08_020090 or rhel_08_020250 or rhel_08_020290 -rhel8stig_sssd_conf: /etc/sssd/sssd.conf - rhel8stig_time_service: chronyd rhel8stig_firewall_service: firewalld 
@@ -521,6 +518,15 @@ rhel8stig_password_complexity: minlen: 15 dictcheck: 1 +# rhel_08_010400 or rhel_08_020090 or rhel_08_020250 or rhel_08_020290 +rhel8stig_sssd_conf: /etc/sssd/sssd.conf +rhel8stig_sssd_domain: testing.test +rhel8stig_sssd: + certmap: "certmap/{{ rhel8stig_sssd_domain }}/rule_name" + matchrule: "=.*EDIPI@mil" + maprule: (userCertificate;binary={cert!bin}) + domains: "{{ rhel8stig_sssd_domain }}" + # RHEL-08-020070 # Session timeout setting file (TMOUT setting can be set in multiple files) # Timeout value is in seconds. (60 seconds * 10 = 600) diff --git a/handlers/main.yml b/handlers/main.yml index 29e79fbb..f7b6d545 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -17,7 +17,7 @@ name: sssd state: restarted when: - - rhel8stig_sssd_conf.stdout | length > 0 + - "'sssd' in ansible_facts.packages" - name: restart snmpd service: diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index ef9dcaaa..43b62659 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -680,7 +680,7 @@ - name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication." lineinfile: - path: '{{ rhel8stig_sssd_conf.stdout }}' + path: '{{ rhel8stig_sssd_conf }}' regexp: '^certificate_verification = {{ item }}' state: absent with_items: @@ -689,7 +689,8 @@ - no_verification notify: restart sssd when: - - rhel8stig_sssd_conf.stdout | length > 0 + - "'sssd' in ansible_facts.packages" + - rhel8stig_sssd_conf_present.stat.exists - rhel_08_010400 tags: - RHEL-08-010400 
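Review bot: `rhel8stig_sssd_domain: testing.test` is a placeholder that RHEL-08-020090 now writes into sssd.conf as `[certmap/testing.test/rule_name]` and `domains = testing.test` on every host where the operator did not override it; sssd ignores a certmap rule for a domain it does not serve, so PKI identity mapping is silently not enforced while the play reports the control applied. Ship the default empty and add an `assert` in prelim that `rhel8stig_sssd_domain | length > 0` when `rhel_08_020090` is enabled, or at least state in the comment above these keys that the value must be set per site. Separately, the `matchrule` default `=.*EDIPI@mil` has no selector; the STIG check text as I recall it is `<SAN>.*EDIPI@mil`, and angle brackets are easily lost when copying from rendered HTML, so this is worth verifying before it becomes the documented default.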
@@ -2556,20 +2557,21 @@ - name: "MEDIUM | RHEL-08-020090 | PATCH | RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication." lineinfile: - path: "{{ rhel8stig_sssd_conf.stdout }}" + path: "{{ rhel8stig_sssd_conf }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" owner: root group: root mode: 0640 with_items: - - { regexp: '^\[certmap/testing.test/rule_name]', line: '[certmap/testing.test/rule_name]' } - - { regexp: '^matchrule =', line: 'matchrule =.*EDIPI@mil' } - - { regexp: '^maprule =', line: 'maprule = (userCertificate;binary={cert!bin})' } - - { regexp: 'dmains =', line: 'dmains = testing.test' } + - { regexp: '^\[{{ rhel8stig_sssd.certmap }}\]', line: '[{{ rhel8stig_sssd.certmap }}]' } + - { regexp: '^matchrule {{ rhel8stig_sssd.matchrule }}', line: 'matchrule {{ rhel8stig_sssd.matchrule }}' } + - { regexp: '^maprule = {{ rhel8stig_sssd.maprule }}', line: 'maprule = {{ rhel8stig_sssd.maprule }}' } + - { regexp: 'domains = {{ rhel8stig_sssd.domains }}', line: 'domains = {{ rhel8stig_sssd.domains}}' } notify: restart sssd when: - - rhel8stig_sssd_conf.stdout | length > 0 + - "'sssd' in ansible_facts.packages" + - rhel8stig_sssd_conf_present.stat.exists - rhel_08_020090 tags: - RHEL-08-020090 @@ -2878,13 +2880,13 @@ - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_cert_aut in sssd.conf" lineinfile: - path: "{{ rhel8stig_sssd_conf.stdout }}" + path: "{{ rhel8stig_sssd_conf }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" insertafter: "{{ item.insertafter }}" owner: root group: root - mode: 0644 + mode: 0640 notify: restart sssd with_items: - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } 
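Review bot: The new `regexp` values in RHEL-08-020090 embed the configured value, and `rhel8stig_sssd.maprule` defaults to `(userCertificate;binary={cert!bin})` whose parentheses are regex metacharacters, so `^maprule = (userCertificate;binary={cert!bin})` never matches the line it just wrote and lineinfile appends another `maprule` on every run; the task is no longer idempotent and sssd ends up with duplicate keys. The unanchored `domains = ...` regexp and the unescaped `.` in `testing.test` are the same class of problem, but reverting to key-only regexps is not safe either, because `^domains =` would also match the `domains` key of the `[sssd]` section and lineinfile rewrites the last match. `ini_file` is section-aware and idempotent, which is what this control needs; note the `matchrule` default currently carries its own leading `=` for lineinfile's benefit and would have to drop it. Only the module block changes; `notify`, `when` and `tags` stay as in the hunk.
```yaml
- name: "MEDIUM | RHEL-08-020090 | PATCH | RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication."
  ini_file:
    path: "{{ rhel8stig_sssd_conf }}"
    section: "{{ rhel8stig_sssd.certmap }}"
    option: "{{ item.option }}"
    value: "{{ item.value }}"
    owner: root
    group: root
    mode: "0640"
  with_items:
    - { option: matchrule, value: "{{ rhel8stig_sssd.matchrule }}" }
    - { option: maprule, value: "{{ rhel8stig_sssd.maprule }}" }
    - { option: domains, value: "{{ rhel8stig_sssd.domains }}" }
  # … unchanged: notify, when, tags …
```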
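Review bot: `mode: 0640` on sssd.conf in RHEL-08-020250 is tighter than the previous `0644`, but as far as I recall SSSD validates its own config file at startup and refuses to run with `Permission check on config file failed` when the file is readable beyond its owner, expecting `0600` (root-owned, or sssd-owned on newer releases); please verify against the sssd build on the target before this lands, because a sssd that fails to start takes smart-card logon down with it. Whichever value is chosen, write it as a quoted string, `mode: "0640"`, so the leading-zero literal is not reinterpreted by YAML tooling; ansible-lint flags the bare form for the same reason. The identical change in RHEL-08-020290 further down needs the same treatment.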
@@ -2936,7 +2938,8 @@ notify: restart sssd when: rhel_08_020250_system_auth_sss.stdout | length > 0 when: - - rhel8stig_sssd_conf.stdout | length > 0 + - "'sssd' in ansible_facts.packages" + - rhel8stig_sssd_conf_present.stat.exists - rhel_08_020250 tags: - RHEL-08-020250 @@ -2985,18 +2988,19 @@ - name: "MEDIUM | RHEL-08-020290 | PATCH | The RHEL 8 must prohibit the use of cached authentications after one day." lineinfile: - path: "{{ rhel8stig_sssd_conf.stdout }}" + path: "{{ rhel8stig_sssd_conf }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" insertafter: "{{ item.insertafter }}" owner: root group: root - mode: 0644 + mode: 0640 with_items: - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' } - { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' } when: - - rhel8stig_sssd_conf.stdout | length > 0 + - "'sssd' in ansible_facts.packages" + - rhel8stig_sssd_conf_present.stat.exists - rhel_08_020290 tags: - RHEL-08-020290 From 02d2bb99042c15de3360f3c574c3141e16133f92 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 May 2021 07:44:28 +0100 Subject: [PATCH 07/10] updated dconf logic and pkg facts update Signed-off-by: Mark Bolwell --- handlers/main.yml | 5 ++++- tasks/fix-cat2.yml | 15 +++++++++++---- tasks/prelim.yml | 6 ++++++ 3 files changed, 21 insertions(+), 5 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index f7b6d545..d6f21c68 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -112,7 +112,10 @@ - name: dconf update command: dconf update - when: rhel8stig_has_dconf_command + when: + - "'dconf' in ansible_facts.packages" + - rhel8stig_always_configure_dconf + - name: prereport score debug: diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 43b62659..5e653f73 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
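Review bot: The `dconf update` handler now requires `rhel8stig_always_configure_dconf`, but no hunk in this series adds that variable to `defaults/main.yml`, and the same name gates RHEL-08-010050, 020030, 020060 and 020080 in fix-cat2. If it is not defined elsewhere in the role, each of those tasks and this handler aborts the play with an undefined-variable error rather than skipping, which is a worse failure mode than the `rhel8stig_dconf_available` check it replaces. Define it with a comment stating its intent, presumably something like `# Gate for dconf tasks: dconf can be present on headless hosts, so package presence alone is not enough` followed by `rhel8stig_always_configure_dconf: false`; the name reads like an override, but here it is ANDed with the package check, so the comment should say it is a gate.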
@@ -76,7 +76,9 @@ notify: dconf update when: - rhel_08_010050 - - rhel8stig_dconf_available + - "'dconf' in ansible_facts.packages" + - rhel8stig_always_configure_dconf + tags: - RHEL-08-010050 @@ -2378,7 +2380,9 @@ notify: dconf update when: - rhel_08_020030 - - rhel8stig_dconf_available + - "'dconf' in ansible_facts.packages" + - rhel8stig_always_configure_dconf + tags: - RHEL-08-020030 - gui @@ -2513,7 +2517,9 @@ when: rhel_08_020060_idle_delay_param.stdout | length > 0 when: - rhel_08_020060 - - rhel8stig_dconf_available + - "'dconf' in ansible_facts.packages" + - rhel8stig_always_configure_dconf + tags: - RHEL-08-020060 - gui @@ -2551,7 +2557,8 @@ - /org/gnome/desktop/lockdown/disable-lock-screen when: - rhel_08_020080 - # - rhel8stig_dconf_available + - "'dconf' in ansible_facts.packages" + - rhel8stig_always_configure_dconf tags: - RHEL-08-020080 diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 405e5be6..154e6988 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -363,3 +363,9 @@ rhel_08_040283 or rhel_08_040284 or rhel_08_040285 + +- name: Gather the package facts + package_facts: + manager: auto + tags: + - always From 33ce77dacc21124467aa0bd896401bb7e562096c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 25 Jun 2021 09:43:39 +0100 Subject: [PATCH 08/10] thanks to dcarlojr and rx294 Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 2 +- tasks/fix-cat2.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index a1d0352a..afd65723 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -263,7 +263,7 @@ - name: "HIGH | RHEL-08-020330 | PATCH | RHEL 8 must not have accounts configured with blank or null passwords. | Remove nullok" replace: path: "{{ item }}" - regexp: 'nullok ' + regexp: ' nullok' replace: '' with_items: - /etc/pam.d/system-auth diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 5e653f73..753fb2c7 100644 --- a/tasks/fix-cat2.yml 
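Review bot: The second `Gather the package facts` task appended to prelim.yml has no comment explaining why it duplicates the one in tasks/main.yml, so the next maintainer is likely to drop one of them as redundant; as far as this series shows, the reason is that prelim installs dconf, cronie, aide, libselinux-utils and openssh-server after the first snapshot, so `ansible_facts.packages` is stale until re-gathered. Add `# Re-gather: the installs above are not in the snapshot taken in main.yml, and fix-cat*.yml gates on ansible_facts.packages` above the task and give it a `PRELIM |` name like its siblings. Packages installed later in fix-cat*.yml are still invisible to any subsequent `in ansible_facts.packages` check, which is worth a sentence in README if it matters.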
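Review bot: The new `' nullok'` regexp in RHEL-08-020330 also matches the prefix of `nullok_secure`, leaving `pam_unix.so_secure` behind, and it is not anchored to a token boundary; `regexp: '\s+nullok\b'` removes the option and its leading whitespace whether it sits mid-line or last on the line. More important on RHEL 8: `/etc/pam.d/system-auth` and `password-auth` are authselect-managed symlinks and direct edits are reverted the next time `authselect select` or `authselect apply-changes` runs, so the blank-password protection can quietly come back. The role should either work through a custom profile (`authselect create-profile ... --base-on sssd`) or document that limitation where the control is described. The task's `when`/`tags` tail is outside the hunk.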
+++ b/tasks/fix-cat2.yml @@ -1893,7 +1893,7 @@ lineinfile: path: "/etc/security/faillock.conf" regexp: '^fail_interval =|^\# fail_interval =' - line: "fail_interval = {{ rhel8stig_pam_faillock.interval }} }}" + line: "fail_interval = {{ rhel8stig_pam_faillock.interval }}" with_items: - system-auth - password-auth @@ -5380,11 +5380,11 @@ tags: - RHEL-08-040330 -- name: "MEDIUM | RHEL-08-040340 | PATCH | Remote X connections for interactive users must be encrypted in RHEL 8." +- name: "MEDIUM | RHEL-08-040340 | PATCH | RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements." lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^#?X11Forwarding' - line: 'X11Forwarding yes' + line: 'X11Forwarding no' create: yes owner: root group: root From bc37d975847b4f728710b442f0d8e031a66916fa Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 25 Jun 2021 09:54:00 +0100 Subject: [PATCH 09/10] lint update Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 753fb2c7..7115e320 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2574,7 +2574,7 @@ - { regexp: '^\[{{ rhel8stig_sssd.certmap }}\]', line: '[{{ rhel8stig_sssd.certmap }}]' } - { regexp: '^matchrule {{ rhel8stig_sssd.matchrule }}', line: 'matchrule {{ rhel8stig_sssd.matchrule }}' } - { regexp: '^maprule = {{ rhel8stig_sssd.maprule }}', line: 'maprule = {{ rhel8stig_sssd.maprule }}' } - - { regexp: 'domains = {{ rhel8stig_sssd.domains }}', line: 'domains = {{ rhel8stig_sssd.domains}}' } + - { regexp: 'domains = {{ rhel8stig_sssd.domains }}', line: 'domains = {{ rhel8stig_sssd.domains }}' } notify: restart sssd when: - "'sssd' in ansible_facts.packages" From 008494f28d4a8ff05266ae0251f89b4ef924b6cd Mon Sep 17 00:00:00 2001 
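Review bot: The corrected `fail_interval` line in the `@@ -1893` hunk targets `/etc/security/faillock.conf`, but the task still loops over `with_items: [system-auth, password-auth]` without using `item`, so the same file is edited twice per run and the play summary counts two changes for one edit. Drop the loop, or if the intent was to touch the pam files themselves, the `path` should reference `{{ item }}`; the task's `when`/`tags` tail is outside the hunk.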
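Review bot: `X11Forwarding no` in RHEL-08-040340 is written with lineinfile and no `insertbefore`, so on a sshd_config where the directive is absent (or present only inside a `Match` block) the line is appended at end of file; if the file ends with a `Match` block, the new directive belongs to that block and the global default stays `yes`. Add `insertbefore: '^Match'` with `firstmatch: true` (lineinfile falls back to EOF when nothing matches) so the directive lands in the global section, and `validate: /usr/sbin/sshd -t -f %s` so a bad edit cannot leave sshd unable to restart. The regexp `(?i)^#?X11Forwarding` also misses the commented form with a space, `# X11Forwarding`; `(?i)^#?\s*X11Forwarding\s` handles both.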
From: Mark Bolwell Date: Fri, 25 Jun 2021 11:19:48 +0100 Subject: [PATCH 10/10] logic in 010295 - thanks #31 djcarlojr Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 7115e320..59595d09 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -439,8 +439,9 @@ - name: "MEDIUM | RHEL-08-010295 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package" lineinfile: path: /etc/crypto-policies/back-ends/gnutls.config - regexp: '^\+VERS-ALL:' - line: "+VERS-ALL:{{ rhel8stig_gnutls_encryption }}" + regexp: '^(.*\+VERS-ALL:)' + line: '\1{{ rhel8stig_gnutls_encryption }}' + backrefs: true create: yes owner: root group: root
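Review bot: With `backrefs: true`, lineinfile makes no change when `^(.*\+VERS-ALL:)` does not match, so a `gnutls.config` without a `+VERS-ALL:` token is silently left as-is and RHEL-08-010295 still reports done; `create: yes` does not help because it only produces an empty file. The capture group swallows everything up to `+VERS-ALL:` and the replacement discards whatever followed it, so the result is only correct if `rhel8stig_gnutls_encryption` (not visible here) carries the full tail, including the `-VERS-TLS1.0:-VERS-TLS1.1:...` exclusions this control exists to enforce. Files under `/etc/crypto-policies/back-ends/` are also regenerated by `update-crypto-policies`, so a direct edit is lost on the next policy change; the durable fix is a policy module under `/etc/crypto-policies/policies/modules/` applied with `update-crypto-policies --set DEFAULT:MODULE` (or the `FIPS` policy), with a comment on this task saying why it edits a generated file if that is a deliberate interim choice.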