public-health-ch/ansible/roles/dev-sec.os-hardening/tasks/minimize_access.yml

51 lines
1.5 KiB
YAML
Raw Normal View History

2017-04-24 12:22:51 +00:00
---
2020-05-15 20:41:39 +00:00
# If the find-task throws an error on /usr/bin/X11 like "File system loop detected"
# the other files inside /usr/bin (and all other directories) are
# still getting found and the permissions minimized in the next task.
# This is also the reason why there's ignore_errors: true on the task.
# also see: https://github.com/dev-sec/ansible-os-hardening/issues/219
- name: find files with write-permissions for group
shell: "find -L {{ item }} -perm /go+w -type f" # noqa 305
with_flattened:
2017-04-24 12:22:51 +00:00
- '/usr/local/sbin'
- '/usr/local/bin'
- '/usr/sbin'
- '/usr/bin'
- '/sbin'
- '/bin'
2020-05-15 20:41:39 +00:00
- "{{ os_env_extra_user_paths }}" # noqa 104
register: minimize_access_directories
ignore_errors: true
changed_when: false
- name: minimize access on found files
file:
path: '{{ item.1 }}'
mode: 'go-w'
state: file
with_subelements:
- "{{ minimize_access_directories.results }}"
- stdout_lines
2017-04-24 12:22:51 +00:00
2018-12-17 12:50:15 +00:00
- name: change shadow ownership to root and mode to 0600 | os-02
file:
dest: '/etc/shadow'
owner: '{{ os_shadow_perms.owner }}'
group: '{{ os_shadow_perms.group }}'
mode: '{{ os_shadow_perms.mode }}'
2017-04-24 12:22:51 +00:00
2018-12-17 12:50:15 +00:00
- name: change passwd ownership to root and mode to 0644 | os-03
file:
dest: '/etc/passwd'
owner: '{{ os_passwd_perms.owner }}'
group: '{{ os_passwd_perms.group }}'
mode: '{{ os_passwd_perms.mode }}'
2017-04-24 12:22:51 +00:00
- name: change su-binary to only be accessible to user and group root
2018-12-17 12:50:15 +00:00
file:
dest: '/bin/su'
owner: 'root'
group: 'root'
mode: '0750'
when: '"change_user" not in os_security_users_allow'