public-health-ch/ansible/roles/dev-sec.os-hardening/tasks/minimize_access.yml

---
# If the find-task throws an error on /usr/bin/X11 like "File system loop detected"
# the other files inside /usr/bin (and all other directories) are
# still getting found and the permissions minimized in the next task.
# This is also the reason why there's ignore_errors: true on the task.
# also see: https://github.com/dev-sec/ansible-os-hardening/issues/219
- name: find files with write-permissions for group
  shell: "find -L {{ item }} -perm /go+w -type f" # noqa 305
  with_flattened:
    - '/usr/local/sbin'
    - '/usr/local/bin'
    - '/usr/sbin'
    - '/usr/bin'
    - '/sbin'
    - '/bin'
    - "{{ os_env_extra_user_paths }}" # noqa 104
  register: minimize_access_directories
  ignore_errors: true
  changed_when: false

- name: minimize access on found files
  file:
    path: '{{ item.1 }}'
    mode: 'go-w'
    state: file
  with_subelements:
    - "{{ minimize_access_directories.results }}"
    - stdout_lines

- name: change shadow ownership to root and mode to 0600 | os-02
  file:
    dest: '/etc/shadow'
    owner: '{{ os_shadow_perms.owner }}'
    group: '{{ os_shadow_perms.group }}'
    mode: '{{ os_shadow_perms.mode }}'

- name: change passwd ownership to root and mode to 0644 | os-03
  file:
    dest: '/etc/passwd'
    owner: '{{ os_passwd_perms.owner }}'
    group: '{{ os_passwd_perms.group }}'
    mode: '{{ os_passwd_perms.mode }}'

- name: change su-binary to only be accessible to user and group root
  file:
    dest: '/bin/su'
    owner: 'root'
    group: 'root'
    mode: '0750'
  when: '"change_user" not in os_security_users_allow'

- name: set option hidepid for proc filesystem
  mount:
    path: /proc
    src: proc
    fstype: proc
    opts: '{{ proc_mnt_options }}'
    state: present