2017-04-24 12:22:51 +00:00
|
|
|
---
|
|
|
|
|
# Using a two-pass approach for checking directories in order to support symlinks.
|
2018-12-17 12:50:15 +00:00
|
|
|
- include_tasks: find_files.yml
|
|
|
|
|
loop_control:
|
|
|
|
|
loop_var: outer_item
|
|
|
|
|
loop:
|
2017-04-24 12:22:51 +00:00
|
|
|
- '/usr/local/sbin'
|
|
|
|
|
- '/usr/local/bin'
|
|
|
|
|
- '/usr/sbin'
|
|
|
|
|
- '/usr/bin'
|
|
|
|
|
- '/sbin'
|
|
|
|
|
- '/bin'
|
2018-12-17 12:50:15 +00:00
|
|
|
- '{{ os_env_extra_user_paths }}'
|
2017-04-24 12:22:51 +00:00
|
|
|
|
2018-12-17 12:50:15 +00:00
|
|
|
- name: change shadow ownership to root and mode to 0600 | os-02
|
|
|
|
|
file:
|
|
|
|
|
dest: '/etc/shadow'
|
|
|
|
|
owner: '{{ os_shadow_perms.owner }}'
|
|
|
|
|
group: '{{ os_shadow_perms.group }}'
|
|
|
|
|
mode: '{{ os_shadow_perms.mode }}'
|
2017-04-24 12:22:51 +00:00
|
|
|
|
2018-12-17 12:50:15 +00:00
|
|
|
- name: change passwd ownership to root and mode to 0644 | os-03
|
|
|
|
|
file:
|
|
|
|
|
dest: '/etc/passwd'
|
|
|
|
|
owner: '{{ os_passwd_perms.owner }}'
|
|
|
|
|
group: '{{ os_passwd_perms.group }}'
|
|
|
|
|
mode: '{{ os_passwd_perms.mode }}'
|
2017-04-24 12:22:51 +00:00
|
|
|
|
|
|
|
|
- name: change su-binary to only be accessible to user and group root
|
2018-12-17 12:50:15 +00:00
|
|
|
file:
|
|
|
|
|
dest: '/bin/su'
|
|
|
|
|
owner: 'root'
|
|
|
|
|
group: 'root'
|
|
|
|
|
mode: '0750'
|
|
|
|
|
when: '"change_user" not in os_security_users_allow'
|
