2017-04-24 12:22:51 +00:00
|
|
|
---
|
2018-12-17 12:50:15 +00:00
|
|
|
- name: remove suid/sgid bit from binaries in blacklist | os-06
|
|
|
|
|
file:
|
|
|
|
|
path: '{{ item }}'
|
|
|
|
|
mode: 'a-s'
|
|
|
|
|
state: 'file'
|
|
|
|
|
follow: 'yes'
|
2017-04-24 12:22:51 +00:00
|
|
|
failed_when: false
|
2018-12-17 12:50:15 +00:00
|
|
|
with_flattened:
|
2017-04-24 12:22:51 +00:00
|
|
|
- '{{ os_security_suid_sgid_system_blacklist }}'
|
|
|
|
|
- '{{ os_security_suid_sgid_blacklist }}'
|
|
|
|
|
|
2018-12-17 12:50:15 +00:00
|
|
|
- name: find binaries with suid/sgid set | os-06
|
2017-04-24 12:22:51 +00:00
|
|
|
shell: find / -xdev \( -perm -4000 -o -perm -2000 \) -type f ! -path '/proc/*' -print 2>/dev/null
|
|
|
|
|
register: sbit_binaries
|
2020-05-15 20:41:39 +00:00
|
|
|
when: os_security_suid_sgid_remove_from_unknown | bool
|
2017-04-24 12:22:51 +00:00
|
|
|
changed_when: False
|
|
|
|
|
|
2018-12-17 12:50:15 +00:00
|
|
|
- name: gather files from which to remove suids/sgids and remove system white-listed files | os-06
|
2017-04-24 12:22:51 +00:00
|
|
|
set_fact:
|
|
|
|
|
suid: '{{ sbit_binaries.stdout_lines | difference(os_security_suid_sgid_system_whitelist) }}'
|
2020-05-15 20:41:39 +00:00
|
|
|
when: os_security_suid_sgid_remove_from_unknown | bool
|
2017-04-24 12:22:51 +00:00
|
|
|
|
2018-12-17 12:50:15 +00:00
|
|
|
- name: remove suid/sgid bit from all binaries except in system and user whitelist | os-06
|
|
|
|
|
file:
|
|
|
|
|
path: '{{ item }}'
|
|
|
|
|
mode: 'a-s'
|
|
|
|
|
state: 'file'
|
|
|
|
|
follow: 'yes'
|
|
|
|
|
with_flattened:
|
|
|
|
|
- '{{ suid | default([]) | difference(os_security_suid_sgid_whitelist) }}'
|
2020-05-15 20:41:39 +00:00
|
|
|
when: os_security_suid_sgid_remove_from_unknown | bool
|
