public-health-ch/ansible/roles/dev-sec.os-hardening/tasks/minimize_access.yml

---
# If the find-task throws an error on /usr/bin/X11 like "File system loop detected"
# the other files inside /usr/bin (and all other directories) are
# still getting found and the permissions minimized in the next task.
# This is also the reason why there's ignore_errors: true on the task.
# also see: https://github.com/dev-sec/ansible-os-hardening/issues/219
- name: find files with write-permissions for group
  shell: "find -L {{ item }} -perm /go+w -type f" # noqa 305
  with_flattened:
    - '/usr/local/sbin'
    - '/usr/local/bin'
    - '/usr/sbin'
    - '/usr/bin'
    - '/sbin'
    - '/bin'
    - "{{ os_env_extra_user_paths }}" # noqa 104
  register: minimize_access_directories
  ignore_errors: true
  changed_when: false

- name: minimize access on found files
  file:
    path: '{{ item.1 }}'
    mode: 'go-w'
    state: file
  with_subelements:
    - "{{ minimize_access_directories.results }}"
    - stdout_lines

- name: change shadow ownership to root and mode to 0600 | os-02
  file:
    dest: '/etc/shadow'
    owner: '{{ os_shadow_perms.owner }}'
    group: '{{ os_shadow_perms.group }}'
    mode: '{{ os_shadow_perms.mode }}'

- name: change passwd ownership to root and mode to 0644 | os-03
  file:
    dest: '/etc/passwd'
    owner: '{{ os_passwd_perms.owner }}'
    group: '{{ os_passwd_perms.group }}'
    mode: '{{ os_passwd_perms.mode }}'

- name: change su-binary to only be accessible to user and group root
  file:
    dest: '/bin/su'
    owner: 'root'
    group: 'root'
    mode: '0750'
  when: '"change_user" not in os_security_users_allow'
Ansible deployment 2017-04-24 12:22:51 +00:00			`---`
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`# If the find-task throws an error on /usr/bin/X11 like "File system loop detected"`
			`# the other files inside /usr/bin (and all other directories) are`
			`# still getting found and the permissions minimized in the next task.`
			`# This is also the reason why there's ignore_errors: true on the task.`
			`# also see: https://github.com/dev-sec/ansible-os-hardening/issues/219`
			`- name: find files with write-permissions for group`
			`shell: "find -L {{ item }} -perm /go+w -type f" # noqa 305`
			`with_flattened:`
Ansible deployment 2017-04-24 12:22:51 +00:00			`- '/usr/local/sbin'`
			`- '/usr/local/bin'`
			`- '/usr/sbin'`
			`- '/usr/bin'`
			`- '/sbin'`
			`- '/bin'`
Updated Ansible setup 2020-05-15 20:41:39 +00:00			`- "{{ os_env_extra_user_paths }}" # noqa 104`
			`register: minimize_access_directories`
			`ignore_errors: true`
			`changed_when: false`

			`- name: minimize access on found files`
			`file:`
			`path: '{{ item.1 }}'`
			`mode: 'go-w'`
			`state: file`
			`with_subelements:`
			`- "{{ minimize_access_directories.results }}"`
			`- stdout_lines`
Ansible deployment 2017-04-24 12:22:51 +00:00
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`- name: change shadow ownership to root and mode to 0600 \| os-02`
			`file:`
			`dest: '/etc/shadow'`
			`owner: '{{ os_shadow_perms.owner }}'`
			`group: '{{ os_shadow_perms.group }}'`
			`mode: '{{ os_shadow_perms.mode }}'`
Ansible deployment 2017-04-24 12:22:51 +00:00
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`- name: change passwd ownership to root and mode to 0644 \| os-03`
			`file:`
			`dest: '/etc/passwd'`
			`owner: '{{ os_passwd_perms.owner }}'`
			`group: '{{ os_passwd_perms.group }}'`
			`mode: '{{ os_passwd_perms.mode }}'`
Ansible deployment 2017-04-24 12:22:51 +00:00
			`- name: change su-binary to only be accessible to user and group root`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`file:`
			`dest: '/bin/su'`
			`owner: 'root'`
			`group: 'root'`
			`mode: '0750'`
			`when: '"change_user" not in os_security_users_allow'`