---
- name: remove suid/sgid bit from binaries in blacklist
  file: path='{{item}}' mode='a-s' state=file follow=yes
  failed_when: false
  with_items:
    - '{{ os_security_suid_sgid_system_blacklist }}'
    - '{{ os_security_suid_sgid_blacklist }}'

- name: find binaries with suid/sgid set
  shell: find / -xdev \( -perm -4000 -o -perm -2000 \) -type f ! -path '/proc/*' -print 2>/dev/null
  register: sbit_binaries
  when: os_security_suid_sgid_remove_from_unknown
  changed_when: False

- name: gather files from which to remove suids/sgids and remove system white-listed files
  set_fact:
    suid: '{{ sbit_binaries.stdout_lines | difference(os_security_suid_sgid_system_whitelist) }}'
  when: os_security_suid_sgid_remove_from_unknown

- name: remove suid/sgid bit from all binaries except in system and user whitelist
  file: path='{{item}}' mode='a-s' state=file follow=yes
  with_items:
    - '{{ suid | default(omit) | difference(os_security_suid_sgid_whitelist) }}'
  when: os_security_suid_sgid_remove_from_unknown