59 lines
1.7 KiB
YAML
59 lines
1.7 KiB
YAML
---
|
|
# If the find-task throws an error on /usr/bin/X11 like "File system loop detected"
|
|
# the other files inside /usr/bin (and all other directories) are
|
|
# still getting found and the permissions minimized in the next task.
|
|
# This is also the reason why there's ignore_errors: true on the task.
|
|
# also see: https://github.com/dev-sec/ansible-os-hardening/issues/219
|
|
- name: find files with write-permissions for group
|
|
shell: "find -L {{ item }} -perm /go+w -type f" # noqa 305
|
|
with_flattened:
|
|
- '/usr/local/sbin'
|
|
- '/usr/local/bin'
|
|
- '/usr/sbin'
|
|
- '/usr/bin'
|
|
- '/sbin'
|
|
- '/bin'
|
|
- "{{ os_env_extra_user_paths }}" # noqa 104
|
|
register: minimize_access_directories
|
|
ignore_errors: true
|
|
changed_when: false
|
|
|
|
- name: minimize access on found files
|
|
file:
|
|
path: '{{ item.1 }}'
|
|
mode: 'go-w'
|
|
state: file
|
|
with_subelements:
|
|
- "{{ minimize_access_directories.results }}"
|
|
- stdout_lines
|
|
|
|
- name: change shadow ownership to root and mode to 0600 | os-02
|
|
file:
|
|
dest: '/etc/shadow'
|
|
owner: '{{ os_shadow_perms.owner }}'
|
|
group: '{{ os_shadow_perms.group }}'
|
|
mode: '{{ os_shadow_perms.mode }}'
|
|
|
|
- name: change passwd ownership to root and mode to 0644 | os-03
|
|
file:
|
|
dest: '/etc/passwd'
|
|
owner: '{{ os_passwd_perms.owner }}'
|
|
group: '{{ os_passwd_perms.group }}'
|
|
mode: '{{ os_passwd_perms.mode }}'
|
|
|
|
- name: change su-binary to only be accessible to user and group root
|
|
file:
|
|
dest: '/bin/su'
|
|
owner: 'root'
|
|
group: 'root'
|
|
mode: '0750'
|
|
when: '"change_user" not in os_security_users_allow'
|
|
|
|
- name: set option hidepid for proc filesystem
|
|
mount:
|
|
path: /proc
|
|
src: proc
|
|
fstype: proc
|
|
opts: '{{ proc_mnt_options }}'
|
|
state: present
|