---
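- name: remove suid/sgid bit from binaries in blacklist | os-06
  # Clear the setuid/setgid bits on every path listed in the system and
  # user blacklists. The paths are used as given; nothing checks that they
  # exist first, so a blacklisted binary that is not installed makes the
  # file module fail (see failed_when below).
  file:
    path: '{{ item }}'
    mode: 'a-s'
    state: file
    # Operate on the link target rather than on the symlink itself.
    # Written as a real boolean; the quoted string 'yes' only worked
    # through Ansible's type coercion.
    follow: true
  # A missing blacklisted binary is the expected failure here. Note that
  # this also silences every other error the file module could raise
  # (e.g. a read-only filesystem), so the play cannot notice them.
  failed_when: false
  with_flattened:
    - '{{ os_security_suid_sgid_system_blacklist }}'
    - '{{ os_security_suid_sgid_blacklist }}'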
- name: find binaries with suid/sgid set | os-06
  # Enumerate regular files that carry the setuid (-4000) or setgid (-2000)
  # bit. -xdev keeps find on the filesystem that / lives on, so binaries on
  # separately mounted filesystems are not reported; /proc is skipped and
  # find's own error output is discarded. The result feeds the set_fact and
  # removal tasks that follow.
  shell: >-
    find / -xdev \( -perm -4000 -o -perm -2000 \) -type f
    ! -path '/proc/*' -print 2>/dev/null
  # Pure query: never report a change for it.
  changed_when: false
  register: sbit_binaries
  when: os_security_suid_sgid_remove_from_unknown | bool
- name: gather files from which to remove suids/sgids and remove system white-listed files | os-06
  # Take the find output and drop everything on the system whitelist.
  # The user whitelist is subtracted later, by the task that actually
  # removes the bits. sbit_binaries only exists when the find task ran,
  # which the same condition guarantees.
  when: os_security_suid_sgid_remove_from_unknown | bool
  set_fact:
    suid: "{{ sbit_binaries.stdout_lines | difference(os_security_suid_sgid_system_whitelist) }}"
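- name: remove suid/sgid bit from all binaries except in system and user whitelist | os-06
  # Clear the setuid/setgid bits on every file the find task reported,
  # minus the user whitelist (the system whitelist was already removed in
  # the set_fact task). default([]) keeps the loop empty if suid was never
  # set, so the task is a no-op rather than an undefined-variable error.
  file:
    path: '{{ item }}'
    mode: 'a-s'
    state: file
    # Operate on the link target rather than on the symlink itself.
    # Written as a real boolean; the quoted string 'yes' only worked
    # through Ansible's type coercion.
    follow: true
  with_flattened:
    - '{{ suid | default([]) | difference(os_security_suid_sgid_whitelist) }}'
  when: os_security_suid_sgid_remove_from_unknown | bool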