ansible-collection-hardening/tasks/suid_sgid.yml

---
- name: remove suid/sgid bit from binaries in blacklist
  file: path='{{item}}' mode='a-s' state=file follow=yes
  ignore_errors: true
  with_items:
    - '{{ os_security_suid_sgid_system_blacklist }}'
    - '{{ os_security_suid_sgid_blacklist }}'

- name: find binaries with suid/sgid set
  shell: find / -xdev \( -perm -4000 -o -perm -2000 \) -type f ! -path '/proc/*' -print 2>/dev/null
  register: sbit_binaries
  when: os_security_suid_sgid_remove_from_unknown
  changed_when: False

- name: gather files from which to remove suids/sgids and remove system white-listed files
  set_fact:
    suid: '{{ sbit_binaries.stdout_lines | difference(os_security_suid_sgid_system_whitelist) }}'
  when: os_security_suid_sgid_remove_from_unknown

- name: remove suid/sgid bit from all binaries except in system and user whitelist
  file: path='{{item}}' mode='a-s' state=file follow=yes
  with_items:
    - '{{ suid | default(omit) | difference(os_security_suid_sgid_whitelist) }}'
  when: os_security_suid_sgid_remove_from_unknown
Add separated files 2015-05-26 19:53:55 +00:00			`---`
Add remove suid/sgid function 2015-05-31 15:51:57 +00:00			`- name: remove suid/sgid bit from binaries in blacklist`
List-cleanup and follow symlinks added - This change alters the black- and white-listed list for suid/sgid-management to be a proper yaml-formatted list. - Furthermore "follow symlinks" was added to the tasks that remove suid/sgid because otherwise the suid/sgid from the link-targets would not be removed. 2015-06-23 10:54:48 +00:00			`file: path='{{item}}' mode='a-s' state=file follow=yes`
Add remove suid/sgid function 2015-05-31 15:51:57 +00:00			`ignore_errors: true`
			`with_items:`
			`- '{{ os_security_suid_sgid_system_blacklist }}'`
			`- '{{ os_security_suid_sgid_blacklist }}'`
Add separated files 2015-05-26 19:53:55 +00:00
Add remove suid/sgid function 2015-05-31 15:51:57 +00:00			`- name: find binaries with suid/sgid set`
			`shell: find / -xdev \( -perm -4000 -o -perm -2000 \) -type f ! -path '/proc/*' -print 2>/dev/null`
			`register: sbit_binaries`
			`when: os_security_suid_sgid_remove_from_unknown`
Use changed_when to avoid changed tasks When a shell or command task, that only fetches data, gets executed, the task will be marked as change, even though nothing changed. This commit changes the behaviour of tasks that only fetch data. For more info see here: http://docs.ansible.com/playbooks_error_handling.html#overriding-the-changed-result 2015-06-17 17:17:04 +00:00			`changed_when: False`
Add remove suid/sgid function 2015-05-31 15:51:57 +00:00
			`- name: gather files from which to remove suids/sgids and remove system white-listed files`
			`set_fact:`
			`suid: '{{ sbit_binaries.stdout_lines \| difference(os_security_suid_sgid_system_whitelist) }}'`
			`when: os_security_suid_sgid_remove_from_unknown`

Remove duplicate whitelist-check 2015-06-01 19:36:37 +00:00			`- name: remove suid/sgid bit from all binaries except in system and user whitelist`
List-cleanup and follow symlinks added - This change alters the black- and white-listed list for suid/sgid-management to be a proper yaml-formatted list. - Furthermore "follow symlinks" was added to the tasks that remove suid/sgid because otherwise the suid/sgid from the link-targets would not be removed. 2015-06-23 10:54:48 +00:00			`file: path='{{item}}' mode='a-s' state=file follow=yes`
Add remove suid/sgid function 2015-05-31 15:51:57 +00:00			`with_items:`
set suid-var to default=omit this prevents the task "remove suid/sgid bit from all binaries except in system and user whitelist" from failing when the suid-var is not set and `os_security_suid_sgid_remove_from_unknown` is not set either. See: https://github.com/ansible/ansible/issues/11964 2016-01-20 20:04:16 +00:00			`- '{{ suid \| default(omit) \| difference(os_security_suid_sgid_whitelist) }}'`
Add missing condition 2015-06-01 21:46:05 +00:00			`when: os_security_suid_sgid_remove_from_unknown`