From 384c097f8a4d415f76d102010bf7111fcd01c4b9 Mon Sep 17 00:00:00 2001 From: Claudius Heine Date: Thu, 21 Oct 2021 09:51:20 +0200 Subject: [PATCH] feat(os_hardening): extend file permission tasks to cover more files (#489) The tasks `Change shadow ownership to root and mode to 0600` and `Change passwd ownership to root and mode to 0644` only handle `/etc/shadow` and `/etc/passwd` respectively. But there multiple adjacent files that should be handled with these rules as well: - `/etc/gshadow` - `/etc/shadow-` - `/etc/gshadow-` - `/etc/group` - `/etc/shadow-` - `/etc/group-` This change adds those files to the rules, so that permissions are handled in the same way. Closes: #488 Signed-off-by: Claudius Heine --- roles/os_hardening/tasks/minimize_access.yml | 28 ++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/roles/os_hardening/tasks/minimize_access.yml b/roles/os_hardening/tasks/minimize_access.yml index e332c3ad..3d28f148 100644 --- a/roles/os_hardening/tasks/minimize_access.yml +++ b/roles/os_hardening/tasks/minimize_access.yml @@ -27,19 +27,43 @@ - "{{ minimize_access_directories.results }}" - stdout_lines +- name: Find shadow files + stat: + path: "{{ item }}" + loop: + - '/etc/shadow' + - '/etc/gshadow' + - '/etc/shadow-' + - '/etc/gshadow-' + register: minimize_access_shadow_files + - name: Change shadow ownership to root and mode to 0600 | os-02 file: - dest: '/etc/shadow' + dest: "{{ item.item }}" owner: '{{ os_shadow_perms.owner }}' group: '{{ os_shadow_perms.group }}' mode: '{{ os_shadow_perms.mode }}' + when: item.stat.exists + loop: "{{ minimize_access_shadow_files.results }}" + +- name: Find passwd files + stat: + path: "{{ item }}" + loop: + - '/etc/passwd' + - '/etc/group' + - '/etc/passwd-' + - '/etc/group-' + register: minimize_access_passwd_files - name: Change passwd ownership to root and mode to 0644 | os-03 file: - dest: '/etc/passwd' + dest: "{{ item.item }}" owner: '{{ os_passwd_perms.owner }}' group: '{{ os_passwd_perms.group }}' mode: '{{ os_passwd_perms.mode }}' + when: item.stat.exists + loop: "{{ minimize_access_passwd_files.results }}" - name: Change su-binary to only be accessible to user and group root file: