fix descrptions in readme (#693)

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@telekom.de>
2024-11-10 09:14:18 +00:00 · 2023-08-24 15:21:57 +02:00 · 2023-08-24 15:21:57 +02:00 · 9c5b619149
commit 9c5b619149
parent ff4f2ee7f4
2 changed files with 29 additions and 27 deletions
--- a/roles/os_hardening/README.md
+++ b/roles/os_hardening/README.md
@ -54,19 +54,18 @@ We disable the following filesystems, because they're most likely not used:
 To prevent some of the filesystems from being disabled, add them to the `os_filesystem_whitelist` variable.

 <!-- BEGIN_ANSIBLE_DOCS -->
-
 ## Supported Operating Systems
-
-| Platform  | Versions             |
-| --------- | -------------------- |
-| EL        | 7, 8, 9              |
-| Ubuntu    | bionic, focal, jammy |
-| Debian    | buster, bullseye     |
-| Amazon    |                      |
-| Fedora    |                      |
-| ArchLinux |                      |
-| SmartOS   |                      |
-| opensuse  |                      |
+- EL
+  - 7, 8, 9
+- Ubuntu
+  - bionic, focal, jammy
+- Debian
+  - buster, bullseye
+- Amazon
+- Fedora
+- ArchLinux
+- SmartOS
+- opensuse

 ## Role Variables

@ -290,14 +289,14 @@ To prevent some of the filesystems from being disabled, add them to the `os_file
  - Description: true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc.
  - Type: bool
  - Required: no
- `os_env_user_paths`
-  - Default: `[/usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin, /sbin, /bin]`
-  - Description: Specify paths to the user's `PATH` variable.
-  - Type: list
-  - Required: no
 - `os_env_extra_user_paths`
  - Default: `"[]"`
-  - Description: add additional paths to the user's `PATH` variable (default is empty).
+  - Description: Specify additional paths that should be checked for binaries where access will be minimized
+  - Type: list
+  - Required: no
+- `os_env_user_paths`
+  - Default: `["/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin"]`
+  - Description: Specify paths that should be checked for binaries where access will be minimized
  - Type: list
  - Required: no
 - `os_filesystem_whitelist`
--- a/roles/os_hardening/meta/argument_specs.yml
+++ b/roles/os_hardening/meta/argument_specs.yml
@ -8,11 +8,14 @@ argument_specs:
        default: false
        type: bool
        description: true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc.
+      os_env_user_paths:
+        default: [/usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin, /sbin, /bin]
+        type: list
+        description: Specify paths that should be checked for binaries where access will be minimized
      os_env_extra_user_paths:
        default: '[]'
        type: list
-        description: add additional paths to the user's `PATH` variable (default is
-          empty).
+        description: Specify additional paths that should be checked for binaries where access will be minimized
      os_auth_pw_max_age:
        default: 60
        type: int
@ -235,7 +238,7 @@ argument_specs:
        default: SUSPEND
        type: str
        description: This parameter tells the system what action to take when the
-          system has detected  that  it is low on disk space. Valid values are ignore,
+          system has detected that it is low on disk space. Valid values are ignore,
          syslog, rotate, email, exec, suspend, single, and halt.
      os_auditd_space_left:
        default: 75
@ -451,11 +454,11 @@ argument_specs:
        type: str
        description: Configure file system for fstab entry /dev
      os_mnt_dev_dump:
-        default: 0
+        default: '0'
        type: str
        description: Configure dump for fstab entry /var/tmp.
      os_mnt_dev_passno:
-        default: 0
+        default: '0'
        type: str
        description: Configure passno for fstab entry /var/tmp.
      os_mnt_dev_shm_dir_mode:
@ -479,11 +482,11 @@ argument_specs:
        type: str
        description: Configure file system for fstab entry /dev/shm
      os_mnt_dev_shm_dump:
-        default: 0
+        default: '0'
        type: str
        description: Configure dump for fstab entry /var/tmp.
      os_mnt_dev_shm_passno:
-        default: 0
+        default: '0'
        type: str
        description: Configure passno for fstab entry /var/tmp.
      os_mnt_home_dir_mode:
@ -539,11 +542,11 @@ argument_specs:
        type: str
        description: Configure file system for fstab entry /run
      os_mnt_run_dump:
-        default: 0
+        default: '0'
        type: str
        description: Configure dump for fstab entry /var/tmp.
      os_mnt_run_passno:
-        default: 0
+        default: '0'
        type: str
        description: Configure passno for fstab entry /var/tmp.
      os_mnt_tmp_dir_mode: