Preserve default ownership and dir mode for /var/log on Ubuntu (#615)

* Preserve default ownership and dir mode for /var/log on Ubuntu

Signed-off-by: stdtom <stdtom@gmx.net>

* linting

Signed-off-by: stdtom <stdtom@gmx.net>

* Define vars for each OS instead of using defaults.

Signed-off-by: stdtom <stdtom@gmx.net>

* Fix values for os_mnt_var_log_dir_mode and os_mnt_var_log_group

Signed-off-by: stdtom <stdtom@gmx.net>

Signed-off-by: stdtom <stdtom@gmx.net>

roles/os_hardening/defaults/main.yml

@@ -406,7 +406,6 @@ os_selinux_enabled: true
 os_sha_crypt_min_rounds: "640000"
 os_sha_crypt_max_rounds: "640000"
 
-os_mnt_boot_dir_mode: '0700'
 os_mnt_boot_enabled: false
 os_mnt_boot_src: ""
 os_mnt_boot_options: 'rw,nosuid,nodev,noexec'
@@ -414,7 +413,6 @@ os_mnt_boot_filesystem: ""
 os_mnt_boot_dump: ""
 os_mnt_boot_passno: ""
 
-os_mnt_dev_dir_mode: '0755'
 os_mnt_dev_enabled: true
 os_mnt_dev_src: "devtmpfs"
 os_mnt_dev_options: 'rw,nosuid,noexec'
@@ -422,7 +420,6 @@ os_mnt_dev_filesystem: "devtmpfs"
 os_mnt_dev_dump: ""
 os_mnt_dev_passno: ""
 
-os_mnt_dev_shm_dir_mode: '1777'
 os_mnt_dev_shm_enabled: true
 os_mnt_dev_shm_src: "tmpfs"
 os_mnt_dev_shm_options: 'rw,nosuid,nodev,noexec'
@@ -430,7 +427,6 @@ os_mnt_dev_shm_filesystem: "tmpfs"
 os_mnt_dev_shm_dump: ""
 os_mnt_dev_shm_passno: ""
 
-os_mnt_home_dir_mode: '0755'
 os_mnt_home_enabled: false
 os_mnt_home_src: ""
 os_mnt_home_options: 'rw,nosuid,nodev'
@@ -438,7 +434,6 @@ os_mnt_home_filesystem: ""
 os_mnt_home_dump: ""
 os_mnt_home_passno: ""
 
-os_mnt_run_dir_mode: '0755'
 os_mnt_run_enabled: true
 os_mnt_run_src: "tmpfs"
 os_mnt_run_options: 'rw,nosuid,nodev'
@@ -446,7 +441,6 @@ os_mnt_run_filesystem: "tmpfs"
 os_mnt_run_dump: ""
 os_mnt_run_passno: ""
 
-os_mnt_tmp_dir_mode: '1777'
 os_mnt_tmp_enabled: false
 os_mnt_tmp_src: ""
 os_mnt_tmp_options: 'rw,nosuid,nodev,noexec'
@@ -454,7 +448,6 @@ os_mnt_tmp_filesystem: ""
 os_mnt_tmp_dump: ""
 os_mnt_tmp_passno: ""
 
-os_mnt_var_dir_mode: '0755'
 os_mnt_var_enabled: false
 os_mnt_var_src: ""
 os_mnt_var_options: 'rw,nosuid,nodev'
@@ -462,7 +455,6 @@ os_mnt_var_filesystem: ""
 os_mnt_var_dump: ""
 os_mnt_var_passno: ""
 
-os_mnt_var_log_dir_mode: '0755'
 os_mnt_var_log_enabled: false
 os_mnt_var_log_src: ""
 os_mnt_var_log_options: 'rw,nosuid,nodev,noexec'
@@ -470,7 +462,6 @@ os_mnt_var_log_filesystem: ""
 os_mnt_var_log_dump: ""
 os_mnt_var_log_passno: ""
 
-os_mnt_var_log_audit_dir_mode: '0700'
 os_mnt_var_log_audit_enabled: false
 os_mnt_var_log_audit_src: ""
 os_mnt_var_log_audit_options: 'rw,nosuid,nodev,noexec'
@@ -478,7 +469,6 @@ os_mnt_var_log_audit_filesystem: ""
 os_mnt_var_log_audit_dump: ""
 os_mnt_var_log_audit_passno: ""
 
-os_mnt_var_tmp_dir_mode: '1777'
 os_mnt_var_tmp_enabled: false
 os_mnt_var_tmp_src: ""
 os_mnt_var_tmp_options: 'rw,nosuid,nodev,noexec'

roles/os_hardening/tasks/minimize_access.yml

@@ -92,15 +92,15 @@
 - name: Minimize access for filesystems
   include_tasks: minimize_access_fs.yml
   loop:
-    - { path: '/boot', src: '{{ os_mnt_boot_src }}', fstype: '{{ os_mnt_boot_filesystem }}', opts: '{{ os_mnt_boot_options }}', enabled: "{{ os_mnt_boot_enabled }}", mode: "{{ os_mnt_boot_dir_mode }}", dump: "{{ os_mnt_boot_dump }}", passno: "{{ os_mnt_boot_passno }}" }
-    - { path: '/dev', src: '{{ os_mnt_dev_src }}', fstype: '{{ os_mnt_dev_filesystem }}', opts: '{{ os_mnt_dev_options }}', enabled: "{{ os_mnt_dev_enabled }}", mode: "{{ os_mnt_dev_dir_mode }}", dump: "{{ os_mnt_dev_dump }}", passno: "{{ os_mnt_dev_passno }}" }
-    - { path: '/dev/shm', src: '{{ os_mnt_dev_shm_src }}', fstype: '{{ os_mnt_dev_shm_filesystem }}', opts: '{{ os_mnt_dev_shm_options }}', enabled: "{{ os_mnt_dev_shm_enabled }}", mode: "{{ os_mnt_dev_shm_dir_mode }}", dump: "{{ os_mnt_dev_shm_dump }}", passno: "{{ os_mnt_dev_shm_passno }}" }
-    - { path: '/home', src: '{{ os_mnt_home_src }}', fstype: '{{ os_mnt_home_filesystem }}', opts: '{{ os_mnt_home_options }}', enabled: "{{ os_mnt_home_enabled }}", mode: "{{ os_mnt_home_dir_mode }}", dump: "{{ os_mnt_home_dump }}", passno: "{{ os_mnt_home_passno }}" }
-    - { path: '/run', src: '{{ os_mnt_run_src }}', fstype: '{{ os_mnt_run_filesystem }}', opts: '{{ os_mnt_run_options }}', enabled: "{{ os_mnt_run_enabled }}", mode: "{{ os_mnt_run_dir_mode }}", dump: "{{ os_mnt_run_dump }}", passno: "{{ os_mnt_run_passno }}" }
-    - { path: '/tmp', src: '{{ os_mnt_tmp_src }}', fstype: '{{ os_mnt_tmp_filesystem }}', opts: '{{ os_mnt_tmp_options }}', enabled: "{{ os_mnt_tmp_enabled }}", mode: "{{ os_mnt_tmp_dir_mode }}", dump: "{{ os_mnt_tmp_dump }}", passno: "{{ os_mnt_tmp_passno }}" }
-    - { path: '/var', src: '{{ os_mnt_var_src }}', fstype: '{{ os_mnt_var_filesystem }}', opts: '{{ os_mnt_var_options }}', enabled: "{{ os_mnt_var_enabled }}", mode: "{{ os_mnt_var_dir_mode }}", dump: "{{ os_mnt_var_dump }}", passno: "{{ os_mnt_var_passno }}" }
-    - { path: '/var/log', src: '{{ os_mnt_var_log_src }}', fstype: '{{ os_mnt_var_log_filesystem }}', opts: '{{ os_mnt_var_log_options }}', enabled: "{{ os_mnt_var_log_enabled }}", mode: "{{ os_mnt_var_log_dir_mode }}", dump: "{{ os_mnt_var_log_dump }}", passno: "{{ os_mnt_var_log_passno }}" }
-    - { path: '/var/log/audit', src: '{{ os_mnt_var_log_audit_src }}', fstype: '{{ os_mnt_var_log_audit_filesystem }}', opts: '{{ os_mnt_var_log_audit_options }}', enabled: "{{ os_mnt_var_log_audit_enabled }}", mode: "{{ os_mnt_var_log_audit_dir_mode }}", dump: "{{ os_mnt_var_log_audit_dump }}", passno: "{{ os_mnt_var_log_audit_passno }}" }
-    - { path: '/var/tmp', src: '{{ os_mnt_var_tmp_src }}', fstype: '{{ os_mnt_var_tmp_filesystem }}', opts: '{{ os_mnt_var_tmp_options }}', enabled: "{{ os_mnt_var_tmp_enabled }}", mode: "{{ os_mnt_var_tmp_dir_mode }}", dump: "{{ os_mnt_var_tmp_dump }}", passno: "{{ os_mnt_var_tmp_passno }}" }
+    - { path: '/boot', src: '{{ os_mnt_boot_src }}', fstype: '{{ os_mnt_boot_filesystem }}', opts: '{{ os_mnt_boot_options }}', enabled: "{{ os_mnt_boot_enabled }}", mode: "{{ os_mnt_boot_dir_mode }}", group: "{{ os_mnt_boot_group }}", owner: "{{ os_mnt_boot_owner }}", dump: "{{ os_mnt_boot_dump }}", passno: "{{ os_mnt_boot_passno }}" }
+    - { path: '/dev', src: '{{ os_mnt_dev_src }}', fstype: '{{ os_mnt_dev_filesystem }}', opts: '{{ os_mnt_dev_options }}', enabled: "{{ os_mnt_dev_enabled }}", mode: "{{ os_mnt_dev_dir_mode }}", group: "{{ os_mnt_dev_group }}", owner: "{{ os_mnt_dev_owner }}", dump: "{{ os_mnt_dev_dump }}", passno: "{{ os_mnt_dev_passno }}" }
+    - { path: '/dev/shm', src: '{{ os_mnt_dev_shm_src }}', fstype: '{{ os_mnt_dev_shm_filesystem }}', opts: '{{ os_mnt_dev_shm_options }}', enabled: "{{ os_mnt_dev_shm_enabled }}", mode: "{{ os_mnt_dev_shm_dir_mode }}", group: "{{ os_mnt_dev_shm_group }}", owner: "{{ os_mnt_dev_shm_owner }}", dump: "{{ os_mnt_dev_shm_dump }}", passno: "{{ os_mnt_dev_shm_passno }}" }
+    - { path: '/home', src: '{{ os_mnt_home_src }}', fstype: '{{ os_mnt_home_filesystem }}', opts: '{{ os_mnt_home_options }}', enabled: "{{ os_mnt_home_enabled }}", mode: "{{ os_mnt_home_dir_mode }}", group: "{{ os_mnt_home_group }}", owner: "{{ os_mnt_home_owner }}", dump: "{{ os_mnt_home_dump }}", passno: "{{ os_mnt_home_passno }}" }
+    - { path: '/run', src: '{{ os_mnt_run_src }}', fstype: '{{ os_mnt_run_filesystem }}', opts: '{{ os_mnt_run_options }}', enabled: "{{ os_mnt_run_enabled }}", mode: "{{ os_mnt_run_dir_mode }}", group: "{{ os_mnt_run_group }}", owner: "{{ os_mnt_run_owner }}", dump: "{{ os_mnt_run_dump }}", passno: "{{ os_mnt_run_passno }}" }
+    - { path: '/tmp', src: '{{ os_mnt_tmp_src }}', fstype: '{{ os_mnt_tmp_filesystem }}', opts: '{{ os_mnt_tmp_options }}', enabled: "{{ os_mnt_tmp_enabled }}", mode: "{{ os_mnt_tmp_dir_mode }}", group: "{{ os_mnt_tmp_group }}", owner: "{{ os_mnt_tmp_owner }}", dump: "{{ os_mnt_tmp_dump }}", passno: "{{ os_mnt_tmp_passno }}" }
+    - { path: '/var', src: '{{ os_mnt_var_src }}', fstype: '{{ os_mnt_var_filesystem }}', opts: '{{ os_mnt_var_options }}', enabled: "{{ os_mnt_var_enabled }}", mode: "{{ os_mnt_var_dir_mode }}", group: "{{ os_mnt_var_group }}", owner: "{{ os_mnt_var_owner }}", dump: "{{ os_mnt_var_dump }}", passno: "{{ os_mnt_var_passno }}" }
+    - { path: '/var/log', src: '{{ os_mnt_var_log_src }}', fstype: '{{ os_mnt_var_log_filesystem }}', opts: '{{ os_mnt_var_log_options }}', enabled: "{{ os_mnt_var_log_enabled }}", mode: "{{ os_mnt_var_log_dir_mode }}", group: "{{ os_mnt_var_log_group }}", owner: "{{ os_mnt_var_log_owner }}", dump: "{{ os_mnt_var_log_dump }}", passno: "{{ os_mnt_var_log_passno }}" }
+    - { path: '/var/log/audit', src: '{{ os_mnt_var_log_audit_src }}', fstype: '{{ os_mnt_var_log_audit_filesystem }}', opts: '{{ os_mnt_var_log_audit_options }}', enabled: "{{ os_mnt_var_log_audit_enabled }}", mode: "{{ os_mnt_var_log_audit_dir_mode }}", group: "{{ os_mnt_var_log_audit_group }}", owner: "{{ os_mnt_var_log_audit_owner }}", dump: "{{ os_mnt_var_log_audit_dump }}", passno: "{{ os_mnt_var_log_audit_passno }}" }
+    - { path: '/var/tmp', src: '{{ os_mnt_var_tmp_src }}', fstype: '{{ os_mnt_var_tmp_filesystem }}', opts: '{{ os_mnt_var_tmp_options }}', enabled: "{{ os_mnt_var_tmp_enabled }}", mode: "{{ os_mnt_var_tmp_dir_mode }}", group: "{{ os_mnt_var_tmp_group }}", owner: "{{ os_mnt_var_tmp_owner }}", dump: "{{ os_mnt_var_tmp_dump }}", passno: "{{ os_mnt_var_tmp_passno }}" }
   loop_control:
     loop_var: mount

roles/os_hardening/tasks/minimize_access_fs.yml

@@ -24,8 +24,8 @@
 - name: "Harden permissions for {{ mount.path }} directory"
   file:
     dest: "{{ mount.path }}"
-    owner: 'root'
-    group: 'root'
+    owner: "{{ mount.owner }}"
+    group: "{{ mount.group }}"
     mode: "{{ mount.mode }}"
   when:
     - mountpoint_exists.stat.exists | bool

roles/os_hardening/vars/Amazon.yml

@@ -35,6 +35,46 @@ os_auth_sub_gid_count: 65536
 
 os_auth_pam_sssd_enable: false
 
+os_mnt_boot_dir_mode: '0700'
+os_mnt_boot_group: 'root'
+os_mnt_boot_owner: 'root'
+
+os_mnt_dev_dir_mode: '0755'
+os_mnt_dev_group: 'root'
+os_mnt_dev_owner: 'root'
+
+os_mnt_dev_shm_dir_mode: '1777'
+os_mnt_dev_shm_group: 'root'
+os_mnt_dev_shm_owner: 'root'
+
+os_mnt_home_dir_mode: '0755'
+os_mnt_home_group: 'root'
+os_mnt_home_owner: 'root'
+
+os_mnt_run_dir_mode: '0755'
+os_mnt_run_group: 'root'
+os_mnt_run_owner: 'root'
+
+os_mnt_tmp_dir_mode: '1777'
+os_mnt_tmp_group: 'root'
+os_mnt_tmp_owner: 'root'
+
+os_mnt_var_dir_mode: '0755'
+os_mnt_var_group: 'root'
+os_mnt_var_owner: 'root'
+
+os_mnt_var_log_dir_mode: '0755'
+os_mnt_var_log_group: 'root'
+os_mnt_var_log_owner: 'root'
+
+os_mnt_var_log_audit_dir_mode: '0700'
+os_mnt_var_log_audit_group: 'root'
+os_mnt_var_log_audit_owner: 'root'
+
+os_mnt_var_tmp_dir_mode: '1777'
+os_mnt_var_tmp_group: 'root'
+os_mnt_var_tmp_owner: 'root'
+
 # defaults for useradd
 os_useradd_mail_dir: /var/spool/mail
 os_useradd_create_home: true

roles/os_hardening/vars/Archlinux.yml

@@ -29,6 +29,46 @@ os_auth_sub_gid_min: 100000
 os_auth_sub_gid_max: 600100000
 os_auth_sub_gid_count: 65536
 
+os_mnt_boot_dir_mode: '0700'
+os_mnt_boot_group: 'root'
+os_mnt_boot_owner: 'root'
+
+os_mnt_dev_dir_mode: '0755'
+os_mnt_dev_group: 'root'
+os_mnt_dev_owner: 'root'
+
+os_mnt_dev_shm_dir_mode: '1777'
+os_mnt_dev_shm_group: 'root'
+os_mnt_dev_shm_owner: 'root'
+
+os_mnt_home_dir_mode: '0755'
+os_mnt_home_group: 'root'
+os_mnt_home_owner: 'root'
+
+os_mnt_run_dir_mode: '0755'
+os_mnt_run_group: 'root'
+os_mnt_run_owner: 'root'
+
+os_mnt_tmp_dir_mode: '1777'
+os_mnt_tmp_group: 'root'
+os_mnt_tmp_owner: 'root'
+
+os_mnt_var_dir_mode: '0755'
+os_mnt_var_group: 'root'
+os_mnt_var_owner: 'root'
+
+os_mnt_var_log_dir_mode: '0755'
+os_mnt_var_log_group: 'root'
+os_mnt_var_log_owner: 'root'
+
+os_mnt_var_log_audit_dir_mode: '0700'
+os_mnt_var_log_audit_group: 'root'
+os_mnt_var_log_audit_owner: 'root'
+
+os_mnt_var_tmp_dir_mode: '1777'
+os_mnt_var_tmp_group: 'root'
+os_mnt_var_tmp_owner: 'root'
+
 modprobe_package: 'kmod'
 auditd_package: 'audit'
 

roles/os_hardening/vars/Debian.yml

@@ -33,6 +33,46 @@ os_auth_sub_gid_min: 100000
 os_auth_sub_gid_max: 600100000
 os_auth_sub_gid_count: 65536
 
+os_mnt_boot_dir_mode: '0700'
+os_mnt_boot_group: 'root'
+os_mnt_boot_owner: 'root'
+
+os_mnt_dev_dir_mode: '0755'
+os_mnt_dev_group: 'root'
+os_mnt_dev_owner: 'root'
+
+os_mnt_dev_shm_dir_mode: '1777'
+os_mnt_dev_shm_group: 'root'
+os_mnt_dev_shm_owner: 'root'
+
+os_mnt_home_dir_mode: '0755'
+os_mnt_home_group: 'root'
+os_mnt_home_owner: 'root'
+
+os_mnt_run_dir_mode: '0755'
+os_mnt_run_group: 'root'
+os_mnt_run_owner: 'root'
+
+os_mnt_tmp_dir_mode: '1777'
+os_mnt_tmp_group: 'root'
+os_mnt_tmp_owner: 'root'
+
+os_mnt_var_dir_mode: '0755'
+os_mnt_var_group: 'root'
+os_mnt_var_owner: 'root'
+
+os_mnt_var_log_dir_mode: '0755'
+os_mnt_var_log_group: 'root'
+os_mnt_var_log_owner: 'root'
+
+os_mnt_var_log_audit_dir_mode: '0700'
+os_mnt_var_log_audit_group: 'root'
+os_mnt_var_log_audit_owner: 'root'
+
+os_mnt_var_tmp_dir_mode: '1777'
+os_mnt_var_tmp_group: 'root'
+os_mnt_var_tmp_owner: 'root'
+
 # defaults for useradd
 os_useradd_mail_dir: /var/mail
 

roles/os_hardening/vars/Fedora.yml

@@ -35,6 +35,46 @@ os_auth_sub_gid_count: 65536
 
 os_auth_pam_sssd_enable: true
 
+os_mnt_boot_dir_mode: '0700'
+os_mnt_boot_group: 'root'
+os_mnt_boot_owner: 'root'
+
+os_mnt_dev_dir_mode: '0755'
+os_mnt_dev_group: 'root'
+os_mnt_dev_owner: 'root'
+
+os_mnt_dev_shm_dir_mode: '1777'
+os_mnt_dev_shm_group: 'root'
+os_mnt_dev_shm_owner: 'root'
+
+os_mnt_home_dir_mode: '0755'
+os_mnt_home_group: 'root'
+os_mnt_home_owner: 'root'
+
+os_mnt_run_dir_mode: '0755'
+os_mnt_run_group: 'root'
+os_mnt_run_owner: 'root'
+
+os_mnt_tmp_dir_mode: '1777'
+os_mnt_tmp_group: 'root'
+os_mnt_tmp_owner: 'root'
+
+os_mnt_var_dir_mode: '0755'
+os_mnt_var_group: 'root'
+os_mnt_var_owner: 'root'
+
+os_mnt_var_log_dir_mode: '0755'
+os_mnt_var_log_group: 'root'
+os_mnt_var_log_owner: 'root'
+
+os_mnt_var_log_audit_dir_mode: '0700'
+os_mnt_var_log_audit_group: 'root'
+os_mnt_var_log_audit_owner: 'root'
+
+os_mnt_var_tmp_dir_mode: '1777'
+os_mnt_var_tmp_group: 'root'
+os_mnt_var_tmp_owner: 'root'
+
 # defaults for useradd
 os_useradd_mail_dir: /var/spool/mail
 os_useradd_create_home: true

roles/os_hardening/vars/RedHat.yml

@@ -35,6 +35,46 @@ os_auth_sub_gid_count: 65536
 
 os_auth_pam_sssd_enable: true
 
+os_mnt_boot_dir_mode: '0700'
+os_mnt_boot_group: 'root'
+os_mnt_boot_owner: 'root'
+
+os_mnt_dev_dir_mode: '0755'
+os_mnt_dev_group: 'root'
+os_mnt_dev_owner: 'root'
+
+os_mnt_dev_shm_dir_mode: '1777'
+os_mnt_dev_shm_group: 'root'
+os_mnt_dev_shm_owner: 'root'
+
+os_mnt_home_dir_mode: '0755'
+os_mnt_home_group: 'root'
+os_mnt_home_owner: 'root'
+
+os_mnt_run_dir_mode: '0755'
+os_mnt_run_group: 'root'
+os_mnt_run_owner: 'root'
+
+os_mnt_tmp_dir_mode: '1777'
+os_mnt_tmp_group: 'root'
+os_mnt_tmp_owner: 'root'
+
+os_mnt_var_dir_mode: '0755'
+os_mnt_var_group: 'root'
+os_mnt_var_owner: 'root'
+
+os_mnt_var_log_dir_mode: '0755'
+os_mnt_var_log_group: 'root'
+os_mnt_var_log_owner: 'root'
+
+os_mnt_var_log_audit_dir_mode: '0700'
+os_mnt_var_log_audit_group: 'root'
+os_mnt_var_log_audit_owner: 'root'
+
+os_mnt_var_tmp_dir_mode: '1777'
+os_mnt_var_tmp_group: 'root'
+os_mnt_var_tmp_owner: 'root'
+
 # defaults for useradd
 os_useradd_mail_dir: /var/spool/mail
 os_useradd_create_home: true

roles/os_hardening/vars/RedHat_7.yml

@@ -35,6 +35,46 @@ os_auth_sub_gid_count: 65536
 
 os_auth_pam_sssd_enable: false
 
+os_mnt_boot_dir_mode: '0700'
+os_mnt_boot_group: 'root'
+os_mnt_boot_owner: 'root'
+
+os_mnt_dev_dir_mode: '0755'
+os_mnt_dev_group: 'root'
+os_mnt_dev_owner: 'root'
+
+os_mnt_dev_shm_dir_mode: '1777'
+os_mnt_dev_shm_group: 'root'
+os_mnt_dev_shm_owner: 'root'
+
+os_mnt_home_dir_mode: '0755'
+os_mnt_home_group: 'root'
+os_mnt_home_owner: 'root'
+
+os_mnt_run_dir_mode: '0755'
+os_mnt_run_group: 'root'
+os_mnt_run_owner: 'root'
+
+os_mnt_tmp_dir_mode: '1777'
+os_mnt_tmp_group: 'root'
+os_mnt_tmp_owner: 'root'
+
+os_mnt_var_dir_mode: '0755'
+os_mnt_var_group: 'root'
+os_mnt_var_owner: 'root'
+
+os_mnt_var_log_dir_mode: '0755'
+os_mnt_var_log_group: 'root'
+os_mnt_var_log_owner: 'root'
+
+os_mnt_var_log_audit_dir_mode: '0700'
+os_mnt_var_log_audit_group: 'root'
+os_mnt_var_log_audit_owner: 'root'
+
+os_mnt_var_tmp_dir_mode: '1777'
+os_mnt_var_tmp_group: 'root'
+os_mnt_var_tmp_owner: 'root'
+
 # defaults for useradd
 os_useradd_mail_dir: /var/spool/mail
 os_useradd_create_home: true

roles/os_hardening/vars/Suse.yml

@@ -33,6 +33,46 @@ os_auth_sub_gid_min: 100000
 os_auth_sub_gid_max: 600100000
 os_auth_sub_gid_count: 65536
 
+os_mnt_boot_dir_mode: '0700'
+os_mnt_boot_group: 'root'
+os_mnt_boot_owner: 'root'
+
+os_mnt_dev_dir_mode: '0755'
+os_mnt_dev_group: 'root'
+os_mnt_dev_owner: 'root'
+
+os_mnt_dev_shm_dir_mode: '1777'
+os_mnt_dev_shm_group: 'root'
+os_mnt_dev_shm_owner: 'root'
+
+os_mnt_home_dir_mode: '0755'
+os_mnt_home_group: 'root'
+os_mnt_home_owner: 'root'
+
+os_mnt_run_dir_mode: '0755'
+os_mnt_run_group: 'root'
+os_mnt_run_owner: 'root'
+
+os_mnt_tmp_dir_mode: '1777'
+os_mnt_tmp_group: 'root'
+os_mnt_tmp_owner: 'root'
+
+os_mnt_var_dir_mode: '0755'
+os_mnt_var_group: 'root'
+os_mnt_var_owner: 'root'
+
+os_mnt_var_log_dir_mode: '0755'
+os_mnt_var_log_group: 'root'
+os_mnt_var_log_owner: 'root'
+
+os_mnt_var_log_audit_dir_mode: '0700'
+os_mnt_var_log_audit_group: 'root'
+os_mnt_var_log_audit_owner: 'root'
+
+os_mnt_var_tmp_dir_mode: '1777'
+os_mnt_var_tmp_group: 'root'
+os_mnt_var_tmp_owner: 'root'
+
 # defaults for useradd
 os_useradd_create_home: false
 

roles/os_hardening/vars/Ubuntu.yml

@@ -0,0 +1,91 @@
+---
+
+os_packages_pam_ccreds: 'libpam-ccreds'
+os_nologin_shell_path: '/usr/sbin/nologin'
+
+# Different distros use different standards for /etc/shadow perms, e.g.
+# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
+# You must provide key/value pairs for owner, group, and mode if overriding.
+os_shadow_perms:
+  owner: root
+  group: shadow
+  mode: '0640'
+
+os_passwd_perms:
+  owner: root
+  group: root
+  mode: '0644'
+
+os_env_umask: '027'
+
+os_auth_uid_min: 1000
+os_auth_uid_max: 60000
+os_auth_gid_min: 1000
+os_auth_gid_max: 60000
+os_auth_sys_uid_min: 100
+os_auth_sys_uid_max: 999
+os_auth_sys_gid_min: 100
+os_auth_sys_gid_max: 999
+os_auth_sub_uid_min: 100000
+os_auth_sub_uid_max: 600100000
+os_auth_sub_uid_count: 65536
+os_auth_sub_gid_min: 100000
+os_auth_sub_gid_max: 600100000
+os_auth_sub_gid_count: 65536
+
+os_mnt_boot_dir_mode: '0700'
+os_mnt_boot_group: 'root'
+os_mnt_boot_owner: 'root'
+
+os_mnt_dev_dir_mode: '0755'
+os_mnt_dev_group: 'root'
+os_mnt_dev_owner: 'root'
+
+os_mnt_dev_shm_dir_mode: '1777'
+os_mnt_dev_shm_group: 'root'
+os_mnt_dev_shm_owner: 'root'
+
+os_mnt_home_dir_mode: '0755'
+os_mnt_home_group: 'root'
+os_mnt_home_owner: 'root'
+
+os_mnt_run_dir_mode: '0755'
+os_mnt_run_group: 'root'
+os_mnt_run_owner: 'root'
+
+os_mnt_tmp_dir_mode: '1777'
+os_mnt_tmp_group: 'root'
+os_mnt_tmp_owner: 'root'
+
+os_mnt_var_dir_mode: '0755'
+os_mnt_var_group: 'root'
+os_mnt_var_owner: 'root'
+
+os_mnt_var_log_dir_mode: '0775'
+os_mnt_var_log_group: 'syslog'
+os_mnt_var_log_owner: 'root'
+
+os_mnt_var_log_audit_dir_mode: '0700'
+os_mnt_var_log_audit_group: 'root'
+os_mnt_var_log_audit_owner: 'root'
+
+os_mnt_var_tmp_dir_mode: '1777'
+os_mnt_var_tmp_group: 'root'
+os_mnt_var_tmp_owner: 'root'
+
+# defaults for useradd
+os_useradd_mail_dir: /var/mail
+
+modprobe_package: 'kmod'
+auditd_package: 'auditd'
+
+tally2_path: '/usr/share/pam-configs/tally2'
+passwdqc_path: '/usr/share/pam-configs/passwdqc'
+
+hidepid_option: '2'  # allowed values: 0, 1, 2
+
+sysctl_custom_config:
+  # Mitigation of vulnerability CVE-2021-33909
+  kernel.unprivileged_userns_clone: 0
+  # Mitigation of vulnerability CVE-2021-33910
+  kernel.unprivileged_bpf_disabled: 1