mirror of
https://github.com/dev-sec/ansible-collection-hardening
synced 2024-09-20 13:21:52 +00:00
Fix #344: make the os_env_umask variable usable again
Signed-off-by: Sylvain Prat <sylvain.prat@gmail.com>
This commit is contained in:
Sylvain Prat
parent
837f99bdf8
commit
ea471b38b7
10 changed files with 12 additions and 10 deletions
|
|
@ -63,4 +63,3 @@ scenario:
|
|||
- idempotence
|
||||
- verify
|
||||
- destroy
|
||||
|
||||
|
|
|
|||
|
|
@ -86,8 +86,8 @@ We know that this is the case on Raspberry Pi.
|
|||
- Default: `[]`
|
||||
- Description: add additional paths to the user's `PATH` variable (default is empty).
|
||||
- `os_env_umask`
|
||||
- Default: `027`
|
||||
- Description: set default permissions for new files to `750`
|
||||
- Default: `027` or `077` depending on the platform.
|
||||
- Description: set default permissions for new files to `750` or `700`.
|
||||
- `os_auth_pw_max_age`
|
||||
- Default: `60`
|
||||
- Description: maximum password age (set to `99999` to effectively disable it)
|
||||
|
|
|
|||
|
|
@ -271,6 +271,9 @@ os_filesystem_whitelist: []
|
|||
# the Ansible role dependency mechanism.
|
||||
os_hardening_enabled: true
|
||||
|
||||
# Set the umask you want to apply, or leave empty to use the defaults.
|
||||
os_env_umask: ''
|
||||
|
||||
# Set to false to disable installing and configuring auditd.
|
||||
os_auditd_enabled: true
|
||||
os_auditd_max_log_file_action: keep_logs
|
||||
|
|
|
|||
|
|
@ -92,7 +92,7 @@ KILLCHAR 025
|
|||
# Prefix these values with `0` to get octal, `0x` to get hexadecimal.
|
||||
# `022` is the "historical" value in Debian for UMASK
|
||||
# `027`, or even `077`, could be considered better for privacy.
|
||||
UMASK {{ os_env_umask }}
|
||||
UMASK {{ os_env_umask | default(os_env_umask_default, true) }}
|
||||
|
||||
# Enable setting of the umask group bits to be the same as owner bits (examples: `022` -> `002`, `077` -> `007`) for non-root users, if the uid is the same as gid, and username is the same as the primary group name.
|
||||
# If set to yes, userdel will remove the user´s group if it contains no more members, and useradd will create by default a group with the name of the user.
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ os_passwd_perms:
|
|||
group: root
|
||||
mode: '0644'
|
||||
|
||||
os_env_umask: '027'
|
||||
os_env_umask_default: '027'
|
||||
|
||||
os_auth_uid_min: 1000
|
||||
os_auth_gid_min: 1000
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ os_passwd_perms:
|
|||
group: root
|
||||
mode: '0644'
|
||||
|
||||
os_env_umask: '027'
|
||||
os_env_umask_default: '027'
|
||||
|
||||
os_auth_uid_min: 1000
|
||||
os_auth_gid_min: 1000
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ os_passwd_perms:
|
|||
group: root
|
||||
mode: '0644'
|
||||
|
||||
os_env_umask: '027'
|
||||
os_env_umask_default: '027'
|
||||
|
||||
os_auth_uid_min: 1000
|
||||
os_auth_gid_min: 1000
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ os_passwd_perms:
|
|||
group: root
|
||||
mode: '0644'
|
||||
|
||||
os_env_umask: '077'
|
||||
os_env_umask_default: '077'
|
||||
|
||||
os_auth_uid_min: 1000
|
||||
os_auth_gid_min: 1000
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ os_passwd_perms:
|
|||
group: root
|
||||
mode: '0644'
|
||||
|
||||
os_env_umask: '077'
|
||||
os_env_umask_default: '077'
|
||||
|
||||
os_auth_uid_min: 1000
|
||||
os_auth_gid_min: 1000
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ os_passwd_perms:
|
|||
group: root
|
||||
mode: '0644'
|
||||
|
||||
os_env_umask: '027'
|
||||
os_env_umask_default: '027'
|
||||
|
||||
os_auth_uid_min: 1000
|
||||
os_auth_gid_min: 1000
|
||||
|
|
|
|||
Loading…
Reference in a new issue