Mirrors/ansible-collection-hardening
2
0
Fork 0
mirror of https://github.com/dev-sec/ansible-collection-hardening synced 2024-11-10 09:14:18 +00:00
Code Issues Projects Releases Packages Wiki Activity

feat: customize user paths default. Resolves: #689 (#692)

Browse source 
Signed-off-by: Thibault Soubiran <thibault.soubiran@protonmail.com>
This commit is contained in:
Thibault Soubiran 2023-08-24 14:02:23 +02:00 committed by GitHub
parent e3273a8d54
commit f602bc621a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 7 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
roles/os_hardening/README.md
View file

@ -290,6 +290,11 @@ To prevent some of the filesystems from being disabled, add them to the `os_file
- Description: true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc.
- Type: bool
- Required: no
- `os_env_user_paths`
- Default: `[/usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin, /sbin, /bin]`
- Description: Specify paths to the user's `PATH` variable.
- Type: list
- Required: no
- `os_env_extra_user_paths`
- Default: `"[]"`
- Description: add additional paths to the user's `PATH` variable (default is empty).

1
roles/os_hardening/defaults/main.yml
View file

@ -1,5 +1,6 @@
---
os_desktop_enable: false
os_env_user_paths: [/usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin, /sbin, /bin]
os_env_extra_user_paths: []
os_auth_pw_max_age: 60
os_auth_pw_min_age: 7 # Discourage password cycling

7
roles/os_hardening/tasks/minimize_access.yml
View file

@ -7,12 +7,7 @@
- name: Find files with write-permissions for group # noqa command-instead-of-shell
ansible.builtin.shell: find -L {{ item }} -perm /go+w -type f
with_community.general.flattened:
- /usr/local/sbin
- /usr/local/bin
- /usr/sbin
- /usr/bin
- /sbin
- /bin
- "{{ os_env_user_paths }}"
- "{{ os_env_extra_user_paths }}"
register: minimize_access_directories
ignore_errors: true