---
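- name: remove suid/sgid bit from binaries in blacklist
  # Clear the setuid/setgid bits on every path listed in the system and
  # user blacklists. Module args are written as block YAML rather than a
  # key=value string so each option is a typed scalar (follow is a real
  # boolean, not the string "yes").
  file:
    path: '{{ item }}'
    mode: 'a-s'
    state: file
    # follow: true applies the mode change to the target of a symlinked
    # blacklist entry rather than to the link itself.
    follow: true
  # state=file fails for a path that does not exist on this host;
  # ignore_errors keeps the play going for blacklist entries that are
  # absent, but it also hides genuine permission failures on entries
  # that do exist — check the task output, not just the play status.
  ignore_errors: true
  # with_items flattens one level, so both blacklist variables are
  # iterated as a single list of paths.
  with_items:
    - '{{ os_security_suid_sgid_system_blacklist }}'
    - '{{ os_security_suid_sgid_blacklist }}'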
- name: find binaries with suid/sgid set
  # Discovery step, only run when removal from unknown binaries is enabled.
  when: os_security_suid_sgid_remove_from_unknown
  # List regular files with the setuid (-perm -4000) or setgid
  # (-perm -2000) bit set. -xdev keeps find on the filesystem that holds
  # /, so binaries on a separately mounted filesystem (a split /usr or
  # /var, for example) are NOT reported and therefore never have their
  # bits cleared by the later task. The /proc exclusion and 2>/dev/null
  # only silence noise from unreadable or transient entries.
  shell: find / -xdev \( -perm -4000 -o -perm -2000 \) -type f ! -path '/proc/*' -print 2>/dev/null
  register: sbit_binaries
  # Read-only: the command changes nothing, so never report "changed".
  changed_when: false
- name: gather files from which to remove suids/sgids and remove system white-listed files
  # Same guard as the discovery task: when it is skipped,
  # sbit_binaries.stdout_lines is undefined, and this guard keeps the
  # expression below from being evaluated in that case.
  when: os_security_suid_sgid_remove_from_unknown
  # Start from every discovered suid/sgid file and drop the ones the
  # system whitelist allows to keep their bits. Each line of the find
  # output is treated as one path.
  set_fact:
    suid: '{{ sbit_binaries.stdout_lines | difference(os_security_suid_sgid_system_whitelist) }}'
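- name: remove suid/sgid bit from all binaries except in system and user whitelist
  # Strip setuid/setgid from every discovered binary that is neither in
  # the system whitelist (already filtered out of `suid` by the previous
  # set_fact) nor in the user whitelist. Module args are block YAML so
  # follow is a real boolean rather than the string "yes".
  file:
    path: '{{ item }}'
    mode: 'a-s'
    state: file
    # follow: true changes the mode of a symlink's target, not the link.
    follow: true
  with_items:
    # default(omit) presumably guards against `suid` being undefined when
    # the discovery tasks were skipped; the `when` below already skips
    # this task in that case, so the guard is belt-and-braces.
    - '{{ suid | default(omit) | difference(os_security_suid_sgid_whitelist) }}'
  when: os_security_suid_sgid_remove_from_unknown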