kubeasz/roles/os-harden/tasks/minimize_access.yml

36 lines
945 B
YAML

---
# Using a two-pass approach for checking directories in order to support symlinks.
- include_tasks: find_files.yml
loop_control:
loop_var: outer_item
loop:
- '/usr/local/sbin'
- '/usr/local/bin'
- '/usr/sbin'
- '/usr/bin'
- '/sbin'
- '/bin'
- '{{ os_env_extra_user_paths }}'
- name: change shadow ownership to root and mode to 0600 | os-02
file:
dest: '/etc/shadow'
owner: '{{ os_shadow_perms.owner }}'
group: '{{ os_shadow_perms.group }}'
mode: '{{ os_shadow_perms.mode }}'
- name: change passwd ownership to root and mode to 0644 | os-03
file:
dest: '/etc/passwd'
owner: '{{ os_passwd_perms.owner }}'
group: '{{ os_passwd_perms.group }}'
mode: '{{ os_passwd_perms.mode }}'
- name: change su-binary to only be accessible to user and group root
file:
dest: '/bin/su'
owner: 'root'
group: 'root'
mode: '0750'
when: os_security_users_allow != None