From ef4d04bf109310da15cbe2469d039dad99abc033 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Thu, 24 Aug 2023 14:50:55 +0200 Subject: [PATCH] fix descrptions in readme Signed-off-by: Sebastian Gumprich --- roles/os_hardening/README.md | 37 +++++++++++----------- roles/os_hardening/meta/argument_specs.yml | 24 ++++++++------ 2 files changed, 32 insertions(+), 29 deletions(-) diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md index 04525d4dd..c3a617b44 100644 --- a/roles/os_hardening/README.md +++ b/roles/os_hardening/README.md @@ -54,19 +54,18 @@ We disable the following filesystems, because they're most likely not used: To prevent some of the filesystems from being disabled, add them to the `os_filesystem_whitelist` variable. - ## Supported Operating Systems - -| Platform | Versions | -| --------- | -------------------- | -| EL | 7, 8, 9 | -| Ubuntu | bionic, focal, jammy | -| Debian | buster, bullseye | -| Amazon | | -| Fedora | | -| ArchLinux | | -| SmartOS | | -| opensuse | | +- EL + - 7, 8, 9 +- Ubuntu + - bionic, focal, jammy +- Debian + - buster, bullseye +- Amazon +- Fedora +- ArchLinux +- SmartOS +- opensuse ## Role Variables 
@@ -290,14 +289,14 @@ To prevent some of the filesystems from being disabled, add them to the `os_file - Description: true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc. - Type: bool - Required: no -- `os_env_user_paths` - - Default: `[/usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin, /sbin, /bin]` - - Description: Specify paths to the user's `PATH` variable. - - Type: list - - Required: no - `os_env_extra_user_paths` - Default: `"[]"` - - Description: add additional paths to the user's `PATH` variable (default is empty). + - Description: Specify additional paths that should be checked for binaries where access will be minimized + - Type: list + - Required: no +- `os_env_user_paths` + - Default: `["/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin"]` + - Description: Specify paths that should be checked for binaries where access will be minimized - Type: list - Required: no - `os_filesystem_whitelist` 
@@ -856,7 +855,7 @@ To prevent some of the filesystems from being disabled, add them to the `os_file - Type: str - Required: no - `sysctl_config` - - Default: `{"fs.protected_hardlinks": 1, "fs.protected_symlinks": 1, "fs.protected_fifos": 1, "fs.protected_regular": 2, "fs.suid_dumpable": 0, "kernel.core_uses_pid": 1, "kernel.kptr_restrict": 2, "kernel.kexec_load_disabled": 1, "kernel.sysrq": 0, "kernel.randomize_va_space": 2, "kernel.yama.ptrace_scope": 1, "net.ipv4.ip_forward": 0, "net.ipv6.conf.all.forwarding": 0, "net.ipv4.conf.all.rp_filter": 1, "net.ipv4.conf.default.rp_filter": 1, "net.ipv4.icmp_echo_ignore_broadcasts": 1, "net.ipv4.icmp_ignore_bogus_error_responses": 1, "net.ipv4.icmp_ratelimit": 100, "net.ipv4.icmp_ratemask": 88089, "net.ipv4.tcp_timestamps": 0, "net.ipv4.conf.all.arp_ignore": 1, "net.ipv4.conf.all.arp_announce": 2, "net.ipv4.tcp_rfc1337": 1, "net.ipv4.tcp_syncookies": 1, "net.ipv4.conf.all.shared_media": 1, "net.ipv4.conf.default.shared_media": 1, "net.ipv4.conf.all.accept_source_route": 0, "net.ipv4.conf.default.accept_source_route": 0, "net.ipv6.conf.all.accept_source_route": 0, "net.ipv6.conf.default.accept_source_route": 0, "net.ipv4.conf.all.send_redirects": 0, "net.ipv4.conf.default.send_redirects": 0, "net.ipv4.conf.all.log_martians": 1, "net.ipv4.conf.default.log_martians": 1, "net.ipv4.conf.default.accept_redirects": 0, "net.ipv4.conf.all.accept_redirects": 0, "net.ipv4.conf.all.secure_redirects": 0, "net.ipv4.conf.default.secure_redirects": 0, "net.ipv6.conf.default.accept_redirects": 0, "net.ipv6.conf.all.accept_redirects": 0, "net.ipv6.conf.all.accept_ra": 0, "net.ipv6.conf.default.accept_ra": 0, "net.ipv6.conf.default.router_solicitations": 0, "net.ipv6.conf.all.router_solicitations": 0, "net.ipv6.conf.default.accept_ra_rtr_pref": 0, "net.ipv6.conf.default.accept_ra_pinfo": 0, "net.ipv6.conf.default.accept_ra_defrtr": 0, "net.ipv6.conf.default.autoconf": 0, "net.ipv6.conf.all.autoconf": 0, 
"net.ipv6.conf.default.dad_transmits": 0, "net.ipv6.conf.default.max_addresses": 1, "vm.mmap_min_addr": 65536, "vm.mmap_rnd_bits": 32, "vm.mmap_rnd_compat_bits": 16}` + - Default: `{"fs.protected_hardlinks": 1, "fs.protected_symlinks": 1, "fs.protected_fifos": 1, "fs.protected_regular": 2, "fs.suid_dumpable": 0, "kernel.core_uses_pid": 1, "kernel.kptr_restrict": 2, "kernel.kexec_load_disabled": 1, "kernel.sysrq": 0, "kernel.randomize_va_space": 2, "kernel.yama.ptrace_scope": 1, "net.ipv4.ip_forward": 0, "net.ipv6.conf.all.forwarding": 0, "net.ipv4.conf.all.rp_filter": 1, "net.ipv4.conf.default.rp_filter": 1, "net.ipv4.icmp_echo_ignore_broadcasts": 1, "net.ipv4.icmp_ignore_bogus_error_responses": 0, "net.ipv4.icmp_ratelimit": 100, "net.ipv4.icmp_ratemask": 88089, "net.ipv4.tcp_timestamps": 0, "net.ipv4.conf.all.arp_ignore": 1, "net.ipv4.conf.all.arp_announce": 2, "net.ipv4.tcp_rfc1337": 1, "net.ipv4.tcp_syncookies": 1, "net.ipv4.conf.all.shared_media": 1, "net.ipv4.conf.default.shared_media": 1, "net.ipv4.conf.all.accept_source_route": 0, "net.ipv4.conf.default.accept_source_route": 0, "net.ipv6.conf.all.accept_source_route": 0, "net.ipv6.conf.default.accept_source_route": 0, "net.ipv4.conf.all.send_redirects": 0, "net.ipv4.conf.default.send_redirects": 0, "net.ipv4.conf.all.log_martians": 1, "net.ipv4.conf.default.log_martians": 1, "net.ipv4.conf.default.accept_redirects": 0, "net.ipv4.conf.all.accept_redirects": 0, "net.ipv4.conf.all.secure_redirects": 0, "net.ipv4.conf.default.secure_redirects": 0, "net.ipv6.conf.default.accept_redirects": 0, "net.ipv6.conf.all.accept_redirects": 0, "net.ipv6.conf.all.accept_ra": 0, "net.ipv6.conf.default.accept_ra": 0, "net.ipv6.conf.default.router_solicitations": 0, "net.ipv6.conf.all.router_solicitations": 0, "net.ipv6.conf.default.accept_ra_rtr_pref": 0, "net.ipv6.conf.default.accept_ra_pinfo": 0, "net.ipv6.conf.default.accept_ra_defrtr": 0, "net.ipv6.conf.default.autoconf": 0, "net.ipv6.conf.all.autoconf": 0, 
"net.ipv6.conf.default.dad_transmits": 0, "net.ipv6.conf.default.max_addresses": 1, "vm.mmap_min_addr": 65536, "vm.mmap_rnd_bits": 32, "vm.mmap_rnd_compat_bits": 16}` - Description: various sysctl-settings - Type: dict - Required: no diff --git a/roles/os_hardening/meta/argument_specs.yml b/roles/os_hardening/meta/argument_specs.yml index 5ca59a775..e559d6364 100644 --- a/roles/os_hardening/meta/argument_specs.yml +++ b/roles/os_hardening/meta/argument_specs.yml @@ -8,11 +8,14 @@ argument_specs: default: false type: bool description: true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc. + os_env_user_paths: + default: [/usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin, /sbin, /bin] + type: list + description: Specify paths that should be checked for binaries where access will be minimized os_env_extra_user_paths: default: '[]' type: list - description: add additional paths to the user's `PATH` variable (default is - empty). + description: Specify additional paths that should be checked for binaries where access will be minimized os_auth_pw_max_age: default: 60 type: int @@ -235,7 +238,7 @@ argument_specs: default: SUSPEND type: str description: This parameter tells the system what action to take when the - system has detected that it is low on disk space. Valid values are ignore, + system has detected that it is low on disk space. Valid values are ignore, syslog, rotate, email, exec, suspend, single, and halt. os_auditd_space_left: default: 75 @@ -451,11 +454,11 @@ argument_specs: type: str description: Configure file system for fstab entry /dev os_mnt_dev_dump: - default: 0 + default: '0' type: str description: Configure dump for fstab entry /var/tmp. os_mnt_dev_passno: - default: 0 + default: '0' type: str description: Configure passno for fstab entry /var/tmp. os_mnt_dev_shm_dir_mode: 
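Review bot: In the `@@ -8,11 +8,14 @@` hunk the new `os_env_user_paths` entry declares its default as a real YAML list, while the neighbouring `os_env_extra_user_paths` keeps `default: '[]'`, a quoted string, under `type: list`, so the two list-typed options in the same hunk are now declared in different shapes. Whether the spec default is consumed by argument validation or is documentary only, a string default for a list option is misleading; change it to `default: []` (the README hunk at L2 quotes it the same way, as `"[]"`, and could be aligned in the same commit). The two new descriptions also drop the trailing period that the surrounding entries use.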
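Review bot: In the `@@ -451,11 +454,11 @@` hunk the descriptions of `os_mnt_dev_dump` and `os_mnt_dev_passno` still read `Configure dump for fstab entry /var/tmp.` and `Configure passno for fstab entry /var/tmp.`, although both options belong to the `/dev` entry (the `os_mnt_dev_fs_type` description directly above says `/dev`). The same copied text appears under `os_mnt_dev_shm_*` in the `@@ -479` hunk and under `os_mnt_run_*` in the `@@ -539` hunk, where `/dev/shm` and `/run` are meant. Since this commit exists to fix descriptions and already touches these exact entries, correct them here: `description: Configure dump for fstab entry /dev.` and `description: Configure passno for fstab entry /dev.`, and likewise for the other two mount points.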
@@ -479,11 +482,11 @@ argument_specs: type: str description: Configure file system for fstab entry /dev/shm os_mnt_dev_shm_dump: - default: 0 + default: '0' type: str description: Configure dump for fstab entry /var/tmp. os_mnt_dev_shm_passno: - default: 0 + default: '0' type: str description: Configure passno for fstab entry /var/tmp. os_mnt_home_dir_mode: @@ -539,11 +542,11 @@ argument_specs: type: str description: Configure file system for fstab entry /run os_mnt_run_dump: - default: 0 + default: '0' type: str description: Configure dump for fstab entry /var/tmp. os_mnt_run_passno: - default: 0 + default: '0' type: str description: Configure passno for fstab entry /var/tmp. os_mnt_tmp_dir_mode: @@ -739,7 +742,7 @@ argument_specs: net.ipv4.conf.all.rp_filter: 1 net.ipv4.conf.default.rp_filter: 1 net.ipv4.icmp_echo_ignore_broadcasts: 1 - net.ipv4.icmp_ignore_bogus_error_responses: 1 + net.ipv4.icmp_ignore_bogus_error_responses: 0 net.ipv4.icmp_ratelimit: 100 net.ipv4.icmp_ratemask: 88089 net.ipv4.tcp_timestamps: 0 @@ -842,3 +845,4 @@ argument_specs: description: If this variable is set to 'yes', on stop and reload the built-in chains are flushed. If it is set to 'no', on stop and reload the ufw secondary chains are removed and the ufw primary chains are flushed +
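Review bot: The `@@ -739,7 +742,7 @@` hunk flips the documented default of `net.ipv4.icmp_ignore_bogus_error_responses` from 1 to 0, and the README hunk at L3–L5 makes the same change, although the commit message only claims to fix descriptions. A value of 1 is the kernel's own default and the value the CIS benchmark control "Ensure bogus ICMP responses are ignored" expects; with 0 the kernel logs bogus ICMP error responses instead of suppressing the warnings. If defaults/main.yml (not part of this patch) really sets 0, the spec is now accurate but the shipped baseline deviates from that control and the reason should be recorded; if it sets 1, this is a documentation regression. Either way the value change belongs in its own commit with a rationale, or at least in a comment next to the key stating why 0 is intended.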