Add remove suid/sgid function #12

Merged
merged 3 commits into from
Jun 3, 2015
38 changes: 21 additions & 17 deletions roles/ansible-os-hardening/tasks/suid_sgid.yml
@@ -1,19 +1,23 @@
---
#- name: remove suid/sgid bit from binaries in blacklist
# file: path='{{item}}' mode='a-s'
# ignore_errors: true
# with_items:
# - '{{ os_security_suid_sgid_system_blacklist }}'
#
#- name: find binaries with suid/sgid set
# shell: 'find / \( -perm -4000 -o -perm -2000 \) -type f -print 2>/dev/null | grep -v "No such file or directory"'
# register: sbit_binaries
#
#- debug: var=sbit_binaries.stdout_lines
#- debug: var={{os_security_suid_sgid_system_blacklist}}
#
#- name: remove suid/sgid bit from all binaries except in whitelist
# file: path='{{item}}' mode='a-s'
# with_items:
# - sbit_binaries.stdout_lines
- name: remove suid/sgid bit from binaries in blacklist
file: path='{{item}}' mode='a-s'
ignore_errors: true
with_items:
- '{{ os_security_suid_sgid_system_blacklist }}'
- '{{ os_security_suid_sgid_blacklist }}'

- name: find binaries with suid/sgid set
shell: find / -xdev \( -perm -4000 -o -perm -2000 \) -type f ! -path '/proc/*' -print 2>/dev/null
register: sbit_binaries
when: os_security_suid_sgid_remove_from_unknown

- name: gather files from which to remove suids/sgids and remove system white-listed files
set_fact:
suid: '{{ sbit_binaries.stdout_lines | difference(os_security_suid_sgid_system_whitelist) }}'
when: os_security_suid_sgid_remove_from_unknown

- name: remove suid/sgid bit from all binaries except in system and user whitelist
file: path='{{item}}' mode='a-s' state=file
with_items:
- '{{ suid | difference(os_security_suid_sgid_whitelist) }}'
when: os_security_suid_sgid_remove_from_unknown
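Review bot: The `-xdev` added to the new `find / -xdev …` line confines the sweep to the filesystem that holds `/`, so on hosts where `/usr`, `/opt`, `/var` or `/home` are separate mounts the set-id binaries there are never listed and `os_security_suid_sgid_remove_from_unknown` silently covers less than its name promises (the `! -path '/proc/*'` test is then redundant, since /proc is its own filesystem). Walking every local mount point instead would close that gap, e.g. `find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev \( -perm -4000 -o -perm -2000 \) -type f -print 2>/dev/null`, or prune pseudo and network filesystems with `-fstype` rather than stopping at the root device. Note also that `difference()` compares path strings literally and `find` does not follow directory symlinks, so on distributions where `/bin` is a symlink into `/usr/bin` a whitelist entry written as `/bin/su` will not protect the `/usr/bin/su` that `find` reports, and the sweep could strip the bit from `su`, `sudo` or `passwd`; the full whitelist is not visible in this diff, but normalising both sides (realpath) before comparing would make the match robust. Since the companion vars change drops the dry-run flag, a `- debug: var=suid` step guarded by the same `when:` before the removal task would let operators preview what is about to be stripped.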
59 changes: 28 additions & 31 deletions roles/ansible-os-hardening/vars/main.yml
Expand Up @@ -2,48 +2,46 @@
#os_authconfig_shadow_enable: true
#os_authconfig_md5_enable: true

os_desktop_enable: false
os_desktop_enable: false
os_network_forwarding: false
os_network_ipv6_enable: false
os_network_arp_restricted: true
os_env_extra_user_paths: []
os_env_umask: '027'
os_env_root_path: '/'
os_auth_pw_max_age: 60
os_auth_pw_min_age: 7 # discourage password cycling
os_auth_retries: 5
os_auth_lockout_time: 600 # 10min
os_auth_timeout: 60
os_auth_allow_homeless: false
os_auth_pam_passwdqc_enable: true
os_env_extra_user_paths: []
os_env_umask: '027'
os_env_root_path: '/'
os_auth_pw_max_age: 60
os_auth_pw_min_age: 7 # discourage password cycling
os_auth_retries: 5
os_auth_lockout_time: 600 # 10min
os_auth_timeout: 60
os_auth_allow_homeless: false
os_auth_pam_passwdqc_enable: true
os_auth_pam_passwdqc_options: 'disabled,disabled,16,12,8'
os_auth_root_ttys: [console, tty1, tty2, tty3, tty4, tty5, tty6]
os_auth_uid_min: 1000
os_auth_gid_min: 1000
os_auth_root_ttys: [console, tty1, tty2, tty3, tty4, tty5, tty6]
os_auth_uid_min: 1000
os_auth_gid_min: 1000
os_chfn_restrict: ''
# may contain: change_user
os_security_users_allow: []
os_security_kernel_enable_module_loading: true
os_security_kernel_enable_sysrq: false
os_security_kernel_enable_core_dump: false
os_security_suid_sgid_enforce: true
os_security_users_allow: []
os_security_kernel_enable_module_loading: true
os_security_kernel_enable_sysrq: false
os_security_kernel_enable_core_dump: false
os_security_suid_sgid_enforce: true
# user-defined blacklist and whitelist
os_security_suid_sgid_blacklist: []
os_security_suid_sgid_whitelist: []
# if this is true, remove any suid/sgid bits from files that were not in the
# whitelist
os_security_suid_sgid_remove_from_unknown: false
os_security_suid_sgid_dry_run_on_unknown: false
os_security_suid_sgid_blacklist: []
os_security_suid_sgid_whitelist: []
# if this is true, remove any suid/sgid bits from files that were not in the whitelist
os_security_suid_sgid_remove_from_unknown: false

# remove packages with known issues
os_security_packages_clean: true
os_security_packages_clean: true

# SYSTEM CONFIGURATION
# ====================
# These are not meant to be modified by the user

# misc
os_security_kernel_secure_sysrq: 4 + 16 + 32 + 64 + 128
os_security_kernel_secure_sysrq: 4 + 16 + 32 + 64 + 128

# suid and sgid blacklists and whitelists
# ---------------------------------------
Expand All @@ -58,8 +56,8 @@ os_security_suid_sgid_system_blacklist: [
'/usr/libexec/openssh/ssh-keysign',
'/usr/lib/openssh/ssh-keysign',
# misc others
'/sbin/netreport', # not normally required for user
'/usr/sbin/usernetctl', # modify interfaces via functional accounts
'/sbin/netreport', # not normally required for user
'/usr/sbin/usernetctl', # modify interfaces via functional accounts
# connecting to ...
'/usr/sbin/userisdnctl', # no isdn...
'/usr/sbin/pppd', # no ppp / dsl ...
Expand Down Expand Up @@ -129,5 +127,4 @@ os_security_suid_sgid_system_whitelist: [
]

# set default cpu vendor
os_security_cpu_vendor: 'intel'

os_security_cpu_vendor: 'intel'
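Review bot: `os_security_suid_sgid_dry_run_on_unknown` disappears from the new side of the first hunk with no replacement, so there is no longer any way to preview what the unknown-binary sweep will strip before it acts; if the flag was never wired up, replace it with a warning rather than dropping it silently, e.g. `# no dry-run mode: populate os_security_suid_sgid_whitelist before enabling remove_from_unknown on production hosts`. Separately, the block headed `# user-defined blacklist and whitelist` lives in `vars/main.yml`, which as far as I recall of Ansible's precedence order outranks inventory and play vars, so users can realistically only override these knobs via extra-vars; user-facing settings are easier to tune from `defaults/main.yml`, while `vars/main.yml` suits the section marked "not meant to be modified by the user". Most other lines in this section differ only in whitespace, which buries the substantive change; a separate reindent commit would keep it reviewable.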