26 lines
794 B
YAML
26 lines
794 B
YAML
|
---
|
||
|
- name: Configure sysctl
|
||
|
template:
|
||
|
src: 'sysctl.d/local.conf.j2'
|
||
|
dest: '/etc/sysctl.d/local.conf'
|
||
|
mode: 0644
|
||
|
|
||
|
# Use this command to list setuid or setgid executables
|
||
|
# find / -type f -perm /6000 -ls 2>/dev/null
|
||
|
- name: Desactivate setuid/setgid on unused binaries
|
||
|
file:
|
||
|
path: "{{ item }}"
|
||
|
mode: u-s,g-s
|
||
|
loop:
|
||
|
- /usr/lib/openssh/sshkeysign # Not used
|
||
|
- /usr/bin/gpasswd # No group auth
|
||
|
- /usr/bin/passwd # Only root should change passwd
|
||
|
- /usr/bin/expiry # With re2o
|
||
|
- /usr/bin/newgrp # No group auth
|
||
|
- /usr/bin/chage # With re2o
|
||
|
- /usr/bin/chsh # With re2o
|
||
|
- /usr/bin/chfn # With re2o
|
||
|
- /bin/mount # Only root should mount
|
||
|
- /bin/umount # Only root should umount
|
||
|
ignore_errors: yes # Sometimes file won't exist
|