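---
- name: Configure sysctl
  template:
    src: 'sysctl.d/local.conf.j2'
    dest: '/etc/sysctl.d/local.conf'
    # Quoted so the YAML loader keeps the literal "0644": an unquoted 0644 is
    # read as an octal integer (420) by YAML 1.1 loaders, which is the classic
    # file-mode trap (flagged by ansible-lint as risky-octal).
    mode: '0644'

# Use this command to list setuid or setgid executables
# find / -type f -perm /6000 -ls 2>/dev/null
#
# The candidate list is checked with stat first so that only files that are
# genuinely absent are skipped. A failure to strip the bits on a file that
# does exist (e.g. read-only filesystem, permission error) must fail the play:
# a blanket ignore_errors would hide it and leave the host less hardened than
# the playbook reports.
- name: Check which setuid/setgid candidates exist
  stat:
    path: "{{ item }}"
    get_checksum: false  # existence is all we need; skip hashing each binary
  loop:
    - /usr/lib/openssh/sshkeysign  # Not used
    - /usr/bin/gpasswd  # No group auth
    - /usr/bin/passwd  # Only root should change passwd
    - /usr/bin/expiry  # With re2o
    - /usr/bin/newgrp  # No group auth
    - /usr/bin/chage  # With re2o
    - /usr/bin/chsh  # With re2o
    - /usr/bin/chfn  # With re2o
    - /bin/mount  # Only root should mount
    - /bin/umount  # Only root should umount
  register: setuid_candidates

- name: Desactivate setuid/setgid on unused binaries
  file:
    path: "{{ item.item }}"
    mode: 'u-s,g-s'
  loop: "{{ setuid_candidates.results }}"
  loop_control:
    label: "{{ item.item }}"  # show the path, not the whole stat result
  when: item.stat.exists  # Sometimes file won't exist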