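---
# Deploy the local kernel parameters. Writing the file alone does not apply
# the values (they are read at boot), so the result is registered and
# `sysctl --system` is run when the file actually changed.
- name: Configure sysctl
  template:
    src: sysctl.d/local.conf.j2
    dest: /etc/sysctl.d/local.conf
    mode: "0644"  # quoted: a bare 0644 is read as the integer 420 by YAML 1.1 loaders
  register: sysctl_conf

- name: Apply sysctl settings
  command: sysctl --system
  when: sysctl_conf is changed

# Use this command to list setuid or setgid executables
# find / -type f -perm /6000 -ls 2>/dev/null
#
# The candidate paths are stat'ed first so that a binary that is not installed
# is simply skipped, while a genuine failure to drop the bit on a binary that
# IS present still fails the play. The previous `ignore_errors: true` masked
# both cases, so a hardening step could silently not happen.
- name: Check which setuid/setgid candidates exist
  stat:
    path: "{{ item }}"
  loop:
    - /usr/lib/openssh/sshkeysign  # Not used
    - /usr/bin/gpasswd  # No group auth
    - /usr/bin/passwd  # Only root should change passwd (users cannot change their own)
    - /usr/bin/expiry  # With re2o
    - /usr/bin/newgrp  # No group auth
    - /usr/bin/chage  # With re2o
    - /usr/bin/chsh  # With re2o
    - /usr/bin/chfn  # With re2o
    - /bin/mount  # Only root should mount
    - /bin/umount  # Only root should umount
  register: suid_candidates

# item.item is the original path from the loop above; item.stat.exists tells
# whether it is present on this host.
- name: Desactivate setuid/setgid on unused binaries
  file:
    path: "{{ item.item }}"
    mode: u-s,g-s
  loop: "{{ suid_candidates.results }}"
  loop_control:
    label: "{{ item.item }}"
  when: item.stat.exists

# See altered packages and configurations with `debsums -ca`
- name: Install debsums
  apt:
    name: debsums
    state: present
  register: apt_result
  retries: 3
  until: apt_result is succeeded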