Add remove suid/sgid function

dev-sec · Jun 1, 2015 · 544779e · 544779e
1 parent c6121c2
commit 544779e
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 48 deletions.
diff --git a/roles/ansible-os-hardening/tasks/suid_sgid.yml b/roles/ansible-os-hardening/tasks/suid_sgid.yml
@@ -1,19 +1,28 @@
 ---
-#- name: remove suid/sgid bit from binaries in blacklist
-#  file: path='{{item}}' mode='a-s'
-#  ignore_errors: true
-#  with_items:
-#    - '{{ os_security_suid_sgid_system_blacklist }}'
-#
-#- name: find binaries with suid/sgid set
-#  shell: 'find / \( -perm -4000 -o -perm -2000 \) -type f -print 2>/dev/null | grep -v "No such file or directory"'
-#  register: sbit_binaries
-#
-#- debug: var=sbit_binaries.stdout_lines
-#- debug: var={{os_security_suid_sgid_system_blacklist}}
-#
-#- name: remove suid/sgid bit from all binaries except in whitelist
-#  file: path='{{item}}' mode='a-s'
-#  with_items:
-#    - sbit_binaries.stdout_lines
+- name: remove suid/sgid bit from binaries in blacklist
+  file: path='{{item}}' mode='a-s'
+  ignore_errors: true
+  with_items:
+    - '{{ os_security_suid_sgid_system_blacklist }}'
+    - '{{ os_security_suid_sgid_blacklist }}'
 
+- name: find binaries with suid/sgid set
+  shell: find / -xdev \( -perm -4000 -o -perm -2000 \) -type f ! -path '/proc/*' -print 2>/dev/null
+  register: sbit_binaries
+  when: os_security_suid_sgid_remove_from_unknown
+
+- name: gather files from which to remove suids/sgids and remove system white-listed files
+  set_fact:
+    suid: '{{ sbit_binaries.stdout_lines | difference(os_security_suid_sgid_system_whitelist) }}'
+  when: os_security_suid_sgid_remove_from_unknown
+
+- name: exclude user white-listed files
+  set_fact:
+    suid_clean: '{{ suid | difference(os_security_suid_sgid_whitelist) }}'
+  when: os_security_suid_sgid_remove_from_unknown
+
+- name: remove suid/sgid bit from all binaries except in whitelist
+  file: path='{{item}}' mode='a-s'
+  with_items:
+    - '{{ suid_clean | difference(os_security_suid_sgid_system_whitelist) }}'
+  when: os_security_suid_sgid_remove_from_unknown
diff --git a/roles/ansible-os-hardening/vars/main.yml b/roles/ansible-os-hardening/vars/main.yml
@@ -2,48 +2,46 @@
 #os_authconfig_shadow_enable:  true
 #os_authconfig_md5_enable:  true
 
-os_desktop_enable:  false
+os_desktop_enable: false
 os_network_forwarding: false
 os_network_ipv6_enable: false
 os_network_arp_restricted: true 
-os_env_extra_user_paths:  []
-os_env_umask:  '027'
-os_env_root_path:  '/'
-os_auth_pw_max_age:  60
-os_auth_pw_min_age:  7 # discourage password cycling
-os_auth_retries:  5
-os_auth_lockout_time:  600 # 10min
-os_auth_timeout:  60
-os_auth_allow_homeless:  false
-os_auth_pam_passwdqc_enable:  true
+os_env_extra_user_paths: []
+os_env_umask: '027'
+os_env_root_path: '/'
+os_auth_pw_max_age: 60
+os_auth_pw_min_age: 7 # discourage password cycling
+os_auth_retries: 5
+os_auth_lockout_time: 600 # 10min
+os_auth_timeout: 60
+os_auth_allow_homeless: false
+os_auth_pam_passwdqc_enable: true
 os_auth_pam_passwdqc_options: 'disabled,disabled,16,12,8'
-os_auth_root_ttys:  [console, tty1, tty2, tty3, tty4, tty5, tty6]
-os_auth_uid_min:  1000
-os_auth_gid_min:  1000
+os_auth_root_ttys: [console, tty1, tty2, tty3, tty4, tty5, tty6]
+os_auth_uid_min: 1000
+os_auth_gid_min: 1000
 os_chfn_restrict: ''
 # may contain: change_user
-os_security_users_allow:  []
-os_security_kernel_enable_module_loading:  true
-os_security_kernel_enable_sysrq:  false
-os_security_kernel_enable_core_dump:  false
-os_security_suid_sgid_enforce:  true
+os_security_users_allow: []
+os_security_kernel_enable_module_loading: true
+os_security_kernel_enable_sysrq: false
+os_security_kernel_enable_core_dump: false
+os_security_suid_sgid_enforce: true
 # user-defined blacklist and whitelist
-os_security_suid_sgid_blacklist:  []
-os_security_suid_sgid_whitelist:  []
-# if this is true, remove any suid/sgid bits from files that were not in the
-# whitelist
-os_security_suid_sgid_remove_from_unknown:  false
-os_security_suid_sgid_dry_run_on_unknown:  false
+os_security_suid_sgid_blacklist: []
+os_security_suid_sgid_whitelist: []
+# if this is true, remove any suid/sgid bits from files that were not in the whitelist
+os_security_suid_sgid_remove_from_unknown: false
 
 # remove packages with known issues
-os_security_packages_clean:  true
+os_security_packages_clean: true
 
 # SYSTEM CONFIGURATION
 # ====================
 # These are not meant to be modified by the user
 
 # misc
-os_security_kernel_secure_sysrq:  4 + 16 + 32 + 64 + 128
+os_security_kernel_secure_sysrq: 4 + 16 + 32 + 64 + 128
 
 # suid and sgid blacklists and whitelists
 # ---------------------------------------
@@ -58,8 +56,8 @@ os_security_suid_sgid_system_blacklist: [
   '/usr/libexec/openssh/ssh-keysign',
   '/usr/lib/openssh/ssh-keysign',
   # misc others
-  '/sbin/netreport',                                            # not normally required for user
-  '/usr/sbin/usernetctl',                                       # modify interfaces via functional accounts
+  '/sbin/netreport', # not normally required for user
+  '/usr/sbin/usernetctl', # modify interfaces via functional accounts
   # connecting to ...
   '/usr/sbin/userisdnctl',                                      # no isdn...
   '/usr/sbin/pppd',                                             # no ppp / dsl ...
@@ -129,5 +127,4 @@ os_security_suid_sgid_system_whitelist:  [
 ]
 
 # set default cpu vendor
-os_security_cpu_vendor:  'intel'
-
+os_security_cpu_vendor: 'intel'