Merge pull request #209 from dev-sec/speedup

change minimize access tasks to speed them up
dev-sec · Mar 24, 2019 · 66f6c3c · 66f6c3c
2 parents 6de1df0 + 51c75bb
commit 66f6c3c
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 19 deletions.
diff --git a/tasks/find_files.yml b/tasks/find_files.yml
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -1,4 +1,4 @@
 ---
 
-- include_tasks: hardening.yml
+- import_tasks: hardening.yml
   when: os_hardening_enabled
diff --git a/tasks/minimize_access.yml b/tasks/minimize_access.yml
@@ -1,16 +1,26 @@
 ---
-# Using a two-pass approach for checking directories in order to support symlinks.
-- include_tasks: find_files.yml
-  loop_control:
-    loop_var: outer_item
-  loop:
+- name: find files with write-permissions for group
+  shell: "find -L {{ item }} -perm /go+w -type f"
+  with_flattened:
     - '/usr/local/sbin'
     - '/usr/local/bin'
     - '/usr/sbin'
     - '/usr/bin'
     - '/sbin'
     - '/bin'
-    - '{{ os_env_extra_user_paths }}'
+    - "{{ os_env_extra_user_paths }}"
+  register: minimize_access_directories
+  ignore_errors: true
+  changed_when: false
+
+- name: minimize access on found files
+  file:
+    path: '{{ item.1 }}'
+    mode: 'go-w'
+    state: file
+  with_subelements:
+    - "{{minimize_access_directories.results }}"
+    - stdout_lines
 
 - name: change shadow ownership to root and mode to 0600 | os-02
   file: