Minimize access user paths should be fully configurable #689

Closed
S0obi opened this issue Aug 5, 2023 · 2 comments · Fixed by #692

Comments


S0obi commented Aug 5, 2023

Description

Hello everyone,

I would like to propose a small change in the OS Hardening minimize_access.yml file. In some situations, specific software may install many files in the hard-coded user paths (like /usr/local/bin), and the execution of the playbook will then take forever (more than an hour with thousands of files). It would be nice if the list of folders were configurable so users can configure it according to their needs.

Solution

https://github.com/dev-sec/ansible-collection-hardening/issues#L7-L19

  - name: Find files with write-permissions for group # noqa command-instead-of-shell
    ansible.builtin.shell: find -L {{ item }} -perm /go+w -type f
    with_community.general.flattened:
      - /usr/local/sbin
      - /usr/local/bin
      - /usr/sbin
      - /usr/bin
      - /sbin
      - /bin
      - "{{ os_env_extra_user_paths }}"
    register: minimize_access_directories
    ignore_errors: true
    changed_when: false

Replace the hard-coded list of directories with a variable, for example os_env_user_paths.

Alternatives

No response

Additional information

...


rndmh3ro commented Aug 7, 2023

Sounds reasonable.

We should probably have two variables, os_env_user_paths (as a default-variable) and os_env_extra_user_paths and use these in this task.

Do you want to create a PR?

S0obi added a commit to S0obi/ansible-collection-hardening that referenced this issue Aug 7, 2023
Signed-off-by: Thibault Soubiran <thibault.soubiran@protonmail.com>

S0obi commented Aug 7, 2023

> Sounds reasonable.
>
> We should probably have two variables, os_env_user_paths (as a default-variable) and os_env_extra_user_paths and use these in this task.
>
> Do you want to create a PR?

I issued #692 for your review, thanks!

rndmh3ro pushed a commit that referenced this issue Aug 24, 2023
Signed-off-by: Thibault Soubiran <thibault.soubiran@protonmail.com>
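
The two-variable layout discussed in this thread, written out as a standalone playbook. This is an added example, not the code merged in #692 and not the collection's own task file. The play name, the use of `loop` with list concatenation in place of `with_community.general.flattened`, and the reporting task are assumptions made so the example runs on its own.

```yaml
---
# Added example: standalone playbook, not the collection's code.
# Override the defaults per host or on the command line, e.g.:
#   ansible-playbook demo.yml -e '{"os_env_user_paths": ["/usr/sbin", "/usr/bin"]}'
- name: Scan configurable user paths for group/other-writable files
  hosts: localhost
  gather_facts: false
  vars:
    # Default list: the same directories the task quoted in the issue hard-codes.
    os_env_user_paths:
      - /usr/local/sbin
      - /usr/local/bin
      - /usr/sbin
      - /usr/bin
      - /sbin
      - /bin
    # Site-specific additions; empty unless the operator sets it.
    os_env_extra_user_paths: []
  tasks:
    - name: Find files with write-permissions for group or other
      ansible.builtin.command: find -L {{ item }} -perm /go+w -type f
      loop: "{{ os_env_user_paths + os_env_extra_user_paths }}"
      register: minimize_access_directories
      ignore_errors: true   # a missing directory must not abort the run
      changed_when: false   # read-only scan

    - name: Report what the scan found and which directories it covered
      ansible.builtin.debug:
        msg:
          scanned: "{{ os_env_user_paths + os_env_extra_user_paths }}"
          writable_files: >-
            {{ minimize_access_directories.results
               | map(attribute='stdout_lines', default=[])
               | flatten | unique }}
```

A directory removed from `os_env_user_paths` to shorten the run is no longer scanned at all, so group- or other-writable files in it go unreported by this task; the `scanned` list in the report makes that coverage explicit.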