feat(os_hardening): extend file permission tasks to cover more files

The tasks `Change shadow ownership to root and mode to 0600` and `Change passwd ownership to root and mode to 0644` only handle `/etc/shadow` and `/etc/passwd` respectively. But there multiple adjacent files that should be handled with these rules as well: - `/etc/gshadow` - `/etc/shadow-` - `/etc/gshadow-` - `/etc/group` - `/etc/shadow-` - `/etc/group-` This change adds those files to the rules, so that permissions are handled in the same way. Closes: dev-sec#488 Signed-off-by: Claudius Heine <ch@denx.de>
siemens · Oct 18, 2021 · cce9d2c · cce9d2c
1 parent 2994552
commit cce9d2c
Showing 1 changed file with 12 additions and 2 deletions.
diff --git a/roles/os_hardening/tasks/minimize_access.yml b/roles/os_hardening/tasks/minimize_access.yml
@@ -29,17 +29,27 @@
 
 - name: Change shadow ownership to root and mode to 0600 | os-02
   file:
-    dest: '/etc/shadow'
+    dest: "{{ item }}"
     owner: '{{ os_shadow_perms.owner }}'
     group: '{{ os_shadow_perms.group }}'
     mode: '{{ os_shadow_perms.mode }}'
+  loop:
+    - '/etc/shadow'
+    - '/etc/gshadow'
+    - '/etc/shadow-'
+    - '/etc/gshadow-'
 
 - name: Change passwd ownership to root and mode to 0644 | os-03
   file:
-    dest: '/etc/passwd'
+    dest: "{{ item }}"
     owner: '{{ os_passwd_perms.owner }}'
     group: '{{ os_passwd_perms.group }}'
     mode: '{{ os_passwd_perms.mode }}'
+  loop:
+    - '/etc/passwd'
+    - '/etc/group'
+    - '/etc/passwd-'
+    - '/etc/group-'
 
 - name: Change su-binary to only be accessible to user and group root
   file: