From 34d9a808d302192f409c0c73273d8274969ed6a5 Mon Sep 17 00:00:00 2001 From: andrea11 <10788630+andrea11@users.noreply.github.com> Date: Mon, 2 Jun 2025 17:58:27 +1200 Subject: [PATCH 1/2] fix: verify group exists Signed-off-by: andrea11 <10788630+andrea11@users.noreply.github.com> --- roles/os_hardening/tasks/minimize_access.yml | 217 ++++++++++--------- 1 file changed, 116 insertions(+), 101 deletions(-) diff --git a/roles/os_hardening/tasks/minimize_access.yml b/roles/os_hardening/tasks/minimize_access.yml index b0887fe2b..b989c299b 100644 --- a/roles/os_hardening/tasks/minimize_access.yml +++ b/roles/os_hardening/tasks/minimize_access.yml 
@@ -95,108 +95,123 @@ ansible.builtin.set_fact: mountpoints_list: "{{ mountpoints_list + ['/dev', '/dev/shm', '/run', '/tmp'] }}" +- name: Define filesystems variable + set_fact: + filesystems: + - path: /boot + src: "{{ os_mnt_boot_src }}" + fstype: "{{ os_mnt_boot_filesystem }}" + opts: "{{ os_mnt_boot_options }}" + enabled: "{{ os_mnt_boot_enabled }}" + mode: "{{ os_mnt_boot_dir_mode }}" + group: "{{ os_mnt_boot_group }}" + owner: "{{ os_mnt_boot_owner }}" + dump: "{{ os_mnt_boot_dump }}" + passno: "{{ os_mnt_boot_passno }}" + - path: /dev + src: "{{ os_mnt_dev_src }}" + fstype: "{{ os_mnt_dev_filesystem }}" + opts: "{{ os_mnt_dev_options }}" + enabled: "{{ os_mnt_dev_enabled }}" + mode: "{{ os_mnt_dev_dir_mode }}" + group: "{{ os_mnt_dev_group }}" + owner: "{{ os_mnt_dev_owner }}" + dump: "{{ os_mnt_dev_dump }}" + passno: "{{ os_mnt_dev_passno }}" + - path: /dev/shm + src: "{{ os_mnt_dev_shm_src }}" + fstype: "{{ os_mnt_dev_shm_filesystem }}" + opts: "{{ os_mnt_dev_shm_options }}" + enabled: "{{ os_mnt_dev_shm_enabled }}" + mode: "{{ os_mnt_dev_shm_dir_mode }}" + group: "{{ os_mnt_dev_shm_group }}" + owner: "{{ os_mnt_dev_shm_owner }}" + dump: "{{ os_mnt_dev_shm_dump }}" + passno: "{{ os_mnt_dev_shm_passno }}" + - path: /home + src: "{{ os_mnt_home_src }}" + fstype: "{{ os_mnt_home_filesystem }}" + opts: "{{ os_mnt_home_options }}" + enabled: "{{ os_mnt_home_enabled }}" + mode: "{{ os_mnt_home_dir_mode }}" + group: "{{ os_mnt_home_group }}" + owner: "{{ os_mnt_home_owner }}" + dump: "{{ os_mnt_home_dump }}" + passno: "{{ os_mnt_home_passno }}" + - path: /run + src: "{{ os_mnt_run_src }}" + fstype: "{{ os_mnt_run_filesystem }}" + opts: "{{ os_mnt_run_options }}" + enabled: "{{ os_mnt_run_enabled }}" + mode: "{{ os_mnt_run_dir_mode }}" + group: "{{ os_mnt_run_group }}" + owner: "{{ os_mnt_run_owner }}" + dump: "{{ os_mnt_run_dump }}" + passno: "{{ os_mnt_run_passno }}" + - path: /tmp + src: "{{ os_mnt_tmp_src }}" + fstype: "{{ os_mnt_tmp_filesystem }}" + opts: 
"{{ os_mnt_tmp_options }}" + enabled: "{{ os_mnt_tmp_enabled }}" + mode: "{{ os_mnt_tmp_dir_mode }}" + group: "{{ os_mnt_tmp_group }}" + owner: "{{ os_mnt_tmp_owner }}" + dump: "{{ os_mnt_tmp_dump }}" + passno: "{{ os_mnt_tmp_passno }}" + - path: /var + src: "{{ os_mnt_var_src }}" + fstype: "{{ os_mnt_var_filesystem }}" + opts: "{{ os_mnt_var_options }}" + enabled: "{{ os_mnt_var_enabled }}" + mode: "{{ os_mnt_var_dir_mode }}" + group: "{{ os_mnt_var_group }}" + owner: "{{ os_mnt_var_owner }}" + dump: "{{ os_mnt_var_dump }}" + passno: "{{ os_mnt_var_passno }}" + - path: /var/log + src: "{{ os_mnt_var_log_src }}" + fstype: "{{ os_mnt_var_log_filesystem }}" + opts: "{{ os_mnt_var_log_options }}" + enabled: "{{ os_mnt_var_log_enabled }}" + mode: "{{ os_mnt_var_log_dir_mode }}" + group: "{{ os_mnt_var_log_group }}" + owner: "{{ os_mnt_var_log_owner }}" + dump: "{{ os_mnt_var_log_dump }}" + passno: "{{ os_mnt_var_log_passno }}" + - path: /var/log/audit + src: "{{ os_mnt_var_log_audit_src }}" + fstype: "{{ os_mnt_var_log_audit_filesystem }}" + opts: "{{ os_mnt_var_log_audit_options }}" + enabled: "{{ os_mnt_var_log_audit_enabled }}" + mode: "{{ os_mnt_var_log_audit_dir_mode }}" + group: "{{ os_mnt_var_log_audit_group }}" + owner: "{{ os_mnt_var_log_audit_owner }}" + dump: "{{ os_mnt_var_log_audit_dump }}" + passno: "{{ os_mnt_var_log_audit_passno }}" + - path: /var/tmp + src: "{{ os_mnt_var_tmp_src }}" + fstype: "{{ os_mnt_var_tmp_filesystem }}" + opts: "{{ os_mnt_var_tmp_options }}" + enabled: "{{ os_mnt_var_tmp_enabled }}" + mode: "{{ os_mnt_var_tmp_dir_mode }}" + group: "{{ os_mnt_var_tmp_group }}" + owner: "{{ os_mnt_var_tmp_owner }}" + dump: "{{ os_mnt_var_tmp_dump }}" + passno: "{{ os_mnt_var_tmp_passno }}" + +- name: Extract distinct groups from filesystems + set_fact: + distinct_groups: "{{ filesystems | map(attribute='group') | unique | list }}" + +- name: Ensure all distinct groups exist + ansible.builtin.group: + name: "{{ item }}" + state: present + loop: "{{ 
distinct_groups }}" + when: distinct_groups is defined + - name: Minimize access for filesystems ansible.builtin.include_tasks: minimize_access_fs.yml loop_control: loop_var: mount - loop: - - path: /boot - src: "{{ os_mnt_boot_src }}" - fstype: "{{ os_mnt_boot_filesystem }}" - opts: "{{ os_mnt_boot_options }}" - enabled: "{{ os_mnt_boot_enabled }}" - mode: "{{ os_mnt_boot_dir_mode }}" - group: "{{ os_mnt_boot_group }}" - owner: "{{ os_mnt_boot_owner }}" - dump: "{{ os_mnt_boot_dump }}" - passno: "{{ os_mnt_boot_passno }}" - - path: /dev - src: "{{ os_mnt_dev_src }}" - fstype: "{{ os_mnt_dev_filesystem }}" - opts: "{{ os_mnt_dev_options }}" - enabled: "{{ os_mnt_dev_enabled }}" - mode: "{{ os_mnt_dev_dir_mode }}" - group: "{{ os_mnt_dev_group }}" - owner: "{{ os_mnt_dev_owner }}" - dump: "{{ os_mnt_dev_dump }}" - passno: "{{ os_mnt_dev_passno }}" - - path: /dev/shm - src: "{{ os_mnt_dev_shm_src }}" - fstype: "{{ os_mnt_dev_shm_filesystem }}" - opts: "{{ os_mnt_dev_shm_options }}" - enabled: "{{ os_mnt_dev_shm_enabled }}" - mode: "{{ os_mnt_dev_shm_dir_mode }}" - group: "{{ os_mnt_dev_shm_group }}" - owner: "{{ os_mnt_dev_shm_owner }}" - dump: "{{ os_mnt_dev_shm_dump }}" - passno: "{{ os_mnt_dev_shm_passno }}" - - path: /home - src: "{{ os_mnt_home_src }}" - fstype: "{{ os_mnt_home_filesystem }}" - opts: "{{ os_mnt_home_options }}" - enabled: "{{ os_mnt_home_enabled }}" - mode: "{{ os_mnt_home_dir_mode }}" - group: "{{ os_mnt_home_group }}" - owner: "{{ os_mnt_home_owner }}" - dump: "{{ os_mnt_home_dump }}" - passno: "{{ os_mnt_home_passno }}" - - path: /run - src: "{{ os_mnt_run_src }}" - fstype: "{{ os_mnt_run_filesystem }}" - opts: "{{ os_mnt_run_options }}" - enabled: "{{ os_mnt_run_enabled }}" - mode: "{{ os_mnt_run_dir_mode }}" - group: "{{ os_mnt_run_group }}" - owner: "{{ os_mnt_run_owner }}" - dump: "{{ os_mnt_run_dump }}" - passno: "{{ os_mnt_run_passno }}" - - path: /tmp - src: "{{ os_mnt_tmp_src }}" - fstype: "{{ os_mnt_tmp_filesystem }}" - opts: "{{ 
os_mnt_tmp_options }}" - enabled: "{{ os_mnt_tmp_enabled }}" - mode: "{{ os_mnt_tmp_dir_mode }}" - group: "{{ os_mnt_tmp_group }}" - owner: "{{ os_mnt_tmp_owner }}" - dump: "{{ os_mnt_tmp_dump }}" - passno: "{{ os_mnt_tmp_passno }}" - - path: /var - src: "{{ os_mnt_var_src }}" - fstype: "{{ os_mnt_var_filesystem }}" - opts: "{{ os_mnt_var_options }}" - enabled: "{{ os_mnt_var_enabled }}" - mode: "{{ os_mnt_var_dir_mode }}" - group: "{{ os_mnt_var_group }}" - owner: "{{ os_mnt_var_owner }}" - dump: "{{ os_mnt_var_dump }}" - passno: "{{ os_mnt_var_passno }}" - - path: /var/log - src: "{{ os_mnt_var_log_src }}" - fstype: "{{ os_mnt_var_log_filesystem }}" - opts: "{{ os_mnt_var_log_options }}" - enabled: "{{ os_mnt_var_log_enabled }}" - mode: "{{ os_mnt_var_log_dir_mode }}" - group: "{{ os_mnt_var_log_group }}" - owner: "{{ os_mnt_var_log_owner }}" - dump: "{{ os_mnt_var_log_dump }}" - passno: "{{ os_mnt_var_log_passno }}" - - path: /var/log/audit - src: "{{ os_mnt_var_log_audit_src }}" - fstype: "{{ os_mnt_var_log_audit_filesystem }}" - opts: "{{ os_mnt_var_log_audit_options }}" - enabled: "{{ os_mnt_var_log_audit_enabled }}" - mode: "{{ os_mnt_var_log_audit_dir_mode }}" - group: "{{ os_mnt_var_log_audit_group }}" - owner: "{{ os_mnt_var_log_audit_owner }}" - dump: "{{ os_mnt_var_log_audit_dump }}" - passno: "{{ os_mnt_var_log_audit_passno }}" - - path: /var/tmp - src: "{{ os_mnt_var_tmp_src }}" - fstype: "{{ os_mnt_var_tmp_filesystem }}" - opts: "{{ os_mnt_var_tmp_options }}" - enabled: "{{ os_mnt_var_tmp_enabled }}" - mode: "{{ os_mnt_var_tmp_dir_mode }}" - group: "{{ os_mnt_var_tmp_group }}" - owner: "{{ os_mnt_var_tmp_owner }}" - dump: "{{ os_mnt_var_tmp_dump }}" - passno: "{{ os_mnt_var_tmp_passno }}" + loop: "{{ filesystems }}" From 1ca7fa27a8f42f32edc762e31521336119ecae73 Mon Sep 17 00:00:00 2001 From: andrea11 <10788630+andrea11@users.noreply.github.com> Date: Mon, 2 Jun 2025 19:00:12 +1200 Subject: [PATCH 2/2] chore: use fqcn for set_fact 
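Review bot: The new `Ensure all distinct groups exist` task creates any missing group with `state: present`, which is a stronger side effect than the commit title ("verify group exists") suggests: a mistyped `os_mnt_*_group` value is silently turned into a new, non-system group (no `system: true`) instead of failing the run, and the loop ignores each entry's `enabled` flag, so groups are created even for mounts the role otherwise leaves alone (assuming `enabled` gates the per-mount work in minimize_access_fs.yml, which is outside this hunk). If creation is intended, restrict it to enabled mounts and mark them as system groups, e.g. `distinct_groups: "{{ filesystems | selectattr('enabled') | map(attribute='group') | unique | list }}"` plus `system: true` on the `ansible.builtin.group` task; if verification is intended, replace it with a `getent` lookup of `group` and an `ansible.builtin.assert` that each name is present. The `when: distinct_groups is defined` guard is redundant, since the preceding `set_fact` always defines the variable.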
Signed-off-by: andrea11 <10788630+andrea11@users.noreply.github.com> --- roles/os_hardening/tasks/minimize_access.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/os_hardening/tasks/minimize_access.yml b/roles/os_hardening/tasks/minimize_access.yml index b989c299b..636450f99 100644 --- a/roles/os_hardening/tasks/minimize_access.yml +++ b/roles/os_hardening/tasks/minimize_access.yml @@ -96,7 +96,7 @@ mountpoints_list: "{{ mountpoints_list + ['/dev', '/dev/shm', '/run', '/tmp'] }}" - name: Define filesystems variable - set_fact: + ansible.builtin.set_fact: filesystems: - path: /boot src: "{{ os_mnt_boot_src }}" @@ -200,7 +200,7 @@ passno: "{{ os_mnt_var_tmp_passno }}" - name: Extract distinct groups from filesystems - set_fact: + ansible.builtin.set_fact: distinct_groups: "{{ filesystems | map(attribute='group') | unique | list }}" - name: Ensure all distinct groups exist