Fix risky-file-permissions because of unpecified mode

2024-10-28 18:37:44 +01:00 · 2024-10-28 18:37:44 +01:00 · adde811f47
commit adde811f47
parent f788767839
4 changed files with 11 additions and 1 deletions
--- a/roles/cis/tasks/main.yml
+++ b/roles/cis/tasks/main.yml
@ -4,6 +4,7 @@
    - name: Disable Kernel Modules
      ansible.builtin.copy:
        dest: /mnt/etc/modprobe.d/cis.conf
+        mode: '0644'
        content: |
          CIS LVL 3 Restrictions
          install freevxfs        /bin/true
@ -22,6 +23,7 @@
    - name: Create USB Rules
      ansible.builtin.copy:
        dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh
+        mode: '0644'
        content: |
          By default, disable all.
          ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
@ -38,6 +40,7 @@
    - name: Create a consolidated sysctl configuration file
      ansible.builtin.copy:
        dest: /mnt/etc/sysctl.d/10-cis.conf
+        mode: '0644'
        content: |
          ## CIS Sysctl configurations
          net.ipv4.conf.all.log_martians = 1
--- a/roles/configuration/tasks/main.yml
+++ b/roles/configuration/tasks/main.yml
@ -39,6 +39,7 @@
          ansible.builtin.copy:
            content: "{{ hostname }}"
            dest: /mnt/etc/hostname
+            mode: '0644'

        - name: Add host entry to /etc/hosts
          ansible.builtin.lineinfile:
@ -48,13 +49,15 @@

        - name: Create vconsole.conf
          ansible.builtin.copy:
-            content: KEYMAP=us-intl
+            content: KEYMAP=us
            dest: /mnt/etc/vconsole.conf
+            mode: '0644'

        - name: Create locale.conf
          ansible.builtin.copy:
            content: LANG=en_US.UTF-8
            dest: /mnt/etc/locale.conf
+            mode: '0644'

        - name: SSH permit Password
          ansible.builtin.replace:
@ -131,6 +134,7 @@
          ansible.builtin.template:
            src: custom.sh.j2
            dest: /mnt/etc/profile.d/custom.sh
+            mode: '0644'

    - name: Setup Network
      block:
--- a/roles/environment/tasks/main.yml
+++ b/roles/environment/tasks/main.yml
@ -66,8 +66,10 @@
          ansible.builtin.file:
            path: /etc/yum.repos.d
            state: directory
+            mode: '0755'

        - name: Create RHEL repository file
          ansible.builtin.template:
            src: "{{ os | lower }}.repo.j2"
            dest: /etc/yum.repos.d/{{ os | lower }}.repo
+            mode: '0644'
--- a/roles/virtualization/tasks/libvirt.yml
+++ b/roles/virtualization/tasks/libvirt.yml
@ -21,6 +21,7 @@
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: /tmp/{{ item.dest_prefix }}-{{ hostname }}.yml
+    mode: '0644'
  loop:
    - { src: cloud-user-data.yml.j2, dest_prefix: cloud-user-data }
    - { src: cloud-network-config.yml.j2, dest_prefix: cloud-network-config }