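---
# Build the list of CIS permission targets as a fact so the stat/file tasks
# that follow can loop over it. Every entry is {path, mode}; mode is kept as
# a quoted octal string so YAML does not retype it. Entries that do not apply
# to the current `os` evaluate to None and are dropped by reject("none").
# NOTE(review): `os` is not defined in this file — presumably an inventory or
# role variable naming the distro; confirm the set of values it can take.
- name: Build CIS permission targets
  ansible.builtin.set_fact:
    cis_permission_targets: >-
      {{
        [
          { "path": "/mnt/etc/ssh/sshd_config", "mode": "0600" },
          { "path": "/mnt/etc/cron.hourly", "mode": "0700" },
          { "path": "/mnt/etc/cron.daily", "mode": "0700" },
          { "path": "/mnt/etc/cron.weekly", "mode": "0700" },
          { "path": "/mnt/etc/cron.monthly", "mode": "0700" },
          { "path": "/mnt/etc/cron.d", "mode": "0700" },
          { "path": "/mnt/etc/crontab", "mode": "0600" },
          { "path": "/mnt/etc/logrotate.conf", "mode": "0644" },
          { "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9", "rhel10"] else None,
          { "path": "/mnt/usr/bin/" + ("fusermount3" if os in ["archlinux", "debian12", "fedora", "rhel9",
            "rhel10", "rocky"] else "fusermount"), "mode": "0755" },
          { "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian11" else "write"), "mode": "0755" }
        ] | reject("none")
      }}
  # set_fact never reports a change; kept for explicitness.
  changed_when: false
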
# Stat every target so the chmod task can be limited to paths that actually
# exist on this host. The per-item results land in cis_permission_stats.
# NOTE(review): stat does not follow symlinks unless `follow: true` is set,
# so `exists` refers to the link itself for a symlinked target.
- name: Check CIS permission targets
  ansible.builtin.stat:
    path: '{{ item.path }}'
  register: cis_permission_stats
  changed_when: false
  loop: '{{ cis_permission_targets }}'

# Apply the CIS mode to each target that the stat task found. owner/group
# are only set when the target entry carries them; the entries built in this
# file only have path and mode, so both are omitted today.
# NOTE(review): ansible.builtin.file follows symlinks by default while the
# stat task above does not, so a symlinked target under /mnt would get its
# mode applied to the link destination — consider `follow: false` if /mnt is
# a separate root whose absolute symlinks must not resolve on this host.
- name: Set permissions for existing targets
  ansible.builtin.file:
    path: '{{ item.item.path }}'
    mode: '{{ item.item.mode }}'
    owner: '{{ item.item.owner | default(omit) }}'
    group: '{{ item.item.group | default(omit) }}'
  when: item.stat.exists
  loop: '{{ cis_permission_stats.results }}'