From 88df90428214dc0c777a57546b3e3d46ee939be4 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Fri, 9 Oct 2020 10:30:12 +0200
Subject: [PATCH 1/7] Customize fstab with noexec and softdep
Add softdep to each partitions
Add noexec to /tmp and remount it if necessary
---
roles/base/handlers/main.yml | 5 +++
roles/base/tasks/fstab.yml | 76 ++++++++++++++++++++++++++++++++++++
roles/base/tasks/main.yml | 1 +
3 files changed, 82 insertions(+)
create mode 100644 roles/base/tasks/fstab.yml
diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml
index ba888e0..a424527 100644
--- a/roles/base/handlers/main.yml
+++ b/roles/base/handlers/main.yml
@@ -1,3 +1,8 @@
 ---
 - name: newaliases
 shell: smtpctl update table aliases
+
+- name: remount /tmp
+ command: mount -u -o noexec /tmp
+ args:
+ warn: no
diff --git a/roles/base/tasks/fstab.yml b/roles/base/tasks/fstab.yml
new file mode 100644
index 0000000..eee8152
--- /dev/null
+++ b/roles/base/tasks/fstab.yml
@@ -0,0 +1,76 @@
+---
+- name: Fetch fstab content
+ command: "grep -v '^#' /etc/fstab"
+ check_mode: no
+ register: fstab_content
+ failed_when: false
+ changed_when: false
+ tags:
+ - fstab
+
+- name: / partition is customized - softdep
+ replace:
+ dest: /etc/fstab
+ regexp: '(\s+/\s+\S+\s+rw)(.*)'
+ replace: '\1,softdep\2'
+ when:
+ - fstab_content.stdout | regex_search('\s/\s')
+ - not (fstab_content.stdout | regex_search('\s+/\s+\S+\s+rw,softdep'))
+ tags:
+ - fstab
+
+- name: /var partition is customized - softdep
+ replace:
+ dest: /etc/fstab
+ regexp: '(\s+/var\s+\S+\s+rw)(.*)'
+ replace: '\1,softdep\2'
+ when:
+ - fstab_content.stdout | regex_search('\s/var\s')
+ - not (fstab_content.stdout | regex_search('\s+/var\s+\S+\s+rw,softdep'))
+ tags:
+ - fstab
+
+- name: /usr partition is customized - softdep
+ replace:
+ dest: /etc/fstab
+ regexp: '(\s+/usr\s+\S+\s+rw)(.*)'
+ replace: '\1,softdep\2'
+ when:
+ - fstab_content.stdout | regex_search('\s/usr\s')
+ - not (fstab_content.stdout | regex_search('\s+/usr\s+\S+\s+rw,softdep'))
+ tags:
+ - fstab
+
+- name: /tmp partition is customized - noexec
+ replace:
+ dest: /etc/fstab
+ regexp: '(\s+/tmp\s+\S+\s+rw(,softdep)*)(.*)'
+ replace: '\1,noexec\3'
+ when:
+ - fstab_content.stdout | regex_search('\s/tmp\s')
+ - not (fstab_content.stdout | regex_search('\s+/tmp\s+\S+\s+rw,(softdep,)*noexec'))
+ tags:
+ - fstab
+
+- name: /tmp partition is customized - softdep
+ replace:
+ dest: /etc/fstab
+ regexp: '(\s+/tmp\s+\S+\s+rw)(.*)'
+ replace: '\1,softdep\2'
+ notify: remount /tmp
+ when:
+ - fstab_content.stdout | regex_search('\s/tmp\s')
+ - not (fstab_content.stdout | regex_search('\s+/tmp\s+\S+\s+rw,softdep'))
+ tags:
+ - fstab
+
+- name: /home partition is customized - softdep
+ replace:
+ dest: /etc/fstab
+ regexp: '(\s+/home\s+\S+\s+rw)(.*)'
+ replace: '\1,softdep\2'
+ when:
+ - fstab_content.stdout | regex_search('\s/home\s')
+ - not (fstab_content.stdout | regex_search('\s+/home\s+\S+\s+rw,softdep'))
+ tags:
+ - fstab
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 3b1ca7a..bd467b3 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -9,3 +9,4 @@
 - include: evobackup.yml
 - include: newsyslog.yml
 - include: cron.yml
+- include: fstab.yml
From e019b797230fc775a6640817e10a14ebddadbfca Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Fri, 9 Oct 2020 10:55:12 +0200
Subject: [PATCH 2/7] yamllint + correction /tmp softdep
softdep is not added anymore if noexec is already defined after rw
---
roles/base/handlers/main.yml | 2 +-
roles/base/tasks/fstab.yml | 28 +++++++++++++++-------------
2 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml
index a424527..7d18f17 100644
--- a/roles/base/handlers/main.yml
+++ b/roles/base/handlers/main.yml
@@ -5,4 +5,4 @@
 - name: remount /tmp
 command: mount -u -o noexec /tmp
 args:
- warn: no
+ warn: false
diff --git a/roles/base/tasks/fstab.yml b/roles/base/tasks/fstab.yml
index eee8152..7112137 100644
--- a/roles/base/tasks/fstab.yml
+++ b/roles/base/tasks/fstab.yml
@@ -1,7 +1,7 @@
 ---
 - name: Fetch fstab content
 command: "grep -v '^#' /etc/fstab"
- check_mode: no
+ check_mode: false
 register: fstab_content
 failed_when: false
 changed_when: false
@@ -14,8 +14,8 @@
 regexp: '(\s+/\s+\S+\s+rw)(.*)'
 replace: '\1,softdep\2'
 when:
- - fstab_content.stdout | regex_search('\s/\s')
- - not (fstab_content.stdout | regex_search('\s+/\s+\S+\s+rw,softdep'))
+ - fstab_content.stdout | regex_search('\s/\s')
+ - not (fstab_content.stdout | regex_search('\s+/\s+\S+\s+rw,softdep'))
 tags:
 - fstab
@@ -25,8 +25,8 @@
 regexp: '(\s+/var\s+\S+\s+rw)(.*)'
 replace: '\1,softdep\2'
 when:
- - fstab_content.stdout | regex_search('\s/var\s')
- - not (fstab_content.stdout | regex_search('\s+/var\s+\S+\s+rw,softdep'))
+ - fstab_content.stdout | regex_search('\s/var\s')
+ - not (fstab_content.stdout | regex_search('\s+/var\s+\S+\s+rw,softdep'))
 tags:
 - fstab
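Review bot: In patch 1's new fstab.yml, `notify: remount /tmp` hangs only on the '/tmp partition is customized - softdep' task, so a host whose /tmp line already reads `rw,softdep` gets `noexec` written to fstab by the noexec task while the softdep task is skipped by its own guard and the handler never runs; /tmp then stays mounted without noexec until the next reboot even though the play reports the change as applied. Add `notify: remount /tmp` to the noexec task as well — Ansible runs a notified handler once per play, so notifying from both tasks is harmless. A comment above the Fetch task would also protect future edits, since every guard reads the pre-edit snapshot: `# fstab_content is captured before any replace runs; each guard below must hold independently of the other tasks' edits`.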
@@ -36,8 +36,8 @@
 regexp: '(\s+/usr\s+\S+\s+rw)(.*)'
 replace: '\1,softdep\2'
 when:
- - fstab_content.stdout | regex_search('\s/usr\s')
- - not (fstab_content.stdout | regex_search('\s+/usr\s+\S+\s+rw,softdep'))
+ - fstab_content.stdout | regex_search('\s/usr\s')
+ - not (fstab_content.stdout | regex_search('\s+/usr\s+\S+\s+rw,softdep'))
 tags:
 - fstab
@@ -47,8 +47,9 @@
 regexp: '(\s+/tmp\s+\S+\s+rw(,softdep)*)(.*)'
 replace: '\1,noexec\3'
 when:
- - fstab_content.stdout | regex_search('\s/tmp\s')
- - not (fstab_content.stdout | regex_search('\s+/tmp\s+\S+\s+rw,(softdep,)*noexec'))
+ - fstab_content.stdout | regex_search('\s/tmp\s')
+ - not (fstab_content.stdout
+ | regex_search('\s+/tmp\s+\S+\s+rw,(softdep,)*noexec'))
 tags:
 - fstab
@@ -59,8 +60,9 @@
 replace: '\1,softdep\2'
 notify: remount /tmp
 when:
- - fstab_content.stdout | regex_search('\s/tmp\s')
- - not (fstab_content.stdout | regex_search('\s+/tmp\s+\S+\s+rw,softdep'))
+ - fstab_content.stdout | regex_search('\s/tmp\s')
+ - not (fstab_content.stdout
+ | regex_search('\s+/tmp\s+\S+\s+rw,(noexec,)*softdep'))
 tags:
 - fstab
@@ -70,7 +72,7 @@
 regexp: '(\s+/home\s+\S+\s+rw)(.*)'
 replace: '\1,softdep\2'
 when:
- - fstab_content.stdout | regex_search('\s/home\s')
- - not (fstab_content.stdout | regex_search('\s+/home\s+\S+\s+rw,softdep'))
+ - fstab_content.stdout | regex_search('\s/home\s')
+ - not (fstab_content.stdout | regex_search('\s+/home\s+\S+\s+rw,softdep'))
 tags:
 - fstab
From 4f201d3a7352f7318bfc1767df82c12abfedf348 Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Fri, 9 Oct 2020 14:15:46 +0200
Subject: [PATCH 3/7] Customize root crontab and daily.local
Add custome PATH to root crontab
Add environment variable to daily.local
Add a "next_part" before the evocheck line in daily.local
---
roles/base/tasks/main.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index bd467b3..5db225a 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
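Review bot: The new guard `rw,(noexec,)*softdep` in the @@ -59 hunk (and `rw,(softdep,)*noexec` in the @@ -47 hunk above it) only recognises the option when it sits directly after `rw`, optionally separated by the one other option this role manages; an existing line such as `rw,nodev,nosuid,softdep` fails the guard, so the replace inserts a second `softdep` right after `rw` and leaves `rw,softdep,nodev,nosuid,softdep` in fstab together with a spurious changed result. The same fixed-position assumption sits in the `rw,softdep` guards of the @@ -14, @@ -25, @@ -36 and @@ -70 hunks for /, /var, /usr and /home. Matching the option anywhere in the option field avoids this, e.g. `- not (fstab_content.stdout | regex_search('\s+/tmp\s+\S+\s+rw\S*,softdep\b'))` and `- not (fstab_content.stdout | regex_search('\s+/tmp\s+\S+\s+rw\S*,noexec\b'))`, with the same shape for the other mount points. Each of these hunks starts after the task's `replace:` header, so the surrounding task is not visible here.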
@@ -10,3 +10,4 @@
 - include: newsyslog.yml
 - include: cron.yml
 - include: fstab.yml
+- include: cron.yml
From 0a4e970ab81d9421f5a01c5d7fab1276367130cf Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Fri, 9 Oct 2020 10:30:12 +0200
Subject: [PATCH 4/7] Customize fstab with noexec and softdep
Add softdep to each partitions
Add noexec to /tmp and remount it if necessary
---
roles/base/tasks/main.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 5db225a..6c7fd81 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -11,3 +11,4 @@
 - include: cron.yml
 - include: fstab.yml
 - include: cron.yml
+- include: fstab.yml
From bd4748b4037ce27d3602fa0f99f09c6df03358be Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Fri, 9 Oct 2020 14:15:46 +0200
Subject: [PATCH 5/7] Customize root crontab and daily.local
Add custome PATH to root crontab
Add environment variable to daily.local
Add a "next_part" before the evocheck line in daily.local
---
roles/base/tasks/main.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 6c7fd81..5db225a 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -11,4 +11,3 @@
 - include: cron.yml
 - include: fstab.yml
 - include: cron.yml
-- include: fstab.yml
From 5fa8e0c9bbeffb0915afca14530b90f798ea380e Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Fri, 9 Oct 2020 10:30:12 +0200
Subject: [PATCH 6/7] Customize fstab with noexec and softdep
Add softdep to each partitions
Add noexec to /tmp and remount it if necessary
---
roles/base/tasks/main.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 5db225a..6c7fd81 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -11,3 +11,4 @@
 - include: cron.yml
 - include: fstab.yml
 - include: cron.yml
+- include: fstab.yml
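Review bot: The added `- include: cron.yml` in patch 3 duplicates the `- include: cron.yml` already visible as context two lines above it, so every play would run the cron tasks twice, and nothing in this diff touches the root crontab or daily.local that the commit message describes. Patches 4 to 6 then add, remove and re-add a second `- include: fstab.yml` against the same file, and patch 7 deletes both duplicates, so the five commits net to no change in the tree; squash them out of the series and, if the crontab/daily.local work exists, bring it in as its own commit with a matching message.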
From 92837424fb67358c0f6c15e127028cfda29418ca Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Fri, 9 Oct 2020 15:35:23 +0200
Subject: [PATCH 7/7] Fix weird commits
---
roles/base/tasks/main.yml | 2 --
1 file changed, 2 deletions(-)
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 6c7fd81..bd467b3 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -10,5 +10,3 @@
 - include: newsyslog.yml
 - include: cron.yml
 - include: fstab.yml
-- include: cron.yml
-- include: fstab.yml