Customize fstab with noexec and softdep

Add softdep to each partitions Add noexec to /tmp and remount it if necessary
2020-10-09 10:30:12 +02:00 · 2020-10-09 10:30:12 +02:00 · 88df904282
parent c9d1bff1c6
commit 88df904282
3 changed files with 82 additions and 0 deletions
--- a/roles/base/handlers/main.yml
+++ b/roles/base/handlers/main.yml
@ -1,3 +1,8 @@
 ---
 - name: newaliases
  shell: smtpctl update table aliases
+
+- name: remount /tmp
+  command: mount -u -o noexec /tmp
+  args:
+    warn: no
--- a/roles/base/tasks/fstab.yml
+++ b/roles/base/tasks/fstab.yml
@ -0,0 +1,76 @@
+---
+- name: Fetch fstab content
+  command: "grep -v '^#' /etc/fstab"
+  check_mode: no
+  register: fstab_content
+  failed_when: false
+  changed_when: false
+  tags:
+    - fstab
+
+- name: / partition is customized - softdep
+  replace:
+    dest: /etc/fstab
+    regexp: '(\s+/\s+\S+\s+rw)(.*)'
+    replace: '\1,softdep\2'
+  when:
+  - fstab_content.stdout | regex_search('\s/\s')
+  - not (fstab_content.stdout | regex_search('\s+/\s+\S+\s+rw,softdep'))
+  tags:
+    - fstab
+
+- name: /var partition is customized - softdep
+  replace:
+    dest: /etc/fstab
+    regexp: '(\s+/var\s+\S+\s+rw)(.*)'
+    replace: '\1,softdep\2'
+  when:
+  - fstab_content.stdout | regex_search('\s/var\s')
+  - not (fstab_content.stdout | regex_search('\s+/var\s+\S+\s+rw,softdep'))
+  tags:
+    - fstab
+
+- name: /usr partition is customized - softdep
+  replace:
+    dest: /etc/fstab
+    regexp: '(\s+/usr\s+\S+\s+rw)(.*)'
+    replace: '\1,softdep\2'
+  when:
+  - fstab_content.stdout | regex_search('\s/usr\s')
+  - not (fstab_content.stdout | regex_search('\s+/usr\s+\S+\s+rw,softdep'))
+  tags:
+    - fstab
+
+- name: /tmp partition is customized - noexec
+  replace:
+    dest: /etc/fstab
+    regexp: '(\s+/tmp\s+\S+\s+rw(,softdep)*)(.*)'
+    replace: '\1,noexec\3'
+  when:
+  - fstab_content.stdout | regex_search('\s/tmp\s')
+  - not (fstab_content.stdout | regex_search('\s+/tmp\s+\S+\s+rw,(softdep,)*noexec'))
+  tags:
+    - fstab
+
+- name: /tmp partition is customized - softdep
+  replace:
+    dest: /etc/fstab
+    regexp: '(\s+/tmp\s+\S+\s+rw)(.*)'
+    replace: '\1,softdep\2'
+  notify: remount /tmp
+  when:
+  - fstab_content.stdout | regex_search('\s/tmp\s')
+  - not (fstab_content.stdout | regex_search('\s+/tmp\s+\S+\s+rw,softdep'))
+  tags:
+    - fstab
+
+- name: /home partition is customized - softdep
+  replace:
+    dest: /etc/fstab
+    regexp: '(\s+/home\s+\S+\s+rw)(.*)'
+    replace: '\1,softdep\2'
+  when:
+  - fstab_content.stdout | regex_search('\s/home\s')
+  - not (fstab_content.stdout | regex_search('\s+/home\s+\S+\s+rw,softdep'))
+  tags:
+    - fstab
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@ -9,3 +9,4 @@
 - include: evobackup.yml
 - include: newsyslog.yml
 - include: cron.yml
+- include: fstab.yml