move FHS restrictions to a new file
parent
453b78a59b
commit
e10e971dbe
|
@ -2,3 +2,4 @@
|
||||||
# defaults file for packweb-apache
|
# defaults file for packweb-apache
|
||||||
general_alert_email: "root@localhost"
|
general_alert_email: "root@localhost"
|
||||||
packweb_enable_evoadmin_vhost: True
|
packweb_enable_evoadmin_vhost: True
|
||||||
|
packweb_fhs_retrictions: True
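Review bot: The new default `packweb_fhs_retrictions` misspells "restrictions". As a role default, this is the name operators will set in inventories to turn the permission hardening off, so it is cheaper to correct before anyone depends on it: `packweb_fhs_restrictions: True`, with the same spelling carried into the tasks file name and the `when:` on its include. A one-line comment above the variable would also help, for example `# False skips the chmod hardening tasks (other-read removal, 750/640 modes, setuid removal)`.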
|
||||||
|
|
63
packweb-apache/tasks/fhs_retrictions.yml
Normal file
63
packweb-apache/tasks/fhs_retrictions.yml
Normal file
|
@ -0,0 +1,63 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Remove read permission on some folders (/, /etc, ...)
|
||||||
|
shell: "test -d {{ item }} && chmod --verbose o-r {{ item }}"
|
||||||
|
register: command_result
|
||||||
|
changed_when: "'changed' in command_result.stdout"
|
||||||
|
failed_when: False
|
||||||
|
with_items:
|
||||||
|
- /
|
||||||
|
- /etc
|
||||||
|
- /usr
|
||||||
|
- /usr/bin
|
||||||
|
- /var
|
||||||
|
- /var/log
|
||||||
|
- /home
|
||||||
|
- /bin
|
||||||
|
- /sbin
|
||||||
|
- /lib
|
||||||
|
- /usr/lib
|
||||||
|
- /usr/include
|
||||||
|
- /usr/bin
|
||||||
|
- /usr/sbin
|
||||||
|
- /usr/share
|
||||||
|
- /usr/share/doc
|
||||||
|
- /etc/default
|
||||||
|
|
||||||
|
- name: Set 750 permission on some folders (/var/log/apt, /var/log/munin, ...)
|
||||||
|
shell: "test -d {{ item }} && chmod --verbose 750 {{ item }}"
|
||||||
|
register: command_result
|
||||||
|
changed_when: "'changed' in command_result.stdout"
|
||||||
|
failed_when: False
|
||||||
|
with_items:
|
||||||
|
- /var/log/apt
|
||||||
|
- /var/lib/dpkg
|
||||||
|
- /var/log/munin
|
||||||
|
- /var/backups
|
||||||
|
- /etc/init.d
|
||||||
|
- /etc/apache2
|
||||||
|
- /etc/network
|
||||||
|
- /etc/phpmyadmin
|
||||||
|
- /var/log/installer
|
||||||
|
|
||||||
|
- name: Set u-s permission on some binaries (/bin/ping, /usr/bin/mtr, ...)
|
||||||
|
shell: "test -f {{ item }} && chmod --verbose u-s {{ item }}"
|
||||||
|
register: command_result
|
||||||
|
changed_when: "'changed' in command_result.stdout"
|
||||||
|
failed_when: False
|
||||||
|
with_items:
|
||||||
|
- /bin/ping
|
||||||
|
- /bin/ping6
|
||||||
|
- /usr/bin/fping
|
||||||
|
- /usr/bin/fping6
|
||||||
|
- /usr/bin/mtr
|
||||||
|
|
||||||
|
- name: Set 640 permission on some files (/var/log/evolix.log, ...)
|
||||||
|
shell: "test -f {{ item }} && chmod --verbose 640 {{ item }}"
|
||||||
|
register: command_result
|
||||||
|
changed_when: "'changed' in command_result.stdout"
|
||||||
|
failed_when: False
|
||||||
|
with_items:
|
||||||
|
- /var/log/evolix.log
|
||||||
|
- /etc/warnquota.conf
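Review bot: `failed_when: False` on all four tasks hides a `chmod` that genuinely fails, so a play can finish looking clean while a directory keeps its other-read bit or a binary keeps its setuid bit. The flag is presumably there because `test -d` / `test -f` returns non-zero for a missing path. That case leaves stderr empty, so `failed_when: command_result.stderr != ''` would keep missing paths quiet and still surface real errors. `/usr/bin` is also listed twice in the first `with_items` list. A short header comment saying that the file removes other-read on system directories, sets 750/640 on selected paths and strips setuid from the ping/fping/mtr binaries would make the intent easier to audit.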
|
||||||
|
|
|
@ -48,66 +48,8 @@
|
||||||
|
|
||||||
- include: awstats.yml
|
- include: awstats.yml
|
||||||
|
|
||||||
- name: Remove read permission on some folders (/, /etc, ...)
|
- include: fhs_retrictions.yml
|
||||||
shell: "test -d {{ item }} && chmod --verbose o-r {{ item }}"
|
when: packweb_fhs_retrictions
|
||||||
register: command_result
|
|
||||||
changed_when: "'changed' in command_result.stdout"
|
|
||||||
failed_when: False
|
|
||||||
with_items:
|
|
||||||
- /
|
|
||||||
- /etc
|
|
||||||
- /usr
|
|
||||||
- /usr/bin
|
|
||||||
- /var
|
|
||||||
- /var/log
|
|
||||||
- /home
|
|
||||||
- /bin
|
|
||||||
- /sbin
|
|
||||||
- /lib
|
|
||||||
- /usr/lib
|
|
||||||
- /usr/include
|
|
||||||
- /usr/bin
|
|
||||||
- /usr/sbin
|
|
||||||
- /usr/share
|
|
||||||
- /usr/share/doc
|
|
||||||
- /etc/default
|
|
||||||
|
|
||||||
- name: Set 750 permission on some folders (/var/log/apt, /var/log/munin, ...)
|
|
||||||
shell: "test -d {{ item }} && chmod --verbose 750 {{ item }}"
|
|
||||||
register: command_result
|
|
||||||
changed_when: "'changed' in command_result.stdout"
|
|
||||||
failed_when: False
|
|
||||||
with_items:
|
|
||||||
- /var/log/apt
|
|
||||||
- /var/lib/dpkg
|
|
||||||
- /var/log/munin
|
|
||||||
- /var/backups
|
|
||||||
- /etc/init.d
|
|
||||||
- /etc/apache2
|
|
||||||
- /etc/network
|
|
||||||
- /etc/phpmyadmin
|
|
||||||
- /var/log/installer
|
|
||||||
|
|
||||||
- name: Set u-s permission on some binaries (/bin/ping, /usr/bin/mtr, ...)
|
|
||||||
shell: "test -f {{ item }} && chmod --verbose u-s {{ item }}"
|
|
||||||
register: command_result
|
|
||||||
changed_when: "'changed' in command_result.stdout"
|
|
||||||
failed_when: False
|
|
||||||
with_items:
|
|
||||||
- /bin/ping
|
|
||||||
- /bin/ping6
|
|
||||||
- /usr/bin/fping
|
|
||||||
- /usr/bin/fping6
|
|
||||||
- /usr/bin/mtr
|
|
||||||
|
|
||||||
- name: Set 640 permission on some files (/var/log/evolix.log, ...)
|
|
||||||
shell: "test -f {{ item }} && chmod --verbose 640 {{ item }}"
|
|
||||||
register: command_result
|
|
||||||
changed_when: "'changed' in command_result.stdout"
|
|
||||||
failed_when: False
|
|
||||||
with_items:
|
|
||||||
- /var/log/evolix.log
|
|
||||||
- /etc/warnquota.conf
|
|
||||||
|
|
||||||
- name: Install Evoadmin
|
- name: Install Evoadmin
|
||||||
include_role:
|
include_role:
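Review bot: `when: packweb_fhs_retrictions` tests a bare variable, so a value supplied as a string (for instance through extra vars on the command line) may not be evaluated as the boolean the operator intended. How such values are treated has, as far as I know, varied between Ansible releases. `when: packweb_fhs_retrictions | bool` makes the switch for the hardening tasks unambiguous. The rest of the tasks file lies outside this hunk, so the remaining conditionals could not be checked for the same pattern.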
|
||||||
|
|