diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md index 04525d4d..e5c1f8e1 100644 --- a/roles/os_hardening/README.md +++ b/roles/os_hardening/README.md @@ -54,19 +54,18 @@ We disable the following filesystems, because they're most likely not used: To prevent some of the filesystems from being disabled, add them to the `os_filesystem_whitelist` variable. - ## Supported Operating Systems - -| Platform | Versions | -| --------- | -------------------- | -| EL | 7, 8, 9 | -| Ubuntu | bionic, focal, jammy | -| Debian | buster, bullseye | -| Amazon | | -| Fedora | | -| ArchLinux | | -| SmartOS | | -| opensuse | | +- EL + - 7, 8, 9 +- Ubuntu + - bionic, focal, jammy +- Debian + - buster, bullseye +- Amazon +- Fedora +- ArchLinux +- SmartOS +- opensuse ## Role Variables @@ -290,14 +289,14 @@ To prevent some of the filesystems from being disabled, add them to the `os_file - Description: true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc. - Type: bool - Required: no -- `os_env_user_paths` - - Default: `[/usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin, /sbin, /bin]` - - Description: Specify paths to the user's `PATH` variable. - - Type: list - - Required: no - `os_env_extra_user_paths` - Default: `"[]"` - - Description: add additional paths to the user's `PATH` variable (default is empty). + - Description: Specify additional paths that should be checked for binaries where access will be minimized + - Type: list + - Required: no +- `os_env_user_paths` + - Default: `["/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin"]` + - Description: Specify paths that should be checked for binaries where access will be minimized - Type: list - Required: no - `os_filesystem_whitelist` diff --git a/roles/os_hardening/meta/argument_specs.yml b/roles/os_hardening/meta/argument_specs.yml index 5ca59a77..ae710989 100644 --- a/roles/os_hardening/meta/argument_specs.yml +++ b/roles/os_hardening/meta/argument_specs.yml 
@@ -8,11 +8,14 @@ argument_specs:
 default: false
 type: bool
 description: true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc.
+ os_env_user_paths:
+ default: [/usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin, /sbin, /bin]
+ type: list
+ description: Specify paths that should be checked for binaries where access will be minimized
 os_env_extra_user_paths:
 default: '[]'
 type: list
- description: add additional paths to the user's `PATH` variable (default is
- empty).
+ description: Specify additional paths that should be checked for binaries where access will be minimized
 os_auth_pw_max_age:
 default: 60
 type: int
@@ -235,7 +238,7 @@ argument_specs:
 default: SUSPEND
 type: str
 description: This parameter tells the system what action to take when the
- system has detected that it is low on disk space. Valid values are ignore,
+ system has detected that it is low on disk space. Valid values are ignore,
 syslog, rotate, email, exec, suspend, single, and halt.
 os_auditd_space_left:
 default: 75
@@ -451,11 +454,11 @@ argument_specs:
 type: str
 description: Configure file system for fstab entry /dev
 os_mnt_dev_dump:
- default: 0
+ default: '0'
 type: str
 description: Configure dump for fstab entry /var/tmp.
 os_mnt_dev_passno:
- default: 0
+ default: '0'
 type: str
 description: Configure passno for fstab entry /var/tmp.
 os_mnt_dev_shm_dir_mode:
@@ -479,11 +482,11 @@ argument_specs:
 type: str
 description: Configure file system for fstab entry /dev/shm
 os_mnt_dev_shm_dump:
- default: 0
+ default: '0'
 type: str
 description: Configure dump for fstab entry /var/tmp.
 os_mnt_dev_shm_passno:
- default: 0
+ default: '0'
 type: str
 description: Configure passno for fstab entry /var/tmp.
 os_mnt_home_dir_mode:
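Review bot: The new `os_env_user_paths` entry declares its default as a real YAML list, but `os_env_extra_user_paths` directly below it, whose description this hunk rewrites, keeps `default: '[]'`, a quoted string, against `type: list`. If that spec default is ever applied rather than only documented, I believe Ansible's string-to-list coercion splits on commas and would yield a one-element list containing the text `[]` rather than an empty list — worth confirming — so the two siblings should agree: `default: []`. The two new descriptions also no longer say how the keys relate to each other; `description: Additional paths, beyond os_env_user_paths, that should be checked for binaries where access will be minimized` keeps that relationship explicit without changing the stated behaviour.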
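Review bot: The `description` lines next to the newly quoted defaults of `os_mnt_dev_dump` and `os_mnt_dev_passno` still read `fstab entry /var/tmp.` although the entry is `/dev`, as the sibling `description: Configure file system for fstab entry /dev` shows; the same copy-paste carries over to the `/dev/shm` keys in the `@@ -479` hunk and the `/run` keys in the `@@ -539` hunk. Since the commit already touches these defaults, the descriptions should be corrected in the same pass, e.g. `description: Configure dump for fstab entry /dev.` and `description: Configure passno for fstab entry /dev.` (and likewise for `/dev/shm` and `/run`). Quoting `0` is the right fix for a `type: str` field; whether the `*_dump`/`*_passno` keys of the other mount entries outside these hunks (the `os_mnt_home_*` and `os_mnt_tmp_*` groups whose `_dir_mode` keys are visible here) still carry a bare integer `0` cannot be seen from this diff and is worth a grep before merging.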
@@ -539,11 +542,11 @@ argument_specs:
 type: str
 description: Configure file system for fstab entry /run
 os_mnt_run_dump:
- default: 0
+ default: '0'
 type: str
 description: Configure dump for fstab entry /var/tmp.
 os_mnt_run_passno:
- default: 0
+ default: '0'
 type: str
 description: Configure passno for fstab entry /var/tmp.
 os_mnt_tmp_dir_mode: