rework filesystem hardening #555
Conversation
I think this would supersede #523
Yes, I was too slow :) Thanks! #523 is deprecated
Hi @divialth, yes there was a reason for me, because Would you prefer to query a fact for specific operating systems to set this to
This should no longer be a problem. The first task in I also did not change any of the
I think this will work for us. A "go" on my side 👍
Please consider my suggestions as nitpicking.
Aside from my comments I want to say I absolutely like what you did here!
- removed a lot of duplicated code by using a loop
- added new hardening options for /tmp
- added new options "passno" and "dump" for every filesystem. Currently ansible changed those values to 0 for every fs; the new default depends on fstype, can be overwritten in config
- removed default fstype in config. The type will now be autodetected, can be overwritten in config
- mount src setting is now optional. The source will now be autodetected, can be overwritten in config
- it will now be checked if it is really a mount
- changed fs reload to handler
- removed check os_auditd_enabled on /var/log/audit

Signed-off-by: divialth <65872926+divialth@users.noreply.github.com>
f178915 to 8d9cac4 (Compare)
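The rework described in the commit message above (one loop over a per-filesystem config instead of copied tasks, passno/dump defaults that depend on fstype, fstype and src autodetected from facts unless configured, a check that the path really is a mount, and a handler for the reload) can be sketched as an Ansible play. The play below is an added example, not the collection's own role and not the code in this PR; the variable name hardening_filesystems, its per-entry keys (opts, fstype, src, passno, dump) and the list hardening_virtual_fstypes are assumptions chosen for illustration.

```yaml
# Added example (not the project's role). Variable names and keys are assumed.
- name: Filesystem hardening (illustrative example)
  hosts: all
  become: true
  gather_facts: true            # ansible_mounts is needed for autodetection
  vars:
    # Constructed sample configuration; fstype and src are optional.
    hardening_filesystems:
      /tmp:
        opts: nodev,noexec,nosuid
      /var/log/audit:
        opts: nodev,noexec,nosuid
      /home:
        opts: nodev,nosuid
        fstype: ext4            # an explicit value wins over autodetection
        passno: 2
    # Assumed list: pseudo filesystems are never fsck'ed or dumped.
    hardening_virtual_fstypes: [tmpfs, proc, sysfs, devpts, cgroup2, overlay]

  tasks:
    - name: Write hardened fstab entry for each configured filesystem
      vars:
        # The matching ansible_mounts entry, or {} when the path is not a mount.
        _detected: "{{ ((ansible_mounts | selectattr('mount', 'equalto', item.key) | list) + [{}]) | first }}"
        # Config value first, otherwise the autodetected one.
        _fstype: "{{ item.value.fstype | default(_detected.fstype) }}"
        _src: "{{ item.value.src | default(_detected.device) }}"
        # Defaults depend on fstype; a configured value always overrides them.
        _passno: "{{ item.value.passno | default(0 if _fstype in hardening_virtual_fstypes else 2) }}"
        _dump: "{{ item.value.dump | default(0 if _fstype in hardening_virtual_fstypes else 1) }}"
      ansible.posix.mount:
        path: "{{ item.key }}"
        src: "{{ _src }}"
        fstype: "{{ _fstype }}"
        opts: "{{ item.value.opts }}"
        passno: "{{ _passno }}"
        dump: "{{ _dump }}"
        state: present          # edits fstab only; the handler applies it
      loop: "{{ hardening_filesystems | dict2items }}"
      loop_control:
        label: "{{ item.key }}"
      # Skip configured paths that are not real mount points on this host,
      # so no fstab entry is written for a plain directory.
      when: _detected | length > 0
      notify: Remount hardened filesystems

  handlers:
    - name: Remount hardened filesystems
      ansible.posix.mount:
        path: "{{ item }}"
        state: remounted
      loop: "{{ hardening_filesystems | dict2items | map(attribute='key') | list }}"
```

The `ansible.posix.mount` module with `state: present` only rewrites the fstab line, which is why the remount is delegated to a handler that fires once at the end of the play; the `when` guard on `ansible_mounts` is the "is it really a mount" check, and a host where `/var/log/audit` is just a directory on the root filesystem simply skips that entry instead of getting a broken fstab line.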
I have implemented your other naming suggestions and also did a rebase to resolve the merge conflicts. The current failing CI checks seem to be unrelated. Please correct me if I am wrong.
Notes:
If you have many different configured servers this is very useful