From 0dc00d83ade03a163e8842dbb8e64bff1d7b6fa1 Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Thu, 24 Jan 2019 21:00:25 +0100
Subject: [PATCH 1/4] change minimize access tasks to speed them up

Signed-off-by: Sebastian Gumprich
---
 tasks/find_files.yml | 12 ------------
 tasks/minimize_access.yml | 21 +++++++++++++++------
 2 files changed, 15 insertions(+), 18 deletions(-)
 delete mode 100644 tasks/find_files.yml

diff --git a/tasks/find_files.yml b/tasks/find_files.yml
deleted file mode 100644
index 08913321..00000000
--- a/tasks/find_files.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: find directories for minimizing access
- find:
- paths: '{{ outer_item }}'
- recurse: yes
- register: minimize_access_directories
-
-- name: minimize access on found files
- file:
- path: '{{ item.path }}'
- mode: 'go-w'
- state: file
- with_items: '{{ minimize_access_directories.files }}'
diff --git a/tasks/minimize_access.yml b/tasks/minimize_access.yml
index c9121fca..db28fff8 100644
--- a/tasks/minimize_access.yml
+++ b/tasks/minimize_access.yml
@@ -1,16 +1,25 @@
 ---
-# Using a two-pass approach for checking directories in order to support symlinks.
-- include_tasks: find_files.yml
- loop_control:
- loop_var: outer_item
- loop:
+- name: find files with write-permissions for group
+ shell: "find {{ item }} -perm /go+w -type f"
+ with_flattened:
 - '/usr/local/sbin'
 - '/usr/local/bin'
 - '/usr/sbin'
 - '/usr/bin'
 - '/sbin'
 - '/bin'
- - '{{ os_env_extra_user_paths }}'
+ - "{{ os_env_extra_user_paths }}"
+ register: minimize_access_directories
+ changed_when: false
+
+- name: minimize access on found files
+ file:
+ path: '{{ item.1 }}'
+ mode: 'go-w'
+ state: file
+ with_subelements:
+ - "{{minimize_access_directories.results }}"
+ - stdout_lines
 
 - name: change shadow ownership to root and mode to 0600 | os-02
 file:
From 28b50436d794d9ff80575c875e222090df8b6223 Mon Sep 17 00:00:00 2001
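Review bot: `shell: "find {{ item }} -perm /go+w -type f"` interpolates each path into a shell command line unquoted, so an entry of `os_env_extra_user_paths` that contains whitespace or shell metacharacters is word-split or interpreted by the shell instead of reaching find as one argument. The command uses no shell features (no pipe, no redirection), so `command: find {{ item | quote }} -perm /go+w -type f` keeps each path a single argument and avoids the shell altogether, with `changed_when: false` kept as is. The task name "find files with write-permissions for group" undersells what `-perm /go+w` matches — files writable by group or by others — so `- name: find files with write-permissions for group or others` would describe the check accurately. The second task also reads `{{minimize_access_directories.results }}` without the space after the opening braces that every other Jinja expression in this hunk has; `"{{ minimize_access_directories.results }}"` matches them. The `file:` task that closes the hunk continues past it.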
From: pmav99
Date: Thu, 17 Jan 2019 17:06:32 +0200
Subject: [PATCH 2/4] [readme] Update documentation link

The old link was no longer valid
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index f9979389..9fb063af 100644
--- a/README.md
+++ b/README.md
@@ -115,7 +115,7 @@ So for example if you want to change the IPv4 traffic forwarding variable to `1`
 net.ipv4.ip_forward: 1
 ```
 
-Alternatively you can change Ansible's [hash-behaviour](https://docs.ansible.com/ansible/intro_configuration.html#hash-behaviour) to `merge`, then you only have to overwrite the single hash you need to. But please be aware that changing the hash-behaviour changes it for all your playbooks and is not recommended by Ansible.
+Alternatively you can change Ansible's [hash-behaviour](https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-hash-behaviour) to `merge`, then you only have to overwrite the single hash you need to. But please be aware that changing the hash-behaviour changes it for all your playbooks and is not recommended by Ansible.
 
 ## Local Testing
 
From f10877031257ece5e3b1439f38cc79308a75a5c1 Mon Sep 17 00:00:00 2001
From: Joshua Talbot
Date: Mon, 28 Jan 2019 20:05:08 +0000
Subject: [PATCH 3/4] yml fixes

Signed-off-by: Joshua Talbot
---
 .kitchen.vagrant.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.kitchen.vagrant.yml b/.kitchen.vagrant.yml
index 500b90c8..0a2ea79a 100644
--- a/.kitchen.vagrant.yml
+++ b/.kitchen.vagrant.yml
@@ -16,7 +16,7 @@ provisioner:
 require_ruby_for_busser: false
 ansible_verbose: true
 roles_path: ../ansible-os-hardening/
- playbook: default.yml
+ playbook: tests/test.yml
 http_proxy: <%= ENV['http_proxy'] || nil %>
 https_proxy: <%= ENV['https_proxy'] || nil %>
 
From ececa0eee292ca4e4370c15e35c16330d91be3f8 Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Sun, 24 Mar 2019 19:33:10 +0100
Subject: [PATCH 4/4] add symlink following to find task
Signed-off-by: Sebastian Gumprich
---
 tasks/main.yml | 2 +-
 tasks/minimize_access.yml | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/tasks/main.yml b/tasks/main.yml
index 33eb1eaf..285634ba 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,4 +1,4 @@
 ---
-- include_tasks: hardening.yml
+- import_tasks: hardening.yml
 when: os_hardening_enabled
 
diff --git a/tasks/minimize_access.yml b/tasks/minimize_access.yml
index db28fff8..3961be13 100644
--- a/tasks/minimize_access.yml
+++ b/tasks/minimize_access.yml
@@ -1,6 +1,6 @@
 ---
 - name: find files with write-permissions for group
- shell: "find {{ item }} -perm /go+w -type f"
+ shell: "find -L {{ item }} -perm /go+w -type f"
 with_flattened:
 - '/usr/local/sbin'
 - '/usr/local/bin'
@@ -10,6 +10,7 @@
 - '/bin'
 - "{{ os_env_extra_user_paths }}"
 register: minimize_access_directories
+ ignore_errors: true
 changed_when: false
 
 - name: minimize access on found files
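Review bot: Switching `include_tasks` to `import_tasks` changes how `when: os_hardening_enabled` is applied, and nothing in tasks/main.yml says so. With a static import Ansible attaches the condition to every task in hardening.yml (and whatever it imports in turn) and evaluates it per task, whereas the dynamic include evaluated it once to decide whether to load the file at all. For a plain boolean the outcome is the same, but skipped tasks now show up individually in the play output and any task in hardening.yml with its own `when` gets both conditions combined. A comment above the task would make that explicit, e.g. `# static import: the when clause below is inherited by every task in hardening.yml`.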
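Review bot: `find -L` widens what the follow-up task modifies, and that is not documented: with `-L`, `-type f` also matches symlinks whose target is a regular file, the reported path is the link, and the `file:` task then applies `mode: 'go-w'` to the link target (the file module follows symlinks unless `follow: false` is set), which may lie outside the listed directories. That is presumably the intended hardening scope — symlinked binaries in PATH directories — but the comment explaining the symlink handling was removed in the first patch of this series, so nothing states it now. A comment above the task would do, e.g. `# -L follows symlinks, so the mode change in the next task lands on the link target, possibly outside these paths`.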
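Review bot: `ignore_errors: true` masks every failure of the find task, not only the non-zero exit that `find -L` returns for dangling symlinks or for a directory in `os_env_extra_user_paths` that does not exist, and it leaves each affected host reported as "...ignoring" in the run output. Since the next task consumes `stdout_lines` from every result regardless of exit code, `failed_when: false` states the intent more narrowly — the task never fails, and whatever find did list is still processed — and it should carry a comment explaining why, e.g. `# find exits non-zero on dangling symlinks or unreadable dirs while still listing files; never fail here`. Either way, a non-zero exit also means the file list for that path may be incomplete, which is worth noting in the same comment so nobody reads the task as an authoritative sweep.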