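---
# Protect the process list from users other than root: with hidepid=2 on
# /proc a user only sees their own processes. Members of the "proc" group
# are exempted via gid=proc so that whitelisted services keep working.
# Source: https://wiki.archlinux.org/index.php/Security#hidepid
#
# Variables referenced below must be defined by the caller:
#   global_fstab_file                      - fstab file edited by lineinfile
#   global_systemd_configuration_directory - parent of the "<unit>.d" drop-in
#                                            directories created here
#   global_proc_hidepid_service_whitelist  - list of unit names that receive
#                                            the SupplementaryGroups drop-in
#
# NOTE(review): editing fstab does not remount /proc and writing a drop-in
# does not reload systemd, so the setting takes effect after a remount (or
# reboot) and the whitelisted units need a daemon-reload and restart; none
# of these tasks performs those steps. Any service that must see other
# users' processes has to be in the whitelist — check the referenced wiki
# page for the units commonly affected.

- name: Configure group for reading other processes
  group:
    state: present
    name: proc
    # Canonical boolean; "yes" is a YAML 1.1-only truthy spelling.
    system: true

- name: Configure proc mounting in fstab
  lineinfile:
    path: "{{ global_fstab_file }}"
    # Match an existing /proc entry so it is replaced rather than duplicated;
    # lineinfile appends the line when no entry matches.
    regexp: '^\S+\s+/proc\s+proc\s+'
    # Folded scalar: the three lines below become one space-separated
    # fstab entry with no trailing newline.
    line: >-
      proc /proc proc
      nosuid,nodev,noexec,hidepid=2,gid=proc
      0 0

- name: Ensure configuration directory for whitelisted services exist
  file:
    state: directory
    path: "{{ global_systemd_configuration_directory }}/{{ item }}.d"
    owner: root
    group: root
    # Symbolic mode quoted so no parser reinterprets it.
    mode: "u=rwx,g=rx,o=rx"
  loop: "{{ global_proc_hidepid_service_whitelist }}"

- name: Configure whitelisted services to adapt to hidepid setting
  copy:
    # Drop-in granting the unit the "proc" supplementary group, i.e. the
    # gid exempted from hidepid in the fstab entry above.
    content: |
      [Service]
      SupplementaryGroups=proc
    dest: "{{ global_systemd_configuration_directory }}/{{ item }}.d/proc_hidepid_whitelist.conf"
    owner: root
    group: root
    # Drop-in is read-only for non-root; keep it world-readable like other
    # unit files.
    mode: "u=rw,g=r,o=r"
  loop: "{{ global_proc_hidepid_service_whitelist }}"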