-
Notifications
You must be signed in to change notification settings - Fork 9
/
login_defs-slackware.yml
137 lines (131 loc) · 4.34 KB
/
login_defs-slackware.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
---
- name: /etc/shutdown.allow
tags:
- configuration
- authorization
become: true
when: ansible_distribution == "Slackware"
block:
- name: Create /etc/shutdown.allow
ansible.builtin.copy:
content: ""
dest: /etc/shutdown.allow
force: false
owner: root
group: root
mode: '0600'
- name: Use shutdown -a in /etc/inittab
ansible.builtin.replace:
path: /etc/inittab
regexp: '^(ca::ctrlaltdel:/sbin/shutdown -t5 -r now)$'
replace: '\g<1> -a'
validate: '/bin/grep "^ca::ctrlaltdel:/sbin/shutdown -t5 -r now -a$" %s'
- name: Set umask to 077 in /etc/profile (Slackware)
tags: configuration
become: true
when: ansible_distribution == "Slackware"
ansible.builtin.replace:
path: /etc/profile
regexp: '^(umask) [0-9]+$'
replace: '\g<1> 077'
validate: '/bin/grep "^umask 077$" %s'
# ftp://ftp.slackware.com/pub/slackware/slackware64-current/source/a/shadow/adduser
# Default AGID is "audio cdrom floppy input lp netdev plugdev power scanner video"
- name: Configure defchmod and AGID in /usr/sbin/adduser (Slackware)
tags: configuration
become: true
when: ansible_distribution == "Slackware"
ansible.builtin.replace:
path: /usr/sbin/adduser
regexp: '^({{ item.key }}=).+'
replace: '\g<1>{{ item.value }}'
validate: "/bin/grep '^{{ item.key }}={{ item.value }}$' %s"
with_dict:
defchmod: 700
AGID: '"audio input netdev plugdev power video"'
# Slackware Linux Benchmark v1.1 - 7.10 Require Authentication For Single-User Mode
# https://web.archive.org/web/20070702234716/http://www.bastille-linux.org:80/jay/anyone-with-a-screwdriver.html
# https://cisofy.com/lynis/controls/AUTH-9308/
- name: Single user mode authentication
tags:
- configuration
- authentication
become: true
when: ansible_distribution == "Slackware"
block:
- name: Remove S from System initialization (Slackware)
ansible.builtin.replace:
path: /etc/inittab
regexp: '^si:S:sysinit:/etc/rc\.d/rc\.S$'
replace: 'si::sysinit:/etc/rc.d/rc.S'
validate: '/bin/grep "^si::sysinit:/etc/rc.d/rc.S$" %s'
- name: Create separate entry for single user mode which requires authentication (Slackware)
ansible.builtin.blockinfile:
path: /etc/inittab
insertafter: "^x1:4:respawn:/etc/rc.d/rc.4$"
block: |
# single user mode
~~:S:wait:/sbin/sulogin
- name: Fix single user mode in rc.K
ansible.builtin.lineinfile:
path: /etc/rc.d/rc.K
regexp: '^/sbin/telinit'
line: /sbin/telinit -t 1 S
- name: Add LESS variables and disable core dumps
tags: configuration
ansible.builtin.blockinfile:
path: /etc/profile
block: |
export LESSSECURE=1
export LESSHISTFILE="/dev/null"
ulimit -Hc 0
become: true
when: ansible_distribution == "Slackware"
# https://github.com/ansible/ansible/issues/11024
# Cleanup Slackware's groups
- name: Slackware groups
when: ansible_distribution == "Slackware"
become: true
block:
- name: Remove all members from certain groups (Slackware)
ansible.builtin.command: gpasswd -M "" {{ item }}
register: result
changed_when: true
failed_when:
- result.failed == true
- '"is not a member of" not in result.stderr'
tags: accounts
with_items:
- root
- bin
- daemon
- sys
- adm
- disk
- name: Remove uucp from dialout group (Slackware)
ansible.builtin.command: gpasswd -d uucp dialout
register: result
changed_when: '"is not a member of" not in result.stderr'
failed_when:
- result.failed == true
- '"is not a member of" not in result.stderr'
tags: accounts
# root is root and that's enough :)
- name: Remove root from all supplemental groups
ansible.builtin.command: gpasswd -d root {{ item }}
register: result
failed_when:
- result.failed == true
- '"is not a member of" not in result.stderr'
changed_when: '"is not a member of" not in result.stderr'
tags: accounts
with_items:
- wheel
- audio
- name: Fix gshadow (Slackware)
when: ansible_distribution == "Slackware"
become: true
ansible.builtin.shell: set -o pipefail; yes | grpck
register: result
changed_when:
- result.rc != 0