Exclude system directories (/sys, /proc, /dev) from the shosts file search
This halves the number of files examined by the find module on an Ubuntu Focal system and nearly halves the runtime of the task on a Ceph-backed VM. Change-Id: I862351badc70fa091bebf55dd2910cccfa731ca2
parent
c6703cd5e5
commit
b7b945b21e
@ -201,7 +201,11 @@ security_pam_faillock_unlock_time: 604800 # V-71943
|
|||
#security_rhel7_concurrent_session_limit: 10 # V-72217
|
||||
# Remove .shosts and shosts.equiv files.
|
||||
security_rhel7_remove_shosts_files: no # V-72277
|
||||
|
||||
# Exclude these directories from the shosts files find
|
||||
security_rhel7_remove_shosts_exclude_dirs:
|
||||
- '/sys'
|
||||
- '/proc'
|
||||
- '/dev'
|
||||
## File permissions (file_perms)
|
||||
# Reset file permissions and ownership for files installed via RPM packages.
|
||||
security_reset_perm_ownership: no # V-71849
|
||||
|
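Review bot: The new `security_rhel7_remove_shosts_exclude_dirs` entries are only effective if they match the `path` strings the find module returns byte for byte, because the task compares them with `difference()`; a value written as `/sys/` or a relative name would silently not match and the directory would be scanned anyway. The comment above the list should state that contract, for example `# Exclude these top-level directories from the shosts files find; each entry must be the exact path as listed by find (no trailing slash).`. It is also worth stating in the comment that the list only filters the top-level directories of `/`, not arbitrary nested paths, since that is all the task enumerates.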
|
|
@ -33,9 +33,24 @@
|
|||
- V-71855
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: Check for .shosts or shosts.equiv files
|
||||
|
||||
- name: Locate top level directories to check for .shosts
|
||||
find:
|
||||
paths: /
|
||||
file_type: directory
|
||||
register: shosts_dirs
|
||||
when:
|
||||
- not check_mode | bool
|
||||
- security_rhel7_remove_shosts_files | bool
|
||||
tags:
|
||||
- high
|
||||
- auth
|
||||
- V-72277
|
||||
- V-72279
|
||||
|
||||
- name: Check for .shosts or shosts.equiv files
|
||||
find:
|
||||
paths: "{{ shosts_dirs.files | map(attribute='path') | difference(security_rhel7_remove_shosts_exclude_dirs) }}"
|
||||
recurse: yes
|
||||
hidden: yes
|
||||
patterns: '.shosts,shosts.equiv'
|
||||
|
|
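Review bot: Searching only the subdirectories returned by the first find (`file_type: directory`, non-recursive on `/`) means a `.shosts` or `shosts.equiv` placed directly in `/` is no longer examined, whereas the previous `paths: /` with `recurse: yes` covered it; either a non-recursive find on `/` for the same patterns should be added or the omission documented next to `paths:`. The `paths` expression also dereferences `shosts_dirs.files`, which is only registered when the first task's `when` conditions hold (not check mode and `security_rhel7_remove_shosts_files` true); the rest of the second task is outside the hunk, so presumably it carries the same `when` guard, but if it does not the task fails on an undefined variable whenever the first one is skipped. A one-line comment above the first task, `# Top-level directories only; exclusions are applied by exact path in the next task`, would make the two-step design clear to the next maintainer.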