Exclude system directories (/sys, /proc, /dev) from the shosts file search

This halves the number of files examined by the find module on an ubuntu focal system and nearly halves the runtime of the task on a ceph backed VM. Change-Id: I862351badc70fa091bebf55dd2910cccfa731ca2
2021-02-03 10:39:54 +00:00 · 2021-02-03 10:39:54 +00:00 · b7b945b21e
parent c6703cd5e5
commit b7b945b21e
2 changed files with 21 additions and 2 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -201,7 +201,11 @@ security_pam_faillock_unlock_time: 604800                    # V-71943
 #security_rhel7_concurrent_session_limit: 10                 # V-72217
 # Remove .shosts and shosts.equiv files.
 security_rhel7_remove_shosts_files: no                       # V-72277
-
+# Exclude these directories from the shosts files find
+security_rhel7_remove_shosts_exclude_dirs:
+  - '/sys'
+  - '/proc'
+  - '/dev'
 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.
 security_reset_perm_ownership: no                            # V-71849
--- a/tasks/rhel7stig/async_tasks.yml
+++ b/tasks/rhel7stig/async_tasks.yml
@ -33,9 +33,24 @@
    - V-71855
    - skip_ansible_lint

- name: Check for .shosts or shosts.equiv files
+
+- name: Locate top level directories to check for .shosts
  find:
    paths: /
+    file_type: directory
+  register: shosts_dirs
+  when:
+    - not check_mode | bool
+    - security_rhel7_remove_shosts_files | bool
+  tags:
+    - high
+    - auth
+    - V-72277
+    - V-72279
+
+- name: Check for .shosts or shosts.equiv files
+  find:
+    paths: "{{ shosts_dirs.files | map(attribute='path') | difference(security_rhel7_remove_shosts_exclude_dirs) }}"
    recurse: yes
    hidden: yes
    patterns: '.shosts,shosts.equiv'