ansible-vault

Implement "Use Correct Filesystem Permissions." hardening advice

Open akerouanton opened this issue 2 years ago • 2 comments

The Production Hardening guide has the following bullet:

Use Correct Filesystem Permissions. Always ensure appropriate permissions are applied to files prior to starting Vault, especially those containing sensitive information.

This would be implemented through a shell script declared in an ExecStartPre directive of the systemd service (and before starting the daemon in init scripts). It'd have to check for the file perms and owner/group of all the paths declared in this role.

Would such a change be accepted by maintainers (if so, I can work on it)?

akerouanton, Nov 29 '21 10:11
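The check proposed in this issue, sketched as an added example (not code from the ansible-vault role or from anyone in this thread): a shell script suitable for an `ExecStartPre=` line that verifies owner, group and maximum mode for each listed path and refuses symlinks. It assumes GNU `stat`; the manifest format and the `--manifest` flag are invented for this example, and the role's real paths are not listed on this page.

```shell
#!/bin/sh
# Added example: pre-start permission audit for a systemd ExecStartPre= line.
# Assumes GNU stat (Linux); manifest paths must not contain whitespace.

# check_path PATH OWNER GROUP MAX_MODE
# Succeeds only if PATH exists, is not a symlink, is owned by OWNER:GROUP and
# has no permission bits set outside MAX_MODE (octal, e.g. 640).
check_path() {
    path=$1 want_owner=$2 want_group=$3 max_mode=$4
    case $max_mode in
        ''|*[!0-7]*) echo "FAIL $path: bad mode '$max_mode'" >&2; return 2 ;;
    esac
    if [ -L "$path" ]; then echo "FAIL $path: is a symlink" >&2; return 1; fi
    if [ ! -e "$path" ]; then echo "FAIL $path: missing" >&2; return 1; fi

    info=$(stat -c '%U %G %a' -- "$path") || return 1
    set -- $info                      # $1=owner $2=group $3=octal mode
    status=0
    if [ "$1" != "$want_owner" ] || [ "$2" != "$want_group" ]; then
        echo "FAIL $path: owner $1:$2, expected $want_owner:$want_group" >&2
        status=1
    fi
    # Any bit present in the real mode but absent from MAX_MODE is a failure.
    if [ $(( 0$3 & ~0$max_mode & 07777 )) -ne 0 ]; then
        echo "FAIL $path: mode $3 is wider than $max_mode" >&2
        status=1
    fi
    return $status
}

# check_all reads "PATH OWNER GROUP MAX_MODE" lines from stdin ('#' comments
# allowed) and fails if any entry fails, after reporting all of them.
check_all() {
    rc=0
    while read -r p o g m; do
        case $p in ''|'#'*) continue ;; esac
        check_path "$p" "$o" "$g" "$m" || rc=1
    done
    return $rc
}

# Entry point: <script> --manifest FILE   (FILE lists the paths to audit)
if [ "${1:-}" = "--manifest" ] && [ -n "${2:-}" ]; then
    check_all < "$2"
    exit $?
fi
```

Because the mode test is a bit mask rather than an equality check, a file that is stricter than the manifest entry (600 against a limit of 640) still passes, while setuid, setgid and sticky bits count as violations unless the limit includes them.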

Rather audit the file permissions in this role and create a pull-request for improvements.

bbaassssiiee, Dec 01 '21 18:12

You could also add Goss or TestInfra tests that users can run.

bbaassssiiee, Dec 01 '21 18:12