dev-sec · hackardoX · Jun 2, 2025 · Jun 2, 2025
diff --git a/roles/os_hardening/tasks/minimize_access.yml b/roles/os_hardening/tasks/minimize_access.yml
@@ -95,108 +95,123 @@
   ansible.builtin.set_fact:
     mountpoints_list: "{{ mountpoints_list + ['/dev', '/dev/shm', '/run', '/tmp'] }}"
 
+- name: Define filesystems variable
+  ansible.builtin.set_fact:
+    filesystems:
+      - path: /boot
+        src: "{{ os_mnt_boot_src }}"
+        fstype: "{{ os_mnt_boot_filesystem }}"
+        opts: "{{ os_mnt_boot_options }}"
+        enabled: "{{ os_mnt_boot_enabled }}"
+        mode: "{{ os_mnt_boot_dir_mode }}"
+        group: "{{ os_mnt_boot_group }}"
+        owner: "{{ os_mnt_boot_owner }}"
+        dump: "{{ os_mnt_boot_dump }}"
+        passno: "{{ os_mnt_boot_passno }}"
+      - path: /dev
+        src: "{{ os_mnt_dev_src }}"
+        fstype: "{{ os_mnt_dev_filesystem }}"
+        opts: "{{ os_mnt_dev_options }}"
+        enabled: "{{ os_mnt_dev_enabled }}"
+        mode: "{{ os_mnt_dev_dir_mode }}"
+        group: "{{ os_mnt_dev_group }}"
+        owner: "{{ os_mnt_dev_owner }}"
+        dump: "{{ os_mnt_dev_dump }}"
+        passno: "{{ os_mnt_dev_passno }}"
+      - path: /dev/shm
+        src: "{{ os_mnt_dev_shm_src }}"
+        fstype: "{{ os_mnt_dev_shm_filesystem }}"
+        opts: "{{ os_mnt_dev_shm_options }}"
+        enabled: "{{ os_mnt_dev_shm_enabled }}"
+        mode: "{{ os_mnt_dev_shm_dir_mode }}"
+        group: "{{ os_mnt_dev_shm_group }}"
+        owner: "{{ os_mnt_dev_shm_owner }}"
+        dump: "{{ os_mnt_dev_shm_dump }}"
+        passno: "{{ os_mnt_dev_shm_passno }}"
+      - path: /home
+        src: "{{ os_mnt_home_src }}"
+        fstype: "{{ os_mnt_home_filesystem }}"
+        opts: "{{ os_mnt_home_options }}"
+        enabled: "{{ os_mnt_home_enabled }}"
+        mode: "{{ os_mnt_home_dir_mode }}"
+        group: "{{ os_mnt_home_group }}"
+        owner: "{{ os_mnt_home_owner }}"
+        dump: "{{ os_mnt_home_dump }}"
+        passno: "{{ os_mnt_home_passno }}"
+      - path: /run
+        src: "{{ os_mnt_run_src }}"
+        fstype: "{{ os_mnt_run_filesystem }}"
+        opts: "{{ os_mnt_run_options }}"
+        enabled: "{{ os_mnt_run_enabled }}"
+        mode: "{{ os_mnt_run_dir_mode }}"
+        group: "{{ os_mnt_run_group }}"
+        owner: "{{ os_mnt_run_owner }}"
+        dump: "{{ os_mnt_run_dump }}"
+        passno: "{{ os_mnt_run_passno }}"
+      - path: /tmp
+        src: "{{ os_mnt_tmp_src }}"
+        fstype: "{{ os_mnt_tmp_filesystem }}"
+        opts: "{{ os_mnt_tmp_options }}"
+        enabled: "{{ os_mnt_tmp_enabled }}"
+        mode: "{{ os_mnt_tmp_dir_mode }}"
+        group: "{{ os_mnt_tmp_group }}"
+        owner: "{{ os_mnt_tmp_owner }}"
+        dump: "{{ os_mnt_tmp_dump }}"
+        passno: "{{ os_mnt_tmp_passno }}"
+      - path: /var
+        src: "{{ os_mnt_var_src }}"
+        fstype: "{{ os_mnt_var_filesystem }}"
+        opts: "{{ os_mnt_var_options }}"
+        enabled: "{{ os_mnt_var_enabled }}"
+        mode: "{{ os_mnt_var_dir_mode }}"
+        group: "{{ os_mnt_var_group }}"
+        owner: "{{ os_mnt_var_owner }}"
+        dump: "{{ os_mnt_var_dump }}"
+        passno: "{{ os_mnt_var_passno }}"
+      - path: /var/log
+        src: "{{ os_mnt_var_log_src }}"
+        fstype: "{{ os_mnt_var_log_filesystem }}"
+        opts: "{{ os_mnt_var_log_options }}"
+        enabled: "{{ os_mnt_var_log_enabled }}"
+        mode: "{{ os_mnt_var_log_dir_mode }}"
+        group: "{{ os_mnt_var_log_group }}"
+        owner: "{{ os_mnt_var_log_owner }}"
+        dump: "{{ os_mnt_var_log_dump }}"
+        passno: "{{ os_mnt_var_log_passno }}"
+      - path: /var/log/audit
+        src: "{{ os_mnt_var_log_audit_src }}"
+        fstype: "{{ os_mnt_var_log_audit_filesystem }}"
+        opts: "{{ os_mnt_var_log_audit_options }}"
+        enabled: "{{ os_mnt_var_log_audit_enabled }}"
+        mode: "{{ os_mnt_var_log_audit_dir_mode }}"
+        group: "{{ os_mnt_var_log_audit_group }}"
+        owner: "{{ os_mnt_var_log_audit_owner }}"
+        dump: "{{ os_mnt_var_log_audit_dump }}"
+        passno: "{{ os_mnt_var_log_audit_passno }}"
+      - path: /var/tmp
+        src: "{{ os_mnt_var_tmp_src }}"
+        fstype: "{{ os_mnt_var_tmp_filesystem }}"
+        opts: "{{ os_mnt_var_tmp_options }}"
+        enabled: "{{ os_mnt_var_tmp_enabled }}"
+        mode: "{{ os_mnt_var_tmp_dir_mode }}"
+        group: "{{ os_mnt_var_tmp_group }}"
+        owner: "{{ os_mnt_var_tmp_owner }}"
+        dump: "{{ os_mnt_var_tmp_dump }}"
+        passno: "{{ os_mnt_var_tmp_passno }}"
+
+- name: Extract distinct groups from filesystems
+  ansible.builtin.set_fact:
+    distinct_groups: "{{ filesystems | map(attribute='group') | unique | list }}"
+
+- name: Ensure all distinct groups exist
+  ansible.builtin.group:
+    name: "{{ item }}"
+    state: present
+  loop: "{{ distinct_groups }}"
+  when: distinct_groups is defined
+
 - name: Minimize access for filesystems
   ansible.builtin.include_tasks: minimize_access_fs.yml
   loop_control:
     loop_var: mount
-  loop:
-    - path: /boot
-      src: "{{ os_mnt_boot_src }}"
-      fstype: "{{ os_mnt_boot_filesystem }}"
-      opts: "{{ os_mnt_boot_options }}"
-      enabled: "{{ os_mnt_boot_enabled }}"
-      mode: "{{ os_mnt_boot_dir_mode }}"
-      group: "{{ os_mnt_boot_group }}"
-      owner: "{{ os_mnt_boot_owner }}"
-      dump: "{{ os_mnt_boot_dump }}"
-      passno: "{{ os_mnt_boot_passno }}"
-    - path: /dev
-      src: "{{ os_mnt_dev_src }}"
-      fstype: "{{ os_mnt_dev_filesystem }}"
-      opts: "{{ os_mnt_dev_options }}"
-      enabled: "{{ os_mnt_dev_enabled }}"
-      mode: "{{ os_mnt_dev_dir_mode }}"
-      group: "{{ os_mnt_dev_group }}"
-      owner: "{{ os_mnt_dev_owner }}"
-      dump: "{{ os_mnt_dev_dump }}"
-      passno: "{{ os_mnt_dev_passno }}"
-    - path: /dev/shm
-      src: "{{ os_mnt_dev_shm_src }}"
-      fstype: "{{ os_mnt_dev_shm_filesystem }}"
-      opts: "{{ os_mnt_dev_shm_options }}"
-      enabled: "{{ os_mnt_dev_shm_enabled }}"
-      mode: "{{ os_mnt_dev_shm_dir_mode }}"
-      group: "{{ os_mnt_dev_shm_group }}"
-      owner: "{{ os_mnt_dev_shm_owner }}"
-      dump: "{{ os_mnt_dev_shm_dump }}"
-      passno: "{{ os_mnt_dev_shm_passno }}"
-    - path: /home
-      src: "{{ os_mnt_home_src }}"
-      fstype: "{{ os_mnt_home_filesystem }}"
-      opts: "{{ os_mnt_home_options }}"
-      enabled: "{{ os_mnt_home_enabled }}"
-      mode: "{{ os_mnt_home_dir_mode }}"
-      group: "{{ os_mnt_home_group }}"
-      owner: "{{ os_mnt_home_owner }}"
-      dump: "{{ os_mnt_home_dump }}"
-      passno: "{{ os_mnt_home_passno }}"
-    - path: /run
-      src: "{{ os_mnt_run_src }}"
-      fstype: "{{ os_mnt_run_filesystem }}"
-      opts: "{{ os_mnt_run_options }}"
-      enabled: "{{ os_mnt_run_enabled }}"
-      mode: "{{ os_mnt_run_dir_mode }}"
-      group: "{{ os_mnt_run_group }}"
-      owner: "{{ os_mnt_run_owner }}"
-      dump: "{{ os_mnt_run_dump }}"
-      passno: "{{ os_mnt_run_passno }}"
-    - path: /tmp
-      src: "{{ os_mnt_tmp_src }}"
-      fstype: "{{ os_mnt_tmp_filesystem }}"
-      opts: "{{ os_mnt_tmp_options }}"
-      enabled: "{{ os_mnt_tmp_enabled }}"
-      mode: "{{ os_mnt_tmp_dir_mode }}"
-      group: "{{ os_mnt_tmp_group }}"
-      owner: "{{ os_mnt_tmp_owner }}"
-      dump: "{{ os_mnt_tmp_dump }}"
-      passno: "{{ os_mnt_tmp_passno }}"
-    - path: /var
-      src: "{{ os_mnt_var_src }}"
-      fstype: "{{ os_mnt_var_filesystem }}"
-      opts: "{{ os_mnt_var_options }}"
-      enabled: "{{ os_mnt_var_enabled }}"
-      mode: "{{ os_mnt_var_dir_mode }}"
-      group: "{{ os_mnt_var_group }}"
-      owner: "{{ os_mnt_var_owner }}"
-      dump: "{{ os_mnt_var_dump }}"
-      passno: "{{ os_mnt_var_passno }}"
-    - path: /var/log
-      src: "{{ os_mnt_var_log_src }}"
-      fstype: "{{ os_mnt_var_log_filesystem }}"
-      opts: "{{ os_mnt_var_log_options }}"
-      enabled: "{{ os_mnt_var_log_enabled }}"
-      mode: "{{ os_mnt_var_log_dir_mode }}"
-      group: "{{ os_mnt_var_log_group }}"
-      owner: "{{ os_mnt_var_log_owner }}"
-      dump: "{{ os_mnt_var_log_dump }}"
-      passno: "{{ os_mnt_var_log_passno }}"
-    - path: /var/log/audit
-      src: "{{ os_mnt_var_log_audit_src }}"
-      fstype: "{{ os_mnt_var_log_audit_filesystem }}"
-      opts: "{{ os_mnt_var_log_audit_options }}"
-      enabled: "{{ os_mnt_var_log_audit_enabled }}"
-      mode: "{{ os_mnt_var_log_audit_dir_mode }}"
-      group: "{{ os_mnt_var_log_audit_group }}"
-      owner: "{{ os_mnt_var_log_audit_owner }}"
-      dump: "{{ os_mnt_var_log_audit_dump }}"
-      passno: "{{ os_mnt_var_log_audit_passno }}"
-    - path: /var/tmp
-      src: "{{ os_mnt_var_tmp_src }}"
-      fstype: "{{ os_mnt_var_tmp_filesystem }}"
-      opts: "{{ os_mnt_var_tmp_options }}"
-      enabled: "{{ os_mnt_var_tmp_enabled }}"
-      mode: "{{ os_mnt_var_tmp_dir_mode }}"
-      group: "{{ os_mnt_var_tmp_group }}"
-      owner: "{{ os_mnt_var_tmp_owner }}"
-      dump: "{{ os_mnt_var_tmp_dump }}"
-      passno: "{{ os_mnt_var_tmp_passno }}"
+  loop: "{{ filesystems }}"