ensure netplan configuration files permissions

Signed-off-by: Thomas Sjögren <[email protected]>

Author: konstruktoid

molecule/default/verify.yml

@@ -1438,3 +1438,25 @@
         - name: Print kernel lockdown
           ansible.builtin.debug:
             msg: "{{ kernel_lockdown.stdout }}"
+
+    - name: Verify netplan files permissions
+      become: true
+      block:
+        - name: Find all netplan configuration files
+          ansible.builtin.find:
+            paths:
+              - /etc/netplan
+              - /lib/netplan
+              - /run/netplan
+            recurse: true
+            patterns: "*.yaml"
+          register: netplan_configuration
+
+        - name: Assert netplan files permissions
+          ansible.builtin.assert:
+            that:
+              - item.mode == "0600"
+            success_msg: "{{ item.path }} has correct permissions: {{ item.mode }}"
+            fail_msg: "{{ item.path }} permissions are incorrect: {{ item.mode }}"
+          with_items:
+            - "{{ netplan_configuration.files }}"

tasks/main.yml

@@ -323,6 +323,12 @@
   tags:
     - sudo
 
+- name: Set netplan permissions
+  ansible.builtin.import_tasks:
+    file: netplan.yml
+  tags:
+    - netplan
+
 - name: Miscellaneous extra tasks
   ansible.builtin.import_tasks:
     file: extras.yml

tasks/netplan.yml

@@ -0,0 +1,22 @@
+---
+- name: Find and set permissions of netplan configuration files
+  become: true
+  block:
+    - name: Find all netplan configuration files
+      ansible.builtin.find:
+        paths:
+          - /etc/netplan
+          - /lib/netplan
+          - /run/netplan
+        recurse: true
+        patterns: "*.yaml"
+      register: netplan_configuration
+
+    - name: Set permissions of netplan configuration files
+      ansible.builtin.file:
+        path: "{{ item.path }}"
+        mode: "0600"
+        owner: root
+        group: root
+      with_items:
+        - "{{ netplan_configuration.files }}"