Merge pull request #39 from hardening-io/su_mode

Add mode to su-binary task. Fix #38

Author: chris-rock

.travis.yml

@@ -11,4 +11,4 @@ install:
 
 script:
   - ansible-playbook --syntax-check spec/travis.yml
-  - ansible-playbook --sudo -v --diff spec/travis.yml --skip-tags "sysctl"
+  - ansible-playbook --sudo -v --diff spec/travis.yml --skip-tags "sysctl" --extra-vars "os_security_users_allow=change_user"

roles/ansible-os-hardening/tasks/minimize_access.yml

@@ -14,5 +14,5 @@
   file: dest='/etc/shadow' owner=root group=root mode=0600
 
 - name: change su-binary to only be accessible to user and group root
-  file: dest='/bin/su' owner=root group=root mode
-  when: security_users_allow|default(None) != None
+  file: dest='/bin/su' owner=root group=root mode=0750
+  when: os_security_users_allow != None