From 85aa1b22b34db7dd0c97c1a1098131683a133010 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Fri, 31 May 2024 12:20:00 +0200 Subject: [PATCH] do not force type of ssh_gateway_ports (#765) * do not force type of gatewayports-var this way it can be a bool or a string. we also now test for it Signed-off-by: Sebastian Gumprich * replace yum with dnf Signed-off-by: Sebastian Gumprich --------- Signed-off-by: Sebastian Gumprich --- molecule/mysql_hardening/prepare.yml | 2 +- molecule/os_hardening/prepare.yml | 2 +- molecule/os_hardening_vm/prepare.yml | 2 +- molecule/ssh_hardening/prepare.yml | 2 +- molecule/ssh_hardening_custom_tests/converge.yml | 2 +- molecule/ssh_hardening_custom_tests/prepare.yml | 2 +- roles/os_hardening/tasks/pam_rhel.yml | 2 +- roles/os_hardening/tasks/yum.yml | 2 +- roles/ssh_hardening/meta/argument_specs.yml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/molecule/mysql_hardening/prepare.yml b/molecule/mysql_hardening/prepare.yml
index b1590bc9..bca652b3 100644
--- a/molecule/mysql_hardening/prepare.yml
+++ b/molecule/mysql_hardening/prepare.yml
@@ -67,7 +67,7 @@ - ansible_distribution_major_version|int < 20 - name: Install required MySQL Python libraries on RHEL - ansible.builtin.yum: + ansible.builtin.dnf: name: "{% if 'python3' in ansible_python_interpreter | default('') %}python36-PyMySQL{% else %}python2-PyMySQL{% endif %}" when: - ansible_os_family == "RedHat"
diff --git a/molecule/os_hardening/prepare.yml b/molecule/os_hardening/prepare.yml
index 4236e100..f26853f6 100644
--- a/molecule/os_hardening/prepare.yml
+++ b/molecule/os_hardening/prepare.yml
@@ -41,7 +41,7 @@ when: ansible_facts.os_family == 'Archlinux' - name: Install required tools on RHEL # noqa ignore-errors - ansible.builtin.yum: + ansible.builtin.dnf: name: - openssh-clients - openssh
diff --git a/molecule/os_hardening_vm/prepare.yml b/molecule/os_hardening_vm/prepare.yml
index 26826b40..6a3209c6 100644
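Review bot: `ansible.builtin.dnf` needs dnf and its Python bindings on the target, yet the task in molecule/mysql_hardening/prepare.yml still installs `python36-PyMySQL` / `python2-PyMySQL`, names that look like EL7-era packages, so the RHEL branch may fail on hosts that only ship yum. The same swap is made in the other prepare.yml hunks, in roles/os_hardening/tasks/pam_rhel.yml and in roles/os_hardening/tasks/yum.yml, where a module failure would stop the "Remove deprecated or insecure packages" hardening step from running. If yum-only hosts are still in scope, `ansible.builtin.package:` or a guard such as `when: ansible_facts.pkg_mgr == 'dnf'` would keep both working. The `when:` list of this task continues outside the hunk, so a version condition may already exclude those hosts.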
--- a/molecule/os_hardening_vm/prepare.yml
+++ b/molecule/os_hardening_vm/prepare.yml
@@ -73,7 +73,7 @@ when: ansible_facts.os_family == 'Archlinux' - name: Install required tools on RHEL # noqa ignore-errors - ansible.builtin.yum: + ansible.builtin.dnf: name: - openssh-clients - openssh
diff --git a/molecule/ssh_hardening/prepare.yml b/molecule/ssh_hardening/prepare.yml
index aea8d894..e20edc48 100644
--- a/molecule/ssh_hardening/prepare.yml
+++ b/molecule/ssh_hardening/prepare.yml
@@ -13,7 +13,7 @@ when: ansible_facts.distribution == 'Fedora' - name: Install packages # noqa ignore-errors - ansible.builtin.yum: + ansible.builtin.dnf: name: - openssh-clients - openssh-server
diff --git a/molecule/ssh_hardening_custom_tests/converge.yml b/molecule/ssh_hardening_custom_tests/converge.yml
index 8b1e32e5..a2778ceb 100644
--- a/molecule/ssh_hardening_custom_tests/converge.yml
+++ b/molecule/ssh_hardening_custom_tests/converge.yml
@@ -21,7 +21,7 @@ - root network_ipv6_enable: true ssh_allow_tcp_forwarding: "yes" - ssh_gateway_ports: true + ssh_gateway_ports: "clientspecified" ssh_allow_agent_forwarding: true ssh_server_permit_environment_vars: "yes" ssh_server_accept_env_vars: PWD HTTP_PROXY
diff --git a/molecule/ssh_hardening_custom_tests/prepare.yml b/molecule/ssh_hardening_custom_tests/prepare.yml
index aea8d894..e20edc48 100644
--- a/molecule/ssh_hardening_custom_tests/prepare.yml
+++ b/molecule/ssh_hardening_custom_tests/prepare.yml
@@ -13,7 +13,7 @@ when: ansible_facts.distribution == 'Fedora' - name: Install packages # noqa ignore-errors - ansible.builtin.yum: + ansible.builtin.dnf: name: - openssh-clients - openssh-server
diff --git a/roles/os_hardening/tasks/pam_rhel.yml b/roles/os_hardening/tasks/pam_rhel.yml
index 8468b01c..78a5f983 100644
--- a/roles/os_hardening/tasks/pam_rhel.yml
+++ b/roles/os_hardening/tasks/pam_rhel.yml
@@ -1,6 +1,6 @@ --- - name: Install sssd-clients - ansible.builtin.yum: + ansible.builtin.dnf: name: sssd-client state: present when:
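Review bot: In molecule/ssh_hardening_custom_tests/converge.yml, replacing `ssh_gateway_ports: true` with `"clientspecified"` means this scenario no longer exercises the boolean `true` form. The commit message says the variable may be a bool or a string and that this is now tested, but only the string form is visible here, and the role default of `false` covers only the other boolean. Unless another scenario sets `ssh_gateway_ports: true`, the path that forces binding on the wildcard address goes untested. A comment on the changed line such as `# string form; boolean true is covered in <scenario>` would record where the other case lives.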
diff --git a/roles/os_hardening/tasks/yum.yml b/roles/os_hardening/tasks/yum.yml
index 14692753..76fe165f 100644
--- a/roles/os_hardening/tasks/yum.yml
+++ b/roles/os_hardening/tasks/yum.yml
@@ -45,7 +45,7 @@ - /etc/yum/pluginconf.d/rhnplugin.conf - name: Remove deprecated or insecure packages | package-01 - package-09 - ansible.builtin.yum: + ansible.builtin.dnf: name: "{{ os_security_packages_list }}" state: absent when: os_security_packages_clean | bool
diff --git a/roles/ssh_hardening/meta/argument_specs.yml b/roles/ssh_hardening/meta/argument_specs.yml
index 9361672b..817971a5 100644
--- a/roles/ssh_hardening/meta/argument_specs.yml
+++ b/roles/ssh_hardening/meta/argument_specs.yml
@@ -88,7 +88,7 @@ argument_specs: you can specify `'yes'`, `'no'`, `'all'`, `'local'`or`'remote'`. ssh_gateway_ports: default: false - type: bool + type: raw description: Set to `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to.
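Review bot: With `type: raw` in roles/ssh_hardening/meta/argument_specs.yml, `ssh_gateway_ports` is no longer validated at all, although it controls whether forwarded ports bind to non-loopback addresses. A misspelt string or a quoted `'false'` now passes the argument spec and reaches the sshd_config template unchecked. How the template maps such values is not visible in this hunk, but if any non-empty string is treated as truthy the setting would fail open. An early `ansible.builtin.assert` with `that: ssh_gateway_ports in [true, false, 'clientspecified']` would reject anything else, and the description should state that these are the only accepted values. The `argument_specs` mapping continues outside the hunk.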