Mirrors/ansible-collection-hardening
2
0
Fork 0
mirror of https://github.com/dev-sec/ansible-collection-hardening synced 2024-09-20 13:21:52 +00:00
Code Issues Projects Releases Packages Wiki Activity

Add selinux-check

Browse source
This commit is contained in:
Sebastian Gumprich 2015-08-16 20:37:33 +00:00
parent c4482cb12e
commit be38ac75f4
1 changed files with 13 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
roles/ansible-ssh-hardening/tasks/main.yml
View file

@ -2,15 +2,22 @@
- name: add the OS specific variables
include_vars: "{{ ansible_os_family }}.yml"
- name: check is selinux is installed
command: getenforce
register: selinux_installed
ignore_errors: true
changed_when: false
- name: test to see if selinux is running
command: getenforce
register: sestatus
changed_when: false
when: selinux_installed.rc == 0
- name: check the ssh_password policy state
shell: semodule -l | grep "ssh_password" | awk '{print $3}'
register: selinux_policy_state
when: sestatus.stdout == 'Enforcing'
when: selinux_installed.rc == 0
changed_when: false
- name: create sshd_config and set permissions to root/600
@ -24,7 +31,7 @@
- name: Create selinux custom policy drop folder
file: path={{ custom_selinux_dir }} state=directory owner=root group=root mode=0750
when: not ssh_use_pam and sestatus.stdout == 'Enforcing'
when: not ssh_use_pam and sestatus.stdout != 'Disabled'
# The following tasks only get executed when selinux is in state enforcing and UsePam is "no".
# See this issue for more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23
@ -32,19 +39,19 @@
- name: Distributing custom selinux policies
copy: src='ssh_password' dest='{{ custom_selinux_dir }}'
register: custom_policies_output
when: not ssh_use_pam and sestatus.stdout == 'Enforcing'
when: not ssh_use_pam and sestatus.stdout != 'Disabled'
- name: check and compile policy
shell: checkmodule -M -m -o {{ custom_selinux_dir }}/ssh_password.mod {{ custom_selinux_dir }}/ssh_password
when: not ssh_use_pam and sestatus.stdout == 'Enforcing'
when: not ssh_use_pam and sestatus.stdout != 'Disabled'
- name: create selinux policy module package
shell: semodule_package -o {{ custom_selinux_dir }}/ssh_password.pp -m {{ custom_selinux_dir }}/ssh_password.mod
when: not ssh_use_pam and sestatus.stdout == 'Enforcing'
when: not ssh_use_pam and sestatus.stdout != 'Disabled'
- name: install selinux policy
shell: semodule -i {{ custom_selinux_dir }}/ssh_password.pp
when: not ssh_use_pam and sestatus.stdout == 'Enforcing'
when: not ssh_use_pam and sestatus.stdout != 'Disabled'
- name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk (http://danwalsh.livejournal.com/12333.html)
shell: semodule -r ssh_password