From f23d5d8eafb3c14ecab08a85227415db0fad1545 Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Sun, 28 Jul 2024 13:17:49 +0200
Subject: [PATCH] Remove deprecated rebuild of initrd

Signed-off-by: Martin Schurz
---
 roles/os_hardening/README.md | 5 -----
 roles/os_hardening/defaults/main.yml | 1 -
 roles/os_hardening/meta/argument_specs.yml | 7 -------
 roles/os_hardening/tasks/hardening.yml | 10 ----------
 roles/os_hardening/tasks/sysctl.yml | 23 ----------------------
 5 files changed, 46 deletions(-)

diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md
index be024a1f..51989252 100644
--- a/roles/os_hardening/README.md
+++ b/roles/os_hardening/README.md
@@ -839,11 +839,6 @@ This role is mostly based on guides by:
   - Description: kernel is crashing or otherwise misbehaving and a kernel core dump is created.
   - Type: bool
   - Required: no
-- `os_security_kernel_enable_module_loading`
-  - Default: `true`
-  - Description: true if you want to allowed to change kernel modules once the system is running (eg `modprobe`, `rmmod`). WARNING - Rebuilding initramfs is deprecated and will be removed in the next major release. For more information take a look at this issue
-  - Type: bool
-  - Required: no
 - `os_security_packages_clean`
   - Default: `true`
   - Description: removes packages with known issues. See section packages.
diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
index 7430d806..44804760 100644
--- a/roles/os_hardening/defaults/main.yml
+++ b/roles/os_hardening/defaults/main.yml
@@ -40,7 +40,6 @@ os_users_without_password_ageing: []
 # Specify system accounts whose login should not be disabled and password not changed
 os_ignore_users: [vagrant, kitchen]
 
-os_security_kernel_enable_module_loading: true
 os_security_kernel_enable_core_dump: false
 os_security_suid_sgid_enforce: true
 # User-defined blacklist and whitelist
diff --git a/roles/os_hardening/meta/argument_specs.yml b/roles/os_hardening/meta/argument_specs.yml
index ae710989..b23aa06c 100644
--- a/roles/os_hardening/meta/argument_specs.yml
+++ b/roles/os_hardening/meta/argument_specs.yml
@@ -73,13 +73,6 @@ argument_specs:
         default: '[]'
         type: list
         description: list of things, that a user is allowed to do. May contain `change_user`.
-      os_security_kernel_enable_module_loading:
-        default: true
-        type: bool
-        description: true if you want to allowed to change kernel modules once the
-          system is running (eg `modprobe`, `rmmod`). WARNING - Rebuilding initramfs
-          is deprecated and will be removed in the next major release. For more information
-          take a look at this issue
       os_security_kernel_enable_core_dump:
         default: false
         type: bool
diff --git a/roles/os_hardening/tasks/hardening.yml b/roles/os_hardening/tasks/hardening.yml
index c30b0082..3e4727f0 100644
--- a/roles/os_hardening/tasks/hardening.yml
+++ b/roles/os_hardening/tasks/hardening.yml
@@ -123,13 +123,3 @@
   when:
     - ansible_facts.selinux.status == 'enabled'
     - os_selinux_enabled | bool
-
-- name: Raise deprecation warning for initramfs tasks # noqa ignore-errors
-  ansible.builtin.fail:
-    msg: "WARNING: Rebuilding initramfs is deprecated and will be removed
-      in the next major release. For more information take a look at this issue:
-      https://github.com/dev-sec/ansible-collection-hardening/pull/591"
-  when:
-    - os_security_kernel_enable_module_loading
-  ignore_errors: true
-  tags: always
diff --git a/roles/os_hardening/tasks/sysctl.yml b/roles/os_hardening/tasks/sysctl.yml
index d6ad9c1c..62d16d75 100644
--- a/roles/os_hardening/tasks/sysctl.yml
+++ b/roles/os_hardening/tasks/sysctl.yml
@@ -18,29 +18,6 @@
     mode: "0544"
   when: ansible_facts.os_family == 'RedHat'
 
-- name: Install initramfs-tools
-  ansible.builtin.apt:
-    name: initramfs-tools
-    state: present
-    update_cache: true
-  when:
-    - ansible_facts.os_family == 'Debian'
-    - os_security_kernel_enable_module_loading
-
-- name: Rebuild initramfs with starting pack of modules, if module loading at runtime is disabled
-  ansible.builtin.template:
-    src: etc/initramfs-tools/modules.j2
-    dest: /etc/initramfs-tools/modules
-    owner: root
-    group: root
-    mode: "0440"
-  notify:
-    - Update-initramfs
-  when:
-    - ansible_facts.os_family == 'Debian'
-    - os_security_kernel_enable_module_loading
-  register: initramfs
-
 - name: Change sysctls
   when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz']
   block:
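Review bot: The removed tasks are, as far as this hunk shows, the only users of the `Update-initramfs` handler and the `etc/initramfs-tools/modules.j2` template, yet neither file appears in the diffstat, so they are probably left behind as dead code and should go in the same change if nothing else in the role references them. The variable `os_security_kernel_enable_module_loading` is also dropped from defaults and argument_specs without a replacement, so any reference that survives elsewhere in the role (for instance in the sysctl settings the `Change sysctls` block applies, which continues outside the hunk) would now fail as undefined, while inventories that set it to `false` will have the setting silently ignored. A short upgrade note stating that the role no longer rebuilds initramfs and how restricting runtime module loading is now meant to be configured would close that gap; the same applies to the hardening.yml and defaults/main.yml hunks.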