mirror of
https://github.com/dev-sec/ansible-collection-hardening
synced 2024-11-10 09:14:18 +00:00
31 lines
1 KiB
YAML
31 lines
1 KiB
YAML
---
|
|
- name: install modprobe to disable filesystems | os-10
|
|
package:
|
|
name: '{{ modprobe_package }}'
|
|
state: 'present'
|
|
|
|
- name: check if efi is installed
|
|
stat:
|
|
path: "/sys/firmware/efi"
|
|
register: efi_installed
|
|
|
|
- name: remove vfat from fs-list if efi is used
|
|
set_fact:
|
|
os_unused_filesystems: "{{ os_unused_filesystems | difference('vfat') }}"
|
|
when:
|
|
- efi_installed.stat.isdir is defined
|
|
- efi_installed.stat.isdir
|
|
|
|
- name: remove used filesystems from fs-list
|
|
set_fact:
|
|
os_unused_filesystems: "{{ os_unused_filesystems | difference(ansible_mounts | map(attribute='fstype') | list) }}"
|
|
# we cannot do this on el6 and below, because these systems don't support the map function
|
|
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
|
|
|
|
- name: disable unused filesystems | os-10
|
|
template:
|
|
src: 'etc/modprobe.d/modprobe.j2'
|
|
dest: '/etc/modprobe.d/dev-sec.conf'
|
|
owner: 'root'
|
|
group: 'root'
|
|
mode: '0644'
|