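---
# Molecule prepare playbook for the os_hardening test scenarios.
# The first play only bootstraps Python on the Arch Linux image (the base image
# ships without it, so no module can run and no facts can be gathered yet);
# the second play prepares every platform for the role under test.
- name: Prepare Archlinux host
  hosts: all
  become: true
  # Fact gathering requires Python on the target, which this play installs.
  gather_facts: false
  tasks:
    # raw bypasses the module system and so works without Python on the target.
    # changed_when: false keeps this bootstrap step from being reported as a
    # change on every run.  The lookup is evaluated on the controller, so
    # MOLECULE_DISTRO is read from the controller's environment, not the VM's.
    # NOTE(review): `pacman -Sy <pkg>` refreshes the database and installs
    # without a full `-u` upgrade (a partial upgrade); acceptable on a
    # throwaway test VM, but worth confirming if the image is reused.
    - name: Install python, since it's not installed by default
      ansible.builtin.raw: pacman --noconfirm -Sy python
      changed_when: false
      when: lookup('env', 'MOLECULE_DISTRO') == 'generic/arch'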
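# Second play: platform-specific preparation before os_hardening is applied.
# Facts are referenced through `ansible_facts.*` throughout so the play does
# not depend on facts being injected as top-level variables
# (inject_facts_as_vars); the original mixed `ansible_os_family` and
# `ansible_facts.os_family`.
- name: Wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing
  hosts: all
  become: true
  # Proxy settings are forwarded from the controller's environment.  The env
  # lookup returns '' (not undefined) for an unset variable, so a plain
  # default(omit) would still export empty proxy variables; the second
  # argument treats an empty value as unset and omits the key instead.
  environment:
    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit, true) }}"
    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit, true) }}"
    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit, true) }}"
  tasks:
    - name: Set ansible_python_interpreter to "/usr/bin/python3" on fedora
      ansible.builtin.set_fact:
        ansible_python_interpreter: /usr/bin/python3
      when: ansible_facts.distribution == 'Fedora'

    # Hold grub-pc so the apt upgrade below does not try to reconfigure it.
    - name: Block update of Grub, because of error
      ansible.builtin.dpkg_selections:
        name: grub-pc
        selection: hold
      when: ansible_facts.os_family == 'Debian'

    # we need to free up space, since the /boot partition in some Vagrant images is
    # pretty small and system updates might fail
    - name: Find all initrd.img to delete them
      ansible.builtin.find:
        paths: /boot
        patterns: "initrd.img*"
      register: find_results
      when: ansible_facts.os_family == 'Debian'

    # On non-Debian hosts find_results is a skipped result without a 'files'
    # key; the task is only required to template the loop when its `when`
    # is true, so the same Debian guard keeps this safe on other platforms.
    - name: Delete all initrd.img to free space on /boot
      ansible.builtin.file:
        path: "{{ item['path'] }}"
        state: absent
      loop: "{{ find_results['files'] }}"
      when: ansible_facts.os_family == 'Debian'

    - name: Run the equivalent of "apt-get update && apt-get upgrade"
      ansible.builtin.apt:
        upgrade: safe
        update_cache: true
      when: ansible_facts.os_family == 'Debian'

    - name: Install required tools on SuSE
      # cannot use zypper module, since it depends on python-xml
      ansible.builtin.command: zypper -n install python-xml
      changed_when: false
      when: ansible_facts.os_family == 'Suse'

    - name: Install required tools on fedora
      ansible.builtin.dnf:
        name:
          - python
          - findutils
          - procps-ng
          - python3-libselinux
      when: ansible_facts.distribution == 'Fedora'

    - name: Install required tools on Arch
      community.general.pacman:
        name:
          - awk
        state: present
        update_cache: true
      when: ansible_facts.os_family == 'Archlinux'

    # NOTE(review): this task has no `when` guard, so dnf is attempted on
    # every platform and ignore_errors masks the failure elsewhere (hence the
    # noqa marker).  Confirm that is intended rather than a missing
    # `when: ansible_facts.os_family == 'RedHat'`.
    - name: Install required tools on RHEL  # noqa ignore-errors
      ansible.builtin.dnf:
        name:
          - openssh-clients
          - openssh
        state: present
        update_cache: true
      ignore_errors: true

    # Test fixture: deliberately creates a symlink loop under /usr/bin so the
    # role's minimize-access handling is exercised.  Fixed command string,
    # no templated input.
    - name: Create recursing symlink to test minimize access
      ansible.builtin.shell: rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz
      changed_when: false

    - name: Unmount EFI partition to get rid of vfat filesystem (qemu has no firmware image that inspec can detect)
      ansible.posix.mount:
        path: /boot/efi
        state: unmounted
      when: ansible_facts.distribution == 'Fedora'

    - name: Include YUM prepare tasks
      ansible.builtin.include_tasks: prepare_tasks/yum.yml
      when: ansible_facts.os_family == 'RedHat'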