fix problems with efi and vfat

dev-sec · Sep 2, 2018 · f4a79d7 · f4a79d7
1 parent 3da0d92
commit f4a79d7
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -219,7 +219,7 @@ sysctl_config:
   # example via package removal (e.g. wine, dosemu).  Therefore, this value
   # is reset to the secure default each time the sysctl values are loaded.
   vm.mmap_min_addr: 65536
-          
+
   # These settings eliminate an entire class of security vulnerability:
   # time-of-check-time-of-use cross-privilege attacks using guessable
   # filenames (generally seen as "/tmp file race" vulnerabilities).
@@ -246,4 +246,4 @@ os_filesystem_whitelist: []
 
 # Set to false to turn the role into a no-op. Useful when using
 # the Ansible role dependency mechanism.
-os_hardening_enabled: true
+os_hardening_enabled: true
diff --git a/tasks/modprobe.yml b/tasks/modprobe.yml
@@ -4,6 +4,17 @@
     name: '{{modprobe_package}}'
     state: 'present'
 
+- name: check if efi is installed
+  stat:
+    path: "/tmp"
+    #path: "/sys/firmware/efi"
+  register: efi_installed
+
+- name: remove vfat from fs-list if efi is used
+  set_fact:
+    os_unused_filesystems: "{{ os_unused_filesystems | difference('vfat') }}"
+  when: efi_installed.stat.isdir is defined and efi_installed.stat.isdir
+
 - name: disable unused filesystems | os-10
   template:
     src: 'etc/modprobe.d/modprobe.j2'