diff --git a/roles/ansible-os-hardening/tasks/main.yml b/roles/ansible-os-hardening/tasks/main.yml
index 92a6bb88d..539bf826d 100644
--- a/roles/ansible-os-hardening/tasks/main.yml
+++ b/roles/ansible-os-hardening/tasks/main.yml
@@ -10,4 +10,6 @@
 - include: securetty.yml
 - include: suid_sgid.yml
 - include: sysctl.yml
+ - include: yum.yml
+ when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
diff --git a/roles/ansible-os-hardening/tasks/yum.yml b/roles/ansible-os-hardening/tasks/yum.yml
index f53eb4384..3167a328c 100644
--- a/roles/ansible-os-hardening/tasks/yum.yml
+++ b/roles/ansible-os-hardening/tasks/yum.yml
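Review bot: The guard on the new include keys on distribution family, but yum.yml edits `/etc/yum.conf` and calls the `yum` module, so `when: ansible_pkg_mgr == 'yum'` states the real precondition and also excludes RedHat-family hosts that have moved to dnf, where a `replace` against a missing `/etc/yum.conf` would fail the play. As far as I know Ansible's facts already report Oracle Linux under the `RedHat` family, so the `'Oracle Linux'` half of the condition may be dead; worth checking against a real host before relying on it. Confirm `ansible_pkg_mgr` is available on the oldest Ansible version the role supports.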
@@ -1,8 +1,36 @@
 ---
-- name: activate gpg-check for yum-repos in yum.conf
- shell: "sed -i 's/gpgcheck=0/gpgcheck=1/g' /etc/yum.conf"
- when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
+- name: remove unused repositories
+ file: name='/etc/yum.repos.d/{{item}}.repo' state=absent
+ with_items:
+ - 'CentOS-Debuginfo'
+ - 'CentOS-Media'
+ - 'CentOS-Vault'
+ when: os_security_packages_clean
 
-- name: activate gpg-check for yum-repos in yum-repositories
- shell: "sed -i 's/gpgcheck=0/gpgcheck=1/g' /etc/yum.repos.d/*.repo"
- when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
+- name: get yum-repository-files
+ shell: 'find /etc/yum.repos.d/ -type f -name *.repo'
+ register: yum_repos
+
+- name: check if rhnplugin.conf exists
+ stat: path='/etc/yum/pluginconf.d/rhnplugin.conf'
+ register: rhnplugin_file
+
+- name: activate gpg-check for yum-repos
+ replace: dest='{{item}}' regexp='^\s*gpgcheck=0' replace='gpgcheck=1'
+ with_items:
+ - '{{ yum_repos.stdout_lines }}'
+ - '/etc/yum.conf'
+
+- name: activate gpg-check for yum rhn if it exists
+ replace: dest='/etc/yum/pluginconf.d/rhnplugin.conf' regexp='^\s*gpgcheck=0' replace='gpgcheck=1'
+ when: rhnplugin_file.stat.exists
+
+- name: remove packages
+ yum: name='{{item}}' state=removed
+ with_items:
+ - xinetd
+ - inetd
+ - ypserv
+ - telnet-server
+ - rsh-server
+ when: os_security_packages_clean
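Review bot: The `activate gpg-check for yum-repos` task only rewrites an explicit `gpgcheck=0`, so a repo file or `/etc/yum.conf` that has no `gpgcheck` key at all is left as is and, as far as I recall yum's defaults, keeps signature checking off; a `lineinfile` that adds the key when missing, something like `lineinfile: dest=/etc/yum.conf regexp='^\s*gpgcheck\s*=' line='gpgcheck=1' insertafter='^\[main\]'`, would make the control positive instead of merely corrective. The same regexp misses the `gpgcheck = 0` spelling yum's INI parser accepts, so `regexp='^\s*gpgcheck\s*=\s*0'` is the safer pattern for both `replace` tasks. In `get yum-repository-files` the `*.repo` glob is unquoted and will be expanded by the shell before `find` sees it if the working directory happens to contain matching files, and the task reports changed on every run; `shell: "find /etc/yum.repos.d/ -type f -name '*.repo'"` with `changed_when: false` fixes both. Note also that `replace` fails on a missing `dest`, so `/etc/yum.conf` deserves the same `stat` guard the rhnplugin.conf task already has.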