From 66e258da7e2381fd60129305126c884207950d2a Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Thu, 28 May 2015 21:20:04 +0000
Subject: [PATCH 1/3] Add task to remove unused repos and pkgs
---
roles/ansible-os-hardening/tasks/main.yml | 2 ++
roles/ansible-os-hardening/tasks/yum.yml | 20 ++++++++++++++++++--
2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/roles/ansible-os-hardening/tasks/main.yml b/roles/ansible-os-hardening/tasks/main.yml
index 92a6bb88d..539bf826d 100644
--- a/roles/ansible-os-hardening/tasks/main.yml
+++ b/roles/ansible-os-hardening/tasks/main.yml
@@ -10,4 +10,6 @@ - include: securetty.yml - include: suid_sgid.yml - include: sysctl.yml + - include: yum.yml + when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
diff --git a/roles/ansible-os-hardening/tasks/yum.yml b/roles/ansible-os-hardening/tasks/yum.yml
index f53eb4384..189102948 100644
--- a/roles/ansible-os-hardening/tasks/yum.yml
+++ b/roles/ansible-os-hardening/tasks/yum.yml
@@ -1,8 +1,24 @@ --- - name: activate gpg-check for yum-repos in yum.conf shell: "sed -i 's/gpgcheck=0/gpgcheck=1/g' /etc/yum.conf" - when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux' - name: activate gpg-check for yum-repos in yum-repositories shell: "sed -i 's/gpgcheck=0/gpgcheck=1/g' /etc/yum.repos.d/*.repo" - when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux' + +- name: remove unused repositories file: name='/etc/yum.repos.d/{{item}}.repo' state=absent with_items: - 'CentOS-Debuginfo' - 'CentOS-Media' - 'CentOS-Vault' when: os_security_packages_clean + +- name: remove packages yum: name='{{item}}' state=removed with_items: - xinetd - inetd - ypserv - telnet-server - rsh-server when: os_security_packages_clean
From c9252b167f4d2e0cd32cfd51446383abfdcb1988 Mon Sep 17 00:00:00 2001
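Review bot: The `when:` added to the `yum.yml` include in main.yml tests `ansible_os_family == 'Oracle Linux'`, but as far as I know Ansible's setup facts report Oracle Linux hosts with `ansible_os_family == 'RedHat'` (the distribution name is `OracleLinux`), so the second clause is probably never true. If that holds, `when: ansible_os_family == 'RedHat'` states the intent more clearly and avoids a condition that looks like it covers a case it does not. Worth verifying on an Oracle Linux host before dropping it.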
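Review bot: Both new tasks in yum.yml (`remove unused repositories`, `remove packages`) gate on `when: os_security_packages_clean`, but nothing in this patch declares that variable, so on a host where the role's defaults do not define it the conditional would likely fail with an undefined-variable error instead of skipping the task. Either add a default in the role's defaults file (not part of this diff) or write `when: os_security_packages_clean | default(false)` so the clean-up stays opt-in. The `remove packages` list also contains `inetd` next to `xinetd`; if no package of that name exists on RHEL-family systems, `state=removed` is a harmless no-op there, but a short comment such as `# inetd: kept for non-xinetd installs; no-op where the package is absent` would stop it reading as a typo.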
From: Sebastian Gumprich
Date: Thu, 28 May 2015 21:33:56 +0000
Subject: [PATCH 2/3] add gpgcheck rhnplugin.conf, consolidate task
---
roles/ansible-os-hardening/tasks/yum.yml | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/roles/ansible-os-hardening/tasks/yum.yml b/roles/ansible-os-hardening/tasks/yum.yml
index 189102948..cdd4a3f38 100644
--- a/roles/ansible-os-hardening/tasks/yum.yml
+++ b/roles/ansible-os-hardening/tasks/yum.yml
@@ -1,10 +1,4 @@ --- -- name: activate gpg-check for yum-repos in yum.conf - shell: "sed -i 's/gpgcheck=0/gpgcheck=1/g' /etc/yum.conf" - -- name: activate gpg-check for yum-repos in yum-repositories - shell: "sed -i 's/gpgcheck=0/gpgcheck=1/g' /etc/yum.repos.d/*.repo" - - name: remove unused repositories file: name='/etc/yum.repos.d/{{item}}.repo' state=absent with_items:
@@ -13,6 +7,15 @@ - 'CentOS-Vault' when: os_security_packages_clean +- name: activate gpg-check for yum-repos + shell: "sed -i 's/gpgcheck=0/gpgcheck=1/g' {{item}}" + with_items: + - '/etc/yum.conf' + - '/etc/yum.repos.d/*.repo' + +- name: activate gpg-check for yum rhn if it exists + shell: sed -i 's/gpgcheck=0/gpgcheck=1/g' /etc/yum/pluginconf.d/rhnplugin.conf removes='/etc/yum/pluginconf.d/rhnplugin.conf' + - name: remove packages yum: name='{{item}}' state=removed with_items:
From e6f2253c493ecb423eb56eb3a257c93ad110a7c6 Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Sun, 31 May 2015 20:57:28 +0000
Subject: [PATCH 3/3] replace sed with replace-module
---
roles/ansible-os-hardening/tasks/yum.yml | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/roles/ansible-os-hardening/tasks/yum.yml b/roles/ansible-os-hardening/tasks/yum.yml
index cdd4a3f38..3167a328c 100644
--- a/roles/ansible-os-hardening/tasks/yum.yml
+++ b/roles/ansible-os-hardening/tasks/yum.yml
@@ -7,14 +7,23 @@ - 'CentOS-Vault' when: os_security_packages_clean +- name: get yum-repository-files + shell: 'find /etc/yum.repos.d/ -type f -name *.repo' + register: yum_repos + +- name: check if rhnplugin.conf exists + stat: path='/etc/yum/pluginconf.d/rhnplugin.conf' + register: rhnplugin_file + - name: activate gpg-check for yum-repos - shell: "sed -i 's/gpgcheck=0/gpgcheck=1/g' {{item}}" + replace: dest='{{item}}' regexp='^\s*gpgcheck=0' replace='gpgcheck=1' with_items: + - '{{ yum_repos.stdout_lines }}' - '/etc/yum.conf' - - '/etc/yum.repos.d/*.repo' - name: activate gpg-check for yum rhn if it exists - shell: sed -i 's/gpgcheck=0/gpgcheck=1/g' /etc/yum/pluginconf.d/rhnplugin.conf removes='/etc/yum/pluginconf.d/rhnplugin.conf' + replace: dest='/etc/yum/pluginconf.d/rhnplugin.conf' regexp='^\s*gpgcheck=0' replace='gpgcheck=1' + when: rhnplugin_file.stat.exists - name: remove packages yum: name='{{item}}' state=removed
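Review bot: In the new `get yum-repository-files` task the `*.repo` pattern is unquoted at the shell level, so the shell may expand it against the current working directory before `find` ever sees it; quote it, `shell: "find /etc/yum.repos.d/ -type f -name '*.repo'"`, and add `changed_when: false` since the task only reads. The `regexp='^\s*gpgcheck=0'` used by both `replace` tasks matches only that exact spelling; yum's INI-style parser, as far as I know, also accepts spaces around `=`, so `regexp='^\s*gpgcheck\s*=\s*0\s*$'` would catch those variants and avoid touching a value that merely starts with 0. Repo files that omit `gpgcheck` altogether are left untouched by either task and keep inheriting whatever `[main]` in /etc/yum.conf says, which deserves a comment on the task so nobody assumes every repository ends up with signature checking enforced. The `remove packages` task continues past the end of the hunk.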