6 changes: 3 additions & 3 deletions tasks/hardening.yml
Expand Up @@ -8,9 +8,9 @@
- '{{ ansible_os_family }}.yml'

- name: get openssh-version
shell: ssh -V 2>&1 | sed -r 's/.*_([0-9]*\.[0-9]).*/\1/g'
shell: set -o pipefail && ssh -V 2>&1 | sed -r 's/.*_([0-9]*\.[0-9]).*/\1/g'
args:
executable: /bin/sh
executable: /bin/bash
changed_when: false
register: sshd_version
check_mode: no
Expand Down Expand Up @@ -62,7 +62,7 @@

- name: include tasks to setup ca keys and principals
include_tasks: ca_keys_and_principals.yml
when: ssh_trusted_user_ca_keys_file != ''
when: ssh_trusted_user_ca_keys_file | length > 0

- name: include tasks to setup 2FA
include_tasks: 2fa.yml
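Review bot: `check_mode: no` on the "get openssh-version" task (the hunk at `@@ -8,9 +8,9 @@`) keeps a YAML 1.1 truthy spelling that yamllint's `truthy` rule flags; since the surrounding lines are being touched anyway, write `check_mode: false`. The sed capture `([0-9]*\.[0-9])` keeps only one digit of the minor version, so a two-digit minor would be silently truncated — if that is accepted, say so next to the task, e.g. `# extracts major.minor (single-digit minor) from "OpenSSH_X.Yp1"`. With `set -o pipefail` now in place, a missing `ssh` binary fails the task instead of registering an empty string; that is presumably the intended stricter behaviour, but worth a comment since `register: sshd_version` is read elsewhere. The task itself runs the client `ssh -V` and registers it as `sshd_version`; fine where both ship from one package, but the name invites confusion.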
13 changes: 8 additions & 5 deletions tasks/selinux.yml
Expand Up @@ -15,7 +15,9 @@
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'

- name: check if ssh_password module is already installed
shell: 'semodule -l | grep ssh_password'
shell: 'set -o pipefail && semodule -l | grep ssh_password'
args:
executable: /bin/bash
register: ssh_password_module
failed_when: false
changed_when: false
Expand All @@ -38,17 +40,18 @@
dest: '{{ ssh_custom_selinux_dir }}'

- name: check and compile policy
shell: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password
command: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password

- name: create selinux policy module package
shell: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp -m {{ ssh_custom_selinux_dir }}/ssh_password.mod
command: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp -m {{ ssh_custom_selinux_dir }}/ssh_password.mod

- name: install selinux policy
shell: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp
command: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp

when: not ssh_use_pam and sestatus.stdout != 'Disabled' and ssh_password_module.stdout.find('ssh_password') != 0

# The following tasks only get executed when selinux is installed, UsePam is 'yes' and the ssh_password module is installed.
- name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk (http://danwalsh.livejournal.com/12333.html)
# See http://danwalsh.livejournal.com/12333.html for more info
- name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk
command: semodule -r ssh_password
when: ssh_use_pam and ssh_password_module.stdout.find('ssh_password') == 0
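Review bot: The `when:` on the block closing the `@@ -38,17 +40,18 @@` hunk, and the one on "remove selinux-policy when Pam is used", test `ssh_password_module.stdout.find('ssh_password') != 0` / `== 0`, which only works if the module name is the first character of the registered output; `find()` returns -1 when absent and a positive index for any other position, and the positive case is misclassified as "not installed" here and as "installed" in the removal task. The membership test is what is meant: `when: not ssh_use_pam and sestatus.stdout != 'Disabled' and 'ssh_password' not in ssh_password_module.stdout` and `when: ssh_use_pam and 'ssh_password' in ssh_password_module.stdout`. The block that this `when:` belongs to starts above the hunk. Note that with `set -o pipefail` on the "check if ssh_password module is already installed" task (the `@@ -15,7 +15,9 @@` hunk), `grep` finding nothing now yields rc 1, which `failed_when: false` already tolerates, so that change is consistent.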