public-health-ch/ansible/roles/dev-sec.os-hardening/tasks/modprobe.yml

32 lines
1 KiB
YAML
Raw Permalink Normal View History

2018-12-17 12:50:15 +00:00
---
- name: install modprobe to disable filesystems | os-10
package:
2020-05-15 20:41:39 +00:00
name: '{{ modprobe_package }}'
2018-12-17 12:50:15 +00:00
state: 'present'
- name: check if efi is installed
stat:
path: "/sys/firmware/efi"
register: efi_installed
- name: remove vfat from fs-list if efi is used
set_fact:
os_unused_filesystems: "{{ os_unused_filesystems | difference('vfat') }}"
2021-02-18 15:40:18 +00:00
when:
- efi_installed.stat.isdir is defined
- efi_installed.stat.isdir
- name: remove used filesystems from fs-list
set_fact:
os_unused_filesystems: "{{ os_unused_filesystems | difference(ansible_mounts | map(attribute='fstype') | list) }}"
# we cannot do this on el6 and below, because these systems don't support the map function
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
2018-12-17 12:50:15 +00:00
- name: disable unused filesystems | os-10
template:
src: 'etc/modprobe.d/modprobe.j2'
dest: '/etc/modprobe.d/dev-sec.conf'
owner: 'root'
group: 'root'
2020-05-15 20:41:39 +00:00
mode: '0644'