public-health-ch/ansible/roles/dev-sec.os-hardening/tasks/yum.yml

---
- name: remove unused repositories
  file:
    name: '/etc/yum.repos.d/{{ item }}.repo'
    state: 'absent'
  with_items:
    - 'CentOS-Debuginfo'
    - 'CentOS-Media'
    - 'CentOS-Vault'
  when: os_security_packages_clean

- name: get yum-repository-files
  shell: 'find /etc/yum.repos.d/ -type f -name *.repo'
  changed_when: False
  register: yum_repos

- name: check if rhnplugin.conf exists
  stat:
    path: '/etc/yum/pluginconf.d/rhnplugin.conf'
  register: rhnplugin_file

  # for the 'default([])' see here:
  # https://github.com/dev-sec/ansible-os-hardening/issues/99 and
  # https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause
- name: activate gpg-check for yum-repos
  replace:
    dest: '{{ item }}'
    regexp: '^\s*gpgcheck: 0'
    replace: 'gpgcheck: 1'
  with_flattened:
    - '/etc/yum.conf'
    - '{{ yum_repos.stdout_lines| default([]) }}'

- name: activate gpg-check for yum rhn if it exists
  replace:
    dest: '/etc/yum/pluginconf.d/rhnplugin.conf'
    regexp: '^\s*gpgcheck: 0'
    replace: 'gpgcheck: 1'
  when: rhnplugin_file.stat.exists

- name: remove deprecated or insecure packages | package-01 - package-09
  yum:
    name: '{{ item }}'
    state: 'absent'
  with_items:
    - '{{ os_security_packages_list }}'
  when: os_security_packages_clean
Ansible deployment 2017-04-24 12:22:51 +00:00			`---`
			`- name: remove unused repositories`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`file:`
			`name: '/etc/yum.repos.d/{{ item }}.repo'`
			`state: 'absent'`
Ansible deployment 2017-04-24 12:22:51 +00:00			`with_items:`
			`- 'CentOS-Debuginfo'`
			`- 'CentOS-Media'`
			`- 'CentOS-Vault'`
			`when: os_security_packages_clean`

			`- name: get yum-repository-files`
			`shell: 'find /etc/yum.repos.d/ -type f -name *.repo'`
			`changed_when: False`
			`register: yum_repos`

			`- name: check if rhnplugin.conf exists`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`stat:`
			`path: '/etc/yum/pluginconf.d/rhnplugin.conf'`
Ansible deployment 2017-04-24 12:22:51 +00:00			`register: rhnplugin_file`

Updated Ansible roles 2018-12-17 12:50:15 +00:00			`# for the 'default([])' see here:`
Ansible deployment 2017-04-24 12:22:51 +00:00			`# https://github.com/dev-sec/ansible-os-hardening/issues/99 and`
			`# https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause`
			`- name: activate gpg-check for yum-repos`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`replace:`
			`dest: '{{ item }}'`
			`regexp: '^\s*gpgcheck: 0'`
			`replace: 'gpgcheck: 1'`
			`with_flattened:`
Ansible deployment 2017-04-24 12:22:51 +00:00			`- '/etc/yum.conf'`
			`- '{{ yum_repos.stdout_lines\| default([]) }}'`

			`- name: activate gpg-check for yum rhn if it exists`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`replace:`
			`dest: '/etc/yum/pluginconf.d/rhnplugin.conf'`
			`regexp: '^\s*gpgcheck: 0'`
			`replace: 'gpgcheck: 1'`
Ansible deployment 2017-04-24 12:22:51 +00:00			`when: rhnplugin_file.stat.exists`

Updated Ansible roles 2018-12-17 12:50:15 +00:00			`- name: remove deprecated or insecure packages \| package-01 - package-09`
			`yum:`
			`name: '{{ item }}'`
			`state: 'absent'`
Ansible deployment 2017-04-24 12:22:51 +00:00			`with_items:`
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`- '{{ os_security_packages_list }}'`
Ansible deployment 2017-04-24 12:22:51 +00:00			`when: os_security_packages_clean`