public-health-ch/ansible/roles/dev-sec.os-hardening/tasks/yum.yml


---
- name: remove unused repositories
  # Drop repository definitions a hardened host does not need, so nothing
  # can be pulled from them later. Guarded by the same switch as the
  # package clean-up at the end of this file.
  # NOTE(review): these file names follow the classic CentOS layout; other
  # releases may name the files differently — verify on the target.
  when: os_security_packages_clean | bool
  file:
    path: "/etc/yum.repos.d/{{ item }}.repo"
    state: "absent"
  loop:
    - "CentOS-Debuginfo"
    - "CentOS-Media"
    - "CentOS-Vault"
- name: get yum-repository-files
  # Collect every *.repo definition so the following task can enforce
  # gpgcheck in each of them; the matches are consumed via yum_repos.files.
  find:
    paths:
      - "/etc/yum.repos.d"
    patterns:
      - "*.repo"
  register: yum_repos
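# for the 'default([])' see here:
# https://github.com/dev-sec/ansible-os-hardening/issues/99 and
# https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause
- name: activate gpg-check for yum-repository-files
  # Force package signature checking in every repository definition.
  # Only existing 'gpgcheck' keys are rewritten: a section that has none
  # falls back to the main-config default, which the next task sets to 1.
  # 'repo_gpgcheck', 'gpgkey' URLs and 'baseurl' transports are not touched
  # here — review them separately if metadata signing matters to you.
  replace:
    path: '{{ item.path }}'
    # '\W' pins the match to the exact 'gpgcheck' key (same pattern as the
    # main-config task below) instead of any key that merely starts with it.
    regexp: '^\s*gpgcheck\W.*'
    replace: 'gpgcheck=1'
  # yum_repos.files is undefined/empty when find matched nothing;
  # default([]) keeps the loop from raising on an undefined variable.
  loop: '{{ yum_repos.files | default([]) }}'
  loop_control:
    # find results carry full stat data; print only the path per iteration.
    label: '{{ item.path }}'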
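# failed_when is needed because by default the replace module fails if the
# file doesn't exist. Only rc 257 (the module's "path does not exist" code)
# is ignored; every other failure — including ones that carry no rc at all,
# such as a write error — must still be raised.
- name: activate gpg-check for config files
  # Set the global gpgcheck default so repositories without an explicit
  # 'gpgcheck' key still verify package signatures.
  replace:
    path: '{{ item }}'
    regexp: '^\s*gpgcheck\W.*'
    replace: 'gpgcheck=1'
  register: status
  # A missing file is acceptable (not every target has all three); anything
  # else that failed is a real error. The former condition
  # 'status.rc is defined and status.rc != 257' silently swallowed failures
  # that report no rc, so they never surfaced in the play.
  failed_when: status is failed and (status.rc | default(-1)) != 257
  loop:
    - '/etc/yum.conf'
    - '/etc/dnf/dnf.conf'
    - '/etc/yum/pluginconf.d/rhnplugin.conf'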
- name: remove deprecated or insecure packages | package-01 - package-09
  # Purge every package named in os_security_packages_list, guarded by the
  # same switch as the repository clean-up at the top of this file.
  # NOTE(review): package removal also takes out anything that depends on a
  # listed package — check the list against what the host actually needs.
  when: os_security_packages_clean | bool
  yum:
    name: "{{ os_security_packages_list }}"
    state: "absent"