ungleich-public/public-health-ch
6
1
Fork 0
Code Issues Pull requests 1 Projects Releases Wiki Activity
public-health-ch/ansible/roles/dev-sec.ssh-hardening/tasks/selinux.yml
Oleg Lavrovsky 0a6dcf6cc7 Updated Ansible setup
2020-05-15 22:41:39 +02:00

56 lines
2.1 KiB
YAML
Raw Blame History

---
- name: install selinux dependencies when selinux is installed
package:
name: '{{ ssh_selinux_packages }}'
state: present
- name: "authorize {{ ssh_server_ports }} ports for selinux"
seport:
ports: '{{ item }}'
proto: tcp
setype: ssh_port_t
state: present
with_items:
- "{{ ssh_server_ports }}"
- name: check if ssh_password module is already installed
shell: 'set -o pipefail && semodule -l | grep ssh_password'
args:
executable: /bin/bash
register: ssh_password_module
failed_when: false
changed_when: false
check_mode: no
# The following tasks only get executed when selinux is in state enforcing, UsePam is 'no' and the ssh_password module is installed.
# See this issue for more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23
- block:
- name: Create selinux custom policy drop folder
file:
path: '{{ ssh_custom_selinux_dir }}'
state: 'directory'
owner: 'root'
group: 'root'
mode: '0750'
- name: Distributing custom selinux policies
copy:
src: 'ssh_password'
dest: '{{ ssh_custom_selinux_dir }}'
- name: check and compile policy
command: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password
- name: create selinux policy module package
command: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp -m {{ ssh_custom_selinux_dir }}/ssh_password.mod
- name: install selinux policy
command: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp
when: not ssh_use_pam | bool and ssh_password_module.stdout.find('ssh_password') != 0
# The following tasks only get executed when selinux is installed, UsePam is 'yes' and the ssh_password module is installed.
# See http://danwalsh.livejournal.com/12333.html for more info
- name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk
command: semodule -r ssh_password
when: ssh_use_pam | bool and ssh_password_module.stdout.find('ssh_password') == 0
Reference in a new issue View git blame Copy permalink