From 092dfae51bab6edebe961b92e4b5256fb23e778c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Thu, 8 Feb 2024 23:40:03 +0000
Subject: [PATCH] rename default variables to manage_
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
Vagrantfile | 2 +-
defaults/main/aide.yml | 3 ++-
defaults/main/auditd.yml | 2 ++
defaults/main/ntp.yml | 3 ++-
defaults/main/password.yml | 3 ++-
defaults/main/sshd.yml | 2 ++
defaults/main/ufw.yml | 1 +
defaults/main/usbguard.yml | 3 ++-
molecule/almalinux/molecule.yml | 4 ++--
molecule/default/molecule.yml | 6 +++---
molecule/default/verify.yml | 4 ++--
molecule/docker/molecule.yml | 2 +-
tasks/kernelmodules.yml | 2 +-
tasks/main.yml | 10 +++++++---
tasks/password.yml | 2 +-
templates/etc/pam.d/common-account.j2 | 2 +-
templates/etc/pam.d/common-auth.j2 | 2 +-
17 files changed, 33 insertions(+), 20 deletions(-)
diff --git a/Vagrantfile b/Vagrantfile
index 5335f891..4b75576f 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -25,7 +25,7 @@ Vagrant.configure("2") do |config|
 "sshd_admin_net" => ["0.0.0.0/0"],
 "sshd_allow_groups" => ["vagrant", "sudo", "debian", "ubuntu"],
 "system_upgrade" => "false",
- "install_aide" => "false",
+ "manage_aide" => "false",
 }
 end
 end
diff --git a/defaults/main/aide.yml b/defaults/main/aide.yml
index b2c1e5e2..6b9e98f6 100644
--- a/defaults/main/aide.yml
+++ b/defaults/main/aide.yml
@@ -1,3 +1,4 @@
 ---
-install_aide: true
+manage_aide: true
+
 aide_checksums: sha512
diff --git a/defaults/main/auditd.yml b/defaults/main/auditd.yml
index ac956927..594462a6 100644
--- a/defaults/main/auditd.yml
+++ b/defaults/main/auditd.yml
@@ -1,4 +1,6 @@
 ---
+manage_auditd: true
+
 auditd_apply_audit_rules: true
 auditd_action_mail_acct: root
 auditd_admin_space_left_action: suspend
diff --git a/defaults/main/ntp.yml b/defaults/main/ntp.yml
index 8637ede6..8a94d178 100644
--- a/defaults/main/ntp.yml
+++ b/defaults/main/ntp.yml
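Review bot: `manage_auditd: true` in the defaults/main/auditd.yml hunk, like `manage_ssh: true` in the defaults/main/sshd.yml hunk, is a new toggle rather than a rename, yet the diffstat lists no README or documentation change and the visible defaults carry no comment saying what the toggle gates. A one-line comment above each new default would do, e.g. `# When false, tasks/auditd.yml is not included by tasks/main.yml` here and the equivalent for sshconfig.yml in sshd.yml. The commit title only mentions renaming, so the two new variables are easy to miss for anyone reading the history.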
@@ -1,5 +1,6 @@
 ---
-enable_timesyncd: true
+manage_timesyncd: true
+
 fallback_ntp:
 - ntp.netnod.se
 - ntp.ubuntu.com
diff --git a/defaults/main/password.yml b/defaults/main/password.yml
index b0f47afb..9615ce29 100644
--- a/defaults/main/password.yml
+++ b/defaults/main/password.yml
@@ -1,5 +1,6 @@
 ---
-faillock_enable: true
+manage_faillock: true
+
 faillock:
 admin_group: []
 audit: true
diff --git a/defaults/main/sshd.yml b/defaults/main/sshd.yml
index b051752b..02db7854 100644
--- a/defaults/main/sshd.yml
+++ b/defaults/main/sshd.yml
@@ -1,4 +1,6 @@
 ---
+manage_ssh: true
+
 sshd_accept_env: LANG LC_*
 sshd_admin_net:
 - 192.168.0.0/24
diff --git a/defaults/main/ufw.yml b/defaults/main/ufw.yml
index 00eb3907..d945f5ae 100644
--- a/defaults/main/ufw.yml
+++ b/defaults/main/ufw.yml
@@ -1,5 +1,6 @@
 ---
 manage_ufw: true
+
 ufw_outgoing_traffic:
 - 22
 - 53
diff --git a/defaults/main/usbguard.yml b/defaults/main/usbguard.yml
index c87d0a2a..2a8b0c16 100644
--- a/defaults/main/usbguard.yml
+++ b/defaults/main/usbguard.yml
@@ -1,5 +1,6 @@
 ---
-enable_usbguard: true
+manage_usbguard: true
+
 usbguard_configuration_file: /etc/usbguard/usbguard-daemon.conf
 usbguard_rulefile: /etc/usbguard/rules.conf
diff --git a/molecule/almalinux/molecule.yml b/molecule/almalinux/molecule.yml
index 65c05d71..6b65abc0 100644
--- a/molecule/almalinux/molecule.yml
+++ b/molecule/almalinux/molecule.yml
@@ -18,7 +18,7 @@ provisioner:
 inventory:
 host_vars:
 almalinux8:
- enable_timesyncd: false
+ manage_timesyncd: false
 sshd_admin_net:
 - "0.0.0.0/0"
 sshd_allow_groups:
@@ -26,7 +26,7 @@ provisioner:
 - sudo
 suid_sgid_permissions: false
 almalinux9:
- enable_timesyncd: false
+ manage_timesyncd: false
 sshd_admin_net:
 - "0.0.0.0/0"
 sshd_allow_groups:
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index 765c76f8..3955e5fc 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -16,7 +16,7 @@ provisioner:
 host_vars:
 almalinux8:
 disable_wireless: true
- enable_timesyncd: false
+ manage_timesyncd: false
 sshd_admin_net:
 - "0.0.0.0/0"
 sshd_allow_groups:
@@ -26,7 +26,7 @@ provisioner:
 sshd_update_moduli: true
 suid_sgid_permissions: false
 almalinux9:
- enable_timesyncd: false
+ manage_timesyncd: false
 sshd_admin_net:
 - "0.0.0.0/0"
 sshd_allow_groups:
@@ -38,7 +38,7 @@ provisioner:
 ansible_become_pass: vagrant
 ansible_python_interpreter: /usr/bin/python3
 disable_wireless: false
- enable_usbguard: false
+ manage_usbguard: false
 sshd_admin_net:
 - "0.0.0.0/0"
 sshd_allow_groups:
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index 057faa19..6f6f68e7 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -761,7 +761,7 @@
 - NTP={{ ntp | join(' ') }}
 - FallbackNTP={{ fallback_ntp | join(' ') }}
 when:
- - enable_timesyncd
+ - manage_timesyncd
 - ansible_virtualization_type not in ["container", "docker", "podman"]
 - name: Stat /etc/default/motd-news
@@ -994,7 +994,7 @@
 - name: Verify aide configuration
 become: true
 when:
- - install_aide
+ - manage_aide
 block:
 - name: Aide config check
 become: true
diff --git a/molecule/docker/molecule.yml b/molecule/docker/molecule.yml
index 02b1c2ed..fe7e729a 100644
--- a/molecule/docker/molecule.yml
+++ b/molecule/docker/molecule.yml
@@ -16,7 +16,7 @@ provisioner:
 inventory:
 host_vars:
 almalinux9:
- enable_timesyncd: false
+ manage_timesyncd: false
 sshd_admin_net:
 - "0.0.0.0/0"
 sshd_allow_groups:
diff --git a/tasks/kernelmodules.yml b/tasks/kernelmodules.yml
index 188d14aa..774521a7 100644
--- a/tasks/kernelmodules.yml
+++ b/tasks/kernelmodules.yml
@@ -73,7 +73,7 @@
 state: present
 create: true
 with_items:
- - "{{ misc_modules_usbguard if enable_usbguard else misc_modules_blocklist }}"
+ - "{{ misc_modules_usbguard if manage_usbguard else misc_modules_blocklist }}"
 tags:
 - modprobe
 - CCE-80832-9
diff --git a/tasks/main.yml b/tasks/main.yml
index 99b4141f..584cdc6e 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -43,7 +43,7 @@
 ansible.builtin.include_tasks:
 file: usbguard.yml
 when:
- - enable_usbguard
+ - manage_usbguard
 - ansible_virtualization_type not in ["container", "docker", "podman"]
 - name: Configure systemd system and users
@@ -58,7 +58,7 @@
 ansible.builtin.include_tasks:
 file: timesyncd.yml
 when:
- - enable_timesyncd
+ - manage_timesyncd
 - ansible_virtualization_type not in ["container", "docker", "podman"]
 - name: Clean fstab
@@ -110,6 +110,8 @@
 - name: Configure ssh server and client
 ansible.builtin.include_tasks:
 file: sshconfig.yml
+ when:
+ - manage_ssh
 - name: Configure PAM
 ansible.builtin.include_tasks:
@@ -128,6 +130,8 @@
 - name: Configure auditd
 ansible.builtin.include_tasks:
 file: auditd.yml
+ when:
+ - manage_auditd
 - name: Configure AppArmor
 ansible.builtin.include_tasks:
@@ -147,7 +151,7 @@
 ansible.builtin.include_tasks:
 file: aide.yml
 when: >
- install_aide | bool and
+ manage_aide | bool and
 (not (ansible_os_family == "Debian" and (ansible_lsb.codename == "groovy" or ansible_lsb.codename == "hirsute")))
diff --git a/tasks/password.yml b/tasks/password.yml
index da432036..f5f99b6a 100644
--- a/tasks/password.yml
+++ b/tasks/password.yml
@@ -8,7 +8,7 @@
 owner: root
 group: root
 when:
- - faillock_enable | bool
+ - manage_faillock | bool
 tags:
 - common-account
 - common-auth
diff --git a/templates/etc/pam.d/common-account.j2 b/templates/etc/pam.d/common-account.j2
index cea366be..c3bb6dbc 100644
--- a/templates/etc/pam.d/common-account.j2
+++ b/templates/etc/pam.d/common-account.j2
@@ -4,6 +4,6 @@
 account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
 account requisite pam_deny.so
 account required pam_permit.so
-{% if (faillock_enable | bool) %}
+{% if (manage_faillock | bool) %}
 account required pam_faillock.so
 {% endif %}
diff --git a/templates/etc/pam.d/common-auth.j2 b/templates/etc/pam.d/common-auth.j2
index 4ccacb67..a8ffa911 100644
--- a/templates/etc/pam.d/common-auth.j2
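Review bot: The new `- manage_ssh` condition in the `@@ -110` hunk of tasks/main.yml, and `- manage_auditd` in the `@@ -128` hunk, test the bare variable, whereas `manage_aide | bool` later in the same file and `manage_faillock | bool` in tasks/password.yml coerce it; a string value such as the `"false"` the Vagrantfile passes for `manage_aide` is a non-empty string and therefore truthy in the Jinja test Ansible evaluates, so the include would run anyway. Writing `- manage_ssh | bool` and `- manage_auditd | bool` keeps every `manage_*` toggle behaving alike; the `manage_usbguard` and `manage_timesyncd` conditions in the first two hunks have the same gap. Separately, `install_aide`, `enable_timesyncd`, `enable_usbguard` and `faillock_enable` disappear with no compatibility shim, so a consumer still setting any of them silently gets the `true` default from defaults/main instead. An assert before the first include at the top of tasks/main.yml (outside these hunks) would make that misconfiguration fail loudly:
```yaml
# … placed before the first include_tasks in tasks/main.yml …
- name: Reject variable names that were renamed to manage_*
  ansible.builtin.assert:
    that:
      - install_aide is not defined
      - enable_timesyncd is not defined
      - enable_usbguard is not defined
      - faillock_enable is not defined
    fail_msg: >-
      install_aide, enable_timesyncd, enable_usbguard and faillock_enable were
      renamed to manage_aide, manage_timesyncd, manage_usbguard and manage_faillock
```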
+++ b/templates/etc/pam.d/common-auth.j2
@@ -1,7 +1,7 @@
 # {{ ansible_managed }}
 # Generated by Ansible role {{ ansible_role_name }}
-{% if (faillock_enable | bool) %}
+{% if (manage_faillock | bool) %}
 auth required pam_faillock.so preauth
 auth [success=1 default=ignore] pam_unix.so
 auth [default=die] pam_faillock.so authfail