correct grep exit codes

Signed-off-by: Thomas Sjögren <[email protected]>
konstruktoid · Oct 3, 2023 · 468b2f2 · 468b2f2
1 parent 083769f
commit 468b2f2
Show file tree

Hide file tree

Showing 2 changed files with 94 additions and 3 deletions.
diff --git a/f.diff b/f.diff
@@ -0,0 +1,91 @@
+diff --git a/defaults/main/sshd.yml b/defaults/main/sshd.yml
+index 6de918b..f9ef7f2 100644
+--- a/defaults/main/sshd.yml
++++ b/defaults/main/sshd.yml
+@@ -29,7 +29,6 @@ sshd_client_alive_interval: 200
+ sshd_compression: false
+ sshd_config_d_force_clear: false
+ sshd_config_force_replace: false
+-sshd_debian_banner: false
+ sshd_deny_groups: []
+ sshd_deny_users: []
+ sshd_gssapi_authentication: false
+diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
+index 216fa30..8067177 100644
+--- a/molecule/default/verify.yml
++++ b/molecule/default/verify.yml
+@@ -278,11 +278,6 @@
+         sshd_config_parameters: "{{ sshd_config_parameters + ['AuthenticationMethods ' + sshd_authentication_methods] }}"
+       when: ssh_installed_version is version('6.2', '>=')
+
+-    - name: Set sshd_config_parameters DebianBanner
+-      ansible.builtin.set_fact:
+-        sshd_config_parameters: "{{ sshd_config_parameters + ['DebianBanner ' + 'yes' if (sshd_debian_banner | bool) else 'no'] }}"
+-      when: ansible_facts.os_family == 'Debian'
+-
+     - name: Set sshd_config_parameters HostKey
+       ansible.builtin.set_fact:
+         sshd_config_parameters: "{{ sshd_config_parameters + ['HostKey ' + item] }}"
+@@ -308,6 +303,10 @@
+         sshd_config_parameters: "{{ sshd_config_parameters + ['Subsystem sftp ' + sshd_sftp_subsystem] }}"
+       when: sshd_sftp_enabled | bool
+
++    - name: Debug sshd facts
++      ansible.builtin.debug:
++        msg: "{{ sshd_config_parameters }}"
++
+     - name: Verify sshd configuration
+       become: true
+       ansible.builtin.lineinfile:
+@@ -332,17 +331,17 @@
+       loop: "{{ sshd_config_parameters }}"
+       when: sshd_config_directory.stat.exists
+
+-    - name: Verify sshd runtime configuration
+-      become: true
+-      environment:
+-        PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+-      ansible.builtin.command: sshd -T
+-      register: sshd_config
+-      changed_when: false
+-      failed_when: >-
+-        {%- set lower_parameter = item.split( )[0] | lower -%}
+-        {{ ( item | regex_replace('^[^\ ]+', lower_parameter) ) not in sshd_config.stdout_lines }}
+-      loop: "{{ (sshd_config_parameters | reject('regex', 'Allowgroups ') | list) + ['allowgroups vagrant', 'allowgroups sudo'] }}"
++#    - name: Verify sshd runtime configuration
++#      become: true
++#      environment:
++#        PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
++#      ansible.builtin.command: sshd -T
++#      register: sshd_config
++#      changed_when: false
++#      failed_when: >-
++#        {%- set lower_parameter = item.split( )[0] | lower -%}
++#        {{ ( item | regex_replace('^[^\ ]+', lower_parameter) ) not in sshd_config.stdout_lines }}
++#      loop: "{{ (sshd_config_parameters | reject('regex', 'Allowgroups ') | list) + ['allowgroups vagrant', 'allowgroups sudo'] }}"
+
+     - name: Verify sshd runtime ciphers and algorithms
+       become: true
+@@ -364,7 +363,7 @@
+       become: true
+       ansible.builtin.lineinfile:
+         dest: /etc/ssh/ssh_config
+-        line: "{{ item | indent(4) }}"
++        line: "    {{ item }}"
+         state: present
+       check_mode: true
+       register: ssh_config
+diff --git a/templates/etc/ssh/sshd_config.j2 b/templates/etc/ssh/sshd_config.j2
+index 98a0ce9..a9040ac 100644
+--- a/templates/etc/ssh/sshd_config.j2
++++ b/templates/etc/ssh/sshd_config.j2
+@@ -124,9 +124,6 @@ UseDNS {{ 'yes' if (sshd_use_dns | bool) else 'no' }}
+ PrintMotd {{ 'yes' if (sshd_print_motd | bool) else 'no' }}
+ PrintLastLog {{ 'yes' if (sshd_print_last_log | bool) else 'no' }}
+ Banner {{ sshd_banner if sshd_banner else 'none' }}
+-{% if ansible_facts.os_family == 'Debian' %}
+-DebianBanner {{ 'yes' if (sshd_debian_banner | bool) else 'no' }}
+-{% endif %}
+
+ {%+ if sshd_sftp_enabled +%}
+ #######################################################
diff --git a/tasks/post.yml b/tasks/post.yml
@@ -21,7 +21,7 @@
       set -o pipefail
       grubby --info="/boot/vmlinuz-$(uname -r)" | grep "^args.*{{ grub_audit_cmdline }} {{ grub_audit_backlog_cmdline }}"
   changed_when: false
-  failed_when: false
+  failed_when: audit_grubenv.rc > 1
   args:
     executable: /bin/bash
   register: audit_grubenv
@@ -45,8 +45,8 @@
 - name: Stat Debian auditd GRUB settings
   become: true
   ansible.builtin.shell: grep "linux.*{{ grub_audit_cmdline }} {{ grub_audit_backlog_cmdline }}" /boot/grub/grub.cfg
-  changed_when: audit_grub_cfg.rc != 0
-  failed_when: audit_grub_cfg.rc != 0
+  changed_when: false
+  failed_when: audit_grub_cfg.rc > 1
   register: audit_grub_cfg
   when: ansible_os_family == "Debian"
   tags: