split _when: for readability
Signed-off-by: Thomas Sjögren <[email protected]>
konstruktoid committed Feb 8, 2024
1 parent 7bfc5a9 commit ded0701
Showing 33 changed files with 402 additions and 221 deletions.
17 changes: 12 additions & 5 deletions handlers/main.yml
Expand Up @@ -86,7 +86,9 @@
name: ssh
state: restarted
register: ssh_service
failed_when: ssh_service is not success and not 'Could not find the requested service' in ssh_service.msg
failed_when:
- ssh_service is not success
- not 'Could not find the requested service' in ssh_service.msg
when:
- ansible_virtualization_type not in ["container", "docker", "podman"]

Expand All @@ -96,7 +98,9 @@
name: sshd
state: restarted
register: sshd_service
failed_when: sshd_service is not success and not 'Could not find the requested service' in sshd_service.msg
failed_when:
- sshd_service is not success
- not 'Could not find the requested service' in sshd_service.msg
when:
- ansible_virtualization_type not in ["container", "docker", "podman"]

Expand Down Expand Up @@ -133,7 +137,8 @@
become: true
ansible.builtin.dnf:
autoremove: true
when: ansible_os_family == "RedHat"
when:
- ansible_os_family == "RedHat"
tags:
- dnf
- packages
Expand All @@ -158,7 +163,8 @@
update-cracklib
register: update_debian_cracklib
changed_when: update_debian_cracklib.rc == 0
when: ansible_os_family == "Debian"
when:
- ansible_os_family == "Debian"

- name: Update RedHat cracklib
environment:
Expand All @@ -168,7 +174,8 @@
cmd: create-cracklib-dict /usr/share/dict/*
register: update_redhat_cracklib
changed_when: update_redhat_cracklib.rc == 0
when: ansible_os_family == "RedHat"
when:
- ansible_os_family == "RedHat"

- name: Update GRUB
become: true
67 changes: 45 additions & 22 deletions molecule/default/verify.yml
Expand Up @@ -257,7 +257,8 @@
- sshd_config_directory.stat.mode == "0600"
success_msg: "{{ sshd_config_directory.stat.path }} has correct permissions: {{ sshd_config_directory.stat.mode }}"
fail_msg: "{{ sshd_config_directory.stat.path }} permissions are incorrect: {{ sshd_config_directory.stat.mode }}"
when: sshd_config_directory.stat.exists
when:
- sshd_config_directory.stat.exists

- name: Verify sshd PermitRootLogin configuration
become: true
Expand All @@ -278,7 +279,8 @@
check_mode: true
register: sshd_config_d
failed_when: sshd_config_d is changed
when: sshd_config_directory.stat.exists
when:
- sshd_config_directory.stat.exists

- name: Set sshd_config_parameters
ansible.builtin.set_fact:
Expand Down Expand Up @@ -377,7 +379,8 @@
register: sshd_config
failed_when: sshd_config is changed
loop: "{{ sshd_config_parameters }}"
when: not sshd_config_directory.stat.exists
when:
- not sshd_config_directory.stat.exists

- name: Verify sshd config.d configuration
become: true
Expand All @@ -389,7 +392,8 @@
register: sshd_config
failed_when: sshd_config is changed
loop: "{{ sshd_config_parameters }}"
when: sshd_config_directory.stat.exists
when:
- sshd_config_directory.stat.exists

- name: Set parameters for runtime check
ansible.builtin.set_fact:
Expand Down Expand Up @@ -493,9 +497,10 @@
PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ansible.builtin.shell: grep "^{{ crypto_policy | upper }}$" /etc/crypto-policies/config
register: crypto_policy_set
when: crypto_policies_config
failed_when: crypto_policy_set.rc != 0
changed_when: crypto_policy_set.rc != 0
failed_when: crypto_policy_set.rc != 0
when:
- crypto_policies_config

- name: Verify mounts
when:
Expand Down Expand Up @@ -644,14 +649,16 @@
register: audit_grubenv
failed_when: audit_grubenv.rc != 0
changed_when: audit_grubenv.rc != 0
when: ansible_os_family == "RedHat"
when:
- ansible_os_family == "RedHat"

- name: Verify Debian audit GRUB settings
ansible.builtin.shell: grep "linux.*{{ grub_audit_cmdline }} {{ grub_audit_backlog_cmdline }}" /boot/grub/grub.cfg
register: audit_grub_cfg
failed_when: audit_grub_cfg.rc != 0
changed_when: audit_grub_cfg.rc != 0
when: ansible_os_family == "Debian"
when:
- ansible_os_family == "Debian"

- name: Verify RedHat GRUB IPv6 settings
ansible.builtin.shell:
Expand All @@ -661,15 +668,19 @@
register: audit_grubenv
failed_when: audit_grubenv.rc != 0
changed_when: audit_grubenv.rc != 0
when: ansible_os_family == "RedHat" and disable_ipv6
when:
- ansible_os_family == "RedHat"
- disable_ipv6

- name: Verify Debian GRUB IPv6 settings
ansible.builtin.shell:
cmd: grep "linux.*ipv6.disable=1" /boot/grub/grub.cfg
register: audit_grub_cfg
failed_when: audit_grub_cfg.rc != 0
changed_when: audit_grub_cfg.rc != 0
when: ansible_os_family == "Debian" and disable_ipv6
when:
- ansible_os_family == "Debian"
- disable_ipv6

- name: IPv6 sysctl configuration
become: true
Expand All @@ -688,7 +699,8 @@
with_items:
- net.ipv6.conf.all.disable_ipv6 = 1
- net.ipv6.conf.default.disable_ipv6 = 1
when: disable_ipv6
when:
- disable_ipv6

- name: Verify IPv6 sysctl runtime configuration
environment:
Expand Down Expand Up @@ -776,7 +788,8 @@
ansible.builtin.stat:
path: /usr/bin/pro
register: ubuntu_advantage_pro
when: ansible_os_family == "Debian"
when:
- ansible_os_family == "Debian"

- name: Verify that apt_news is disabled
become: true
Expand All @@ -797,7 +810,8 @@
path: /etc/apt/apt.conf.d/20apt-esm-hook.conf
register: ubuntu_esm_hook
failed_when: ubuntu_esm_hook.stat.exists
when: ansible_os_family == "Debian"
when:
- ansible_os_family == "Debian"

- name: Efi fact
ansible.builtin.set_fact:
Expand All @@ -814,7 +828,8 @@
register: cracklib_passwords
failed_when: cracklib_passwords.rc != 0
changed_when: cracklib_passwords.rc != 0
when: ansible_os_family == "Debian"
when:
- ansible_os_family == "Debian"

- name: Verify username password list
environment:
Expand Down Expand Up @@ -888,7 +903,8 @@
register: faillockconf

- name: Get PAM version
when: faillockconf.stat.exists
when:
- faillockconf.stat.exists
tags:
- common-account
- common-auth
Expand Down Expand Up @@ -932,7 +948,8 @@
{%- for group in faillock.admin_group -%}
admin_group = {{ group }}
{%- endfor -%}
when: faillockconf.stat.exists
when:
- faillockconf.stat.exists

- name: Verify faillock.conf
become: true
Expand All @@ -945,7 +962,8 @@
register: verify_faillock
failed_when: verify_faillock is changed
loop: "{{ faillock_parameters | select() }}"
when: faillockconf.stat.exists
when:
- faillockconf.stat.exists

- name: Verify wireless state
environment:
Expand Down Expand Up @@ -975,7 +993,8 @@

- name: Verify aide configuration
become: true
when: install_aide
when:
- install_aide
block:
- name: Aide config check
become: true
Expand Down Expand Up @@ -1036,24 +1055,28 @@
register: mkpasswd
changed_when: false
failed_when: mkpasswd.rc != 0
when: password_algorithm == "yescrypt"
when:
- password_algorithm == "yescrypt"

- name: Set password
ansible.builtin.set_fact:
password: "{{ mkpasswd.stdout }}"
when: password_algorithm == "yescrypt"
when:
- password_algorithm == "yescrypt"

- name: Create sha512 password hash
vars:
salt: "{{ lookup('password', '/dev/null chars=ascii_lowercase,ascii_uppercase,digits length=16') }}"
ansible.builtin.set_fact:
password: "{{ 'Ansible Role Test User' | password_hash('sha512', salt, rounds=656000) }}"
when: password_algorithm == "sha512"
when:
- password_algorithm == "sha512"

- name: Print password
ansible.builtin.debug:
msg: "{{ password }}"
when: password
when:
- password

- name: Create test user
become: true
33 changes: 23 additions & 10 deletions tasks/aide.yml
Expand Up @@ -5,7 +5,8 @@
name: aide-common
state: present
install_recommends: false
when: ansible_os_family == "Debian"
when:
- ansible_os_family == "Debian"
tags:
- aide
- CIS-UBUNTU2004-1.3.1
Expand All @@ -15,7 +16,8 @@
ansible.builtin.dnf:
name: aide
state: present
when: ansible_os_family == "RedHat"
when:
- ansible_os_family == "RedHat"
tags:
- aide
- CCE-80844-4
Expand All @@ -39,7 +41,8 @@
mode: "0644"
owner: root
group: root
when: not aidecron.stat.exists
when:
- not aidecron.stat.exists
tags:
- aide

Expand All @@ -52,7 +55,8 @@
mode: "0644"
owner: root
group: root
when: not aidecron.stat.exists
when:
- not aidecron.stat.exists
notify:
- Reload systemd
- Enable aidecheck
Expand Down Expand Up @@ -117,7 +121,8 @@
ansible.builtin.stat:
path: /var/lib/aide/aide.db
register: ubuaidedb
when: ansible_os_family == "Debian"
when:
- ansible_os_family == "Debian"
tags:
- aide

Expand All @@ -128,7 +133,8 @@
register: rhelaidedb
changed_when: false
failed_when: false
when: ansible_os_family == "RedHat"
when:
- ansible_os_family == "RedHat"
tags:
- aide

Expand All @@ -139,7 +145,9 @@
register: init_redhat_aide
changed_when: init_redhat_aide.rc != 0
failed_when: init_redhat_aide.rc != 0
when: ansible_os_family == "RedHat" and not rhelaidedb.stat.exists
when:
- ansible_os_family == "RedHat"
- rhelaidedb.stat.exists
tags:
- aide
- CCE-80675-2
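Review bot: The rewritten `when:` on the `rhelaidedb` task drops the `not` that the removed line carried — `ansible_os_family == "RedHat" and not rhelaidedb.stat.exists` became `- rhelaidedb.stat.exists` — so the condition is inverted, and the same inversion appears in the later hunks of this file at `rhelaidedbnew.stat.exists` (@@ -162,7 +171,9 @@) and `ubuaidedb.stat.exists` (@@ -173,6 +184,8 @@), while the `aidecron` hunks above correctly keep `- not aidecron.stat.exists`. Judging by the `init_redhat_aide` and `init_debian_aide` register names, these tasks initialize the AIDE database, so a host with no database would now skip initialization entirely, and a host that already has one would re-initialize it on every run, replacing the integrity baseline with the current filesystem state and defeating the purpose of the check. The three list items should read `- not rhelaidedb.stat.exists`, `- not rhelaidedbnew.stat.exists` and `- not ubuaidedb.stat.exists`. The enclosing task definitions start above each hunk.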
Expand All @@ -151,7 +159,8 @@
register: rhelaidedbnew
changed_when: false
failed_when: false
when: ansible_os_family == "RedHat"
when:
- ansible_os_family == "RedHat"
tags:
- aide

Expand All @@ -162,7 +171,9 @@
register: cp_redhat_aide_db
changed_when: cp_redhat_aide_db.rc != 0
failed_when: cp_redhat_aide_db.rc != 0
when: ansible_os_family == "RedHat" and not rhelaidedbnew.stat.exists
when:
- ansible_os_family == "RedHat"
- rhelaidedbnew.stat.exists
tags:
- aide

Expand All @@ -173,6 +184,8 @@
register: init_debian_aide
changed_when: init_debian_aide.rc != 0
failed_when: init_debian_aide.rc != 0
when: ansible_os_family == "Debian" and not ubuaidedb.stat.exists
when:
- ansible_os_family == "Debian"
- ubuaidedb.stat.exists
tags:
- aide
