diff --git a/molecule/mysql_hardening/converge.yml b/molecule/mysql_hardening/converge.yml index f37a4707..cc0acf16 100644 --- a/molecule/mysql_hardening/converge.yml +++ b/molecule/mysql_hardening/converge.yml @@ -12,22 +12,22 @@ mysql_python_package_debian: python3-pymysql when: - mysql_python_package_debian is not defined - - ansible_distribution == "Ubuntu" - - ansible_distribution_major_version|int > 19 + - ansible_facts.distribution == "Ubuntu" + - ansible_facts.distribution_major_version|int > 19 - name: Determine required MySQL Python libraries. ansible.builtin.set_fact: mysql_python_package_debian: "{% if 'python3' in ansible_python_interpreter | default('') %}python3-mysqldb{% else %}python-mysqldb{% endif %}" when: - mysql_python_package_debian is not defined - - ansible_distribution != "Ubuntu" - - ansible_distribution_major_version|int < 20 + - ansible_facts.distribution != "Ubuntu" + - ansible_facts.distribution_major_version|int < 20 - name: Use Python 3 on Suse ansible.builtin.set_fact: ansible_python_interpreter: /usr/bin/python3 when: - - ansible_os_family == 'Suse' + - ansible_facts.os_family == 'Suse' - name: Include mysql_hardening role ansible.builtin.include_role: diff --git a/molecule/mysql_hardening/molecule.yml b/molecule/mysql_hardening/molecule.yml index 3b8e7251..04bc428a 100644 --- a/molecule/mysql_hardening/molecule.yml +++ b/molecule/mysql_hardening/molecule.yml @@ -23,6 +23,8 @@ provisioner: defaults: interpreter_python: auto_silent callbacks_enabled: profile_tasks, timer + # Currently not supported by dev-sec.mysql role + # inject_facts_as_vars: false verifier: name: ansible diff --git a/molecule/mysql_hardening/prepare.yml b/molecule/mysql_hardening/prepare.yml index 5db579bb..33642775 100644 --- a/molecule/mysql_hardening/prepare.yml +++ b/molecule/mysql_hardening/prepare.yml @@ -17,25 +17,25 @@ ansible.builtin.set_fact: ansible_python_interpreter: /usr/bin/python3 when: - - ansible_distribution == 'Debian' - - ansible_distribution_major_version|int >= 11 + - ansible_facts.distribution == 'Debian' + - ansible_facts.distribution_major_version|int >= 11 - name: Use Python 3 on Suse ansible.builtin.set_fact: ansible_python_interpreter: /usr/bin/python3 when: - - ansible_os_family == 'Suse' + - ansible_facts.os_family == 'Suse' - name: Run the equivalent of "apt-get update && apt-get upgrade" ansible.builtin.apt: upgrade: safe update_cache: true - when: ansible_os_family == 'Debian' + when: ansible_facts.os_family == 'Debian' - name: Install required python packages on Suse ansible.builtin.command: zypper -n install python311-rpm python311-PyMySQL changed_when: false - when: ansible_os_family == 'Suse' + when: ansible_facts.os_family == 'Suse' - name: Create missing directory ansible.builtin.file: @@ -48,23 +48,23 @@ mysql_python_package_debian: python3-pymysql when: - mysql_python_package_debian is not defined - - ansible_distribution == "Ubuntu" - - ansible_distribution_major_version|int > 19 + - ansible_facts.distribution == "Ubuntu" + - ansible_facts.distribution_major_version|int > 19 - name: Determine required MySQL Python libraries. ansible.builtin.set_fact: mysql_python_package_debian: "{% if 'python3' in ansible_python_interpreter | default('') %}python3-mysqldb{% else %}python-mysqldb{% endif %}" when: - mysql_python_package_debian is not defined - - ansible_distribution != "Ubuntu" - - ansible_distribution_major_version|int < 20 + - ansible_facts.distribution != "Ubuntu" + - ansible_facts.distribution_major_version|int < 20 - name: Install required MySQL Python libraries on RHEL ansible.builtin.dnf: name: "{% if 'python3' in ansible_python_interpreter | default('') %}python36-PyMySQL{% else %}python2-PyMySQL{% endif %}" when: - - ansible_os_family == "RedHat" - - ansible_distribution_major_version == "7" + - ansible_facts.os_family == "RedHat" + - ansible_facts.distribution_major_version == "7" - name: Install mysql with a generic Ansible role ansible.builtin.include_role: diff --git a/molecule/mysql_hardening/verify.yml b/molecule/mysql_hardening/verify.yml index 326d6957..fd11388c 100644 --- a/molecule/mysql_hardening/verify.yml +++ b/molecule/mysql_hardening/verify.yml @@ -11,14 +11,14 @@ ansible.builtin.set_fact: ansible_python_interpreter: /usr/bin/python3 when: - - ansible_os_family == 'Suse' + - ansible_facts.os_family == 'Suse' - name: Install procps for debian systems ansible.builtin.apt: name: procps state: present update_cache: true - when: ansible_distribution == 'Debian' + when: ansible_facts.distribution == 'Debian' - name: Include tests for the service ansible.builtin.include_tasks: verify_tasks/service.yml diff --git a/molecule/nginx_hardening/molecule.yml b/molecule/nginx_hardening/molecule.yml index 0c1f2672..37290f29 100644 --- a/molecule/nginx_hardening/molecule.yml +++ b/molecule/nginx_hardening/molecule.yml @@ -22,6 +22,8 @@ provisioner: defaults: interpreter_python: auto_silent callbacks_enabled: profile_tasks, timer + # Currently not supported by geerlingguy.nginx role + # inject_facts_as_vars: false verifier: name: ansible diff --git a/molecule/nginx_hardening/prepare.yml b/molecule/nginx_hardening/prepare.yml index 58a4999c..ba825d0c 100644 --- a/molecule/nginx_hardening/prepare.yml +++ b/molecule/nginx_hardening/prepare.yml @@ -16,7 +16,7 @@ - name: Set correct distribution Version for Amazon Linux ansible.builtin.set_fact: ansible_distribution_major_version: 7 - when: ansible_distribution == 'Amazon' + when: ansible_facts.distribution == 'Amazon' - name: Install nginx with a generic Ansible role ansible.builtin.include_role: diff --git a/molecule/nginx_hardening/verify.yml b/molecule/nginx_hardening/verify.yml index 84a1ed55..90a45eb8 100644 --- a/molecule/nginx_hardening/verify.yml +++ b/molecule/nginx_hardening/verify.yml @@ -12,7 +12,7 @@ name: procps state: present update_cache: true - when: ansible_distribution == 'Debian' + when: ansible_facts.distribution == 'Debian' - name: Verify hosts: localhost diff --git a/molecule/os_hardening/molecule.yml b/molecule/os_hardening/molecule.yml index e61c440c..85186917 100644 --- a/molecule/os_hardening/molecule.yml +++ b/molecule/os_hardening/molecule.yml @@ -18,6 +18,7 @@ provisioner: defaults: interpreter_python: auto_silent callbacks_enabled: profile_tasks, timer + inject_facts_as_vars: false verifier: name: ansible diff --git a/molecule/os_hardening/prepare.yml b/molecule/os_hardening/prepare.yml index 5c187e8c..45c50bc0 100644 --- a/molecule/os_hardening/prepare.yml +++ b/molecule/os_hardening/prepare.yml @@ -16,7 +16,7 @@ ansible.builtin.apt: upgrade: safe update_cache: true - when: ansible_os_family == 'Debian' + when: ansible_facts.os_family == 'Debian' - name: Install required tools on SuSE # cannot use zypper module, since it depends on python-xml diff --git a/molecule/os_hardening/verify_tasks/pw_ageing.yml b/molecule/os_hardening/verify_tasks/pw_ageing.yml index 42b3668d..6bc5d479 100644 --- a/molecule/os_hardening/verify_tasks/pw_ageing.yml +++ b/molecule/os_hardening/verify_tasks/pw_ageing.yml @@ -19,7 +19,7 @@ # this uses the date from the expire_date variable and subtracts the current date. # it should be bigger that the password_expire_min of the user "pw_no_ageing" that: - - ( expiry_date.stdout | trim | to_datetime('%b %d, %Y') - ansible_date_time.date | to_datetime('%Y-%m-%d')).days == 60 + - ( expiry_date.stdout | trim | to_datetime('%b %d, %Y') - ansible_facts.date_time.date | to_datetime('%Y-%m-%d')).days == 60 - name: Get Password Expiry warning days for pw_ageing ansible.builtin.shell: chage -l pw_ageing | grep "warning before password expires" | cut -d ":" -f 2 diff --git a/molecule/os_hardening/verify_tasks/sys_account_shell.yml b/molecule/os_hardening/verify_tasks/sys_account_shell.yml index 30c040ba..3d0ad0a5 100644 --- a/molecule/os_hardening/verify_tasks/sys_account_shell.yml +++ b/molecule/os_hardening/verify_tasks/sys_account_shell.yml @@ -6,4 +6,4 @@ - name: Check that shell_sys_acc's shell is still bash ansible.builtin.assert: that: - - getent_passwd['shell_sys_acc'][5] == "/bin/bash" + - ansible_facts.getent_passwd['shell_sys_acc'][5] == "/bin/bash" diff --git a/molecule/os_hardening_vm/converge.yml b/molecule/os_hardening_vm/converge.yml index b1511d51..910ad4ae 100644 --- a/molecule/os_hardening_vm/converge.yml +++ b/molecule/os_hardening_vm/converge.yml @@ -30,7 +30,7 @@ os_mnt_var_options: rw,nosuid,nodev,compress=zstd:1,subvol=var when: - ansible_facts.distribution == 'Fedora' - - ansible_distribution_major_version|int == 40 + - ansible_facts.distribution_major_version|int == 40 - name: Include os_hardening role ansible.builtin.include_role: diff --git a/molecule/os_hardening_vm/molecule.yml b/molecule/os_hardening_vm/molecule.yml index 834c3d59..46642641 100644 --- a/molecule/os_hardening_vm/molecule.yml +++ b/molecule/os_hardening_vm/molecule.yml @@ -27,6 +27,7 @@ provisioner: callbacks_enabled: profile_tasks, timer # Workaround for https://github.com/ansible-community/molecule-plugins/issues/301 library: "${MOLECULE_PROJECT_DIRECTORY}/plugins/modules:/usr/share/ansible:${MOLECULE_VAGRANT_PLUGIN_DIR}" + inject_facts_as_vars: false verifier: name: ansible env: diff --git a/molecule/os_hardening_vm/prepare.yml b/molecule/os_hardening_vm/prepare.yml index 3e00f47b..7f706c76 100644 --- a/molecule/os_hardening_vm/prepare.yml +++ b/molecule/os_hardening_vm/prepare.yml @@ -26,7 +26,7 @@ ansible.builtin.dpkg_selections: name: grub-pc selection: hold - when: ansible_os_family == 'Debian' + when: ansible_facts.os_family == 'Debian' # we need to free up space, since the /boot partition in some Vagrant images is # pretty small and system updates might fail @@ -35,20 +35,20 @@ paths: /boot patterns: "initrd.img*" register: find_results - when: ansible_os_family == 'Debian' + when: ansible_facts.os_family == 'Debian' - name: Delete all initrd.img to free space on /boot ansible.builtin.file: path: "{{ item['path'] }}" state: absent with_items: "{{ find_results['files'] }}" - when: ansible_os_family == 'Debian' + when: ansible_facts.os_family == 'Debian' - name: Run the equivalent of "apt-get update && apt-get upgrade" ansible.builtin.apt: upgrade: safe update_cache: true - when: ansible_os_family == 'Debian' + when: ansible_facts.os_family == 'Debian' - name: Install required tools on fedora ansible.builtin.dnf: diff --git a/molecule/ssh_hardening/molecule.yml b/molecule/ssh_hardening/molecule.yml index ef3e62f7..e0698333 100644 --- a/molecule/ssh_hardening/molecule.yml +++ b/molecule/ssh_hardening/molecule.yml @@ -18,6 +18,7 @@ provisioner: defaults: interpreter_python: auto_silent callbacks_enabled: profile_tasks, timer + inject_facts_as_vars: false inventory: host_vars: # https://molecule.readthedocs.io/en/latest/examples.html#docker-with-non-privileged-user diff --git a/molecule/ssh_hardening_bsd/molecule.yml b/molecule/ssh_hardening_bsd/molecule.yml index 96deb49e..10f970d2 100644 --- a/molecule/ssh_hardening_bsd/molecule.yml +++ b/molecule/ssh_hardening_bsd/molecule.yml @@ -23,6 +23,7 @@ provisioner: callbacks_enabled: profile_tasks, timer # Workaround for https://github.com/ansible-community/molecule-plugins/issues/301 library: "${MOLECULE_PROJECT_DIRECTORY}/plugins/modules:/usr/share/ansible:${MOLECULE_VAGRANT_PLUGIN_DIR}" + inject_facts_as_vars: false verifier: name: ansible env: diff --git a/molecule/ssh_hardening_custom_tests/molecule.yml b/molecule/ssh_hardening_custom_tests/molecule.yml index f60688ef..773af1ca 100644 --- a/molecule/ssh_hardening_custom_tests/molecule.yml +++ b/molecule/ssh_hardening_custom_tests/molecule.yml @@ -18,6 +18,7 @@ provisioner: defaults: interpreter_python: auto_silent callbacks_enabled: profile_tasks, timer + inject_facts_as_vars: false verifier: name: ansible diff --git a/roles/os_hardening/tasks/ctrlaltdel.yml b/roles/os_hardening/tasks/ctrlaltdel.yml index dae46ad6..3727c31d 100644 --- a/roles/os_hardening/tasks/ctrlaltdel.yml +++ b/roles/os_hardening/tasks/ctrlaltdel.yml @@ -4,4 +4,4 @@ name: ctrl-alt-del.target masked: true daemon_reload: true - when: ansible_service_mgr == "systemd" + when: ansible_facts.service_mgr == "systemd" diff --git a/roles/os_hardening/tasks/limits.yml b/roles/os_hardening/tasks/limits.yml index b6916b4b..faa501c2 100644 --- a/roles/os_hardening/tasks/limits.yml +++ b/roles/os_hardening/tasks/limits.yml @@ -37,7 +37,7 @@ group: root mode: "0755" state: directory - when: ansible_service_mgr == "systemd" + when: ansible_facts.service_mgr == "systemd" - name: Create custom.conf for disabling coredumps ansible.builtin.template: @@ -46,7 +46,7 @@ owner: root group: root mode: "0644" - when: ansible_service_mgr == "systemd" + when: ansible_facts.service_mgr == "systemd" notify: Reload systemd - name: Enable coredumps @@ -56,7 +56,7 @@ ansible.builtin.file: path: /etc/systemd/coredump.conf.d state: absent - when: ansible_service_mgr == "systemd" + when: ansible_facts.service_mgr == "systemd" notify: Reload systemd - name: Remove 10.hardcore.conf config file diff --git a/roles/os_hardening/tasks/minimize_access.yml b/roles/os_hardening/tasks/minimize_access.yml index b0887fe2..f56175e1 100644 --- a/roles/os_hardening/tasks/minimize_access.yml +++ b/roles/os_hardening/tasks/minimize_access.yml @@ -89,7 +89,7 @@ - name: Generate list of current available mounted filesystems on the system ansible.builtin.set_fact: - mountpoints_list: "{{ ansible_mounts | map(attribute='mount') | list }}" + mountpoints_list: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" - name: Append special devices list to valid mountpoint list ansible.builtin.set_fact: diff --git a/roles/os_hardening/tasks/minimize_access_fs.yml b/roles/os_hardening/tasks/minimize_access_fs.yml index 04e53b5d..7aeaf8d4 100644 --- a/roles/os_hardening/tasks/minimize_access_fs.yml +++ b/roles/os_hardening/tasks/minimize_access_fs.yml @@ -13,7 +13,7 @@ - mount.enabled | bool - mount.path in mountpoints_list vars: - mountinfo: "{{ ansible_mounts | selectattr('mount', 'equalto', mount.path) | list | first | default(None) }}" + mountinfo: "{{ ansible_facts.mounts | selectattr('mount', 'equalto', mount.path) | list | first | default(None) }}" notify: Remount filesystems - name: "Check for existence of mount {{ mount.path }}" diff --git a/roles/os_hardening/tasks/modprobe.yml b/roles/os_hardening/tasks/modprobe.yml index 23aad5dc..63bb8a5e 100644 --- a/roles/os_hardening/tasks/modprobe.yml +++ b/roles/os_hardening/tasks/modprobe.yml @@ -18,7 +18,7 @@ - name: Remove used filesystems from fs-list ansible.builtin.set_fact: - os_unused_filesystems: "{{ os_unused_filesystems | difference(ansible_mounts | map(attribute='fstype') | list) }}" + os_unused_filesystems: "{{ os_unused_filesystems | difference(ansible_facts.mounts | map(attribute='fstype') | list) }}" - name: Disable unused filesystems | os-10 ansible.builtin.template: diff --git a/roles/os_hardening/tasks/sysctl.yml b/roles/os_hardening/tasks/sysctl.yml index 7715981e..4e9efd70 100644 --- a/roles/os_hardening/tasks/sysctl.yml +++ b/roles/os_hardening/tasks/sysctl.yml @@ -9,7 +9,7 @@ when: ansible_facts.os_family == 'RedHat' - name: Change sysctls - when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz'] + when: ansible_facts.virtualization_type not in ['docker', 'lxc', 'openvz'] block: - name: Protect sysctl.conf ansible.builtin.file: diff --git a/roles/os_hardening/tasks/user_accounts.yml b/roles/os_hardening/tasks/user_accounts.yml index c139408f..cfdb6899 100644 --- a/roles/os_hardening/tasks/user_accounts.yml +++ b/roles/os_hardening/tasks/user_accounts.yml @@ -4,28 +4,28 @@ database: passwd # creates a dict for each user containing UID/HOMEDIR etc... # skip this task if getent was run before without specifying a key (single entry) - when: getent_passwd is undefined or - getent_passwd | length <= 1 + when: ansible_facts.getent_passwd is undefined or + ansible_facts.getent_passwd | length <= 1 - name: Read local linux shadow database ansible.builtin.getent: database: shadow - name: Extract system accounts from local user database - loop: "{{ getent_passwd.keys() | list }}" + loop: "{{ ansible_facts.getent_passwd.keys() | list }}" when: - - getent_passwd[item][1]|int > 0 - - getent_passwd[item][1]|int <= os_auth_sys_uid_max|int + - ansible_facts.getent_passwd[item][1]|int > 0 + - ansible_facts.getent_passwd[item][1]|int <= os_auth_sys_uid_max|int - item is not in os_always_ignore_users # skip users from "os_always_ignore_users" list (taken from role "vars") - item is not in os_ignore_users # skip users from "os_ignore_users" list (taken from role "defaults") ansible.builtin.set_fact: system_users: "{{ system_users | default([]) + [item] }}" - name: Extract regular (non-system, non-root) accounts from local user database - loop: "{{ getent_passwd.keys() | list }}" + loop: "{{ ansible_facts.getent_passwd.keys() | list }}" when: - - getent_passwd[item][1]|int >= os_auth_uid_min|int - - getent_passwd[item][1]|int <= os_auth_uid_max|int + - ansible_facts.getent_passwd[item][1]|int >= os_auth_uid_min|int + - ansible_facts.getent_passwd[item][1]|int <= os_auth_uid_max|int - item is not in os_always_ignore_users # skip users from "os_always_ignore_users" list (taken from role "vars") - item is not in os_ignore_users # skip users from "os_ignore_users" list (taken from role "defaults") ansible.builtin.set_fact: @@ -42,13 +42,14 @@ - os_user_pw_ageing - regular_users is defined and (regular_users | length > 0) - item not in os_users_without_password_ageing - - getent_shadow[item][0] is not match("\*") # password hashes containing illegal characters like "*" are unusable (locked) and don't need to age - - getent_shadow[item][0] is not match("\!") # password hashes containing illegal characters like "!" are unusable (locked) and don't need to age + # password hashes with illegal characters like "*" or "!" are unusable (locked) and don't need to age + - ansible_facts.getent_shadow[item][0] is not match("\*") + - ansible_facts.getent_shadow[item][0] is not match("\!") - name: Extract root account(s) from local user database - loop: "{{ getent_passwd.keys() | list }}" + loop: "{{ ansible_facts.getent_passwd.keys() | list }}" when: - - getent_passwd[item][1]|int == 0 + - ansible_facts.getent_passwd[item][1]|int == 0 ansible.builtin.set_fact: root_users: "{{ root_users | default([]) + [item] }}" @@ -56,7 +57,7 @@ ansible.builtin.file: mode: "0700" owner: "{{ item }}" - path: "{{ getent_passwd[item][4] }}" + path: "{{ ansible_facts.getent_passwd[item][4] }}" state: directory loop: "{{ root_users }}" when: @@ -71,8 +72,9 @@ loop: "{{ root_users }}" when: - os_rootuser_pw_ageing | bool - - getent_shadow[item][0] is not match("\*") # password hashes containing illegal characters like "*" are unusable (locked) and don't need to age - - getent_shadow[item][0] is not match("\!") # password hashes containing illegal characters like "!" are unusable (locked) and don't need to age + # password hashes with illegal characters like "*" or "!" are unusable (locked) and don't need to age + - ansible_facts.getent_shadow[item][0] is not match("\*") + - ansible_facts.getent_shadow[item][0] is not match("\!") - name: Remove additional users with UID=0 ("root" user is not touched) ansible.builtin.user: @@ -98,13 +100,13 @@ createhome: false loop: "{{ system_users }}" when: - - getent_shadow[item][0] is not match("\!") # password hashes containing illegal characters like "!" are unusable already (locked) + - ansible_facts.getent_shadow[item][0] is not match("\!") # password hashes containing illegal characters like "!" are unusable already (locked) - name: Limit access to home directories of regular (non-system, non-root) accounts ansible.builtin.file: mode: "0700" owner: "{{ item }}" - path: "{{ getent_passwd[item][4] }}" + path: "{{ ansible_facts.getent_passwd[item][4] }}" state: directory loop: "{{ regular_users }}" when: