
Commit 140e3a3

authored
Merge pull request #902 from konstruktoid/issue900
ensure lines are replaced when updating grub_cmdline
2 parents ff9df4a + 4eda45e commit 140e3a3

2 files changed

Lines changed: 12 additions & 11 deletions


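--- a/tasks/kernel.yml
+++ b/tasks/kernel.yml
@@ -4,7 +4,8 @@
 block:
 - name: Configure virtual system calls
 ansible.builtin.lineinfile:
-line: GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
+line: GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall={{ 'none' if not allow_virtual_system_calls else 'emulate' }}"
+regexp: "^GRUB_CMDLINE_LINUX="
 dest: /etc/default/grub.d/99-hardening-vsyscall.cfg
 state: present
 create: true
@@ -13,24 +14,23 @@
 group: root
 when:
 - ansible_os_family == "Debian"
-- not allow_virtual_system_calls
 notify:
 - Update GRUB
 
 - name: Configure virtual system calls using grubby
 ansible.builtin.command:
-cmd: grubby --update-kernel=ALL --args="vsyscall=none"
+cmd: grubby --update-kernel=ALL --args="vsyscall={{ 'none' if not allow_virtual_system_calls else 'emulate' }}"
 register: grubby_update_kernel
 changed_when: grubby_update_kernel.rc != 0
 failed_when: grubby_update_kernel.rc != 0
 when:
 - ansible_os_family == "RedHat"
 - ansible_virtualization_type not in ["container", "docker", "podman"]
-- not allow_virtual_system_calls
 
 - name: Configure page poisoning
 ansible.builtin.lineinfile:
-line: GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"
+line: GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison={{ '1' if enable_page_poisoning else '0' }}"
+regexp: "^GRUB_CMDLINE_LINUX="
 dest: /etc/default/grub.d/99-hardening-page-poison.cfg
 state: present
 create: true
@@ -39,24 +39,23 @@
 group: root
 when:
 - ansible_os_family == "Debian"
-- enable_page_poisoning
 notify:
 - Update GRUB
 
 - name: Configure page poisoning using grubby
 ansible.builtin.command:
-cmd: grubby --update-kernel=ALL --args="page_poison=1"
+cmd: grubby --update-kernel=ALL --args="page_poison={{ '1' if enable_page_poisoning else '0' }}"
 register: grubby_update_kernel
 changed_when: grubby_update_kernel.rc != 0
 failed_when: grubby_update_kernel.rc != 0
 when:
 - ansible_os_family == "RedHat"
 - ansible_virtualization_type not in ["container", "docker", "podman"]
-- enable_page_poisoning
 
 - name: Configure page table isolation
 ansible.builtin.lineinfile:
 line: GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti={{ 'on' if page_table_isolation else 'auto' }}"
+regexp: "^GRUB_CMDLINE_LINUX="
 dest: /etc/default/grub.d/99-hardening-pti.cfg
 state: present
 create: true
@@ -81,6 +80,7 @@
 - name: Configure SLUB debugger poisoning
 ansible.builtin.lineinfile:
 line: GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=P"
+regexp: "^GRUB_CMDLINE_LINUX="
 dest: /etc/default/grub.d/99-hardening-slub-debug.cfg
 state: present
 create: true
@@ -126,6 +126,7 @@
 ansible.builtin.lineinfile:
 line: GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown={{ kernel_lockdown | trim }}"
 dest: /etc/default/grub.d/99-hardening-lockdown.cfg
+regexp: "^GRUB_CMDLINE_LINUX="
 state: present
 create: true
 mode: "0640"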
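Review bot: With `- not allow_virtual_system_calls` and `- enable_page_poisoning` dropped from the `when` lists in the hunks at @@ -13,24 and @@ -39,24, the two grubby `ansible.builtin.command` tasks now run on every RedHat play, and because `changed_when` and `failed_when` both test `grubby_update_kernel.rc != 0` a successful run is never reported as a change, so the bootloader edit has no idempotence signal at all. The lineinfile tasks gained that guard through the new `regexp`, but the grubby path did not; a preceding `grubby --info=ALL` lookup registered into a variable (with `changed_when: false`) and a `when` that only runs the update if the argument is absent or differs would make the command path converge the same way. Separately, a disabled toggle now writes an explicit `vsyscall=emulate` / `page_poison=0` instead of leaving the kernel default; since each drop-in appends to `$GRUB_CMDLINE_LINUX`, the kernel presumably honours the last occurrence, so the role now overrides any value an operator set in another fragment — if that is the intent, a comment above each task such as `# The role owns this parameter in both states; a disabled toggle writes the permissive value explicitly.` would document it.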

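--- a/tasks/sshconfig.yml
+++ b/tasks/sshconfig.yml
@@ -144,7 +144,7 @@
 path: /etc/ssh/ssh_host_rsa_key
 mode: "0600"
 owner: root
-group: "{{ 'ssh_keys' if ansible_os_family == 'RedHat' else 'root' }}"
+group: "{{ 'ssh_keys' if (ansible_os_family == 'RedHat' and ansible_distribution_major_version < '10') else 'root' }}"
 regenerate: partial_idempotence
 
 - name: Generate SSH ECDSA keypair
@@ -155,7 +155,7 @@
 path: /etc/ssh/ssh_host_ecdsa_key
 mode: "0600"
 owner: root
-group: "{{ 'ssh_keys' if ansible_os_family == 'RedHat' else 'root' }}"
+group: "{{ 'ssh_keys' if (ansible_os_family == 'RedHat' and ansible_distribution_major_version < '10') else 'root' }}"
 regenerate: partial_idempotence
 when:
 - ssh_installed_version is version('6.0', '>=')
@@ -167,7 +167,7 @@
 path: /etc/ssh/ssh_host_ed25519_key
 mode: "0600"
 owner: root
-group: "{{ 'ssh_keys' if ansible_os_family == 'RedHat' else 'root' }}"
+group: "{{ 'ssh_keys' if (ansible_os_family == 'RedHat' and ansible_distribution_major_version < '10') else 'root' }}"
 regenerate: partial_idempotence
 when:
 - ssh_installed_version is version('6.5', '>=')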
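Review bot: `ansible_distribution_major_version < '10'` in the added `group:` line compares two strings lexicographically (the fact is a string), so on RHEL 7, 8 and 9 the test is false (`'9' < '10'` evaluates to false) and those hosts get group `root` instead of `ssh_keys`, the opposite of what the guard intends; the same expression is repeated in the hunks at @@ -155,7 and @@ -167,7. The file already uses the `version` test in the ECDSA task's `when:` (`ssh_installed_version is version('6.0', '>=')`), so the consistent fix is `group: "{{ 'ssh_keys' if (ansible_os_family == 'RedHat' and ansible_distribution_major_version is version('10', '<')) else 'root' }}"` in all three places. With `mode: "0600"` the wrong group does not widen read access to the private keys, but the ownership silently diverges from the RedHat packaging convention the role is trying to follow, which is the kind of drift a later audit will flag.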
