|
4 | 4 | block: |
5 | 5 | - name: Configure virtual system calls |
6 | 6 | ansible.builtin.lineinfile: |
7 | | - line: GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" |
| 7 | + line: GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall={{ 'none' if not allow_virtual_system_calls else 'emulate' }}" |
| 8 | + regexp: "^GRUB_CMDLINE_LINUX=" |
8 | 9 | dest: /etc/default/grub.d/99-hardening-vsyscall.cfg |
9 | 10 | state: present |
10 | 11 | create: true |
|
13 | 14 | group: root |
14 | 15 | when: |
15 | 16 | - ansible_os_family == "Debian" |
16 | | - - not allow_virtual_system_calls |
17 | 17 | notify: |
18 | 18 | - Update GRUB |
19 | 19 |
|
20 | 20 | - name: Configure virtual system calls using grubby |
21 | 21 | ansible.builtin.command: |
22 | | - cmd: grubby --update-kernel=ALL --args="vsyscall=none" |
| 22 | + cmd: grubby --update-kernel=ALL --args="vsyscall={{ 'none' if not allow_virtual_system_calls else 'emulate' }}" |
23 | 23 | register: grubby_update_kernel |
24 | 24 | changed_when: grubby_update_kernel.rc != 0 |
25 | 25 | failed_when: grubby_update_kernel.rc != 0 |
26 | 26 | when: |
27 | 27 | - ansible_os_family == "RedHat" |
28 | 28 | - ansible_virtualization_type not in ["container", "docker", "podman"] |
29 | | - - not allow_virtual_system_calls |
30 | 29 |
|
31 | 30 | - name: Configure page poisoning |
32 | 31 | ansible.builtin.lineinfile: |
33 | | - line: GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1" |
| 32 | + line: GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison={{ '1' if enable_page_poisoning else '0' }}" |
| 33 | + regexp: "^GRUB_CMDLINE_LINUX=" |
34 | 34 | dest: /etc/default/grub.d/99-hardening-page-poison.cfg |
35 | 35 | state: present |
36 | 36 | create: true |
|
39 | 39 | group: root |
40 | 40 | when: |
41 | 41 | - ansible_os_family == "Debian" |
42 | | - - enable_page_poisoning |
43 | 42 | notify: |
44 | 43 | - Update GRUB |
45 | 44 |
|
46 | 45 | - name: Configure page poisoning using grubby |
47 | 46 | ansible.builtin.command: |
48 | | - cmd: grubby --update-kernel=ALL --args="page_poison=1" |
| 47 | + cmd: grubby --update-kernel=ALL --args="page_poison={{ '1' if enable_page_poisoning else '0' }}" |
49 | 48 | register: grubby_update_kernel |
50 | 49 | changed_when: grubby_update_kernel.rc != 0 |
51 | 50 | failed_when: grubby_update_kernel.rc != 0 |
52 | 51 | when: |
53 | 52 | - ansible_os_family == "RedHat" |
54 | 53 | - ansible_virtualization_type not in ["container", "docker", "podman"] |
55 | | - - enable_page_poisoning |
56 | 54 |
|
57 | 55 | - name: Configure page table isolation |
58 | 56 | ansible.builtin.lineinfile: |
59 | 57 | line: GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti={{ 'on' if page_table_isolation else 'auto' }}" |
| 58 | + regexp: "^GRUB_CMDLINE_LINUX=" |
60 | 59 | dest: /etc/default/grub.d/99-hardening-pti.cfg |
61 | 60 | state: present |
62 | 61 | create: true |
|
81 | 80 | - name: Configure SLUB debugger poisoning |
82 | 81 | ansible.builtin.lineinfile: |
83 | 82 | line: GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=P" |
| 83 | + regexp: "^GRUB_CMDLINE_LINUX=" |
84 | 84 | dest: /etc/default/grub.d/99-hardening-slub-debug.cfg |
85 | 85 | state: present |
86 | 86 | create: true |
|
126 | 126 | ansible.builtin.lineinfile: |
127 | 127 | line: GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown={{ kernel_lockdown | trim }}" |
128 | 128 | dest: /etc/default/grub.d/99-hardening-lockdown.cfg |
| 129 | + regexp: "^GRUB_CMDLINE_LINUX=" |
129 | 130 | state: present |
130 | 131 | create: true |
131 | 132 | mode: "0640" |
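Review bot: The value written when `allow_virtual_system_calls` is true — `vsyscall=emulate`, in the new grub.d `line:` of the first hunk and in the grubby `cmd:` of the second — is weaker than the kernel's own default on recent kernels (5.3+), where vsyscall defaults to `xonly` (the page stays executable but is not readable, so it is no longer a readable gadget source); before this change the task simply did not run when the toggle was off, so the default was kept, and forcing `emulate` now actively loosens such hosts. Prefer `{{ 'none' if not allow_virtual_system_calls else 'xonly' }}`, or, if very old kernels must be supported, route the permissive value through a variable such as `vsyscall_allowed_mode` that defaults to `xonly`. The `page_poison` hunks have the same shape: an explicit `page_poison=0` is now written where nothing was written before, which is a deliberate policy choice and deserves a one-line comment above the task (e.g. `# explicitly disables poisoning rather than leaving the kernel default`) so it is not mistaken for a cleanup. With the `when` guards removed the grubby tasks also run on every play and, given the surrounding `changed_when: grubby_update_kernel.rc != 0`, never report a change, so flipping either toggle leaves no trace in the play output; `changed_when: false` plus a preceding `grubby --info=ALL` check, or at least a comment, would make that visible.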
|