Use ansible_facts[] instead of fact variables

See https://github.com/ansible/ansible/issues/73654

Change-Id: I3dc2486a0666367d673b23403f2510c94c40eaf4
Jonathan Rosser 2021-03-03 15:00:50 +00:00
parent 087919c425
commit b9a9310d7c
22 changed files with 75 additions and 75 deletions


@ -92,7 +92,7 @@ security_rhel7_audit_failure_flag: 1 # V-72081
security_rhel7_auditd_disk_full_action: syslog # V-72087
security_rhel7_auditd_network_failure_action: syslog # V-72087
# Size of remaining disk space (in MB) that triggers alerts.
security_rhel7_auditd_space_left: "{{ (ansible_mounts | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # V-72089
security_rhel7_auditd_space_left: "{{ (ansible_facts['mounts'] | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # V-72089
# Action to take when the space_left threshold is reached.
security_rhel7_auditd_space_left_action: email # V-72091
# Send auditd email alerts to this user.
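Review bot: The rewritten `security_rhel7_auditd_space_left` default still fails hard when nothing in `ansible_facts['mounts']` has `mount == '/'`: `first` on an empty selection raises at the moment the variable is first rendered, which is a less useful error than a check up front. `mounts` comes from the hardware fact subset, so hosts run with a reduced `gather_subset` or `gather_facts: false` reach that error; the dependency is worth stating above the key, `# Requires hardware facts (mounts); if no '/' entry is present, rendering this default fails.`. The other `mounts` uses in this commit go through `| list | length`, which is safe on an empty match, so this is the only site affected. The arithmetic itself is unchanged by the commit.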


@ -16,11 +16,11 @@
- name: Gather variables for each operating system
include_vars: "{{ item }}"
with_first_found:
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_distribution | lower }}.yml"
- "{{ ansible_os_family | lower }}.yml"
- "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_version'] | lower }}.yml"
- "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}.yml"
- "{{ ansible_facts['os_family'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}.yml"
- "{{ ansible_facts['distribution'] | lower }}.yml"
- "{{ ansible_facts['os_family'] | lower }}.yml"
tags:
- always
@ -33,14 +33,14 @@
- name: Check to see if we are booting with EFI or UEFI
set_fact:
booted_with_efi: "{{ ansible_mounts | selectattr('mount', 'equalto', '/boot/efi') | list | length > 0 }}"
booted_with_efi: "{{ ansible_facts['mounts'] | selectattr('mount', 'equalto', '/boot/efi') | list | length > 0 }}"
tags:
- always
- name: Set facts
set_fact:
check_mode: "{{ noop_result is skipped }}"
linux_security_module: "{{ (ansible_os_family == 'Debian') | ternary('apparmor','selinux') }}"
linux_security_module: "{{ (ansible_facts['os_family'] == 'Debian') | ternary('apparmor','selinux') }}"
grub_config_file_boot: "{{ booted_with_efi | ternary(grub_conf_file_efi, grub_conf_file) }}"
tags:
- always
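Review bot: The `linux_security_module` fact in the "Set facts" task compares `ansible_facts['os_family'] == 'Debian'` case-sensitively, while most of the other hunks in this commit normalise with `| lower == 'debian'` / `'redhat'`; the same case-sensitive form recurs in the auth, lsm and test-preparation sections. Both forms give the same result for the values the setup module reports, but picking one makes the guard greppable across the role. The smaller change here is `linux_security_module: "{{ (ansible_facts['os_family'] | lower == 'debian') | ternary('apparmor','selinux') }}"`.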


@ -73,7 +73,7 @@
backup: yes
when:
- security_libuser_crypt_style_sha512 | bool
- ansible_os_family | lower == 'redhat'
- ansible_facts['os_family'] | lower == 'redhat'
tags:
- accounts
- medium
@ -145,7 +145,7 @@
state: present
when:
- item.value is truthy(convert_bool=True)
- item.ansible_os_family == 'all' or item.ansible_os_family == ansible_os_family
- item.ansible_os_family == 'all' or item.ansible_os_family == ansible_facts['os_family']
with_items: "{{ shadow_utils_rhel7 }}"
tags:
- accounts


@ -58,7 +58,7 @@
/sbin NORMAL
when:
- aide_conf.results[0].stat.exists | bool
- ansible_os_family | lower == 'debian'
- ansible_facts['os_family'] | lower == 'debian'
tags:
- low
- aide
@ -76,7 +76,7 @@
backrefs: yes
when:
- aide_conf.results[1].stat.exists | bool
- ansible_pkg_mgr == 'zypper'
- ansible_facts['pkg_mgr'] == 'zypper'
tags:
- low
- aide
@ -116,7 +116,7 @@
changed_when: false
when:
- aide_init is not skipped
- ansible_pkg_mgr in ['yum', 'zypper']
- ansible_facts['pkg_mgr'] in ['yum', 'zypper']
tags:
- medium
- aide
@ -133,7 +133,7 @@
special_time: daily
job: "/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root"
when:
- ansible_pkg_mgr in ['yum', 'zypper']
- ansible_facts['pkg_mgr'] in ['yum', 'zypper']
tags:
- medium
- aide


@ -34,7 +34,7 @@
when:
- security_check_package_checksums | bool
- not check_mode | bool
- ansible_os_family | lower == 'debian'
- ansible_facts['os_family'] | lower == 'debian'
tags:
- high
- V-71855
@ -59,7 +59,7 @@
{{ invalid_checksum_files_violations }}
when:
- security_check_package_checksums | bool
- ansible_os_family | lower == 'debian'
- ansible_facts['os_family'] | lower == 'debian'
- invalid_checksum_files is defined
- invalid_checksum_files.stdout is defined
tags:
@ -105,7 +105,7 @@
create: yes
when:
- security_package_clean_on_remove | bool
- ansible_os_family | lower == 'debian'
- ansible_facts['os_family'] | lower == 'debian'
tags:
- low
- packages
@ -116,7 +116,7 @@
src: 20auto-upgrades
dest: /etc/apt/apt.conf.d/20auto-upgrades
when:
- ansible_os_family | lower == 'debian'
- ansible_facts['os_family'] | lower == 'debian'
- security_rhel7_automatic_package_updates | bool
tags:
- packages


@ -26,7 +26,7 @@
poll: 0
when:
- not check_mode | bool
- ansible_os_family | lower in ['redhat', 'suse']
- ansible_facts['os_family'] | lower in ['redhat', 'suse']
tags:
- rpm
- high


@ -61,7 +61,7 @@
- name: Get valid system architectures for audit rules
set_fact:
auditd_architectures: "{{ (ansible_architecture == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}"
auditd_architectures: "{{ (ansible_facts['architecture'] == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}"
check_mode: no
tags:
- always


@ -24,7 +24,7 @@
backrefs: yes
when:
- security_shadow_utils_fail_delay is defined
- ansible_os_family | lower == 'debian'
- ansible_facts['os_family'] | lower == 'debian'
tags:
- auth
- medium
@ -39,7 +39,7 @@
backup: yes
backrefs: yes
when:
- ansible_os_family == 'Debian'
- ansible_facts['os_family'] == 'Debian'
- security_disallow_blank_password_login | bool
tags:
- auth
@ -58,7 +58,7 @@
- auth
- password
when:
- ansible_os_family == 'RedHat'
- ansible_facts['os_family'] == 'RedHat'
- security_disallow_blank_password_login | bool
tags:
- auth
@ -77,7 +77,7 @@
- "{{ pam_auth_file }}"
- "{{ pam_password_file }}"
when:
- ansible_pkg_mgr == 'zypper'
- ansible_facts['pkg_mgr'] == 'zypper'
- security_disallow_blank_password_login | bool
tags:
- auth
@ -92,7 +92,7 @@
insertbefore: EOF
block: "{{ lookup('template', 'pam_faillock.j2') }}"
when:
- ansible_pkg_mgr in ['yum', 'zypper']
- ansible_facts['pkg_mgr'] in ['yum', 'zypper']
- security_pam_faillock_enable | bool
tags:
- auth


@ -21,8 +21,8 @@
check_mode: no
register: dnf_automatic_config_check
when:
- ansible_os_family | lower == 'redhat'
- ansible_pkg_mgr == 'dnf'
- ansible_facts['os_family'] | lower == 'redhat'
- ansible_facts['pkg_mgr'] == 'dnf'
tags:
- always
@ -33,8 +33,8 @@
line: "apply_updates = yes"
state: present
when:
- ansible_os_family | lower == 'redhat'
- ansible_pkg_mgr == 'dnf'
- ansible_facts['os_family'] | lower == 'redhat'
- ansible_facts['pkg_mgr'] == 'dnf'
- dnf_automatic_config_check.stat.exists | bool
- security_rhel7_automatic_package_updates | bool
tags:
@ -53,8 +53,8 @@
check_mode: no
changed_when: False
when:
- ansible_os_family | lower == 'redhat'
- ansible_pkg_mgr == 'dnf'
- ansible_facts['os_family'] | lower == 'redhat'
- ansible_facts['pkg_mgr'] == 'dnf'
- dnf_automatic_config_check.stat.exists | bool
- security_rhel7_automatic_package_updates | bool
tags:
@ -67,8 +67,8 @@
set_fact:
dnf_automatic_timer: "{{ ('dnf-automatic-install.timer' in dnf_automatic_timers.stdout) | ternary('dnf-automatic-install.timer', 'dnf-automatic.timer') }}"
when:
- ansible_os_family | lower == 'redhat'
- ansible_pkg_mgr == 'dnf'
- ansible_facts['os_family'] | lower == 'redhat'
- ansible_facts['pkg_mgr'] == 'dnf'
- dnf_automatic_config_check.stat.exists | bool
- security_rhel7_automatic_package_updates | bool
tags:
@ -83,8 +83,8 @@
enabled: yes
state: started
when:
- ansible_os_family | lower == 'redhat'
- ansible_pkg_mgr == 'dnf'
- ansible_facts['os_family'] | lower == 'redhat'
- ansible_facts['pkg_mgr'] == 'dnf'
- dnf_automatic_config_check.stat.exists | bool
- security_rhel7_automatic_package_updates | bool
tags:
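Review bot: Every task in this file repeats the same two guards, `ansible_facts['os_family'] | lower == 'redhat'` and `ansible_facts['pkg_mgr'] == 'dnf'`, and the last four repeat two more on top; wrapping the tasks in a `block:` with a single `when:` would state the precondition once (a task's own `when` inside a block is ANDed with the block's). If this is the file that the `include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml"` line elsewhere in the commit resolves to, the `pkg_mgr == 'dnf'` guard is already implied by the include and can go. This is a point of style; the rewritten conditions are correct. The task bodies start outside the hunks.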


@ -21,7 +21,7 @@
changed_when: False
when:
- not check_mode | bool
- ansible_pkg_mgr in ['yum', 'zypper']
- ansible_facts['pkg_mgr'] in ['yum', 'zypper']
- security_reset_perm_ownership | bool
tags:
- file_perms
@ -38,7 +38,7 @@
- "{{ rpmverify_package_list.stdout_lines | default([]) }}"
when:
- not check_mode | bool
- ansible_pkg_mgr in ['yum', 'zypper']
- ansible_facts['pkg_mgr'] in ['yum', 'zypper']
- rpmverify_package_list is defined
- rpmverify_package_list.stdout_lines | length > 0
async: 300


@ -79,7 +79,7 @@
failed_when: False
check_mode: no
when:
- ansible_pkg_mgr in ['yum', 'zypper']
- ansible_facts['pkg_mgr'] in ['yum', 'zypper']
tags:
- always
@ -89,7 +89,7 @@
FIPS is not enabled at boot time on this server.
The STIG requires FIPS to be enabled at boot time.
when:
- ansible_pkg_mgr in ['yum', 'zypper']
- ansible_facts['pkg_mgr'] in ['yum', 'zypper']
- fips_check is defined
- fips_check.stdout != '1'
tags:


@ -20,7 +20,7 @@
changed_when: false
failed_when: false
when:
- ansible_pkg_mgr in ['apt', 'zypper']
- ansible_facts['pkg_mgr'] in ['apt', 'zypper']
- security_rhel7_enable_linux_security_module | bool
tags:
- high
@ -38,7 +38,7 @@
changed_when: false
failed_when: false
when:
- ansible_pkg_mgr in ['apt', 'zypper']
- ansible_facts['pkg_mgr'] in ['apt', 'zypper']
- security_rhel7_enable_linux_security_module | bool
tags:
- high
@ -49,7 +49,7 @@
name: apparmor
enabled: yes
when:
- ansible_pkg_mgr in ['apt', 'zypper']
- ansible_facts['pkg_mgr'] in ['apt', 'zypper']
- security_rhel7_enable_linux_security_module | bool
- not check_mode
tags:
@ -66,7 +66,7 @@
changed_when:
- '"active (exited)" not in systemctl_apparmor_status.stdout'
when:
- ansible_pkg_mgr in ['apt', 'zypper']
- ansible_facts['pkg_mgr'] in ['apt', 'zypper']
- security_rhel7_enable_linux_security_module | bool
- not check_mode
- '"apparmor filesystem is not mounted" not in apparmor_status_output.stderr'
@ -83,9 +83,9 @@
state: enforcing
policy: targeted
register: selinux_status_change
changed_when: selinux_status_change is changed and ansible_selinux.status != 'disabled'
changed_when: selinux_status_change is changed and ansible_facts['selinux']['status'] != 'disabled'
when:
- ansible_os_family == "RedHat"
- ansible_facts['os_family'] == "RedHat"
- security_rhel7_enable_linux_security_module | bool
tags:
- high
@ -97,7 +97,7 @@
path: /.autorelabel
state: touch
when:
- ansible_os_family == "RedHat"
- ansible_facts['os_family'] == "RedHat"
- security_rhel7_enable_linux_security_module | bool
- selinux_status_change is changed
tags:
@ -113,8 +113,8 @@
changed_when: False
check_mode: no
when:
- ansible_os_family == 'RedHat'
- ansible_selinux.status == 'enabled'
- ansible_facts['os_family'] == 'RedHat'
- ansible_facts['selinux']['status'] == 'enabled'
tags:
- lsm
- medium
@ -128,7 +128,7 @@
{{ device }}
{% endfor %}
when:
- ansible_os_family == 'RedHat'
- ansible_facts['os_family'] == 'RedHat'
- unlabeled_devices.stdout is defined
- unlabeled_devices.stdout | length > 0
tags:


@ -59,7 +59,7 @@
name: "{{ security_epel_release_package }}"
state: "{{ security_package_state }}"
when:
- ansible_pkg_mgr == 'yum'
- ansible_facts['pkg_mgr'] == 'yum'
- security_epel_install_repository | bool
- security_enable_virus_scanner | bool
tags:
@ -73,7 +73,7 @@
# Package managers are managed first since the changes in these tasks will
# affect the remainder of the tasks in the role.
- include_tasks: "{{ ansible_pkg_mgr }}.yml"
- include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml"
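Review bot: `include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml"` still turns an unexpected package-manager fact into a missing-file failure rather than a clear message, because nothing validates the value before it is used as a path component. An `assert` ahead of the include, `- assert: { that: ansible_facts['pkg_mgr'] in ['apt', 'dnf', 'yum', 'zypper'], fail_msg: "unsupported pkg_mgr {{ ansible_facts['pkg_mgr'] }}" }`, fails fast with the actual value; the list should match the task files the role ships, which this page only shows indirectly through the per-manager guards in the other hunks. The surrounding task list continues outside the hunk.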
# The bulk of the security changes are applied in these tasks. The tasks in
# each file are tagged with the same name (for example, tasks in `auth.yml`


@ -67,7 +67,7 @@
The STIG requires that /home is on its own filesystem, but this system
does not appear to be following the requirement.
when:
- ansible_mounts | selectattr('mount', 'equalto', '/home') | list | length == 0
- ansible_facts['mounts'] | selectattr('mount', 'equalto', '/home') | list | length == 0
tags:
- low
- misc
@ -79,7 +79,7 @@
The STIG requires that /var is on its own filesystem, but this system
does not appear to be following the requirement.
when:
- ansible_mounts | selectattr('mount', 'equalto', '/var') | list | length == 0
- ansible_facts['mounts'] | selectattr('mount', 'equalto', '/var') | list | length == 0
tags:
- low
- misc
@ -91,7 +91,7 @@
The STIG requires that /var/log/audit is on its own filesystem, but this system
does not appear to be following the requirement.
when:
- ansible_mounts | selectattr('mount', 'equalto', '/var/log/audit') | list | length == 0
- ansible_facts['mounts'] | selectattr('mount', 'equalto', '/var/log/audit') | list | length == 0
tags:
- low
- misc
@ -103,7 +103,7 @@
The STIG requires that /tmp is on its own filesystem, but this system
does not appear to be following the requirement.
when:
- ansible_mounts | selectattr('mount', 'equalto', '/tmp') | list | length == 0
- ansible_facts['mounts'] | selectattr('mount', 'equalto', '/tmp') | list | length == 0
tags:
- low
- misc
@ -148,7 +148,7 @@
when:
- clamav_install_check.stat.exists
- security_enable_virus_scanner | bool
- ansible_os_family | lower == 'redhat'
- ansible_facts['os_family'] | lower == 'redhat'
notify:
- restart clamav
tags:
@ -164,7 +164,7 @@
when:
- clamav_install_check.stat.exists
- security_enable_virus_scanner | bool
- ansible_os_family | lower == 'redhat'
- ansible_facts['os_family'] | lower == 'redhat'
notify:
- restart clamav
tags:
@ -179,7 +179,7 @@
when:
- clamav_install_check.stat.exists
- security_enable_virus_scanner | bool
- ansible_os_family | lower == 'redhat'
- ansible_facts['os_family'] | lower == 'redhat'
notify:
- restart clamav
tags:


@ -35,7 +35,7 @@
when:
- security_check_package_checksums | bool
- not check_mode | bool
- ansible_os_family | lower == 'redhat'
- ansible_facts['os_family'] | lower == 'redhat'
tags:
- rpm
- high
@ -54,7 +54,7 @@
when:
- security_check_package_checksums | bool
- not check_mode | bool
- ansible_os_family | lower == 'redhat'
- ansible_facts['os_family'] | lower == 'redhat'
- invalid_checksum_files is defined
- invalid_checksum_files.stdout is defined
tags:
@ -84,7 +84,7 @@
state: present
when:
- security_package_clean_on_remove | bool
- ansible_os_family | lower == 'redhat'
- ansible_facts['os_family'] | lower == 'redhat'
tags:
- low
- packages


@ -21,7 +21,7 @@
check_mode: no
register: yum_cron_config_check
when:
- ansible_os_family | lower == 'redhat'
- ansible_facts['os_family'] | lower == 'redhat'
tags:
- always
@ -32,7 +32,7 @@
line: "apply_updates = yes"
state: present
when:
- ansible_os_family | lower == 'redhat'
- ansible_facts['os_family'] | lower == 'redhat'
- yum_cron_config_check.stat.exists | bool
- security_rhel7_automatic_package_updates | bool
tags:


@ -31,7 +31,7 @@
{# Verify that the variable controlling the rule is enabled and any distro- #}
{# specific requirements are met. #}
{# #}
{% if vars['security_rhel7_audit_' + command_sanitized ] | bool and (audited_command['distro'] | default(ansible_os_family | lower) == ansible_os_family | lower) %}
{% if vars['security_rhel7_audit_' + command_sanitized ] | bool and (audited_command['distro'] | default(ansible_facts['os_family'] | lower) == ansible_facts['os_family'] | lower) %}
# {{ audited_command['stig_id'] }} - All uses of the {{ audited_command['command'] }} command must be audited.
{# #}
{# Some audit rules are specific to syscalls. Different rules are needed for #}


@ -22,7 +22,7 @@
cache_valid_time: "{{ cache_timeout }}"
changed_when: False
when:
- ansible_pkg_mgr == 'apt'
- ansible_facts['pkg_mgr'] == 'apt'
register: refresh_cache
until: refresh_cache is success
retries: 5
@ -31,7 +31,7 @@
file:
path: /etc/cron.daily/logrotate
state: touch
when: ansible_os_family == 'RedHat'
when: ansible_facts['os_family'] == 'RedHat'
changed_when: False
- name: Install dconf package to test graphical session locks
package:
@ -39,7 +39,7 @@
state: installed
changed_when: False
when:
- ansible_os_family == 'RedHat'
- ansible_facts['os_family'] == 'RedHat'
register: install_packages
until: install_packages is success
retries: 5


@ -55,7 +55,7 @@ auditd_config:
# otherwise 'no' (required)
# path: the path to the command (optional, default is '/usr/bin')
# distro: restrict deployment to a single Linux distribution (optional,
# should be equal to 'ansible_os_family | lower', such as 'redhat'
# should be equal to 'ansible_facts['os_family'] | lower', such as 'redhat'
# or 'ubuntu')
#
audited_commands:


@ -25,14 +25,14 @@ pam_password_file: /etc/pam.d/password-auth
pam_postlogin_file: /etc/pam.d/postlogin
vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
grub_conf_file: /boot/grub2/grub.cfg
grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' ', '') }}/grub.cfg"
grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_facts['distribution'] | lower | replace(' ', '') }}/grub.cfg"
aide_cron_job_path: /etc/cron.d/aide
aide_database_file: /var/lib/aide/aide.db.gz
aide_database_out_file: /var/lib/aide/aide.db.new.gz
chrony_conf_file: /etc/chrony.conf
chrony_key_file: /etc/chrony.keys
daemon_init_params_file: /etc/init.d/functions
pkg_mgr_config: "{{ (ansible_pkg_mgr == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}"
pkg_mgr_config: "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}"
# Service names
cron_service: crond
@ -91,7 +91,7 @@ stig_packages_rhel7:
state: "{{ security_package_state }}"
enabled: "{{ security_enable_firewalld }}"
- packages:
- "{{ (ansible_pkg_mgr == 'yum') | ternary('yum-cron', 'dnf-automatic') }}"
- "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('yum-cron', 'dnf-automatic') }}"
state: "{{ security_package_state }}"
enabled: "{{ security_rhel7_automatic_package_updates }}"
- packages:


@ -25,14 +25,14 @@ pam_password_file: /etc/pam.d/password-auth
pam_postlogin_file: /etc/pam.d/postlogin
vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
grub_conf_file: /boot/grub2/grub.cfg
grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' ', '') }}/grub.cfg"
grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_facts['distribution'] | lower | replace(' ', '') }}/grub.cfg"
aide_cron_job_path: /etc/cron.d/aide
aide_database_file: /var/lib/aide/aide.db.gz
aide_database_out_file: /var/lib/aide/aide.db.new.gz
chrony_conf_file: /etc/chrony.conf
chrony_key_file: /etc/chrony.keys
daemon_init_params_file: /etc/init.d/functions
pkg_mgr_config: "{{ (ansible_pkg_mgr == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}"
pkg_mgr_config: "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}"
# Service names
cron_service: crond
@ -90,7 +90,7 @@ stig_packages_rhel7:
state: "{{ security_package_state }}"
enabled: "{{ security_enable_firewalld }}"
- packages:
- "{{ (ansible_pkg_mgr == 'yum') | ternary('yum-cron', 'dnf-automatic') }}"
- "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('yum-cron', 'dnf-automatic') }}"
state: "{{ security_package_state }}"
enabled: "{{ security_rhel7_automatic_package_updates }}"
- packages:


@ -27,7 +27,7 @@ grub_conf_file: /boot/grub2/grub.cfg
# NOTE(hwoarang) SUSE seems to be using the ID field from /etc/os-release to
# create the EFI distro directory. Since this information is not available on
# Ansible, we have to improvise a bit...
grub_conf_file_efi: "{% set os_id = ansible_distribution.split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse','sles') }}/grub.cfg"
grub_conf_file_efi: "{% set os_id = ansible_facts['distribution'].split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse','sles') }}/grub.cfg"
aide_cron_job_path: /etc/cron.daily/aide
aide_database_file: /var/lib/aide/aide.db
aide_database_out_file: /var/lib/aide/aide.db.new