From b9a9310d7c04d0681c86477a9713e3c4c150f89b Mon Sep 17 00:00:00 2001 From: Jonathan Rosser Date: Wed, 3 Mar 2021 15:00:50 +0000 Subject: [PATCH] Use ansible_facts[] instead of fact variables See https://github.com/ansible/ansible/issues/73654 Change-Id: I3dc2486a0666367d673b23403f2510c94c40eaf4
--- defaults/main.yml | 2 +- tasks/main.yml | 14 +++++++------- tasks/rhel7stig/accounts.yml | 4 ++-- tasks/rhel7stig/aide.yml | 8 ++++---- tasks/rhel7stig/apt.yml | 8 ++++---- tasks/rhel7stig/async_tasks.yml | 2 +- tasks/rhel7stig/auditd.yml | 2 +- tasks/rhel7stig/auth.yml | 10 +++++----- tasks/rhel7stig/dnf.yml | 20 ++++++++++---------- tasks/rhel7stig/file_perms.yml | 4 ++-- tasks/rhel7stig/kernel.yml | 4 ++-- tasks/rhel7stig/lsm.yml | 20 ++++++++++---------- tasks/rhel7stig/main.yml | 4 ++-- tasks/rhel7stig/misc.yml | 14 +++++++------- tasks/rhel7stig/rpm.yml | 6 +++--- tasks/rhel7stig/yum.yml | 4 ++-- templates/osas-auditd-rhel7.j2 | 2 +- tests/test.yml | 6 +++--- vars/main.yml | 2 +- vars/redhat-7.yml | 6 +++--- vars/redhat-8.yml | 6 +++--- vars/suse.yml | 2 +- 22 files changed, 75 insertions(+), 75 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 11dcde4f..b709b018 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -92,7 +92,7 @@ security_rhel7_audit_failure_flag: 1 # V-72081 security_rhel7_auditd_disk_full_action: syslog # V-72087 security_rhel7_auditd_network_failure_action: syslog # V-72087 # Size of remaining disk space (in MB) that triggers alerts. -security_rhel7_auditd_space_left: "{{ (ansible_mounts | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # V-72089 +security_rhel7_auditd_space_left: "{{ (ansible_facts['mounts'] | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # V-72089 # Action to take when the space_left threshold is reached. security_rhel7_auditd_space_left_action: email # V-72091 # Send auditd email alerts to this user.
diff --git a/tasks/main.yml b/tasks/main.yml
index e7091225..eb619cc1 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -16,11 +16,11 @@ - name: Gather variables for each operating system include_vars: "{{ item }}" with_first_found: - - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml" - - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml" - - "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml" - - "{{ ansible_distribution | lower }}.yml" - - "{{ ansible_os_family | lower }}.yml" + - "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_version'] | lower }}.yml" + - "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}.yml" + - "{{ ansible_facts['os_family'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}.yml" + - "{{ ansible_facts['distribution'] | lower }}.yml" + - "{{ ansible_facts['os_family'] | lower }}.yml" tags: - always
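Review bot: The default now reads `ansible_facts['mounts']`, which is only populated when the `hardware` fact subset has been gathered, so a play using a restricted `gather_subset` (or `gather_facts: false`) will hit an undefined-variable error the first time this default is evaluated rather than a message naming the requirement. The same dependency sits in the `booted_with_efi` fact in tasks/main.yml (@@ -33) and the four filesystem checks in tasks/rhel7stig/misc.yml. An early guard in tasks/main.yml such as `- assert: { that: "ansible_facts['mounts'] is defined", fail_msg: "hardware facts are required by this role" }` would make that explicit, and a one-line comment above this default, `# Requires the 'hardware' fact subset (ansible_facts['mounts']).`, would document it where it is first used. Note also that `| first` raises if no mount entry for `/` is present, so the assertion is the place to catch that too.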
@@ -33,14 +33,14 @@ - name: Check to see if we are booting with EFI or UEFI set_fact: - booted_with_efi: "{{ ansible_mounts | selectattr('mount', 'equalto', '/boot/efi') | list | length > 0 }}" + booted_with_efi: "{{ ansible_facts['mounts'] | selectattr('mount', 'equalto', '/boot/efi') | list | length > 0 }}" tags: - always - name: Set facts set_fact: check_mode: "{{ noop_result is skipped }}" - linux_security_module: "{{ (ansible_os_family == 'Debian') | ternary('apparmor','selinux') }}" + linux_security_module: "{{ (ansible_facts['os_family'] == 'Debian') | ternary('apparmor','selinux') }}" grub_config_file_boot: "{{ booted_with_efi | ternary(grub_conf_file_efi, grub_conf_file) }}" tags: - always
diff --git a/tasks/rhel7stig/accounts.yml b/tasks/rhel7stig/accounts.yml
index 978698d0..fe005814 100644
--- a/tasks/rhel7stig/accounts.yml
+++ b/tasks/rhel7stig/accounts.yml
@@ -73,7 +73,7 @@ backup: yes when: - security_libuser_crypt_style_sha512 | bool - - ansible_os_family | lower == 'redhat' + - ansible_facts['os_family'] | lower == 'redhat' tags: - accounts - medium
@@ -145,7 +145,7 @@ state: present when: - item.value is truthy(convert_bool=True) - item.ansible_os_family == 'all' or item.ansible_os_family == ansible_os_family + - item.ansible_os_family == 'all' or item.ansible_os_family == ansible_facts['os_family'] with_items: "{{ shadow_utils_rhel7 }}" tags: - accounts
diff --git a/tasks/rhel7stig/aide.yml b/tasks/rhel7stig/aide.yml
index 98435287..bdcca33a 100644
--- a/tasks/rhel7stig/aide.yml
+++ b/tasks/rhel7stig/aide.yml
@@ -58,7 +58,7 @@ /sbin NORMAL when: - aide_conf.results[0].stat.exists | bool - - ansible_os_family | lower == 'debian' + - ansible_facts['os_family'] | lower == 'debian' tags: - low - aide
@@ -76,7 +76,7 @@ backrefs: yes when: - aide_conf.results[1].stat.exists | bool - - ansible_pkg_mgr == 'zypper' + - ansible_facts['pkg_mgr'] == 'zypper' tags: - low - aide
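Review bot: `linux_security_module` is derived only from `ansible_facts['os_family'] == 'Debian'`, so a SUSE host is labelled `selinux`, whereas the AppArmor tasks in tasks/rhel7stig/lsm.yml are gated on `ansible_facts['pkg_mgr'] in ['apt', 'zypper']` and therefore do run on SUSE. Whether that divergence matters depends on where `linux_security_module` is consumed, which is outside this diff, but the two selectors ought to agree; `linux_security_module: "{{ (ansible_facts['pkg_mgr'] in ['apt', 'zypper']) | ternary('apparmor','selinux') }}"` would align them. A comment above the line naming which LSM each platform family is expected to use would also help the next reader.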
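Review bot: The comparison `item.ansible_os_family == ansible_facts['os_family']` is case-sensitive, while the hunk just above it (and apt.yml, dnf.yml, rpm.yml, misc.yml, yum.yml) normalises with `| lower == 'redhat'`, and auth.yml, lsm.yml and tests/test.yml compare against the capitalised `'Debian'`/`'RedHat'` instead. All three forms work against the values Ansible reports, but the mix means an entry in `shadow_utils_rhel7` written as `redhat` would silently never match. Since this commit already rewrites every one of these conditions, it is a cheap moment to settle on one convention, e.g. `- item.ansible_os_family == 'all' or item.ansible_os_family | lower == ansible_facts['os_family'] | lower` here.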
@@ -116,7 +116,7 @@ changed_when: false when: - aide_init is not skipped - - ansible_pkg_mgr in ['yum', 'zypper'] + - ansible_facts['pkg_mgr'] in ['yum', 'zypper'] tags: - medium - aide
@@ -133,7 +133,7 @@ special_time: daily job: "/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root" when: - - ansible_pkg_mgr in ['yum', 'zypper'] + - ansible_facts['pkg_mgr'] in ['yum', 'zypper'] tags: - medium - aide
diff --git a/tasks/rhel7stig/apt.yml b/tasks/rhel7stig/apt.yml
index e749102c..fa328f8f 100644
--- a/tasks/rhel7stig/apt.yml
+++ b/tasks/rhel7stig/apt.yml
@@ -34,7 +34,7 @@ when: - security_check_package_checksums | bool - not check_mode | bool - - ansible_os_family | lower == 'debian' + - ansible_facts['os_family'] | lower == 'debian' tags: - high - V-71855
@@ -59,7 +59,7 @@ {{ invalid_checksum_files_violations }} when: - security_check_package_checksums | bool - - ansible_os_family | lower == 'debian' + - ansible_facts['os_family'] | lower == 'debian' - invalid_checksum_files is defined - invalid_checksum_files.stdout is defined tags:
@@ -105,7 +105,7 @@ create: yes when: - security_package_clean_on_remove | bool - - ansible_os_family | lower == 'debian' + - ansible_facts['os_family'] | lower == 'debian' tags: - low - packages
@@ -116,7 +116,7 @@ src: 20auto-upgrades dest: /etc/apt/apt.conf.d/20auto-upgrades when: - - ansible_os_family | lower == 'debian' + - ansible_facts['os_family'] | lower == 'debian' - security_rhel7_automatic_package_updates | bool tags: - packages
diff --git a/tasks/rhel7stig/async_tasks.yml b/tasks/rhel7stig/async_tasks.yml
index eaac3c3f..325f54ac 100644
--- a/tasks/rhel7stig/async_tasks.yml
+++ b/tasks/rhel7stig/async_tasks.yml
@@ -26,7 +26,7 @@ poll: 0 when: - not check_mode | bool - - ansible_os_family | lower in ['redhat', 'suse'] + - ansible_facts['os_family'] | lower in ['redhat', 'suse'] tags: - rpm - high
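Review bot: The condition `ansible_facts['pkg_mgr'] in ['yum', 'zypper']` skips this task on hosts where Ansible reports the package manager as `dnf`, which vars/redhat-8.yml and tasks/rhel7stig/dnf.yml in this same patch clearly anticipate for RHEL 8 family hosts. If that is unintended, the task here (it follows `aide_init`) and the daily AIDE cron job (@@ -133) are silently not applied on those hosts, and the same list gates auth.yml @@ -92 (pam_faillock), both hunks of file_perms.yml and both hunks of kernel.yml (the FIPS boot check). If the intent is "RPM-based hosts", `- ansible_facts['pkg_mgr'] in ['yum', 'dnf', 'zypper']` — or testing `ansible_facts['os_family']` as the other files do — expresses it; if excluding dnf is deliberate, a comment above the condition saying why would stop the next reader from "fixing" it. The tasks themselves begin outside these hunks.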
diff --git a/tasks/rhel7stig/auditd.yml b/tasks/rhel7stig/auditd.yml
index 89b3015b..096b115c 100644
--- a/tasks/rhel7stig/auditd.yml
+++ b/tasks/rhel7stig/auditd.yml
@@ -61,7 +61,7 @@ - name: Get valid system architectures for audit rules set_fact: - auditd_architectures: "{{ (ansible_architecture == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}" + auditd_architectures: "{{ (ansible_facts['architecture'] == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}" check_mode: no tags: - always
diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index 4454b37c..4f6f8855 100644
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@@ -24,7 +24,7 @@ backrefs: yes when: - security_shadow_utils_fail_delay is defined - - ansible_os_family | lower == 'debian' + - ansible_facts['os_family'] | lower == 'debian' tags: - auth - medium
@@ -39,7 +39,7 @@ backup: yes backrefs: yes when: - - ansible_os_family == 'Debian' + - ansible_facts['os_family'] == 'Debian' - security_disallow_blank_password_login | bool tags: - auth
@@ -58,7 +58,7 @@ - auth - password when: - - ansible_os_family == 'RedHat' + - ansible_facts['os_family'] == 'RedHat' - security_disallow_blank_password_login | bool tags: - auth
@@ -77,7 +77,7 @@ - "{{ pam_auth_file }}" - "{{ pam_password_file }}" when: - - ansible_pkg_mgr == 'zypper' + - ansible_facts['pkg_mgr'] == 'zypper' - security_disallow_blank_password_login | bool tags: - auth
@@ -92,7 +92,7 @@ insertbefore: EOF block: "{{ lookup('template', 'pam_faillock.j2') }}" when: - - ansible_pkg_mgr in ['yum', 'zypper'] + - ansible_facts['pkg_mgr'] in ['yum', 'zypper'] - security_pam_faillock_enable | bool tags: - auth
diff --git a/tasks/rhel7stig/dnf.yml b/tasks/rhel7stig/dnf.yml
index 43a7bb8b..9485b0d4 100644
--- a/tasks/rhel7stig/dnf.yml
+++ b/tasks/rhel7stig/dnf.yml
@@ -21,8 +21,8 @@ check_mode: no register: dnf_automatic_config_check when: - - ansible_os_family | lower == 'redhat' - - ansible_pkg_mgr == 'dnf' + - ansible_facts['os_family'] | lower == 'redhat' + - ansible_facts['pkg_mgr'] == 'dnf' tags: - always
@@ -33,8 +33,8 @@ line: "apply_updates = yes" state: present when: - - ansible_os_family | lower == 'redhat' - - ansible_pkg_mgr == 'dnf' + - ansible_facts['os_family'] | lower == 'redhat' + - ansible_facts['pkg_mgr'] == 'dnf' - dnf_automatic_config_check.stat.exists | bool - security_rhel7_automatic_package_updates | bool tags:
@@ -53,8 +53,8 @@ check_mode: no changed_when: False when: - - ansible_os_family | lower == 'redhat' - - ansible_pkg_mgr == 'dnf' + - ansible_facts['os_family'] | lower == 'redhat' + - ansible_facts['pkg_mgr'] == 'dnf' - dnf_automatic_config_check.stat.exists | bool - security_rhel7_automatic_package_updates | bool tags:
@@ -67,8 +67,8 @@ set_fact: dnf_automatic_timer: "{{ ('dnf-automatic-install.timer' in dnf_automatic_timers.stdout) | ternary('dnf-automatic-install.timer', 'dnf-automatic.timer') }}" when: - - ansible_os_family | lower == 'redhat' - - ansible_pkg_mgr == 'dnf' + - ansible_facts['os_family'] | lower == 'redhat' + - ansible_facts['pkg_mgr'] == 'dnf' - dnf_automatic_config_check.stat.exists | bool - security_rhel7_automatic_package_updates | bool tags:
@@ -83,8 +83,8 @@ enabled: yes state: started when: - - ansible_os_family | lower == 'redhat' - - ansible_pkg_mgr == 'dnf' + - ansible_facts['os_family'] | lower == 'redhat' + - ansible_facts['pkg_mgr'] == 'dnf' - dnf_automatic_config_check.stat.exists | bool - security_rhel7_automatic_package_updates | bool tags:
diff --git a/tasks/rhel7stig/file_perms.yml b/tasks/rhel7stig/file_perms.yml
index 65cafe47..ac540b0f 100644
--- a/tasks/rhel7stig/file_perms.yml
+++ b/tasks/rhel7stig/file_perms.yml
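Review bot: The pair `ansible_facts['os_family'] | lower == 'redhat'` / `ansible_facts['pkg_mgr'] == 'dnf'` is repeated verbatim in all five hunks of this file, and the last four add the same `dnf_automatic_config_check.stat.exists | bool` and `security_rhel7_automatic_package_updates | bool` lines on top. If this file is only reached through `include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml"` in tasks/rhel7stig/main.yml, the `pkg_mgr == 'dnf'` test is already implied, and the remaining conditions could be hoisted onto one `block:` wrapping the four tasks that follow the `register: dnf_automatic_config_check` task, so the guard is written and reviewed once. That also makes the dependency of those four tasks on the registered stat result visible in a single place. The tasks themselves begin outside these hunks.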
@@ -21,7 +21,7 @@ changed_when: False when: - not check_mode | bool - - ansible_pkg_mgr in ['yum', 'zypper'] + - ansible_facts['pkg_mgr'] in ['yum', 'zypper'] - security_reset_perm_ownership | bool tags: - file_perms
@@ -38,7 +38,7 @@ - "{{ rpmverify_package_list.stdout_lines | default([]) }}" when: - not check_mode | bool - - ansible_pkg_mgr in ['yum', 'zypper'] + - ansible_facts['pkg_mgr'] in ['yum', 'zypper'] - rpmverify_package_list is defined - rpmverify_package_list.stdout_lines | length > 0 async: 300
diff --git a/tasks/rhel7stig/kernel.yml b/tasks/rhel7stig/kernel.yml
index 2210ea1d..2882ef39 100644
--- a/tasks/rhel7stig/kernel.yml
+++ b/tasks/rhel7stig/kernel.yml
@@ -79,7 +79,7 @@ failed_when: False check_mode: no when: - - ansible_pkg_mgr in ['yum', 'zypper'] + - ansible_facts['pkg_mgr'] in ['yum', 'zypper'] tags: - always
@@ -89,7 +89,7 @@ FIPS is not enabled at boot time on this server. The STIG requires FIPS to be enabled at boot time. when: - - ansible_pkg_mgr in ['yum', 'zypper'] + - ansible_facts['pkg_mgr'] in ['yum', 'zypper'] - fips_check is defined - fips_check.stdout != '1' tags:
diff --git a/tasks/rhel7stig/lsm.yml b/tasks/rhel7stig/lsm.yml
index 8cd6f38e..c424b5bf 100644
--- a/tasks/rhel7stig/lsm.yml
+++ b/tasks/rhel7stig/lsm.yml
@@ -20,7 +20,7 @@ changed_when: false failed_when: false when: - - ansible_pkg_mgr in ['apt', 'zypper'] + - ansible_facts['pkg_mgr'] in ['apt', 'zypper'] - security_rhel7_enable_linux_security_module | bool tags: - high
@@ -38,7 +38,7 @@ changed_when: false failed_when: false when: - - ansible_pkg_mgr in ['apt', 'zypper'] + - ansible_facts['pkg_mgr'] in ['apt', 'zypper'] - security_rhel7_enable_linux_security_module | bool tags: - high
@@ -49,7 +49,7 @@ name: apparmor enabled: yes when: - - ansible_pkg_mgr in ['apt', 'zypper'] + - ansible_facts['pkg_mgr'] in ['apt', 'zypper'] - security_rhel7_enable_linux_security_module | bool - not check_mode tags:
@@ -66,7 +66,7 @@ changed_when: - '"active (exited)" not in systemctl_apparmor_status.stdout' when: - - ansible_pkg_mgr in ['apt', 'zypper'] + - ansible_facts['pkg_mgr'] in ['apt', 'zypper'] - security_rhel7_enable_linux_security_module | bool - not check_mode - '"apparmor filesystem is not mounted" not in apparmor_status_output.stderr'
@@ -83,9 +83,9 @@ state: enforcing policy: targeted register: selinux_status_change - changed_when: selinux_status_change is changed and ansible_selinux.status != 'disabled' + changed_when: selinux_status_change is changed and ansible_facts['selinux']['status'] != 'disabled' when: - - ansible_os_family == "RedHat" + - ansible_facts['os_family'] == "RedHat" - security_rhel7_enable_linux_security_module | bool tags: - high
@@ -97,7 +97,7 @@ path: /.autorelabel state: touch when: - - ansible_os_family == "RedHat" + - ansible_facts['os_family'] == "RedHat" - security_rhel7_enable_linux_security_module | bool - selinux_status_change is changed tags:
@@ -113,8 +113,8 @@ changed_when: False check_mode: no when: - - ansible_os_family == 'RedHat' - - ansible_selinux.status == 'enabled' + - ansible_facts['os_family'] == 'RedHat' + - ansible_facts['selinux']['status'] == 'enabled' tags: - lsm - medium
@@ -128,7 +128,7 @@ {{ device }} {% endfor %} when: - - ansible_os_family == 'RedHat' + - ansible_facts['os_family'] == 'RedHat' - unlabeled_devices.stdout is defined - unlabeled_devices.stdout | length > 0 tags:
diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml
index 0bc6b07b..c82bbfa5 100644
--- a/tasks/rhel7stig/main.yml
+++ b/tasks/rhel7stig/main.yml
@@ -59,7 +59,7 @@ name: "{{ security_epel_release_package }}" state: "{{ security_package_state }}" when: - - ansible_pkg_mgr == 'yum' + - ansible_facts['pkg_mgr'] == 'yum' - security_epel_install_repository | bool - security_enable_virus_scanner | bool tags:
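Review bot: `changed_when: selinux_status_change is changed and ansible_facts['selinux']['status'] != 'disabled'` (@@ -83) suppresses the change report precisely when SELinux was disabled at fact-gathering time, and the next hunk (@@ -97) only touches `/.autorelabel` when `selinux_status_change is changed`. If the override is there to avoid reporting a change that cannot take effect before a reboot, its side effect is that the disabled-to-enforcing transition — the one case where a relabel on the next boot is needed — never schedules it. A safer shape is to leave the module's own result intact and key the relabel on the raw outcome, e.g. `- selinux_status_change is changed or selinux_status_change.reboot_required | default(false)` in the `/.autorelabel` task, or to explain in a comment why the disabled case is handled elsewhere. Whether a separate reboot/relabel path exists is not visible in this diff.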
@@ -73,7 +73,7 @@ # Package managers are managed first since the changes in these tasks will # affect the remainder of the tasks in the role. -- include_tasks: "{{ ansible_pkg_mgr }}.yml" +- include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml" # The bulk of the security changes are applied in these tasks. The tasks in # each file are tagged with the same name (for example, tasks in `auth.yml`
diff --git a/tasks/rhel7stig/misc.yml b/tasks/rhel7stig/misc.yml
index a62634db..b31d6ff5 100644
--- a/tasks/rhel7stig/misc.yml
+++ b/tasks/rhel7stig/misc.yml
@@ -67,7 +67,7 @@ The STIG requires that /home is on its own filesystem, but this system does not appear to be following the requirement. when: - - ansible_mounts | selectattr('mount', 'equalto', '/home') | list | length == 0 + - ansible_facts['mounts'] | selectattr('mount', 'equalto', '/home') | list | length == 0 tags: - low - misc
@@ -79,7 +79,7 @@ The STIG requires that /var is on its own filesystem, but this system does not appear to be following the requirement. when: - - ansible_mounts | selectattr('mount', 'equalto', '/var') | list | length == 0 + - ansible_facts['mounts'] | selectattr('mount', 'equalto', '/var') | list | length == 0 tags: - low - misc
@@ -91,7 +91,7 @@ The STIG requires that /var/log/audit is on its own filesystem, but this system does not appear to be following the requirement. when: - - ansible_mounts | selectattr('mount', 'equalto', '/var/log/audit') | list | length == 0 + - ansible_facts['mounts'] | selectattr('mount', 'equalto', '/var/log/audit') | list | length == 0 tags: - low - misc
@@ -103,7 +103,7 @@ The STIG requires that /tmp is on its own filesystem, but this system does not appear to be following the requirement. when: - - ansible_mounts | selectattr('mount', 'equalto', '/tmp') | list | length == 0 + - ansible_facts['mounts'] | selectattr('mount', 'equalto', '/tmp') | list | length == 0 tags: - low - misc
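Review bot: `include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml"` builds the include path straight from a fact, so on a host whose package manager is not one the role ships a file for (Ansible reports `unknown` when it cannot detect one) the play stops with a file-not-found error that says nothing about which platforms are supported. The fact value also originates on the managed node, so an explicit allow-list before the include is the right defensive shape as well as the clearer failure. The diffstat shows `apt.yml`, `dnf.yml` and `yum.yml` next to this file but not the full set, so the list should be adjusted to what actually exists, e.g. `- assert: { that: "ansible_facts['pkg_mgr'] in ['apt', 'dnf', 'yum', 'zypper']", fail_msg: "unsupported package manager: {{ ansible_facts['pkg_mgr'] }}" }` placed immediately before the include.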
@@ -148,7 +148,7 @@ when: - clamav_install_check.stat.exists - security_enable_virus_scanner | bool - - ansible_os_family | lower == 'redhat' + - ansible_facts['os_family'] | lower == 'redhat' notify: - restart clamav tags:
@@ -164,7 +164,7 @@ when: - clamav_install_check.stat.exists - security_enable_virus_scanner | bool - - ansible_os_family | lower == 'redhat' + - ansible_facts['os_family'] | lower == 'redhat' notify: - restart clamav tags:
@@ -179,7 +179,7 @@ when: - clamav_install_check.stat.exists - security_enable_virus_scanner | bool - - ansible_os_family | lower == 'redhat' + - ansible_facts['os_family'] | lower == 'redhat' notify: - restart clamav tags:
diff --git a/tasks/rhel7stig/rpm.yml b/tasks/rhel7stig/rpm.yml
index e1605db2..b72887a2 100644
--- a/tasks/rhel7stig/rpm.yml
+++ b/tasks/rhel7stig/rpm.yml
@@ -35,7 +35,7 @@ when: - security_check_package_checksums | bool - not check_mode | bool - - ansible_os_family | lower == 'redhat' + - ansible_facts['os_family'] | lower == 'redhat' tags: - rpm - high
@@ -54,7 +54,7 @@ when: - security_check_package_checksums | bool - not check_mode | bool - - ansible_os_family | lower == 'redhat' + - ansible_facts['os_family'] | lower == 'redhat' - invalid_checksum_files is defined - invalid_checksum_files.stdout is defined tags:
@@ -84,7 +84,7 @@ state: present when: - security_package_clean_on_remove | bool - - ansible_os_family | lower == 'redhat' + - ansible_facts['os_family'] | lower == 'redhat' tags: - low - packages
diff --git a/tasks/rhel7stig/yum.yml b/tasks/rhel7stig/yum.yml
index bb5c4f21..66cc3960 100644
--- a/tasks/rhel7stig/yum.yml
+++ b/tasks/rhel7stig/yum.yml
@@ -21,7 +21,7 @@ check_mode: no register: yum_cron_config_check when: - - ansible_os_family | lower == 'redhat' + - ansible_facts['os_family'] | lower == 'redhat' tags: - always
@@ -32,7 +32,7 @@ line: "apply_updates = yes" state: present when: - - ansible_os_family | lower == 'redhat' + - ansible_facts['os_family'] | lower == 'redhat' - yum_cron_config_check.stat.exists | bool - security_rhel7_automatic_package_updates | bool tags:
diff --git a/templates/osas-auditd-rhel7.j2 b/templates/osas-auditd-rhel7.j2
index bfb46ed1..5989350b 100644
--- a/templates/osas-auditd-rhel7.j2
+++ b/templates/osas-auditd-rhel7.j2
@@ -31,7 +31,7 @@ {# Verify that the variable controlling the rule is enabled and any distro- #} {# specific requirements are met. #} {# #} -{% if vars['security_rhel7_audit_' + command_sanitized ] | bool and (audited_command['distro'] | default(ansible_os_family | lower) == ansible_os_family | lower) %} +{% if vars['security_rhel7_audit_' + command_sanitized ] | bool and (audited_command['distro'] | default(ansible_facts['os_family'] | lower) == ansible_facts['os_family'] | lower) %} # {{ audited_command['stig_id'] }} - All uses of the {{ audited_command['command'] }} command must be audited. {# #} {# Some audit rules are specific to syscalls. Different rules are needed for #}
diff --git a/tests/test.yml b/tests/test.yml
index 5a9174a0..8fe9e2e0 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -22,7 +22,7 @@ cache_valid_time: "{{ cache_timeout }}" changed_when: False when: - - ansible_pkg_mgr == 'apt' + - ansible_facts['pkg_mgr'] == 'apt' register: refresh_cache until: refresh_cache is success retries: 5
@@ -31,7 +31,7 @@ file: path: /etc/cron.daily/logrotate state: touch - when: ansible_os_family == 'RedHat' + when: ansible_facts['os_family'] == 'RedHat' changed_when: False - name: Install dconf package to test graphical session locks package:
@@ -39,7 +39,7 @@ state: installed changed_when: False when: - - ansible_os_family == 'RedHat' + - ansible_facts['os_family'] == 'RedHat' register: install_packages until: install_packages is success retries: 5
diff --git a/vars/main.yml b/vars/main.yml
index 1a0326f3..6b5bca3b 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -55,7 +55,7 @@ auditd_config: # otherwise 'no' (required) # path: the path to the command (optional, default is '/usr/bin') # distro: restrict deployment to a single Linux distribution (optional, -# should be equal to 'ansible_os_family | lower', such as 'redhat' +# should be equal to 'ansible_facts['os_family'] | lower', such as 'redhat' # or 'ubuntu') # audited_commands:
diff --git a/vars/redhat-7.yml b/vars/redhat-7.yml
index a58bb644..7796cd4a 100644
--- a/vars/redhat-7.yml
+++ b/vars/redhat-7.yml
@@ -25,14 +25,14 @@ pam_password_file: /etc/pam.d/password-auth pam_postlogin_file: /etc/pam.d/postlogin vsftpd_conf_file: /etc/vsftpd/vsftpd.conf grub_conf_file: /boot/grub2/grub.cfg -grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' ', '') }}/grub.cfg" +grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_facts['distribution'] | lower | replace(' ', '') }}/grub.cfg" aide_cron_job_path: /etc/cron.d/aide aide_database_file: /var/lib/aide/aide.db.gz aide_database_out_file: /var/lib/aide/aide.db.new.gz chrony_conf_file: /etc/chrony.conf chrony_key_file: /etc/chrony.keys daemon_init_params_file: /etc/init.d/functions -pkg_mgr_config: "{{ (ansible_pkg_mgr == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}" +pkg_mgr_config: "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}" # Service names cron_service: crond
@@ -91,7 +91,7 @@ stig_packages_rhel7: state: "{{ security_package_state }}" enabled: "{{ security_enable_firewalld }}" - packages: - - "{{ (ansible_pkg_mgr == 'yum') | ternary('yum-cron', 'dnf-automatic') }}" + - "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('yum-cron', 'dnf-automatic') }}" state: "{{ security_package_state }}" enabled: "{{ security_rhel7_automatic_package_updates }}" - packages:
diff --git a/vars/redhat-8.yml b/vars/redhat-8.yml
index 438240b4..79409456 100644
--- a/vars/redhat-8.yml
+++ b/vars/redhat-8.yml
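Review bot: The rewritten comment states that `distro` "should be equal to ansible_facts['os_family'] | lower" yet keeps `'ubuntu'` as an example on the following context line, and `ubuntu` is never an `os_family` value (Ubuntu reports `Debian`), so an `audited_commands` entry written that way would never match the comparison in templates/osas-auditd-rhel7.j2. Change the example to `# or 'debian')`, or, if per-distribution matching is the real intent, compare against `ansible_facts['distribution'] | lower` in the template and document that instead. The nested single quotes in the new line also read awkwardly; `# should equal ansible_facts['os_family'] | lower, such as 'redhat'` avoids them.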
@@ -25,14 +25,14 @@ pam_password_file: /etc/pam.d/password-auth pam_postlogin_file: /etc/pam.d/postlogin vsftpd_conf_file: /etc/vsftpd/vsftpd.conf grub_conf_file: /boot/grub2/grub.cfg -grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' ', '') }}/grub.cfg" +grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_facts['distribution'] | lower | replace(' ', '') }}/grub.cfg" aide_cron_job_path: /etc/cron.d/aide aide_database_file: /var/lib/aide/aide.db.gz aide_database_out_file: /var/lib/aide/aide.db.new.gz chrony_conf_file: /etc/chrony.conf chrony_key_file: /etc/chrony.keys daemon_init_params_file: /etc/init.d/functions -pkg_mgr_config: "{{ (ansible_pkg_mgr == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}" +pkg_mgr_config: "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}" # Service names cron_service: crond
@@ -90,7 +90,7 @@ stig_packages_rhel7: state: "{{ security_package_state }}" enabled: "{{ security_enable_firewalld }}" - packages: - - "{{ (ansible_pkg_mgr == 'yum') | ternary('yum-cron', 'dnf-automatic') }}" + - "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('yum-cron', 'dnf-automatic') }}" state: "{{ security_package_state }}" enabled: "{{ security_rhel7_automatic_package_updates }}" - packages:
diff --git a/vars/suse.yml b/vars/suse.yml
index 2d810f1e..debd511b 100644
--- a/vars/suse.yml
+++ b/vars/suse.yml
@@ -27,7 +27,7 @@ grub_conf_file: /boot/grub2/grub.cfg # NOTE(hwoarang) SUSE seems to be using the ID field from /etc/os-release to # create the EFI distro directory. Since this information is not available on # Ansible, we have to improvise a bit... -grub_conf_file_efi: "{% set os_id = ansible_distribution.split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse','sles') }}/grub.cfg" +grub_conf_file_efi: "{% set os_id = ansible_facts['distribution'].split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse','sles') }}/grub.cfg" aide_cron_job_path: /etc/cron.daily/aide aide_database_file: /var/lib/aide/aide.db aide_database_out_file: /var/lib/aide/aide.db.new