
Commit adc8462

author
Sebastian Gumprich
committed
Revamp conditionals again
1 parent 7b934e4 commit adc8462


1 file changed

+8
-14
lines changed

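--- a/roles/ansible-ssh-hardening/tasks/main.yml
+++ b/roles/ansible-ssh-hardening/tasks/main.yml
@@ -2,22 +2,16 @@
 - name: add the OS specific variables
   include_vars: "{{ ansible_os_family }}.yml"
 
-- name: check is selinux is installed
-  command: getenforce
-  register: selinux_installed
-  ignore_errors: true
-  changed_when: false
-
 - name: test to see if selinux is running
   command: getenforce
   register: sestatus
   changed_when: false
-  when: selinux_installed.rc == 0
+  ignore_errors: true
 
 - name: check the ssh_password policy state
   shell: semodule -l | grep "ssh_password" | awk '{print $3}'
   register: selinux_policy_state
-  when: selinux_installed.rc == 0
+  when: sestatus.rc == 0 and sestatus.stdout != 'Disabled'
   changed_when: false
 
 - name: create sshd_config and set permissions to root/600
@@ -31,28 +25,28 @@
 
 - name: Create selinux custom policy drop folder
   file: path={{ custom_selinux_dir }} state=directory owner=root group=root mode=0750
-  when: not ssh_use_pam and sestatus.stdout != 'Disabled' and selinux_installed.rc == 0
+  when: not ssh_use_pam and sestatus.rc == 0 and sestatus.stdout != 'Disabled'
 
 # The following tasks only get executed when selinux is in state enforcing and UsePam is "no".
 # See this issue for more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23
 
 - name: Distributing custom selinux policies
   copy: src='ssh_password' dest='{{ custom_selinux_dir }}'
   register: custom_policies_output
-  when: not ssh_use_pam and sestatus.stdout != 'Disabled' and selinux_installed.rc == 0
+  when: not ssh_use_pam and sestatus.rc == 0 and sestatus.stdout != 'Disabled'
 
 - name: check and compile policy
   shell: checkmodule -M -m -o {{ custom_selinux_dir }}/ssh_password.mod {{ custom_selinux_dir }}/ssh_password
-  when: not ssh_use_pam and sestatus.stdout != 'Disabled' and selinux_installed.rc == 0
+  when: not ssh_use_pam and sestatus.rc == 0 and sestatus.stdout != 'Disabled'
 
 - name: create selinux policy module package
   shell: semodule_package -o {{ custom_selinux_dir }}/ssh_password.pp -m {{ custom_selinux_dir }}/ssh_password.mod
-  when: not ssh_use_pam and sestatus.stdout != 'Disabled' and selinux_installed.rc == 0
+  when: not ssh_use_pam and sestatus.rc == 0 and sestatus.stdout != 'Disabled'
 
 - name: install selinux policy
   shell: semodule -i {{ custom_selinux_dir }}/ssh_password.pp
-  when: not ssh_use_pam and sestatus.stdout != 'Disabled' and selinux_installed.rc == 0
+  when: not ssh_use_pam and sestatus.rc == 0 and sestatus.stdout != 'Disabled'
 
 - name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk (http://danwalsh.livejournal.com/12333.html)
   shell: semodule -r ssh_password
-  when: (selinux_installed.rc == 0) and ssh_use_pam
+  when: sestatus.rc == 0 and ssh_use_pam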