Skip to content
This repository was archived by the owner on Dec 26, 2020. It is now read-only.

Commit be38ac7

Browse files
author
Sebastian Gumprich
committed
Add selinux-check
1 parent c4482cb commit be38ac7

File tree

1 file changed

+13
-6
lines changed
  • roles/ansible-ssh-hardening/tasks

1 file changed

+13
-6
lines changed

roles/ansible-ssh-hardening/tasks/main.yml

Lines changed: 13 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -2,15 +2,22 @@
22
- name: add the OS specific variables
33
include_vars: "{{ ansible_os_family }}.yml"
44

5+
- name: check is selinux is installed
6+
command: getenforce
7+
register: selinux_installed
8+
ignore_errors: true
9+
changed_when: false
10+
511
- name: test to see if selinux is running
612
command: getenforce
713
register: sestatus
814
changed_when: false
15+
when: selinux_installed.rc == 0
916

1017
- name: check the ssh_password policy state
1118
shell: semodule -l | grep "ssh_password" | awk '{print $3}'
1219
register: selinux_policy_state
13-
when: sestatus.stdout == 'Enforcing'
20+
when: selinux_installed.rc == 0
1421
changed_when: false
1522

1623
- name: create sshd_config and set permissions to root/600
@@ -24,27 +31,27 @@
2431

2532
- name: Create selinux custom policy drop folder
2633
file: path={{ custom_selinux_dir }} state=directory owner=root group=root mode=0750
27-
when: not ssh_use_pam and sestatus.stdout == 'Enforcing'
34+
when: not ssh_use_pam and sestatus.stdout != 'Disabled'
2835

2936
# The following tasks only get executed when selinux is in state enforcing and UsePam is "no".
3037
# See this issue for more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23
3138

3239
- name: Distributing custom selinux policies
3340
copy: src='ssh_password' dest='{{ custom_selinux_dir }}'
3441
register: custom_policies_output
35-
when: not ssh_use_pam and sestatus.stdout == 'Enforcing'
42+
when: not ssh_use_pam and sestatus.stdout != 'Disabled'
3643

3744
- name: check and compile policy
3845
shell: checkmodule -M -m -o {{ custom_selinux_dir }}/ssh_password.mod {{ custom_selinux_dir }}/ssh_password
39-
when: not ssh_use_pam and sestatus.stdout == 'Enforcing'
46+
when: not ssh_use_pam and sestatus.stdout != 'Disabled'
4047

4148
- name: create selinux policy module package
4249
shell: semodule_package -o {{ custom_selinux_dir }}/ssh_password.pp -m {{ custom_selinux_dir }}/ssh_password.mod
43-
when: not ssh_use_pam and sestatus.stdout == 'Enforcing'
50+
when: not ssh_use_pam and sestatus.stdout != 'Disabled'
4451

4552
- name: install selinux policy
4653
shell: semodule -i {{ custom_selinux_dir }}/ssh_password.pp
47-
when: not ssh_use_pam and sestatus.stdout == 'Enforcing'
54+
when: not ssh_use_pam and sestatus.stdout != 'Disabled'
4855

4956
- name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk (http://danwalsh.livejournal.com/12333.html)
5057
shell: semodule -r ssh_password

0 commit comments

Comments
 (0)