Cleanup old OS-support and simplify vars (#458)

* use os_family instead of distribution for debian systems

Signed-off-by: rndmh3ro <[email protected]>

* remove tasks related to rhel6 or debian 6

Signed-off-by: rndmh3ro <[email protected]>

Author: rndmh3ro

roles/os_hardening/tasks/hardening.yml

@@ -68,7 +68,7 @@
   tags: yum
 
 - import_tasks: apt.yml
-  when: ansible_facts.distribution in ['Debian', 'Ubuntu']
+  when: ansible_facts.os_family == 'Debian'
   tags: apt
 
 - import_tasks: selinux.yml

roles/os_hardening/tasks/modprobe.yml

@@ -19,8 +19,6 @@
 - name: Remove used filesystems from fs-list
   set_fact:
     os_unused_filesystems: "{{ os_unused_filesystems | difference(ansible_mounts | map(attribute='fstype') | list) }}"
-  # we cannot do this on el6 and below, because these systems don't support the map function
-  when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
 
 - name: Disable unused filesystems | os-10
   template:

roles/os_hardening/tasks/pam.yml

@@ -19,7 +19,7 @@
 
 - import_tasks: pam_debian.yml
   when:
-    - ansible_facts.distribution in ['Debian', 'Ubuntu']
+    - ansible_facts.os_family == 'Debian'
 
 - import_tasks: pam_rhel.yml
   when:

roles/os_hardening/tasks/sysctl.yml

@@ -58,16 +58,15 @@
         ignoreerrors: true
       with_dict: '{{ sysctl_config }}'
 
-    - name: Change various sysctl-settings on rhel6-hosts or older, look at the sysctl-vars file for documentation
+    - name: Change various sysctl-settings on Amazon Linux, look at the sysctl-vars file for documentation
       sysctl:
         name: '{{ item.key }}'
         value: '{{ item.value }}'
         state: present
         reload: true
         ignoreerrors: true
       with_dict: '{{ sysctl_rhel_config }}'
-      when: ((ansible_facts.distribution in ['CentOS', 'Fedora', 'RedHat']) and
-            ansible_distribution_version|int is version('7', '<')) or ansible_facts.distribution == 'Amazon'
+      when: ansible_facts.distribution == 'Amazon'
 
   when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz']
 
@@ -78,5 +77,5 @@
     mode: '0644'
   when:
     - ufw_manage_defaults
-    - ansible_facts.distribution in ['Debian', 'Ubuntu']
+    - ansible_facts.os_family == 'Debian'
   tags: ufw

roles/ssh_hardening/defaults/main.yml

@@ -191,7 +191,6 @@ ssh_server_accept_env_vars: ''
 # maximum number of concurrent unauthenticated connections to the SSH daemon
 ssh_max_startups: '10:30:60'       # sshd
 
-ssh_ps53: 'yes'
 ssh_ps59: 'sandbox'
 
 ssh_macs: []

roles/ssh_hardening/tasks/crypto_macs.yml

@@ -4,13 +4,6 @@
     ssh_macs: '{{ ssh_macs_53_default }}'
   when: sshd_version is version('5.3', '>=')
 
-- name: Set macs for Enterprise Linux >= 6.5 (openssh 5.3 with backports)
-  set_fact:
-    ssh_macs: '{{ ssh_macs_53_el_6_5_default }}'
-  when:
-    - ansible_facts.distribution in ['CentOS', 'OracleLinux', 'RedHat']
-    - ansible_facts.distribution_version is version('6.5', '>=')
-
 - name: Set macs according to openssh-version if openssh >= 5.9
   set_fact:
     ssh_macs: '{{ ssh_macs_59_default }}'

roles/ssh_hardening/templates/opensshd.conf.j2

@@ -103,11 +103,7 @@ LogLevel {{ sshd_log_level }}
 UseLogin no
 {% endif %}
 {% if sshd_version is version('7.5', '<') %}
-UsePrivilegeSeparation {{
-  (ansible_facts.distribution == 'Debian' and ansible_facts.distribution_major_version <= '6')
-  or (ansible_facts.os_family in ['Oracle Linux', 'RedHat'] and ansible_facts.distribution_major_version <= '6' and not ansible_facts.distribution == 'Amazon')
-  | ternary(ssh_ps53, ssh_ps59)
-}}
+UsePrivilegeSeparation {{ ssh_ps59 }}
 {% endif %}
 
 LoginGraceTime {{ ssh_login_grace_time }}

roles/ssh_hardening/vars/main.yml

@@ -3,10 +3,6 @@ ssh_macs_53_default:
   - hmac-ripemd160
   - hmac-sha1
 
-ssh_macs_53_el_6_5_default:
-  - hmac-sha2-512
-  - hmac-sha2-256
-
 ssh_macs_59_default:
   - hmac-sha2-512
   - hmac-sha2-256