diff --git a/molecule/mysql_hardening/converge.yml b/molecule/mysql_hardening/converge.yml
index f37a4707..cc0acf16 100644
--- a/molecule/mysql_hardening/converge.yml
+++ b/molecule/mysql_hardening/converge.yml
@@ -12,22 +12,22 @@ mysql_python_package_debian: python3-pymysql when: - mysql_python_package_debian is not defined - - ansible_distribution == "Ubuntu" - - ansible_distribution_major_version|int > 19 + - ansible_facts.distribution == "Ubuntu" + - ansible_facts.distribution_major_version|int > 19 - name: Determine required MySQL Python libraries. ansible.builtin.set_fact: mysql_python_package_debian: "{% if 'python3' in ansible_python_interpreter | default('') %}python3-mysqldb{% else %}python-mysqldb{% endif %}" when: - mysql_python_package_debian is not defined - - ansible_distribution != "Ubuntu" - - ansible_distribution_major_version|int < 20 + - ansible_facts.distribution != "Ubuntu" + - ansible_facts.distribution_major_version|int < 20 - name: Use Python 3 on Suse ansible.builtin.set_fact: ansible_python_interpreter: /usr/bin/python3 when: - - ansible_os_family == 'Suse' + - ansible_facts.os_family == 'Suse' - name: Include mysql_hardening role ansible.builtin.include_role:
diff --git a/molecule/mysql_hardening/molecule.yml b/molecule/mysql_hardening/molecule.yml
index edfb2848..dbbeac1a 100644
--- a/molecule/mysql_hardening/molecule.yml
+++ b/molecule/mysql_hardening/molecule.yml
@@ -23,6 +23,7 @@ provisioner: defaults: interpreter_python: auto_silent callbacks_enabled: profile_tasks, timer, yaml + inject_facts_as_vars: false verifier: name: ansible
diff --git a/molecule/mysql_hardening/prepare.yml b/molecule/mysql_hardening/prepare.yml
index 5db579bb..33642775 100644
--- a/molecule/mysql_hardening/prepare.yml
+++ b/molecule/mysql_hardening/prepare.yml
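Review bot: `inject_facts_as_vars: false` is added to the provisioner defaults without a comment saying why, and because it silently changes how every unprefixed `ansible_*` reference in the scenario resolves, a one-line comment above it would help, e.g. `# Fail the scenario if any task still reads injected ansible_* fact variables instead of ansible_facts.*`. The same applies to the identical additions in the nginx_hardening, os_hardening, os_hardening_vm, ssh_hardening, ssh_hardening_bsd and ssh_hardening_custom_tests molecule.yml hunks. Note that this guard only catches references in task branches the scenarios actually execute; a leftover injected variable behind a platform condition that CI never takes (the Suse or RedHat 7 branches in the neighbouring hunks, for instance) would still pass, so a one-off search of roles/ for `ansible_distribution`, `ansible_os_family`, `ansible_service_mgr` and `ansible_virtualization_type` not preceded by `ansible_facts.` is worth doing alongside this change.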
@@ -17,25 +17,25 @@ ansible.builtin.set_fact: ansible_python_interpreter: /usr/bin/python3 when: - - ansible_distribution == 'Debian' - - ansible_distribution_major_version|int >= 11 + - ansible_facts.distribution == 'Debian' + - ansible_facts.distribution_major_version|int >= 11 - name: Use Python 3 on Suse ansible.builtin.set_fact: ansible_python_interpreter: /usr/bin/python3 when: - - ansible_os_family == 'Suse' + - ansible_facts.os_family == 'Suse' - name: Run the equivalent of "apt-get update && apt-get upgrade" ansible.builtin.apt: upgrade: safe update_cache: true - when: ansible_os_family == 'Debian' + when: ansible_facts.os_family == 'Debian' - name: Install required python packages on Suse ansible.builtin.command: zypper -n install python311-rpm python311-PyMySQL changed_when: false - when: ansible_os_family == 'Suse' + when: ansible_facts.os_family == 'Suse' - name: Create missing directory ansible.builtin.file: 
@@ -48,23 +48,23 @@ mysql_python_package_debian: python3-pymysql when: - mysql_python_package_debian is not defined - - ansible_distribution == "Ubuntu" - - ansible_distribution_major_version|int > 19 + - ansible_facts.distribution == "Ubuntu" + - ansible_facts.distribution_major_version|int > 19 - name: Determine required MySQL Python libraries. ansible.builtin.set_fact: mysql_python_package_debian: "{% if 'python3' in ansible_python_interpreter | default('') %}python3-mysqldb{% else %}python-mysqldb{% endif %}" when: - mysql_python_package_debian is not defined - - ansible_distribution != "Ubuntu" - - ansible_distribution_major_version|int < 20 + - ansible_facts.distribution != "Ubuntu" + - ansible_facts.distribution_major_version|int < 20 - name: Install required MySQL Python libraries on RHEL ansible.builtin.dnf: name: "{% if 'python3' in ansible_python_interpreter | default('') %}python36-PyMySQL{% else %}python2-PyMySQL{% endif %}" when: - - ansible_os_family == "RedHat" - - ansible_distribution_major_version == "7" + - ansible_facts.os_family == "RedHat" + - ansible_facts.distribution_major_version == "7" - name: Install mysql with a generic Ansible role ansible.builtin.include_role:
diff --git a/molecule/mysql_hardening/verify.yml b/molecule/mysql_hardening/verify.yml
index 326d6957..fd11388c 100644
--- a/molecule/mysql_hardening/verify.yml
+++ b/molecule/mysql_hardening/verify.yml
@@ -11,14 +11,14 @@ ansible.builtin.set_fact: ansible_python_interpreter: /usr/bin/python3 when: - - ansible_os_family == 'Suse' + - ansible_facts.os_family == 'Suse' - name: Install procps for debian systems ansible.builtin.apt: name: procps state: present update_cache: true - when: ansible_distribution == 'Debian' + when: ansible_facts.distribution == 'Debian' - name: Include tests for the service ansible.builtin.include_tasks: verify_tasks/service.yml
diff --git a/molecule/nginx_hardening/molecule.yml b/molecule/nginx_hardening/molecule.yml
index 71c28cad..64b0477a 100644
--- a/molecule/nginx_hardening/molecule.yml
+++ b/molecule/nginx_hardening/molecule.yml
@@ -22,6 +22,7 @@ provisioner: defaults: interpreter_python: auto_silent callbacks_enabled: profile_tasks, timer, yaml + inject_facts_as_vars: false verifier: name: ansible
diff --git a/molecule/nginx_hardening/prepare.yml b/molecule/nginx_hardening/prepare.yml
index 58a4999c..ba825d0c 100644
--- a/molecule/nginx_hardening/prepare.yml
+++ b/molecule/nginx_hardening/prepare.yml
@@ -16,7 +16,7 @@ - name: Set correct distribution Version for Amazon Linux ansible.builtin.set_fact: ansible_distribution_major_version: 7 - when: ansible_distribution == 'Amazon' + when: ansible_facts.distribution == 'Amazon' - name: Install nginx with a generic Ansible role ansible.builtin.include_role:
diff --git a/molecule/nginx_hardening/verify.yml b/molecule/nginx_hardening/verify.yml
index 84a1ed55..90a45eb8 100644
--- a/molecule/nginx_hardening/verify.yml
+++ b/molecule/nginx_hardening/verify.yml
@@ -12,7 +12,7 @@ name: procps state: present update_cache: true - when: ansible_distribution == 'Debian' + when: ansible_facts.distribution == 'Debian' - name: Verify hosts: localhost
diff --git a/molecule/os_hardening/molecule.yml b/molecule/os_hardening/molecule.yml
index 31840719..34e1fae0 100644
--- a/molecule/os_hardening/molecule.yml
+++ b/molecule/os_hardening/molecule.yml
@@ -18,6 +18,7 @@ provisioner: defaults: interpreter_python: auto_silent callbacks_enabled: profile_tasks, timer, yaml + inject_facts_as_vars: false verifier: name: ansible
diff --git a/molecule/os_hardening/prepare.yml b/molecule/os_hardening/prepare.yml
index 5c187e8c..45c50bc0 100644
--- a/molecule/os_hardening/prepare.yml
+++ b/molecule/os_hardening/prepare.yml
@@ -16,7 +16,7 @@ ansible.builtin.apt: upgrade: safe update_cache: true - when: ansible_os_family == 'Debian' + when: ansible_facts.os_family == 'Debian' - name: Install required tools on SuSE # cannot use zypper module, since it depends on python-xml
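Review bot: In the nginx_hardening prepare.yml hunk the task guarded by the renamed `when:` still does `ansible.builtin.set_fact: ansible_distribution_major_version: 7`, but with `inject_facts_as_vars: false` now set for this scenario the role presumably reads `ansible_facts.distribution_major_version`, which a plain `set_fact` does not appear to overwrite (it creates a host variable, not an entry in `ansible_facts`), so the Amazon Linux workaround may no longer reach the role. It would be worth asserting `ansible_facts.distribution_major_version` right after this task on an Amazon host, or replacing the override with whatever variable the nginx role exposes for this case. If the `set_fact` is kept, note that `7` is an integer here while the gathered fact is a string, so a string comparison such as the `== "7"` used in the mysql_hardening prepare hunk would not match either; `ansible_distribution_major_version: "7"` would at least be type-consistent.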
diff --git a/molecule/os_hardening_vm/converge.yml b/molecule/os_hardening_vm/converge.yml
index b1511d51..910ad4ae 100644
--- a/molecule/os_hardening_vm/converge.yml
+++ b/molecule/os_hardening_vm/converge.yml
@@ -30,7 +30,7 @@ os_mnt_var_options: rw,nosuid,nodev,compress=zstd:1,subvol=var when: - ansible_facts.distribution == 'Fedora' - - ansible_distribution_major_version|int == 40 + - ansible_facts.distribution_major_version|int == 40 - name: Include os_hardening role ansible.builtin.include_role:
diff --git a/molecule/os_hardening_vm/molecule.yml b/molecule/os_hardening_vm/molecule.yml
index 333d0272..ca25c083 100644
--- a/molecule/os_hardening_vm/molecule.yml
+++ b/molecule/os_hardening_vm/molecule.yml
@@ -27,6 +27,7 @@ provisioner: callbacks_enabled: profile_tasks, timer, yaml # Workaround for https://github.com/ansible-community/molecule-plugins/issues/301 library: "${MOLECULE_PROJECT_DIRECTORY}/plugins/modules:/usr/share/ansible:${MOLECULE_VAGRANT_PLUGIN_DIR}" + inject_facts_as_vars: false verifier: name: ansible env:
diff --git a/molecule/os_hardening_vm/prepare.yml b/molecule/os_hardening_vm/prepare.yml
index 3e00f47b..7f706c76 100644
--- a/molecule/os_hardening_vm/prepare.yml
+++ b/molecule/os_hardening_vm/prepare.yml
@@ -26,7 +26,7 @@ ansible.builtin.dpkg_selections: name: grub-pc selection: hold - when: ansible_os_family == 'Debian' + when: ansible_facts.os_family == 'Debian' # we need to free up space, since the /boot partition in some Vagrant images is # pretty small and system updates might fail
@@ -35,20 +35,20 @@ paths: /boot patterns: "initrd.img*" register: find_results - when: ansible_os_family == 'Debian' + when: ansible_facts.os_family == 'Debian' - name: Delete all initrd.img to free space on /boot ansible.builtin.file: path: "{{ item['path'] }}" state: absent with_items: "{{ find_results['files'] }}" - when: ansible_os_family == 'Debian' + when: ansible_facts.os_family == 'Debian' - name: Run the equivalent of "apt-get update && apt-get upgrade" ansible.builtin.apt: upgrade: safe update_cache: true - when: ansible_os_family == 'Debian' + when: ansible_facts.os_family == 'Debian' - name: Install required tools on fedora ansible.builtin.dnf:
diff --git a/molecule/ssh_hardening/molecule.yml b/molecule/ssh_hardening/molecule.yml
index 834b709c..334f1557 100644
--- a/molecule/ssh_hardening/molecule.yml
+++ b/molecule/ssh_hardening/molecule.yml
@@ -18,6 +18,7 @@ provisioner: defaults: interpreter_python: auto_silent callbacks_enabled: profile_tasks, timer, yaml + inject_facts_as_vars: false inventory: host_vars: # https://molecule.readthedocs.io/en/latest/examples.html#docker-with-non-privileged-user
diff --git a/molecule/ssh_hardening_bsd/molecule.yml b/molecule/ssh_hardening_bsd/molecule.yml
index 5561b695..b04438db 100644
--- a/molecule/ssh_hardening_bsd/molecule.yml
+++ b/molecule/ssh_hardening_bsd/molecule.yml
@@ -23,6 +23,7 @@ provisioner: callbacks_enabled: profile_tasks, timer, yaml # Workaround for https://github.com/ansible-community/molecule-plugins/issues/301 library: "${MOLECULE_PROJECT_DIRECTORY}/plugins/modules:/usr/share/ansible:${MOLECULE_VAGRANT_PLUGIN_DIR}" + inject_facts_as_vars: false verifier: name: ansible env:
diff --git a/molecule/ssh_hardening_custom_tests/molecule.yml b/molecule/ssh_hardening_custom_tests/molecule.yml
index 75c38058..3bea4e9b 100644
--- a/molecule/ssh_hardening_custom_tests/molecule.yml
+++ b/molecule/ssh_hardening_custom_tests/molecule.yml
@@ -18,6 +18,7 @@ provisioner: defaults: interpreter_python: auto_silent callbacks_enabled: profile_tasks, timer, yaml + inject_facts_as_vars: false verifier: name: ansible
diff --git a/roles/os_hardening/tasks/ctrlaltdel.yml b/roles/os_hardening/tasks/ctrlaltdel.yml
index dae46ad6..3727c31d 100644
--- a/roles/os_hardening/tasks/ctrlaltdel.yml
+++ b/roles/os_hardening/tasks/ctrlaltdel.yml
@@ -4,4 +4,4 @@ name: ctrl-alt-del.target masked: true daemon_reload: true - when: ansible_service_mgr == "systemd" + when: ansible_facts.service_mgr == "systemd"
diff --git a/roles/os_hardening/tasks/limits.yml b/roles/os_hardening/tasks/limits.yml
index b6916b4b..faa501c2 100644
--- a/roles/os_hardening/tasks/limits.yml
+++ b/roles/os_hardening/tasks/limits.yml
@@ -37,7 +37,7 @@ group: root mode: "0755" state: directory - when: ansible_service_mgr == "systemd" + when: ansible_facts.service_mgr == "systemd" - name: Create custom.conf for disabling coredumps ansible.builtin.template:
@@ -46,7 +46,7 @@ owner: root group: root mode: "0644" - when: ansible_service_mgr == "systemd" + when: ansible_facts.service_mgr == "systemd" notify: Reload systemd - name: Enable coredumps
@@ -56,7 +56,7 @@ ansible.builtin.file: path: /etc/systemd/coredump.conf.d state: absent - when: ansible_service_mgr == "systemd" + when: ansible_facts.service_mgr == "systemd" notify: Reload systemd - name: Remove 10.hardcore.conf config file
diff --git a/roles/os_hardening/tasks/sysctl.yml b/roles/os_hardening/tasks/sysctl.yml
index 7715981e..4e9efd70 100644
--- a/roles/os_hardening/tasks/sysctl.yml
+++ b/roles/os_hardening/tasks/sysctl.yml
@@ -9,7 +9,7 @@ when: ansible_facts.os_family == 'RedHat' - name: Change sysctls - when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz'] + when: ansible_facts.virtualization_type not in ['docker', 'lxc', 'openvz'] block: - name: Protect sysctl.conf ansible.builtin.file:
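Review bot: The `ansible.builtin.file` task in the third limits.yml hunk (`@@ -56,7 +56,7 @@`) removes the whole `/etc/systemd/coredump.conf.d` directory with `state: absent`, which also deletes any drop-ins an administrator placed there, not just the `custom.conf` this role templates in the hunk above; the `when:` rename does not change that, but since these lines are being touched it would be cleaner to point the path at the role's own file only. The task's leading keys and the template's destination are outside the hunks, so I am inferring from the task names that this is the "Enable coredumps" counterpart of "Create custom.conf for disabling coredumps".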
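Review bot: The container exclusion on the renamed `when:` in sysctl.yml still lists only `docker`, `lxc` and `openvz`, while `ansible_facts.virtualization_type` can report other container runtimes (e.g. `podman`, `containerd`), so on those hosts the block would still try to change sysctls and fail against a read-only /proc/sys. Extending the list, `when: ansible_facts.virtualization_type not in ['docker', 'lxc', 'openvz', 'podman', 'containerd']`, or driving it from a role default variable so users can add their runtime, would make the skip robust. The `block:` body continues outside the hunk.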