forked from star3am/hashiqube
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathel.yml
executable file
·141 lines (125 loc) · 5.11 KB
/
el.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
---
# if you want to list all variables for this host, uncomment this
#- name: "Ansible | List all known variables and facts"
# debug:
# var: hostvars[inventory_hostname]
# verbosity: 1
# set custom facts which we can use later on
- set_fact:
cloud: "google"
when:
ansible_facts['system_vendor'] == 'Google'
- set_fact:
cloud: "azure"
when:
ansible_facts['system_vendor'] == 'Microsoft Corporation'
- set_fact:
cloud: "amazon"
when:
ansible_facts['system_vendor'] == 'Xen'
- set_fact:
cloud: "vagrant"
when:
ansible_facts['system_vendor'] == 'innotek GmbH'
- name: "Cloud"
debug:
msg: "Cloud: {{ cloud }}"
- name: "OS"
debug:
msg: "{{ ansible_distribution }} {{ ansible_distribution_version }} {{ ansible_distribution_release }} on {{ cloud }}"
- name: "Write Ansible hostvars to file"
copy:
content: "{{ hostvars[inventory_hostname] }}"
dest: /build-{{ version_number }}.json
mode: "0644"
# WARNING!! This is just a POC normally we would not enter a password in clear text
- name: Ensure user ansible is present
ansible.builtin.user:
name: ansible
password: "{{ 'aix1rii3Bahshuleikei5y'|password_hash('sha512') }}"
# password: "$6$IBULZeGd6UP6Jkg3$QqdevUQs.VDuMnT8prurhLuz3PErfoUHXg0/culpF4uj8RdZJ7UyuOG9LAz2B16Nao1jFe5X.NIKw0eYBKyXO1"
update_password: on_create
comment: Ansible Tower
uid: 1040
shell: /bin/bash
groups: users,sudo
append: yes
tags:
- day0
# https://fedoraproject.org/wiki/EPEL#Quickstart
# we dont have a Redhat Subscription Manager or Satelite Server so we use EPEL
# we use the URL to the RPM, because dnf and yum cannot find the epel repo
- name: "Enable EPEL Repository"
yum:
name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_facts['distribution_major_version'] }}.noarch.rpm"
state: present
disable_gpg_check: yes
ignore_errors: true
# rpm -ql epel-release
# dnf repository-packages epel list
# dnf repolist -v
- name: "Ensure package manager repositories are configured | Get repo list"
command: dnf repolist
changed_when: false
failed_when: false
register: dnf_configured
check_mode: no
args:
warn: false
# - name: "Ensure package manager repositories are configured | Display repo list"
# debug:
# msg:
# - "Alert! Below are the configured repos. Please review and make sure all allign with site policy"
# - "{{ dnf_configured.stdout_lines }}"
- name: "Get repo files list "
command: ls -l /etc/yum.repos.d/
register: ls_l_etc_yum_dot_repos_dot_d
- name: "Ensure package manager repositories are configured | Display repo list"
debug:
msg:
- "Alert! Below are the configured repos. Please review and make sure all allign with site policy"
- "{{ ls_l_etc_yum_dot_repos_dot_d.stdout_lines }}"
- name: "Install Package dependencies"
dnf:
name: "{{ item }}"
state: present
with_items:
- aide
- ipset
- firewalld
ignore_errors: true
when:
(ansible_facts['system_vendor'] == 'Xen'
and ansible_facts['distribution'] == "RedHat"
and ansible_facts['distribution_major_version'] == "8")
# amazon-ebs.redhat-83: TASK [/Users/riaannolan/workspace/servian.com/soe-image-factory/ansible/RHEL8-CIS : SCORED | 1.4.1 | PATCH | Ensure AIDE is installed | Install AIDE] ***
# amazon-ebs.redhat-83: fatal: [none]: FAILED! => {"changed": false, "failures": ["No package aide available."], "msg": "Failed to install some of the specified packages", "rc": 1, "results": []}
# amazon-ebs.redhat-83: failed: [none] (item=firewalld) => {"ansible_loop_var": "item", "changed": false, "failures": ["No package firewalld available."], "item": "firewalld", "msg": "Failed to install some of the specified packages", "rc": 1, "results": []}
# amazon-ebs.redhat-83: TASK [/Users/riaannolan/workspace/servian.com/soe-image-factory/ansible/RHEL8-CIS : SCORED | 3.4.1.1 | PATCH | Ensure a Firewall package is installed] ***
# amazon-ebs.redhat-83: fatal: [none]: FAILED! => {"changed": false, "failures": ["No package firewalld available."], "msg": "Failed to install some of the specified packages", "rc": 1, "results": []}
# FIX RHEL8-CIS SCORED | 1.4.1 | PATCH | Ensure AIDE is installed
# FIX RHEL8-CIS SCORED | 3.4.1.1 | PATCH | Ensure a Firewall package is installed
- name: "FIX RHEL8-CIS SCORED | 1.4.1 | PATCH | Ensure X is installed"
yum:
name: "{{ item }}"
state: present
disable_gpg_check: yes
with_items:
- http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/aide-0.16-14.el8.x86_64.rpm
when:
(ansible_facts['system_vendor'] == 'innotek GmbH'
and ansible_facts['distribution'] == "RedHat"
and ansible_facts['distribution_major_version'] == "8")
ignore_errors: true
- name: "FIX RHEL7-CIS AUTOMATED | 1.4.1 | PATCH | Ensure X is installed"
yum:
name: "{{ item }}"
state: present
disable_gpg_check: yes
with_items:
- http://mirror.centos.org/centos/7/os/x86_64/Packages/aide-0.15.1-13.el7.x86_64.rpm
when:
(ansible_facts['system_vendor'] == 'innotek GmbH'
and ansible_facts['distribution'] == "RedHat"
and ansible_facts['distribution_major_version'] == "7")
ignore_errors: true