From 4e9a8a1d6ab556628555063402dd5f491814b9db Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Tue, 23 May 2017 07:31:18 -0500
Subject: [PATCH] Initial Debian 8 support

This patch sets up the security role so that it applies cleanly to systems running Debian 8.

Change-Id: I15f003b8f57922b354143a86ccb34df77759e723
---
 tasks/rhel7stig/lsm.yml | 12 ++++++++++++
 tasks/rhel7stig/packages.yml | 2 +-
 vars/{ubuntu.yml => debian.yml} | 7 ++++---
 3 files changed, 17 insertions(+), 4 deletions(-)
 rename vars/{ubuntu.yml => debian.yml} (95%)

diff --git a/tasks/rhel7stig/lsm.yml b/tasks/rhel7stig/lsm.yml
index 12649591..80a40bff 100644
--- a/tasks/rhel7stig/lsm.yml
+++ b/tasks/rhel7stig/lsm.yml
@@ -13,6 +13,17 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: Check if AppArmor is disabled at boot time
+ shell: "dmesg | grep -i apparmor"
+ register: dmesg_apparmor_output
+ changed_when: False
+ check_mode: no
+ when:
+ - ansible_os_family == "Debian"
+ tags:
+ - high
+ - V-71989
+
 - name: Ensure AppArmor is running
 service:
 name: apparmor
@@ -22,6 +33,7 @@
 - ansible_os_family == "Debian"
 - security_rhel7_enable_linux_security_module | bool
 - not check_mode
+ - '"AppArmor disabled by boot time parameter" not in dmesg_apparmor_output.stdout'
 tags:
 - high
 - V-71989
diff --git a/tasks/rhel7stig/packages.yml b/tasks/rhel7stig/packages.yml
index 9d96c3f7..9e9e2a2a 100644
--- a/tasks/rhel7stig/packages.yml
+++ b/tasks/rhel7stig/packages.yml
@@ -91,7 +91,7 @@
 src: 20auto-upgrades
 dest: /etc/apt/apt.conf.d/20auto-upgrades
 when:
- - ansible_os_family | lower == 'ubuntu'
+ - ansible_os_family | lower == 'debian'
 - security_rhel7_automatic_package_updates | bool
 tags:
 - packages
diff --git a/vars/ubuntu.yml b/vars/debian.yml
similarity index 95%
rename from vars/ubuntu.yml
rename to vars/debian.yml
index cb6d4a29..0b7b56b0 100644
--- a/vars/ubuntu.yml
+++ b/vars/debian.yml
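Review bot: `shell: "dmesg | grep -i apparmor"` will fail the play on any Debian-family host whose kernel log contains no AppArmor line at all (kernel built without AppArmor, or the ring buffer already overwritten on a long-running host), because grep exits 1 on no match and the task sets no `failed_when`; add `failed_when: false` beside `changed_when: False` so the run never aborts here and the registered `stdout` is still populated for the `not in dmesg_apparmor_output.stdout` condition in the second hunk of this file. Because the ring buffer can wrap, this detection is best-effort; the message names a boot-time parameter, so `/proc/cmdline` is presumably a more durable place to look, which is worth a comment on the task. As a point of style, `changed_when: False` and `check_mode: no` would read consistently as `changed_when: false` and `check_mode: false`.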
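Review bot: The new condition `ansible_os_family | lower == 'debian'` also matches Ubuntu hosts, since Ansible reports the family as `Debian` there, so on Ubuntu this hunk newly enables the `20auto-upgrades` deployment that the previous `'ubuntu'` comparison could never have matched; the commit message mentions only Debian 8, so that widening is presumably intended but should be stated, and the template's contents (not in this diff) are worth confirming against Debian 8's unattended-upgrades origins. For consistency with the AppArmor tasks in tasks/rhel7stig/lsm.yml, which compare the family directly, the filter could be dropped: `- ansible_os_family == "Debian"`. The enclosing template task starts above the hunk.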
@@ -13,9 +13,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-## Variables for Ubuntu 14.04 (trusty) and Ubuntu 16.04 (xenial)
-# The following variables apply only to Ubuntu 14.04 (trusty) and Ubuntu 16.04
-# (xenial) and deployers should not override them.
+## Variables for Ubuntu and Debian
+# The following variables apply only to Ubuntu 14.04 (trusty), Ubuntu 16.04
+# (xenial), and Debian 8 (jessie). Deployers should not need to override these
+# variables.
 #
 # For more details, see 'vars/main.yml'.