9361a146e4
The security check should be skipped if GRUB update tool does not exist (grub isn't installed). Change-Id: I99a3b372e12e264cbc40bdc3ae6b6b60bf3c1c79
95 lines
2.3 KiB
YAML
95 lines
2.3 KiB
YAML
---
|
|
# Copyright 2015, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# Restarting services ########################################################
|
|
#
|
|
# NOTE(mhayden): It's not possible to use systemd to restart auditd on CentOS
|
|
# since it's a special service. Using the old service scripts is required.
|
|
- name: restart auditd
|
|
command: service auditd restart
|
|
args:
|
|
warn: no
|
|
|
|
- name: restart chrony
|
|
service:
|
|
name: "{{ chrony_service }}"
|
|
state: restarted
|
|
|
|
- name: restart fail2ban
|
|
service:
|
|
name: fail2ban
|
|
state: restarted
|
|
|
|
- name: restart postfix
|
|
service:
|
|
name: postfix
|
|
state: restarted
|
|
|
|
- name: restart rsyslog
|
|
service:
|
|
name: rsyslog
|
|
state: restarted
|
|
|
|
- name: restart samba
|
|
service:
|
|
name: smbd
|
|
state: restarted
|
|
|
|
- name: restart ssh
|
|
service:
|
|
name: "{{ ssh_service }}"
|
|
state: restarted
|
|
|
|
- name: restart vsftpd
|
|
service:
|
|
name: vsftpd
|
|
state: restarted
|
|
|
|
- name: restart clamav
|
|
service:
|
|
name: "{{ clamav_service }}"
|
|
state: restarted
|
|
|
|
# Miscellaneous ##############################################################
|
|
- name: generate auditd rules
|
|
command: augenrules --load
|
|
notify: restart auditd
|
|
|
|
- name: rehash aliases
|
|
command: newaliases
|
|
|
|
- name: update grub config
|
|
command: "{{ grub_update_cmd }}"
|
|
when:
|
|
- security_enable_grub_update | bool
|
|
- grub_update_binary.stat.exists | bool
|
|
- grub_update_binary.stat.executable | bool
|
|
notify:
|
|
- set bootloader file permissions after updating grub config
|
|
|
|
# NOTE(mhayden): Running `update-grub` causes the bootloader permissions to
|
|
# change, which breaks V-38583.
|
|
- name: set bootloader file permissions after updating grub config
|
|
file:
|
|
path: "{{ grub_config_file_boot }}"
|
|
mode: 0644
|
|
|
|
- name: dconf update
|
|
command: dconf update
|
|
|
|
- name: reload systemd
|
|
systemd:
|
|
daemon-reload: yes
|