Remove deprecated rebuild of initrd #782

Merged
merged 1 commit into from
Jul 28, 2024
5 changes: 0 additions & 5 deletions roles/os_hardening/README.md
Expand Up @@ -839,11 +839,6 @@ This role is mostly based on guides by:
- Description: kernel is crashing or otherwise misbehaving and a kernel core dump is created.
- Type: bool
- Required: no
- `os_security_kernel_enable_module_loading`
- Default: `true`
- Description: true if you want to allowed to change kernel modules once the system is running (eg `modprobe`, `rmmod`). WARNING - Rebuilding initramfs is deprecated and will be removed in the next major release. For more information take a look at this issue <https://github.com/dev-sec/ansible-collection-hardening/pull/591>
- Type: bool
- Required: no
- `os_security_packages_clean`
- Default: `true`
- Description: removes packages with known issues. See section packages.
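Review bot: dropping the `os_security_kernel_enable_module_loading` entry (the block between `os_security_kernel_enable_core_dump` and `os_security_packages_clean`) leaves no trace in the README that the option existed or that it was removed, so a user upgrading with it still set in a playbook has nothing to search for; suggest keeping a one-line removal notice, in this list or in the release notes, that points at <https://github.com/dev-sec/ansible-collection-hardening/pull/591>, which the deleted text already cited, and says what users who relied on the initramfs rebuild should do instead.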
1 change: 0 additions & 1 deletion roles/os_hardening/defaults/main.yml
Expand Up @@ -40,7 +40,6 @@ os_users_without_password_ageing: []

# Specify system accounts whose login should not be disabled and password not changed
os_ignore_users: [vagrant, kitchen]
os_security_kernel_enable_module_loading: true
os_security_kernel_enable_core_dump: false
os_security_suid_sgid_enforce: true
# User-defined blacklist and whitelist
7 changes: 0 additions & 7 deletions roles/os_hardening/meta/argument_specs.yml
Expand Up @@ -73,13 +73,6 @@ argument_specs:
default: '[]'
type: list
description: list of things, that a user is allowed to do. May contain `change_user`.
os_security_kernel_enable_module_loading:
default: true
type: bool
description: true if you want to allowed to change kernel modules once the
system is running (eg `modprobe`, `rmmod`). WARNING - Rebuilding initramfs
is deprecated and will be removed in the next major release. For more information
take a look at this issue <https://github.com/dev-sec/ansible-collection-hardening/pull/591>
os_security_kernel_enable_core_dump:
default: false
type: bool
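Review bot: once the `os_security_kernel_enable_module_loading` spec entry is removed, role argument validation only examines variables that are named in the spec, so a playbook that still passes this variable is accepted silently instead of being flagged; if the intent is to fail loudly for stale playbooks, that needs an explicit check elsewhere, otherwise the release notes should state plainly that the variable is now ignored.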
10 changes: 0 additions & 10 deletions roles/os_hardening/tasks/hardening.yml
Expand Up @@ -123,13 +123,3 @@
when:
- ansible_facts.selinux.status == 'enabled'
- os_selinux_enabled | bool

- name: Raise deprecation warning for initramfs tasks # noqa ignore-errors
ansible.builtin.fail:
msg: "WARNING: Rebuilding initramfs is deprecated and will be removed
in the next major release. For more information take a look at this issue:
https://github.com/dev-sec/ansible-collection-hardening/pull/591"
when:
- os_security_kernel_enable_module_loading
ignore_errors: true
tags: always
23 changes: 0 additions & 23 deletions roles/os_hardening/tasks/sysctl.yml
Expand Up @@ -18,29 +18,6 @@
mode: "0544"
when: ansible_facts.os_family == 'RedHat'

- name: Install initramfs-tools
ansible.builtin.apt:
name: initramfs-tools
state: present
update_cache: true
when:
- ansible_facts.os_family == 'Debian'
- os_security_kernel_enable_module_loading

- name: Rebuild initramfs with starting pack of modules, if module loading at runtime is disabled
ansible.builtin.template:
src: etc/initramfs-tools/modules.j2
dest: /etc/initramfs-tools/modules
owner: root
group: root
mode: "0440"
notify:
- Update-initramfs
when:
- ansible_facts.os_family == 'Debian'
- os_security_kernel_enable_module_loading
register: initramfs

- name: Change sysctls
when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz']
block:
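Review bot: the deleted "Rebuild initramfs" task was the only visible consumer of `src: etc/initramfs-tools/modules.j2` and of the `Update-initramfs` handler, yet neither the template file nor a handler change appears in this diff, so both become dead code in the role unless they are removed as well; please confirm the template under the role's `templates/` directory and the handler definition are cleaned up too. The deleted task also carried `register: initramfs`, so it is worth checking that no remaining task is conditioned on `initramfs.changed`.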