Merge pull request #11 from hardening-io/yum_rm_pkg

Add task to remove unused repos and pkgs

roles/ansible-os-hardening/tasks/main.yml

@@ -10,4 +10,6 @@
 - include: securetty.yml
 - include: suid_sgid.yml
 - include: sysctl.yml
+
 - include: yum.yml
+  when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'

roles/ansible-os-hardening/tasks/yum.yml

@@ -1,8 +1,36 @@
 ---
-- name: activate gpg-check for yum-repos in yum.conf
-  shell: "sed -i 's/gpgcheck=0/gpgcheck=1/g' /etc/yum.conf"
-  when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
+- name: remove unused repositories
+  file: name='/etc/yum.repos.d/{{item}}.repo' state=absent
+  with_items:
+    - 'CentOS-Debuginfo'
+    - 'CentOS-Media'
+    - 'CentOS-Vault'
+  when: os_security_packages_clean
 
-- name: activate gpg-check for yum-repos in yum-repositories
-  shell: "sed -i 's/gpgcheck=0/gpgcheck=1/g' /etc/yum.repos.d/*.repo"
-  when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
+- name: get yum-repository-files
+  shell: 'find /etc/yum.repos.d/ -type f -name *.repo'
+  register: yum_repos
+
+- name: check if rhnplugin.conf exists
+  stat: path='/etc/yum/pluginconf.d/rhnplugin.conf'
+  register: rhnplugin_file
+
+- name: activate gpg-check for yum-repos
+  replace: dest='{{item}}' regexp='^\s*gpgcheck=0' replace='gpgcheck=1'
+  with_items:
+    - '{{ yum_repos.stdout_lines }}'
+    - '/etc/yum.conf'
+
+- name: activate gpg-check for yum rhn if it exists
+  replace: dest='/etc/yum/pluginconf.d/rhnplugin.conf' regexp='^\s*gpgcheck=0' replace='gpgcheck=1'
+  when: rhnplugin_file.stat.exists
+
+- name: remove packages
+  yum: name='{{item}}' state=removed
+  with_items:
+    - xinetd
+    - inetd
+    - ypserv
+    - telnet-server
+    - rsh-server
+  when: os_security_packages_clean