Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

do not touch sysctl file to avoid idempotency problems #309

Merged
merged 1 commit into from Sep 19, 2020
Merged

do not touch sysctl file to avoid idempotency problems #309

merged 1 commit into from Sep 19, 2020

Conversation

rndmh3ro
Copy link
Member

No description provided.

@schurzi
Copy link
Contributor

schurzi commented Sep 19, 2020

@rndmh3ro please sign off your commits before merging :)

@rndmh3ro rndmh3ro merged commit 5c91da6 into master Sep 19, 2020
@rndmh3ro rndmh3ro deleted the rndmh3ro-patch-1 branch September 19, 2020 12:38
nodiscc
nodiscc reviewed Sep 19, 2020
View reviewed changes
tasks/sysctl.yml
@@ -5,7 +5,7 @@
owner: 'root'
group: 'root'
mode: '0440'
state: touch
state: file
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You will run into errors with this if the file does not exist (ansible file module errors out whenstate: file is used on a non-existent path). The proper way to fix idempotence is

state: touch
modification_time: preserve
access_time: preserve

https://docs.ansible.com/ansible/latest/modules/file_module.html

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is why it was touch, not file! Thanks! That's what happens if you don't document your code.

I'll fix thix.

rndmh3ro added a commit that referenced this pull request Nov 8, 2020
@schurzi @rndmh3ro
add support for CentOS8 (#309)
be0e7f7 
* add testing for CentOS8

Adds testing environments for CentOS8 to local Kitchen and remote Travis
tests. Currently only local Kitchen Docker tests are verified.

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* disable system wide CRYPTO_POLICY on RHEL8+

by default sshd will not use the crypto settings from sshd_config. To
make the settings effective we need to disable the system wide
CRYPTO_POLICY.

see: https://access.redhat.com/solutions/4410591

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* Set volume variable for travis tests to use cgroups mount where needed

Signed-off-by: Sebastian Gumprich <github@gumpri.ch>

Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
wkhayrattee added a commit to wak-automation/ansible-os-hardening that referenced this pull request Nov 27, 2021
@wkhayrattee
fix: use touch with no date changes
cab45d2 
See related ticket:
- dev-sec#310
- dev-sec#309
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this pull request Aug 3, 2022
@schurzi @rndmh3ro
add support for CentOS8 (dev-sec#309)
ab3e32a 
* add testing for CentOS8

Adds testing environments for CentOS8 to local Kitchen and remote Travis
tests. Currently only local Kitchen Docker tests are verified.

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* disable system wide CRYPTO_POLICY on RHEL8+

by default sshd will not use the crypto settings from sshd_config. To
make the settings effective we need to disable the system wide
CRYPTO_POLICY.

see: https://access.redhat.com/solutions/4410591

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* Set volume variable for travis tests to use cgroups mount where needed

Signed-off-by: Sebastian Gumprich <github@gumpri.ch>

Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this pull request Aug 3, 2022
@rndmh3ro
do not touch sysctl file to avoid idempotency problems (dev-sec#309)
1ec84e9
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nodiscc nodiscc nodiscc left review comments

@schurzi schurzi schurzi approved these changes

Assignees
No one assigned
Labels
bug patch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@rndmh3ro @schurzi @nodiscc