do not force type of ssh_gateway_ports (#765)

* do not force type of gatewayports-var this way it can be a bool or a string. we also now test for it Signed-off-by: Sebastian Gumprich <[email protected]> * replace yum with dnf Signed-off-by: Sebastian Gumprich <[email protected]> --------- Signed-off-by: Sebastian Gumprich <[email protected]>
dev-sec · May 31, 2024 · 85aa1b2 · 85aa1b2
1 parent 4af4012
commit 85aa1b2
Show file tree

Hide file tree

Showing 9 changed files with 9 additions and 9 deletions.
diff --git a/molecule/mysql_hardening/prepare.yml b/molecule/mysql_hardening/prepare.yml
@@ -67,7 +67,7 @@
         - ansible_distribution_major_version|int < 20
 
     - name: Install required MySQL Python libraries on RHEL
-      ansible.builtin.yum:
+      ansible.builtin.dnf:
         name: "{% if 'python3' in ansible_python_interpreter | default('') %}python36-PyMySQL{% else %}python2-PyMySQL{% endif %}"
       when:
         - ansible_os_family == "RedHat"

diff --git a/molecule/os_hardening/prepare.yml b/molecule/os_hardening/prepare.yml
@@ -41,7 +41,7 @@
       when: ansible_facts.os_family == 'Archlinux'
 
     - name: Install required tools on RHEL # noqa ignore-errors
-      ansible.builtin.yum:
+      ansible.builtin.dnf:
         name:
           - openssh-clients
           - openssh

diff --git a/molecule/os_hardening_vm/prepare.yml b/molecule/os_hardening_vm/prepare.yml
@@ -73,7 +73,7 @@
       when: ansible_facts.os_family == 'Archlinux'
 
     - name: Install required tools on RHEL # noqa ignore-errors
-      ansible.builtin.yum:
+      ansible.builtin.dnf:
         name:
           - openssh-clients
           - openssh

diff --git a/molecule/ssh_hardening/prepare.yml b/molecule/ssh_hardening/prepare.yml
@@ -13,7 +13,7 @@
       when: ansible_facts.distribution == 'Fedora'
 
     - name: Install packages # noqa ignore-errors
-      ansible.builtin.yum:
+      ansible.builtin.dnf:
         name:
           - openssh-clients
           - openssh-server

diff --git a/molecule/ssh_hardening_custom_tests/converge.yml b/molecule/ssh_hardening_custom_tests/converge.yml
@@ -21,7 +21,7 @@
           - root
     network_ipv6_enable: true
     ssh_allow_tcp_forwarding: "yes"
-    ssh_gateway_ports: true
+    ssh_gateway_ports: "clientspecified"
     ssh_allow_agent_forwarding: true
     ssh_server_permit_environment_vars: "yes"
     ssh_server_accept_env_vars: PWD HTTP_PROXY

diff --git a/molecule/ssh_hardening_custom_tests/prepare.yml b/molecule/ssh_hardening_custom_tests/prepare.yml
@@ -13,7 +13,7 @@
       when: ansible_facts.distribution == 'Fedora'
 
     - name: Install packages # noqa ignore-errors
-      ansible.builtin.yum:
+      ansible.builtin.dnf:
         name:
           - openssh-clients
           - openssh-server

diff --git a/roles/os_hardening/tasks/pam_rhel.yml b/roles/os_hardening/tasks/pam_rhel.yml
@@ -1,6 +1,6 @@
 ---
 - name: Install sssd-clients
-  ansible.builtin.yum:
+  ansible.builtin.dnf:
     name: sssd-client
     state: present
   when:

diff --git a/roles/os_hardening/tasks/yum.yml b/roles/os_hardening/tasks/yum.yml
@@ -45,7 +45,7 @@
     - /etc/yum/pluginconf.d/rhnplugin.conf
 
 - name: Remove deprecated or insecure packages | package-01 - package-09
-  ansible.builtin.yum:
+  ansible.builtin.dnf:
     name: "{{ os_security_packages_list }}"
     state: absent
   when: os_security_packages_clean | bool
diff --git a/roles/ssh_hardening/meta/argument_specs.yml b/roles/ssh_hardening/meta/argument_specs.yml
@@ -88,7 +88,7 @@ argument_specs:
           you can specify `'yes'`, `'no'`, `'all'`, `'local'`or`'remote'`.
       ssh_gateway_ports:
         default: false
-        type: bool
+        type: raw
         description: Set to `false` to disable binding forwarded ports to non-loopback
           addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified`
           to allow the client to specify which address to bind to.