Merge pull request #782 from dev-sec/rem_dep

Remove deprecated rebuild of initrd
dev-sec · Jul 28, 2024 · f1b0bed · f1b0bed
2 parents d92a1c9 + f23d5d8
commit f1b0bed
Show file tree

Hide file tree

Showing 5 changed files with 0 additions and 46 deletions.
diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md
@@ -839,11 +839,6 @@ This role is mostly based on guides by:
   - Description: kernel is crashing or otherwise misbehaving and a kernel core dump is created.
   - Type: bool
   - Required: no
-- `os_security_kernel_enable_module_loading`
-  - Default: `true`
-  - Description: true if you want to allowed to change kernel modules once the system is running (eg `modprobe`, `rmmod`). WARNING - Rebuilding initramfs is deprecated and will be removed in the next major release. For more information take a look at this issue <https://github.com/dev-sec/ansible-collection-hardening/pull/591>
-  - Type: bool
-  - Required: no
 - `os_security_packages_clean`
   - Default: `true`
   - Description: removes packages with known issues. See section packages.

diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
@@ -40,7 +40,6 @@ os_users_without_password_ageing: []
 
 # Specify system accounts whose login should not be disabled and password not changed
 os_ignore_users: [vagrant, kitchen]
-os_security_kernel_enable_module_loading: true
 os_security_kernel_enable_core_dump: false
 os_security_suid_sgid_enforce: true
 # User-defined blacklist and whitelist

diff --git a/roles/os_hardening/meta/argument_specs.yml b/roles/os_hardening/meta/argument_specs.yml
@@ -73,13 +73,6 @@ argument_specs:
         default: '[]'
         type: list
         description: list of things, that a user is allowed to do. May contain `change_user`.
-      os_security_kernel_enable_module_loading:
-        default: true
-        type: bool
-        description: true if you want to allowed to change kernel modules once the
-          system is running (eg `modprobe`, `rmmod`). WARNING - Rebuilding initramfs
-          is deprecated and will be removed in the next major release. For more information
-          take a look at this issue <https://github.com/dev-sec/ansible-collection-hardening/pull/591>
       os_security_kernel_enable_core_dump:
         default: false
         type: bool

diff --git a/roles/os_hardening/tasks/hardening.yml b/roles/os_hardening/tasks/hardening.yml
@@ -123,13 +123,3 @@
   when:
     - ansible_facts.selinux.status == 'enabled'
     - os_selinux_enabled | bool
-
-- name: Raise deprecation warning for initramfs tasks  # noqa ignore-errors
-  ansible.builtin.fail:
-    msg: "WARNING: Rebuilding initramfs is deprecated and will be removed
-          in the next major release. For more information take a look at this issue:
-          https://github.com/dev-sec/ansible-collection-hardening/pull/591"
-  when:
-    - os_security_kernel_enable_module_loading
-  ignore_errors: true
-  tags: always
diff --git a/roles/os_hardening/tasks/sysctl.yml b/roles/os_hardening/tasks/sysctl.yml
@@ -18,29 +18,6 @@
     mode: "0544"
   when: ansible_facts.os_family == 'RedHat'
 
-- name: Install initramfs-tools
-  ansible.builtin.apt:
-    name: initramfs-tools
-    state: present
-    update_cache: true
-  when:
-    - ansible_facts.os_family == 'Debian'
-    - os_security_kernel_enable_module_loading
-
-- name: Rebuild initramfs with starting pack of modules, if module loading at runtime is disabled
-  ansible.builtin.template:
-    src: etc/initramfs-tools/modules.j2
-    dest: /etc/initramfs-tools/modules
-    owner: root
-    group: root
-    mode: "0440"
-  notify:
-    - Update-initramfs
-  when:
-    - ansible_facts.os_family == 'Debian'
-    - os_security_kernel_enable_module_loading
-  register: initramfs
-
 - name: Change sysctls
   when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz']
   block: