Adjust security, still accommodate RHEL 7.4

Change-Id: Id0e7fcf2bc15ae5a692e4f8803be7c57391bc936
akrzos 2018-04-16 12:25:06 -04:00
parent 17e5ad6321
commit 3913d5a098


@ -23,56 +23,95 @@
gather_facts: true gather_facts: true
remote_user: "{{ host_remote_user }}" remote_user: "{{ host_remote_user }}"
vars: vars:
ibrs_enabled: 0 ibpb_toggle: /sys/kernel/debug/x86/ibpb_enabled
pti_enabled: 1 ibrs_toggle: /sys/kernel/debug/x86/ibrs_enabled
retp_enabled: 1 pti_toggle: /sys/kernel/debug/x86/pti_enabled
retp_toggle: /sys/kernel/debug/x86/retp_enabled
security: true security: true
vars_files: vars_files:
- ../install/group_vars/all.yml - ../install/group_vars/all.yml
tasks: tasks:
- name: Check if rhel7 - name: Check if RHEL 7
fail: fail:
msg: Only run against RHEL7.X msg: Only run against RHEL7.X
when: when:
- ansible_distribution != "RedHat" - ansible_distribution != "RedHat"
- ansible_distribution_major_version < '7' - ansible_distribution_major_version < "7"
- name: Set default values for security on with RHEL 7.5
set_fact:
ibrs_enabled: 1
pti_enabled: 1
retp_enabled: 1
when:
- security|bool
- ansible_distribution_version == "7.5"
- name: Set default values for security on with RHEL 7.4
set_fact:
ibpb_enabled: 1
ibrs_enabled: 1
pti_enabled: 1
when:
- security|bool
- ansible_distribution_version == "7.4"
- name: Check to turn off security - name: Check to turn off security
set_fact: set_fact:
ibpb_enabled: 0
ibrs_enabled: 0 ibrs_enabled: 0
pti_enabled: 0 pti_enabled: 0
retp_enabled: 0 retp_enabled: 0
when: not security|bool when: not security|bool
- name: Debug print the new values for security - name: Debug print the new values for security RHEL 7.5
debug: debug:
msg: "Setting these: ibrs_enabled- {{ibrs_enabled}} pti_enabled- {{pti_enabled}} retp_enabled - {{retp_enabled}}" msg: "Setting these: ibrs_enabled- {{ibrs_enabled}} pti_enabled- {{pti_enabled}} retp_enabled - {{retp_enabled}}"
when: ansible_distribution_version == "7.5"
- name: Debug print the new values for security RHEL 7.4
debug:
msg: "Setting these: ibpb_enabled - {{ibpb_enabled}} ibrs_enabled- {{ibrs_enabled}} pti_enabled- {{pti_enabled}}"
when: ansible_distribution_version == "7.4"
- name: Check /sys/kernel for security performance affecting features - name: Check /sys/kernel for security performance affecting features
become: true become: true
shell: | shell: |
echo "/sys/kernel/debug/x86/ibrs_enabled: $(cat /sys/kernel/debug/x86/ibrs_enabled)" echo "{{ibpb_toggle}}: $(cat {{ibpb_toggle}})"
echo "/sys/kernel/debug/x86/pti_enabled: $(cat /sys/kernel/debug/x86/pti_enabled)" echo "{{ibrs_toggle}}: $(cat {{ibrs_toggle}})"
echo "/sys/kernel/debug/x86/retp_enabled: $(cat /sys/kernel/debug/x86/retp_enabled)" echo "{{pti_toggle}}: $(cat {{pti_toggle}})"
echo "{{retp_toggle}}: $(cat {{retp_toggle}})"
register: security_vars register: security_vars
- name: Debug print the security_vars before setting - name: Debug print the security_vars before setting
debug: debug:
msg: "{{security_vars.stdout_lines}}" msg: "{{security_vars.stdout_lines}}"
- name: Turn on/off security - name: Turn on/off security on RHEL 7.5
become: true become: true
shell: | shell: |
echo {{ibrs_enabled}} > /sys/kernel/debug/x86/ibrs_enabled echo {{ibrs_enabled}} > {{ibrs_toggle}}
echo {{pti_enabled}} > /sys/kernel/debug/x86/pti_enabled echo {{pti_enabled}} > {{pti_toggle}}
echo {{retp_enabled}} > /sys/kernel/debug/x86/retp_enabled echo {{retp_enabled}} > {{retp_toggle}}
when:
- ansible_distribution_version == "7.5"
- name: Turn on/off security on RHEL 7.4
become: true
shell: |
echo {{ibpb_enabled}} > {{ibpb_toggle}}
echo {{ibrs_enabled}} > {{ibrs_toggle}}
echo {{pti_enabled}} > {{pti_toggle}}
when:
- ansible_distribution_version == "7.4"
- name: Check /sys/kernel for security performance affecting features - name: Check /sys/kernel for security performance affecting features
become: true become: true
shell: | shell: |
echo "/sys/kernel/debug/x86/ibrs_enabled: $(cat /sys/kernel/debug/x86/ibrs_enabled)" echo "{{ibpb_toggle}}: $(cat {{ibpb_toggle}})"
echo "/sys/kernel/debug/x86/pti_enabled: $(cat /sys/kernel/debug/x86/pti_enabled)" echo "{{ibrs_toggle}}: $(cat {{ibrs_toggle}})"
echo "/sys/kernel/debug/x86/retp_enabled: $(cat /sys/kernel/debug/x86/retp_enabled)" echo "{{pti_toggle}}: $(cat {{pti_toggle}})"
echo "{{retp_toggle}}: $(cat {{retp_toggle}})"
register: security_vars register: security_vars
- name: Debug print the security_vars after setting - name: Debug print the security_vars after setting