---
# CIS L1 names legacy cleartext clients (telnet) for removal. They are absent on
# a fresh minimal install; query first and remove only when present so the run
# stays idempotent (a chroot package-manager remove cannot use the package module).
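- name: Check for insecure cleartext clients
  # `| bool` so that a string value such as "false" (e.g. passed via extra-vars)
  # is not treated as truthy; the bare `default(false)` alone would still run
  # the query in that case.
  when: cis_strict | default(false) | bool
  # ansible.builtin.command runs without a shell; the folded scalar is split
  # into argv, so an entry containing whitespace would become extra arguments.
  ansible.builtin.command: >-
    {{ chroot_command }}
    {{ 'dpkg -s' if is_debian | bool else 'pacman -Q' if os == 'archlinux' else 'rpm -q' }}
    {{ item }}
  loop: "{{ cis_cfg.insecure_packages }}"
  # Per-item rc is consumed by the removal task; non-zero means "not installed".
  register: cis_insecure_present
  # Query only: never reports a change and never fails the play on a missing package.
  changed_when: false
  failed_when: false
  loop_control:
    label: "{{ item }}"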
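- name: Remove insecure cleartext clients (CIS L1+)
  # Conditions are ANDed in order; the strict-mode gate comes first so item.rc
  # is only consulted when removal is actually wanted. `| bool` keeps a string
  # "false" from enabling removal.
  when:
    - cis_strict | default(false) | bool
    # Results of a skipped query carry no rc; default to "not present" instead
    # of raising an undefined-attribute error.
    - item.rc | default(1) == 0
  # Runs without a shell; arguments are the folded scalar split into argv.
  ansible.builtin.command: >-
    {{ chroot_command }}
    {{ 'apt-get remove -y' if is_debian | bool else 'pacman -R --noconfirm' if os == 'archlinux' else 'dnf remove -y' }}
    {{ item.item }}
  # item.item is the package name the query task looped over.
  loop: "{{ cis_insecure_present.results | default([]) }}"
  # Only reached for packages the query found installed, so every run changes state.
  changed_when: true
  loop_control:
    label: "{{ item.item }}"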