---
# Copyright 2019 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

  - name: protect grub with root password
    blockinfile:
      dest: /etc/grub.d/40_custom
      state: present
      insertafter: 'EOF'
      content: |
        # define superusers
        set superusers="root"
        #define users
        password_pbkdf2 root {{ host_os.grub2_password }}
    when:
      - host_os is defined
      - host_os.grub2_password | default(False, True)

  - name: check whether grub-efi exists
    stat:
      path: /boot/efi/EFI/centos/grub.cfg
    register: grub_efi_file_stat

  - name: generate grub config
    command: /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg

  - name: generate grub-efi config
    command: /usr/sbin/grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg
    when: grub_efi_file_stat.stat.exists == true

  - name: chsh/chfn right setting
    file:
      path: "{{ item }}"
      state: file
      mode: 04700
      owner: root
      group: root
    with_items:
      - /usr/bin/chsh
      - /usr/bin/chfn

  - name: permission change for ssh certificates
    file:
      path: "{{ item }}"
      state: file
      mode: 0600
      owner: root
      group: root
    with_fileglob:
      - /etc/ssh/ssh_host_*_key

  - name: reload audit config
    command: augenrules --load

  - name: Checking existing file id for permission set 0600
    stat:
      path: "{{ item }}"
    register: file_perm_status
    with_items:
      - /var/log/boot.log
      - /var/log/cloud-init.log
      - /var/log/cloud-init-output.log
      - /var/log/dmesg
      - /var/log/dmesg.old
      - /var/log/java_install.log
      - /var/log/ntp.log
      - /var/log/rhsm/rhsmcertd.log
      - /var/log/rhsm/rhsm.log
      - /var/log/tuned/tuned.log
      - /var/log/up2date
      - /var/log/wpa_supplicant.log
      - /etc/cron.d/0hourly
      - /etc/cron.daily/0yum-daily.cron
      - /etc/cron.daily/man-db.cron
      - /etc/cron.hourly/0anacron
      - /etc/cron.hourly/0yum-hourly.cron
      - /boot/grub2/grub.cfg
      - /etc/rsyslog.conf
      - /etc/sysctl.conf
      - /etc/ntp.conf
      - /etc/audit/audit.rules

  - name: change permission of of files to 0600
    file:
      path: "{{ item.stat.path }}"
      state: file
      mode: 0600
    when:  item.stat.exists
    with_items: "{{ file_perm_status.results }}"

  - name: delete broken links
    file:
      path: "{{ item }}"
      state: absent
    with_lines:
      - find /run/udev/watch/ -xtype l