added update repo url for centos option

Signed-off-by: Mark Bolwell <[email protected]>
ansible-lockdown · Jul 18, 2024 · e00e54b · e00e54b
1 parent aeef574
commit e00e54b
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 2 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -18,6 +18,11 @@ benchmark_version: 'v3r13'
 # Whether to skip the reboot
 rhel7stig_skip_reboot: true
 
+# With CentOS being EoL many mirrors no longer exist and fail for updates
+# setting to true will replace the default /etc/yum.repos.d/CentOS-Base.repo
+# It will add the new vaulted location where it is possible to get updates and package
+rhel7stig_add_updated_repo: false
+
 ###
 ### Settings for associated Audit role using Goss
 ###

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -72,7 +72,19 @@
   tags:
       - always
 
-- name: include prelim tasks
+- name: Update CentOS repo for packages - Use vaulted/archive URL - backup original
+  ansible.builtin.template:
+      src: etc/yum.repos.d/CentOS-Base.repo.j2
+      dest: /etc/yum.repos.d/CentOS-Base.repo
+      owner: root
+      group: root
+      mode: '0644'
+      backup: true
+  when:
+      - rhel7stig_add_updated_repo
+      - ansible_distribution == "CentOS"
+
+- name: Include prelim tasks
   ansible.builtin.import_tasks:
       file: prelim.yml
   tags:
@@ -103,7 +115,7 @@
       - cat3
       - low
 
-- name: update auditd
+- name: Update auditd
   ansible.builtin.template:
       src: audit/99_auditd.rules.j2
       dest: /etc/audit/rules.d/99_auditd.rules

diff --git a/templates/etc/yum.repos.d/CentOS-Base.repo.j2 b/templates/etc/yum.repos.d/CentOS-Base.repo.j2
@@ -0,0 +1,34 @@
+# Note the BaseUrl Changes
+## This is due to CentOS being End Of Life
+# This will now use the legacy archived path
+# Original paths
+# mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
+# #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
+
+[base]
+name=CentOS-$releasever - Base
+baseurl=https://vault.centos.org/7.9.2009/os/$basearch
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+#released updates
+[updates]
+name=CentOS-$releasever - Updates
+baseurl=https://vault.centos.org/7.9.2009/updates/$basearch
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+#additional packages that may be useful
+[extras]
+name=CentOS-$releasever - Extras
+baseurl=https://vault.centos.org/7.9.2009/extras/$basearch
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+#additional packages that extend functionality of existing packages
+[centosplus]
+name=CentOS-$releasever - Plus
+baseurl=https://vault.centos.org/7.9.2009/centosplus/$basearch
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7