openstack/ansible-hardening
Code Issues Proposed changes

Check apparmor_status output

Browse Source 
This patch adds a check for the output of `apparmor_status` to
get a more accurate state of AppArmor's status. This should fix
idempotency issues that are plaguing the gate jobs.

Closes-Bug: 1715223
Change-Id: I10bb3212a3cc26ed27aa38cdc2e42ece722a6497
This commit is contained in:
Major Hayden 2017-09-05 15:53:58 -05:00
parent 9c21000834
commit 75c06173c7
No known key found for this signature in database
GPG Key ID: 737051E0C1011FB1
1 changed files with 6 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
tasks/rhel7stig/lsm.yml
View File

@ -13,11 +13,12 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Check if AppArmor is disabled at boot time
shell: "dmesg | grep -i apparmor || true"
register: dmesg_apparmor_output
changed_when: False
- name: Check apparmor_status output
command: apparmor_status
register: apparmor_status_output
check_mode: no
changed_when: false
failed_when: false
when:
- ansible_pkg_mgr in ['apt', 'zypper']
tags:
@ -48,8 +49,6 @@
when:
- ansible_pkg_mgr in ['apt', 'zypper']
- security_rhel7_enable_linux_security_module | bool
- not check_mode
- '"AppArmor disabled by boot time parameter" not in dmesg_apparmor_output.stdout'
tags:
- high
- V-71989
@ -67,7 +66,7 @@
- ansible_pkg_mgr in ['apt', 'zypper']
- security_rhel7_enable_linux_security_module | bool
- not check_mode
- '"AppArmor disabled by boot time parameter" not in dmesg_apparmor_output.stdout'
- '"apparmor filesystem is not mounted" not in apparmor_status_output.stderr'
tags:
- high
- V-71989