Remove deprecated always_run
The `always_run` argument has been deprecated[1] and replaced with `check_mode: no`. [1] http://docs.ansible.com/ansible/playbooks_checkmode.html Change-Id: I534fbcdfe5212822f510de8fd06bd7d7337299fa
parent
fde5a74f95
commit
a3e0f681d8
@ -24,14 +24,11 @@
|
||||
tags:
|
||||
- always
|
||||
|
||||
# NOTE(major): This task differs from other OSA roles because it has
|
||||
# "always_run" set. This is required for check/audit mode to operate
|
||||
# properly.
|
||||
- name: Check init system
|
||||
command: cat /proc/1/comm
|
||||
register: _pid1_name
|
||||
changed_when: False
|
||||
always_run: True
|
||||
check_mode: no
|
||||
tags:
|
||||
- always
|
||||
|
||||
|
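Review bot: The NOTE(major) comment above "Check init system" appears to be dropped rather than reworded, since the 14-to-11 line counts in the hunk header leave no room for it on the new side. That leaves `check_mode: no` on this task with no explanation of why it must execute during a check/audit run. I would keep the three-line note and change only its second line to `# "check_mode: no" set. This is required for check/audit mode to operate`, so the next maintainer does not remove the key as an oversight.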
@ -17,7 +17,7 @@
|
||||
stat:
|
||||
path: /etc/aide/aide.conf.d
|
||||
register: aide_conf
|
||||
always_run: true
|
||||
check_mode: no
|
||||
tags:
|
||||
- always
|
||||
|
||||
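Review bot: `check_mode: no` on the stat task for /etc/aide/aide.conf.d, and in every other hunk on this page, relies on the YAML 1.1 reading of `no` as a boolean, while the neighbouring keys spell booleans as `True`, `False` or `true`. Writing `check_mode: false` keeps the value unambiguous for linters and for loaders that follow YAML 1.2, and it cannot be mistaken for a string if the value is ever quoted or templated. The task's `name:` line is above the hunk, so the rest of the task is not visible here.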
@ -35,7 +35,7 @@
|
||||
stat:
|
||||
path: "{{ aide_database_file }}"
|
||||
register: aide_database
|
||||
always_run: True
|
||||
check_mode: no
|
||||
tags:
|
||||
- always
|
||||
|
||||
|
@ -29,7 +29,7 @@
|
||||
command: apt-key list
|
||||
register: v38476_result
|
||||
changed_when: "v38476_result.rc != 0"
|
||||
always_run: True
|
||||
check_mode: no
|
||||
|
||||
- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
|
||||
fail:
|
||||
@ -53,7 +53,7 @@
|
||||
register: v38462_result
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
always_run: True
|
||||
check_mode: no
|
||||
tags:
|
||||
- package
|
||||
- cat1
|
||||
|
@ -29,7 +29,7 @@
|
||||
stat:
|
||||
path: /etc/audit/auditd.conf
|
||||
register: auditd_conf
|
||||
always_run: true
|
||||
check_mode: no
|
||||
tags:
|
||||
- auditd
|
||||
- always
|
||||
@ -125,7 +125,7 @@
|
||||
stat:
|
||||
path: /var/log/audit/
|
||||
register: auditd_log_dir
|
||||
always_run: True
|
||||
check_mode: no
|
||||
tags:
|
||||
- auditd
|
||||
- always
|
||||
|
@ -61,7 +61,7 @@
|
||||
shell: "awk -F: '$1 !~ /^root$/ && $3 < 500 {print $1}' /etc/passwd"
|
||||
register: v38496_system_users
|
||||
changed_when: False
|
||||
always_run: True
|
||||
check_mode: no
|
||||
tags:
|
||||
- auth
|
||||
- cat2
|
||||
@ -71,7 +71,7 @@
|
||||
shell: "awk -F: '$1 ~ /^{{ item }}$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow"
|
||||
register: v38496_unlocked_system_users
|
||||
changed_when: False
|
||||
always_run: True
|
||||
check_mode: no
|
||||
with_items: "{{ v38496_system_users.stdout_lines | default([]) }}"
|
||||
tags:
|
||||
- auth
|
||||
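Review bot: `{{ item }}` is spliced unescaped into both the shell command line and the awk regular expression in the task that registers `v38496_unlocked_system_users`, and `check_mode: no` keeps that command executing even under `--check`. The values are the first field of /etc/passwd as collected by the previous task, so a name containing `.` or another regex metacharacter would match accounts other than the intended one, and a quote character in a name would break the command's quoting. Passing the name as a shell-quoted awk variable and comparing for equality avoids both: `shell: "awk -F: -v u={{ item | quote }} '$1 == u && $2 !~ /^[!*]/ {print $1}' /etc/shadow"`. The task's `name:` line and the end of its tag list are outside the hunk.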
@ -167,7 +167,7 @@
|
||||
shell: "awk -F: '($1 != \"root\") && ($3 == 0) {print}' /etc/passwd | wc -l"
|
||||
register: v38500_result
|
||||
changed_when: v38500_result.stdout != '0'
|
||||
always_run: True
|
||||
check_mode: no
|
||||
tags:
|
||||
- auth
|
||||
- cat2
|
||||
@ -200,7 +200,7 @@
|
||||
shell: "awk -F: '($2 != \"x\") {print}' /etc/passwd | wc -l"
|
||||
register: v38499_result
|
||||
changed_when: False
|
||||
always_run: True
|
||||
check_mode: no
|
||||
tags:
|
||||
- auth
|
||||
- cat2
|
||||
@ -250,7 +250,7 @@
|
||||
register: v38574_result
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
always_run: True
|
||||
check_mode: no
|
||||
tags:
|
||||
- auth
|
||||
- cat2
|
||||
@ -270,7 +270,7 @@
|
||||
command: "grep '^ENCRYPT_METHOD.*SHA512' /etc/login.defs"
|
||||
register: v38576_result
|
||||
changed_when: v38576_result.rc != 0
|
||||
always_run: True
|
||||
check_mode: no
|
||||
tags:
|
||||
- auth
|
||||
- cat2
|
||||
@ -294,7 +294,7 @@
|
||||
register: v38577_libuser_check
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
always_run: True
|
||||
check_mode: no
|
||||
tags:
|
||||
- auth
|
||||
- cat2
|
||||
@ -327,7 +327,7 @@
|
||||
register: v38681_result
|
||||
changed_when: False
|
||||
failed_when: v38681_result.rc > 1
|
||||
always_run: True
|
||||
check_mode: no
|
||||
tags:
|
||||
- auth
|
||||
- cat3
|
||||
@ -357,7 +357,7 @@
|
||||
shell: pwck -rq | wc -l
|
||||
register: v38683_result
|
||||
changed_when: False
|
||||
always_run: True
|
||||
check_mode: no
|
||||
tags:
|
||||
- auth
|
||||
- cat3
|
||||
@ -377,7 +377,7 @@
|
||||
paths: "/etc/sudoers*"
|
||||
file_type: file
|
||||
register: v58901_result
|
||||
always_run: True
|
||||
check_mode: no
|
||||
tags:
|
||||
- auth
|
||||
- cat2
|
||||
|
@ -17,7 +17,7 @@
|
||||
stat:
|
||||
path: "{{ grub_conf_file }}"
|
||||
register: grub_cfg
|
||||
always_run: True
|
||||
check_mode: no
|
||||
|
||||
- name: V-38438 - Auditing must be enabled at boot by setting a kernel parameter
|
||||
lineinfile:
|
||||
|
@ -30,7 +30,7 @@
|
||||
command: systemctl status ctrl-alt-del.target
|
||||
register: cad_mask_check
|
||||
changed_when: False
|
||||
always_run: True
|
||||
check_mode: no
|
||||
failed_when: False
|
||||
when: systemd_running | bool
|
||||
tags:
|
||||
|
@ -54,7 +54,7 @@
|
||||
stat:
|
||||
path: /etc/postfix/main.cf
|
||||
register: postfix_main_cf
|
||||
always_run: true
|
||||
check_mode: no
|
||||
tags:
|
||||
- always
|
||||
|
||||
|
@ -27,7 +27,7 @@
|
||||
shell: find /root /home -xdev -name .netrc | wc -l
|
||||
register: v38619_result
|
||||
changed_when: False
|
||||
always_run: True
|
||||
check_mode: no
|
||||
tags:
|
||||
- cat2
|
||||
- V-38619
|
||||
@ -110,7 +110,7 @@
|
||||
register: v38660_snmpd_apt
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
always_run: True
|
||||
check_mode: no
|
||||
when: ansible_pkg_mgr == 'apt'
|
||||
tags:
|
||||
- cat2
|
||||
@ -121,7 +121,7 @@
|
||||
register: v38660_snmpd_rpm
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
always_run: True
|
||||
check_mode: no
|
||||
when: ansible_pkg_mgr == 'yum'
|
||||
tags:
|
||||
- cat2
|
||||
@ -142,7 +142,7 @@
|
||||
register: v38660_result
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
always_run: True
|
||||
check_mode: no
|
||||
when:
|
||||
- snmpd_installed is defined
|
||||
- snmpd_installed | bool
|
||||
@ -187,7 +187,7 @@
|
||||
register: v38599_vsftpd_apt
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
always_run: True
|
||||
check_mode: no
|
||||
when: ansible_pkg_mgr == 'apt'
|
||||
tags:
|
||||
- cat2
|
||||
@ -200,7 +200,7 @@
|
||||
register: v38599_vsftpd_rpm
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
always_run: True
|
||||
check_mode: no
|
||||
when: ansible_pkg_mgr == 'yum'
|
||||
tags:
|
||||
- cat2
|
||||
@ -312,7 +312,7 @@
|
||||
command: "find /dev -context '*unlabeled_t*'"
|
||||
register: v51379_unlabeled_devices
|
||||
changed_when: False
|
||||
always_run: True
|
||||
check_mode: no
|
||||
when:
|
||||
- ansible_os_family == 'RedHat'
|
||||
tags:
|
||||
|
@ -18,7 +18,7 @@
|
||||
stat:
|
||||
path: /etc/exports
|
||||
register: exports
|
||||
always_run: yes
|
||||
check_mode: no
|
||||
tags:
|
||||
- nfs
|
||||
- cat1
|
||||
|
@ -18,7 +18,7 @@
|
||||
register: v38476_result
|
||||
changed_when: v38476_result | failed
|
||||
failed_when: False
|
||||
always_run: True
|
||||
check_mode: no
|
||||
when:
|
||||
- ansible_distribution == 'CentOS'
|
||||
tags:
|
||||
@ -43,7 +43,7 @@
|
||||
register: v38476_result
|
||||
changed_when: v38476_result | failed
|
||||
failed_when: False
|
||||
always_run: True
|
||||
check_mode: no
|
||||
with_items:
|
||||
- gpg-pubkey-fd431d51-4ae0493b
|
||||
- gpg-pubkey-2fa658e0-45700c69
|
||||
@ -71,7 +71,7 @@
|
||||
register: v38462_result
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
always_run: True
|
||||
check_mode: no
|
||||
tags:
|
||||
- package
|
||||
- cat1
|
||||
|
@ -17,7 +17,7 @@
|
||||
command: "find /etc/init.d/ -printf '%f\n'"
|
||||
register: sysv_services_installed
|
||||
changed_when: false
|
||||
always_run: True
|
||||
check_mode: no
|
||||
tags:
|
||||
- services
|
||||
- cat1
|
||||
@ -28,7 +28,7 @@
|
||||
shell: "systemctl list-units --type=service --no-legend | awk '{print $1}'"
|
||||
register: systemd_services_installed
|
||||
changed_when: false
|
||||
always_run: True
|
||||
check_mode: no
|
||||
tags:
|
||||
- services
|
||||
- cat1
|
||||
|
@ -22,7 +22,7 @@
|
||||
command: "grep '^# openstack-ansible-security configurations' /etc/ssh/sshd_config"
|
||||
register: sshd_marker_check
|
||||
changed_when: False
|
||||
always_run: True
|
||||
check_mode: no
|
||||
failed_when: False
|
||||
tags:
|
||||
- ssh
|
||||
@ -32,7 +32,7 @@
|
||||
command: "grep '^Match' /etc/ssh/sshd_config"
|
||||
register: sshd_match_check
|
||||
changed_when: False
|
||||
always_run: True
|
||||
check_mode: no
|
||||
failed_when: False
|
||||
tags:
|
||||
- ssh
|
||||
|
@ -17,7 +17,7 @@
|
||||
stat:
|
||||
path: /etc/gdm/custom.conf
|
||||
register: RHEL_07_010430_gdm_conf
|
||||
always_run: True
|
||||
check_mode: no
|
||||
|
||||
- name: RHEL-07-010430 - The operating system must not allow an unattended or automatic logon to the system via a graphical user interface
|
||||
lineinfile:
|
||||
|
@ -23,7 +23,7 @@
|
||||
command: "grep '^# openstack-ansible-security configurations' /etc/ssh/sshd_config"
|
||||
register: sshd_marker_check
|
||||
changed_when: False
|
||||
always_run: True
|
||||
check_mode: no
|
||||
failed_when: False
|
||||
|
||||
# Check for "Match" stanzas in the sshd_config.
|
||||
@ -31,7 +31,7 @@
|
||||
command: "grep '^Match' /etc/ssh/sshd_config"
|
||||
register: sshd_match_check
|
||||
changed_when: False
|
||||
always_run: True
|
||||
check_mode: no
|
||||
failed_when: False
|
||||
|
||||
# If the marker is missing, and "Match" stanzas are present, we must carefully
|
||||
|