Remove deprecated always_run
The `always_run` argument has been deprecated[1] and replaced with `check_mode: no`. [1] http://docs.ansible.com/ansible/playbooks_checkmode.html Change-Id: I534fbcdfe5212822f510de8fd06bd7d7337299fa
parent
fde5a74f95
commit
a3e0f681d8
@ -24,14 +24,11 @@
|
|||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
# NOTE(major): This task differs from other OSA roles because it has
|
|
||||||
# "always_run" set. This is required for check/audit mode to operate
|
|
||||||
# properly.
|
|
||||||
- name: Check init system
|
- name: Check init system
|
||||||
command: cat /proc/1/comm
|
command: cat /proc/1/comm
|
||||||
register: _pid1_name
|
register: _pid1_name
|
||||||
changed_when: False
|
changed_when: False
|
||||||
always_run: True
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
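Review bot: The NOTE(major) comment above "Check init system" appears to be dropped along with `always_run` (the hunk shrinks from 14 to 11 lines), so the new side no longer says why this task is exempt from check mode. `check_mode: no` makes `cat /proc/1/comm` execute even under `--check`, and saying so next to the key helps later edits keep the task read-only. I would keep an updated comment, e.g. `# NOTE(major): "check_mode: no" makes this task run even with --check; this is required for check/audit mode to operate properly.`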
|
@ -17,7 +17,7 @@
|
|||||||
stat:
|
stat:
|
||||||
path: /etc/aide/aide.conf.d
|
path: /etc/aide/aide.conf.d
|
||||||
register: aide_conf
|
register: aide_conf
|
||||||
always_run: true
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
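Review bot: `check_mode: no` relies on the YAML 1.1 reading of `no` as a boolean, while other keys touched by this commit are written `False` or `false` (for example `changed_when: False`). Writing `check_mode: false` is unambiguous to linters and to YAML 1.2 parsers. The point applies to every hunk in this commit, since each one introduces the identical line. The enclosing task starts above this hunk, so only the changed key is visible here.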
@ -35,7 +35,7 @@
|
|||||||
stat:
|
stat:
|
||||||
path: "{{ aide_database_file }}"
|
path: "{{ aide_database_file }}"
|
||||||
register: aide_database
|
register: aide_database
|
||||||
always_run: True
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
|
@ -29,7 +29,7 @@
|
|||||||
command: apt-key list
|
command: apt-key list
|
||||||
register: v38476_result
|
register: v38476_result
|
||||||
changed_when: "v38476_result.rc != 0"
|
changed_when: "v38476_result.rc != 0"
|
||||||
always_run: True
|
check_mode: no
|
||||||
|
|
||||||
- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
|
- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
|
||||||
fail:
|
fail:
|
||||||
@ -53,7 +53,7 @@
|
|||||||
register: v38462_result
|
register: v38462_result
|
||||||
changed_when: False
|
changed_when: False
|
||||||
failed_when: False
|
failed_when: False
|
||||||
always_run: True
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- package
|
- package
|
||||||
- cat1
|
- cat1
|
||||||
|
@ -29,7 +29,7 @@
|
|||||||
stat:
|
stat:
|
||||||
path: /etc/audit/auditd.conf
|
path: /etc/audit/auditd.conf
|
||||||
register: auditd_conf
|
register: auditd_conf
|
||||||
always_run: true
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- auditd
|
- auditd
|
||||||
- always
|
- always
|
||||||
@ -125,7 +125,7 @@
|
|||||||
stat:
|
stat:
|
||||||
path: /var/log/audit/
|
path: /var/log/audit/
|
||||||
register: auditd_log_dir
|
register: auditd_log_dir
|
||||||
always_run: True
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- auditd
|
- auditd
|
||||||
- always
|
- always
|
||||||
|
@ -61,7 +61,7 @@
|
|||||||
shell: "awk -F: '$1 !~ /^root$/ && $3 < 500 {print $1}' /etc/passwd"
|
shell: "awk -F: '$1 !~ /^root$/ && $3 < 500 {print $1}' /etc/passwd"
|
||||||
register: v38496_system_users
|
register: v38496_system_users
|
||||||
changed_when: False
|
changed_when: False
|
||||||
always_run: True
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- auth
|
- auth
|
||||||
- cat2
|
- cat2
|
||||||
@ -71,7 +71,7 @@
|
|||||||
shell: "awk -F: '$1 ~ /^{{ item }}$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow"
|
shell: "awk -F: '$1 ~ /^{{ item }}$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow"
|
||||||
register: v38496_unlocked_system_users
|
register: v38496_unlocked_system_users
|
||||||
changed_when: False
|
changed_when: False
|
||||||
always_run: True
|
check_mode: no
|
||||||
with_items: "{{ v38496_system_users.stdout_lines | default([]) }}"
|
with_items: "{{ v38496_system_users.stdout_lines | default([]) }}"
|
||||||
tags:
|
tags:
|
||||||
- auth
|
- auth
|
||||||
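Review bot: The `shell:` line of this task splices `{{ item }}` into an awk regular expression inside a shell string, and with `check_mode: no` it runs even under `--check`. The items are the account names the previous task read from /etc/passwd. A name containing a regex metacharacter such as `.` would also match other accounts, and a name containing a quote would alter the shell command itself. Passing the name as data avoids both: `shell: "awk -F: -v u={{ item | quote }} '$1 == u && $2 !~ /^[!*]/ {print $1}' /etc/shadow"`. The task's `name:` line is above the hunk.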
@ -167,7 +167,7 @@
|
|||||||
shell: "awk -F: '($1 != \"root\") && ($3 == 0) {print}' /etc/passwd | wc -l"
|
shell: "awk -F: '($1 != \"root\") && ($3 == 0) {print}' /etc/passwd | wc -l"
|
||||||
register: v38500_result
|
register: v38500_result
|
||||||
changed_when: v38500_result.stdout != '0'
|
changed_when: v38500_result.stdout != '0'
|
||||||
always_run: True
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- auth
|
- auth
|
||||||
- cat2
|
- cat2
|
||||||
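Review bot: With `awk … | wc -l` the task sees only the exit status and output of `wc`, so if awk cannot read /etc/passwd the register still holds `0` and the v38500 check reads as compliant. Counting inside awk keeps a failure visible without needing pipefail: `shell: "awk -F: '($1 != \"root\") && ($3 == 0) {n++} END {print n+0}' /etc/passwd"`. The same pipe-to-`wc -l` pattern appears in the `@ -200,7` hunk (`($2 != \"x\")`), in `pwck -rq | wc -l` and in `find /root /home -xdev -name .netrc | wc -l`. The task begins above the hunk.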
@ -200,7 +200,7 @@
|
|||||||
shell: "awk -F: '($2 != \"x\") {print}' /etc/passwd | wc -l"
|
shell: "awk -F: '($2 != \"x\") {print}' /etc/passwd | wc -l"
|
||||||
register: v38499_result
|
register: v38499_result
|
||||||
changed_when: False
|
changed_when: False
|
||||||
always_run: True
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- auth
|
- auth
|
||||||
- cat2
|
- cat2
|
||||||
@ -250,7 +250,7 @@
|
|||||||
register: v38574_result
|
register: v38574_result
|
||||||
changed_when: False
|
changed_when: False
|
||||||
failed_when: False
|
failed_when: False
|
||||||
always_run: True
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- auth
|
- auth
|
||||||
- cat2
|
- cat2
|
||||||
@ -270,7 +270,7 @@
|
|||||||
command: "grep '^ENCRYPT_METHOD.*SHA512' /etc/login.defs"
|
command: "grep '^ENCRYPT_METHOD.*SHA512' /etc/login.defs"
|
||||||
register: v38576_result
|
register: v38576_result
|
||||||
changed_when: v38576_result.rc != 0
|
changed_when: v38576_result.rc != 0
|
||||||
always_run: True
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- auth
|
- auth
|
||||||
- cat2
|
- cat2
|
||||||
@ -294,7 +294,7 @@
|
|||||||
register: v38577_libuser_check
|
register: v38577_libuser_check
|
||||||
changed_when: False
|
changed_when: False
|
||||||
failed_when: False
|
failed_when: False
|
||||||
always_run: True
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- auth
|
- auth
|
||||||
- cat2
|
- cat2
|
||||||
@ -327,7 +327,7 @@
|
|||||||
register: v38681_result
|
register: v38681_result
|
||||||
changed_when: False
|
changed_when: False
|
||||||
failed_when: v38681_result.rc > 1
|
failed_when: v38681_result.rc > 1
|
||||||
always_run: True
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- auth
|
- auth
|
||||||
- cat3
|
- cat3
|
||||||
@ -357,7 +357,7 @@
|
|||||||
shell: pwck -rq | wc -l
|
shell: pwck -rq | wc -l
|
||||||
register: v38683_result
|
register: v38683_result
|
||||||
changed_when: False
|
changed_when: False
|
||||||
always_run: True
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- auth
|
- auth
|
||||||
- cat3
|
- cat3
|
||||||
@ -377,7 +377,7 @@
|
|||||||
paths: "/etc/sudoers*"
|
paths: "/etc/sudoers*"
|
||||||
file_type: file
|
file_type: file
|
||||||
register: v58901_result
|
register: v58901_result
|
||||||
always_run: True
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- auth
|
- auth
|
||||||
- cat2
|
- cat2
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
stat:
|
stat:
|
||||||
path: "{{ grub_conf_file }}"
|
path: "{{ grub_conf_file }}"
|
||||||
register: grub_cfg
|
register: grub_cfg
|
||||||
always_run: True
|
check_mode: no
|
||||||
|
|
||||||
- name: V-38438 - Auditing must be enabled at boot by setting a kernel parameter
|
- name: V-38438 - Auditing must be enabled at boot by setting a kernel parameter
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
@ -30,7 +30,7 @@
|
|||||||
command: systemctl status ctrl-alt-del.target
|
command: systemctl status ctrl-alt-del.target
|
||||||
register: cad_mask_check
|
register: cad_mask_check
|
||||||
changed_when: False
|
changed_when: False
|
||||||
always_run: True
|
check_mode: no
|
||||||
failed_when: False
|
failed_when: False
|
||||||
when: systemd_running | bool
|
when: systemd_running | bool
|
||||||
tags:
|
tags:
|
||||||
|
@ -54,7 +54,7 @@
|
|||||||
stat:
|
stat:
|
||||||
path: /etc/postfix/main.cf
|
path: /etc/postfix/main.cf
|
||||||
register: postfix_main_cf
|
register: postfix_main_cf
|
||||||
always_run: true
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
|
@ -27,7 +27,7 @@
|
|||||||
shell: find /root /home -xdev -name .netrc | wc -l
|
shell: find /root /home -xdev -name .netrc | wc -l
|
||||||
register: v38619_result
|
register: v38619_result
|
||||||
changed_when: False
|
changed_when: False
|
||||||
always_run: True
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- cat2
|
- cat2
|
||||||
- V-38619
|
- V-38619
|
||||||
@ -110,7 +110,7 @@
|
|||||||
register: v38660_snmpd_apt
|
register: v38660_snmpd_apt
|
||||||
changed_when: False
|
changed_when: False
|
||||||
failed_when: False
|
failed_when: False
|
||||||
always_run: True
|
check_mode: no
|
||||||
when: ansible_pkg_mgr == 'apt'
|
when: ansible_pkg_mgr == 'apt'
|
||||||
tags:
|
tags:
|
||||||
- cat2
|
- cat2
|
||||||
@ -121,7 +121,7 @@
|
|||||||
register: v38660_snmpd_rpm
|
register: v38660_snmpd_rpm
|
||||||
changed_when: False
|
changed_when: False
|
||||||
failed_when: False
|
failed_when: False
|
||||||
always_run: True
|
check_mode: no
|
||||||
when: ansible_pkg_mgr == 'yum'
|
when: ansible_pkg_mgr == 'yum'
|
||||||
tags:
|
tags:
|
||||||
- cat2
|
- cat2
|
||||||
@ -142,7 +142,7 @@
|
|||||||
register: v38660_result
|
register: v38660_result
|
||||||
changed_when: False
|
changed_when: False
|
||||||
failed_when: False
|
failed_when: False
|
||||||
always_run: True
|
check_mode: no
|
||||||
when:
|
when:
|
||||||
- snmpd_installed is defined
|
- snmpd_installed is defined
|
||||||
- snmpd_installed | bool
|
- snmpd_installed | bool
|
||||||
@ -187,7 +187,7 @@
|
|||||||
register: v38599_vsftpd_apt
|
register: v38599_vsftpd_apt
|
||||||
changed_when: False
|
changed_when: False
|
||||||
failed_when: False
|
failed_when: False
|
||||||
always_run: True
|
check_mode: no
|
||||||
when: ansible_pkg_mgr == 'apt'
|
when: ansible_pkg_mgr == 'apt'
|
||||||
tags:
|
tags:
|
||||||
- cat2
|
- cat2
|
||||||
@ -200,7 +200,7 @@
|
|||||||
register: v38599_vsftpd_rpm
|
register: v38599_vsftpd_rpm
|
||||||
changed_when: False
|
changed_when: False
|
||||||
failed_when: False
|
failed_when: False
|
||||||
always_run: True
|
check_mode: no
|
||||||
when: ansible_pkg_mgr == 'yum'
|
when: ansible_pkg_mgr == 'yum'
|
||||||
tags:
|
tags:
|
||||||
- cat2
|
- cat2
|
||||||
@ -312,7 +312,7 @@
|
|||||||
command: "find /dev -context '*unlabeled_t*'"
|
command: "find /dev -context '*unlabeled_t*'"
|
||||||
register: v51379_unlabeled_devices
|
register: v51379_unlabeled_devices
|
||||||
changed_when: False
|
changed_when: False
|
||||||
always_run: True
|
check_mode: no
|
||||||
when:
|
when:
|
||||||
- ansible_os_family == 'RedHat'
|
- ansible_os_family == 'RedHat'
|
||||||
tags:
|
tags:
|
||||||
|
@ -18,7 +18,7 @@
|
|||||||
stat:
|
stat:
|
||||||
path: /etc/exports
|
path: /etc/exports
|
||||||
register: exports
|
register: exports
|
||||||
always_run: yes
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- nfs
|
- nfs
|
||||||
- cat1
|
- cat1
|
||||||
|
@ -18,7 +18,7 @@
|
|||||||
register: v38476_result
|
register: v38476_result
|
||||||
changed_when: v38476_result | failed
|
changed_when: v38476_result | failed
|
||||||
failed_when: False
|
failed_when: False
|
||||||
always_run: True
|
check_mode: no
|
||||||
when:
|
when:
|
||||||
- ansible_distribution == 'CentOS'
|
- ansible_distribution == 'CentOS'
|
||||||
tags:
|
tags:
|
||||||
@ -43,7 +43,7 @@
|
|||||||
register: v38476_result
|
register: v38476_result
|
||||||
changed_when: v38476_result | failed
|
changed_when: v38476_result | failed
|
||||||
failed_when: False
|
failed_when: False
|
||||||
always_run: True
|
check_mode: no
|
||||||
with_items:
|
with_items:
|
||||||
- gpg-pubkey-fd431d51-4ae0493b
|
- gpg-pubkey-fd431d51-4ae0493b
|
||||||
- gpg-pubkey-2fa658e0-45700c69
|
- gpg-pubkey-2fa658e0-45700c69
|
||||||
@ -71,7 +71,7 @@
|
|||||||
register: v38462_result
|
register: v38462_result
|
||||||
changed_when: False
|
changed_when: False
|
||||||
failed_when: False
|
failed_when: False
|
||||||
always_run: True
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- package
|
- package
|
||||||
- cat1
|
- cat1
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
command: "find /etc/init.d/ -printf '%f\n'"
|
command: "find /etc/init.d/ -printf '%f\n'"
|
||||||
register: sysv_services_installed
|
register: sysv_services_installed
|
||||||
changed_when: false
|
changed_when: false
|
||||||
always_run: True
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- services
|
- services
|
||||||
- cat1
|
- cat1
|
||||||
@ -28,7 +28,7 @@
|
|||||||
shell: "systemctl list-units --type=service --no-legend | awk '{print $1}'"
|
shell: "systemctl list-units --type=service --no-legend | awk '{print $1}'"
|
||||||
register: systemd_services_installed
|
register: systemd_services_installed
|
||||||
changed_when: false
|
changed_when: false
|
||||||
always_run: True
|
check_mode: no
|
||||||
tags:
|
tags:
|
||||||
- services
|
- services
|
||||||
- cat1
|
- cat1
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
command: "grep '^# openstack-ansible-security configurations' /etc/ssh/sshd_config"
|
command: "grep '^# openstack-ansible-security configurations' /etc/ssh/sshd_config"
|
||||||
register: sshd_marker_check
|
register: sshd_marker_check
|
||||||
changed_when: False
|
changed_when: False
|
||||||
always_run: True
|
check_mode: no
|
||||||
failed_when: False
|
failed_when: False
|
||||||
tags:
|
tags:
|
||||||
- ssh
|
- ssh
|
||||||
@ -32,7 +32,7 @@
|
|||||||
command: "grep '^Match' /etc/ssh/sshd_config"
|
command: "grep '^Match' /etc/ssh/sshd_config"
|
||||||
register: sshd_match_check
|
register: sshd_match_check
|
||||||
changed_when: False
|
changed_when: False
|
||||||
always_run: True
|
check_mode: no
|
||||||
failed_when: False
|
failed_when: False
|
||||||
tags:
|
tags:
|
||||||
- ssh
|
- ssh
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
stat:
|
stat:
|
||||||
path: /etc/gdm/custom.conf
|
path: /etc/gdm/custom.conf
|
||||||
register: RHEL_07_010430_gdm_conf
|
register: RHEL_07_010430_gdm_conf
|
||||||
always_run: True
|
check_mode: no
|
||||||
|
|
||||||
- name: RHEL-07-010430 - The operating system must not allow an unattended or automatic logon to the system via a graphical user interface
|
- name: RHEL-07-010430 - The operating system must not allow an unattended or automatic logon to the system via a graphical user interface
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
@ -23,7 +23,7 @@
|
|||||||
command: "grep '^# openstack-ansible-security configurations' /etc/ssh/sshd_config"
|
command: "grep '^# openstack-ansible-security configurations' /etc/ssh/sshd_config"
|
||||||
register: sshd_marker_check
|
register: sshd_marker_check
|
||||||
changed_when: False
|
changed_when: False
|
||||||
always_run: True
|
check_mode: no
|
||||||
failed_when: False
|
failed_when: False
|
||||||
|
|
||||||
# Check for "Match" stanzas in the sshd_config.
|
# Check for "Match" stanzas in the sshd_config.
|
||||||
@ -31,7 +31,7 @@
|
|||||||
command: "grep '^Match' /etc/ssh/sshd_config"
|
command: "grep '^Match' /etc/ssh/sshd_config"
|
||||||
register: sshd_match_check
|
register: sshd_match_check
|
||||||
changed_when: False
|
changed_when: False
|
||||||
always_run: True
|
check_mode: no
|
||||||
failed_when: False
|
failed_when: False
|
||||||
|
|
||||||
# If the marker is missing, and "Match" stanzas are present, we must carefully
|
# If the marker is missing, and "Match" stanzas are present, we must carefully
|
||||||
|