--- # Copyright 2015, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - name: Playbook for role testing hosts: localhost pre_tasks: - name: Ensure apt cache is updated before testing apt: update_cache: yes cache_valid_time: "{{ cache_timeout }}" changed_when: False when: - ansible_facts['pkg_mgr'] == 'apt' register: refresh_cache until: refresh_cache is success retries: 5 delay: 2 - name: Ensure OpenStack CI image has a logrotate cron job file: path: /etc/cron.daily/logrotate state: touch when: ansible_facts['os_family'] == 'RedHat' changed_when: False - name: Install dconf package to test graphical session locks package: name: dconf state: installed changed_when: False when: - ansible_facts['os_family'] == 'RedHat' register: install_packages until: install_packages is success retries: 5 delay: 2 roles: - role: "ansible-hardening" vars: security_disable_account_if_password_expires: yes security_enable_firewalld: yes security_pwquality_apply_rules: yes security_enable_pwquality_password_set: yes security_lock_session: yes security_pwquality_require_minimum_password_length: yes security_package_clean_on_remove: yes security_pam_faillock_enable: yes security_password_remember_password: 5 security_reset_perm_ownership: yes security_require_grub_authentication: yes security_rhel7_automatic_package_updates: yes security_rhel7_initialize_aide: yes security_rhel7_remove_shosts_files: yes security_search_for_invalid_owner: yes security_search_for_invalid_group_owner: yes security_set_home_directory_permissions_and_owners: yes security_set_minimum_password_lifetime: yes security_unattended_upgrades_enabled: yes security_unattended_upgrades_notifications: yes # NOTE(mhayden): clamav is only available if EPEL is installed. There needs # to be some work done to figure out how to install EPEL for use with # this role without causing disruptions on the system. security_enable_virus_scanner: no security_run_virus_scanner_update: no # Enable the contrib tasks. security_contrib_enabled: yes