openstack/ansible-hardening
Code Issues Proposed changes
ansible-hardening/tests/test.yml
Major Hayden 3942b20fb1 Unblock security role gate 
This patch addresses two issues that are blocking the security role
CI jobs from completing:

The OpenStack CI image is missing the default audit.rules file and this
causes augenrules to fail when it loads new rules. The first line in
the default rules file deletes existing rules and this must be in
place before loading new rulesets. The contents of the default file
are now in the template file, which is safer anyway. The default
file provided by the OS is removed.

The task that updates the apt cache in test.yml was running more than
once during the CI job run when the gate ran slowly. That's fine, but
it breaks the idempotence checks. A `changed_when` is added to the task
to ensure that the idempotence tests aren't affected by an apt cache
update.

Change-Id: I9c2b50389cc2e4fa81717dcceccf6da1d973d34c
2017-01-03 12:19:46 -06:00

98 lines
3.6 KiB
YAML
Raw Blame History

---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Playbook for role testing
hosts: localhost
pre_tasks:
- name: Ensure apt cache is updated before testing
apt:
update_cache: yes
cache_valid_time: "{{ cache_timeout }}"
when: ansible_pkg_mgr == 'apt'
changed_when: False
- name: Ensure OpenStack CI image has a logrotate cron job
file:
path: /etc/cron.daily/logrotate
state: touch
when: ansible_os_family == 'RedHat'
changed_when: False
- name: Install dconf package to test graphical session locks
package:
name: dconf
state: installed
when: ansible_os_family == 'RedHat'
changed_when: False
post_tasks:
- name: Stat 20auto-upgrades file
stat:
path: /etc/apt/apt.conf.d/20auto-upgrades
register: auto_upgrades_file
when:
- not check_mode
- stig_version == 'rhel6'
- ansible_pkg_mgr == 'apt'
- name: Slurp contents of 50unattended-upgrades file
slurp:
src: /etc/apt/apt.conf.d/50unattended-upgrades
register: unattended_upgrades_file_encoded
when:
- not check_mode
- stig_version == 'rhel6'
- ansible_pkg_mgr == 'apt'
- name: Decode slurp'd 50-unattended-upgrades file
set_fact:
unattended_upgrades_file: "{{ unattended_upgrades_file_encoded.content | b64decode }}"
when:
- not check_mode
- stig_version == 'rhel6'
- ansible_pkg_mgr == 'apt'
- name: Ensure auto updates has been enabled
assert:
that:
- auto_upgrades_file.stat.exists
when:
- not check_mode
- stig_version == 'rhel6'
- ansible_pkg_mgr == 'apt'
- name: Ensure that auto update notifications has been enabled
assert:
that:
- "'\nUnattended-Upgrade::Mail \"root\";\n' in unattended_upgrades_file"
when:
- not check_mode
- stig_version == 'rhel6'
- ansible_pkg_mgr == 'apt'
roles:
- role: "openstack-ansible-security"
vars:
security_pwquality_apply_rules: yes
security_package_clean_on_remove: yes
# NOTE(mhayden): yum-cron has a bug upon update due to a RPM conflict in
# the yum-cron.conf file. This test should be re-enabled when the
# OpenStack CI images are updated.
# See https://bugzilla.redhat.com/show_bug.cgi?id=1293513
security_unattended_upgrades_enabled: "{{ (ansible_os_family | lower == 'debian') | ternary(true, false) }}"
security_unattended_upgrades_notifications: "{{ (ansible_os_family | lower == 'debian') | ternary(true, false) }}"
security_rhel7_automatic_package_updates: "{{ (ansible_os_family | lower == 'debian') | ternary(true, false) }}"
security_enable_virus_scanner: yes
security_search_for_invalid_owner: yes
security_search_for_invalid_group_owner: yes
security_enable_firewalld: yes
security_password_remember_password: 5
security_disable_account_if_password_expires: yes
security_rhel7_initialize_aide: yes
security_require_grub_authentication: yes
security_set_home_directory_permissions_and_owners_recursively: no
View Git Blame Copy Permalink