
This patch addresses two issues that are blocking the security role CI jobs from completing: The OpenStack CI image is missing the default audit.rules file and this causes augenrules to fail when it loads new rules. The first line in the default rules file deletes existing rules and this must be in place before loading new rulesets. The contents of the default file are now in the template file, which is safer anyway. The default file provided by the OS is removed. The task that updates the apt cache in test.yml was running more than once during the CI job run when the gate ran slowly. That's fine, but it breaks the idempotence checks. A `changed_when` is added to the task to ensure that the idempotence tests aren't affected by an apt cache update. Change-Id: I9c2b50389cc2e4fa81717dcceccf6da1d973d34c
98 lines
3.6 KiB
YAML
98 lines
3.6 KiB
YAML
---
|
|
# Copyright 2015, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Playbook for role testing
|
|
hosts: localhost
|
|
pre_tasks:
|
|
- name: Ensure apt cache is updated before testing
|
|
apt:
|
|
update_cache: yes
|
|
cache_valid_time: "{{ cache_timeout }}"
|
|
when: ansible_pkg_mgr == 'apt'
|
|
changed_when: False
|
|
- name: Ensure OpenStack CI image has a logrotate cron job
|
|
file:
|
|
path: /etc/cron.daily/logrotate
|
|
state: touch
|
|
when: ansible_os_family == 'RedHat'
|
|
changed_when: False
|
|
- name: Install dconf package to test graphical session locks
|
|
package:
|
|
name: dconf
|
|
state: installed
|
|
when: ansible_os_family == 'RedHat'
|
|
changed_when: False
|
|
post_tasks:
|
|
- name: Stat 20auto-upgrades file
|
|
stat:
|
|
path: /etc/apt/apt.conf.d/20auto-upgrades
|
|
register: auto_upgrades_file
|
|
when:
|
|
- not check_mode
|
|
- stig_version == 'rhel6'
|
|
- ansible_pkg_mgr == 'apt'
|
|
- name: Slurp contents of 50unattended-upgrades file
|
|
slurp:
|
|
src: /etc/apt/apt.conf.d/50unattended-upgrades
|
|
register: unattended_upgrades_file_encoded
|
|
when:
|
|
- not check_mode
|
|
- stig_version == 'rhel6'
|
|
- ansible_pkg_mgr == 'apt'
|
|
- name: Decode slurp'd 50-unattended-upgrades file
|
|
set_fact:
|
|
unattended_upgrades_file: "{{ unattended_upgrades_file_encoded.content | b64decode }}"
|
|
when:
|
|
- not check_mode
|
|
- stig_version == 'rhel6'
|
|
- ansible_pkg_mgr == 'apt'
|
|
- name: Ensure auto updates has been enabled
|
|
assert:
|
|
that:
|
|
- auto_upgrades_file.stat.exists
|
|
when:
|
|
- not check_mode
|
|
- stig_version == 'rhel6'
|
|
- ansible_pkg_mgr == 'apt'
|
|
- name: Ensure that auto update notifications has been enabled
|
|
assert:
|
|
that:
|
|
- "'\nUnattended-Upgrade::Mail \"root\";\n' in unattended_upgrades_file"
|
|
when:
|
|
- not check_mode
|
|
- stig_version == 'rhel6'
|
|
- ansible_pkg_mgr == 'apt'
|
|
roles:
|
|
- role: "openstack-ansible-security"
|
|
vars:
|
|
security_pwquality_apply_rules: yes
|
|
security_package_clean_on_remove: yes
|
|
# NOTE(mhayden): yum-cron has a bug upon update due to a RPM conflict in
|
|
# the yum-cron.conf file. This test should be re-enabled when the
|
|
# OpenStack CI images are updated.
|
|
# See https://bugzilla.redhat.com/show_bug.cgi?id=1293513
|
|
security_unattended_upgrades_enabled: "{{ (ansible_os_family | lower == 'debian') | ternary(true, false) }}"
|
|
security_unattended_upgrades_notifications: "{{ (ansible_os_family | lower == 'debian') | ternary(true, false) }}"
|
|
security_rhel7_automatic_package_updates: "{{ (ansible_os_family | lower == 'debian') | ternary(true, false) }}"
|
|
security_enable_virus_scanner: yes
|
|
security_search_for_invalid_owner: yes
|
|
security_search_for_invalid_group_owner: yes
|
|
security_enable_firewalld: yes
|
|
security_password_remember_password: 5
|
|
security_disable_account_if_password_expires: yes
|
|
security_rhel7_initialize_aide: yes
|
|
security_require_grub_authentication: yes
|
|
security_set_home_directory_permissions_and_owners_recursively: no
|