4e7e57add2
This patch skips the assertions on the test tasks that run after the security role is applied. These should only run on the RHEL6 STIG content for now. Change-Id: Ibee89def31fea8263f92666e593f7d44bd21cbc6
69 lines
2.3 KiB
YAML
69 lines
2.3 KiB
YAML
---
|
|
# Copyright 2015, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Playbook for role testing
|
|
hosts: localhost
|
|
pre_tasks:
|
|
- name: Ensure apt cache is updated before testing
|
|
apt:
|
|
update_cache: yes
|
|
when: ansible_pkg_mgr == 'apt'
|
|
- name: Ensure OpenStack CI image has a logrotate cron job
|
|
file:
|
|
path: /etc/cron.daily/logrotate
|
|
state: touch
|
|
when: ansible_os_family == 'RedHat'
|
|
changed_when: False
|
|
post_tasks:
|
|
- name: Stat 20auto-upgrades file
|
|
stat:
|
|
path: /etc/apt/apt.conf.d/20auto-upgrades
|
|
register: auto_upgrades_file
|
|
when:
|
|
- stig_version == 'rhel6'
|
|
- ansible_pkg_mgr == 'apt'
|
|
- name: Slurp contents of 50unattended-upgrades file
|
|
slurp:
|
|
src: /etc/apt/apt.conf.d/50unattended-upgrades
|
|
register: unattended_upgrades_file_encoded
|
|
when:
|
|
- stig_version == 'rhel6'
|
|
- ansible_pkg_mgr == 'apt'
|
|
- name: Decode slurp'd 50-unattended-upgrades file
|
|
set_fact:
|
|
unattended_upgrades_file: "{{ unattended_upgrades_file_encoded.content | b64decode }}"
|
|
when:
|
|
- stig_version == 'rhel6'
|
|
- ansible_pkg_mgr == 'apt'
|
|
- name: Ensure auto updates has been enabled
|
|
assert:
|
|
that:
|
|
- auto_upgrades_file.stat.exists
|
|
when:
|
|
- stig_version == 'rhel6'
|
|
- ansible_pkg_mgr == 'apt'
|
|
- name: Ensure that auto update notifications has been enabled
|
|
assert:
|
|
that:
|
|
- "'\nUnattended-Upgrade::Mail \"root\";\n' in unattended_upgrades_file"
|
|
when:
|
|
- stig_version == 'rhel6'
|
|
- ansible_pkg_mgr == 'apt'
|
|
roles:
|
|
- role: "openstack-ansible-security"
|
|
vars:
|
|
security_unattended_upgrades_enabled: true
|
|
security_unattended_upgrades_notifications: true
|