ansible-hardening/tests/test.yml
Jonathan Rosser b9a9310d7c Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: I3dc2486a0666367d673b23403f2510c94c40eaf4
2021-03-10 16:54:58 +00:00

77 lines
2.8 KiB
YAML

---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Playbook for role testing
hosts: localhost
pre_tasks:
- name: Ensure apt cache is updated before testing
apt:
update_cache: yes
cache_valid_time: "{{ cache_timeout }}"
changed_when: False
when:
- ansible_facts['pkg_mgr'] == 'apt'
register: refresh_cache
until: refresh_cache is success
retries: 5
delay: 2
- name: Ensure OpenStack CI image has a logrotate cron job
file:
path: /etc/cron.daily/logrotate
state: touch
when: ansible_facts['os_family'] == 'RedHat'
changed_when: False
- name: Install dconf package to test graphical session locks
package:
name: dconf
state: installed
changed_when: False
when:
- ansible_facts['os_family'] == 'RedHat'
register: install_packages
until: install_packages is success
retries: 5
delay: 2
roles:
- role: "ansible-hardening"
vars:
security_disable_account_if_password_expires: yes
security_enable_firewalld: yes
security_pwquality_apply_rules: yes
security_enable_pwquality_password_set: yes
security_lock_session: yes
security_pwquality_require_minimum_password_length: yes
security_package_clean_on_remove: yes
security_pam_faillock_enable: yes
security_password_remember_password: 5
security_reset_perm_ownership: yes
security_require_grub_authentication: yes
security_rhel7_automatic_package_updates: yes
security_rhel7_initialize_aide: yes
security_rhel7_remove_shosts_files: yes
security_search_for_invalid_owner: yes
security_search_for_invalid_group_owner: yes
security_set_home_directory_permissions_and_owners: yes
security_set_minimum_password_lifetime: yes
security_unattended_upgrades_enabled: yes
security_unattended_upgrades_notifications: yes
# NOTE(mhayden): clamav is only available if EPEL is installed. There needs
# to be some work done to figure out how to install EPEL for use with
# this role without causing disruptions on the system.
security_enable_virus_scanner: no
security_run_virus_scanner_update: no
# Enable the contrib tasks.
security_contrib_enabled: yes