Major Hayden 5ef94bf0ca
Fix security role gate
This commit removes the verbose options from the gate job and disables
clamav installation in the CI jobs. The clamav package is only available
in the EPEL repository, but the EPEL repo has been removed from
the CentOS images in the OpenStack gate. This will need to be handled
carefully in a later patch.

It also removes an apostrophe from `tasks/main.yml` that breaks syntax
highlighting in vim.

Change-Id: Ifbfc56ed5fe92887cf5beb6b2703fdc3e1c8bb05
2017-05-16 10:24:25 -05:00


---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
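# Test playbook for the openstack-ansible-security role. It runs against
# localhost, so every task and role setting below acts on the CI node itself.
#
# Formatting notes for this rewrite:
#   - booleans are written as true/false (YAML 1.2 / yamllint `truthy`);
#     Ansible reads yes/no and true/false identically, so behaviour is unchanged
#   - `state: installed` on the package module is replaced by the portable
#     `present` (installed is a yum-only alias)
#   - the `| ternary(true, false)` wrapper around an expression that is already
#     a boolean comparison is dropped; the result is the same boolean
- name: Playbook for role testing
  hosts: localhost
  pre_tasks:
    # Refresh the apt index before any package work. `cache_timeout` is not
    # defined in this file; it is expected to come from the caller (extra vars
    # or the test harness) — confirm before running standalone.
    - name: Ensure apt cache is updated before testing
      apt:
        update_cache: true
        cache_valid_time: "{{ cache_timeout }}"
      when: ansible_pkg_mgr == 'apt'
      changed_when: false

    # Create an (empty) daily logrotate cron job file on RedHat CI images.
    - name: Ensure OpenStack CI image has a logrotate cron job
      file:
        path: /etc/cron.daily/logrotate
        state: touch
      when: ansible_os_family == 'RedHat'
      changed_when: false

    # dconf is needed for the graphical session lock checks on RedHat.
    - name: Install dconf package to test graphical session locks
      package:
        name: dconf
        state: present
      when: ansible_os_family == 'RedHat'
      changed_when: false

  # Post-run verification of the unattended-upgrades configuration. Every
  # task is gated on: a real (non check-mode) run, the rhel6 STIG, and apt.
  post_tasks:
    - name: Stat 20auto-upgrades file
      stat:
        path: /etc/apt/apt.conf.d/20auto-upgrades
      register: auto_upgrades_file
      when:
        - not check_mode
        - stig_version == 'rhel6'
        - ansible_pkg_mgr == 'apt'

    - name: Slurp contents of 50unattended-upgrades file
      slurp:
        src: /etc/apt/apt.conf.d/50unattended-upgrades
      register: unattended_upgrades_file_encoded
      when:
        - not check_mode
        - stig_version == 'rhel6'
        - ansible_pkg_mgr == 'apt'

    # slurp returns base64; decode it so the assertion below can search the text.
    - name: Decode slurp'd 50-unattended-upgrades file
      set_fact:
        unattended_upgrades_file: "{{ unattended_upgrades_file_encoded.content | b64decode }}"
      when:
        - not check_mode
        - stig_version == 'rhel6'
        - ansible_pkg_mgr == 'apt'

    - name: Ensure auto updates has been enabled
      assert:
        that:
          - auto_upgrades_file.stat.exists
      when:
        - not check_mode
        - stig_version == 'rhel6'
        - ansible_pkg_mgr == 'apt'

    # The double-quoted YAML scalar turns each \n into a real newline, so the
    # Jinja test looks for the Mail directive as a complete line of the file.
    - name: Ensure that auto update notifications has been enabled
      assert:
        that:
          - "'\nUnattended-Upgrade::Mail \"root\";\n' in unattended_upgrades_file"
      when:
        - not check_mode
        - stig_version == 'rhel6'
        - ansible_pkg_mgr == 'apt'

  roles:
    - role: "openstack-ansible-security"
      # Role settings under test. Items that change host state (firewalld,
      # GRUB authentication, AIDE initialisation, permission resets) are
      # applied to the CI node because the play targets localhost.
      vars:
        security_pwquality_apply_rules: true
        security_package_clean_on_remove: true
        # NOTE(mhayden): yum-cron has a bug upon update due to a RPM conflict in
        # the yum-cron.conf file. This test should be re-enabled when the
        # OpenStack CI images are updated.
        # See https://bugzilla.redhat.com/show_bug.cgi?id=1293513
        # The three settings below are therefore only enabled on Debian-family hosts.
        security_unattended_upgrades_enabled: "{{ ansible_os_family | lower == 'debian' }}"
        security_unattended_upgrades_notifications: "{{ ansible_os_family | lower == 'debian' }}"
        security_rhel7_automatic_package_updates: "{{ ansible_os_family | lower == 'debian' }}"
        # NOTE(mhayden): clamav is only available if EPEL is installed. There needs
        # to be some work done to figure out how to install EPEL for use with
        # this role without causing disruptions on the system.
        security_enable_virus_scanner: false
        security_run_virus_scanner_update: false
        security_search_for_invalid_owner: true
        security_search_for_invalid_group_owner: true
        security_enable_firewalld: true
        security_password_remember_password: 5
        security_disable_account_if_password_expires: true
        security_rhel7_initialize_aide: true
        security_require_grub_authentication: true
        # Recursive home-directory permission/ownership changes stay disabled in CI.
        security_set_home_directory_permissions_and_owners_recursively: false
        security_reset_perm_ownership: true
        security_rhel7_remove_shosts_files: true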