8868011d4c
Enable repo GPG checks causes some CentOS systems to become unable to retrieve yum metadata. It also causes the security gate jobs to balloon out to 12 minutes (normally 3-4 mins). Closes-Bug: 1641729 Change-Id: I229b471bbd9fbe39776b9022671b03da0a659163
76 lines
2.3 KiB
YAML
76 lines
2.3 KiB
YAML
---
|
|
# Copyright 2016, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# Multiple tasks will need the output of RPM verification, so let's do the
|
|
# lookup one time and then grep over the output in subsequent tasks.
|
|
- name: Verify all installed RPM packages
|
|
shell: "rpm -Va > {{ temp_dir }}/rpmverify.txt"
|
|
args:
|
|
warn: no
|
|
failed_when: False
|
|
changed_when: False
|
|
when:
|
|
- not check_mode | bool
|
|
- ansible_os_family | lower == 'redhat'
|
|
tags:
|
|
- always
|
|
- skip_ansible_lint
|
|
|
|
- name: RHEL-07-010020 - Get files with invalid checksums (rpm)
|
|
shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"
|
|
register: rhel_07_010020_files
|
|
changed_when: False
|
|
when:
|
|
- not check_mode | bool
|
|
- ansible_os_family | lower == 'redhat'
|
|
tags:
|
|
- rpm
|
|
- high
|
|
- RHEL-07-010020
|
|
|
|
- name: RHEL-07-010020 - The cryptographic hash of system files and commands must match vendor values (rpm)
|
|
debug:
|
|
msg: |
|
|
The following files have checksums that differ from the checksum provided
|
|
with their package. Each of these should be verified manually to ensure
|
|
they have not been modified by an unauthorized user.
|
|
|
|
{% for filename in rhel_07_010020_files.stdout_lines %}
|
|
{{ filename }}
|
|
{% endfor %}
|
|
when:
|
|
- not check_mode | bool
|
|
- ansible_os_family | lower == 'redhat'
|
|
- rhel_07_010020_files is defined
|
|
- rhel_07_010020_files.stdout is defined
|
|
tags:
|
|
- rpm
|
|
- high
|
|
- RHEL-07-010020
|
|
|
|
- name: RHEL-07-020150 - Require digital signatures for all packages
|
|
lineinfile:
|
|
dest: /etc/yum.conf
|
|
regexp: "{{ item.regexp }}"
|
|
line: "{{ item.line }}"
|
|
state: present
|
|
with_items: "{{ rpm_gpgchecks | default([]) }}"
|
|
tags:
|
|
- rpm
|
|
- high
|
|
- RHEL-07-020150
|
|
- RHEL-07-020151
|
|
- RHEL-07-020152
|