6e761efc9c
Several tasks in the auth.yml file were actually more closely related to accounts rather than authentication. This patch moves tasks from the auth.yml into accounts.yml and adjusts the docs to match. This should alleviate confusion and allow deployers to fine-tune their Ansible playbook runs. Change-Id: I962014ba9022dd256dc04da6b4ac0860797fbc24
95 lines
2.6 KiB
YAML
95 lines
2.6 KiB
YAML
---
|
|
# Copyright 2015, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Create temporary directory to hold any temporary files
|
|
command: "mktemp -d"
|
|
register: mktemp_result
|
|
changed_when: False
|
|
when:
|
|
- not check_mode | bool
|
|
tags:
|
|
- always
|
|
|
|
- name: Set a fact for the temporary directory
|
|
set_fact:
|
|
temp_dir: "{{ mktemp_result.stdout }}"
|
|
changed_when: False
|
|
when:
|
|
- not check_mode | bool
|
|
tags:
|
|
- always
|
|
|
|
# Multiple tasks will need the output of RPM verification, so let's do the
|
|
# lookup one time and then grep over the output in subsequent tasks.
|
|
- name: Verify all installed RPM packages
|
|
shell: "rpm -Va > {{ temp_dir }}/rpmverify.txt"
|
|
args:
|
|
warn: no
|
|
failed_when: False
|
|
changed_when: False
|
|
register: rpmverify_task
|
|
async: 300
|
|
poll: 0
|
|
when:
|
|
- not check_mode | bool
|
|
- ansible_os_family | lower == 'redhat'
|
|
tags:
|
|
- always
|
|
- skip_ansible_lint
|
|
|
|
- name: Get a list of users on the system to use throughout the auth tasks
|
|
action: get_users
|
|
register: user_list
|
|
check_mode: no
|
|
tags:
|
|
- always
|
|
|
|
# Package installations and removals must come first so that configuration
|
|
# changes can be made later.
|
|
- include: packages.yml
|
|
|
|
# Package managers are managed first since the changes in these tasks will
|
|
# affect the remainder of the tasks in the role.
|
|
- include: apt.yml
|
|
when: ansible_os_family | lower == 'debian'
|
|
|
|
- include: rpm.yml
|
|
when: ansible_os_family | lower == 'redhat'
|
|
|
|
# The bulk of the security changes are applied in these tasks. The tasks in
|
|
# each file are tagged with the same name (for example, tasks in `auth.yml`
|
|
# are tagged with `auth`). Also, the tag name matches up with the "STIG
|
|
# Controls by Tag" section of the role documentation.
|
|
- include: accounts.yml
|
|
- include: aide.yml
|
|
- include: auditd.yml
|
|
- include: auth.yml
|
|
- include: file_perms.yml
|
|
- include: graphical.yml
|
|
- include: kernel.yml
|
|
- include: lsm.yml
|
|
- include: misc.yml
|
|
- include: sshd.yml
|
|
|
|
- name: Remove the temporary directory
|
|
file:
|
|
path: "{{ temp_dir }}"
|
|
state: absent
|
|
changed_when: False
|
|
when:
|
|
- not check_mode | bool
|
|
tags:
|
|
- always
|