Merge "Add hardening specific variables to tests"

2021-06-01 14:48:44 +00:00 · 2021-06-01 14:48:44 +00:00 · 1367d29dc7
commit 1367d29dc7
parent 5ab9cd8222 1d5824ddc4
3 changed files with 44 additions and 0 deletions
--- a/tests/roles/bootstrap-host/tasks/prepare_aio_config.yml
+++ b/tests/roles/bootstrap-host/tasks/prepare_aio_config.yml
@ -188,6 +188,9 @@
    - src: user_variables_horizon.yml.j2
      dest: user_variables_horizon.yml
      condition: "{{ 'horizon' in bootstrap_host_scenarios }}"
+    - src: user_variables_hardening.yml.j2
+      dest: user_variables_hardening.yml
+      condition: "{{ 'hardening' in bootstrap_host_scenarios_expanded }}"

 - name: Copy modified cinder-volume env.d file for ceph scenario
  copy:
--- a/tests/roles/bootstrap-host/templates/user_variables_hardening.yml.j2
+++ b/tests/roles/bootstrap-host/templates/user_variables_hardening.yml.j2
@ -0,0 +1,29 @@
+---
+
+security_disable_account_if_password_expires: yes
+security_enable_firewalld: yes
+security_pwquality_apply_rules: yes
+security_enable_pwquality_password_set: yes
+security_lock_session: yes
+security_pwquality_require_minimum_password_length: yes
+security_package_clean_on_remove: yes
+security_pam_faillock_enable: yes
+security_password_remember_password: 5
+security_reset_perm_ownership: yes
+security_require_grub_authentication: yes
+security_rhel7_automatic_package_updates: yes
+security_rhel7_initialize_aide: yes
+security_rhel7_remove_shosts_files: yes
+security_search_for_invalid_owner: yes
+security_search_for_invalid_group_owner: yes
+security_set_home_directory_permissions_and_owners: yes
+security_set_minimum_password_lifetime: yes
+security_unattended_upgrades_enabled: yes
+security_unattended_upgrades_notifications: yes
+# NOTE(mhayden): clamav is only available if EPEL is installed. There needs
+# to be some work done to figure out how to install EPEL for use with
+# this role without causing disruptions on the system.
+security_enable_virus_scanner: no
+security_run_virus_scanner_update: no
+# Enable the contrib tasks.
+security_contrib_enabled: yes
--- a/zuul.d/playbooks/pre-gate-scenario.yml
+++ b/zuul.d/playbooks/pre-gate-scenario.yml
@ -41,6 +41,14 @@
          {%     set role_service_name = zuul.project.short_name |
                                       regex_replace('^openstack-ansible-os_(.*)$', '\\1')
          %}
+          {%   elif zuul.project.short_name is match('^ansible-role-(.*)$') %}
+          {%     set role_service_name = zuul.project.short_name |
+                                       regex_replace('^ansible-role-(.*)$', '\\1')
+          %}
+          {%   elif zuul.project.short_name == 'ansible-hardening' %}
+          {%     set role_service_name = 'hardening' %}
+          {%   endif %}
+          {%   if role_service_name is defined %}
          {%     set _ = _scenario.append(role_service_name) %}
          {#     Add special scenarios based on the project name #}
          {%     if role_service_name in scenario_map %}
@ -58,6 +66,10 @@
          %}
          {%     endif%}
          {%   endfor %}
+          {# Hardening role is special as our regular filters don't work for it #}
+          {%   if zuul.project.short_name == 'ansible-hardening' %}
+          {%     set _ = _scenario.append('hardening') %}
+          {%   endif %}
          {% endif %}
          {{ _scenario | join('_') }}
      when: