Merge "Add idempotency check"

2016-07-27 13:54:24 +00:00 · 2016-07-27 13:54:24 +00:00 · 3c7ecaee40
commit 3c7ecaee40
parent 5e70944bef fa11dd430b
7 changed files with 43 additions and 10 deletions
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
@ -134,6 +134,7 @@
 - name: Check audit package contents for alterations with rpm (for V-38637)
  shell: rpmverify audit audit-libs | grep -v audit.conf | wc -l
  register: v38637_result
+  changed_when: False
  when: ansible_pkg_mgr == 'yum'
  tags:
    - auditd
--- a/tasks/auth.yml
+++ b/tasks/auth.yml
@ -60,6 +60,7 @@
 - name: V-38496 - Get all system accounts
  shell: "awk -F: '$1 !~ /^root$/ && $3 < 500 {print $1}' /etc/passwd"
  register: v38496_system_users
+  changed_when: False
  always_run: True
  tags:
    - auth
@ -69,6 +70,7 @@
 - name: V-38496 - Loop through system accounts to find unlocked accounts
  shell: "awk -F: '$1 ~ /^{{ item }}$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow"
  register: v38496_unlocked_system_users
+  changed_when: False
  always_run: True
  with_items: "{{ v38496_system_users.stdout_lines | default([]) }}"
  tags:
@ -432,6 +434,7 @@
 - name: Search for sudoers files (for V-58901)
  shell: find /etc/sudoers* -type f
  register: v58901_result
+  changed_when: False
  always_run: True
  tags:
    - auth
--- a/tasks/console.yml
+++ b/tasks/console.yml
@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- name: V-38668 - The x86 Ctrl-Alt-Delete key sequence must be disabled
+- name: V-38668 - The x86 Ctrl-Alt-Delete key sequence must be disabled (init)
  lineinfile:
    dest: /etc/init/control-alt-delete.conf
    regexp: '^(#)?exec shutdown -r now "Control-Alt-Delete pressed"'
@ -25,9 +25,25 @@
    - cat1
    - V-38668

- name: V-38668 - The x86 Ctrl-Alt-Delete key sequence must be disabled
-  command: systemctl mask ctrl-alt-del.target
+# This returns an exit code of 0 if it's running, 3 if it's masked.
+- name: Check if ctrl-alt-del.target is already masked (systemd)
+  command: systemctl status ctrl-alt-del.target
+  register: cad_mask_check
+  changed_when: False
+  always_run: True
+  failed_when: False
  when: systemd_running | bool
+  tags:
+    - always
+    - console
+    - cat1
+    - V-38668
+
+- name: V-38668 - The x86 Ctrl-Alt-Delete key sequence must be disabled (systemd)
+  command: systemctl mask ctrl-alt-del.target
+  when:
+    - systemd_running | bool
+    - "'masked' in cad_mask_check.stdout"
  tags:
    - console
    - cat1
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -30,6 +30,7 @@
  - name: Check init system
    command: cat /proc/1/comm
    register: _pid1_name
+    changed_when: False
    always_run: True
    tags:
      - always
@ -43,6 +44,7 @@
  - name: Check for check/audit mode
    command: /bin/true
    register: noop_result
+    changed_when: False
    tags:
      - always

--- a/tasks/misc.yml
+++ b/tasks/misc.yml
@ -404,6 +404,7 @@
 - name: Check for unlabeled device files (for V-51379)
  shell: "find /dev -context '*unlabeled_t*'"
  register: v51379_unlabeled_devices
+  changed_when: False
  always_run: True
  when:
    - ansible_os_family == 'RedHat'
--- a/tasks/sshd.yml
+++ b/tasks/sshd.yml
@ -21,6 +21,7 @@
 - name: Check for security role marker in sshd_config
  command: "grep '^# openstack-ansible-security configurations' /etc/ssh/sshd_config"
  register: sshd_marker_check
+  changed_when: False
  always_run: True
  failed_when: False
  tags:
@ -30,6 +31,7 @@
 - name: Check for Match stanzas in sshd_config
  command: "grep '^Match' /etc/ssh/sshd_config"
  register: sshd_match_check
+  changed_when: False
  always_run: True
  failed_when: False
  tags:
--- a/tox.ini
+++ b/tox.ini
@ -160,24 +160,32 @@ deps =
    {[testenv:ansible]deps}
 setenv =
    {[testenv:ansible]setenv}
-# NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now building
-#                   images with apt config Apt::Get::AllowUnauthenticated set
-#                   to true.
 commands =
    {[testenv:ansible]commands}
-    # NOTE(mhayden): Check/audit mode is a feature of the role and it should
-    #                be tested prior to running the functional test.
+
+    # NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now
+    #                   building images with apt config
+    #                   Apt::Get::AllowUnauthenticated set to true.
    ansible-playbook --check \
                     -i {toxinidir}/tests/inventory \
                     -e "rolename={toxinidir}" \
                     -e "install_test_packages=True" \
                     --skip-tag V-38462 \
-                     {toxinidir}/tests/test_check.yml -vvvv
+                     {toxinidir}/tests/test_check.yml
    ansible-playbook -i {toxinidir}/tests/inventory \
                     -e "rolename={toxinidir}" \
                     -e "install_test_packages=True" \
                     --skip-tag V-38462 \
-                     {toxinidir}/tests/test.yml -vvvv
+                     {toxinidir}/tests/test.yml
+    bash -c 'ansible-playbook -i {toxinidir}/tests/inventory \
+                     -e "rolename={toxinidir}" \
+                     -e "install_test_packages=True" \
+                     --skip-tag V-38462 \
+                     {toxinidir}/tests/test.yml \
+                     | grep -q "changed=0.*failed=0" \
+                     && (echo "Idempotence test: pass" && exit 0) \
+                     || (echo "Idempotence test: fail" && exit 1)'
+


 [testenv:linters]