openstack/ansible-hardening
Code Issues Proposed changes

Fix security role gate

Browse Source 
This commit removes the verbose options from the gate job and disables
clamav installation in the CI jobs. The clamav package is only available
in the EPEL repository, but the EPEL repo has been removed from
the CentOS images in the OpenStack gate. This will need to be handled
carefully in a later patch.

It also removes an apostrophe from `tasks/main.yml` that breaks syntax
highlighting in vim.

Change-Id: Ifbfc56ed5fe92887cf5beb6b2703fdc3e1c8bb05
This commit is contained in:
Major Hayden 2017-05-16 10:24:19 -05:00
parent d4daf7edfb
commit 5ef94bf0ca
No known key found for this signature in database
GPG Key ID: 737051E0C1011FB1
3 changed files with 7 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
tasks/main.yml
View File

@ -31,7 +31,7 @@
tags:
- always
- name: Check to see if we're booting with EFI/UEFI
- name: Check to see if we are booting with EFI or UEFI
set_fact:
booted_with_efi: "{{ ansible_mounts | selectattr('mount', 'equalto', '/boot/efi') | list | length > 0 }}"
tags:

5
tests/test.yml
View File

@ -86,7 +86,10 @@
security_unattended_upgrades_enabled: "{{ (ansible_os_family | lower == 'debian') | ternary(true, false) }}"
security_unattended_upgrades_notifications: "{{ (ansible_os_family | lower == 'debian') | ternary(true, false) }}"
security_rhel7_automatic_package_updates: "{{ (ansible_os_family | lower == 'debian') | ternary(true, false) }}"
security_enable_virus_scanner: yes
# NOTE(mhayden): clamav is only available if EPEL is installed. There needs
# to be some work done to figure out how to install EPEL for use with
# this role without causing disruptions on the system.
security_enable_virus_scanner: no
security_run_virus_scanner_update: no
security_search_for_invalid_owner: yes
security_search_for_invalid_group_owner: yes

4
tox.ini
View File

@ -109,7 +109,7 @@ deps =
setenv =
{[testenv]setenv}
# NOTE(mhayden): Disabling chrony since it causes conflicts in CI.
ANSIBLE_PARAMETERS="-vvv -e security_rhel7_enable_chrony=no"
ANSIBLE_PARAMETERS=-e security_rhel7_enable_chrony=no
commands =
{[testenv:tests_clone]commands}
bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
@ -120,7 +120,7 @@ deps =
setenv =
{[testenv]setenv}
# NOTE(mhayden): Disabling chrony since it causes conflicts in CI.
ANSIBLE_PARAMETERS="-vvv -e stig_version=rhel6 --skip-tags V-38462,V-38660 -e security_enable_chrony=no"
ANSIBLE_PARAMETERS=-e stig_version=rhel6 --skip-tags V-38462,V-38660 -e security_enable_chrony=no
commands =
{[testenv:tests_clone]commands}
bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"