diff --git a/defaults/main.yml b/defaults/main.yml index 17935ba5..e82a63b1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -18,6 +18,10 @@ # apt cache updates as efficiently as possible. cache_timeout: 600 +# Set the package install state for distribution packages +# Options are 'present' and 'latest' +security_package_state: "latest" + ### Default configurations for openstack-ansible-security ##################### # # All of the configuration items below are documented in the developer notes diff --git a/releasenotes/notes/package-state-6684c5634bdf127a.yaml b/releasenotes/notes/package-state-6684c5634bdf127a.yaml new file mode 100644 index 00000000..dbc9aefc --- /dev/null +++ b/releasenotes/notes/package-state-6684c5634bdf127a.yaml @@ -0,0 +1,13 @@ +--- +features: + - The security role now supports the ability to configure whether + apt/yum tasks install the latest available package, or just ensure + that the package is present. The default action is to ensure that + the latest package is present. The action taken may be changed to + only ensure that the package is present by setting + ``security_package_state`` to ``present``. +upgrade: + - The security role always checks whether the latest package is + installed when executed. If a deployer wishes to change the check to + only validate the presence of the package, the option + ``security_package_state`` should be set to ``present``. diff --git a/tasks/apt.yml b/tasks/apt.yml index ad7ba1f8..76d4c0b8 100644 --- a/tasks/apt.yml +++ b/tasks/apt.yml @@ -81,7 +81,7 @@ - name: Install unattended-upgrades package (for V-38481) apt: name: unattended-upgrades - state: present + state: "{{ security_package_state }}" when: security_unattended_upgrades_enabled | bool tags: - package diff --git a/tasks/auditd.yml b/tasks/auditd.yml index e5682c0c..76a5bbb9 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml 
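Review bot: The comment added above `security_package_state` names 'present' and 'latest' as the only options, but nothing in the role enforces that, and the value is passed straight to the `apt`/`yum` `state:` parameter in tasks/apt.yml here and in every later hunk (tasks/auditd.yml, auth.yml, lsm.yml, mail.yml, misc.yml, rpm.yml). A typo, or a yum-only alias such as `installed` (the value the rpm.yml hunk removes), would fail the apt tasks, and a value like `absent` would uninstall the hardening packages the role exists to install. Consider a guard before the first package task, e.g. an `assert` with `that: security_package_state in ['present', 'latest']` and a short `msg` (tasks/main.yml is outside this diff, so where it fits is inferred). The defaults comment should also state what the default costs, since `latest` now upgrades each of these packages on every run of the role: `# 'latest' upgrades each package on every run; set 'present' if upgrades are change-controlled elsewhere`.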
@@ -16,7 +16,7 @@ - name: V-38631/38632 - The operating system must produce audit records (install auditd with apt) apt: name: "{{ auditd_pkg }}" - state: present + state: "{{ security_package_state }}" when: ansible_pkg_mgr == 'apt' tags: - auditd @@ -27,7 +27,7 @@ - name: V-38631/38632 - The operating system must produce audit records (install auditd with yum) yum: name: "{{ auditd_pkg }}" - state: present + state: "{{ security_package_state }}" when: ansible_pkg_mgr == 'yum' tags: - auditd @@ -98,7 +98,7 @@ - name: Ensure debsums package is installed (for V-38637) apt: name: debsums - state: present + state: "{{ security_package_state }}" when: ansible_pkg_mgr == 'apt' tags: - auditd diff --git a/tasks/auth.yml b/tasks/auth.yml index d38d531c..3476a456 100644 --- a/tasks/auth.yml +++ b/tasks/auth.yml @@ -185,7 +185,7 @@ - name: V-38501 - The system must disable accounts after excessive login failures (install fail2ban) apt: name: fail2ban - state: present + state: "{{ security_package_state }}" when: security_install_fail2ban | bool tags: - auth diff --git a/tasks/lsm.yml b/tasks/lsm.yml index 7c5b170e..b7034911 100644 --- a/tasks/lsm.yml +++ b/tasks/lsm.yml @@ -16,7 +16,7 @@ - name: Install packages for AppArmor support (for V-51337) apt: name: "{{ item }}" - state: present + state: "{{ security_package_state }}" with_items: - apparmor - apparmor-profiles @@ -44,7 +44,7 @@ - name: Install packages for SELinux support (for V-51337) yum: name: "{{ item }}" - state: present + state: "{{ security_package_state }}" with_items: - libselinux-python - policycoreutils-python diff --git a/tasks/mail.yml b/tasks/mail.yml index ab7b758a..7f7255f0 100644 --- a/tasks/mail.yml +++ b/tasks/mail.yml @@ -16,7 +16,7 @@ - name: V-38669 - The postfix service must be enabled for mail delivery (install postfix with apt) apt: name: postfix - state: present + state: "{{ security_package_state }}" when: ansible_pkg_mgr == 'apt' tags: - mail 
@@ -26,7 +26,7 @@ - name: V-38669 - The postfix service must be enabled for mail delivery (install postfix with yum) yum: name: postfix - state: present + state: "{{ security_package_state }}" when: ansible_pkg_mgr == 'yum' tags: - mail diff --git a/tasks/misc.yml b/tasks/misc.yml index 1650fc39..9f58d813 100644 --- a/tasks/misc.yml +++ b/tasks/misc.yml @@ -15,8 +15,8 @@ - name: V-38489 - Install AIDE (with apt) apt: - name: "{{ item }}" - state: present + name: "{{ item }}" + state: "{{ security_package_state }}" with_items: - aide - aide-common @@ -27,8 +27,8 @@ - name: V-38489 - Install AIDE (with yum) yum: - name: aide - state: present + name: aide + state: "{{ security_package_state }}" when: ansible_pkg_mgr == 'yum' tags: - cat2 @@ -92,7 +92,7 @@ - name: V-38620 - Synchronize system clock (installing chrony with apt) apt: name: chrony - state: present + state: "{{ security_package_state }}" when: ansible_pkg_mgr == 'apt' tags: - cat2 @@ -101,7 +101,7 @@ - name: V-38620 - Synchronize system clock (installing chrony with yum) yum: name: chrony - state: present + state: "{{ security_package_state }}" when: ansible_pkg_mgr == 'yum' tags: - cat2 @@ -143,7 +143,7 @@ - name: V-38624 - System logs must be rotated daily (install logrotate with apt) apt: name: logrotate - state: present + state: "{{ security_package_state }}" when: ansible_pkg_mgr == 'apt' tags: - cat3 @@ -152,7 +152,7 @@ - name: V-38624 - System logs must be rotated daily (install logrotate with yum) yum: name: logrotate - state: present + state: "{{ security_package_state }}" when: ansible_pkg_mgr == 'yum' tags: - cat3 diff --git a/tasks/rpm.yml b/tasks/rpm.yml index ce3512f1..04d74858 100644 --- a/tasks/rpm.yml +++ b/tasks/rpm.yml @@ -89,7 +89,7 @@ - name: V-38481 - Install yum-cron for automatic updates yum: name: yum-cron - state: installed + state: "{{ security_package_state }}" when: security_unattended_upgrades_enabled | bool tags: - package