Initial Fedora 25 support
This patch adds the initial support for Fedora 25 in the security role. A non-voting gate job is proposed in the following review: https://review.openstack.org/#/c/467297/ Docs and general cleanup for Fedora/Debian support is coming soon. Change-Id: Ia6c551d2f33255f7f71f7ba9bb328fc8f17f61e0
This commit is contained in:
Major Hayden
parent
ff4e1df690
commit
97186f8339
11
bindep.txt
11
bindep.txt
|
|
@ -10,7 +10,7 @@
|
|||
# will fall back to installing its default packages which
|
||||
# will potentially be detrimental to the tests executed.
|
||||
|
||||
# Base requirements for Ubuntu
|
||||
# Base requirements for Ubuntu and Debian
|
||||
build-essential [platform:dpkg]
|
||||
git-core [platform:dpkg]
|
||||
libssl-dev [platform:dpkg]
|
||||
|
|
@ -20,7 +20,8 @@ python2.7 [platform:dpkg]
|
|||
python-dev [platform:dpkg]
|
||||
python-apt [platform:dpkg]
|
||||
|
||||
# Base requirements for CentOS
|
||||
# Base requirements for CentOS and Fedora
|
||||
redhat-rpm-config [platform:rpm]
|
||||
gcc [platform:rpm]
|
||||
gcc-c++ [platform:rpm]
|
||||
git [platform:rpm]
|
||||
|
|
@ -38,7 +39,11 @@ libselinux-python [platform:rpm]
|
|||
python-pyasn1 [platform:dpkg]
|
||||
python-openssl [platform:dpkg]
|
||||
python2-pyasn1 [platform:rpm]
|
||||
python2-pyOpenSSL [platform:rpm]
|
||||
python2-pyOpenSSL [platform:centos]
|
||||
pyOpenSSL [platform:fedora]
|
||||
|
||||
# Other Ansible requirements
|
||||
python2-dnf [platform:fedora]
|
||||
|
||||
# Required for compressing collected log files in CI
|
||||
gzip
|
||||
|
|
|
|||
12
run_tests.sh
12
run_tests.sh
|
|
@ -26,10 +26,14 @@ fi
|
|||
# Install bindep and tox with pip.
|
||||
sudo pip install bindep tox
|
||||
|
||||
## Bindep pre-requisites
|
||||
# Fedora requires the redhat-lsb-core package.
|
||||
# CentOS 7 requires two additional packages:
|
||||
# redhat-lsb-core - for bindep profile support
|
||||
# epel-release - required to install python-ndg_httpsclient/python2-pyasn1
|
||||
if which yum; then
|
||||
if [ -e /etc/fedora-release ]; then
|
||||
sudo dnf -y install redhat-lsb-core
|
||||
elif [ -e /etc/centos-release ]; then
|
||||
sudo yum -y install redhat-lsb-core epel-release
|
||||
fi
|
||||
|
||||
|
|
@ -44,7 +48,11 @@ if which apt-get; then
|
|||
DEBIAN_FRONTEND=noninteractive \
|
||||
sudo apt-get -q --option "Dpkg::Options::=--force-confold" \
|
||||
--assume-yes install $BINDEP_PKGS
|
||||
elif which yum; then
|
||||
elif [ -e /etc/fedora-release ]; then
|
||||
if [[ ${#BINDEP_PKGS} > 0 ]]; then
|
||||
sudo dnf install -y $BINDEP_PKGS
|
||||
fi
|
||||
elif [ -e /etc/centos-release]; then
|
||||
# Don't run yum with an empty list of packages.
|
||||
# It will fail and cause the script to exit with an error.
|
||||
if [[ ${#BINDEP_PKGS} > 0 ]]; then
|
||||
|
|
|
|||
|
|
@ -0,0 +1 @@
|
|||
yum.yml
|
||||
|
|
@ -62,11 +62,7 @@
|
|||
|
||||
# Package managers are managed first since the changes in these tasks will
|
||||
# affect the remainder of the tasks in the role.
|
||||
- include: apt.yml
|
||||
when: ansible_os_family | lower == 'debian'
|
||||
|
||||
- include: rpm.yml
|
||||
when: ansible_os_family | lower == 'redhat'
|
||||
- include: "{{ ansible_pkg_mgr }}.yml"
|
||||
|
||||
# The bulk of the security changes are applied in these tasks. The tasks in
|
||||
# each file are tagged with the same name (for example, tasks in `auth.yml`
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@
|
|||
|
||||
- name: V-71987 - Clean requirements/dependencies when removing packages (rpm)
|
||||
lineinfile:
|
||||
dest: /etc/yum.conf
|
||||
dest: "{{ pkg_mgr_config }}"
|
||||
regexp: "^(#)?clean_requirements_on_remove"
|
||||
line: "clean_requirements_on_remove=1"
|
||||
state: present
|
||||
|
|
@ -68,10 +68,13 @@
|
|||
path: /etc/yum/yum-cron.conf
|
||||
check_mode: no
|
||||
register: yum_cron_config_check
|
||||
when:
|
||||
- ansible_os_family | lower == 'redhat'
|
||||
- ansible_pkg_mgr == 'yum'
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: V-71999 - System security patches and updates must be installed and up to date. (yum)
|
||||
- name: Enable automatic package updates (yum)
|
||||
lineinfile:
|
||||
dest: /etc/yum/yum-cron.conf
|
||||
regexp: "^apply_updates"
|
||||
|
|
@ -79,6 +82,7 @@
|
|||
state: present
|
||||
when:
|
||||
- ansible_os_family | lower == 'redhat'
|
||||
- ansible_pkg_mgr == 'yum'
|
||||
- yum_cron_config_check.stat.exists | bool
|
||||
- security_rhel7_automatic_package_updates | bool
|
||||
tags:
|
||||
|
|
@ -86,7 +90,49 @@
|
|||
- medium
|
||||
- V-71999
|
||||
|
||||
- name: V-71999 - System security patches and updates must be installed and up to date. (apt)
|
||||
- name: Check if /etc/dnf/automatic.conf exists
|
||||
stat:
|
||||
path: /etc/dnf/automatic.conf
|
||||
check_mode: no
|
||||
register: dnf_automatic_config_check
|
||||
when:
|
||||
- ansible_os_family | lower == 'redhat'
|
||||
- ansible_pkg_mgr == 'dnf'
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Enable automatic package updates (dnf)
|
||||
lineinfile:
|
||||
dest: /etc/dnf/automatic.conf
|
||||
regexp: "^apply_updates"
|
||||
line: "apply_updates = yes"
|
||||
state: present
|
||||
when:
|
||||
- ansible_os_family | lower == 'redhat'
|
||||
- ansible_pkg_mgr == 'dnf'
|
||||
- dnf_automatic_config_check.stat.exists | bool
|
||||
- security_rhel7_automatic_package_updates | bool
|
||||
tags:
|
||||
- packages
|
||||
- medium
|
||||
- V-71999
|
||||
|
||||
- name: Enable dnf-automatic timer for automatic package updates
|
||||
systemd:
|
||||
name: dnf-automatic.timer
|
||||
enabled: yes
|
||||
state: started
|
||||
when:
|
||||
- ansible_os_family | lower == 'redhat'
|
||||
- ansible_pkg_mgr == 'dnf'
|
||||
- dnf_automatic_config_check.stat.exists | bool
|
||||
- security_rhel7_automatic_package_updates | bool
|
||||
tags:
|
||||
- packages
|
||||
- medium
|
||||
- V-71999
|
||||
|
||||
- name: Enable automatic package updates (apt)
|
||||
copy:
|
||||
src: 20auto-upgrades
|
||||
dest: /etc/apt/apt.conf.d/20auto-upgrades
|
||||
|
|
|
|||
|
|
@ -58,7 +58,7 @@
|
|||
|
||||
- name: V-71977 - Require digital signatures for all packages
|
||||
lineinfile:
|
||||
dest: /etc/yum.conf
|
||||
dest: "{{ pkg_mgr_config }}"
|
||||
regexp: "{{ item.regexp }}"
|
||||
line: "{{ item.line }}"
|
||||
state: present
|
||||
|
|
@ -13,9 +13,9 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
## Variables for CentOS 7 and Red Hat Enterprise Linux 7
|
||||
# The following variables apply only to CentOS 7 and Red Hat Enterprise Linux 7
|
||||
# and deployers should not override them.
|
||||
## Variables for CentOS 7, Red Hat Enterprise Linux 7 and Fedora 25.
|
||||
# The following variables apply only to CentOS 7, Red Hat Enterprise Linux 7
|
||||
# and Fedora 25. Deployers should not override these.
|
||||
#
|
||||
# For more details, see 'vars/main.yml'.
|
||||
|
||||
|
|
@ -31,6 +31,7 @@ aide_cron_job_path: /etc/cron.d/aide
|
|||
aide_database_file: /var/lib/aide/aide.db.gz
|
||||
chrony_conf_file: /etc/chrony.conf
|
||||
daemon_init_params_file: /etc/init.d/functions
|
||||
pkg_mgr_config: "{{ (ansible_pkg_mgr == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}"
|
||||
|
||||
# Service names
|
||||
cron_service: crond
|
||||
|
|
@ -144,7 +145,7 @@ stig_packages_rhel7:
|
|||
state: "{{ security_package_state }}"
|
||||
enabled: "{{ security_enable_firewalld }}"
|
||||
- packages:
|
||||
- yum-cron
|
||||
- "{{ (ansible_pkg_mgr == 'yum') | ternary('yum-cron', 'dnf-automatic') }}"
|
||||
state: "{{ security_package_state }}"
|
||||
enabled: "{{ security_rhel7_automatic_package_updates }}"
|
||||
- packages:
|
||||
|
|
|
|||
Loading…
Reference in New Issue