Initial scaffolding for RHEL 7 STIG

This patch adds the initial scaffolding for the RHEL 7 STIG content
and provides a pathway for adding gate jobs that test the tasks for
the new content.

Implements: blueprint security-rhel7-stig
Change-Id: I4cc9468977fc6c14f4ca792a8964fa7a60a4e831

defaults/main.yml

@@ -13,6 +13,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+## STIG version selection
+# During the Ocata development cycle, the role will begin adding the RHEL 7
+# STIG content. By default, all operating systems will use the RHEL 6 STIG
+# until the work has completed.
+#
+# This variable should only be adjusted for testing purposes.
+stig_version: rhel6
+
 ## APT Cache Options
 # This variable is used across multiple OpenStack-Ansible roles to handle the
 # apt cache updates as efficiently as possible.

tasks/main.yml

@@ -56,30 +56,13 @@
     tags:
       - always
 
-  - include: apt.yml
-    static: no
-    when: ansible_pkg_mgr == 'apt'
-    tags:
-      - apt
-      - package
 
-  - include: rpm.yml
+  - include: rhel6stig/main.yml
-    static: no
+    when:
-    when: ansible_pkg_mgr == 'yum' or ansible_pkg_mgr == 'dnf'
+      - stig_version == 'rhel6'
-    tags:
-      - package
-      - rpm
 
-  - include: aide.yml
+  # NOTE(mhayden): RHEL 7 STIG content is still under development. Do not run
-  - include: auditd.yml
+  # these tasks against a production environment at this time.
-  - include: auth.yml
+  - include: rhel7stig/main.yml
-  - include: boot.yml
+    when:
-  - include: console.yml
+      - stig_version == 'rhel7'
-  - include: file_perms.yml
-  - include: kernel.yml
-  - include: lsm.yml
-  - include: mail.yml
-  - include: misc.yml
-  - include: nfsd.yml
-  - include: services.yml
-  - include: sshd.yml

tasks/rhel6stig/main.yml

@@ -0,0 +1,42 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+  - include: apt.yml
+    static: no
+    when: ansible_pkg_mgr == 'apt'
+    tags:
+      - apt
+      - package
+
+  - include: rpm.yml
+    static: no
+    when: ansible_pkg_mgr == 'yum' or ansible_pkg_mgr == 'dnf'
+    tags:
+      - package
+      - rpm
+
+  - include: aide.yml
+  - include: auditd.yml
+  - include: auth.yml
+  - include: boot.yml
+  - include: console.yml
+  - include: file_perms.yml
+  - include: kernel.yml
+  - include: lsm.yml
+  - include: mail.yml
+  - include: misc.yml
+  - include: nfsd.yml
+  - include: services.yml
+  - include: sshd.yml

tasks/rhel7stig/main.yml

@@ -0,0 +1,18 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Not yet implemented
+  debug:
+    msg: "The RHEL 7 STIG is not yet implemented."

tox.ini

@@ -163,6 +163,46 @@ commands =
                      || (echo "Idempotence test: fail" && exit 1)'
     {[testenv:func_logs]commands}
 
+[testenv:func_rhel7]
+# Ignore_errors is set to true so that the logs are collected at the
+#  end of the run. This will not produce a false positive. Any
+#  exception will be mark the run as failed and exit 1 after all of
+#  the commands have been iterated through.
+ignore_errors = True
+# NOTE(odyssey4me): this target does not use constraints because
+# it doesn't work in OpenStack-CI yet. Once that's fixed, we can
+# drop the install_command.
+install_command =
+    {[testenv:func_base]install_command}
+deps =
+    {[testenv:ansible]deps}
+commands =
+    {[testenv:ansible]commands}
+    # NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now
+    #                   building images with apt config
+    #                   Apt::Get::AllowUnauthenticated set to true.
+    # NOTE(mhayden): Skipping V-38660 since openstack-infra has SNMP v1/2 in
+    #                the images. This can be added back in once
+    #                https://review.openstack.org/#/c/354819/ merges.
+    ansible-playbook --check \
+                     -i {toxinidir}/tests/inventory \
+                     -e "install_test_packages=True stig_version=rhel7" \
+                     --skip-tag V-38462,V-38660 \
+                     {toxinidir}/tests/test_check.yml
+    ansible-playbook -i {toxinidir}/tests/inventory \
+                     -e "install_test_packages=True stig_version=rhel7" \
+                     --skip-tag V-38462,V-38660 \
+                     {toxinidir}/tests/test.yml
+    bash -c 'ansible-playbook -i {toxinidir}/tests/inventory \
+                     -e "install_test_packages=True stig_version=rhel7" \
+                     --skip-tag V-38462,V-38660 \
+                     {toxinidir}/tests/test.yml \
+                     | tee /tmp/idempotence_test_output.txt'
+    bash -c 'grep -q "changed=0.*failed=0" /tmp/idempotence_test_output.txt \
+                     && (echo "Idempotence test: pass" && exit 0) \
+                     || (echo "Idempotence test: fail" && exit 1)'
+    {[testenv:func_logs]commands}
+
 
 [testenv:linters]
 deps =