Fix issues from new CentOS 7 release

This patch fixes the gate blocker for CentOS 7 in the Newton branch.

The grep for `rpmverify` needed an update to exclude `/var` and
`/etc`. Files in both directories are updated in the security role.

Also, the `yum-cron` packaging bug affects the Newton branch as well.
The workaround from master (I80b66a6d9e7c8ad97761a1f890ec6a3d2db88659)
is backported to Newton.

Change-Id: I9b0f77eceb32d18a0d07f53ff1dbac2117b29da4

tasks/auditd.yml

@@ -100,7 +100,7 @@
     - V-38637
 
 - name: Check audit package contents for alterations with rpm (for V-38637)
-  shell: "rpmverify audit audit-libs | grep -v '\\.conf$' | wc -l"
+  shell: "rpmverify audit audit-libs | egrep -v '/(etc|var)' | wc -l"
   register: v38637_result
   changed_when: False
   when: ansible_pkg_mgr == 'yum'

tests/test.yml

@@ -64,5 +64,9 @@
   roles:
     - role: "openstack-ansible-security"
   vars:
-    security_unattended_upgrades_enabled: true
-    security_unattended_upgrades_notifications: true
+    # NOTE(mhayden): yum-cron has a bug upon update due to a RPM conflict in
+    # the yum-cron.conf file. This test should be re-enabled when the
+    # OpenStack CI images are updated.
+    # See https://bugzilla.redhat.com/show_bug.cgi?id=1293513
+    security_unattended_upgrades_enabled: "{{ (ansible_os_family | lower == 'debian') | ternary(true, false) }}"
+    security_unattended_upgrades_notifications: "{{ (ansible_os_family | lower == 'debian') | ternary(true, false) }}"