Fix security role gate
This patch includes three manual backports to fix the stable/ocata gate jobs. It disables ClamAV auto updates, temporarily disables installation of ClamAV in the gate, and cleans up the func_rhel7 job from tox.ini. Combined backport of: I44c2e089ff6175b3004ef7f6713622ac615bf6db Ifbfc56ed5fe92887cf5beb6b2703fdc3e1c8bb05 I39cfcc102bc98895823b4de9df930e6f273aaf15 Change-Id: Ieb0a1bb0acd1172600e23555babf66d6bb940a29
parent
c58c839f9c
commit
3a2486f51b
|
@ -548,6 +548,8 @@ security_rhel7_enable_linux_security_module: yes # RHEL-07-020210 /
|
|||
security_rhel7_disable_autofs: yes # RHEL-07-020161
|
||||
# Enable virus scanning with clamav
|
||||
security_enable_virus_scanner: no # RHEL-07-030810
|
||||
# Run the virus scanner update during the deployment (if scanner is deployed)
|
||||
security_run_virus_scanner_update: yes
|
||||
# Disable ctrl-alt-delete key sequence on the console.
|
||||
security_rhel7_disable_ctrl_alt_delete: yes # RHEL-07-020220
|
||||
# Install and enable firewalld for iptables management.
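Review bot: The new `security_run_virus_scanner_update` default has no comment explaining what is lost when it is turned off, and unlike its neighbours it carries no STIG identifier or a statement that none applies. With the default of `yes` the role presumably contacts the ClamAV signature mirrors during deployment, so operators in offline or restricted networks will disable it, and they should be told that definitions then stay at whatever was installed. I would extend the comment with something like `# Set to no where signature mirrors are unreachable; definitions must then be refreshed by another mechanism.`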
|
||||
|
|
|
@ -31,7 +31,7 @@
|
|||
tags:
|
||||
- always
|
||||
|
||||
- name: Check to see if we're booting with EFI/UEFI
|
||||
- name: Check to see if we are booting with EFI or UEFI
|
||||
set_fact:
|
||||
booted_with_efi: "{{ ansible_mounts | selectattr('mount', 'equalto', '/boot/efi') | list | length > 0 }}"
|
||||
tags:
|
||||
|
|
|
@ -188,6 +188,7 @@
|
|||
when:
|
||||
- clamav_install_check.stat.exists
|
||||
- security_enable_virus_scanner | bool
|
||||
- security_run_virus_scanner_update | bool
|
||||
async: 300
|
||||
poll: 5
|
||||
tags:
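Review bot: When `security_run_virus_scanner_update` is false this task is skipped silently, so a host can end up with the scanner enabled and a stale or missing signature database while nothing in the play output says so. The task begins above the hunk, so the command itself is not visible, but the `when` list at the added line is the only place the decision is made. Consider a comment above the task such as `# Skipped when security_run_virus_scanner_update is false; this role does not refresh definitions in that case`, or a short `debug` task with the inverse condition so the skip shows up in deployment logs. Whether later tasks that start the scanner service tolerate an empty database is not visible here and is worth confirming.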
|
||||
|
|
|
@ -86,7 +86,11 @@
|
|||
security_unattended_upgrades_enabled: "{{ (ansible_os_family | lower == 'debian') | ternary(true, false) }}"
|
||||
security_unattended_upgrades_notifications: "{{ (ansible_os_family | lower == 'debian') | ternary(true, false) }}"
|
||||
security_rhel7_automatic_package_updates: "{{ (ansible_os_family | lower == 'debian') | ternary(true, false) }}"
|
||||
security_enable_virus_scanner: yes
|
||||
# NOTE(mhayden): clamav is only available if EPEL is installed. There needs
|
||||
# to be some work done to figure out how to install EPEL for use with
|
||||
# this role without causing disruptions on the system.
|
||||
security_enable_virus_scanner: no
|
||||
security_run_virus_scanner_update: no
|
||||
security_search_for_invalid_owner: yes
|
||||
security_search_for_invalid_group_owner: yes
|
||||
security_enable_firewalld: yes
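Review bot: Setting `security_enable_virus_scanner: no` in the test variables removes all gate coverage of the ClamAV tasks (tagged RHEL-07-030810 in the defaults), and the added NOTE does not say that this is temporary or what must happen before it is switched back on. The commit message calls the change temporary, so the file should say the same, e.g. `# TODO(<owner>): re-enable once EPEL can be installed in the gate (<tracking-bug>)`. With the scanner disabled, `security_run_virus_scanner_update: no` has no effect here because the update task also requires `security_enable_virus_scanner`; a one-line comment saying it is kept for when the scanner is re-enabled would avoid confusion.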
|
||||
|
|
13
tox.ini
13
tox.ini
|
@ -114,19 +114,6 @@ commands =
|
|||
{[testenv:tests_clone]commands}
|
||||
bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
|
||||
|
||||
# NOTE(mhayden): This should be removed once upstream gating is using the
|
||||
# func_rhel6 test below.
|
||||
[testenv:func_rhel7]
|
||||
deps =
|
||||
{[testenv:ansible]deps}
|
||||
setenv =
|
||||
{[testenv]setenv}
|
||||
# NOTE(mhayden): Disabling chrony since it causes conflicts in CI.
|
||||
ANSIBLE_PARAMETERS=-e stig_version=rhel6 --skip-tags V-38462,V-38660 -e security_enable_chrony=no
|
||||
commands =
|
||||
{[testenv:tests_clone]commands}
|
||||
bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
|
||||
|
||||
[testenv:func_rhel6]
|
||||
deps =
|
||||
{[testenv:ansible]deps}
|
||||
|
|