From 5ef94bf0ca308c57167b653495fd1365645bbf65 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Tue, 16 May 2017 10:24:19 -0500
Subject: [PATCH] Fix security role gate
This commit removes the verbose options from the gate job and disables clamav installation in the CI jobs. The clamav package is only available in the EPEL repository, but the EPEL repo has been removed from the CentOS images in the OpenStack gate. This will need to be handled carefully in a later patch. It also removes an apostrophe from `tasks/main.yml` that breaks syntax highlighting in vim.
Change-Id: Ifbfc56ed5fe92887cf5beb6b2703fdc3e1c8bb05
---
 tasks/main.yml | 2 +-
 tests/test.yml | 5 ++++-
 tox.ini | 4 ++--
 3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 10e56b97..6129de01 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -31,7 +31,7 @@
 tags:
 - always
- - name: Check to see if we're booting with EFI/UEFI
+ - name: Check to see if we are booting with EFI or UEFI
 set_fact:
 booted_with_efi: "{{ ansible_mounts | selectattr('mount', 'equalto', '/boot/efi') | list | length > 0 }}"
 tags:
diff --git a/tests/test.yml b/tests/test.yml
index 99677a84..f9e6d0e4 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -86,7 +86,10 @@
 security_unattended_upgrades_enabled: "{{ (ansible_os_family | lower == 'debian') | ternary(true, false) }}"
 security_unattended_upgrades_notifications: "{{ (ansible_os_family | lower == 'debian') | ternary(true, false) }}"
 security_rhel7_automatic_package_updates: "{{ (ansible_os_family | lower == 'debian') | ternary(true, false) }}"
- security_enable_virus_scanner: yes
+ # NOTE(mhayden): clamav is only available if EPEL is installed. There needs
+ # to be some work done to figure out how to install EPEL for use with
+ # this role without causing disruptions on the system.
+ security_enable_virus_scanner: no
 security_run_virus_scanner_update: no
 security_search_for_invalid_owner: yes
 security_search_for_invalid_group_owner: yes
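Review bot: Setting `security_enable_virus_scanner: no` unconditionally removes the ClamAV tasks from every gate job, although the commit message ties the failure only to EPEL being absent from the CentOS images. If clamav is still installable on the Debian-family images (not visible from this hunk), the three context lines above already show the pattern to follow, e.g. `security_enable_virus_scanner: "{{ ansible_os_family | lower == 'debian' }}"`, which keeps the scanner tasks under test where the package exists. The NOTE comment should also state that the limitation is CentOS-specific, so the follow-up patch knows which platform needs re-enabling. The vars block this line sits in starts and ends outside the hunk.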
diff --git a/tox.ini b/tox.ini
index 1e16f1d3..4bdd3947 100644
--- a/tox.ini
+++ b/tox.ini
@@ -109,7 +109,7 @@ deps =
 setenv =
 {[testenv]setenv}
 # NOTE(mhayden): Disabling chrony since it causes conflicts in CI.
- ANSIBLE_PARAMETERS="-vvv -e security_rhel7_enable_chrony=no"
+ ANSIBLE_PARAMETERS=-e security_rhel7_enable_chrony=no
 commands =
 {[testenv:tests_clone]commands}
 bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
@@ -120,7 +120,7 @@ deps =
 setenv =
 {[testenv]setenv}
 # NOTE(mhayden): Disabling chrony since it causes conflicts in CI.
- ANSIBLE_PARAMETERS="-vvv -e stig_version=rhel6 --skip-tags V-38462,V-38660 -e security_enable_chrony=no"
+ ANSIBLE_PARAMETERS=-e stig_version=rhel6 --skip-tags V-38462,V-38660 -e security_enable_chrony=no
 commands =
 {[testenv:tests_clone]commands}
 bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
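Review bot: With the quotes gone, `ANSIBLE_PARAMETERS` is a bare space-separated string, so it only works if `tests/common/test-ansible-functional.sh` expands it unquoted and lets the shell word-split it; that script is not part of this diff, so this should be confirmed. tox passes setenv values verbatim, which is presumably why the quoted form misbehaved. Once confirmed, a short comment would stop the quotes being re-added later, e.g. `# NOTE: no quotes here; tox passes the value verbatim and the test script splits it on whitespace.` The same applies to the `@@ -120,7 +120,7 @@` hunk.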
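Review bot: The new `ANSIBLE_PARAMETERS` line keeps `--skip-tags V-38462,V-38660`, but the only comment above it explains chrony, so nothing records why two STIG controls are excluded from the gate. Skipped hardening checks are easy to forget, and a line such as `# NOTE: V-38462 and V-38660 are skipped in CI because <reason>; re-enable once <condition>.` would make the coverage gap visible. This job also passes `security_enable_chrony=no` while the previous one passes `security_rhel7_enable_chrony=no`; if the different name is intentional for `stig_version=rhel6`, saying so in the same comment guards against an override that silently does nothing.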