diff --git a/defaults/main.yml b/defaults/main.yml index 8e82c7f3..21da1f0d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -306,3 +306,7 @@ sudoers_remove_authenticate: no # V-58901 # # V-38651 - System default umask for bash must be 077 #umask_bash: 077 # V-38651 + +## Unattended upgrades (APT) configuration +unattended_upgrades_enabled: false +unattended_upgrades_notifications: false diff --git a/doc/source/developer-notes/V-38481.rst b/doc/source/developer-notes/V-38481.rst index a4bf072e..bc435db4 100644 --- a/doc/source/developer-notes/V-38481.rst +++ b/doc/source/developer-notes/V-38481.rst @@ -1,10 +1,18 @@ **Exception** -Operating system patching is left up to the deployer to configure based on -their business requirements and toleration for risk. Enabling automated -updates in Ubuntu can be done with changes to the apt configuration. +Operating system patching policies vary from organization to organization and +are typically established based on business requirements and risk tolerance. -Ubuntu's documentation on `automatic updates`_ covers a few options for -configuring apt. +If desired, automatic updates (using the ``unattended-upgrades`` package) +can be enabled via openstack-ansible-security by setting the following +variable to ``true``: -.. _automatic updates: https://help.ubuntu.com/lts/serverguide/automatic-updates.html +.. code-block:: yaml + + unattended_upgrades: true + +Note that this will only apply updates made available to the distro-security +(eg. trusty-security) repositories. + +**Deployers are urged to fully understand the impact of enabling automatic +update before making the change.** diff --git a/files/20auto-upgrades b/files/20auto-upgrades new file mode 100644 index 00000000..8d6d7c82 --- /dev/null +++ b/files/20auto-upgrades @@ -0,0 +1,2 @@ +APT::Periodic::Update-Package-Lists "1"; +APT::Periodic::Unattended-Upgrade "1"; diff --git a/tasks/apt.yml b/tasks/apt.yml index 3a680ee6..27e23249 100644 --- a/tasks/apt.yml 
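Review bot: The variable name introduced here, `unattended_upgrades_enabled`, does not match what the developer note in this same commit tells deployers to set (`unattended_upgrades: true` in doc/source/developer-notes/V-38481.rst); a deployer following the docs would get no unattended upgrades and no error, since an unknown variable is simply ignored by the `when` guards in tasks/apt.yml. The doc example should read `unattended_upgrades_enabled: true` and could also mention `unattended_upgrades_notifications`. The two new defaults also carry no explanation; a short comment above each would help, e.g. `# Install unattended-upgrades and enable periodic security updates (V-38481)` and `# Only effective when unattended_upgrades_enabled is true; sets Unattended-Upgrade::Mail to root`.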
+++ b/tasks/apt.yml @@ -60,3 +60,36 @@ - auth - cat1 - V-38462 + +- name: Install unattended-upgrades package (for V-38481) + apt: + name: unattended-upgrades + state: present + when: unattended_upgrades_enabled | bool + tags: + - apt + - cat2 + - V-38481 + +- name: V-38481 - System security patches and updates must be installed and up-to-date + copy: + src: 20auto-upgrades + dest: /etc/apt/apt.conf.d/20auto-upgrades + when: unattended_upgrades_enabled | bool + tags: + - apt + - cat2 + - V-38481 + +- name: Enable unattended upgrades notifications (for V-38481) + lineinfile: + dest: /etc/apt/apt.conf.d/50unattended-upgrades + regexp: '^(\/\/)?Unattended-Upgrade::Mail "root";' + line: 'Unattended-Upgrade::Mail "root";' + when: + - unattended_upgrades_enabled | bool + - unattended_upgrades_notifications | bool + tags: + - apt + - cat2 + - V-38481 diff --git a/tests/test.yml b/tests/test.yml index 246c9018..fd96783d 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -19,5 +19,28 @@ - name: Ensure apt cache is updated before testing apt: update_cache: yes + post_tasks: + - name: Stat 20auto-upgrades file + stat: + path: /etc/apt/apt.conf.d/20auto-upgrades + register: auto_upgrades_file + - name: Slurp contents of 50unattended-upgrades file + slurp: + src: /etc/apt/apt.conf.d/50unattended-upgrades + register: unattended_upgrades_file_encoded + - name: Decode slurp'd 50-unattended-upgrades file + set_fact: + unattended_upgrades_file: "{{ unattended_upgrades_file_encoded.content | b64decode }}" + - name: Ensure auto updates has been enabled + assert: + that: + - auto_upgrades_file.stat.exists + - name: Ensure that auto update notifications has been enabled + assert: + that: + - "'\nUnattended-Upgrade::Mail \"root\";\n' in unattended_upgrades_file" roles: - role: "{{ rolename }}" + vars: + unattended_upgrades_enabled: true + unattended_upgrades_notifications: true
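Review bot: The copy task that installs /etc/apt/apt.conf.d/20auto-upgrades has no counterpart for the disabled case, so a host that was once run with `unattended_upgrades_enabled: true` keeps performing periodic upgrades after the variable is set back to false; the notification lineinfile is one-way in the same sense. If the role is meant to be re-runnable with the toggle flipped back, a removal task guarded by the negated condition closes the gap, as sketched below. The copy task also leaves ownership and mode to the remote umask; for a file apt reads as root, pinning `owner: root`, `group: root` and `mode: "0644"` makes the result explicit and independent of any umask hardening applied elsewhere in the role.
```yaml
# … unchanged: install, copy and lineinfile tasks for V-38481 …
- name: Remove 20auto-upgrades when unattended upgrades are disabled (for V-38481)
  file:
    path: /etc/apt/apt.conf.d/20auto-upgrades
    state: absent
  when: not (unattended_upgrades_enabled | bool)
  tags:
    - apt
    - cat2
    - V-38481
```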
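Review bot: The `Ensure auto updates has been enabled` assertion only checks that /etc/apt/apt.conf.d/20auto-upgrades exists, so a file with the wrong content, or one left behind by the test image, would pass; the notification check already slurps and inspects content, and the same approach pins the actual setting here. The additional slurp, decode and assertion are sketched below. On style, `post_tasks:` is written above `roles:` even though Ansible runs it after the roles; listing `roles` first reads in execution order.
```yaml
    - name: Slurp contents of 20auto-upgrades file
      slurp:
        src: /etc/apt/apt.conf.d/20auto-upgrades
      register: auto_upgrades_file_encoded
    - name: Decode slurp'd 20auto-upgrades file
      set_fact:
        auto_upgrades_file_contents: "{{ auto_upgrades_file_encoded.content | b64decode }}"
    # … unchanged: stat of 20auto-upgrades and slurp/decode of 50unattended-upgrades …
    - name: Ensure auto updates has been enabled
      assert:
        that:
          - auto_upgrades_file.stat.exists
          - "'APT::Periodic::Unattended-Upgrade \"1\";' in auto_upgrades_file_contents"
```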