Prepare vagrant centos/7 box for role testing

This will fix the following issues when using the centos/7 box for role testing:

* TASK [../../../openstack-ansible-security : V-38476 ...
  fatal: [centos7]: FAILED! => {"changed": false, "failed": true, "msg": "Missing CentOS 7 GPG keys"}

  The required gpg-pubkey packages are created after the import of the provided signing keys
  in /etc/pki/rpm-gpg.

* TASK [../../../openstack-ansible-security : V-38574 ...
  fatal: [centos7]: FAILED! => {"changed": false, "failed": true, "msg": "Must use SHA512 for password hashing (via PAM)"}

  sha512 instead of md5 has to be used in /etc/pam.d/password-auth

* TASK [../../../openstack-ansible-security : Check password hashing algorithm used in login.defs (for V-38576)] ***
  fatal: [centos7]: FAILED! => {"changed": true, "cmd": "grep '^ENCRYPT_METHOD.*SHA512' /etc/login.defs", ...

  sha512 instead of md5 has to be used in /etc/login.defs

Change-Id: Ia40119dbf933b8102001cfe914312b17632bcf65
Co-authored-by: David Rabel <rabel@b1-systems.de>
Christian Berendt 2017-02-27 20:43:07 +01:00 committed by David Rabel
parent 83e3c206e8
commit dd52e48925
2 changed files with 18 additions and 0 deletions

9
Vagrantfile vendored

@ -15,6 +15,9 @@ Vagrant.configure("2") do |config|
ansible.skip_tags = ['V-38496']
# we need to run as sudo for a lot of the checks ansible-security runs
ansible.raw_arguments = ['-s']
ansible.groups = {
"ubuntu" => ["ubuntu1404"]
}
end
end
@ -30,6 +33,9 @@ Vagrant.configure("2") do |config|
ansible.skip_tags = ['V-38496']
# we need to run as sudo for a lot of the checks ansible-security runs
ansible.raw_arguments = ['-s']
ansible.groups = {
"ubuntu" => ["ubuntu1604"]
}
end
end
@ -45,6 +51,9 @@ Vagrant.configure("2") do |config|
ansible.skip_tags = ['V-38496']
# we need to run as sudo for a lot of the checks ansible-security runs
ansible.raw_arguments = ['-s']
ansible.groups = {
"centos" => ["centos7"]
}
end
end
end
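Review bot: The `ansible.groups` blocks, which appear to be the lines added in each of the three hunks, carry no comment explaining why they exist. Only the `"centos" => ["centos7"]` mapping is consumed by the `hosts: centos` play added to the test playbook in this commit; nothing visible here references the `ubuntu` groups. A comment above the centos mapping such as `# group name must match 'hosts: centos' in the prepare play of the test playbook` would make that coupling explicit, so a later rename does not silently skip the preparation step.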


@ -13,6 +13,15 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Prepare centos/7 box for role testing
hosts: centos
tasks:
- name: Import all archive signing keys from /etc/pki/rpm-gpg
shell: rpm --import /etc/pki/rpm-gpg/*
- name: Use sha512 instead of md5 as password hashing algorithm
shell: authconfig --passalgo=sha512 --update
- name: Playbook for role testing
hosts: all
roles:
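Review bot: `rpm --import /etc/pki/rpm-gpg/*` in the first prepare task trusts every file in that directory rather than only the CentOS 7 key that the V-38476 check reports missing. On a stock CentOS 7 image the directory typically also holds the Debug and Testing keys, so the glob widens the set of signers rpm will accept. Importing just the release key with the `rpm_key` module, e.g. `rpm_key: key=/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 state=present`, keeps the trust set minimal and makes the task idempotent. The authconfig task uses no shell features, so `command: authconfig --passalgo=sha512 --update` is the safer form. It only governs hashes created afterwards, so any account already hashed with md5 on the box keeps that hash until its password is changed. Both tasks also depend on the `-s` passed from the Vagrantfile for privilege, which a `become: yes` on the play would state explicitly.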