Add idempotency check
This patch adds idempotency checking for the security role. It ensures that no changes are made when the security role runs multiple times against the same system. Change-Id: Ia5df45ddc64b1af5149df64f3483f472b06d73f7
This commit is contained in:
parent
20b8d9a86d
commit
fa11dd430b
|
@ -134,6 +134,7 @@
|
|||
- name: Check audit package contents for alterations with rpm (for V-38637)
|
||||
shell: rpmverify audit audit-libs | grep -v audit.conf | wc -l
|
||||
register: v38637_result
|
||||
changed_when: False
|
||||
when: ansible_pkg_mgr == 'yum'
|
||||
tags:
|
||||
- auditd
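Review bot: The rpmverify task gets `changed_when: False` but, unlike every other read-only check in this commit, no `always_run: True`, so under `ansible-playbook --check` (the audit mode the tox change now exercises) this shell task is skipped and `v38637_result` is never registered for whatever consumes it later outside this hunk. Adding `always_run: True` directly after `changed_when: False` keeps V-38637 auditable. Separately, the pipeline's exit status is that of `wc`, so an rpmverify error (package absent, rpm database locked) is reported as a count of 0 rather than as a failure; prefixing the command with `set -o pipefail;` would surface it.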
|
||||
|
|
|
@ -60,6 +60,7 @@
|
|||
- name: V-38496 - Get all system accounts
|
||||
shell: "awk -F: '$1 !~ /^root$/ && $3 < 500 {print $1}' /etc/passwd"
|
||||
register: v38496_system_users
|
||||
changed_when: False
|
||||
always_run: True
|
||||
tags:
|
||||
- auth
|
||||
|
@ -69,6 +70,7 @@
|
|||
- name: V-38496 - Loop through system accounts to find unlocked accounts
|
||||
shell: "awk -F: '$1 ~ /^{{ item }}$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow"
|
||||
register: v38496_unlocked_system_users
|
||||
changed_when: False
|
||||
always_run: True
|
||||
with_items: "{{ v38496_system_users.stdout_lines | default([]) }}"
|
||||
tags:
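Review bot: The awk pattern on the `Loop through system accounts` task, `$1 ~ /^{{ item }}$/`, interpolates each account name from `/etc/passwd` into a regular expression, so a name containing regex metacharacters (a `.` or `+`, or the bare `+` / `+@netgroup` entries of NIS-compat passwd files, which the `$3 < 500` filter in the first hunk lets through because their uid field is empty) either matches more than intended or makes awk reject the program. A plain string comparison avoids both: `shell: "awk -F: -v user='{{ item }}' '$1 == user && $2 !~ /^[!*]/ {print $1}' /etc/shadow"`. The task's tag list continues past the hunk.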
|
||||
|
@ -432,6 +434,7 @@
|
|||
- name: Search for sudoers files (for V-58901)
|
||||
shell: find /etc/sudoers* -type f
|
||||
register: v58901_result
|
||||
changed_when: False
|
||||
always_run: True
|
||||
tags:
|
||||
- auth
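Review bot: `find /etc/sudoers* -type f` depends on the shell glob expanding; on a host with neither `/etc/sudoers` nor `/etc/sudoers.d` the literal pattern reaches find, which exits non-zero and fails the play, whereas the sshd_config checks added in this same commit tolerate "nothing found" with `failed_when: False`. Adding `failed_when: False` after `always_run: True` (and treating a non-zero `v58901_result.rc` as "no sudoers files" where the result is consumed) keeps this check genuinely read-only and non-fatal in audit mode. The task's tag list continues past the hunk.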
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: V-38668 - The x86 Ctrl-Alt-Delete key sequence must be disabled
|
||||
- name: V-38668 - The x86 Ctrl-Alt-Delete key sequence must be disabled (init)
|
||||
lineinfile:
|
||||
dest: /etc/init/control-alt-delete.conf
|
||||
regexp: '^(#)?exec shutdown -r now "Control-Alt-Delete pressed"'
|
||||
|
@ -25,9 +25,25 @@
|
|||
- cat1
|
||||
- V-38668
|
||||
|
||||
- name: V-38668 - The x86 Ctrl-Alt-Delete key sequence must be disabled
|
||||
command: systemctl mask ctrl-alt-del.target
|
||||
# This returns an exit code of 0 if it's running, 3 if it's masked.
|
||||
- name: Check if ctrl-alt-del.target is already masked (systemd)
|
||||
command: systemctl status ctrl-alt-del.target
|
||||
register: cad_mask_check
|
||||
changed_when: False
|
||||
always_run: True
|
||||
failed_when: False
|
||||
when: systemd_running | bool
|
||||
tags:
|
||||
- always
|
||||
- console
|
||||
- cat1
|
||||
- V-38668
|
||||
|
||||
- name: V-38668 - The x86 Ctrl-Alt-Delete key sequence must be disabled (systemd)
|
||||
command: systemctl mask ctrl-alt-del.target
|
||||
when:
|
||||
- systemd_running | bool
|
||||
- "'masked' in cad_mask_check.stdout"
|
||||
tags:
|
||||
- console
|
||||
- cat1
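Review bot: The condition on the new `(systemd)` mask task appears inverted: `cad_mask_check` holds the output of `systemctl status ctrl-alt-del.target`, whose `Loaded:` line reads `masked` only once the unit is already masked, so `"'masked' in cad_mask_check.stdout"` runs `systemctl mask` exactly when there is nothing left to do and never on a fresh host. It should read `- "'masked' not in cad_mask_check.stdout"`. The comment on the check task also claims exit code 3 means masked, but 3 is systemd's "inactive" status and is returned for an unmasked target that is simply not active; since `failed_when: False` discards the rc anyway, a comment such as `# The "Loaded:" line reports "masked" once the target is masked; the exit code is not used.` describes what the tasks actually rely on. If the status command errors out, stdout is empty and the corrected condition attempts the mask, which is the safe direction.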
|
||||
|
|
|
@ -30,6 +30,7 @@
|
|||
- name: Check init system
|
||||
command: cat /proc/1/comm
|
||||
register: _pid1_name
|
||||
changed_when: False
|
||||
always_run: True
|
||||
tags:
|
||||
- always
|
||||
|
@ -43,6 +44,7 @@
|
|||
- name: Check for check/audit mode
|
||||
command: /bin/true
|
||||
register: noop_result
|
||||
changed_when: False
|
||||
tags:
|
||||
- always
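Review bot: The `Check for check/audit mode` task is the one new task in this commit without `always_run: True`, and that omission looks deliberate, but nothing records it; a maintainer applying the commit's pattern will add the flag and silently break audit-mode detection if, as the name suggests, the role detects check mode precisely by this task being skipped (`noop_result.skipped`). A comment above the task such as `# Intentionally NOT always_run: under --check this task is skipped, and noop_result.skipped is how the role detects audit mode.` captures the intent. The consumer of `noop_result` is outside this hunk, so confirm the mechanism there before wording the comment.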
|
||||
|
||||
|
|
|
@ -404,6 +404,7 @@
|
|||
- name: Check for unlabeled device files (for V-51379)
|
||||
shell: "find /dev -context '*unlabeled_t*'"
|
||||
register: v51379_unlabeled_devices
|
||||
changed_when: False
|
||||
always_run: True
|
||||
when:
|
||||
- ansible_os_family == 'RedHat'
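Review bot: `find /dev -context '*unlabeled_t*'` exits non-zero on a host where SELinux is disabled or find lacks SELinux support (the `-context` test is then an error, not an empty match), and with only `changed_when`/`always_run` set that aborts the run instead of reporting "no unlabeled devices". Guarding the task, e.g. adding `- ansible_selinux.status == 'enabled'` to the `when` list (which continues past the hunk), or setting `failed_when: False` and checking `v51379_unlabeled_devices.rc == 0` where the result is consumed, keeps audit mode non-fatal. Whether this role's plays gather the `ansible_selinux` fact I cannot tell from this hunk.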
|
||||
|
|
|
@ -21,6 +21,7 @@
|
|||
- name: Check for security role marker in sshd_config
|
||||
command: "grep '^# openstack-ansible-security configurations' /etc/ssh/sshd_config"
|
||||
register: sshd_marker_check
|
||||
changed_when: False
|
||||
always_run: True
|
||||
failed_when: False
|
||||
tags:
|
||||
|
@ -30,6 +31,7 @@
|
|||
- name: Check for Match stanzas in sshd_config
|
||||
command: "grep '^Match' /etc/ssh/sshd_config"
|
||||
register: sshd_match_check
|
||||
changed_when: False
|
||||
always_run: True
|
||||
failed_when: False
|
||||
tags:
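Review bot: The `Check for Match stanzas` grep is case-sensitive (`grep '^Match'`) while sshd treats configuration keywords case-insensitively, so a stanza written `match User foo` or indented with leading whitespace is missed and `sshd_match_check` reports none; since a Match block changes which settings apply to which sessions, use `command: "grep -i '^[[:space:]]*Match' /etc/ssh/sshd_config"`. With `failed_when: False` on both tasks, grep's rc 2 (missing or unreadable `/etc/ssh/sshd_config`) is indistinguishable from rc 1 (no match); `failed_when: sshd_marker_check.rc == 2` (and likewise for the Match check) keeps the tolerance for "not found" without masking a missing file. Both tasks' tag lists continue past the hunks.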
|
||||
|
|
22
tox.ini
22
tox.ini
|
@ -160,24 +160,32 @@ deps =
|
|||
{[testenv:ansible]deps}
|
||||
setenv =
|
||||
{[testenv:ansible]setenv}
|
||||
# NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now building
|
||||
# images with apt config Apt::Get::AllowUnauthenticated set
|
||||
# to true.
|
||||
commands =
|
||||
{[testenv:ansible]commands}
|
||||
# NOTE(mhayden): Check/audit mode is a feature of the role and it should
|
||||
# be tested prior to running the functional test.
|
||||
|
||||
# NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now
|
||||
# building images with apt config
|
||||
# Apt::Get::AllowUnauthenticated set to true.
|
||||
ansible-playbook --check \
|
||||
-i {toxinidir}/tests/inventory \
|
||||
-e "rolename={toxinidir}" \
|
||||
-e "install_test_packages=True" \
|
||||
--skip-tag V-38462 \
|
||||
{toxinidir}/tests/test_check.yml -vvvv
|
||||
{toxinidir}/tests/test_check.yml
|
||||
ansible-playbook -i {toxinidir}/tests/inventory \
|
||||
-e "rolename={toxinidir}" \
|
||||
-e "install_test_packages=True" \
|
||||
--skip-tag V-38462 \
|
||||
{toxinidir}/tests/test.yml -vvvv
|
||||
{toxinidir}/tests/test.yml
|
||||
bash -c 'ansible-playbook -i {toxinidir}/tests/inventory \
|
||||
-e "rolename={toxinidir}" \
|
||||
-e "install_test_packages=True" \
|
||||
--skip-tag V-38462 \
|
||||
{toxinidir}/tests/test.yml \
|
||||
| grep -q "changed=0.*failed=0" \
|
||||
&& (echo "Idempotence test: pass" && exit 0) \
|
||||
|| (echo "Idempotence test: fail" && exit 1)'
|
||||
|
||||
|
||||
|
||||
[testenv:linters]
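Review bot: The idempotence check `grep -q "changed=0.*failed=0"` matches any single line of the PLAY RECAP, so with more than one host in the inventory one clean host makes the test pass even if another reports `changed=3`, and it also passes on `unreachable=1` because that field is never examined; `-q` plus the pipe additionally discards ansible-playbook's own exit status. A check that fails on any non-clean recap line, and honours the playbook's exit code via `set -o pipefail`, is sketched below. Dropping `-vvvv` from the two preceding runs also means a failing functional run now leaves far less in the gate logs; if that is intended, a short comment saying so would help.
```ini
    bash -c 'set -o pipefail; ansible-playbook -i {toxinidir}/tests/inventory \
      -e "rolename={toxinidir}" \
      -e "install_test_packages=True" \
      --skip-tag V-38462 \
      {toxinidir}/tests/test.yml | tee {envtmpdir}/idempotence.log \
      && ! grep -E "changed=[1-9]|unreachable=[1-9]|failed=[1-9]" {envtmpdir}/idempotence.log \
      && (echo "Idempotence test: pass" && exit 0) \
      || (echo "Idempotence test: fail" && exit 1)'
```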
|
||||
|
|