Add idempotency check

This patch adds idempotency checking for the security role. It
ensures that no changes are made when the security role runs
multiple times against the same system.

Change-Id: Ia5df45ddc64b1af5149df64f3483f472b06d73f7

tasks/auditd.yml

@@ -134,6 +134,7 @@
 - name: Check audit package contents for alterations with rpm (for V-38637)
   shell: rpmverify audit audit-libs | grep -v audit.conf | wc -l
   register: v38637_result
+  changed_when: False
   when: ansible_pkg_mgr == 'yum'
   tags:
     - auditd

tasks/auth.yml

@@ -60,6 +60,7 @@
 - name: V-38496 - Get all system accounts
   shell: "awk -F: '$1 !~ /^root$/ && $3 < 500 {print $1}' /etc/passwd"
   register: v38496_system_users
+  changed_when: False
   always_run: True
   tags:
     - auth
@@ -69,6 +70,7 @@
 - name: V-38496 - Loop through system accounts to find unlocked accounts
   shell: "awk -F: '$1 ~ /^{{ item }}$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow"
   register: v38496_unlocked_system_users
+  changed_when: False
   always_run: True
   with_items: "{{ v38496_system_users.stdout_lines | default([]) }}"
   tags:
@@ -432,6 +434,7 @@
 - name: Search for sudoers files (for V-58901)
   shell: find /etc/sudoers* -type f
   register: v58901_result
+  changed_when: False
   always_run: True
   tags:
     - auth

tasks/console.yml

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: V-38668 - The x86 Ctrl-Alt-Delete key sequence must be disabled
+- name: V-38668 - The x86 Ctrl-Alt-Delete key sequence must be disabled (init)
   lineinfile:
     dest: /etc/init/control-alt-delete.conf
     regexp: '^(#)?exec shutdown -r now "Control-Alt-Delete pressed"'
@@ -25,9 +25,25 @@
     - cat1
     - V-38668
 
-- name: V-38668 - The x86 Ctrl-Alt-Delete key sequence must be disabled
-  command: systemctl mask ctrl-alt-del.target
+# This returns an exit code of 0 if it's running, 3 if it's masked.
+- name: Check if ctrl-alt-del.target is already masked (systemd)
+  command: systemctl status ctrl-alt-del.target
+  register: cad_mask_check
+  changed_when: False
+  always_run: True
+  failed_when: False
   when: systemd_running | bool
+  tags:
+    - always
+    - console
+    - cat1
+    - V-38668
+
+- name: V-38668 - The x86 Ctrl-Alt-Delete key sequence must be disabled (systemd)
+  command: systemctl mask ctrl-alt-del.target
+  when:
+    - systemd_running | bool
+    - "'masked' in cad_mask_check.stdout"
   tags:
     - console
     - cat1

tasks/main.yml

@@ -30,6 +30,7 @@
   - name: Check init system
     command: cat /proc/1/comm
     register: _pid1_name
+    changed_when: False
     always_run: True
     tags:
       - always
@@ -43,6 +44,7 @@
   - name: Check for check/audit mode
     command: /bin/true
     register: noop_result
+    changed_when: False
     tags:
       - always
 

tasks/misc.yml

@@ -404,6 +404,7 @@
 - name: Check for unlabeled device files (for V-51379)
   shell: "find /dev -context '*unlabeled_t*'"
   register: v51379_unlabeled_devices
+  changed_when: False
   always_run: True
   when:
     - ansible_os_family == 'RedHat'

tasks/sshd.yml

@@ -21,6 +21,7 @@
 - name: Check for security role marker in sshd_config
   command: "grep '^# openstack-ansible-security configurations' /etc/ssh/sshd_config"
   register: sshd_marker_check
+  changed_when: False
   always_run: True
   failed_when: False
   tags:
@@ -30,6 +31,7 @@
 - name: Check for Match stanzas in sshd_config
   command: "grep '^Match' /etc/ssh/sshd_config"
   register: sshd_match_check
+  changed_when: False
   always_run: True
   failed_when: False
   tags:

tox.ini

@@ -160,24 +160,32 @@ deps =
     {[testenv:ansible]deps}
 setenv =
     {[testenv:ansible]setenv}
-# NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now building
-#                   images with apt config Apt::Get::AllowUnauthenticated set
-#                   to true.
 commands =
     {[testenv:ansible]commands}
-    # NOTE(mhayden): Check/audit mode is a feature of the role and it should
-    #                be tested prior to running the functional test.
+
+    # NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now
+    #                   building images with apt config
+    #                   Apt::Get::AllowUnauthenticated set to true.
     ansible-playbook --check \
                      -i {toxinidir}/tests/inventory \
                      -e "rolename={toxinidir}" \
                      -e "install_test_packages=True" \
                      --skip-tag V-38462 \
-                     {toxinidir}/tests/test_check.yml -vvvv
+                     {toxinidir}/tests/test_check.yml
     ansible-playbook -i {toxinidir}/tests/inventory \
                      -e "rolename={toxinidir}" \
                      -e "install_test_packages=True" \
                      --skip-tag V-38462 \
-                     {toxinidir}/tests/test.yml -vvvv
+                     {toxinidir}/tests/test.yml
+    bash -c 'ansible-playbook -i {toxinidir}/tests/inventory \
+                     -e "rolename={toxinidir}" \
+                     -e "install_test_packages=True" \
+                     --skip-tag V-38462 \
+                     {toxinidir}/tests/test.yml \
+                     | grep -q "changed=0.*failed=0" \
+                     && (echo "Idempotence test: pass" && exit 0) \
+                     || (echo "Idempotence test: fail" && exit 1)'
+
 
 
 [testenv:linters]