--- # Copyright 2015, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - name: Playbook for role testing hosts: localhost pre_tasks: - name: Ensure apt cache is updated before testing apt: update_cache: yes cache_valid_time: "{{ cache_timeout }}" when: ansible_pkg_mgr == 'apt' changed_when: False - name: Ensure OpenStack CI image has a logrotate cron job file: path: /etc/cron.daily/logrotate state: touch when: ansible_os_family == 'RedHat' changed_when: False - name: Install dconf package to test graphical session locks package: name: dconf state: installed when: ansible_os_family == 'RedHat' changed_when: False post_tasks: - name: Stat 20auto-upgrades file stat: path: /etc/apt/apt.conf.d/20auto-upgrades register: auto_upgrades_file when: - not check_mode - stig_version == 'rhel6' - ansible_pkg_mgr == 'apt' - name: Slurp contents of 50unattended-upgrades file slurp: src: /etc/apt/apt.conf.d/50unattended-upgrades register: unattended_upgrades_file_encoded when: - not check_mode - stig_version == 'rhel6' - ansible_pkg_mgr == 'apt' - name: Decode slurp'd 50-unattended-upgrades file set_fact: unattended_upgrades_file: "{{ unattended_upgrades_file_encoded.content | b64decode }}" when: - not check_mode - stig_version == 'rhel6' - ansible_pkg_mgr == 'apt' - name: Ensure auto updates has been enabled assert: that: - auto_upgrades_file.stat.exists when: - not check_mode - stig_version == 'rhel6' - ansible_pkg_mgr == 'apt' - name: Ensure that auto update notifications has been enabled assert: that: - "'\nUnattended-Upgrade::Mail \"root\";\n' in unattended_upgrades_file" when: - not check_mode - stig_version == 'rhel6' - ansible_pkg_mgr == 'apt' roles: - role: "openstack-ansible-security" vars: security_pwquality_apply_rules: yes security_package_clean_on_remove: yes # NOTE(mhayden): yum-cron has a bug upon update due to a RPM conflict in # the yum-cron.conf file. This test should be re-enabled when the # OpenStack CI images are updated. # See https://bugzilla.redhat.com/show_bug.cgi?id=1293513 security_unattended_upgrades_enabled: "{{ (ansible_os_family | lower == 'debian') | ternary(true, false) }}" security_unattended_upgrades_notifications: "{{ (ansible_os_family | lower == 'debian') | ternary(true, false) }}" security_rhel7_automatic_package_updates: "{{ (ansible_os_family | lower == 'debian') | ternary(true, false) }}" # NOTE(mhayden): clamav is only available if EPEL is installed. There needs # to be some work done to figure out how to install EPEL for use with # this role without causing disruptions on the system. security_enable_virus_scanner: no security_run_virus_scanner_update: no security_search_for_invalid_owner: yes security_search_for_invalid_group_owner: yes security_enable_firewalld: yes security_password_remember_password: 5 security_disable_account_if_password_expires: yes security_rhel7_initialize_aide: yes security_require_grub_authentication: yes security_set_home_directory_permissions_and_owners_recursively: no security_reset_perm_ownership: yes security_rhel7_remove_shosts_files: yes