From 1d5824ddc476446d4c00541690f0967012210222 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Fri, 21 May 2021 17:27:02 +0300
Subject: [PATCH] Add hardening specific variables to tests

In order to fully test hardening role we need to enable as much tasks as we can. So we add extra set of variables, that might be not enabled by default

Change-Id: I0d6ba3632962ef1b6ecf865489846a95b46f6a30
---
 .../tasks/prepare_aio_config.yml | 3 ++
 .../templates/user_variables_hardening.yml.j2 | 29 +++++++++++++++++++
 zuul.d/playbooks/pre-gate-scenario.yml | 12 ++++++++
 3 files changed, 44 insertions(+)
 create mode 100644 tests/roles/bootstrap-host/templates/user_variables_hardening.yml.j2

diff --git a/tests/roles/bootstrap-host/tasks/prepare_aio_config.yml b/tests/roles/bootstrap-host/tasks/prepare_aio_config.yml
index c9f721556b..a2810a42d3 100644
--- a/tests/roles/bootstrap-host/tasks/prepare_aio_config.yml
+++ b/tests/roles/bootstrap-host/tasks/prepare_aio_config.yml
@@ -188,6 +188,9 @@
 - src: user_variables_horizon.yml.j2
 dest: user_variables_horizon.yml
 condition: "{{ 'horizon' in bootstrap_host_scenarios }}"
+ - src: user_variables_hardening.yml.j2
+ dest: user_variables_hardening.yml
+ condition: "{{ 'hardening' in bootstrap_host_scenarios_expanded }}"
 
 - name: Copy modified cinder-volume env.d file for ceph scenario
 copy:
diff --git a/tests/roles/bootstrap-host/templates/user_variables_hardening.yml.j2 b/tests/roles/bootstrap-host/templates/user_variables_hardening.yml.j2
new file mode 100644
index 0000000000..afdd37e458
--- /dev/null
+++ b/tests/roles/bootstrap-host/templates/user_variables_hardening.yml.j2
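Review bot: The new entry's condition consults `bootstrap_host_scenarios_expanded` while the horizon entry directly above it consults `bootstrap_host_scenarios`, and nothing in the hunk says why adjacent entries of the same list use different variables. If the expanded list is deliberately the one to check here (I cannot see its definition from this hunk), a one-line comment on the new entry such as `# hardening is only present in the expanded scenario list` would keep the next reader from "fixing" it to match its neighbour; if it is not deliberate, the line should read `condition: "{{ 'hardening' in bootstrap_host_scenarios }}"`. The task that owns this list starts above the hunk, so I could not check which variable the remaining entries use.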
@@ -0,0 +1,29 @@
+---
+
+security_disable_account_if_password_expires: yes
+security_enable_firewalld: yes
+security_pwquality_apply_rules: yes
+security_enable_pwquality_password_set: yes
+security_lock_session: yes
+security_pwquality_require_minimum_password_length: yes
+security_package_clean_on_remove: yes
+security_pam_faillock_enable: yes
+security_password_remember_password: 5
+security_reset_perm_ownership: yes
+security_require_grub_authentication: yes
+security_rhel7_automatic_package_updates: yes
+security_rhel7_initialize_aide: yes
+security_rhel7_remove_shosts_files: yes
+security_search_for_invalid_owner: yes
+security_search_for_invalid_group_owner: yes
+security_set_home_directory_permissions_and_owners: yes
+security_set_minimum_password_lifetime: yes
+security_unattended_upgrades_enabled: yes
+security_unattended_upgrades_notifications: yes
+# NOTE(mhayden): clamav is only available if EPEL is installed. There needs
+# to be some work done to figure out how to install EPEL for use with
+# this role without causing disruptions on the system.
+security_enable_virus_scanner: no
+security_run_virus_scanner_update: no
+# Enable the contrib tasks.
+security_contrib_enabled: yes
diff --git a/zuul.d/playbooks/pre-gate-scenario.yml b/zuul.d/playbooks/pre-gate-scenario.yml
index 4dcb2e49fc..f3ba8901f8 100644
--- a/zuul.d/playbooks/pre-gate-scenario.yml
+++ b/zuul.d/playbooks/pre-gate-scenario.yml
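Review bot: Every boolean in the new template is written as `yes`/`no`, which yamllint's `truthy` rule rejects and which a YAML 1.2 parser reads as the plain strings "yes"/"no" rather than booleans; Ansible's YAML 1.1 loader accepts them today, but the canonical and portable form is `true`/`false`. I would rewrite each boolean line accordingly, e.g. `security_enable_firewalld: true` and `security_enable_virus_scanner: false`, leaving `security_password_remember_password: 5` as it is. Since the file is rendered as a `.j2` template but contains no Jinja expressions, a short header comment stating that it intentionally switches on every optional hardening task for the gate (the intent the commit message gives) would also tell future readers that these are test settings, not recommended production defaults.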
@@ -41,6 +41,14 @@
 {% set role_service_name = zuul.project.short_name |
 regex_replace('^openstack-ansible-os_(.*)$', '\\1')
 %}
+ {% elif zuul.project.short_name is match('^ansible-role-(.*)$') %}
+ {% set role_service_name = zuul.project.short_name |
+ regex_replace('^ansible-role-(.*)$', '\\1')
+ %}
+ {% elif zuul.project.short_name == 'ansible-hardening' %}
+ {% set role_service_name = 'hardening' %}
+ {% endif %}
+ {% if role_service_name is defined %}
 {% set _ = _scenario.append(role_service_name) %}
 {# Add special scenarios based on the project name #}
 {% if role_service_name in scenario_map %}
@@ -58,6 +66,10 @@
 %}
 {% endif%}
 {% endfor %}
+ {# Hardening role is special as our regular filters don't work for it #}
+ {% if zuul.project.short_name == 'ansible-hardening' %}
+ {% set _ = _scenario.append('hardening') %}
+ {% endif %}
 {% endif %}
 {{ _scenario | join('_') }}
 when:
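Review bot: For `zuul.project.short_name == 'ansible-hardening'` the new `elif` branch sets `role_service_name = 'hardening'`, the context line `{% set _ = _scenario.append(role_service_name) %}` then appends it, and the second hunk (`@@ -58,6 +66,10 @@`) appends `'hardening'` once more inside the same `{% if role_service_name is defined %}` block, so the joined scenario string would carry `hardening` twice unless the lines between the two hunks (not visible here) reset or deduplicate `_scenario`. If the later append is there because the intervening for-loop filter drops the first entry, the `{# Hardening role is special ... #}` comment should say exactly that; otherwise one of the two appends should go, or the second should be guarded with `{% if 'hardening' not in _scenario %}` so the list stays unique. The `set_fact` expression these hunks belong to starts before the first hunk, and the `{% if role_service_name is defined %}` opened in the first hunk appears to be closed only by the `{% endif %}` context line of the second.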