Add idempotency check

This patch adds idempotency checking for the security role. It
ensures that no changes are made when the security role runs
multiple times against the same system.

Change-Id: Ia5df45ddc64b1af5149df64f3483f472b06d73f7
This commit is contained in:
Major Hayden
2016-07-22 10:52:45 -05:00
parent 20b8d9a86d
commit fa11dd430b
7 changed files with 43 additions and 10 deletions

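--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -134,6 +134,7 @@
 - name: Check audit package contents for alterations with rpm (for V-38637)
 shell: rpmverify audit audit-libs | grep -v audit.conf | wc -l
 register: v38637_result
+changed_when: False
 when: ansible_pkg_mgr == 'yum'
 tags:
 - auditd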
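Review bot: The registered result can read as "no alterations" when rpmverify itself fails, because `wc -l` is the last command in the pipeline and sets the task's rc, so a missing or failing rpmverify exits 0 with stdout `0`; `changed_when: False` is correct for this read-only check but does not change that. Failing closed would be `shell: set -o pipefail; rpmverify audit audit-libs | grep -v audit.conf | wc -l` with `args: {executable: /bin/bash}` and `failed_when: v38637_result.rc not in [0, 1]` (rpm verification differences and a no-match from `grep -v` both exit 1, so only other statuses indicate a broken check). Unlike the sibling checks in this commit that pair `changed_when: False` with `always_run: True`, this task has no `always_run`, so under `--check` it is skipped and `v38637_result` is left undefined for any consumer, which lives outside this hunk. The task may also continue past the `- auditd` line shown here.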

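--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -60,6 +60,7 @@
 - name: V-38496 - Get all system accounts
 shell: "awk -F: '$1 !~ /^root$/ && $3 < 500 {print $1}' /etc/passwd"
 register: v38496_system_users
+changed_when: False
 always_run: True
 tags:
 - auth
@@ -69,6 +70,7 @@
 - name: V-38496 - Loop through system accounts to find unlocked accounts
 shell: "awk -F: '$1 ~ /^{{ item }}$/ && $2 !~ /^[!*]/ {print $1}' /etc/shadow"
 register: v38496_unlocked_system_users
+changed_when: False
 always_run: True
 with_items: "{{ v38496_system_users.stdout_lines | default([]) }}"
 tags:
@@ -432,6 +434,7 @@
 - name: Search for sudoers files (for V-58901)
 shell: find /etc/sudoers* -type f
 register: v58901_result
+changed_when: False
 always_run: True
 tags:
 - auth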
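Review bot: `find /etc/sudoers* -type f` in the V-58901 task fails the play when nothing matches the glob, because the shell then passes the literal `/etc/sudoers*` to find, which exits 1 on a nonexistent path; with `always_run: True` this now also happens in check mode on hosts without sudo installed. Unless the rest of this task (it continues past the `- auth` tag shown) sets `failed_when`, consider `failed_when: v58901_result.rc not in [0, 1]` or gating on the sudo package being present, so an absent file is reported as a skipped control rather than an error. The same `changed_when: False` plus `always_run: True` pairing is applied to the two V-38496 awk tasks in this file, where it is appropriate for read-only queries; a one-line comment above each such task, `# Read-only discovery: no system state is changed here`, would make that intent visible to the next maintainer.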


@@ -13,7 +13,7 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
- name: V-38668 - The x86 Ctrl-Alt-Delete key sequence must be disabled - name: V-38668 - The x86 Ctrl-Alt-Delete key sequence must be disabled (init)
lineinfile: lineinfile:
dest: /etc/init/control-alt-delete.conf dest: /etc/init/control-alt-delete.conf
regexp: '^(#)?exec shutdown -r now "Control-Alt-Delete pressed"' regexp: '^(#)?exec shutdown -r now "Control-Alt-Delete pressed"'
@@ -25,9 +25,25 @@
- cat1 - cat1
- V-38668 - V-38668
- name: V-38668 - The x86 Ctrl-Alt-Delete key sequence must be disabled # This returns an exit code of 0 if it's running, 3 if it's masked.
command: systemctl mask ctrl-alt-del.target - name: Check if ctrl-alt-del.target is already masked (systemd)
command: systemctl status ctrl-alt-del.target
register: cad_mask_check
changed_when: False
always_run: True
failed_when: False
when: systemd_running | bool when: systemd_running | bool
tags:
- always
- console
- cat1
- V-38668
- name: V-38668 - The x86 Ctrl-Alt-Delete key sequence must be disabled (systemd)
command: systemctl mask ctrl-alt-del.target
when:
- systemd_running | bool
- "'masked' in cad_mask_check.stdout"
tags: tags:
- console - console
- cat1 - cat1
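Review bot: The guard on the new mask task looks inverted: `systemctl status` prints `Loaded: masked` for a masked unit, so `- "'masked' in cad_mask_check.stdout"` runs `systemctl mask ctrl-alt-del.target` only when the target is already masked and never on a fresh system, and the idempotence test added in this commit cannot catch that because a task that never runs is trivially idempotent. The condition should be `- "'masked' not in cad_mask_check.stdout"`. A substring match on `systemctl status` output is also fragile, since that text is meant for humans and the comment above the check describes exit codes that the condition does not use; `command: systemctl is-enabled ctrl-alt-del.target` with `- "cad_mask_check.stdout != 'masked'"` is a stable interface, because `is-enabled` prints exactly `masked` for a masked unit. The `failed_when: False` on the check is needed either way, as both `status` and `is-enabled` exit non-zero for a masked unit.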


@@ -30,6 +30,7 @@
- name: Check init system - name: Check init system
command: cat /proc/1/comm command: cat /proc/1/comm
register: _pid1_name register: _pid1_name
changed_when: False
always_run: True always_run: True
tags: tags:
- always - always
@@ -43,6 +44,7 @@
- name: Check for check/audit mode - name: Check for check/audit mode
command: /bin/true command: /bin/true
register: noop_result register: noop_result
changed_when: False
tags: tags:
- always - always
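Review bot: The "Check for check/audit mode" task is the one place in this commit where `changed_when: False` is added without `always_run: True`, and that omission looks deliberate rather than an oversight: presumably `noop_result` is inspected later (outside this hunk) to detect `--check` mode, which only works because `command: /bin/true` is skipped in check mode. A comment stating that would protect it from a well-meant consistency edit, e.g. `# Deliberately no always_run: this task is skipped under --check, and that skip is how later tasks detect check/audit mode`. If that is not how `noop_result` is used, the comment should say what the task is actually for, since `/bin/true` on its own reads as dead code.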

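--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -404,6 +404,7 @@
 - name: Check for unlabeled device files (for V-51379)
 shell: "find /dev -context '*unlabeled_t*'"
 register: v51379_unlabeled_devices
+changed_when: False
 always_run: True
 when:
 - ansible_os_family == 'RedHat'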
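Review bot: The V-51379 task uses `shell` where `command` suffices: the argument `'*unlabeled_t*'` is quoted precisely so that no glob expansion happens, and there is no pipe or redirection, so `command: "find /dev -context '*unlabeled_t*'"` avoids invoking a shell at all, which is what ansible-lint's command-instead-of-shell rule asks for and removes one place where a later edit could introduce unintended shell parsing. The V-38496 awk tasks touched by this commit are likewise pipeline-free and could use `command` the same way, while the rpmverify check genuinely needs `shell` for its pipe. The `when` list here continues past the `ansible_os_family == 'RedHat'` line shown, so I cannot see whether SELinux being enabled is also required before `find -context` is run.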

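--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -21,6 +21,7 @@
 - name: Check for security role marker in sshd_config
 command: "grep '^# openstack-ansible-security configurations' /etc/ssh/sshd_config"
 register: sshd_marker_check
+changed_when: False
 always_run: True
 failed_when: False
 tags:
@@ -30,6 +31,7 @@
 - name: Check for Match stanzas in sshd_config
 command: "grep '^Match' /etc/ssh/sshd_config"
 register: sshd_match_check
+changed_when: False
 always_run: True
 failed_when: False
 tags: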
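Review bot: With `failed_when: False` on both grep checks, a missing or unreadable `/etc/ssh/sshd_config` (grep rc 2) is indistinguishable from "no marker found" (rc 1) unless whatever consumes `sshd_marker_check` and `sshd_match_check` (outside this hunk) compares `rc` exactly rather than testing it against zero; a consumer that checks `rc != 0` would treat an absent file as unmarked and go on to edit it. Narrowing the override to `failed_when: sshd_marker_check.rc == 2` (and `failed_when: sshd_match_check.rc == 2` in the second task) keeps "not found" quiet while surfacing a real read error. The new `changed_when: False` is correct for these read-only greps and is what lets the idempotence run report `changed=0` for them.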

tox.ini

@@ -160,24 +160,32 @@ deps =
{[testenv:ansible]deps} {[testenv:ansible]deps}
setenv = setenv =
{[testenv:ansible]setenv} {[testenv:ansible]setenv}
# NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now building
# images with apt config Apt::Get::AllowUnauthenticated set
# to true.
commands = commands =
{[testenv:ansible]commands} {[testenv:ansible]commands}
# NOTE(mhayden): Check/audit mode is a feature of the role and it should
# be tested prior to running the functional test. # NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now
# building images with apt config
# Apt::Get::AllowUnauthenticated set to true.
ansible-playbook --check \ ansible-playbook --check \
-i {toxinidir}/tests/inventory \ -i {toxinidir}/tests/inventory \
-e "rolename={toxinidir}" \ -e "rolename={toxinidir}" \
-e "install_test_packages=True" \ -e "install_test_packages=True" \
--skip-tag V-38462 \ --skip-tag V-38462 \
{toxinidir}/tests/test_check.yml -vvvv {toxinidir}/tests/test_check.yml
ansible-playbook -i {toxinidir}/tests/inventory \ ansible-playbook -i {toxinidir}/tests/inventory \
-e "rolename={toxinidir}" \ -e "rolename={toxinidir}" \
-e "install_test_packages=True" \ -e "install_test_packages=True" \
--skip-tag V-38462 \ --skip-tag V-38462 \
{toxinidir}/tests/test.yml -vvvv {toxinidir}/tests/test.yml
bash -c 'ansible-playbook -i {toxinidir}/tests/inventory \
-e "rolename={toxinidir}" \
-e "install_test_packages=True" \
--skip-tag V-38462 \
{toxinidir}/tests/test.yml \
| grep -q "changed=0.*failed=0" \
&& (echo "Idempotence test: pass" && exit 0) \
|| (echo "Idempotence test: fail" && exit 1)'
[testenv:linters] [testenv:linters]
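Review bot: The idempotence pattern `grep -q "changed=0.*failed=0"` still matches a PLAY RECAP line that reports `unreachable=1`, and because the recap is matched per line it passes as soon as any single host reports no changes, so with more than one host in `tests/inventory` a changed host on another line goes unnoticed; `grep -q "changed=0.*unreachable=0.*failed=0"` closes the first gap, and a `grep -c` compared against the host count would close the second. The pipeline also discards the run's output, so a failed idempotence check gives no hint which task reported a change now that `-vvvv` has been dropped from the earlier runs; inserting `| tee {toxinidir}/.tox/idempotence.log` (a constructed path) before the grep keeps that evidence for the job log. Carrying `--skip-tag V-38462` into the idempotence run is consistent with the two runs above it, but it also means that task's idempotence is never exercised, which the relocated NOTE above the commands could state explicitly.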