With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metadata to reflect current state.
Change-Id: I1920cd05ac5b4d32ad12bce42d9161a568f288b6

This role made use of conditionals that still used filters, this
patch removes them all and switches them to the new system.
Change-Id: I7c68f4e5f7248aedd3cdae734aac6d97a8ce058b

With the more recent versions of ansible, we should now use
"is" instead of the "|" sign for the tests.
This should fix it.
Change-Id: I8d78a2b4ba2a8746cbb809e4f8c9370abe211350

The ansible_selinux variable is always populated with a 'status'
property, even if SELinux is not installed or configured. This
patch simplifies the check.
Change-Id: Ifddc385fc292ddb7d6c2758b199401c45de0f0f2
Signed-off-by: Major Hayden <major@mhtx.net>

This patch adds a check for the output of `apparmor_status` to
get a more accurate state of AppArmor's status. This should fix
idempotency issues that are plaguing the gate jobs.
Closes-Bug: 1715223
Change-Id: I10bb3212a3cc26ed27aa38cdc2e42ece722a6497

This patch helps us work around the limitations of the SysV init
script for AppArmor that systemd calls.
Change-Id: Ic846942d8ef3b4a8ecc1d79bda11e29b7230e3cc

The apparmor systemd unit file simply calls an old SysV init script
to load AppArmor profiles. The init script exits and systemd has no
idea if it's still running or not. This causes Ansible to start
the apparmor unit each time the playbook runs, which breaks the
idempotency checks.
This patch checks the apparmor_status output directly to see what the
status of AppArmor actually is. If the module is loaded, then we
should not try to start AppArmor with the unit file again.
This patch also includes the updates from the openstack-ansible-tests
repository that were included in
https://review.openstack.org/#/c/488489/ so that the gate can be
unblocked.
Partial-Bug: 1710675
Change-Id: If253714d0ca4b5a3d324255751e6f6615ca75dde

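
An added illustration of the approach the message above describes, not tasks taken from the role itself: query `apparmor_status` and dmesg directly instead of trusting the state systemd reports for the SysV-wrapping unit. Task names, registered variable names and the grep pattern are assumptions.

```yaml
# Added example, not the role's own tasks. Reads the real AppArmor state so
# the apparmor unit is only started when the module is not already loaded.
- name: Check whether the kernel disabled AppArmor at boot time
  # "|| true" keeps the task successful when dmesg contains no matching line.
  shell: dmesg | grep -i 'apparmor disabled' || true
  register: apparmor_dmesg_output
  changed_when: false
  failed_when: false
  check_mode: false

- name: Get the current AppArmor status from apparmor_status
  command: apparmor_status
  register: apparmor_status_output
  changed_when: false
  failed_when: false
  check_mode: false

- name: Record whether the AppArmor module is already loaded
  set_fact:
    # apparmor_status prints "apparmor module is loaded." when the LSM is active.
    apparmor_module_loaded: "{{ 'apparmor module is loaded' in apparmor_status_output.stdout }}"

- name: Ensure the apparmor unit is enabled and started only when needed
  service:
    name: apparmor
    enabled: true
    state: started
  # Jinja test syntax ("is search"), not the older filter form ("| search").
  # Restarting the unit while the module is loaded is what broke idempotency,
  # and starting it is pointless when the kernel disabled AppArmor at boot.
  when:
    - not apparmor_module_loaded
    - apparmor_dmesg_output.stdout is not search('apparmor disabled')
```
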
Add support for the openSUSE Leap distributions. The security rules
are similar to the RedHat and Ubuntu ones. We also replace
ansible_os_family with ansible_pkg_mgr since the former does not
return consistent results across different SUSE distributions, especially
on older Ansible versions.
Change-Id: I20ffe17039bb641aad70d8123f0b7e7417a42cba

The task that checks for AppArmor being disabled at boot time
fails if the line isn't present in dmesg. This patch ensures that
the output from dmesg is always maintained and the shell always
comes back with success.
Change-Id: Ib612cbf1ba3f3ec8284b41eab39d76cb5291c58e
Closes-Bug: 1694508

This patch gets the docs adjusted to work with the new RHEL 7 STIG
version 1 release. The new STIG release has changed all of the
numbering, but it maintains a link to (most) of the old STIG IDs in
the XML.
Closes-Bug: 1676865
Change-Id: I65023fe63163c9804a3aec9dcdbf23c69bedb604

This patch skips the `find` task that searches for unlabeled content on
systems with SELinux disabled. This fails because labels aren't loaded at that
time.
The patch also fixes an idempotent test failure that comes from the `selinux`
Ansible module repeatedly trying to get SELinux into enforcing mode when it
is disabled.
Closes-Bug: 1649617
Change-Id: I7d30a07bd7e8a4461846660c281b9e53b0783461

This patch adds tasks to search for device files without SELinux labels and
prints a list of those devices in the Ansible output.
Documentation is included.
Implements: blueprint security-rhel7-stig
Change-Id: Ic870f91ead4e89189efb8ad93674798063c97ba8

This patch enables SELinux/AppArmor and sets the SELinux targeted policy
on CentOS/RHEL hosts. Documentation is included.
Implements: blueprint security-rhel7-stig
Change-Id: I7e225bc10331e12d2405154d873a578e18532305