Unblock security role gate

This patch addresses two issues that are blocking the security role
CI jobs from completing:

The OpenStack CI image is missing the default audit.rules file and this
causes augenrules to fail when it loads new rules. The first line in
the default rules file deletes existing rules and this must be in
place before loading new rulesets. The contents of the default file
are now in the template file, which is safer anyway. The default
file provided by the OS is removed.

The task that updates the apt cache in test.yml was running more than
once during the CI job run when the gate ran slowly. That's fine, but
it breaks the idempotence checks. A `changed_when` is added to the task
to ensure that the idempotence tests aren't affected by an apt cache
update.

Change-Id: I48be02df02b8a2a401bfd96e16ea0329632d9381
Partial-Bug: #1662622
Major Hayden 2017-01-03 12:19:46 -06:00 committed by David Rabel
parent f33e72f878
commit 86cc1449d4
3 changed files with 18 additions and 0 deletions

View File

@ -243,6 +243,17 @@
- cat2
- V-38498
- name: Remove system default audit.rules file
file:
path: /etc/audit/rules.d/audit.rules
state: absent
when:
- auditd_conf.stat.exists
notify:
- generate auditd rules
tags:
- always
- name: Auditd rules (includes several STIGs)
template:
src: osas-auditd.j2
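
Review bot: the guard `when: auditd_conf.stat.exists` on the new removal task keys off a stat result whose target is not visible in this hunk; if `auditd_conf` is the stat of auditd.conf rather than of /etc/audit/rules.d/audit.rules, the condition really means "auditd is installed", and a one-line comment saying so would spare the next reader a lookup. `file: state: absent` is idempotent on its own, so the guard only decides when the `generate auditd rules` handler fires. Separately, this task is tagged `always` while the tags of the template task that supplies the replacement ruleset fall outside the hunk: check that a run restricted with `--tags` cannot delete the distro default without also rendering osas-auditd.j2, since augenrules would then assemble an empty ruleset; giving both tasks the same tag set avoids that.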

View File

@ -1,5 +1,11 @@
# {{ ansible_managed }}
# Delete all existing auditd rules prior to loading this ruleset.
-D
# Increase the buffers to survive stress events.
-b 320
{% if security_audit_clock_settimeofday | bool %}
# RHEL 6 STIG V-38522
# Audits changes to system time via settimeofday
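
Review bot: `-b 320` is a small backlog for a ruleset that audits time changes and, judging by the STIG references, several other syscall families; the usual hardening baselines (DISA STIG, CIS) set `-b 8192`, and on a busy host a 320-entry backlog overflows under exactly the stress events the comment refers to, after which the `-f` failure mode decides what happens to the lost events. Consider raising the value or exposing it as a role variable with a documented default (a name such as `security_audit_buffer_size` is only a suggestion). Two caveats on `-D`: augenrules concatenates /etc/audit/rules.d/*.rules in lexical order, so `-D` only clears the full set if no other rules file sorts before the one rendered from this template, which is worth a comment next to the line; and if any file in the set ends with `-e 2`, the next reload's `-D` is rejected until reboot, so the immutable flag must not be combined with reload-based rule updates.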

View File

@ -20,6 +20,7 @@
apt:
update_cache: yes
when: ansible_pkg_mgr == 'apt'
changed_when: False
- name: Ensure OpenStack CI image has a logrotate cron job
file:
path: /etc/cron.daily/logrotate
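
Review bot: `changed_when: False` hides the apt cache update from the idempotence check, but it also hides it from real change reporting and does nothing about the refresh running on every play. The idiomatic fix is `cache_valid_time` on the apt module (for example `cache_valid_time: 3600`), which skips the refresh when the package lists are recent, reports changed only when the cache was actually refreshed, and therefore stays idempotent on the rerun without suppressing the result; `changed_when: False` could then be dropped. If the explicit suppression is kept, a short comment pointing at the CI idempotence check would explain why a task that does change the system reports otherwise.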