Unblock security role gate
This patch addresses two issues that are blocking the security role CI jobs from completing: The OpenStack CI image is missing the default audit.rules file and this causes augenrules to fail when it loads new rules. The first line in the default rules file deletes existing rules and this must be in place before loading new rulesets. The contents of the default file are now in the template file, which is safer anyway. The default file provided by the OS is removed. The task that updates the apt cache in test.yml was running more than once during the CI job run when the gate ran slowly. That's fine, but it breaks the idempotence checks. A `changed_when` is added to the task to ensure that the idempotence tests aren't affected by an apt cache update. Change-Id: I48be02df02b8a2a401bfd96e16ea0329632d9381 Partial-Bug: #1662622
This commit is contained in:
parent
f33e72f878
commit
86cc1449d4
|
@ -243,6 +243,17 @@
|
|||
- cat2
|
||||
- V-38498
|
||||
|
||||
- name: Remove system default audit.rules file
|
||||
file:
|
||||
path: /etc/audit/rules.d/audit.rules
|
||||
state: absent
|
||||
when:
|
||||
- auditd_conf.stat.exists
|
||||
notify:
|
||||
- generate auditd rules
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Auditd rules (includes several STIGs)
|
||||
template:
|
||||
src: osas-auditd.j2
|
||||
|
|
|
@ -1,5 +1,11 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
# Delete all existing auditd rules prior to loading this ruleset.
|
||||
-D
|
||||
|
||||
# Increase the buffers to survive stress events.
|
||||
-b 320
|
||||
|
||||
{% if security_audit_clock_settimeofday | bool %}
|
||||
# RHEL 6 STIG V-38522
|
||||
# Audits changes to system time via settimeofday
|
||||
|
|
|
@ -20,6 +20,7 @@
|
|||
apt:
|
||||
update_cache: yes
|
||||
when: ansible_pkg_mgr == 'apt'
|
||||
changed_when: False
|
||||
- name: Ensure OpenStack CI image has a logrotate cron job
|
||||
file:
|
||||
path: /etc/cron.daily/logrotate
|
||||
|
|
Loading…
Reference in New Issue