Check mode compatibility for security role

Closes-bug: 1516142

Implements: blueprint security-hardening

Change-Id: Ia38fbdd8bd8fa5aaef1252569563bf0a829f095d

tasks/apt.yml

@@ -22,6 +22,7 @@
   command: apt-key list
   register: v38476_result
   changed_when: "v38476_result.rc != 0"
+  always_run: True
 
 - name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
   fail:
@@ -45,6 +46,7 @@
   register: v38462_result
   changed_when: False
   failed_when: False
+  always_run: True
   tags:
     - auth
     - cat1

tasks/auditd.yml

@@ -30,17 +30,28 @@
     name: auditd
     state: started
     enabled: true
+  when: not check_mode
   tags:
     - auditd
     - cat2
     - V-38632
     - V-38631
 
+- name: Verify that auditd.conf exists
+  stat:
+    path: /etc/audit/auditd.conf
+  register: auditd_conf
+  always_run: true
+  tags:
+    - auditd
+    - always
+
 - name: V-38633 - The system must set a maximum audit log file size
   lineinfile:
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?max_log_file ="
     line: "max_log_file = {{ max_log_file }}"
+  when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
   tags:
@@ -53,6 +64,7 @@
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?max_log_file_action ="
     line: "max_log_file_action = {{ max_log_file_action }}"
+  when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
   tags:
@@ -65,6 +77,7 @@
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?num_logs ="
     line: "num_logs = {{ num_logs }}"
+  when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
   tags:
@@ -97,17 +110,27 @@
 - name: V-38637 - Contents of auditd package must be verified
   fail:
     msg: "FAILED: Could not verify that files from auditd package are unaltered"
-  when: v38637_result.rc == 2
+  when: not check_mode and v38637_result.rc == 2
   tags:
     - auditd
     - cat2
     - V-38637
 
+- name: Verify that auditd log directory exists (for V-38445)
+  stat:
+    path: /var/log/audit/
+  register: auditd_log_dir
+  always_run: True
+  tags:
+    - auditd
+    - always
+
 - name: V-38445 - Audit log files must be group-owned by root
   file:
     dest: /var/log/audit/
     group: root
     recurse: true
+  when: auditd_log_dir.stat.exists | bool
   tags:
     - auditd
     - cat2
@@ -118,6 +141,7 @@
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?disk_error_action"
     line: "disk_error_action = {{ disk_error_action }}"
+  when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
   tags:
@@ -130,6 +154,7 @@
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?disk_full_action"
     line: "disk_full_action = {{ disk_full_action }}"
+  when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
   tags:
@@ -142,6 +167,7 @@
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?space_left"
     line: "space_left = {{ space_left }}"
+  when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
   tags:
@@ -154,6 +180,7 @@
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?space_left_action"
     line: "space_left_action = {{ space_left_action }}"
+  when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
   tags:
@@ -166,6 +193,7 @@
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?action_mail_acct"
     line: "action_mail_acct = {{ action_mail_acct }}"
+  when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
   tags:
@@ -178,6 +206,7 @@
     dest: /var/log/audit/
     owner: root
     recurse: true
+  when: auditd_log_dir.stat.exists | bool
   tags:
     - auditd
     - cat2
@@ -202,6 +231,7 @@
     dest: "/var/log/audit/{{ item }}"
     mode: 0400
   with_items: v38498_result.stdout_lines
+  when: v_38498_result is defined
   tags:
     - auditd
     - cat2
@@ -223,6 +253,7 @@
     regexp: "^(#)?active"
     line: "active = yes"
     state: present
+  when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
   tags:
@@ -235,6 +266,7 @@
     dest: /etc/audit/auditd.conf
     regexp: "^(#)?admin_space_left_action"
     line: "admin_space_left_action = {{ admin_space_left_action }}"
+  when: auditd_conf.stat.exists | bool
   notify:
     - restart auditd
   tags:

tasks/auth.yml

@@ -69,6 +69,7 @@
   register: v38496_result
   changed_when: v38496_result.stdout != '0'
   failed_when: False
+  always_run: True
   tags:
     - auth
     - cat2
@@ -92,6 +93,7 @@
   register: v38497_result
   changed_when: False
   failed_when: False
+  always_run: True
   tags:
     - auth
     - cat1
@@ -102,7 +104,7 @@
 - name: V-38497 - The system must not have accounts configured with blank or null passwords.
   fail:
     msg: "FAILED: Remove 'nullok' from /etc/pam.d/system-auth for better security."
-  when: "v38497_result.rc == 0"
+  when: not check_mode and v38497_result.rc == 0
   tags:
     - auth
     - cat1
@@ -141,6 +143,7 @@
   shell: "awk -F: '($1 != \"root\") && ($3 == 0) {print}' /etc/passwd | wc -l"
   register: v38500_result
   changed_when: v38500_result.stdout != '0'
+  always_run: True
   tags:
     - auth
     - cat2
@@ -206,6 +209,7 @@
   shell: "awk -F: '($2 != \"x\") {print}' /etc/passwd | wc -l"
   register: v38499_result
   changed_when: False
+  always_run: True
   tags:
     - auth
     - cat2
@@ -255,6 +259,7 @@
   register: v38574_result
   changed_when: False
   failed_when: False
+  always_run: True
   tags:
     - auth
     - cat2
@@ -274,6 +279,7 @@
   shell: "grep '^ENCRYPT_METHOD.*SHA512' /etc/login.defs"
   register: v38576_result
   changed_when: v38576_result.rc != 0
+  always_run: True
   tags:
     - auth
     - cat2
@@ -298,6 +304,7 @@
   register: v38577_libuser_check
   changed_when: False
   failed_when: False
+  always_run: True
   tags:
     - auth
     - cat2
@@ -331,6 +338,7 @@
   register: v38681_result
   changed_when: False
   failed_when: v38681_result.rc > 1
+  always_run: True
   tags:
     - auth
     - cat3
@@ -360,6 +368,7 @@
   shell: pwck -rq | wc -l
   register: v38683_result
   changed_when: False
+  always_run: True
   tags:
     - auth
     - cat3
@@ -379,6 +388,7 @@
   register: v58901_nopasswd_result
   changed_when: False
   failed_when: v58901_nopasswd_result.rc > 1
+  always_run: True
   tags:
     - auth
     - cat2
@@ -389,6 +399,7 @@
   register: v58901_authenticate_result
   changed_when: False
   failed_when: v58901_authenticate_result.rc > 1
+  always_run: True
   tags:
     - auth
     - cat2
@@ -397,7 +408,9 @@
 - name: V-58901 - The sudo command must require authentication
   fail:
     msg: "FAILED: NOPASSWD or !authenticate found in sudo configuration"
-  when: v58901_nopasswd_result.rc == 0 or v58901_authenticate_result.rc == 0
+  when: >
+    not check_mode
+    and (v58901_nopasswd_result.rc == 0 or v58901_authenticate_result.rc == 0)
   tags:
     - auth
     - cat2

tasks/mail.yml

@@ -22,11 +22,12 @@
     - cat3
     - V-38669
 
-- name: V-38669 - The postfix service must be enabled for mail delivery (ebable postfix)
+- name: V-38669 - The postfix service must be enabled for mail delivery (enable postfix)
   service:
     name: postfix
     state: started
     enabled: yes
+  when: not check_mode
   tags:
     - mail
     - cat3
@@ -47,11 +48,20 @@
     - cat2
     - V-38446
 
+- name: Verify that Postfix's main.cf exists
+  stat:
+    path: /etc/postfix/main.cf
+  register: postfix_main_cf
+  always_run: true
+  tags:
+    - always
+
 - name: V-38622 - Mail relaying must be restricted
   lineinfile:
     dest: /etc/postfix/main.cf
     regexp: "^(#)?inet_interfaces"
     line: "inet_interfaces = {{ postfix_inet_interfaces }}"
+  when: postfix_main_cf.stat.exists | bool
   notify:
     - restart postfix
   tags:

tasks/main.yml

@@ -13,6 +13,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+  - name: Verify if we're using check mode
+    command: /bin/true
+    register: noop_result
+
+  - name: Set a fact if we're in check mode
+    set_fact:
+      check_mode: "{{ noop_result|skipped }}"
+
   - include: apt.yml
   - include: auditd.yml
   - include: auth.yml

tasks/misc.yml

@@ -52,6 +52,7 @@
   shell: find /root /home -xdev -name .netrc | wc -l
   register: v38619_result
   changed_when: False
+  always_run: True
   tags:
     - cat2
     - V-38619
@@ -77,14 +78,24 @@
     name: chrony
     state: started
     enabled: yes
+  when: not check_mode
   tags:
     - cat2
     - V-38620
 
+- name: Check for chrony.conf
+  stat:
+    path: /etc/chrony/chrony.conf
+  register: chrony_conf
+  tags:
+    - always
+    - V-38620
+
 - name: V-38620 - Synchronize system clock (configuration file)
   template:
     src: chrony.conf.j2
     dest: /etc/chrony/chrony.conf
+  when: chrony_conf.stat.exists | bool
   notify:
     - restart chrony
   tags:
@@ -146,6 +157,7 @@
   register: v38660_snmpd_installed
   changed_when: False
   failed_when: False
+  always_run: True
   tags:
     - cat2
     - V-38660
@@ -158,6 +170,7 @@
   when: v38660_snmpd_installed.rc == 0
   changed_when: False
   failed_when: False
+  always_run: True
   tags:
     - cat2
     - V-38660
@@ -195,6 +208,7 @@
   register: v38599_result
   changed_when: False
   failed_when: False
+  always_run: True
   tags:
     - cat2
     - cat3
@@ -264,6 +278,7 @@
   shell: "grep 'DEFAULT_RUNLEVEL=2' /etc/init/rc-sysinit.conf"
   register: v38674_result
   changed_when: False
+  always_run: True
   tags:
     - cat2
     - V-38674
@@ -280,6 +295,7 @@
   shell: "apparmor_status 2>&1 | head -n 1"
   register: v51337_result
   changed_when: False
+  always_run: True
   tags:
     - cat2
     - V-51337

tasks/services.yml

@@ -17,6 +17,7 @@
   shell: "find /etc/init.d/ -printf '%f\n'"
   register: sysv_services
   changed_when: false
+  always_run: True
   tags:
     - services
     - cat1