diff --git a/tasks/rhel7stig/async_tasks.yml b/tasks/rhel7stig/async_tasks.yml
new file mode 100644
index 00000000..a73b2112
--- /dev/null
+++ b/tasks/rhel7stig/async_tasks.yml
@@ -0,0 +1,45 @@
+---
+# Copyright 2017, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Multiple tasks will need the output of RPM verification, so let's do the
+# lookup one time and then grep over the output in subsequent tasks.
+- name: Verify all installed RPM packages
+ shell: "rpm -Va > {{ temp_dir }}/rpmverify.txt"
+ args:
+ warn: no
+ failed_when: False
+ changed_when: False
+ register: rpmverify_task
+ async: 300
+ poll: 0
+ when:
+ - not check_mode | bool
+ - ansible_os_family | lower in ['redhat', 'suse']
+ tags:
+ - skip_ansible_lint
+
+- name: Check for .shosts or shosts.equiv files
+ find:
+ paths: /
+ recurse: yes
+ hidden: yes
+ patterns: '.shosts,shosts.equiv'
+ changed_when: False
+ register: shosts_find
+ async: 300
+ poll: 0
+ when:
+ - not check_mode | bool
+ - security_rhel7_remove_shosts_files | bool
diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index 7f9b277c..32e212ee 100644
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
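Review bot: Both tasks in the new async_tasks.yml lose the `always` tag that the removed versions carried: the RPM verification keeps only `skip_ansible_lint`, the `.shosts` find has no `tags:` at all, and the `- include: async_tasks.yml` line added in the main.yml hunk is untagged as well. On a run limited with `--tags`, the background jobs would then never start, so `rpmverify.txt` is not written for the later tasks that grep it and `shosts_find` is never registered for the `async_status` task in auth.yml. Unless tags are applied somewhere outside the visible hunks, add `tags:` with `- always` to both tasks or to the include. A one-line comment above the find task, such as `# Result is collected in auth.yml through async_status.`, would also match the comment the RPM task already has.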
@@ -219,27 +219,25 @@ - auth - V-72275 -- name: Check for .shosts or shosts.equiv files - find: - paths: / - recurse: yes - hidden: yes - patterns: '.shosts,shosts.equiv' - register: shosts_find +- name: Ensure .shosts find has finished + async_status: + jid: "{{ shosts_find.ansible_job_id }}" + failed_when: False + changed_when: False + register: job_result + until: job_result.finished | bool + retries: 30 when: - - security_rhel7_remove_shosts_files | bool - tags: - - always + - not shosts_find | skipped - name: Remove .shosts or shosts.equiv files file: path: "{{ item.path }}" state: absent - with_items: "{{ shosts_find.files }}" + with_items: "{{ job_result.files }}" when: + - not job_result | skipped - security_rhel7_remove_shosts_files | bool - - shosts_find is defined - - shosts_find.files is defined tags: - high - auth diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml index 94cbb83c..ae00ff2b 100644 --- a/tasks/rhel7stig/main.yml +++ b/tasks/rhel7stig/main.yml @@ -31,23 +31,9 @@ tags: - always -# Multiple tasks will need the output of RPM verification, so let's do the -# lookup one time and then grep over the output in subsequent tasks. -- name: Verify all installed RPM packages - shell: "rpm -Va > {{ temp_dir }}/rpmverify.txt" - args: - warn: no - failed_when: False - changed_when: False - register: rpmverify_task - async: 300 - poll: 0 - when: - - not check_mode | bool - - ansible_os_family | lower in ['redhat', 'suse'] - tags: - - always - - skip_ansible_lint +# Some of the tasks in the role may take a long time to run. Let's start them +# as early as possible so they have time to finish. +- include: async_tasks.yml - name: Get user data for all users on the system get_users: 
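Review bot: In the auth.yml hunk, `failed_when: False` on the `async_status` task, combined with dropping the old `shosts_find is defined` / `shosts_find.files is defined` guards, means a find that fails or is still unfinished after 30 retries leaves `job_result.files` undefined when the removal task's loop is evaluated. The removal of `.shosts` and `shosts.equiv` files then either errors on the undefined variable or does not happen, and nothing in the run records that the control was not applied. Make the loop tolerant with `with_items: "{{ job_result.files | default([]) }}"` and consider dropping `failed_when: False` so an unfinished or failed find is reported instead of hidden. No `delay:` is set either, so the total wait depends on the default retry interval and may be shorter than the job's `async: 300` limit. Both tasks start or end outside the hunk.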
@@ -68,6 +54,8 @@ # Package installations and removals must come first so that configuration # changes can be made later. - include: packages.yml + tags: + - always # Package managers are managed first since the changes in these tasks will # affect the remainder of the tasks in the role.
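Review bot: The `tags:` / `- always` pair added under `- include: packages.yml` makes every task in packages.yml run on any tag-limited invocation, so a run such as `--tags auth` would also install and remove packages. Nothing in the visible hunks ties this to the async change, while the new `- include: async_tasks.yml` earlier in the file, whose results later tasks depend on, stays untagged. If the tag was meant for the async include, move it there; if it is intentional here, add a comment above the include that states why package tasks must run on every invocation.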