Add ability to change apt/yum package state

The current method of installing the distribution packages required is
set in the tasks and cannot be changed by a deployer.

Currently the apt task always installs the latest package. This results
in unexpected binary changes when a deployer may simply be trying to
execute a configuration change.

This patch adds the ability for a deployer to change the desired state
so that the results are predictable.

Change-Id: I896ef4f57afa55f52b05799efce2ef370f31dee0

defaults/main.yml

@@ -18,6 +18,10 @@
 # apt cache updates as efficiently as possible.
 cache_timeout: 600
 
+# Set the package install state for distribution packages
+# Options are 'present' and 'latest'
+security_package_state: "latest"
+
 ### Default configurations for openstack-ansible-security #####################
 #
 # All of the configuration items below are documented in the developer notes

releasenotes/notes/package-state-6684c5634bdf127a.yaml

@@ -0,0 +1,13 @@
+---
+features:
+  - The security role now supports the ability to configure whether
+    apt/yum tasks install the latest available package, or just ensure
+    that the package is present. The default action is to ensure that
+    the latest package is present. The action taken may be changed to
+    only ensure that the package is present by setting
+    ``security_package_state`` to ``present``.
+upgrade:
+  - The security role always checks whether the latest package is
+    installed when executed. If a deployer wishes to change the check to
+    only validate the presence of the package, the option
+    ``security_package_state`` should be set to ``present``.

tasks/apt.yml

@@ -81,7 +81,7 @@
 - name: Install unattended-upgrades package (for V-38481)
   apt:
     name: unattended-upgrades
-    state: present
+    state: "{{ security_package_state }}"
   when: security_unattended_upgrades_enabled | bool
   tags:
     - package

tasks/auditd.yml

@@ -16,7 +16,7 @@
 - name: V-38631/38632 - The operating system must produce audit records (install auditd with apt)
   apt:
     name: "{{ auditd_pkg }}"
-    state: present
+    state: "{{ security_package_state }}"
   when: ansible_pkg_mgr == 'apt'
   tags:
     - auditd
@@ -27,7 +27,7 @@
 - name: V-38631/38632 - The operating system must produce audit records (install auditd with yum)
   yum:
     name: "{{ auditd_pkg }}"
-    state: present
+    state: "{{ security_package_state }}"
   when: ansible_pkg_mgr == 'yum'
   tags:
     - auditd
@@ -98,7 +98,7 @@
 - name: Ensure debsums package is installed (for V-38637)
   apt:
     name: debsums
-    state: present
+    state: "{{ security_package_state }}"
   when: ansible_pkg_mgr == 'apt'
   tags:
     - auditd

tasks/auth.yml

@@ -185,7 +185,7 @@
 - name: V-38501 - The system must disable accounts after excessive login failures (install fail2ban)
   apt:
     name: fail2ban
-    state: present
+    state: "{{ security_package_state }}"
   when: security_install_fail2ban | bool
   tags:
     - auth

tasks/lsm.yml

@@ -16,7 +16,7 @@
 - name: Install packages for AppArmor support (for V-51337)
   apt:
     name: "{{ item }}"
-    state: present
+    state: "{{ security_package_state }}"
   with_items:
     - apparmor
     - apparmor-profiles
@@ -44,7 +44,7 @@
 - name: Install packages for SELinux support (for V-51337)
   yum:
     name: "{{ item }}"
-    state: present
+    state: "{{ security_package_state }}"
   with_items:
     - libselinux-python
     - policycoreutils-python

tasks/mail.yml

@@ -16,7 +16,7 @@
 - name: V-38669 - The postfix service must be enabled for mail delivery (install postfix with apt)
   apt:
     name: postfix
-    state: present
+    state: "{{ security_package_state }}"
   when: ansible_pkg_mgr == 'apt'
   tags:
     - mail
@@ -26,7 +26,7 @@
 - name: V-38669 - The postfix service must be enabled for mail delivery (install postfix with yum)
   yum:
     name: postfix
-    state: present
+    state: "{{ security_package_state }}"
   when: ansible_pkg_mgr == 'yum'
   tags:
     - mail

tasks/misc.yml

@@ -15,8 +15,8 @@
 
 - name: V-38489 - Install AIDE (with apt)
   apt:
-      name: "{{ item }}"
-      state: present
+    name: "{{ item }}"
+    state: "{{ security_package_state }}"
   with_items:
     - aide
     - aide-common
@@ -27,8 +27,8 @@
 
 - name: V-38489 - Install AIDE (with yum)
   yum:
-      name: aide
-      state: present
+    name: aide
+    state: "{{ security_package_state }}"
   when: ansible_pkg_mgr == 'yum'
   tags:
     - cat2
@@ -92,7 +92,7 @@
 - name: V-38620 - Synchronize system clock (installing chrony with apt)
   apt:
     name: chrony
-    state: present
+    state: "{{ security_package_state }}"
   when: ansible_pkg_mgr == 'apt'
   tags:
     - cat2
@@ -101,7 +101,7 @@
 - name: V-38620 - Synchronize system clock (installing chrony with yum)
   yum:
     name: chrony
-    state: present
+    state: "{{ security_package_state }}"
   when: ansible_pkg_mgr == 'yum'
   tags:
     - cat2
@@ -143,7 +143,7 @@
 - name: V-38624 - System logs must be rotated daily (install logrotate with apt)
   apt:
     name: logrotate
-    state: present
+    state: "{{ security_package_state }}"
   when: ansible_pkg_mgr == 'apt'
   tags:
     - cat3
@@ -152,7 +152,7 @@
 - name: V-38624 - System logs must be rotated daily (install logrotate with yum)
   yum:
     name: logrotate
-    state: present
+    state: "{{ security_package_state }}"
   when: ansible_pkg_mgr == 'yum'
   tags:
     - cat3

tasks/rpm.yml

@@ -89,7 +89,7 @@
 - name: V-38481 - Install yum-cron for automatic updates
   yum:
     name: yum-cron
-    state: installed
+    state: "{{ security_package_state }}"
   when: security_unattended_upgrades_enabled | bool
   tags:
     - package