db5c6f2d66
With update of ansible-lint to version >=6.0.0 a lot of new linters were added, that enabled by default. In order to comply with linter rules we're applying changes to the role. With that we also update metdata to reflect current state. Change-Id: I1920cd05ac5b4d32ad12bce42d9161a568f288b6
110 lines
3.0 KiB
YAML
110 lines
3.0 KiB
YAML
---
|
|
# Copyright 2016, Rackspace US, Inc.
|
|
# Copyright 2017, SUSE LINUX GmbH.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Ensure RPM verification task has finished
|
|
async_status:
|
|
jid: "{{ rpmverify_task.ansible_job_id }}"
|
|
failed_when: False
|
|
changed_when: False
|
|
register: job_result
|
|
until: job_result.finished
|
|
retries: 360
|
|
delay: 10
|
|
when:
|
|
- rpmverify_task is not skipped
|
|
tags:
|
|
- rpm
|
|
- high
|
|
- V-71855
|
|
|
|
- name: V-71855 - Get files with invalid checksums (rpm)
|
|
shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe
|
|
register: invalid_checksum_files
|
|
changed_when: False
|
|
when:
|
|
- security_check_package_checksums | bool
|
|
- not check_mode | bool
|
|
tags:
|
|
- rpm
|
|
- high
|
|
- V-71855
|
|
|
|
- name: V-71855 - The cryptographic hash of system files and commands must match vendor values (rpm)
|
|
debug:
|
|
msg: |
|
|
The following files have checksums that differ from the checksum provided
|
|
with their package. Each of these should be verified manually to ensure
|
|
they have not been modified by an unauthorized user.
|
|
|
|
{% for filename in invalid_checksum_files.stdout_lines %}
|
|
{{ filename }}
|
|
{% endfor %}
|
|
when:
|
|
- security_check_package_checksums | bool
|
|
- not check_mode | bool
|
|
- invalid_checksum_files is defined
|
|
- invalid_checksum_files.stdout is defined
|
|
tags:
|
|
- rpm
|
|
- high
|
|
- V-71855
|
|
|
|
- name: Determine all SUSE repositories
|
|
shell: ls /etc/zypp/repos.d/*.repo
|
|
changed_when: false
|
|
register: all_zypper_repositories
|
|
|
|
- name: V-71977 - Require digital signatures for all packages and repositories
|
|
lineinfile:
|
|
dest: "{{ item }}"
|
|
regexp: '^(#)?\s*gpgcheck'
|
|
line: "gpgcheck=1"
|
|
state: present
|
|
with_items:
|
|
- "{{ all_zypper_repositories.stdout_lines | default([]) }}"
|
|
- "{{ pkg_mgr_config }}"
|
|
tags:
|
|
- rpm
|
|
- high
|
|
- V-71977
|
|
- V-71979
|
|
- V-71981
|
|
|
|
- name: V-71987 - Clean requirements/dependencies when removing packages (SUSE)
|
|
lineinfile:
|
|
dest: "{{ pkg_mgr_config }}"
|
|
regexp: '^(#)?\s*solver\.cleandepsOnRemove'
|
|
line: 'solver.cleandepsOnRemove = true'
|
|
state: present
|
|
when:
|
|
- security_package_clean_on_remove | bool
|
|
tags:
|
|
- low
|
|
- packages
|
|
- V-71987
|
|
|
|
- name: Enable automatic package updates (SUSE)
|
|
copy:
|
|
src: zypper-autoupdates
|
|
dest: /etc/cron.daily/zypper-autoupdates
|
|
mode: "0750"
|
|
when:
|
|
- security_rhel7_automatic_package_updates | bool
|
|
tags:
|
|
- packages
|
|
- cat2
|
|
- V-71999
|