openstack/ansible-hardening
Code Issues Proposed changes
ansible-hardening/tasks/rpm.yml
Travis Truman 5f8a93c6bf Ignore ansible-lint warnings about rpm command usage 
Direct usage of the command is unavoidable within these
tasks so we tell ansible-lint not to complain about it
using the tag.

Change-Id: I8e0d32a0e72daa533877d8107bdfe1b6aed736d6
2016-07-06 14:03:02 -04:00

110 lines
2.9 KiB
YAML
Raw Blame History

---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Check if CentOS 7 GPG keys are installed (for V-38476)
command: rpm -qi gpg-pubkey-f4a80eb5-53a7ff4b
register: v38476_result
changed_when: v38476_result | failed
failed_when: False
always_run: True
when:
- ansible_distribution == 'CentOS'
tags:
- package
- cat1
- V-38476
- skip_ansible_lint
- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. (CentOS)
fail:
msg: "Missing CentOS 7 GPG keys"
when:
- ansible_distribution == 'CentOS'
- v38476_result | failed
tags:
- package
- cat1
- V-38476
- name: Check if Red Hat Enterprise Linux 7 GPG keys are installed (for V-38476)
command: "rpm -qi {{ item }}"
register: v38476_result
changed_when: v38476_result | failed
failed_when: False
always_run: True
with_items:
- gpg-pubkey-fd431d51-4ae0493b
- gpg-pubkey-2fa658e0-45700c69
when:
- ansible_distribution == 'RedHat'
tags:
- package
- cat1
- V-38476
- skip_ansible_lint
- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. (Red Hat Enteprise Linux)
fail:
msg: "Missing Red Hat Enterprise Linux 7 GPG keys"
when:
- ansible_distribution == 'RedHat'
- v38476_result | failed
tags:
- package
- cat1
- V-38476
- name: Search for yum repositories with GPG checks disabled
command: grep -r "gpgcheck=0" /etc/yum.repos.d/
register: v38462_result
changed_when: False
failed_when: False
always_run: True
tags:
- package
- cat1
- V-38462
- name: V-38462 - Package management tool must verify authenticity of packages
fail:
msg: "Ensure all repo files in /etc/yum.repos.d/ have 'gpgcheck=1' set."
when: "v38462_result.rc == 0"
tags:
- package
- cat1
- V-38462
- name: V-38481 - Install yum-cron for automatic updates
yum:
name: yum-cron
state: installed
when: security_unattended_upgrades_enabled | bool
tags:
- package
- cat2
- V-38481
- name: V-38481 - System security patches and updates must be installed and up-to-date
lineinfile:
dest: /etc/yum/yum-cron.conf
regexp: "^apply_updates"
line: "apply_updates = yes"
state: present
when: security_unattended_upgrades_enabled | bool
tags:
- package
- cat2
- V-38481
View Git Blame Copy Permalink