b792753b34
This role made use of conditionals that still used filters, this patch removes them all and switches them to the new system. Change-Id: I7c68f4e5f7248aedd3cdae734aac6d97a8ce058b
108 lines
2.9 KiB
YAML
108 lines
2.9 KiB
YAML
---
|
|
# Copyright 2016, Rackspace US, Inc.
|
|
# Copyright 2017, SUSE LINUX GmbH.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Ensure RPM verification task has finished
|
|
async_status:
|
|
jid: "{{ rpmverify_task.ansible_job_id }}"
|
|
failed_when: False
|
|
changed_when: False
|
|
register: job_result
|
|
until: job_result.finished
|
|
retries: 30
|
|
when:
|
|
- rpmverify_task is not skipped
|
|
tags:
|
|
- rpm
|
|
- high
|
|
- V-71855
|
|
|
|
- name: V-71855 - Get files with invalid checksums (rpm)
|
|
shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"
|
|
register: invalid_checksum_files
|
|
changed_when: False
|
|
when:
|
|
- security_check_package_checksums | bool
|
|
- not check_mode | bool
|
|
tags:
|
|
- rpm
|
|
- high
|
|
- V-71855
|
|
|
|
- name: V-71855 - The cryptographic hash of system files and commands must match vendor values (rpm)
|
|
debug:
|
|
msg: |
|
|
The following files have checksums that differ from the checksum provided
|
|
with their package. Each of these should be verified manually to ensure
|
|
they have not been modified by an unauthorized user.
|
|
|
|
{% for filename in invalid_checksum_files.stdout_lines %}
|
|
{{ filename }}
|
|
{% endfor %}
|
|
when:
|
|
- security_check_package_checksums | bool
|
|
- not check_mode | bool
|
|
- invalid_checksum_files is defined
|
|
- invalid_checksum_files.stdout is defined
|
|
tags:
|
|
- rpm
|
|
- high
|
|
- V-71855
|
|
|
|
- name: Determine all SUSE repositories
|
|
shell: ls /etc/zypp/repos.d/*.repo
|
|
changed_when: false
|
|
register: all_zypper_repositories
|
|
|
|
- name: V-71977 - Require digital signatures for all packages and repositories
|
|
lineinfile:
|
|
dest: "{{ item }}"
|
|
regexp: '^(#)?\s*gpgcheck'
|
|
line: "gpgcheck=1"
|
|
state: present
|
|
with_items:
|
|
- "{{ all_zypper_repositories.stdout_lines | default([]) }}"
|
|
- "{{ pkg_mgr_config }}"
|
|
tags:
|
|
- rpm
|
|
- high
|
|
- V-71977
|
|
- V-71979
|
|
- V-71981
|
|
|
|
- name: V-71987 - Clean requirements/dependencies when removing packages (SUSE)
|
|
lineinfile:
|
|
dest: "{{ pkg_mgr_config }}"
|
|
regexp: '^(#)?\s*solver\.cleandepsOnRemove'
|
|
line: 'solver.cleandepsOnRemove = true'
|
|
state: present
|
|
when:
|
|
- security_package_clean_on_remove | bool
|
|
tags:
|
|
- low
|
|
- packages
|
|
- V-71987
|
|
|
|
- name: Enable automatic package updates (SUSE)
|
|
copy:
|
|
src: zypper-autoupdates
|
|
dest: /etc/cron.daily/zypper-autoupdates
|
|
when:
|
|
- security_rhel7_automatic_package_updates | bool
|
|
tags:
|
|
- packages
|
|
- cat2
|
|
- V-71999
|