blame | history | raw
J. Alexander Jacocks
2020-03-13 5b66061e9224fef019f472ad1846068a25f2f146 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123

---


- name: Step 004 Environment specific Software


  hosts: localhost


  gather_facts: False


  become: false


  tasks:


    - debug:


        msg: "Software tasks Started"


 


 


- name: Deploy Roles if infra_workloads defined


  hosts:


    - nodes


  gather_facts: false


  run_once: false


  become: yes


  tags:


    - infra_workloads


  tasks:


  - name: apply infra workloads roles on nodes


    when:


    - infra_workloads|d("")|length > 0


    block:


      - name: Apply role "{{ workload_loop_var }}" on nodes


        include_role:


          name: "{{ workload_loop_var }}"


        vars:


          ACTION: "provision"


        loop: "{{ infra_workloads.split(',')|list }}"


        loop_control:


          loop_var: workload_loop_var


 


- name: Configure bastion for SELinux workshop


  hosts: all


  gather_facts: false


  become: true


  vars:


    avc: |


      '----


      time->Mon Nov 17 01:45:36 2008


      type=AVC msg=audit(1226882736.442:86): avc:  denied  { getattr } for  pid=2427 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file


      type=SYSCALL msg=audit(1226882736.442:86): arch=40000003 syscall=196 success=no exit=-13 a0=b9a1e198 a1=bfc2921c a2=54dff4 a3=2008171 items=0 ppid=2425 pid=2427 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)'


 


  tasks:


  - name: Install all needed packages


    package:


      state: present


      name:


        - selinux-policy-devel


        - ansible


        - policycoreutils


        - policycoreutils-python-utils


        - audit


        - git


        - setools-console


        - selinux-policy-doc


        - policycoreutils-newrole


        - setroubleshoot-server


        - make


        - gcc-c++


        - rpm-build


        - libcurl-devel


        - cockpit


        - cockpit-dashboard


        - cockpit-shell


        - cockpit-system


        - cockpit-ws


        - subscription-manager-cockpit


        - cockpit-composer


        - cockpit-session-recording


        - cockpit-machines


        - cockpit-packagekit


        - cockpit-podman


        - cockpit-storaged


 


  - name: Ensure cockpit is started


    systemd:


      name: "cockpit.socket"


      state: "started"


      enabled: true


      daemon_reload: true


 


  - name: Enable SELinux


    selinux:


      policy: targeted


      state: enforcing


 


  - name: Create testaudit file


    copy:


      mode: '0644'


      owner: root


      dest: /root/testaudit


      content: "{{ avc  }}"


 


  - name: Copy testaudit also to user dir


    copy:


      src: /root/testaudit


      dest: /home/ec2-user


      owner: ec2-user


      group: ec2-user


      mode: '0644'


      force: true


      remote_src: yes


 


  - name: Create .vimrc in user home dir


    copy:


      content: ""


      dest: /home/ec2-user/.vimrc


      owner: ec2-user


      group: ec2-user


      mode: '0644'


      force: no


 


- name: Software flight-check


  hosts: localhost


  connection: local


  gather_facts: false


  become: false


  tags:


    - post_flight_check


  tasks:


    - debug:


        msg: "Software checks completed successfully"