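---
# Step 004: environment-specific software.
# Play 1 runs on the controller only and prints a marker so the start of the
# software phase is visible in the run log; it changes nothing on any host.
- name: Step 004 Environment specific Software
  hosts: localhost
  gather_facts: false
  become: false
  tasks:
    - name: Announce start of software tasks
      debug:
        msg: "Software tasks Started"
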
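# Applies one role per entry of infra_workloads (a comma-separated string of
# role names) on the "nodes" group, as root. The role name is taken directly
# from the variable, so whoever sets infra_workloads (inventory, extra-vars)
# decides which roles run with become on the nodes; keep that input under the
# same review as this playbook.
- name: Deploy Roles if infra_workloads defined
  hosts:
    - nodes
  gather_facts: false
  run_once: false
  become: true
  tags:
    - infra_workloads
  tasks:
    - name: apply infra workloads roles on nodes
      # d("") turns an unset infra_workloads into an empty string, so the
      # block is skipped instead of failing on an undefined variable.
      when:
        - infra_workloads|d("")|length > 0
      block:
        - name: Apply role "{{ workload_loop_var }}" on nodes
          include_role:
            name: "{{ workload_loop_var }}"
          vars:
            ACTION: "provision"
          # split(',') keeps surrounding whitespace; entries are expected to
          # be written without spaces around the commas.
          loop: "{{ infra_workloads.split(',')|list }}"
          loop_control:
            loop_var: workload_loop_var
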
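# Installs the SELinux workshop tooling, enables Cockpit, puts SELinux into
# enforcing mode and drops a sample AVC denial into /root/testaudit and the
# ec2-user home directory for the audit2allow / sealert exercises.
# NOTE(review): the play name says "bastion" but hosts is `all`; confirm that
# the package set and enforcing mode are wanted on every host in the inventory.
- name: Configure bastion for SELinux workshop
  hosts: all
  gather_facts: false
  become: true
  vars:
    # Sample audit log written verbatim to the testaudit files below.
    # NOTE(review): the leading ' on the first line and the trailing ' after
    # key=(null) are part of the block scalar and end up in the file as-is;
    # confirm that is intended before "fixing" them.
    avc: |
      '----
      time->Mon Nov 17 01:45:36 2008
      type=AVC msg=audit(1226882736.442:86): avc: denied { getattr } for pid=2427 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
      type=SYSCALL msg=audit(1226882736.442:86): arch=40000003 syscall=196 success=no exit=-13 a0=b9a1e198 a1=bfc2921c a2=54dff4 a3=2008171 items=0 ppid=2425 pid=2427 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)'

  tasks:
    - name: Install all needed packages
      package:
        state: present
        name:
          - selinux-policy-devel
          - ansible
          - policycoreutils
          - policycoreutils-python-utils
          - audit
          - git
          - setools-console
          - selinux-policy-doc
          - policycoreutils-newrole
          - setroubleshoot-server
          - make
          - gcc-c++
          - rpm-build
          - libcurl-devel
          - cockpit
          - cockpit-dashboard
          - cockpit-shell
          - cockpit-system
          - subscription-manager-cockpit
          - cockpit-composer
          - cockpit-session-recording
          - cockpit-machines
          - cockpit-packagekit
          - cockpit-podman
          - cockpit-storaged

    # Enabling cockpit.socket exposes the Cockpit web console on the host;
    # confirm the firewall / security-group rules limit who can reach it.
    - name: Ensure cockpit is started
      systemd:
        name: "cockpit.socket"
        state: "started"
        enabled: true
        daemon_reload: true

    # Moving from disabled to enforcing takes effect only after a reboot;
    # the selinux module reports reboot_required when that is the case.
    - name: Enable SELinux
      selinux:
        policy: targeted
        state: enforcing

    - name: Create testaudit file
      copy:
        mode: '0644'
        owner: root
        dest: /root/testaudit
        content: "{{ avc }}"

    # dest is a directory, so the file lands as /home/ec2-user/testaudit.
    - name: Copy testaudit also to user dir
      copy:
        src: /root/testaudit
        dest: /home/ec2-user
        owner: ec2-user
        group: ec2-user
        mode: '0644'
        force: true
        remote_src: true

    # force: false keeps any .vimrc the user already has.
    - name: Create .vimrc in user home dir
      copy:
        content: ""
        dest: /home/ec2-user/.vimrc
        owner: ec2-user
        group: ec2-user
        mode: '0644'
        force: false
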
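# Final marker play: runs locally, changes nothing, and is tagged so it can be
# selected on its own with --tags post_flight_check.
- name: Software flight-check
  hosts: localhost
  connection: local
  gather_facts: false
  become: false
  tags:
    - post_flight_check
  tasks:
    - name: Report software checks completed
      debug:
        msg: "Software checks completed successfully"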