GET /api/v1/files/895
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 895,
    "sha1": "6728c7de75f6a615bfebb64f07da464e25349591",
    "playbook": {
        "id": 15,
        "items": {
            "plays": 4,
            "tasks": 279,
            "results": 219,
            "hosts": 1,
            "files": 110,
            "records": 0
        },
        "labels": [],
        "started": "2020-01-31T15:49:56.286406Z",
        "ended": "2020-01-31T15:58:51.284585Z",
        "duration": "00:08:54.998179",
        "name": null,
        "ansible_version": "2.8.8",
        "status": "failed",
        "path": "/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-hosts.yml"
    },
    "content": "---\n# Copyright 2016, Rackspace US, Inc.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n- name: Check apparmor_status output\n  command: apparmor_status\n  register: apparmor_status_output\n  check_mode: no\n  changed_when: false\n  failed_when: false\n  when:\n    - ansible_pkg_mgr in ['apt', 'zypper']\n  tags:\n    - high\n    - V-71989\n\n# NOTE(mhayden): The systemd unit file for apparmor just calls an old SysV\n# init script and exits. It's not possible to ask systemd if apparmor is\n# running and if we tell systemd to start apparmor, it will tell us that it\n# started apparmor each time. This breaks idempotency and we check\n# systemd's status directly as an alternative.\n- name: Check if apparmor is running\n  command: \"systemctl status apparmor\"\n  register: systemctl_apparmor_status\n  check_mode: no\n  changed_when: false\n  failed_when: false\n  when:\n    - ansible_pkg_mgr in ['apt', 'zypper']\n  tags:\n    - high\n    - V-71989\n\n- name: Ensure AppArmor is enabled at boot time\n  service:\n    name: apparmor\n    enabled: yes\n  when:\n    - ansible_pkg_mgr in ['apt', 'zypper']\n    - security_rhel7_enable_linux_security_module | bool\n  tags:\n    - high\n    - V-71989\n\n# NOTE(mhayden): Since the AppArmor systemd unit calls a SysV init script, the\n# unit will always say AppArmor is dead. This means that the following task\n# will always start the unit every time it runs (which breaks idempotency).\n- name: Ensure AppArmor is running\n  service:\n    name: apparmor\n    state: started\n  changed_when:\n    - '\"active (exited)\" not in systemctl_apparmor_status.stdout'\n  when:\n    - ansible_pkg_mgr in ['apt', 'zypper']\n    - security_rhel7_enable_linux_security_module | bool\n    - not check_mode\n    - '\"apparmor filesystem is not mounted\" not in apparmor_status_output.stderr'\n  tags:\n    - high\n    - V-71989\n\n# NOTE(mhayden): The \"changed_when\" is required here because this task will\n# always show as changed when SELinux is completely disabled. It's not possible\n# to switch to permissive/enforcing in an online way when SELinux is completely\n# disabled at boot time.\n- name: Ensure SELinux is in enforcing mode on the next reboot\n  selinux:\n    state: enforcing\n    policy: targeted\n  register: selinux_status_change\n  changed_when: selinux_status_change is changed and ansible_selinux.status != 'disabled'\n  when:\n    - ansible_os_family == \"RedHat\"\n    - security_rhel7_enable_linux_security_module | bool\n  tags:\n    - high\n    - V-71989\n    - V-71991\n\n- name: Relabel files on next boot if SELinux mode changed\n  file:\n    path: /.autorelabel\n    state: touch\n  when:\n    - ansible_os_family == \"RedHat\"\n    - security_rhel7_enable_linux_security_module | bool\n    - selinux_status_change is changed\n  tags:\n    - high\n    - V-71989\n    - V-71991\n\n# NOTE(mhayden): Ansible's find module doesn't support searching for files\n# based on SELinux contexts yet.\n- name: Check for unlabeled device files\n  command: \"find /dev -context '*unlabeled_t*'\"\n  register: unlabeled_devices\n  changed_when: False\n  check_mode: no\n  when:\n    - ansible_os_family == 'RedHat'\n    - ansible_selinux.status == 'enabled'\n  tags:\n    - lsm\n    - medium\n    - V-72039\n\n- name: V-72039 - All system device files must be correctly labeled to prevent unauthorized modification.\n  debug:\n    msg: |\n      Devices were found without SELinux labels:\n      {% for device in unlabeled_devices.stdout_lines %}\n      {{ device }}\n      {% endfor %}\n  when:\n    - ansible_os_family == 'RedHat'\n    - unlabeled_devices.stdout is defined\n    - unlabeled_devices.stdout | length > 0\n  tags:\n    - lsm\n    - medium\n    - V-72039\n",
    "created": "2020-01-31T15:49:56.852034Z",
    "updated": "2020-01-31T15:49:56.852070Z",
    "path": "/home/zuul/src/opendev.org/openstack/ansible-hardening/tasks/rhel7stig/lsm.yml"
}