feature: check FIPS mode within the ostree images

Check whether the OS has system FIPS mode enabled
when `fips="true"` is passed as an Ansible variable.

Signed-off-by: Miguel Martín <mmartinv@redhat.com>
Miguel Martín 2023-11-16 16:03:06 +01:00 committed by Miguel Martin
parent 98847f7494
commit 10ccb3b385


@ -13,6 +13,7 @@
ignition: "false"
test_custom_dirs_files: "false"
sysroot_ro: "false"
fips: "false"
tasks:
# current target host's IP address
@ -75,6 +76,22 @@
failed_counter: "{{ failed_counter | int + 1 }}"
when: "'rt' in result_kernel.stdout"
- name: check system FIPS mode
block:
- name: run 'fips-mode-setup --check'
command: fips-mode-setup --check
register: fips_mode_setup
- name: check 'fips-mode-setup --check' output
assert:
that:
- "'FIPS mode is enabled' in fips_mode_setup.stdout"
- "'FIPS mode is disabled' not in fips_mode_setup.stdout"
- "'Installation of FIPS modules is not completed' not in fips_mode_setup.stdout"
- "'Inconsistent state detected' not in fips_mode_setup.stdout"
fail_msg: "FIPS mode not enabled"
when: fips == "true"
# first installed or upgraded
# first installed has one commit, but upgraded has two
- name: determin which stage the checking is running on
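Review bot: The `when: fips == "true"` guard on the new block matches only the exact string, so a run that supplies the variable as a real boolean (for example from a vars file or JSON extra-vars) skips the FIPS check without any failure; `when: fips | bool` would hold for both forms. The assertion also depends only on the wording printed by `fips-mode-setup --check`; additionally reading `/proc/sys/crypto/fips_enabled` and asserting it is `1` would tie the result to kernel state rather than message text. The `command` task is read-only, so `changed_when: false` fits it. Unlike the kernel check just above, which increments `failed_counter`, this block shows no rescue path, so a failed assert (or a non-zero exit from the command) presumably aborts the play instead of being counted; that is worth confirming against the rest of the task list, which lies outside the hunk.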