From e68aa26a20b36e8b243ddb4c5e186358bdd6913d Mon Sep 17 00:00:00 2001
From: Simone Tiraboschi
Date: Wed, 31 Jul 2019 09:50:49 +0200
Subject: [PATCH] Reboot the engine VM after openscap remediations

Reboot the engine VM after openscap remediations and, on RHEL only, explicitly check that FIPS mode has really been enabled before running engine-setup

Bug-Url: https://bugzilla.redhat.com/1734171
---
 tasks/apply_openscap_profile.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/tasks/apply_openscap_profile.yml b/tasks/apply_openscap_profile.yml
index 7050b3f..ea6ba11 100644
--- a/tasks/apply_openscap_profile.yml
+++ b/tasks/apply_openscap_profile.yml
@@ -32,3 +32,17 @@
     regexp="^\s*PermitRootLogin"
     line="PermitRootLogin {{ he_root_ssh_access }}"
     state=present
+- name: Reboot the engine VM to ensure that FIPS is enabled
+  reboot:
+    reboot_timeout: 1200
+- block:
+  - name: Check if FIPS is enabled
+    command: sysctl -n crypto.fips_enabled
+    changed_when: true
+    register: he_fips_enabled
+  - debug: var=he_fips_enabled
+  - name: Enforce FIPS mode
+    fail:
+      msg: "FIPS mode is not enabled as required"
+    when: he_fips_enabled.stdout != "1"
+  when: ansible_distribution is search("RedHat")
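Review bot: `changed_when: true` on the `sysctl -n crypto.fips_enabled` task declares a read-only query as always changing, so every run reports a change for a task that modifies nothing; it should be `changed_when: false`. If the kernel exposes no `crypto.fips_enabled` key at all, `sysctl -n` exits non-zero and the play aborts inside the command task instead of at "Enforce FIPS mode", so adding `failed_when: false` to the command keeps the explicit `fail` with its clear message as the single failure point (a missing key still gives a stdout that is not "1", so the check stays fail-closed). Note also that `crypto.fips_enabled == 1` only proves the kernel flag; on releases that ship `fips-mode-setup`, `fips-mode-setup --check` additionally validates the userspace crypto policy, which this check does not cover — whether the target release provides it is not visible from the hunk. The `debug: var=he_fips_enabled` task dumps the whole registered result on every run and could be dropped or limited with `verbosity: 1` before this ships.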