Blame SOURCES/scap-security-guide-0.1.58-tests_for_playbooks_that_change_banners-PR_7376.patch

76240a
From bf018e9f8327b231b967db8ec74fabf01802b6a8 Mon Sep 17 00:00:00 2001
76240a
From: Watson Sato <wsato@redhat.com>
76240a
Date: Wed, 11 Aug 2021 09:45:04 +0200
76240a
Subject: [PATCH 1/3] Add test for ansible files removed and readded
76240a
76240a
Check if any playbook removes a file and then add it back again.
76240a
The file removal is based on the 'file' module with 'state: absent', and
76240a
the reintroduction of the file is based on 'lineinfile', 'blockinfile'
76240a
and 'copy' modules.
76240a
---
76240a
 CMakeLists.txt                               |  2 +
76240a
 tests/CMakeLists.txt                         |  8 ++
76240a
 tests/test_ansible_file_removed_and_added.py | 97 ++++++++++++++++++++
76240a
 3 files changed, 107 insertions(+)
76240a
 create mode 100644 tests/test_ansible_file_removed_and_added.py
76240a
76240a
diff --git a/CMakeLists.txt b/CMakeLists.txt
76240a
index 330b869d0f9..e41f2caa630 100644
76240a
--- a/CMakeLists.txt
76240a
+++ b/CMakeLists.txt
76240a
@@ -129,6 +129,7 @@ find_python_module(jinja2 REQUIRED)
76240a
 find_python_module(pytest)
76240a
 find_python_module(pytest_cov)
76240a
 find_python_module(json2html)
76240a
+find_python_module(yamlpath)
76240a
 
76240a
 # sphinx documentation requirements
76240a
 find_python_module(sphinx)
76240a
@@ -231,6 +232,7 @@ message(STATUS "python pytest module (optional): ${PY_PYTEST}")
76240a
 message(STATUS "ansible-playbook module (optional): ${ANSIBLE_PLAYBOOK_EXECUTABLE}")
76240a
 message(STATUS "ansible-lint module (optional): ${ANSIBLE_LINT_EXECUTABLE}")
76240a
 message(STATUS "yamllint module (optional): ${YAMLLINT_EXECUTABLE}")
76240a
+message(STATUS "yamlpath module (optional): ${PY_YAMLPATH}")
76240a
 message(STATUS "BATS framework (optional): ${BATS_EXECUTABLE}")
76240a
 message(STATUS "python sphinx module (optional): ${PY_SPHINX}")
76240a
 message(STATUS "python sphinxcontrib.autojinja module (optional): ${PY_SPHINXCONTRIB.AUTOJINJA}")
76240a
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
76240a
index 3e2d8a4ec31..739cc124035 100644
76240a
--- a/tests/CMakeLists.txt
76240a
+++ b/tests/CMakeLists.txt
76240a
@@ -121,3 +121,11 @@ add_test(
76240a
 )
76240a
 set_tests_properties("fix_rules-sort_subkeys" PROPERTIES LABELS quick)
76240a
 set_tests_properties("fix_rules-sort_subkeys" PROPERTIES DEPENDS "test-rule-dir-json")
76240a
+
76240a
+if (PY_YAMLPATH)
76240a
+    add_test(
76240a
+        NAME "ansible-file-removed-and-added"
76240a
+        COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_ansible_file_removed_and_added.py" --ansible_dir "${CMAKE_BINARY_DIR}/ansible"
76240a
+    )
76240a
+    set_tests_properties("fix_rules-sort_subkeys" PROPERTIES LABELS quick)
76240a
+endif()
76240a
diff --git a/tests/test_ansible_file_removed_and_added.py b/tests/test_ansible_file_removed_and_added.py
76240a
new file mode 100644
76240a
index 00000000000..23f6f888bda
76240a
--- /dev/null
76240a
+++ b/tests/test_ansible_file_removed_and_added.py
76240a
@@ -0,0 +1,97 @@
76240a
+#!/usr/bin/python3
76240a
+
76240a
+import argparse
76240a
+import os
76240a
+import sys
76240a
+from types import SimpleNamespace
76240a
+from yamlpath import Processor
76240a
+from yamlpath import YAMLPath
76240a
+from yamlpath.common import Parsers
76240a
+from yamlpath.exceptions import YAMLPathException
76240a
+from yamlpath.wrappers import ConsolePrinter
76240a
+
76240a
+
76240a
+def parse_command_line_args():
76240a
+    parser = argparse.ArgumentParser(
76240a
+        description="Checks if an Ansible Playbook removes a file and then adds it again.")
76240a
+    parser.add_argument("--ansible_dir", required=True,
76240a
+                        help="Directory containing Ansible Playbooks")
76240a
+    args = parser.parse_args()
76240a
+    return args
76240a
+
76240a
+
76240a
+def check_playbook_file_removed_and_added(playbook_path):
76240a
+    playbook_ok = True
76240a
+
76240a
+    yaml_parser = Parsers.get_yaml_editor()
76240a
+
76240a
+    logging_args = SimpleNamespace(quiet=False, verbose=False, debug=False)
76240a
+    log = ConsolePrinter(logging_args)
76240a
+
76240a
+    # Find every path removed by a file Task (also matches tasks within blocks)
76240a
+    files_absent_string = "tasks.**.file[state=absent][parent()].path"
76240a
+    files_absent_yamlpath = YAMLPath(files_absent_string)
76240a
+    path_editing_tasks_yamlpath = ""
76240a
+
76240a
+    log.info("Info: Evaluating playbook '{}'".format(playbook_path))
76240a
+    (yaml_data, doc_loaded) = Parsers.get_yaml_data(yaml_parser, log, playbook_path)
76240a
+    if not doc_loaded:
76240a
+        # There was an issue loading the file; an error message has already been
76240a
+        # printed via ConsolePrinter.
76240a
+        return False
76240a
+
76240a
+    processor = Processor(log, yaml_data)
76240a
+    try:
76240a
+        for node in processor.get_nodes(files_absent_yamlpath, mustexist=False):
76240a
+            path = str(node)
76240a
+            # 'node' is a NodeCoords.
76240a
+            if path == 'None':
76240a
+                continue
76240a
+            elif "{{" in path:
76240a
+                # Identified path is a Jinja expression, unfortunately there is no easy way to get
76240a
+                # the actual path without making this test very complicated
76240a
+                continue
76240a
+
76240a
+            # Check if this paths is used in any of the following ansible modules
76240a
+            ansible_modules = ["lineinfile", "blockinfile", "copy"]
76240a
+            path_editing_tasks_string = "tasks.**.[.=~/{modules}/][*='{path}'][parent()].name"
76240a
+            path_editing_tasks_yamlpath = YAMLPath(path_editing_tasks_string.format(
76240a
+                modules="|".join(ansible_modules),
76240a
+                path=node)
76240a
+                )
76240a
+            for task in processor.get_nodes(path_editing_tasks_yamlpath, mustexist=False):
76240a
+                log.info("Error: Task '{}' manipulates a file that is removed by another task"
76240a
+                         .format(task))
76240a
+                playbook_ok = False
76240a
+    except YAMLPathException as ex:
76240a
+        no_file_msg = ("Cannot add PathSegmentTypes.TRAVERSE subreference to lists at 'None' "
76240a
+                       "in '{}'.")
76240a
+        if str(ex) == no_file_msg.format(files_absent_string):
76240a
+            log.info("Info: Playbook {} has no 'file' tasks.".format(playbook_path))
76240a
+        elif path_editing_tasks_yamlpath and str(ex) == no_file_msg.format(
76240a
+                path_editing_tasks_yamlpath):
76240a
+            log.info("Info: Playbook {} has no '{}' tasks.".format(
76240a
+                playbook_path, " ".join(ansible_modules)))
76240a
+        else:
76240a
+            log.info("Error: {}.".format(ex))
76240a
+
76240a
+    return playbook_ok
76240a
+
76240a
+
76240a
+def main():
76240a
+    args = parse_command_line_args()
76240a
+
76240a
+    all_playbooks_ok = True
76240a
+    for dir_item in os.listdir(args.ansible_dir):
76240a
+        if dir_item.endswith(".yml"):
76240a
+            playbook_path = os.path.join(args.ansible_dir, dir_item)
76240a
+
76240a
+            if not check_playbook_file_removed_and_added(playbook_path):
76240a
+                all_playbooks_ok = False
76240a
+
76240a
+    if not all_playbooks_ok:
76240a
+        sys.exit(1)
76240a
+
76240a
+
76240a
+if __name__ == "__main__":
76240a
+    main()
76240a
76240a
From e6d727762ba446cad94f1e002fa7a7fef0f1a4cb Mon Sep 17 00:00:00 2001
76240a
From: Watson Sato <wsato@redhat.com>
76240a
Date: Wed, 11 Aug 2021 09:48:14 +0200
76240a
Subject: [PATCH 2/3] Unit tests the function for file removed and added
76240a
76240a
Add a unit test for the core function that checks if any playbook
76240a
removes a file and then reintroduces it back.
76240a
---
76240a
 tests/CMakeLists.txt                          |  6 ++
76240a
 .../file_block_removed_and_added.yml          | 69 +++++++++++++++++++
76240a
 .../file_not_removed_and_added.yml            | 49 +++++++++++++
76240a
 .../file_removed_and_added.yml                | 62 +++++++++++++++++
76240a
 .../file_removed_and_not_added.yml            | 46 +++++++++++++
76240a
 ...t_check_playbook_file_removed_and_added.py | 39 +++++++++++
76240a
 6 files changed, 271 insertions(+)
76240a
 create mode 100644 tests/ansible_file_removed_and_added/file_block_removed_and_added.yml
76240a
 create mode 100644 tests/ansible_file_removed_and_added/file_not_removed_and_added.yml
76240a
 create mode 100644 tests/ansible_file_removed_and_added/file_removed_and_added.yml
76240a
 create mode 100644 tests/ansible_file_removed_and_added/file_removed_and_not_added.yml
76240a
 create mode 100644 tests/test_check_playbook_file_removed_and_added.py
76240a
76240a
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
76240a
index 739cc124035..000a1b1385d 100644
76240a
--- a/tests/CMakeLists.txt
76240a
+++ b/tests/CMakeLists.txt
76240a
@@ -123,6 +123,12 @@ set_tests_properties("fix_rules-sort_subkeys" PROPERTIES LABELS quick)
76240a
 set_tests_properties("fix_rules-sort_subkeys" PROPERTIES DEPENDS "test-rule-dir-json")
76240a
 
76240a
 if (PY_YAMLPATH)
76240a
+    if (PY_PYTEST)
76240a
+        add_test(
76240a
+            NAME "test-function-check_playbook_file_removed_and_added"
76240a
+            COMMAND "${PYTHON_EXECUTABLE}" -m pytest ${PYTEST_COVERAGE_OPTIONS} "${CMAKE_CURRENT_SOURCE_DIR}/test_check_playbook_file_removed_and_added.py"
76240a
+        )
76240a
+    endif()
76240a
     add_test(
76240a
         NAME "ansible-file-removed-and-added"
76240a
         COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_CURRENT_SOURCE_DIR}/test_ansible_file_removed_and_added.py" --ansible_dir "${CMAKE_BINARY_DIR}/ansible"
76240a
diff --git a/tests/ansible_file_removed_and_added/file_block_removed_and_added.yml b/tests/ansible_file_removed_and_added/file_block_removed_and_added.yml
76240a
new file mode 100644
76240a
index 00000000000..8863b333129
76240a
--- /dev/null
76240a
+++ b/tests/ansible_file_removed_and_added/file_block_removed_and_added.yml
76240a
@@ -0,0 +1,69 @@
76240a
+---
76240a
+
76240a
+- hosts: all
76240a
+  vars:
76240a
+    var_system_crypto_policy: !!str FUTURE
76240a
+    var_sudo_logfile: !!str /var/log/sudo.log
76240a
+
76240a
+  tasks:
76240a
+    - name: Modify the System Login Banner - add correct banner
76240a
+      lineinfile:
76240a
+        dest: /etc/issue
76240a
+        line: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*)\|.*\)$",
76240a
+          "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
76240a
+          "\n") | regex_replace("\\", "") | wordwrap() }}'
76240a
+        create: true
76240a
+      when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
76240a
+      tags:
76240a
+        - banner_etc_issue
76240a
+        - low_complexity
76240a
+        - medium_disruption
76240a
+        - medium_severity
76240a
+        - no_reboot_needed
76240a
+        - unknown_strategy
76240a
+
76240a
+    - name: Test for existence /etc/issue
76240a
+      stat:
76240a
+        path: /etc/issue
76240a
+      register: file_exists
76240a
+      tags:
76240a
+        - configure_strategy
76240a
+        - file_permissions_etc_issue
76240a
+        - low_complexity
76240a
+        - low_disruption
76240a
+        - medium_severity
76240a
+        - no_reboot_needed
76240a
+
76240a
+    - name: Ensure permission 0644 on /etc/issue
76240a
+      file:
76240a
+        path: /etc/issue
76240a
+        mode: '0644'
76240a
+      when: file_exists.stat is defined and file_exists.stat.exists
76240a
+      tags:
76240a
+        - configure_strategy
76240a
+        - file_permissions_etc_issue
76240a
+        - low_complexity
76240a
+        - low_disruption
76240a
+        - medium_severity
76240a
+        - no_reboot_needed
76240a
+
76240a
+    - block:
76240a
+
76240a
+        - name: Remove Rsh Trust Files
76240a
+          file:
76240a
+            path: /root/shosts.equiv
76240a
+            state: absent
76240a
+
76240a
+        - name: Add line to /root/shosts.equiv
76240a
+          lineinfile:
76240a
+            dest: /root/shosts.equiv
76240a
+            line: 'test host'
76240a
+            create: true
76240a
+      tags:
76240a
+        - high_severity
76240a
+        - low_complexity
76240a
+        - low_disruption
76240a
+        - no_reboot_needed
76240a
+        - no_rsh_trust_files
76240a
+        - restrict_strategy
76240a
+
76240a
diff --git a/tests/ansible_file_removed_and_added/file_not_removed_and_added.yml b/tests/ansible_file_removed_and_added/file_not_removed_and_added.yml
76240a
new file mode 100644
76240a
index 00000000000..3d3e53b958f
76240a
--- /dev/null
76240a
+++ b/tests/ansible_file_removed_and_added/file_not_removed_and_added.yml
76240a
@@ -0,0 +1,49 @@
76240a
+---
76240a
+
76240a
+- hosts: all
76240a
+  vars:
76240a
+    var_system_crypto_policy: !!str FUTURE
76240a
+    var_sudo_logfile: !!str /var/log/sudo.log
76240a
+
76240a
+  tasks:
76240a
+    - name: Modify the System Login Banner - add correct banner
76240a
+      lineinfile:
76240a
+        dest: /etc/issue
76240a
+        line: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*)\|.*\)$",
76240a
+          "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
76240a
+          "\n") | regex_replace("\\", "") | wordwrap() }}'
76240a
+        create: true
76240a
+      when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
76240a
+      tags:
76240a
+        - banner_etc_issue
76240a
+        - low_complexity
76240a
+        - medium_disruption
76240a
+        - medium_severity
76240a
+        - no_reboot_needed
76240a
+        - unknown_strategy
76240a
+
76240a
+    - name: Test for existence /etc/issue
76240a
+      stat:
76240a
+        path: /etc/issue
76240a
+      register: file_exists
76240a
+      tags:
76240a
+        - configure_strategy
76240a
+        - file_permissions_etc_issue
76240a
+        - low_complexity
76240a
+        - low_disruption
76240a
+        - medium_severity
76240a
+        - no_reboot_needed
76240a
+
76240a
+    - name: Ensure permission 0644 on /etc/issue
76240a
+      file:
76240a
+        path: /etc/issue
76240a
+        mode: '0644'
76240a
+      when: file_exists.stat is defined and file_exists.stat.exists
76240a
+      tags:
76240a
+        - configure_strategy
76240a
+        - file_permissions_etc_issue
76240a
+        - low_complexity
76240a
+        - low_disruption
76240a
+        - medium_severity
76240a
+        - no_reboot_needed
76240a
+
76240a
diff --git a/tests/ansible_file_removed_and_added/file_removed_and_added.yml b/tests/ansible_file_removed_and_added/file_removed_and_added.yml
76240a
new file mode 100644
76240a
index 00000000000..a44c39a9db2
76240a
--- /dev/null
76240a
+++ b/tests/ansible_file_removed_and_added/file_removed_and_added.yml
76240a
@@ -0,0 +1,62 @@
76240a
+---
76240a
+
76240a
+- hosts: all
76240a
+  vars:
76240a
+    var_system_crypto_policy: !!str FUTURE
76240a
+    var_sudo_logfile: !!str /var/log/sudo.log
76240a
+
76240a
+  tasks:
76240a
+    - name: Modify the System Login Banner - remove incorrect banner
76240a
+      file:
76240a
+        state: absent
76240a
+        path: /etc/issue
76240a
+      when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
76240a
+      tags:
76240a
+        - banner_etc_issue
76240a
+        - low_complexity
76240a
+        - medium_disruption
76240a
+        - medium_severity
76240a
+        - no_reboot_needed
76240a
+        - unknown_strategy
76240a
+
76240a
+    - name: Modify the System Login Banner - add correct banner
76240a
+      lineinfile:
76240a
+        dest: /etc/issue
76240a
+        line: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*)\|.*\)$",
76240a
+          "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
76240a
+          "\n") | regex_replace("\\", "") | wordwrap() }}'
76240a
+        create: true
76240a
+      when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
76240a
+      tags:
76240a
+        - banner_etc_issue
76240a
+        - low_complexity
76240a
+        - medium_disruption
76240a
+        - medium_severity
76240a
+        - no_reboot_needed
76240a
+        - unknown_strategy
76240a
+
76240a
+    - name: Test for existence /etc/issue
76240a
+      stat:
76240a
+        path: /etc/issue
76240a
+      register: file_exists
76240a
+      tags:
76240a
+        - configure_strategy
76240a
+        - file_permissions_etc_issue
76240a
+        - low_complexity
76240a
+        - low_disruption
76240a
+        - medium_severity
76240a
+        - no_reboot_needed
76240a
+
76240a
+    - name: Ensure permission 0644 on /etc/issue
76240a
+      file:
76240a
+        path: /etc/issue
76240a
+        mode: '0644'
76240a
+      when: file_exists.stat is defined and file_exists.stat.exists
76240a
+      tags:
76240a
+        - configure_strategy
76240a
+        - file_permissions_etc_issue
76240a
+        - low_complexity
76240a
+        - low_disruption
76240a
+        - medium_severity
76240a
+        - no_reboot_needed
76240a
+
76240a
diff --git a/tests/ansible_file_removed_and_added/file_removed_and_not_added.yml b/tests/ansible_file_removed_and_added/file_removed_and_not_added.yml
76240a
new file mode 100644
76240a
index 00000000000..08cda7e5063
76240a
--- /dev/null
76240a
+++ b/tests/ansible_file_removed_and_added/file_removed_and_not_added.yml
76240a
@@ -0,0 +1,46 @@
76240a
+---
76240a
+
76240a
+- hosts: all
76240a
+  vars:
76240a
+    var_system_crypto_policy: !!str FUTURE
76240a
+    var_sudo_logfile: !!str /var/log/sudo.log
76240a
+
76240a
+  tasks:
76240a
+    - name: Modify the System Login Banner - remove incorrect banner
76240a
+      file:
76240a
+        state: absent
76240a
+        path: /etc/issue
76240a
+      when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
76240a
+      tags:
76240a
+        - banner_etc_issue
76240a
+        - low_complexity
76240a
+        - medium_disruption
76240a
+        - medium_severity
76240a
+        - no_reboot_needed
76240a
+        - unknown_strategy
76240a
+
76240a
+    - name: Test for existence /etc/issue
76240a
+      stat:
76240a
+        path: /etc/issue
76240a
+      register: file_exists
76240a
+      tags:
76240a
+        - configure_strategy
76240a
+        - file_permissions_etc_issue
76240a
+        - low_complexity
76240a
+        - low_disruption
76240a
+        - medium_severity
76240a
+        - no_reboot_needed
76240a
+
76240a
+    - name: Ensure permission 0644 on /etc/issue
76240a
+      file:
76240a
+        path: /etc/issue
76240a
+        mode: '0644'
76240a
+      when: file_exists.stat is defined and file_exists.stat.exists
76240a
+      tags:
76240a
+        - configure_strategy
76240a
+        - file_permissions_etc_issue
76240a
+        - low_complexity
76240a
+        - low_disruption
76240a
+        - medium_severity
76240a
+        - no_reboot_needed
76240a
+
76240a
diff --git a/tests/test_check_playbook_file_removed_and_added.py b/tests/test_check_playbook_file_removed_and_added.py
76240a
new file mode 100644
76240a
index 00000000000..181bb14ed46
76240a
--- /dev/null
76240a
+++ b/tests/test_check_playbook_file_removed_and_added.py
76240a
@@ -0,0 +1,39 @@
76240a
+import os
76240a
+import pytest
76240a
+
76240a
+from .test_ansible_file_removed_and_added import check_playbook_file_removed_and_added
76240a
+
76240a
+
76240a
+def test_file_removed_and_added():
76240a
+    playbook_path = os.path.join(os.path.dirname(__file__),
76240a
+                                 "ansible_file_removed_and_added",
76240a
+                                 "file_removed_and_added.yml")
76240a
+    assert not check_playbook_file_removed_and_added(playbook_path)
76240a
+
76240a
+
76240a
+def test_file_removed_and_not_added():
76240a
+    playbook_path = os.path.join(os.path.dirname(__file__),
76240a
+                                 "ansible_file_removed_and_added",
76240a
+                                 "file_removed_and_not_added.yml")
76240a
+    assert check_playbook_file_removed_and_added(playbook_path)
76240a
+
76240a
+
76240a
+def test_file_not_removed_and_added():
76240a
+    playbook_path = os.path.join(os.path.dirname(__file__),
76240a
+                                 "ansible_file_removed_and_added",
76240a
+                                 "file_not_removed_and_added.yml")
76240a
+    assert check_playbook_file_removed_and_added(playbook_path)
76240a
+
76240a
+
76240a
+def test_file_block_removed_and_added():
76240a
+    playbook_path = os.path.join(os.path.dirname(__file__),
76240a
+                                 "ansible_file_removed_and_added",
76240a
+                                 "file_block_removed_and_added.yml")
76240a
+    assert not check_playbook_file_removed_and_added(playbook_path)
76240a
+
76240a
+
76240a
+def test_file_block_removed_and_not_added():
76240a
+    playbook_path = os.path.join(os.path.dirname(__file__),
76240a
+                                 "ansible_file_removed_and_added",
76240a
+                                 "file_block_removed_and_not_added.yml")
76240a
+    assert check_playbook_file_removed_and_added(playbook_path)
76240a
76240a
From 741ec823ac39341f8aa0649031b72d2ac36e8a64 Mon Sep 17 00:00:00 2001
76240a
From: Watson Sato <wsato@redhat.com>
76240a
Date: Thu, 12 Aug 2021 10:36:47 +0200
76240a
Subject: [PATCH 3/3] Mention Ansible static yamlpath test in docs
76240a
76240a
---
76240a
 .../developer/02_building_complianceascode.md      | 14 ++++++++++++++
76240a
 1 file changed, 14 insertions(+)
76240a
76240a
diff --git a/docs/manual/developer/02_building_complianceascode.md b/docs/manual/developer/02_building_complianceascode.md
76240a
index d536df0a259..87469bf5f9b 100644
76240a
--- a/docs/manual/developer/02_building_complianceascode.md
76240a
+++ b/docs/manual/developer/02_building_complianceascode.md
76240a
@@ -64,6 +64,20 @@ yum install yamllint ansible-lint
76240a
 apt-get install yamllint ansible-lint
76240a
 ```
76240a
 
76240a
+### Static Ansible Playbooks tests
76240a
+
76240a
+Install `yamlpath` and `pytest` to run tests cases that analyse the Ansible
76240a
+Playbooks' yaml nodes.
76240a
+```bash
76240a
+pip3 install yamlpath
76240a
+
76240a
+# Fedora/RHEL
76240a
+yum install python3-pytest
76240a
+
76240a
+# Ubuntu/Debian
76240a
+apt-get install python-pytest
76240a
+```
76240a
+
76240a
 ### Ninja (Faster Builds)
76240a
 
76240a
 Install the `ninja` build system if you want to use it instead of