ansible-collection-hardening/molecule/os_hardening_vm/verify.yml

---
- name: Verify
  hosts: all
  become: true
  environment:
    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
  roles:
    - geerlingguy.git
  tasks:
    - name: install fake SuSE-release for cinc compatibility
      copy:
        content: |
          openSUSE Faked Enterprise 2020 (x86_64)
          VERSION = 2020
          CODENAME = Faked Feature
        dest: /etc/SuSE-release
        owner: root
        group: root
        mode: '0444'
      when: ansible_facts.os_family == 'Suse'

    - name: install git for SuSE since geerlinguy.git does not support it
      zypper:
        name: git
        state: present
      when: ansible_facts.os_family == 'Suse'

    - name: Run the equivalent of "apt-get update" as a separate step
      apt:
        update_cache: true
      when: ansible_facts.os_family == 'Debian'

    - name: install required tools on debian
      apt:
        name: procps
      when: ansible_facts.os_family == 'Debian'

    - name: include PAM tests
      include_tasks: verify_tasks/pam.yml
      when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'

    - name: include YUM tests
      include_tasks: verify_tasks/yum.yml
      when: ansible_facts.os_family == 'RedHat'

    - name: download cinc-auditor
      get_url:
        url: https://omnitruck.cinc.sh/install.sh
        dest: /tmp/install.sh
        mode: '0775'

    - name: install cinc-auditor
      shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"

    - name: Execute cinc-auditor tests  # noqa ignore-errors
      command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip"
      register: test_results
      changed_when: false
      ignore_errors: true

    - name: Display details about the cinc-auditor results
      debug:
        msg: "{{ test_results.stdout_lines }}"

    - name: Fail when tests fail
      fail:
        msg: "Inspec failed to validate"
      when: test_results.rc != 0
add testing of os_hardning on vm Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> 2022-07-08 22:52:58 +00:00			`---`
			`- name: Verify`
			`hosts: all`
			`become: true`
			`environment:`
			`http_proxy: "{{ lookup('env', 'http_proxy') \| default(omit) }}"`
			`https_proxy: "{{ lookup('env', 'https_proxy') \| default(omit) }}"`
			`no_proxy: "{{ lookup('env', 'no_proxy') \| default(omit) }}"`
			`roles:`
			`- geerlingguy.git`
			`tasks:`
			`- name: install fake SuSE-release for cinc compatibility`
			`copy:`
			`content: \|`
			`openSUSE Faked Enterprise 2020 (x86_64)`
			`VERSION = 2020`
			`CODENAME = Faked Feature`
			`dest: /etc/SuSE-release`
			`owner: root`
			`group: root`
			`mode: '0444'`
			`when: ansible_facts.os_family == 'Suse'`

			`- name: install git for SuSE since geerlinguy.git does not support it`
			`zypper:`
			`name: git`
			`state: present`
			`when: ansible_facts.os_family == 'Suse'`

			`- name: Run the equivalent of "apt-get update" as a separate step`
			`apt:`
			`update_cache: true`
			`when: ansible_facts.os_family == 'Debian'`

			`- name: install required tools on debian`
			`apt:`
			`name: procps`
			`when: ansible_facts.os_family == 'Debian'`

			`- name: include PAM tests`
			`include_tasks: verify_tasks/pam.yml`
			`when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'`

			`- name: include YUM tests`
			`include_tasks: verify_tasks/yum.yml`
			`when: ansible_facts.os_family == 'RedHat'`

			`- name: download cinc-auditor`
			`get_url:`
			`url: https://omnitruck.cinc.sh/install.sh`
			`dest: /tmp/install.sh`
			`mode: '0775'`

			`- name: install cinc-auditor`
			`shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"`

			`- name: Execute cinc-auditor tests # noqa ignore-errors`
remove waiver Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> 2022-07-09 00:22:35 +00:00			`command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip"`
add testing of os_hardning on vm Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> 2022-07-08 22:52:58 +00:00			`register: test_results`
			`changed_when: false`
			`ignore_errors: true`

			`- name: Display details about the cinc-auditor results`
			`debug:`
			`msg: "{{ test_results.stdout_lines }}"`

			`- name: Fail when tests fail`
			`fail:`
			`msg: "Inspec failed to validate"`
			`when: test_results.rc != 0`