ansible-collection-hardening/molecule/os_hardening_vm/verify.yml

---
- name: Verify
  hosts: all
  become: true
  environment:
    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
  tasks:
    # temp. disabled - https://github.com/dev-sec/ansible-collection-hardening/issues/690
    #    - name: Include PAM tests
    #      ansible.builtin.include_tasks: verify_tasks/pam.yml
    #      when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'

    - name: Include YUM tests
      ansible.builtin.include_tasks: verify_tasks/yum.yml
      when: ansible_facts.os_family == 'RedHat'

- name: Verify
  hosts: localhost
  environment:
    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
  tasks:
    - name: Get ssh-config
      ansible.builtin.command:
        cmd: vagrant ssh-config
        chdir: "{{ molecule_ephemeral_directory }}"
      register: ssh_config
      changed_when: false

    - name: Create ssh-config file
      ansible.builtin.copy:
        content: "{{ ssh_config.stdout_lines | join ('\n') }}"
        dest: "{{ molecule_ephemeral_directory }}/ssh-config"
        mode: "0400"
      changed_when: false

    - name: Execute cinc-auditor tests
      ansible.builtin.command: >
        docker run --rm
        --volume {{ molecule_ephemeral_directory }}:{{ molecule_ephemeral_directory }}
        docker.io/cincproject/auditor exec
        --ssh-config-file={{ molecule_ephemeral_directory }}/ssh-config
        -t ssh://{{ lookup('env', 'USER') }}
        --sudo --no-show-progress --no-color
        --no-distinct-exit https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip
      register: test_results
      changed_when: false
      ignore_errors: true

    - name: Display details about the cinc-auditor results
      ansible.builtin.debug:
        msg: "{{ test_results.stdout_lines }}"

    - name: Fail when tests fail
      ansible.builtin.fail:
        msg: Inspec failed to validate
      when: test_results.rc != 0
add testing of os_hardning on vm Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> 2022-07-08 22:52:58 +00:00			`---`
			`- name: Verify`
			`hosts: all`
			`become: true`
			`environment:`
			`http_proxy: "{{ lookup('env', 'http_proxy') \| default(omit) }}"`
			`https_proxy: "{{ lookup('env', 'https_proxy') \| default(omit) }}"`
			`no_proxy: "{{ lookup('env', 'no_proxy') \| default(omit) }}"`
			`tasks:`
use ansible-lint to autofix problems Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> 2023-12-06 13:37:09 +00:00			`# temp. disabled - https://github.com/dev-sec/ansible-collection-hardening/issues/690`
			`# - name: Include PAM tests`
			`# ansible.builtin.include_tasks: verify_tasks/pam.yml`
			`# when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'`
add testing of os_hardning on vm Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> 2022-07-08 22:52:58 +00:00
fix lint findings Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> 2023-12-06 10:18:56 +00:00			`- name: Include YUM tests`
			`ansible.builtin.include_tasks: verify_tasks/yum.yml`
add testing of os_hardning on vm Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> 2022-07-08 22:52:58 +00:00			`when: ansible_facts.os_family == 'RedHat'`

use docker for inspec-auditor Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> 2023-04-10 21:22:41 +00:00			`- name: Verify`
			`hosts: localhost`
			`environment:`
			`http_proxy: "{{ lookup('env', 'http_proxy') \| default(omit) }}"`
			`https_proxy: "{{ lookup('env', 'https_proxy') \| default(omit) }}"`
			`no_proxy: "{{ lookup('env', 'no_proxy') \| default(omit) }}"`
			`tasks:`
fix lint findings Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> 2023-12-06 10:18:56 +00:00			`- name: Get ssh-config`
			`ansible.builtin.command:`
use ansible-lint to autofix problems Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> 2023-12-06 13:37:09 +00:00			`cmd: vagrant ssh-config`
use docker for inspec-auditor Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> 2023-04-10 21:22:41 +00:00			`chdir: "{{ molecule_ephemeral_directory }}"`
			`register: ssh_config`
			`changed_when: false`
add testing of os_hardning on vm Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> 2022-07-08 22:52:58 +00:00
fix lint findings Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> 2023-12-06 10:18:56 +00:00			`- name: Create ssh-config file`
use ansible-lint to autofix problems Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> 2023-12-06 13:37:09 +00:00			`ansible.builtin.copy:`
use docker for inspec-auditor Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> 2023-04-10 21:22:41 +00:00			`content: "{{ ssh_config.stdout_lines \| join ('\n') }}"`
			`dest: "{{ molecule_ephemeral_directory }}/ssh-config"`
manually fix remaining problems Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> 2023-12-06 14:27:21 +00:00			`mode: "0400"`
use docker for inspec-auditor Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> 2023-04-10 21:22:41 +00:00			`changed_when: false`
add testing of os_hardning on vm Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> 2022-07-08 22:52:58 +00:00
use docker for inspec-auditor Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> 2023-04-10 21:22:41 +00:00			`- name: Execute cinc-auditor tests`
fix lint findings Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> 2023-12-06 10:18:56 +00:00			`ansible.builtin.command: >`
Remove Docker containers on self-hosted runner after tests Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> 2024-02-04 09:54:22 +00:00			`docker run --rm`
use docker for inspec-auditor Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> 2023-04-10 21:22:41 +00:00			`--volume {{ molecule_ephemeral_directory }}:{{ molecule_ephemeral_directory }}`
			`docker.io/cincproject/auditor exec`
			`--ssh-config-file={{ molecule_ephemeral_directory }}/ssh-config`
			`-t ssh://{{ lookup('env', 'USER') }}`
			`--sudo --no-show-progress --no-color`
			`--no-distinct-exit https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip`
add testing of os_hardning on vm Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> 2022-07-08 22:52:58 +00:00			`register: test_results`
			`changed_when: false`
			`ignore_errors: true`

			`- name: Display details about the cinc-auditor results`
fix lint findings Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> 2023-12-06 10:18:56 +00:00			`ansible.builtin.debug:`
add testing of os_hardning on vm Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> 2022-07-08 22:52:58 +00:00			`msg: "{{ test_results.stdout_lines }}"`

			`- name: Fail when tests fail`
fix lint findings Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> 2023-12-06 10:18:56 +00:00			`ansible.builtin.fail:`
use ansible-lint to autofix problems Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> 2023-12-06 13:37:09 +00:00			`msg: Inspec failed to validate`
add testing of os_hardning on vm Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> 2022-07-08 22:52:58 +00:00			`when: test_results.rc != 0`