2020-11-07 20:19:43 +00:00
|
|
|
---
|
|
|
|
|
- name: Verify
|
|
|
|
|
hosts: all
|
|
|
|
|
become: true
|
2021-03-19 14:45:06 +00:00
|
|
|
environment:
|
|
|
|
|
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
|
|
|
|
|
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
|
|
|
|
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
2020-11-07 20:19:43 +00:00
|
|
|
roles:
|
|
|
|
|
- geerlingguy.git
|
|
|
|
|
tasks:
|
|
|
|
|
- name: install fake SuSE-release for cinc compatibility
|
|
|
|
|
copy:
|
|
|
|
|
content: |
|
|
|
|
|
openSUSE Faked Enterprise 2020 (x86_64)
|
|
|
|
|
VERSION = 2020
|
|
|
|
|
CODENAME = Faked Feature
|
|
|
|
|
dest: /etc/SuSE-release
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
mode: '0444'
|
|
|
|
|
when: ansible_facts.os_family == 'Suse'
|
|
|
|
|
|
|
|
|
|
- name: install git for SuSE since geerlinguy.git does not support it
|
|
|
|
|
zypper:
|
|
|
|
|
name: git
|
|
|
|
|
state: present
|
|
|
|
|
when: ansible_facts.os_family == 'Suse'
|
|
|
|
|
|
|
|
|
|
- name: Run the equivalent of "apt-get update" as a separate step
|
|
|
|
|
apt:
|
|
|
|
|
update_cache: true
|
|
|
|
|
when: ansible_facts.os_family == 'Debian'
|
|
|
|
|
|
|
|
|
|
- name: install required tools on debian
|
|
|
|
|
apt:
|
|
|
|
|
name: procps
|
|
|
|
|
when: ansible_facts.os_family == 'Debian'
|
|
|
|
|
|
2021-02-22 14:54:03 +00:00
|
|
|
- name: include PAM tests
|
|
|
|
|
include: verify_pam.yml
|
|
|
|
|
when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'
|
|
|
|
|
|
2020-11-07 20:19:43 +00:00
|
|
|
- name: download cinc-auditor
|
|
|
|
|
get_url:
|
|
|
|
|
url: https://omnitruck.cinc.sh/install.sh
|
|
|
|
|
dest: /tmp/install.sh
|
|
|
|
|
mode: '0775'
|
|
|
|
|
|
|
|
|
|
- name: install cinc-auditor
|
|
|
|
|
shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"
|
|
|
|
|
|
|
|
|
|
- name: Execute cinc-auditor tests
|
2021-10-18 18:28:19 +00:00
|
|
|
command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip"
|
2020-11-07 20:19:43 +00:00
|
|
|
register: test_results
|
|
|
|
|
changed_when: false
|
|
|
|
|
ignore_errors: true
|
|
|
|
|
|
|
|
|
|
- name: Display details about the cinc-auditor results
|
|
|
|
|
debug:
|
|
|
|
|
msg: "{{ test_results.stdout_lines }}"
|
|
|
|
|
|
|
|
|
|
- name: Fail when tests fail
|
|
|
|
|
fail:
|
|
|
|
|
msg: "Inspec failed to validate"
|
|
|
|
|
when: test_results.rc != 0
|
2020-12-20 19:46:57 +00:00
|
|
|
|
|
|
|
|
# test if variable can be overridden
|
|
|
|
|
- name: workaround for https://github.com/ansible/ansible/issues/66304
|
|
|
|
|
set_fact:
|
|
|
|
|
ansible_virtualization_type: "docker"
|
|
|
|
|
os_env_umask: "027 #override"
|
|
|
|
|
|
|
|
|
|
- include_role:
|
|
|
|
|
name: os_hardening
|
|
|
|
|
|
|
|
|
|
- name: verify os_env_umask
|
|
|
|
|
shell:
|
|
|
|
|
cmd: "grep '027 #override' /etc/login.defs"
|
|
|
|
|
changed_when: false
|
