use docker for inspec-auditor

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

.github/workflows/mysql_hardening.yml

@@ -46,8 +46,8 @@ jobs:
           - debian10
           - debian11
           # - amazon  # geerlingguy.mysql does not support fedora
-          # - arch  # needs to be fixed
-          - opensuse_tumbleweed  # needs to be fixed
+          - arch
+          - opensuse_tumbleweed
           # - fedora  # geerlingguy.mysql does not support fedora
     steps:
       - name: Checkout repo

.github/workflows/nginx_hardening.yml

@@ -45,8 +45,8 @@ jobs:
           - debian10
           - debian11
           - amazon2023
-          # - arch  # needs to be fixed
-          # - opensuse_tumbleweed  # needs to be fixed
+          - arch
+          - opensuse_tumbleweed
           # - fedora  # no support from geerlingguy role
     steps:
       - name: Checkout repo

.github/workflows/os_hardening.yml

@@ -46,7 +46,7 @@ jobs:
           - debian11
           - amazon2023
           - opensuse_tumbleweed
-          # - arch  # needs to be fixed
+          - arch
     steps:
       - name: Checkout repo
         uses: actions/checkout@v3

.github/workflows/os_hardening_vm.yml

@@ -45,7 +45,7 @@ jobs:
           - debian10
           - debian11
           - opensuse15
-          # - arch  # arch is currently not supported by cinc-auditor
+          - arch
     steps:
       - name: Checkout repo
         uses: actions/checkout@v3

.github/workflows/ssh_hardening_custom_tests.yml

@@ -46,8 +46,8 @@ jobs:
           - debian10
           - debian11
           - amazon2023
-          # - arch  # needs to be fixed
-          # - opensuse_tumbleweed  # baseline is not compatible with suse
+          - arch
+          - opensuse_tumbleweed
     steps:
       - name: Checkout repo
         uses: actions/checkout@v3

molecule/mysql_hardening/requirements.yml

@@ -1,7 +1,5 @@
 ---
 roles:
-  - name: geerlingguy.git
-    version: 3.0.1
   - name: dev-sec.mysql
     version: master
 

molecule/mysql_hardening/verify.yml

@@ -6,34 +6,7 @@
     http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
-  roles:
-    - geerlingguy.git
   tasks:
-    - name: install fake SuSE-release for cinc compatibility
-      copy:
-        content: |
-          openSUSE Faked Enterprise 2020 (x86_64)
-          VERSION = 2020
-          CODENAME = Faked Feature
-        dest: /etc/SuSE-release
-        owner: root
-        group: root
-        mode: '0444'
-      when: ansible_facts.os_family == 'Suse'
-
-    - name: install git for SuSE since geerlinguy.git does not support it
-      zypper:
-        name: git
-        state: present
-      when: ansible_facts.os_family == 'Suse'
-
-    - name: install procps for debian systems
-      apt:
-        name: procps
-        state: present
-        update_cache: true
-      when: ansible_distribution == 'Debian'
-
     - name: Use Python 3 on Suse
       set_fact:
         ansible_python_interpreter: /usr/bin/python3
@@ -46,17 +19,21 @@
     - name: include tests for MySQL user
       include_tasks: verify_tasks/mysql_users.yml
 
-    - name: download cinc-auditor
-      get_url:
-        url: https://omnitruck.cinc.sh/install.sh
-        dest: /tmp/install.sh
-        mode: '0775'
-
-    - name: install cinc-auditor
-      shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"
-
+- name: Verify
+  hosts: localhost
+  environment:
+    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
+    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+  tasks:
     - name: Execute cinc-auditor tests
-      command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/mysql-baseline/archive/refs/heads/master.zip"
+      command: >
+        docker run
+        --volume /run/docker.sock:/run/docker.sock
+        docker.io/cincproject/auditor exec
+        -t docker://instance
+        --no-show-progress --no-color
+        --no-distinct-exit https://github.com/dev-sec/mysql-baseline/archive/refs/heads/master.zip
       register: test_results
       changed_when: false
       ignore_errors: true

molecule/nginx_hardening/requirements.yml

@@ -1,4 +1,3 @@
 ---
 roles:
-  - geerlingguy.git
   - geerlingguy.nginx

molecule/nginx_hardening/verify.yml

@@ -1,53 +1,18 @@
----
 - name: Verify
-  hosts: all
-  become: true
+  hosts: localhost
   environment:
     http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
-  roles:
-    - geerlingguy.git
   tasks:
-    - name: install fake SuSE-release for cinc compatibility
-      copy:
-        content: |
-          openSUSE Faked Enterprise 2020 (x86_64)
-          VERSION = 2020
-          CODENAME = Faked Feature
-        dest: /etc/SuSE-release
-        owner: root
-        group: root
-        mode: '0444'
-      when: ansible_facts.os_family == 'Suse'
-
-    - name: install git for SuSE since geerlinguy.git does not support it
-      zypper:
-        name: git
-        state: present
-      when: ansible_facts.os_family == 'Suse'
-
-    - name: Run the equivalent of "apt-get update" as a separate step
-      apt:
-        update_cache: true
-      when: ansible_facts.os_family == 'Debian'
-
-    - name: install required tools on debian
-      apt:
-        name: procps
-      when: ansible_facts.os_family == 'Debian'
-
-    - name: download cinc-auditor
-      get_url:
-        url: https://omnitruck.cinc.sh/install.sh
-        dest: /tmp/install.sh
-        mode: '0775'
-
-    - name: install cinc-auditor
-      shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"
-
     - name: Execute cinc-auditor tests
-      command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/nginx-baseline/archive/refs/heads/master.zip"
+      command: >
+        docker run
+        --volume /run/docker.sock:/run/docker.sock
+        docker.io/cincproject/auditor exec
+        -t docker://instance
+        --no-show-progress --no-color
+        --no-distinct-exit https://github.com/dev-sec/nginx-baseline/archive/refs/heads/master.zip
       register: test_results
       changed_when: false
       ignore_errors: true

molecule/os_hardening/molecule.yml

@@ -1,8 +1,4 @@
 ---
-dependency:
-  name: galaxy
-  options:
-    role-file: molecule/os_hardening/requirements.yml
 driver:
   name: docker
 platforms:

molecule/os_hardening/requirements.yml

@@ -1,3 +0,0 @@
----
-roles:
-  - geerlingguy.git

molecule/os_hardening/verify.yml

@@ -6,39 +6,9 @@
     http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
-  roles:
-    - geerlingguy.git
   collections:
     - devsec.hardening
   tasks:
-    - name: install fake SuSE-release for cinc compatibility
-      copy:
-        content: |
-          openSUSE Faked Enterprise 2020 (x86_64)
-          VERSION = 2020
-          CODENAME = Faked Feature
-        dest: /etc/SuSE-release
-        owner: root
-        group: root
-        mode: '0444'
-      when: ansible_facts.os_family == 'Suse'
-
-    - name: install git for SuSE since geerlinguy.git does not support it
-      zypper:
-        name: git
-        state: present
-      when: ansible_facts.os_family == 'Suse'
-
-    - name: Run the equivalent of "apt-get update" as a separate step
-      apt:
-        update_cache: true
-      when: ansible_facts.os_family == 'Debian'
-
-    - name: install required tools on debian
-      apt:
-        name: procps
-      when: ansible_facts.os_family == 'Debian'
-
     - name: include verification tasks
       ansible.builtin.include_tasks:
         file: "{{ item }}"
@@ -56,17 +26,22 @@
       include_tasks: verify_tasks/yum.yml
       when: ansible_facts.os_family == 'RedHat'
 
-    - name: download cinc-auditor
-      get_url:
-        url: https://omnitruck.cinc.sh/install.sh
-        dest: /tmp/install.sh
-        mode: '0775'
-
-    - name: install cinc-auditor
-      shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"
-
-    - name: Execute cinc-auditor tests  # noqa ignore-errors
-      command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit --waiver-file waivers.yaml https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip"
+- name: Verify
+  hosts: localhost
+  environment:
+    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
+    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+  tasks:
+    - name: Execute cinc-auditor tests
+      command: >
+        docker run
+        --volume /run/docker.sock:/run/docker.sock
+        --volume ./waivers.yaml:/waivers.yaml
+        docker.io/cincproject/auditor exec
+        -t docker://instance
+        --no-show-progress --no-color
+        --no-distinct-exit https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip
       register: test_results
       changed_when: false
       ignore_errors: true

molecule/os_hardening_vm/verify.yml

@@ -6,36 +6,7 @@
     http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
-  roles:
-    - geerlingguy.git
   tasks:
-    - name: install fake SuSE-release for cinc compatibility
-      copy:
-        content: |
-          openSUSE Faked Enterprise 2020 (x86_64)
-          VERSION = 2020
-          CODENAME = Faked Feature
-        dest: /etc/SuSE-release
-        owner: root
-        group: root
-        mode: '0444'
-      when: ansible_facts.os_family == 'Suse'
-
-    - name: install git for SuSE since geerlinguy.git does not support it
-      zypper:
-        name: git
-        state: present
-      when: ansible_facts.os_family == 'Suse'
-
-    - name: Run the equivalent of "apt-get update" as a separate step
-      apt:
-        update_cache: true
-      when: ansible_facts.os_family == 'Debian'
-
-    - name: install required tools on debian
-      apt:
-        name: procps
-      when: ansible_facts.os_family == 'Debian'
 
     - name: include PAM tests
       include_tasks: verify_tasks/pam.yml
@@ -45,17 +16,35 @@
       include_tasks: verify_tasks/yum.yml
       when: ansible_facts.os_family == 'RedHat'
 
-    - name: download cinc-auditor
-      get_url:
-        url: https://omnitruck.cinc.sh/install.sh
-        dest: /tmp/install.sh
-        mode: '0775'
+- name: Verify
+  hosts: localhost
+  environment:
+    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
+    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+  tasks:
+    - name: get ssh-config
+      command:
+        cmd: "vagrant ssh-config"
+        chdir: "{{ molecule_ephemeral_directory }}"
+      register: ssh_config
+      changed_when: false
 
-    - name: install cinc-auditor
-      shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"
+    - name: create ssh-config file
+      copy:
+        content: "{{ ssh_config.stdout_lines | join ('\n') }}"
+        dest: "{{ molecule_ephemeral_directory }}/ssh-config"
+      changed_when: false
 
-    - name: Execute cinc-auditor tests  # noqa ignore-errors
-      command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip"
+    - name: Execute cinc-auditor tests
+      command: >
+        docker run
+        --volume {{ molecule_ephemeral_directory }}:{{ molecule_ephemeral_directory }}
+        docker.io/cincproject/auditor exec
+        --ssh-config-file={{ molecule_ephemeral_directory }}/ssh-config
+        -t ssh://{{ lookup('env', 'USER') }}
+        --sudo --no-show-progress --no-color
+        --no-distinct-exit https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip
       register: test_results
       changed_when: false
       ignore_errors: true

molecule/ssh_hardening/molecule.yml

@@ -1,8 +1,4 @@
 ---
-dependency:
-  name: galaxy
-  options:
-    role-file: molecule/ssh_hardening/requirements.yml
 driver:
   name: docker
 platforms:

molecule/ssh_hardening/requirements.yml

@@ -1,3 +0,0 @@
----
-roles:
-  - geerlingguy.git

molecule/ssh_hardening_bsd/molecule.yml

@@ -1,8 +1,4 @@
 ---
-dependency:
-  name: galaxy
-  options:
-    role-file: molecule/ssh_hardening_bsd/requirements.yml
 driver:
   name: vagrant
   provider:

molecule/ssh_hardening_bsd/requirements.yml

@@ -1,3 +0,0 @@
----
-roles:
-  - geerlingguy.git

molecule/ssh_hardening_custom_tests/molecule.yml

@@ -1,8 +1,4 @@
 ---
-dependency:
-  name: galaxy
-  options:
-    role-file: molecule/ssh_hardening/requirements.yml
 driver:
   name: docker
 platforms:

molecule/ssh_hardening_custom_tests/requirements.yml

@@ -1,3 +0,0 @@
----
-roles:
-  - geerlingguy.git