add testing and support for current versions of Fedora and FreeBSD (#709)

* add testing and support for current versions of Fedora and FreeBSD

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* add waivers for FreeBSD

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* use original fedora images

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* also harden /home mount

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* also harden /tmp mount

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* test mock efi directory

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* remove mock

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* umount efi

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* add /tmp to special mountpoints

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* set options for /tmp mount

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* create /tmp mount

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* create /tmp mount and mount it ...

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* make fewer changes to default test run

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* use correct Ansible var

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

---------

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
This commit is contained in:
schurzi 2023-11-16 09:14:03 +01:00 committed by GitHub
parent 4a5a6e18e7
commit 3d98cbf67b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 43 additions and 20 deletions


@ -39,8 +39,8 @@ jobs:
- centosstream9 - centosstream9
- rocky8 - rocky8
- rocky9 - rocky9
- fedora37
- fedora38 - fedora38
- fedora39
- ubuntu1804 - ubuntu1804
- ubuntu2004 - ubuntu2004
- ubuntu2204 - ubuntu2204


@ -34,21 +34,21 @@ jobs:
fail-fast: false fail-fast: false
matrix: matrix:
molecule_distro: molecule_distro:
- centos7 - generic/centos7
- centos8s - generic/centos8s
- centos9s - generic/centos9s
- rocky8 - generic/rocky8
- rocky9 - generic/rocky9
- fedora37 - fedora/38-cloud-base
- fedora38 - fedora/39-cloud-base
- ubuntu1804 - generic/ubuntu1804
- ubuntu2004 - generic/ubuntu2004
- ubuntu2204 - generic/ubuntu2204
- debian10 - generic/debian10
- debian11 - generic/debian11
- debian12 - generic/debian12
- opensuse15 - generic/opensuse15
# - arch # needs fix for audit # - generic/arch # needs fix for audit
steps: steps:
- name: Checkout repo - name: Checkout repo
uses: actions/checkout@v4 uses: actions/checkout@v4
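Review bot: The matrix entries are now full Vagrant Cloud box names, which makes the provenance of each test image a property of this list: `generic/*` is a community-maintained namespace rather than the distribution vendors, while `fedora/*-cloud-base` is Fedora's own namespace. That is acceptable for a CI matrix, but nothing here records that the string is consumed verbatim as the box name downstream, so a future entry could silently pull from an unreviewed namespace. A short comment above `molecule_distro:` would make the trust boundary explicit, e.g. `# full Vagrant Cloud box name, used verbatim by molecule.yml; generic/* are community builds, fedora/* are official images`. The `jobs:` mapping starts before this hunk.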


@ -39,8 +39,8 @@ jobs:
- centosstream9 - centosstream9
- rocky8 - rocky8
- rocky9 - rocky9
- fedora37
- fedora38 - fedora38
- fedora39
- ubuntu1804 - ubuntu1804
- ubuntu2004 - ubuntu2004
- ubuntu2204 - ubuntu2204


@ -36,6 +36,8 @@ jobs:
molecule_distro: molecule_distro:
- openbsd7 - openbsd7
- freebsd12 - freebsd12
- freebsd13
- freebsd14
steps: steps:
- name: Checkout repo - name: Checkout repo
uses: actions/checkout@v4 uses: actions/checkout@v4


@ -39,8 +39,8 @@ jobs:
- centosstream9 - centosstream9
- rocky8 - rocky8
- rocky9 - rocky9
- fedora37
- fedora38 - fedora38
- fedora39
- ubuntu1804 - ubuntu1804
- ubuntu2004 - ubuntu2004
- ubuntu2204 - ubuntu2204


@ -13,6 +13,12 @@
set_fact: set_fact:
os_mnt_boot_enabled: false os_mnt_boot_enabled: false
when: ansible_facts.os_family == 'Archlinux' when: ansible_facts.os_family == 'Archlinux'
- name: overrides for Fedora image
set_fact:
os_mnt_tmp_enabled: true
os_mnt_tmp_src: "tmpfs"
os_mnt_tmp_filesystem: "tmpfs"
when: ansible_facts.distribution == 'Fedora'
- include_role: - include_role:
name: os_hardening name: os_hardening
vars: vars:
@ -20,4 +26,5 @@
os_auth_lockout_time: 15 os_auth_lockout_time: 15
os_yum_repo_file_whitelist: ['foo.repo'] os_yum_repo_file_whitelist: ['foo.repo']
os_mnt_boot_enabled: true os_mnt_boot_enabled: true
os_mnt_home_enabled: true
os_mnt_boot_src: "/dev/vda1" os_mnt_boot_src: "/dev/vda1"
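Review bot: The new `overrides for Fedora image` task gives no reason for forcing `os_mnt_tmp_src`/`os_mnt_tmp_filesystem` to `tmpfs`, and it is the only override in this file that turns a mount on rather than off, so a why-comment is warranted; presumably Fedora already mounts `/tmp` as tmpfs via systemd's tmp.mount and the role needs matching values so the fstab entry it writes agrees with the live mount, e.g. `# Fedora ships /tmp on tmpfs (systemd tmp.mount); give the role the same source/fstype so its fstab entry matches the existing mount`. Whether the role caps the tmpfs with a `size=` option is not visible here; without one an unprivileged user can fill the tmpfs default (half of RAM), so confirm the default `/tmp` options before reusing this override outside the test. Separately, Ansible ranks include_role params above `set_fact`, so the `os_mnt_boot_enabled: true` in the `vars:` block below appears to defeat the Archlinux `set_fact` override above it — worth checking, since any future per-distribution override of `os_mnt_home_enabled` would hit the same precedence issue. The `include_role` task continues outside this hunk.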


@ -12,7 +12,7 @@ platforms:
# since we also need to use different OS users to run the tests because of how molecule operates, # since we also need to use different OS users to run the tests because of how molecule operates,
# the VM names must be predictable by OS user (to clean up canceled runs) # the VM names must be predictable by OS user (to clean up canceled runs)
- name: "${USER}" - name: "${USER}"
box: "generic/${MOLECULE_DISTRO}" box: "${MOLECULE_DISTRO}"
memory: 1024 memory: 1024
cpus: 2 cpus: 2
provisioner: provisioner:
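Review bot: `box: "${MOLECULE_DISTRO}"` selects the image by name only, with no version pin and no checksum, so every run pulls whatever Vagrant Cloud currently serves for that name; an upstream box update changes the tested baseline without any change in this repository, and a tampered download would not be caught. If the molecule vagrant driver in use supports it, add `box_version: "${MOLECULE_BOX_VERSION}"` next to `box:` (or carry per-distro pins in the workflow matrix) and bump the pins deliberately; verify the attribute name against the driver version pinned in the project's requirements. The `platforms:` list begins before this hunk.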


@ -51,6 +51,12 @@
shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz" shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
changed_when: false changed_when: false
- name: Unmount EFI partition to get rid of vfat filesystem (qemu has no firmware image that inspec can detect)
ansible.posix.mount:
path: /boot/efi
state: unmounted
when: ansible_facts.distribution == 'Fedora'
- name: include YUM prepare tasks - name: include YUM prepare tasks
include_tasks: prepare_tasks/yum.yml include_tasks: prepare_tasks/yum.yml
when: ansible_facts.os_family == 'RedHat' when: ansible_facts.os_family == 'RedHat'
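Review bot: The task name on the `/boot/efi` unmount explains the symptom but not why hiding a vfat filesystem is safe, which invites copying the task into a hardening path where it is not. Presumably the baseline skips its vfat control only when UEFI firmware is visible, and the QEMU box boots in BIOS mode while the image still mounts `/boot/efi`, so a comment such as `# test-only: the box boots under BIOS, so inspec sees no UEFI firmware and would flag the harmless vfat /boot/efi; never unmount this on a real UEFI host` would record that. `state: unmounted` leaves fstab untouched, so the partition presumably comes back on the next boot of the box — fine for one converge, but relevant if prepare is ever rerun on a reused VM. The surrounding task list continues outside the hunk.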


@ -0,0 +1,3 @@
sshd-45:
run: false
justification: "PrintLastLog is broken on FreeBSD. see: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209441"
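Review bot: The `sshd-45` waiver sets `run: false` with no `expiration_date`, so the PrintLastLog control stays disabled permanently even after the referenced FreeBSD bug is fixed. InSpec waiver files accept an `expiration_date:` after which the waiver no longer applies; adding one, e.g. `expiration_date: 2024-11-16` (a year out from this commit), turns the entry into a reminder to re-check bug 209441 rather than a silent permanent exception. Citing the bug in `justification` is good practice and should stay.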


@ -0,0 +1,3 @@
sshd-45:
run: false
justification: "PrintLastLog is broken on FreeBSD. see: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209441"
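Review bot: This waiver file is a byte-for-byte copy of the previous one, presumably one per FreeBSD release, and two copies will drift the first time one is edited. If the test wiring allows, point both platforms at a single shared waiver file; if they must stay separate, add a comment naming the sibling file so edits are mirrored, e.g. `# keep in sync with the other FreeBSD waiver file`. As with the copy above, an `expiration_date:` would keep the `run: false` from outliving the bug it cites.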


@ -93,7 +93,7 @@
- name: Append special devices list to valid mountpoint list - name: Append special devices list to valid mountpoint list
ansible.builtin.set_fact: ansible.builtin.set_fact:
mountpoints_list: "{{ mountpoints_list + ['/dev', '/dev/shm', '/run'] }}" mountpoints_list: "{{ mountpoints_list + ['/dev', '/dev/shm', '/run', '/tmp'] }}"
- name: Minimize access for filesystems - name: Minimize access for filesystems
ansible.builtin.include_tasks: minimize_access_fs.yml ansible.builtin.include_tasks: minimize_access_fs.yml
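Review bot: Appending `/tmp` to the special-mountpoint list makes the role treat `/tmp` as a valid target even when it is not currently a separate filesystem, which is the only way the new tmpfs-on-/tmp option can work but has a side effect worth documenting: when `os_mnt_tmp_enabled` is set, the mount is laid over an existing `/tmp` directory on the root filesystem, and anything already living there (sockets, lock files of running services) becomes unreachable until those services restart. A comment above the list, e.g. `# /tmp is listed so os_mnt_tmp_* can create the mount even when /tmp is only a directory today`, would make the intent clear. Whether the role applies a `size=` limit to a tmpfs `/tmp` is not visible in this hunk; if it does not, document that the default tmpfs cap (half of RAM) applies. The enclosing task file continues outside the hunk.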


@ -27,6 +27,8 @@ galaxy_info:
- name: FreeBSD - name: FreeBSD
versions: versions:
- "12.2" - "12.2"
- "13.2"
- "14.0"
- name: OpenBSD - name: OpenBSD
versions: versions:
- "7.0" - "7.0"