---
- name: Verify
  hosts: all
  become: true
  environment:
    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
  tasks:
    - name: set ansible_python_interpreter to "/usr/bin/python3"
      set_fact:
        ansible_python_interpreter: "/usr/bin/python3"
      when: ansible_facts.distribution == 'Fedora'

    - name: include verification tasks
      ansible.builtin.include_tasks:
        file: "{{ item }}"
      loop: 
        - verify_tasks/sys_account_shell.yml
        - verify_tasks/pw_ageing.yml
        - verify_tasks/netrc.yml
        - verify_tasks/ignore_home_folders.yml

# temp. disabled - https://github.com/dev-sec/ansible-collection-hardening/issues/690
#    - name: include PAM tests
#      include_tasks: verify_tasks/pam.yml
#      when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'

    - name: include YUM tests
      include_tasks: verify_tasks/yum.yml
      when: ansible_facts.os_family == 'RedHat'

- name: Verify
  hosts: localhost
  environment:
    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
  tasks:
    - name: Execute cinc-auditor tests
      command: >
        docker run
        --volume /run/docker.sock:/run/docker.sock
        --volume {{ playbook_dir }}/waivers.yaml:/waivers.yaml
        docker.io/cincproject/auditor exec
        -t docker://instance
        --no-show-progress --no-color
        --waiver-file /waivers.yaml
        --no-distinct-exit https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip
      register: test_results
      changed_when: false
      ignore_errors: true

    - name: Display details about the cinc-auditor results
      debug:
        msg: "{{ test_results.stdout_lines }}"

    - name: Fail when tests fail
      fail:
        msg: "Inspec failed to validate"
      when: test_results.rc != 0

- name: Verify
  hosts: all
  become: true
  environment:
    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
  collections:
    - devsec.hardening
  tasks:
    # test if variable can be overridden
    - name: workaround for https://github.com/ansible/ansible/issues/66304
      set_fact:
        ansible_virtualization_type: "docker"
        os_env_umask: "027 #override"

    - include_role:
        name: os_hardening

    - name: verify os_env_umask
      shell:
        cmd: "grep '027 #override' /etc/login.defs"
      changed_when: false