--- - name: Verify hosts: all become: true environment: http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" roles: - geerlingguy.git tasks: - name: install fake SuSE-release for cinc compatibility copy: content: | openSUSE Faked Enterprise 2020 (x86_64) VERSION = 2020 CODENAME = Faked Feature dest: /etc/SuSE-release owner: root group: root mode: '0444' when: ansible_facts.os_family == 'Suse' - name: install git for SuSE since geerlinguy.git does not support it zypper: name: git state: present when: ansible_facts.os_family == 'Suse' - name: Run the equivalent of "apt-get update" as a separate step apt: update_cache: true when: ansible_facts.os_family == 'Debian' - name: install required tools on debian apt: name: procps when: ansible_facts.os_family == 'Debian' - name: include PAM tests include_tasks: verify_tasks/pam.yml when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat' - name: include YUM tests include_tasks: verify_tasks/yum.yml when: ansible_facts.os_family == 'RedHat' - name: download cinc-auditor get_url: url: https://omnitruck.cinc.sh/install.sh dest: /tmp/install.sh mode: '0775' - name: install cinc-auditor shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4" - name: Execute cinc-auditor tests # noqa ignore-errors command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip" register: test_results changed_when: false ignore_errors: true - name: Display details about the cinc-auditor results debug: msg: "{{ test_results.stdout_lines }}" - name: Fail when tests fail fail: msg: "Inspec failed to validate" when: test_results.rc != 0