Mirrors/ansible-collection-hardening
2
0
Fork 0
mirror of https://github.com/dev-sec/ansible-collection-hardening synced 2024-11-10 09:14:18 +00:00
Code Issues Projects Releases Packages Wiki Activity
ansible-collection-hardening/molecule/os_hardening/verify.yml
schurzi 15f2de8b44
fix os ci (#711) 
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-12 20:45:30 +01:00

85 lines
2.8 KiB
YAML
Raw Blame History

---
- name: Verify
hosts: all
become: true
environment:
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- name: set ansible_python_interpreter to "/usr/bin/python3"
set_fact:
ansible_python_interpreter: "/usr/bin/python3"
when: ansible_facts.distribution == 'Fedora'
- name: include verification tasks
ansible.builtin.include_tasks:
file: "{{ item }}"
loop:
- verify_tasks/sys_account_shell.yml
- verify_tasks/pw_ageing.yml
- verify_tasks/netrc.yml
- verify_tasks/ignore_home_folders.yml
# temp. disabled - https://github.com/dev-sec/ansible-collection-hardening/issues/690
# - name: include PAM tests
# include_tasks: verify_tasks/pam.yml
# when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'
- name: include YUM tests
include_tasks: verify_tasks/yum.yml
when: ansible_facts.os_family == 'RedHat'
- name: Verify
hosts: localhost
environment:
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- name: Execute cinc-auditor tests
command: >
docker run
--volume /run/docker.sock:/run/docker.sock
--volume {{ playbook_dir }}/waivers.yaml:/waivers.yaml
docker.io/cincproject/auditor exec
-t docker://instance
--no-show-progress --no-color
--waiver-file /waivers.yaml
--no-distinct-exit https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip
register: test_results
changed_when: false
ignore_errors: true
- name: Display details about the cinc-auditor results
debug:
msg: "{{ test_results.stdout_lines }}"
- name: Fail when tests fail
fail:
msg: "Inspec failed to validate"
when: test_results.rc != 0
- name: Verify
hosts: all
become: true
environment:
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
collections:
- devsec.hardening
tasks:
# test if variable can be overridden
- name: workaround for https://github.com/ansible/ansible/issues/66304
set_fact:
ansible_virtualization_type: "docker"
os_env_umask: "027 #override"
- include_role:
name: os_hardening
- name: verify os_env_umask
shell:
cmd: "grep '027 #override' /etc/login.defs"
changed_when: false
Reference in a new issue View git blame Copy permalink