mirror of
https://github.com/dev-sec/ansible-collection-hardening
synced 2024-11-10 09:14:18 +00:00
2882a15ee1
add restart-auditd handler after configuration change
57 lines
1.7 KiB
YAML
57 lines
1.7 KiB
YAML
---
|
|
- name: Verify
|
|
hosts: all
|
|
become: true
|
|
environment:
|
|
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
|
|
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
|
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
|
roles:
|
|
- geerlingguy.git
|
|
tasks:
|
|
- name: install fake SuSE-release for cinc compatibility
|
|
copy:
|
|
content: |
|
|
openSUSE Faked Enterprise 2020 (x86_64)
|
|
VERSION = 2020
|
|
CODENAME = Faked Feature
|
|
dest: /etc/SuSE-release
|
|
owner: root
|
|
group: root
|
|
mode: '0444'
|
|
when: ansible_facts.os_family == 'Suse'
|
|
|
|
- name: install git for SuSE since geerlinguy.git does not support it
|
|
zypper:
|
|
name: git
|
|
state: present
|
|
when: ansible_facts.os_family == 'Suse'
|
|
|
|
- name: install crypto compat modules on fedora
|
|
dnf:
|
|
name: libxcrypt-compat
|
|
when: ansible_facts.distribution == 'Fedora'
|
|
|
|
- name: download cinc-auditor
|
|
get_url:
|
|
url: https://omnitruck.cinc.sh/install.sh
|
|
dest: /tmp/install.sh
|
|
mode: '0775'
|
|
|
|
- name: install cinc-auditor
|
|
shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"
|
|
|
|
- name: Execute cinc-auditor tests
|
|
command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit supermarket://dev-sec/nginx-baseline"
|
|
register: test_results
|
|
changed_when: false
|
|
ignore_errors: true
|
|
|
|
- name: Display details about the cinc-auditor results
|
|
debug:
|
|
msg: "{{ test_results.stdout_lines }}"
|
|
|
|
- name: Fail when tests fail
|
|
fail:
|
|
msg: "Inspec failed to validate"
|
|
when: test_results.rc != 0
|