ansible-collection-hardening/molecule/ssh_hardening/verify.yml
schurzi 2882a15ee1
Merge pull request #427 from dev-sec/snoopotic-fix/add_auditd_restart_handler
add restart-auditd handler after configuration change
2021-03-29 21:15:46 +02:00

57 lines
1.7 KiB
YAML

---
- name: Verify
hosts: all
become: true
environment:
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
roles:
- geerlingguy.git
tasks:
- name: install fake SuSE-release for cinc compatibility
copy:
content: |
openSUSE Faked Enterprise 2020 (x86_64)
VERSION = 2020
CODENAME = Faked Feature
dest: /etc/SuSE-release
owner: root
group: root
mode: '0444'
when: ansible_facts.os_family == 'Suse'
- name: install git for SuSE since geerlinguy.git does not support it
zypper:
name: git
state: present
when: ansible_facts.os_family == 'Suse'
- name: install crypto compat modules on fedora
dnf:
name: libxcrypt-compat
when: ansible_facts.distribution == 'Fedora'
- name: download cinc-auditor
get_url:
url: https://omnitruck.cinc.sh/install.sh
dest: /tmp/install.sh
mode: '0775'
- name: install cinc-auditor
shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"
- name: Execute cinc-auditor tests
command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit supermarket://dev-sec/nginx-baseline"
register: test_results
changed_when: false
ignore_errors: true
- name: Display details about the cinc-auditor results
debug:
msg: "{{ test_results.stdout_lines }}"
- name: Fail when tests fail
fail:
msg: "Inspec failed to validate"
when: test_results.rc != 0