add verify-task to check if mysql is running and enabled (#608)

* add verify-task to check if mysql is running and enabled Signed-off-by: Sebastian Gumprich <[email protected]> * Update molecule/mysql_hardening/verify_tasks/service.yml Co-authored-by: schurzi <[email protected]> Signed-off-by: Sebastian Gumprich <[email protected]> Co-authored-by: schurzi <[email protected]>
dev-sec · Dec 7, 2022 · be0642b · be0642b
1 parent b0454fa
commit be0642b
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 1 deletion.
diff --git a/molecule/mysql_hardening/verify.yml b/molecule/mysql_hardening/verify.yml
@@ -34,6 +34,9 @@
         update_cache: true
       when: ansible_distribution == 'Debian'
 
+    - name: include tests for the service
+      include_tasks: verify_tasks/service.yml
+
     - name: download cinc-auditor
       get_url:
         url: https://omnitruck.cinc.sh/install.sh

diff --git a/molecule/mysql_hardening/verify_tasks/service.yml b/molecule/mysql_hardening/verify_tasks/service.yml
@@ -0,0 +1,16 @@
+---
+- name: Load variables from role to use the "mysql_daemon" variable
+  ansible.builtin.include_role:
+    name: devsec.hardening.mysql_hardening
+    apply:
+      tags:
+        - never
+
+- name: Populate service facts
+  ansible.builtin.service_facts:
+
+- name: Check if MySQL is running and enabled
+  assert:
+    that:
+      - "ansible_facts.services[mysql_daemon + '.service'].state == 'running'"
+      - "ansible_facts.services[mysql_daemon + '.service'].status == 'enabled'"
diff --git a/roles/mysql_hardening/vars/Debian.yml b/roles/mysql_hardening/vars/Debian.yml
@@ -1,5 +1,5 @@
 ---
-mysql_daemon: mysql
+mysql_daemon: mariadb
 
 mysql_hardening_mysql_conf_file: '/etc/mysql/my.cnf'
 mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d'