diff --git a/.github/workflows/mysql_hardening.yml b/.github/workflows/mysql_hardening.yml
index 227d9bf7..9a241b09 100644
--- a/.github/workflows/mysql_hardening.yml
+++ b/.github/workflows/mysql_hardening.yml
@@ -27,7 +27,7 @@ concurrency:
 jobs:
 build:
- runs-on: ubuntu-18.04
+ runs-on: ubuntu-latest
 env:
 PY_COLORS: 1
 ANSIBLE_FORCE_COLOR: 1
@@ -46,8 +46,8 @@ jobs:
 - debian10
 - debian11
 # - amazon # geerlingguy.mysql does not support fedora
- # - arch # needs to be fixed
- - opensuse_tumbleweed # needs to be fixed
+ # - arch # geerlingguy.mysql does not support arch
+ - opensuse_tumbleweed
 # - fedora # geerlingguy.mysql does not support fedora
 steps:
 - name: Checkout repo
@@ -56,10 +56,10 @@ jobs:
 path: ansible_collections/devsec/hardening
 submodules: true
- - name: Set up Python 3.7
+ - name: Set up Python 3.11
 uses: actions/setup-python@v4
 with:
- python-version: 3.7
+ python-version: 3.11
 - name: Install dependencies
 run: |
@@ -68,11 +68,6 @@ jobs:
 pip install -r requirements.txt
 working-directory: ansible_collections/devsec/hardening
- - name: Create default collection path symlink
- run: |
- mkdir -p /home/runner/.ansible
- ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections
-
 # that was a hard one to fix. robert did it thankfully
 # https://github.com/robertdebock/ansible-role-mysql/commit/7562e99099b06282391ab7ed102b393a0406d212
 - name: disable apparmor on debian systems
diff --git a/.github/workflows/nginx_hardening.yml b/.github/workflows/nginx_hardening.yml
index 8bfe44bd..076a4b5d 100644
--- a/.github/workflows/nginx_hardening.yml
+++ b/.github/workflows/nginx_hardening.yml
@@ -26,7 +26,7 @@ concurrency:
 jobs:
 build:
- runs-on: ubuntu-18.04
+ runs-on: ubuntu-latest
 env:
 PY_COLORS: 1
 ANSIBLE_FORCE_COLOR: 1
@@ -44,7 +44,7 @@ jobs:
 - ubuntu2204
 - debian10
 - debian11
- - amazon
+ - amazon2023
 # - arch # needs to be fixed
 # - opensuse_tumbleweed # needs to be fixed
 # - fedora # no support from geerlingguy role 
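Review bot: `python-version: 3.11` in the setup-python step is an unquoted YAML float; it happens to round-trip here, but the same pattern turns `3.10` into `3.1`, so the value should be a string, `python-version: "3.11"`. The same unquoted form is introduced in nginx_hardening.yml, os_hardening.yml, ssh_hardening.yml and ssh_hardening_custom_tests.yml. Separately, `runs-on: ubuntu-latest` replaces a pinned runner image with a moving alias; pinning to a specific release such as `ubuntu-22.04` keeps the job reproducible when GitHub rolls the alias forward.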
@@ -55,10 +55,10 @@ jobs:
 path: ansible_collections/devsec/hardening
 submodules: true
- - name: Set up Python 3.7
+ - name: Set up Python 3.11
 uses: actions/setup-python@v4
 with:
- python-version: 3.7
+ python-version: 3.11
 - name: Install dependencies
 run: |
@@ -67,11 +67,6 @@ jobs:
 pip install -r requirements.txt
 working-directory: ansible_collections/devsec/hardening
- - name: Create default collection path symlink
- run: |
- mkdir -p /home/runner/.ansible
- ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections
-
 - name: Test with molecule
 run: |
 molecule --version
diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml
index 1aa83eab..685d3d45 100644
--- a/.github/workflows/os_hardening.yml
+++ b/.github/workflows/os_hardening.yml
@@ -26,7 +26,7 @@ concurrency:
 jobs:
 build:
- runs-on: ubuntu-18.04
+ runs-on: ubuntu-latest
 env:
 PY_COLORS: 1
 ANSIBLE_FORCE_COLOR: 1
@@ -39,14 +39,15 @@ jobs:
 - centosstream9
 - rocky8
 - rocky9
+ - fedora
 - ubuntu1804
 - ubuntu2004
 - ubuntu2204
 - debian10
 - debian11
- - amazon
+ - amazon2023
 - opensuse_tumbleweed
- # - arch # needs to be fixed
+ - arch
 steps:
 - name: Checkout repo
 uses: actions/checkout@v3
@@ -54,10 +55,10 @@ jobs:
 path: ansible_collections/devsec/hardening
 submodules: true
- - name: Set up Python 3.7
+ - name: Set up Python 3.11
 uses: actions/setup-python@v4
 with:
- python-version: 3.7
+ python-version: 3.11
 - name: Install dependencies
 run: |
@@ -66,11 +67,6 @@ jobs:
 pip install -r requirements.txt
 working-directory: ansible_collections/devsec/hardening
- - name: Create default collection path symlink
- run: |
- mkdir -p /home/runner/.ansible
- ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections
-
 - name: Test with molecule
 run: |
 if [ "$MOLECULE_DISTRO" = "opensuse_tumbleweed" ]; then 
diff --git a/.github/workflows/os_hardening_vm.yml b/.github/workflows/os_hardening_vm.yml
index c10d68ed..acd6f83e 100644
--- a/.github/workflows/os_hardening_vm.yml
+++ b/.github/workflows/os_hardening_vm.yml
@@ -39,13 +39,15 @@ jobs:
 - centos9s
 - rocky8
 - rocky9
+ - fedora36
+ - fedora37
 - ubuntu1804
 - ubuntu2004
 - ubuntu2204
 - debian10
 - debian11
 - opensuse15
- # - arch # arch is currently not supported by cinc-auditor
+ # - arch # needs fix for audit
 steps:
 - name: Checkout repo
 uses: actions/checkout@v3
diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml
index e3c2fefb..28247f9f 100644
--- a/.github/workflows/ssh_hardening.yml
+++ b/.github/workflows/ssh_hardening.yml
@@ -26,7 +26,7 @@ concurrency:
 jobs:
 build:
- runs-on: ubuntu-18.04
+ runs-on: ubuntu-latest
 env:
 PY_COLORS: 1
 ANSIBLE_FORCE_COLOR: 1
@@ -45,9 +45,9 @@ jobs:
 - ubuntu2204
 - debian10
 - debian11
- - amazon
- # - arch # needs to be fixed
- # - opensuse_tumbleweed # baseline is not compatible with suse
+ - amazon2023
+ - arch
+ # - opensuse_tumbleweed # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
 steps:
 - name: Checkout repo
 uses: actions/checkout@v3
@@ -55,10 +55,10 @@ jobs:
 path: ansible_collections/devsec/hardening
 submodules: true
- - name: Set up Python 3.7
+ - name: Set up Python 3.11
 uses: actions/setup-python@v4
 with:
- python-version: 3.7
+ python-version: 3.11
 - name: Install dependencies
 run: |
@@ -67,11 +67,6 @@ jobs:
 pip install -r requirements.txt
 working-directory: ansible_collections/devsec/hardening
- - name: Create default collection path symlink
- run: |
- mkdir -p /home/runner/.ansible
- ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections
-
 - name: Test with molecule
 run: |
 if [ "$MOLECULE_DISTRO" = "opensuse_tumbleweed" ]; then 
diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml
index d5e4c40a..8852350d 100644
--- a/.github/workflows/ssh_hardening_custom_tests.yml
+++ b/.github/workflows/ssh_hardening_custom_tests.yml
@@ -26,7 +26,7 @@ concurrency:
 jobs:
 build:
- runs-on: ubuntu-18.04
+ runs-on: ubuntu-latest
 env:
 PY_COLORS: 1
 ANSIBLE_FORCE_COLOR: 1
@@ -45,9 +45,9 @@ jobs:
 - ubuntu2204
 - debian10
 - debian11
- - amazon
- # - arch # needs to be fixed
- # - opensuse_tumbleweed # baseline is not compatible with suse
+ - amazon2023
+ - arch
+ # - opensuse_tumbleweed # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
 steps:
 - name: Checkout repo
 uses: actions/checkout@v3
@@ -55,10 +55,10 @@ jobs:
 path: ansible_collections/devsec/hardening
 submodules: true
- - name: Set up Python 3.7
+ - name: Set up Python 3.11
 uses: actions/setup-python@v4
 with:
- python-version: 3.7
+ python-version: 3.11
 - name: Install dependencies
 run: |
@@ -67,11 +67,6 @@ jobs:
 pip install -r requirements.txt
 working-directory: ansible_collections/devsec/hardening
- - name: Create default collection path symlink
- run: |
- mkdir -p /home/runner/.ansible
- ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections
-
 - name: Test with molecule
 run: |
 if [ "$MOLECULE_DISTRO" = "opensuse_tumbleweed" ]; then
diff --git a/molecule/mysql_hardening/molecule.yml b/molecule/mysql_hardening/molecule.yml
index 332e039c..e1f8a327 100644
--- a/molecule/mysql_hardening/molecule.yml
+++ b/molecule/mysql_hardening/molecule.yml
@@ -22,7 +22,7 @@ provisioner:
 config_options:
 defaults:
 interpreter_python: auto_silent
- callback_whitelist: profile_tasks, timer, yaml
+ callbacks_enabled: profile_tasks, timer, yaml
 verifier:
 name: ansible
diff --git a/molecule/mysql_hardening/requirements.yml b/molecule/mysql_hardening/requirements.yml
index 6748283b..df7f59cd 100644 
--- a/molecule/mysql_hardening/requirements.yml
+++ b/molecule/mysql_hardening/requirements.yml
@@ -1,7 +1,5 @@
 ---
 roles:
- - name: geerlingguy.git
- version: 3.0.1
 - name: dev-sec.mysql
 version: master
diff --git a/molecule/mysql_hardening/verify.yml b/molecule/mysql_hardening/verify.yml
index 74fa9db2..d042a07e 100644
--- a/molecule/mysql_hardening/verify.yml
+++ b/molecule/mysql_hardening/verify.yml
@@ -6,26 +6,12 @@
 http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
 https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
 no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
- roles:
- - geerlingguy.git
 tasks:
- - name: install fake SuSE-release for cinc compatibility
- copy:
- content: |
- openSUSE Faked Enterprise 2020 (x86_64)
- VERSION = 2020
- CODENAME = Faked Feature
- dest: /etc/SuSE-release
- owner: root
- group: root
- mode: '0444'
- when: ansible_facts.os_family == 'Suse'
-
- - name: install git for SuSE since geerlinguy.git does not support it
- zypper:
- name: git
- state: present
- when: ansible_facts.os_family == 'Suse'
+ - name: Use Python 3 on Suse
+ set_fact:
+ ansible_python_interpreter: /usr/bin/python3
+ when:
+ - ansible_os_family == 'Suse'
 - name: install procps for debian systems
 apt: 
@@ -34,29 +20,27 @@
 update_cache: true
 when: ansible_distribution == 'Debian'
- - name: Use Python 3 on Suse
- set_fact:
- ansible_python_interpreter: /usr/bin/python3
- when:
- - ansible_os_family == 'Suse'
-
 - name: include tests for the service
 include_tasks: verify_tasks/service.yml
 - name: include tests for MySQL user
 include_tasks: verify_tasks/mysql_users.yml
- - name: download cinc-auditor
- get_url:
- url: https://omnitruck.cinc.sh/install.sh
- dest: /tmp/install.sh
- mode: '0775'
-
- - name: install cinc-auditor
- shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"
-
+- name: Verify
+ hosts: localhost
+ environment:
+ http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
+ https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+ no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+ tasks:
 - name: Execute cinc-auditor tests
- command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/mysql-baseline/archive/refs/heads/master.zip"
+ command: >
+ docker run
+ --volume /run/docker.sock:/run/docker.sock
+ docker.io/cincproject/auditor exec
+ -t docker://instance
+ --no-show-progress --no-color
+ --no-distinct-exit https://github.com/dev-sec/mysql-baseline/archive/refs/heads/master.zip
 register: test_results
 changed_when: false
 ignore_errors: true
diff --git a/molecule/nginx_hardening/converge.yml b/molecule/nginx_hardening/converge.yml
index 4c563838..6ea30d8e 100644
--- a/molecule/nginx_hardening/converge.yml
+++ b/molecule/nginx_hardening/converge.yml
@@ -2,6 +2,8 @@
 - name: wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
 become: true
 hosts: all
+ collections:
+ - devsec.hardening
 environment:
 http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
 https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" 
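Review bot: The new Verify play runs `docker.io/cincproject/auditor` with no tag or digest and with the host docker socket mounted, so whatever the untagged reference resolves to at run time gets control of the runner's docker daemon, and two runs of the same commit can audit with different tool versions. Pin the image, e.g. `docker.io/cincproject/auditor:<TAG>@sha256:<DIGEST>` (values to be filled in), and consider pinning the baseline archive as well, which is still fetched from `master.zip` as before. The same unpinned image and socket mount are introduced in the verify.yml hunks for nginx_hardening, os_hardening and ssh_hardening; os_hardening_vm mounts the ephemeral directory instead of the socket but uses the same unpinned image.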
diff --git a/molecule/nginx_hardening/molecule.yml b/molecule/nginx_hardening/molecule.yml
index e6bc2a13..d854d08d 100644
--- a/molecule/nginx_hardening/molecule.yml
+++ b/molecule/nginx_hardening/molecule.yml
@@ -21,7 +21,7 @@ provisioner:
 config_options:
 defaults:
 interpreter_python: auto_silent
- callback_whitelist: profile_tasks, timer, yaml
+ callbacks_enabled: profile_tasks, timer, yaml
 verifier:
 name: ansible
diff --git a/molecule/nginx_hardening/requirements.yml b/molecule/nginx_hardening/requirements.yml
index a40368ae..6392c6f6 100644
--- a/molecule/nginx_hardening/requirements.yml
+++ b/molecule/nginx_hardening/requirements.yml
@@ -1,4 +1,3 @@
 ---
 roles:
- - geerlingguy.git
 - geerlingguy.nginx
diff --git a/molecule/nginx_hardening/verify.yml b/molecule/nginx_hardening/verify.yml
index d54ec0a2..11cb6c81 100644
--- a/molecule/nginx_hardening/verify.yml
+++ b/molecule/nginx_hardening/verify.yml 
@@ -6,48 +6,29 @@
 http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
 https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
 no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
- roles:
- - geerlingguy.git
 tasks:
- - name: install fake SuSE-release for cinc compatibility
- copy:
- content: |
- openSUSE Faked Enterprise 2020 (x86_64)
- VERSION = 2020
- CODENAME = Faked Feature
- dest: /etc/SuSE-release
- owner: root
- group: root
- mode: '0444'
- when: ansible_facts.os_family == 'Suse'
-
- - name: install git for SuSE since geerlinguy.git does not support it
- zypper:
- name: git
- state: present
- when: ansible_facts.os_family == 'Suse'
-
- - name: Run the equivalent of "apt-get update" as a separate step
- apt:
- update_cache: true
- when: ansible_facts.os_family == 'Debian'
-
- - name: install required tools on debian
+ - name: install procps for debian systems
 apt:
 name: procps
- when: ansible_facts.os_family == 'Debian'
-
- - name: download cinc-auditor
- get_url:
- url: https://omnitruck.cinc.sh/install.sh
- dest: /tmp/install.sh
- mode: '0775'
-
- - name: install cinc-auditor
- shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"
+ state: present
+ update_cache: true
+ when: ansible_distribution == 'Debian'
+- name: Verify
+ hosts: localhost
+ environment:
+ http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
+ https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+ no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+ tasks:
 - name: Execute cinc-auditor tests
- command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/nginx-baseline/archive/refs/heads/master.zip"
+ command: >
+ docker run
+ --volume /run/docker.sock:/run/docker.sock
+ docker.io/cincproject/auditor exec
+ -t docker://instance
+ --no-show-progress --no-color
+ --no-distinct-exit https://github.com/dev-sec/nginx-baseline/archive/refs/heads/master.zip
 register: test_results
 changed_when: false
 ignore_errors: true
diff --git a/molecule/os_hardening/molecule.yml b/molecule/os_hardening/molecule.yml
index a6070dff..31fdc6be 100644
--- a/molecule/os_hardening/molecule.yml
+++ b/molecule/os_hardening/molecule.yml
@@ -1,8 +1,4 @@
 ---
-dependency:
- name: galaxy
- options:
- role-file: molecule/os_hardening/requirements.yml
 driver:
 name: docker
 platforms:
@@ -21,7 +17,7 @@ provisioner:
 config_options:
 defaults:
 interpreter_python: auto_silent
- callback_whitelist: profile_tasks, timer, yaml
+ callbacks_enabled: profile_tasks, timer, yaml
 verifier:
 name: ansible
diff --git a/molecule/os_hardening/prepare.yml b/molecule/os_hardening/prepare.yml
index d85832c7..5479be75 100644
--- a/molecule/os_hardening/prepare.yml
+++ b/molecule/os_hardening/prepare.yml
@@ -2,8 +2,6 @@
 - name: wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing
 hosts: all
 become: true
- collections:
- - devsec.hardening
 environment:
 http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
 https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
diff --git a/molecule/os_hardening/requirements.yml b/molecule/os_hardening/requirements.yml
deleted file mode 100644
index 53fa9b49..00000000
--- a/molecule/os_hardening/requirements.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-roles:
- - geerlingguy.git
diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml
index 31a6a254..58e6d679 100644
--- a/molecule/os_hardening/verify.yml
+++ b/molecule/os_hardening/verify.yml 
@@ -6,37 +6,7 @@
 http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
 https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
 no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
- roles:
- - geerlingguy.git
 tasks:
- - name: install fake SuSE-release for cinc compatibility
- copy:
- content: |
- openSUSE Faked Enterprise 2020 (x86_64)
- VERSION = 2020
- CODENAME = Faked Feature
- dest: /etc/SuSE-release
- owner: root
- group: root
- mode: '0444'
- when: ansible_facts.os_family == 'Suse'
-
- - name: install git for SuSE since geerlinguy.git does not support it
- zypper:
- name: git
- state: present
- when: ansible_facts.os_family == 'Suse'
-
- - name: Run the equivalent of "apt-get update" as a separate step
- apt:
- update_cache: true
- when: ansible_facts.os_family == 'Debian'
-
- - name: install required tools on debian
- apt:
- name: procps
- when: ansible_facts.os_family == 'Debian'
-
 - name: include verification tasks
 ansible.builtin.include_tasks:
 file: "{{ item }}" 
@@ -54,17 +24,23 @@
 include_tasks: verify_tasks/yum.yml
 when: ansible_facts.os_family == 'RedHat'
- - name: download cinc-auditor
- get_url:
- url: https://omnitruck.cinc.sh/install.sh
- dest: /tmp/install.sh
- mode: '0775'
-
- - name: install cinc-auditor
- shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"
-
- - name: Execute cinc-auditor tests # noqa ignore-errors
- command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit --waiver-file waivers.yaml https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip"
+- name: Verify
+ hosts: localhost
+ environment:
+ http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
+ https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+ no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+ tasks:
+ - name: Execute cinc-auditor tests
+ command: >
+ docker run
+ --volume /run/docker.sock:/run/docker.sock
+ --volume {{ playbook_dir }}/waivers.yaml:/waivers.yaml
+ docker.io/cincproject/auditor exec
+ -t docker://instance
+ --no-show-progress --no-color
+ --waiver-file /waivers.yaml
+ --no-distinct-exit https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip
 register: test_results
 changed_when: false
 ignore_errors: true
@@ -78,6 +54,16 @@
 msg: "Inspec failed to validate"
 when: test_results.rc != 0
+- name: Verify
+ hosts: all
+ become: true
+ environment:
+ http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
+ https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+ no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+ collections:
+ - devsec.hardening
+ tasks:
 # test if variable can be overridden
 - name: workaround for https://github.com/ansible/ansible/issues/66304
 set_fact:
diff --git a/molecule/os_hardening_vm/molecule.yml b/molecule/os_hardening_vm/molecule.yml
index f9bcbfa0..5681716a 100644
--- a/molecule/os_hardening_vm/molecule.yml
+++ b/molecule/os_hardening_vm/molecule.yml 
@@ -24,7 +24,7 @@ provisioner:
 config_options:
 defaults:
 interpreter_python: auto_silent
- callback_whitelist: profile_tasks, timer, yaml
+ callbacks_enabled: profile_tasks, timer, yaml
 verifier:
 name: ansible
 env:
diff --git a/molecule/os_hardening_vm/prepare.yml b/molecule/os_hardening_vm/prepare.yml
index 014c0f6e..d4548eb2 100644
--- a/molecule/os_hardening_vm/prepare.yml
+++ b/molecule/os_hardening_vm/prepare.yml
@@ -2,8 +2,6 @@
 - name: wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing
 hosts: all
 become: true
- collections:
- - devsec.hardening
 environment:
 http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
 https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
diff --git a/molecule/os_hardening_vm/verify.yml b/molecule/os_hardening_vm/verify.yml
index 232bd12d..360c9dea 100644
--- a/molecule/os_hardening_vm/verify.yml
+++ b/molecule/os_hardening_vm/verify.yml
@@ -6,36 +6,7 @@
 http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
 https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
 no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
- roles:
- - geerlingguy.git
 tasks:
- - name: install fake SuSE-release for cinc compatibility
- copy:
- content: |
- openSUSE Faked Enterprise 2020 (x86_64)
- VERSION = 2020
- CODENAME = Faked Feature
- dest: /etc/SuSE-release
- owner: root
- group: root
- mode: '0444'
- when: ansible_facts.os_family == 'Suse'
-
- - name: install git for SuSE since geerlinguy.git does not support it
- zypper:
- name: git
- state: present
- when: ansible_facts.os_family == 'Suse'
-
- - name: Run the equivalent of "apt-get update" as a separate step
- apt:
- update_cache: true
- when: ansible_facts.os_family == 'Debian'
-
- - name: install required tools on debian
- apt:
- name: procps
- when: ansible_facts.os_family == 'Debian'
 - name: include PAM tests
 include_tasks: verify_tasks/pam.yml 
@@ -45,17 +16,35 @@
 include_tasks: verify_tasks/yum.yml
 when: ansible_facts.os_family == 'RedHat'
- - name: download cinc-auditor
- get_url:
- url: https://omnitruck.cinc.sh/install.sh
- dest: /tmp/install.sh
- mode: '0775'
+- name: Verify
+ hosts: localhost
+ environment:
+ http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
+ https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+ no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+ tasks:
+ - name: get ssh-config
+ command:
+ cmd: "vagrant ssh-config"
+ chdir: "{{ molecule_ephemeral_directory }}"
+ register: ssh_config
+ changed_when: false
- - name: install cinc-auditor
- shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"
+ - name: create ssh-config file
+ copy:
+ content: "{{ ssh_config.stdout_lines | join ('\n') }}"
+ dest: "{{ molecule_ephemeral_directory }}/ssh-config"
+ changed_when: false
- - name: Execute cinc-auditor tests # noqa ignore-errors
- command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip"
+ - name: Execute cinc-auditor tests
+ command: >
+ docker run
+ --volume {{ molecule_ephemeral_directory }}:{{ molecule_ephemeral_directory }}
+ docker.io/cincproject/auditor exec
+ --ssh-config-file={{ molecule_ephemeral_directory }}/ssh-config
+ -t ssh://{{ lookup('env', 'USER') }}
+ --sudo --no-show-progress --no-color
+ --no-distinct-exit https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip
 register: test_results
 changed_when: false
 ignore_errors: true
diff --git a/molecule/ssh_hardening/molecule.yml b/molecule/ssh_hardening/molecule.yml
index 5c45d2de..591a5a51 100644
--- a/molecule/ssh_hardening/molecule.yml
+++ b/molecule/ssh_hardening/molecule.yml
@@ -1,8 +1,4 @@
 ---
-dependency:
- name: galaxy
- options:
- role-file: molecule/ssh_hardening/requirements.yml
 driver:
 name: docker
 platforms: 
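Review bot: The target `-t ssh://{{ lookup('env', 'USER') }}` takes the controller's USER environment variable, which is not obviously the `Host` alias that `vagrant ssh-config` wrote into the file the previous task created; if they differ, the auditor resolves a host that the generated ssh-config does not describe, and the dependency on the caller's environment is invisible from the playbook. Deriving the target from the captured `ssh_config` output (or the molecule instance name) would make it explicit; this should be confirmed against what `vagrant ssh-config` prints for this scenario. The `create ssh-config file` task also writes with no `mode:`, so the file, which presumably names the vagrant private key via IdentityFile, gets the default umask; `mode: "0600"` would be the conservative choice.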
@@ -21,7 +17,7 @@ provisioner:
 config_options:
 defaults:
 interpreter_python: auto_silent
- callback_whitelist: profile_tasks, timer, yaml
+ callbacks_enabled: profile_tasks, timer, yaml
 inventory:
 host_vars:
 # https://molecule.readthedocs.io/en/latest/examples.html#docker-with-non-privileged-user
diff --git a/molecule/ssh_hardening/requirements.yml b/molecule/ssh_hardening/requirements.yml
deleted file mode 100644
index 53fa9b49..00000000
--- a/molecule/ssh_hardening/requirements.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-roles:
- - geerlingguy.git
diff --git a/molecule/ssh_hardening/verify.yml b/molecule/ssh_hardening/verify.yml
index 159c7617..e5f85935 100644
--- a/molecule/ssh_hardening/verify.yml
+++ b/molecule/ssh_hardening/verify.yml 
@@ -1,48 +1,19 @@
 ---
 - name: Verify
- hosts: all
- become: true
+ hosts: localhost
 environment:
 http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
 https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
 no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
- roles:
- - geerlingguy.git
 tasks:
- - name: install fake SuSE-release for cinc compatibility
- copy:
- content: |
- openSUSE Faked Enterprise 2020 (x86_64)
- VERSION = 2020
- CODENAME = Faked Feature
- dest: /etc/SuSE-release
- owner: root
- group: root
- mode: '0444'
- when: ansible_facts.os_family == 'Suse'
-
- - name: install git for SuSE since geerlinguy.git does not support it
- zypper:
- name: git
- state: present
- when: ansible_facts.os_family == 'Suse'
-
- - name: install crypto compat modules on fedora
- dnf:
- name: libxcrypt-compat
- when: ansible_facts.distribution == 'Fedora'
-
- - name: download cinc-auditor
- get_url:
- url: https://omnitruck.cinc.sh/install.sh
- dest: /tmp/install.sh
- mode: '0775'
-
- - name: install cinc-auditor
- shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"
-
 - name: Execute cinc-auditor tests
- command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/ssh-baseline/archive/refs/heads/master.zip"
+ command: >
+ docker run
+ --volume /run/docker.sock:/run/docker.sock
+ docker.io/cincproject/auditor exec
+ -t docker://instance
+ --no-show-progress --no-color
+ --no-distinct-exit https://github.com/dev-sec/ssh-baseline/archive/refs/heads/master.zip
 register: test_results
 changed_when: false
 ignore_errors: true
diff --git a/molecule/ssh_hardening_bsd/molecule.yml b/molecule/ssh_hardening_bsd/molecule.yml
index 8ba74f19..10460b7a 100644
--- a/molecule/ssh_hardening_bsd/molecule.yml
+++ b/molecule/ssh_hardening_bsd/molecule.yml
@@ -1,8 +1,4 @@
 ---
-dependency:
- name: galaxy
- options:
- role-file: molecule/ssh_hardening_bsd/requirements.yml
 driver:
 name: vagrant
 provider: 
@@ -24,7 +20,7 @@ provisioner:
 config_options:
 defaults:
 interpreter_python: auto_silent
- callback_whitelist: profile_tasks, timer, yaml
+ callbacks_enabled: profile_tasks, timer, yaml
 verifier:
 name: ansible
 env:
diff --git a/molecule/ssh_hardening_bsd/requirements.yml b/molecule/ssh_hardening_bsd/requirements.yml
deleted file mode 100644
index 53fa9b49..00000000
--- a/molecule/ssh_hardening_bsd/requirements.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-roles:
- - geerlingguy.git
diff --git a/molecule/ssh_hardening_custom_tests/molecule.yml b/molecule/ssh_hardening_custom_tests/molecule.yml
index 2829a23c..31fdc6be 100644
--- a/molecule/ssh_hardening_custom_tests/molecule.yml
+++ b/molecule/ssh_hardening_custom_tests/molecule.yml
@@ -1,8 +1,4 @@
 ---
-dependency:
- name: galaxy
- options:
- role-file: molecule/ssh_hardening/requirements.yml
 driver:
 name: docker
 platforms:
@@ -21,7 +17,7 @@ provisioner:
 config_options:
 defaults:
 interpreter_python: auto_silent
- callback_whitelist: profile_tasks, timer, yaml
+ callbacks_enabled: profile_tasks, timer, yaml
 verifier:
 name: ansible
diff --git a/molecule/ssh_hardening_custom_tests/requirements.yml b/molecule/ssh_hardening_custom_tests/requirements.yml
deleted file mode 100644
index 53fa9b49..00000000
--- a/molecule/ssh_hardening_custom_tests/requirements.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-roles:
- - geerlingguy.git
diff --git a/roles/mysql_hardening/meta/main.yml b/roles/mysql_hardening/meta/main.yml
index 2a1df16e..796bf0ac 100644
--- a/roles/mysql_hardening/meta/main.yml
+++ b/roles/mysql_hardening/meta/main.yml
@@ -10,6 +10,7 @@ galaxy_info:
 versions:
 - "7"
 - "8"
+ - "9"
 - name: Ubuntu
 versions:
 - bionic
@@ -20,7 +21,7 @@ galaxy_info:
 - bullseye
 - buster
 - name: Amazon
- - name: Fedora
+ - name: opensuse
 galaxy_tags:
 - system
 - security
diff --git a/roles/nginx_hardening/meta/main.yml b/roles/nginx_hardening/meta/main.yml
index b87eb942..735b610a 100644
--- a/roles/nginx_hardening/meta/main.yml 
+++ b/roles/nginx_hardening/meta/main.yml
@@ -10,6 +10,7 @@ galaxy_info:
 versions:
 - "7"
 - "8"
+ - "9"
 - name: Ubuntu
 versions:
 - bionic
@@ -19,6 +20,7 @@ galaxy_info:
 versions:
 - buster
 - bullseye
+ - name: Amazon
 galaxy_tags:
 - system
 - security
diff --git a/roles/os_hardening/meta/main.yml b/roles/os_hardening/meta/main.yml
index 299f2928..232dd4cb 100644
--- a/roles/os_hardening/meta/main.yml
+++ b/roles/os_hardening/meta/main.yml
@@ -10,6 +10,7 @@ galaxy_info:
 versions:
 - "7"
 - "8"
+ - "9"
 - name: Ubuntu
 versions:
 - bionic
diff --git a/roles/ssh_hardening/meta/main.yml b/roles/ssh_hardening/meta/main.yml
index ac2f26f6..37f5b03b 100644
--- a/roles/ssh_hardening/meta/main.yml
+++ b/roles/ssh_hardening/meta/main.yml
@@ -10,6 +10,7 @@ galaxy_info:
 versions:
 - "7"
 - "8"
+ - "9"
 - name: Ubuntu
 versions:
 - bionic
@@ -23,7 +24,6 @@ galaxy_info:
 - name: Fedora
 - name: ArchLinux
 - name: SmartOS
- - name: opensuse
 - name: FreeBSD
 versions:
 - "12.2"