From 2de009e3b53324c2858487f9db6631ef1f6bd4de Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Mon, 10 Apr 2023 10:28:11 +0200 Subject: [PATCH 01/18] use latest runner version Signed-off-by: Martin Schurz --- .github/workflows/mysql_hardening.yml | 6 +++--- .github/workflows/nginx_hardening.yml | 6 +++--- .github/workflows/os_hardening.yml | 6 +++--- .github/workflows/ssh_hardening.yml | 6 +++--- .github/workflows/ssh_hardening_custom_tests.yml | 6 +++--- 5 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/mysql_hardening.yml b/.github/workflows/mysql_hardening.yml index 227d9bf7..ecc654e6 100644 --- a/.github/workflows/mysql_hardening.yml +++ b/.github/workflows/mysql_hardening.yml @@ -27,7 +27,7 @@ concurrency: jobs: build: - runs-on: ubuntu-18.04 + runs-on: ubuntu-latest env: PY_COLORS: 1 ANSIBLE_FORCE_COLOR: 1 @@ -56,10 +56,10 @@ jobs: path: ansible_collections/devsec/hardening submodules: true - - name: Set up Python 3.7 + - name: Set up Python 3.11 uses: actions/setup-python@v4 with: - python-version: 3.7 + python-version: 3.11 - name: Install dependencies run: | diff --git a/.github/workflows/nginx_hardening.yml b/.github/workflows/nginx_hardening.yml index 8bfe44bd..e76f1ad4 100644 --- a/.github/workflows/nginx_hardening.yml +++ b/.github/workflows/nginx_hardening.yml @@ -26,7 +26,7 @@ concurrency: jobs: build: - runs-on: ubuntu-18.04 + runs-on: ubuntu-latest env: PY_COLORS: 1 ANSIBLE_FORCE_COLOR: 1 @@ -55,10 +55,10 @@ jobs: path: ansible_collections/devsec/hardening submodules: true - - name: Set up Python 3.7 + - name: Set up Python 3.11 uses: actions/setup-python@v4 with: - python-version: 3.7 + python-version: 3.11 - name: Install dependencies run: | diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml index 1aa83eab..e8717a1e 100644 --- a/.github/workflows/os_hardening.yml +++ b/.github/workflows/os_hardening.yml 
@@ -26,7 +26,7 @@ concurrency: jobs: build: - runs-on: ubuntu-18.04 + runs-on: ubuntu-latest env: PY_COLORS: 1 ANSIBLE_FORCE_COLOR: 1 @@ -54,10 +54,10 @@ jobs: path: ansible_collections/devsec/hardening submodules: true - - name: Set up Python 3.7 + - name: Set up Python 3.11 uses: actions/setup-python@v4 with: - python-version: 3.7 + python-version: 3.11 - name: Install dependencies run: | diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml index e3c2fefb..702eda65 100644 --- a/.github/workflows/ssh_hardening.yml +++ b/.github/workflows/ssh_hardening.yml @@ -26,7 +26,7 @@ concurrency: jobs: build: - runs-on: ubuntu-18.04 + runs-on: ubuntu-latest env: PY_COLORS: 1 ANSIBLE_FORCE_COLOR: 1 @@ -55,10 +55,10 @@ jobs: path: ansible_collections/devsec/hardening submodules: true - - name: Set up Python 3.7 + - name: Set up Python 3.11 uses: actions/setup-python@v4 with: - python-version: 3.7 + python-version: 3.11 - name: Install dependencies run: | diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml index d5e4c40a..e016b730 100644 --- a/.github/workflows/ssh_hardening_custom_tests.yml +++ b/.github/workflows/ssh_hardening_custom_tests.yml @@ -26,7 +26,7 @@ concurrency: jobs: build: - runs-on: ubuntu-18.04 + runs-on: ubuntu-latest env: PY_COLORS: 1 ANSIBLE_FORCE_COLOR: 1 @@ -55,10 +55,10 @@ jobs: path: ansible_collections/devsec/hardening submodules: true - - name: Set up Python 3.7 + - name: Set up Python 3.11 uses: actions/setup-python@v4 with: - python-version: 3.7 + python-version: 3.11 - name: Install dependencies run: | From e346c2300ff562a6a36ee9aaa8b3cc9d6972ccb7 Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Mon, 10 Apr 2023 11:02:33 +0200 Subject: [PATCH 02/18] remove unneccessary symlink 
Signed-off-by: Martin Schurz --- .github/workflows/mysql_hardening.yml | 5 ----- .github/workflows/nginx_hardening.yml | 5 ----- .github/workflows/os_hardening.yml | 5 ----- .github/workflows/ssh_hardening.yml | 5 ----- .github/workflows/ssh_hardening_custom_tests.yml | 5 ----- 5 files changed, 25 deletions(-) diff --git a/.github/workflows/mysql_hardening.yml b/.github/workflows/mysql_hardening.yml index ecc654e6..7e9ecfe1 100644 --- a/.github/workflows/mysql_hardening.yml +++ b/.github/workflows/mysql_hardening.yml @@ -68,11 +68,6 @@ jobs: pip install -r requirements.txt working-directory: ansible_collections/devsec/hardening - - name: Create default collection path symlink - run: | - mkdir -p /home/runner/.ansible - ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections - # that was a hard one to fix. robert did it thankfully # https://github.com/robertdebock/ansible-role-mysql/commit/7562e99099b06282391ab7ed102b393a0406d212 - name: disable apparmor on debian systems diff --git a/.github/workflows/nginx_hardening.yml b/.github/workflows/nginx_hardening.yml index e76f1ad4..3e17b10f 100644 --- a/.github/workflows/nginx_hardening.yml +++ b/.github/workflows/nginx_hardening.yml @@ -67,11 +67,6 @@ jobs: pip install -r requirements.txt working-directory: ansible_collections/devsec/hardening - - name: Create default collection path symlink - run: | - mkdir -p /home/runner/.ansible - ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections - - name: Test with molecule run: | molecule --version diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml index e8717a1e..8df26514 100644 --- a/.github/workflows/os_hardening.yml +++ b/.github/workflows/os_hardening.yml 
@@ -66,11 +66,6 @@ jobs: pip install -r requirements.txt working-directory: ansible_collections/devsec/hardening - - name: Create default collection path symlink - run: | - mkdir -p /home/runner/.ansible - ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections - - name: Test with molecule run: | if [ "$MOLECULE_DISTRO" = "opensuse_tumbleweed" ]; then diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml index 702eda65..dd9802b4 100644 --- a/.github/workflows/ssh_hardening.yml +++ b/.github/workflows/ssh_hardening.yml @@ -67,11 +67,6 @@ jobs: pip install -r requirements.txt working-directory: ansible_collections/devsec/hardening - - name: Create default collection path symlink - run: | - mkdir -p /home/runner/.ansible - ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections - - name: Test with molecule run: | if [ "$MOLECULE_DISTRO" = "opensuse_tumbleweed" ]; then diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml index e016b730..ed5a666e 100644 --- a/.github/workflows/ssh_hardening_custom_tests.yml +++ b/.github/workflows/ssh_hardening_custom_tests.yml @@ -67,11 +67,6 @@ jobs: pip install -r requirements.txt working-directory: ansible_collections/devsec/hardening - - name: Create default collection path symlink - run: | - mkdir -p /home/runner/.ansible - ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections - - name: Test with molecule run: | if [ "$MOLECULE_DISTRO" = "opensuse_tumbleweed" ]; then From e4ecfe208485d5ca3daebcc6fed4dc21ed039c18 Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Mon, 10 Apr 2023 11:03:33 +0200 Subject: [PATCH 03/18] add collection to verify Signed-off-by: Martin Schurz --- molecule/os_hardening/verify.yml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml index 31a6a254..cd83c654 100644 --- a/molecule/os_hardening/verify.yml +++ b/molecule/os_hardening/verify.yml @@ -8,6 +8,8 @@ no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" roles: - geerlingguy.git + collections: + - devsec.hardening tasks: - name: install fake SuSE-release for cinc compatibility copy: From 7b69c4bd47fea1b8cff2c6556429e2dbae753a85 Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Mon, 10 Apr 2023 11:21:12 +0200 Subject: [PATCH 04/18] add collection link Signed-off-by: Martin Schurz --- molecule/nginx_hardening/converge.yml | 2 ++ molecule/nginx_hardening/prepare.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/molecule/nginx_hardening/converge.yml b/molecule/nginx_hardening/converge.yml index 4c563838..6ea30d8e 100644 --- a/molecule/nginx_hardening/converge.yml +++ b/molecule/nginx_hardening/converge.yml @@ -2,6 +2,8 @@ - name: wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings become: true hosts: all + collections: + - devsec.hardening environment: http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" diff --git a/molecule/nginx_hardening/prepare.yml b/molecule/nginx_hardening/prepare.yml index 4ab5f51d..642922d8 100644 --- a/molecule/nginx_hardening/prepare.yml +++ b/molecule/nginx_hardening/prepare.yml @@ -2,6 +2,8 @@ - name: prepare playbook for kitchen testing "ansible-nginx-hardening" with custom settings become: true hosts: all + collections: + - devsec.hardening environment: http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" From 63dc9d3be89f93f1aede37e11401fef7198698bd Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Mon, 10 Apr 2023 19:44:01 +0200 Subject: [PATCH 05/18] use current amazon linux 
Signed-off-by: Martin Schurz --- .github/workflows/nginx_hardening.yml | 2 +- .github/workflows/os_hardening.yml | 2 +- .github/workflows/ssh_hardening.yml | 2 +- .github/workflows/ssh_hardening_custom_tests.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/nginx_hardening.yml b/.github/workflows/nginx_hardening.yml index 3e17b10f..ba278ee0 100644 --- a/.github/workflows/nginx_hardening.yml +++ b/.github/workflows/nginx_hardening.yml @@ -44,7 +44,7 @@ jobs: - ubuntu2204 - debian10 - debian11 - - amazon + - amazon2 # - arch # needs to be fixed # - opensuse_tumbleweed # needs to be fixed # - fedora # no support from geerlingguy role diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml index 8df26514..2cfaa128 100644 --- a/.github/workflows/os_hardening.yml +++ b/.github/workflows/os_hardening.yml @@ -44,7 +44,7 @@ jobs: - ubuntu2204 - debian10 - debian11 - - amazon + - amazon2 - opensuse_tumbleweed # - arch # needs to be fixed steps: diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml index dd9802b4..abae16ec 100644 --- a/.github/workflows/ssh_hardening.yml +++ b/.github/workflows/ssh_hardening.yml @@ -45,7 +45,7 @@ jobs: - ubuntu2204 - debian10 - debian11 - - amazon + - amazon2 # - arch # needs to be fixed # - opensuse_tumbleweed # baseline is not compatible with suse steps: diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml index ed5a666e..46800fcf 100644 --- a/.github/workflows/ssh_hardening_custom_tests.yml +++ b/.github/workflows/ssh_hardening_custom_tests.yml @@ -45,7 +45,7 @@ jobs: - ubuntu2204 - debian10 - debian11 - - amazon + - amazon2 # - arch # needs to be fixed # - opensuse_tumbleweed # baseline is not compatible with suse steps: From dd5ad568b3e78b5b83a6f16fd99352ed030daf73 Mon Sep 17 00:00:00 2001 
From: Martin Schurz Date: Mon, 10 Apr 2023 20:36:03 +0200 Subject: [PATCH 06/18] fix deprecation warnings Signed-off-by: Martin Schurz --- molecule/mysql_hardening/molecule.yml | 2 +- molecule/nginx_hardening/molecule.yml | 2 +- molecule/os_hardening/molecule.yml | 2 +- molecule/os_hardening_vm/molecule.yml | 2 +- molecule/ssh_hardening/molecule.yml | 2 +- molecule/ssh_hardening_bsd/molecule.yml | 2 +- molecule/ssh_hardening_custom_tests/molecule.yml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/molecule/mysql_hardening/molecule.yml b/molecule/mysql_hardening/molecule.yml index 332e039c..e1f8a327 100644 --- a/molecule/mysql_hardening/molecule.yml +++ b/molecule/mysql_hardening/molecule.yml @@ -22,7 +22,7 @@ provisioner: config_options: defaults: interpreter_python: auto_silent - callback_whitelist: profile_tasks, timer, yaml + callbacks_enabled: profile_tasks, timer, yaml verifier: name: ansible diff --git a/molecule/nginx_hardening/molecule.yml b/molecule/nginx_hardening/molecule.yml index e6bc2a13..d854d08d 100644 --- a/molecule/nginx_hardening/molecule.yml +++ b/molecule/nginx_hardening/molecule.yml @@ -21,7 +21,7 @@ provisioner: config_options: defaults: interpreter_python: auto_silent - callback_whitelist: profile_tasks, timer, yaml + callbacks_enabled: profile_tasks, timer, yaml verifier: name: ansible diff --git a/molecule/os_hardening/molecule.yml b/molecule/os_hardening/molecule.yml index a6070dff..5c90675b 100644 --- a/molecule/os_hardening/molecule.yml +++ b/molecule/os_hardening/molecule.yml @@ -21,7 +21,7 @@ provisioner: config_options: defaults: interpreter_python: auto_silent - callback_whitelist: profile_tasks, timer, yaml + callbacks_enabled: profile_tasks, timer, yaml verifier: name: ansible diff --git a/molecule/os_hardening_vm/molecule.yml b/molecule/os_hardening_vm/molecule.yml index f9bcbfa0..5681716a 100644 --- a/molecule/os_hardening_vm/molecule.yml +++ b/molecule/os_hardening_vm/molecule.yml 
@@ -24,7 +24,7 @@ provisioner: config_options: defaults: interpreter_python: auto_silent - callback_whitelist: profile_tasks, timer, yaml + callbacks_enabled: profile_tasks, timer, yaml verifier: name: ansible env: diff --git a/molecule/ssh_hardening/molecule.yml b/molecule/ssh_hardening/molecule.yml index 5c45d2de..10889d6f 100644 --- a/molecule/ssh_hardening/molecule.yml +++ b/molecule/ssh_hardening/molecule.yml @@ -21,7 +21,7 @@ provisioner: config_options: defaults: interpreter_python: auto_silent - callback_whitelist: profile_tasks, timer, yaml + callbacks_enabled: profile_tasks, timer, yaml inventory: host_vars: # https://molecule.readthedocs.io/en/latest/examples.html#docker-with-non-privileged-user diff --git a/molecule/ssh_hardening_bsd/molecule.yml b/molecule/ssh_hardening_bsd/molecule.yml index 8ba74f19..2626b7f0 100644 --- a/molecule/ssh_hardening_bsd/molecule.yml +++ b/molecule/ssh_hardening_bsd/molecule.yml @@ -24,7 +24,7 @@ provisioner: config_options: defaults: interpreter_python: auto_silent - callback_whitelist: profile_tasks, timer, yaml + callbacks_enabled: profile_tasks, timer, yaml verifier: name: ansible env: diff --git a/molecule/ssh_hardening_custom_tests/molecule.yml b/molecule/ssh_hardening_custom_tests/molecule.yml index 2829a23c..6db3e7f2 100644 --- a/molecule/ssh_hardening_custom_tests/molecule.yml +++ b/molecule/ssh_hardening_custom_tests/molecule.yml @@ -21,7 +21,7 @@ provisioner: config_options: defaults: interpreter_python: auto_silent - callback_whitelist: profile_tasks, timer, yaml + callbacks_enabled: profile_tasks, timer, yaml verifier: name: ansible From 5357f9e7186a14dc7b45d4260f739cfbe40be574 Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Mon, 10 Apr 2023 22:23:48 +0200 Subject: [PATCH 07/18] use current version of amazon linux 
Signed-off-by: Martin Schurz --- .github/workflows/nginx_hardening.yml | 2 +- .github/workflows/os_hardening.yml | 2 +- .github/workflows/ssh_hardening.yml | 2 +- .github/workflows/ssh_hardening_custom_tests.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/nginx_hardening.yml b/.github/workflows/nginx_hardening.yml index ba278ee0..076a4b5d 100644 --- a/.github/workflows/nginx_hardening.yml +++ b/.github/workflows/nginx_hardening.yml @@ -44,7 +44,7 @@ jobs: - ubuntu2204 - debian10 - debian11 - - amazon2 + - amazon2023 # - arch # needs to be fixed # - opensuse_tumbleweed # needs to be fixed # - fedora # no support from geerlingguy role diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml index 2cfaa128..20a7e7fb 100644 --- a/.github/workflows/os_hardening.yml +++ b/.github/workflows/os_hardening.yml @@ -44,7 +44,7 @@ jobs: - ubuntu2204 - debian10 - debian11 - - amazon2 + - amazon2023 - opensuse_tumbleweed # - arch # needs to be fixed steps: diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml index abae16ec..bdf4af78 100644 --- a/.github/workflows/ssh_hardening.yml +++ b/.github/workflows/ssh_hardening.yml @@ -45,7 +45,7 @@ jobs: - ubuntu2204 - debian10 - debian11 - - amazon2 + - amazon2023 # - arch # needs to be fixed # - opensuse_tumbleweed # baseline is not compatible with suse steps: diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml index 46800fcf..b441f76e 100644 --- a/.github/workflows/ssh_hardening_custom_tests.yml +++ b/.github/workflows/ssh_hardening_custom_tests.yml @@ -45,7 +45,7 @@ jobs: - ubuntu2204 - debian10 - debian11 - - amazon2 + - amazon2023 # - arch # needs to be fixed # - opensuse_tumbleweed # baseline is not compatible with suse steps: From ebab98930ca0d1ace342d6df92182e3378327835 Mon Sep 17 00:00:00 2001 
From: Martin Schurz Date: Mon, 10 Apr 2023 22:58:28 +0200 Subject: [PATCH 08/18] try docker for inspec-auditor Signed-off-by: Martin Schurz --- .github/workflows/ssh_hardening.yml | 4 ++-- molecule/ssh_hardening/verify.yml | 17 +++++++---------- 2 files changed, 9 insertions(+), 12 deletions(-) diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml index bdf4af78..983384cd 100644 --- a/.github/workflows/ssh_hardening.yml +++ b/.github/workflows/ssh_hardening.yml @@ -46,8 +46,8 @@ jobs: - debian10 - debian11 - amazon2023 - # - arch # needs to be fixed - # - opensuse_tumbleweed # baseline is not compatible with suse + - arch + - opensuse_tumbleweed steps: - name: Checkout repo uses: actions/checkout@v3 diff --git a/molecule/ssh_hardening/verify.yml b/molecule/ssh_hardening/verify.yml index 159c7617..78f03d7b 100644 --- a/molecule/ssh_hardening/verify.yml +++ b/molecule/ssh_hardening/verify.yml @@ -32,17 +32,14 @@ name: libxcrypt-compat when: ansible_facts.distribution == 'Fedora' - - name: download cinc-auditor - get_url: - url: https://omnitruck.cinc.sh/install.sh - dest: /tmp/install.sh - mode: '0775' - - - name: install cinc-auditor - shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4" - - name: Execute cinc-auditor tests - command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/ssh-baseline/archive/refs/heads/master.zip" + command: > + docker run + --volume /run/docker.sock:/run/docker.sock + docker.io/cincproject/auditor exec + -t docker://instance + --sudo --no-show-progress --no-color + --no-distinct-exit https://github.com/dev-sec/ssh-baseline/archive/refs/heads/master.zip register: test_results changed_when: false ignore_errors: true From 4a9d6033eb05bb316d07ff3c31e815a3418b50e3 Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Mon, 10 Apr 2023 23:04:46 +0200 Subject: [PATCH 09/18] try docker for inspec-auditor 
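Review bot: The new `command:` in the ssh_hardening verify.yml hunk mounts `/run/docker.sock` into an image referenced only as `docker.io/cincproject/auditor`, so whatever Docker Hub serves under the floating default tag runs with full control of the runner's Docker daemon, which is root-equivalent on that host. Pin the image to a tag or, better, a digest, e.g. `docker.io/cincproject/auditor:<VERSION>@sha256:<DIGEST>` (placeholders), so the verifier image cannot change underneath the test matrix and the socket exposure is limited to a reviewed image. The same unpinned reference is introduced again in patch 09 and in the mysql_hardening, nginx_hardening, os_hardening and os_hardening_vm verify.yml hunks of patch 10. Note also that in this patch the play still runs with `hosts: all` and `become: true` (visible in the lines patch 09 removes), so `docker run` is executed inside the molecule instance rather than on the controller; patch 09 moves it to localhost.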
Signed-off-by: Martin Schurz --- molecule/ssh_hardening/verify.yml | 30 ++---------------------------- 1 file changed, 2 insertions(+), 28 deletions(-) diff --git a/molecule/ssh_hardening/verify.yml b/molecule/ssh_hardening/verify.yml index 78f03d7b..e5f85935 100644 --- a/molecule/ssh_hardening/verify.yml +++ b/molecule/ssh_hardening/verify.yml @@ -1,44 +1,18 @@ --- - name: Verify - hosts: all - become: true + hosts: localhost environment: http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" - roles: - - geerlingguy.git tasks: - - name: install fake SuSE-release for cinc compatibility - copy: - content: | - openSUSE Faked Enterprise 2020 (x86_64) - VERSION = 2020 - CODENAME = Faked Feature - dest: /etc/SuSE-release - owner: root - group: root - mode: '0444' - when: ansible_facts.os_family == 'Suse' - - - name: install git for SuSE since geerlinguy.git does not support it - zypper: - name: git - state: present - when: ansible_facts.os_family == 'Suse' - - - name: install crypto compat modules on fedora - dnf: - name: libxcrypt-compat - when: ansible_facts.distribution == 'Fedora' - - name: Execute cinc-auditor tests command: > docker run --volume /run/docker.sock:/run/docker.sock docker.io/cincproject/auditor exec -t docker://instance - --sudo --no-show-progress --no-color + --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/ssh-baseline/archive/refs/heads/master.zip register: test_results changed_when: false From 31c9885610e4c305f0aa0f088e3aa06c8443806a Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Mon, 10 Apr 2023 23:22:41 +0200 Subject: [PATCH 10/18] use docker for inspec-auditor 
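Review bot: With the play moved to `hosts: localhost`, the `environment:` proxy settings only reach the `docker run` client process, while the download of `.../ssh-baseline/archive/refs/heads/master.zip` happens inside the auditor container, which inherits none of them. If the CI runner depends on those variables, forward them on the `docker run` line with `--env http_proxy --env https_proxy --env no_proxy` (Docker copies a variable from the client environment when `--env` is given without a value, and omits it when unset). The same pattern recurs in the patch 10 verify.yml hunks for mysql_hardening, nginx_hardening, os_hardening and os_hardening_vm.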
Signed-off-by: Martin Schurz --- .github/workflows/mysql_hardening.yml | 4 +- .github/workflows/nginx_hardening.yml | 4 +- .github/workflows/os_hardening.yml | 2 +- .github/workflows/os_hardening_vm.yml | 2 +- .../workflows/ssh_hardening_custom_tests.yml | 4 +- molecule/mysql_hardening/requirements.yml | 2 - molecule/mysql_hardening/verify.yml | 51 ++++----------- molecule/nginx_hardening/requirements.yml | 1 - molecule/nginx_hardening/verify.yml | 51 +++------------ molecule/os_hardening/molecule.yml | 4 -- molecule/os_hardening/requirements.yml | 3 - molecule/os_hardening/verify.yml | 57 +++++----------- molecule/os_hardening_vm/verify.yml | 65 ++++++++----------- molecule/ssh_hardening/molecule.yml | 4 -- molecule/ssh_hardening/requirements.yml | 3 - molecule/ssh_hardening_bsd/molecule.yml | 4 -- molecule/ssh_hardening_bsd/requirements.yml | 3 - .../ssh_hardening_custom_tests/molecule.yml | 4 -- .../requirements.yml | 3 - 19 files changed, 73 insertions(+), 198 deletions(-) delete mode 100644 molecule/os_hardening/requirements.yml delete mode 100644 molecule/ssh_hardening/requirements.yml delete mode 100644 molecule/ssh_hardening_bsd/requirements.yml delete mode 100644 molecule/ssh_hardening_custom_tests/requirements.yml diff --git a/.github/workflows/mysql_hardening.yml b/.github/workflows/mysql_hardening.yml index 7e9ecfe1..03ffc5bf 100644 --- a/.github/workflows/mysql_hardening.yml +++ b/.github/workflows/mysql_hardening.yml @@ -46,8 +46,8 @@ jobs: - debian10 - debian11 # - amazon # geerlingguy.mysql does not support fedora - # - arch # needs to be fixed - - opensuse_tumbleweed # needs to be fixed + - arch + - opensuse_tumbleweed # - fedora # geerlingguy.mysql does not support fedora steps: - name: Checkout repo diff --git a/.github/workflows/nginx_hardening.yml b/.github/workflows/nginx_hardening.yml index 076a4b5d..653d0bfb 100644 --- a/.github/workflows/nginx_hardening.yml +++ b/.github/workflows/nginx_hardening.yml 
@@ -45,8 +45,8 @@ jobs: - debian10 - debian11 - amazon2023 - # - arch # needs to be fixed - # - opensuse_tumbleweed # needs to be fixed + - arch + - opensuse_tumbleweed # - fedora # no support from geerlingguy role steps: - name: Checkout repo diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml index 20a7e7fb..62b68371 100644 --- a/.github/workflows/os_hardening.yml +++ b/.github/workflows/os_hardening.yml @@ -46,7 +46,7 @@ jobs: - debian11 - amazon2023 - opensuse_tumbleweed - # - arch # needs to be fixed + - arch steps: - name: Checkout repo uses: actions/checkout@v3 diff --git a/.github/workflows/os_hardening_vm.yml b/.github/workflows/os_hardening_vm.yml index c10d68ed..a8bad664 100644 --- a/.github/workflows/os_hardening_vm.yml +++ b/.github/workflows/os_hardening_vm.yml @@ -45,7 +45,7 @@ jobs: - debian10 - debian11 - opensuse15 - # - arch # arch is currently not supported by cinc-auditor + - arch steps: - name: Checkout repo uses: actions/checkout@v3 diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml index b441f76e..4e3918c9 100644 --- a/.github/workflows/ssh_hardening_custom_tests.yml +++ b/.github/workflows/ssh_hardening_custom_tests.yml @@ -46,8 +46,8 @@ jobs: - debian10 - debian11 - amazon2023 - # - arch # needs to be fixed - # - opensuse_tumbleweed # baseline is not compatible with suse + - arch + - opensuse_tumbleweed steps: - name: Checkout repo uses: actions/checkout@v3 diff --git a/molecule/mysql_hardening/requirements.yml b/molecule/mysql_hardening/requirements.yml index 6748283b..df7f59cd 100644 --- a/molecule/mysql_hardening/requirements.yml +++ b/molecule/mysql_hardening/requirements.yml @@ -1,7 +1,5 @@ --- roles: - - name: geerlingguy.git - version: 3.0.1 - name: dev-sec.mysql version: master diff --git a/molecule/mysql_hardening/verify.yml b/molecule/mysql_hardening/verify.yml index 74fa9db2..24ebc3ff 100644 --- a/molecule/mysql_hardening/verify.yml 
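Review bot: In the `.github/workflows/os_hardening_vm.yml` hunk the comment `# arch is currently not supported by cinc-auditor` is dropped when `- arch` is enabled, but nothing on the page shows what changed for the VM scenario, which still invokes cinc-auditor (from the container image after this patch). If the containerised auditor is what makes arch work, keep a one-line comment next to `- arch` saying so; otherwise the entry may reintroduce the failure the old comment documented. The other matrix hunks in this patch (mysql_hardening, nginx_hardening, os_hardening, ssh_hardening_custom_tests) likewise drop their `# needs to be fixed` notes without stating what was fixed.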
+++ b/molecule/mysql_hardening/verify.yml @@ -6,34 +6,7 @@ http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" - roles: - - geerlingguy.git tasks: - - name: install fake SuSE-release for cinc compatibility - copy: - content: | - openSUSE Faked Enterprise 2020 (x86_64) - VERSION = 2020 - CODENAME = Faked Feature - dest: /etc/SuSE-release - owner: root - group: root - mode: '0444' - when: ansible_facts.os_family == 'Suse' - - - name: install git for SuSE since geerlinguy.git does not support it - zypper: - name: git - state: present - when: ansible_facts.os_family == 'Suse' - - - name: install procps for debian systems - apt: - name: procps - state: present - update_cache: true - when: ansible_distribution == 'Debian' - - name: Use Python 3 on Suse set_fact: ansible_python_interpreter: /usr/bin/python3 
@@ -46,17 +19,21 @@ - name: include tests for MySQL user include_tasks: verify_tasks/mysql_users.yml - - name: download cinc-auditor - get_url: - url: https://omnitruck.cinc.sh/install.sh - dest: /tmp/install.sh - mode: '0775' - - - name: install cinc-auditor - shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4" - +- name: Verify + hosts: localhost + environment: + http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" + https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" + no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" + tasks: - name: Execute cinc-auditor tests - command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/mysql-baseline/archive/refs/heads/master.zip" + command: > + docker run + --volume /run/docker.sock:/run/docker.sock + docker.io/cincproject/auditor exec + -t docker://instance + --no-show-progress --no-color + --no-distinct-exit https://github.com/dev-sec/mysql-baseline/archive/refs/heads/master.zip register: test_results changed_when: false ignore_errors: true diff --git a/molecule/nginx_hardening/requirements.yml b/molecule/nginx_hardening/requirements.yml index a40368ae..6392c6f6 100644 --- a/molecule/nginx_hardening/requirements.yml +++ b/molecule/nginx_hardening/requirements.yml @@ -1,4 +1,3 @@ --- roles: - - geerlingguy.git - geerlingguy.nginx diff --git a/molecule/nginx_hardening/verify.yml b/molecule/nginx_hardening/verify.yml index d54ec0a2..d7bea68c 100644 --- a/molecule/nginx_hardening/verify.yml +++ b/molecule/nginx_hardening/verify.yml 
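Review bot: The added second play is named `Verify`, presumably the same name as the first play in this file (the sibling nginx_hardening hunk shows that naming), so molecule output no longer distinguishes the in-instance checks from the cinc-auditor run; name it e.g. `- name: Run mysql-baseline with cinc-auditor`. The new localhost play also gathers facts it never uses; `gather_facts: false` keeps the verify stage quick. Minor: `command: >` keeps a trailing newline in the value, and `command: >-` is the more precise form for a single logical command line.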
@@ -1,53 +1,18 @@ ---- - name: Verify - hosts: all - become: true + hosts: localhost environment: http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" - roles: - - geerlingguy.git tasks: - - name: install fake SuSE-release for cinc compatibility - copy: - content: | - openSUSE Faked Enterprise 2020 (x86_64) - VERSION = 2020 - CODENAME = Faked Feature - dest: /etc/SuSE-release - owner: root - group: root - mode: '0444' - when: ansible_facts.os_family == 'Suse' - - - name: install git for SuSE since geerlinguy.git does not support it - zypper: - name: git - state: present - when: ansible_facts.os_family == 'Suse' - - - name: Run the equivalent of "apt-get update" as a separate step - apt: - update_cache: true - when: ansible_facts.os_family == 'Debian' - - - name: install required tools on debian - apt: - name: procps - when: ansible_facts.os_family == 'Debian' - - - name: download cinc-auditor - get_url: - url: https://omnitruck.cinc.sh/install.sh - dest: /tmp/install.sh - mode: '0775' - - - name: install cinc-auditor - shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4" - - name: Execute cinc-auditor tests - command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/nginx-baseline/archive/refs/heads/master.zip" + command: > + docker run + --volume /run/docker.sock:/run/docker.sock + docker.io/cincproject/auditor exec + -t docker://instance + --no-show-progress --no-color + --no-distinct-exit https://github.com/dev-sec/nginx-baseline/archive/refs/heads/master.zip register: test_results changed_when: false ignore_errors: true diff --git a/molecule/os_hardening/molecule.yml b/molecule/os_hardening/molecule.yml index 5c90675b..31fdc6be 100644 --- a/molecule/os_hardening/molecule.yml +++ b/molecule/os_hardening/molecule.yml 
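Review bot: The hunk removes the `---` document-start line (the `----` removal at its top) and never adds it back, so nginx_hardening/verify.yml now differs from the other verify.yml files in this series, which keep it, and yamllint's `document-start` rule will flag the file; restore `---` as the first line above `- name: Verify`.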
@@ -1,8 +1,4 @@ --- -dependency: - name: galaxy - options: - role-file: molecule/os_hardening/requirements.yml driver: name: docker platforms: diff --git a/molecule/os_hardening/requirements.yml b/molecule/os_hardening/requirements.yml deleted file mode 100644 index 53fa9b49..00000000 --- a/molecule/os_hardening/requirements.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -roles: - - geerlingguy.git diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml index cd83c654..e54cf4fd 100644 --- a/molecule/os_hardening/verify.yml +++ b/molecule/os_hardening/verify.yml @@ -6,39 +6,9 @@ http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" - roles: - - geerlingguy.git collections: - devsec.hardening tasks: - - name: install fake SuSE-release for cinc compatibility - copy: - content: | - openSUSE Faked Enterprise 2020 (x86_64) - VERSION = 2020 - CODENAME = Faked Feature - dest: /etc/SuSE-release - owner: root - group: root - mode: '0444' - when: ansible_facts.os_family == 'Suse' - - - name: install git for SuSE since geerlinguy.git does not support it - zypper: - name: git - state: present - when: ansible_facts.os_family == 'Suse' - - - name: Run the equivalent of "apt-get update" as a separate step - apt: - update_cache: true - when: ansible_facts.os_family == 'Debian' - - - name: install required tools on debian - apt: - name: procps - when: ansible_facts.os_family == 'Debian' - - name: include verification tasks ansible.builtin.include_tasks: file: "{{ item }}" 
@@ -56,17 +26,22 @@ include_tasks: verify_tasks/yum.yml when: ansible_facts.os_family == 'RedHat' - - name: download cinc-auditor - get_url: - url: https://omnitruck.cinc.sh/install.sh - dest: /tmp/install.sh - mode: '0775' - - - name: install cinc-auditor - shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4" - - - name: Execute cinc-auditor tests # noqa ignore-errors - command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit --waiver-file waivers.yaml https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip" +- name: Verify + hosts: localhost + environment: + http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" + https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" + no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" + tasks: + - name: Execute cinc-auditor tests + command: > + docker run + --volume /run/docker.sock:/run/docker.sock + --volume ./waivers.yaml:/waivers.yaml + docker.io/cincproject/auditor exec + -t docker://instance + --no-show-progress --no-color + --no-distinct-exit https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip register: test_results changed_when: false ignore_errors: true diff --git a/molecule/os_hardening_vm/verify.yml b/molecule/os_hardening_vm/verify.yml index 232bd12d..360c9dea 100644 --- a/molecule/os_hardening_vm/verify.yml +++ b/molecule/os_hardening_vm/verify.yml 
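Review bot: The new `docker run` mounts `./waivers.yaml` at `/waivers.yaml`, but the `exec` arguments no longer pass `--waiver-file`, which the removed command had, so the waivers are mounted and then ignored and linux-baseline runs unwaived. Add `--waiver-file /waivers.yaml` after `--no-distinct-exit`, and use an absolute host path for the bind mount — `./` is resolved against the working directory of the Ansible process and older Docker CLIs reject relative bind sources — e.g. `--volume {{ molecule_scenario_directory }}/waivers.yaml:/waivers.yaml`. The `# noqa ignore-errors` marker on the old task name is also dropped here and in the os_hardening_vm hunk while `ignore_errors: true` remains, so ansible-lint may start flagging both tasks.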
@@ -6,36 +6,7 @@ http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" - roles: - - geerlingguy.git tasks: - - name: install fake SuSE-release for cinc compatibility - copy: - content: | - openSUSE Faked Enterprise 2020 (x86_64) - VERSION = 2020 - CODENAME = Faked Feature - dest: /etc/SuSE-release - owner: root - group: root - mode: '0444' - when: ansible_facts.os_family == 'Suse' - - - name: install git for SuSE since geerlinguy.git does not support it - zypper: - name: git - state: present - when: ansible_facts.os_family == 'Suse' - - - name: Run the equivalent of "apt-get update" as a separate step - apt: - update_cache: true - when: ansible_facts.os_family == 'Debian' - - - name: install required tools on debian - apt: - name: procps - when: ansible_facts.os_family == 'Debian' - name: include PAM tests include_tasks: verify_tasks/pam.yml 
@@ -45,17 +16,35 @@ include_tasks: verify_tasks/yum.yml when: ansible_facts.os_family == 'RedHat' - - name: download cinc-auditor - get_url: - url: https://omnitruck.cinc.sh/install.sh - dest: /tmp/install.sh - mode: '0775' +- name: Verify + hosts: localhost + environment: + http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" + https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" + no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" + tasks: + - name: get ssh-config + command: + cmd: "vagrant ssh-config" + chdir: "{{ molecule_ephemeral_directory }}" + register: ssh_config + changed_when: false - - name: install cinc-auditor - shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4" + - name: create ssh-config file + copy: + content: "{{ ssh_config.stdout_lines | join ('\n') }}" + dest: "{{ molecule_ephemeral_directory }}/ssh-config" + changed_when: false - - name: Execute cinc-auditor tests # noqa ignore-errors - command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip" + - name: Execute cinc-auditor tests + command: > + docker run + --volume {{ molecule_ephemeral_directory }}:{{ molecule_ephemeral_directory }} + docker.io/cincproject/auditor exec + --ssh-config-file={{ molecule_ephemeral_directory }}/ssh-config + -t ssh://{{ lookup('env', 'USER') }} + --sudo --no-show-progress --no-color + --no-distinct-exit https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip register: test_results changed_when: false ignore_errors: true diff --git a/molecule/ssh_hardening/molecule.yml b/molecule/ssh_hardening/molecule.yml index 10889d6f..591a5a51 100644 --- a/molecule/ssh_hardening/molecule.yml +++ b/molecule/ssh_hardening/molecule.yml @@ -1,8 +1,4 @@ --- -dependency: - name: galaxy - options: - role-file: molecule/ssh_hardening/requirements.yml driver: name: docker platforms: 
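Review bot: `create ssh-config file` writes the `vagrant ssh-config` output with no `mode:`, and the whole `{{ molecule_ephemeral_directory }}` — which presumably holds the Vagrant private key that config references, since the directory is mounted at the same path for that reason — is bind-mounted read-write into an unpinned `docker.io/cincproject/auditor` image that then runs with `--sudo` on the VM. Pin the image to a release tag or digest, mount the directory read-only with `--volume {{ molecule_ephemeral_directory }}:{{ molecule_ephemeral_directory }}:ro`, and give the copy `mode: '0600'` so the generated config is not world-readable. The `--sudo` flag is also undocumented here; a one-line comment such as `# --sudo: the profile reads root-only files (sshd/pam config) on the VM` would tell the next maintainer why root is needed.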
diff --git a/molecule/ssh_hardening/requirements.yml b/molecule/ssh_hardening/requirements.yml deleted file mode 100644 index 53fa9b49..00000000 --- a/molecule/ssh_hardening/requirements.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -roles: - - geerlingguy.git diff --git a/molecule/ssh_hardening_bsd/molecule.yml b/molecule/ssh_hardening_bsd/molecule.yml index 2626b7f0..10460b7a 100644 --- a/molecule/ssh_hardening_bsd/molecule.yml +++ b/molecule/ssh_hardening_bsd/molecule.yml @@ -1,8 +1,4 @@ --- -dependency: - name: galaxy - options: - role-file: molecule/ssh_hardening_bsd/requirements.yml driver: name: vagrant provider: diff --git a/molecule/ssh_hardening_bsd/requirements.yml b/molecule/ssh_hardening_bsd/requirements.yml deleted file mode 100644 index 53fa9b49..00000000 --- a/molecule/ssh_hardening_bsd/requirements.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -roles: - - geerlingguy.git diff --git a/molecule/ssh_hardening_custom_tests/molecule.yml b/molecule/ssh_hardening_custom_tests/molecule.yml index 6db3e7f2..31fdc6be 100644 --- a/molecule/ssh_hardening_custom_tests/molecule.yml +++ b/molecule/ssh_hardening_custom_tests/molecule.yml @@ -1,8 +1,4 @@ --- -dependency: - name: galaxy - options: - role-file: molecule/ssh_hardening/requirements.yml driver: name: docker platforms: diff --git a/molecule/ssh_hardening_custom_tests/requirements.yml b/molecule/ssh_hardening_custom_tests/requirements.yml deleted file mode 100644 index 53fa9b49..00000000 --- a/molecule/ssh_hardening_custom_tests/requirements.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -roles: - - geerlingguy.git From e43f18011247675a81eb7bbec675d52f2c430d75 Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Mon, 10 Apr 2023 23:48:52 +0200 Subject: [PATCH 11/18] update waiver path Signed-off-by: Martin Schurz --- molecule/os_hardening/verify.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml index e54cf4fd..aefea16b 100644 
--- a/molecule/os_hardening/verify.yml +++ b/molecule/os_hardening/verify.yml @@ -37,7 +37,7 @@ command: > docker run --volume /run/docker.sock:/run/docker.sock - --volume ./waivers.yaml:/waivers.yaml + --volume /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/molecule/os_hardening/waivers.yaml:/waivers.yaml docker.io/cincproject/auditor exec -t docker://instance --no-show-progress --no-color @@ -55,6 +55,16 @@ msg: "Inspec failed to validate" when: test_results.rc != 0 +- name: Verify + hosts: all + become: true + environment: + http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" + https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" + no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" + collections: + - devsec.hardening + tasks: # test if variable can be overridden - name: workaround for https://github.com/ansible/ansible/issues/66304 set_fact: From 5cc7b8dee328b200e8849757a7fa1ff5a30c7176 Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Tue, 11 Apr 2023 07:17:29 +0200 Subject: [PATCH 12/18] add waivers for os_hardening Signed-off-by: Martin Schurz --- molecule/os_hardening/verify.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml index aefea16b..57be5f6a 100644 --- a/molecule/os_hardening/verify.yml +++ b/molecule/os_hardening/verify.yml 
@@ -37,10 +37,11 @@ command: > docker run --volume /run/docker.sock:/run/docker.sock - --volume /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/molecule/os_hardening/waivers.yaml:/waivers.yaml + --volume {{ playbook_dir }}/waivers.yaml:/waivers.yaml docker.io/cincproject/auditor exec -t docker://instance --no-show-progress --no-color + --waiver-file /waivers.yaml --no-distinct-exit https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip register: test_results changed_when: false From f02f8b9a90ab86598ccbcd02065814a8d54efedf Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Tue, 11 Apr 2023 07:20:44 +0200 Subject: [PATCH 13/18] add procps for Debian Signed-off-by: Martin Schurz --- molecule/mysql_hardening/verify.yml | 7 +++++++ molecule/nginx_hardening/verify.yml | 16 ++++++++++++++++ 2 files changed, 23 insertions(+) diff --git a/molecule/mysql_hardening/verify.yml b/molecule/mysql_hardening/verify.yml index 24ebc3ff..d042a07e 100644 --- a/molecule/mysql_hardening/verify.yml +++ b/molecule/mysql_hardening/verify.yml @@ -13,6 +13,13 @@ when: - ansible_os_family == 'Suse' + - name: install procps for debian systems + apt: + name: procps + state: present + update_cache: true + when: ansible_distribution == 'Debian' + - name: include tests for the service include_tasks: verify_tasks/service.yml diff --git a/molecule/nginx_hardening/verify.yml b/molecule/nginx_hardening/verify.yml index d7bea68c..11cb6c81 100644 --- a/molecule/nginx_hardening/verify.yml +++ b/molecule/nginx_hardening/verify.yml 
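Review bot: The waivers file is bind-mounted read-write although nothing in the command writes it; mount it read-only, `--volume {{ playbook_dir }}/waivers.yaml:/waivers.yaml:ro`, so a misbehaving auditor image cannot alter the waivers in the checkout. `{{ playbook_dir }}` correctly replaces the runner-specific absolute path for local runs, but because `command:` splits the folded string on whitespace, a checkout path containing a space would break the volume argument; an `argv:` list form avoids that if it ever matters.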
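Review bot: The new procps task is guarded by `when: ansible_distribution == 'Debian'`, which matches Debian proper only, while the Suse guard a few lines above uses `ansible_os_family`; if the intent is every apt-based image in the matrix (Ubuntu included), the guard should be `when: ansible_os_family == 'Debian'`. If Ubuntu is deliberately excluded, a comment stating why (for example that its images already ship procps) would stop the next reader from "fixing" it.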
@@ -1,3 +1,19 @@ +--- +- name: Verify + hosts: all + become: true + environment: + http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" + https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" + no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" + tasks: + - name: install procps for debian systems + apt: + name: procps + state: present + update_cache: true + when: ansible_distribution == 'Debian' + - name: Verify hosts: localhost environment: From a186760b45bd466f4cfc4eded68555e4c9a94d43 Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Tue, 11 Apr 2023 09:51:05 +0200 Subject: [PATCH 14/18] exclude broken tests Signed-off-by: Martin Schurz --- .github/workflows/mysql_hardening.yml | 2 +- .github/workflows/nginx_hardening.yml | 4 ++-- .github/workflows/os_hardening_vm.yml | 2 +- .github/workflows/ssh_hardening.yml | 2 +- .github/workflows/ssh_hardening_custom_tests.yml | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/mysql_hardening.yml b/.github/workflows/mysql_hardening.yml index 03ffc5bf..9a241b09 100644 --- a/.github/workflows/mysql_hardening.yml +++ b/.github/workflows/mysql_hardening.yml @@ -46,7 +46,7 @@ jobs: - debian10 - debian11 # - amazon # geerlingguy.mysql does not support fedora - - arch + # - arch # geerlingguy.mysql does not support arch - opensuse_tumbleweed # - fedora # geerlingguy.mysql does not support fedora steps: diff --git a/.github/workflows/nginx_hardening.yml b/.github/workflows/nginx_hardening.yml index 653d0bfb..076a4b5d 100644 --- a/.github/workflows/nginx_hardening.yml +++ b/.github/workflows/nginx_hardening.yml @@ -45,8 +45,8 @@ jobs: - debian10 - debian11 - amazon2023 - - arch - - opensuse_tumbleweed + # - arch # needs to be fixed + # - opensuse_tumbleweed # needs to be fixed # - fedora # no support from geerlingguy role steps: - name: Checkout repo 
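Review bot: The file now has two plays both named `Verify` (the new `hosts: all` play and the existing `hosts: localhost` one), which makes the molecule log ambiguous about which play failed; name the new one for what it does, e.g. `- name: Install verification prerequisites`. As in the mysql change, `when: ansible_distribution == 'Debian'` skips Ubuntu; use `ansible_os_family == 'Debian'` if every apt-based image needs procps, or document the exclusion.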
diff --git a/.github/workflows/os_hardening_vm.yml b/.github/workflows/os_hardening_vm.yml index a8bad664..ff00f07a 100644 --- a/.github/workflows/os_hardening_vm.yml +++ b/.github/workflows/os_hardening_vm.yml @@ -45,7 +45,7 @@ jobs: - debian10 - debian11 - opensuse15 - - arch + # - arch # needs fix for audit steps: - name: Checkout repo uses: actions/checkout@v3 diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml index 983384cd..28247f9f 100644 --- a/.github/workflows/ssh_hardening.yml +++ b/.github/workflows/ssh_hardening.yml @@ -47,7 +47,7 @@ jobs: - debian11 - amazon2023 - arch - - opensuse_tumbleweed + # - opensuse_tumbleweed # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?) steps: - name: Checkout repo uses: actions/checkout@v3 diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml index 4e3918c9..8852350d 100644 --- a/.github/workflows/ssh_hardening_custom_tests.yml +++ b/.github/workflows/ssh_hardening_custom_tests.yml @@ -47,7 +47,7 @@ jobs: - debian11 - amazon2023 - arch - - opensuse_tumbleweed + # - opensuse_tumbleweed # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?) steps: - name: Checkout repo uses: actions/checkout@v3 From 0014a3be3609a8694516e42dd48384ea1dd6530d Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Wed, 12 Apr 2023 20:18:29 +0200 Subject: [PATCH 15/18] update metadata Signed-off-by: Martin Schurz --- roles/mysql_hardening/meta/main.yml | 3 ++- roles/nginx_hardening/meta/main.yml | 2 ++ roles/os_hardening/meta/main.yml | 1 + roles/ssh_hardening/meta/main.yml | 2 +- 4 files changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/mysql_hardening/meta/main.yml b/roles/mysql_hardening/meta/main.yml index 2a1df16e..796bf0ac 100644 --- a/roles/mysql_hardening/meta/main.yml +++ b/roles/mysql_hardening/meta/main.yml 
@@ -10,6 +10,7 @@ galaxy_info: versions: - "7" - "8" + - "9" - name: Ubuntu versions: - bionic @@ -20,7 +21,7 @@ galaxy_info: - bullseye - buster - name: Amazon - - name: Fedora + - name: opensuse galaxy_tags: - system - security diff --git a/roles/nginx_hardening/meta/main.yml b/roles/nginx_hardening/meta/main.yml index b87eb942..735b610a 100644 --- a/roles/nginx_hardening/meta/main.yml +++ b/roles/nginx_hardening/meta/main.yml @@ -10,6 +10,7 @@ galaxy_info: versions: - "7" - "8" + - "9" - name: Ubuntu versions: - bionic @@ -19,6 +20,7 @@ galaxy_info: versions: - buster - bullseye + - name: Amazon galaxy_tags: - system - security diff --git a/roles/os_hardening/meta/main.yml b/roles/os_hardening/meta/main.yml index 308450c8..7c06d5ee 100644 --- a/roles/os_hardening/meta/main.yml +++ b/roles/os_hardening/meta/main.yml @@ -10,6 +10,7 @@ galaxy_info: versions: - "7" - "8" + - "9" - name: Ubuntu versions: - bionic diff --git a/roles/ssh_hardening/meta/main.yml b/roles/ssh_hardening/meta/main.yml index ac2f26f6..37f5b03b 100644 --- a/roles/ssh_hardening/meta/main.yml +++ b/roles/ssh_hardening/meta/main.yml @@ -10,6 +10,7 @@ galaxy_info: versions: - "7" - "8" + - "9" - name: Ubuntu versions: - bionic @@ -23,7 +24,6 @@ galaxy_info: - name: Fedora - name: ArchLinux - name: SmartOS - - name: opensuse - name: FreeBSD versions: - "12.2" From 6e48f686a945670adb20c39f7697c141d9f34a3a Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Wed, 12 Apr 2023 20:21:27 +0200 Subject: [PATCH 16/18] add fedora to testing Signed-off-by: Martin Schurz --- .github/workflows/os_hardening.yml | 1 + .github/workflows/os_hardening_vm.yml | 2 ++ 2 files changed, 3 insertions(+) diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml index 62b68371..685d3d45 100644 --- a/.github/workflows/os_hardening.yml +++ b/.github/workflows/os_hardening.yml @@ -39,6 +39,7 @@ jobs: - centosstream9 - rocky8 - rocky9 + - fedora - ubuntu1804 - ubuntu2004 - ubuntu2204 
diff --git a/.github/workflows/os_hardening_vm.yml b/.github/workflows/os_hardening_vm.yml index ff00f07a..acd6f83e 100644 --- a/.github/workflows/os_hardening_vm.yml +++ b/.github/workflows/os_hardening_vm.yml @@ -39,6 +39,8 @@ jobs: - centos9s - rocky8 - rocky9 + - fedora36 + - fedora37 - ubuntu1804 - ubuntu2004 - ubuntu2204 From de0439ed58f38cebed397da2cff14e07a87e0dac Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Wed, 12 Apr 2023 20:22:22 +0200 Subject: [PATCH 17/18] remove unneccessary collection include Signed-off-by: Martin Schurz --- molecule/nginx_hardening/prepare.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/molecule/nginx_hardening/prepare.yml b/molecule/nginx_hardening/prepare.yml index 642922d8..4ab5f51d 100644 --- a/molecule/nginx_hardening/prepare.yml +++ b/molecule/nginx_hardening/prepare.yml @@ -2,8 +2,6 @@ - name: prepare playbook for kitchen testing "ansible-nginx-hardening" with custom settings become: true hosts: all - collections: - - devsec.hardening environment: http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" From bb473007984c903d2206b5bbfe264f9720a4f641 Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Wed, 12 Apr 2023 20:27:35 +0200 Subject: [PATCH 18/18] remove unneccessary collection include Signed-off-by: Martin Schurz --- molecule/os_hardening/prepare.yml | 2 -- molecule/os_hardening/verify.yml | 2 -- molecule/os_hardening_vm/prepare.yml | 2 -- 3 files changed, 6 deletions(-) diff --git a/molecule/os_hardening/prepare.yml b/molecule/os_hardening/prepare.yml index d85832c7..5479be75 100644 --- a/molecule/os_hardening/prepare.yml +++ b/molecule/os_hardening/prepare.yml 
@@ -2,8 +2,6 @@ - name: wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing hosts: all become: true - collections: - - devsec.hardening environment: http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml index 57be5f6a..58e6d679 100644 --- a/molecule/os_hardening/verify.yml +++ b/molecule/os_hardening/verify.yml @@ -6,8 +6,6 @@ http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" - collections: - - devsec.hardening tasks: - name: include verification tasks ansible.builtin.include_tasks: diff --git a/molecule/os_hardening_vm/prepare.yml b/molecule/os_hardening_vm/prepare.yml index 014c0f6e..d4548eb2 100644 --- a/molecule/os_hardening_vm/prepare.yml +++ b/molecule/os_hardening_vm/prepare.yml @@ -2,8 +2,6 @@ - name: wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing hosts: all become: true - collections: - - devsec.hardening environment: http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}" https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"