Merge branch 'master' into min_ansible_ver

Author: schurzi

.github/workflows/mysql_hardening.yml

@@ -27,7 +27,7 @@ concurrency:
 
 jobs:
   build:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     env:
       PY_COLORS: 1
       ANSIBLE_FORCE_COLOR: 1
@@ -46,8 +46,8 @@ jobs:
           - debian10
           - debian11
           # - amazon  # geerlingguy.mysql does not support fedora
-          # - arch  # needs to be fixed
-          - opensuse_tumbleweed  # needs to be fixed
+          # - arch  # geerlingguy.mysql does not support arch
+          - opensuse_tumbleweed
           # - fedora  # geerlingguy.mysql does not support fedora
     steps:
       - name: Checkout repo
@@ -56,10 +56,10 @@ jobs:
           path: ansible_collections/devsec/hardening
           submodules: true
 
-      - name: Set up Python 3.7
+      - name: Set up Python 3.11
         uses: actions/setup-python@v4
         with:
-          python-version: 3.7
+          python-version: 3.11
 
       - name: Install dependencies
         run: |
@@ -68,11 +68,6 @@ jobs:
           pip install -r requirements.txt
         working-directory: ansible_collections/devsec/hardening
 
-      - name: Create default collection path symlink
-        run: |
-          mkdir -p /home/runner/.ansible
-          ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections
-
       # that was a hard one to fix. robert did it thankfully
       # https://github.com/robertdebock/ansible-role-mysql/commit/7562e99099b06282391ab7ed102b393a0406d212
       - name: disable apparmor on debian systems

.github/workflows/nginx_hardening.yml

@@ -26,7 +26,7 @@ concurrency:
 
 jobs:
   build:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     env:
       PY_COLORS: 1
       ANSIBLE_FORCE_COLOR: 1
@@ -44,7 +44,7 @@ jobs:
           - ubuntu2204
           - debian10
           - debian11
-          - amazon
+          - amazon2023
           # - arch  # needs to be fixed
           # - opensuse_tumbleweed  # needs to be fixed
           # - fedora  # no support from geerlingguy role
@@ -55,10 +55,10 @@ jobs:
           path: ansible_collections/devsec/hardening
           submodules: true
 
-      - name: Set up Python 3.7
+      - name: Set up Python 3.11
         uses: actions/setup-python@v4
         with:
-          python-version: 3.7
+          python-version: 3.11
 
       - name: Install dependencies
         run: |
@@ -67,11 +67,6 @@ jobs:
           pip install -r requirements.txt
         working-directory: ansible_collections/devsec/hardening
 
-      - name: Create default collection path symlink
-        run: |
-          mkdir -p /home/runner/.ansible
-          ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections
-
       - name: Test with molecule
         run: |
           molecule --version

.github/workflows/os_hardening.yml

@@ -26,7 +26,7 @@ concurrency:
 
 jobs:
   build:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     env:
       PY_COLORS: 1
       ANSIBLE_FORCE_COLOR: 1
@@ -39,25 +39,26 @@ jobs:
           - centosstream9
           - rocky8
           - rocky9
+          - fedora
           - ubuntu1804
           - ubuntu2004
           - ubuntu2204
           - debian10
           - debian11
-          - amazon
+          - amazon2023
           - opensuse_tumbleweed
-          # - arch  # needs to be fixed
+          - arch
     steps:
       - name: Checkout repo
         uses: actions/checkout@v3
         with:
           path: ansible_collections/devsec/hardening
           submodules: true
 
-      - name: Set up Python 3.7
+      - name: Set up Python 3.11
         uses: actions/setup-python@v4
         with:
-          python-version: 3.7
+          python-version: 3.11
 
       - name: Install dependencies
         run: |
@@ -66,11 +67,6 @@ jobs:
           pip install -r requirements.txt
         working-directory: ansible_collections/devsec/hardening
 
-      - name: Create default collection path symlink
-        run: |
-          mkdir -p /home/runner/.ansible
-          ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections
-
       - name: Test with molecule
         run: |
           if [ "$MOLECULE_DISTRO" = "opensuse_tumbleweed" ]; then

.github/workflows/os_hardening_vm.yml

@@ -39,13 +39,15 @@ jobs:
           - centos9s
           - rocky8
           - rocky9
+          - fedora36
+          - fedora37
           - ubuntu1804
           - ubuntu2004
           - ubuntu2204
           - debian10
           - debian11
           - opensuse15
-          # - arch  # arch is currently not supported by cinc-auditor
+          # - arch  # needs fix for audit
     steps:
       - name: Checkout repo
         uses: actions/checkout@v3

.github/workflows/ssh_hardening.yml

@@ -26,7 +26,7 @@ concurrency:
 
 jobs:
   build:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     env:
       PY_COLORS: 1
       ANSIBLE_FORCE_COLOR: 1
@@ -45,20 +45,20 @@ jobs:
           - ubuntu2204
           - debian10
           - debian11
-          - amazon
-          # - arch  # needs to be fixed
-          # - opensuse_tumbleweed  # baseline is not compatible with suse
+          - amazon2023
+          - arch
+          # - opensuse_tumbleweed  # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
     steps:
       - name: Checkout repo
         uses: actions/checkout@v3
         with:
           path: ansible_collections/devsec/hardening
           submodules: true
 
-      - name: Set up Python 3.7
+      - name: Set up Python 3.11
         uses: actions/setup-python@v4
         with:
-          python-version: 3.7
+          python-version: 3.11
 
       - name: Install dependencies
         run: |
@@ -67,11 +67,6 @@ jobs:
           pip install -r requirements.txt
         working-directory: ansible_collections/devsec/hardening
 
-      - name: Create default collection path symlink
-        run: |
-          mkdir -p /home/runner/.ansible
-          ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections
-
       - name: Test with molecule
         run: |
           if [ "$MOLECULE_DISTRO" = "opensuse_tumbleweed" ]; then

.github/workflows/ssh_hardening_custom_tests.yml

@@ -26,7 +26,7 @@ concurrency:
 
 jobs:
   build:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     env:
       PY_COLORS: 1
       ANSIBLE_FORCE_COLOR: 1
@@ -45,20 +45,20 @@ jobs:
           - ubuntu2204
           - debian10
           - debian11
-          - amazon
-          # - arch  # needs to be fixed
-          # - opensuse_tumbleweed  # baseline is not compatible with suse
+          - amazon2023
+          - arch
+          # - opensuse_tumbleweed  # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
     steps:
       - name: Checkout repo
         uses: actions/checkout@v3
         with:
           path: ansible_collections/devsec/hardening
           submodules: true
 
-      - name: Set up Python 3.7
+      - name: Set up Python 3.11
         uses: actions/setup-python@v4
         with:
-          python-version: 3.7
+          python-version: 3.11
 
       - name: Install dependencies
         run: |
@@ -67,11 +67,6 @@ jobs:
           pip install -r requirements.txt
         working-directory: ansible_collections/devsec/hardening
 
-      - name: Create default collection path symlink
-        run: |
-          mkdir -p /home/runner/.ansible
-          ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections
-
       - name: Test with molecule
         run: |
           if [ "$MOLECULE_DISTRO" = "opensuse_tumbleweed" ]; then

molecule/mysql_hardening/molecule.yml

@@ -22,7 +22,7 @@ provisioner:
   config_options:
     defaults:
       interpreter_python: auto_silent
-      callback_whitelist: profile_tasks, timer, yaml
+      callbacks_enabled: profile_tasks, timer, yaml
 verifier:
   name: ansible
 

molecule/mysql_hardening/requirements.yml

@@ -1,7 +1,5 @@
 ---
 roles:
-  - name: geerlingguy.git
-    version: 3.0.1
   - name: dev-sec.mysql
     version: master
 

molecule/mysql_hardening/verify.yml

@@ -6,26 +6,12 @@
     http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
-  roles:
-    - geerlingguy.git
   tasks:
-    - name: install fake SuSE-release for cinc compatibility
-      copy:
-        content: |
-          openSUSE Faked Enterprise 2020 (x86_64)
-          VERSION = 2020
-          CODENAME = Faked Feature
-        dest: /etc/SuSE-release
-        owner: root
-        group: root
-        mode: '0444'
-      when: ansible_facts.os_family == 'Suse'
-
-    - name: install git for SuSE since geerlinguy.git does not support it
-      zypper:
-        name: git
-        state: present
-      when: ansible_facts.os_family == 'Suse'
+    - name: Use Python 3 on Suse
+      set_fact:
+        ansible_python_interpreter: /usr/bin/python3
+      when:
+        - ansible_os_family == 'Suse'
 
     - name: install procps for debian systems
       apt:
@@ -34,29 +20,27 @@
         update_cache: true
       when: ansible_distribution == 'Debian'
 
-    - name: Use Python 3 on Suse
-      set_fact:
-        ansible_python_interpreter: /usr/bin/python3
-      when:
-        - ansible_os_family == 'Suse'
-
     - name: include tests for the service
       include_tasks: verify_tasks/service.yml
 
     - name: include tests for MySQL user
       include_tasks: verify_tasks/mysql_users.yml
 
-    - name: download cinc-auditor
-      get_url:
-        url: https://omnitruck.cinc.sh/install.sh
-        dest: /tmp/install.sh
-        mode: '0775'
-
-    - name: install cinc-auditor
-      shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"
-
+- name: Verify
+  hosts: localhost
+  environment:
+    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
+    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+  tasks:
     - name: Execute cinc-auditor tests
-      command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/mysql-baseline/archive/refs/heads/master.zip"
+      command: >
+        docker run
+        --volume /run/docker.sock:/run/docker.sock
+        docker.io/cincproject/auditor exec
+        -t docker://instance
+        --no-show-progress --no-color
+        --no-distinct-exit https://github.com/dev-sec/mysql-baseline/archive/refs/heads/master.zip
       register: test_results
       changed_when: false
       ignore_errors: true

molecule/nginx_hardening/converge.yml

@@ -2,6 +2,8 @@
 - name: wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
   become: true
   hosts: all
+  collections:
+    - devsec.hardening
   environment:
     http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"