fix: optimize installation

molecule/vagrant/molecule.yml

@@ -10,7 +10,7 @@ driver:
   parallel: false
 
 platforms:
-  - name: openscape-debian
+  - name: openscap-debian
     box: debian/bullseye64
     # box: generic/ubuntu2204
     memory: 1024

tasks/debian11-var.yml

@@ -0,0 +1,3 @@
+---
+openscap_profile: "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive"
+openscap_security_policy: "ssg-debian11-ds-1.2.xml"

tasks/debian11.yml

@@ -37,8 +37,3 @@
       - unzip
     state: present
   become: true
-
-- name: Set profile variables
-  ansible.builtin.set_fact:
-    openscap_profile: "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high"
-    openscap_security_policy: "ssg-debian11-ds.xml"

tasks/main.yml

@@ -1,65 +1,85 @@
-- name: Include task
-  ansible.builtin.include_tasks:
-    file: "{{ ansible_distribution | lower }}{{ ansible_distribution_major_version }}.yml"
-- name: Clone oscap project
-  ansible.builtin.git:
-    repo: https://github.com/OpenSCAP/openscap.git
-    dest: /tmp/openscap
-    version: "{{ oscap_version }}"
-    recursive: true
-    force: true
-- name: Cmake
+- name: Include variables
+  ansible.builtin.include_vars: "{{ ansible_distribution | lower }}{{ ansible_distribution_major_version }}-var.yml"
+- name: Test version
   ansible.builtin.shell:
-    cmd: cmake .. -DCMAKE_INSTALL_PREFIX=/usr
-    chdir: /tmp/openscap/build
-  register: my_output
-  changed_when: my_output.rc != 0
-  tags:
-    - skip_ansible_lint
-- name: Build OpenScap
-  ansible.builtin.shell:
-    cmd: make install
-    chdir: /tmp/openscap/build
+    cmd: "oscap --version | head -1 | awk '{print $6}'"
+  register: version
+  failed_when: false
+  changed_when: version.stdout != oscap_version
+- name: Build oscap
+  when: version.changed and true
+  block:
+    - name: Include task
+      ansible.builtin.include_tasks:
+        file: "{{ ansible_distribution | lower }}{{ ansible_distribution_major_version }}.yml"
+    - name: Clone oscap project
+      ansible.builtin.git:
+        repo: https://github.com/OpenSCAP/openscap.git
+        dest: /tmp/openscap
+        version: "{{ oscap_version }}"
+        recursive: true
+        force: true
+    - name: Cmake
+      ansible.builtin.shell:
+        cmd: cmake .. -DCMAKE_INSTALL_PREFIX=/usr
+        chdir: /tmp/openscap/build
+      register: my_output
+      changed_when: my_output.rc != 0
+      tags:
+        - skip_ansible_lint
+    - name: Build OpenScap
+      ansible.builtin.shell:
+        cmd: make install
+        chdir: /tmp/openscap/build
+      become: true
+      register: my_output
+      changed_when: my_output.rc != 0
+      tags:
+        - skip_ansible_lint
+    - name: Install
+      ansible.builtin.shell:
+        cmd: make install
+        chdir: /tmp/openscap/build
+      become: true
+      register: my_output
+      changed_when: my_output.rc != 0
+      tags:
+        - skip_ansible_lint
+- name: Create folder to put ComplianceAsCode project
+  ansible.builtin.file:
+    mode: 0755
+    owner: root
+    path: "{{ item }}"
+    state: directory
   become: true
-  register: my_output
-  changed_when: my_output.rc != 0
-  tags:
-    - skip_ansible_lint
-- name: Install
-  ansible.builtin.shell:
-    cmd: make install
-    chdir: /tmp/openscap/build
+  with_items:
+    - /opt/openscap-content
+    - /tmp/openscap-reports
+- name: Test folder existence
+  ansible.builtin.lineinfile:
+    name: /opt/openscap-content/ubuntu2204-script-standard.sh
+    regex: "# Benchmark Version:  {{ content_version }}"
+    line: "# Benchmark Version:  {{ content_version }}"
+    state: present
+  register: test_content
+  ignore_errors: true
   become: true
-  register: my_output
-  changed_when: my_output.rc != 0
-  tags:
-    - skip_ansible_lint
 - name: Install Content Block
-  when: install_content
+  when: install_content and (test_content.changed or 'rc' in test_content)
   block:
-    - name: Create folder to put ComplianceAsCode project
-      ansible.builtin.file:
-        mode: 0755
-        owner: root
-        path: "{{ item }}"
-        state: directory
-      become: true
-      with_items:
-        - /opt/openscap-content
-        - /tmp/openscap-reports
     - name: Unzip ComplianceAsCode project
       ansible.builtin.unarchive:
         src: "https://github.com/ComplianceAsCode/content/releases/download/v{{ content_version }}/scap-security-guide-{{ content_version }}.zip"
-        dest: /opt/openscap-content
+        dest: /opt/openscap-content/
         remote_src: true
         extra_opts: '-j'
       become: true
-- name: Install Content Block
+- name: Scan
   when: scan
   block:
     - name: Scan
       ansible.builtin.shell:
-        cmd: "oscap xccdf eval --profile {{ openscap_profile }} --results-arf /tmp/openscap-reports/arf-{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version }}.xml --report /tmp/openscap-reports/report-{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version }}.html /opt/openscap-content/{{ openscap_security_policy }}"
+        cmd: "oscap xccdf eval --fetch-remote-resources --profile {{ openscap_profile }} --results-arf /tmp/openscap-reports/arf-{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version }}.xml --report /tmp/openscap-reports/report-{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version }}.html /opt/openscap-content/{{ openscap_security_policy }}"
       become: true
       register: result
       failed_when: result.rc == 1

tasks/ubuntu22-var.yml

@@ -0,0 +1,3 @@
+---
+openscap_profile: "xccdf_org.ssgproject.content_profile_cis_level2_server"
+openscap_security_policy: "ssg-ubuntu2204-ds.xml"

tasks/ubuntu22.yml

@@ -37,7 +37,3 @@
       - git
     state: present
   become: true
-- name: Set profile variables
-  ansible.builtin.set_fact:
-    openscap_profile: "xccdf_org.ssgproject.content_profile_cis_level2_server"
-    openscap_security_policy: "ssg-ubuntu2204-ds.xml"