diff --git a/molecule/vagrant/molecule.yml b/molecule/vagrant/molecule.yml
index 77a7ec3..014126c 100644
--- a/molecule/vagrant/molecule.yml
+++ b/molecule/vagrant/molecule.yml
@@ -10,7 +10,7 @@ driver:
 parallel: false
 platforms:
- - name: openscape-debian
+ - name: openscap-debian
 box: debian/bullseye64
 # box: generic/ubuntu2204
 memory: 1024
diff --git a/tasks/debian11-var.yml b/tasks/debian11-var.yml
new file mode 100644
index 0000000..3b0a8d7
--- /dev/null
+++ b/tasks/debian11-var.yml
@@ -0,0 +1,3 @@
+---
+openscap_profile: "xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive"
+openscap_security_policy: "ssg-debian11-ds-1.2.xml"
\ No newline at end of file
diff --git a/tasks/debian11.yml b/tasks/debian11.yml
index 9895650..1406544 100644
--- a/tasks/debian11.yml
+++ b/tasks/debian11.yml
@@ -37,8 +37,3 @@
 - unzip
 state: present
 become: true
-
-- name: Set profile variables
- ansible.builtin.set_fact:
- openscap_profile: "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high"
- openscap_security_policy: "ssg-debian11-ds.xml"
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
index 4cdeaf7..c4f778f 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
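Review bot: `tasks/debian11-var.yml` (and `tasks/ubuntu22-var.yml` later in the diff) hold role variables but live under `tasks/`; the `include_vars` call added in `tasks/main.yml` resolves a bare file name against the role's `vars/` directory first and, as far as I recall, only then falls back to the tasks directory, so this works by fallback and would be the first thing to break in a later cleanup — `vars/` is the conventional home. The Debian file changes the profile from `…anssi_np_nt28_high` to `…anssi_np_nt28_restrictive` and the datastream from `ssg-debian11-ds.xml` to `ssg-debian11-ds-1.2.xml`, while the Ubuntu file keeps `ssg-ubuntu2204-ds.xml`; neither the commit nor the file says why the level and the datastream flavour differ between the two distributions, so a short comment above each key would help, e.g. `# <why this ANSSI level and the -1.2 datastream were chosen for Debian>`. Both new files also end with `\ No newline at end of file`.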
@@ -1,65 +1,85 @@
-- name: Include task
- ansible.builtin.include_tasks:
- file: "{{ ansible_distribution | lower }}{{ ansible_distribution_major_version }}.yml"
-- name: Clone oscap project
- ansible.builtin.git:
- repo: https://github.com/OpenSCAP/openscap.git
- dest: /tmp/openscap
- version: "{{ oscap_version }}"
- recursive: true
- force: true
-- name: Cmake
+- name: Include variables
+ ansible.builtin.include_vars: "{{ ansible_distribution | lower }}{{ ansible_distribution_major_version }}-var.yml"
+- name: Test version
 ansible.builtin.shell:
- cmd: cmake .. -DCMAKE_INSTALL_PREFIX=/usr
- chdir: /tmp/openscap/build
- register: my_output
- changed_when: my_output.rc != 0
- tags:
- - skip_ansible_lint
-- name: Build OpenScap
- ansible.builtin.shell:
- cmd: make install
- chdir: /tmp/openscap/build
+ cmd: "oscap --version | head -1 | awk '{print $6}'"
+ register: version
+ failed_when: false
+ changed_when: version.stdout != oscap_version
+- name: Build oscap
+ when: version.changed and true
+ block:
+ - name: Include task
+ ansible.builtin.include_tasks:
+ file: "{{ ansible_distribution | lower }}{{ ansible_distribution_major_version }}.yml"
+ - name: Clone oscap project
+ ansible.builtin.git:
+ repo: https://github.com/OpenSCAP/openscap.git
+ dest: /tmp/openscap
+ version: "{{ oscap_version }}"
+ recursive: true
+ force: true
+ - name: Cmake
+ ansible.builtin.shell:
+ cmd: cmake .. -DCMAKE_INSTALL_PREFIX=/usr
+ chdir: /tmp/openscap/build
+ register: my_output
+ changed_when: my_output.rc != 0
+ tags:
+ - skip_ansible_lint
+ - name: Build OpenScap
+ ansible.builtin.shell:
+ cmd: make install
+ chdir: /tmp/openscap/build
+ become: true
+ register: my_output
+ changed_when: my_output.rc != 0
+ tags:
+ - skip_ansible_lint
+ - name: Install
+ ansible.builtin.shell:
+ cmd: make install
+ chdir: /tmp/openscap/build
+ become: true
+ register: my_output
+ changed_when: my_output.rc != 0
+ tags:
+ - skip_ansible_lint
+- name: Create folder to put ComplianceAsCode project
+ ansible.builtin.file:
+ mode: 0755
+ owner: root
+ path: "{{ item }}"
+ state: directory
 become: true
- register: my_output
- changed_when: my_output.rc != 0
- tags:
- - skip_ansible_lint
-- name: Install
- ansible.builtin.shell:
- cmd: make install
- chdir: /tmp/openscap/build
+ with_items:
+ - /opt/openscap-content
+ - /tmp/openscap-reports
+- name: Test folder existence
+ ansible.builtin.lineinfile:
+ name: /opt/openscap-content/ubuntu2204-script-standard.sh
+ regex: "# Benchmark Version: {{ content_version }}"
+ line: "# Benchmark Version: {{ content_version }}"
+ state: present
+ register: test_content
+ ignore_errors: true
 become: true
- register: my_output
- changed_when: my_output.rc != 0
- tags:
- - skip_ansible_lint
 - name: Install Content Block
- when: install_content
+ when: install_content and (test_content.changed or 'rc' in test_content)
 block:
- - name: Create folder to put ComplianceAsCode project
- ansible.builtin.file:
- mode: 0755
- owner: root
- path: "{{ item }}"
- state: directory
- become: true
- with_items:
- - /opt/openscap-content
- - /tmp/openscap-reports
 - name: Unzip ComplianceAsCode project
 ansible.builtin.unarchive:
 src: "https://github.com/ComplianceAsCode/content/releases/download/v{{ content_version }}/scap-security-guide-{{ content_version }}.zip"
- dest: /opt/openscap-content
+ dest: /opt/openscap-content/
 remote_src: true
 extra_opts: '-j'
 become: true
-- name: Install Content Block
+- name: Scan
 when: scan
 block:
 - name: Scan
 ansible.builtin.shell:
- cmd: "oscap xccdf eval --profile {{ openscap_profile }} --results-arf /tmp/openscap-reports/arf-{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version }}.xml --report /tmp/openscap-reports/report-{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version }}.html /opt/openscap-content/{{ openscap_security_policy }}"
+ cmd: "oscap xccdf eval --fetch-remote-resources --profile {{ openscap_profile }} --results-arf /tmp/openscap-reports/arf-{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version }}.xml --report /tmp/openscap-reports/report-{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version }}.html /opt/openscap-content/{{ openscap_security_policy }}"
 become: true
 register: result
 failed_when: result.rc == 1
diff --git a/tasks/ubuntu22-var.yml b/tasks/ubuntu22-var.yml
new file mode 100644
index 0000000..d2c94cb
--- /dev/null
+++ b/tasks/ubuntu22-var.yml
@@ -0,0 +1,3 @@
+---
+openscap_profile: "xccdf_org.ssgproject.content_profile_cis_level2_server"
+openscap_security_policy: "ssg-ubuntu2204-ds.xml"
\ No newline at end of file
diff --git a/tasks/ubuntu22.yml b/tasks/ubuntu22.yml
index 65c0a28..f30bf86 100644
--- a/tasks/ubuntu22.yml
+++ b/tasks/ubuntu22.yml
@@ -37,7 +37,3 @@
 - git
 state: present
 become: true
-- name: Set profile variables
- ansible.builtin.set_fact:
- openscap_profile: "xccdf_org.ssgproject.content_profile_cis_level2_server"
- openscap_security_policy: "ssg-ubuntu2204-ds.xml"
\ No newline at end of file
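Review bot: The `Test folder existence` task gates content installation with a write: `ansible.builtin.lineinfile` with `state: present` inserts the `# Benchmark Version: {{ content_version }}` line into `/opt/openscap-content/ubuntu2204-script-standard.sh` whenever the marker is absent, the script name is hard-coded to Ubuntu although the same hunk now loads `debian11-var.yml`, and the block condition `test_content.changed or 'rc' in test_content` leans on the shape of lineinfile's failure result. A `command`-based `grep` with `changed_when: false` / `failed_when: false` and a condition on its `rc` gives the same gate without modifying the file (rewrite below); the script name should presumably be built from the same `ansible_distribution` facts as the other paths — confirm what the Debian archive ships. Two smaller points in the hunk: in `Build oscap`, `when: version.changed and true` has a no-op `and true`, and routing the comparison through `changed_when` on `Test version` could become `when: version.stdout != oscap_version` on the block; and because the distribution include (which installs `unzip` on the debian11.yml side) now runs only inside that block, a host whose `oscap` already matches `oscap_version` may reach `Unzip ComplianceAsCode project` without the package. On the hardening side, the content zip is still fetched from GitHub with no checksum and `make install` runs with `become: true` on a `/tmp/openscap` checkout created without it; a `get_url` step with `checksum:` feeding a local `unarchive`, and a root-owned build location, would remove both trust gaps. Finally, `--fetch-remote-resources` makes every scan pull remote content referenced by the datastream at run time, which is worth a comment above the `Scan` task, e.g. `# downloads remote content referenced by the datastream; needs outbound HTTPS from the scanned host`.
```yaml
- name: Test folder existence
  ansible.builtin.command:
    cmd: 'grep -qF "# Benchmark Version: {{ content_version }}" /opt/openscap-content/ubuntu2204-script-standard.sh'
  register: test_content
  changed_when: false
  failed_when: false
  become: true
- name: Install Content Block
  when: install_content and test_content.rc != 0
  block:
    # … unchanged: Unzip ComplianceAsCode project …
```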