update verify tasks

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
dev-sec · Nov 11, 2023 · cacf228 · cacf228
1 parent fb35f3d
commit cacf228
Showing 1 changed file with 20 additions and 36 deletions.
diff --git a/molecule/mysql_hardening/verify.yml b/molecule/mysql_hardening/verify.yml
@@ -6,26 +6,12 @@
     http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
-  roles:
-    - geerlingguy.git
   tasks:
-    - name: install fake SuSE-release for cinc compatibility
-      copy:
-        content: |
-          openSUSE Faked Enterprise 2020 (x86_64)
-          VERSION = 2020
-          CODENAME = Faked Feature
-        dest: /etc/SuSE-release
-        owner: root
-        group: root
-        mode: '0444'
-      when: ansible_facts.os_family == 'Suse'
-
-    - name: install git for SuSE since geerlinguy.git does not support it
-      zypper:
-        name: git
-        state: present
-      when: ansible_facts.os_family == 'Suse'
+    - name: Use Python 3 on Suse
+      set_fact:
+        ansible_python_interpreter: /usr/bin/python3
+      when:
+        - ansible_os_family == 'Suse'
 
     - name: install procps for debian systems
       apt:
@@ -34,29 +20,27 @@
         update_cache: true
       when: ansible_distribution == 'Debian'
 
-    - name: Use Python 3 on Suse
-      set_fact:
-        ansible_python_interpreter: /usr/bin/python3
-      when:
-        - ansible_os_family == 'Suse'
-
     - name: include tests for the service
       include_tasks: verify_tasks/service.yml
 
     - name: include tests for MySQL user
       include_tasks: verify_tasks/mysql_users.yml
 
-    - name: download cinc-auditor
-      get_url:
-        url: https://omnitruck.cinc.sh/install.sh
-        dest: /tmp/install.sh
-        mode: '0775'
-
-    - name: install cinc-auditor
-      shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"
-
+- name: Verify
+  hosts: localhost
+  environment:
+    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
+    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+  tasks:
     - name: Execute cinc-auditor tests
-      command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/mysql-baseline/archive/refs/heads/roles.zip"
+      command: >
+        docker run
+        --volume /run/docker.sock:/run/docker.sock
+        docker.io/cincproject/auditor exec
+        -t docker://instance
+        --no-show-progress --no-color
+        --no-distinct-exit https://github.com/dev-sec/mysql-baseline/archive/refs/heads/roles.zip
       register: test_results
       changed_when: false
       ignore_errors: true
@@ -68,4 +52,4 @@
     - name: Fail when tests fail
       fail:
         msg: "Inspec failed to validate"
-      when: test_results.rc != 0
+      when: test_results.rc != 0