intent of role?

[kidbrax]

Is this role intended to make this spec(https://github.com/dev-sec/linux-baseline) pass? Just curious, since that repo links to this role but currently it does not pass that spec.

[rndmh3ro]

The intention is to harden your server but it is done according to the inspec-baseline you linked.
I will update the readme accordingly to clarify this!

[kidbrax]

So it currently doesn't pass that spec. Is that just because it hasn't been completed yet?

[rndmh3ro]

Where do you see its not passing? Looks good to me: https://travis-ci.org/dev-sec/ansible-os-hardening

[kidbrax]

Hmm, I'm getting a different result. I'm also showing more tests:

Profile Summary: 33 successful, 17 failures, 0 skipped
Test Summary: 77 successful, 35 failures, 0 skipped

I installed the role using:
ansible-galaxy install dev-sec.os-hardening

Then ran it against my server, then ran the inspec test and got the results above. Is that the correct process?

[kidbrax]

I just noticed you are passing the --controls switch. When I mimic that, it does pass. Can you provide some clarification on why you don't run all controls?

[rndmh3ro]

Sorry, I forgot to mention that there are missing sysctl-settings in the role. They are currently being added here: #120

The reason there are less (and no failing) tests in travis is, that there the sysctl-tests are missing there. That's because the travis tests run in docker, where you cannot easily set sysctl-parameter.

[kidbrax]

Gotcha, so the idea is that eventually all specs will pass if run against a regular (non-docker) host?

[rndmh3ro]

Yes, when the PR is merged, then all tests should pass!

[kidbrax]

Great, thanks for the info!