---
- name: wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing
  hosts: localhost
  roles:
    - ansible-os-hardening
  pre_tasks:
    - name: Run the equivalent of "apt-get update" as a separate step
      apt:
        update_cache: yes
      when: ansible_os_family == 'Debian'
    - name: Install firefox to get Xorg
      package:
        name: firefox
        state: present
  vars:
    os_security_users_allow: change_user
    os_security_kernel_enable_core_dump: false
    os_security_suid_sgid_remove_from_unknown: true
    os_auth_pam_passwdqc_enable: false
    os_desktop_enable: true
    os_env_extra_user_paths: ['/home']
    os_auth_allow_homeless: true
    os_security_suid_sgid_blacklist: ['/bin/umount']
    os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
    os_filesystem_whitelist: ['vfat']
    sysctl_config:
      net.ipv4.ip_forward: 0
      net.ipv6.conf.all.forwarding: 0
      net.ipv6.conf.all.accept_ra: 0
      net.ipv6.conf.default.accept_ra: 0
      net.ipv4.conf.all.rp_filter: 1
      net.ipv4.conf.default.rp_filter: 1
      net.ipv4.icmp_echo_ignore_broadcasts: 1
      net.ipv4.icmp_ignore_bogus_error_responses: 1
      net.ipv4.icmp_ratelimit: 100
      net.ipv4.icmp_ratemask: 88089
      net.ipv6.conf.all.disable_ipv6: 1
      net.ipv4.conf.all.arp_ignore: 1
      net.ipv4.conf.all.arp_announce: 2
      net.ipv4.conf.all.shared_media: 1
      net.ipv4.conf.default.shared_media: 1
      net.ipv4.conf.all.accept_source_route: 0
      net.ipv4.conf.default.accept_source_route: 0
      net.ipv4.conf.default.accept_redirects: 0
      net.ipv4.conf.all.accept_redirects: 0
      net.ipv4.conf.all.secure_redirects: 0
      net.ipv4.conf.default.secure_redirects: 0
      net.ipv6.conf.default.accept_redirects: 0
      net.ipv6.conf.all.accept_redirects: 0
      net.ipv4.conf.all.send_redirects: 0
      net.ipv4.conf.default.send_redirects: 0
      net.ipv4.conf.all.log_martians: 1
      net.ipv6.conf.default.router_solicitations: 0
      net.ipv6.conf.default.accept_ra_rtr_pref: 0
      net.ipv6.conf.default.accept_ra_pinfo: 0
      net.ipv6.conf.default.accept_ra_defrtr: 0
      net.ipv6.conf.default.autoconf: 0
      net.ipv6.conf.default.dad_transmits: 0
      net.ipv6.conf.default.max_addresses: 1
      kernel.sysrq: 0
      fs.suid_dumpable: 0
      kernel.randomize_va_space: 2


- name: wrapper playbook for kitchen testing "ansible-os-hardening"
  hosts: localhost
  pre_tasks:
    - name: Run the equivalent of "apt-get update" as a separate step
      apt:
        update_cache: yes
      when: ansible_os_family == 'Debian'
  roles:
    - ansible-os-hardening