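---
# Compliance checks: run OpenSCAP and Lynis where they are installed, then mail
# the exit codes and the result files that exist to the Linux admins.
# Expects log_dir and linux_admins_mail to be defined by the caller and facts
# (ansible_fqdn, ansible_date_time) to have been gathered.
# NOTE(review): log_dir is presumably an absolute path; with the quoting below
# a leading "~" or "$VAR" in it is no longer expanded by a shell.

# Shell is required only for the $(lsb_release ...) substitution. The templated
# results path goes through `quote` so whitespace or shell metacharacters in
# log_dir / inventory_hostname cannot change the command line.
# NOTE(review): SSG data streams are often shipped with a release suffix in the
# file name (ssg-<distro><version>-ds.xml) - confirm this path exists on targets.
# ignore_errors keeps the play running when oscap is missing; oscap also exits
# non-zero (2) when rules fail, so the rc in the report is what distinguishes
# "scan ran with findings" from "scan did not run".
- name: "Compliance-Check: Führe OpenSCAP-Scan durch (sofern installiert)"
  ansible.builtin.shell: >-
    oscap xccdf eval
    --profile xccdf_org.ssgproject.content_profile_standard
    --results {{ (log_dir ~ '/oscap_result_' ~ inventory_hostname ~ '.xml') | quote }}
    /usr/share/xml/scap/ssg/content/ssg-$(lsb_release -si | tr '[:upper:]' '[:lower:]')-ds.xml
  register: oscap_result
  ignore_errors: true
  changed_when: false

# No shell feature is used by this command, so it runs through the command
# module with an argv list: every argument is passed as-is and templated values
# are never interpreted by a shell.
- name: "Compliance-Check: Führe Lynis-Scan durch (sofern installiert)"
  ansible.builtin.command:
    argv:
      - lynis
      - audit
      - system
      - "--quiet"
      - "--logfile"
      - "{{ log_dir }}/lynis_{{ inventory_hostname }}.log"
  register: lynis_result
  ignore_errors: true
  changed_when: false

# A scanner that is not installed leaves no result file. Attaching a missing
# file makes the mail task fail, and with ignore_errors that failure would
# silently drop the whole report. Check which files exist first.
# NOTE(review): a file left over from an earlier run is still picked up here;
# compare its timestamp with the report time if that matters.
- name: "Compliance-Check: Ermittle vorhandene Report-Dateien"
  ansible.builtin.stat:
    path: "{{ item }}"
  loop:
    - "{{ log_dir }}/oscap_result_{{ inventory_hostname }}.xml"
    - "{{ log_dir }}/lynis_{{ inventory_hostname }}.log"
  register: compliance_report_files
  ignore_errors: true

# The attachments list a host's failed hardening rules and audit findings;
# treat the mail and the files under log_dir as sensitive.
# NOTE(review): the message is handed to the local relay on port 25; how it is
# protected beyond localhost depends on that relay - confirm.
- name: Sende Compliance-Report an Linux-Admins
  community.general.mail:
    host: "localhost"
    port: 25
    to: "{{ linux_admins_mail }}"
    subject: "[COMPLIANCE] Report für {{ inventory_hostname }} am {{ ansible_date_time.iso8601 }}"
    body: |
      Compliance-Report für {{ inventory_hostname }} (FQDN: {{ ansible_fqdn }})
      Zeit: {{ ansible_date_time.iso8601 }}
      OpenSCAP-Exit: {{ oscap_result.rc | default('N/A') }}
      Lynis-Exit: {{ lynis_result.rc | default('N/A') }}
      Siehe Anhang für Details.
    # Only files that the stat task found; an empty list sends the mail
    # without attachments instead of failing.
    attach: >-
      {{ compliance_report_files.results | default([])
      | selectattr('stat', 'defined')
      | selectattr('stat.exists')
      | map(attribute='item')
      | list }}
  ignore_errors: true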