fix: sudo for validate

Author: samrose

ansible/files/cis_baseline_check.sh

@@ -2,7 +2,9 @@
 # Baseline Validation Check
 #
 # This script validates that the machine matches the committed baseline
-# specifications using supascan (pre-installed via nix profile).
+# specifications using supascan (pre-installed via nix profile for ubuntu user).
+#
+# Must be run as ubuntu user with sudo access (supascan calls sudo goss internally).
 #
 # Usage: cis_baseline_check.sh [baselines-dir]
 
@@ -23,17 +25,16 @@ if [[ ! -d $BASELINES_DIR ]]; then
   exit 1
 fi
 
-# Source nix environment
-if [[ -f /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh ]]; then
-  # shellcheck source=/dev/null
-  . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
-fi
+# Source nix environment (for ubuntu user's profile)
+# shellcheck source=/dev/null
+. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
 
 # Verify supascan is available
 if ! command -v supascan &>/dev/null; then
-  echo "ERROR: supascan not found. It should be pre-installed via nix profile."
+  echo "ERROR: supascan not found in PATH"
+  echo "PATH: $PATH"
   exit 1
 fi
 
-# Run supascan validate
+# Run supascan validate (it calls sudo goss internally for privileged checks)
 exec supascan validate --verbose "$BASELINES_DIR"

ansible/playbook.yml

@@ -222,6 +222,7 @@
 
     - name: Run CIS baseline validation
       become: yes
+      become_user: ubuntu
       shell: |
         /bin/bash /tmp/ansible-playbook/ansible/files/cis_baseline_check.sh /tmp/ansible-playbook/audit-specs/baselines
       when: stage2_nix