From 001900ac3500feb383bed012126ffc6ee0f5e124 Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Mon, 10 Apr 2023 23:42:27 +0200
Subject: [PATCH 1/4] require ansible.builtin.user to be at least 2.11 since options are needed
Signed-off-by: Martin Schurz
---
 roles/os_hardening/meta/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/os_hardening/meta/main.yml b/roles/os_hardening/meta/main.yml
index 308450c8..22e0ccbb 100644
--- a/roles/os_hardening/meta/main.yml
+++ b/roles/os_hardening/meta/main.yml
@@ -4,7 +4,7 @@ galaxy_info:
 description: This Ansible role provides numerous security-related ssh configurations, providing all-round base protection.
 company: Hardening Framework Team
 license: Apache License 2.0
- min_ansible_version: 2.9.10
+ min_ansible_version: 2.11
 platforms:
 - name: EL
 versions:
From ea922f6dcad6eed01ad85979777418c0fc0299cb Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Mon, 10 Apr 2023 23:49:52 +0200
Subject: [PATCH 2/4] fix lint error
Signed-off-by: Martin Schurz
---
 roles/os_hardening/meta/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/os_hardening/meta/main.yml b/roles/os_hardening/meta/main.yml
index 22e0ccbb..299f2928 100644
--- a/roles/os_hardening/meta/main.yml
+++ b/roles/os_hardening/meta/main.yml
@@ -4,7 +4,7 @@ galaxy_info:
 description: This Ansible role provides numerous security-related ssh configurations, providing all-round base protection.
 company: Hardening Framework Team
 license: Apache License 2.0
- min_ansible_version: 2.11
+ min_ansible_version: "2.11"
 platforms:
 - name: EL
 versions:
From bc9795c215c9e960c54c943b698e122391d93469 Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Tue, 11 Apr 2023 07:37:07 +0200
Subject: [PATCH 3/4] add noqa for linter
Signed-off-by: Martin Schurz --- roles/os_hardening/handlers/main.yml | 4 ++-- roles/os_hardening/tasks/limits.yml | 4 ++-- roles/os_hardening/tasks/user_accounts.yml | 4 ++-- roles/ssh_hardening/tasks/hardening.yml | 2 +- roles/ssh_hardening/tasks/selinux.yml | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/roles/os_hardening/handlers/main.yml b/roles/os_hardening/handlers/main.yml index 4b11d022..bcc2e3fd 100644 --- a/roles/os_hardening/handlers/main.yml +++ b/roles/os_hardening/handlers/main.yml @@ -1,8 +1,8 @@ --- -- name: Update-initramfs +- name: Update-initramfs # noqa no-changed-when ansible.builtin.command: update-initramfs -u -- name: Restart auditd # noqa command-instead-of-module +- name: Restart auditd # noqa command-instead-of-module no-changed-when ansible.builtin.command: cmd: service auditd restart # rhel: see: https://access.redhat.com/solutions/2664811 when: molecule_yml.driver.name | default() != "docker" # restarting auditd in a container does not work diff --git a/roles/os_hardening/tasks/limits.yml b/roles/os_hardening/tasks/limits.yml index f5d25640..b6916b4b 100644 --- a/roles/os_hardening/tasks/limits.yml +++ b/roles/os_hardening/tasks/limits.yml @@ -35,7 +35,7 @@ path: /etc/systemd/coredump.conf.d owner: root group: root - mode: 0755 + mode: "0755" state: directory when: ansible_service_mgr == "systemd" @@ -45,7 +45,7 @@ dest: /etc/systemd/coredump.conf.d/custom.conf owner: root group: root - mode: 0644 + mode: "0644" when: ansible_service_mgr == "systemd" notify: Reload systemd diff --git a/roles/os_hardening/tasks/user_accounts.yml b/roles/os_hardening/tasks/user_accounts.yml index 74d16ac7..3a45a1b5 100644 --- a/roles/os_hardening/tasks/user_accounts.yml +++ b/roles/os_hardening/tasks/user_accounts.yml @@ -53,7 +53,7 @@ - name: Set ownership of root user home directory(s) to 0700 ansible.builtin.file: - mode: 0700 + mode: "0700" owner: "{{ item }}" path: "{{ getent_passwd[item][4] }}" state: directory 
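Review bot: The `# noqa no-changed-when` added to the `Update-initramfs` and `Restart auditd` handlers in roles/os_hardening/handlers/main.yml silences the rule instead of stating the change semantics it asks for; a handler only runs when a task notified it, so it always modifies the host, and `changed_when: true` under each `ansible.builtin.command:` records that explicitly while keeping the rule active for future edits (the existing `command-instead-of-module` suppression on `Restart auditd` stays). The same suppression is added to `Remove selinux-policy …` in roles/ssh_hardening/tasks/selinux.yml, where the comment above the task says it runs only when the module is installed, so `changed_when: true` would be the accurate declaration there too if the rest of its `when` list (outside the hunk) enforces that. `Remove all small primes` in roles/ssh_hardening/tasks/hardening.yml needs a different treatment and is covered separately.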
@@ -100,7 +100,7 @@ - name: Limit access to home directories of regular (non-system, non-root) accounts ansible.builtin.file: - mode: 0700 + mode: "0700" owner: "{{ item }}" path: "{{ getent_passwd[item][4] }}" state: directory diff --git a/roles/ssh_hardening/tasks/hardening.yml b/roles/ssh_hardening/tasks/hardening.yml index 8c7d32c4..8708964e 100644 --- a/roles/ssh_hardening/tasks/hardening.yml +++ b/roles/ssh_hardening/tasks/hardening.yml @@ -100,7 +100,7 @@ check_mode: false when: ssh_server_hardening | bool -- name: Remove all small primes +- name: Remove all small primes # noqa no-changed-when ansible.builtin.shell: > awk '$5 >= {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }} > {{ sshd_moduli_file }}.new ; [ -r {{ sshd_moduli_file }}.new -a -s {{ sshd_moduli_file }}.new ] && mv {{ sshd_moduli_file }}.new {{ sshd_moduli_file }} || true diff --git a/roles/ssh_hardening/tasks/selinux.yml b/roles/ssh_hardening/tasks/selinux.yml index c7a35535..9d3adc66 100644 --- a/roles/ssh_hardening/tasks/selinux.yml +++ b/roles/ssh_hardening/tasks/selinux.yml @@ -57,7 +57,7 @@ # The following tasks only get executed when selinux is installed, UsePam is # 'yes' and the ssh_password module is installed. See # http://danwalsh.livejournal.com/12333.html for more info -- name: Remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk +- name: Remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk # noqa no-changed-when ansible.builtin.command: semodule -r ssh_password when: - ssh_use_pam | bool From a5a065f880ab742c4089162757d3c95171d0d900 Mon Sep 17 00:00:00 2001 From: Martin Schurz Date: Tue, 11 Apr 2023 07:49:38 +0200 Subject: [PATCH 4/4] shorten text Signed-off-by: Martin Schurz --- roles/ssh_hardening/tasks/selinux.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
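Review bot: Suppressing no-changed-when on `Remove all small primes` in roles/ssh_hardening/tasks/hardening.yml hides that the task reports changed on every run: the pipeline unconditionally replaces `{{ sshd_moduli_file }}` with the `.new` file whenever that file is non-empty, and the trailing `|| true` also turns a failed `mv` into success, so a run that left the moduli untouched, one that rewrote them and one that failed to rewrite them all look the same in the play recap. Registering the result and deriving `changed_when` from whether the filtered file actually differs gives an honest changed status and surfaces a failed replacement; the empty-result case keeps the original's silent skip. `cmp` comes from diffutils, so confirm it is present on all target images (a `stat` checksum before and after is an alternative). The task's remaining keys, if any, lie outside the hunk and are untouched.
```yaml
- name: Remove all small primes
  ansible.builtin.shell: >
    awk '$5 >= {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }} > {{ sshd_moduli_file }}.new ;
    if [ -r {{ sshd_moduli_file }}.new ] && [ -s {{ sshd_moduli_file }}.new ] && ! cmp -s {{ sshd_moduli_file }}.new {{ sshd_moduli_file }} ;
    then mv {{ sshd_moduli_file }}.new {{ sshd_moduli_file }} && echo MODULI_REWRITTEN ;
    else rm -f {{ sshd_moduli_file }}.new ; fi
  register: sshd_moduli_filter
  changed_when: "'MODULI_REWRITTEN' in sshd_moduli_filter.stdout"
  # … unchanged: any further task keys outside the hunk …
```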
diff --git a/roles/ssh_hardening/tasks/selinux.yml b/roles/ssh_hardening/tasks/selinux.yml
index 9d3adc66..fd87bb5b 100644
--- a/roles/ssh_hardening/tasks/selinux.yml
+++ b/roles/ssh_hardening/tasks/selinux.yml
@@ -57,7 +57,7 @@
 # The following tasks only get executed when selinux is installed, UsePam is
 # 'yes' and the ssh_password module is installed. See
 # http://danwalsh.livejournal.com/12333.html for more info
-- name: Remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk # noqa no-changed-when
+- name: Remove selinux-policy when PAM is used, because allowing sshd to read the shadow file is considered a security risk # noqa no-changed-when
 ansible.builtin.command: semodule -r ssh_password
 when:
 - ssh_use_pam | bool