Merge pull request #546 from dev-sec/linting
Linting
schurzi authored Jul 8, 2022
2 parents 3528fe9 + 21df60a commit dd919b5
Showing 22 changed files with 55 additions and 54 deletions.
9 changes: 9 additions & 0 deletions .ansible-lint → .config/ansible-lint.yml
Expand Up @@ -6,3 +6,12 @@
exclude_paths:
- .cache/ # implicit unless exclude_paths is defined in config
- .yamllint
- ../molecule/
- ../.github/

skip_list:
- fqcn-builtins

mock_roles:
- geerlingguy.git
- nginxinc.nginx
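Review bot: The relocated config mixes two relative bases in `exclude_paths`: `../molecule/` and `../.github/` are written relative to `.config/`, while `.cache/` and `.yamllint` are still written as if the file sat at the repository root, where this commit keeps `.yamllint`. If ansible-lint resolves these entries relative to the config file, as the `../` entries assume, the latter two resolve to `.config/.cache/` and `.config/.yamllint` and no longer match anything; `- ../.cache/` and `- ../.yamllint` would restore them. Excluding `../molecule/` also takes the prepare and verify playbooks touched in this same commit out of lint coverage, which may be intended but is worth a comment. Separately, `skip_list: - fqcn-builtins` switches off the rule the commit is only partially following — `community.general.zypper` and `ansible.builtin.yum_repository` are qualified while `yum`, `dnf`, `apt`, `systemd` and `command` stay short — so a comment above `skip_list` saying the FQCN migration is deliberately incremental would record that the inconsistency is known rather than unnoticed.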
7 changes: 0 additions & 7 deletions .yamllint
Expand Up @@ -15,19 +15,12 @@ rules:
commas:
max-spaces-after: -1
level: error
# comments: disable
# comments-indentation: disable
# document-start: disable
empty-lines:
max: 3
level: error
hyphens:
level: error
# indentation: disable
key-duplicates: enable
line-length: disable
# new-line-at-end-of-file: disable
new-lines:
type: unix
# trailing-spaces: disable
# truthy: disable
1 change: 1 addition & 0 deletions galaxy.yml
@@ -1,3 +1,4 @@
---
namespace: devsec
name: hardening
version: 7.14.3
2 changes: 1 addition & 1 deletion molecule/mysql_hardening/prepare.yml
Expand Up @@ -16,7 +16,7 @@
when: ansible_os_family == 'Debian'

- name: install required tools on SuSE
zypper:
community.general.zypper:
name: "python-xml"
state: present
when: ansible_facts.os_family == 'Suse'
4 changes: 2 additions & 2 deletions molecule/nginx_hardening/prepare.yml
Expand Up @@ -8,7 +8,7 @@
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- name: install required tools on SuSE
zypper:
community.general.zypper:
name: "python-xml"
state: present
when: ansible_facts.os_family == 'Suse'
Expand All @@ -17,7 +17,7 @@
package:
name: "python3-apt"
update_cache: true
ignore_errors: true
ignore_errors: true # noqa ignore-errors

- name: Set correct distribution Version for Amazon Linux
set_fact:
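Review bot: The `# noqa ignore-errors` on the `python3-apt` install silences the lint finding but leaves the underlying problem: a failed `package` install is swallowed with no record of why, so a broken prepare stage only shows up later as confusing verify failures. The task's `- name:` line and any `when:` guard sit outside the hunk, so it may already be scoped to Debian-family hosts; if it is not, `when: ansible_facts.os_family == 'Debian'` removes the need for `ignore_errors` altogether. If the best-effort behaviour is intentional, `register: apt_tools` together with `failed_when: false` and a one-line comment stating why failure is acceptable is what the rule asks for and keeps the outcome inspectable.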
6 changes: 3 additions & 3 deletions molecule/os_hardening/prepare.yml
Expand Up @@ -35,14 +35,14 @@
when: ansible_facts.distribution == 'Fedora'

- name: install required tools on Arch
pacman:
community.general.pacman:
name:
- awk
state: present
update_cache: true
when: ansible_facts.os_family == 'Archlinux'

- name: install required tools on RHEL
- name: install required tools on RHEL # noqa ignore-errors
yum:
name:
- openssh-clients
Expand All @@ -56,5 +56,5 @@
changed_when: false

- name: include YUM prepare tasks
include: prepare_yum.yml
include_tasks: prepare_tasks/yum.yml
when: ansible_facts.os_family == 'RedHat'
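Review bot: The `# noqa ignore-errors` marker is placed on the `- name: install required tools on RHEL` line here, but on the `ignore_errors: true` line itself in molecule/nginx_hardening/prepare.yml; the ssh_hardening prepare files and selinux.yml use the name-line form. Both placements appear to be accepted by ansible-lint, but one convention per repository makes suppressions greppable and makes it obvious which line each marker refers to. Within the same hunk `community.general.pacman:` is fully qualified while the neighbouring `yum:` is not, which is exactly the inconsistency the `fqcn-builtins` skip in the new lint config now hides.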
@@ -1,14 +1,14 @@
---
- name: create 'foo' repository
yum_repository:
ansible.builtin.yum_repository:
name: foo
description: mandatory description
baseurl: file:///mandatory-url
enabled: false
gpgcheck: false

- name: create 'bar' repository
yum_repository:
ansible.builtin.yum_repository:
name: bar
description: mandatory description
baseurl: file:///mandatory-url
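Review bot: The two repository fixtures (`foo` and `bar`) are created with `gpgcheck: false` and `enabled: false`, and nothing in the file says why, so at first glance a hardening collection ships a task that defines unverified repositories. A short header comment below `---`, for example `# Test fixtures: deliberately weak repo definitions for the molecule scenario, never for real hosts`, would make the intent explicit — presumably these exist so the os_hardening role's yum repository handling has something to act on, which the verify tasks would confirm. This section appears to be the renamed prepare_tasks/yum.yml that the prepare playbook now includes; its file header did not survive the render.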
6 changes: 3 additions & 3 deletions molecule/os_hardening/verify.yml
Expand Up @@ -38,11 +38,11 @@
when: ansible_facts.os_family == 'Debian'

- name: include PAM tests
include: verify_pam.yml
include_tasks: verify_tasks/pam.yml
when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'

- name: include YUM tests
include: verify_yum.yml
include_tasks: verify_tasks/yum.yml
when: ansible_facts.os_family == 'RedHat'

- name: download cinc-auditor
Expand All @@ -54,7 +54,7 @@
- name: install cinc-auditor
shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"

- name: Execute cinc-auditor tests
- name: Execute cinc-auditor tests # noqa ignore-errors
command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit --waiver-file waivers.yaml https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip"
register: test_results
changed_when: false
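Review bot: The `cinc-auditor exec` command on the `Execute cinc-auditor tests` task still passes `--waiver-file waivers.yaml`, yet this same commit deletes molecule/os_hardening/waivers.yaml; if that was the file copied to the instance, the run now names a missing waiver file and the new `# noqa ignore-errors` means the resulting failure is swallowed rather than surfaced. Either drop the `--waiver-file waivers.yaml` argument or keep the file, and document where the waiver file is expected to come from. The same command fetches the baseline from `refs/heads/master`, so verify results move with upstream commits; pinning to a release tag or commit archive makes runs reproducible and makes a sudden failure attributable. The `install cinc-auditor` step runs `/tmp/install.sh` through `shell:` with a static string that `command:` handles equally; the download task above the hunk is not visible, so an integrity check on the installer may already exist there.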
File renamed without changes.
File renamed without changes.
3 changes: 0 additions & 3 deletions molecule/os_hardening/waivers.yaml

This file was deleted.

8 changes: 4 additions & 4 deletions molecule/ssh_hardening/prepare.yml
Expand Up @@ -12,7 +12,7 @@
ansible_python_interpreter: /usr/bin/python3
when: ansible_facts.distribution == 'Fedora'

- name: install packages
- name: install packages # noqa ignore-errors
yum:
name:
- openssh-clients
Expand All @@ -22,7 +22,7 @@
update_cache: true
ignore_errors: true

- name: install packages
- name: install packages # noqa ignore-errors
dnf:
name:
- openssh-clients
Expand All @@ -32,7 +32,7 @@
update_cache: true
ignore_errors: true

- name: install packages
- name: install packages # noqa ignore-errors
apt:
name:
- openssh-client
Expand Down Expand Up @@ -66,7 +66,7 @@
path: "/var/run/sshd"
state: directory

- name: create ssh host keys
- name: create ssh host keys # noqa ignore-errors
command: "ssh-keygen -A"
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
ansible_facts.distribution == "Fedora" or
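Review bot: The guard on the `create ssh host keys` task compares `ansible_facts.distribution_major_version < '7'` as two strings, so the test is lexicographic: a major version of `'10'` sorts below `'7'` and would wrongly satisfy the pre-7 branch, the opposite of what is intended. `ansible_facts.distribution_major_version is version('7', '<')` (or `| int < 7`) compares numerically; the `when:` expression continues past the end of the hunk, so its remaining operands are not visible here. The identical condition appears in molecule/ssh_hardening_custom_tests/prepare.yml and needs the same change. Separately, the three tasks all named `install packages` (yum, dnf, apt) produce indistinguishable log lines; a suffix such as `install packages (dnf)` costs nothing and makes failures easy to place.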
8 changes: 4 additions & 4 deletions molecule/ssh_hardening_custom_tests/prepare.yml
Expand Up @@ -12,7 +12,7 @@
ansible_python_interpreter: /usr/bin/python3
when: ansible_facts.distribution == 'Fedora'

- name: install packages
- name: install packages # noqa ignore-errors
yum:
name:
- openssh-clients
Expand All @@ -22,7 +22,7 @@
update_cache: true
ignore_errors: true

- name: install packages
- name: install packages # noqa ignore-errors
dnf:
name:
- openssh-clients
Expand All @@ -32,7 +32,7 @@
update_cache: true
ignore_errors: true

- name: install packages
- name: install packages # noqa ignore-errors
apt:
name:
- openssh-client
Expand Down Expand Up @@ -66,7 +66,7 @@
path: "/var/run/sshd"
state: directory

- name: create ssh host keys
- name: create ssh host keys # noqa ignore-errors
command: "ssh-keygen -A"
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
ansible_facts.distribution == "Fedora" or
6 changes: 3 additions & 3 deletions roles/mysql_hardening/defaults/main.yml
Expand Up @@ -7,11 +7,11 @@ mysql_daemon_enabled: true
mysql_hardening_restart_mysql: true

# general configuration
mysql_hardening_mysql_hardening_conf_file: '{{mysql_hardening_mysql_confd_dir}}/hardening.cnf'
mysql_hardening_mysql_hardening_conf_file: '{{ mysql_hardening_mysql_confd_dir }}/hardening.cnf'
# You have to change this to your own strong enough mysql root password
mysql_root_password: '-----====>SetR00tPa$$wordH3r3!!!<====-----'
# There .my.cnf with mysql root credentials will be installed
mysql_user_home: "{{ ansible_env.HOME}}"
mysql_user_home: "{{ ansible_env.HOME }}"

# ensure the following parameters are set properly
mysql_remove_remote_root: true
Expand Down Expand Up @@ -50,4 +50,4 @@ mysql_hardening_options:
# @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-secure-file-priv
secure-file-priv: '/tmp'
# @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_user
user: '{{mysql_hardening_user}}'
user: '{{ mysql_hardening_user }}'
4 changes: 2 additions & 2 deletions roles/mysql_hardening/tasks/configure.yml
Expand Up @@ -18,7 +18,7 @@
when: item is defined and item != ""
loop:
- '{{ mysql_settings.settings.datadir }}'
- '{{ mysql_datadir|default("") }}'
- '{{ mysql_datadir | default("") }}'

- name: Ensure permissions on mysql-logfile are correct
file:
Expand All @@ -30,7 +30,7 @@
when: item is defined and item != ""
loop:
- '{{ mysql_settings.settings.log_error }}'
- '{{ mysql_hardening_log_file|default("") }}'
- '{{ mysql_hardening_log_file | default("") }}'

- name: Check mysql configuration-directory exists and has right permissions
file:
2 changes: 1 addition & 1 deletion roles/mysql_hardening/tasks/main.yml
Expand Up @@ -54,7 +54,7 @@
# dict2items and vice versa magic
- name: Drop the secure-auth parameter on MySQL >=8.0.3 (not mariadb)
set_fact:
mysql_hardening_options: "{{ mysql_hardening_options| dict2items | rejectattr('key', 'search', 'secure-auth') | list | items2dict }}"
mysql_hardening_options: "{{ mysql_hardening_options | dict2items | rejectattr('key', 'search', 'secure-auth') | list | items2dict }}"
when:
- mysql_version.version.full is version('8.0.3', '>=')
- mysql_distribution == "mysql"
2 changes: 1 addition & 1 deletion roles/os_hardening/handlers/main.yml
Expand Up @@ -10,4 +10,4 @@

- name: Reload systemd
systemd:
daemon_reload: yes
daemon_reload: true
4 changes: 2 additions & 2 deletions roles/os_hardening/tasks/ctrlaltdel.yml
Expand Up @@ -2,6 +2,6 @@
- name: Disable CTRL-ALT-DEL
systemd:
name: ctrl-alt-del.target
masked: yes
daemon_reload: yes
masked: true
daemon_reload: true
when: ansible_service_mgr == "systemd"
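Review bot: The `when: ansible_service_mgr == "systemd"` guard reads the injected top-level fact variable, whereas the prepare playbooks in this same commit use the `ansible_facts.*` namespace (`ansible_facts.os_family`); with `inject_facts_as_vars = false` the bare name is undefined and the task errors out instead of being skipped. `when: ansible_facts.service_mgr == "systemd"` works under both settings and matches the rest of the commit. The same guard appears in roles/os_hardening/tasks/limits.yml on the `Remove coredump.conf.d directory with files` task and should change with it.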
20 changes: 10 additions & 10 deletions roles/os_hardening/tasks/limits.yml
Expand Up @@ -51,15 +51,15 @@

- name: enable coredumps
block:
- name: Remove coredump.conf.d directory with files
file:
path: /etc/systemd/coredump.conf.d
state: absent
when: ansible_service_mgr == "systemd"
notify: Reload systemd
- name: Remove coredump.conf.d directory with files
file:
path: /etc/systemd/coredump.conf.d
state: absent
when: ansible_service_mgr == "systemd"
notify: Reload systemd

- name: Remove 10.hardcore.conf config file
file:
path: /etc/security/limits.d/10.hardcore.conf
state: absent
- name: Remove 10.hardcore.conf config file
file:
path: /etc/security/limits.d/10.hardcore.conf
state: absent
when: os_security_kernel_enable_core_dump | bool
2 changes: 1 addition & 1 deletion roles/os_hardening/tasks/minimize_access.yml
Expand Up @@ -94,7 +94,7 @@
opts: '{{ os_mnt_boot_options }}'
state: present
register: bootmount
when:
when:
- os_mnt_boot_enabled | bool
- boot_exists | bool

2 changes: 1 addition & 1 deletion roles/ssh_hardening/tasks/ca_keys_and_principals.yml
Expand Up @@ -22,6 +22,6 @@
src: 'authorized_principals.j2'
dest: '{{ item.path }}'
mode: '{{ item.filemode | default("600") }}'
owner: '{{ item.owner| default(ssh_owner) }}'
owner: '{{ item.owner | default(ssh_owner) }}'
group: '{{ item.group | default(ssh_group) }}'
loop: '{{ ssh_authorized_principals }}'
9 changes: 5 additions & 4 deletions roles/ssh_hardening/tasks/selinux.yml
Expand Up @@ -24,7 +24,8 @@
# The following tasks only get executed when selinux is in state enforcing,
# UsePam is 'no' and the ssh_password module is not installed. See this issue for
# more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23
- when:
- name: run selinux tasks
when:
- not (ssh_use_pam | bool)
- ('ssh_password' not in ssh_password_module.stdout)
block:
Expand All @@ -44,13 +45,13 @@
group: 'root'
mode: '0600'

- name: Check and compile policy
- name: Check and compile policy # noqa no-changed-when
command: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password

- name: Create selinux policy module package
- name: Create selinux policy module package # noqa no-changed-when
command: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp -m {{ ssh_custom_selinux_dir }}/ssh_password.mod

- name: Install selinux policy
- name: Install selinux policy # noqa no-changed-when
command: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp


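Review bot: The three `# noqa no-changed-when` markers (`Check and compile policy`, `Create selinux policy module package`, `Install selinux policy`) hide the finding without addressing it: a `command:` task with no `changed_when` reports `changed` on every run, so the block is never idempotent and the play's change summary is meaningless even when the policy module is already in place. For the two compile steps `args: creates: "{{ ssh_custom_selinux_dir }}/ssh_password.mod"` (and `.pp` respectively) both reports honestly and skips the rebuild; for `semodule -i`, `changed_when: true` at least states the intent explicitly instead of suppressing the rule, and a registered `semodule -l` check could gate it later. Separately, the `{{ ssh_custom_selinux_dir }}` expansions in the free-form `command:` strings are unquoted, so a value containing whitespace is split into several arguments; quoting each path, e.g. `command: semodule -i "{{ ssh_custom_selinux_dir }}/ssh_password.pp"`, avoids that. The enclosing block starts before this hunk.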
