diff --git a/.ansible-lint b/.config/ansible-lint.yml similarity index 74% rename from .ansible-lint rename to .config/ansible-lint.yml index 9cbfc830b..d286c8bc9 100644 --- a/.ansible-lint +++ b/.config/ansible-lint.yml @@ -6,3 +6,12 @@ exclude_paths: - .cache/ # implicit unless exclude_paths is defined in config - .yamllint + - ../molecule/ + - ../.github/ + +skip_list: + - fqcn-builtins + +mock_roles: + - geerlingguy.git + - nginxinc.nginx diff --git a/.yamllint b/.yamllint index 29f823d5e..372338d45 100644 --- a/.yamllint +++ b/.yamllint @@ -15,19 +15,12 @@ rules: commas: max-spaces-after: -1 level: error -# comments: disable -# comments-indentation: disable -# document-start: disable empty-lines: max: 3 level: error hyphens: level: error -# indentation: disable key-duplicates: enable line-length: disable -# new-line-at-end-of-file: disable new-lines: type: unix -# trailing-spaces: disable -# truthy: disable diff --git a/galaxy.yml b/galaxy.yml index 9c0a538db..cf3e00edc 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -1,3 +1,4 @@ +--- namespace: devsec name: hardening version: 7.14.3 diff --git a/molecule/mysql_hardening/prepare.yml b/molecule/mysql_hardening/prepare.yml index 7156321b7..5133c0e92 100644 --- a/molecule/mysql_hardening/prepare.yml +++ b/molecule/mysql_hardening/prepare.yml @@ -16,7 +16,7 @@ when: ansible_os_family == 'Debian' - name: install required tools on SuSE - zypper: + community.general.zypper: name: "python-xml" state: present when: ansible_facts.os_family == 'Suse' diff --git a/molecule/nginx_hardening/prepare.yml b/molecule/nginx_hardening/prepare.yml index 7301d86df..4ab5f51d9 100644 --- a/molecule/nginx_hardening/prepare.yml +++ b/molecule/nginx_hardening/prepare.yml @@ -8,7 +8,7 @@ no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" tasks: - name: install required tools on SuSE - zypper: + community.general.zypper: name: "python-xml" state: present when: ansible_facts.os_family == 'Suse' 
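Review bot: The new `skip_list: - fqcn-builtins` entry disables the rule that would flag the `yum:`, `apt:`, `file:`, `command:`, `systemd:` and `set_fact:` short names this same commit leaves in place, even though it does convert `zypper`, `pacman` and `yum_repository` to full names; moving the rule to `warn_list:` would keep the finding visible without failing the run, and `ansible.builtin.` prefixes are also what stops an installed collection from shadowing a core module during name resolution. The added `- ../molecule/` exclusion appears to take the molecule prepare/verify playbooks out of linting altogether (assuming ansible-lint resolves these entries relative to `.config/`, which the `../` prefix suggests), which would leave the `# noqa ignore-errors` markers this commit adds under `molecule/` with nothing to suppress unless another lint invocation still covers that tree. If both are intended, a one-line comment above the exclusion stating why the scenarios are not linted here would record the decision for the next reader.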
@@ -17,7 +17,7 @@ package: name: "python3-apt" update_cache: true - ignore_errors: true + ignore_errors: true # noqa ignore-errors - name: Set correct distribution Version for Amazon Linux set_fact: diff --git a/molecule/os_hardening/prepare.yml b/molecule/os_hardening/prepare.yml index 7f9e5f40e..2fdcbe9e9 100644 --- a/molecule/os_hardening/prepare.yml +++ b/molecule/os_hardening/prepare.yml @@ -35,14 +35,14 @@ when: ansible_facts.distribution == 'Fedora' - name: install required tools on Arch - pacman: + community.general.pacman: name: - awk state: present update_cache: true when: ansible_facts.os_family == 'Archlinux' - - name: install required tools on RHEL + - name: install required tools on RHEL # noqa ignore-errors yum: name: - openssh-clients @@ -56,5 +56,5 @@ changed_when: false - name: include YUM prepare tasks - include: prepare_yum.yml + include_tasks: prepare_tasks/yum.yml when: ansible_facts.os_family == 'RedHat' diff --git a/molecule/os_hardening/prepare_yum.yml b/molecule/os_hardening/prepare_tasks/yum.yml similarity index 82% rename from molecule/os_hardening/prepare_yum.yml rename to molecule/os_hardening/prepare_tasks/yum.yml index e24601467..4d4bb92d6 100644 --- a/molecule/os_hardening/prepare_yum.yml +++ b/molecule/os_hardening/prepare_tasks/yum.yml @@ -1,6 +1,6 @@ --- - name: create 'foo' repository - yum_repository: + ansible.builtin.yum_repository: name: foo description: mandatory description baseurl: file:///mandatory-url @@ -8,7 +8,7 @@ gpgcheck: false - name: create 'bar' repository - yum_repository: + ansible.builtin.yum_repository: name: bar description: mandatory description baseurl: file:///mandatory-url diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml index 799bded38..fa866b3f5 100644 --- a/molecule/os_hardening/verify.yml +++ b/molecule/os_hardening/verify.yml 
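Review bot: The `# noqa ignore-errors` marker is placed on the `ignore_errors: true` line here, whereas every other suppression in this commit (os_hardening/prepare.yml, os_hardening/verify.yml, both ssh_hardening prepare files) sits on the task's `- name:` line; ansible-lint appears to accept either, but one convention across the repository keeps the markers greppable. The marker only hides the finding: `ignore_errors: true` on the `python3-apt` install still masks every failure of that step (unreachable repository, renamed package), and a narrower guard such as `when: ansible_facts.os_family == 'Debian'` or an explicit `failed_when` would keep real failures visible. The task's `- name:` line and any existing `when:` lie outside this hunk.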
@@ -38,11 +38,11 @@ when: ansible_facts.os_family == 'Debian' - name: include PAM tests - include: verify_pam.yml + include_tasks: verify_tasks/pam.yml when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat' - name: include YUM tests - include: verify_yum.yml + include_tasks: verify_tasks/yum.yml when: ansible_facts.os_family == 'RedHat' - name: download cinc-auditor @@ -54,7 +54,7 @@ - name: install cinc-auditor shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4" - - name: Execute cinc-auditor tests + - name: Execute cinc-auditor tests # noqa ignore-errors command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit --waiver-file waivers.yaml https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip" register: test_results changed_when: false diff --git a/molecule/os_hardening/verify_pam.yml b/molecule/os_hardening/verify_tasks/pam.yml similarity index 100% rename from molecule/os_hardening/verify_pam.yml rename to molecule/os_hardening/verify_tasks/pam.yml diff --git a/molecule/os_hardening/verify_yum.yml b/molecule/os_hardening/verify_tasks/yum.yml similarity index 100% rename from molecule/os_hardening/verify_yum.yml rename to molecule/os_hardening/verify_tasks/yum.yml diff --git a/molecule/os_hardening/waivers.yaml b/molecule/os_hardening/waivers.yaml deleted file mode 100644 index 538ff121c..000000000 --- a/molecule/os_hardening/waivers.yaml +++ /dev/null @@ -1,3 +0,0 @@ -os-14: - run: false - justification: "not yet implemented" diff --git a/molecule/ssh_hardening/prepare.yml b/molecule/ssh_hardening/prepare.yml index f91ecaf3d..b321de295 100644 --- a/molecule/ssh_hardening/prepare.yml +++ b/molecule/ssh_hardening/prepare.yml @@ -12,7 +12,7 @@ ansible_python_interpreter: /usr/bin/python3 when: ansible_facts.distribution == 'Fedora' - - name: install packages + - name: install packages # noqa ignore-errors yum: name: - openssh-clients 
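Review bot: The `command:` line kept on the new side still passes `--waiver-file waivers.yaml`, but this same commit deletes `molecule/os_hardening/waivers.yaml` (the `os-14` waiver), so unless the file is now supplied from somewhere outside this diff the auditor will be invoked with a waiver file that no longer exists. The task presumably carries `ignore_errors: true` (the `# noqa ignore-errors` added here suggests so; the attribute itself is outside the hunk), in which case the resulting non-zero exit would be swallowed and `test_results` registered as if the run had been valid; either drop `--waiver-file waivers.yaml` from the command or keep the file. The baseline is also fetched from an unpinned `master` archive, which predates this commit but is worth pinning to a tag or commit so that verify results are reproducible. The task's `register` and `changed_when` lines continue past the hunk.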
@@ -22,7 +22,7 @@ update_cache: true ignore_errors: true - - name: install packages + - name: install packages # noqa ignore-errors dnf: name: - openssh-clients @@ -32,7 +32,7 @@ update_cache: true ignore_errors: true - - name: install packages + - name: install packages # noqa ignore-errors apt: name: - openssh-client @@ -66,7 +66,7 @@ path: "/var/run/sshd" state: directory - - name: create ssh host keys + - name: create ssh host keys # noqa ignore-errors command: "ssh-keygen -A" when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or ansible_facts.distribution == "Fedora" or diff --git a/molecule/ssh_hardening_custom_tests/prepare.yml b/molecule/ssh_hardening_custom_tests/prepare.yml index f91ecaf3d..b321de295 100644 --- a/molecule/ssh_hardening_custom_tests/prepare.yml +++ b/molecule/ssh_hardening_custom_tests/prepare.yml @@ -12,7 +12,7 @@ ansible_python_interpreter: /usr/bin/python3 when: ansible_facts.distribution == 'Fedora' - - name: install packages + - name: install packages # noqa ignore-errors yum: name: - openssh-clients @@ -22,7 +22,7 @@ update_cache: true ignore_errors: true - - name: install packages + - name: install packages # noqa ignore-errors dnf: name: - openssh-clients @@ -32,7 +32,7 @@ update_cache: true ignore_errors: true - - name: install packages + - name: install packages # noqa ignore-errors apt: name: - openssh-client @@ -66,7 +66,7 @@ path: "/var/run/sshd" state: directory - - name: create ssh host keys + - name: create ssh host keys # noqa ignore-errors command: "ssh-keygen -A" when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or ansible_facts.distribution == "Fedora" or diff --git a/roles/mysql_hardening/defaults/main.yml b/roles/mysql_hardening/defaults/main.yml index 865a85395..37111fa37 100644 --- a/roles/mysql_hardening/defaults/main.yml +++ b/roles/mysql_hardening/defaults/main.yml 
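Review bot: `molecule/ssh_hardening/prepare.yml` and `molecule/ssh_hardening_custom_tests/prepare.yml` carry the identical blob ids (`f91ecaf3d..b321de295`) and identical hunks in this commit, so the second file is a byte-for-byte copy and every fix has to be applied twice; a symlink or an `include_tasks` of one shared prepare file, along the lines of the `prepare_tasks/` split this commit introduces for os_hardening, would remove the drift risk. Separately, the `# noqa ignore-errors` added to `create ssh host keys` in both files keeps masking a failed `ssh-keygen -A`; sshd cannot start without host keys, so the failure would surface later and less clearly, and dropping `ignore_errors` (presumably set just below this hunk) or adding an `args: creates:` guard is preferable. The task's remaining `when:` conditions continue past the hunk.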
@@ -7,11 +7,11 @@ mysql_daemon_enabled: true mysql_hardening_restart_mysql: true # general configuration -mysql_hardening_mysql_hardening_conf_file: '{{mysql_hardening_mysql_confd_dir}}/hardening.cnf' +mysql_hardening_mysql_hardening_conf_file: '{{ mysql_hardening_mysql_confd_dir }}/hardening.cnf' # You have to change this to your own strong enough mysql root password mysql_root_password: '-----====>SetR00tPa$$wordH3r3!!!<====-----' # There .my.cnf with mysql root credentials will be installed -mysql_user_home: "{{ ansible_env.HOME}}" +mysql_user_home: "{{ ansible_env.HOME }}" # ensure the following parameters are set properly mysql_remove_remote_root: true @@ -50,4 +50,4 @@ mysql_hardening_options: # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-secure-file-priv secure-file-priv: '/tmp' # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_user - user: '{{mysql_hardening_user}}' + user: '{{ mysql_hardening_user }}' diff --git a/roles/mysql_hardening/tasks/configure.yml b/roles/mysql_hardening/tasks/configure.yml index 44bb39c2b..e0bc61e62 100644 --- a/roles/mysql_hardening/tasks/configure.yml +++ b/roles/mysql_hardening/tasks/configure.yml @@ -18,7 +18,7 @@ when: item is defined and item != "" loop: - '{{ mysql_settings.settings.datadir }}' - - '{{ mysql_datadir|default("") }}' + - '{{ mysql_datadir | default("") }}' - name: Ensure permissions on mysql-logfile are correct file: @@ -30,7 +30,7 @@ when: item is defined and item != "" loop: - '{{ mysql_settings.settings.log_error }}' - - '{{ mysql_hardening_log_file|default("") }}' + - '{{ mysql_hardening_log_file | default("") }}' - name: Check mysql configuration-directory exists and has right permissions file: diff --git a/roles/mysql_hardening/tasks/main.yml b/roles/mysql_hardening/tasks/main.yml index 50ad4c4c4..bac9aeca1 100644 --- a/roles/mysql_hardening/tasks/main.yml +++ b/roles/mysql_hardening/tasks/main.yml 
@@ -54,7 +54,7 @@ # dict2items and vice versa magic - name: Drop the secure-auth parameter on MySQL >=8.0.3 (not mariadb) set_fact: - mysql_hardening_options: "{{ mysql_hardening_options| dict2items | rejectattr('key', 'search', 'secure-auth') | list | items2dict }}" + mysql_hardening_options: "{{ mysql_hardening_options | dict2items | rejectattr('key', 'search', 'secure-auth') | list | items2dict }}" when: - mysql_version.version.full is version('8.0.3', '>=') - mysql_distribution == "mysql" diff --git a/roles/os_hardening/handlers/main.yml b/roles/os_hardening/handlers/main.yml index 65319e080..91f49fabb 100644 --- a/roles/os_hardening/handlers/main.yml +++ b/roles/os_hardening/handlers/main.yml @@ -10,4 +10,4 @@ - name: Reload systemd systemd: - daemon_reload: yes + daemon_reload: true diff --git a/roles/os_hardening/tasks/ctrlaltdel.yml b/roles/os_hardening/tasks/ctrlaltdel.yml index 6489df43c..7daaf8c66 100644 --- a/roles/os_hardening/tasks/ctrlaltdel.yml +++ b/roles/os_hardening/tasks/ctrlaltdel.yml @@ -2,6 +2,6 @@ - name: Disable CTRL-ALT-DEL systemd: name: ctrl-alt-del.target - masked: yes - daemon_reload: yes + masked: true + daemon_reload: true when: ansible_service_mgr == "systemd" diff --git a/roles/os_hardening/tasks/limits.yml b/roles/os_hardening/tasks/limits.yml index dab083229..bbd8e98b4 100644 --- a/roles/os_hardening/tasks/limits.yml +++ b/roles/os_hardening/tasks/limits.yml 
@@ -51,15 +51,15 @@ - name: enable coredumps block: - - name: Remove coredump.conf.d directory with files - file: - path: /etc/systemd/coredump.conf.d - state: absent - when: ansible_service_mgr == "systemd" - notify: Reload systemd + - name: Remove coredump.conf.d directory with files + file: + path: /etc/systemd/coredump.conf.d + state: absent + when: ansible_service_mgr == "systemd" + notify: Reload systemd - - name: Remove 10.hardcore.conf config file - file: - path: /etc/security/limits.d/10.hardcore.conf - state: absent + - name: Remove 10.hardcore.conf config file + file: + path: /etc/security/limits.d/10.hardcore.conf + state: absent when: os_security_kernel_enable_core_dump | bool diff --git a/roles/os_hardening/tasks/minimize_access.yml b/roles/os_hardening/tasks/minimize_access.yml index 00edcdb9e..bb0543a4f 100644 --- a/roles/os_hardening/tasks/minimize_access.yml +++ b/roles/os_hardening/tasks/minimize_access.yml @@ -94,7 +94,7 @@ opts: '{{ os_mnt_boot_options }}' state: present register: bootmount - when: + when: - os_mnt_boot_enabled | bool - boot_exists | bool diff --git a/roles/ssh_hardening/tasks/ca_keys_and_principals.yml b/roles/ssh_hardening/tasks/ca_keys_and_principals.yml index 8f30fc466..a3c451921 100644 --- a/roles/ssh_hardening/tasks/ca_keys_and_principals.yml +++ b/roles/ssh_hardening/tasks/ca_keys_and_principals.yml @@ -22,6 +22,6 @@ src: 'authorized_principals.j2' dest: '{{ item.path }}' mode: '{{ item.filemode | default("600") }}' - owner: '{{ item.owner| default(ssh_owner) }}' + owner: '{{ item.owner | default(ssh_owner) }}' group: '{{ item.group | default(ssh_group) }}' loop: '{{ ssh_authorized_principals }}' diff --git a/roles/ssh_hardening/tasks/selinux.yml b/roles/ssh_hardening/tasks/selinux.yml index 4d091c1b7..78c4330fc 100644 --- a/roles/ssh_hardening/tasks/selinux.yml +++ b/roles/ssh_hardening/tasks/selinux.yml 
@@ -24,7 +24,8 @@ # The following tasks only get executed when selinux is in state enforcing, # UsePam is 'no' and the ssh_password module is not installed. See this issue for # more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23 -- when: +- name: run selinux tasks + when: - not (ssh_use_pam | bool) - ('ssh_password' not in ssh_password_module.stdout) block: @@ -44,13 +45,13 @@ group: 'root' mode: '0600' - - name: Check and compile policy + - name: Check and compile policy # noqa no-changed-when command: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password - - name: Create selinux policy module package + - name: Create selinux policy module package # noqa no-changed-when command: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp -m {{ ssh_custom_selinux_dir }}/ssh_password.mod - - name: Install selinux policy + - name: Install selinux policy # noqa no-changed-when command: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp
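Review bot: The three `# noqa no-changed-when` markers silence the finding on `checkmodule`, `semodule_package` and `semodule -i` instead of giving the tasks an idempotence guard; the first two write a known output file, so `args: creates: "{{ ssh_custom_selinux_dir }}/ssh_password.mod"` (and the `.pp` path for the package step) would make them skip on re-runs and report `changed` truthfully, and the install step could set `changed_when` from a registered `semodule -l` check. Note also that `{{ ssh_custom_selinux_dir }}` is interpolated unquoted into the `command:` strings; `command` does not go through a shell, so this is whitespace splitting rather than injection, but a directory containing spaces would break all three invocations, and the module's `argv:` form keeps each argument intact. The `block:` these tasks belong to opens in the previous hunk and the file may continue past this one.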