linting

.config/ansible-lint.yml

@@ -4,7 +4,7 @@
 # and not relative to the CWD of execution. CLI arguments passed to the --exclude
 # option will be parsed relative to the CWD of execution.
 exclude_paths:
-  - .cache/  # implicit unless exclude_paths is defined in config
+  - .cache/ # implicit unless exclude_paths is defined in config
   - .yamllint
   - ../molecule/
   - ../.github/

galaxy.yml

@@ -1,13 +1,14 @@
+---
 namespace: devsec
 name: hardening
 version: 8.4.0
 readme: README.md
 authors:
   - dev-sec <[email protected]>
-description: 'This collection provides battle tested hardening for Linux, SSH, nginx, MySQL'
+description: This collection provides battle tested hardening for Linux, SSH, nginx, MySQL
 license:
   - Apache-2.0
-license_file: ''
+license_file: ""
 tags:
   - devsec
   - hardening
@@ -23,13 +24,13 @@ tags:
   - os_hardening
   - ssh_hardening
 dependencies:
-  ansible.posix: '>=1.0.0'
-  community.crypto: '>=1.0.0'
-  community.general: '>=1.0.0'
-  community.mysql: '>=1.3.0'
-repository: 'https://github.com/dev-sec/ansible-collection-hardening/'
-homepage: 'https://dev-sec.io/'
-issues: 'https://github.com/dev-sec/ansible-collection-hardening/issues'
+  ansible.posix: ">=1.0.0"
+  community.crypto: ">=1.0.0"
+  community.general: ">=1.0.0"
+  community.mysql: ">=1.3.0"
+repository: https://github.com/dev-sec/ansible-collection-hardening/
+homepage: https://dev-sec.io/
+issues: https://github.com/dev-sec/ansible-collection-hardening/issues
 build_ignore:
   - codecov.yml
   - .github

meta/runtime.yml

@@ -1,2 +1,2 @@
 ---
-requires_ansible: '>=2.9.10'
+requires_ansible: ">=2.9.10"

roles/mysql_hardening/defaults/main.yml

@@ -7,9 +7,9 @@ mysql_daemon_enabled: true
 mysql_hardening_restart_mysql: true
 
 # general configuration
-mysql_hardening_mysql_hardening_conf_file: '{{ mysql_hardening_mysql_confd_dir }}/hardening.cnf'
+mysql_hardening_mysql_hardening_conf_file: "{{ mysql_hardening_mysql_confd_dir }}/hardening.cnf"
 # You have to change this to your own strong enough mysql root password
-mysql_root_password: '-----====>SetR00tPa$$wordH3r3!!!<====-----'
+mysql_root_password: "-----====>SetR00tPa$$wordH3r3!!!<====-----"
 # There .my.cnf with mysql root credentials will be installed
 mysql_user_home: "{{ ansible_env.HOME }}"
 
@@ -48,6 +48,6 @@ mysql_hardening_options:
   automatic-sp-privileges: 0
 
   # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-secure-file-priv
-  secure-file-priv: '/tmp'
+  secure-file-priv: /tmp
   # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_user
-  user: '{{ mysql_hardening_user }}'
+  user: "{{ mysql_hardening_user }}"

roles/mysql_hardening/handlers/main.yml

@@ -1,7 +1,6 @@
 ---
-
 - name: Restart mysql
-  service:
-    name: '{{ mysql_daemon }}'
+  ansible.builtin.service:
+    name: "{{ mysql_daemon }}"
     state: restarted
   when: mysql_hardening_restart_mysql | bool

roles/mysql_hardening/meta/main.yml

@@ -1,10 +1,10 @@
 ---
 galaxy_info:
-  author: "Sebastian Gumprich"
-  description: 'This Ansible playbook provides security configuration for mysql.'
+  author: Sebastian Gumprich
+  description: This Ansible playbook provides security configuration for mysql.
   company: Hardening Framework Team
   license: Apache License 2.0
-  min_ansible_version: '2.9.10'
+  min_ansible_version: 2.9.10
   platforms:
     - name: EL
       versions:

roles/mysql_hardening/tasks/configure.yml

@@ -1,64 +1,64 @@
 ---
 - name: Protect my.cnf
-  file:
-    path: '{{ mysql_hardening_mysql_conf_file }}'
-    mode: '0640'
-    owner: '{{ mysql_cnf_owner }}'
-    group: '{{ mysql_cnf_group }}'
+  ansible.builtin.file:
+    path: "{{ mysql_hardening_mysql_conf_file }}"
+    mode: "0640"
+    owner: "{{ mysql_cnf_owner }}"
+    group: "{{ mysql_cnf_group }}"
     follow: true
     state: file
 
 - name: Ensure permissions on mysql-datadir are correct
-  file:
-    path: '{{ item }}'
+  ansible.builtin.file:
+    path: "{{ item }}"
     state: directory
-    owner: '{{ mysql_hardening_user }}'
-    group: '{{ mysql_hardening_user }}'
-    mode: '0750'
+    owner: "{{ mysql_hardening_user }}"
+    group: "{{ mysql_hardening_user }}"
+    mode: "0750"
   when: item is defined and item != ""
   loop:
-    - '{{ mysql_settings.settings.datadir }}'
+    - "{{ mysql_settings.settings.datadir }}"
     - '{{ mysql_datadir | default("") }}'
 
 - name: Ensure permissions on mysql-logfile are correct
-  file:
-    path: '{{ item }}'
+  ansible.builtin.file:
+    path: "{{ item }}"
     state: file
-    owner: '{{ mysql_hardening_user }}'
-    group: '{{ mysql_hardening_group }}'
-    mode: '0640'
+    owner: "{{ mysql_hardening_user }}"
+    group: "{{ mysql_hardening_group }}"
+    mode: "0640"
   when: item is defined and item != ""
   loop:
-    - '{{ mysql_settings.settings.log_error }}'
+    - "{{ mysql_settings.settings.log_error }}"
     - '{{ mysql_hardening_log_file | default("") }}'
 
 - name: Check mysql configuration-directory exists and has right permissions
-  file:
-    path: '{{ mysql_hardening_mysql_confd_dir }}'
+  ansible.builtin.file:
+    path: "{{ mysql_hardening_mysql_confd_dir }}"
     state: directory
-    owner: '{{ mysql_hardening_user }}'
-    group: '{{ mysql_hardening_group }}'
-    mode: '0750'
+    owner: "{{ mysql_hardening_user }}"
+    group: "{{ mysql_hardening_group }}"
+    mode: "0750"
 
 - name: Check include-dir directive is present in my.cnf
-  lineinfile:
-    dest: '{{ mysql_hardening_mysql_conf_file }}'
-    line: '!includedir {{ mysql_hardening_mysql_confd_dir }}'
-    insertafter: 'EOF'
+  ansible.builtin.lineinfile:
+    dest: "{{ mysql_hardening_mysql_conf_file }}"
+    line: "!includedir {{ mysql_hardening_mysql_confd_dir }}"
+    insertafter: EOF
     state: present
     backup: true
   notify: Restart mysql
 
 - name: Apply hardening configuration
-  template:
-    src: 'hardening.cnf.j2'
-    dest: '{{ mysql_hardening_mysql_hardening_conf_file }}'
-    owner: '{{ mysql_cnf_owner }}'
-    group: '{{ mysql_cnf_group }}'
-    mode: '0640'
+  ansible.builtin.template:
+    src: hardening.cnf.j2
+    dest: "{{ mysql_hardening_mysql_hardening_conf_file }}"
+    owner: "{{ mysql_cnf_owner }}"
+    group: "{{ mysql_cnf_group }}"
+    mode: "0640"
   notify: Restart mysql
 
 - name: Enable mysql
-  service:
-    name: '{{ mysql_daemon }}'
-    enabled: '{{ mysql_daemon_enabled }}'
+  ansible.builtin.service:
+    name: "{{ mysql_daemon }}"
+    enabled: "{{ mysql_daemon_enabled }}"

roles/mysql_hardening/tasks/main.yml

@@ -1,31 +1,31 @@
 ---
 - name: Fetch OS dependent variables
-  include_vars:
-    file: '{{ item }}'
-    name: 'os_vars'
+  ansible.builtin.include_vars:
+    file: "{{ item }}"
+    name: os_vars
   with_first_found:
     - files:
-        - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
-        - '{{ ansible_facts.distribution }}.yml'
-        - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
-        - '{{ ansible_facts.os_family }}.yml'
+        - "{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml"
+        - "{{ ansible_facts.distribution }}.yml"
+        - "{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml"
+        - "{{ ansible_facts.os_family }}.yml"
       skip: true
   tags: always
 
 # we only override variables with our default if they have not been specified already.
 # by default the lookup functions finds all varnames containing the string, therefore
 # we add ^ and $ to denote start and end of string, so this returns only exact maches.
-- name: Set OS dependent variables, if not already defined by user  # noqa var-naming
-  set_fact:
-    '{{ item.key }}': '{{ item.value }}'
-  when: "not lookup('varnames', '^' + item.key + '$')"
-  with_dict: '{{ os_vars }}'
+- name: Set OS dependent variables, if not already defined by user # noqa var-naming
+  ansible.builtin.set_fact:
+    "{{ item.key }}": "{{ item.value }}"
+  when: not lookup('varnames', '^' + item.key + '$')
+  with_dict: "{{ os_vars }}"
   tags: always
 
 - name: Check that the variable mysql_distribution is set correctly
   ansible.builtin.assert:
     that: mysql_distribution == 'mysql' or mysql_distribution == 'mariadb'
-    fail_msg: 'mysql_distribution must be set to either mysql or mariadb!'
+    fail_msg: mysql_distribution must be set to either mysql or mariadb!
   when: mysql_distribution is defined
 
 - name: Gather package facts to check for mysql/mariadb version
@@ -34,7 +34,7 @@
   when: not mysql_distribution is defined
 
 - name: Check if MySQL or MariaDB is used
-  set_fact:
+  ansible.builtin.set_fact:
     mysql_distribution: "{{ ansible_facts.packages['mysql-server'] is defined | ternary('mysql', 'mariadb') }}"
   when: not mysql_distribution is defined
 
@@ -53,20 +53,20 @@
 # see https://stackoverflow.com/a/59451077/2953919 for the
 # dict2items and vice versa magic
 - name: Drop the secure-auth parameter on MySQL >=8.0.3 (not mariadb)
-  set_fact:
+  ansible.builtin.set_fact:
     mysql_hardening_options: "{{ mysql_hardening_options | dict2items | rejectattr('key', 'search', 'secure-auth') | list | items2dict }}"
   when:
     - mysql_version.version.full is version('8.0.3', '>=')
     - mysql_distribution == "mysql"
 
 - name: Include tasks for configuration
-  import_tasks: configure.yml
+  ansible.builtin.import_tasks: configure.yml
   when: mysql_hardening_enabled | bool
   tags:
     - mysql_hardening
 
 - name: Include tasks to secure mysql installation
-  import_tasks: mysql_secure_installation.yml
+  ansible.builtin.import_tasks: mysql_secure_installation.yml
   when: mysql_hardening_enabled | bool
   tags:
     - mysql_hardening