manually fix remaining problems

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2024-09-20 05:11:53 +00:00 · 2023-12-06 15:27:21 +01:00 · 2023-12-06 15:27:21 +01:00 · 422fb940a9
commit 422fb940a9
parent 7e33ea0bae
23 changed files with 78 additions and 65 deletions
--- a/.config/ansible-lint.yml
+++ b/.config/ansible-lint.yml
@ -18,3 +18,4 @@ mock_roles:

 skip_list:
  - var-naming[no-role-prefix]
+  - meta-runtime[unsupported-version]
--- a/galaxy.yml
+++ b/galaxy.yml
@ -22,6 +22,9 @@ tags:
  - nginx_hardening
  - os_hardening
  - ssh_hardening
+  - database
+  - linux
+  - security
 dependencies:
  ansible.posix: '>=1.0.0'
  community.crypto: '>=1.0.0'
--- a/molecule/mysql_hardening/prepare.yml
+++ b/molecule/mysql_hardening/prepare.yml
@ -35,19 +35,20 @@

    - name: Run the equivalent of "apt-get update && apt-get upgrade"
      ansible.builtin.apt:
-        name: "*"
-        state: latest
+        upgrade: safe
        update_cache: true
      when: ansible_os_family == 'Debian'

    - name: Install required python packages on Suse
      ansible.builtin.command: zypper -n install python-xml python3-rpm python3-PyMySQL
+      changed_when: false
      when: ansible_os_family == 'Suse'

    - name: Create missing directory
      ansible.builtin.file:
        path: /etc/mysql/conf.d
        state: directory
+        mode: "0770"

    - name: Determine required MySQL Python libraries (Ubuntu Focal Fossa ++)
      ansible.builtin.set_fact:
@ -72,7 +73,8 @@
        - ansible_os_family == "RedHat"
        - ansible_distribution_major_version == "7"

-    - ansible.builtin.include_role:
+    - name: Install mysql with a generic Ansible role
+      ansible.builtin.include_role:
        name: dev-sec.mysql

    - name: Include MySQL user prepare tasks
--- a/molecule/nginx_hardening/converge.yml
+++ b/molecule/nginx_hardening/converge.yml
@ -7,8 +7,9 @@
    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
  vars:
-    - nginx_ppa_use: true
-    - nginx_ppa_version: stable
+    nginx_ppa_use: true
+    nginx_ppa_version: stable
  tasks:
-    - ansible.builtin.include_role:
+    - name: Include nginx_hardening role
+      ansible.builtin.include_role:
        name: devsec.hardening.nginx_hardening
--- a/molecule/nginx_hardening/official-nginx-role-debian.yml
+++ b/molecule/nginx_hardening/official-nginx-role-debian.yml
@ -2,23 +2,23 @@
 - name: Wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
  hosts: localhost
  vars:
-    - nginx_main_template_enable: true
-    - nginx_main_template:
-        template_file: nginx.conf.j2
-        conf_file_name: nginx.conf
-        conf_file_location: /etc/nginx/
-        user: www-data
-        worker_processes: auto
-        error_level: warn
-        worker_connections: 1024
-        http_enable: true
-        http_settings:
-          keepalive_timeout: 65
-          cache: false
-          rate_limit: false
-          keyval: false
-        stream_enable: false
-        http_global_autoindex: false
+    nginx_main_template_enable: true
+    nginx_main_template:
+      template_file: nginx.conf.j2
+      conf_file_name: nginx.conf
+      conf_file_location: /etc/nginx/
+      user: www-data
+      worker_processes: auto
+      error_level: warn
+      worker_connections: 1024
+      http_enable: true
+      http_settings:
+        keepalive_timeout: 65
+        cache: false
+        rate_limit: false
+        keyval: false
+      stream_enable: false
+      http_global_autoindex: false
  roles:
    - nginxinc.nginx
    - nginx_hardening
--- a/molecule/nginx_hardening/prepare.yml
+++ b/molecule/nginx_hardening/prepare.yml
@ -24,5 +24,6 @@
        ansible_distribution_major_version: 7
      when: ansible_distribution == 'Amazon'

-    - ansible.builtin.include_role:
+    - name: Install nginx with a generic Ansible role
+      ansible.builtin.include_role:
        name: geerlingguy.nginx
--- a/molecule/nginx_hardening/requirements.yml
+++ b/molecule/nginx_hardening/requirements.yml
@ -1,3 +1,3 @@
 ---
 roles:
-  - geerlingguy.nginx
+  - name: geerlingguy.nginx
--- a/molecule/os_hardening/converge.yml
+++ b/molecule/os_hardening/converge.yml
@ -6,14 +6,13 @@
    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
-  collections:
-    - devsec.hardening
  tasks:
    - name: Workaround for https://github.com/ansible/ansible/issues/66304
      ansible.builtin.set_fact:
        ansible_virtualization_type: docker
-    - ansible.builtin.include_role:
-        name: os_hardening
+    - name: Include os_hardening role
+      ansible.builtin.include_role:
+        name: devsec.hardening.os_hardening
  vars:
    os_security_users_allow: change_user
    os_security_kernel_enable_core_dump: false
@ -73,8 +72,6 @@
 # - name: wrapper playbook for kitchen testing "ansible-os-hardening"
 #  hosts: all
 #  become: true
-#  collections:
-#    - devsec.hardening
 #  vars:
 #    os_auditd_enabled: false
 #  tasks:
@ -89,4 +86,4 @@
 #      when: ansible_facts.os_family == 'Debian'
 #
 #    - include_role:
-#        name: os_hardening
+#        name: devsec.hardening.os_hardening
--- a/molecule/os_hardening/prepare.yml
+++ b/molecule/os_hardening/prepare.yml
@ -14,14 +14,14 @@

    - name: Run the equivalent of "apt-get update && apt-get upgrade"
      ansible.builtin.apt:
-        name: "*"
-        state: latest
+        upgrade: safe
        update_cache: true
      when: ansible_os_family == 'Debian'

    - name: Install required tools on SuSE
      # cannot use zypper module, since it depends on python-xml
      ansible.builtin.command: zypper -n install python-xml awk
+      changed_when: false
      when: ansible_facts.os_family == 'Suse'

    - name: Install required tools on fedora
--- a/molecule/os_hardening/verify.yml
+++ b/molecule/os_hardening/verify.yml
@ -67,8 +67,6 @@
    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
-  collections:
-    - devsec.hardening
  tasks:
    # test if variable can be overridden
    - name: Workaround for https://github.com/ansible/ansible/issues/66304
@ -76,8 +74,9 @@
        ansible_virtualization_type: docker
        os_env_umask: "027 #override"

-    - ansible.builtin.include_role:
-        name: os_hardening
+    - name: Include os_hardening role
+      ansible.builtin.include_role:
+        name: devsec.hardening.os_hardening

    - name: Verify os_env_umask
      ansible.builtin.command:
--- a/molecule/os_hardening_vm/converge.yml
+++ b/molecule/os_hardening_vm/converge.yml
@ -6,8 +6,6 @@
    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
-  collections:
-    - devsec.hardening
  tasks:
    - name: Override for arch
      ansible.builtin.set_fact:
@ -22,8 +20,9 @@
        os_mnt_tmp_src: tmpfs
        os_mnt_tmp_filesystem: tmpfs
      when: ansible_facts.distribution == 'Fedora'
-    - ansible.builtin.include_role:
-        name: os_hardening
+    - name: Include os_hardening role
+      ansible.builtin.include_role:
+        name: devsec.hardening.os_hardening
  vars:
    os_auth_pam_passwdqc_enable: false
    os_auth_lockout_time: 15
--- a/molecule/os_hardening_vm/prepare.yml
+++ b/molecule/os_hardening_vm/prepare.yml
@ -14,12 +14,14 @@

    - name: Run the equivalent of "apt-get update && apt-get upgrade"
      ansible.builtin.apt:
+        upgrade: safe
        update_cache: true
      when: ansible_os_family == 'Debian'

    - name: Install required tools on SuSE
      # cannot use zypper module, since it depends on python-xml
      ansible.builtin.command: zypper -n install python-xml
+      changed_when: false
      when: ansible_facts.os_family == 'Suse'

    - name: Install required tools on fedora
--- a/molecule/os_hardening_vm/requirements.yml
+++ b/molecule/os_hardening_vm/requirements.yml
@ -1,3 +1,3 @@
 ---
 roles:
-  - geerlingguy.git
+  - name: geerlingguy.git
--- a/molecule/os_hardening_vm/verify.yml
+++ b/molecule/os_hardening_vm/verify.yml
@ -34,6 +34,7 @@
      ansible.builtin.copy:
        content: "{{ ssh_config.stdout_lines | join ('\n') }}"
        dest: "{{ molecule_ephemeral_directory }}/ssh-config"
+        mode: "0400"
      changed_when: false

    - name: Execute cinc-auditor tests
--- a/molecule/ssh_hardening/converge.yml
+++ b/molecule/ssh_hardening/converge.yml
@ -6,7 +6,8 @@
    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
  tasks:
-    - ansible.builtin.include_role:
+    - name: Include ssh_hardening role
+      ansible.builtin.include_role:
        name: devsec.hardening.ssh_hardening
  vars:
    sftp_enabled: false
--- a/molecule/ssh_hardening/prepare.yml
+++ b/molecule/ssh_hardening/prepare.yml
@ -44,6 +44,7 @@
    - name: Install required tools on SuSE
      # cannot use zypper module, since it depends on python-xml
      ansible.builtin.command: zypper -n install python-xml
+      changed_when: false
      when: ansible_facts.os_family == 'Suse'

    - name: Install packages
@ -65,10 +66,13 @@
      ansible.builtin.file:
        path: /var/run/sshd
        state: directory
+        mode: "0755"

    - name: Create ssh host keys # noqa ignore-errors
      ansible.builtin.command: ssh-keygen -A
-      when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or ansible_facts.distribution == "Fedora"
-        or ansible_facts.distribution == "Amazon" or ansible_facts.os_family == "Suse"
+      when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
+        or ansible_facts.distribution == "Fedora"
+        or ansible_facts.distribution == "Amazon"
+        or ansible_facts.os_family == "Suse"
      changed_when: false
      ignore_errors: true
--- a/molecule/ssh_hardening_bsd/converge.yml
+++ b/molecule/ssh_hardening_bsd/converge.yml
@ -6,7 +6,8 @@
    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
  tasks:
-    - ansible.builtin.include_role:
+    - name: Include ssh_hardening role
+      ansible.builtin.include_role:
        name: devsec.hardening.ssh_hardening
  vars:
    sftp_enabled: false
--- a/molecule/ssh_hardening_bsd/prepare.yml
+++ b/molecule/ssh_hardening_bsd/prepare.yml
@ -7,6 +7,7 @@
    - name: Install python
      # BSDs are special for Ansible - https://docs.ansible.com/ansible/latest/os_guide/intro_bsd.html
      ansible.builtin.raw: pkg_add python%3.10
+      changed_when: false
      when: lookup('env', 'MOLECULE_DISTRO') == 'openbsd7'

 - name: Wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
@ -21,10 +22,13 @@
      ansible.builtin.file:
        path: /var/run/sshd
        state: directory
+        mode: "0755"

    - name: Create ssh host keys # noqa ignore-errors
      ansible.builtin.command: ssh-keygen -A
-      when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or ansible_facts.distribution == "Fedora"
-        or ansible_facts.distribution == "Amazon" or ansible_facts.os_family == "Suse"
+      when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
+        or ansible_facts.distribution == "Fedora"
+        or ansible_facts.distribution == "Amazon"
+        or ansible_facts.os_family == "Suse"
      changed_when: false
      ignore_errors: true
--- a/molecule/ssh_hardening_bsd/verify.yml
+++ b/molecule/ssh_hardening_bsd/verify.yml
@ -8,6 +8,7 @@
        src: /usr/bin/which
        dest: /usr/bin/type
        state: hard
+        mode: "0770"
      when: lookup('env', 'MOLECULE_DISTRO') == 'openbsd7'

 - name: Verify
@ -28,6 +29,7 @@
      ansible.builtin.copy:
        content: "{{ ssh_config.stdout_lines | join ('\n') }}"
        dest: "{{ molecule_ephemeral_directory }}/ssh-config"
+        mode: "0400"
      changed_when: false

    - name: Execute cinc-auditor tests
--- a/molecule/ssh_hardening_custom_tests/converge.yml
+++ b/molecule/ssh_hardening_custom_tests/converge.yml
@ -6,11 +6,10 @@
    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
-  collections:
-    - devsec.hardening
  tasks:
-    - ansible.builtin.include_role:
-        name: ssh_hardening
+    - name: Include ssh_hardening role
+      ansible.builtin.include_role:
+        name: devsec.hardening.ssh_hardening
  vars:
    ssh_trusted_user_ca_keys_file: /etc/ssh/ca.pub
    ssh_trusted_user_ca_keys:
--- a/molecule/ssh_hardening_custom_tests/prepare.yml
+++ b/molecule/ssh_hardening_custom_tests/prepare.yml
@ -44,6 +44,7 @@
    - name: Install required tools on SuSE
      # cannot use zypper module, since it depends on python-xml
      ansible.builtin.command: zypper -n install python-xml
+      changed_when: false
      when: ansible_facts.os_family == 'Suse'

    - name: Install packages
@ -65,10 +66,13 @@
      ansible.builtin.file:
        path: /var/run/sshd
        state: directory
+        mode: "0755"

    - name: Create ssh host keys # noqa ignore-errors
      ansible.builtin.command: ssh-keygen -A
-      when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or ansible_facts.distribution == "Fedora"
-        or ansible_facts.distribution == "Amazon" or ansible_facts.os_family == "Suse"
+      when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
+        or ansible_facts.distribution == "Fedora"
+        or ansible_facts.distribution == "Amazon"
+        or ansible_facts.os_family == "Suse"
      changed_when: false
      ignore_errors: true
--- a/roles/os_hardening/README.md
+++ b/roles/os_hardening/README.md
@ -933,8 +933,6 @@ If you're using Docker / Kubernetes+Docker you'll need to override the ipv4 ip f

 ```yaml
 - hosts: localhost
-  collections:
-    - devsec.hardening
  roles:
    - devsec.hardening.os_hardening
  vars:
@ -961,8 +959,6 @@ We are setting this sysctl to a default of `32`, some systems only support small

 ```yaml
 - hosts: localhost
-  collections:
-    - devsec.hardening
  roles:
    - devsec.hardening.os_hardening
  vars:
@ -984,10 +980,8 @@ So for example if you want to change the IPv4 traffic forwarding variable to `1`

 ```yaml
 - hosts: localhost
-  collections:
-    - devsec.hardening
  roles:
-    - os_hardening
+    - devsec.hardening.os_hardening
  vars:
    sysctl_overwrite:
      # Enable IPv4 traffic forwarding.
--- a/roles/ssh_hardening/README.md
+++ b/roles/ssh_hardening/README.md
@ -453,10 +453,8 @@ Example playbook:

 ```yml
 - hosts: localhost
-  collections:
-    - devsec.hardening
  roles:
-    - ssh_hardening
+    - devsec.hardening.ssh_hardening
  vars:
    ssh_custom_options:
      - "Include /etc/ssh/ssh_config.d/*"