manually fix remaining problems

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

.config/ansible-lint.yml

@@ -18,3 +18,4 @@ mock_roles:
 
 skip_list:
   - var-naming[no-role-prefix]
+  - meta-runtime[unsupported-version]

galaxy.yml

@@ -22,6 +22,9 @@ tags:
   - nginx_hardening
   - os_hardening
   - ssh_hardening
+  - database
+  - linux
+  - security
 dependencies:
   ansible.posix: '>=1.0.0'
   community.crypto: '>=1.0.0'

molecule/mysql_hardening/prepare.yml

@@ -35,19 +35,20 @@
 
     - name: Run the equivalent of "apt-get update && apt-get upgrade"
       ansible.builtin.apt:
-        name: "*"
+        upgrade: safe
-        state: latest
         update_cache: true
       when: ansible_os_family == 'Debian'
 
     - name: Install required python packages on Suse
       ansible.builtin.command: zypper -n install python-xml python3-rpm python3-PyMySQL
+      changed_when: false
       when: ansible_os_family == 'Suse'
 
     - name: Create missing directory
       ansible.builtin.file:
         path: /etc/mysql/conf.d
         state: directory
+        mode: "0770"
 
     - name: Determine required MySQL Python libraries (Ubuntu Focal Fossa ++)
       ansible.builtin.set_fact:
@@ -72,7 +73,8 @@
         - ansible_os_family == "RedHat"
         - ansible_distribution_major_version == "7"
 
-    - ansible.builtin.include_role:
+    - name: Install mysql with a generic Ansible role
+      ansible.builtin.include_role:
         name: dev-sec.mysql
 
     - name: Include MySQL user prepare tasks

molecule/nginx_hardening/converge.yml

@@ -7,8 +7,9 @@
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   vars:
-    - nginx_ppa_use: true
+    nginx_ppa_use: true
-    - nginx_ppa_version: stable
+    nginx_ppa_version: stable
   tasks:
-    - ansible.builtin.include_role:
+    - name: Include nginx_hardening role
+      ansible.builtin.include_role:
         name: devsec.hardening.nginx_hardening

molecule/nginx_hardening/official-nginx-role-debian.yml

@@ -2,23 +2,23 @@
 - name: Wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
   hosts: localhost
   vars:
-    - nginx_main_template_enable: true
+    nginx_main_template_enable: true
-    - nginx_main_template:
+    nginx_main_template:
-        template_file: nginx.conf.j2
+      template_file: nginx.conf.j2
-        conf_file_name: nginx.conf
+      conf_file_name: nginx.conf
-        conf_file_location: /etc/nginx/
+      conf_file_location: /etc/nginx/
-        user: www-data
+      user: www-data
-        worker_processes: auto
+      worker_processes: auto
-        error_level: warn
+      error_level: warn
-        worker_connections: 1024
+      worker_connections: 1024
-        http_enable: true
+      http_enable: true
-        http_settings:
+      http_settings:
-          keepalive_timeout: 65
+        keepalive_timeout: 65
-          cache: false
+        cache: false
-          rate_limit: false
+        rate_limit: false
-          keyval: false
+        keyval: false
-        stream_enable: false
+      stream_enable: false
-        http_global_autoindex: false
+      http_global_autoindex: false
   roles:
     - nginxinc.nginx
     - nginx_hardening

molecule/nginx_hardening/prepare.yml

@@ -24,5 +24,6 @@
         ansible_distribution_major_version: 7
       when: ansible_distribution == 'Amazon'
 
-    - ansible.builtin.include_role:
+    - name: Install nginx with a generic Ansible role
+      ansible.builtin.include_role:
         name: geerlingguy.nginx

molecule/nginx_hardening/requirements.yml

@@ -1,3 +1,3 @@
 ---
 roles:
-  - geerlingguy.nginx
+  - name: geerlingguy.nginx

molecule/os_hardening/converge.yml

@@ -6,14 +6,13 @@
     http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
-  collections:
-    - devsec.hardening
   tasks:
     - name: Workaround for https://github.com/ansible/ansible/issues/66304
       ansible.builtin.set_fact:
         ansible_virtualization_type: docker
-    - ansible.builtin.include_role:
+    - name: Include os_hardening role
-        name: os_hardening
+      ansible.builtin.include_role:
+        name: devsec.hardening.os_hardening
   vars:
     os_security_users_allow: change_user
     os_security_kernel_enable_core_dump: false
@@ -73,8 +72,6 @@
 # - name: wrapper playbook for kitchen testing "ansible-os-hardening"
 #  hosts: all
 #  become: true
-#  collections:
-#    - devsec.hardening
 #  vars:
 #    os_auditd_enabled: false
 #  tasks:
@@ -89,4 +86,4 @@
 #      when: ansible_facts.os_family == 'Debian'
 #
 #    - include_role:
-#        name: os_hardening
+#        name: devsec.hardening.os_hardening

molecule/os_hardening/prepare.yml

@@ -14,14 +14,14 @@
 
     - name: Run the equivalent of "apt-get update && apt-get upgrade"
       ansible.builtin.apt:
-        name: "*"
+        upgrade: safe
-        state: latest
         update_cache: true
       when: ansible_os_family == 'Debian'
 
     - name: Install required tools on SuSE
       # cannot use zypper module, since it depends on python-xml
       ansible.builtin.command: zypper -n install python-xml awk
+      changed_when: false
       when: ansible_facts.os_family == 'Suse'
 
     - name: Install required tools on fedora

molecule/os_hardening/verify.yml

@@ -67,8 +67,6 @@
     http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
-  collections:
-    - devsec.hardening
   tasks:
     # test if variable can be overridden
     - name: Workaround for https://github.com/ansible/ansible/issues/66304
@@ -76,8 +74,9 @@
         ansible_virtualization_type: docker
         os_env_umask: "027 #override"
 
-    - ansible.builtin.include_role:
+    - name: Include os_hardening role
-        name: os_hardening
+      ansible.builtin.include_role:
+        name: devsec.hardening.os_hardening
 
     - name: Verify os_env_umask
       ansible.builtin.command:

molecule/os_hardening_vm/converge.yml

@@ -6,8 +6,6 @@
     http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
-  collections:
-    - devsec.hardening
   tasks:
     - name: Override for arch
       ansible.builtin.set_fact:
@@ -22,8 +20,9 @@
         os_mnt_tmp_src: tmpfs
         os_mnt_tmp_filesystem: tmpfs
       when: ansible_facts.distribution == 'Fedora'
-    - ansible.builtin.include_role:
+    - name: Include os_hardening role
-        name: os_hardening
+      ansible.builtin.include_role:
+        name: devsec.hardening.os_hardening
   vars:
     os_auth_pam_passwdqc_enable: false
     os_auth_lockout_time: 15

molecule/os_hardening_vm/prepare.yml

@@ -14,12 +14,14 @@
 
     - name: Run the equivalent of "apt-get update && apt-get upgrade"
       ansible.builtin.apt:
+        upgrade: safe
         update_cache: true
       when: ansible_os_family == 'Debian'
 
     - name: Install required tools on SuSE
       # cannot use zypper module, since it depends on python-xml
       ansible.builtin.command: zypper -n install python-xml
+      changed_when: false
       when: ansible_facts.os_family == 'Suse'
 
     - name: Install required tools on fedora

molecule/os_hardening_vm/requirements.yml

@@ -1,3 +1,3 @@
 ---
 roles:
-  - geerlingguy.git
+  - name: geerlingguy.git

molecule/os_hardening_vm/verify.yml

@@ -34,6 +34,7 @@
       ansible.builtin.copy:
         content: "{{ ssh_config.stdout_lines | join ('\n') }}"
         dest: "{{ molecule_ephemeral_directory }}/ssh-config"
+        mode: "0400"
       changed_when: false
 
     - name: Execute cinc-auditor tests

molecule/ssh_hardening/converge.yml

@@ -6,7 +6,8 @@
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
-    - ansible.builtin.include_role:
+    - name: Include ssh_hardening role
+      ansible.builtin.include_role:
         name: devsec.hardening.ssh_hardening
   vars:
     sftp_enabled: false

molecule/ssh_hardening/prepare.yml

@@ -44,6 +44,7 @@
     - name: Install required tools on SuSE
       # cannot use zypper module, since it depends on python-xml
       ansible.builtin.command: zypper -n install python-xml
+      changed_when: false
       when: ansible_facts.os_family == 'Suse'
 
     - name: Install packages
@@ -65,10 +66,13 @@
       ansible.builtin.file:
         path: /var/run/sshd
         state: directory
+        mode: "0755"
 
     - name: Create ssh host keys # noqa ignore-errors
       ansible.builtin.command: ssh-keygen -A
-      when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or ansible_facts.distribution == "Fedora"
+      when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
-        or ansible_facts.distribution == "Amazon" or ansible_facts.os_family == "Suse"
+        or ansible_facts.distribution == "Fedora"
+        or ansible_facts.distribution == "Amazon"
+        or ansible_facts.os_family == "Suse"
       changed_when: false
       ignore_errors: true

molecule/ssh_hardening_bsd/converge.yml

@@ -6,7 +6,8 @@
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
-    - ansible.builtin.include_role:
+    - name: Include ssh_hardening role
+      ansible.builtin.include_role:
         name: devsec.hardening.ssh_hardening
   vars:
     sftp_enabled: false

molecule/ssh_hardening_bsd/prepare.yml

@@ -7,6 +7,7 @@
     - name: Install python
       # BSDs are special for Ansible - https://docs.ansible.com/ansible/latest/os_guide/intro_bsd.html
       ansible.builtin.raw: pkg_add python%3.10
+      changed_when: false
       when: lookup('env', 'MOLECULE_DISTRO') == 'openbsd7'
 
 - name: Wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
@@ -21,10 +22,13 @@
       ansible.builtin.file:
         path: /var/run/sshd
         state: directory
+        mode: "0755"
 
     - name: Create ssh host keys # noqa ignore-errors
       ansible.builtin.command: ssh-keygen -A
-      when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or ansible_facts.distribution == "Fedora"
+      when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
-        or ansible_facts.distribution == "Amazon" or ansible_facts.os_family == "Suse"
+        or ansible_facts.distribution == "Fedora"
+        or ansible_facts.distribution == "Amazon"
+        or ansible_facts.os_family == "Suse"
       changed_when: false
       ignore_errors: true

molecule/ssh_hardening_bsd/verify.yml

@@ -8,6 +8,7 @@
         src: /usr/bin/which
         dest: /usr/bin/type
         state: hard
+        mode: "0770"
       when: lookup('env', 'MOLECULE_DISTRO') == 'openbsd7'
 
 - name: Verify
@@ -28,6 +29,7 @@
       ansible.builtin.copy:
         content: "{{ ssh_config.stdout_lines | join ('\n') }}"
         dest: "{{ molecule_ephemeral_directory }}/ssh-config"
+        mode: "0400"
       changed_when: false
 
     - name: Execute cinc-auditor tests

molecule/ssh_hardening_custom_tests/converge.yml

@@ -6,11 +6,10 @@
     http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
-  collections:
-    - devsec.hardening
   tasks:
-    - ansible.builtin.include_role:
+    - name: Include ssh_hardening role
-        name: ssh_hardening
+      ansible.builtin.include_role:
+        name: devsec.hardening.ssh_hardening
   vars:
     ssh_trusted_user_ca_keys_file: /etc/ssh/ca.pub
     ssh_trusted_user_ca_keys:

molecule/ssh_hardening_custom_tests/prepare.yml

@@ -44,6 +44,7 @@
     - name: Install required tools on SuSE
       # cannot use zypper module, since it depends on python-xml
       ansible.builtin.command: zypper -n install python-xml
+      changed_when: false
       when: ansible_facts.os_family == 'Suse'
 
     - name: Install packages
@@ -65,10 +66,13 @@
       ansible.builtin.file:
         path: /var/run/sshd
         state: directory
+        mode: "0755"
 
     - name: Create ssh host keys # noqa ignore-errors
       ansible.builtin.command: ssh-keygen -A
-      when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or ansible_facts.distribution == "Fedora"
+      when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
-        or ansible_facts.distribution == "Amazon" or ansible_facts.os_family == "Suse"
+        or ansible_facts.distribution == "Fedora"
+        or ansible_facts.distribution == "Amazon"
+        or ansible_facts.os_family == "Suse"
       changed_when: false
       ignore_errors: true

roles/os_hardening/README.md

@@ -933,8 +933,6 @@ If you're using Docker / Kubernetes+Docker you'll need to override the ipv4 ip f
 
 ```yaml
 - hosts: localhost
-  collections:
-    - devsec.hardening
   roles:
     - devsec.hardening.os_hardening
   vars:
@@ -961,8 +959,6 @@ We are setting this sysctl to a default of `32`, some systems only support small
 
 ```yaml
 - hosts: localhost
-  collections:
-    - devsec.hardening
   roles:
     - devsec.hardening.os_hardening
   vars:
@@ -984,10 +980,8 @@ So for example if you want to change the IPv4 traffic forwarding variable to `1`
 
 ```yaml
 - hosts: localhost
-  collections:
-    - devsec.hardening
   roles:
-    - os_hardening
+    - devsec.hardening.os_hardening
   vars:
     sysctl_overwrite:
       # Enable IPv4 traffic forwarding.

roles/ssh_hardening/README.md

@@ -453,10 +453,8 @@ Example playbook:
 
 ```yml
 - hosts: localhost
-  collections:
-    - devsec.hardening
   roles:
-    - ssh_hardening
+    - devsec.hardening.ssh_hardening
   vars:
     ssh_custom_options:
       - "Include /etc/ssh/ssh_config.d/*"