mirror of
https://github.com/dev-sec/ansible-collection-hardening
synced 2024-11-10 09:14:18 +00:00
fix ansible lint remarks
Signed-off-by: Sebastian Gumprich <github@gumpri.ch>
parent
9a57c6edaf
commit
7a6b1f7d66
6 changed files with 17 additions and 12 deletions
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
galaxy_info:
|
||||
author: "Sebastian Gumprich"
|
||||
description: 'This Ansible role provides numerous security-related configurations, providing all-round base protection.'
|
||||
description: 'This role provides numerous security-related configurations, providing all-round base protection.'
|
||||
company: Hardening Framework Team
|
||||
license: Apache License 2.0
|
||||
min_ansible_version: '2.5'
|
||||
|
|
|
@ -16,7 +16,7 @@
|
|||
limit_type: hard
|
||||
limit_item: core
|
||||
value: 0
|
||||
comment: Prevent core dumps for all users. These are usually only needed by developers and may contain sensitive information
|
||||
comment: Prevent core dumps for all users. These are usually not needed and may contain sensitive information
|
||||
|
||||
- name: set 10.hardcore.conf perms to 0400 and root ownership
|
||||
file:
|
||||
|
|
|
@ -6,4 +6,3 @@
|
|||
owner: 'root'
|
||||
group: 'root'
|
||||
mode: '0444'
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
- name: install modprobe to disable filesystems | os-10
|
||||
package:
|
||||
name: '{{modprobe_package}}'
|
||||
name: '{{ modprobe_package }}'
|
||||
state: 'present'
|
||||
|
||||
- name: check if efi is installed
|
||||
|
@ -21,4 +21,3 @@
|
|||
owner: 'root'
|
||||
group: 'root'
|
||||
mode: '0640'
|
||||
|
||||
|
|
|
@ -47,7 +47,8 @@
|
|||
apt:
|
||||
name: 'libpam-modules'
|
||||
state: 'present'
|
||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0
|
||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and
|
||||
not os_auth_pam_passwdqc_enable and os_auth_retries > 0
|
||||
|
||||
- name: configure tally2
|
||||
template:
|
||||
|
@ -56,25 +57,29 @@
|
|||
mode: '0644'
|
||||
owner: 'root'
|
||||
group: 'root'
|
||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0
|
||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and
|
||||
not os_auth_pam_passwdqc_enable and os_auth_retries > 0
|
||||
|
||||
- name: delete tally2 when retries is 0
|
||||
file:
|
||||
path: '{{ tally2_path }}'
|
||||
state: 'absent'
|
||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries == 0
|
||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and
|
||||
not os_auth_pam_passwdqc_enable and os_auth_retries == 0
|
||||
|
||||
- name: remove pam_cracklib, because it does not play nice with passwdqc
|
||||
yum:
|
||||
name: '{{ os_packages_pam_cracklib }}'
|
||||
state: 'absent'
|
||||
when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable
|
||||
when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon')
|
||||
and os_auth_pam_passwdqc_enable
|
||||
|
||||
- name: install the package for strong password checking
|
||||
yum:
|
||||
name: '{{ os_packages_pam_passwdqc }}'
|
||||
state: 'present'
|
||||
when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable
|
||||
when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon')
|
||||
and os_auth_pam_passwdqc_enable
|
||||
|
||||
- name: remove passwdqc
|
||||
yum:
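Review bot: The re-wrapped RedHat conditions on the two yum tasks (remove pam_cracklib, install the strong password checking package) still evaluate `ansible_distribution_version < '7'` as a string comparison, so the ordering is lexicographic and a value such as '10.0' sorts before '7' and satisfies the test. On such a host the PAM password-quality packages would be swapped even though the condition is meant for releases older than 7. The metadata hunk on this page declares min_ansible_version '2.5', where the version test is available, so the comparison can be written as `ansible_distribution_version is version('7', '<')`. The same pattern appears as `ansible_distribution_major_version < '7'` in the later sysctl hunk. The last task in this hunk (remove passwdqc) continues outside the visible lines.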
|
||||
|
|
|
@ -13,7 +13,8 @@
|
|||
owner: 'root'
|
||||
group: 'root'
|
||||
mode: '0544'
|
||||
when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS' or ansible_distribution == 'Amazon'
|
||||
when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or
|
||||
ansible_distribution == 'CentOS' or ansible_distribution == 'Amazon'
|
||||
|
||||
- name: install initramfs-tools
|
||||
apt:
|
||||
|
@ -59,7 +60,8 @@
|
|||
reload: yes
|
||||
ignoreerrors: yes
|
||||
with_dict: '{{ sysctl_rhel_config }}'
|
||||
when: ((ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS') and ansible_distribution_major_version < '7') or ansible_distribution == 'Amazon'
|
||||
when: ((ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS') and
|
||||
ansible_distribution_major_version < '7') or ansible_distribution == 'Amazon'
|
||||
|
||||
- name: Apply ufw defaults
|
||||
template:
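Review bot: `ignoreerrors: yes` on the looped task above the re-wrapped condition (it looks like a sysctl task, but its start is outside the hunk) means keys the target kernel does not know are skipped without failing the play, so a run can report success while some hardening values were never applied. A short comment would make that trade-off explicit, for example `# unknown sysctl keys are skipped on purpose; confirm the applied values with an audit run afterwards`. As a style point, `reload: yes` and `ignoreerrors: yes` are more predictable written as `true`, which is also what yamllint's truthy rule expects.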
|
||||
|
|