Merge pull request #546 from dev-sec/linting

Linting

.config/ansible-lint.yml

@@ -6,3 +6,12 @@
 exclude_paths:
   - .cache/  # implicit unless exclude_paths is defined in config
   - .yamllint
+  - ../molecule/
+  - ../.github/
+
+skip_list:
+  - fqcn-builtins
+
+mock_roles:
+  - geerlingguy.git
+  - nginxinc.nginx

.yamllint

@@ -15,19 +15,12 @@ rules:
   commas:
     max-spaces-after: -1
     level: error
-#  comments: disable
-#  comments-indentation: disable
-#  document-start: disable
   empty-lines:
     max: 3
     level: error
   hyphens:
     level: error
-#  indentation: disable
   key-duplicates: enable
   line-length: disable
-#  new-line-at-end-of-file: disable
   new-lines:
     type: unix
-#  trailing-spaces: disable
-#  truthy: disable

galaxy.yml

@@ -1,3 +1,4 @@
+---
 namespace: devsec
 name: hardening
 version: 7.14.3

molecule/mysql_hardening/prepare.yml

@@ -16,7 +16,7 @@
       when: ansible_os_family == 'Debian'
 
     - name: install required tools on SuSE
-      zypper:
+      community.general.zypper:
         name: "python-xml"
         state: present
       when: ansible_facts.os_family == 'Suse'

molecule/nginx_hardening/prepare.yml

@@ -8,7 +8,7 @@
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
     - name: install required tools on SuSE
-      zypper:
+      community.general.zypper:
         name: "python-xml"
         state: present
       when: ansible_facts.os_family == 'Suse'
@@ -17,7 +17,7 @@
       package:
         name: "python3-apt"
         update_cache: true
-      ignore_errors: true
+      ignore_errors: true  # noqa ignore-errors
 
     - name: Set correct distribution Version for Amazon Linux
       set_fact:

molecule/os_hardening/prepare.yml

@@ -35,14 +35,14 @@
       when: ansible_facts.distribution == 'Fedora'
 
     - name: install required tools on Arch
-      pacman:
+      community.general.pacman:
         name:
           - awk
         state: present
         update_cache: true
       when: ansible_facts.os_family == 'Archlinux'
 
-    - name: install required tools on RHEL
+    - name: install required tools on RHEL  # noqa ignore-errors
       yum:
         name:
           - openssh-clients
@@ -56,5 +56,5 @@
       changed_when: false
 
     - name: include YUM prepare tasks
-      include: prepare_yum.yml
+      include_tasks: prepare_tasks/yum.yml
       when: ansible_facts.os_family == 'RedHat'

molecule/os_hardening/prepare_tasks/yum.yml

@@ -1,6 +1,6 @@
 ---
 - name: create 'foo' repository
-  yum_repository:
+  ansible.builtin.yum_repository:
     name: foo
     description: mandatory description
     baseurl: file:///mandatory-url
@@ -8,7 +8,7 @@
     gpgcheck: false
 
 - name: create 'bar' repository
-  yum_repository:
+  ansible.builtin.yum_repository:
     name: bar
     description: mandatory description
     baseurl: file:///mandatory-url

molecule/os_hardening/verify.yml

@@ -38,11 +38,11 @@
       when: ansible_facts.os_family == 'Debian'
 
     - name: include PAM tests
-      include: verify_pam.yml
+      include_tasks: verify_tasks/pam.yml
       when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'
 
     - name: include YUM tests
-      include: verify_yum.yml
+      include_tasks: verify_tasks/yum.yml
       when: ansible_facts.os_family == 'RedHat'
 
     - name: download cinc-auditor
@@ -54,7 +54,7 @@
     - name: install cinc-auditor
       shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"
 
-    - name: Execute cinc-auditor tests
+    - name: Execute cinc-auditor tests  # noqa ignore-errors
       command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit  --waiver-file waivers.yaml https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip"
       register: test_results
       changed_when: false

molecule/os_hardening/waivers.yaml

@@ -1,3 +0,0 @@
-os-14:
-  run: false
-  justification: "not yet implemented"

molecule/ssh_hardening/prepare.yml

@@ -12,7 +12,7 @@
         ansible_python_interpreter: /usr/bin/python3
       when: ansible_facts.distribution == 'Fedora'
 
-    - name: install packages
+    - name: install packages  # noqa ignore-errors
       yum:
         name:
           - openssh-clients
@@ -22,7 +22,7 @@
         update_cache: true
       ignore_errors: true
 
-    - name: install packages
+    - name: install packages  # noqa ignore-errors
       dnf:
         name:
           - openssh-clients
@@ -32,7 +32,7 @@
         update_cache: true
       ignore_errors: true
 
-    - name: install packages
+    - name: install packages  # noqa ignore-errors
       apt:
         name:
           - openssh-client
@@ -66,7 +66,7 @@
         path: "/var/run/sshd"
         state: directory
 
-    - name: create ssh host keys
+    - name: create ssh host keys  # noqa ignore-errors
       command: "ssh-keygen -A"
       when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
             ansible_facts.distribution == "Fedora" or

molecule/ssh_hardening_custom_tests/prepare.yml

@@ -12,7 +12,7 @@
         ansible_python_interpreter: /usr/bin/python3
       when: ansible_facts.distribution == 'Fedora'
 
-    - name: install packages
+    - name: install packages  # noqa ignore-errors
       yum:
         name:
           - openssh-clients
@@ -22,7 +22,7 @@
         update_cache: true
       ignore_errors: true
 
-    - name: install packages
+    - name: install packages  # noqa ignore-errors
       dnf:
         name:
           - openssh-clients
@@ -32,7 +32,7 @@
         update_cache: true
       ignore_errors: true
 
-    - name: install packages
+    - name: install packages  # noqa ignore-errors
       apt:
         name:
           - openssh-client
@@ -66,7 +66,7 @@
         path: "/var/run/sshd"
         state: directory
 
-    - name: create ssh host keys
+    - name: create ssh host keys  # noqa ignore-errors
       command: "ssh-keygen -A"
       when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
             ansible_facts.distribution == "Fedora" or

roles/mysql_hardening/defaults/main.yml

@@ -7,11 +7,11 @@ mysql_daemon_enabled: true
 mysql_hardening_restart_mysql: true
 
 # general configuration
-mysql_hardening_mysql_hardening_conf_file: '{{mysql_hardening_mysql_confd_dir}}/hardening.cnf'
+mysql_hardening_mysql_hardening_conf_file: '{{ mysql_hardening_mysql_confd_dir }}/hardening.cnf'
 # You have to change this to your own strong enough mysql root password
 mysql_root_password: '-----====>SetR00tPa$$wordH3r3!!!<====-----'
 # There .my.cnf with mysql root credentials will be installed
-mysql_user_home: "{{ ansible_env.HOME}}"
+mysql_user_home: "{{ ansible_env.HOME }}"
 
 # ensure the following parameters are set properly
 mysql_remove_remote_root: true
@@ -50,4 +50,4 @@ mysql_hardening_options:
   # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-secure-file-priv
   secure-file-priv: '/tmp'
   # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_user
-  user: '{{mysql_hardening_user}}'
+  user: '{{ mysql_hardening_user }}'

roles/mysql_hardening/tasks/configure.yml

@@ -18,7 +18,7 @@
   when: item is defined and item != ""
   loop:
     - '{{ mysql_settings.settings.datadir }}'
-    - '{{ mysql_datadir|default("") }}'
+    - '{{ mysql_datadir | default("") }}'
 
 - name: Ensure permissions on mysql-logfile are correct
   file:
@@ -30,7 +30,7 @@
   when: item is defined and item != ""
   loop:
     - '{{ mysql_settings.settings.log_error }}'
-    - '{{ mysql_hardening_log_file|default("") }}'
+    - '{{ mysql_hardening_log_file | default("") }}'
 
 - name: Check mysql configuration-directory exists and has right permissions
   file:

roles/mysql_hardening/tasks/main.yml

@@ -54,7 +54,7 @@
 # dict2items and vice versa magic
 - name: Drop the secure-auth parameter on MySQL >=8.0.3 (not mariadb)
   set_fact:
-    mysql_hardening_options: "{{ mysql_hardening_options| dict2items | rejectattr('key', 'search', 'secure-auth') | list | items2dict }}"
+    mysql_hardening_options: "{{ mysql_hardening_options | dict2items | rejectattr('key', 'search', 'secure-auth') | list | items2dict }}"
   when:
     - mysql_version.version.full is version('8.0.3', '>=')
     - mysql_distribution == "mysql"

roles/os_hardening/handlers/main.yml

@@ -10,4 +10,4 @@
 
 - name: Reload systemd
   systemd:
-    daemon_reload: yes
+    daemon_reload: true

roles/os_hardening/tasks/ctrlaltdel.yml

@@ -2,6 +2,6 @@
 - name: Disable CTRL-ALT-DEL
   systemd:
     name: ctrl-alt-del.target
-    masked: yes
-    daemon_reload: yes
+    masked: true
+    daemon_reload: true
   when: ansible_service_mgr == "systemd"

roles/os_hardening/tasks/limits.yml

@@ -51,15 +51,15 @@
 
 - name: enable coredumps
   block:
-  - name: Remove coredump.conf.d directory with files
-    file:
-      path: /etc/systemd/coredump.conf.d
-      state: absent
-    when: ansible_service_mgr == "systemd"
-    notify: Reload systemd
+    - name: Remove coredump.conf.d directory with files
+      file:
+        path: /etc/systemd/coredump.conf.d
+        state: absent
+      when: ansible_service_mgr == "systemd"
+      notify: Reload systemd
 
-  - name: Remove 10.hardcore.conf config file
-    file:
-      path: /etc/security/limits.d/10.hardcore.conf
-      state: absent
+    - name: Remove 10.hardcore.conf config file
+      file:
+        path: /etc/security/limits.d/10.hardcore.conf
+        state: absent
   when: os_security_kernel_enable_core_dump | bool

roles/os_hardening/tasks/minimize_access.yml

@@ -94,7 +94,7 @@
     opts: '{{ os_mnt_boot_options }}'
     state: present
   register: bootmount
-  when: 
+  when:
     - os_mnt_boot_enabled | bool
     - boot_exists | bool
 

roles/ssh_hardening/tasks/ca_keys_and_principals.yml

@@ -22,6 +22,6 @@
     src: 'authorized_principals.j2'
     dest: '{{ item.path }}'
     mode: '{{ item.filemode | default("600") }}'
-    owner: '{{ item.owner| default(ssh_owner) }}'
+    owner: '{{ item.owner | default(ssh_owner) }}'
     group: '{{ item.group | default(ssh_group) }}'
   loop: '{{ ssh_authorized_principals }}'

roles/ssh_hardening/tasks/selinux.yml

@@ -24,7 +24,8 @@
 # The following tasks only get executed when selinux is in state enforcing,
 # UsePam is 'no' and the ssh_password module is not installed. See this issue for
 # more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23
-- when:
+- name: run selinux tasks
+  when:
     - not (ssh_use_pam | bool)
     - ('ssh_password' not in ssh_password_module.stdout)
   block:
@@ -44,13 +45,13 @@
         group: 'root'
         mode: '0600'
 
-    - name: Check and compile policy
+    - name: Check and compile policy  # noqa no-changed-when
       command: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password
 
-    - name: Create selinux policy module package
+    - name: Create selinux policy module package  # noqa no-changed-when
       command: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp  -m {{ ssh_custom_selinux_dir }}/ssh_password.mod
 
-    - name: Install selinux policy
+    - name: Install selinux policy  # noqa no-changed-when
       command: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp