fix lint findings

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -31,7 +31,7 @@ body:
     attributes:
       label: "Reproduction steps"
       render: Shell
-      description: Paste an example playbook that can be used to reproduce the problem. This will be automatically formatted into code, so no need for backticks.
+      description: Paste an example playbook that can be used to reproduce the problem. This will be automatically formatted into code, no need for backticks.
       value: |
         ...
     validations:

.github/workflows/mysql_hardening.yml

@@ -89,7 +89,8 @@ jobs:
       - name: Temporary fix for roles
         run: |
           mkdir -p /home/runner/.ansible
-          ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles /home/runner/.ansible/roles
+          ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles \
+            /home/runner/.ansible/roles
 
       - name: Test with molecule
         run: |

.github/workflows/nginx_hardening.yml

@@ -78,7 +78,8 @@ jobs:
       - name: Temporary fix for roles
         run: |
           mkdir -p /home/runner/.ansible
-          ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles /home/runner/.ansible/roles
+          ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles \
+            /home/runner/.ansible/roles
 
       - name: Test with molecule
         run: |

molecule/mysql_hardening/converge.yml

@@ -1,16 +1,14 @@
 ---
-- name: wrapper playbook for kitchen testing "ansible-mysql-hardening"
+- name: Wrapper playbook for kitchen testing "ansible-mysql-hardening"
   hosts: all
   become: true
-  collections:
-    - devsec.hardening
   environment:
     http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
     - name: Determine required MySQL Python libraries (Ubuntu Focal Fossa ++)
-      set_fact:
+      ansible.builtin.set_fact:
         mysql_python_package_debian: "python3-pymysql"
       when:
         - mysql_python_package_debian is not defined
@@ -18,7 +16,7 @@
         - ansible_distribution_major_version|int > 19
 
     - name: Determine required MySQL Python libraries.
-      set_fact:
+      ansible.builtin.set_fact:
         mysql_python_package_debian: "{% if 'python3' in ansible_python_interpreter|default('') %}python3-mysqldb{% else %}python-mysqldb{% endif %}"
       when:
         - mysql_python_package_debian is not defined
@@ -26,13 +24,14 @@
         - ansible_distribution_major_version|int < 20
 
     - name: Use Python 3 on Suse
-      set_fact:
+      ansible.builtin.set_fact:
         ansible_python_interpreter: /usr/bin/python3
       when:
         - ansible_os_family == 'Suse'
 
-    - include_role:
+    - name: Include mysql_hardening role
-        name: mysql_hardening
+      ansible.builtin.include_role:
+        name: devsec.hardening.mysql_hardening
   vars:
     overwrite_global_mycnf: false
     mysql_root_password: iloverandompasswordsbutthiswilldo

molecule/mysql_hardening/prepare.yml

@@ -1,35 +1,40 @@
 ---
-
+- name: Wrapper playbook for kitchen testing "ansible-mysql-hardening"
-- name: wrapper playbook for kitchen testing "ansible-mysql-hardening"
   hosts: all
   become: true
   environment:
     http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+  vars:
+    overwrite_global_mycnf: false
+    mysql_root_password: iloverandompasswordsbutthiswilldo
+    mysql_user_password: iloverandompasswordsbutthiswilldo
+    mysql_config_file: /etc/mysql/mariadb.cnf
+    mysql_root_password_update: true
   tasks:
     - name: Use Python 3 on Debian 11
-      set_fact:
+      ansible.builtin.set_fact:
         ansible_python_interpreter: /usr/bin/python3
       when:
         - ansible_distribution == 'Debian'
         - ansible_distribution_major_version|int >= 11
 
     - name: Use Python 3 on Suse
-      set_fact:
+      ansible.builtin.set_fact:
         ansible_python_interpreter: /usr/bin/python3
       when:
         - ansible_os_family == 'Suse'
 
     - name: Use Python 2 on Debian 10
-      set_fact:
+      ansible.builtin.set_fact:
         ansible_python_interpreter: /usr/bin/python
       when:
         - ansible_distribution == 'Debian'
         - ansible_distribution_major_version|int == 10
 
     - name: Run the equivalent of "apt-get update && apt-get upgrade"
-      apt:
+      ansible.builtin.apt:
         name: "*"
         state: latest
         update_cache: true
@@ -39,13 +44,13 @@
       ansible.builtin.shell: zypper -n install python-xml python3-rpm python3-PyMySQL
       when: ansible_os_family == 'Suse'
 
-    - name: create missing directory
+    - name: Create missing directory
       file:
         path: "/etc/mysql/conf.d"
         state: directory
 
     - name: Determine required MySQL Python libraries (Ubuntu Focal Fossa ++)
-      set_fact:
+      ansible.builtin.set_fact:
         mysql_python_package_debian: "python3-pymysql"
       when:
         - mysql_python_package_debian is not defined
@@ -53,7 +58,7 @@
         - ansible_distribution_major_version|int > 19
 
     - name: Determine required MySQL Python libraries.
-      set_fact:
+      ansible.builtin.set_fact:
         mysql_python_package_debian: "{% if 'python3' in ansible_python_interpreter|default('') %}python3-mysqldb{% else %}python-mysqldb{% endif %}"
       when:
         - mysql_python_package_debian is not defined
@@ -61,20 +66,14 @@
         - ansible_distribution_major_version|int < 20
 
     - name: Install required MySQL Python libraries on RHEL
-      yum:
+      ansible.builtin.yum:
         name: "{% if 'python3' in ansible_python_interpreter|default('') %}python36-PyMySQL{% else %}python2-PyMySQL{% endif %}"
       when:
         - ansible_os_family == "RedHat"
         - ansible_distribution_major_version == "7"
-          
+
-    - include_role:
+    - ansible.builtin.include_role:
         name: dev-sec.mysql
 
-    - name: include MySQL user prepare tasks
+    - name: Include MySQL user prepare tasks
-      include_tasks: prepare_tasks/mysql_users.yml
+      ansible.builtin.include_tasks: prepare_tasks/mysql_users.yml
-  vars:
-    overwrite_global_mycnf: false
-    mysql_root_password: iloverandompasswordsbutthiswilldo
-    mysql_user_password: iloverandompasswordsbutthiswilldo
-    mysql_config_file: /etc/mysql/mariadb.cnf
-    mysql_root_password_update: true

molecule/mysql_hardening/prepare_tasks/mysql_users.yml

@@ -1,5 +1,5 @@
 ---
-- name: create users for test
+- name: Create users for test
   community.mysql.mysql_query:
     query:
       - "CREATE USER 'user'@'delete';"
@@ -23,10 +23,10 @@
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   register: mysql_role_support
 
-- name: create roles for test
+- name: Create roles for test
   community.mysql.mysql_query:
     query:
-       - "CREATE ROLE 'role_keep';"
+      - "CREATE ROLE 'role_keep';"
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   when:
     - mysql_role_support.rowcount[0] > 0

molecule/mysql_hardening/verify.yml

@@ -8,23 +8,23 @@
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
     - name: Use Python 3 on Suse
-      set_fact:
+      ansible.builtin.set_fact:
         ansible_python_interpreter: /usr/bin/python3
       when:
         - ansible_os_family == 'Suse'
 
     - name: install procps for debian systems
-      apt:
+      ansible.builtin.apt:
         name: procps
         state: present
         update_cache: true
       when: ansible_distribution == 'Debian'
 
     - name: include tests for the service
-      include_tasks: verify_tasks/service.yml
+      ansible.builtin.include_tasks: verify_tasks/service.yml
 
     - name: include tests for MySQL user
-      include_tasks: verify_tasks/mysql_users.yml
+      ansible.builtin.include_tasks: verify_tasks/mysql_users.yml
 
 - name: Verify
   hosts: localhost
@@ -34,7 +34,7 @@
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
     - name: Execute cinc-auditor tests
-      command: >
+      ansible.builtin.command: >
         docker run
         --volume /run/docker.sock:/run/docker.sock
         docker.io/cincproject/auditor exec
@@ -46,10 +46,10 @@
       ignore_errors: true
 
     - name: Display details about the cinc-auditor results
-      debug:
+      ansible.builtin.debug:
         msg: "{{ test_results.stdout_lines }}"
 
     - name: Fail when tests fail
-      fail:
+      ansible.builtin.fail:
         msg: "Inspec failed to validate"
       when: test_results.rc != 0

molecule/mysql_hardening/verify_tasks/mysql_users.yml

@@ -6,11 +6,11 @@
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   register: mysql_users
 
-- name: create list of users from mysql query
+- name: Create list of users from mysql query
-  set_fact:
+  ansible.builtin.set_fact:
     mysql_users_list: "{{ mysql_users.query_result.0  | json_query('[*].users') | list }}"
 
-- name: assert that only accounts with password remain
+- name: Assert that only accounts with password remain
   ansible.builtin.assert:
     that:
       - '"user@delete" not in mysql_users_list'
@@ -33,9 +33,9 @@
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   register: mysql_role_support
 
-- name: assert that roles remain
+- name: Assert that roles remain
   ansible.builtin.assert:
     that:
-       - '"role_keep@" in mysql_users_list'
+      - '"role_keep@" in mysql_users_list'
   when:
     - mysql_role_support.rowcount[0] > 0

molecule/mysql_hardening/verify_tasks/service.yml

@@ -10,7 +10,7 @@
   ansible.builtin.service_facts:
 
 - name: Check if MySQL is running and enabled
-  assert:
+  ansible.builtin.assert:
     that:
       - "ansible_facts.services[mysql_daemon + '.service'].state == 'running'"
       - "ansible_facts.services[mysql_daemon + '.service'].status == 'enabled'"

molecule/nginx_hardening/converge.yml

@@ -1,9 +1,7 @@
 ---
-- name: wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
+- name: Wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
   become: true
   hosts: all
-  collections:
-    - devsec.hardening
   environment:
     http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
@@ -13,4 +11,4 @@
     - nginx_ppa_version: stable
   tasks:
     - include_role:
-        name: nginx_hardening
+        name: devsec.hardening.nginx_hardening

molecule/nginx_hardening/official-nginx-role-debian.yml

@@ -1,5 +1,5 @@
 ---
-- name: wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
+- name: Wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
   hosts: localhost
   vars:
     - nginx_main_template_enable: true

molecule/nginx_hardening/official-nginx-role-redhat.yml

@@ -1,5 +1,5 @@
 ---
-- name: wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
+- name: Wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
   hosts: localhost
   roles:
     - nginxinc.nginx

molecule/nginx_hardening/prepare.yml

@@ -20,7 +20,7 @@
       ignore_errors: true  # noqa ignore-errors
 
     - name: Set correct distribution Version for Amazon Linux
-      set_fact:
+      ansible.builtin.set_fact:
         ansible_distribution_major_version: 7
       when: ansible_distribution == 'Amazon'
 

molecule/nginx_hardening/verify.yml

@@ -7,8 +7,8 @@
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
-    - name: install procps for debian systems
+    - name: Install procps for debian systems
-      apt:
+      ansible.builtin.apt:
         name: procps
         state: present
         update_cache: true
@@ -22,7 +22,7 @@
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
     - name: Execute cinc-auditor tests
-      command: >
+      ansible.builtin.command: >
         docker run
         --volume /run/docker.sock:/run/docker.sock
         docker.io/cincproject/auditor exec
@@ -34,10 +34,10 @@
       ignore_errors: true
 
     - name: Display details about the cinc-auditor results
-      debug:
+      ansible.builtin.debug:
         msg: "{{ test_results.stdout_lines }}"
 
     - name: Fail when tests fail
-      fail:
+      ansible.builtin.fail:
         msg: "Inspec failed to validate"
       when: test_results.rc != 0

molecule/os_hardening/converge.yml

@@ -10,7 +10,7 @@
     - devsec.hardening
   tasks:
     - name: workaround for https://github.com/ansible/ansible/issues/66304
-      set_fact:
+      ansible.builtin.set_fact:
         ansible_virtualization_type: "docker"
     - include_role:
         name: os_hardening
@@ -84,7 +84,7 @@
 #      when: ansible_facts.distribution == 'Fedora'
 #
 #    - name: Run the equivalent of "apt-get update" as a separate step
-#      apt:
+#      ansible.builtin.apt:
 #        update_cache: yes
 #      when: ansible_facts.os_family == 'Debian'
 #

molecule/os_hardening/prepare.yml

@@ -8,12 +8,12 @@
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
     - name: set ansible_python_interpreter to "/usr/bin/python3" on fedora
-      set_fact:
+      ansible.builtin.set_fact:
         ansible_python_interpreter: "/usr/bin/python3"
       when: ansible_facts.distribution == 'Fedora'
 
     - name: Run the equivalent of "apt-get update && apt-get upgrade"
-      apt:
+      ansible.builtin.apt:
         name: "*"
         state: latest
         update_cache: true
@@ -21,11 +21,11 @@
 
     - name: install required tools on SuSE
       # cannot use zypper module, since it depends on python-xml
-      shell: "zypper -n install python-xml awk"
+      ansible.builtin.shell: "zypper -n install python-xml awk"
       when: ansible_facts.os_family == 'Suse'
 
     - name: install required tools on fedora
-      dnf:
+      ansible.builtin.dnf:
         name:
           - python
           - findutils
@@ -41,7 +41,7 @@
       when: ansible_facts.os_family == 'Archlinux'
 
     - name: install required tools on RHEL  # noqa ignore-errors
-      yum:
+      ansible.builtin.yum:
         name:
           - openssh-clients
           - openssh
@@ -50,11 +50,11 @@
       ignore_errors: true
 
     - name: create recursing symlink to test minimize access
-      shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
+      ansible.builtin.shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
       changed_when: false
 
     - name: include YUM prepare tasks
-      include_tasks: prepare_tasks/yum.yml
+      ansible.builtin.include_tasks: prepare_tasks/yum.yml
       when: ansible_facts.os_family == 'RedHat'
 
     - name: include preparation tasks

molecule/os_hardening/verify.yml

@@ -7,12 +7,12 @@
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
-    - name: set ansible_python_interpreter to "/usr/bin/python3"
+    - name: Set ansible_python_interpreter to "/usr/bin/python3"
-      set_fact:
+      ansible.builtin.set_fact:
         ansible_python_interpreter: "/usr/bin/python3"
       when: ansible_facts.distribution == 'Fedora'
 
-    - name: include verification tasks
+    - name: Include verification tasks
       ansible.builtin.include_tasks:
         file: "{{ item }}"
       loop: 
@@ -22,12 +22,12 @@
         - verify_tasks/ignore_home_folders.yml
 
 # temp. disabled - https://github.com/dev-sec/ansible-collection-hardening/issues/690
-#    - name: include PAM tests
+#    - name: Include PAM tests
-#      include_tasks: verify_tasks/pam.yml
+#      ansible.builtin.include_tasks: verify_tasks/pam.yml
 #      when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'
 
-    - name: include YUM tests
+    - name: Include YUM tests
-      include_tasks: verify_tasks/yum.yml
+      ansible.builtin.include_tasks: verify_tasks/yum.yml
       when: ansible_facts.os_family == 'RedHat'
 
 - name: Verify
@@ -38,7 +38,7 @@
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
     - name: Execute cinc-auditor tests
-      command: >
+      ansible.builtin.command: >
         docker run
         --volume /run/docker.sock:/run/docker.sock
         --volume {{ playbook_dir }}/waivers.yaml:/waivers.yaml
@@ -52,11 +52,11 @@
       ignore_errors: true
 
     - name: Display details about the cinc-auditor results
-      debug:
+      ansible.builtin.debug:
         msg: "{{ test_results.stdout_lines }}"
 
     - name: Fail when tests fail
-      fail:
+      ansible.builtin.fail:
         msg: "Inspec failed to validate"
       when: test_results.rc != 0
 
@@ -72,7 +72,7 @@
   tasks:
     # test if variable can be overridden
     - name: workaround for https://github.com/ansible/ansible/issues/66304
-      set_fact:
+      ansible.builtin.set_fact:
         ansible_virtualization_type: "docker"
         os_env_umask: "027 #override"
 
@@ -80,6 +80,6 @@
         name: os_hardening
 
     - name: verify os_env_umask
-      shell:
+      ansible.builtin.shell:
         cmd: "grep '027 #override' /etc/login.defs"
       changed_when: false

molecule/os_hardening/verify_tasks/netrc.yml

@@ -1,18 +1,18 @@
 ---
-- name: test that .netrc in root homedir exists
+- name: Test that .netrc in root homedir exists
   ansible.builtin.file:
     path: '/root/.netrc'
     state: file
   register: result_test_netrc
 
-- name: output result if .netrc for user root exists
+- name: Output result if .netrc for user root exists
   ansible.builtin.assert:
     that:
       - "result_test_netrc.state == 'file'"
     fail_msg: ".netrc in /root/ not present"
     success_msg: ".netrc exists in /root/"
 
-- name: delete '.netrc' in /root
+- name: Delete '.netrc' in /root
   ansible.builtin.file:
     path: '/root/.netrc'
     state: absent

molecule/os_hardening/verify_tasks/pam.yml

@@ -14,11 +14,11 @@
     executable: /usr/bin/pip3
 
 - name: set password for test
-  set_fact:
+  ansible.builtin.set_fact:
     test_pw: "myTest!pw"
 
 - name: set locale for test
-  set_fact:
+  ansible.builtin.set_fact:
     locale: "en_US.UTF-8"
   when:
     - ansible_facts.os_family == 'RedHat'
@@ -30,7 +30,7 @@
     password: "{{ test_pw | password_hash('sha512') }}"
 
 - name: check successful login with correct password
-  shell:
+  ansible.builtin.shell:
     cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
   environment:
     TMPDIR: /var/tmp
@@ -38,7 +38,7 @@
     LANG: "{{ locale | default('C.UTF-8') }}"
 
 - name: check unsuccessful login with incorrect password
-  shell:
+  ansible.builtin.shell:
     cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
   environment:
     TMPDIR: /var/tmp
@@ -47,7 +47,7 @@
   with_sequence: count=6
 
 - name: check unsuccessful login, with correct password (lockout)
-  shell:
+  ansible.builtin.shell:
     cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }} --expectfail"
   environment:
     TMPDIR: /var/tmp
@@ -59,7 +59,7 @@
     seconds: 20
 
 - name: check successful login
-  shell:
+  ansible.builtin.shell:
     cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
   environment:
     TMPDIR: /var/tmp

molecule/os_hardening/verify_tasks/sys_account_shell.yml

@@ -3,6 +3,6 @@
     database: passwd
 
 - name: Check that shell_sys_acc's shell is still bash
-  assert:
+  asansible.builtin.assertsert:
     that:
       - getent_passwd['shell_sys_acc'][5] == "/bin/bash"

molecule/os_hardening/verify_tasks/yum.yml

@@ -1,8 +1,8 @@
 ---
-- name: verify 'gpgcheck' was not enabled for 'foo' repository (in whitelist)
+- name: Verify 'gpgcheck' was not enabled for 'foo' repository (in whitelist)
   command: grep -e 'gpgcheck\s*=\s*0' /etc/yum.repos.d/foo.repo
   changed_when: false
 
-- name: verify 'gpgcheck' was enabled for 'bar' repository (not in whitelist)
+- name: Verify 'gpgcheck' was enabled for 'bar' repository (not in whitelist)
   command: grep -e 'gpgcheck\s*=\s*1' /etc/yum.repos.d/bar.repo
   changed_when: false

molecule/os_hardening_vm/converge.yml

@@ -10,14 +10,14 @@
     - devsec.hardening
   tasks:
     - name: override for arch
-      set_fact: 
+      ansible.builtin.set_fact: 
         os_mnt_boot_enabled: false
         os_mnt_tmp_enabled: true
         os_mnt_tmp_src: "tmpfs"
         os_mnt_tmp_filesystem: "tmpfs"
       when: ansible_facts.os_family == 'Archlinux'
     - name: overrides for Fedora image
-      set_fact: 
+      ansible.builtin.set_fact: 
         os_mnt_tmp_enabled: true
         os_mnt_tmp_src: "tmpfs"
         os_mnt_tmp_filesystem: "tmpfs"

molecule/os_hardening_vm/prepare.yml

@@ -8,22 +8,22 @@
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
     - name: set ansible_python_interpreter to "/usr/bin/python3" on fedora
-      set_fact:
+      ansible.builtin.set_fact:
         ansible_python_interpreter: "/usr/bin/python3"
       when: ansible_facts.distribution == 'Fedora'
 
     - name: Run the equivalent of "apt-get update && apt-get upgrade"
-      apt:
+      ansible.builtin.apt:
         update_cache: true
       when: ansible_os_family == 'Debian'
 
     - name: install required tools on SuSE
       # cannot use zypper module, since it depends on python-xml
-      shell: "zypper -n install python-xml"
+      ansible.builtin.shell: "zypper -n install python-xml"
       when: ansible_facts.os_family == 'Suse'
 
     - name: install required tools on fedora
-      dnf:
+      ansible.builtin.dnf:
         name:
           - python
           - findutils
@@ -39,7 +39,7 @@
       when: ansible_facts.os_family == 'Archlinux'
 
     - name: install required tools on RHEL  # noqa ignore-errors
-      yum:
+      ansible.builtin.yum:
         name:
           - openssh-clients
           - openssh
@@ -48,7 +48,7 @@
       ignore_errors: true
 
     - name: create recursing symlink to test minimize access
-      shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
+      sheansible.builtin.shellll: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
       changed_when: false
 
     - name: Unmount EFI partition to get rid of vfat filesystem (qemu has no firmware image that inspec can detect)
@@ -58,5 +58,5 @@
       when: ansible_facts.distribution == 'Fedora'
 
     - name: include YUM prepare tasks
-      include_tasks: prepare_tasks/yum.yml
+      ansible.builtin.include_tasks: prepare_tasks/yum.yml
       when: ansible_facts.os_family == 'RedHat'

molecule/os_hardening_vm/prepare_tasks/yum.yml

@@ -1,5 +1,5 @@
 ---
-- name: create 'foo' repository
+- name: Create 'foo' repository
   ansible.builtin.yum_repository:
     name: foo
     description: mandatory description
@@ -7,7 +7,7 @@
     enabled: false
     gpgcheck: false
 
-- name: create 'bar' repository
+- name: Create 'bar' repository
   ansible.builtin.yum_repository:
     name: bar
     description: mandatory description

molecule/os_hardening_vm/verify.yml

@@ -9,12 +9,12 @@
   tasks:
 
 # temp. disabled - https://github.com/dev-sec/ansible-collection-hardening/issues/690
-#    - name: include PAM tests
+#    - name: Include PAM tests
-#      include_tasks: verify_tasks/pam.yml
+#      ansible.builtin.include_tasks: verify_tasks/pam.yml
 #      when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'
 
-    - name: include YUM tests
+    - name: Include YUM tests
-      include_tasks: verify_tasks/yum.yml
+      ansible.builtin.include_tasks: verify_tasks/yum.yml
       when: ansible_facts.os_family == 'RedHat'
 
 - name: Verify
@@ -24,21 +24,21 @@
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
-    - name: get ssh-config
+    - name: Get ssh-config
-      command:
+      ansible.builtin.command:
         cmd: "vagrant ssh-config"
         chdir: "{{ molecule_ephemeral_directory }}"
       register: ssh_config
       changed_when: false
 
-    - name: create ssh-config file
+    - name: Create ssh-config file
       copy:
         content: "{{ ssh_config.stdout_lines | join ('\n') }}"
         dest: "{{ molecule_ephemeral_directory }}/ssh-config"
       changed_when: false
 
     - name: Execute cinc-auditor tests
-      command: >
+      ansible.builtin.command: >
         docker run
         --volume {{ molecule_ephemeral_directory }}:{{ molecule_ephemeral_directory }}
         docker.io/cincproject/auditor exec
@@ -51,10 +51,10 @@
       ignore_errors: true
 
     - name: Display details about the cinc-auditor results
-      debug:
+      ansible.builtin.debug:
         msg: "{{ test_results.stdout_lines }}"
 
     - name: Fail when tests fail
-      fail:
+      ansible.builtin.fail:
         msg: "Inspec failed to validate"
       when: test_results.rc != 0

molecule/os_hardening_vm/verify_tasks/pam.yml

@@ -12,11 +12,11 @@
     state: present
 
 - name: set password for test
-  set_fact:
+  ansible.builtin.set_fact:
     test_pw: "myTest!pw"
 
 - name: set locale for test
-  set_fact:
+  ansible.builtin.set_fact:
     locale: "en_US.UTF-8"
   when:
     - ansible_facts.os_family == 'RedHat'
@@ -28,7 +28,7 @@
     password: "{{ test_pw | password_hash('sha512') }}"
 
 - name: check successful login with correct password
-  shell:
+  ansible.builtin.shell:
     cmd: "pam-tester --user testuser --password {{ test_pw }}"
   environment:
     TMPDIR: /var/tmp
@@ -36,7 +36,7 @@
     LANG: "{{ locale | default('C.UTF-8') }}"
 
 - name: check unsuccessful login with incorrect password
-  shell:
+  ansible.builtin.shell:
     cmd: "pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
   environment:
     TMPDIR: /var/tmp
@@ -45,7 +45,7 @@
   with_sequence: count=6
 
 - name: check unsuccessful login, with correct password (lockout)
-  shell:
+  ansible.builtin.shell:
     cmd: "pam-tester --user testuser --password {{ test_pw }} --expectfail"
   environment:
     TMPDIR: /var/tmp
@@ -57,7 +57,7 @@
     seconds: 20
 
 - name: check successful login
-  shell:
+  ansible.builtin.shell:
     cmd: "pam-tester --user testuser --password {{ test_pw }}"
   environment:
     TMPDIR: /var/tmp

molecule/os_hardening_vm/verify_tasks/yum.yml

@@ -1,8 +1,8 @@
 ---
 - name: verify 'gpgcheck' was not enabled for 'foo' repository (in whitelist)
-  command: grep -e 'gpgcheck\s*=\s*0' /etc/yum.repos.d/foo.repo
+  ansible.builtin.command: grep -e 'gpgcheck\s*=\s*0' /etc/yum.repos.d/foo.repo
   changed_when: false
 
 - name: verify 'gpgcheck' was enabled for 'bar' repository (not in whitelist)
-  command: grep -e 'gpgcheck\s*=\s*1' /etc/yum.repos.d/bar.repo
+  ansible.builtin.command: grep -e 'gpgcheck\s*=\s*1' /etc/yum.repos.d/bar.repo
   changed_when: false

molecule/ssh_hardening/converge.yml

@@ -1,14 +1,12 @@
 ---
-- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
+- name: Wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
   hosts: all
   environment:
     http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
-  collections:
-    - devsec.hardening
   tasks:
     - include_role:
-        name: ssh_hardening
+        name: devsec.hardening.ssh_hardening
   vars:
     sftp_enabled: false

molecule/ssh_hardening/prepare.yml

@@ -8,12 +8,12 @@
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
     - name: use python3
-      set_fact:
+      ansible.builtin.set_fact:
         ansible_python_interpreter: /usr/bin/python3
       when: ansible_facts.distribution == 'Fedora'
 
     - name: install packages  # noqa ignore-errors
-      yum:
+      ansible.builtin.yum:
         name:
           - openssh-clients
           - openssh-server
@@ -23,7 +23,7 @@
       ignore_errors: true
 
     - name: install packages  # noqa ignore-errors
-      dnf:
+      ansible.builtin.dnf:
         name:
           - openssh-clients
           - openssh-server
@@ -33,7 +33,7 @@
       ignore_errors: true
 
     - name: install packages  # noqa ignore-errors
-      apt:
+      ansible.builtin.apt:
         name:
           - openssh-client
           - openssh-server
@@ -43,7 +43,7 @@
 
     - name: install required tools on SuSE
       # cannot use zypper module, since it depends on python-xml
-      shell: "zypper -n install python-xml"
+      ansible.builtin.shell: "zypper -n install python-xml"
       when: ansible_facts.os_family == 'Suse'
 
     - name: install packages
@@ -67,7 +67,7 @@
         state: directory
 
     - name: create ssh host keys  # noqa ignore-errors
-      command: "ssh-keygen -A"
+      ansible.builtin.command: "ssh-keygen -A"
       when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
             ansible_facts.distribution == "Fedora" or
             ansible_facts.distribution == "Amazon" or

molecule/ssh_hardening/verify.yml

@@ -7,7 +7,7 @@
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
     - name: Execute cinc-auditor tests
-      command: >
+      ansible.builtin.command: >
         docker run
         --volume /run/docker.sock:/run/docker.sock
         docker.io/cincproject/auditor exec
@@ -19,10 +19,10 @@
       ignore_errors: true
 
     - name: Display details about the cinc-auditor results
-      debug:
+      ansible.builtin.debug:
         msg: "{{ test_results.stdout_lines }}"
 
     - name: Fail when tests fail
-      fail:
+      ansible.builtin.fail:
         msg: "Inspec failed to validate"
       when: test_results.rc != 0

molecule/ssh_hardening_bsd/converge.yml

@@ -1,14 +1,12 @@
 ---
-- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
+- name: Wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
   hosts: all
   environment:
     http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
-  collections:
-    - devsec.hardening
   tasks:
     - include_role:
-        name: ssh_hardening
+        name: devsec.hardening.ssh_hardening
   vars:
     sftp_enabled: false

molecule/ssh_hardening_bsd/prepare.yml

@@ -1,15 +1,15 @@
 ---
-- name: prepare OpenBSD host
+- name: Prepare OpenBSD host
   hosts: all
   become: true
   gather_facts: false
   tasks:
-    - name: install python
+    - name: Install python
       # BSDs are special for Ansible - https://docs.ansible.com/ansible/latest/os_guide/intro_bsd.html
       raw: "pkg_add python%3.10"
       when: "lookup('env', 'MOLECULE_DISTRO') == 'openbsd7'"
 
-- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
+- name: Wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
   hosts: all
   become: true
   environment:
@@ -17,13 +17,13 @@
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
-    - name: created needed directory
+    - name: Created needed directory
       file:
         path: "/var/run/sshd"
         state: directory
 
-    - name: create ssh host keys  # noqa ignore-errors
+    - name: Create ssh host keys  # noqa ignore-errors
-      command: "ssh-keygen -A"
+      ansible.builtin.command: "ssh-keygen -A"
       when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
             ansible_facts.distribution == "Fedora" or
             ansible_facts.distribution == "Amazon" or

molecule/ssh_hardening_bsd/verify.yml

@@ -3,7 +3,7 @@
   hosts: all
   become: true
   tasks:
-    - name: use the type command instead of which to detect existing commands
+    - name: Use the type command instead of which to detect existing commands
       file:
         src: "/usr/bin/which"
         dest: "/usr/bin/type"
@@ -17,21 +17,21 @@
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
-    - name: get ssh-config
+    - name: Get ssh-config
-      command: 
+      ansible.builtin.command: 
         cmd: "vagrant ssh-config"
         chdir: "{{ molecule_ephemeral_directory }}"
       register: ssh_config
       changed_when: false
 
-    - name: create ssh-config file
+    - name: Create ssh-config file
       copy:
         content: "{{ ssh_config.stdout_lines | join ('\n') }}"
         dest: "{{ molecule_ephemeral_directory }}/ssh-config"
       changed_when: false
 
     - name: Execute cinc-auditor tests
-      command: >
+      ansible.builtin.command: >
         docker run
         --volume {{ molecule_ephemeral_directory }}:{{ molecule_ephemeral_directory }}
         --volume ./waivers_{{ lookup('env', 'MOLECULE_DISTRO') }}.yaml:/waivers.yaml
@@ -46,10 +46,10 @@
       ignore_errors: true
 
     - name: Display details about the cinc-auditor results
-      debug:
+      ansible.builtin.debug:
         msg: "{{ test_results.stdout_lines }}"
 
     - name: Fail when tests fail
-      fail:
+      ansible.builtin.fail:
         msg: "Inspec failed to validate"
       when: test_results.rc != 0

molecule/ssh_hardening_custom_tests/prepare.yml

@@ -1,5 +1,5 @@
 ---
-- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
+- name: Wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
   hosts: all
   become: true
   environment:
@@ -7,13 +7,13 @@
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
-    - name: use python3
+    - name: Use python3
-      set_fact:
+      ansible.builtin.set_fact:
         ansible_python_interpreter: /usr/bin/python3
       when: ansible_facts.distribution == 'Fedora'
 
-    - name: install packages  # noqa ignore-errors
+    - name: Install packages  # noqa ignore-errors
-      yum:
+      ansible.builtin.yum:
         name:
           - openssh-clients
           - openssh-server
@@ -22,8 +22,8 @@
         update_cache: true
       ignore_errors: true
 
-    - name: install packages  # noqa ignore-errors
+    - name: Install packages  # noqa ignore-errors
-      dnf:
+      ansible.builtin.dnf:
         name:
           - openssh-clients
           - openssh-server
@@ -32,8 +32,8 @@
         update_cache: true
       ignore_errors: true
 
-    - name: install packages  # noqa ignore-errors
+    - name: Install packages  # noqa ignore-errors
-      apt:
+      ansible.builtin.apt:
         name:
           - openssh-client
           - openssh-server
@@ -41,18 +41,18 @@
         update_cache: true
       ignore_errors: true
 
-    - name: install required tools on SuSE
+    - name: Install required tools on SuSE
       # cannot use zypper module, since it depends on python-xml
-      shell: "zypper -n install python-xml"
+      ansible.builtin.shell: "zypper -n install python-xml"
       when: ansible_facts.os_family == 'Suse'
 
-    - name: install packages
+    - name: Install packages
       zypper:
         name:
           - "openssh"
       when: ansible_facts.os_family == 'Suse'
 
-    - name: install required tools on Arch
+    - name: Install required tools on Arch
       pacman:
         name:
           - openssh
@@ -61,13 +61,13 @@
         update_cache: true
       when: ansible_facts.os_family == 'Archlinux'
 
-    - name: created needed directory
+    - name: Created needed directory
       file:
         path: "/var/run/sshd"
         state: directory
 
-    - name: create ssh host keys  # noqa ignore-errors
+    - name: Create ssh host keys  # noqa ignore-errors
-      command: "ssh-keygen -A"
+      ansible.builtin.command: "ssh-keygen -A"
       when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
             ansible_facts.distribution == "Fedora" or
             ansible_facts.distribution == "Amazon" or