From 4d48ae5b5db7e0e63ec3775ddc0816dc0ebb17ab Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Oct 2022 15:03:46 +0100 Subject: [PATCH] lint updates Signed-off-by: Mark Bolwell --- .ansible-lint | 3 +++ .yamllint | 5 +---- meta/main.yml | 3 ++- site.yml | 2 +- tasks/fix-cat1.yml | 6 +++--- tasks/fix-cat2.yml | 20 ++++++++++---------- vars/main.yml | 2 +- 7 files changed, 21 insertions(+), 20 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 0aa54448..16e2ebb2 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -6,6 +6,9 @@ skip_list: - 'no-changed-when' - 'var-spacing' - 'fqcn-builtins' + - 'experimental' + - 'name[casing]' + - 'name[template]' - '204' - '305' - '303' diff --git a/.yamllint b/.yamllint index 693eec6c..a3c37e1c 100644 --- a/.yamllint +++ b/.yamllint @@ -14,16 +14,13 @@ rules: spaces: 4 # Requiring consistent indentation within a file, either indented or not indent-sequences: consistent - truthy: disable + level: error braces: max-spaces-inside: 1 level: error brackets: max-spaces-inside: 1 level: error - indentation: - indent-sequences: consistent - level: error line-length: disable key-duplicates: enable new-line-at-end-of-file: enable diff --git a/meta/main.yml b/meta/main.yml index a6042839..22851f9a 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -4,7 +4,8 @@ galaxy_info: description: "Apply the DISA RHEL 8 STIG" company: "MindPoint Group" license: MIT - # role_name: rhel8_stig + role_name: rhel8_stig + namespace: mindpointgroup min_ansible_version: '2.9.0' platforms: - name: EL diff --git a/site.yml b/site.yml index 379549f7..c56b473f 100644 --- a/site.yml +++ b/site.yml @@ -1,5 +1,5 @@ --- -- hosts: all +- hosts: all # noqa: name[play] become: true roles: diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 48d83fa8..a1f61da8 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
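Review bot: The three new `skip_list` entries in `.ansible-lint` (`'experimental'`, `'name[casing]'`, `'name[template]'`) switch those checks off for every file in the role. `'experimental'` looks like a whole tag rather than a single rule, so rules added under it later would be skipped without anyone seeing them. For a STIG hardening role it is safer to keep findings visible: moving the entries to `warn_list` still prints them without failing the run. A targeted `# noqa:`, as this commit already uses in site.yml and tasks/fix-cat2.yml, covers the places where a rule really does not apply. If the global skips stay, a one-line comment above each entry saying why would help the next reviewer.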
@@ -18,9 +18,9 @@ block: - name: "HIGH | RHEL-08-010020 | PATCH | The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | install FIPS" package: - name: - - dracut-fips - - crypto-policies-scripts + name: + - dracut-fips + - crypto-policies-scripts state: present notify: - rebuild initramfs diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 8b133086..2911a793 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -85,7 +85,7 @@ - name: | "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message"" "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Set banner message"" - copy: + copy: # noqa: template-instead-of-copy dest: "{{ item }}" content: "{{ rhel8stig_logon_banner }}" owner: root @@ -133,7 +133,7 @@ - banner - name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon." - copy: + copy: # noqa: template-instead-of-copy dest: /etc/dconf/db/local.d/01-banner-message content: | [org/gnome/login-screen] 
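Review bot: The `# noqa: template-instead-of-copy` added to `copy:` in the banner task (hunk at -85), and again in the graphical-logon banner task (hunk at -133), silences the rule without recording why that is acceptable. A short comment above each task would keep the reasoning with the code, for example `# banner text is supplied inline or by a role variable; no separate template file is kept`. Both tasks continue outside their hunks, and only the first shows `owner: root`. While touching them, it is worth confirming that each sets an explicit `owner`, `group` and `mode`, since these files are shown to every user at logon.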
@@ -295,11 +295,11 @@ "MEDIUM | RHEL-08-010141 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance." "MEDIUM | RHEL-08-010149 | PATCH | RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes." template: - src: 01_users.j2 - dest: /etc/grub.d/01_users - owner: root - group: root - mode: 0644 + src: 01_users.j2 + dest: /etc/grub.d/01_users + owner: root + group: root + mode: 0644 notify: confirm grub2 user cfg when: - rhel_08_010141 or @@ -771,9 +771,9 @@ "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Add ssh ciphers" "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Add ssh ciphers" lineinfile: - path: /etc/crypto-policies/back-ends/opensshserver.config - regexp: '^CRYPTO_POLICY=' - line: CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}' + path: /etc/crypto-policies/back-ends/opensshserver.config + regexp: '^CRYPTO_POLICY=' + line: CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}' notify: change_requires_reboot when: - rhel_08_010290 or diff --git a/vars/main.yml b/vars/main.yml index f5f5c7c4..6f058f6f 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,5 +1,5 @@ --- -rhel8stig_min_ansible_version: 2.6 +rhel8stig_min_ansible_version: 2.9.0 rhel8stig_dconf_available: "{{ rhel8stig_gui or rhel8stig_dconf_audit.rc == 0 or rhel8stig_always_configure_dconf }}"
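Review bot: The re-indented `mode: 0644` in the `template` task for `/etc/grub.d/01_users` (hunk at -295) is still an unquoted number, so it relies on the YAML loader reading it as octal. Writing it as a string, `mode: '0644'`, removes that dependency. Separately, files under `/etc/grub.d` are normally scripts that grub2-mkconfig runs only when they are executable, so please confirm that a non-executable 0644 is intended. If the file is skipped, the superusers setting this task is meant to enforce would presumably not reach the generated grub.cfg. The task continues outside the hunk.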