diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml
index 64a461f06..1e3fc1333 100644
--- a/.github/workflows/ansible-lint.yml
+++ b/.github/workflows/ansible-lint.yml
@@ -15,43 +15,4 @@ jobs:
 # replace "master" with any valid ref
 uses: ansible/ansible-lint-action@main
 with:
- # [required]
- # Paths to ansible files (i.e., playbooks, tasks, handlers etc..)
- # or valid Ansible directories according to the Ansible role
- # directory structure.
- # If you want to lint multiple ansible files, use the following syntax
- # targets: |
- # playbook_1.yml
- # playbook_2.yml
- targets: "roles/"
- # [optional]
- # Arguments to override a package and its version to be set explicitly.
- # Must follow the example syntax.
- # override-deps: |
- # ansible==2.9
- # ansible-lint==4.2.0
- override-deps: |
- rich>=9.5.1,<11.0.0
- # [optional]
- # Arguments to be passed to the ansible-lint
-
- # Options:
- # -q quieter, although not silent output
- # -p parseable output in the format of pep8
- # --parseable-severity parseable output including severity of rule
- # -r RULESDIR specify one or more rules directories using one or
- # more -r arguments. Any -r flags override the default
- # rules in ansiblelint/rules, unless -R is also used.
- # -R Use default rules in ansiblelint/rules in addition to
- # any extra
- # rules directories specified with -r. There is no need
- # to specify this if no -r flags are used
- # -t TAGS only check rules whose id/tags match these values
- # -x SKIP_LIST only check rules whose id/tags do not match these
- # values
- # --nocolor disable colored output
- # --exclude=EXCLUDE_PATHS
- # path to directories or files to skip. This option is
- # repeatable.
- # -c C Specify configuration file to use. Defaults to ".ansible-lint"
- args: ""
+ path: "roles/"
diff --git a/galaxy.yml b/galaxy.yml
index 6bfbf80e1..984b5bc25 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,3 +1,4 @@
+---
 namespace: devsec
 name: hardening
 version: 8.0.0
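Review bot: The lint step is still consumed from a mutable branch, `uses: ansible/ansible-lint-action@main`, even though this hunk has to rewrite the step's inputs (`targets:`/`args:`/`override-deps:` replaced by `path: "roles/"`) precisely because that branch changed its interface; a workflow tracking `main` will silently pick up the next interface change and any malicious commit that lands on that branch. Pin the action to a release tag or, better, a full commit SHA with the version in a trailing comment, e.g. `uses: ansible/ansible-lint-action@<full-commit-sha> # <release-tag>`, and let Dependabot or Renovate bump it. Note also that removing `override-deps` drops the only explicit version constraint that was left (`rich>=9.5.1,<11.0.0`), so lint results now depend entirely on what the unpinned action resolves at run time. The `jobs:` block this step belongs to starts above the hunk.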
diff --git a/roles/mysql_hardening/meta/main.yml b/roles/mysql_hardening/meta/main.yml
index 5eb980c8f..df33c6212 100644
--- a/roles/mysql_hardening/meta/main.yml
+++ b/roles/mysql_hardening/meta/main.yml
@@ -8,15 +8,17 @@ galaxy_info:
 platforms:
 - name: EL
 versions:
- - 6
- - 7
+ - "7"
+ - "8"
 - name: Ubuntu
 versions:
- - xenial
 - bionic
+ - focal
+ - jammy
 - name: Debian
 versions:
- - jessie
+ - bullseye
+ - buster
 - name: Amazon
 - name: Fedora
 galaxy_tags:
diff --git a/roles/nginx_hardening/meta/main.yml b/roles/nginx_hardening/meta/main.yml
index 028c96b5b..932f9be59 100644
--- a/roles/nginx_hardening/meta/main.yml
+++ b/roles/nginx_hardening/meta/main.yml
@@ -8,15 +8,15 @@ galaxy_info:
 platforms:
 - name: EL
 versions:
- - 6
- - 7
+ - "7"
+ - "8"
 - name: Ubuntu
 versions:
- - xenial
 - bionic
+ - focal
+ - jammy
 - name: Debian
 versions:
- - stretch
 - buster
 - bullseye
 galaxy_tags:
diff --git a/roles/os_hardening/meta/main.yml b/roles/os_hardening/meta/main.yml
index 232827636..590897ab5 100644
--- a/roles/os_hardening/meta/main.yml
+++ b/roles/os_hardening/meta/main.yml
@@ -8,22 +8,22 @@ galaxy_info:
 platforms:
 - name: EL
 versions:
- - 7
- - 8
+ - "7"
+ - "8"
 - name: Ubuntu
 versions:
- - xenial
 - bionic
+ - focal
+ - jammy
 - name: Debian
 versions:
- - stretch
 - buster
 - bullseye
 - name: Amazon
 - name: Fedora
- - name: Archlinux
+ - name: ArchLinux
 - name: SmartOS
- - name: openSUSE
+ - name: opensuse
 galaxy_tags:
 - system
 - security
diff --git a/roles/os_hardening/tasks/minimize_access.yml b/roles/os_hardening/tasks/minimize_access.yml
index e3f38fe88..2d3bbb365 100644
--- a/roles/os_hardening/tasks/minimize_access.yml
+++ b/roles/os_hardening/tasks/minimize_access.yml
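Review bot: The mysql_hardening hunk adds the Debian releases out of order, `+ - bullseye` before `+ - buster`, while the nginx_hardening and os_hardening hunks in this same diff list them in release order (`buster`, `bullseye`); keep the ordering consistent across the roles' meta files so the supported-platform lists can be compared at a glance. The same hunk also starts advertising EL `"8"` for mysql_hardening with no accompanying task or test change visible in this diff, so it is worth confirming the role's tasks and molecule scenarios actually cover EL 8 before Galaxy claims it. Lines 1–7 of each meta file (author, description, role_name) lie above these hunks.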
@@ -6,7 +6,7 @@
 # also see: https://github.com/dev-sec/ansible-os-hardening/issues/219
 - name: Find files with write-permissions for group
 shell: "find -L {{ item }} -perm /go+w -type f" # noqa command-instead-of-shell
- with_flattened:
+ with_community.general.flattened:
 - '/usr/local/sbin'
 - '/usr/local/bin'
 - '/usr/sbin'
diff --git a/roles/os_hardening/tasks/rhosts.yml b/roles/os_hardening/tasks/rhosts.yml
index 91e5c274d..8af938844 100644
--- a/roles/os_hardening/tasks/rhosts.yml
+++ b/roles/os_hardening/tasks/rhosts.yml
@@ -15,4 +15,3 @@
 file:
 dest: '/etc/hosts.equiv'
 state: 'absent'
-
diff --git a/roles/os_hardening/tasks/suid_sgid.yml b/roles/os_hardening/tasks/suid_sgid.yml
index 8b857db99..10ef8ab3b 100644
--- a/roles/os_hardening/tasks/suid_sgid.yml
+++ b/roles/os_hardening/tasks/suid_sgid.yml
@@ -6,7 +6,7 @@
 state: 'file'
 follow: 'yes'
 failed_when: false
- with_flattened:
+ with_community.general.flattened:
 - '{{ os_security_suid_sgid_system_blacklist }}'
 - '{{ os_security_suid_sgid_blacklist }}'
@@ -27,6 +27,6 @@
 mode: 'a-s'
 state: 'file'
 follow: 'yes'
- with_flattened:
+ with_community.general.flattened:
 - '{{ suid | default([]) | difference(os_security_suid_sgid_whitelist) }}'
 when: os_security_suid_sgid_remove_from_unknown | bool
diff --git a/roles/os_hardening/tasks/user_accounts.yml b/roles/os_hardening/tasks/user_accounts.yml
index f61397697..b7962fea9 100644
--- a/roles/os_hardening/tasks/user_accounts.yml
+++ b/roles/os_hardening/tasks/user_accounts.yml
@@ -43,7 +43,7 @@
 shell: '{{ os_nologin_shell_path }}'
 password: '*'
 createhome: false
- with_flattened:
+ with_community.general.flattened:
 - '{{ sys_accs_cond | default([]) | difference(os_ignore_users) | list }}'
 - name: get all home directories in /home, but skip ignored users
diff --git a/roles/ssh_hardening/meta/main.yml b/roles/ssh_hardening/meta/main.yml
index fa268e6b1..590897ab5 100644
--- a/roles/ssh_hardening/meta/main.yml
+++ b/roles/ssh_hardening/meta/main.yml
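Review bot: Switching `with_flattened:` to `with_community.general.flattened:` in minimize_access.yml (and likewise in the suid_sgid.yml and user_accounts.yml hunks) makes the os_hardening role hard-depend on the community.general collection just to flatten a list, which widens the role's supply chain and fails on hosts where only ansible-core is installed. The same result comes from core alone with `loop: "{{ ['/usr/local/sbin', '/usr/local/bin', '/usr/sbin'] | flatten }}"` (or `| flatten` over the blacklist/whitelist expressions in the other two files); if the collection lookup is kept on purpose, community.general should be declared as a dependency of this role or collection, which nothing visible in this diff does. While touching this task: `{{ item }}` is interpolated unquoted into `shell:`; the values here are fixed literal paths so there is no injection, but `{{ item | quote }}` costs nothing and keeps the pattern safe if the list is ever made a variable. The task body (register/changed_when) continues outside the hunk.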
@@ -8,21 +8,22 @@ galaxy_info:
 platforms:
 - name: EL
 versions:
- - 7
- - 8
+ - "7"
+ - "8"
 - name: Ubuntu
 versions:
- - xenial
 - bionic
+ - focal
+ - jammy
 - name: Debian
 versions:
- - stretch
 - buster
+ - bullseye
 - name: Amazon
 - name: Fedora
- - name: Archlinux
+ - name: ArchLinux
 - name: SmartOS
- - name: openSUSE
+ - name: opensuse
 galaxy_tags:
 - system
 - security
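Review bot: The new blob id for this file, `index fa268e6b1..590897ab5`, is the same as the new blob id of roles/os_hardening/meta/main.yml in this diff (`index 232827636..590897ab5`), which means the two meta files are now byte-identical, including lines 1–7 above this hunk that are not shown here. If those lines carry role-specific fields (author, description, role_name, min_ansible_version), ssh_hardening's values appear to have been overwritten with os_hardening's; please verify the head of the file and restore the ssh-specific metadata if so. Apart from that, the quoted `"7"`/`"8"` versions are the right call, since bare `8` would be published to Galaxy as an integer.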