dev-sec · rndmh3ro · Aug 22, 2020 · Aug 21, 2020
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,6 +1,7 @@
+---
 name: New release
 
-on:
+on:  # yamllint disable-line rule:truthy
   push:
     branches:
       - master
@@ -59,7 +60,7 @@ jobs:
         id: create_release
         uses: actions/create-release@v1
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # This token is provided by Actions, you do not need to create your own token
         with:
           release_name: ${{ steps.version.outputs.next-version }}
           tag_name: ${{ steps.version.outputs.next-version }}

diff --git a/.kitchen.vagrant.yml b/.kitchen.vagrant.yml
@@ -24,50 +24,50 @@ transport:
   max_ssh_sessions: 1
 
 platforms:
-- name: ubuntu-16.04
-  driver_config:
-    box: bento/ubuntu-16.04
-- name: ubuntu-18.04
-  driver_config:
-    box: bento/ubuntu-18.04
-- name: centos-6
-  driver_config:
-    box: bento/centos-6.7
-    provision: true
-    vagrantfiles:
-      - rhel6_provision.rb
-- name: centos-7
-  driver_config:
-    box: bento/centos-7
-- name: centos-8
-  driver_config:
-    box: bento/centos-8
-- name: oracle-6
-  driver_config:
-    box: bento/oracle-6
-    provision: true
-    vagrantfiles:
-      - rhel6_provision.rb
-- name: oracle-7
-  driver_config:
-    box: bento/oracle-7
-- name: debian-9
-  driver_config:
-    box: bento/debian-9
-- name: debian-10
-  driver_config:
-    box: bento/debian-10
-- name: amazon
-  driver_config:
-    box: bento/amazonlinux-2
-- name: opensuse_tumbleweed
-  driver_config:
-    box: opensuse/Tumbleweed.x86_64
-    provision: true
-    vagrantfiles:
-      - suse_provision.rb
-  provisioner:
-    ansible_binary_path: "/usr/local/bin"
+  - name: ubuntu-16.04
+    driver_config:
+      box: bento/ubuntu-16.04
+  - name: ubuntu-18.04
+    driver_config:
+      box: bento/ubuntu-18.04
+  - name: centos-6
+    driver_config:
+      box: bento/centos-6.7
+      provision: true
+      vagrantfiles:
+        - rhel6_provision.rb
+  - name: centos-7
+    driver_config:
+      box: bento/centos-7
+  - name: centos-8
+    driver_config:
+      box: bento/centos-8
+  - name: oracle-6
+    driver_config:
+      box: bento/oracle-6
+      provision: true
+      vagrantfiles:
+        - rhel6_provision.rb
+  - name: oracle-7
+    driver_config:
+      box: bento/oracle-7
+  - name: debian-9
+    driver_config:
+      box: bento/debian-9
+  - name: debian-10
+    driver_config:
+      box: bento/debian-10
+  - name: amazon
+    driver_config:
+      box: bento/amazonlinux-2
+  - name: opensuse_tumbleweed
+    driver_config:
+      box: opensuse/Tumbleweed.x86_64
+      provision: true
+      vagrantfiles:
+        - suse_provision.rb
+    provisioner:
+      ansible_binary_path: "/usr/local/bin"
 
 verifier:
   name: inspec
@@ -76,4 +76,4 @@ verifier:
     - https://github.com/dev-sec/linux-baseline/
 
 suites:
-- name: os
+  - name: os
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -33,103 +33,103 @@ provisioner:
   playbook: tests/test.yml
 
 platforms:
-- name: centos6-ansible-latest
-  driver:
-    image: rndmh3ro/docker-centos6-ansible:latest
-    platform: centos
-    provision_command:
-      - sed -i '/loginuid/d' /etc/pam.d/sshd
-
-- name: centos7-ansible-latest
-  driver:
-    image: rndmh3ro/docker-centos7-ansible:latest
-    platform: centos
-    provision_command:
-      - sed -i '/nologin/d' /etc/pam.d/sshd
-      - systemctl enable sshd.service
-
-- name: centos8-ansible-latest
-  driver:
-    image: rndmh3ro/docker-centos8-ansible:latest
-    platform: centos
-    provision_command:
-      - sed -i '/nologin/d' /etc/pam.d/sshd
-      - systemctl enable sshd.service
-  provisioner:
-    ansible_binary_path: "/usr/local/bin"
-
-- name: oracle6-ansible-latest
-  driver:
-    image: rndmh3ro/docker-oracle6-ansible:latest
-    platform: centos
-    provision_command:
-      - sed -i '/loginuid/d' /etc/pam.d/sshd
-
-- name: oracle7-ansible-latest
-  driver:
-    image: rndmh3ro/docker-oracle7-ansible:latest
-    platform: centos
-    provision_command:
-      - yum -y install initscripts
-      - sed -i '/nologin/d' /etc/pam.d/sshd
-      - systemctl enable sshd.service
-
-- name: ubuntu1604-ansible-latest
-  driver:
-    image: rndmh3ro/docker-ubuntu1604-ansible:latest
-    platform: ubuntu
-    provision_command:
-      - systemctl enable ssh.service
-
-- name: ubuntu1804-ansible-latest
-  driver:
-    image: rndmh3ro/docker-ubuntu1804-ansible:latest
-    platform: ubuntu
-    provision_command:
-      - systemctl enable ssh.service
-
-- name: debian9-ansible-latest
-  driver:
-    image: rndmh3ro/docker-debian9-ansible:latest
-    platform: debian
-    provision_command:
-      - apt install -y systemd-sysv
-      - systemctl enable ssh.service
-
-- name: debian10-ansible-latest
-  driver:
-    image: rndmh3ro/docker-debian10-ansible:latest
-    platform: debian
-    provision_command:
-      - apt install -y systemd-sysv
-      - systemctl enable ssh.service
-
-- name: amazon-ansible-latest
-  driver:
-    image: rndmh3ro/docker-amazon-ansible:latest
-    platform: centos
-    provision_command:
-      - sed -i '/nologin/d' /etc/pam.d/sshd
-      - systemctl enable sshd.service
-
-- name: fedora-ansible-latest
-  driver:
-    image: rndmh3ro/docker-fedora-ansible:latest
-    platform: centos
-    provision_command:
-      - dnf install -y python
-      - sed -i '/nologin/d' /etc/pam.d/sshd
-      - systemctl enable sshd.service
-
-- name: opensuse_tumbleweed-ansible-latest
-  driver:
-    image: rndmh3ro/docker-opensuse_tumbleweed-ansible
-    platform: opensuse
-    provision_command:
-      - zypper -n install python-xml
-      - sed -i '/nologin/d' /etc/pam.d/sshd
-      - sed -i '/systemd/d' /etc/pam.d/common-session
-      - systemctl enable sshd.service
+  - name: centos6-ansible-latest
+    driver:
+      image: rndmh3ro/docker-centos6-ansible:latest
+      platform: centos
+      provision_command:
+        - sed -i '/loginuid/d' /etc/pam.d/sshd
+
+  - name: centos7-ansible-latest
+    driver:
+      image: rndmh3ro/docker-centos7-ansible:latest
+      platform: centos
+      provision_command:
+        - sed -i '/nologin/d' /etc/pam.d/sshd
+        - systemctl enable sshd.service
+
+  - name: centos8-ansible-latest
+    driver:
+      image: rndmh3ro/docker-centos8-ansible:latest
+      platform: centos
+      provision_command:
+        - sed -i '/nologin/d' /etc/pam.d/sshd
+        - systemctl enable sshd.service
+    provisioner:
+      ansible_binary_path: "/usr/local/bin"
+
+  - name: oracle6-ansible-latest
+    driver:
+      image: rndmh3ro/docker-oracle6-ansible:latest
+      platform: centos
+      provision_command:
+        - sed -i '/loginuid/d' /etc/pam.d/sshd
+
+  - name: oracle7-ansible-latest
+    driver:
+      image: rndmh3ro/docker-oracle7-ansible:latest
+      platform: centos
+      provision_command:
+        - yum -y install initscripts
+        - sed -i '/nologin/d' /etc/pam.d/sshd
+        - systemctl enable sshd.service
+
+  - name: ubuntu1604-ansible-latest
+    driver:
+      image: rndmh3ro/docker-ubuntu1604-ansible:latest
+      platform: ubuntu
+      provision_command:
+        - systemctl enable ssh.service
+
+  - name: ubuntu1804-ansible-latest
+    driver:
+      image: rndmh3ro/docker-ubuntu1804-ansible:latest
+      platform: ubuntu
+      provision_command:
+        - systemctl enable ssh.service
+
+  - name: debian9-ansible-latest
+    driver:
+      image: rndmh3ro/docker-debian9-ansible:latest
+      platform: debian
+      provision_command:
+        - apt install -y systemd-sysv
+        - systemctl enable ssh.service
+
+  - name: debian10-ansible-latest
+    driver:
+      image: rndmh3ro/docker-debian10-ansible:latest
+      platform: debian
+      provision_command:
+        - apt install -y systemd-sysv
+        - systemctl enable ssh.service
+
+  - name: amazon-ansible-latest
+    driver:
+      image: rndmh3ro/docker-amazon-ansible:latest
+      platform: centos
+      provision_command:
+        - sed -i '/nologin/d' /etc/pam.d/sshd
+        - systemctl enable sshd.service
+
+  - name: fedora-ansible-latest
+    driver:
+      image: rndmh3ro/docker-fedora-ansible:latest
+      platform: centos
+      provision_command:
+        - dnf install -y python
+        - sed -i '/nologin/d' /etc/pam.d/sshd
+        - systemctl enable sshd.service
+
+  - name: opensuse_tumbleweed-ansible-latest
+    driver:
+      image: rndmh3ro/docker-opensuse_tumbleweed-ansible
+      platform: opensuse
+      provision_command:
+        - zypper -n install python-xml
+        - sed -i '/nologin/d' /etc/pam.d/sshd
+        - sed -i '/systemd/d' /etc/pam.d/common-session
+        - systemctl enable sshd.service
 
 verifier:
   name: inspec
@@ -141,4 +141,4 @@ verifier:
     - /^(?!sysctl-|package-07).+/
 
 suites:
-- name: os
+  - name: os
diff --git a/.travis.yml b/.travis.yml
@@ -16,7 +16,7 @@ env:
     - distro=oracle6
       volume=":"
       run_opts=""
-#    - distro=oracle7
+    # - distro=oracle7
     - distro=ubuntu1604
     - distro=ubuntu1804
     - distro=debian9
@@ -43,10 +43,10 @@ script:
   # Output Ansible version from docker image
   - 'docker exec "$(cat ${container_id})" ansible-playbook --version'
 
-   # Test role.
+  # Test role.
   - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/tests/test.yml --diff'
 
-   # Verify role
+  # Verify role
   - 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --no-distinct-exit'
 
 notifications:

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,14 +1,15 @@
+---
 os_desktop_enable: false
 os_env_extra_user_paths: []
 os_auth_pw_max_age: 60
-os_auth_pw_min_age: 7 # discourage password cycling
+os_auth_pw_min_age: 7  # discourage password cycling
 os_auth_retries: 5
-os_auth_lockout_time: 600 # 10min
+os_auth_lockout_time: 600  # 10min
 os_auth_timeout: 60
 os_auth_allow_homeless: false
 os_auth_pam_passwdqc_enable: true
-os_auth_pam_passwdqc_options: 'min=disabled,disabled,16,12,8' # used in RHEL6
-os_auth_pam_pwquality_options: 'try_first_pass retry=3 type=' # used in RHEL7
+os_auth_pam_passwdqc_options: 'min=disabled,disabled,16,12,8'  # used in RHEL6
+os_auth_pam_pwquality_options: 'try_first_pass retry=3 type='  # used in RHEL7
 os_auth_root_ttys: [console, tty1, tty2, tty3, tty4, tty5, tty6]
 
 os_chfn_restrict: ''
@@ -258,10 +259,10 @@ os_unused_filesystems:
   - "vfat"
   # Obsolete network protocols that should be disabled
   # per CIS Oracle Linux 6 Benchmark (2016)
-  - "tipc" # CIS 3.5.4
-  - "sctp" # CIS 3.5.2
-  - "dccp" # CIS 3.5.1
-  - "rds"  # CIS 3.5.3
+  - "tipc"  # CIS 3.5.4
+  - "sctp"  # CIS 3.5.2
+  - "dccp"  # CIS 3.5.1
+  - "rds"   # CIS 3.5.3
 
 # whitelist for used filesystems
 os_filesystem_whitelist: []
@@ -279,5 +280,5 @@ os_selinux_state: enforcing
 # Set the SELinux polixy.
 os_selinux_policy: targeted
 
-hidepid_option: '2' # allowed values: 0, 1, 2
+hidepid_option: '2'  # allowed values: 0, 1, 2
 proc_mnt_options: 'rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}'