add spellchecking with codespell

.github/workflows/codespell.yml

@@ -0,0 +1,14 @@
+---
+name: Codespell - Spellcheck
+
+on:  # yamllint disable-line rule:truthy
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+jobs:
+  codespell:
+    uses: "dev-sec/.github/.github/workflows/codespell.yml@main"
+    with:
+      ignore_words_list: "chage"

OS_HARDENING_CHANGELOG.md

@@ -26,7 +26,7 @@
 
 - fix fedora build [\#296](https://github.com/dev-sec/ansible-os-hardening/pull/296) ([rndmh3ro](https://github.com/rndmh3ro))
 - do not blacklist used filesystems [\#289](https://github.com/dev-sec/ansible-os-hardening/pull/289) [[patch](https://github.com/dev-sec/ansible-os-hardening/labels/patch)] ([schurzi](https://github.com/schurzi))
-- move hidepid vars into defaults so theyre overwritable [\#285](https://github.com/dev-sec/ansible-os-hardening/pull/285) [[patch](https://github.com/dev-sec/ansible-os-hardening/labels/patch)] ([rndmh3ro](https://github.com/rndmh3ro))
+- move hidepid vars into defaults so they're overwritable [\#285](https://github.com/dev-sec/ansible-os-hardening/pull/285) [[patch](https://github.com/dev-sec/ansible-os-hardening/labels/patch)] ([rndmh3ro](https://github.com/rndmh3ro))
 
 ## [6.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.1.0) (2020-07-21)
 
@@ -90,7 +90,7 @@
 - Add kernel parameter information to README [\#259](https://github.com/dev-sec/ansible-os-hardening/pull/259) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([jaredledvina](https://github.com/jaredledvina))
 - Remove trailing whitespaces \(ansible-lint 201\) [\#254](https://github.com/dev-sec/ansible-os-hardening/pull/254) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([kravietz](https://github.com/kravietz))
 - Standardize the var ordering [\#251](https://github.com/dev-sec/ansible-os-hardening/pull/251) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([dustinmiller1337](https://github.com/dustinmiller1337))
-- Add intial support for OpenSUSE [\#250](https://github.com/dev-sec/ansible-os-hardening/pull/250) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([dustinmiller1337](https://github.com/dustinmiller1337))
+- Add initial support for OpenSUSE [\#250](https://github.com/dev-sec/ansible-os-hardening/pull/250) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([dustinmiller1337](https://github.com/dustinmiller1337))
 - Make max_log_file_action for auditd configurable [\#246](https://github.com/dev-sec/ansible-os-hardening/pull/246) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([jandd](https://github.com/jandd))
 - Add exception in sysctl task [\#240](https://github.com/dev-sec/ansible-os-hardening/pull/240) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([ghost](https://github.com/ghost))
 - Fedora - Use new auto ansible_python_interpreter for dnf [\#239](https://github.com/dev-sec/ansible-os-hardening/pull/239) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([jaredledvina](https://github.com/jaredledvina))
@@ -165,7 +165,7 @@
 
 **Fixed bugs:**
 
-- auditd causing v5.0 to fail on unpriviledged LXC's [\#191](https://github.com/dev-sec/ansible-os-hardening/issues/191) [[bug](https://github.com/dev-sec/ansible-os-hardening/labels/bug)]
+- auditd causing v5.0 to fail on unprivileged LXC's [\#191](https://github.com/dev-sec/ansible-os-hardening/issues/191) [[bug](https://github.com/dev-sec/ansible-os-hardening/labels/bug)]
 - Setting os_security_users_allow has no effect [\#175](https://github.com/dev-sec/ansible-os-hardening/issues/175) [[bug](https://github.com/dev-sec/ansible-os-hardening/labels/bug)]
 - add /usr/bin/su to suid_guid whitelist [\#199](https://github.com/dev-sec/ansible-os-hardening/pull/199) [[bug](https://github.com/dev-sec/ansible-os-hardening/labels/bug)] ([ccolic](https://github.com/ccolic))
 - ensure that permissions to su-binary are not restricted to root user and group only, if os_security_users_allow contains the value change_user [\#197](https://github.com/dev-sec/ansible-os-hardening/pull/197) [[bug](https://github.com/dev-sec/ansible-os-hardening/labels/bug)] ([szEvEz](https://github.com/szEvEz))
@@ -346,7 +346,7 @@
 - Docker [\#90](https://github.com/dev-sec/ansible-os-hardening/pull/90) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro))
 - debian 8 support [\#88](https://github.com/dev-sec/ansible-os-hardening/pull/88) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro))
 - Ufw manage defaults [\#85](https://github.com/dev-sec/ansible-os-hardening/pull/85) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([fitz123](https://github.com/fitz123))
-- replace ignore_errors to failed_when to supress ugly error warnings [\#81](https://github.com/dev-sec/ansible-os-hardening/pull/81) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([fitz123](https://github.com/fitz123))
+- replace ignore_errors to failed_when to suppress ugly error warnings [\#81](https://github.com/dev-sec/ansible-os-hardening/pull/81) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([fitz123](https://github.com/fitz123))
 - fix bare variables usage for loops [\#79](https://github.com/dev-sec/ansible-os-hardening/pull/79) [[enhancement](https://github.com/dev-sec/ansible-os-hardening/labels/enhancement)] ([fitz123](https://github.com/fitz123))
 
 **Fixed bugs:**
@@ -459,7 +459,7 @@
 - Repair debian install script [\#8](https://github.com/dev-sec/ansible-os-hardening/pull/8) ([rndmh3ro](https://github.com/rndmh3ro))
 - Separate tasks into multiple smaller files [\#7](https://github.com/dev-sec/ansible-os-hardening/pull/7) ([rndmh3ro](https://github.com/rndmh3ro))
 - Enable gpg-check on all yum-repositories [\#5](https://github.com/dev-sec/ansible-os-hardening/pull/5) ([rndmh3ro](https://github.com/rndmh3ro))
-- Change playbook-path to accomodate test-repo [\#4](https://github.com/dev-sec/ansible-os-hardening/pull/4) ([rndmh3ro](https://github.com/rndmh3ro))
+- Change playbook-path to accommodate test-repo [\#4](https://github.com/dev-sec/ansible-os-hardening/pull/4) ([rndmh3ro](https://github.com/rndmh3ro))
 - treat securetty config as an array [\#3](https://github.com/dev-sec/ansible-os-hardening/pull/3) ([arlimus](https://github.com/arlimus))
 - Add Securetty-support [\#2](https://github.com/dev-sec/ansible-os-hardening/pull/2) ([rndmh3ro](https://github.com/rndmh3ro))
 - Add profile.conf configuration [\#1](https://github.com/dev-sec/ansible-os-hardening/pull/1) ([rndmh3ro](https://github.com/rndmh3ro))

molecule/os_hardening/verify_tasks/pam.yml

@@ -21,15 +21,15 @@
     name: testuser
     password: "{{ test_pw | password_hash('sha512') }}"
 
-- name: check successfull login with correct password
+- name: check successful login with correct password
   shell:
     cmd: "pam-tester --user testuser --password {{ test_pw }}"
   environment:
     TMPDIR: /var/tmp
     LC_ALL: "{{ locale | default('C.UTF-8') }}"
     LANG: "{{ locale | default('C.UTF-8') }}"
 
-- name: check unsuccessfull login with incorrect password
+- name: check unsuccessful login with incorrect password
   shell:
     cmd: "pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
   environment:
@@ -38,7 +38,7 @@
     LANG: "{{ locale | default('C.UTF-8') }}"
   with_sequence: count=6
 
-- name: check unsuccessfull login, with correct password (lockout)
+- name: check unsuccessful login, with correct password (lockout)
   shell:
     cmd: "pam-tester --user testuser --password {{ test_pw }} --expectfail"
   environment:
@@ -50,7 +50,7 @@
   pause:
     seconds: 20
 
-- name: check successfull login
+- name: check successful login
   shell:
     cmd: "pam-tester --user testuser --password {{ test_pw }}"
   environment:

molecule/os_hardening_vm/molecule.yml

@@ -8,7 +8,7 @@ driver:
   provider:
     name: libvirt
 platforms:
-  # we need to name every instance differntly to start multiple VMs on the same host (parallelization)
+  # we need to name every instance differently to start multiple VMs on the same host (parallelization)
   # since we also need to use different OS users to run the tests because of how molecule operates,
   # the VM names must be predictable by OS user (to clean up canceled runs)
   - name: "${USER}"

molecule/os_hardening_vm/verify_tasks/pam.yml

@@ -21,15 +21,15 @@
     name: testuser
     password: "{{ test_pw | password_hash('sha512') }}"
 
-- name: check successfull login with correct password
+- name: check successful login with correct password
   shell:
     cmd: "pam-tester --user testuser --password {{ test_pw }}"
   environment:
     TMPDIR: /var/tmp
     LC_ALL: "{{ locale | default('C.UTF-8') }}"
     LANG: "{{ locale | default('C.UTF-8') }}"
 
-- name: check unsuccessfull login with incorrect password
+- name: check unsuccessful login with incorrect password
   shell:
     cmd: "pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
   environment:
@@ -38,7 +38,7 @@
     LANG: "{{ locale | default('C.UTF-8') }}"
   with_sequence: count=6
 
-- name: check unsuccessfull login, with correct password (lockout)
+- name: check unsuccessful login, with correct password (lockout)
   shell:
     cmd: "pam-tester --user testuser --password {{ test_pw }} --expectfail"
   environment:
@@ -50,7 +50,7 @@
   pause:
     seconds: 20
 
-- name: check successfull login
+- name: check successful login
   shell:
     cmd: "pam-tester --user testuser --password {{ test_pw }}"
   environment:

molecule/ssh_hardening_bsd/molecule.yml

@@ -4,7 +4,7 @@ driver:
   provider:
     name: libvirt
 platforms:
-  # we need to name every instance differntly to start multiple VMs on the same host (parallelization)
+  # we need to name every instance differently to start multiple VMs on the same host (parallelization)
   # since we also need to use different OS users to run the tests because of how molecule operates,
   # the VM names must be predictable by OS user (to clean up canceled runs)
   - name: "${USER}"

roles/mysql_hardening/CHANGELOG.md

@@ -91,7 +91,7 @@
 
 **Implemented enhancements:**
 
-- add follow=yes to my.cnf protect task, incase its a symlink. fixes \#20 [\#21](https://github.com/dev-sec/ansible-mysql-hardening/pull/21) ([rndmh3ro](https://github.com/rndmh3ro))
+- add follow=yes to my.cnf protect task, in case its a symlink. fixes \#20 [\#21](https://github.com/dev-sec/ansible-mysql-hardening/pull/21) ([rndmh3ro](https://github.com/rndmh3ro))
 - add changelog generator [\#7](https://github.com/dev-sec/ansible-mysql-hardening/pull/7) ([chris-rock](https://github.com/chris-rock))
 
 **Closed issues:**

roles/mysql_hardening/tasks/main.yml

@@ -14,7 +14,7 @@
 
 # we only override variables with our default if they have not been specified already.
 # by default the lookup functions finds all varnames containing the string, therefore
-# we add ^ and $ to denote start and end of string, so this returns only exact maches.
+# we add ^ and $ to denote start and end of string, so this returns only exact matches.
 - name: Set OS dependent variables, if not already defined by user # noqa var-naming
   ansible.builtin.set_fact:
     "{{ item.key }}": "{{ item.value }}"

roles/os_hardening/CHANGELOG.md

@@ -54,7 +54,7 @@
 
 - fix fedora build [\#296](https://github.com/dev-sec/ansible-os-hardening/pull/296) ([rndmh3ro](https://github.com/rndmh3ro))
 - do not blacklist used filesystems [\#289](https://github.com/dev-sec/ansible-os-hardening/pull/289) ([schurzi](https://github.com/schurzi))
-- move hidepid vars into defaults so theyre overwritable [\#285](https://github.com/dev-sec/ansible-os-hardening/pull/285) ([rndmh3ro](https://github.com/rndmh3ro))
+- move hidepid vars into defaults so they're overwritable [\#285](https://github.com/dev-sec/ansible-os-hardening/pull/285) ([rndmh3ro](https://github.com/rndmh3ro))
 
 ## [6.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.1.0) (2020-07-21)
 
@@ -118,7 +118,7 @@
 - Add kernel parameter information to README [\#259](https://github.com/dev-sec/ansible-os-hardening/pull/259) ([jaredledvina](https://github.com/jaredledvina))
 - Remove trailing whitespaces \(ansible-lint 201\) [\#254](https://github.com/dev-sec/ansible-os-hardening/pull/254) ([kravietz](https://github.com/kravietz))
 - Standardize the var ordering [\#251](https://github.com/dev-sec/ansible-os-hardening/pull/251) ([dustinmiller1337](https://github.com/dustinmiller1337))
-- Add intial support for OpenSUSE [\#250](https://github.com/dev-sec/ansible-os-hardening/pull/250) ([dustinmiller1337](https://github.com/dustinmiller1337))
+- Add initial support for OpenSUSE [\#250](https://github.com/dev-sec/ansible-os-hardening/pull/250) ([dustinmiller1337](https://github.com/dustinmiller1337))
 - Make max_log_file_action for auditd configurable [\#246](https://github.com/dev-sec/ansible-os-hardening/pull/246) ([jandd](https://github.com/jandd))
 - Add exception in sysctl task [\#240](https://github.com/dev-sec/ansible-os-hardening/pull/240) ([ghost](https://github.com/ghost))
 - Fedora - Use new auto ansible_python_interpreter for dnf [\#239](https://github.com/dev-sec/ansible-os-hardening/pull/239) ([jaredledvina](https://github.com/jaredledvina))
@@ -193,7 +193,7 @@
 
 **Fixed bugs:**
 
-- auditd causing v5.0 to fail on unpriviledged LXC's [\#191](https://github.com/dev-sec/ansible-os-hardening/issues/191)
+- auditd causing v5.0 to fail on unprivileged LXC's [\#191](https://github.com/dev-sec/ansible-os-hardening/issues/191)
 - Setting os_security_users_allow has no effect [\#175](https://github.com/dev-sec/ansible-os-hardening/issues/175)
 - add /usr/bin/su to suid_guid whitelist [\#199](https://github.com/dev-sec/ansible-os-hardening/pull/199) ([ccolic](https://github.com/ccolic))
 - ensure that permissions to su-binary are not restricted to root user and group only, if os_security_users_allow contains the value change_user [\#197](https://github.com/dev-sec/ansible-os-hardening/pull/197) ([szEvEz](https://github.com/szEvEz))
@@ -374,7 +374,7 @@
 - Docker [\#90](https://github.com/dev-sec/ansible-os-hardening/pull/90) ([rndmh3ro](https://github.com/rndmh3ro))
 - debian 8 support [\#88](https://github.com/dev-sec/ansible-os-hardening/pull/88) ([rndmh3ro](https://github.com/rndmh3ro))
 - Ufw manage defaults [\#85](https://github.com/dev-sec/ansible-os-hardening/pull/85) ([fitz123](https://github.com/fitz123))
-- replace ignore_errors to failed_when to supress ugly error warnings [\#81](https://github.com/dev-sec/ansible-os-hardening/pull/81) ([fitz123](https://github.com/fitz123))
+- replace ignore_errors to failed_when to suppress ugly error warnings [\#81](https://github.com/dev-sec/ansible-os-hardening/pull/81) ([fitz123](https://github.com/fitz123))
 - fix bare variables usage for loops [\#79](https://github.com/dev-sec/ansible-os-hardening/pull/79) ([fitz123](https://github.com/fitz123))
 
 **Fixed bugs:**
@@ -487,7 +487,7 @@
 - Repair debian install script [\#8](https://github.com/dev-sec/ansible-os-hardening/pull/8) ([rndmh3ro](https://github.com/rndmh3ro))
 - Separate tasks into multiple smaller files [\#7](https://github.com/dev-sec/ansible-os-hardening/pull/7) ([rndmh3ro](https://github.com/rndmh3ro))
 - Enable gpg-check on all yum-repositories [\#5](https://github.com/dev-sec/ansible-os-hardening/pull/5) ([rndmh3ro](https://github.com/rndmh3ro))
-- Change playbook-path to accomodate test-repo [\#4](https://github.com/dev-sec/ansible-os-hardening/pull/4) ([rndmh3ro](https://github.com/rndmh3ro))
+- Change playbook-path to accommodate test-repo [\#4](https://github.com/dev-sec/ansible-os-hardening/pull/4) ([rndmh3ro](https://github.com/rndmh3ro))
 - treat securetty config as an array [\#3](https://github.com/dev-sec/ansible-os-hardening/pull/3) ([arlimus](https://github.com/arlimus))
 - Add Securetty-support [\#2](https://github.com/dev-sec/ansible-os-hardening/pull/2) ([rndmh3ro](https://github.com/rndmh3ro))
 - Add profile.conf configuration [\#1](https://github.com/dev-sec/ansible-os-hardening/pull/1) ([rndmh3ro](https://github.com/rndmh3ro))

roles/os_hardening/README.md

@@ -58,7 +58,7 @@ If you're using Docker / Kubernetes+Docker you'll need to override the ipv4 ip f
 
 ### hidepid on RHEL/CentOS 7
 
-When having `polkit-0.112-18.el7` (and later) installed and `/proc` mounted with `hidepid=2`, everytime someone uses `systemctl` the following error is displayed, but systemctl runs successfully.
+When having `polkit-0.112-18.el7` (and later) installed and `/proc` mounted with `hidepid=2`, every time someone uses `systemctl` the following error is displayed, but systemctl runs successfully.
 
 ```
 Error registering authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject (polkit-error-quark, 0)

roles/os_hardening/defaults/main.yml

@@ -157,8 +157,8 @@ sysctl_config:
   # https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace
   #
   # For applications launching crash handlers that need PTRACE, exceptions can
-  # be registered by the debugee by declaring in the segfault handler
-  # specifically which process will be using PTRACE on the debugee:
+  # be registered by the debuggee by declaring in the segfault handler
+  # specifically which process will be using PTRACE on the debuggee:
   #   prctl(PR_SET_PTRACER, debugger_pid, 0, 0, 0);
   #
   # In general, PTRACE is not needed for the average running Ubuntu system.

roles/os_hardening/templates/etc/login.defs.j2

@@ -136,7 +136,7 @@ SUB_GID_MIN       {{ os_auth_sub_gid_min }}
 SUB_GID_MAX       {{ os_auth_sub_gid_max }}
 SUB_GID_COUNT     {{ os_auth_sub_gid_count }}
 
-# Max number of login retries if password is bad. This will most likely be overriden by PAM, since the default pam_unix module has it's own built in of 3 retries. However, this is a safe fallback in case you are using an authentication module that does not enforce PAM_MAXTRIES.
+# Max number of login retries if password is bad. This will most likely be overridden by PAM, since the default pam_unix module has it's own built in of 3 retries. However, this is a safe fallback in case you are using an authentication module that does not enforce PAM_MAXTRIES.
 LOGIN_RETRIES     {{ os_auth_retries }}
 
 # Max time in seconds for login
@@ -155,7 +155,7 @@ DEFAULT_HOME      {{ 'yes' if os_auth_allow_homeless else 'no' }}
 # the user to be removed (passed as the first argument).
 #USERDEL_CMD       /usr/sbin/userdel_local
 
-# Instead of the real user shell, the program specified by this parameter will be launched, although its visible name (`argv[0]`) will be the shell's. The program may do whatever it wants (logging, additional authentification, banner, ...) before running the actual shell.
+# Instead of the real user shell, the program specified by this parameter will be launched, although its visible name (`argv[0]`) will be the shell's. The program may do whatever it wants (logging, additional authentication, banner, ...) before running the actual shell.
 #FAKE_SHELL        /bin/fakeshell
 
 # If defined, either full pathname of a file containing device names or a ":" delimited list of device names.  Root logins will be allowed only upon these devices.

roles/os_hardening/vars/Amazon.yml

@@ -81,6 +81,6 @@ os_useradd_create_home: true
 modprobe_package: module-init-tools
 auditd_package: audit
 
-# system accounts that do not get their login disabled and pasword changed
+# system accounts that do not get their login disabled and password changed
 os_always_ignore_users: [root, sync, shutdown, halt, ec2-user]
 hidepid_option: "2" # allowed values: 0, 1, 2

roles/os_hardening/vars/main.yml

@@ -108,5 +108,5 @@ os_security_suid_sgid_system_whitelist:
   - /usr/lib/libvte9/gnome-pty-helper # gnome
   - /usr/lib/libvte-2.90-9/gnome-pty-helper # gnome
 
-# system accounts that do not get their login disabled and pasword changed
+# system accounts that do not get their login disabled and password changed
 os_always_ignore_users: [root, sync, shutdown, halt]