Merge pull request dev-sec#49 from dev-sec/collection

Fix linting errors and simplivy vars-handling

.github/workflows/release.yml

@@ -1,6 +1,7 @@
+---
 name: New release
 
-on:
+on:  # yamllint disable-line rule:truthy
   push:
     branches:
       - master
@@ -59,7 +60,7 @@ jobs:
         id: create_release
         uses: actions/create-release@v1
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # This token is provided by Actions, you do not need to create your own token
         with:
           release_name: ${{ steps.version.outputs.next-version }}
           tag_name: ${{ steps.version.outputs.next-version }}

.kitchen.vagrant.yml

@@ -19,33 +19,33 @@ transport:
   max_ssh_sessions: 5
 
 platforms:
-- name: ubuntu-16.04
-  driver_config:
-    box: bento/ubuntu-16.04
-- name: ubuntu-18.04
-  driver_config:
-    box: bento/ubuntu-18.04
-- name: centos-6
-  driver_config:
-    box: bento/centos-6
-- name: centos-7
-  driver_config:
-    box: bento/centos-7
-- name: oracle-6
-  driver_config:
-    box: bento/oracle-6
-- name: oracle-7
-  driver_config:
-    box: bento/oracle-7
-- name: debian-9
-  driver_config:
-    box: bento/debian-9
-- name: debian-10
-  driver_config:
-    box: bento/debian-10
-- name: amazon
-  driver_config:
-    box: bento/amazonlinux-2
+  - name: ubuntu-16.04
+    driver_config:
+      box: bento/ubuntu-16.04
+  - name: ubuntu-18.04
+    driver_config:
+      box: bento/ubuntu-18.04
+  - name: centos-6
+    driver_config:
+      box: bento/centos-6
+  - name: centos-7
+    driver_config:
+      box: bento/centos-7
+  - name: oracle-6
+    driver_config:
+      box: bento/oracle-6
+  - name: oracle-7
+    driver_config:
+      box: bento/oracle-7
+  - name: debian-9
+    driver_config:
+      box: bento/debian-9
+  - name: debian-10
+    driver_config:
+      box: bento/debian-10
+  - name: amazon
+    driver_config:
+      box: bento/amazonlinux-2
 
 verifier:
   name: inspec
@@ -54,4 +54,4 @@ verifier:
     - https://github.com/dev-sec/mysql-baseline/
 
 suites:
-- name: mysql
+  - name: mysql

.kitchen.yml

@@ -27,66 +27,64 @@ provisioner:
   galaxy_ignore_certs: true
 
 platforms:
-- name: centos6-ansible-latest
-  driver:
-    image: rndmh3ro/docker-centos6-ansible:latest
-    platform: centos
-- name: centos7-ansible-latest
-  driver:
-    image: rndmh3ro/docker-centos7-ansible:latest
-    platform: centos
-    run_command: /sbin/init
-    provision_command:
-      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
-      - systemctl enable sshd.service
-- name: oracle6-ansible-latest
-  driver:
-    image: rndmh3ro/docker-oracle6-ansible:latest
-    platform: centos
-- name: oracle7-ansible-latest
-  driver:
-    image: rndmh3ro/docker-oracle7-ansible:latest
-    run_command: /sbin/init
-    platform: centos
-    run_command: /sbin/init
-    provision_command:
-      - systemctl enable ssh.service
-- name: ubuntu1804-ansible-latest
-  driver:
-    image: rndmh3ro/docker-ubuntu1804-ansible:latest
-    platform: ubuntu
-    provision_command:
-      - systemctl enable ssh.service
-- name: debian9-ansible-latest
-  driver:
-    image: rndmh3ro/docker-debian9-ansible:latest
-    platform: debian
-    run_command: /sbin/init
-    provision_command:
-      - apt install -y systemd-sysv
-      - systemctl enable ssh.service
-- name: debian10-ansible-latest
-  driver:
-    image: rndmh3ro/docker-debian10-ansible:latest
-    platform: debian
-    run_command: /sbin/init
-    provision_command:
-      - apt install -y systemd-sysv
-      - systemctl enable ssh.service
-- name: amazon-ansible-latest
-  driver:
-    image: rndmh3ro/docker-amazon-ansible:latest
-    platform: centos
-    run_command: /sbin/init
-    provision_command:
-      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
-      - systemctl enable sshd.service
+  - name: centos6-ansible-latest
+    driver:
+      image: rndmh3ro/docker-centos6-ansible:latest
+      platform: centos
+  - name: centos7-ansible-latest
+    driver:
+      image: rndmh3ro/docker-centos7-ansible:latest
+      platform: centos
+      run_command: /sbin/init
+      provision_command:
+        - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+        - systemctl enable sshd.service
+  - name: oracle6-ansible-latest
+    driver:
+      image: rndmh3ro/docker-oracle6-ansible:latest
+      platform: centos
+  - name: oracle7-ansible-latest
+    driver:
+      image: rndmh3ro/docker-oracle7-ansible:latest
+      run_command: /sbin/init
+      platform: centos
+      provision_command:
+        - systemctl enable ssh.service
+  - name: ubuntu1804-ansible-latest
+    driver:
+      image: rndmh3ro/docker-ubuntu1804-ansible:latest
+      platform: ubuntu
+      provision_command:
+        - systemctl enable ssh.service
+  - name: debian9-ansible-latest
+    driver:
+      image: rndmh3ro/docker-debian9-ansible:latest
+      platform: debian
+      run_command: /sbin/init
+      provision_command:
+        - apt install -y systemd-sysv
+        - systemctl enable ssh.service
+  - name: debian10-ansible-latest
+    driver:
+      image: rndmh3ro/docker-debian10-ansible:latest
+      platform: debian
+      run_command: /sbin/init
+      provision_command:
+        - apt install -y systemd-sysv
+        - systemctl enable ssh.service
+  - name: amazon-ansible-latest
+    driver:
+      image: rndmh3ro/docker-amazon-ansible:latest
+      platform: centos
+      run_command: /sbin/init
+      provision_command:
+        - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+        - systemctl enable sshd.service
 verifier:
   name: inspec
   sudo: true
   inspec_tests:
-     - ../mysql-baseline
-#    - https://github.com/dev-sec/mysql-baseline
+    - https://github.com/dev-sec/mysql-baseline
 
 suites:
-- name: mysql
+  - name: mysql

defaults/main.yml

@@ -1,13 +1,10 @@
+---
 # switcher to enable/disable role
-mysql_hardening_enabled: yes
+mysql_hardening_enabled: true
 
-mysql_daemon_enabled: yes
+mysql_daemon_enabled: true
 
 # general configuration
-mysql_cnf_owner: 'root' # owner of /etc/mysql/*.cnf files
-mysql_cnf_group: 'root' # owner of /etc/mysql/*.cnf files
-mysql_hardening_user: 'mysql' # owner of data
-mysql_hardening_group: 'mysql'
 mysql_datadir: '/var/lib/mysql'
 mysql_hardening_mysql_hardening_conf_file: '{{mysql_hardening_mysql_confd_dir}}/hardening.cnf'
 # You have to change this to your own strong enough mysql root password

requirements.yml

@@ -1 +1,2 @@
+---
 - src: geerlingguy.mysql

tasks/configure.yml

@@ -3,10 +3,10 @@
 - name: protect my.cnf
   file:
     path: '{{ mysql_hardening_mysql_conf_file }}'
-    mode: 0400
+    mode: '0400'
     owner: '{{ mysql_cnf_owner }}'
     group: '{{ mysql_cnf_owner }}'
-    follow: yes
+    follow: true
     state: file
 
 - name: ensure permissions on mysql-datadir are correct
@@ -18,7 +18,7 @@
 
 - name: ensure permissions on mysql-logfile are correct
   file:
-    path: '{{ mysql_hardening_log_dir }}/{{ mysql_hardening_log_file }}'
+    path: '{{ mysql_hardening_log_file }}'
     state: file
     owner: '{{ mysql_hardening_user }}'
     group: '{{ mysql_hardening_group }}'
@@ -29,15 +29,15 @@
     state: directory
     owner: '{{ mysql_hardening_user }}'
     group: '{{ mysql_hardening_group }}'
-    mode: "0570"
+    mode: '0570'
 
 - name: check include-dir directive is present in my.cnf
   lineinfile:
     dest: '{{ mysql_hardening_mysql_conf_file }}'
     line: '!includedir {{ mysql_hardening_mysql_confd_dir }}'
     insertafter: 'EOF'
     state: present
-    backup: yes
+    backup: true
   notify: restart mysql
 
 - name: apply hardening configuration
@@ -46,7 +46,7 @@
     dest: '{{ mysql_hardening_mysql_hardening_conf_file }}'
     owner: '{{ mysql_cnf_owner }}'
     group: '{{ mysql_cnf_group }}'
-    mode: "0460"
+    mode: '0460'
   notify: restart mysql
 
 - name: enable mysql

tasks/main.yml

@@ -1,12 +1,11 @@
 ---
-
-- name: add the OS specific variables
-  include_vars: "{{ item }}"
+- name: set OS dependent variables
+  include_vars: '{{ item }}'
   with_first_found:
-    - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
-    - "{{ ansible_distribution }}.yml"
-    - "{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
-    - "{{ ansible_os_family }}.yml"
+    - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
+    - '{{ ansible_facts.distribution }}.yml'
+    - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
+    - '{{ ansible_facts.os_family }}.yml'
   tags: always
 
 - include: configure.yml

tasks/mysql_secure_installation.yml

@@ -1,11 +1,11 @@
 ---
 - name: Install mysqld python libary for Ansible
   package:
-    name: "{{ mysql_python_package }}"
+    name: '{{ mysql_python_package }}'
     state: present
 
 - debug:
-    msg: "WARNING - you have to change default mysql_root_password"
+    msg: 'WARNING - you have to change default mysql_root_password'
   when: mysql_root_password == '-----====>SetR00tPa$$wordH3r3!!!<====-----'
 
 - name: root password is present
@@ -32,7 +32,7 @@
   mysql_user:
     name: ''
     state: absent
-    host_all: yes
+    host_all: true
   when: mysql_remove_anonymous_users
 
 - name: copy mysql_remove_remote_root

tests/test.yml

@@ -1,11 +1,10 @@
 ---
-
 - name: wrapper playbook for kitchen testing "ansible-mysql-hardening"
   hosts: localhost
   pre_tasks:
     - name: Run the equivalent of "apt-get update" as a separate step
       apt:
-        update_cache: yes
+        update_cache: true
       when: ansible_os_family == 'Debian'
     - file:
         path: "/etc/mysql"
@@ -14,7 +13,7 @@
       apt:
         name: procps
         state: installed
-        update_cache: yes
+        update_cache: true
       when: ansible_distribution == 'Debian'
     - name: set logfile according to OS
       set_fact:
@@ -25,11 +24,11 @@
         mysql_log_error: "/var/log/mysqld.log"
       when: ansible_os_family == "RedHat"
   vars:
-    overwrite_global_mycnf: no
+    overwrite_global_mycnf: false
     mysql_root_password: iloverandompasswordsbutthiswilldo
     mysql_user_password: iloverandompasswordsbutthiswilldo
     mysql_config_file: /etc/mysql/mariadb.cnf
-    mysql_root_password_update: yes
+    mysql_root_password_update: true
   roles:
     - geerlingguy.mysql
     - ansible-mysql-hardening

vars/Debian.yml

@@ -4,11 +4,11 @@ mysql_daemon: mysql
 mysql_hardening_mysql_conf_file: '/etc/mysql/my.cnf'
 mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d'
 
-mysql_hardening_log_dir: '/var/log'
-mysql_hardening_log_file: 'mysql.log'
+mysql_hardening_log_dir: '/var/log/mysql/error.log'
 
-mysql_hardening_user: 'mysql' # owner of data
 mysql_hardening_group: 'adm'
 
+mysql_cnf_owner: 'mysql'  # owner of /etc/mysql/*.cnf files
+mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
 
-mysql_python_package: "python-mysqldb"
+mysql_python_package: "python3-pymysql"

vars/Fedora.yml

@@ -1,3 +1,4 @@
+---
 mysql_daemon: mysqld
 mysql_hardening_mysql_conf_file: '/etc/my.cnf'
 mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d'

vars/Oracle Linux.yml

@@ -4,8 +4,6 @@ mysql_daemon: mysqld
 mysql_hardening_mysql_conf_file: '/etc/my.cnf'
 mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d'
 
-mysql_hardening_log_dir: '/var/log'
-mysql_hardening_log_file: 'mysqld.log'
+mysql_hardening_log_dir: '/var/log/mysqld.log'
 
-mysql_hardening_user: 'mysql' # owner of data
 mysql_hardening_group: 'adm'