dj-wasabi · rsanzante · Dec 22, 2022
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -5,7 +5,7 @@ ossec_server_config: []
 ossec_agent_configs: []
 ossec_server_fqdn: "ossec-server"
 ossec_server_atomic_release: 1.0-21
-ossec_server_disable_gpgkey: False
+ossec_server_disable_gpgkey: false
 install_postfix: false
 
 ossec_filename: "atomic-release-{{ ossec_server_atomic_release }}.el{{ ansible_distribution_major_version }}.art.noarch.rpm"

diff --git a/handlers/main.yml b/handlers/main.yml
@@ -1,13 +1,13 @@
 ---
 # handlers file for ossec-server
 
-- name: restart ossec-server
-  service:
+- name: Restart ossec-server
+  ansible.builtin.service:
     name: "{{ ossec_init_name }}"
     state: restarted
-    enabled: yes
+    enabled: true
 
-- name: systemd daemon-reload
+- name: Systemd daemon-reload
   command: systemctl daemon-reload
   tags:
     - skip_ansible_lint
diff --git a/meta/main.yml b/meta/main.yml
@@ -4,7 +4,7 @@ galaxy_info:
   description: Installing and maintaining the ossec-server.
   company: myCompany.Dotcom
   license: MIT
-  min_ansible_version: 2.4
+  min_ansible_version: "2.4"
   platforms:
     - name: EL
       versions:

diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
@@ -19,7 +19,7 @@
         - ansible_os_family == "Debian"
 
     - name: "Installing tools on NON-CentOS"
-      apt:
+      ansible.builtin.apt:
         name:
           - net-tools
           - apt-transport-https

diff --git a/tasks/Amazon.yml b/tasks/Amazon.yml
@@ -3,32 +3,32 @@
 
 # I'm sincerely sorry to anyone reading this
 - name: "Amazon | Find Corresponding Centos Version"
+  tags:
+    - always
   block:
     - name: "Amazon | Find Corresponding Centos Version to Amazon 2"
-      set_fact:
+      ansible.builtin.set_fact:
         corresponding_centos_version: 7
       when: ansible_distribution_major_version == '2'
     - name: "Amazon | Find Corresponding Centos Version to Amazon 1"
-      set_fact:
+      ansible.builtin.set_fact:
         corresponding_centos_version: 6
       when: ansible_distribution_major_version == '1'
-  tags:
-    - always
 
 - name: "Amazon | set ossec repo facts"
   block:
-    - name: url
-      set_fact:
+    - name: Url
+      ansible.builtin.set_fact:
         amazon_ossec_url: "https://www.atomicorp.com/channels/atomic/centos/{{ corresponding_centos_version }}/x86_64/RPMS"
         amazon_ossec_filename: "atomic-release-{{ ossec_server_atomic_release }}.el{{ corresponding_centos_version }}.art.noarch.rpm"
 
 - name: "Amazon | Install atomicorp repo"
-  yum:
+  ansible.builtin.yum:
     name: "{{ amazon_ossec_url }}/{{ amazon_ossec_filename }}"
     state: present
 
 - name: "Amazon | Install atomicorp repo"
-  debug:
+  ansible.builtin.debug:
     msg: "{{ amazon_ossec_url }}/{{ amazon_ossec_filename }}"
 
 # - name: "Amazon | Install epel repo"
@@ -37,15 +37,15 @@
 #     state: present
 
 - name: "Amazon | Use corresponding centos repo version"
-  replace:
+  ansible.builtin.replace:
     path: /etc/yum.repos.d/atomic.repo
     regexp: '^(?P<firstpart>.*)\$releasever(?P<lastpart>.*)$'
     replace: '\g<firstpart>{{ corresponding_centos_version }}\g<lastpart>'
     mode: '0644'
 
 
 - name: "Amazon | Install ossec-hids-server"
-  yum:
+  ansible.builtin.yum:
     # releasever: '{{ corresponding_centos_version }}'
     pkg:
       - ossec-hids
@@ -55,21 +55,21 @@
     - init
 
 - name: "Amazon | set facts"
+  tags:
+    - always
   block:
     - name: "Set Distribution CIS filename for Amazon 1"
-      set_fact:
+      ansible.builtin.set_fact:
         cis_distribution_filename: cis_rhel6_linux_rcl.txt
       when: ansible_distribution_major_version == "1"
 
     - name: "Set Distribution CIS filename for Amazon 2"
-      set_fact:
+      ansible.builtin.set_fact:
         cis_distribution_filename: cis_rhel7_linux_rcl.txt
       when: ansible_distribution_major_version == "2"
 
     - name: "Set ossec deploy facts for RedHat"
-      set_fact:
+      ansible.builtin.set_fact:
         ossec_server_config_filename: ossec-server.conf
         ossec_init_name: ossec-hids
         ossec_authd_init_name: ossec-hids-authd
-  tags:
-    - always
diff --git a/tasks/Debian.yml b/tasks/Debian.yml
@@ -1,27 +1,28 @@
 ---
 - name: "Debian/Ubuntu | Installing repository key"
-  apt_key:
+  ansible.builtin.apt_key:
     url: https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt
 
 - name: "Debian/Ubuntu | Installing repository"
-  apt_repository:
+  ansible.builtin.apt_repository:
     repo: "deb https://updates.atomicorp.com/channels/atomic/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main"
     state: present
 
 - name: "Debian/Ubuntu | Install ossec-hids"
-  apt:
+  ansible.builtin.apt:
     pkg: ossec-hids-server
     state: present
 
-- block:
+- name: Set variables
+  tags:
+    - always
+  block:
     - name: "Set Distribution CIS filename for Debian/Ubuntu"
-      set_fact:
+      ansible.builtin.set_fact:
         cis_distribution_filename: cis_debian_linux_rcl.txt
 
     - name: "Set ossec deploy facts for Debian"
-      set_fact:
+      ansible.builtin.set_fact:
         ossec_server_config_filename: ossec.conf
         ossec_init_name: ossec
         ossec_authd_init_name: ossec
-  tags:
-    - always
diff --git a/tasks/RedHat.yml b/tasks/RedHat.yml
@@ -2,30 +2,30 @@
 # Tasks specific for RedHat systems
 
 - name: "RedHat | Set some facts"
-  set_fact:
+  ansible.builtin.set_fact:
     ansible_distribution: CentOS
   when: ansible_distribution == "RedHat"
   tags:
     - always
 
 - name: "RedHat | Install atomicorp repo"
-  yum:
+  ansible.builtin.yum:
     name: "{{ ossec_download_url }}"
     disable_gpg_check: "{{ ossec_server_disable_gpgkey }}"
     state: present
 
 - name: "RedHat | Install epel repo rpm key"
-  rpm_key:
+  ansible.builtin.rpm_key:
     state: present
     key: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}"
 
 - name: "RedHat | Install epel repo"
-  yum:
+  ansible.builtin.yum:
     name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm"
     state: present
 
 - name: "RedHat | Install ossec-hids-server"
-  yum:
+  ansible.builtin.yum:
     pkg:
       - ossec-hids
       - ossec-hids-server
@@ -34,41 +34,41 @@
     - init
 
 - name: "RedHat | set facts"
+  tags:
+    - always
   block:
     - name: "Set Distribution CIS filename for RHEL below 5"
-      set_fact:
+      ansible.builtin.set_fact:
         cis_distribution_filename: cis_rhel_linux_rcl.txt
       when: ansible_distribution_major_version < "5"
 
     - name: "Set Distribution CIS filename for RHEL5"
-      set_fact:
+      ansible.builtin.set_fact:
         cis_distribution_filename: cis_rhel5_linux_rcl.txt
       when: ansible_distribution_major_version == "5"
 
     - name: "Set Distribution CIS filename for RHEL6"
-      set_fact:
+      ansible.builtin.set_fact:
         cis_distribution_filename: cis_rhel6_linux_rcl.txt
       when: ansible_distribution_major_version == "6"
 
     - name: "Set Distribution CIS filename for RHEL7"
-      set_fact:
+      ansible.builtin.set_fact:
         cis_distribution_filename: cis_rhel7_linux_rcl.txt
       when: ansible_distribution_major_version == "7"
 
     - name: "Set Distribution CIS filename for RHEL7"
-      set_fact:
+      ansible.builtin.set_fact:
         cis_distribution_filename: cis_rhel7_linux_rcl.txt
       when: ansible_distribution_major_version == "7"
 
     - name: "Set Distribution CIS filename for RHEL8 to that of RHEL7"
-      set_fact:
+      ansible.builtin.set_fact:
         cis_distribution_filename: cis_rhel7_linux_rcl.txt
       when: ansible_distribution_major_version == "8"
 
     - name: "Set ossec deploy facts for RedHat"
-      set_fact:
+      ansible.builtin.set_fact:
         ossec_server_config_filename: ossec-server.conf
         ossec_init_name: ossec-hids
         ossec_authd_init_name: ossec-hids-authd
-  tags:
-    - always
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -19,23 +19,23 @@
     - ansible_os_family == "Debian"
 
 - name: "Install CIS Root Checks"
-  get_url:
+  ansible.builtin.get_url:
     url: "https://raw.githubusercontent.com/ossec/ossec-hids/master/src/rootcheck/db/{{ cis_distribution_filename }}"
     dest: "/var/ossec/etc/shared/{{ cis_distribution_filename }}"
     mode: 0660
     owner: root
     group: ossec
 
 - name: "Generate SSL files"
-  command: "openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:3072 -keyout sslmanager.key -out sslmanager.cert -subj /CN={{ ossec_server_fqdn }}/"
+  ansible.builtin.command: "openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:3072 -keyout sslmanager.key -out sslmanager.cert -subj /CN={{ ossec_server_fqdn }}/" # yamllint disable-line rule:line-length
   args:
     creates: sslmanager.cert
     chdir: /var/ossec/etc/
   tags:
     - config
 
 - name: "Installing SSL files."
-  file:
+  ansible.builtin.file:
     path: /var/ossec/etc/{{ item }}
     owner: root
     group: root
@@ -47,7 +47,7 @@
     - config
 
 - name: "Configure the shared-agent.conf"
-  template:
+  ansible.builtin.template:
     src: var-ossec-etc-shared-agent.conf.j2
     dest: /var/ossec/etc/shared/agent.conf
     owner: ossec
@@ -60,7 +60,7 @@
     - config
 
 - name: "Installing custom local_rules.xml"
-  template:
+  ansible.builtin.template:
     src: "{{ playbook_dir }}/{{ ossec_server_config.local_rules_template }}"
     dest: /var/ossec/rules/local_rules.xml
     owner: root
@@ -76,7 +76,7 @@
     - rules
 
 - name: "Installing the local_rules.xml (default local_rules.xml)"
-  template:
+  ansible.builtin.template:
     src: var-ossec-rules-local_rules.xml.j2
     dest: /var/ossec/rules/local_rules.xml
     owner: root
@@ -92,7 +92,7 @@
     - rules
 
 - name: "Configure the ossec-server"
-  template:
+  ansible.builtin.template:
     src: var-ossec-etc-ossec-server.conf.j2
     dest: /var/ossec/etc/{{ ossec_server_config_filename }}
     owner: root
@@ -105,31 +105,31 @@
     - config
 
 - name: "Check if client-syslog is enabled"
-  shell: |
+  ansible.builtin.shell: |
     set -o pipefail
     "/var/ossec/bin/ossec-control status | grep -c 'ossec-csyslogd is running' | xargs echo"
   register: csyslog_running
-  changed_when: False
-  check_mode: False
+  changed_when: false
+  check_mode: false
   args:
     executable: /bin/bash
   when:
     - ossec_server_config.syslog_outputs is defined
 
 - name: "Enable client-syslog if not running and ossec_server_config.syslog_outputs is given"
-  command: /var/ossec/bin/ossec-control enable client-syslog
+  ansible.builtin.command: /var/ossec/bin/ossec-control enable client-syslog
   when:
     - ossec_server_config.syslog_outputs is defined
     - csyslog_running.stdout == '0'
 
 - name: "Start client-syslog if not running and ossec_server_config.syslog_outputs is given"
-  command: /var/ossec/bin/ossec-control start client-syslog
+  ansible.builtin.command: /var/ossec/bin/ossec-control start client-syslog
   when:
     - ossec_server_config.syslog_outputs is defined
     - csyslog_running.stdout == '0'
 
 - name: "Write ossec-authd init file"
-  template:
+  ansible.builtin.template:
     src: ossec-authd-init.service
     dest: /etc/init.d/ossec-authd
     owner: root
@@ -143,7 +143,7 @@
     - config
 
 - name: "Write ossec-authd systemd file"
-  template:
+  ansible.builtin.template:
     src: ossec-authd.service
     dest: /lib/systemd/system/ossec-authd.service
     mode: 0755
@@ -157,7 +157,7 @@
     - config
 
 - name: "Remove pidfile line from startup script (breaks systemd controlled rc script)"
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/rc.d/init.d/ossec-hids-authd
     regex: '^# pidfile:'
     state: absent
@@ -166,7 +166,7 @@
     - ansible_os_family == "RedHat"
 
 - name: "Ensure ossec authd service is started and enabled"
-  service:
+  ansible.builtin.service:
     name: "{{ ossec_authd_init_name }}"
-    enabled: yes
+    enabled: true
     state: started