Merge pull request #324 from ansible-lockdown/collections_lint

Update to collection and linting
ansible-lockdown · Oct 10, 2023 · d7f643a · d7f643a
2 parents ba758e4 + 0e6102b
commit d7f643a
Show file tree

Hide file tree

Showing 15 changed files with 27 additions and 85 deletions.
diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline
@@ -75,10 +75,6 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
-    {
-      "path": "detect_secrets.filters.common.is_baseline_file",
-      "filename": ".config/.secrets.baseline"
-    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -113,70 +109,11 @@
     {
       "path": "detect_secrets.filters.regex.should_exclude_file",
       "pattern": [
-        ".config/.gitleaks-report.json"
+        ".config/.gitleaks-report.json",
+        "tasks/parse_etc_password.yml"
       ]
     }
   ],
-  "results": {
-    "defaults/main.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "defaults/main.yml",
-        "hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d",
-        "is_verified": false,
-        "line_number": 382,
-        "is_secret": false
-      }
-    ],
-    "tasks/main.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/main.yml",
-        "hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d",
-        "is_verified": false,
-        "line_number": 22,
-        "is_secret": false
-      }
-    ],
-    "tasks/parse_etc_password.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/parse_etc_password.yml",
-        "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
-        "is_verified": false,
-        "line_number": 18
-      }
-    ],
-    "vars/CentOS.yml": [
-      {
-        "type": "Hex High Entropy String",
-        "filename": "vars/CentOS.yml",
-        "hashed_secret": "2baa4bd2c505f21a0e48d6c17a174a0c8b6f3c3b",
-        "is_verified": false,
-        "line_number": 6,
-        "is_secret": false
-      }
-    ],
-    "vars/OracleLinux.yml": [
-      {
-        "type": "Hex High Entropy String",
-        "filename": "vars/OracleLinux.yml",
-        "hashed_secret": "260c8f0806148cd568435cd3d7647f43150efdbb",
-        "is_verified": false,
-        "line_number": 9,
-        "is_secret": false
-      }
-    ],
-    "vars/is_container.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "vars/is_container.yml",
-        "hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d",
-        "is_verified": false,
-        "line_number": 377,
-        "is_secret": false
-      }
-    ]
-  },
-  "generated_at": "2023-09-13T08:05:26Z"
+  "results": {},
+  "generated_at": "2023-10-09T15:14:50Z"
 }
diff --git a/README.md b/README.md
@@ -11,7 +11,6 @@
 ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
 [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)
 
-![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56324?label=Quality&&logo=ansible)
 ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)
 
 ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)

diff --git a/ansible.cfg b/ansible.cfg
@@ -22,4 +22,4 @@ transfer_method=scp
 
 [colors]
 
-[diff]
+[diff]
diff --git a/collections/requirements.yml b/collections/requirements.yml
@@ -2,7 +2,13 @@
 
 collections:
     - name: community.general
+      source: https://github.com/ansible-collections/community.general
+      type: git
 
     - name: community.crypto
+      source: https://github.com/ansible-collections/community.crypto
+      type: git
 
     - name: ansible.posix
+      source: https://github.com/ansible-collections/ansible.posix
+      type: git
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -379,7 +379,7 @@ rhel7cis_rhnsd_required: false
 
 # 1.4.2 Bootloader password
 rhel7cis_set_boot_pass: false
-rhel7cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispart'
+rhel7cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispart'  # pragma: allowlist secret
 
 # System network parameters (host only OR host and router)
 rhel7cis_is_router: false

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -19,8 +19,8 @@
 
 - name: Check rhel7cis_bootloader_password_hash variable has been changed
   ansible.builtin.assert:
-      that: rhel7cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispart'
-      msg: "This role will not be able to run single user password commands as  rhel7cis_bootloader_password_hash variable has not been set"
+      that: rhel7cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispart'  # pragma: allowlist secret
+      msg: "This role will not be able to run single user password commands as  rhel7cis_bootloader_password_hash variable has not been set"  # pragma: allowlist secret
   when:
       - ansible_distribution_version >= '7.2'
       - rhel7cis_set_boot_pass

diff --git a/templates/audit/access.rules.j2 b/templates/audit/access.rules.j2
@@ -1,4 +1,4 @@
--a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access 
--a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access 
--a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access 
+-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
diff --git a/templates/audit/logins.rules.j2 b/templates/audit/logins.rules.j2
@@ -1,3 +1,3 @@
--w /var/log/faillog -p wa -k logins 
+-w /var/log/faillog -p wa -k logins
 -w /var/log/lastlog -p wa -k logins
 -w /var/run/faillock/ -p wa -k logins
diff --git a/templates/audit/priv_commands.rules.j2 b/templates/audit/priv_commands.rules.j2
@@ -1,4 +1,4 @@
-{% for proc in priv_procs.stdout_lines -%} 
+{% for proc in priv_procs.stdout_lines -%}
 -a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 
 {% endfor %}
diff --git a/templates/audit/session.rules.j2 b/templates/audit/session.rules.j2
@@ -1,3 +1,3 @@
--w /var/run/utmp -p wa -k session 
--w /var/log/wtmp -p wa -k logins 
+-w /var/run/utmp -p wa -k session
+-w /var/log/wtmp -p wa -k logins
 -w /var/log/btmp -p wa -k logins
diff --git a/templates/audit/system_local.rules.j2 b/templates/audit/system_local.rules.j2
@@ -1,5 +1,5 @@
--a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale 
--a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale 
+-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
+-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
 -w /etc/issue -p wa -k system-locale
 -w /etc/issue.net -p wa -k system-locale
 -w /etc/hosts -p wa -k system-locale

diff --git a/templates/audit/time_change.rules.j2 b/templates/audit/time_change.rules.j2
@@ -1,6 +1,6 @@
 -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
 -a always,exit -F arch=b32 -S clock_settime -k time-change
-{% if ansible_architecture == 'x86_64' -%} 
+{% if ansible_architecture == 'x86_64' -%}
 -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
 -a always,exit -F arch=b64 -S clock_settime -k time-change
 {% endif %}

diff --git a/vars/CentOS.yml b/vars/CentOS.yml
@@ -3,4 +3,4 @@
 
 rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
 rpm_packager: "CentOS BuildSystem"
-rpm_key: "24c6a8a7f4a80eb5"  # found on https://www.centos.org/keys/
+rpm_key: "24c6a8a7f4a80eb5"  # found on https://www.centos.org/keys/  # pragma: allowlist secret
diff --git a/vars/OracleLinux.yml b/vars/OracleLinux.yml
@@ -6,4 +6,4 @@ rpm_packager: "(none)"
 
 # found on https://linux.oracle.com/security/gpg/
 
-rpm_key: "72f97b74ec551f03"
+rpm_key: "72f97b74ec551f03"  # pragma: allowlist secret
diff --git a/vars/is_container.yml b/vars/is_container.yml
@@ -374,7 +374,7 @@ rhel7cis_rhnsd_required: false
 
 # 1.4.2 Bootloader password
 rhel7cis_set_boot_pass: false
-rhel7cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispart'
+rhel7cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispart'  # pragma: allowlist secret
 
 # System network parameters (host only OR host and router)
 rhel7cis_is_router: false
Original file line number	Diff line number	Diff line change
Expand Up		@@ -22,4 +22,4 @@ transfer_method=scp

		[colors]

		[diff]
		[diff]
Original file line number	Diff line number	Diff line change
Expand Up		@@ -6,4 +6,4 @@ rpm_packager: "(none)"

		# found on https://linux.oracle.com/security/gpg/

		rpm_key: "72f97b74ec551f03"
		rpm_key: "72f97b74ec551f03" # pragma: allowlist secret