From 9aef4b6cbf46edaf3bd6ef095105df33774bb0fd Mon Sep 17 00:00:00 2001 From: Bas Meijer Date: Fri, 12 Jul 2024 18:20:48 +0200 Subject: [PATCH] https://ansible.readthedocs.io/projects/lint/rules/yaml/ --- .yamllint | 6 ++++++ tasks/Debian11.yml | 12 +++++------- tasks/crypto_policy.yml | 8 ++++---- tasks/main.yml | 12 ++++++------ tasks/sshd_crypto.yml | 12 +++++------- tasks/strict_config.yml | 6 +++--- vars/main.yml | 11 ++++------- 7 files changed, 33 insertions(+), 34 deletions(-) diff --git a/.yamllint b/.yamllint index d50c7e1..50437fb 100644 --- a/.yamllint +++ b/.yamllint @@ -9,6 +9,9 @@ rules: brackets: max-spaces-inside: 1 level: error + comments: + min-spaces-from-content: 1 + comments-indentation: false indentation: indent-sequences: consistent spaces: 2 @@ -20,6 +23,9 @@ rules: new-line-at-end-of-file: enable new-lines: type: unix + octal-values: + forbid-implicit-octal: true + forbid-explicit-octal: true trailing-spaces: enable truthy: allowed-values: ['true', 'false'] diff --git a/tasks/Debian11.yml b/tasks/Debian11.yml index b43d17e..874f0d7 100644 --- a/tasks/Debian11.yml +++ b/tasks/Debian11.yml @@ -7,17 +7,15 @@ line: "{{ item.line }}" state: present create: true - mode: 0640 + mode: '0640' loop: - regexp: '^(#)?Ciphers' - line: "Ciphers {{ Ciphers }}" + line: "Ciphers {{ ciphers }}" - regexp: '^(#)?HostKeyAlgorithms' - line: "HostKeyAlgorithms {{ HostKeyAlgorithms }}" + line: "HostKeyAlgorithms {{ host_key_algorithms }}" - regexp: '^(#)?KexAlgorithms' - line: "KexAlgorithms {{ KexAlgorithms }}" + line: "KexAlgorithms {{ kex_algorithms }}" - regexp: '^(#)?MACs' - line: "MACs {{ MACs }}" - # - regexp: '^(#)?PubkeyAcceptedKeyTypes' - # line: "PubkeyAcceptedKeyTypes {{ PubkeyAcceptedKeyTypes }}" + line: "MACs {{ macs }}" notify: Restart sshd ... diff --git a/tasks/crypto_policy.yml b/tasks/crypto_policy.yml index 99cd51b..79cf09f 100644 --- a/tasks/crypto_policy.yml +++ b/tasks/crypto_policy.yml 
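Review bot: Dropping the commented `PubkeyAcceptedKeyTypes` loop entry leaves user-key signature algorithms entirely at the sshd default, and nothing in the task now records that this is deliberate; the same removal appears in tasks/sshd_crypto.yml, and vars/main.yml drops the variable together with its `# Not enforced!` marker. Debian 11 ships OpenSSH 8.4 as far as I recall, where SHA-1 `ssh-rsa` user-key signatures are still accepted by default (8.8 turned them off), so relative to the ssh-audit guide linked from vars/main.yml the hardening stays incomplete on exactly the platform this file targets. Either a `PubkeyAcceptedKeyTypes` entry should join the loop with a matching role var, or one comment should say why it is left unmanaged, e.g. `# PubkeyAcceptedKeyTypes deliberately not managed: <reason>`. The lineinfile task these loop entries belong to starts before the hunk.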
@@ -19,7 +19,7 @@ dest: /usr/share/crypto-policies/policies/ owner: root group: root - mode: 0644 + mode: '0644' - name: "Ensure crypto-policy {{ crypto_policy }}" when: current_policy.stdout != crypto_policy @@ -36,13 +36,13 @@ ansible.builtin.copy: dest: /etc/profile.d/cc-ssh-strong-rng.sh content: "export SSH_USE_STRONG_RNG=32\n" - mode: 0644 + mode: '0644' - name: SSH client uses strong entropy to seed (for CSH like shells) ansible.builtin.copy: dest: /etc/profile.d/cc-ssh-strong-rng.csh content: "setenv SSH_USE_STRONG_RNG 32\n" - mode: 0644 + mode: '0644' - name: Remove RekeyLimit from ssh_config ansible.builtin.lineinfile: @@ -57,6 +57,6 @@ regexp: '^(#)?RekeyLimit' line: 'RekeyLimit 1G 1h' state: present - mode: 0644 + mode: '0644' ... diff --git a/tasks/main.yml b/tasks/main.yml index 10105d9..9ce3144 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -26,7 +26,7 @@ ansible.builtin.file: path: /run/sshd state: directory - mode: 0750 + mode: '0750' - name: "Fedora crypto-policy {{ crypto_policy }}" when: ansible_distribution == 'Fedora' @@ -94,13 +94,13 @@ ansible.builtin.copy: src: issue dest: /etc/issue - mode: 0644 + mode: '0644' - name: Create login banner ansible.builtin.copy: src: issue dest: /etc/issue.net - mode: 0644 + mode: '0644' - name: Manage ed25519 host key when: crypto_policy == 'STRICT' @@ -123,14 +123,14 @@ - name: Set host key permissions ansible.builtin.file: path: /etc/ssh/ssh_host_ed25519_key - mode: 0600 + mode: '0600' - name: Configure ed25519 host key ansible.builtin.lineinfile: dest: /etc/ssh/sshd_config regexp: '^HostKey /etc/ssh/ssh_host_ed25519_key' line: 'HostKey /etc/ssh/ssh_host_ed25519_key' - mode: 0600 + mode: '0600' state: present notify: Restart sshd @@ -146,7 +146,7 @@ ansible.builtin.lineinfile: dest: /etc/ssh/sshd_config regexp: '^HostKey /etc/ssh/ssh_host_ed25519_key' - mode: 0600 + mode: '0600' state: absent notify: Restart sshd when: crypto_policy in ['FIPS', 'FIPS:OSPP'] 
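Review bot: In the `Set host key permissions` task (main.yml hunk at line 123) `mode: '0600'` on /etc/ssh/ssh_host_ed25519_key is now pinned, but the task still asserts nothing about ownership, so a key file with the wrong owner (for example one generated outside this role) keeps that owner while the mode reads as hardened. Adding `owner: root` and `group: root` to that `ansible.builtin.file` task closes the gap; whether a dedicated key group applies on the Fedora path this role also handles is worth confirming before pinning the group. The same question applies to the `mode: '0600'` on /etc/ssh/sshd_config in `Configure ed25519 host key`, although that file is normally root-owned already. The enclosing `when: crypto_policy == 'STRICT'` block starts before the hunk.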
diff --git a/tasks/sshd_crypto.yml b/tasks/sshd_crypto.yml index 02b4288..430e454 100644 --- a/tasks/sshd_crypto.yml +++ b/tasks/sshd_crypto.yml @@ -7,17 +7,15 @@ line: "{{ item.line }}" state: present create: true - mode: 0600 + mode: '0600' loop: - regexp: '^Ciphers' - line: "Ciphers {{ Ciphers }}" + line: "Ciphers {{ ciphers }}" - regexp: '^HostKeyAlgorithms' - line: "HostKeyAlgorithms {{ HostKeyAlgorithms }}" + line: "HostKeyAlgorithms {{ host_key_algorithms }}" - regexp: '^KexAlgorithms' - line: "KexAlgorithms {{ KexAlgorithms }}" + line: "KexAlgorithms {{ kex_algorithms }}" - regexp: '^MACs' - line: "MACs {{ MACs }}" - # - regexp: '^(#)?PubkeyAcceptedKeyTypes' - # line: "PubkeyAcceptedKeyTypes {{ PubkeyAcceptedKeyTypes }}" + line: "MACs {{ macs }}" notify: Restart sshd ... diff --git a/tasks/strict_config.yml b/tasks/strict_config.yml index d603251..60be756 100644 --- a/tasks/strict_config.yml +++ b/tasks/strict_config.yml @@ -7,10 +7,10 @@ ansible.builtin.lineinfile: path: /etc/sysconfig/sshd regex: '^CRYPTO_POLICY' - line: "CRYPTO_POLICY='-oCiphers={{ Ciphers }} -oMACs={{ MACs }} -oKexAlgorithms={{ KexAlgorithms }} -oHostKeyAlgorithms={{ HostKeyAlgorithms }}'" + line: "CRYPTO_POLICY='-oCiphers={{ ciphers }} -oMACs={{ macs }} -oKexAlgorithms={{ kex_algorithms }} -oHostKeyAlgorithms={{ host_key_algorithms }}'" state: present create: true - mode: 0640 + mode: '0640' notify: Restart sshd - name: Install rgn-tools for entropy, if available @@ -27,7 +27,7 @@ regexp: '^SSH_USE_STRONG_RNG' line: 'SSH_USE_STRONG_RNG=32' state: present - mode: 0640 + mode: '0640' when: entropy.changed | bool # noqa no-handler notify: Start RNG Entropy Gatherer ... diff --git a/vars/main.yml b/vars/main.yml index 745cc36..e287b35 100644 --- a/vars/main.yml +++ b/vars/main.yml 
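Review bot: The `CRYPTO_POLICY=` task in the first strict_config.yml hunk keeps `regex:` while every other lineinfile task touched by this commit (tasks/Debian11.yml, tasks/main.yml, tasks/sshd_crypto.yml and the `SSH_USE_STRONG_RNG` task lower in this same file) spells the option `regexp:`. Both are accepted by ansible.builtin.lineinfile, but a single spelling keeps the role greppable when someone later audits which sshd settings are managed; `regexp: '^CRYPTO_POLICY'` is the one-line change. The task starts before the hunk.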
@@ -14,14 +14,11 @@ weak_host_keys: # https://www.ssh-audit.com/hardening_guides.html -Ciphers: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr +ciphers: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr -HostKeyAlgorithms: ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512 +host_key_algorithms: ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512 # This is a compatible subset -KexAlgorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256 +kex_algorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256 -MACs: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com - -# Not enforced! -PubkeyAcceptedKeyTypes: ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512 +macs: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com ...
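Review bot: Renaming `Ciphers`/`HostKeyAlgorithms`/`KexAlgorithms`/`MACs` to `ciphers`/`host_key_algorithms`/`kex_algorithms`/`macs` is an interface change for any consumer that overrode the old names with extra-vars (vars/main.yml is role-vars precedence, so extra-vars was the only override path), and such an override now silently has no effect because the tasks read the new names. The commit message is only a URL, so a README or changelog line listing the four old and new names would prevent that silent drift. Separately, `# This is a compatible subset` above `kex_algorithms` does not say compatible with what; as far as I recall ssh-audit flags `diffie-hellman-group14-sha256` for its 2048-bit modulus, so naming the client population that still needs it, e.g. `# group14-sha256 kept for <legacy clients>; drop when they are gone`, lets a later reader remove it safely. The `weak_host_keys` mapping shown as context begins before the hunk.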