dev-sec · schurzi · Dec 7, 2023 · Dec 6, 2023 · Dec 6, 2023 · Dec 6, 2023
diff --git a/.config/ansible-lint.yml b/.config/ansible-lint.yml
@@ -5,13 +5,17 @@
 # option will be parsed relative to the CWD of execution.
 exclude_paths:
   - .cache/ # implicit unless exclude_paths is defined in config
-  - .yamllint
-  - ../molecule/
-  - ../.github/
+  # add all waivers individually, since exclude_files does not support globs
+  - molecule/os_hardening/waivers.yaml
+  - molecule/ssh_hardening_bsd/waivers_freebsd12.yaml
+  - molecule/ssh_hardening_bsd/waivers_freebsd13.yaml
+  - molecule/ssh_hardening_bsd/waivers_freebsd14.yaml
+  - molecule/ssh_hardening_bsd/waivers_openbsd7.yaml
 
 mock_roles:
   - geerlingguy.git
   - nginxinc.nginx
 
 skip_list:
   - var-naming[no-role-prefix]
+  - meta-runtime[unsupported-version]
diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -31,7 +31,7 @@ body:
     attributes:
       label: "Reproduction steps"
       render: Shell
-      description: Paste an example playbook that can be used to reproduce the problem. This will be automatically formatted into code, so no need for backticks.
+      description: Paste an example playbook that can be used to reproduce the problem. This will be automatically formatted into code, no need for backticks.
       value: |
         ...
     validations:

diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml
@@ -7,24 +7,26 @@ on:  # yamllint disable-line rule:truthy
     branches: [master]
     paths:
       - 'roles/**'
+      - 'molecule/**'
       - 'requirements.txt'
+      - '.github/workflows/ansible-lint.yml'
+      - '.config/ansible-lint.yml'
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [master]
     paths:
       - 'roles/**'
+      - 'molecule/**'
       - 'requirements.txt'
+      - '.github/workflows/ansible-lint.yml'
+      - '.config/ansible-lint.yml'
 
 jobs:
   ansible-lint:
     runs-on: ubuntu-latest
 
     steps:
-      # Important: This sets up your GITHUB_WORKSPACE environment variable
       - uses: actions/checkout@v4
 
       - name: Lint Ansible Playbook
-        # replace "master" with any valid ref
-        uses: ansible/ansible-lint-action@main
-        with:
-          path: "roles/"
+        uses: ansible/ansible-lint@v6
diff --git a/.github/workflows/galaxy.yml → .github/workflows/galaxy-publish.yml b/.github/workflows/galaxy.yml → .github/workflows/galaxy-publish.yml
diff --git a/.github/workflows/mysql_hardening.yml b/.github/workflows/mysql_hardening.yml
@@ -89,7 +89,8 @@ jobs:
       - name: Temporary fix for roles
         run: |
           mkdir -p /home/runner/.ansible
-          ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles /home/runner/.ansible/roles
+          ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles \
+            /home/runner/.ansible/roles
 
       - name: Test with molecule
         run: |

diff --git a/.github/workflows/nginx_hardening.yml b/.github/workflows/nginx_hardening.yml
@@ -78,7 +78,8 @@ jobs:
       - name: Temporary fix for roles
         run: |
           mkdir -p /home/runner/.ansible
-          ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles /home/runner/.ansible/roles
+          ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles \
+            /home/runner/.ansible/roles
 
       - name: Test with molecule
         run: |

diff --git a/galaxy.yml b/galaxy.yml
@@ -22,6 +22,9 @@ tags:
   - nginx_hardening
   - os_hardening
   - ssh_hardening
+  - database
+  - linux
+  - security
 dependencies:
   ansible.posix: '>=1.0.0'
   community.crypto: '>=1.0.0'

diff --git a/molecule/mysql_hardening/converge.yml b/molecule/mysql_hardening/converge.yml
@@ -1,38 +1,37 @@
 ---
-- name: wrapper playbook for kitchen testing "ansible-mysql-hardening"
+- name: Wrapper playbook for kitchen testing "ansible-mysql-hardening"
   hosts: all
   become: true
-  collections:
-    - devsec.hardening
   environment:
     http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
     - name: Determine required MySQL Python libraries (Ubuntu Focal Fossa ++)
-      set_fact:
-        mysql_python_package_debian: "python3-pymysql"
+      ansible.builtin.set_fact:
+        mysql_python_package_debian: python3-pymysql
       when:
         - mysql_python_package_debian is not defined
         - ansible_distribution == "Ubuntu"
         - ansible_distribution_major_version|int > 19
 
     - name: Determine required MySQL Python libraries.
-      set_fact:
-        mysql_python_package_debian: "{% if 'python3' in ansible_python_interpreter|default('') %}python3-mysqldb{% else %}python-mysqldb{% endif %}"
+      ansible.builtin.set_fact:
+        mysql_python_package_debian: "{% if 'python3' in ansible_python_interpreter | default('') %}python3-mysqldb{% else %}python-mysqldb{% endif %}"
       when:
         - mysql_python_package_debian is not defined
         - ansible_distribution != "Ubuntu"
         - ansible_distribution_major_version|int < 20
 
     - name: Use Python 3 on Suse
-      set_fact:
+      ansible.builtin.set_fact:
         ansible_python_interpreter: /usr/bin/python3
       when:
         - ansible_os_family == 'Suse'
 
-    - include_role:
-        name: mysql_hardening
+    - name: Include mysql_hardening role
+      ansible.builtin.include_role:
+        name: devsec.hardening.mysql_hardening
   vars:
     overwrite_global_mycnf: false
     mysql_root_password: iloverandompasswordsbutthiswilldo

diff --git a/molecule/mysql_hardening/molecule.yml b/molecule/mysql_hardening/molecule.yml
@@ -8,7 +8,7 @@ driver:
   name: docker
 platforms:
   - name: instance
-    image: "rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest"
+    image: rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest
     command: ${MOLECULE_DOCKER_COMMAND:-/lib/systemd/systemd}
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw

diff --git a/molecule/mysql_hardening/prepare.yml b/molecule/mysql_hardening/prepare.yml
@@ -1,80 +1,81 @@
 ---
-
-- name: wrapper playbook for kitchen testing "ansible-mysql-hardening"
+- name: Wrapper playbook for kitchen testing "ansible-mysql-hardening"
   hosts: all
   become: true
   environment:
     http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+  vars:
+    overwrite_global_mycnf: false
+    mysql_root_password: iloverandompasswordsbutthiswilldo
+    mysql_user_password: iloverandompasswordsbutthiswilldo
+    mysql_config_file: /etc/mysql/mariadb.cnf
+    mysql_root_password_update: true
   tasks:
     - name: Use Python 3 on Debian 11
-      set_fact:
+      ansible.builtin.set_fact:
         ansible_python_interpreter: /usr/bin/python3
       when:
         - ansible_distribution == 'Debian'
         - ansible_distribution_major_version|int >= 11
 
     - name: Use Python 3 on Suse
-      set_fact:
+      ansible.builtin.set_fact:
         ansible_python_interpreter: /usr/bin/python3
       when:
         - ansible_os_family == 'Suse'
 
     - name: Use Python 2 on Debian 10
-      set_fact:
+      ansible.builtin.set_fact:
         ansible_python_interpreter: /usr/bin/python
       when:
         - ansible_distribution == 'Debian'
         - ansible_distribution_major_version|int == 10
 
     - name: Run the equivalent of "apt-get update && apt-get upgrade"
-      apt:
-        name: "*"
-        state: latest
+      ansible.builtin.apt:
+        upgrade: safe
         update_cache: true
       when: ansible_os_family == 'Debian'
 
     - name: Install required python packages on Suse
-      ansible.builtin.shell: zypper -n install python-xml python3-rpm python3-PyMySQL
+      ansible.builtin.command: zypper -n install python-xml python3-rpm python3-PyMySQL
+      changed_when: false
       when: ansible_os_family == 'Suse'
 
-    - name: create missing directory
-      file:
-        path: "/etc/mysql/conf.d"
+    - name: Create missing directory
+      ansible.builtin.file:
+        path: /etc/mysql
         state: directory
+        mode: "0755"
 
     - name: Determine required MySQL Python libraries (Ubuntu Focal Fossa ++)
-      set_fact:
-        mysql_python_package_debian: "python3-pymysql"
+      ansible.builtin.set_fact:
+        mysql_python_package_debian: python3-pymysql
       when:
         - mysql_python_package_debian is not defined
         - ansible_distribution == "Ubuntu"
         - ansible_distribution_major_version|int > 19
 
     - name: Determine required MySQL Python libraries.
-      set_fact:
-        mysql_python_package_debian: "{% if 'python3' in ansible_python_interpreter|default('') %}python3-mysqldb{% else %}python-mysqldb{% endif %}"
+      ansible.builtin.set_fact:
+        mysql_python_package_debian: "{% if 'python3' in ansible_python_interpreter | default('') %}python3-mysqldb{% else %}python-mysqldb{% endif %}"
       when:
         - mysql_python_package_debian is not defined
         - ansible_distribution != "Ubuntu"
         - ansible_distribution_major_version|int < 20
 
     - name: Install required MySQL Python libraries on RHEL
-      yum:
-        name: "{% if 'python3' in ansible_python_interpreter|default('') %}python36-PyMySQL{% else %}python2-PyMySQL{% endif %}"
+      ansible.builtin.yum:
+        name: "{% if 'python3' in ansible_python_interpreter | default('') %}python36-PyMySQL{% else %}python2-PyMySQL{% endif %}"
       when:
         - ansible_os_family == "RedHat"
         - ansible_distribution_major_version == "7"
-
-    - include_role:
+
+    - name: Install mysql with a generic Ansible role
+      ansible.builtin.include_role:
         name: dev-sec.mysql
 
-    - name: include MySQL user prepare tasks
-      include_tasks: prepare_tasks/mysql_users.yml
-  vars:
-    overwrite_global_mycnf: false
-    mysql_root_password: iloverandompasswordsbutthiswilldo
-    mysql_user_password: iloverandompasswordsbutthiswilldo
-    mysql_config_file: /etc/mysql/mariadb.cnf
-    mysql_root_password_update: true
+    - name: Include MySQL user prepare tasks
+      ansible.builtin.include_tasks: prepare_tasks/mysql_users.yml
diff --git a/molecule/mysql_hardening/prepare_tasks/mysql_users.yml b/molecule/mysql_hardening/prepare_tasks/mysql_users.yml
@@ -1,17 +1,17 @@
 ---
-- name: create users for test
+- name: Create users for test
   community.mysql.mysql_query:
     query:
-      - "CREATE USER 'user'@'delete';"
-      - "CREATE USER 'user'@'127.0.0.1';"
-      - "CREATE USER 'user'@'::1';"
-      - "CREATE USER 'user'@'%';"
-      - "CREATE USER 'user'@'192.168.0.%';"
-      - "CREATE USER 'user'@'192.168.0.1';"
-      - "CREATE USER    '%'@'192.168.0.1';"
-      - "CREATE USER 'user'@'192.168.0.2' IDENTIFIED BY 'keep';"
-      - "CREATE USER 'user'@'keep' IDENTIFIED BY 'keep';"
-      - "CREATE USER 'user'@'192.168.%' IDENTIFIED BY 'keep';"
+      - CREATE USER 'user'@'delete';
+      - CREATE USER 'user'@'127.0.0.1';
+      - CREATE USER 'user'@'::1';
+      - CREATE USER 'user'@'%';
+      - CREATE USER 'user'@'192.168.0.%';
+      - CREATE USER 'user'@'192.168.0.1';
+      - CREATE USER    '%'@'192.168.0.1';
+      - CREATE USER 'user'@'192.168.0.2' IDENTIFIED BY 'keep';
+      - CREATE USER 'user'@'keep' IDENTIFIED BY 'keep';
+      - CREATE USER 'user'@'192.168.%' IDENTIFIED BY 'keep';
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
 
 - name: Detect role support on MySQL
@@ -23,10 +23,10 @@
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   register: mysql_role_support
 
-- name: create roles for test
+- name: Create roles for test
   community.mysql.mysql_query:
     query:
-       - "CREATE ROLE 'role_keep';"
+      - CREATE ROLE 'role_keep';
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   when:
     - mysql_role_support.rowcount[0] > 0
diff --git a/molecule/mysql_hardening/verify.yml b/molecule/mysql_hardening/verify.yml
@@ -8,23 +8,23 @@
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
     - name: Use Python 3 on Suse
-      set_fact:
+      ansible.builtin.set_fact:
         ansible_python_interpreter: /usr/bin/python3
       when:
         - ansible_os_family == 'Suse'
 
-    - name: install procps for debian systems
-      apt:
+    - name: Install procps for debian systems
+      ansible.builtin.apt:
         name: procps
         state: present
         update_cache: true
       when: ansible_distribution == 'Debian'
 
-    - name: include tests for the service
-      include_tasks: verify_tasks/service.yml
+    - name: Include tests for the service
+      ansible.builtin.include_tasks: verify_tasks/service.yml
 
-    - name: include tests for MySQL user
-      include_tasks: verify_tasks/mysql_users.yml
+    - name: Include tests for MySQL user
+      ansible.builtin.include_tasks: verify_tasks/mysql_users.yml
 
 - name: Verify
   hosts: localhost
@@ -34,7 +34,7 @@
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
     - name: Execute cinc-auditor tests
-      command: >
+      ansible.builtin.command: >
         docker run
         --volume /run/docker.sock:/run/docker.sock
         docker.io/cincproject/auditor exec
@@ -46,10 +46,10 @@
       ignore_errors: true
 
     - name: Display details about the cinc-auditor results
-      debug:
+      ansible.builtin.debug:
         msg: "{{ test_results.stdout_lines }}"
 
     - name: Fail when tests fail
-      fail:
-        msg: "Inspec failed to validate"
+      ansible.builtin.fail:
+        msg: Inspec failed to validate
       when: test_results.rc != 0
diff --git a/molecule/mysql_hardening/verify_tasks/mysql_users.yml b/molecule/mysql_hardening/verify_tasks/mysql_users.yml
@@ -6,11 +6,11 @@
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   register: mysql_users
 
-- name: create list of users from mysql query
-  set_fact:
+- name: Create list of users from mysql query
+  ansible.builtin.set_fact:
     mysql_users_list: "{{ mysql_users.query_result.0  | json_query('[*].users') | list }}"
 
-- name: assert that only accounts with password remain
+- name: Assert that only accounts with password remain
   ansible.builtin.assert:
     that:
       - '"user@delete" not in mysql_users_list'
@@ -33,9 +33,9 @@
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   register: mysql_role_support
 
-- name: assert that roles remain
+- name: Assert that roles remain
   ansible.builtin.assert:
     that:
-       - '"role_keep@" in mysql_users_list'
+      - '"role_keep@" in mysql_users_list'
   when:
     - mysql_role_support.rowcount[0] > 0
diff --git a/molecule/mysql_hardening/verify_tasks/service.yml b/molecule/mysql_hardening/verify_tasks/service.yml
@@ -10,7 +10,7 @@
   ansible.builtin.service_facts:
 
 - name: Check if MySQL is running and enabled
-  assert:
+  ansible.builtin.assert:
     that:
-      - "ansible_facts.services[mysql_daemon + '.service'].state == 'running'"
-      - "ansible_facts.services[mysql_daemon + '.service'].status == 'enabled'"
+      - ansible_facts.services[mysql_daemon + '.service'].state == 'running'
+      - ansible_facts.services[mysql_daemon + '.service'].status == 'enabled'