Fix linter errors
Work around the mutually incompatible W503 and W504. Change-Id: I45d0ca8a911d9cf1af2df52a1cf911db817b13b3
This commit is contained in:
parent
4e44a54b95
commit
c6703cd5e5
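--- a/.ansible-lint
+++ b/.ansible-lint
@@ -0,0 +1,4 @@
+---
+
+skip_list:
+- '106'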
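Review bot: The `skip_list` entry `'106'` carries no explanation of which ansible-lint rule is being suppressed or why, so a later maintainer cannot tell whether the suppression is still needed. Rule 106 is presumably the role-name pattern check (it fires when a role directory name contains characters outside `^[a-z][a-z0-9_]+$`, such as a hyphen), but that should be stated in the file rather than recalled; I'd add `# 106: role name does not match ansible-lint's ^[a-z][a-z0-9_]+$ pattern` above the entry. A `skip_list` suppression is global for the repository, so the note also helps reviewers judge later whether a narrower per-task `# noqa` would do.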
@ -109,8 +109,8 @@ def main():
|
||||
|
||||
# Get the users that match our criteria.
|
||||
user_list = [x for x in all_users
|
||||
if (x['uid'] >= module.params['min_uid'] and
|
||||
x['uid'] <= module.params['max_uid'])]
|
||||
if (x['uid'] >= module.params['min_uid']
|
||||
and x['uid'] <= module.params['max_uid'])] # noqa: W503
|
||||
|
||||
# Return the user data to the Ansible task.
|
||||
module.exit_json(
|
||||
@ -118,5 +118,6 @@ def main():
|
||||
users=user_list
|
||||
)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
||||
|
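Review bot: The `# noqa: W503` on the `and x['uid'] <= module.params['max_uid'])]` line suppresses the warning at one call site, but the W503/W504 conflict is a property of the project's flake8 configuration rather than of this expression; disabling one of the pair once in the flake8 config (e.g. `ignore = W503`) avoids per-line markers accumulating across the codebase. If the inline marker is kept, a short why-comment such as `# W503 and W504 are mutually exclusive; line-leading 'and' is the PEP 8 preferred form` saves the next reader a lookup. The enclosing `main()` starts outside the hunk.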
@ -4,22 +4,25 @@ galaxy_info:
|
||||
description: Security hardening role for OpenStack-Ansible
|
||||
company: OpenStack
|
||||
license: Apache
|
||||
min_ansible_version: 2.3
|
||||
min_ansible_version: 2.10
|
||||
platforms:
|
||||
- name: Debian
|
||||
versions:
|
||||
- jessie
|
||||
- buster
|
||||
- name: Fedora
|
||||
versions:
|
||||
- 25
|
||||
- name: EL
|
||||
versions:
|
||||
- 7
|
||||
- 8
|
||||
- name: Ubuntu
|
||||
versions:
|
||||
- trusty
|
||||
- xenial
|
||||
- bionic
|
||||
- focal
|
||||
- name: opensuse
|
||||
versions:
|
||||
- 42.1
|
||||
|
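Review bot: `min_ansible_version: 2.10` is an unquoted plain scalar, so a YAML loader reads it as the float `2.1` rather than the string `"2.10"`, and any consumer that compares this field against an Ansible version then sees a requirement nine minor releases lower than intended. Quote it: `min_ansible_version: "2.10"`. The platform version lists mix integer and float scalars (`25`, `7`, `8`, `42.1`) with strings; quoting those as well would keep the whole `galaxy_info` block free of the same implicit-typing trap, though I cannot tell from this hunk whether any consumer is affected by them.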
@ -83,7 +83,7 @@
|
||||
# may be attached to a Kerberos realm and they may not have shadow data on the
|
||||
# system. See bug 1659232 for more details.
|
||||
- name: Set minimum password lifetime limit to 24 hours for interactive accounts
|
||||
shell: "chage -m 1 {{ item.name }}"
|
||||
command: "chage -m 1 {{ item.name }}"
|
||||
when:
|
||||
- item.shadow is mapping
|
||||
- item.shadow.min_days != 1
|
||||
@ -99,7 +99,7 @@
|
||||
# may be attached to a Kerberos realm and they may not have shadow data on the
|
||||
# system. See bug 1659232 for more details.
|
||||
- name: Set maximum password lifetime limit to 60 days for interactive accounts
|
||||
shell: "chage -M 60 {{ item.name }}"
|
||||
command: "chage -M 60 {{ item.name }}"
|
||||
when:
|
||||
- item.shadow is mapping
|
||||
- item.shadow.max_days > 60
|
||||
@ -144,7 +144,7 @@
|
||||
line: "{{ item.parameter }} {{ item.value }}"
|
||||
state: present
|
||||
when:
|
||||
- item.value != ''
|
||||
- item.value is truthy(convert_bool=True)
|
||||
- item.ansible_os_family == 'all' or item.ansible_os_family == ansible_os_family
|
||||
with_items: "{{ shadow_utils_rhel7 }}"
|
||||
tags:
|
||||
@ -210,7 +210,7 @@
|
||||
stat:
|
||||
path: "{{ item['dir'] }}"
|
||||
when:
|
||||
- item['dir'] != ''
|
||||
- item['dir'] | length > 0
|
||||
with_items: "{{ user_list.users }}"
|
||||
register: home_directory_checks
|
||||
tags:
|
||||
|
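Review bot: Replacing `item.value != ''` with `item.value is truthy(convert_bool=True)` in the `@ -144` hunk changes which entries of `shadow_utils_rhel7` get written, not only the linter status: with `convert_bool=True`, a value such as `0`, `no`, `off` or `false` now tests falsy and that parameter is silently skipped instead of being set. Unless every value in `shadow_utils_rhel7` is known never to look boolean or zero, `item.value | length > 0` (the form the `@ -210` hunk adopts for `item['dir']`) preserves the original meaning. The `truthy` test also needs Ansible 2.10, which matches the `min_ansible_version` bump elsewhere in this commit but is worth stating in the commit message. Switching the two `chage` tasks from `shell` to `command` is a good change, since `{{ item.name }}` is no longer interpolated into a shell command line.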
@ -177,7 +177,8 @@
|
||||
|
||||
- name: Set a GRUB 2 password for single-user/maintenance modes
|
||||
block:
|
||||
- blockinfile:
|
||||
- name: Define password options for grub
|
||||
blockinfile:
|
||||
path: "{{ grub_custom_file }}"
|
||||
insertbefore: EOF
|
||||
marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
|
||||
@ -187,7 +188,8 @@
|
||||
state: present
|
||||
notify:
|
||||
- update grub config
|
||||
- lineinfile:
|
||||
- name: Set CLASS for grub file
|
||||
lineinfile:
|
||||
path: "{{ grub_linux_file }}"
|
||||
regexp: '^CLASS=.*'
|
||||
line: 'CLASS="--class gnu-linux --class gnu --class os --unrestricted"'
|
||||
@ -246,8 +248,8 @@
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
register: job_result
|
||||
until: job_result.finished | bool
|
||||
retries: 30
|
||||
until: job_result.finished
|
||||
retries: 60
|
||||
when:
|
||||
- shosts_find is not skipped
|
||||
tags:
|
||||
|
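Review bot: The `@ -246` hunk doubles `retries` from 30 to 60 on the `job_result` polling loop, which is a behavioural change unrelated to the lint fixes and not mentioned in the commit message; if the longer wait is intended it deserves a why-comment, e.g. `retries: 60  # <reason the previous 30 retries was insufficient>`, otherwise keep `retries: 30`. Dropping `| bool` from `until: job_result.finished` is presumably safe if this is an `async_status` poll, whose `finished` field is already 0/1, but a one-line comment saying so would stop a later reader from re-adding the filter. Giving the block's `blockinfile` and `lineinfile` tasks names in the `@ -177` and `@ -187` hunks is a clear improvement.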
@ -49,7 +49,7 @@
|
||||
- C-00001
|
||||
|
||||
- name: Check kdump service
|
||||
command: systemctl status kdump
|
||||
command: systemctl status kdump # noqa 303
|
||||
register: kdump_service_check
|
||||
failed_when: kdump_service_check.rc not in [0,3,4]
|
||||
changed_when: False
|
||||
|
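Review bot: `# noqa 303` on the `systemctl status kdump` line suppresses ansible-lint's command-instead-of-module rule without saying why the module route was rejected, and the same bare marker is added to the apparmor, autofs and firewalld status checks in the later sections. The reason visible here — the task relies on the raw return code, with `failed_when: ... rc not in [0,3,4]` treating inactive/absent units as non-fatal — is worth one comment, e.g. `# noqa 303 - need the raw rc to distinguish inactive/absent from failure`, written once per check. Alternatively `service_facts` would give the same information as structured data and remove the need for the suppression, though I cannot tell from the hunk whether that fits the rest of the file.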
@ -21,6 +21,7 @@
|
||||
failed_when: false
|
||||
when:
|
||||
- ansible_pkg_mgr in ['apt', 'zypper']
|
||||
- security_rhel7_enable_linux_security_module | bool
|
||||
tags:
|
||||
- high
|
||||
- V-71989
|
||||
@ -31,13 +32,14 @@
|
||||
# started apparmor each time. This breaks idempotency and we check
|
||||
# systemd's status directly as an alternative.
|
||||
- name: Check if apparmor is running
|
||||
command: "systemctl status apparmor"
|
||||
command: "systemctl status apparmor" # noqa 303
|
||||
register: systemctl_apparmor_status
|
||||
check_mode: no
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
when:
|
||||
- ansible_pkg_mgr in ['apt', 'zypper']
|
||||
- security_rhel7_enable_linux_security_module | bool
|
||||
tags:
|
||||
- high
|
||||
- V-71989
|
||||
@ -49,6 +51,7 @@
|
||||
when:
|
||||
- ansible_pkg_mgr in ['apt', 'zypper']
|
||||
- security_rhel7_enable_linux_security_module | bool
|
||||
- not check_mode
|
||||
tags:
|
||||
- high
|
||||
- V-71989
|
||||
|
@ -14,9 +14,10 @@
|
||||
# limitations under the License.
|
||||
|
||||
- name: Create temporary directory to hold any temporary files
|
||||
command: "mktemp -d"
|
||||
tempfile:
|
||||
state: directory
|
||||
suffix: hardening
|
||||
register: mktemp_result
|
||||
changed_when: False
|
||||
when:
|
||||
- not check_mode | bool
|
||||
tags:
|
||||
@ -24,7 +25,7 @@
|
||||
|
||||
- name: Set a fact for the temporary directory
|
||||
set_fact:
|
||||
temp_dir: "{{ mktemp_result.stdout }}"
|
||||
temp_dir: "{{ mktemp_result.path }}"
|
||||
changed_when: False
|
||||
when:
|
||||
- not check_mode | bool
|
||||
|
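Review bot: The register name `mktemp_result` is kept after the task moved from `command: "mktemp -d"` to the `tempfile` module, and the second hunk now reads `mktemp_result.path`, so the name no longer describes what produces it. Renaming both sites, e.g. `register: temp_dir_result` and `temp_dir: "{{ temp_dir_result.path }}"`, keeps the two hunks self-explanatory. `changed_when: False` on the `tempfile` task still hides the directory creation from the play recap; that was understandable for the `command` version, but with a module that reports its own change it is worth confirming the suppression is still wanted.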
@ -14,7 +14,7 @@
|
||||
# limitations under the License.
|
||||
|
||||
- name: Check autofs service
|
||||
command: systemctl status autofs
|
||||
command: systemctl status autofs # noqa 303
|
||||
register: autofs_check
|
||||
failed_when: autofs_check.rc not in [0,3,4]
|
||||
changed_when: False
|
||||
@ -289,7 +289,7 @@
|
||||
|
||||
# Returns 0 if installed, 3 if not installed
|
||||
- name: Check firewalld status
|
||||
command: systemctl status firewalld
|
||||
command: systemctl status firewalld # noqa 303
|
||||
register: firewalld_status_check
|
||||
failed_when: firewalld_status_check.rc not in [0,3,4]
|
||||
changed_when: False
|
||||
|