fix linting errors

dev-sec · Aug 8, 2023 · 8220ae9 · 8220ae9
1 parent a9f19a0
commit 8220ae9
Show file tree

Hide file tree

Showing 7 changed files with 60 additions and 59 deletions.
diff --git a/molecule/os_hardening/prepare.yml b/molecule/os_hardening/prepare.yml
@@ -1,5 +1,5 @@
 ---
-- name: wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing
+- name: Wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing
   hosts: all
   become: true
   environment:
@@ -21,43 +21,43 @@
 
     - name: install required tools on SuSE
       # cannot use zypper module, since it depends on python-xml
-      shell: "zypper -n install python-xml"
+      ansible.builtin.shell: zypper -n install python-xml
       when: ansible_facts.os_family == 'Suse'
 
-    - name: install required tools on fedora
-      dnf:
+    - name: Install required tools on fedora
+      ansible.builtin.dnf:
         name:
           - python
           - findutils
           - procps-ng
       when: ansible_facts.distribution == 'Fedora'
 
-    - name: install required tools on Arch
+    - name: Install required tools on Arch
       community.general.pacman:
         name:
           - awk
         state: present
         update_cache: true
       when: ansible_facts.os_family == 'Archlinux'
 
-    - name: install required tools on RHEL  # noqa ignore-errors
-      yum:
+    - name: Install required tools on RHEL # noqa ignore-errors
+      ansible.builtin.yum:
         name:
           - openssh-clients
           - openssh
         state: present
         update_cache: true
       ignore_errors: true
 
-    - name: create recursing symlink to test minimize access
-      shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
+    - name: Create recursing symlink to test minimize access
+      ansible.builtin.shell: rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz
       changed_when: false
 
-    - name: include YUM prepare tasks
-      include_tasks: prepare_tasks/yum.yml
+    - name: Include YUM prepare tasks
+      ansible.builtin.include_tasks: prepare_tasks/yum.yml
       when: ansible_facts.os_family == 'RedHat'
 
-    - name: include preparation tasks
+    - name: Include preparation tasks
       ansible.builtin.include_tasks:
         file: "{{ item }}"
       loop:

diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml
@@ -7,14 +7,14 @@
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
-    - name: set ansible_python_interpreter to "/usr/bin/python3"
-      set_fact:
-        ansible_python_interpreter: "/usr/bin/python3"
+    - name: Set ansible_python_interpreter to "/usr/bin/python3"
+      ansible.builtin.set_fact:
+        ansible_python_interpreter: /usr/bin/python3
 
-    - name: include verification tasks
+    - name: Include verification tasks
       ansible.builtin.include_tasks:
         file: "{{ item }}"
-      loop: 
+      loop:
         - verify_tasks/sys_account_shell.yml
         - verify_tasks/pw_ageing.yml
         - verify_tasks/netrc.yml
@@ -37,7 +37,7 @@
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
     - name: Execute cinc-auditor tests
-      command: >
+      ansible.builtin.command: >
         docker run
         --volume /run/docker.sock:/run/docker.sock
         --volume {{ playbook_dir }}/waivers.yaml:/waivers.yaml
@@ -51,12 +51,12 @@
       ignore_errors: true
 
     - name: Display details about the cinc-auditor results
-      debug:
+      ansible.builtin.debug:
         msg: "{{ test_results.stdout_lines }}"
 
     - name: Fail when tests fail
-      fail:
-        msg: "Inspec failed to validate"
+      ansible.builtin.fail:
+        msg: Inspec failed to validate
       when: test_results.rc != 0
 
 - name: Verify
@@ -70,15 +70,15 @@
     - devsec.hardening
   tasks:
     # test if variable can be overridden
-    - name: workaround for https://github.com/ansible/ansible/issues/66304
-      set_fact:
-        ansible_virtualization_type: "docker"
+    - name: Workaround for https://github.com/ansible/ansible/issues/66304
+      ansible.builtin.set_fact:
+        ansible_virtualization_type: docker
         os_env_umask: "027 #override"
 
-    - include_role:
+    - ansible.builtin.include_role:
         name: os_hardening
 
-    - name: verify os_env_umask
-      shell:
+    - name: Verify os_env_umask
+      ansible.builtin.shell:
         cmd: "grep '027 #override' /etc/login.defs"
       changed_when: false
diff --git a/molecule/os_hardening/verify_tasks/netrc.yml b/molecule/os_hardening/verify_tasks/netrc.yml
@@ -1,19 +1,19 @@
 ---
 - name: test that .netrc in root homedir exists
   ansible.builtin.file:
-    path: '/root/.netrc'
+    path: /root/.netrc
     state: file
   register: result_test_netrc
 
 - name: output result if .netrc for user root exists
   ansible.builtin.assert:
     that:
-      - "result_test_netrc.state == 'file'"
-    fail_msg: ".netrc in /root/ not present"
-    success_msg: ".netrc exists in /root/"
+      - result_test_netrc.state == 'file'
+    fail_msg: .netrc in /root/ not present
+    success_msg: .netrc exists in /root/
 
 - name: delete '.netrc' in /root
   ansible.builtin.file:
-    path: '/root/.netrc'
+    path: /root/.netrc
     state: absent
   when: result_test_netrc.state == 'file'
diff --git a/molecule/os_hardening/verify_tasks/pam.yml b/molecule/os_hardening/verify_tasks/pam.yml
@@ -1,13 +1,12 @@
 ---
-
-- name: install pip
-  package:
+- name: Install pip
+  ansible.builtin.package:
     name:
       - python3-pip
       - python3-setuptools
     state: present
 
-- name: install pam-tester
+- name: Install pam-tester
   ansible.builtin.pip:
     name: pam-tester
     state: present
@@ -17,50 +16,50 @@
   set_fact:
     test_pw: "myTest!pw"
 
-- name: set locale for test
-  set_fact:
-    locale: "en_US.UTF-8"
+- name: Set locale for test
+  ansible.builtin.set_fact:
+    locale: en_US.UTF-8
   when:
     - ansible_facts.os_family == 'RedHat'
     - ansible_facts.distribution_major_version < '8'
 
-- name: create testuser
-  user:
+- name: Create testuser
+  ansible.builtin.user:
     name: testuser
     password: "{{ test_pw | password_hash('sha512') }}"
 
-- name: check successful login with correct password
-  shell:
-    cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
+- name: Check successful login with correct password
+  ansible.builtin.shell:
+    cmd: /usr/local/bin/pam-tester --user testuser --password {{ test_pw }}
   environment:
     TMPDIR: /var/tmp
     LC_ALL: "{{ locale | default('C.UTF-8') }}"
     LANG: "{{ locale | default('C.UTF-8') }}"
 
-- name: check unsuccessful login with incorrect password
-  shell:
-    cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
+- name: Check unsuccessful login with incorrect password
+  ansible.builtin.shell:
+    cmd: /usr/local/bin/pam-tester --user testuser --password {{ test_pw }}fail --expectfail
   environment:
     TMPDIR: /var/tmp
     LC_ALL: "{{ locale | default('C.UTF-8') }}"
     LANG: "{{ locale | default('C.UTF-8') }}"
   with_sequence: count=6
 
-- name: check unsuccessful login, with correct password (lockout)
-  shell:
-    cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }} --expectfail"
+- name: Check unsuccessful login, with correct password (lockout)
+  ansible.builtin.shell:
+    cmd: /usr/local/bin/pam-tester --user testuser --password {{ test_pw }} --expectfail
   environment:
     TMPDIR: /var/tmp
     LC_ALL: "{{ locale | default('C.UTF-8') }}"
     LANG: "{{ locale | default('C.UTF-8') }}"
 
-- name: wait for account to unlock
-  pause:
+- name: Wait for account to unlock
+  ansible.builtin.pause:
     seconds: 20
 
-- name: check successful login
-  shell:
-    cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
+- name: Check successful login
+  ansible.builtin.shell:
+    cmd: /usr/local/bin/pam-tester --user testuser --password {{ test_pw }}
   environment:
     TMPDIR: /var/tmp
     LC_ALL: "{{ locale | default('C.UTF-8') }}"

diff --git a/molecule/os_hardening/verify_tasks/sys_account_shell.yml b/molecule/os_hardening/verify_tasks/sys_account_shell.yml
@@ -1,8 +1,9 @@
+---
 - name: Read local linux user database
-  getent:
+  ansible.builtin.getent:
     database: passwd
 
 - name: Check that shell_sys_acc's shell is still bash
-  assert:
+  ansible.builtin.assert:
     that:
       - getent_passwd['shell_sys_acc'][5] == "/bin/bash"
diff --git a/molecule/os_hardening/verify_tasks/yum.yml b/molecule/os_hardening/verify_tasks/yum.yml
@@ -1,8 +1,8 @@
 ---
 - name: verify 'gpgcheck' was not enabled for 'foo' repository (in whitelist)
-  command: grep -e 'gpgcheck\s*=\s*0' /etc/yum.repos.d/foo.repo
+  ansible.builtin.command: grep -e 'gpgcheck\s*=\s*0' /etc/yum.repos.d/foo.repo
   changed_when: false
 
 - name: verify 'gpgcheck' was enabled for 'bar' repository (not in whitelist)
-  command: grep -e 'gpgcheck\s*=\s*1' /etc/yum.repos.d/bar.repo
+  ansible.builtin.command: grep -e 'gpgcheck\s*=\s*1' /etc/yum.repos.d/bar.repo
   changed_when: false
diff --git a/molecule/os_hardening_vm/verify_tasks/pam.yml b/molecule/os_hardening_vm/verify_tasks/pam.yml
@@ -10,6 +10,7 @@
   ansible.builtin.pip:
     name: pam-tester
     state: present
+    executable: /usr/bin/pip3
 
 - name: set password for test
   set_fact: