lint updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-09-05 09:15:31 +01:00 · 2024-09-05 09:15:31 +01:00 · c090ca580e
parent 8e3457ee3c
commit c090ca580e
2 changed files with 145 additions and 148 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -677,7 +677,6 @@ ubtu24cis_sysctl_kernel_conf: /etc/sysctl.d/98_cis_kernel.conf
 # options = 1, 2 or 3
 ubtu24_ptrace_value: 1
 ## Controls 1.6.x  - Warning banners
 # The controls 1.6.x set various warning banners and protect the respective files
 # by tightening the access rights.
@ -718,20 +717,20 @@ ubtu24cis_time_sync_tool: "systemd-timesyncd"
 # The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation
 # of the time synchronization mechanism you are using.
 ubtu24cis_time_pool:
-    - name: time.nist.gov
+  - name: time.nist.gov
-      options: iburst maxsources 4
+    options: iburst maxsources 4
 # The following variable represents a list of of time servers used
 # for configuring chrony and timesyncd
 # Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`.
 # The default setting for the `options` is `iburst` -- please refer to the documentation
 # of the time synchronization mechanism you are using.
 ubtu24cis_time_servers:
-    - name: time-a-g.nist.gov
+  - name: time-a-g.nist.gov
-      options: iburst
+    options: iburst
-    - name: time-b-g.nist.gov
+  - name: time-b-g.nist.gov
-      options: iburst
+    options: iburst
-    - name: time-c-g.nist.gov
+  - name: time-c-g.nist.gov
-      options: iburst
+    options: iburst
 ##
 ## Section 3 Control Variables
@ -784,9 +783,9 @@ ubtu24cis_ufw_use_sysctl: true
 # If you want to allow outbound traffic on all ports, set the variable to  `all`, e.g.,
 # `ubtu24cis_ufw_allow_out_ports: "all"`.
 ubtu24cis_ufw_allow_out_ports:
-    - 53
+  - 53
-    - 80
+  - 80
-    - 443
+  - 443
 ## Controls 4.2.x - nftables
 # Nftables is not supported in this role. Some tasks have parts of them commented out, this is one example
@ -810,86 +809,86 @@ ubtu24cis_sshd_default_client_alive_count_max: 3
 # all Ciphers, KEX and Macs set to FIPS 140
 # This will nee dto be adjusted according to your site requirements
 ubtu24cis_sshd_default_ciphers:
-    - aes256-gcm@openssh.com
+  - aes256-gcm@openssh.com
-    - aes128-gcm@openssh.com
+  - aes128-gcm@openssh.com
-    - aes256-ctr
+  - aes256-ctr
-    - aes192-ctr
+  - aes192-ctr
-    - aes128-ctr
+  - aes128-ctr
 ubtu24cis_sshd_default_macs:
-    - hmac-sha1
+  - hmac-sha1
-    - hmac-sha2-256
+  - hmac-sha2-256
-    #  - hmac-sha2-384  # hashed out seen as bad ssh2 MAC
+  #  - hmac-sha2-384  # hashed out seen as bad ssh2 MAC
-    - hmac-sha2-512
+  - hmac-sha2-512
 ubtu24cis_sshd_default_kex_algorithms:
-    - ecdh-sha2-nistp256
+  - ecdh-sha2-nistp256
-    - ecdh-sha2-nistp384
+  - ecdh-sha2-nistp384
-    - ecdh-sha2-nistp521
+  - ecdh-sha2-nistp521
-    - diffie-hellman-group-exchange-sha256
+  - diffie-hellman-group-exchange-sha256
-    - diffie-hellman-group16-sha512
+  - diffie-hellman-group16-sha512
-    - diffie-hellman-group18-sha512
+  - diffie-hellman-group18-sha512
-    - diffie-hellman-group14-sha256
+  - diffie-hellman-group14-sha256
 ubtu24cis_sshd:
-    # This variable is used to control the verbosity of the logging produced by the SSH server.
+  # This variable is used to control the verbosity of the logging produced by the SSH server.
-    # The options for setting it are as follows:
+  # The options for setting it are as follows:
-    # - `QUIET`: Minimal logging;
+  # - `QUIET`: Minimal logging;
-    # - `FATAL`: logs only fatal errors;
+  # - `FATAL`: logs only fatal errors;
-    # - `ERROR`: logs error messages;
+  # - `ERROR`: logs error messages;
-    # - `INFO`: logs informational messages in addition to errors;
+  # - `INFO`: logs informational messages in addition to errors;
-    # - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges;
+  # - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges;
-    # - `DEBUG`: generates very detailed debugging information including sensitive information.
+  # - `DEBUG`: generates very detailed debugging information including sensitive information.
-    log_level: "{{ ubtu24cis_sshd_default_log_level }}"
+  log_level: "{{ ubtu24cis_sshd_default_log_level }}"
-    # This variable specifies the maximum number of authentication attempts that are
+  # This variable specifies the maximum number of authentication attempts that are
-    # allowed for a single SSH session.
+  # allowed for a single SSH session.
-    max_auth_tries: "{{ubtu24cis_sshd_default_max_auth_tries}}"
+  max_auth_tries: "{{ubtu24cis_sshd_default_max_auth_tries}}"
-    # This variable specifies the encryption algorithms that can be used for securing
+  # This variable specifies the encryption algorithms that can be used for securing
-    # data transmission.
+  # data transmission.
-    ciphers: "{{ ubtu24cis_sshd_default_ciphers }}"
+  ciphers: "{{ ubtu24cis_sshd_default_ciphers }}"
-    # This variable specifies a list of message authentication code algorithms (MACs) that are allowed for verifying
+  # This variable specifies a list of message authentication code algorithms (MACs) that are allowed for verifying
-    # the integrity of data exchanged.
+  # the integrity of data exchanged.
-    macs: "{{ ubtu24cis_sshd_default_macs }}"
+  macs: "{{ ubtu24cis_sshd_default_macs }}"
-    # This variable is used to state the key exchange algorithms used to establish secure encryption
+  # This variable is used to state the key exchange algorithms used to establish secure encryption
-    # keys during the initial connection setup.
+  # keys during the initial connection setup.
-    kex_algorithms: "{{ ubtu24cis_sshd_default_kex_algorithms }}"
+  kex_algorithms: "{{ ubtu24cis_sshd_default_kex_algorithms }}"
-    # This variable sets the time interval in seconds between sending "keep-alive"
+  # This variable sets the time interval in seconds between sending "keep-alive"
-    # messages from the server to the client. These types of messages are intended to
+  # messages from the server to the client. These types of messages are intended to
-    # keep the connection alive and prevent it being terminated due to inactivity.
+  # keep the connection alive and prevent it being terminated due to inactivity.
-    client_alive_interval: "{{ ubtu24cis_sshd_default_client_alive_interval }}"
+  client_alive_interval: "{{ ubtu24cis_sshd_default_client_alive_interval }}"
-    # This variable sets the maximum number of unresponsive "keep-alive" messages
+  # This variable sets the maximum number of unresponsive "keep-alive" messages
-    # that can be sent from the server to the client before the connection is considered
+  # that can be sent from the server to the client before the connection is considered
-    # inactive and thus, closed.
+  # inactive and thus, closed.
-    client_alive_count_max: "{{ ubtu24cis_sshd_default_client_alive_count_max }}"
+  client_alive_count_max: "{{ ubtu24cis_sshd_default_client_alive_count_max }}"
-    # This variable specifies the amount of seconds allowed for successful authentication to
+  # This variable specifies the amount of seconds allowed for successful authentication to
-    # the SSH server.
+  # the SSH server.
-    login_grace_time: "{{ ubtu24cis_sshd_default_login_grace_time }}"
+  login_grace_time: "{{ ubtu24cis_sshd_default_login_grace_time }}"
-    # This variables is used to set the maximum number of open sessions per connection.
+  # This variables is used to set the maximum number of open sessions per connection.
-    max_sessions: "{{ ubtu24cis_sshd_default_max_sessions }}"
+  max_sessions: "{{ ubtu24cis_sshd_default_max_sessions }}"
-    # This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH
+  # This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH
-    # access for users whose user name matches one of the patterns. This is done
+  # access for users whose user name matches one of the patterns. This is done
-    # by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file.
+  # by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file.
-    # If an USER@HOST format will be used, the specified user will be allowed only on that particular host.
+  # If an USER@HOST format will be used, the specified user will be allowed only on that particular host.
-    # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+  # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
-    # For more info, see https://linux.die.net/man/5/sshd_config
+  # For more info, see https://linux.die.net/man/5/sshd_config
-    allow_users: ""
+  allow_users: ""
-    # (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
+  # (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
-    # for users whose primary group or supplementary group list matches one of the patterns. This is done
+  # for users whose primary group or supplementary group list matches one of the patterns. This is done
-    # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
+  # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
-    # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+  # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
-    # For more info, https://linux.die.net/man/5/sshd_config
+  # For more info, https://linux.die.net/man/5/sshd_config
-    allow_groups: ""
+  allow_groups: ""
-    # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
+  # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
-    # for users whose user name matches one of the patterns. This is done
+  # for users whose user name matches one of the patterns. This is done
-    # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
+  # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
-    # If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
+  # If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
-    # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+  # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
-    # For more info, see https://linux.die.net/man/5/sshd_config
+  # For more info, see https://linux.die.net/man/5/sshd_config
-    deny_users: ""
+  deny_users: ""
-    # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
+  # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
-    # for users whose primary group or supplementary group list matches one of the patterns. This is done
+  # for users whose primary group or supplementary group list matches one of the patterns. This is done
-    # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
+  # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
-    # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
+  # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
-    # For more info, see https://linux.die.net/man/5/sshd_config
+  # For more info, see https://linux.die.net/man/5/sshd_config
-    deny_groups: ""
+  deny_groups: ""
 ## Control 5.2.1
 # This variable represents the name of the sudo package to install
@ -1016,22 +1015,22 @@ ubtu24cis_pamd_pwhistory_remember: 24
 ## Controls 5.4.1.x - Password settings
 ubtu24cis_pass:
-    ## Control 5.4.1.1
+  ## Control 5.4.1.1
-    # This variable governs after how many days a  password expires.
+  # This variable governs after how many days a  password expires.
-    # CIS requires a value of 365 or less.
+  # CIS requires a value of 365 or less.
-    max_days: 365
+  max_days: 365
-    ## Control 5.4.1.2
+  ## Control 5.4.1.2
-    # This variable specifies the minimum number of days allowed between changing passwords.
+  # This variable specifies the minimum number of days allowed between changing passwords.
-    # CIS requires a value of at least 1.
+  # CIS requires a value of at least 1.
-    min_days: 1
+  min_days: 1
-    ## Control 5.5.1.3
+  ## Control 5.5.1.3
-    # This variable governs, how many days before a password expires, the user will be warned.
+  # This variable governs, how many days before a password expires, the user will be warned.
-    # CIS requires a value of at least 7.
+  # CIS requires a value of at least 7.
-    warn_age: 7
+  warn_age: 7
-    ## Control 5.4.1.5
+  ## Control 5.4.1.5
-    # This variable specifies the number of days of inactivity before an account will be locked.
+  # This variable specifies the number of days of inactivity before an account will be locked.
-    # CIS requires a value of 45 days or less.
+  # CIS requires a value of 45 days or less.
-    inactive: 45
+  inactive: 45
 # 5.4.2.6 root umask
 ubtu24cis_root_umask: '0027'  # 0027 or more restrictive
@ -1119,14 +1118,13 @@ ubtu24cis_allow_auditd_uid_user_exclusions: false
 # add a list of uids
 ubtu24cis_auditd_uid_exclude:
-    - 1999
+  - 1999
 # 6.1.3.8
 # ubtu24cis_logrotate sets the daily, weekly, monthly, yearly value for the log rotation
 # To conform to CIS standards this just needs to comply with your site policy
 ubtu24cis_logrotate: "daily"
 ##  Control 6.2.1.4 - Ensure audit_backlog_limit is sufficient
 # This variable represents the audit backlog limit, i.e., the maximum number of audit records that the
 # system can buffer in memory, if the audit subsystem is unable to process them in real-time.
@ -1190,10 +1188,10 @@ ubtu24cis_config_aide: true
 ## When Initializing aide this can take longer on some systems
 # changing the values enables user to change to thier own requirements
 ubtu24cis_aide_init:
-    # Maximum Time in seconds
+  # Maximum Time in seconds
-    async: 45
+  async: 45
-    # Polling Interval in seconds
+  # Polling Interval in seconds
-    poll: 0
+  poll: 0
 ## Control 6.3
 # Set how aide is scanned either cron or timer
@ -1204,36 +1202,35 @@ ubtu24cis_aide_scan: cron
 # Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled
 # and executed automatically at a certain point in time.
 ubtu24cis_aide_cron:
-    # This variable represents the user account under which the cron job for AIDE will run.
+  # This variable represents the user account under which the cron job for AIDE will run.
-    cron_user: root
+  cron_user: root
-    # This variable represents the path to the AIDE crontab file.
+  # This variable represents the path to the AIDE crontab file.
-    cron_file: /etc/cron.d/aide_cron
+  cron_file: /etc/cron.d/aide_cron
-    # This variable represents the actual command or script that the cron job
+  # This variable represents the actual command or script that the cron job
-    # will execute for running AIDE.
+  # will execute for running AIDE.
-    aide_job: '/usr/bin/aide --config /etc/aide/aide.conf --check'
+  aide_job: '/usr/bin/aide --config /etc/aide/aide.conf --check'
-    # These variables define the schedule for the cron job
+  # These variables define the schedule for the cron job
-    # This variable governs the minute of the time of day when the AIDE cronjob is run.
+  # This variable governs the minute of the time of day when the AIDE cronjob is run.
-    # It must be in the range `0-59`.
+  # It must be in the range `0-59`.
-    aide_minute: 0
+  aide_minute: 0
-    # This variable governs the hour of the time of day when the AIDE cronjob is run.
+  # This variable governs the hour of the time of day when the AIDE cronjob is run.
-    # It must be in the range `0-23`.
+  # It must be in the range `0-23`.
-    aide_hour: 5
+  aide_hour: 5
-    # This variable governs the day of the month when the AIDE cronjob is run.
+  # This variable governs the day of the month when the AIDE cronjob is run.
-    # `*` signifies that the job is run on all days; furthermore, specific days
+  # `*` signifies that the job is run on all days; furthermore, specific days
-    # can be given in the range `1-31`; several days can be concatenated with a comma.
+  # can be given in the range `1-31`; several days can be concatenated with a comma.
-    # The specified day(s) can must be in the range  `1-31`.
+  # The specified day(s) can must be in the range  `1-31`.
-    aide_day: '*'
+  aide_day: '*'
-    # This variable governs months when the AIDE cronjob is run.
+  # This variable governs months when the AIDE cronjob is run.
-    # `*` signifies that the job is run in every month; furthermore, specific months
+  # `*` signifies that the job is run in every month; furthermore, specific months
-    # can be given in the range `1-12`; several months can be concatenated with commas.
+  # can be given in the range `1-12`; several months can be concatenated with commas.
-    # The specified month(s) can must be in the range  `1-12`.
+  # The specified month(s) can must be in the range  `1-12`.
-    aide_month: '*'
+  aide_month: '*'
-    # This variable governs the weekdays, when the AIDE cronjob is run.
+  # This variable governs the weekdays, when the AIDE cronjob is run.
-    # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
+  # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
-    # can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays
+  # can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays
-    # can be concatenated with commas.
+  # can be concatenated with commas.
-    aide_weekday: '*'
+  aide_weekday: '*'
 ##
 ## Section 7 Control Variables
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@ -128,15 +128,15 @@
 - name: "5.2.7 | PATCH | Ensure access to the su command is restricted"
  when:
-      - ubtu24cis_rule_5_2_7
+    - ubtu24cis_rule_5_2_7
  tags:
-      - level1-server
+    - level1-server
-      - level1-workstation
+    - level1-workstation
-      - patch
+    - patch
-      - sudo
+    - sudo
-      - rule_5.2.7
+    - rule_5.2.7
-      - NIST800-53R5_AC-3
+    - NIST800-53R5_AC-3
-      - NIST800-53R5_MP-2
+    - NIST800-53R5_MP-2
  block:
    - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists"
      ansible.builtin.group: