dev-sec · rndmh3ro · Mar 25, 2021 · Mar 17, 2021
diff --git a/roles/mysql_hardening/handlers/main.yml b/roles/mysql_hardening/handlers/main.yml
@@ -1,6 +1,6 @@
 ---
 
-- name: restart mysql
+- name: Restart mysql
   service:
     name: '{{ mysql_daemon }}'
     state: restarted

diff --git a/roles/mysql_hardening/tasks/configure.yml b/roles/mysql_hardening/tasks/configure.yml
@@ -1,5 +1,5 @@
 ---
-- name: protect my.cnf
+- name: Protect my.cnf
   file:
     path: '{{ mysql_hardening_mysql_conf_file }}'
     mode: '0640'
@@ -8,49 +8,49 @@
     follow: true
     state: file
 
-- name: ensure permissions on mysql-datadir are correct
+- name: Ensure permissions on mysql-datadir are correct
   file:
     path: '{{ mysql_datadir }}'
     state: directory
     owner: '{{ mysql_hardening_user }}'
     group: '{{ mysql_hardening_user }}'
     mode: '0750'
 
-- name: ensure permissions on mysql-logfile are correct
+- name: Ensure permissions on mysql-logfile are correct
   file:
     path: '{{ mysql_hardening_log_file }}'
     state: file
     owner: '{{ mysql_hardening_user }}'
     group: '{{ mysql_hardening_group }}'
     mode: '0640'
 
-- name: check mysql configuration-directory exists and has right permissions
+- name: Check mysql configuration-directory exists and has right permissions
   file:
     path: '{{ mysql_hardening_mysql_confd_dir }}'
     state: directory
     owner: '{{ mysql_hardening_user }}'
     group: '{{ mysql_hardening_group }}'
     mode: '0750'
 
-- name: check include-dir directive is present in my.cnf
+- name: Check include-dir directive is present in my.cnf
   lineinfile:
     dest: '{{ mysql_hardening_mysql_conf_file }}'
     line: '!includedir {{ mysql_hardening_mysql_confd_dir }}'
     insertafter: 'EOF'
     state: present
     backup: true
-  notify: restart mysql
+  notify: Restart mysql
 
-- name: apply hardening configuration
+- name: Apply hardening configuration
   template:
     src: 'hardening.cnf.j2'
     dest: '{{ mysql_hardening_mysql_hardening_conf_file }}'
     owner: '{{ mysql_cnf_owner }}'
     group: '{{ mysql_cnf_group }}'
     mode: '0640'
-  notify: restart mysql
+  notify: Restart mysql
 
-- name: enable mysql
+- name: Enable mysql
   service:
     name: '{{ mysql_daemon }}'
     enabled: '{{ mysql_daemon_enabled }}'
diff --git a/roles/mysql_hardening/tasks/mysql_secure_installation.yml b/roles/mysql_hardening/tasks/mysql_secure_installation.yml
@@ -1,40 +1,40 @@
 ---
-- name: fail the role if the mysql root password was not set
+- name: Fail the role if the mysql root password was not set
   fail:
     msg: 'ERROR - you have to change default mysql_root_password'
   when: mysql_root_password == '-----====>SetR00tPa$$wordH3r3!!!<====-----'
 
-- name: root password is present
+- name: Root password is present
   mysql_user:
     name: 'root'
     host_all: true
     password: '{{ mysql_root_password | mandatory }}'
     state: present
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
 
-- name: install .my.cnf with credentials
+- name: Install .my.cnf with credentials
   template:
     src: 'my.cnf.j2'
     dest: '{{ mysql_user_home }}/.my.cnf'
     mode: '0400'
   tags: my_cnf
 
-- name: test database is absent
+- name: Test database is absent
   mysql_db:
     name: test
     state: absent
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   when: mysql_remove_test_database
 
-- name: anonymous users are absent
+- name: Anonymous users are absent
   mysql_user:
     name: ''
     state: absent
     host_all: true
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   when: mysql_remove_anonymous_users
 
-- name: remove remote root
+- name: Remove remote root
   community.mysql.mysql_query:
     query:
       - DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')

diff --git a/roles/nginx_hardening/handlers/main.yml b/roles/nginx_hardening/handlers/main.yml
@@ -1,5 +1,5 @@
 ---
-- name: restart nginx
+- name: Restart nginx
   service:
     name: "nginx"
     state: restarted
diff --git a/roles/nginx_hardening/tasks/main.yml b/roles/nginx_hardening/tasks/main.yml
@@ -1,14 +1,14 @@
 ---
-- name: create additional configuration
+- name: Create additional configuration
   template:
     src: "hardening.conf.j2"
     dest: "/etc/nginx/conf.d/90.hardening.conf"
     mode: '0600'
     owner: "root"
     group: "root"
-  notify: restart nginx
+  notify: Restart nginx
 
-- name: change configuration in main nginx.conf
+- name: Change configuration in main nginx.conf
   lineinfile:
     dest: "/etc/nginx/nginx.conf"
     regexp: '^\s*server_tokens'
@@ -17,9 +17,9 @@
     mode: '0640'
     owner: "root"
     group: "root"
-  notify: restart nginx
+  notify: Restart nginx
 
-- name: change ssl_protocols in main nginx.conf
+- name: Change ssl_protocols in main nginx.conf
   lineinfile:
     dest: "/etc/nginx/nginx.conf"
     regexp: '^\s*ssl_protocols'
@@ -28,9 +28,9 @@
     mode: '0640'
     owner: "root"
     group: "root"
-  notify: restart nginx
+  notify: Restart nginx
 
-- name: change ssl_prefer_server_ciphers in main nginx.conf
+- name: Change ssl_prefer_server_ciphers in main nginx.conf
   lineinfile:
     dest: "/etc/nginx/nginx.conf"
     regexp: '^\s*ssl_prefer_server_ciphers'
@@ -39,9 +39,9 @@
     mode: '0640'
     owner: "root"
     group: "root"
-  notify: restart nginx
+  notify: Restart nginx
 
-- name: change client_max_body_size in main nginx.conf
+- name: Change client_max_body_size in main nginx.conf
   lineinfile:
     dest: "/etc/nginx/nginx.conf"
     regexp: '^\s*client_max_body_size'
@@ -50,9 +50,9 @@
     mode: '0640'
     owner: "root"
     group: "root"
-  notify: restart nginx
+  notify: Restart nginx
 
-- name: change client_body_buffer_size in main nginx.conf
+- name: Change client_body_buffer_size in main nginx.conf
   lineinfile:
     dest: "/etc/nginx/nginx.conf"
     regexp: '^\s*client_body_buffer_size'
@@ -61,9 +61,9 @@
     mode: '0640'
     owner: "root"
     group: "root"
-  notify: restart nginx
+  notify: Restart nginx
 
-- name: change keepalive_timeout in main nginx.conf
+- name: Change keepalive_timeout in main nginx.conf
   lineinfile:
     dest: "/etc/nginx/nginx.conf"
     regexp: '^\s*keepalive_timeout'
@@ -72,23 +72,23 @@
     mode: '0640'
     owner: "root"
     group: "root"
-  notify: restart nginx
+  notify: Restart nginx
 
-- name: remove default.conf
+- name: Remove default.conf
   file:
     path: "{{ item }}"
     state: absent
   when: nginx_remove_default_site
-  notify: restart nginx
+  notify: Restart nginx
   loop:
     - "/etc/nginx/conf.d/default.conf"
     - "/etc/nginx/sites-enabled/default"
 
-- name: generate dh group
+- name: Generate dh group
   openssl_dhparam:
     path: "/etc/nginx/dh{{ nginx_dh_size }}.pem"
     size: "{{ nginx_dh_size }}"
     mode: '0640'
     owner: "root"
     group: "root"
-  notify: restart nginx
+  notify: Restart nginx
diff --git a/roles/os_hardening/handlers/main.yml b/roles/os_hardening/handlers/main.yml
@@ -1,3 +1,3 @@
 ---
-- name: update-initramfs
+- name: Update-initramfs
   command: 'update-initramfs -u'
diff --git a/roles/os_hardening/tasks/apt.yml b/roles/os_hardening/tasks/apt.yml
@@ -1,5 +1,5 @@
 ---
-- name: remove deprecated or insecure packages | package-01 - package-09
+- name: Remove deprecated or insecure packages | package-01 - package-09
   apt:
     name: '{{ os_security_packages_list }}'
     state: 'absent'

diff --git a/roles/os_hardening/tasks/auditd.yml b/roles/os_hardening/tasks/auditd.yml
@@ -1,10 +1,10 @@
 ---
-- name: install auditd package | package-08
+- name: Install auditd package | package-08
   package:
     name: '{{ auditd_package }}'
     state: 'present'
 
-- name: configure auditd | package-08
+- name: Configure auditd | package-08
   template:
     src: 'etc/audit/auditd.conf.j2'
     dest: '/etc/audit/auditd.conf'

diff --git a/roles/os_hardening/tasks/limits.yml b/roles/os_hardening/tasks/limits.yml
@@ -1,14 +1,14 @@
 ---
 - block:
-  - name: create limits.d-directory if it does not exist | sysctl-31a, sysctl-31b
+  - name: Create limits.d-directory if it does not exist | sysctl-31a, sysctl-31b
     file:
       path: '/etc/security/limits.d'
       owner: 'root'
       group: 'root'
       mode: '0755'
       state: 'directory'
 
-  - name: create additional limits config file -> 10.hardcore.conf | sysctl-31a, sysctl-31b
+  - name: Create additional limits config file -> 10.hardcore.conf | sysctl-31a, sysctl-31b
     pam_limits:
       dest: '/etc/security/limits.d/10.hardcore.conf'
       domain: '*'
@@ -17,7 +17,7 @@
       value: '0'
       comment: Prevent core dumps for all users. These are usually not needed and may contain sensitive information
 
-  - name: set 10.hardcore.conf perms to 0400 and root ownership
+  - name: Set 10.hardcore.conf perms to 0400 and root ownership
     file:
       path: /etc/security/limits.d/10.hardcore.conf
       owner: 'root'
@@ -29,7 +29,7 @@
 
   when: not os_security_kernel_enable_core_dump | bool
 
-- name: remove 10.hardcore.conf config file
+- name: Remove 10.hardcore.conf config file
   file:
     path: /etc/security/limits.d/10.hardcore.conf
     state: absent

diff --git a/roles/os_hardening/tasks/login_defs.yml b/roles/os_hardening/tasks/login_defs.yml
@@ -1,5 +1,5 @@
 ---
-- name: create login.defs | os-05, os-05b
+- name: Create login.defs | os-05, os-05b
   template:
     src: 'etc/login.defs.j2'
     dest: '/etc/login.defs'

diff --git a/roles/os_hardening/tasks/minimize_access.yml b/roles/os_hardening/tasks/minimize_access.yml
@@ -4,7 +4,7 @@
 # still getting found and the permissions minimized in the next task.
 # This is also the reason why there's ignore_errors: true on the task.
 # also see: https://github.com/dev-sec/ansible-os-hardening/issues/219
-- name: find files with write-permissions for group
+- name: Find files with write-permissions for group
   shell: "find -L {{ item }} -perm /go+w -type f"  # noqa command-instead-of-shell
   with_flattened:
     - '/usr/local/sbin'
@@ -18,7 +18,7 @@
   ignore_errors: true
   changed_when: false
 
-- name: minimize access on found files
+- name: Minimize access on found files
   file:
     path: '{{ item.1 }}'
     mode: 'go-w'
@@ -27,29 +27,29 @@
     - "{{ minimize_access_directories.results }}"
     - stdout_lines
 
-- name: change shadow ownership to root and mode to 0600 | os-02
+- name: Change shadow ownership to root and mode to 0600 | os-02
   file:
     dest: '/etc/shadow'
     owner: '{{ os_shadow_perms.owner }}'
     group: '{{ os_shadow_perms.group }}'
     mode: '{{ os_shadow_perms.mode }}'
 
-- name: change passwd ownership to root and mode to 0644 | os-03
+- name: Change passwd ownership to root and mode to 0644 | os-03
   file:
     dest: '/etc/passwd'
     owner: '{{ os_passwd_perms.owner }}'
     group: '{{ os_passwd_perms.group }}'
     mode: '{{ os_passwd_perms.mode }}'
 
-- name: change su-binary to only be accessible to user and group root
+- name: Change su-binary to only be accessible to user and group root
   file:
     dest: '/bin/su'
     owner: 'root'
     group: 'root'
     mode: '0750'
   when: '"change_user" not in os_security_users_allow'
 
-- name: set option hidepid for proc filesystem
+- name: Set option hidepid for proc filesystem
   mount:
     path: /proc
     src: proc

diff --git a/roles/os_hardening/tasks/modprobe.yml b/roles/os_hardening/tasks/modprobe.yml
@@ -1,28 +1,28 @@
 ---
-- name: install modprobe to disable filesystems | os-10
+- name: Install modprobe to disable filesystems | os-10
   package:
     name: '{{ modprobe_package }}'
     state: 'present'
 
-- name: check if efi is installed
+- name: Check if efi is installed
   stat:
     path: "/sys/firmware/efi"
   register: efi_installed
 
-- name: remove vfat from fs-list if efi is used
+- name: Remove vfat from fs-list if efi is used
   set_fact:
     os_unused_filesystems: "{{ os_unused_filesystems | difference('vfat') }}"
   when:
     - efi_installed.stat.isdir is defined
     - efi_installed.stat.isdir
 
-- name: remove used filesystems from fs-list
+- name: Remove used filesystems from fs-list
   set_fact:
     os_unused_filesystems: "{{ os_unused_filesystems | difference(ansible_mounts | map(attribute='fstype') | list) }}"
   # we cannot do this on el6 and below, because these systems don't support the map function
   when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
 
-- name: disable unused filesystems | os-10
+- name: Disable unused filesystems | os-10
   template:
     src: 'etc/modprobe.d/modprobe.j2'
     dest: '/etc/modprobe.d/dev-sec.conf'

diff --git a/roles/os_hardening/tasks/pam.yml b/roles/os_hardening/tasks/pam.yml
@@ -10,7 +10,7 @@
 # that isn't connected to an LDAP server anymore.
 # normally caching credentials shouldn't be necessary for most machines.
 # removing it provides some more security while not removing usability.
-- name: remove pam ccreds to disable password caching
+- name: Remove pam ccreds to disable password caching
   package:
     name: '{{ os_packages_pam_ccreds }}'
     state: 'absent'