From e49a40f47aea8dbcea5ffae5e14959d5dc0c7ebe Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Mon, 23 Oct 2023 11:44:21 +0200
Subject: [PATCH] fix some wrong defaults and types in the readmes
Signed-off-by: Sebastian Gumprich
---
 roles/mysql_hardening/README.md | 17 ++++---
 roles/nginx_hardening/README.md | 23 +++++-----
 roles/nginx_hardening/meta/argument_specs.yml | 6 +--
 roles/os_hardening/README.md | 2 -
 roles/ssh_hardening/README.md | 45 ++++++++++---------
 roles/ssh_hardening/meta/argument_specs.yml | 9 +++-
 6 files changed, 53 insertions(+), 49 deletions(-)
diff --git a/roles/mysql_hardening/README.md b/roles/mysql_hardening/README.md
index ca27e796b..fd48fd02f 100644
--- a/roles/mysql_hardening/README.md
+++ b/roles/mysql_hardening/README.md
@@ -22,16 +22,15 @@ Further information is available at [Deutsche Telekom (German)](http://www.telek
 - python-jmespath on the ansible host
-
 ## Supported Operating Systems
-
-| Platform | Versions |
-| -------- | -------------------- |
-| EL | 7, 8, 9 |
-| Ubuntu | bionic, focal, jammy |
-| Debian | bullseye, buster |
-| Amazon | |
-| opensuse | |
+- EL
+ - 7, 8, 9
+- Ubuntu
+ - bionic, focal, jammy
+- Debian
+ - bullseye, buster
+- Amazon
+- opensuse
 ## Role Variables
diff --git a/roles/nginx_hardening/README.md b/roles/nginx_hardening/README.md
index f5d283419..c3b86276c 100644
--- a/roles/nginx_hardening/README.md
+++ b/roles/nginx_hardening/README.md
@@ -15,22 +15,21 @@ It works with the following nginx-roles, including, but not limited to:
 **NOTE: This role does not work with nginx 1.0.15 or older! Please use the latest version from the official nginx repositories!**
-
 ## Supported Operating Systems
-
-| Platform | Versions |
-| -------- | -------------------- |
-| EL | 7, 8, 9 |
-| Ubuntu | bionic, focal, jammy |
-| Debian | buster, bullseye |
-| Amazon | |
+- EL
+ - 7, 8, 9
+- Ubuntu
+ - bionic, focal, jammy
+- Debian
+ - buster, bullseye
+- Amazon
 ## Role Variables
 - `nginx_add_header`
- - Default: `['X-Frame-Options SAMEORIGIN', 'X-Content-Type-Options nosniff', 'X-XSS-Protection "1; mode=block"', 'Content-Security-Policy \\"script-src \'self\'; object-src \'self\'\\"']`
+ - Default: `["X-Frame-Options SAMEORIGIN", "X-Content-Type-Options nosniff", "X-XSS-Protection \"1; mode=block\"", "Content-Security-Policy \\\"script-src 'self'; object-src 'self'\\\""]`
 - Description: Adds the specified field to a response header provided that the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307. See [nginx_add_header](http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header)
- - Type: str
+ - Type: list
 - Required: no
 - `nginx_client_body_buffer_size`
 - Default: `1k`
@@ -70,7 +69,7 @@ It works with the following nginx-roles, including, but not limited to:
 - `nginx_dh_size`
 - Default: `2048`
 - Description: Specifies the length of DH parameters for EDH ciphers. See [nginx_dh_size](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam)
- - Type: str
+ - Type: int
 - Required: no
 - `nginx_keepalive_timeout`
 - Default: `5 5`
@@ -113,7 +112,7 @@ It works with the following nginx-roles, including, but not limited to:
 - Type: int
 - Required: no
 - `nginx_server_tokens`
- - Default: `False`
+ - Default: `off`
 - Description: Disables emitting nginx version in error messages and in the "Server" response header field. Set to on to enable the nginx version in error messages and "Server" response header. See [nginx_server_tokens](http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens)
 - Type: str
 - Required: no
diff --git a/roles/nginx_hardening/meta/argument_specs.yml b/roles/nginx_hardening/meta/argument_specs.yml
index 25e40aeab..50e36a28a 100644
--- a/roles/nginx_hardening/meta/argument_specs.yml
+++ b/roles/nginx_hardening/meta/argument_specs.yml
@@ -30,7 +30,7 @@ argument_specs:
 keep-alive client connections. The optional second parameter sets a value in the "Keep-Alive timeout=time" response header field. See [nginx_keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) # noqa yaml[line-length]
 nginx_server_tokens:
- default: false
+ default: 'off'
 type: str
 description: Disables emitting nginx version in error messages and in the "Server" response header field. Set to on to enable the nginx version in
@@ -72,7 +72,7 @@ argument_specs:
 default: [X-Frame-Options SAMEORIGIN, X-Content-Type-Options nosniff, X-XSS-Protection "1; mode=block", Content-Security-Policy \"script-src 'self'; object-src 'self'\"]
- type: str
+ type: list
 description: Adds the specified field to a response header provided that the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307. See [nginx_add_header](http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header)
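Review bot: `nginx_server_tokens` is typed `str` without a `choices` list, so the spec still admits any string although the description only documents `on` and `off`; a mistyped value, or a boolean that would be stringified to `False`, is caught only when nginx rejects the rendered directive. Add `choices: ['on', 'off', 'build']` under `type: str`, keeping the values quoted for the same reason the new default is written `'off'` (bare `on`/`off` are YAML 1.1 booleans). Whether the template emits the value verbatim is not visible here, so the accepted set should be checked against the template before narrowing it.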
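Review bot: `nginx_add_header` becomes `type: list` but no `elements: str` accompanies it, so the element type stays unvalidated; add `elements: str` directly after `type: list`. The same omission is in roles/ssh_hardening/meta/argument_specs.yml for `ssh_custom_options` (hunk @@ -315). The flow-style default on the line above keeps `"1; mode=block"` and `\"script-src 'self'; …\"` inside plain scalars, which a formatter or a different loader may re-quote; a block sequence with each header as one quoted item would make the intended literal values unambiguous, though that line is outside what this hunk changes.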
@@ -91,7 +91,7 @@ argument_specs:
 ciphers when using the TLS protocols. Set to false to disable it. See [nginx_ssl_prefer_server_ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers) # noqa yaml[line-length]
 nginx_dh_size:
 default: 2048
- type: str
+ type: int
 description: Specifies the length of DH parameters for EDH ciphers. See [nginx_dh_size](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam) # noqa yaml[line-length]
 nginx_configuration_dir:
 default: /etc/nginx
diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md
index b56be1dc0..e5c1f8e13 100644
--- a/roles/os_hardening/README.md
+++ b/roles/os_hardening/README.md
@@ -54,9 +54,7 @@ We disable the following filesystems, because they're most likely not used:
 To prevent some of the filesystems from being disabled, add them to the `os_filesystem_whitelist` variable.
-
 ## Supported Operating Systems
-
 - EL
 - 7, 8, 9
 - Ubuntu
diff --git a/roles/ssh_hardening/README.md b/roles/ssh_hardening/README.md
index 1aa20a848..0aedb852a 100644
--- a/roles/ssh_hardening/README.md
+++ b/roles/ssh_hardening/README.md
@@ -9,20 +9,21 @@ This role provides secure ssh-client and ssh-server configurations. It is intend
 Warning: This role disables root-login on the target server! Please make sure you have another user with su or sudo permissions that can login into the server.
-
 ## Supported Operating Systems
-
-| Platform | Versions |
-| --------- | -------------------- |
-| EL | 7, 8, 9 |
-| Ubuntu | bionic, focal, jammy |
-| Debian | buster, bullseye |
-| Amazon | |
-| Fedora | |
-| ArchLinux | |
-| SmartOS | |
-| FreeBSD | 12.2 |
-| OpenBSD | 7.0 |
+- EL
+ - 7, 8, 9
+- Ubuntu
+ - bionic, focal, jammy
+- Debian
+ - buster, bullseye
+- Amazon
+- Fedora
+- ArchLinux
+- SmartOS
+- FreeBSD
+ - 12.2
+- OpenBSD
+ - 7.0
 ## Role Variables
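Review bot: `type: int` on `nginx_dh_size` validates only the type; argument_specs offers no lower bound, so a weak size such as 1024 passes validation silently. Since the spec cannot enforce a floor, state it in the description, e.g. append `Values below 2048 are not recommended.` after the existing sentence; the same applies to `ssh_host_rsa_key_size` (hunk @@ -36) and the `default: 2048` moduli entry (hunk @@ -191) in roles/ssh_hardening/meta/argument_specs.yml. Whether the role guards these values elsewhere is not visible in this diff.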
@@ -109,12 +110,12 @@ Warning: This role disables root-login on the target server! Please make sure yo
 - `ssh_client_alive_count`
 - Default: `3`
 - Description: Defines the number of acceptable unanswered client alive messages before disconnecting clients.
- - Type: str
+ - Type: int
 - Required: no
 - `ssh_client_alive_interval`
- - Default: `600`
+ - Default: `300`
 - Description: specifies an interval for sending keepalive messages.
- - Type: str
+ - Type: int
 - Required: no
 - `ssh_client_compression`
 - Default: `false`
@@ -157,9 +158,9 @@ Warning: This role disables root-login on the target server! Please make sure yo
 - Type: bool
 - Required: no
 - `ssh_custom_options`
- - Default: `[]`
+ - Default: ``
 - Description: Custom lines for SSH client configuration.
- - Type: str
+ - Type: list
 - Required: no
 - `ssh_custom_selinux_dir`
 - Default: `/etc/selinux/local-policies`
@@ -214,7 +215,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 - `ssh_host_rsa_key_size`
 - Default: `4096`
 - Description: Specifies the number of bits in the private host RSA key to create.
- - Type: str
+ - Type: int
 - Required: no
 - `ssh_kerberos_support`
 - Default: `true`
@@ -244,12 +245,12 @@ Warning: This role disables root-login on the target server! Please make sure yo
 - `ssh_max_auth_retries`
 - Default: `2`
 - Description: Specifies the maximum number of authentication attempts permitted per connection.
- - Type: str
+ - Type: int
 - Required: no
 - `ssh_max_sessions`
 - Default: `10`
 - Description: Specifies the maximum number of open sessions permitted from a given connection.
- - Type: str
+ - Type: int
 - Required: no
 - `ssh_max_startups`
 - Default: `10:30:60`
@@ -409,7 +410,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 - `sshd_moduli_minimum`
 - Default: `2048`
 - Description: remove Diffie-Hellman parameters smaller than the defined size to mitigate logjam.
- - Type: str
+ - Type: int
 - Required: no
 - `sshd_strict_modes`
 - Default: `true`
diff --git a/roles/ssh_hardening/meta/argument_specs.yml b/roles/ssh_hardening/meta/argument_specs.yml
index 5879bd3a5..da60c1b65 100644
--- a/roles/ssh_hardening/meta/argument_specs.yml
+++ b/roles/ssh_hardening/meta/argument_specs.yml
@@ -36,6 +36,7 @@ argument_specs:
 installed sshd version.
 ssh_host_rsa_key_size:
 default: 4096
+ type: int
 description: Specifies the number of bits in the private host RSA key to create.
 ssh_host_key_algorithms:
 default: []
@@ -53,12 +54,14 @@ argument_specs:
 `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version!
 ssh_client_alive_interval:
- default: 600
+ default: 300
 description: specifies an interval for sending keepalive messages.
+ type: int
 ssh_client_alive_count:
 default: 3
 description: Defines the number of acceptable unanswered client alive messages before disconnecting clients.
+ type: int
 ssh_permit_tunnel:
 default: false
 type: bool
@@ -191,6 +194,7 @@ argument_specs:
 default: 2048
 description: remove Diffie-Hellman parameters smaller than the defined size to mitigate logjam.
+ type: int
 ssh_challengeresponseauthentication:
 default: false
 type: bool
@@ -235,10 +239,12 @@ argument_specs:
 default: 2
 description: Specifies the maximum number of authentication attempts permitted per connection.
+ type: int
 ssh_max_sessions:
 default: 10
 description: Specifies the maximum number of open sessions permitted from a given connection.
+ type: int
 ssh_print_debian_banner:
 default: false
 type: bool
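Review bot: The `type: int` added for `ssh_client_alive_interval` and `ssh_client_alive_count` sits after `description`, whereas `ssh_host_rsa_key_size` (hunk @@ -36) and the neighbouring `ssh_permit_tunnel` put `type` directly after `default`; move it up, `default: 300` / `type: int` / `description: …`, so the key order is uniform. The same placement applies in hunks @@ -191 (the `default: 2048` entry, presumably `sshd_moduli_minimum`, whose key line is above the hunk) and @@ -235 (`ssh_max_auth_retries`, `ssh_max_sessions`). The default for `ssh_client_alive_interval` also moves from 600 to 300 here and in the README; defaults/main.yml is not in the diff, so confirm it carries 300 as well, otherwise the spec and the effective value would still disagree.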
@@ -315,6 +321,7 @@ argument_specs:
 description: Change this list to overwrite ciphers. Defaults found in `defaults/main.yml`
 ssh_custom_options:
 default: []
+ type: list
 description: Custom lines for SSH client configuration.
 sshd_custom_options:
 default: []
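Review bot: `ssh_custom_options` keeps `default: []` here, but the README hunk in the same commit (roles/ssh_hardening/README.md, @@ -157) changes its documented default from `[]` to an empty code span, so the two descriptions of the variable now disagree; the README line should keep `[]` as the documented default. The README's `Description: Custom lines for SSH client configuration.` also hides that a sibling `sshd_custom_options` exists for the server side, so a short cross-reference in this entry's description would help readers pick the right one.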