fix linting issues (dev-sec#30)

* fix linting issues Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * set file permissions Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
divialth · Aug 24, 2020 · 508f9bc · 508f9bc
1 parent 8a007da
commit 508f9bc
Show file tree

Hide file tree

Showing 9 changed files with 135 additions and 127 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,6 +1,7 @@
+---
 name: New release
 
-on:
+on:  # yamllint disable-line rule:truthy
   push:
     branches:
       - master
@@ -59,7 +60,7 @@ jobs:
         id: create_release
         uses: actions/create-release@v1
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # This token is provided by Actions, you do not need to create your own token
         with:
           release_name: ${{ steps.version.outputs.next-version }}
           tag_name: ${{ steps.version.outputs.next-version }}

diff --git a/.kitchen.vagrant.yml b/.kitchen.vagrant.yml
@@ -25,33 +25,33 @@ transport:
   max_ssh_sessions: 5
 
 platforms:
-- name: ubuntu-16.04
-  driver_config:
-    box: bento/ubuntu-16.04
-- name: ubuntu-18.04
-  driver_config:
-    box: bento/ubuntu-18.04
-- name: centos-6
-  driver_config:
-    box: bento/centos-6
-- name: centos-7
-  driver_config:
-    box: bento/centos-7
-- name: oracle-6
-  driver_config:
-    box: bento/oracle-6
-- name: oracle-7
-  driver_config:
-    box: bento/oracle-7
-- name: debian-9
-  driver_config:
-    box: bento/debian-9
-- name: debian-10
-  driver_config:
-    box: bento/debian-10
-- name: amazon
-  driver_config:
-    box: bento/amazonlinux-2
+  - name: ubuntu-16.04
+    driver_config:
+      box: bento/ubuntu-16.04
+  - name: ubuntu-18.04
+    driver_config:
+      box: bento/ubuntu-18.04
+  - name: centos-6
+    driver_config:
+      box: bento/centos-6
+  - name: centos-7
+    driver_config:
+      box: bento/centos-7
+  - name: oracle-6
+    driver_config:
+      box: bento/oracle-6
+  - name: oracle-7
+    driver_config:
+      box: bento/oracle-7
+  - name: debian-9
+    driver_config:
+      box: bento/debian-9
+  - name: debian-10
+    driver_config:
+      box: bento/debian-10
+  - name: amazon
+    driver_config:
+      box: bento/amazonlinux-2
 
 verifier:
   name: inspec
@@ -60,4 +60,4 @@ verifier:
     - https://github.com/dev-sec/nginx-baseline/
 
 suites:
-- name: nginx
+  - name: nginx
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -26,75 +26,74 @@ provisioner:
   galaxy_ignore_certs: true
 
 platforms:
-- name: centos6-ansible-latest
-  driver:
-    image: rndmh3ro/docker-centos6-ansible:latest
-    platform: centos
-- name: centos7-ansible-latest
-  driver:
-    image: rndmh3ro/docker-centos7-ansible:latest
-    platform: centos
-    run_command: /sbin/init
-    provision_command:
-      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
-      - systemctl enable sshd.service
-- name: oracle6-ansible-latest
-  driver:
-    image: rndmh3ro/docker-oracle6-ansible:latest
-    platform: centos
-- name: oracle7-ansible-latest
-  driver:
-    image: rndmh3ro/docker-oracle7-ansible:latest
-    run_command: /sbin/init
-    platform: centos
-    provision_command:
-      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
-      - systemctl enable sshd.service
-- name: ubuntu1604-ansible-latest
-  driver:
-    image: rndmh3ro/docker-ubuntu1604-ansible:latest
-    platform: ubuntu
-    run_command: /sbin/init
-    provision_command:
-      - systemctl enable ssh.service
-- name: ubuntu1804-ansible-latest
-  driver:
-    image: rndmh3ro/docker-ubuntu1804-ansible:latest
-    platform: ubuntu
-    run_command: /sbin/init
-    provision_command:
-      - systemctl enable ssh.service
-- name: debian9-ansible-latest
-  driver:
-    image: rndmh3ro/docker-debian9-ansible:latest
-    platform: debian
-    run_command: /sbin/init
-    provision_command:
-      - apt install -y systemd-sysv
-      - systemctl enable ssh.service
-- name: debian10-ansible-latest
-  driver:
-    image: rndmh3ro/docker-debian10-ansible:latest
-    platform: debian
-    run_command: /sbin/init
-    provision_command:
-      - apt install -y systemd-sysv
-      - systemctl enable ssh.service
-- name: amazon-ansible-latest
-  driver:
-    image: rndmh3ro/docker-amazon-ansible:latest
-    platform: centos
-    run_command: /sbin/init
-    provision_command:
-      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
-      - systemctl enable sshd.service
+  - name: centos6-ansible-latest
+    driver:
+      image: rndmh3ro/docker-centos6-ansible:latest
+      platform: centos
+  - name: centos7-ansible-latest
+    driver:
+      image: rndmh3ro/docker-centos7-ansible:latest
+      platform: centos
+      run_command: /sbin/init
+      provision_command:
+        - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+        - systemctl enable sshd.service
+  - name: oracle6-ansible-latest
+    driver:
+      image: rndmh3ro/docker-oracle6-ansible:latest
+      platform: centos
+  - name: oracle7-ansible-latest
+    driver:
+      image: rndmh3ro/docker-oracle7-ansible:latest
+      run_command: /sbin/init
+      platform: centos
+      provision_command:
+        - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+        - systemctl enable sshd.service
+  - name: ubuntu1604-ansible-latest
+    driver:
+      image: rndmh3ro/docker-ubuntu1604-ansible:latest
+      platform: ubuntu
+      run_command: /sbin/init
+      provision_command:
+        - systemctl enable ssh.service
+  - name: ubuntu1804-ansible-latest
+    driver:
+      image: rndmh3ro/docker-ubuntu1804-ansible:latest
+      platform: ubuntu
+      run_command: /sbin/init
+      provision_command:
+        - systemctl enable ssh.service
+  - name: debian9-ansible-latest
+    driver:
+      image: rndmh3ro/docker-debian9-ansible:latest
+      platform: debian
+      run_command: /sbin/init
+      provision_command:
+        - apt install -y systemd-sysv
+        - systemctl enable ssh.service
+  - name: debian10-ansible-latest
+    driver:
+      image: rndmh3ro/docker-debian10-ansible:latest
+      platform: debian
+      run_command: /sbin/init
+      provision_command:
+        - apt install -y systemd-sysv
+        - systemctl enable ssh.service
+  - name: amazon-ansible-latest
+    driver:
+      image: rndmh3ro/docker-amazon-ansible:latest
+      platform: centos
+      run_command: /sbin/init
+      provision_command:
+        - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+        - systemctl enable sshd.service
 
 verifier:
   name: inspec
   sudo: true
   inspec_tests:
-    - ../nginx-baseline
-    #- https://github.com/dev-sec/nginx-baseline
+    - https://github.com/dev-sec/nginx-baseline
   controls:
     - nginx-01
     - nginx-02
@@ -113,4 +112,4 @@ verifier:
     - nginx-17
 
 suites:
-- name: nginx
+  - name: nginx
diff --git a/.travis.yml b/.travis.yml
@@ -42,17 +42,17 @@ env:
     run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
     test_playbook: test.yml
 
-#  - distro: amazon
-#    init: /lib/systemd/systemd
-#    version: latest
-#    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-#    test_playbook: test.yml
-#
-#  - distro: fedora
-#    init: /lib/systemd/systemd
-#    version: latest
-#    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-#    test_playbook: test.yml
+  #  - distro: amazon
+  #    init: /lib/systemd/systemd
+  #    version: latest
+  #    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+  #    test_playbook: test.yml
+  #
+  #  - distro: fedora
+  #    init: /lib/systemd/systemd
+  #    version: latest
+  #    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+  #    test_playbook: test.yml
 
   - distro: centos6
     version: latest
@@ -89,19 +89,6 @@ env:
     run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
     test_playbook: official-nginx-role-debian.yml
 
-#  - distro: amazon
-#    init: /lib/systemd/systemd
-#    version: latest
-#    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-#    test_playbook: official-nginx-role-debian.yml
-#
-#  - distro: fedora
-#    init: /lib/systemd/systemd
-#    version: latest
-#    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-#    test_playbook: official-nginx-role-debian.yml
-
-
 before_install:
   # Pull container
   - 'docker pull rndmh3ro/docker-${distro}-ansible:${version}'
@@ -116,7 +103,7 @@ script:
 
   # Install ansible galaxy requirements
   - 'docker exec "$(cat ${container_id})" ansible-galaxy -c install -r /etc/ansible/roles/ansible-nginx-hardening/requirements.yml -p /etc/ansible/roles/'
-  
+
   # Test role
   - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-nginx-hardening/tests/"${test_playbook}" -vv'
 

diff --git a/handlers/main.yml b/handlers/main.yml
@@ -1,3 +1,4 @@
+---
 - name: restart nginx
   service:
     name: "nginx"

diff --git a/requirements.yml b/requirements.yml
@@ -1,2 +1,3 @@
+---
 - src: nginxinc.nginx
 - src: geerlingguy.nginx
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -5,12 +5,13 @@
     mode: "o-rw"
     owner: "root"
     group: "root"
-    recurse: yes
+    recurse: true
 
 - name: create additional configuration
   template:
     src: "hardening.conf.j2"
     dest: "/etc/nginx/conf.d/90.hardening.conf"
+    mode: '0600'
     owner: "root"
     group: "root"
   notify: restart nginx
@@ -21,6 +22,9 @@
     regexp: '^\s*server_tokens'
     line: "    server_tokens {{ nginx_server_tokens }};"
     insertafter: "http {"
+    mode: '0640'
+    owner: "root"
+    group: "root"
   notify: restart nginx
 
 - name: change ssl_protocols in main nginx.conf
@@ -29,14 +33,20 @@
     regexp: '^\s*ssl_protocols'
     line: "    ssl_protocols {{ nginx_ssl_protocols }};"
     insertafter: "http {"
+    mode: '0640'
+    owner: "root"
+    group: "root"
   notify: restart nginx
 
 - name: change ssl_prefer_server_ciphers in main nginx.conf
   lineinfile:
-     dest: "/etc/nginx/nginx.conf"
-     regexp: '^\s*ssl_prefer_server_ciphers'
-     line: "    ssl_prefer_server_ciphers {{ nginx_ssl_prefer_server_ciphers }};"
-     insertafter: "http {"
+    dest: "/etc/nginx/nginx.conf"
+    regexp: '^\s*ssl_prefer_server_ciphers'
+    line: "    ssl_prefer_server_ciphers {{ nginx_ssl_prefer_server_ciphers }};"
+    insertafter: "http {"
+    mode: '0640'
+    owner: "root"
+    group: "root"
   notify: restart nginx
 
 - name: change client_max_body_size in main nginx.conf
@@ -45,6 +55,9 @@
     regexp: '^\s*client_max_body_size'
     line: "    client_max_body_size {{ nginx_client_max_body_size }};"
     insertafter: "http {"
+    mode: '0640'
+    owner: "root"
+    group: "root"
   notify: restart nginx
 
 - name: change client_body_buffer_size in main nginx.conf
@@ -53,6 +66,9 @@
     regexp: '^\s*client_body_buffer_size'
     line: "    client_body_buffer_size {{ nginx_client_body_buffer_size }};"
     insertafter: "http {"
+    mode: '0640'
+    owner: "root"
+    group: "root"
   notify: restart nginx
 
 - name: change keepalive_timeout in main nginx.conf
@@ -61,6 +77,9 @@
     regexp: '^\s*keepalive_timeout'
     line: "    keepalive_timeout {{ nginx_keepalive_timeout }};"
     insertafter: "http {"
+    mode: '0640'
+    owner: "root"
+    group: "root"
   notify: restart nginx
 
 - name: remove default.conf

diff --git a/tests/official-nginx-role-debian.yml b/tests/official-nginx-role-debian.yml
@@ -37,4 +37,4 @@
       ignore_errors: true
   roles:
     - nginxinc.nginx
-    - ansible-nginx-hardening
+    - ansible-nginx-hardening
diff --git a/tests/official-nginx-role-redhat.yml b/tests/official-nginx-role-redhat.yml
@@ -12,4 +12,4 @@
       ignore_errors: true
   roles:
     - nginxinc.nginx
-    - ansible-nginx-hardening
+    - ansible-nginx-hardening