fix litner errors (#322)

schurzi · web-flow · commit a82e1a7a9f92 · 2020-08-22T18:14:54.000+02:00
* fix litner errors

Signed-off-by: Martin Schurz &lt;Martin.Schurz@t-systems.com&gt;

* make linter more happy

Signed-off-by: Martin Schurz &lt;Martin.Schurz@t-systems.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,6 +1,7 @@
+---
 name: New release
 
-on:
+on:  # yamllint disable-line rule:truthy
   push:
     branches:
       - master
@@ -59,7 +60,7 @@ jobs:
         id: create_release
         uses: actions/create-release@v1
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # This token is provided by Actions, you do not need to create your own token
         with:
           release_name: ${{ steps.version.outputs.next-version }}
           tag_name: ${{ steps.version.outputs.next-version }}
diff --git a/.kitchen.aws.yml b/.kitchen.aws.yml
@@ -24,8 +24,8 @@ provisioner:
   playbook: default.yml
 
 platforms:
-- name: centos-7
-- name: ubuntu-16.04
+  - name: centos-7
+  - name: ubuntu-16.04
 
 verifier:
   name: inspec
@@ -34,4 +34,4 @@ verifier:
     - https://github.com/dev-sec/tests-ssh-hardening
 
 suites:
-- name: os
+  - name: os
diff --git a/.kitchen.vagrant.yml b/.kitchen.vagrant.yml
@@ -21,36 +21,36 @@ provisioner:
   https_proxy: <%= ENV['https_proxy'] || nil %>
 
 platforms:
-- name: ubuntu-16.04
-  driver_config:
-    box: bento/ubuntu-16.04
-- name: ubuntu-18.04
-  driver_config:
-    box: bento/ubuntu-18.04
-- name: centos-6
-  driver_config:
-    box: bento/centos-6
-- name: centos-7
-  driver_config:
-    box: bento/centos-7
-- name: centos-8
-  driver_config:
-    box: bento/centos-8
-- name: oracle-6
-  driver_config:
-    box: bento/oracle-6
-- name: oracle-7
-  driver_config:
-    box: bento/oracle-7
-- name: debian-9
-  driver_config:
-    box: bento/debian-9
-- name: debian-10
-  driver_config:
-    box: bento/debian-10
-- name: amazon
-  driver_config:
-    box: bento/amazonlinux-2
+  - name: ubuntu-16.04
+    driver_config:
+      box: bento/ubuntu-16.04
+  - name: ubuntu-18.04
+    driver_config:
+      box: bento/ubuntu-18.04
+  - name: centos-6
+    driver_config:
+      box: bento/centos-6
+  - name: centos-7
+    driver_config:
+      box: bento/centos-7
+  - name: centos-8
+    driver_config:
+      box: bento/centos-8
+  - name: oracle-6
+    driver_config:
+      box: bento/oracle-6
+  - name: oracle-7
+    driver_config:
+      box: bento/oracle-7
+  - name: debian-9
+    driver_config:
+      box: bento/debian-9
+  - name: debian-10
+    driver_config:
+      box: bento/debian-10
+  - name: amazon
+    driver_config:
+      box: bento/amazonlinux-2
 
 verifier:
   name: inspec
@@ -59,4 +59,4 @@ verifier:
     - https://github.com/dev-sec/ssh-baseline/
 
 suites:
-- name: ssh
+  - name: ssh
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -33,101 +33,101 @@ provisioner:
     - "--skip-tags=sysctl"
 
 platforms:
-- name: centos6-ansible-latest
-  driver:
-    image: rndmh3ro/docker-centos6-ansible:latest
-    platform: centos
-    provision_command:
-      - sed -i '/loginuid/d' /etc/pam.d/sshd
-
-- name: centos7-ansible-latest
-  driver:
-    image: rndmh3ro/docker-centos7-ansible:latest
-    platform: centos
-    provision_command:
-      - sed -i '/nologin/d' /etc/pam.d/sshd
-      - systemctl enable sshd.service
-
-- name: centos8-ansible-latest
-  driver:
-    image: rndmh3ro/docker-centos8-ansible:latest
-    platform: centos
-    provision_command:
-      - sed -i '/nologin/d' /etc/pam.d/sshd
-      - systemctl enable sshd.service
-  provisioner:
-    ansible_binary_path: "/usr/local/bin"
-
-- name: oracle6-ansible-latest
-  driver:
-    image: rndmh3ro/docker-oracle6-ansible:latest
-    platform: centos
-    provision_command:
-      - sed -i '/loginuid/d' /etc/pam.d/sshd
-
-- name: oracle7-ansible-latest
-  driver:
-    image: rndmh3ro/docker-oracle7-ansible:latest
-    platform: centos
-    provision_command:
-      - sed -i '/nologin/d' /etc/pam.d/sshd
-      - systemctl enable sshd.service
-
-- name: ubuntu1604-ansible-latest
-  driver:
-    image: rndmh3ro/docker-ubuntu1604-ansible:latest
-    platform: ubuntu
-    provision_command:
-      - systemctl enable ssh.service
-
-- name: ubuntu1804-ansible-latest
-  driver:
-    image: rndmh3ro/docker-ubuntu1804-ansible:latest
-    platform: ubuntu
-    provision_command:
-      - systemctl enable ssh.service
-
-- name: debian9-ansible-latest
-  driver:
-    image: rndmh3ro/docker-debian9-ansible:latest
-    platform: debian
-    provision_command:
-      - apt install -y systemd-sysv
-      - systemctl enable ssh.service
-
-- name: debian10-ansible-latest
-  driver:
-    image: rndmh3ro/docker-debian10-ansible
-    platform: debian
-    provision_command:
-      - apt install -y systemd-sysv
-      - systemctl enable ssh.service
-
-- name: amazon-ansible-latest
-  driver:
-    image: rndmh3ro/docker-amazon-ansible:latest
-    platform: centos
-    provision_command:
-      - sed -i '/nologin/d' /etc/pam.d/sshd
-      - systemctl enable sshd.service
-
-- name: fedora-ansible-latest
-  driver:
-    image: rndmh3ro/docker-fedora-ansible:latest
-    platform: centos
-    provision_command:
-      - dnf install -y python procps-ng
-      - sed -i '/nologin/d' /etc/pam.d/sshd
-      - systemctl enable sshd.service
-
-- name: arch-ansible-latest
-  driver:
-    image: rndmh3ro/docker-arch-ansible:latest
-    platform: arch
-    run_command: /usr/lib/systemd/systemd
-    provision_command:
-      - sed -i '/nologin/d' /etc/pam.d/sshd
-      - systemctl enable sshd.service
+  - name: centos6-ansible-latest
+    driver:
+      image: rndmh3ro/docker-centos6-ansible:latest
+      platform: centos
+      provision_command:
+        - sed -i '/loginuid/d' /etc/pam.d/sshd
+
+  - name: centos7-ansible-latest
+    driver:
+      image: rndmh3ro/docker-centos7-ansible:latest
+      platform: centos
+      provision_command:
+        - sed -i '/nologin/d' /etc/pam.d/sshd
+        - systemctl enable sshd.service
+
+  - name: centos8-ansible-latest
+    driver:
+      image: rndmh3ro/docker-centos8-ansible:latest
+      platform: centos
+      provision_command:
+        - sed -i '/nologin/d' /etc/pam.d/sshd
+        - systemctl enable sshd.service
+    provisioner:
+      ansible_binary_path: "/usr/local/bin"
+
+  - name: oracle6-ansible-latest
+    driver:
+      image: rndmh3ro/docker-oracle6-ansible:latest
+      platform: centos
+      provision_command:
+        - sed -i '/loginuid/d' /etc/pam.d/sshd
+
+  - name: oracle7-ansible-latest
+    driver:
+      image: rndmh3ro/docker-oracle7-ansible:latest
+      platform: centos
+      provision_command:
+        - sed -i '/nologin/d' /etc/pam.d/sshd
+        - systemctl enable sshd.service
+
+  - name: ubuntu1604-ansible-latest
+    driver:
+      image: rndmh3ro/docker-ubuntu1604-ansible:latest
+      platform: ubuntu
+      provision_command:
+        - systemctl enable ssh.service
+
+  - name: ubuntu1804-ansible-latest
+    driver:
+      image: rndmh3ro/docker-ubuntu1804-ansible:latest
+      platform: ubuntu
+      provision_command:
+        - systemctl enable ssh.service
+
+  - name: debian9-ansible-latest
+    driver:
+      image: rndmh3ro/docker-debian9-ansible:latest
+      platform: debian
+      provision_command:
+        - apt install -y systemd-sysv
+        - systemctl enable ssh.service
+
+  - name: debian10-ansible-latest
+    driver:
+      image: rndmh3ro/docker-debian10-ansible
+      platform: debian
+      provision_command:
+        - apt install -y systemd-sysv
+        - systemctl enable ssh.service
+
+  - name: amazon-ansible-latest
+    driver:
+      image: rndmh3ro/docker-amazon-ansible:latest
+      platform: centos
+      provision_command:
+        - sed -i '/nologin/d' /etc/pam.d/sshd
+        - systemctl enable sshd.service
+
+  - name: fedora-ansible-latest
+    driver:
+      image: rndmh3ro/docker-fedora-ansible:latest
+      platform: centos
+      provision_command:
+        - dnf install -y python procps-ng
+        - sed -i '/nologin/d' /etc/pam.d/sshd
+        - systemctl enable sshd.service
+
+  - name: arch-ansible-latest
+    driver:
+      image: rndmh3ro/docker-arch-ansible:latest
+      platform: arch
+      run_command: /usr/lib/systemd/systemd
+      provision_command:
+        - sed -i '/nologin/d' /etc/pam.d/sshd
+        - systemctl enable sshd.service
 
 verifier:
   name: inspec
@@ -136,4 +136,4 @@ verifier:
     - https://github.com/dev-sec/ssh-baseline
 
 suites:
-- name: ssh
+  - name: ssh
diff --git a/.travis.yml b/.travis.yml
@@ -16,7 +16,7 @@ env:
     - distro=oracle6
       volume=":"
       run_opts=""
-#    - distro=oracle7
+    # - distro=oracle7
     - distro=ubuntu1604
     - distro=ubuntu1804
     - distro=debian9
diff --git a/README.md b/README.md
@@ -85,7 +85,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`sshd_custom_options` | [] | Custom lines for SSH daemon configuration |
 |`sshd_syslog_facility` | 'AUTH' | The facility code that is used when logging messages from sshd |
 |`sshd_log_level` | 'VERBOSE' | the verbosity level that is used when logging messages from sshd |
-|`sshd_strict_modes` | 'yes' | Check file modes and ownership of the user's files and home directory before accepting login |
+|`sshd_strict_modes` | true | Check file modes and ownership of the user's files and home directory before accepting login |
 |`sshd_authenticationmethods` | `publickey` | Specifies the authentication methods that must be successfully completed for a user to be granted access. Make sure to set all required variables for your selected authentication method. Defaults found in `defaults/main.yml`
 
 ## Configuring settings not listed in role-variables
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,3 +1,4 @@
+---
 # true if IPv6 is needed
 network_ipv6_enable: false          # sshd + ssh
 
@@ -141,7 +142,7 @@ ssh_print_last_log: false           # sshd
 # false to disable serving ssh warning banner before authentication is allowed
 ssh_banner: false                   # sshd
 
-# path to file with ssh warning banner 
+# path to file with ssh warning banner
 ssh_banner_path: '/etc/ssh/banner.txt'
 
 # false to disable distribution version leakage during initial protocol handshake
@@ -233,7 +234,7 @@ ssh_kex_59_default:
 ssh_kex_66_default:
   - curve25519-sha256@libssh.org
   - diffie-hellman-group-exchange-sha256
-  
+
 ssh_kex_80_default:
   - sntrup4591761x25519-sha512@tinyssh.org
   - curve25519-sha256@libssh.org
@@ -265,7 +266,7 @@ sshd_custom_options: []
 sshd_syslog_facility: 'AUTH'
 sshd_log_level: 'VERBOSE'
 
-sshd_strict_modes: yes
+sshd_strict_modes: true
 
 # disable CRYPTO_POLICY to take settings from sshd configuration
 # see: https://access.redhat.com/solutions/4410591
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -1,6 +1,7 @@
+---
 - name: restart sshd
   service:
     name: '{{ sshd_service_name }}'
     state: restarted
   when: ssh_server_enabled | bool
-  become: yes
+  become: true
diff --git a/tasks/hardening.yml b/tasks/hardening.yml
diff --git a/tasks/selinux.yml b/tasks/selinux.yml
diff --git a/tests/default_custom.yml b/tests/default_custom.yml
diff --git a/vars/Archlinux.yml b/vars/Archlinux.yml
