adopt all current suggestions from ansible-lint

.config/ansible-lint.yml

@@ -11,6 +11,7 @@ exclude_paths:
 
 skip_list:
   - fqcn-builtins
+  - name[template]
 
 mock_roles:
   - geerlingguy.git

roles/mysql_hardening/tasks/main.yml

@@ -59,12 +59,14 @@
     - mysql_version.version.full is version('8.0.3', '>=')
     - mysql_distribution == "mysql"
 
-- include: configure.yml
+- name: Include tasks for configuration
+  import_tasks: configure.yml
   when: mysql_hardening_enabled | bool
   tags:
     - mysql_hardening
 
-- include: mysql_secure_installation.yml
+- name: Include tasks to secure mysql installation
+  import_tasks: mysql_secure_installation.yml
   when: mysql_hardening_enabled | bool
   tags:
     - mysql_hardening

roles/mysql_hardening/tasks/mysql_secure_installation.yml

@@ -4,7 +4,7 @@
     msg: 'ERROR - you have to change default mysql_root_password'
   when: mysql_root_password == '-----====>SetR00tPa$$wordH3r3!!!<====-----'
 
-- name: ensure that the root password is present
+- name: Ensure that the root password is present
   community.mysql.mysql_user:
     name: 'root'
     host_all: true
@@ -19,22 +19,22 @@
     mode: '0400'
   tags: my_cnf
 
-- name: ensure that the test database is absent
+- name: Ensure that the test database is absent
   community.mysql.mysql_db:
     name: test
     state: absent
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   when: mysql_remove_test_database
 
-- name: ensure that anonymous users are absent
+- name: Ensure that anonymous users are absent
   community.mysql.mysql_user:
     name: ''
     state: absent
     host_all: true
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   when: mysql_remove_anonymous_users
 
-- name: ensure that root can only login from localhost
+- name: Ensure that root can only login from localhost
   community.mysql.mysql_query:
     query:
       - DELETE
@@ -46,7 +46,7 @@
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   when: mysql_remove_remote_root
 
-- name: get all users that have no authentication_string on MySQL version >= 5.7.6 or Mariadb version >= 10.4.0
+- name: Get all users that have no authentication_string on MySQL version >= 5.7.6 or Mariadb version >= 10.4.0
   community.mysql.mysql_query:
     query:
       - SELECT GROUP_CONCAT(QUOTE(USER), '@', QUOTE(HOST) SEPARATOR ', ') AS users
@@ -62,7 +62,7 @@
     - (mysql_distribution == "mysql" and mysql_version.version.full is version('5.7.6', '>=')) or
       (mysql_distribution == "mariadb" and mysql_version.version.full is version('10.4.0', '>='))
 
-- name: get all users that have no password or authentication_string on MySQL version < 5.7.6 or Mariadb version < 10.4.0
+- name: Get all users that have no password or authentication_string on MySQL version < 5.7.6 or Mariadb version < 10.4.0
   community.mysql.mysql_query:
     query:
       - SELECT GROUP_CONCAT(QUOTE(USER), '@', QUOTE(HOST) SEPARATOR ', ') AS users
@@ -80,21 +80,21 @@
     - (mysql_distribution == "mysql" and mysql_version.version.full is version('5.7.6', '<')) or
       (mysql_distribution == "mariadb" and mysql_version.version.full is version('10.4.0', '<'))
 
-- name: create a fact for users without password or authentication_string
+- name: Create a fact for users without password or authentication_string
   set_fact:
     users_wo_auth: "{{ mysql_users_wo_passwords_or_auth_string.query_result.0.0 | community.general.json_query('users') }}"
   when:
     - mysql_users_wo_passwords_or_auth_string.query_result is defined
     - mysql_users_wo_passwords_or_auth_string.query_result != ""  # noqa empty-string-compare
 
-- name: create a fact for users without password
+- name: Create a fact for users without password
   set_fact:
     users_wo_auth: "{{ mysql_users_wo_passwords.query_result.0.0 | community.general.json_query('users') }}"
   when:
     - mysql_users_wo_passwords.query_result is defined
     - mysql_users_wo_passwords.query_result != ""  # noqa empty-string-compare
 
-- name: ensure that there are no users without password or authentication_string
+- name: Ensure that there are no users without password or authentication_string
   community.mysql.mysql_query:
     query:
       - "DROP USER {{ users_wo_auth }}"

roles/os_hardening/handlers/main.yml

@@ -2,7 +2,7 @@
 - name: Update-initramfs
   command: 'update-initramfs -u'
 
-- name: restart-auditd
+- name: Restart auditd
   command:
     cmd: 'service auditd restart'  # rhel: see: https://access.redhat.com/solutions/2664811
     warn: false  # sadly 'service' module fails in that case also by using 'use: service'

roles/os_hardening/tasks/auditd.yml

@@ -12,5 +12,5 @@
     owner: 'root'
     group: 'root'
     mode: '0640'
-  notify: 'restart-auditd'
+  notify: Restart auditd
   tags: auditd

roles/os_hardening/tasks/hardening.yml

@@ -22,79 +22,97 @@
   with_dict: '{{ os_vars }}'
   tags: always
 
-- import_tasks: auditd.yml
+- name: Import tasks for auditd
+  import_tasks: auditd.yml
   tags: auditd
   when: os_auditd_enabled | bool
 
-- import_tasks: cron.yml
+- name: Import tasks for cron
+  import_tasks: cron.yml
   tags: cron
   when: os_cron_enabled | bool
 
-- import_tasks: ctrlaltdel.yml
+- name: Import tasks to configure ctrl+alt+del
+  import_tasks: ctrlaltdel.yml
   tags: ctrlaltdel
   when: os_ctrlaltdel_disabled | bool
 
-- import_tasks: limits.yml
+- name: Import tasks to configure limits
+  import_tasks: limits.yml
   tags: limits
   when: os_limits_enabled | bool
 
-- import_tasks: login_defs.yml
+- name: Import tasks to configure login_defs
+  import_tasks: login_defs.yml
   tags: login_defs
   when: os_login_defs_enabled | bool
 
-- import_tasks: minimize_access.yml
+- name: Import tasks to minimize access permissions
+  import_tasks: minimize_access.yml
   tags: minimize_access
   when: os_minimize_access_enabled | bool
 
-- import_tasks: pam.yml
+- name: Import tasks to configure PAM
+  import_tasks: pam.yml
   tags: pam
   when: os_pam_enabled | bool
 
-- import_tasks: modprobe.yml
+- name: Import tasks to configure modules
+  import_tasks: modprobe.yml
   tags: modprobe
   when: os_modprobe_enabled | bool
 
-- import_tasks: profile.yml
+- name: Import tasks to configure profile
+  import_tasks: profile.yml
   tags: profile
   when: os_profile_enabled | bool
 
-- import_tasks: securetty.yml
+- name: Import tasks to configure securetty
+  import_tasks: securetty.yml
   tags: securetty
   when: os_securetty_enabled | bool
 
-- import_tasks: suid_sgid.yml
+- name: Import tasks to set suid and sgid
+  import_tasks: suid_sgid.yml
   when: os_security_suid_sgid_enforce  | bool
   tags: suid_sgid
 
-- import_tasks: sysctl.yml
+- name: Import tasks to configure sysctl
+  import_tasks: sysctl.yml
   tags: sysctl
   when: os_sysctl_enabled | bool
 
-- import_tasks: user_accounts.yml
+- name: Import tasks to harden user accounts
+  import_tasks: user_accounts.yml
   tags: user_accounts
   when: os_user_accounts_enabled | bool
 
-- import_tasks: rhosts.yml
+- name: Import tasks to configure rhosts
+  import_tasks: rhosts.yml
   tags: rhosts
   when: os_rhosts_enabled | bool
 
-- import_tasks: netrc.yml
+- name: Import tasks to configure netrc
+  import_tasks: netrc.yml
   tags: netrc
   when: os_netrc_enabled | bool
 
-- import_tasks: yum.yml
+- name: Import tasks to configure yum
+  import_tasks: yum.yml
   tags: yum
   when:
     - ansible_facts.os_family == 'RedHat'
     - os_yum_enabled | bool
 
-- import_tasks: apt.yml
+- name: Import tasks to configure apt
+  import_tasks: apt.yml
   tags: apt
   when:
     - ansible_facts.os_family == 'Debian'
     - os_apt_enabled | bool
 
-- import_tasks: selinux.yml
+- name: Import tasks to configure selinux
+  import_tasks: selinux.yml
   tags: selinux
   when:
     - ansible_facts.selinux.status == 'enabled'

roles/os_hardening/tasks/limits.yml

@@ -1,5 +1,6 @@
 ---
-- name: disable coredumps
+- name: Disable coredumps
+  when: not os_security_kernel_enable_core_dump | bool
   block:
   - name: Create limits.d-directory if it does not exist | sysctl-31a, sysctl-31b
     file:
@@ -28,7 +29,7 @@
       modification_time: preserve
       access_time: preserve
 
-  - name: create coredump.conf.d-directory if it does not exist
+  - name: Create coredump.conf.d-directory if it does not exist
     file:
       path: '/etc/systemd/coredump.conf.d'
       owner: root
@@ -37,7 +38,7 @@
       state: directory
     when: ansible_service_mgr == "systemd"
 
-  - name: create custom.conf for disabling coredumps
+  - name: Create custom.conf for disabling coredumps
     template:
       src: 'etc/systemd/coredump.conf.d/coredumps.conf.j2'
       dest: '/etc/systemd/coredump.conf.d/custom.conf'
@@ -47,9 +48,8 @@
     when: ansible_service_mgr == "systemd"
     notify: Reload systemd
 
-  when: not os_security_kernel_enable_core_dump | bool
-
-- name: enable coredumps
+- name: Enable coredumps
+  when: os_security_kernel_enable_core_dump | bool
   block:
     - name: Remove coredump.conf.d directory with files
       file:
@@ -62,4 +62,3 @@
       file:
         path: /etc/security/limits.d/10.hardcore.conf
         state: absent
-  when: os_security_kernel_enable_core_dump | bool

roles/os_hardening/tasks/main.yml

@@ -1,5 +1,6 @@
 ---
-- include_tasks: hardening.yml
+- name: Include hardening tasks
+  include_tasks: hardening.yml
   when: os_hardening_enabled | bool
   tags:
     - always

roles/os_hardening/tasks/pam.yml

@@ -17,11 +17,13 @@
   when:
     - ansible_facts.os_family != 'Archlinux'
 
-- import_tasks: pam_debian.yml
+- name: Import tasks for Debian PAM
+  import_tasks: pam_debian.yml
   when:
     - ansible_facts.os_family == 'Debian'
 
-- import_tasks: pam_rhel.yml
+- name: Import tasks for RedHat PAM
+  import_tasks: pam_rhel.yml
   when:
     - ansible_facts.os_family == 'RedHat'
 

roles/os_hardening/tasks/pam_debian.yml

@@ -25,6 +25,9 @@
     - os_auth_retries > 0
 
 - name: Manage tally on Debian stable
+  when:
+    - "'libpam-modules' in ansible_facts.packages"
+    - "ansible_facts.packages['libpam-modules'][0].version is version('1.4.0', '<')"
   block:
     - name: Configure tally2
       template:
@@ -42,18 +45,18 @@
         state: 'absent'
       when:
         - os_auth_retries == 0
-  when:
-    - "'libpam-modules' in ansible_facts.packages"
-    - "ansible_facts.packages['libpam-modules'][0].version is version('1.4.0', '<')"
 
 - name: Manage tally/faillock on Debian unstable
+  when:
+    - "'libpam-modules' in ansible_facts.packages"
+    - "ansible_facts.packages['libpam-modules'][0].version is version('1.4.0', '>=')"
   block:
     - name: Delete tally2
       file:
         path: '{{ tally2_path }}'
         state: 'absent'
 
-    - name:  create tally directory
+    - name: Create tally directory
       file:
         path: '/var/run/faillock'
         state: 'directory'
@@ -102,9 +105,6 @@
         state: 'absent'
       when:
         - os_auth_retries == 0
-  when:
-    - "'libpam-modules' in ansible_facts.packages"
-    - "ansible_facts.packages['libpam-modules'][0].version is version('1.4.0', '>=')"
 
 - name: Update pam on Debian systems
   command: 'pam-auth-update --package'

roles/os_hardening/tasks/sysctl.yml

@@ -42,6 +42,7 @@
   register: initramfs
 
 - name: Change sysctls
+  when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz']
   block:
     - name: Create a combined sysctl-dict if os-dependent sysctls are defined
       set_fact:
@@ -69,7 +70,6 @@
         ignoreerrors: true
       with_dict: '{{ sysctl_config }}'
       when: item.key not in sysctl_unsupported_entries | default()
-  when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz']
 
 - name: Apply ufw defaults
   template: