Fix linter errors

Work around the mutually incompatible W503 and W504.

Change-Id: I45d0ca8a911d9cf1af2df52a1cf911db817b13b3

.ansible-lint

@@ -0,0 +1,4 @@
+---
+
+skip_list:
+ - '106'

library/get_users

@@ -109,8 +109,8 @@ def main():
 
     # Get the users that match our criteria.
     user_list = [x for x in all_users
-                 if (x['uid'] >= module.params['min_uid'] and
-                     x['uid'] <= module.params['max_uid'])]
+                 if (x['uid'] >= module.params['min_uid']
+                     and x['uid'] <= module.params['max_uid'])]   # noqa: W503
 
     # Return the user data to the Ansible task.
     module.exit_json(
@@ -118,5 +118,6 @@ def main():
         users=user_list
     )
 
+
 if __name__ == '__main__':
     main()

meta/main.yml

@@ -4,22 +4,25 @@ galaxy_info:
   description: Security hardening role for OpenStack-Ansible
   company: OpenStack
   license: Apache
-  min_ansible_version: 2.3
+  min_ansible_version: 2.10
   platforms:
   - name: Debian
     versions:
       - jessie
+      - buster
   - name: Fedora
     versions:
       - 25
   - name: EL
     versions:
       - 7
+      - 8
   - name: Ubuntu
     versions:
       - trusty
       - xenial
       - bionic
+      - focal
   - name: opensuse
     versions:
       - 42.1

tasks/rhel7stig/accounts.yml

@@ -83,7 +83,7 @@
 # may be attached to a Kerberos realm and they may not have shadow data on the
 # system. See bug 1659232 for more details.
 - name: Set minimum password lifetime limit to 24 hours for interactive accounts
-  shell: "chage -m 1 {{ item.name }}"
+  command: "chage -m 1 {{ item.name }}"
   when:
     - item.shadow is mapping
     - item.shadow.min_days != 1
@@ -99,7 +99,7 @@
 # may be attached to a Kerberos realm and they may not have shadow data on the
 # system. See bug 1659232 for more details.
 - name: Set maximum password lifetime limit to 60 days for interactive accounts
-  shell: "chage -M 60 {{ item.name }}"
+  command: "chage -M 60 {{ item.name }}"
   when:
     - item.shadow is mapping
     - item.shadow.max_days > 60
@@ -144,7 +144,7 @@
     line: "{{ item.parameter }} {{ item.value }}"
     state: present
   when:
-    - item.value != ''
+    - item.value is truthy(convert_bool=True)
     - item.ansible_os_family == 'all' or item.ansible_os_family == ansible_os_family
   with_items: "{{ shadow_utils_rhel7 }}"
   tags:
@@ -210,7 +210,7 @@
   stat:
     path: "{{ item['dir'] }}"
   when:
-    - item['dir'] != ''
+    - item['dir'] | length > 0
   with_items: "{{ user_list.users }}"
   register: home_directory_checks
   tags:

tasks/rhel7stig/auth.yml

@@ -177,7 +177,8 @@
 
 - name: Set a GRUB 2 password for single-user/maintenance modes
   block:
-    - blockinfile:
+    - name: Define password options for grub
+      blockinfile:
         path: "{{ grub_custom_file }}"
         insertbefore: EOF
         marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
@@ -187,7 +188,8 @@
         state: present
       notify:
         - update grub config
-    - lineinfile:
+    - name: Set CLASS for grub file
+      lineinfile:
         path: "{{ grub_linux_file }}"
         regexp: '^CLASS=.*'
         line: 'CLASS="--class gnu-linux --class gnu --class os --unrestricted"'
@@ -246,8 +248,8 @@
   failed_when: False
   changed_when: False
   register: job_result
-  until: job_result.finished | bool
-  retries: 30
+  until: job_result.finished
+  retries: 60
   when:
     - shosts_find is not skipped
   tags:

tasks/rhel7stig/kernel.yml

@@ -49,7 +49,7 @@
     - C-00001
 
 - name: Check kdump service
-  command: systemctl status kdump
+  command: systemctl status kdump # noqa 303
   register: kdump_service_check
   failed_when: kdump_service_check.rc not in [0,3,4]
   changed_when: False

tasks/rhel7stig/lsm.yml

@@ -21,6 +21,7 @@
   failed_when: false
   when:
     - ansible_pkg_mgr in ['apt', 'zypper']
+    - security_rhel7_enable_linux_security_module | bool
   tags:
     - high
     - V-71989
@@ -31,13 +32,14 @@
 # started apparmor each time. This breaks idempotency and we check
 # systemd's status directly as an alternative.
 - name: Check if apparmor is running
-  command: "systemctl status apparmor"
+  command: "systemctl status apparmor" # noqa 303
   register: systemctl_apparmor_status
   check_mode: no
   changed_when: false
   failed_when: false
   when:
     - ansible_pkg_mgr in ['apt', 'zypper']
+    - security_rhel7_enable_linux_security_module | bool
   tags:
     - high
     - V-71989
@@ -49,6 +51,7 @@
   when:
     - ansible_pkg_mgr in ['apt', 'zypper']
     - security_rhel7_enable_linux_security_module | bool
+    - not check_mode
   tags:
     - high
     - V-71989

tasks/rhel7stig/main.yml

@@ -14,9 +14,10 @@
 # limitations under the License.
 
 - name: Create temporary directory to hold any temporary files
-  command: "mktemp -d"
+  tempfile:
+    state: directory
+    suffix: hardening
   register: mktemp_result
-  changed_when: False
   when:
     - not check_mode | bool
   tags:
@@ -24,7 +25,7 @@
 
 - name: Set a fact for the temporary directory
   set_fact:
-    temp_dir: "{{ mktemp_result.stdout }}"
+    temp_dir: "{{ mktemp_result.path }}"
   changed_when: False
   when:
     - not check_mode | bool

tasks/rhel7stig/misc.yml

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 - name: Check autofs service
-  command: systemctl status autofs
+  command: systemctl status autofs # noqa 303
   register: autofs_check
   failed_when: autofs_check.rc not in [0,3,4]
   changed_when: False
@@ -289,7 +289,7 @@
 
 # Returns 0 if installed, 3 if not installed
 - name: Check firewalld status
-  command: systemctl status firewalld
+  command: systemctl status firewalld # noqa 303
   register: firewalld_status_check
   failed_when: firewalld_status_check.rc not in [0,3,4]
   changed_when: False