lint and v2 initial

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

handlers/main.yml

@@ -5,36 +5,36 @@
   ansible.builtin.shell: sysctl --system
 
 - name: Sysctl flush ipv4 route table
-  ansible.posix.sysctl:
-      name: net.ipv4.route.flush
-      value: '1'
-      sysctl_set: true
-  ignore_errors: true  # noqa ignore-errors
   when:
-      - rhel9cis_flush_ipv4_route
+    - rhel9cis_flush_ipv4_route
-      - not system_is_container
+    - not system_is_container
+  ansible.posix.sysctl:
+    name: net.ipv4.route.flush
+    value: '1'
+    sysctl_set: true
+  ignore_errors: true  # noqa ignore-errors
 
 - name: Sysctl flush ipv6 route table
-  ansible.posix.sysctl:
-      name: net.ipv6.route.flush
-      value: '1'
-      sysctl_set: true
   when:
-      - rhel9cis_flush_ipv6_route
+    - rhel9cis_flush_ipv6_route
-      - not system_is_container
+    - not system_is_container
+  ansible.posix.sysctl:
+    name: net.ipv6.route.flush
+    value: '1'
+    sysctl_set: true
 
 - name: Systemd restart tmp.mount
   ansible.builtin.systemd:
-      name: tmp.mount
+    name: tmp.mount
-      daemon_reload: true
+    daemon_reload: true
-      enabled: true
+    enabled: true
-      masked: false
+    masked: false
-      state: reloaded
+    state: reloaded
 
 - name: Remount tmp
   ansible.posix.mount:
-      path: /tmp
+    path: /tmp
-      state: remounted
+    state: remounted
 
 - name: Update Crypto Policy
   ansible.builtin.set_fact:

meta/main.yml

@@ -1,32 +1,32 @@
 ---
 galaxy_info:
-    author: "MindPoint Group"
+  author: "MindPoint Group"
-    description: "Apply the RHEL 9 CIS"
+  description: "Apply the RHEL 9 CIS"
-    company: "MindPoint Group"
+  company: "MindPoint Group"
-    license: MIT
+  license: MIT
-    role_name: rhel9_cis
+  role_name: rhel9_cis
-    namespace: mindpointgroup
+  namespace: mindpointgroup
-    min_ansible_version: 2.10.1
+  min_ansible_version: 2.10.1
-    platforms:
+  platforms:
-        - name: EL
+    - name: EL
-          versions:
+      versions:
-              - "9"
+        - "9"
-    galaxy_tags:
+  galaxy_tags:
-        - system
+    - system
-        - security
+    - security
-        - stig
+    - stig
-        - hardening
+    - hardening
-        - benchmark
+    - benchmark
-        - compliance
+    - compliance
-        - redhat
+    - redhat
-        - complianceascode
+    - complianceascode
-        - disa
+    - disa
-        - rhel9
+    - rhel9
-        - cis
+    - cis
-        - rocky
+    - rocky
-        - alma
+    - alma
 collections:
-    - community.general
+  - community.general
-    - community.crypto
+  - community.crypto
-    - ansible.posix
+  - ansible.posix
 dependencies: []

site.yml

@@ -1,7 +1,7 @@
 ---
 
-- name: Apply RHEL9 CIS hardening
+- name: Apply ansible-lockdown hardening
   hosts: all
   become: true
   roles:
-      - role: "{{ playbook_dir }}"
+    - role: "{{ playbook_dir }}"

tasks/auditd.yml

@@ -2,46 +2,46 @@
 
 - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file
   ansible.builtin.stat:
-      path: /etc/audit/rules.d/99_auditd.rules
+    path: /etc/audit/rules.d/99_auditd.rules
   register: rhel9cis_auditd_file
 
 - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | setup file
   ansible.builtin.template:
-      src: audit/99_auditd.rules.j2
+    src: audit/99_auditd.rules.j2
-      dest: /etc/audit/rules.d/99_auditd.rules
+    dest: /etc/audit/rules.d/99_auditd.rules
-      owner: root
+    owner: root
-      group: root
+    group: root
-      mode: '0640'
+    mode: '0640'
   diff: "{{ rhel9cis_auditd_file.stat.exists }}"  # Only run diff if not a new file
   register: rhel9cis_auditd_template_updated
   notify:
-      - Auditd immutable check
+    - Auditd immutable check
-      - Audit immutable fact
+    - Audit immutable fact
-      - Restart auditd
+    - Restart auditd
 
 - name: POST | AUDITD | Add Warning count for changes to template file | Warn Count  # noqa no-handler
-  ansible.builtin.import_tasks:
-      file: warning_facts.yml
-  vars:
-      warn_control_id: 'Auditd template updated, see diff output for details'
   when:
-      - rhel9cis_auditd_template_updated.changed
+    - rhel9cis_auditd_template_updated.changed
-      - rhel9cis_auditd_file.stat.exists
+    - rhel9cis_auditd_file.stat.exists
+  ansible.builtin.import_tasks:
+    file: warning_facts.yml
+  vars:
+    warn_control_id: 'Auditd template updated, see diff output for details'
 
 - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file
   ansible.builtin.stat:
-      path: /etc/audit/rules.d/98_auditd_exceptions.rules
+    path: /etc/audit/rules.d/98_auditd_exceptions.rules
   register: rhel9cis_auditd_exception_file
 
 - name: POST | Set up auditd user logging exceptions | setup file
+  when:
+    - rhel9cis_allow_auditd_uid_user_exclusions
+    - rhel9cis_auditd_uid_exclude | length > 0
   ansible.builtin.template:
-      src: audit/98_auditd_exception.rules.j2
+    src: audit/98_auditd_exception.rules.j2
-      dest: /etc/audit/rules.d/98_auditd_exceptions.rules
+    dest: /etc/audit/rules.d/98_auditd_exceptions.rules
-      owner: root
+    owner: root
-      group: root
+    group: root
-      mode: '0640'
+    mode: '0640'
   diff: "{{ rhel9cis_auditd_exception_file.stat.exists }}"
   notify: Restart auditd
-  when:
-      - rhel9cis_allow_auditd_uid_user_exclusions
-      - rhel9cis_auditd_uid_exclude | length > 0