linting

ansible/playbooks/handlers/main.yml

@@ -13,3 +13,12 @@
   service:
     name: NetworkManager
     state: reloaded
+
+- name: regenerate_auditd_rules
+  command: /sbin/augenrules
+
+- name: restart_auditd
+  service:
+    name: auditd
+    state: restarted
+

ansible/playbooks/init-rocky-system-config.yml

@@ -35,4 +35,7 @@
       file:
         path: /var/log/ansible.run
         state: touch
+        mode: '0644'
+        user: root
+        group: root
 

ansible/playbooks/tasks/harden.yml

@@ -21,6 +21,9 @@
 - name: security limits
   copy:
     dest: "/etc/security/limits.d/cis.conf"
+    user: root
+    group: root
+    mode: '0644'
     content: |
       * hard core 0
 
@@ -109,27 +112,29 @@
         state: present
       tags:
         - harden
-    
+
     - name: Ensure auditd buffer is OK
       replace:
         path: /etc/audit/rules.d/audit.rules
         regexp: '-b \d+'
         replace: '-b {{ audit_buffer }}'
       notify:
-        - regenerate auditd rules
-      tags:
-        - harden
-    
-    - name: Ensure collection audit rules are available
-      template:
-        src: "etc/audit/rules.d/collection.rules.j2"
-        dest: "/etc/audit/rules.d/collection.rules"
-        owner: root
-        group: root
-        backup: yes
-      notify:
-        - regenerate auditd rules
-        - restart auditd
+        - regenerate_auditd_rules
       tags:
         - harden
 
+# Leaving this out for now as we don't know the implications of the audit rules
+# on build systems yet. 
+#    - name: Ensure collection audit rules are available
+#      template:
+#        src: "etc/audit/rules.d/collection.rules.j2"
+#        dest: "/etc/audit/rules.d/collection.rules"
+#        owner: root
+#        group: root
+#        backup: yes
+#      notify:
+#        - regenerate_auditd rules
+#        - restart_auditd
+#      tags:
+#        - harden
+

ansible/playbooks/tasks/ssh-config.yml

@@ -23,6 +23,7 @@
       dest: "/etc/rockybanner"
       owner: root
       group: root
+      mode: '0644'
     notify: restart_ssh
 
   - name: Remove dsa keys