Collections lint

.config/.secrets.baseline

@@ -75,10 +75,6 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
-    {
-      "path": "detect_secrets.filters.common.is_baseline_file",
-      "filename": ".config/.secrets.baseline"
-    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -113,78 +109,11 @@
     {
       "path": "detect_secrets.filters.regex.should_exclude_file",
       "pattern": [
-        ".config/.gitleaks-report.json"
+        ".config/.gitleaks-report.json",
+        "tasks/parse_etc_passwd.yml"
       ]
     }
   ],
-  "results": {
-    "defaults/main.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "defaults/main.yml",
-        "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
-        "is_verified": false,
-        "line_number": 467,
-        "is_secret": false
-      }
-    ],
-    "tasks/fix-cat2.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/fix-cat2.yml",
-        "hashed_secret": "673504d3db128a01a93d32de2b104a05dc2e6859",
-        "is_verified": false,
-        "line_number": 1450,
-        "is_secret": false
-      }
-    ],
-    "tasks/main.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/main.yml",
-        "hashed_secret": "2784977b09b611a32db88f631d88a5806605967e",
-        "is_verified": false,
-        "line_number": 39,
-        "is_secret": false
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/main.yml",
-        "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
-        "is_verified": false,
-        "line_number": 56,
-        "is_secret": false
-      }
-    ],
-    "tasks/parse_etc_passwd.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/parse_etc_passwd.yml",
-        "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
-        "is_verified": false,
-        "line_number": 18
-      }
-    ],
-    "tasks/prelim.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/prelim.yml",
-        "hashed_secret": "fd917ab33fb6bd01e799f4b72da0586589cd909a",
-        "is_verified": false,
-        "line_number": 232,
-        "is_secret": false
-      }
-    ],
-    "templates/pam_pkcs11.conf.j2": [
-      {
-        "type": "Secret Keyword",
-        "filename": "templates/pam_pkcs11.conf.j2",
-        "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
-        "is_verified": false,
-        "line_number": 173,
-        "is_secret": false
-      }
-    ]
-  },
-  "generated_at": "2023-09-15T16:02:38Z"
+  "results": {},
+  "generated_at": "2023-10-09T14:42:52Z"
 }

CONTRIBUTING.rst

@@ -65,4 +65,3 @@ following text in your contribution commit message:
 This message can be entered manually, or if you have configured git
 with the correct `user.name` and `user.email`, you can use the `-s`
 option to `git commit` to automatically include the signoff message.
-

ChangeLog.md

@@ -115,14 +115,14 @@ README
 
 ## Release 1.9.0
 
-- RHEL-07-010271 - New Control Added 
+- RHEL-07-010271 - New Control Added
 - Update to STIG V3R9 Oct 27th 2022 - Changes Listed Below
   - RHEL-07-010342, RHEL-07-010343, RHEL- 07-020023, RHEL-07-030201 - Updated fix text.
   - RHEL-07-021040, RHEL-07-021700 - Updated check text command to eliminate false positives.
   - RHEL-07-030840 - Updated check and fix text.
   - RHEL-07-040160 - Updated check text.
   - RHEL-07-040310 - Corrected typo in the Vulnerability Discussion.
-  - RHEL-07-040360, RHEL-07-040530 - Updated CCI. 
+  - RHEL-07-040360, RHEL-07-040530 - Updated CCI.
 - Update to README and requirements
 - RHEL-07-010010, RHEL-07-010020, RHEL-07-010291, RHEL-07-021030,RHEL-07-021040 - Updated Tag Information
 

README.md

@@ -12,7 +12,6 @@ This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 11 released on  July 23
 ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
 [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)
 
-![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61792?label=Quality&&logo=ansible)
 ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)
 
 ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)

ansible.cfg

@@ -23,4 +23,3 @@ transfer_method=scp
 [colors]
 
 [diff]
-

collections/requirements.yml

@@ -1,8 +1,14 @@
 ---
 
 collections:
-- name: community.general
+    - name: community.general
+      source: https://github.com/ansible-collections/community.general
+      type: git
 
-- name: community.crypto
+    - name: community.crypto
+      source: https://github.com/ansible-collections/community.crypto
+      type: git
 
-- name: ansible.posix
+    - name: ansible.posix
+      source: https://github.com/ansible-collections/ansible.posix
+      type: git

defaults/main.yml

@@ -464,7 +464,7 @@ rhel7stig_force_exact_packages: "{{ rhel7stig_disruption_high }}"
 # RHEL-07-010480 and RHEL-07-010490
 # Password protect the boot loader
 
-rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'
+rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
 rhel7stig_boot_superuser: root
 
 # RHEL-07-021700 set the value for correctly configured grub bootloader sequence

doc/README.md

@@ -5,4 +5,3 @@ To generate the documentation on a RHEL/CentOS 7 system, take the following step
    * `sudo pip3 install -r requirements.txt`
 3. Generate the documentation:
    * `make singlehtml`
-

tasks/fix-cat2.yml

@@ -1447,7 +1447,7 @@
         ansible.builtin.include_tasks:
             file: parse_etc_passwd.yml
         vars:
-            rhel7stig_passwd_tasks: "RHEL-07-020270"  # noqa: no-handler
+            rhel7stig_passwd_tasks: "RHEL-07-020270"  # noqa: no-handler  # pragma: allowlist secret
         when: rhel_07_020270_patch is changed
   when:
       - rhel_07_020270

tasks/main.yml

@@ -36,7 +36,7 @@
             fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
             success_msg: "You a password set for the {{ ansible_env.SUDO_USER }}"
         vars:
-            sudo_password_rule: RHEL-07-010340
+            sudo_password_rule: RHEL-07-010340  # pragma: allowlist secret
   when:
       - rhel_07_010340
       - ansible_env.SUDO_USER is defined
@@ -53,8 +53,8 @@
 
 - name: Check rhel7stig_bootloader_password_hash variable has been changed
   ansible.builtin.assert:
-      that: rhel7stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
-      msg: "This role will not be able to run single user password commands as rhel7stig_bootloader_password_hash variable has not been set. You can create the hash on a RHEL 7.9 system using the command 'grub2-mkpasswd-pbkdf2'"
+      that: rhel7stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
+      msg: "This role will not be able to run single user password commands as rhel7stig_bootloader_password_hash variable has not been set. You can create the hash on a RHEL 7.9 system using the command 'grub2-mkpasswd-pbkdf2'"  # pragma: allowlist secret
   when:
       - rhel_07_010481 or
         rhel_07_010482 or

tasks/prelim.yml

@@ -229,7 +229,7 @@
   ansible.builtin.include_tasks:
       file: parse_etc_passwd.yml
   vars:
-      rhel7stig_passwd_tasks: "RHEL-07-020620 RHEL-07-020630 RHEL-07-020640 RHEL-07-020650 RHEL-07-020660 RHEL-07-020690"
+      rhel7stig_passwd_tasks: "RHEL-07-020620 RHEL-07-020630 RHEL-07-020640 RHEL-07-020650 RHEL-07-020660 RHEL-07-020690"  # pragma: allowlist secret
   when:
       - rhel_07_020600 or
         rhel_07_020620 or

templates/01-banner-message.j2

@@ -1,4 +1,4 @@
-[org/gnome/login-screen] 
+[org/gnome/login-screen]
 banner-message-enable=true
 
 banner-message-text='{{ rhel7stig_logon_banner }}'

templates/ansible_vars_goss.yml.j2

@@ -28,7 +28,7 @@ rhel7stig_cat1: {{ rhel7stig_cat1_patch }}
 rhel7stig_cat2: {{ rhel7stig_cat2_patch }}
 rhel7stig_cat3: {{ rhel7stig_cat3_patch }}
 
-## CAT I 
+## CAT I
 RHEL_07_010010: {{ rhel_07_010010 }}
 RHEL_07_010020: {{ rhel_07_010020 }}
 RHEL_07_010290: {{ rhel_07_010290 }}
@@ -337,7 +337,7 @@ rhel7stig_staff_u:
 
 # host intrision protection e.g. Mcafee HIPS
 rhel7stig_hip_enabled: false
-rhel7stig_hip_pkg: 
+rhel7stig_hip_pkg:
 rhel7stig_hip_proc:
 
 # RHEL-07-010483 & RHEL-07-010492

templates/audit/99_auditd.rules.j2

@@ -50,7 +50,7 @@
 {% endif %}
 
 {% if rhel_07_030620 %}
--w /var/log/lastlog -p wa -k logins 
+-w /var/log/lastlog -p wa -k logins
 {% endif %}
 
 {% if rhel_07_030630 %}

templates/pam_pkcs11.conf.j2

@@ -9,7 +9,7 @@ pam_pkcs11 {
   nullok = true;
 
   # Enable debugging support.
-  debug = false; 
+  debug = false;
 
   # If the smart card is inserted, only use it
   card_only = true;
@@ -32,7 +32,7 @@ pam_pkcs11 {
   screen_savers = gnome-screensaver,xscreensaver,kscreensaver
 
   pkcs11_module {{ rhel07stig_smartcarddriver }} {
-    {% if rhel07stig_smartcarddriver == 'cackey' %}module = /usr/lib64/libcackey.so;{% elif rhel07stig_smartcarddriver == 'coolkey' %}module = libcoolkeypk11.so;{% endif %} 
+    {% if rhel07stig_smartcarddriver == 'cackey' %}module = /usr/lib64/libcackey.so;{% elif rhel07stig_smartcarddriver == 'coolkey' %}module = libcoolkeypk11.so;{% endif %}
     module = /usr/lib64/libcackey.so;
     description = "{{ rhel07stig_smartcarddriver }}";
     slot_num = 0;
@@ -54,7 +54,7 @@ pam_pkcs11 {
     # you can mange the certs in this database with the certutil command in
     # the package nss-tools
     nss_dir = /etc/pki/nssdb;
-  
+
     # Sets the Certificate Policy, (see above)
     cert_policy = ca, signature;
   }
@@ -96,10 +96,10 @@ pam_pkcs11 {
   # When no absolute path or module info is provided, use this
   # value as module search path
   # TODO:
-  # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH 
+  # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH
   mapper_search_path = /usr/$LIB/pam_pkcs11;
 
-  # 
+  #
   # Generic certificate contents mapper
   mapper generic {
         debug = true;
@@ -170,7 +170,7 @@ pam_pkcs11 {
   # DN to bind with. Must have read-access for user entries under "base"
         binddn = "cn=pam,o=example,c=com";
   # Password for above DN
-        passwd = "test";
+        passwd = "test";  # pragma: allowlist secret
   # Searchbase for user entries
         base = "ou=People,o=example,c=com";
   # Attribute of user entry which contains the certificate
@@ -194,7 +194,7 @@ pam_pkcs11 {
   module = internal;
   # module = /usr/$LIB/pam_pkcs11/mail_mapper.so;
   # Declare mapfile or
-  # leave empty "" or "none" to use no map 
+  # leave empty "" or "none" to use no map
   mapfile = file:///etc/pam_pkcs11/mail_mapping;
   # Some certs store email in uppercase. take care on this
   ignorecase = true;