Auto-fix yaml rules

In order to reduce divergance with ansible-lint rules, we apply
auto-fixing of violations.

In current patch we replace all kind of truthy variables with
`true` or `false` values to align with recommendations along with
alignment of used quotes.

Change-Id: I10eaed0d5f7b2a02379d9708da04ef26c31fba5e

.ansible-lint

@@ -1,4 +1,4 @@
 ---
 
 skip_list:
- - '106'
+  - "106"

.gitignore

@@ -45,6 +45,7 @@ logs/*
 # OS generated files #
 ######################
 ._*
+.ansible
 .tox
 *.egg-info
 .eggs

defaults/main.yml

@@ -39,7 +39,7 @@ security_package_state: present
 # Set the following variable to `no` to prevent the EPEL repository from being
 # installed by the role. This may prevent certain packages from installing,
 # such as ClamAV.
-security_epel_install_repository: yes
+security_epel_install_repository: true
 #
 # Some deployers install a customized EPEL package that redirects servers to
 # their internal EPEL mirrors. Provide the name of the EPEL repository package
@@ -62,13 +62,13 @@ security_epel_release_package: epel-release
 
 ## Accounts (accounts)
 # Set minimum password lifetime to 1 day for interactive accounts.
-security_set_minimum_password_lifetime: no                   # V-71927
+security_set_minimum_password_lifetime: false # V-71927
-security_set_maximum_password_lifetime: no                   # V-71931
+security_set_maximum_password_lifetime: false # V-71931
 
 ## AIDE (aide)
 # Initialize the AIDE database immediately (may take time).
-security_rhel7_initialize_aide: no                           # V-71973
+security_rhel7_initialize_aide: false # V-71973
-security_rhel7_enable_aide: yes
+security_rhel7_enable_aide: true
 
 # The default Ubuntu configuration for AIDE will cause it to wander into some
 # terrible places on the system, such as /var/lib/lxc and images in /opt.
@@ -86,189 +86,190 @@ security_aide_exclude_dirs:
 # Encrypt audit records when they are transmitted over the network.
 # security_audisp_enable_krb5: yes                            # V-72085
 # Set the auditd failure flag. WARNING: READ DOCUMENTATION BEFORE CHANGING!
-security_rhel7_audit_failure_flag: 1                         # V-72081
+security_rhel7_audit_failure_flag: 1 # V-72081
 # Set the action to take when the disk is full or network events cannot be sent.
-security_rhel7_auditd_disk_full_action: syslog               # V-72087
+security_rhel7_auditd_disk_full_action: syslog # V-72087
-security_rhel7_auditd_network_failure_action: syslog         # V-72087
+security_rhel7_auditd_network_failure_action: syslog # V-72087
 # Size of remaining disk space (in MB) that triggers alerts.
 security_rhel7_auditd_space_left: >- # V-72089
   {{ (ansible_facts['mounts'] | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}
 # Action to take when the space_left threshold is reached.
-security_rhel7_auditd_space_left_action: email               # V-72091
+security_rhel7_auditd_space_left_action: email # V-72091
 # Send auditd email alerts to this user.
-security_rhel7_auditd_action_mail_acct: root                 # V-72093
+security_rhel7_auditd_action_mail_acct: root # V-72093
 # Add audit rules for commands/syscalls.
-security_rhel7_audit_chsh: yes                               # V-72167
+security_rhel7_audit_chsh: true # V-72167
-security_rhel7_audit_chage: yes                              # V-72155
+security_rhel7_audit_chage: true # V-72155
-security_rhel7_audit_chcon: yes                              # V-72139
+security_rhel7_audit_chcon: true # V-72139
-security_rhel7_audit_chmod: no                               # V-72105
+security_rhel7_audit_chmod: false # V-72105
-security_rhel7_audit_chown: no                               # V-72097
+security_rhel7_audit_chown: false # V-72097
-security_rhel7_audit_creat: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}"  # V-72123
+security_rhel7_audit_creat: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72123
-security_rhel7_audit_crontab: yes                            # V-72183
+security_rhel7_audit_crontab: true # V-72183
-security_rhel7_audit_delete_module: yes                      # V-72189
+security_rhel7_audit_delete_module: true # V-72189
-security_rhel7_audit_fchmod: no                              # V-72107
+security_rhel7_audit_fchmod: false # V-72107
-security_rhel7_audit_fchmodat: no                            # V-72109
+security_rhel7_audit_fchmodat: false # V-72109
-security_rhel7_audit_fchown: no                              # V-72099
+security_rhel7_audit_fchown: false # V-72099
-security_rhel7_audit_fchownat: no                            # V-72103
+security_rhel7_audit_fchownat: false # V-72103
-security_rhel7_audit_fremovexattr: no                        # V-72119
+security_rhel7_audit_fremovexattr: false # V-72119
-security_rhel7_audit_fsetxattr: no                           # V-72113
+security_rhel7_audit_fsetxattr: false # V-72113
-security_rhel7_audit_ftruncate: yes                          # V-72133
+security_rhel7_audit_ftruncate: true # V-72133
-security_rhel7_audit_init_module: yes                        # V-72187
+security_rhel7_audit_init_module: true # V-72187
-security_rhel7_audit_gpasswd: yes                            # V-72153
+security_rhel7_audit_gpasswd: true # V-72153
-security_rhel7_audit_lchown: no                              # V-72101
+security_rhel7_audit_lchown: false # V-72101
-security_rhel7_audit_lremovexattr: no                        # V-72121
+security_rhel7_audit_lremovexattr: false # V-72121
-security_rhel7_audit_lsetxattr: no                           # V-72115
+security_rhel7_audit_lsetxattr: false # V-72115
-security_rhel7_audit_mount: yes                              # V-72171
+security_rhel7_audit_mount: true # V-72171
-security_rhel7_audit_newgrp: yes                             # V-72165
+security_rhel7_audit_newgrp: true # V-72165
-security_rhel7_audit_open: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}"  # V-72125
+security_rhel7_audit_open: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72125
-security_rhel7_audit_openat: yes                             # V-72127
+security_rhel7_audit_openat: true # V-72127
-security_rhel7_audit_open_by_handle_at: yes                  # V-72129
+security_rhel7_audit_open_by_handle_at: true # V-72129
-security_rhel7_audit_pam_timestamp_check: yes                # V-72185
+security_rhel7_audit_pam_timestamp_check: true # V-72185
-security_rhel7_audit_passwd: yes                             # V-72149
+security_rhel7_audit_passwd: true # V-72149
-security_rhel7_audit_postdrop: yes                           # V-72175
+security_rhel7_audit_postdrop: true # V-72175
-security_rhel7_audit_postqueue: yes                          # V-72177
+security_rhel7_audit_postqueue: true # V-72177
-security_rhel7_audit_removexattr: no                         # V-72117
+security_rhel7_audit_removexattr: false # V-72117
-security_rhel7_audit_rename: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}"  # V-72199
+security_rhel7_audit_rename: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72199
-security_rhel7_audit_renameat: yes                           # V-72201
+security_rhel7_audit_renameat: true # V-72201
-security_rhel7_audit_restorecon: yes                         # V-72141
+security_rhel7_audit_restorecon: true # V-72141
-security_rhel7_audit_rmdir: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}"  # V-72203
+security_rhel7_audit_rmdir: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72203
-security_rhel7_audit_semanage: yes                           # V-72135
+security_rhel7_audit_semanage: true # V-72135
-security_rhel7_audit_setsebool: yes                          # V-72137
+security_rhel7_audit_setsebool: true # V-72137
-security_rhel7_audit_setxattr: no                            # V-72111
+security_rhel7_audit_setxattr: false # V-72111
-security_rhel7_audit_ssh_keysign: yes                        # V-72179
+security_rhel7_audit_ssh_keysign: true # V-72179
-security_rhel7_audit_su: yes                                 # V-72159
+security_rhel7_audit_su: true # V-72159
-security_rhel7_audit_sudo: yes                               # V-72161
+security_rhel7_audit_sudo: true # V-72161
-security_rhel7_audit_sudoedit: yes                           # V-72169
+security_rhel7_audit_sudoedit: true # V-72169
-security_rhel7_audit_truncate: yes                           # V-72131
+security_rhel7_audit_truncate: true # V-72131
-security_rhel7_audit_umount: yes                             # V-72173
+security_rhel7_audit_umount: true # V-72173
-security_rhel7_audit_unix_chkpwd: yes                        # V-72151
+security_rhel7_audit_unix_chkpwd: true # V-72151
-security_rhel7_audit_unlink: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}"  # V-72205
+security_rhel7_audit_unlink: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72205
-security_rhel7_audit_unlinkat: yes                           # V-72207
+security_rhel7_audit_unlinkat: true # V-72207
-security_rhel7_audit_userhelper: yes                         # V-72157
+security_rhel7_audit_userhelper: true # V-72157
 # Add audit rules for other events.
-security_rhel7_audit_account_access: yes                     # V-72143
+security_rhel7_audit_account_access: true # V-72143
-security_rhel7_audit_sudo_config_changes: yes                # V-72163
+security_rhel7_audit_sudo_config_changes: true # V-72163
-security_rhel7_audit_insmod: yes                             # V-72191
+security_rhel7_audit_insmod: true # V-72191
-security_rhel7_audit_rmmod: yes                              # V-72193
+security_rhel7_audit_rmmod: true # V-72193
-security_rhel7_audit_modprobe: yes                           # V-72195
+security_rhel7_audit_modprobe: true # V-72195
-security_rhel7_audit_account_actions: yes                    # V-72197
+security_rhel7_audit_account_actions: true # V-72197
 
 ## Authentication (auth)
 # Check if sudoers has the NOPASSWD rule enabled
-security_sudoers_nopasswd_check_enable: yes
+security_sudoers_nopasswd_check_enable: true
 
 # Disallow logins from accounts with blank/null passwords via PAM.
-security_disallow_blank_password_login: yes                  # V-71937
+security_disallow_blank_password_login: true # V-71937
 # Apply password quality rules.
 # NOTE: The security_pwquality_apply_rules variable is a "master switch".
 # Set the 'security_pwquality_apply_rules' variable to 'yes' to apply all of
 # the password quality rules. Each rule can be disabled with a value of 'no'.
-security_pwquality_apply_rules: no
+security_pwquality_apply_rules: false
-security_pwquality_require_uppercase: yes                    # V-71903
+security_pwquality_require_uppercase: true # V-71903
-security_pwquality_require_lowercase: yes                    # V-71905
+security_pwquality_require_lowercase: true # V-71905
-security_pwquality_require_numeric: yes                      # V-71907
+security_pwquality_require_numeric: true # V-71907
-security_pwquality_require_special: yes                      # V-71909
+security_pwquality_require_special: true # V-71909
-security_pwquality_require_characters_changed: yes           # V-71911
+security_pwquality_require_characters_changed: true # V-71911
-security_pwquality_require_character_classes_changed: yes    # V-71913
+security_pwquality_require_character_classes_changed: true # V-71913
-security_pwquality_limit_repeated_characters: yes            # V-71915
+security_pwquality_limit_repeated_characters: true # V-71915
-security_pwquality_limit_repeated_character_classes: yes     # V-71917
+security_pwquality_limit_repeated_character_classes: true # V-71917
-security_pwquality_require_minimum_password_length: no       # V-71935
+security_pwquality_require_minimum_password_length: false # V-71935
 # Use pwquality when passwords are changed or established.
-security_enable_pwquality_password_set: no                   # V-73159
+security_enable_pwquality_password_set: false # V-73159
 # Ensure passwords are stored using SHA512.
-security_password_encrypt_method: SHA512                     # V-71921
+security_password_encrypt_method: SHA512 # V-71921
 # Ensure user/group admin utilities only store encrypted passwords.
-security_libuser_crypt_style_sha512: yes                     # V-71923
+security_libuser_crypt_style_sha512: true # V-71923
 # Set a minimum/maximum lifetime limit for user passwords.
 # security_password_min_lifetime_days: 1                      # V-71925
 # security_password_max_lifetime_days: 60                     # V-71929
 # Set a delay (in seconds) between failed login attempts.
-security_shadow_utils_fail_delay: 4                          # V-71951
+security_shadow_utils_fail_delay: 4 # V-71951
 # Set a umask for all authenticated users.
 # security_shadow_utils_umask: '077'                         # V-71995
 # Create home directories for new users by default.
-security_shadow_utils_create_home: yes                       # V-72013
+security_shadow_utils_create_home: true # V-72013
 # How many old user password to remember to prevent password re-use.
 # security_password_remember_password: 5                      # V-71933
 # Disable user accounts if the password expires.
-security_disable_account_if_password_expires: no             # V-71941
+security_disable_account_if_password_expires: false # V-71941
 # Lock user accounts with excessive login failures. See documentation.
-security_pam_faillock_enable: no                             # V-71945 / V-71943 / RHEL-07-010373
+security_pam_faillock_enable: false # V-71945 / V-71943 / RHEL-07-010373
 security_pam_faillock_interval: 900
 security_pam_faillock_attempts: 3
-security_pam_faillock_deny_root: yes                         # RHEL-07-010373
+security_pam_faillock_deny_root: true # RHEL-07-010373
-security_pam_faillock_unlock_time: 604800                    # V-71943
+security_pam_faillock_unlock_time: 604800 # V-71943
 # Limit the number of concurrent connections per account.
 # security_rhel7_concurrent_session_limit: 10                 # V-72217
 # Remove .shosts and shosts.equiv files.
-security_rhel7_remove_shosts_files: no                       # V-72277
+security_rhel7_remove_shosts_files: false # V-72277
 # Exclude these directories from the shosts files find
 security_rhel7_remove_shosts_exclude_dirs:
-  - '/sys'
+  - "/sys"
-  - '/proc'
+  - "/proc"
-  - '/dev'
+  - "/dev"
 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.
-security_reset_perm_ownership: no                            # V-71849
+security_reset_perm_ownership: false # V-71849
 # Search for files/directories owned by invalid users or groups.
-security_search_for_invalid_owner: no                        # V-72007
+security_search_for_invalid_owner: false # V-72007
-security_search_for_invalid_group_owner: no                  # V-72009
+security_search_for_invalid_group_owner: false # V-72009
 # Set user/group owners on each home directory and set mode to 0750.
-security_set_home_directory_permissions_and_owners: no       # V-72017 / V-72019 / V-72021
+security_set_home_directory_permissions_and_owners: false # V-72017 / V-72019 / V-72021
 # Find all world-writable directories and display them.
-security_find_world_writable_dirs: no                        # V-72047
+security_find_world_writable_dirs: false # V-72047
 
 ## Graphical interfaces (graphical)
 # Disable automatic gdm logins
-security_disable_gdm_automatic_login: yes                    # V-71953
+security_disable_gdm_automatic_login: true # V-71953
 # Disable timed gdm logins for guests
-security_disable_gdm_timed_login: yes                        # V-71955
+security_disable_gdm_timed_login: true # V-71955
 # Enable session locking for graphical logins.
-security_lock_session: no                                    # V-71891
+security_lock_session: false # V-71891
 # Set a timer (in seconds) when an inactive session is locked.
-security_lock_session_inactive_delay: 900                    # V-71893
+security_lock_session_inactive_delay: 900 # V-71893
 # Prevent users from modifying session lock settings.
-security_lock_session_override_user: yes                     # RHEL-07-010071
+security_lock_session_override_user: true # RHEL-07-010071
 # Lock a session (start screensaver) when a session is inactive.
-security_lock_session_when_inactive: yes                     # V-71893
+security_lock_session_when_inactive: true # V-71893
 # Time after screensaver starts when user login is required.
-security_lock_session_screensaver_lock_delay: 5              # V-71901
+security_lock_session_screensaver_lock_delay: 5 # V-71901
 # Enable a login banner and set the text for the banner.
-security_enable_graphical_login_message: yes                 # V-71859
+security_enable_graphical_login_message: true # V-71859
 security_enable_graphical_login_message_text: >
-    You are accessing a secured system and your actions will be logged along
+  You are accessing a secured system and your actions will be logged along
-    with identifying information. Disconnect immediately if you are not an
+  with identifying information. Disconnect immediately if you are not an
-    authorized user of this system.
+  authorized user of this system.
 
 ## Linux Security Module (lsm)
 # Enable SELinux on Red Hat/CentOS and AppArmor on Ubuntu.
-security_rhel7_enable_linux_security_module: yes             # V-71989 / V-71991
+security_rhel7_enable_linux_security_module: true # V-71989 / V-71991
 
 ## Miscellaneous (misc)
 # Disable the autofs service.
-security_rhel7_disable_autofs: yes                           # V-71985
+security_rhel7_disable_autofs: true # V-71985
 # Enable virus scanning with clamav
-security_enable_virus_scanner: no                            # V-72213
+security_enable_virus_scanner: false # V-72213
 # Run the virus scanner update during the deployment (if scanner is deployed)
-security_run_virus_scanner_update: yes
+security_run_virus_scanner_update: true
 # Disable ctrl-alt-delete key sequence on the console.
-security_rhel7_disable_ctrl_alt_delete: yes                  # V-71993
+security_rhel7_disable_ctrl_alt_delete: true # V-71993
 # Install and enable firewalld for iptables management.
-security_enable_firewalld: no                                # V-72273
+security_enable_firewalld: false # V-72273
 # Rate limit TCP connections to 25/min and burstable to 100.
-security_enable_firewalld_rate_limit: no                     # V-72271
+security_enable_firewalld_rate_limit: false # V-72271
 security_enable_firewalld_rate_limit_per_minute: 25
 security_enable_firewalld_rate_limit_burst: 100
 # Update the grub configuration.
-security_enable_grub_update: yes
+security_enable_grub_update: true
 # Require authentication in GRUB to boot into single-user or maintenance modes.
-security_require_grub_authentication: no                     # V-71961 / V-71963
+security_require_grub_authentication: false # V-71961 / V-71963
 # The default password for grub authentication is 'secrete'.
-security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B # noqa: yaml[line-length]
+security_grub_password_hash:
+  grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B # noqa: yaml[line-length]
 # Set session timeout.
-security_rhel7_session_timeout: 600                          # V-72223
+security_rhel7_session_timeout: 600 # V-72223
 # Enable chrony for NTP time synchronization.
-security_rhel7_enable_chrony: yes                            # V-72269
+security_rhel7_enable_chrony: true # V-72269
 # Use the following NTP servers.
 security_ntp_servers:
   - 0.pool.ntp.org
@@ -286,9 +287,9 @@ security_allowed_ntp_subnets:
   - 192.168/16
   - 172.16/12
 # Listen for NTP requests only on local interfaces.
-security_ntp_bind_local_interfaces_only: yes
+security_ntp_bind_local_interfaces_only: true
 # Restrict mail relaying.
-security_rhel7_restrict_mail_relaying: yes                   # V-72297
+security_rhel7_restrict_mail_relaying: true # V-72297
 # Deploy a login banner.                                     # V-72225 / V-71863
 security_login_banner_text: |
   ------------------------------------------------------------------------------
@@ -302,90 +303,90 @@ security_login_banner_text: |
 ## Packages (packages)
 # Remove packages from the system as required by the STIG. Set any of these
 # to 'no' to skip their removal.
-security_rhel7_remove_rsh_server: yes                        # V-71967
+security_rhel7_remove_rsh_server: true # V-71967
-security_rhel7_remove_telnet_server: yes                     # V-72077
+security_rhel7_remove_telnet_server: true # V-72077
-security_rhel7_remove_tftp_server: yes                       # V-72301
+security_rhel7_remove_tftp_server: true # V-72301
-security_rhel7_remove_xorg: yes                              # V-72307
+security_rhel7_remove_xorg: true # V-72307
-security_rhel7_remove_ypserv: yes                            # V-71969
+security_rhel7_remove_ypserv: true # V-71969
 # Automatically remove dependencies when removing packages.
-security_package_clean_on_remove: no                         # V-71987
+security_package_clean_on_remove: false # V-71987
 # Automatically update packages.
-security_rhel7_automatic_package_updates: no                 # V-71999
+security_rhel7_automatic_package_updates: false # V-71999
 # Install packages for multi-factor authentication.
-security_install_multifactor_auth_packages: yes              # V-72417
+security_install_multifactor_auth_packages: true # V-72417
-security_check_package_checksums: no                         # V-71855
+security_check_package_checksums: false # V-71855
 
 ## RPM (rpm)
 # Enable GPG checks for packages and repository data.
-security_enable_gpgcheck_packages: yes                       # V-71977
+security_enable_gpgcheck_packages: true # V-71977
-security_enable_gpgcheck_packages_local: yes                 # V-71979
+security_enable_gpgcheck_packages_local: true # V-71979
-security_enable_gpgcheck_repo: no                            # V-71981
+security_enable_gpgcheck_repo: false # V-71981
 
 ## ssh server (sshd)
 # Ensure sshd is running and enabled at boot time.
-security_enable_sshd: yes                                    # V-72235
+security_enable_sshd: true # V-72235
 # Disallow logins from users with empty/null passwords.
-security_sshd_disallow_empty_password: yes                   # V-71939 / RHEL-07-010440
+security_sshd_disallow_empty_password: true # V-71939 / RHEL-07-010440
 # Disallow users from overriding the ssh environment variables.
-security_sshd_disallow_environment_override: yes             # V-71957
+security_sshd_disallow_environment_override: true # V-71957
 # Disallow host based authentication.
-security_sshd_disallow_host_based_auth: yes                  # V-71959
+security_sshd_disallow_host_based_auth: true # V-71959
 # Set a list of allowed ssh ciphers.
-security_sshd_cipher_list: 'aes128-ctr,aes192-ctr,aes256-ctr' # V-72221
+security_sshd_cipher_list: "aes128-ctr,aes192-ctr,aes256-ctr" # V-72221
 # Specify a text file to be displayed as the banner/MOTD for all sessions.
-security_sshd_banner_file: /etc/motd                         # V-71861 / V-72225
+security_sshd_banner_file: /etc/motd # V-71861 / V-72225
 # Disable dynamic MOTD banner that is provided by /run/motd.dynamic
-security_sshd_dynamic_banner_disable: True
+security_sshd_dynamic_banner_disable: true
 # Set the interval for max session length and the number of intervals to allow.
-security_sshd_client_alive_interval: 600                     # V-72237
+security_sshd_client_alive_interval: 600 # V-72237
-security_sshd_client_alive_count_max: 0                      # V-72241
+security_sshd_client_alive_count_max: 0 # V-72241
 # Print the last login for a user when they log in over ssh.
-security_sshd_print_last_log: yes                            # V-72245
+security_sshd_print_last_log: true # V-72245
 # Permit direct root logins ('yes', 'no', 'without-password', 'prohibit-password', 'forced-commands-only')
-security_sshd_permit_root_login: no                          # V-72247
+security_sshd_permit_root_login: false # V-72247
 # Disallow authentication using known hosts authentication.
-security_sshd_disallow_known_hosts_auth: yes                 # V-72249 / V-72239
+security_sshd_disallow_known_hosts_auth: true # V-72249 / V-72239
 # Disallow rhosts authentication.
-security_sshd_disallow_rhosts_auth: yes                      # V-72243
+security_sshd_disallow_rhosts_auth: true # V-72243
 # Enable X11 forwarding.
-security_sshd_enable_x11_forwarding: yes                     # V-72303
+security_sshd_enable_x11_forwarding: true # V-72303
 # Set the allowed ssh protocols.
-security_sshd_protocol: 2                                    # V-72251
+security_sshd_protocol: 2 # V-72251
 # Set the list of allowed Message Authentication Codes (MACs) for ssh.
-security_sshd_allowed_macs: 'hmac-sha2-256,hmac-sha2-512'    # V-72253
+security_sshd_allowed_macs: "hmac-sha2-256,hmac-sha2-512" # V-72253
 # Disallow Generic Security Service Application Program Interface (GSSAPI) auth.
-security_sshd_disallow_gssapi: yes                           # V-72259
+security_sshd_disallow_gssapi: true # V-72259
 # Disallow compression or delay after login.
-security_sshd_compression: 'delayed'                         # V-72267
+security_sshd_compression: "delayed" # V-72267
 # Require privilege separation at every opportunity.
-security_sshd_enable_privilege_separation: no                # V-72265
+security_sshd_enable_privilege_separation: false # V-72265
 # Require strict mode checking of home directory configuration files.
-security_sshd_enable_strict_modes: yes                       # V-72263
+security_sshd_enable_strict_modes: true # V-72263
 # Disallow Kerberos authentication.
-security_sshd_disable_kerberos_auth: yes                     # V-72261
+security_sshd_disable_kerberos_auth: true # V-72261
 # Disallow GSSAPI authentication.
-security_sshd_disable_gssapi_auth: yes                       # V-204598
+security_sshd_disable_gssapi_auth: true # V-204598
 
 ## Kernel settings (kernel)
 # Disallow forwarding IPv4/IPv6 source routed packets on all interfaces
 # immediately and by default on new interfaces.
-security_disallow_source_routed_packet_forward_ipv4: yes     # V-72283 / V-72285
+security_disallow_source_routed_packet_forward_ipv4: true # V-72283 / V-72285
-security_disallow_source_routed_packet_forward_ipv6: yes     # V-72319
+security_disallow_source_routed_packet_forward_ipv6: true # V-72319
 # Disallow responses to IPv4 ICMP echoes sent to broadcast address.
-security_disallow_echoes_broadcast_address: yes              # V-72287
+security_disallow_echoes_broadcast_address: true # V-72287
 # Disallow IPV4 ICMP redirects on all interfaces immediately and by default on
 # new interfaces.
-security_disallow_icmp_redirects: yes                        # V-73175 / V-72289 / V-72291 / V-72293
+security_disallow_icmp_redirects: true # V-73175 / V-72289 / V-72291 / V-72293
 # Disallow IP forwarding.
-security_disallow_ip_forwarding: no                          # V-72309
+security_disallow_ip_forwarding: false # V-72309
 # Disable USB storage support.
-security_rhel7_disable_usb_storage: yes                      # V-71983
+security_rhel7_disable_usb_storage: true # V-71983
 # Disable kdump.
-security_disable_kdump: yes                                  # V-72057
+security_disable_kdump: true # V-72057
 # Disable Datagram Congestion Control Protocol (DCCP).
-security_rhel7_disable_dccp: yes                             # V-77821
+security_rhel7_disable_dccp: true # V-77821
 # Enable Address Space Layout Randomization (ASLR).
-security_enable_aslr: yes                                    # V-77825
+security_enable_aslr: true # V-77825
 
 ###############################################################################
 #   ____            _        _ _
@@ -405,12 +406,12 @@ security_enable_aslr: yes                                    # V-77825
 ###############################################################################
 
 # To enable the contrib tasks, set this variable to 'yes'.
-security_contrib_enabled: no
+security_contrib_enabled: false
 
 # Disable IPv6.
 # DANGER: This option causes IPv6 networking to be disabled for the ENTIRE
 # DANGER: SYSTEM. This will cause downtime for any services that depend on
 # DANGER: IPv6 network connectivity.
-security_contrib_disable_ipv6: no                            # C-00001
+security_contrib_disable_ipv6: false # C-00001
 
 security_sysctl_file: "{{ openstack_sysctl_file | default('/etc/sysctl.conf') }}"

examples/playbook.yml

@@ -1,7 +1,7 @@
 ---
 - name: Gather security hardening facts
   hosts: "{{ security_host_group|default('hosts') }}"
-  gather_facts: True
+  gather_facts: true
   tags:
     - always
 

tasks/main.yml

@@ -32,7 +32,7 @@
 - name: Check for check/audit mode
   command: /bin/true
   register: noop_result
-  changed_when: False
+  changed_when: false
   tags:
     - always
 

tasks/rhel7stig/accounts.yml

@@ -16,7 +16,7 @@
 - name: Check if /etc/security/pwquality.conf exists
   stat:
     path: /etc/security/pwquality.conf
-  check_mode: no
+  check_mode: false
   register: pwquality_config_check
   tags:
     - always
@@ -24,7 +24,7 @@
 - name: Set password quality requirements
   blockinfile:
     dest: /etc/security/pwquality.conf
-    backup: yes
+    backup: true
     insertbefore: EOF
     marker: "# {mark} Added by ansible-hardening role"
     state: present
@@ -47,8 +47,8 @@
 - name: Check for SHA512 password storage in PAM
   command: "grep pam_unix.so {{ pam_password_file }}"
   register: password_sha512_check
-  changed_when: False
+  changed_when: false
-  check_mode: no
+  check_mode: false
   tags:
     - always
 
@@ -70,7 +70,7 @@
     section: defaults
     option: crypt_style
     value: sha512
-    backup: yes
+    backup: true
     mode: "0644"
   when:
     - security_libuser_crypt_style_sha512 | bool
@@ -117,9 +117,9 @@
 - name: Ensure that users cannot reuse one of their last 5 passwords
   lineinfile:
     dest: "{{ pam_password_file }}"
-    regexp: '^(password\s+[a-z0-9\=\[\] ]+\s+pam_unix\.so.+?)\s+(?:remember=\d+)?$'
+    regexp: "^(password\\s+[a-z0-9\\=\\[\\] ]+\\s+pam_unix\\.so.+?)\\s+(?:remember=\\d+)?$"
-    line: '\1 remember={{ security_password_remember_password }}'
+    line: "\\1 remember={{ security_password_remember_password }}"
-    backrefs: yes
+    backrefs: true
     state: present
   when:
     - security_password_remember_password is defined
@@ -131,8 +131,8 @@
 - name: Ensure accounts are disabled if the password expires
   lineinfile:
     dest: /etc/default/useradd
-    regexp: '^[#\s]*INACTIVE'
+    regexp: "^[#\\s]*INACTIVE"
-    line: 'INACTIVE=0'
+    line: "INACTIVE=0"
   when:
     - security_disable_account_if_password_expires | bool
   tags:
@@ -175,8 +175,8 @@
 
 - name: Get all accounts with UID 0
   shell: "awk -F: '$3 == 0 {print $1}' /etc/passwd"
-  changed_when: False
+  changed_when: false
-  check_mode: no
+  check_mode: false
   register: root_user_check
   tags:
     - accounts

tasks/rhel7stig/aide.yml

@@ -17,7 +17,7 @@
   stat:
     path: "{{ item }}"
   register: aide_conf
-  check_mode: no
+  check_mode: false
   with_items:
     - /etc/aide/aide.conf.d
     - /etc/aide.conf
@@ -71,10 +71,10 @@
 - name: Configure AIDE to verify additional properties (SUSE)
   lineinfile:
     dest: "/etc/aide.conf"
-    regexp: '(^Binlib.*= )'
+    regexp: "(^Binlib.*= )"
-    line: '\1p+i+n+u+g+s+b+m+c+sha256+sha512+acl+xattrs'
+    line: "\\1p+i+n+u+g+s+b+m+c+sha256+sha512+acl+xattrs"
     state: present
-    backrefs: yes
+    backrefs: true
   when:
     - aide_conf.results[1].stat.exists | bool
     - ansible_facts['pkg_mgr'] == 'zypper'
@@ -89,7 +89,7 @@
   stat:
     path: "{{ aide_database_file }}"
   register: aide_database
-  check_mode: no
+  check_mode: false
   tags:
     - always
 

tasks/rhel7stig/apt.yml

@@ -21,8 +21,8 @@
 
 - name: Gather debsums report
   shell: "debsums > {{ temp_dir }}/debsums.txt"
-  changed_when: False
+  changed_when: false
-  failed_when: False
+  failed_when: false
   when:
     - security_check_package_checksums | bool
     - not check_mode | bool
@@ -30,7 +30,7 @@
 - name: V-71855 - Get files with invalid checksums (apt)
   shell: "grep -v OK$ {{ temp_dir }}/debsums.txt | awk '{ print $1 }'" # noqa risky-shell-pipe
   register: invalid_checksum_files
-  changed_when: False
+  changed_when: false
   when:
     - security_check_package_checksums | bool
     - not check_mode | bool
@@ -70,9 +70,9 @@
 - name: Search for AllowUnauthenticated in /etc/apt/apt.conf.d/
   command: grep -r '^[^#].*AllowUnauthenticated \"true\"' /etc/apt/apt.conf.d/
   register: gpgcheck_result
-  changed_when: False
+  changed_when: false
-  failed_when: False
+  failed_when: false
-  check_mode: no
+  check_mode: false
 
 - name: V-71977 - Package management tool must verify authenticity of packages
   debug:
@@ -102,7 +102,7 @@
     regexp: "^(#)?APT::Get::AutomaticRemove"
     line: "APT{{ '::' }}Get{{ '::' }}AutomaticRemove \"0\";"
     state: present
-    create: yes
+    create: true
     mode: "0644"
   when:
     - security_package_clean_on_remove | bool

tasks/rhel7stig/async_tasks.yml

@@ -17,8 +17,8 @@
 # lookup one time and then grep over the output in subsequent tasks.
 - name: Verify all installed RPM packages
   shell: "rpm -Va > {{ temp_dir }}/rpmverify.txt" # noqa: command-instead-of-module
-  failed_when: False
+  failed_when: false
-  changed_when: False
+  changed_when: false
   register: rpmverify_task
   async: 3600
   poll: 0
@@ -31,7 +31,6 @@
     - V-71855
     - skip_ansible_lint
 
-
 - name: Locate top level directories to check for .shosts
   find:
     paths: /
@@ -49,10 +48,10 @@
 - name: Check for .shosts or shosts.equiv files
   find:
     paths: "{{ shosts_dirs.files | map(attribute='path') | difference(security_rhel7_remove_shosts_exclude_dirs) }}"
-    recurse: yes
+    recurse: true
-    hidden: yes
+    hidden: true
-    patterns: '.shosts,shosts.equiv'
+    patterns: ".shosts,shosts.equiv"
-  changed_when: False
+  changed_when: false
   register: shosts_find
   async: 300
   poll: 0

tasks/rhel7stig/auditd.yml

@@ -17,7 +17,7 @@
   stat:
     path: /etc/audit/auditd.conf
   register: auditd_conf
-  check_mode: no
+  check_mode: false
   tags:
     - always
 
@@ -25,7 +25,7 @@
   stat:
     path: /etc/audisp/audisp-remote.conf
   register: audisp_remote_conf
-  check_mode: no
+  check_mode: false
   tags:
     - always
 
@@ -62,7 +62,7 @@
 - name: Get valid system architectures for audit rules
   set_fact:
     auditd_architectures: "{{ (ansible_facts['architecture'] == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}"
-  check_mode: no
+  check_mode: false
   tags:
     - always
 
@@ -157,7 +157,7 @@
 - name: Adjust auditd/audispd configurations
   lineinfile:
     dest: "{{ item.config }}"
-    regexp: '^#?{{ item.parameter }}\s*='
+    regexp: "^#?{{ item.parameter }}\\s*="
     line: "{{ item.parameter }} = {{ item.value }}"
   with_items: "{{ auditd_config }}"
   when:
@@ -177,7 +177,7 @@
   service:
     name: auditd
     state: started
-    enabled: yes
+    enabled: true
   when:
     - auditd_conf.stat.exists
   tags:

tasks/rhel7stig/auth.yml

@@ -18,10 +18,10 @@
 - name: Set pam_faildelay configuration on Ubuntu
   lineinfile:
     dest: /etc/pam.d/login
-    regexp: '^(auth[\s]+optional[\s]+pam_faildelay.so).*$'
+    regexp: "^(auth[\\s]+optional[\\s]+pam_faildelay.so).*$"
-    line: '\1 delay={{ (security_shadow_utils_fail_delay | int) * 10**6 }}'
+    line: "\\1 delay={{ (security_shadow_utils_fail_delay | int) * 10**6 }}"
     state: present
-    backrefs: yes
+    backrefs: true
   when:
     - security_shadow_utils_fail_delay is defined
     - ansible_facts['os_family'] | lower == 'debian'
@@ -35,9 +35,9 @@
     dest: "{{ pam_auth_file }}"
     state: present
     regexp: "^(.*)nullok_secure(.*)$"
-    line: '\1\2'
+    line: "\\1\\2"
-    backup: yes
+    backup: true
-    backrefs: yes
+    backrefs: true
   when:
     - ansible_facts['os_family'] == 'Debian'
     - security_disallow_blank_password_login | bool
@@ -51,9 +51,9 @@
     dest: "{{ item[1] }}"
     state: present
     regexp: "^({{ item[0] }}.*sufficient.*)nullok(.*)$"
-    line: '\1\2'
+    line: "\\1\\2"
-    backup: yes
+    backup: true
-    backrefs: yes
+    backrefs: true
   loop: "{{ ['auth', 'password'] | product(['{{ pam_auth_file }}', '{{ pam_password_file }}']) | list }}"
   when:
     - ansible_facts['os_family'] == 'RedHat'
@@ -68,9 +68,9 @@
     dest: "{{ item }}"
     state: present
     regexp: "^(.*required.*)nullok(.*)$"
-    line: '\1\2'
+    line: "\\1\\2"
-    backup: yes
+    backup: true
-    backrefs: yes
+    backrefs: true
   with_items:
     - "{{ pam_auth_file }}"
     - "{{ pam_password_file }}"
@@ -108,7 +108,7 @@
 - name: Check for 'nopasswd' in sudoers files
   shell: 'grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ | egrep -v "^([[:space:]]*)?(#|$)" || echo "not found"' # noqa risky-shell-pipe
   register: sudoers_nopasswd_check
-  changed_when: False
+  changed_when: false
   when:
     - security_sudoers_nopasswd_check_enable | bool
   tags:
@@ -134,7 +134,7 @@
 - name: Check for '!authenticate' in sudoers files
   shell: grep -ir '\!authenticate' /etc/sudoers /etc/sudoers.d/ || echo 'not found'
   register: sudoers_authenticate_check
-  changed_when: False
+  changed_when: false
   tags:
     - auth
     - medium
@@ -159,7 +159,7 @@
   stat:
     path: /etc/sssd/sssd.conf
   register: sssd_conf_check
-  check_mode: no
+  check_mode: false
   tags:
     - always
 
@@ -169,7 +169,7 @@
   stat:
     path: "{{ grub_custom_file }}"
   register: grub_custom_file_check
-  check_mode: no
+  check_mode: false
   tags:
     - always
 
@@ -189,10 +189,10 @@
     - name: Set CLASS for grub file
       lineinfile:
         path: "{{ grub_linux_file }}"
-        regexp: '^CLASS=.*'
+        regexp: "^CLASS=.*"
         line: 'CLASS="--class gnu-linux --class gnu --class os --unrestricted"'
         state: present
-        backrefs: yes
+        backrefs: true
       notify:
         - Update grub config
   when:
@@ -207,7 +207,7 @@
 - name: V-72217 - The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
   blockinfile:
     dest: /etc/security/limits.d/ansible-hardening-maxlogins.conf
-    create: yes
+    create: true
     mode: "0644"
     block: |
       # Deployed by the ansible-hardening role
@@ -223,9 +223,9 @@
 - name: Check for pam_lastlog in PAM configuration
   command: "grep pam_lastlog {{ pam_postlogin_file }}"
   register: pam_lastlog_check
-  changed_when: False
+  changed_when: false
-  failed_when: False
+  failed_when: false
-  check_mode: no
+  check_mode: false
   tags:
     - always
 
@@ -244,8 +244,8 @@
 - name: Ensure .shosts find has finished
   async_status:
     jid: "{{ shosts_find.ansible_job_id }}"
-  failed_when: False
+  failed_when: false
-  changed_when: False
+  changed_when: false
   register: job_result
   until: job_result.finished
   retries: 60

tasks/rhel7stig/dnf.yml

@@ -19,7 +19,7 @@
 - name: Check if /etc/dnf/automatic.conf exists
   stat:
     path: /etc/dnf/automatic.conf
-  check_mode: no
+  check_mode: false
   register: dnf_automatic_config_check
   when:
     - ansible_facts['os_family'] | lower == 'redhat'
@@ -49,8 +49,8 @@
 - name: Check to see which dnf automatic timers are available
   shell: "rpm -ql dnf-automatic | grep timer || true" # noqa: command-instead-of-module
   register: dnf_automatic_timers
-  check_mode: no
+  check_mode: false
-  changed_when: False
+  changed_when: false
   when:
     - ansible_facts['os_family'] | lower == 'redhat'
     - ansible_facts['pkg_mgr'] == 'dnf'
@@ -79,7 +79,7 @@
 - name: Enable dnf automatic timer for automatic package updates
   systemd:
     name: "{{ dnf_automatic_timer }}"
-    enabled: yes
+    enabled: true
     state: started
   when:
     - ansible_facts['os_family'] | lower == 'redhat'

tasks/rhel7stig/file_perms.yml

@@ -16,7 +16,7 @@
 - name: V-71849 - Get packages with incorrect file permissions or ownership
   shell: "grep '^.M' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe
   register: rpmverify_package_list
-  changed_when: False
+  changed_when: false
   when:
     - not check_mode | bool
     - ansible_facts['pkg_mgr'] == 'dnf'
@@ -30,7 +30,7 @@
   shell: "rpm {{ item[0] }} `rpm -qf {{ item[1] }}`" # noqa: command-instead-of-shell command-instead-of-module risky-shell-pipe
   changed_when: false
   with_nested:
-    - ['--setperms', '--setugids']
+    - ["--setperms", "--setugids"]
     - "{{ rpmverify_package_list.stdout_lines | default([]) }}"
   when:
     - not check_mode | bool
@@ -113,9 +113,9 @@
 - name: Find all world-writable directories
   shell: "find / -perm -002 -type d -exec ls -lLd {} \\; | tr -s ' ' | cut -d' ' -f 4,9 | grep -v ^root" # noqa risky-shell-pipe
   register: world_writable_dirs
-  changed_when: False
+  changed_when: false
-  failed_when: False
+  failed_when: false
-  check_mode: no
+  check_mode: false
   when:
     - security_find_world_writable_dirs | bool
   tags:

tasks/rhel7stig/graphical.yml

@@ -17,7 +17,7 @@
   stat:
     path: /etc/gdm/custom.conf
   register: gdm_conf_check
-  check_mode: no
+  check_mode: false
 
 - name: V-71953 - The operating system must not allow an unattended or automatic logon to the system via a graphical user interface
   lineinfile:

tasks/rhel7stig/kernel.yml

@@ -17,7 +17,7 @@
   lineinfile:
     dest: /etc/modprobe.d/ansible-hardening-disable-usb-storage.conf
     line: install usb-storage /bin/true
-    create: yes
+    create: true
     mode: "0644"
   when:
     - security_rhel7_disable_usb_storage | bool
@@ -32,7 +32,7 @@
     value: "{{ item.value }}"
     state: "{{ item.enabled | ternary('present', 'absent') }}"
     sysctl_file: "{{ security_sysctl_file }}"
-    reload: yes
+    reload: true
   when:
     - item.enabled | bool
   with_items: "{{ sysctl_settings_rhel7 }}"
@@ -54,8 +54,8 @@
   command: systemctl status kdump # noqa: command-instead-of-module
   register: kdump_service_check
   failed_when: kdump_service_check.rc not in [0,3,4]
-  changed_when: False
+  changed_when: false
-  check_mode: no
+  check_mode: false
   tags:
     - kernel
     - medium
@@ -65,7 +65,7 @@
   service:
     name: kdump
     state: stopped
-    enabled: no
+    enabled: false
   when:
     - kdump_service_check.rc not in [3,4]
     - security_disable_kdump
@@ -77,9 +77,9 @@
 - name: Check if FIPS is enabled
   command: cat /proc/sys/crypto/fips_enabled
   register: fips_check
-  changed_when: False
+  changed_when: false
-  failed_when: False
+  failed_when: false
-  check_mode: no
+  check_mode: false
   when:
     - ansible_facts['pkg_mgr'] == 'dnf'
   tags:

tasks/rhel7stig/lsm.yml

@@ -16,7 +16,7 @@
 - name: Check apparmor_status output
   command: apparmor_status
   register: apparmor_status_output
-  check_mode: no
+  check_mode: false
   changed_when: false
   failed_when: false
   when:
@@ -34,7 +34,7 @@
 - name: Check if apparmor is running
   command: "systemctl status apparmor" # noqa: command-instead-of-module
   register: systemctl_apparmor_status
-  check_mode: no
+  check_mode: false
   changed_when: false
   failed_when: false
   when:
@@ -47,7 +47,7 @@
 - name: Ensure AppArmor is enabled at boot time
   service:
     name: apparmor
-    enabled: yes
+    enabled: true
   when:
     - ansible_facts['pkg_mgr'] in ['apt', 'zypper']
     - security_rhel7_enable_linux_security_module | bool
@@ -111,8 +111,8 @@
 - name: Check for unlabeled device files
   command: "find /dev -context '*unlabeled_t*'"
   register: unlabeled_devices
-  changed_when: False
+  changed_when: false
-  check_mode: no
+  check_mode: false
   when:
     - ansible_facts['os_family'] == 'RedHat'
     - ansible_facts['selinux']['status'] == 'enabled'

tasks/rhel7stig/main.yml

@@ -26,7 +26,7 @@
 - name: Set a fact for the temporary directory
   set_fact:
     temp_dir: "{{ mktemp_result.path }}"
-  changed_when: False
+  changed_when: false
   when:
     - not check_mode | bool
   tags:
@@ -41,7 +41,7 @@
   get_users:
     min_uid: 0
   register: hardening_user_list
-  check_mode: no
+  check_mode: false
   tags:
     - always
 
@@ -49,7 +49,7 @@
   get_users:
     min_uid: "{{ security_interactive_user_minimum_uid }}"
   register: interactive_user_list
-  check_mode: no
+  check_mode: false
   tags:
     - always
 
@@ -108,7 +108,7 @@
   file:
     path: "{{ temp_dir }}"
     state: absent
-  changed_when: False
+  changed_when: false
   when:
     - not check_mode | bool
   tags:

tasks/rhel7stig/misc.yml

@@ -17,8 +17,8 @@
   command: systemctl status autofs # noqa: command-instead-of-module
   register: autofs_check
   failed_when: autofs_check.rc not in [0,3,4]
-  changed_when: False
+  changed_when: false
-  check_mode: no
+  check_mode: false
   tags:
     - always
 
@@ -26,7 +26,7 @@
   service:
     name: autofs
     state: stopped
-    enabled: no
+    enabled: false
   when:
     - autofs_check.rc not in [3,4]
     - security_rhel7_disable_autofs | bool
@@ -41,7 +41,7 @@
 - name: V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled
   systemd:
     name: ctrl-alt-del.target
-    enabled: no
+    enabled: false
   when:
     - security_rhel7_disable_ctrl_alt_delete | bool
   tags:
@@ -52,8 +52,8 @@
 - name: V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled
   systemd:
     name: ctrl-alt-del.target
-    masked: yes
+    masked: true
-    daemon_reload: yes
+    daemon_reload: true
   when:
     - security_rhel7_disable_ctrl_alt_delete | bool
   tags:
@@ -112,9 +112,9 @@
 - name: Check if syslog output is being sent to another server
   command: 'grep "^[^#].*@" /etc/rsyslog.conf'
   register: rsyslog_transmit_check
-  changed_when: False
+  changed_when: false
-  failed_when: False
+  failed_when: false
-  check_mode: no
+  check_mode: false
   tags:
     - always
 
@@ -133,7 +133,7 @@
   stat:
     path: /usr/bin/clamdscan
   register: clamav_install_check
-  changed_when: False
+  changed_when: false
   tags:
     - always
 
@@ -160,7 +160,7 @@
     dest: /etc/clamd.d/scan.conf
     regexp: "^(#)?LocalSocket (.*)$"
     line: "LocalSocket {{ clamav_service_details['socket_path'] }}"
-    backrefs: yes
+    backrefs: true
   when:
     - clamav_install_check.stat.exists
     - security_enable_virus_scanner | bool
@@ -205,15 +205,15 @@
 - name: Check if ClamAV update process is already running
   shell: "set -o pipefail; ps -ef | egrep [f]reshclam -q"
   register: freshclam_proc
-  changed_when: False
+  changed_when: false
-  failed_when: False
+  failed_when: false
-  check_mode: no
+  check_mode: false
   tags:
     - always
 
 - name: Update ClamAV database
   command: freshclam
-  changed_when: False
+  changed_when: false
   when:
     - freshclam_proc.rc != 0
     - clamav_install_check.stat.exists
@@ -229,7 +229,7 @@
   service:
     name: "{{ clamav_service }}"
     state: started
-    enabled: yes
+    enabled: true
   when:
     - clamav_install_check.stat.exists
     - security_enable_virus_scanner | bool
@@ -273,7 +273,7 @@
   service:
     name: "{{ chrony_service }}"
     state: started
-    enabled: yes
+    enabled: true
   when:
     - not check_mode
     - security_rhel7_enable_chrony | bool
@@ -309,8 +309,8 @@
   command: systemctl status firewalld # noqa: command-instead-of-module
   register: firewalld_status_check
   failed_when: firewalld_status_check.rc not in [0,3,4]
-  changed_when: False
+  changed_when: false
-  check_mode: no
+  check_mode: false
   tags:
     - always
 
@@ -318,7 +318,7 @@
   service:
     name: firewalld
     state: started
-    enabled: yes
+    enabled: true
   when:
     - firewalld_status_check.rc not in [3,4]
     - security_enable_firewalld | bool
@@ -346,9 +346,9 @@
 - name: Count nameserver entries in /etc/resolv.conf
   command: grep ^nameserver /etc/resolv.conf
   register: nameserver_check
-  check_mode: no
+  check_mode: false
-  changed_when: False
+  changed_when: false
-  failed_when: False
+  failed_when: false
   tags:
     - always
     - skip_ansible_lint
@@ -369,9 +369,9 @@
 - name: Check for interfaces in promiscuous mode
   shell: "set -o pipefail; ip link | grep -i promisc"
   register: promiscuous_interface_check
-  changed_when: False
+  changed_when: false
-  failed_when: False
+  failed_when: false
-  check_mode: no
+  check_mode: false
   tags:
     - always
 
@@ -397,8 +397,8 @@
 - name: V-72297 - Prevent unrestricted mail relaying
   lineinfile:
     dest: /etc/postfix/main.cf
-    regexp: '^smtpd_client_restrictions'
+    regexp: "^smtpd_client_restrictions"
-    line: 'smtpd_client_restrictions = permit_mynetworks, reject'
+    line: "smtpd_client_restrictions = permit_mynetworks, reject"
   when:
     - postfix_conf_check.stat.exists
     - security_rhel7_restrict_mail_relaying | bool
@@ -411,16 +411,16 @@
   stat:
     path: /etc/xinetd.d/tftp
   register: tftp_config_check
-  check_mode: no
+  check_mode: false
   tags:
     - always
 
 - name: Check TFTP configuration mode
-  command: 'grep server_args /etc/xinetd.d/tftp'
+  command: "grep server_args /etc/xinetd.d/tftp"
   register: tftp_secure_check
-  changed_when: False
+  changed_when: false
-  failed_when: False
+  failed_when: false
-  check_mode: no
+  check_mode: false
   when:
     - tftp_config_check.stat.exists
   tags:
@@ -440,9 +440,9 @@
 - name: Check to see if snmpd config contains public/private
   command: 'egrep "^[^#].*(public|private)" /etc/snmp/snmpd.conf'
   register: snmp_public_private_check
-  changed_when: False
+  changed_when: false
-  failed_when: False
+  failed_when: false
-  check_mode: no
+  check_mode: false
   tags:
     - always
 

tasks/rhel7stig/rpm.yml

@@ -16,8 +16,8 @@
 - name: Ensure RPM verification task has finished
   async_status:
     jid: "{{ rpmverify_task.ansible_job_id }}"
-  failed_when: False
+  failed_when: false
-  changed_when: False
+  changed_when: false
   register: job_result
   until: job_result.finished
   retries: 360
@@ -32,7 +32,7 @@
 - name: V-71855 - Get files with invalid checksums (rpm)
   shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe
   register: invalid_checksum_files
-  changed_when: False
+  changed_when: false
   when:
     - security_check_package_checksums | bool
     - not check_mode | bool

tasks/rhel7stig/sshd.yml

@@ -30,8 +30,8 @@
   lineinfile:
     path: /etc/ssh/sshd_config
     state: absent
-    regexp: '^{{ item.name }}\s+(?!{{ item.value }})'
+    regexp: "^{{ item.name }}\\s+(?!{{ item.value }})"
-    validate: '/usr/sbin/sshd -T -f %s'
+    validate: "/usr/sbin/sshd -T -f %s"
   with_items: "{{ sshd_settings_rhel7 | selectattr('enabled') }}"
   notify:
     - Restart ssh
@@ -64,7 +64,7 @@
     state: present
     marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
     insertbefore: "BOF"
-    validate: '/usr/sbin/sshd -T -f %s'
+    validate: "/usr/sbin/sshd -T -f %s"
     block: |-
       {% set options = sshd_settings_rhel7 | selectattr('enabled') %}
       {% for option in options %}
@@ -99,7 +99,7 @@
 - name: Ensure sshd is enabled at boot time
   service:
     name: "{{ ssh_service }}"
-    enabled: yes
+    enabled: true
   when:
     - security_enable_sshd | bool
   tags:
@@ -113,7 +113,7 @@
   # The shell command will always report 'changed' so we need to
   # ignore that since this role is supposed to be idempotent.
   changed_when: false
-  check_mode: no
+  check_mode: false
   tags:
     - always
 
@@ -134,7 +134,7 @@
   # The shell command will always report 'changed' so we need to
   # ignore that since this role is supposed to be idempotent
   changed_when: false
-  check_mode: no
+  check_mode: false
   tags:
     - always
 
@@ -152,6 +152,6 @@
 - name: Manage motd in pam.d
   replace:
     path: /etc/pam.d/sshd
-    regexp: '^(#\s)?(session\s*optional\s*pam_motd.so.*)$'
+    regexp: "^(#\\s)?(session\\s*optional\\s*pam_motd.so.*)$"
     replace: '{{ (security_sshd_dynamic_banner_disable | bool) | ternary("# \2", "\2") }}'
   when: security_sshd_dynamic_banner_disable | bool

tasks/rhel7stig/yum.yml

@@ -19,7 +19,7 @@
 - name: Check if /etc/yum/yum-cron.conf exists
   stat:
     path: /etc/yum/yum-cron.conf
-  check_mode: no
+  check_mode: false
   register: yum_cron_config_check
   when:
     - ansible_facts['os_family'] | lower == 'redhat'

tasks/rhel7stig/zypper.yml

@@ -17,8 +17,8 @@
 - name: Ensure RPM verification task has finished
   async_status:
     jid: "{{ rpmverify_task.ansible_job_id }}"
-  failed_when: False
+  failed_when: false
-  changed_when: False
+  changed_when: false
   register: job_result
   until: job_result.finished
   retries: 360
@@ -33,7 +33,7 @@
 - name: V-71855 - Get files with invalid checksums (rpm)
   shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe
   register: invalid_checksum_files
-  changed_when: False
+  changed_when: false
   when:
     - security_check_package_checksums | bool
     - not check_mode | bool
@@ -70,7 +70,7 @@
 - name: V-71977 - Require digital signatures for all packages and repositories
   lineinfile:
     dest: "{{ item }}"
-    regexp: '^(#)?\s*gpgcheck'
+    regexp: "^(#)?\\s*gpgcheck"
     line: "gpgcheck=1"
     state: present
   with_items:
@@ -86,8 +86,8 @@
 - name: V-71987 - Clean requirements/dependencies when removing packages (SUSE)
   lineinfile:
     dest: "{{ pkg_mgr_config }}"
-    regexp: '^(#)?\s*solver\.cleandepsOnRemove'
+    regexp: "^(#)?\\s*solver\\.cleandepsOnRemove"
-    line: 'solver.cleandepsOnRemove = true'
+    line: "solver.cleandepsOnRemove = true"
     state: present
   when:
     - security_package_clean_on_remove | bool

vars/debian.yml

@@ -60,7 +60,7 @@ stig_packages_rhel7:
       - openssh-server
       - screen
     state: "{{ security_package_state }}"
-    enabled: True
+    enabled: true
   - packages:
       - aide
       - aide-common

vars/main.yml

@@ -61,158 +61,158 @@ auditd_config:
 audited_commands:
   - command: chsh
     stig_id: V-72167
-    arch_specific: no
+    arch_specific: false
   - command: chage
     stig_id: V-72155
-    arch_specific: no
+    arch_specific: false
   - command: chcon
     stig_id: V-72139
-    arch_specific: no
+    arch_specific: false
   - command: chmod
     stig_id: V-72105
-    arch_specific: yes
+    arch_specific: true
   - command: chown
     stig_id: V-72097
-    arch_specific: yes
+    arch_specific: true
   - command: creat
     stig_id: V-72123
-    arch_specific: yes
+    arch_specific: true
   - command: crontab
     stig_id: V-72183
-    arch_specific: no
+    arch_specific: false
   - command: delete_module
     stig_id: V-72189
-    arch_specific: yes
+    arch_specific: true
   - command: fchmod
     stig_id: V-72107
-    arch_specific: yes
+    arch_specific: true
   - command: fchmodat
     stig_id: V-72109
-    arch_specific: yes
+    arch_specific: true
   - command: fchown
     stig_id: V-72099
-    arch_specific: yes
+    arch_specific: true
   - command: fchownat
     stig_id: V-72103
-    arch_specific: yes
+    arch_specific: true
   - command: fremovexattr
     stig_id: V-72119
-    arch_specific: yes
+    arch_specific: true
   - command: fsetxattr
     stig_id: V-72113
-    arch_specific: yes
+    arch_specific: true
   - command: ftruncate
     stig_id: V-72133
-    arch_specific: yes
+    arch_specific: true
   - command: init_module
     stig_id: V-72187
-    arch_specific: yes
+    arch_specific: true
   - command: gpasswd
     stig_id: V-72153
-    arch_specific: no
+    arch_specific: false
   - command: lchown
     stig_id: V-72101
-    arch_specific: yes
+    arch_specific: true
   - command: lremovexattr
     stig_id: V-72121
-    arch_specific: yes
+    arch_specific: true
   - command: lsetxattr
     stig_id: V-72115
-    arch_specific: yes
+    arch_specific: true
   - command: mount
     path: /bin
     stig_id: V-72171
-    arch_specific: no
+    arch_specific: false
   - command: newgrp
     stig_id: V-72165
-    arch_specific: no
+    arch_specific: false
   - command: open
     stig_id: V-72125
-    arch_specific: yes
+    arch_specific: true
   - command: openat
     stig_id: V-72127
-    arch_specific: yes
+    arch_specific: true
   - command: open_by_handle_at
     stig_id: V-72129
-    arch_specific: yes
+    arch_specific: true
   - command: pam_timestamp_check
     path: /sbin
     stig_id: V-72185
-    arch_specific: no
+    arch_specific: false
   - command: passwd
     stig_id: V-72149
-    arch_specific: no
+    arch_specific: false
   - command: postdrop
     path: /usr/sbin
     stig_id: V-72175
-    arch_specific: no
+    arch_specific: false
   - command: postqueue
     path: /usr/sbin
     stig_id: V-72177
-    arch_specific: no
+    arch_specific: false
   - command: removexattr
     stig_id: V-72117
-    arch_specific: yes
+    arch_specific: true
   - command: rename
     stig_id: V-72199
-    arch_specific: yes
+    arch_specific: true
   - command: renameat
     stig_id: V-72201
-    arch_specific: yes
+    arch_specific: true
   - command: restorecon
     path: /usr/sbin
     stig_id: V-72141
-    arch_specific: no
+    arch_specific: false
   - command: rmdir
     stig_id: V-72203
-    arch_specific: yes
+    arch_specific: true
   - command: semanage
     path: /usr/sbin
     stig_id: V-72135
-    arch_specific: no
+    arch_specific: false
   - command: setsebool
     path: /usr/sbin
     stig_id: V-72137
-    arch_specific: no
+    arch_specific: false
   - command: setxattr
     stig_id: V-72111
-    arch_specific: yes
+    arch_specific: true
   - command: ssh-keysign
     path: "{{ ssh_keysign_path }}"
     stig_id: V-72179
-    arch_specific: no
+    arch_specific: false
   - command: su
     path: /bin
     stig_id: V-72159
-    arch_specific: no
+    arch_specific: false
   - command: sudo
     stig_id: V-72161
-    arch_specific: no
+    arch_specific: false
   - command: sudoedit
     path: /bin
     stig_id: V-72169
-    arch_specific: no
+    arch_specific: false
   - command: truncate
     stig_id: V-72131
-    arch_specific: yes
+    arch_specific: true
   - command: umount
     path: /bin
     stig_id: V-72173
-    arch_specific: no
+    arch_specific: false
   - command: unix_chkpwd
     path: /sbin
     stig_id: V-72151
-    arch_specific: no
+    arch_specific: false
   - command: unlink
     stig_id: V-72205
-    arch_specific: yes
+    arch_specific: true
   - command: unlinkat
     stig_id: V-72207
-    arch_specific: yes
+    arch_specific: true
   - command: userhelper
     path: /usr/sbin
     stig_id: V-72157
-    arch_specific: no
+    arch_specific: false
 
 ## Password quality settings
 # This variable is used in main/rhel7stig/auth.yml to set password quality
@@ -368,15 +368,15 @@ sshd_settings_rhel7:
     stig_id: V-71959
   - name: Ciphers
     value: "{{ security_sshd_cipher_list }}"
-    enabled: True
+    enabled: true
     stig_id: V-72221
   - name: ClientAliveInterval
     value: "{{ security_sshd_client_alive_interval }}"
-    enabled: True
+    enabled: true
     stig_id: V-72237
   - name: ClientAliveCountMax
     value: "{{ security_sshd_client_alive_count_max }}"
-    enabled: True
+    enabled: true
     stig_id: V-72241
   - name: PrintLastLog
     value: "yes"
@@ -388,7 +388,7 @@ sshd_settings_rhel7:
       {% if security_sshd_permit_root_login | string in ['False', 'True'] %}
       {{ (security_sshd_permit_root_login | bool) | ternary('yes', 'no') }}{% else %}
       {{ security_sshd_permit_root_login }}{% endif %}
-    enabled: True
+    enabled: true
     stig_id: V-72247
   - name: IgnoreUserKnownHosts
     value: "yes"
@@ -404,11 +404,11 @@ sshd_settings_rhel7:
     stig_id: V-72303
   - name: Protocol
     value: "{{ security_sshd_protocol }}"
-    enabled: yes
+    enabled: true
     stig_id: V-72251
   - name: MACs
     value: "{{ security_sshd_allowed_macs }}"
-    enabled: yes
+    enabled: true
     stig_id: V-72253
   - name: UsePrivilegeSeparation
     value: sandbox
@@ -416,7 +416,7 @@ sshd_settings_rhel7:
     stig_id: V-72265
   - name: Compression
     value: "{{ security_sshd_compression }}"
-    enabled: yes
+    enabled: true
     stig_id: V-72267
   - name: KerberosAuthentication
     value: "no"

vars/redhat-7.yml

@@ -38,7 +38,7 @@ pkg_mgr_config: "{{ (ansible_facts['pkg_mgr'] == 'yum') | ternary('/etc/yum.conf
 cron_service: crond
 ssh_service: sshd
 chrony_service: chronyd
-clamav_service: 'clamd@scan'
+clamav_service: "clamd@scan"
 
 # Clamav paparms
 clamav_service_details:
@@ -65,7 +65,7 @@ stig_packages_rhel7:
       - openssh-server
       - screen
     state: "{{ security_package_state }}"
-    enabled: True
+    enabled: true
   - packages:
       - aide
     state: "{{ security_package_state }}"

vars/redhat-8.yml

@@ -38,7 +38,7 @@ pkg_mgr_config: /etc/dnf/dnf.conf
 cron_service: crond
 ssh_service: sshd
 chrony_service: chronyd
-clamav_service: 'clamd@scan'
+clamav_service: "clamd@scan"
 
 # Clamav paparms
 clamav_service_details:
@@ -64,7 +64,7 @@ stig_packages_rhel7:
       - openssh-clients
       - openssh-server
     state: "{{ security_package_state }}"
-    enabled: True
+    enabled: true
   - packages:
       - aide
     state: "{{ security_package_state }}"

vars/redhat-9.yml

@@ -38,7 +38,7 @@ pkg_mgr_config: /etc/dnf/dnf.conf
 cron_service: crond
 ssh_service: sshd
 chrony_service: chronyd
-clamav_service: 'clamd@scan'
+clamav_service: "clamd@scan"
 
 # Clamav paparms
 clamav_service_details:
@@ -64,7 +64,7 @@ stig_packages_rhel7:
       - openssh-clients
       - openssh-server
     state: "{{ security_package_state }}"
-    enabled: True
+    enabled: true
   - packages:
       - aide
     state: "{{ security_package_state }}"

vars/suse.yml

@@ -41,7 +41,7 @@ pkg_mgr_config: /etc/zypp/zypp.conf
 cron_service: crond
 ssh_service: sshd
 chrony_service: chronyd
-clamav_service: 'clamd'
+clamav_service: "clamd"
 
 # Commands
 grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
@@ -59,7 +59,7 @@ stig_packages_rhel7:
       - openssh
       - screen
     state: "{{ security_package_state }}"
-    enabled: True
+    enabled: true
   - packages:
       - aide
     state: "{{ security_package_state }}"

zuul.d/project.yaml

@@ -1,3 +1,4 @@
+---
 # Copyright 2017, Rackspace US, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");