ansible-collection-hardening/molecule/os_hardening/converge.yml

---
- name: wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing
  hosts: all
  become: true
  environment:
    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
  collections:
    - devsec.hardening
  tasks:
    - name: workaround for https://github.com/ansible/ansible/issues/66304
      set_fact:
        ansible_virtualization_type: "docker"
    - include_role:
        name: os_hardening
  vars:
    os_security_users_allow: change_user
    os_security_kernel_enable_core_dump: false
    os_auditd_num_logs: 10
    os_security_suid_sgid_remove_from_unknown: true
    os_auth_pam_passwdqc_enable: false
    os_auth_lockout_time: 15
    os_desktop_enable: true
    os_env_extra_user_paths: ['/home']
    os_auth_allow_homeless: true
    os_security_suid_sgid_blacklist: ['/bin/umount']
    os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
    os_filesystem_whitelist: []
    os_yum_repo_file_whitelist: ['foo.repo']
    os_users_without_password_ageing: ['pw_no_ageing']
    os_auth_pw_warn_age: 7
    os_netrc_enabled: false
    os_ignore_users: ["shell_sys_acc"]
    os_ignore_home_folder_users: ["user_with_777_home"]
    sysctl_config:
      net.ipv4.ip_forward: 0
      net.ipv6.conf.all.forwarding: 0
      net.ipv6.conf.all.accept_ra: 0
      net.ipv6.conf.default.accept_ra: 0
      net.ipv4.conf.all.rp_filter: 1
      net.ipv4.conf.default.rp_filter: 1
      net.ipv4.icmp_echo_ignore_broadcasts: 1
      net.ipv4.icmp_ignore_bogus_error_responses: 1
      net.ipv4.icmp_ratelimit: 100
      net.ipv4.icmp_ratemask: 88089
      net.ipv4.conf.all.arp_ignore: 1
      net.ipv4.conf.all.arp_announce: 2
      net.ipv4.conf.all.shared_media: 1
      net.ipv4.conf.default.shared_media: 1
      net.ipv4.conf.all.accept_source_route: 0
      net.ipv4.conf.default.accept_source_route: 0
      net.ipv4.conf.default.accept_redirects: 0
      net.ipv4.conf.all.accept_redirects: 0
      net.ipv4.conf.all.secure_redirects: 0
      net.ipv4.conf.default.secure_redirects: 0
      net.ipv6.conf.default.accept_redirects: 0
      net.ipv6.conf.all.accept_redirects: 0
      net.ipv4.conf.all.send_redirects: 0
      net.ipv4.conf.default.send_redirects: 0
      net.ipv4.conf.all.log_martians: 1
      net.ipv6.conf.default.router_solicitations: 0
      net.ipv6.conf.default.accept_ra_rtr_pref: 0
      net.ipv6.conf.default.accept_ra_pinfo: 0
      net.ipv6.conf.default.accept_ra_defrtr: 0
      net.ipv6.conf.default.conf: 0
      net.ipv6.conf.default.dad_transmits: 0
      net.ipv6.conf.default.max_addresses: 1
      kernel.sysrq: 0
      fs.suid_dumpable: 0
      kernel.randomize_va_space: 2

# - name: wrapper playbook for kitchen testing "ansible-os-hardening"
#  hosts: all
#  become: true
#  collections:
#    - devsec.hardening
#  vars:
#    os_auditd_enabled: false
#  tasks:
#    - name: set ansible_python_interpreter to "/usr/bin/python3" on fedora
#      set_fact:
#        ansible_python_interpreter: "/usr/bin/python3"
#      when: ansible_facts.distribution == 'Fedora'
#
#    - name: Run the equivalent of "apt-get update" as a separate step
#      apt:
#        update_cache: yes
#      when: ansible_facts.os_family == 'Debian'
#
#    - include_role:
#        name: os_hardening
change symlink testing 2018-07-31 19:19:03 +00:00			`---`
			`- name: wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing`
move to collections 2020-11-07 20:19:43 +00:00			`hosts: all`
			`become: true`
add support for using a proxy to test with molecule Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> 2021-03-19 14:45:06 +00:00			`environment:`
			`http_proxy: "{{ lookup('env', 'http_proxy') \| default(omit) }}"`
			`https_proxy: "{{ lookup('env', 'https_proxy') \| default(omit) }}"`
			`no_proxy: "{{ lookup('env', 'no_proxy') \| default(omit) }}"`
move to collections 2020-11-07 20:19:43 +00:00			`collections:`
			`- devsec.hardening`
			`tasks:`
			`- name: workaround for https://github.com/ansible/ansible/issues/66304`
Fedora - Use new auto ansible_python_interpreter for dnf (#239) * Fedora - Use new ansible_python_interpreter for dnf Signed-off-by: Jared Ledvina <jared@techsmix.net> 2019-10-25 21:13:17 +00:00			`set_fact:`
move to collections 2020-11-07 20:19:43 +00:00			`ansible_virtualization_type: "docker"`
			`- include_role:`
			`name: os_hardening`
change symlink testing 2018-07-31 19:19:03 +00:00			`vars:`
			`os_security_users_allow: change_user`
Feature coredump (#513) * restructure limits-tasks * disable coredumps in tests * use notify-task for systemd-reload Signed-off-by: rndmh3ro <github@gumpri.ch> * add notify to another task Signed-off-by: rndmh3ro <github@gumpri.ch> * rm obsolete task and rename handler Signed-off-by: rndmh3ro <github@gumpri.ch> 2021-12-10 21:10:14 +00:00			`os_security_kernel_enable_core_dump: false`
add diff to molecule Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> 2023-01-19 12:42:10 +00:00			`os_auditd_num_logs: 10`
change symlink testing 2018-07-31 19:19:03 +00:00			`os_security_suid_sgid_remove_from_unknown: true`
			`os_auth_pam_passwdqc_enable: false`
add testcases for PAM Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> 2021-02-22 14:42:13 +00:00			`os_auth_lockout_time: 15`
change symlink testing 2018-07-31 19:19:03 +00:00			`os_desktop_enable: true`
			`os_env_extra_user_paths: ['/home']`
			`os_auth_allow_homeless: true`
			`os_security_suid_sgid_blacklist: ['/bin/umount']`
			`os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']`
Update modprobe to 0644 Signed-off-by: Joshua Talbot <info@jtalb.com> 2019-01-29 18:58:05 +00:00			`os_filesystem_whitelist: []`
Add whitelist option for yum repository files (#487) Files in this whitelist should not be altered. Currently this is only relevant for enforcing the gpg check. Signed-off-by: René Scheibe <rene.scheibe@gmail.com> 2021-11-07 10:56:59 +00:00			`os_yum_repo_file_whitelist: ['foo.repo']`
apply password age settings to exisiting regular users (#582) * apply password age settings to regular users * add tests for password ageing Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add debugging vars Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add tests for password ageing Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add tests for password ageing Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * Apply suggestions from code review Co-authored-by: schurzi <github@drachen-server.de> * add additional condtion for regular users Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Co-authored-by: DonEstefan <donestefan@users.noreply.github.com> Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com> Co-authored-by: schurzi <github@drachen-server.de> 2023-01-23 09:50:05 +00:00			`os_users_without_password_ageing: ['pw_no_ageing']`
os_hardening: Add test for setting password warning days via variable os_auth_pw_warn_age Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de> 2023-02-01 15:19:18 +00:00			`os_auth_pw_warn_age: 7`
add option to bypass .netrc check function (#563) add option to whitelist specific user that need a .netrc file in there home dirs add test for .netrc files if option os_netrc_enabled is false Signed-off-by: Philipp Funk <philipp.funk@t-systems.com> Signed-off-by: Philipp Funk <philipp.funk@t-systems.com> Co-authored-by: Philipp Funk <philipp.funk@t-systems.com> 2022-08-17 07:09:00 +00:00			`os_netrc_enabled: false`
Rewrite system account detection and hardening and create tests (#621) * rewrite system account detection and hardening * resolve failures created when resolving merge conflicts Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add tests for shell removal tasks Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * Update molecule/os_hardening/prepare.yml Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * split tasks for locking and setting shell Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * fix some more linting Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> Co-authored-by: donestefan <donestefan@users.noreply.github.com> Co-authored-by: schurzi <Martin.Schurz@t-systems.com> 2023-01-27 10:01:03 +00:00			`os_ignore_users: ["shell_sys_acc"]`
rewrite user home dir hardening (#584) * rewrite user home dir hardening * delete duplicate var that was missed in a merge conflict Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * linting Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add tests for home rewrites Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * Apply suggestions from code review Co-authored-by: schurzi <github@drachen-server.de> --------- Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Co-authored-by: donestefan <donestefan@users.noreply.github.com> Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com> Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Co-authored-by: schurzi <github@drachen-server.de> 2023-01-28 20:59:19 +00:00			`os_ignore_home_folder_users: ["user_with_777_home"]`
change symlink testing 2018-07-31 19:19:03 +00:00			`sysctl_config:`
			`net.ipv4.ip_forward: 0`
			`net.ipv6.conf.all.forwarding: 0`
			`net.ipv6.conf.all.accept_ra: 0`
			`net.ipv6.conf.default.accept_ra: 0`
			`net.ipv4.conf.all.rp_filter: 1`
			`net.ipv4.conf.default.rp_filter: 1`
			`net.ipv4.icmp_echo_ignore_broadcasts: 1`
			`net.ipv4.icmp_ignore_bogus_error_responses: 1`
			`net.ipv4.icmp_ratelimit: 100`
			`net.ipv4.icmp_ratemask: 88089`
			`net.ipv4.conf.all.arp_ignore: 1`
			`net.ipv4.conf.all.arp_announce: 2`
			`net.ipv4.conf.all.shared_media: 1`
			`net.ipv4.conf.default.shared_media: 1`
			`net.ipv4.conf.all.accept_source_route: 0`
			`net.ipv4.conf.default.accept_source_route: 0`
			`net.ipv4.conf.default.accept_redirects: 0`
			`net.ipv4.conf.all.accept_redirects: 0`
			`net.ipv4.conf.all.secure_redirects: 0`
			`net.ipv4.conf.default.secure_redirects: 0`
			`net.ipv6.conf.default.accept_redirects: 0`
			`net.ipv6.conf.all.accept_redirects: 0`
			`net.ipv4.conf.all.send_redirects: 0`
			`net.ipv4.conf.default.send_redirects: 0`
			`net.ipv4.conf.all.log_martians: 1`
			`net.ipv6.conf.default.router_solicitations: 0`
			`net.ipv6.conf.default.accept_ra_rtr_pref: 0`
			`net.ipv6.conf.default.accept_ra_pinfo: 0`
			`net.ipv6.conf.default.accept_ra_defrtr: 0`
Fedora - Use new auto ansible_python_interpreter for dnf (#239) * Fedora - Use new ansible_python_interpreter for dnf Signed-off-by: Jared Ledvina <jared@techsmix.net> 2019-10-25 21:13:17 +00:00			`net.ipv6.conf.default.conf: 0`
change symlink testing 2018-07-31 19:19:03 +00:00			`net.ipv6.conf.default.dad_transmits: 0`
			`net.ipv6.conf.default.max_addresses: 1`
			`kernel.sysrq: 0`
			`fs.suid_dumpable: 0`
			`kernel.randomize_va_space: 2`

move to collections 2020-11-07 20:19:43 +00:00			`# - name: wrapper playbook for kitchen testing "ansible-os-hardening"`
			`# hosts: all`
			`# become: true`
			`# collections:`
			`# - devsec.hardening`
			`# vars:`
			`# os_auditd_enabled: false`
			`# tasks:`
			`# - name: set ansible_python_interpreter to "/usr/bin/python3" on fedora`
			`# set_fact:`
			`# ansible_python_interpreter: "/usr/bin/python3"`
			`# when: ansible_facts.distribution == 'Fedora'`
			`#`
			`# - name: Run the equivalent of "apt-get update" as a separate step`
			`# apt:`
			`# update_cache: yes`
			`# when: ansible_facts.os_family == 'Debian'`
			`#`
			`# - include_role:`
			`# name: os_hardening`