From 0ce08455efde73c4c1c6b2c16cd565b45c736537 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Wed, 5 May 2021 19:08:21 +0000 Subject: [PATCH] update changelog --- CHANGELOG.md | 461 ++++++++++++++++++++++++++------------------------- 1 file changed, 236 insertions(+), 225 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6848c656..74b1a901 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,18 +1,29 @@ # Changelog -## [7.6.1](https://github.com/dev-sec/ansible-collection-hardening/tree/7.6.1) (2021-04-28) +## [7.7.0](https://github.com/dev-sec/ansible-collection-hardening/tree/7.7.0) (2021-05-05) -[Full Changelog](https://github.com/dev-sec/ansible-collection-hardening/compare/7.6.0...7.6.1) +[Full Changelog](https://github.com/dev-sec/ansible-collection-hardening/compare/7.6.0...7.7.0) + +**Implemented enhancements:** + +- Add tasks for new controls [\#123](https://github.com/dev-sec/ansible-collection-hardening/issues/123) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[hacktoberfest](https://github.com/dev-sec/ansible-collection-hardening/labels/hacktoberfest)] [[help wanted](https://github.com/dev-sec/ansible-collection-hardening/labels/help%20wanted)] +- ssh\_allow\_tcp\_forwarding remote option added [\#447](https://github.com/dev-sec/ansible-collection-hardening/pull/447) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([alimli](https://github.com/alimli)) **Fixed bugs:** -- Check for MariaDB Version when selecting users without passwords [\#444](https://github.com/dev-sec/ansible-collection-hardening/pull/444) ([neubi4](https://github.com/neubi4)) -- Adds dependency on ansible.posix and community.general [\#415](https://github.com/dev-sec/ansible-collection-hardening/pull/415) ([irl](https://github.com/irl)) +- Check for MariaDB Version when selecting users without passwords [\#444](https://github.com/dev-sec/ansible-collection-hardening/pull/444) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/mysql_hardening)] 
[[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([neubi4](https://github.com/neubi4)) +- Adds dependency on ansible.posix and community.general [\#415](https://github.com/dev-sec/ansible-collection-hardening/pull/415) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([irl](https://github.com/irl)) **Closed issues:** - No dependency on ansible.posix collection [\#414](https://github.com/dev-sec/ansible-collection-hardening/issues/414) - No dependency on community.general [\#413](https://github.com/dev-sec/ansible-collection-hardening/issues/413) +- in lxc/docker/openvz IPv6 is always disabled by ufw-configuration [\#402](https://github.com/dev-sec/ansible-collection-hardening/issues/402) +- Allow login\_unix\_socket to be specified [\#327](https://github.com/dev-sec/ansible-collection-hardening/issues/327) + +**Merged pull requests:** + +- add back labels to changelog [\#446](https://github.com/dev-sec/ansible-collection-hardening/pull/446) ([rndmh3ro](https://github.com/rndmh3ro)) ## [7.6.0](https://github.com/dev-sec/ansible-collection-hardening/tree/7.6.0) (2021-04-27) 
@@ -20,11 +31,11 @@ **Implemented enhancements:** -- ssh: Client HostKeyAlgorithms configuration variable [\#442](https://github.com/dev-sec/ansible-collection-hardening/pull/442) ([sepek](https://github.com/sepek)) +- ssh: Client HostKeyAlgorithms configuration variable [\#442](https://github.com/dev-sec/ansible-collection-hardening/pull/442) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([sepek](https://github.com/sepek)) **Fixed bugs:** -- mysql USER and HOST should be quoted for drop query [\#443](https://github.com/dev-sec/ansible-collection-hardening/pull/443) ([neubi4](https://github.com/neubi4)) +- mysql USER and HOST should be quoted for drop query [\#443](https://github.com/dev-sec/ansible-collection-hardening/pull/443) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/mysql_hardening)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([neubi4](https://github.com/neubi4)) **Closed issues:** @@ -32,7 +43,7 @@ **Merged pull requests:** -- fixed a typo in comments [\#439](https://github.com/dev-sec/ansible-collection-hardening/pull/439) ([ssttehrani](https://github.com/ssttehrani)) +- fixed a typo in comments [\#439](https://github.com/dev-sec/ansible-collection-hardening/pull/439) [[documentation](https://github.com/dev-sec/ansible-collection-hardening/labels/documentation)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([ssttehrani](https://github.com/ssttehrani)) ## [7.5.0](https://github.com/dev-sec/ansible-collection-hardening/tree/7.5.0) (2021-04-01) 
@@ -40,12 +51,12 @@ **Implemented enhancements:** -- Not accepting source routing for IPv6. This was already done for IPv4. [\#424](https://github.com/dev-sec/ansible-collection-hardening/pull/424) ([joubbi](https://github.com/joubbi)) +- Not accepting source routing for IPv6. This was already done for IPv4. [\#424](https://github.com/dev-sec/ansible-collection-hardening/pull/424) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] ([joubbi](https://github.com/joubbi)) **Fixed bugs:** -- SSH kex sntrup4591761x25519-sha512@tinyssh.org replaced [\#433](https://github.com/dev-sec/ansible-collection-hardening/issues/433) -- Fix ssh kex sntrup761x25519-sha512@openssh.com for openssh \>= 8.5 [\#437](https://github.com/dev-sec/ansible-collection-hardening/pull/437) ([BenjaminBoehm](https://github.com/BenjaminBoehm)) +- SSH kex sntrup4591761x25519-sha512@tinyssh.org replaced [\#433](https://github.com/dev-sec/ansible-collection-hardening/issues/433) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- Fix ssh kex sntrup761x25519-sha512@openssh.com for openssh \>= 8.5 [\#437](https://github.com/dev-sec/ansible-collection-hardening/pull/437) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([BenjaminBoehm](https://github.com/BenjaminBoehm)) **Closed issues:** 
@@ -53,12 +64,12 @@ **Merged pull requests:** -- remove secure-auth param if mysql \>= 8.0.3 [\#438](https://github.com/dev-sec/ansible-collection-hardening/pull/438) ([rndmh3ro](https://github.com/rndmh3ro)) -- Improved comments. [\#436](https://github.com/dev-sec/ansible-collection-hardening/pull/436) ([joubbi](https://github.com/joubbi)) -- os\_auth\_pam\_pwquality\_options: Changed type to authtok\_type [\#432](https://github.com/dev-sec/ansible-collection-hardening/pull/432) ([joubbi](https://github.com/joubbi)) -- add restart-auditd handler after configuration change [\#427](https://github.com/dev-sec/ansible-collection-hardening/pull/427) ([rndmh3ro](https://github.com/rndmh3ro)) -- add new tasks to delete mysql users without passwords [\#423](https://github.com/dev-sec/ansible-collection-hardening/pull/423) ([rndmh3ro](https://github.com/rndmh3ro)) -- Uppercased first letter of task names. [\#422](https://github.com/dev-sec/ansible-collection-hardening/pull/422) ([joubbi](https://github.com/joubbi)) +- remove secure-auth param if mysql \>= 8.0.3 [\#438](https://github.com/dev-sec/ansible-collection-hardening/pull/438) [[mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/mysql_hardening)] [[nginx_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/nginx_hardening)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([rndmh3ro](https://github.com/rndmh3ro)) +- Improved comments. 
[\#436](https://github.com/dev-sec/ansible-collection-hardening/pull/436) [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] ([joubbi](https://github.com/joubbi)) +- os\_auth\_pam\_pwquality\_options: Changed type to authtok\_type [\#432](https://github.com/dev-sec/ansible-collection-hardening/pull/432) [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([joubbi](https://github.com/joubbi)) +- add restart-auditd handler after configuration change [\#427](https://github.com/dev-sec/ansible-collection-hardening/pull/427) [[mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/mysql_hardening)] [[nginx_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/nginx_hardening)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([rndmh3ro](https://github.com/rndmh3ro)) +- add new tasks to delete mysql users without passwords [\#423](https://github.com/dev-sec/ansible-collection-hardening/pull/423) [[mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/mysql_hardening)] [[nginx_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/nginx_hardening)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([rndmh3ro](https://github.com/rndmh3ro)) +- Uppercased first letter of task names. 
[\#422](https://github.com/dev-sec/ansible-collection-hardening/pull/422) [[mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/mysql_hardening)] [[nginx_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/nginx_hardening)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([joubbi](https://github.com/joubbi)) ## [7.4.0](https://github.com/dev-sec/ansible-collection-hardening/tree/7.4.0) (2021-03-23) @@ -66,7 +77,7 @@ **Implemented enhancements:** -- Harden user home dirs [\#428](https://github.com/dev-sec/ansible-collection-hardening/pull/428) ([rndmh3ro](https://github.com/rndmh3ro)) +- Harden user home dirs [\#428](https://github.com/dev-sec/ansible-collection-hardening/pull/428) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] ([rndmh3ro](https://github.com/rndmh3ro)) **Closed issues:** 
@@ -74,10 +85,10 @@ **Merged pull requests:** -- Use pam\_pwhistory.so instead of pam\_unix.so for remembering old passwords [\#431](https://github.com/dev-sec/ansible-collection-hardening/pull/431) ([joubbi](https://github.com/joubbi)) -- Remove comments from PAM config file, but keep it in the template [\#430](https://github.com/dev-sec/ansible-collection-hardening/pull/430) ([joubbi](https://github.com/joubbi)) -- add support for using a proxy to test with molecule [\#429](https://github.com/dev-sec/ansible-collection-hardening/pull/429) ([rndmh3ro](https://github.com/rndmh3ro)) -- Improve Documentation for sysctl defaults [\#418](https://github.com/dev-sec/ansible-collection-hardening/pull/418) ([joubbi](https://github.com/joubbi)) +- Use pam\_pwhistory.so instead of pam\_unix.so for remembering old passwords [\#431](https://github.com/dev-sec/ansible-collection-hardening/pull/431) [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] ([joubbi](https://github.com/joubbi)) +- Remove comments from PAM config file, but keep it in the template [\#430](https://github.com/dev-sec/ansible-collection-hardening/pull/430) [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([joubbi](https://github.com/joubbi)) +- add support for using a proxy to test with molecule [\#429](https://github.com/dev-sec/ansible-collection-hardening/pull/429) [[mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/mysql_hardening)] [[nginx_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/nginx_hardening)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] 
[[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([rndmh3ro](https://github.com/rndmh3ro)) +- Improve Documentation for sysctl defaults [\#418](https://github.com/dev-sec/ansible-collection-hardening/pull/418) [[documentation](https://github.com/dev-sec/ansible-collection-hardening/labels/documentation)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([joubbi](https://github.com/joubbi)) ## [7.3.0](https://github.com/dev-sec/ansible-collection-hardening/tree/7.3.0) (2021-03-16) 
@@ -85,16 +96,16 @@ **Implemented enhancements:** -- pam\_tally2 is deprecated in RHEL8 and pam\_faillock should be used in EL7 and EL8 instead. [\#377](https://github.com/dev-sec/ansible-collection-hardening/issues/377) -- Replace pam\_tally2 with pam\_faillock in Redhat [\#273](https://github.com/dev-sec/ansible-collection-hardening/issues/273) -- Extend GSSAPI configuration support to ssh\_config [\#403](https://github.com/dev-sec/ansible-collection-hardening/pull/403) ([wzzrd](https://github.com/wzzrd)) -- add restart handler variable for mysql role [\#399](https://github.com/dev-sec/ansible-collection-hardening/pull/399) ([rndmh3ro](https://github.com/rndmh3ro)) -- restructure PAM handling and update for currently supported Linux distributions [\#392](https://github.com/dev-sec/ansible-collection-hardening/pull/392) ([schurzi](https://github.com/schurzi)) +- pam\_tally2 is deprecated in RHEL8 and pam\_faillock should be used in EL7 and EL8 instead. [\#377](https://github.com/dev-sec/ansible-collection-hardening/issues/377) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] +- Replace pam\_tally2 with pam\_faillock in Redhat [\#273](https://github.com/dev-sec/ansible-collection-hardening/issues/273) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] +- Extend GSSAPI configuration support to ssh\_config [\#403](https://github.com/dev-sec/ansible-collection-hardening/pull/403) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([wzzrd](https://github.com/wzzrd)) +- add restart handler 
variable for mysql role [\#399](https://github.com/dev-sec/ansible-collection-hardening/pull/399) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/mysql_hardening)] ([rndmh3ro](https://github.com/rndmh3ro)) +- restructure PAM handling and update for currently supported Linux distributions [\#392](https://github.com/dev-sec/ansible-collection-hardening/pull/392) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] ([schurzi](https://github.com/schurzi)) **Fixed bugs:** -- Not able to use `sudo` command for user authenticated via ActiveDirectory [\#278](https://github.com/dev-sec/ansible-collection-hardening/issues/278) -- You shouldn't touch /etc/pam.d/system-auth-ac in RedHat/CentOS [\#252](https://github.com/dev-sec/ansible-collection-hardening/issues/252) +- Not able to use `sudo` command for user authenticated via ActiveDirectory [\#278](https://github.com/dev-sec/ansible-collection-hardening/issues/278) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] +- You shouldn't touch /etc/pam.d/system-auth-ac in RedHat/CentOS [\#252](https://github.com/dev-sec/ansible-collection-hardening/issues/252) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] **Closed issues:** 
@@ -102,17 +113,17 @@ - Unable to connect with SSH \(Permission denied \(publickey\)\) [\#411](https://github.com/dev-sec/ansible-collection-hardening/issues/411) - TASK \[os\_hardening : configure auditd | package-08\] [\#410](https://github.com/dev-sec/ansible-collection-hardening/issues/410) - Collection throws undefined ansible\_role\_name error in auditd task [\#409](https://github.com/dev-sec/ansible-collection-hardening/issues/409) -- Ensure permissions on /etc/crontab are configured [\#375](https://github.com/dev-sec/ansible-collection-hardening/issues/375) +- Ensure permissions on /etc/crontab are configured [\#375](https://github.com/dev-sec/ansible-collection-hardening/issues/375) [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] - Documentation should be updated [\#361](https://github.com/dev-sec/ansible-collection-hardening/issues/361) **Merged pull requests:** -- Improve Release Action [\#421](https://github.com/dev-sec/ansible-collection-hardening/pull/421) ([schurzi](https://github.com/schurzi)) -- remove FQCN from roles in examples [\#420](https://github.com/dev-sec/ansible-collection-hardening/pull/420) ([schurzi](https://github.com/schurzi)) -- Ensure permissions on /etc/crontab are configured [\#405](https://github.com/dev-sec/ansible-collection-hardening/pull/405) ([joubbi](https://github.com/joubbi)) -- remove FQCN from roles in examples [\#404](https://github.com/dev-sec/ansible-collection-hardening/pull/404) ([schurzi](https://github.com/schurzi)) -- do not install mysql python package on target host [\#401](https://github.com/dev-sec/ansible-collection-hardening/pull/401) ([rndmh3ro](https://github.com/rndmh3ro)) -- make wrong password fail task [\#400](https://github.com/dev-sec/ansible-collection-hardening/pull/400) ([rndmh3ro](https://github.com/rndmh3ro)) +- Improve Release Action 
[\#421](https://github.com/dev-sec/ansible-collection-hardening/pull/421) [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([schurzi](https://github.com/schurzi)) +- remove FQCN from roles in examples [\#420](https://github.com/dev-sec/ansible-collection-hardening/pull/420) [[mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/mysql_hardening)] [[nginx_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/nginx_hardening)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([schurzi](https://github.com/schurzi)) +- Ensure permissions on /etc/crontab are configured [\#405](https://github.com/dev-sec/ansible-collection-hardening/pull/405) [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] ([joubbi](https://github.com/joubbi)) +- remove FQCN from roles in examples [\#404](https://github.com/dev-sec/ansible-collection-hardening/pull/404) [[documentation](https://github.com/dev-sec/ansible-collection-hardening/labels/documentation)] [[mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/mysql_hardening)] [[nginx_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/nginx_hardening)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([schurzi](https://github.com/schurzi)) +- do not install mysql python package on target host [\#401](https://github.com/dev-sec/ansible-collection-hardening/pull/401) [[mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/mysql_hardening)] ([rndmh3ro](https://github.com/rndmh3ro)) +- make wrong 
password fail task [\#400](https://github.com/dev-sec/ansible-collection-hardening/pull/400) [[mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/mysql_hardening)] ([rndmh3ro](https://github.com/rndmh3ro)) ## [7.2.0](https://github.com/dev-sec/ansible-collection-hardening/tree/7.2.0) (2021-02-10) 
@@ -120,13 +131,13 @@ **Implemented enhancements:** -- Add variable to specify SSH host RSA key size [\#394](https://github.com/dev-sec/ansible-collection-hardening/pull/394) ([Normo](https://github.com/Normo)) -- Set default for ssh host key files only when hardening the server [\#393](https://github.com/dev-sec/ansible-collection-hardening/pull/393) ([Normo](https://github.com/Normo)) +- Add variable to specify SSH host RSA key size [\#394](https://github.com/dev-sec/ansible-collection-hardening/pull/394) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([Normo](https://github.com/Normo)) +- Set default for ssh host key files only when hardening the server [\#393](https://github.com/dev-sec/ansible-collection-hardening/pull/393) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([Normo](https://github.com/Normo)) **Fixed bugs:** -- A reason why instance would go in rescue mode ? [\#267](https://github.com/dev-sec/ansible-collection-hardening/issues/267) -- fix galaxy action to update local galaxy.yml [\#395](https://github.com/dev-sec/ansible-collection-hardening/pull/395) ([Normo](https://github.com/Normo)) +- A reason why instance would go in rescue mode ? 
[\#267](https://github.com/dev-sec/ansible-collection-hardening/issues/267) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- fix galaxy action to update local galaxy.yml [\#395](https://github.com/dev-sec/ansible-collection-hardening/pull/395) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([Normo](https://github.com/Normo)) **Closed issues:** @@ -137,7 +148,7 @@ **Merged pull requests:** -- update ansible-lint to version 5 [\#397](https://github.com/dev-sec/ansible-collection-hardening/pull/397) ([schurzi](https://github.com/schurzi)) +- update ansible-lint to version 5 [\#397](https://github.com/dev-sec/ansible-collection-hardening/pull/397) [[mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/mysql_hardening)] [[nginx_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/nginx_hardening)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([schurzi](https://github.com/schurzi)) - fix minimum required ansible version in docs [\#390](https://github.com/dev-sec/ansible-collection-hardening/pull/390) ([schurzi](https://github.com/schurzi)) ## [7.1.1](https://github.com/dev-sec/ansible-collection-hardening/tree/7.1.1) (2021-02-05) 
@@ -146,7 +157,7 @@ **Fixed bugs:** -- use fqcn for community.crypto.openssh\_keypair module [\#389](https://github.com/dev-sec/ansible-collection-hardening/pull/389) ([schurzi](https://github.com/schurzi)) +- use fqcn for community.crypto.openssh\_keypair module [\#389](https://github.com/dev-sec/ansible-collection-hardening/pull/389) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([schurzi](https://github.com/schurzi)) **Closed issues:** 
@@ -158,35 +169,35 @@ **Implemented enhancements:** -- Default value for ssh\_max\_startups should be changed [\#366](https://github.com/dev-sec/ansible-collection-hardening/issues/366) -- Comment in configuration files should state which collection was there [\#345](https://github.com/dev-sec/ansible-collection-hardening/issues/345) -- Error on applying the sysctl vars on Debian Jessy [\#230](https://github.com/dev-sec/ansible-collection-hardening/issues/230) -- add Support for OpenSSH HostCertificate config option [\#380](https://github.com/dev-sec/ansible-collection-hardening/pull/380) ([mpraeger](https://github.com/mpraeger)) -- Syncookie [\#372](https://github.com/dev-sec/ansible-collection-hardening/pull/372) ([joubbi](https://github.com/joubbi)) -- Sorted sysctl values and lists in READMEs alphabetically \(No functional changes\). [\#371](https://github.com/dev-sec/ansible-collection-hardening/pull/371) ([joubbi](https://github.com/joubbi)) -- make auditd 'max\_log\_file' configurable [\#370](https://github.com/dev-sec/ansible-collection-hardening/pull/370) ([tgueldner-mms](https://github.com/tgueldner-mms)) -- reduce maximum unauthenticated ssh sessions [\#368](https://github.com/dev-sec/ansible-collection-hardening/pull/368) ([schurzi](https://github.com/schurzi)) -- add a runtime.yml to declare minimum ansible version [\#363](https://github.com/dev-sec/ansible-collection-hardening/pull/363) ([rndmh3ro](https://github.com/rndmh3ro)) -- change inclusion of os specific defaults [\#353](https://github.com/dev-sec/ansible-collection-hardening/pull/353) ([schurzi](https://github.com/schurzi)) -- make the os\_env\_umask variable usable [\#351](https://github.com/dev-sec/ansible-collection-hardening/pull/351) ([sprat](https://github.com/sprat)) -- Fix \#348: make ssh configuration files paths configurable [\#350](https://github.com/dev-sec/ansible-collection-hardening/pull/350) ([sprat](https://github.com/sprat)) -- Removed Protocol statement in later versions of 
sshd, since the code … [\#342](https://github.com/dev-sec/ansible-collection-hardening/pull/342) ([joubbi](https://github.com/joubbi)) -- Improvements of comments in opensshd.conf.j2 \#338 [\#339](https://github.com/dev-sec/ansible-collection-hardening/pull/339) ([joubbi](https://github.com/joubbi)) +- Default value for ssh\_max\_startups should be changed [\#366](https://github.com/dev-sec/ansible-collection-hardening/issues/366) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] +- Comment in configuration files should state which collection was there [\#345](https://github.com/dev-sec/ansible-collection-hardening/issues/345) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] +- Error on applying the sysctl vars on Debian Jessy [\#230](https://github.com/dev-sec/ansible-collection-hardening/issues/230) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[hacktoberfest](https://github.com/dev-sec/ansible-collection-hardening/labels/hacktoberfest)] [[help wanted](https://github.com/dev-sec/ansible-collection-hardening/labels/help%20wanted)] +- add Support for OpenSSH HostCertificate config option [\#380](https://github.com/dev-sec/ansible-collection-hardening/pull/380) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([mpraeger](https://github.com/mpraeger)) +- Syncookie [\#372](https://github.com/dev-sec/ansible-collection-hardening/pull/372) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] 
[[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] ([joubbi](https://github.com/joubbi)) +- Sorted sysctl values and lists in READMEs alphabetically \(No functional changes\). [\#371](https://github.com/dev-sec/ansible-collection-hardening/pull/371) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] ([joubbi](https://github.com/joubbi)) +- make auditd 'max\_log\_file' configurable [\#370](https://github.com/dev-sec/ansible-collection-hardening/pull/370) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] ([tgueldner-mms](https://github.com/tgueldner-mms)) +- reduce maximum unauthenticated ssh sessions [\#368](https://github.com/dev-sec/ansible-collection-hardening/pull/368) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([schurzi](https://github.com/schurzi)) +- add a runtime.yml to declare minimum ansible version [\#363](https://github.com/dev-sec/ansible-collection-hardening/pull/363) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- change inclusion of os specific defaults [\#353](https://github.com/dev-sec/ansible-collection-hardening/pull/353) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] 
[[mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/mysql_hardening)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([schurzi](https://github.com/schurzi)) +- make the os\_env\_umask variable usable [\#351](https://github.com/dev-sec/ansible-collection-hardening/pull/351) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] ([sprat](https://github.com/sprat)) +- Fix \#348: make ssh configuration files paths configurable [\#350](https://github.com/dev-sec/ansible-collection-hardening/pull/350) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([sprat](https://github.com/sprat)) +- Removed Protocol statement in later versions of sshd, since the code … [\#342](https://github.com/dev-sec/ansible-collection-hardening/pull/342) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([joubbi](https://github.com/joubbi)) +- Improvements of comments in opensshd.conf.j2 \#338 [\#339](https://github.com/dev-sec/ansible-collection-hardening/pull/339) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([joubbi](https://github.com/joubbi)) 
**Fixed bugs:** -- Comments in opensshd.conf.j2 should be improved [\#338](https://github.com/dev-sec/ansible-collection-hardening/issues/338) -- check for correct cpu vendor in initramfs-tools [\#374](https://github.com/dev-sec/ansible-collection-hardening/pull/374) ([schurzi](https://github.com/schurzi)) -- set hidepid=0 on RHEL/CentOS 7 [\#369](https://github.com/dev-sec/ansible-collection-hardening/pull/369) ([schurzi](https://github.com/schurzi)) +- Comments in opensshd.conf.j2 should be improved [\#338](https://github.com/dev-sec/ansible-collection-hardening/issues/338) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- check for correct cpu vendor in initramfs-tools [\#374](https://github.com/dev-sec/ansible-collection-hardening/pull/374) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([schurzi](https://github.com/schurzi)) +- set hidepid=0 on RHEL/CentOS 7 [\#369](https://github.com/dev-sec/ansible-collection-hardening/pull/369) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([schurzi](https://github.com/schurzi)) **Closed issues:** - initramfs-tools modules.j2 does not seem to be able to detect AMD CPUs [\#373](https://github.com/dev-sec/ansible-collection-hardening/issues/373) - How do i install this on Centos 8? 
[\#367](https://github.com/dev-sec/ansible-collection-hardening/issues/367) -- hidepid=2 gives error when running systemctl on EL7 [\#364](https://github.com/dev-sec/ansible-collection-hardening/issues/364) +- hidepid=2 gives error when running systemctl on EL7 [\#364](https://github.com/dev-sec/ansible-collection-hardening/issues/364) [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] - Allow putting the ssh/sshd config in alternative files [\#348](https://github.com/dev-sec/ansible-collection-hardening/issues/348) - os\_env\_umask has no effect [\#344](https://github.com/dev-sec/ansible-collection-hardening/issues/344) -- Don't modify /etc/sysctl.conf [\#343](https://github.com/dev-sec/ansible-collection-hardening/issues/343) +- Don't modify /etc/sysctl.conf [\#343](https://github.com/dev-sec/ansible-collection-hardening/issues/343) [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] **Merged pull requests:** 
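Review bot: in the "Fixed bugs" list of this hunk, issue \#338 ("Comments in opensshd.conf.j2 should be improved") now carries [[bug]], while PR \#339, whose title references \#338, is listed under the enhancements with [[enhancement]] [[patch]] [[ssh_hardening]]. The same comment change is therefore reported in two sections with conflicting classifications. Align the labels on \#338 and \#339 upstream before regenerating, so that someone auditing which hardening defaults changed (for example ssh\_max\_startups in \#366/\#368 or hidepid in \#369) is not misled by a documentation change filed as a bug fix. Separately, the triage labels [[hacktoberfest]] and [[help wanted]] on \#230 describe issue workflow rather than the change; consider rendering only the role labels (ssh_hardening, os_hardening, mysql_hardening) and the minor/patch labels.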
@@ -194,11 +205,11 @@ - make release workflow manually runnable [\#384](https://github.com/dev-sec/ansible-collection-hardening/pull/384) ([schurzi](https://github.com/schurzi)) - run labeler workflow with higher privileges [\#383](https://github.com/dev-sec/ansible-collection-hardening/pull/383) ([schurzi](https://github.com/schurzi)) - remove issue labels from changelog [\#382](https://github.com/dev-sec/ansible-collection-hardening/pull/382) ([schurzi](https://github.com/schurzi)) -- Added comment on top of templates about which role manages the file [\#378](https://github.com/dev-sec/ansible-collection-hardening/pull/378) ([joubbi](https://github.com/joubbi)) -- Regenerate RSA key with size 4096 bits [\#376](https://github.com/dev-sec/ansible-collection-hardening/pull/376) ([ssttehrani](https://github.com/ssttehrani)) +- Added comment on top of templates about which role manages the file [\#378](https://github.com/dev-sec/ansible-collection-hardening/pull/378) [[mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/mysql_hardening)] [[nginx_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/nginx_hardening)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([joubbi](https://github.com/joubbi)) +- Regenerate RSA key with size 4096 bits [\#376](https://github.com/dev-sec/ansible-collection-hardening/pull/376) [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] [[ready to review](https://github.com/dev-sec/ansible-collection-hardening/labels/ready%20to%20review)] ([ssttehrani](https://github.com/ssttehrani)) - fix second changelog generation task, too [\#349](https://github.com/dev-sec/ansible-collection-hardening/pull/349) ([rndmh3ro](https://github.com/rndmh3ro)) - fix 
changelog generation [\#341](https://github.com/dev-sec/ansible-collection-hardening/pull/341) ([rndmh3ro](https://github.com/rndmh3ro)) -- Improve README for ssh\_hardening [\#335](https://github.com/dev-sec/ansible-collection-hardening/pull/335) ([szEvEz](https://github.com/szEvEz)) +- Improve README for ssh\_hardening [\#335](https://github.com/dev-sec/ansible-collection-hardening/pull/335) [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([szEvEz](https://github.com/szEvEz)) ## [7.0.0](https://github.com/dev-sec/ansible-collection-hardening/tree/7.0.0) (2020-11-11) 
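Review bot: the added lines for \#378, \#376 and \#335 reintroduce issue labels even though the unchanged context line in this same hunk records "remove issue labels from changelog" (\#382), so the generated output contradicts a change the project already merged. Check whether the changelog generator's label setting was reverted or is not applied in the CI job that produced this commit. The \#376 entry also renders [[ready to review]] on a pull request listed under merged pull requests, which is stale workflow state and should be excluded from release notes if labels are kept.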
@@ -206,170 +217,170 @@ **Breaking changes:** -- Move all roles to one single collection [\#332](https://github.com/dev-sec/ansible-collection-hardening/pull/332) ([rndmh3ro](https://github.com/rndmh3ro)) +- Move all roles to one single collection [\#332](https://github.com/dev-sec/ansible-collection-hardening/pull/332) [[breaking](https://github.com/dev-sec/ansible-collection-hardening/labels/breaking)] ([rndmh3ro](https://github.com/rndmh3ro)) **Implemented enhancements:** -- Breaking change in ansible-lint - set file permissions explicitly [\#299](https://github.com/dev-sec/ansible-collection-hardening/issues/299) -- Configure audit=1 for more accurate auid auditing [\#253](https://github.com/dev-sec/ansible-collection-hardening/issues/253) -- Add Debian Buster support for ansible-os-hardening [\#233](https://github.com/dev-sec/ansible-collection-hardening/issues/233) -- Add CentOS 8 support for ansible-os-hardening [\#232](https://github.com/dev-sec/ansible-collection-hardening/issues/232) -- Speed up "minimize access on found files" task [\#208](https://github.com/dev-sec/ansible-collection-hardening/issues/208) -- Fedora support? 
[\#163](https://github.com/dev-sec/ansible-collection-hardening/issues/163) -- Update some RH settings in this role [\#155](https://github.com/dev-sec/ansible-collection-hardening/issues/155) -- Add selinux configuration [\#154](https://github.com/dev-sec/ansible-collection-hardening/issues/154) -- Warning about "include" for tasks for ansible-playbook 2.4.0 \(devel f0a5854e39\) [\#131](https://github.com/dev-sec/ansible-collection-hardening/issues/131) -- Removal of core dump hardening configuration if core dumps are allowed [\#129](https://github.com/dev-sec/ansible-collection-hardening/issues/129) -- Description of the Ansible roles of dev-sec says "This Ansible playbook" [\#97](https://github.com/dev-sec/ansible-collection-hardening/issues/97) -- Improve Documentation [\#315](https://github.com/dev-sec/ansible-collection-hardening/pull/315) ([schurzi](https://github.com/schurzi)) -- Arch support [\#303](https://github.com/dev-sec/ansible-collection-hardening/pull/303) ([rndmh3ro](https://github.com/rndmh3ro)) -- fix linting for molecule [\#301](https://github.com/dev-sec/ansible-collection-hardening/pull/301) ([schurzi](https://github.com/schurzi)) -- file permissions explicitly defined [\#300](https://github.com/dev-sec/ansible-collection-hardening/pull/300) ([danielkubat](https://github.com/danielkubat)) -- Optimize and unify when clause [\#295](https://github.com/dev-sec/ansible-collection-hardening/pull/295) ([Alexhha](https://github.com/Alexhha)) -- use find module instead of shell [\#294](https://github.com/dev-sec/ansible-collection-hardening/pull/294) ([danielkubat](https://github.com/danielkubat)) -- improve testing [\#287](https://github.com/dev-sec/ansible-collection-hardening/pull/287) ([schurzi](https://github.com/schurzi)) -- Mount proc filesystem using hidepid option [\#283](https://github.com/dev-sec/ansible-collection-hardening/pull/283) ([alegrey91](https://github.com/alegrey91)) -- unify changelog and release actions 
[\#279](https://github.com/dev-sec/ansible-collection-hardening/pull/279) ([rndmh3ro](https://github.com/rndmh3ro)) -- purge insecure packages [\#275](https://github.com/dev-sec/ansible-collection-hardening/pull/275) ([chris-rock](https://github.com/chris-rock)) -- add changelog and release workflow [\#271](https://github.com/dev-sec/ansible-collection-hardening/pull/271) ([rndmh3ro](https://github.com/rndmh3ro)) -- github action for changelog generation [\#270](https://github.com/dev-sec/ansible-collection-hardening/pull/270) ([rndmh3ro](https://github.com/rndmh3ro)) -- Make useradd defaults in login.defs dependent on OS [\#266](https://github.com/dev-sec/ansible-collection-hardening/pull/266) ([aisbergg](https://github.com/aisbergg)) -- Add kernel hardening parameters from Tails and CIS Benchmark [\#263](https://github.com/dev-sec/ansible-collection-hardening/pull/263) ([kravietz](https://github.com/kravietz)) -- add ansible-lint [\#262](https://github.com/dev-sec/ansible-collection-hardening/pull/262) ([rndmh3ro](https://github.com/rndmh3ro)) -- Remove trailing space [\#261](https://github.com/dev-sec/ansible-collection-hardening/pull/261) ([kravietz](https://github.com/kravietz)) -- Add kernel parameter information to README [\#259](https://github.com/dev-sec/ansible-collection-hardening/pull/259) ([jaredledvina](https://github.com/jaredledvina)) -- Remove trailing whitespaces \(ansible-lint 201\) [\#254](https://github.com/dev-sec/ansible-collection-hardening/pull/254) ([kravietz](https://github.com/kravietz)) -- Standardize the var ordering [\#251](https://github.com/dev-sec/ansible-collection-hardening/pull/251) ([dustinmiller](https://github.com/dustinmiller)) -- Add intial support for OpenSUSE [\#250](https://github.com/dev-sec/ansible-collection-hardening/pull/250) ([dustinmiller](https://github.com/dustinmiller)) -- Make max\_log\_file\_action for auditd configurable [\#246](https://github.com/dev-sec/ansible-collection-hardening/pull/246) 
([jandd](https://github.com/jandd)) -- Add exception in sysctl task [\#240](https://github.com/dev-sec/ansible-collection-hardening/pull/240) ([ghost](https://github.com/ghost)) -- Fedora - Use new auto ansible\_python\_interpreter for dnf [\#239](https://github.com/dev-sec/ansible-collection-hardening/pull/239) ([jaredledvina](https://github.com/jaredledvina)) -- add test support for CentOS8 [\#237](https://github.com/dev-sec/ansible-collection-hardening/pull/237) ([yeoldegrove](https://github.com/yeoldegrove)) -- Support configuring SELinux and default to enforcing [\#236](https://github.com/dev-sec/ansible-collection-hardening/pull/236) ([jaredledvina](https://github.com/jaredledvina)) -- Add test support for debian buster [\#234](https://github.com/dev-sec/ansible-collection-hardening/pull/234) ([123Haynes](https://github.com/123Haynes)) -- Changed local var name to a less common one [\#231](https://github.com/dev-sec/ansible-collection-hardening/pull/231) ([rgarrigue](https://github.com/rgarrigue)) -- Use ansible facts for vars [\#226](https://github.com/dev-sec/ansible-collection-hardening/pull/226) ([joshuatalb](https://github.com/joshuatalb)) -- Fix deprecation warnings in Ansible 2.8 [\#224](https://github.com/dev-sec/ansible-collection-hardening/pull/224) ([Normo](https://github.com/Normo)) -- add docs to find-task in minimize access. 
fix \#219 [\#220](https://github.com/dev-sec/ansible-collection-hardening/pull/220) ([rndmh3ro](https://github.com/rndmh3ro)) -- remove eol'd OS and add new [\#217](https://github.com/dev-sec/ansible-collection-hardening/pull/217) ([rndmh3ro](https://github.com/rndmh3ro)) -- Add note about docker under warning [\#214](https://github.com/dev-sec/ansible-collection-hardening/pull/214) ([ChrisMcKee](https://github.com/ChrisMcKee)) -- change minimize access tasks to speed them up [\#209](https://github.com/dev-sec/ansible-collection-hardening/pull/209) ([rndmh3ro](https://github.com/rndmh3ro)) -- Added fedora support [\#206](https://github.com/dev-sec/ansible-collection-hardening/pull/206) ([jonaswre](https://github.com/jonaswre)) -- Pass package list directly to apt and yum modules without using with\_items loop [\#200](https://github.com/dev-sec/ansible-collection-hardening/pull/200) ([Normo](https://github.com/Normo)) -- add ubuntu 1804 support [\#196](https://github.com/dev-sec/ansible-collection-hardening/pull/196) ([rndmh3ro](https://github.com/rndmh3ro)) -- add option to disable auditd [\#192](https://github.com/dev-sec/ansible-collection-hardening/pull/192) ([rndmh3ro](https://github.com/rndmh3ro)) -- fix problems with efi and vfat [\#190](https://github.com/dev-sec/ansible-collection-hardening/pull/190) ([rndmh3ro](https://github.com/rndmh3ro)) -- added os\_hardening\_enabled flag [\#186](https://github.com/dev-sec/ansible-collection-hardening/pull/186) ([jcheroske](https://github.com/jcheroske)) -- add amazon run opts to travis [\#183](https://github.com/dev-sec/ansible-collection-hardening/pull/183) ([rndmh3ro](https://github.com/rndmh3ro)) -- use package instead of yum and apt [\#180](https://github.com/dev-sec/ansible-collection-hardening/pull/180) ([rndmh3ro](https://github.com/rndmh3ro)) -- add oracle7 to travis [\#178](https://github.com/dev-sec/ansible-collection-hardening/pull/178) ([rndmh3ro](https://github.com/rndmh3ro)) -- fix wrong permissions 
passwdqc \#170 [\#176](https://github.com/dev-sec/ansible-collection-hardening/pull/176) ([rndmh3ro](https://github.com/rndmh3ro)) -- ipv4 forwarding comment is inconsistent with example [\#174](https://github.com/dev-sec/ansible-collection-hardening/pull/174) ([carchrae](https://github.com/carchrae)) -- Rename pam\_passwdqd.j2 to pam\_passwdqc.j2 [\#172](https://github.com/dev-sec/ansible-collection-hardening/pull/172) ([martinbydefault](https://github.com/martinbydefault)) -- Use package state 'present' since 'installed' is deprecated [\#168](https://github.com/dev-sec/ansible-collection-hardening/pull/168) ([Normo](https://github.com/Normo)) -- Update syntax to Ansible 2.4 [\#161](https://github.com/dev-sec/ansible-collection-hardening/pull/161) ([thomasjpfan](https://github.com/thomasjpfan)) -- add amazon linux testing [\#160](https://github.com/dev-sec/ansible-collection-hardening/pull/160) ([rndmh3ro](https://github.com/rndmh3ro)) -- Add support for Amazon Linux [\#158](https://github.com/dev-sec/ansible-collection-hardening/pull/158) ([woneill](https://github.com/woneill)) -- Don't create home for system accounts [\#156](https://github.com/dev-sec/ansible-collection-hardening/pull/156) ([oakey-b1](https://github.com/oakey-b1)) -- Prevent disabling of filesystems via whitelist [\#153](https://github.com/dev-sec/ansible-collection-hardening/pull/153) ([manuelprinz](https://github.com/manuelprinz)) -- Add kernel hardening settings from Ubuntu /etc/sysctl.d [\#150](https://github.com/dev-sec/ansible-collection-hardening/pull/150) ([kravietz](https://github.com/kravietz)) -- Removal of core dump hardening configuration if core dumps are allowed [\#146](https://github.com/dev-sec/ansible-collection-hardening/pull/146) ([martinbydefault](https://github.com/martinbydefault)) -- install and configure auditd - fix inspec package-08 [\#144](https://github.com/dev-sec/ansible-collection-hardening/pull/144) ([rndmh3ro](https://github.com/rndmh3ro)) -- add missing sysctl 
parameter [\#143](https://github.com/dev-sec/ansible-collection-hardening/pull/143) ([rndmh3ro](https://github.com/rndmh3ro)) -- update readme [\#139](https://github.com/dev-sec/ansible-collection-hardening/pull/139) ([rndmh3ro](https://github.com/rndmh3ro)) -- add modprobe template, control os-10 [\#138](https://github.com/dev-sec/ansible-collection-hardening/pull/138) ([rndmh3ro](https://github.com/rndmh3ro)) -- new task for delete netrc files, control os-09 [\#137](https://github.com/dev-sec/ansible-collection-hardening/pull/137) ([rndmh3ro](https://github.com/rndmh3ro)) -- add passwd task, control os-03 [\#136](https://github.com/dev-sec/ansible-collection-hardening/pull/136) ([rndmh3ro](https://github.com/rndmh3ro)) -- remove prelink package, control package-09 [\#135](https://github.com/dev-sec/ansible-collection-hardening/pull/135) ([rndmh3ro](https://github.com/rndmh3ro)) -- style update [\#134](https://github.com/dev-sec/ansible-collection-hardening/pull/134) ([rndmh3ro](https://github.com/rndmh3ro)) -- Remove deprecated include for static tasks and use instead import\_tasks fix \#131 [\#132](https://github.com/dev-sec/ansible-collection-hardening/pull/132) ([HelioCampos](https://github.com/HelioCampos)) -- Fix ansible.cfg and use comment filter [\#130](https://github.com/dev-sec/ansible-collection-hardening/pull/130) ([fazlearefin](https://github.com/fazlearefin)) -- install initramfs-tools [\#114](https://github.com/dev-sec/ansible-collection-hardening/pull/114) ([rndmh3ro](https://github.com/rndmh3ro)) -- omit empty variables [\#106](https://github.com/dev-sec/ansible-collection-hardening/pull/106) ([rndmh3ro](https://github.com/rndmh3ro)) -- Supports --check mode [\#93](https://github.com/dev-sec/ansible-collection-hardening/pull/93) ([conorsch](https://github.com/conorsch)) -- Adds support for CentOS 7 [\#91](https://github.com/dev-sec/ansible-collection-hardening/pull/91) ([conorsch](https://github.com/conorsch)) -- Docker 
[\#90](https://github.com/dev-sec/ansible-collection-hardening/pull/90) ([rndmh3ro](https://github.com/rndmh3ro)) -- debian 8 support [\#88](https://github.com/dev-sec/ansible-collection-hardening/pull/88) ([rndmh3ro](https://github.com/rndmh3ro)) -- Ufw manage defaults [\#85](https://github.com/dev-sec/ansible-collection-hardening/pull/85) ([fitz123](https://github.com/fitz123)) -- replace ignore\_errors to failed\_when to supress ugly error warnings [\#81](https://github.com/dev-sec/ansible-collection-hardening/pull/81) ([fitz123](https://github.com/fitz123)) -- fix bare variables usage for loops [\#79](https://github.com/dev-sec/ansible-collection-hardening/pull/79) ([fitz123](https://github.com/fitz123)) -- update platforms in meta-file [\#69](https://github.com/dev-sec/ansible-collection-hardening/pull/69) ([rndmh3ro](https://github.com/rndmh3ro)) -- add webhook for ansible galaxy [\#68](https://github.com/dev-sec/ansible-collection-hardening/pull/68) ([rndmh3ro](https://github.com/rndmh3ro)) -- Move sysctl vars to defaults [\#67](https://github.com/dev-sec/ansible-collection-hardening/pull/67) ([rndmh3ro](https://github.com/rndmh3ro)) -- make sys\_uid and sys\_gid configurable [\#62](https://github.com/dev-sec/ansible-collection-hardening/pull/62) ([rndmh3ro](https://github.com/rndmh3ro)) -- Ansible 2.0 support [\#59](https://github.com/dev-sec/ansible-collection-hardening/pull/59) ([rndmh3ro](https://github.com/rndmh3ro)) -- use inspec as test framework [\#58](https://github.com/dev-sec/ansible-collection-hardening/pull/58) ([chris-rock](https://github.com/chris-rock)) -- Packages as attributes [\#57](https://github.com/dev-sec/ansible-collection-hardening/pull/57) ([rndmh3ro](https://github.com/rndmh3ro)) -- Change categories to tags for upcoming ansible 2.0 [\#56](https://github.com/dev-sec/ansible-collection-hardening/pull/56) ([rndmh3ro](https://github.com/rndmh3ro)) -- Add SINGLE and PROMPT parameters. 
[\#55](https://github.com/dev-sec/ansible-collection-hardening/pull/55) ([rndmh3ro](https://github.com/rndmh3ro)) -- add changelog generator [\#54](https://github.com/dev-sec/ansible-collection-hardening/pull/54) ([chris-rock](https://github.com/chris-rock)) +- Breaking change in ansible-lint - set file permissions explicitly [\#299](https://github.com/dev-sec/ansible-collection-hardening/issues/299) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] +- Configure audit=1 for more accurate auid auditing [\#253](https://github.com/dev-sec/ansible-collection-hardening/issues/253) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] +- Add Debian Buster support for ansible-os-hardening [\#233](https://github.com/dev-sec/ansible-collection-hardening/issues/233) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[hacktoberfest](https://github.com/dev-sec/ansible-collection-hardening/labels/hacktoberfest)] +- Add CentOS 8 support for ansible-os-hardening [\#232](https://github.com/dev-sec/ansible-collection-hardening/issues/232) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[hacktoberfest](https://github.com/dev-sec/ansible-collection-hardening/labels/hacktoberfest)] +- Speed up "minimize access on found files" task [\#208](https://github.com/dev-sec/ansible-collection-hardening/issues/208) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] +- Fedora support? 
[\#163](https://github.com/dev-sec/ansible-collection-hardening/issues/163) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[help wanted](https://github.com/dev-sec/ansible-collection-hardening/labels/help%20wanted)] +- Update some RH settings in this role [\#155](https://github.com/dev-sec/ansible-collection-hardening/issues/155) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] +- Add selinux configuration [\#154](https://github.com/dev-sec/ansible-collection-hardening/issues/154) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[hacktoberfest](https://github.com/dev-sec/ansible-collection-hardening/labels/hacktoberfest)] [[help wanted](https://github.com/dev-sec/ansible-collection-hardening/labels/help%20wanted)] +- Warning about "include" for tasks for ansible-playbook 2.4.0 \(devel f0a5854e39\) [\#131](https://github.com/dev-sec/ansible-collection-hardening/issues/131) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] +- Removal of core dump hardening configuration if core dumps are allowed [\#129](https://github.com/dev-sec/ansible-collection-hardening/issues/129) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[help wanted](https://github.com/dev-sec/ansible-collection-hardening/labels/help%20wanted)] +- Description of the Ansible roles of dev-sec says "This Ansible playbook" [\#97](https://github.com/dev-sec/ansible-collection-hardening/issues/97) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] +- Improve Documentation [\#315](https://github.com/dev-sec/ansible-collection-hardening/pull/315) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] 
([schurzi](https://github.com/schurzi)) +- Arch support [\#303](https://github.com/dev-sec/ansible-collection-hardening/pull/303) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] ([rndmh3ro](https://github.com/rndmh3ro)) +- fix linting for molecule [\#301](https://github.com/dev-sec/ansible-collection-hardening/pull/301) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([schurzi](https://github.com/schurzi)) +- file permissions explicitly defined [\#300](https://github.com/dev-sec/ansible-collection-hardening/pull/300) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] ([danielkubat](https://github.com/danielkubat)) +- Optimize and unify when clause [\#295](https://github.com/dev-sec/ansible-collection-hardening/pull/295) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([Alexhha](https://github.com/Alexhha)) +- use find module instead of shell [\#294](https://github.com/dev-sec/ansible-collection-hardening/pull/294) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([danielkubat](https://github.com/danielkubat)) +- improve testing 
[\#287](https://github.com/dev-sec/ansible-collection-hardening/pull/287) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] ([schurzi](https://github.com/schurzi)) +- Mount proc filesystem using hidepid option [\#283](https://github.com/dev-sec/ansible-collection-hardening/pull/283) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] ([alegrey91](https://github.com/alegrey91)) +- unify changelog and release actions [\#279](https://github.com/dev-sec/ansible-collection-hardening/pull/279) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([rndmh3ro](https://github.com/rndmh3ro)) +- purge insecure packages [\#275](https://github.com/dev-sec/ansible-collection-hardening/pull/275) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[minor](https://github.com/dev-sec/ansible-collection-hardening/labels/minor)] ([chris-rock](https://github.com/chris-rock)) +- add changelog and release workflow [\#271](https://github.com/dev-sec/ansible-collection-hardening/pull/271) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([rndmh3ro](https://github.com/rndmh3ro)) +- github action for changelog generation [\#270](https://github.com/dev-sec/ansible-collection-hardening/pull/270) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([rndmh3ro](https://github.com/rndmh3ro)) +- Make useradd defaults in login.defs dependent on OS 
[\#266](https://github.com/dev-sec/ansible-collection-hardening/pull/266) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([aisbergg](https://github.com/aisbergg)) +- Add kernel hardening parameters from Tails and CIS Benchmark [\#263](https://github.com/dev-sec/ansible-collection-hardening/pull/263) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([kravietz](https://github.com/kravietz)) +- add ansible-lint [\#262](https://github.com/dev-sec/ansible-collection-hardening/pull/262) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- Remove trailing space [\#261](https://github.com/dev-sec/ansible-collection-hardening/pull/261) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([kravietz](https://github.com/kravietz)) +- Add kernel parameter information to README [\#259](https://github.com/dev-sec/ansible-collection-hardening/pull/259) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([jaredledvina](https://github.com/jaredledvina)) +- Remove trailing whitespaces \(ansible-lint 201\) [\#254](https://github.com/dev-sec/ansible-collection-hardening/pull/254) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([kravietz](https://github.com/kravietz)) +- Standardize the var ordering [\#251](https://github.com/dev-sec/ansible-collection-hardening/pull/251) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([dustinmiller](https://github.com/dustinmiller)) +- Add intial support for OpenSUSE [\#250](https://github.com/dev-sec/ansible-collection-hardening/pull/250) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([dustinmiller](https://github.com/dustinmiller)) +- Make max\_log\_file\_action for 
auditd configurable [\#246](https://github.com/dev-sec/ansible-collection-hardening/pull/246) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([jandd](https://github.com/jandd)) +- Add exception in sysctl task [\#240](https://github.com/dev-sec/ansible-collection-hardening/pull/240) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([ghost](https://github.com/ghost)) +- Fedora - Use new auto ansible\_python\_interpreter for dnf [\#239](https://github.com/dev-sec/ansible-collection-hardening/pull/239) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([jaredledvina](https://github.com/jaredledvina)) +- add test support for CentOS8 [\#237](https://github.com/dev-sec/ansible-collection-hardening/pull/237) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([yeoldegrove](https://github.com/yeoldegrove)) +- Support configuring SELinux and default to enforcing [\#236](https://github.com/dev-sec/ansible-collection-hardening/pull/236) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([jaredledvina](https://github.com/jaredledvina)) +- Add test support for debian buster [\#234](https://github.com/dev-sec/ansible-collection-hardening/pull/234) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([123Haynes](https://github.com/123Haynes)) +- Changed local var name to a less common one [\#231](https://github.com/dev-sec/ansible-collection-hardening/pull/231) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rgarrigue](https://github.com/rgarrigue)) +- Use ansible facts for vars [\#226](https://github.com/dev-sec/ansible-collection-hardening/pull/226) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([joshuatalb](https://github.com/joshuatalb)) 
+- Fix deprecation warnings in Ansible 2.8 [\#224](https://github.com/dev-sec/ansible-collection-hardening/pull/224) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([Normo](https://github.com/Normo)) +- add docs to find-task in minimize access. fix \#219 [\#220](https://github.com/dev-sec/ansible-collection-hardening/pull/220) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- remove eol'd OS and add new [\#217](https://github.com/dev-sec/ansible-collection-hardening/pull/217) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- Add note about docker under warning [\#214](https://github.com/dev-sec/ansible-collection-hardening/pull/214) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([ChrisMcKee](https://github.com/ChrisMcKee)) +- change minimize access tasks to speed them up [\#209](https://github.com/dev-sec/ansible-collection-hardening/pull/209) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- Added fedora support [\#206](https://github.com/dev-sec/ansible-collection-hardening/pull/206) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([jonaswre](https://github.com/jonaswre)) +- Pass package list directly to apt and yum modules without using with\_items loop [\#200](https://github.com/dev-sec/ansible-collection-hardening/pull/200) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([Normo](https://github.com/Normo)) +- add ubuntu 1804 support [\#196](https://github.com/dev-sec/ansible-collection-hardening/pull/196) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] 
([rndmh3ro](https://github.com/rndmh3ro)) +- add option to disable auditd [\#192](https://github.com/dev-sec/ansible-collection-hardening/pull/192) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- fix problems with efi and vfat [\#190](https://github.com/dev-sec/ansible-collection-hardening/pull/190) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- added os\_hardening\_enabled flag [\#186](https://github.com/dev-sec/ansible-collection-hardening/pull/186) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([jcheroske](https://github.com/jcheroske)) +- add amazon run opts to travis [\#183](https://github.com/dev-sec/ansible-collection-hardening/pull/183) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- use package instead of yum and apt [\#180](https://github.com/dev-sec/ansible-collection-hardening/pull/180) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- add oracle7 to travis [\#178](https://github.com/dev-sec/ansible-collection-hardening/pull/178) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- fix wrong permissions passwdqc \#170 [\#176](https://github.com/dev-sec/ansible-collection-hardening/pull/176) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- ipv4 forwarding comment is inconsistent with example [\#174](https://github.com/dev-sec/ansible-collection-hardening/pull/174) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] 
([carchrae](https://github.com/carchrae)) +- Rename pam\_passwdqd.j2 to pam\_passwdqc.j2 [\#172](https://github.com/dev-sec/ansible-collection-hardening/pull/172) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([martinbydefault](https://github.com/martinbydefault)) +- Use package state 'present' since 'installed' is deprecated [\#168](https://github.com/dev-sec/ansible-collection-hardening/pull/168) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([Normo](https://github.com/Normo)) +- Update syntax to Ansible 2.4 [\#161](https://github.com/dev-sec/ansible-collection-hardening/pull/161) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([thomasjpfan](https://github.com/thomasjpfan)) +- add amazon linux testing [\#160](https://github.com/dev-sec/ansible-collection-hardening/pull/160) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- Add support for Amazon Linux [\#158](https://github.com/dev-sec/ansible-collection-hardening/pull/158) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([woneill](https://github.com/woneill)) +- Don't create home for system accounts [\#156](https://github.com/dev-sec/ansible-collection-hardening/pull/156) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([oakey-b1](https://github.com/oakey-b1)) +- Prevent disabling of filesystems via whitelist [\#153](https://github.com/dev-sec/ansible-collection-hardening/pull/153) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([manuelprinz](https://github.com/manuelprinz)) +- Add kernel hardening settings from Ubuntu /etc/sysctl.d [\#150](https://github.com/dev-sec/ansible-collection-hardening/pull/150) 
[[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([kravietz](https://github.com/kravietz)) +- Removal of core dump hardening configuration if core dumps are allowed [\#146](https://github.com/dev-sec/ansible-collection-hardening/pull/146) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([martinbydefault](https://github.com/martinbydefault)) +- install and configure auditd - fix inspec package-08 [\#144](https://github.com/dev-sec/ansible-collection-hardening/pull/144) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- add missing sysctl parameter [\#143](https://github.com/dev-sec/ansible-collection-hardening/pull/143) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] [[in progress](https://github.com/dev-sec/ansible-collection-hardening/labels/in%20progress)] ([rndmh3ro](https://github.com/rndmh3ro)) +- update readme [\#139](https://github.com/dev-sec/ansible-collection-hardening/pull/139) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- add modprobe template, control os-10 [\#138](https://github.com/dev-sec/ansible-collection-hardening/pull/138) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- new task for delete netrc files, control os-09 [\#137](https://github.com/dev-sec/ansible-collection-hardening/pull/137) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- add passwd task, control os-03 [\#136](https://github.com/dev-sec/ansible-collection-hardening/pull/136) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] 
([rndmh3ro](https://github.com/rndmh3ro)) +- remove prelink package, control package-09 [\#135](https://github.com/dev-sec/ansible-collection-hardening/pull/135) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- style update [\#134](https://github.com/dev-sec/ansible-collection-hardening/pull/134) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- Remove deprecated include for static tasks and use instead import\_tasks fix \#131 [\#132](https://github.com/dev-sec/ansible-collection-hardening/pull/132) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([HelioCampos](https://github.com/HelioCampos)) +- Fix ansible.cfg and use comment filter [\#130](https://github.com/dev-sec/ansible-collection-hardening/pull/130) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([fazlearefin](https://github.com/fazlearefin)) +- install initramfs-tools [\#114](https://github.com/dev-sec/ansible-collection-hardening/pull/114) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- omit empty variables [\#106](https://github.com/dev-sec/ansible-collection-hardening/pull/106) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- Supports --check mode [\#93](https://github.com/dev-sec/ansible-collection-hardening/pull/93) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([conorsch](https://github.com/conorsch)) +- Adds support for CentOS 7 [\#91](https://github.com/dev-sec/ansible-collection-hardening/pull/91) 
[[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([conorsch](https://github.com/conorsch)) +- Docker [\#90](https://github.com/dev-sec/ansible-collection-hardening/pull/90) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- debian 8 support [\#88](https://github.com/dev-sec/ansible-collection-hardening/pull/88) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- Ufw manage defaults [\#85](https://github.com/dev-sec/ansible-collection-hardening/pull/85) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([fitz123](https://github.com/fitz123)) +- replace ignore\_errors to failed\_when to supress ugly error warnings [\#81](https://github.com/dev-sec/ansible-collection-hardening/pull/81) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([fitz123](https://github.com/fitz123)) +- fix bare variables usage for loops [\#79](https://github.com/dev-sec/ansible-collection-hardening/pull/79) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([fitz123](https://github.com/fitz123)) +- update platforms in meta-file [\#69](https://github.com/dev-sec/ansible-collection-hardening/pull/69) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- add webhook for ansible galaxy [\#68](https://github.com/dev-sec/ansible-collection-hardening/pull/68) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- Move sysctl vars to defaults [\#67](https://github.com/dev-sec/ansible-collection-hardening/pull/67) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] 
([rndmh3ro](https://github.com/rndmh3ro)) +- make sys\_uid and sys\_gid configurable [\#62](https://github.com/dev-sec/ansible-collection-hardening/pull/62) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- Ansible 2.0 support [\#59](https://github.com/dev-sec/ansible-collection-hardening/pull/59) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- use inspec as test framework [\#58](https://github.com/dev-sec/ansible-collection-hardening/pull/58) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([chris-rock](https://github.com/chris-rock)) +- Packages as attributes [\#57](https://github.com/dev-sec/ansible-collection-hardening/pull/57) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- Change categories to tags for upcoming ansible 2.0 [\#56](https://github.com/dev-sec/ansible-collection-hardening/pull/56) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- Add SINGLE and PROMPT parameters. 
[\#55](https://github.com/dev-sec/ansible-collection-hardening/pull/55) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([rndmh3ro](https://github.com/rndmh3ro)) +- add changelog generator [\#54](https://github.com/dev-sec/ansible-collection-hardening/pull/54) [[enhancement](https://github.com/dev-sec/ansible-collection-hardening/labels/enhancement)] ([chris-rock](https://github.com/chris-rock)) **Fixed bugs:** -- Task "set 10.hardcore.conf perms to 0400 and root ownership" fails in check mode [\#313](https://github.com/dev-sec/ansible-collection-hardening/issues/313) -- Inconsistent use of role vars/role defaults [\#284](https://github.com/dev-sec/ansible-collection-hardening/issues/284) -- Is it safe to use on Debian 10? The build is failing. [\#281](https://github.com/dev-sec/ansible-collection-hardening/issues/281) -- /etc/login.defs alters centos 7/8 default values [\#265](https://github.com/dev-sec/ansible-collection-hardening/issues/265) -- Invalid Conditionals in user\_accounts.yml [\#255](https://github.com/dev-sec/ansible-collection-hardening/issues/255) -- `auth-system` related files are created for non-RHEL systems \(e.g. 
Debian\) [\#247](https://github.com/dev-sec/ansible-collection-hardening/issues/247) -- NSA website links are stale [\#227](https://github.com/dev-sec/ansible-collection-hardening/issues/227) -- Running ansible on python3 throughs "TypeError: '\<=' not supported between instances of 'str' and 'int'" [\#223](https://github.com/dev-sec/ansible-collection-hardening/issues/223) -- \[lots of\] deprecation warnings in Ansible 2.8 [\#221](https://github.com/dev-sec/ansible-collection-hardening/issues/221) -- `squash_actions` deprecation warning [\#218](https://github.com/dev-sec/ansible-collection-hardening/issues/218) -- login.defs.j2 template: ENV\_PATH is missing ':' before variable substitution [\#202](https://github.com/dev-sec/ansible-collection-hardening/issues/202) -- auditd causing v5.0 to fail on unpriviledged LXC's [\#191](https://github.com/dev-sec/ansible-collection-hardening/issues/191) -- Setting os\_security\_users\_allow has no effect [\#175](https://github.com/dev-sec/ansible-collection-hardening/issues/175) -- minimize\_access: maximum recursion depth exceeded on Ansible 2.5 [\#171](https://github.com/dev-sec/ansible-collection-hardening/issues/171) -- wrong permissions passwdqc [\#170](https://github.com/dev-sec/ansible-collection-hardening/issues/170) -- 'sysctl\_rhel\_config' is undefined [\#167](https://github.com/dev-sec/ansible-collection-hardening/issues/167) -- Update deprecated `include` statements [\#166](https://github.com/dev-sec/ansible-collection-hardening/issues/166) -- Strongly recommend against disabling vfat by default [\#162](https://github.com/dev-sec/ansible-collection-hardening/issues/162) -- bug in ufw.j2 template [\#151](https://github.com/dev-sec/ansible-collection-hardening/issues/151) -- Add a "don't fail on error" switch ? 
[\#148](https://github.com/dev-sec/ansible-collection-hardening/issues/148) -- System completely unresponsive after role execution [\#145](https://github.com/dev-sec/ansible-collection-hardening/issues/145) -- Why is rsync removed? [\#141](https://github.com/dev-sec/ansible-collection-hardening/issues/141) -- RHEL 7.4: Too many setuid bits removed [\#140](https://github.com/dev-sec/ansible-collection-hardening/issues/140) -- Change system accounts not on the user provided ignore-list items are not JSON serializable [\#125](https://github.com/dev-sec/ansible-collection-hardening/issues/125) -- playbook makes OS undetectable [\#124](https://github.com/dev-sec/ansible-collection-hardening/issues/124) -- Centos7/RHEL7: Exec shield is enabled by default and not manageable anymore by sysctl.conf [\#118](https://github.com/dev-sec/ansible-collection-hardening/issues/118) -- Could not find gem 'ruby \(\>= 2.1.0\)' [\#116](https://github.com/dev-sec/ansible-collection-hardening/issues/116) -- os\_security\_kernel\_enable\_sysrq is not implemented [\#115](https://github.com/dev-sec/ansible-collection-hardening/issues/115) -- The task sysctl fails when /etc/initramfs-tools is not present [\#111](https://github.com/dev-sec/ansible-collection-hardening/issues/111) -- The role fails when conditionally included [\#105](https://github.com/dev-sec/ansible-collection-hardening/issues/105) -- Deprecation warning always\_run [\#103](https://github.com/dev-sec/ansible-collection-hardening/issues/103) -- CentOS 7 selinux dependencies [\#102](https://github.com/dev-sec/ansible-collection-hardening/issues/102) -- ubuntu xenial warning during activate gpg-check for yum-repos [\#99](https://github.com/dev-sec/ansible-collection-hardening/issues/99) -- rhel\_system\_auth.j2 is still using pam\_passwdqc.so for CentOS 7 [\#98](https://github.com/dev-sec/ansible-collection-hardening/issues/98) -- Centos 7.1 fails at \[Change various sysctl-settings on rhel-hosts...\] 
[\#74](https://github.com/dev-sec/ansible-collection-hardening/issues/74) -- Enable pam\_pwquality in rhel-family \> 7 [\#73](https://github.com/dev-sec/ansible-collection-hardening/issues/73) -- Hardening fails on Centos 7.1 at task 'minimize access' [\#71](https://github.com/dev-sec/ansible-collection-hardening/issues/71) -- "irc" user always changed after reboot [\#53](https://github.com/dev-sec/ansible-collection-hardening/issues/53) -- use touch for 10.hardcore.conf to avoid problems with dry-run [\#314](https://github.com/dev-sec/ansible-collection-hardening/pull/314) ([schurzi](https://github.com/schurzi)) -- use touch with no date changes [\#310](https://github.com/dev-sec/ansible-collection-hardening/pull/310) ([rndmh3ro](https://github.com/rndmh3ro)) -- do not touch sysctl file to avoid idempotency problems [\#309](https://github.com/dev-sec/ansible-collection-hardening/pull/309) ([rndmh3ro](https://github.com/rndmh3ro)) -- replace module parameter fixed [\#297](https://github.com/dev-sec/ansible-collection-hardening/pull/297) ([danielkubat](https://github.com/danielkubat)) -- Addressing issue \#255 [\#258](https://github.com/dev-sec/ansible-collection-hardening/pull/258) ([ljkimmel](https://github.com/ljkimmel)) -- Fix \#247, cleanup conditions [\#248](https://github.com/dev-sec/ansible-collection-hardening/pull/248) ([fernandezcuesta](https://github.com/fernandezcuesta)) -- Fix error on applying the sysctl vars on containers [\#243](https://github.com/dev-sec/ansible-collection-hardening/pull/243) ([ghost](https://github.com/ghost)) -- Update location of NSA RHEL 5 Guide [\#235](https://github.com/dev-sec/ansible-collection-hardening/pull/235) ([jaredledvina](https://github.com/jaredledvina)) -- Fix typo [\#212](https://github.com/dev-sec/ansible-collection-hardening/pull/212) ([ruslo](https://github.com/ruslo)) -- Update modprobe to 0644 [\#211](https://github.com/dev-sec/ansible-collection-hardening/pull/211) 
([joshuatalb](https://github.com/joshuatalb)) -- Test Kitchen Vagrant Fixes [\#210](https://github.com/dev-sec/ansible-collection-hardening/pull/210) ([joshuatalb](https://github.com/joshuatalb)) -- \[readme\] Update documentation link [\#207](https://github.com/dev-sec/ansible-collection-hardening/pull/207) ([pmav99](https://github.com/pmav99)) -- fix ansible lint remarks [\#204](https://github.com/dev-sec/ansible-collection-hardening/pull/204) ([rndmh3ro](https://github.com/rndmh3ro)) -- add colon to user env paths - fix \#202 [\#203](https://github.com/dev-sec/ansible-collection-hardening/pull/203) ([rndmh3ro](https://github.com/rndmh3ro)) -- add /usr/bin/su to suid\_guid whitelist [\#199](https://github.com/dev-sec/ansible-collection-hardening/pull/199) ([ccolic](https://github.com/ccolic)) -- ensure that permissions to su-binary are not restricted to root user and group only, if os\_security\_users\_allow contains the value change\_user [\#197](https://github.com/dev-sec/ansible-collection-hardening/pull/197) ([szEvEz](https://github.com/szEvEz)) -- do not install passwdqc on amazon linux [\#189](https://github.com/dev-sec/ansible-collection-hardening/pull/189) ([rndmh3ro](https://github.com/rndmh3ro)) -- add back run opts for debian 8 in travis [\#184](https://github.com/dev-sec/ansible-collection-hardening/pull/184) ([rndmh3ro](https://github.com/rndmh3ro)) -- Fix core dump config file creation when core dumps are disabled [\#182](https://github.com/dev-sec/ansible-collection-hardening/pull/182) ([Normo](https://github.com/Normo)) -- change minimize access method [\#181](https://github.com/dev-sec/ansible-collection-hardening/pull/181) ([rndmh3ro](https://github.com/rndmh3ro)) -- Fix errors produced by ansible-lint [\#159](https://github.com/dev-sec/ansible-collection-hardening/pull/159) ([zbrojny120](https://github.com/zbrojny120)) -- replace single ticks with double ticks. 
fix \#151 [\#152](https://github.com/dev-sec/ansible-collection-hardening/pull/152) ([rndmh3ro](https://github.com/rndmh3ro)) -- fixed tag [\#149](https://github.com/dev-sec/ansible-collection-hardening/pull/149) ([martinbydefault](https://github.com/martinbydefault)) -- Remove rsync from package blacklist [\#142](https://github.com/dev-sec/ansible-collection-hardening/pull/142) ([duk3luk3](https://github.com/duk3luk3)) -- Updates "tags" parameters on includes in main.yml [\#66](https://github.com/dev-sec/ansible-collection-hardening/pull/66) ([conorsch](https://github.com/conorsch)) -- Suid set def var, fix \#64 [\#63](https://github.com/dev-sec/ansible-collection-hardening/pull/63) ([rndmh3ro](https://github.com/rndmh3ro)) +- Task "set 10.hardcore.conf perms to 0400 and root ownership" fails in check mode [\#313](https://github.com/dev-sec/ansible-collection-hardening/issues/313) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] +- Inconsistent use of role vars/role defaults [\#284](https://github.com/dev-sec/ansible-collection-hardening/issues/284) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- Is it safe to use on Debian 10? The build is failing. 
[\#281](https://github.com/dev-sec/ansible-collection-hardening/issues/281) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- /etc/login.defs alters centos 7/8 default values [\#265](https://github.com/dev-sec/ansible-collection-hardening/issues/265) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[help wanted](https://github.com/dev-sec/ansible-collection-hardening/labels/help%20wanted)] +- Invalid Conditionals in user\_accounts.yml [\#255](https://github.com/dev-sec/ansible-collection-hardening/issues/255) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- `auth-system` related files are created for non-RHEL systems \(e.g. Debian\) [\#247](https://github.com/dev-sec/ansible-collection-hardening/issues/247) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- NSA website links are stale [\#227](https://github.com/dev-sec/ansible-collection-hardening/issues/227) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[hacktoberfest](https://github.com/dev-sec/ansible-collection-hardening/labels/hacktoberfest)] [[help wanted](https://github.com/dev-sec/ansible-collection-hardening/labels/help%20wanted)] +- Running ansible on python3 throughs "TypeError: '\<=' not supported between instances of 'str' and 'int'" [\#223](https://github.com/dev-sec/ansible-collection-hardening/issues/223) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- \[lots of\] deprecation warnings in Ansible 2.8 [\#221](https://github.com/dev-sec/ansible-collection-hardening/issues/221) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[help wanted](https://github.com/dev-sec/ansible-collection-hardening/labels/help%20wanted)] +- `squash_actions` deprecation warning [\#218](https://github.com/dev-sec/ansible-collection-hardening/issues/218) 
[[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[help wanted](https://github.com/dev-sec/ansible-collection-hardening/labels/help%20wanted)] +- login.defs.j2 template: ENV\_PATH is missing ':' before variable substitution [\#202](https://github.com/dev-sec/ansible-collection-hardening/issues/202) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- auditd causing v5.0 to fail on unpriviledged LXC's [\#191](https://github.com/dev-sec/ansible-collection-hardening/issues/191) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- Setting os\_security\_users\_allow has no effect [\#175](https://github.com/dev-sec/ansible-collection-hardening/issues/175) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- minimize\_access: maximum recursion depth exceeded on Ansible 2.5 [\#171](https://github.com/dev-sec/ansible-collection-hardening/issues/171) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- wrong permissions passwdqc [\#170](https://github.com/dev-sec/ansible-collection-hardening/issues/170) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- 'sysctl\_rhel\_config' is undefined [\#167](https://github.com/dev-sec/ansible-collection-hardening/issues/167) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- Update deprecated `include` statements [\#166](https://github.com/dev-sec/ansible-collection-hardening/issues/166) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- Strongly recommend against disabling vfat by default [\#162](https://github.com/dev-sec/ansible-collection-hardening/issues/162) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- bug in ufw.j2 template [\#151](https://github.com/dev-sec/ansible-collection-hardening/issues/151) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- Add a 
"don't fail on error" switch ? [\#148](https://github.com/dev-sec/ansible-collection-hardening/issues/148) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- System completely unresponsive after role execution [\#145](https://github.com/dev-sec/ansible-collection-hardening/issues/145) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- Why is rsync removed? [\#141](https://github.com/dev-sec/ansible-collection-hardening/issues/141) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- RHEL 7.4: Too many setuid bits removed [\#140](https://github.com/dev-sec/ansible-collection-hardening/issues/140) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[help wanted](https://github.com/dev-sec/ansible-collection-hardening/labels/help%20wanted)] +- Change system accounts not on the user provided ignore-list items are not JSON serializable [\#125](https://github.com/dev-sec/ansible-collection-hardening/issues/125) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- playbook makes OS undetectable [\#124](https://github.com/dev-sec/ansible-collection-hardening/issues/124) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- Centos7/RHEL7: Exec shield is enabled by default and not manageable anymore by sysctl.conf [\#118](https://github.com/dev-sec/ansible-collection-hardening/issues/118) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- Could not find gem 'ruby \(\>= 2.1.0\)' [\#116](https://github.com/dev-sec/ansible-collection-hardening/issues/116) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- os\_security\_kernel\_enable\_sysrq is not implemented [\#115](https://github.com/dev-sec/ansible-collection-hardening/issues/115) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- The task sysctl fails when /etc/initramfs-tools is not 
present [\#111](https://github.com/dev-sec/ansible-collection-hardening/issues/111) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- The role fails when conditionally included [\#105](https://github.com/dev-sec/ansible-collection-hardening/issues/105) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- Deprecation warning always\_run [\#103](https://github.com/dev-sec/ansible-collection-hardening/issues/103) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- CentOS 7 selinux dependencies [\#102](https://github.com/dev-sec/ansible-collection-hardening/issues/102) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- ubuntu xenial warning during activate gpg-check for yum-repos [\#99](https://github.com/dev-sec/ansible-collection-hardening/issues/99) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- rhel\_system\_auth.j2 is still using pam\_passwdqc.so for CentOS 7 [\#98](https://github.com/dev-sec/ansible-collection-hardening/issues/98) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- Centos 7.1 fails at \[Change various sysctl-settings on rhel-hosts...\] [\#74](https://github.com/dev-sec/ansible-collection-hardening/issues/74) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] +- Enable pam\_pwquality in rhel-family \> 7 [\#73](https://github.com/dev-sec/ansible-collection-hardening/issues/73) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[help wanted](https://github.com/dev-sec/ansible-collection-hardening/labels/help%20wanted)] +- Hardening fails on Centos 7.1 at task 'minimize access' [\#71](https://github.com/dev-sec/ansible-collection-hardening/issues/71) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[help wanted](https://github.com/dev-sec/ansible-collection-hardening/labels/help%20wanted)] +- "irc" user 
always changed after reboot [\#53](https://github.com/dev-sec/ansible-collection-hardening/issues/53) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[help wanted](https://github.com/dev-sec/ansible-collection-hardening/labels/help%20wanted)] +- use touch for 10.hardcore.conf to avoid problems with dry-run [\#314](https://github.com/dev-sec/ansible-collection-hardening/pull/314) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([schurzi](https://github.com/schurzi)) +- use touch with no date changes [\#310](https://github.com/dev-sec/ansible-collection-hardening/pull/310) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([rndmh3ro](https://github.com/rndmh3ro)) +- do not touch sysctl file to avoid idempotency problems [\#309](https://github.com/dev-sec/ansible-collection-hardening/pull/309) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([rndmh3ro](https://github.com/rndmh3ro)) +- replace module parameter fixed [\#297](https://github.com/dev-sec/ansible-collection-hardening/pull/297) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([danielkubat](https://github.com/danielkubat)) +- Addressing issue \#255 [\#258](https://github.com/dev-sec/ansible-collection-hardening/pull/258) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] ([ljkimmel](https://github.com/ljkimmel)) +- Fix \#247, cleanup conditions [\#248](https://github.com/dev-sec/ansible-collection-hardening/pull/248) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] 
([fernandezcuesta](https://github.com/fernandezcuesta)) +- Fix error on applying the sysctl vars on containers [\#243](https://github.com/dev-sec/ansible-collection-hardening/pull/243) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] ([ghost](https://github.com/ghost)) +- Update location of NSA RHEL 5 Guide [\#235](https://github.com/dev-sec/ansible-collection-hardening/pull/235) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] ([jaredledvina](https://github.com/jaredledvina)) +- Fix typo [\#212](https://github.com/dev-sec/ansible-collection-hardening/pull/212) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] ([ruslo](https://github.com/ruslo)) +- Update modprobe to 0644 [\#211](https://github.com/dev-sec/ansible-collection-hardening/pull/211) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] ([joshuatalb](https://github.com/joshuatalb)) +- Test Kitchen Vagrant Fixes [\#210](https://github.com/dev-sec/ansible-collection-hardening/pull/210) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] ([joshuatalb](https://github.com/joshuatalb)) +- \[readme\] Update documentation link [\#207](https://github.com/dev-sec/ansible-collection-hardening/pull/207) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] ([pmav99](https://github.com/pmav99)) +- fix ansible lint remarks [\#204](https://github.com/dev-sec/ansible-collection-hardening/pull/204) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] ([rndmh3ro](https://github.com/rndmh3ro)) +- add colon to user env paths - fix \#202 [\#203](https://github.com/dev-sec/ansible-collection-hardening/pull/203) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] ([rndmh3ro](https://github.com/rndmh3ro)) +- add /usr/bin/su to suid\_guid whitelist [\#199](https://github.com/dev-sec/ansible-collection-hardening/pull/199) 
[[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] ([ccolic](https://github.com/ccolic)) +- ensure that permissions to su-binary are not restricted to root user and group only, if os\_security\_users\_allow contains the value change\_user [\#197](https://github.com/dev-sec/ansible-collection-hardening/pull/197) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] ([szEvEz](https://github.com/szEvEz)) +- do not install passwdqc on amazon linux [\#189](https://github.com/dev-sec/ansible-collection-hardening/pull/189) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] ([rndmh3ro](https://github.com/rndmh3ro)) +- add back run opts for debian 8 in travis [\#184](https://github.com/dev-sec/ansible-collection-hardening/pull/184) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] ([rndmh3ro](https://github.com/rndmh3ro)) +- Fix core dump config file creation when core dumps are disabled [\#182](https://github.com/dev-sec/ansible-collection-hardening/pull/182) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] ([Normo](https://github.com/Normo)) +- change minimize access method [\#181](https://github.com/dev-sec/ansible-collection-hardening/pull/181) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] ([rndmh3ro](https://github.com/rndmh3ro)) +- Fix errors produced by ansible-lint [\#159](https://github.com/dev-sec/ansible-collection-hardening/pull/159) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] ([zbrojny120](https://github.com/zbrojny120)) +- replace single ticks with double ticks. 
fix \#151 [\#152](https://github.com/dev-sec/ansible-collection-hardening/pull/152) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] ([rndmh3ro](https://github.com/rndmh3ro)) +- fixed tag [\#149](https://github.com/dev-sec/ansible-collection-hardening/pull/149) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] ([martinbydefault](https://github.com/martinbydefault)) +- Remove rsync from package blacklist [\#142](https://github.com/dev-sec/ansible-collection-hardening/pull/142) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] ([duk3luk3](https://github.com/duk3luk3)) +- Updates "tags" parameters on includes in main.yml [\#66](https://github.com/dev-sec/ansible-collection-hardening/pull/66) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] ([conorsch](https://github.com/conorsch)) +- Suid set def var, fix \#64 [\#63](https://github.com/dev-sec/ansible-collection-hardening/pull/63) [[bug](https://github.com/dev-sec/ansible-collection-hardening/labels/bug)] ([rndmh3ro](https://github.com/rndmh3ro)) **Closed issues:** 
@@ -402,11 +413,11 @@ **Merged pull requests:** - prettier markdown files action added [\#322](https://github.com/dev-sec/ansible-collection-hardening/pull/322) ([danielkubat](https://github.com/danielkubat)) -- adjust permissions on shadow file on suse [\#311](https://github.com/dev-sec/ansible-collection-hardening/pull/311) ([rndmh3ro](https://github.com/rndmh3ro)) +- adjust permissions on shadow file on suse [\#311](https://github.com/dev-sec/ansible-collection-hardening/pull/311) [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([rndmh3ro](https://github.com/rndmh3ro)) - fix fedora build [\#296](https://github.com/dev-sec/ansible-collection-hardening/pull/296) ([rndmh3ro](https://github.com/rndmh3ro)) -- do not blacklist used filesystems [\#289](https://github.com/dev-sec/ansible-collection-hardening/pull/289) ([schurzi](https://github.com/schurzi)) -- move hidepid vars into defaults so theyre overwritable [\#285](https://github.com/dev-sec/ansible-collection-hardening/pull/285) ([rndmh3ro](https://github.com/rndmh3ro)) -- install procps in debian so sysctl.conf exists [\#282](https://github.com/dev-sec/ansible-collection-hardening/pull/282) ([rndmh3ro](https://github.com/rndmh3ro)) +- do not blacklist used filesystems [\#289](https://github.com/dev-sec/ansible-collection-hardening/pull/289) [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([schurzi](https://github.com/schurzi)) +- move hidepid vars into defaults so theyre overwritable [\#285](https://github.com/dev-sec/ansible-collection-hardening/pull/285) [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([rndmh3ro](https://github.com/rndmh3ro)) +- install procps in debian so sysctl.conf exists [\#282](https://github.com/dev-sec/ansible-collection-hardening/pull/282) [[patch](https://github.com/dev-sec/ansible-collection-hardening/labels/patch)] ([rndmh3ro](https://github.com/rndmh3ro)) - move defaults to os-specific 
vars [\#157](https://github.com/dev-sec/ansible-collection-hardening/pull/157) ([rndmh3ro](https://github.com/rndmh3ro)) - Converts set to JSON-serializable list [\#126](https://github.com/dev-sec/ansible-collection-hardening/pull/126) ([pestaa](https://github.com/pestaa)) - add more sysctl settings, allow overwriting [\#120](https://github.com/dev-sec/ansible-collection-hardening/pull/120) ([rndmh3ro](https://github.com/rndmh3ro))
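Review bot: In the added "Fixed bugs" list (the hunk ending just before `@@ -402,11 +413,11 @@`), test, CI and documentation changes carry the bug label and are listed alongside changes that alter the hardening baseline. "Test Kitchen Vagrant Fixes" (#210), "[readme] Update documentation link" (#207), "fix ansible lint remarks" (#204) and "add back run opts for debian 8 in travis" (#184) appear in the same list as "Update modprobe to 0644" (#211), "add /usr/bin/su to suid_guid whitelist" (#199) and "Remove rsync from package blacklist" (#142). Suggest relabelling the test/CI/docs PRs so the entries that change permissions or whitelists are easy to pick out. Titles such as "Addressing issue #255" (#258), "Fix typo" (#212) and "fixed tag" (#149) do not say what changed; retitle them at the PR so the line is useful on its own. Labelling is also uneven within the list: #314, #310, #309 and #297 carry both bug and patch, while #258 and the entries after it carry only bug.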
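Review bot: In the "Merged pull requests" hunk at `@@ -402,11 +413,11 @@`, the only change to #311, #289, #285 and #282 is an appended patch label link, while #322, #296, #157, #126 and #120 in the same list stay unlabelled, so the section now mixes two line formats. Either label the remaining PRs or leave label links out of this section. The #285 line also carries "theyre" from the PR title. If this file is regenerated from PR titles, correct the title at the source rather than here, otherwise the typo will return on the next run.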