add testing and support for current versions of Fedora and FreeBSD (#709)

* add testing and support for current versions of Fedora and FreeBSD Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * add waivers for FreeBSD Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * use original fedora images Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * also harden /home mount Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * also harden /tmp mount Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * test mock efi directory Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * remove mock Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * umount efi Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * add /tmp to special mountpoints Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * set options for /tmp mount Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * create /tmp mount Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * create /tmp mount and mount it ... Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * make fewer changes to default test run Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * use correct Ansible var Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> --------- Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2024-09-20 05:11:53 +00:00 · 2023-11-16 09:14:03 +01:00 · 2023-11-16 09:14:03 +01:00 · 3d98cbf67b
commit 3d98cbf67b
parent 4a5a6e18e7
12 changed files with 43 additions and 20 deletions
--- a/.github/workflows/os_hardening.yml
+++ b/.github/workflows/os_hardening.yml
@ -39,8 +39,8 @@ jobs:
          - centosstream9
          - rocky8
          - rocky9
-          - fedora37
          - fedora38
+          - fedora39
          - ubuntu1804
          - ubuntu2004
          - ubuntu2204
--- a/.github/workflows/os_hardening_vm.yml
+++ b/.github/workflows/os_hardening_vm.yml
@ -34,21 +34,21 @@ jobs:
      fail-fast: false
      matrix:
        molecule_distro:
-          - centos7
-          - centos8s
-          - centos9s
-          - rocky8
-          - rocky9
-          - fedora37
-          - fedora38
-          - ubuntu1804
-          - ubuntu2004
-          - ubuntu2204
-          - debian10
-          - debian11
-          - debian12
-          - opensuse15
-          # - arch  # needs fix for audit
+          - generic/centos7
+          - generic/centos8s
+          - generic/centos9s
+          - generic/rocky8
+          - generic/rocky9
+          - fedora/38-cloud-base
+          - fedora/39-cloud-base
+          - generic/ubuntu1804
+          - generic/ubuntu2004
+          - generic/ubuntu2204
+          - generic/debian10
+          - generic/debian11
+          - generic/debian12
+          - generic/opensuse15
+          # - generic/arch  # needs fix for audit
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4
--- a/.github/workflows/ssh_hardening.yml
+++ b/.github/workflows/ssh_hardening.yml
@ -39,8 +39,8 @@ jobs:
          - centosstream9
          - rocky8
          - rocky9
-          - fedora37
          - fedora38
+          - fedora39
          - ubuntu1804
          - ubuntu2004
          - ubuntu2204
--- a/.github/workflows/ssh_hardening_bsd.yml
+++ b/.github/workflows/ssh_hardening_bsd.yml
@ -36,6 +36,8 @@ jobs:
        molecule_distro:
          - openbsd7
          - freebsd12
+          - freebsd13
+          - freebsd14
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4
--- a/.github/workflows/ssh_hardening_custom_tests.yml
+++ b/.github/workflows/ssh_hardening_custom_tests.yml
@ -39,8 +39,8 @@ jobs:
          - centosstream9
          - rocky8
          - rocky9
-          - fedora37
          - fedora38
+          - fedora39
          - ubuntu1804
          - ubuntu2004
          - ubuntu2204
--- a/molecule/os_hardening_vm/converge.yml
+++ b/molecule/os_hardening_vm/converge.yml
@ -13,6 +13,12 @@
      set_fact: 
        os_mnt_boot_enabled: false
      when: ansible_facts.os_family == 'Archlinux'
+    - name: overrides for Fedora image
+      set_fact: 
+        os_mnt_tmp_enabled: true
+        os_mnt_tmp_src: "tmpfs"
+        os_mnt_tmp_filesystem: "tmpfs"
+      when: ansible_facts.distribution == 'Fedora'
    - include_role:
        name: os_hardening
  vars:
@ -20,4 +26,5 @@
    os_auth_lockout_time: 15
    os_yum_repo_file_whitelist: ['foo.repo']
    os_mnt_boot_enabled: true
+    os_mnt_home_enabled: true
    os_mnt_boot_src: "/dev/vda1"
--- a/molecule/os_hardening_vm/molecule.yml
+++ b/molecule/os_hardening_vm/molecule.yml
@ -12,7 +12,7 @@ platforms:
  # since we also need to use different OS users to run the tests because of how molecule operates,
  # the VM names must be predictable by OS user (to clean up canceled runs)
  - name: "${USER}"
-    box: "generic/${MOLECULE_DISTRO}"
+    box: "${MOLECULE_DISTRO}"
    memory: 1024
    cpus: 2
 provisioner:
--- a/molecule/os_hardening_vm/prepare.yml
+++ b/molecule/os_hardening_vm/prepare.yml
@ -51,6 +51,12 @@
      shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
      changed_when: false

+    - name: Unmount EFI partition to get rid of vfat filesystem (qemu has no firmware image that inspec can detect)
+      ansible.posix.mount:
+        path: /boot/efi
+        state: unmounted
+      when: ansible_facts.distribution == 'Fedora'
+
    - name: include YUM prepare tasks
      include_tasks: prepare_tasks/yum.yml
      when: ansible_facts.os_family == 'RedHat'
--- a/molecule/ssh_hardening_bsd/waivers_freebsd13.yaml
+++ b/molecule/ssh_hardening_bsd/waivers_freebsd13.yaml
@ -0,0 +1,3 @@
+sshd-45:
+  run: false
+  justification: "PrintLastLog is broken on FreeBSD. see: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209441"
--- a/molecule/ssh_hardening_bsd/waivers_freebsd14.yaml
+++ b/molecule/ssh_hardening_bsd/waivers_freebsd14.yaml
@ -0,0 +1,3 @@
+sshd-45:
+  run: false
+  justification: "PrintLastLog is broken on FreeBSD. see: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209441"
--- a/roles/os_hardening/tasks/minimize_access.yml
+++ b/roles/os_hardening/tasks/minimize_access.yml
@ -93,7 +93,7 @@

 - name: Append special devices list to valid mountpoint list
  ansible.builtin.set_fact:
-    mountpoints_list: "{{ mountpoints_list + ['/dev', '/dev/shm', '/run'] }}"
+    mountpoints_list: "{{ mountpoints_list + ['/dev', '/dev/shm', '/run', '/tmp'] }}"

 - name: Minimize access for filesystems
  ansible.builtin.include_tasks: minimize_access_fs.yml
--- a/roles/ssh_hardening/meta/main.yml
+++ b/roles/ssh_hardening/meta/main.yml
@ -27,6 +27,8 @@ galaxy_info:
    - name: FreeBSD
      versions:
        - "12.2"
+        - "13.2"
+        - "14.0"
    - name: OpenBSD
      versions:
        - "7.0"