add testing and support for current versions of Fedora and FreeBSD (#709)
* add testing and support for current versions of Fedora and FreeBSD Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * add waivers for FreeBSD Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * use original fedora images Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * also harden /home mount Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * also harden /tmp mount Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * test mock efi directory Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * remove mock Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * umount efi Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * add /tmp to special mountpoints Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * set options for /tmp mount Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * create /tmp mount Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * create /tmp mount and mount it ... Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * make fewer changes to default test run Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * use correct Ansible var Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> --------- Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
This commit is contained in:
parent
4a5a6e18e7
commit
3d98cbf67b
12 changed files with 43 additions and 20 deletions
2
.github/workflows/os_hardening.yml
vendored
2
.github/workflows/os_hardening.yml
vendored
|
@ -39,8 +39,8 @@ jobs:
|
|||
- centosstream9
|
||||
- rocky8
|
||||
- rocky9
|
||||
- fedora37
|
||||
- fedora38
|
||||
- fedora39
|
||||
- ubuntu1804
|
||||
- ubuntu2004
|
||||
- ubuntu2204
|
||||
|
|
30
.github/workflows/os_hardening_vm.yml
vendored
30
.github/workflows/os_hardening_vm.yml
vendored
|
@ -34,21 +34,21 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
molecule_distro:
|
||||
- centos7
|
||||
- centos8s
|
||||
- centos9s
|
||||
- rocky8
|
||||
- rocky9
|
||||
- fedora37
|
||||
- fedora38
|
||||
- ubuntu1804
|
||||
- ubuntu2004
|
||||
- ubuntu2204
|
||||
- debian10
|
||||
- debian11
|
||||
- debian12
|
||||
- opensuse15
|
||||
# - arch # needs fix for audit
|
||||
- generic/centos7
|
||||
- generic/centos8s
|
||||
- generic/centos9s
|
||||
- generic/rocky8
|
||||
- generic/rocky9
|
||||
- fedora/38-cloud-base
|
||||
- fedora/39-cloud-base
|
||||
- generic/ubuntu1804
|
||||
- generic/ubuntu2004
|
||||
- generic/ubuntu2204
|
||||
- generic/debian10
|
||||
- generic/debian11
|
||||
- generic/debian12
|
||||
- generic/opensuse15
|
||||
# - generic/arch # needs fix for audit
|
||||
steps:
|
||||
- name: Checkout repo
|
||||
uses: actions/checkout@v4
|
||||
|
|
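Review bot: The new `molecule_distro` list mixes boxes from two different Vagrant Cloud publishers — `generic/*` (a third-party namespace) next to `fedora/38-cloud-base` and `fedora/39-cloud-base` — and nothing in the hunk records that the trust basis differs, so a reader cannot tell which images are project-published and which are rebuilt by an outside party. A comment above the list would make that explicit, e.g. `# generic/* boxes are third-party builds; fedora/* are published by the Fedora project`. The `# - generic/arch # needs fix for audit` entry carries the same reason as before and nothing here changes that.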
2
.github/workflows/ssh_hardening.yml
vendored
2
.github/workflows/ssh_hardening.yml
vendored
|
@ -39,8 +39,8 @@ jobs:
|
|||
- centosstream9
|
||||
- rocky8
|
||||
- rocky9
|
||||
- fedora37
|
||||
- fedora38
|
||||
- fedora39
|
||||
- ubuntu1804
|
||||
- ubuntu2004
|
||||
- ubuntu2204
|
||||
|
|
2
.github/workflows/ssh_hardening_bsd.yml
vendored
2
.github/workflows/ssh_hardening_bsd.yml
vendored
|
@ -36,6 +36,8 @@ jobs:
|
|||
molecule_distro:
|
||||
- openbsd7
|
||||
- freebsd12
|
||||
- freebsd13
|
||||
- freebsd14
|
||||
steps:
|
||||
- name: Checkout repo
|
||||
uses: actions/checkout@v4
|
||||
|
|
|
@ -39,8 +39,8 @@ jobs:
|
|||
- centosstream9
|
||||
- rocky8
|
||||
- rocky9
|
||||
- fedora37
|
||||
- fedora38
|
||||
- fedora39
|
||||
- ubuntu1804
|
||||
- ubuntu2004
|
||||
- ubuntu2204
|
||||
|
|
|
@ -13,6 +13,12 @@
|
|||
set_fact:
|
||||
os_mnt_boot_enabled: false
|
||||
when: ansible_facts.os_family == 'Archlinux'
|
||||
- name: overrides for Fedora image
|
||||
set_fact:
|
||||
os_mnt_tmp_enabled: true
|
||||
os_mnt_tmp_src: "tmpfs"
|
||||
os_mnt_tmp_filesystem: "tmpfs"
|
||||
when: ansible_facts.distribution == 'Fedora'
|
||||
- include_role:
|
||||
name: os_hardening
|
||||
vars:
|
||||
|
@ -20,4 +26,5 @@
|
|||
os_auth_lockout_time: 15
|
||||
os_yum_repo_file_whitelist: ['foo.repo']
|
||||
os_mnt_boot_enabled: true
|
||||
os_mnt_home_enabled: true
|
||||
os_mnt_boot_src: "/dev/vda1"
|
||||
|
|
|
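Review bot: The Fedora override at `os_mnt_tmp_src: "tmpfs"` puts /tmp on tmpfs but sets no mount options in this hunk, so whether /tmp ends up `nodev,nosuid,noexec` and size-capped depends entirely on the role default for the tmp options variable, which is outside this view. An uncapped tmpfs /tmp lets any local user exhaust memory by filling it, so if that default carries no `size=`, it belongs in the override, roughly `os_mnt_tmp_options: "nodev,nosuid,noexec,size=..."` — please confirm against the role defaults. The second hunk hard-codes `os_mnt_boot_src: "/dev/vda1"`, which is only true for the qemu test VM; a comment such as `# test VM only: /boot is /dev/vda1 under qemu` would stop it being copied into real inventories. The `include_role` vars block continues past the end of the hunk.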
@ -12,7 +12,7 @@ platforms:
|
|||
# since we also need to use different OS users to run the tests because of how molecule operates,
|
||||
# the VM names must be predictable by OS user (to clean up canceled runs)
|
||||
- name: "${USER}"
|
||||
box: "generic/${MOLECULE_DISTRO}"
|
||||
box: "${MOLECULE_DISTRO}"
|
||||
memory: 1024
|
||||
cpus: 2
|
||||
provisioner:
|
||||
|
|
|
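Review bot: `box: "${MOLECULE_DISTRO}"` now takes the full box name from the environment with no version pin next to it, so each run fetches whatever the publisher most recently pushed under that name — results are not reproducible, and a replaced or tampered upstream box would be booted as-is. If molecule's vagrant driver accepts `box_version` per platform (I believe it does), adding `box_version: "${MOLECULE_BOX_VERSION}"` and setting that per distro in the workflow matrix fixes the image the hardening tests actually ran against. The `platforms` entry continues outside the hunk.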
@ -51,6 +51,12 @@
|
|||
shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
|
||||
changed_when: false
|
||||
|
||||
- name: Unmount EFI partition to get rid of vfat filesystem (qemu has no firmware image that inspec can detect)
|
||||
ansible.posix.mount:
|
||||
path: /boot/efi
|
||||
state: unmounted
|
||||
when: ansible_facts.distribution == 'Fedora'
|
||||
|
||||
- name: include YUM prepare tasks
|
||||
include_tasks: prepare_tasks/yum.yml
|
||||
when: ansible_facts.os_family == 'RedHat'
|
||||
|
|
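Review bot: Unmounting `/boot/efi` in prepare means the Fedora scenario never exercises the role against a mounted vfat EFI partition, which is exactly what a UEFI production host has, so a regression in how os_hardening treats vfat would not surface here. The task name explains the inspec limitation but not this coverage gap; extend it with a comment such as `# NOTE: this also removes a mounted vfat /boot/efi from test coverage on Fedora`. `state: unmounted` only unmounts at runtime and leaves fstab untouched, so a reboot inside the scenario would remount it — fine for a single-boot run, but worth stating so nobody assumes the partition is gone for the whole scenario.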
3
molecule/ssh_hardening_bsd/waivers_freebsd13.yaml
Normal file
3
molecule/ssh_hardening_bsd/waivers_freebsd13.yaml
Normal file
|
@ -0,0 +1,3 @@
|
|||
sshd-45:
|
||||
run: false
|
||||
justification: "PrintLastLog is broken on FreeBSD. see: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209441"
|
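Review bot: `run: false` skips sshd-45 outright with no expiry, so this waiver will silently outlive the FreeBSD bug it cites. InSpec waiver files also take an `expiration_date:` key; adding one, e.g. `expiration_date: 2025-06-30`, makes the control come back and forces the justification to be re-checked against the bug tracker. If the intent is only to stop the run failing, dropping `run: false` (waive but still execute) keeps a visible record of the actual PrintLastLog state in each report.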
3
molecule/ssh_hardening_bsd/waivers_freebsd14.yaml
Normal file
3
molecule/ssh_hardening_bsd/waivers_freebsd14.yaml
Normal file
|
@ -0,0 +1,3 @@
|
|||
sshd-45:
|
||||
run: false
|
||||
justification: "PrintLastLog is broken on FreeBSD. see: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209441"
|
|
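Review bot: This file is byte-identical to waivers_freebsd13.yaml, so the two will drift the first time one is edited — for instance when the PrintLastLog fix lands in one release line but not the other. If the per-distro filename is required by how the scenario looks up waivers (not visible here), a comment `# keep in sync with waivers_freebsd13.yaml` is the minimum; otherwise a single shared waiver file referenced for both versions avoids the duplication.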
@ -93,7 +93,7 @@
|
|||
|
||||
- name: Append special devices list to valid mountpoint list
|
||||
ansible.builtin.set_fact:
|
||||
mountpoints_list: "{{ mountpoints_list + ['/dev', '/dev/shm', '/run'] }}"
|
||||
mountpoints_list: "{{ mountpoints_list + ['/dev', '/dev/shm', '/run', '/tmp'] }}"
|
||||
|
||||
- name: Minimize access for filesystems
|
||||
ansible.builtin.include_tasks: minimize_access_fs.yml
|
||||
|
|
|
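Review bot: `/tmp` is now appended unconditionally to `mountpoints_list` next to `/dev`, `/dev/shm` and `/run`, but unlike those three it is frequently not a separate mount at all; whatever minimize_access_fs.yml does per entry (outside the hunk) should be confirmed to tolerate a `/tmp` that is just a directory on the root filesystem, or the entry should be guarded, e.g. `+ (['/tmp'] if '/tmp' in (ansible_facts.mounts | map(attribute='mount')) else [])`. The task name still reads "Append special devices list", which `/tmp` is not; `Append special mountpoints to valid mountpoint list` would match the new contents.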
@ -27,6 +27,8 @@ galaxy_info:
|
|||
- name: FreeBSD
|
||||
versions:
|
||||
- "12.2"
|
||||
- "13.2"
|
||||
- "14.0"
|
||||
- name: OpenBSD
|
||||
versions:
|
||||
- "7.0"
|
||||
|
|