manually fix remaining problems
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
This commit is contained in:
parent
7e33ea0bae
commit
422fb940a9
23 changed files with 78 additions and 65 deletions
@ -18,3 +18,4 @@ mock_roles:
|
||||||
|
|
||||||
skip_list:
|
skip_list:
|
||||||
- var-naming[no-role-prefix]
|
- var-naming[no-role-prefix]
|
||||||
|
- meta-runtime[unsupported-version]
|
||||||
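Review bot: The added `- meta-runtime[unsupported-version]` entry silences the lint finding instead of resolving it; that rule fires when the collection's `meta/runtime.yml` declares a `requires_ansible` range that still admits an ansible-core release no longer supported, and skipping it hides an out-of-date support floor from future runs. `meta/runtime.yml` is not in this diff, so I cannot tell whether raising the lower bound there is blocked by something; if it is only deferred, a comment on the skip entry such as `# TODO: drop once requires_ansible in meta/runtime.yml is raised` keeps the debt visible. The enclosing `skip_list` mapping begins before this hunk.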
|
|
|
@ -22,6 +22,9 @@ tags:
|
||||||
- nginx_hardening
|
- nginx_hardening
|
||||||
- os_hardening
|
- os_hardening
|
||||||
- ssh_hardening
|
- ssh_hardening
|
||||||
|
- database
|
||||||
|
- linux
|
||||||
|
- security
|
||||||
dependencies:
|
dependencies:
|
||||||
ansible.posix: '>=1.0.0'
|
ansible.posix: '>=1.0.0'
|
||||||
community.crypto: '>=1.0.0'
|
community.crypto: '>=1.0.0'
|
||||||
|
|
|
@ -35,19 +35,20 @@
|
||||||
|
|
||||||
- name: Run the equivalent of "apt-get update && apt-get upgrade"
|
- name: Run the equivalent of "apt-get update && apt-get upgrade"
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
name: "*"
|
upgrade: safe
|
||||||
state: latest
|
|
||||||
update_cache: true
|
update_cache: true
|
||||||
when: ansible_os_family == 'Debian'
|
when: ansible_os_family == 'Debian'
|
||||||
|
|
||||||
- name: Install required python packages on Suse
|
- name: Install required python packages on Suse
|
||||||
ansible.builtin.command: zypper -n install python-xml python3-rpm python3-PyMySQL
|
ansible.builtin.command: zypper -n install python-xml python3-rpm python3-PyMySQL
|
||||||
|
changed_when: false
|
||||||
when: ansible_os_family == 'Suse'
|
when: ansible_os_family == 'Suse'
|
||||||
|
|
||||||
- name: Create missing directory
|
- name: Create missing directory
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: /etc/mysql/conf.d
|
path: /etc/mysql/conf.d
|
||||||
state: directory
|
state: directory
|
||||||
|
mode: "0770"
|
||||||
|
|
||||||
- name: Determine required MySQL Python libraries (Ubuntu Focal Fossa ++)
|
- name: Determine required MySQL Python libraries (Ubuntu Focal Fossa ++)
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
|
@ -72,7 +73,8 @@
|
||||||
- ansible_os_family == "RedHat"
|
- ansible_os_family == "RedHat"
|
||||||
- ansible_distribution_major_version == "7"
|
- ansible_distribution_major_version == "7"
|
||||||
|
|
||||||
- ansible.builtin.include_role:
|
- name: Install mysql with a generic Ansible role
|
||||||
|
ansible.builtin.include_role:
|
||||||
name: dev-sec.mysql
|
name: dev-sec.mysql
|
||||||
|
|
||||||
- name: Include MySQL user prepare tasks
|
- name: Include MySQL user prepare tasks
|
||||||
|
|
|
@ -7,8 +7,9 @@
|
||||||
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
||||||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||||
vars:
|
vars:
|
||||||
- nginx_ppa_use: true
|
nginx_ppa_use: true
|
||||||
- nginx_ppa_version: stable
|
nginx_ppa_version: stable
|
||||||
tasks:
|
tasks:
|
||||||
- ansible.builtin.include_role:
|
- name: Include nginx_hardening role
|
||||||
|
ansible.builtin.include_role:
|
||||||
name: devsec.hardening.nginx_hardening
|
name: devsec.hardening.nginx_hardening
|
||||||
|
|
|
@ -2,23 +2,23 @@
|
||||||
- name: Wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
|
- name: Wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
|
||||||
hosts: localhost
|
hosts: localhost
|
||||||
vars:
|
vars:
|
||||||
- nginx_main_template_enable: true
|
nginx_main_template_enable: true
|
||||||
- nginx_main_template:
|
nginx_main_template:
|
||||||
template_file: nginx.conf.j2
|
template_file: nginx.conf.j2
|
||||||
conf_file_name: nginx.conf
|
conf_file_name: nginx.conf
|
||||||
conf_file_location: /etc/nginx/
|
conf_file_location: /etc/nginx/
|
||||||
user: www-data
|
user: www-data
|
||||||
worker_processes: auto
|
worker_processes: auto
|
||||||
error_level: warn
|
error_level: warn
|
||||||
worker_connections: 1024
|
worker_connections: 1024
|
||||||
http_enable: true
|
http_enable: true
|
||||||
http_settings:
|
http_settings:
|
||||||
keepalive_timeout: 65
|
keepalive_timeout: 65
|
||||||
cache: false
|
cache: false
|
||||||
rate_limit: false
|
rate_limit: false
|
||||||
keyval: false
|
keyval: false
|
||||||
stream_enable: false
|
stream_enable: false
|
||||||
http_global_autoindex: false
|
http_global_autoindex: false
|
||||||
roles:
|
roles:
|
||||||
- nginxinc.nginx
|
- nginxinc.nginx
|
||||||
- nginx_hardening
|
- nginx_hardening
|
||||||
|
|
|
@ -24,5 +24,6 @@
|
||||||
ansible_distribution_major_version: 7
|
ansible_distribution_major_version: 7
|
||||||
when: ansible_distribution == 'Amazon'
|
when: ansible_distribution == 'Amazon'
|
||||||
|
|
||||||
- ansible.builtin.include_role:
|
- name: Install nginx with a generic Ansible role
|
||||||
|
ansible.builtin.include_role:
|
||||||
name: geerlingguy.nginx
|
name: geerlingguy.nginx
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
---
|
---
|
||||||
roles:
|
roles:
|
||||||
- geerlingguy.nginx
|
- name: geerlingguy.nginx
|
||||||
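Review bot: The rewritten entry `- name: geerlingguy.nginx` still carries no `version:`, so every test run installs whatever the Galaxy server currently serves for that role, which makes the test bed non-reproducible and lets an upstream change land unreviewed. Pinning it as `- name: geerlingguy.nginx` followed by `  version: "<pinned-release-tag>"` (placeholder, pick the release you validated against) fixes the input; the same applies to the `- name: geerlingguy.git` entry at L928.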
|
|
|
@ -6,14 +6,13 @@
|
||||||
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
|
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
|
||||||
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
||||||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||||
collections:
|
|
||||||
- devsec.hardening
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Workaround for https://github.com/ansible/ansible/issues/66304
|
- name: Workaround for https://github.com/ansible/ansible/issues/66304
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
ansible_virtualization_type: docker
|
ansible_virtualization_type: docker
|
||||||
- ansible.builtin.include_role:
|
- name: Include os_hardening role
|
||||||
name: os_hardening
|
ansible.builtin.include_role:
|
||||||
|
name: devsec.hardening.os_hardening
|
||||||
vars:
|
vars:
|
||||||
os_security_users_allow: change_user
|
os_security_users_allow: change_user
|
||||||
os_security_kernel_enable_core_dump: false
|
os_security_kernel_enable_core_dump: false
|
||||||
|
@ -73,8 +72,6 @@
|
||||||
# - name: wrapper playbook for kitchen testing "ansible-os-hardening"
|
# - name: wrapper playbook for kitchen testing "ansible-os-hardening"
|
||||||
# hosts: all
|
# hosts: all
|
||||||
# become: true
|
# become: true
|
||||||
# collections:
|
|
||||||
# - devsec.hardening
|
|
||||||
# vars:
|
# vars:
|
||||||
# os_auditd_enabled: false
|
# os_auditd_enabled: false
|
||||||
# tasks:
|
# tasks:
|
||||||
|
@ -89,4 +86,4 @@
|
||||||
# when: ansible_facts.os_family == 'Debian'
|
# when: ansible_facts.os_family == 'Debian'
|
||||||
#
|
#
|
||||||
# - include_role:
|
# - include_role:
|
||||||
# name: os_hardening
|
# name: devsec.hardening.os_hardening
|
||||||
|
|
|
@ -14,14 +14,14 @@
|
||||||
|
|
||||||
- name: Run the equivalent of "apt-get update && apt-get upgrade"
|
- name: Run the equivalent of "apt-get update && apt-get upgrade"
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
name: "*"
|
upgrade: safe
|
||||||
state: latest
|
|
||||||
update_cache: true
|
update_cache: true
|
||||||
when: ansible_os_family == 'Debian'
|
when: ansible_os_family == 'Debian'
|
||||||
|
|
||||||
- name: Install required tools on SuSE
|
- name: Install required tools on SuSE
|
||||||
# cannot use zypper module, since it depends on python-xml
|
# cannot use zypper module, since it depends on python-xml
|
||||||
ansible.builtin.command: zypper -n install python-xml awk
|
ansible.builtin.command: zypper -n install python-xml awk
|
||||||
|
changed_when: false
|
||||||
when: ansible_facts.os_family == 'Suse'
|
when: ansible_facts.os_family == 'Suse'
|
||||||
|
|
||||||
- name: Install required tools on fedora
|
- name: Install required tools on fedora
|
||||||
|
|
|
@ -67,8 +67,6 @@
|
||||||
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
|
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
|
||||||
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
||||||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||||
collections:
|
|
||||||
- devsec.hardening
|
|
||||||
tasks:
|
tasks:
|
||||||
# test if variable can be overridden
|
# test if variable can be overridden
|
||||||
- name: Workaround for https://github.com/ansible/ansible/issues/66304
|
- name: Workaround for https://github.com/ansible/ansible/issues/66304
|
||||||
|
@ -76,8 +74,9 @@
|
||||||
ansible_virtualization_type: docker
|
ansible_virtualization_type: docker
|
||||||
os_env_umask: "027 #override"
|
os_env_umask: "027 #override"
|
||||||
|
|
||||||
- ansible.builtin.include_role:
|
- name: Include os_hardening role
|
||||||
name: os_hardening
|
ansible.builtin.include_role:
|
||||||
|
name: devsec.hardening.os_hardening
|
||||||
|
|
||||||
- name: Verify os_env_umask
|
- name: Verify os_env_umask
|
||||||
ansible.builtin.command:
|
ansible.builtin.command:
|
||||||
|
|
|
@ -6,8 +6,6 @@
|
||||||
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
|
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
|
||||||
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
||||||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||||
collections:
|
|
||||||
- devsec.hardening
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Override for arch
|
- name: Override for arch
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
|
@ -22,8 +20,9 @@
|
||||||
os_mnt_tmp_src: tmpfs
|
os_mnt_tmp_src: tmpfs
|
||||||
os_mnt_tmp_filesystem: tmpfs
|
os_mnt_tmp_filesystem: tmpfs
|
||||||
when: ansible_facts.distribution == 'Fedora'
|
when: ansible_facts.distribution == 'Fedora'
|
||||||
- ansible.builtin.include_role:
|
- name: Include os_hardening role
|
||||||
name: os_hardening
|
ansible.builtin.include_role:
|
||||||
|
name: devsec.hardening.os_hardening
|
||||||
vars:
|
vars:
|
||||||
os_auth_pam_passwdqc_enable: false
|
os_auth_pam_passwdqc_enable: false
|
||||||
os_auth_lockout_time: 15
|
os_auth_lockout_time: 15
|
||||||
|
|
|
@ -14,12 +14,14 @@
|
||||||
|
|
||||||
- name: Run the equivalent of "apt-get update && apt-get upgrade"
|
- name: Run the equivalent of "apt-get update && apt-get upgrade"
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
|
upgrade: safe
|
||||||
update_cache: true
|
update_cache: true
|
||||||
when: ansible_os_family == 'Debian'
|
when: ansible_os_family == 'Debian'
|
||||||
|
|
||||||
- name: Install required tools on SuSE
|
- name: Install required tools on SuSE
|
||||||
# cannot use zypper module, since it depends on python-xml
|
# cannot use zypper module, since it depends on python-xml
|
||||||
ansible.builtin.command: zypper -n install python-xml
|
ansible.builtin.command: zypper -n install python-xml
|
||||||
|
changed_when: false
|
||||||
when: ansible_facts.os_family == 'Suse'
|
when: ansible_facts.os_family == 'Suse'
|
||||||
|
|
||||||
- name: Install required tools on fedora
|
- name: Install required tools on fedora
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
---
|
---
|
||||||
roles:
|
roles:
|
||||||
- geerlingguy.git
|
- name: geerlingguy.git
|
||||||
|
|
|
@ -34,6 +34,7 @@
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
content: "{{ ssh_config.stdout_lines | join ('\n') }}"
|
content: "{{ ssh_config.stdout_lines | join ('\n') }}"
|
||||||
dest: "{{ molecule_ephemeral_directory }}/ssh-config"
|
dest: "{{ molecule_ephemeral_directory }}/ssh-config"
|
||||||
|
mode: "0400"
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
|
||||||
- name: Execute cinc-auditor tests
|
- name: Execute cinc-auditor tests
|
||||||
|
|
|
@ -6,7 +6,8 @@
|
||||||
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
||||||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||||
tasks:
|
tasks:
|
||||||
- ansible.builtin.include_role:
|
- name: Include ssh_hardening role
|
||||||
|
ansible.builtin.include_role:
|
||||||
name: devsec.hardening.ssh_hardening
|
name: devsec.hardening.ssh_hardening
|
||||||
vars:
|
vars:
|
||||||
sftp_enabled: false
|
sftp_enabled: false
|
||||||
|
|
|
@ -44,6 +44,7 @@
|
||||||
- name: Install required tools on SuSE
|
- name: Install required tools on SuSE
|
||||||
# cannot use zypper module, since it depends on python-xml
|
# cannot use zypper module, since it depends on python-xml
|
||||||
ansible.builtin.command: zypper -n install python-xml
|
ansible.builtin.command: zypper -n install python-xml
|
||||||
|
changed_when: false
|
||||||
when: ansible_facts.os_family == 'Suse'
|
when: ansible_facts.os_family == 'Suse'
|
||||||
|
|
||||||
- name: Install packages
|
- name: Install packages
|
||||||
|
@ -65,10 +66,13 @@
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: /var/run/sshd
|
path: /var/run/sshd
|
||||||
state: directory
|
state: directory
|
||||||
|
mode: "0755"
|
||||||
|
|
||||||
- name: Create ssh host keys # noqa ignore-errors
|
- name: Create ssh host keys # noqa ignore-errors
|
||||||
ansible.builtin.command: ssh-keygen -A
|
ansible.builtin.command: ssh-keygen -A
|
||||||
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or ansible_facts.distribution == "Fedora"
|
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
|
||||||
or ansible_facts.distribution == "Amazon" or ansible_facts.os_family == "Suse"
|
or ansible_facts.distribution == "Fedora"
|
||||||
|
or ansible_facts.distribution == "Amazon"
|
||||||
|
or ansible_facts.os_family == "Suse"
|
||||||
changed_when: false
|
changed_when: false
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
|
|
|
@ -6,7 +6,8 @@
|
||||||
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
||||||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||||
tasks:
|
tasks:
|
||||||
- ansible.builtin.include_role:
|
- name: Include ssh_hardening role
|
||||||
|
ansible.builtin.include_role:
|
||||||
name: devsec.hardening.ssh_hardening
|
name: devsec.hardening.ssh_hardening
|
||||||
vars:
|
vars:
|
||||||
sftp_enabled: false
|
sftp_enabled: false
|
||||||
|
|
|
@ -7,6 +7,7 @@
|
||||||
- name: Install python
|
- name: Install python
|
||||||
# BSDs are special for Ansible - https://docs.ansible.com/ansible/latest/os_guide/intro_bsd.html
|
# BSDs are special for Ansible - https://docs.ansible.com/ansible/latest/os_guide/intro_bsd.html
|
||||||
ansible.builtin.raw: pkg_add python%3.10
|
ansible.builtin.raw: pkg_add python%3.10
|
||||||
|
changed_when: false
|
||||||
when: lookup('env', 'MOLECULE_DISTRO') == 'openbsd7'
|
when: lookup('env', 'MOLECULE_DISTRO') == 'openbsd7'
|
||||||
|
|
||||||
- name: Wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
|
- name: Wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
|
||||||
|
@ -21,10 +22,13 @@
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: /var/run/sshd
|
path: /var/run/sshd
|
||||||
state: directory
|
state: directory
|
||||||
|
mode: "0755"
|
||||||
|
|
||||||
- name: Create ssh host keys # noqa ignore-errors
|
- name: Create ssh host keys # noqa ignore-errors
|
||||||
ansible.builtin.command: ssh-keygen -A
|
ansible.builtin.command: ssh-keygen -A
|
||||||
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or ansible_facts.distribution == "Fedora"
|
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
|
||||||
or ansible_facts.distribution == "Amazon" or ansible_facts.os_family == "Suse"
|
or ansible_facts.distribution == "Fedora"
|
||||||
|
or ansible_facts.distribution == "Amazon"
|
||||||
|
or ansible_facts.os_family == "Suse"
|
||||||
changed_when: false
|
changed_when: false
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
|
|
|
@ -8,6 +8,7 @@
|
||||||
src: /usr/bin/which
|
src: /usr/bin/which
|
||||||
dest: /usr/bin/type
|
dest: /usr/bin/type
|
||||||
state: hard
|
state: hard
|
||||||
|
mode: "0770"
|
||||||
when: lookup('env', 'MOLECULE_DISTRO') == 'openbsd7'
|
when: lookup('env', 'MOLECULE_DISTRO') == 'openbsd7'
|
||||||
|
|
||||||
- name: Verify
|
- name: Verify
|
||||||
|
@ -28,6 +29,7 @@
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
content: "{{ ssh_config.stdout_lines | join ('\n') }}"
|
content: "{{ ssh_config.stdout_lines | join ('\n') }}"
|
||||||
dest: "{{ molecule_ephemeral_directory }}/ssh-config"
|
dest: "{{ molecule_ephemeral_directory }}/ssh-config"
|
||||||
|
mode: "0400"
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
|
||||||
- name: Execute cinc-auditor tests
|
- name: Execute cinc-auditor tests
|
||||||
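Review bot: `mode: "0770"` on the `state: hard` link task changes permissions on the shared inode, so it re-modes `/usr/bin/which` itself on the openbsd7 instance and removes world execute from a system binary, which is broader than creating the `type` alias needs. Hard links have no mode of their own, so if a mode must be set at all the value should match an installed binary, `mode: "0755"`; otherwise dropping the line leaves the original permissions untouched. The task's first lines (the `file:` module call) are outside this hunk.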
|
|
|
@ -6,11 +6,10 @@
|
||||||
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
|
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
|
||||||
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
||||||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||||
collections:
|
|
||||||
- devsec.hardening
|
|
||||||
tasks:
|
tasks:
|
||||||
- ansible.builtin.include_role:
|
- name: Include ssh_hardening role
|
||||||
name: ssh_hardening
|
ansible.builtin.include_role:
|
||||||
|
name: devsec.hardening.ssh_hardening
|
||||||
vars:
|
vars:
|
||||||
ssh_trusted_user_ca_keys_file: /etc/ssh/ca.pub
|
ssh_trusted_user_ca_keys_file: /etc/ssh/ca.pub
|
||||||
ssh_trusted_user_ca_keys:
|
ssh_trusted_user_ca_keys:
|
||||||
|
|
|
@ -44,6 +44,7 @@
|
||||||
- name: Install required tools on SuSE
|
- name: Install required tools on SuSE
|
||||||
# cannot use zypper module, since it depends on python-xml
|
# cannot use zypper module, since it depends on python-xml
|
||||||
ansible.builtin.command: zypper -n install python-xml
|
ansible.builtin.command: zypper -n install python-xml
|
||||||
|
changed_when: false
|
||||||
when: ansible_facts.os_family == 'Suse'
|
when: ansible_facts.os_family == 'Suse'
|
||||||
|
|
||||||
- name: Install packages
|
- name: Install packages
|
||||||
|
@ -65,10 +66,13 @@
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: /var/run/sshd
|
path: /var/run/sshd
|
||||||
state: directory
|
state: directory
|
||||||
|
mode: "0755"
|
||||||
|
|
||||||
- name: Create ssh host keys # noqa ignore-errors
|
- name: Create ssh host keys # noqa ignore-errors
|
||||||
ansible.builtin.command: ssh-keygen -A
|
ansible.builtin.command: ssh-keygen -A
|
||||||
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or ansible_facts.distribution == "Fedora"
|
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
|
||||||
or ansible_facts.distribution == "Amazon" or ansible_facts.os_family == "Suse"
|
or ansible_facts.distribution == "Fedora"
|
||||||
|
or ansible_facts.distribution == "Amazon"
|
||||||
|
or ansible_facts.os_family == "Suse"
|
||||||
changed_when: false
|
changed_when: false
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
|
|
|
@ -933,8 +933,6 @@ If you're using Docker / Kubernetes+Docker you'll need to override the ipv4 ip f
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
- hosts: localhost
|
- hosts: localhost
|
||||||
collections:
|
|
||||||
- devsec.hardening
|
|
||||||
roles:
|
roles:
|
||||||
- devsec.hardening.os_hardening
|
- devsec.hardening.os_hardening
|
||||||
vars:
|
vars:
|
||||||
|
@ -961,8 +959,6 @@ We are setting this sysctl to a default of `32`, some systems only support small
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
- hosts: localhost
|
- hosts: localhost
|
||||||
collections:
|
|
||||||
- devsec.hardening
|
|
||||||
roles:
|
roles:
|
||||||
- devsec.hardening.os_hardening
|
- devsec.hardening.os_hardening
|
||||||
vars:
|
vars:
|
||||||
|
@ -984,10 +980,8 @@ So for example if you want to change the IPv4 traffic forwarding variable to `1`
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
- hosts: localhost
|
- hosts: localhost
|
||||||
collections:
|
|
||||||
- devsec.hardening
|
|
||||||
roles:
|
roles:
|
||||||
- os_hardening
|
- devsec.hardening.os_hardening
|
||||||
vars:
|
vars:
|
||||||
sysctl_overwrite:
|
sysctl_overwrite:
|
||||||
# Enable IPv4 traffic forwarding.
|
# Enable IPv4 traffic forwarding.
|
||||||
|
|
|
@ -453,10 +453,8 @@ Example playbook:
|
||||||
|
|
||||||
```yml
|
```yml
|
||||||
- hosts: localhost
|
- hosts: localhost
|
||||||
collections:
|
|
||||||
- devsec.hardening
|
|
||||||
roles:
|
roles:
|
||||||
- ssh_hardening
|
- devsec.hardening.ssh_hardening
|
||||||
vars:
|
vars:
|
||||||
ssh_custom_options:
|
ssh_custom_options:
|
||||||
- "Include /etc/ssh/ssh_config.d/*"
|
- "Include /etc/ssh/ssh_config.d/*"
|
||||||
|
|