Merge branch 'master' into tally

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "pip" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "daily"

CHANGELOG.md

@@ -1,15 +1,26 @@
 # Changelog
 
-## [7.2.1](https://github.com/dev-sec/ansible-collection-hardening/tree/7.2.1) (2021-02-10)
+## [7.3.0](https://github.com/dev-sec/ansible-collection-hardening/tree/7.3.0) (2021-03-11)
 
-[Full Changelog](https://github.com/dev-sec/ansible-collection-hardening/compare/7.2.0...7.2.1)
+[Full Changelog](https://github.com/dev-sec/ansible-collection-hardening/compare/7.2.0...7.3.0)
 
 **Implemented enhancements:**
 
+- Extend GSSAPI configuration support to ssh\_config [\#403](https://github.com/dev-sec/ansible-collection-hardening/pull/403) ([wzzrd](https://github.com/wzzrd))
 - add restart handler variable for mysql role [\#399](https://github.com/dev-sec/ansible-collection-hardening/pull/399) ([rndmh3ro](https://github.com/rndmh3ro))
 
+**Closed issues:**
+
+- Unable to connect with SSH \(Permission denied \(publickey\)\) [\#411](https://github.com/dev-sec/ansible-collection-hardening/issues/411)
+- TASK \[os\_hardening : configure auditd | package-08\] [\#410](https://github.com/dev-sec/ansible-collection-hardening/issues/410)
+- Collection throws undefined ansible\_role\_name error in auditd task [\#409](https://github.com/dev-sec/ansible-collection-hardening/issues/409)
+- Ensure permissions on /etc/crontab are configured [\#375](https://github.com/dev-sec/ansible-collection-hardening/issues/375)
+- Documentation should be updated [\#361](https://github.com/dev-sec/ansible-collection-hardening/issues/361)
+
 **Merged pull requests:**
 
+- Ensure permissions on /etc/crontab are configured [\#405](https://github.com/dev-sec/ansible-collection-hardening/pull/405) ([joubbi](https://github.com/joubbi))
+- remove FQCN from roles in examples [\#404](https://github.com/dev-sec/ansible-collection-hardening/pull/404) ([schurzi](https://github.com/schurzi))
 - do not install mysql python package on target host [\#401](https://github.com/dev-sec/ansible-collection-hardening/pull/401) ([rndmh3ro](https://github.com/rndmh3ro))
 - make wrong password fail task [\#400](https://github.com/dev-sec/ansible-collection-hardening/pull/400) ([rndmh3ro](https://github.com/rndmh3ro))
 
@@ -36,7 +47,6 @@
 
 **Merged pull requests:**
 
-- update ansible-lint to version 5 [\#397](https://github.com/dev-sec/ansible-collection-hardening/pull/397) ([schurzi](https://github.com/schurzi))
 - fix minimum required ansible version in docs [\#390](https://github.com/dev-sec/ansible-collection-hardening/pull/390) ([schurzi](https://github.com/schurzi))
 
 ## [7.1.1](https://github.com/dev-sec/ansible-collection-hardening/tree/7.1.1) (2021-02-05)
@@ -89,6 +99,7 @@
 
 **Merged pull requests:**
 
+- update ansible-lint to version 5 [\#397](https://github.com/dev-sec/ansible-collection-hardening/pull/397) ([schurzi](https://github.com/schurzi))
 - use version tag for changelog action [\#386](https://github.com/dev-sec/ansible-collection-hardening/pull/386) ([schurzi](https://github.com/schurzi))
 - make release workflow manually runnable [\#384](https://github.com/dev-sec/ansible-collection-hardening/pull/384) ([schurzi](https://github.com/schurzi))
 - run labeler workflow with higher privileges [\#383](https://github.com/dev-sec/ansible-collection-hardening/pull/383) ([schurzi](https://github.com/schurzi))
@@ -120,6 +131,7 @@
 - Mount proc filesystem using hidepid option [\#283](https://github.com/dev-sec/ansible-collection-hardening/pull/283) ([alegrey91](https://github.com/alegrey91))
 - unify changelog and release actions [\#279](https://github.com/dev-sec/ansible-collection-hardening/pull/279) ([rndmh3ro](https://github.com/rndmh3ro))
 - purge insecure packages [\#275](https://github.com/dev-sec/ansible-collection-hardening/pull/275) ([chris-rock](https://github.com/chris-rock))
+- add changelog and release workflow [\#271](https://github.com/dev-sec/ansible-collection-hardening/pull/271) ([rndmh3ro](https://github.com/rndmh3ro))
 
 **Fixed bugs:**
 

README.md

@@ -50,6 +50,12 @@ In progress, not working:
 - [apache_hardening](roles/apache_hardening/)
 - [windows_hardening](roles/windows_hardening/)
 
+## Installation
+
+Install the collection via ansible-galaxy:
+
+`ansible-galaxy collection install devsec.hardening`
+
 ## Using this collection
 
 Please refer to the examples in the readmes of the role.

roles/mysql_hardening/README.md

@@ -24,7 +24,7 @@ It configures:
   collections:
     - devsec.hardening
   roles:
-    - devsec.hardening.mysql_hardening
+    - mysql_hardening
 ```
 
 This role expects an existing installation of MySQL or MariaDB. Please ensure that the following variables are set accordingly:

roles/nginx_hardening/README.md

@@ -83,7 +83,7 @@ It works with the following nginx-roles, including, but not limited to:
   collections:
     - devsec.hardening
   roles:
-    - devsec.hardening.nginx_hardening
+    - nginx_hardening
 ```
 
 [nginx_client_body_buffer_size]: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size

roles/os_hardening/README.md

@@ -222,7 +222,7 @@ To prevent some of the filesystems from being disabled, add them to the `os_file
   collections:
     - devsec.hardening
   roles:
-    - devsec.hardening.os_hardening
+    - os_hardening
 ```
 
 ## Changing sysctl variables
@@ -235,7 +235,7 @@ So for example if you want to change the IPv4 traffic forwarding variable to `1`
   collections:
     - devsec.hardening
   roles:
-    - devsec.hardening.os_hardening
+    - os_hardening
   vars:
     sysctl_overwrite:
       # Enable IPv4 traffic forwarding.

roles/os_hardening/tasks/cron.yml

@@ -0,0 +1,28 @@
+---
+# Granting write access to this directory for non-privileged users could provide
+# them the means for gaining unauthorized elevated privileges.
+# Granting read access to this directory could give an unprivileged user insight
+# in how to gain elevated privileges or circumvent auditing controls.
+# CIS 5.1.2 - CIS 5.1.7
+#
+- name: Find cron files and directories
+  find:
+    paths:
+      - /etc
+    patterns:
+      - cron.hourly
+      - cron.daily
+      - cron.weekly
+      - cron.monthly
+      - cron.d
+      - crontab
+    file_type: any
+  register: cron_directories
+
+- name: Ensure permissions on cron files and directories are configured
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    owner: root
+    group: root
+    mode: og-rwx
+  with_items: "{{ cron_directories.files }}"

roles/os_hardening/tasks/hardening.yml

@@ -25,6 +25,9 @@
   tags: auditd
   when: os_auditd_enabled | bool
 
+- import_tasks: cron.yml
+  tags: cron
+
 - import_tasks: limits.yml
   tags: limits
 

roles/ssh_hardening/README.md

@@ -76,7 +76,10 @@ Warning: This role disables root-login on the target server! Please make sure yo
   - Description: false to disable pam authentication.
 - `ssh_gssapi_support`
   - Default: `false`
-  - Description: true if SSH has GSSAPI support.
+  - Description: Set to true to enable GSSAPI authentication (both client and server).
+- `ssh_gssapi_delegation`
+  - Default: `false`
+  - Description: Set to true to enable GSSAPI credential forwarding.
 - `ssh_kerberos_support`
   - Default: `true`
   - Description: true if SSH has Kerberos support.
@@ -241,7 +244,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
   collections:
     - devsec.hardening
   roles:
-    - devsec.hardening.ssh_hardening
+    - ssh_hardening
 ```
 
 ## Configuring settings not listed in role-variables
@@ -255,7 +258,7 @@ Example playbook:
   collections:
     - devsec.hardening
   roles:
-    - devsec.hardening.ssh_hardening
+    - ssh_hardening
   vars:
     ssh_custom_options:
       - "Include /etc/ssh/ssh_config.d/*"

roles/ssh_hardening/defaults/main.yml

@@ -91,9 +91,12 @@ ssh_use_pam: true                   # sshd
 # specify AuthenticationMethods
 sshd_authenticationmethods: 'publickey'
 
-# true if SSH support GSSAPI
+# Set to true to enable GSSAPI authentication (both client and server)
 ssh_gssapi_support: false
 
+# Set to true to enable GSSAPI credential forwarding
+ssh_gssapi_delegation: false
+
 # if specified, login is disallowed for user names that match one of the patterns.
 ssh_deny_users: ''                  # sshd
 

roles/ssh_hardening/templates/openssh.conf.j2

@@ -104,8 +104,8 @@ RSAAuthentication yes
 PasswordAuthentication {{ 'yes' if ssh_client_password_login else 'no' }}
 
 # Only use GSSAPIAuthentication if implemented on the network.
-GSSAPIAuthentication no
-GSSAPIDelegateCredentials no
+GSSAPIAuthentication {{ 'yes' if (ssh_gssapi_support|bool) else 'no' }}
+GSSAPIDelegateCredentials {{ 'yes' if (ssh_gssapi_delegation|bool) else 'no' }}
 
 # Disable tunneling
 Tunnel no