mirror of
https://github.com/dev-sec/ansible-collection-hardening
synced 2024-09-20 13:21:52 +00:00
Merge branch 'master' into tally
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
This commit is contained in:
commit
5f97dffddf
11 changed files with 79 additions and 13 deletions
11
.github/dependabot.yml
vendored
Normal file
|
@ -0,0 +1,11 @@
|
|||
# To get started with Dependabot version updates, you'll need to specify which
|
||||
# package ecosystems to update and where the package manifests are located.
|
||||
# Please see the documentation for all configuration options:
|
||||
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
|
||||
|
||||
version: 2
|
||||
updates:
|
||||
- package-ecosystem: "pip" # See documentation for possible values
|
||||
directory: "/" # Location of package manifests
|
||||
schedule:
|
||||
interval: "daily"
|
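Review bot: only the `pip` ecosystem at `directory: "/"` is configured, yet the CHANGELOG entries in this same changeset (#386 "use version tag for changelog action", #384 "make release workflow manually runnable", #383 "run labeler workflow with higher privileges") show the repository depends on GitHub Actions; add a second entry `- package-ecosystem: "github-actions"` with `directory: "/"` so pinned action versions also receive update pull requests. The four template comment lines ("To get started with Dependabot version updates ...") and the inline "# See documentation for possible values" add nothing once the file exists and can be dropped.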
18
CHANGELOG.md
|
@ -1,15 +1,26 @@
|
|||
# Changelog
|
||||
|
||||
## [7.2.1](https://github.com/dev-sec/ansible-collection-hardening/tree/7.2.1) (2021-02-10)
|
||||
## [7.3.0](https://github.com/dev-sec/ansible-collection-hardening/tree/7.3.0) (2021-03-11)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-collection-hardening/compare/7.2.0...7.2.1)
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-collection-hardening/compare/7.2.0...7.3.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- Extend GSSAPI configuration support to ssh\_config [\#403](https://github.com/dev-sec/ansible-collection-hardening/pull/403) ([wzzrd](https://github.com/wzzrd))
|
||||
- add restart handler variable for mysql role [\#399](https://github.com/dev-sec/ansible-collection-hardening/pull/399) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
**Closed issues:**
|
||||
|
||||
- Unable to connect with SSH \(Permission denied \(publickey\)\) [\#411](https://github.com/dev-sec/ansible-collection-hardening/issues/411)
|
||||
- TASK \[os\_hardening : configure auditd | package-08\] [\#410](https://github.com/dev-sec/ansible-collection-hardening/issues/410)
|
||||
- Collection throws undefined ansible\_role\_name error in auditd task [\#409](https://github.com/dev-sec/ansible-collection-hardening/issues/409)
|
||||
- Ensure permissions on /etc/crontab are configured [\#375](https://github.com/dev-sec/ansible-collection-hardening/issues/375)
|
||||
- Documentation should be updated [\#361](https://github.com/dev-sec/ansible-collection-hardening/issues/361)
|
||||
|
||||
**Merged pull requests:**
|
||||
|
||||
- Ensure permissions on /etc/crontab are configured [\#405](https://github.com/dev-sec/ansible-collection-hardening/pull/405) ([joubbi](https://github.com/joubbi))
|
||||
- remove FQCN from roles in examples [\#404](https://github.com/dev-sec/ansible-collection-hardening/pull/404) ([schurzi](https://github.com/schurzi))
|
||||
- do not install mysql python package on target host [\#401](https://github.com/dev-sec/ansible-collection-hardening/pull/401) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- make wrong password fail task [\#400](https://github.com/dev-sec/ansible-collection-hardening/pull/400) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
|
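Review bot: the `## [7.2.1] (2021-02-10)` heading and its `compare/7.2.0...7.2.1` link appear to be replaced by `## [7.3.0] (2021-03-11)` with `compare/7.2.0...7.3.0`, not followed by a new section; that is correct only if the 7.2.1 tag was never published. If 7.2.1 did ship, keep its section and open 7.3.0 above it with `compare/7.2.1...7.3.0`, otherwise its entries (#403, #399 and the closed issues) are silently re-attributed to 7.3.0.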
@ -36,7 +47,6 @@
|
|||
|
||||
**Merged pull requests:**
|
||||
|
||||
- update ansible-lint to version 5 [\#397](https://github.com/dev-sec/ansible-collection-hardening/pull/397) ([schurzi](https://github.com/schurzi))
|
||||
- fix minimum required ansible version in docs [\#390](https://github.com/dev-sec/ansible-collection-hardening/pull/390) ([schurzi](https://github.com/schurzi))
|
||||
|
||||
## [7.1.1](https://github.com/dev-sec/ansible-collection-hardening/tree/7.1.1) (2021-02-05)
|
||||
|
@ -89,6 +99,7 @@
|
|||
|
||||
**Merged pull requests:**
|
||||
|
||||
- update ansible-lint to version 5 [\#397](https://github.com/dev-sec/ansible-collection-hardening/pull/397) ([schurzi](https://github.com/schurzi))
|
||||
- use version tag for changelog action [\#386](https://github.com/dev-sec/ansible-collection-hardening/pull/386) ([schurzi](https://github.com/schurzi))
|
||||
- make release workflow manually runnable [\#384](https://github.com/dev-sec/ansible-collection-hardening/pull/384) ([schurzi](https://github.com/schurzi))
|
||||
- run labeler workflow with higher privileges [\#383](https://github.com/dev-sec/ansible-collection-hardening/pull/383) ([schurzi](https://github.com/schurzi))
|
||||
|
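Review bot: the entry "update ansible-lint to version 5 [#397]" is removed from the section directly above `## [7.1.1]` (hunk at old line 36) and re-added here in an older section at line 99; a pull request moving to an earlier release than the one it was first listed under looks like changelog-generator noise rather than an intended correction. Confirm which release #397 actually shipped in before merging the regenerated file.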
@ -120,6 +131,7 @@
|
|||
- Mount proc filesystem using hidepid option [\#283](https://github.com/dev-sec/ansible-collection-hardening/pull/283) ([alegrey91](https://github.com/alegrey91))
|
||||
- unify changelog and release actions [\#279](https://github.com/dev-sec/ansible-collection-hardening/pull/279) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- purge insecure packages [\#275](https://github.com/dev-sec/ansible-collection-hardening/pull/275) ([chris-rock](https://github.com/chris-rock))
|
||||
- add changelog and release workflow [\#271](https://github.com/dev-sec/ansible-collection-hardening/pull/271) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
|
|
|
@ -50,6 +50,12 @@ In progress, not working:
|
|||
- [apache_hardening](roles/apache_hardening/)
|
||||
- [windows_hardening](roles/windows_hardening/)
|
||||
|
||||
## Installation
|
||||
|
||||
Install the collection via ansible-galaxy:
|
||||
|
||||
`ansible-galaxy collection install devsec.hardening`
|
||||
|
||||
## Using this collection
|
||||
|
||||
Please refer to the examples in the readmes of the role.
|
||||
|
|
|
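Review bot: the install command `ansible-galaxy collection install devsec.hardening` pulls whatever the latest release is, so two hosts hardened a month apart can receive different defaults; show the pinned form as well, e.g. `ansible-galaxy collection install devsec.hardening:==7.3.0` (7.3.0 being the release this changeset records in CHANGELOG.md), and say that production playbooks should pin. Under "Using this collection", "the readmes of the role" should read "the README of each role".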
@ -24,7 +24,7 @@ It configures:
|
|||
collections:
|
||||
- devsec.hardening
|
||||
roles:
|
||||
- devsec.hardening.mysql_hardening
|
||||
- mysql_hardening
|
||||
```
|
||||
|
||||
This role expects an existing installation of MySQL or MariaDB. Please ensure that the following variables are set accordingly:
|
||||
|
|
|
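Review bot: replacing `devsec.hardening.mysql_hardening` with the short name `mysql_hardening` makes the example rely on the `collections:` keyword two lines above for role lookup; Ansible's own guidance recommends the fully qualified name, which resolves even when `collections:` is omitted and stays unambiguous if a legacy role called `mysql_hardening` is also installed on `roles_path`. The same substitution is made in the nginx, os and ssh READMEs below, so consider keeping the FQCN form in at least one example per role rather than removing it everywhere.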
@ -83,7 +83,7 @@ It works with the following nginx-roles, including, but not limited to:
|
|||
collections:
|
||||
- devsec.hardening
|
||||
roles:
|
||||
- devsec.hardening.nginx_hardening
|
||||
- nginx_hardening
|
||||
```
|
||||
|
||||
[nginx_client_body_buffer_size]: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size
|
||||
|
|
|
@ -222,7 +222,7 @@ To prevent some of the filesystems from being disabled, add them to the `os_file
|
|||
collections:
|
||||
- devsec.hardening
|
||||
roles:
|
||||
- devsec.hardening.os_hardening
|
||||
- os_hardening
|
||||
```
|
||||
|
||||
## Changing sysctl variables
|
||||
|
@ -235,7 +235,7 @@ So for example if you want to change the IPv4 traffic forwarding variable to `1`
|
|||
collections:
|
||||
- devsec.hardening
|
||||
roles:
|
||||
- devsec.hardening.os_hardening
|
||||
- os_hardening
|
||||
vars:
|
||||
sysctl_overwrite:
|
||||
# Enable IPv4 traffic forwarding.
|
||||
|
|
28
roles/os_hardening/tasks/cron.yml
Normal file
|
@ -0,0 +1,28 @@
|
|||
---
|
||||
# Granting write access to this directory for non-privileged users could provide
|
||||
# them the means for gaining unauthorized elevated privileges.
|
||||
# Granting read access to this directory could give an unprivileged user insight
|
||||
# in how to gain elevated privileges or circumvent auditing controls.
|
||||
# CIS 5.1.2 - CIS 5.1.7
|
||||
#
|
||||
- name: Find cron files and directories
|
||||
find:
|
||||
paths:
|
||||
- /etc
|
||||
patterns:
|
||||
- cron.hourly
|
||||
- cron.daily
|
||||
- cron.weekly
|
||||
- cron.monthly
|
||||
- cron.d
|
||||
- crontab
|
||||
file_type: any
|
||||
register: cron_directories
|
||||
|
||||
- name: Ensure permissions on cron files and directories are configured
|
||||
ansible.builtin.file:
|
||||
path: "{{ item.path }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: og-rwx
|
||||
with_items: "{{ cron_directories.files }}"
|
|
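Review bot: the first task calls the module as bare `find:` while the second uses `ansible.builtin.file`; use `ansible.builtin.find` for both so the file is consistently FQCN. Because `paths: [/etc]` is searched non-recursively with `file_type: any`, only the listed entries themselves (`/etc/crontab`, `/etc/cron.d` and the `cron.*` directories) are tightened, not the scripts inside them; state that in the header comment so nobody reads "cron files and directories" as covering nested files. Minor: `with_items` can become `loop` with `loop_control: label: "{{ item.path }}"` to keep task output readable, and `cron_directories` is a misleading register name given `/etc/crontab` is a file.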
@ -25,6 +25,9 @@
|
|||
tags: auditd
|
||||
when: os_auditd_enabled | bool
|
||||
|
||||
- import_tasks: cron.yml
|
||||
tags: cron
|
||||
|
||||
- import_tasks: limits.yml
|
||||
tags: limits
|
||||
|
||||
|
|
|
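Review bot: `- import_tasks: cron.yml` is imported unconditionally, whereas the auditd import just above is guarded with `when: os_auditd_enabled | bool`; add a matching boolean default (for example an `os_cron_permissions_enabled` variable, name hypothetical) so operators who manage cron permissions elsewhere can opt out, consistent with the rest of this role.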
@ -76,7 +76,10 @@ Warning: This role disables root-login on the target server! Please make sure yo
|
|||
- Description: false to disable pam authentication.
|
||||
- `ssh_gssapi_support`
|
||||
- Default: `false`
|
||||
- Description: true if SSH has GSSAPI support.
|
||||
- Description: Set to true to enable GSSAPI authentication (both client and server).
|
||||
- `ssh_gssapi_delegation`
|
||||
- Default: `false`
|
||||
- Description: Set to true to enable GSSAPI credential forwarding.
|
||||
- `ssh_kerberos_support`
|
||||
- Default: `true`
|
||||
- Description: true if SSH has Kerberos support.
|
||||
|
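Review bot: the new `ssh_gssapi_delegation` description ("Set to true to enable GSSAPI credential forwarding") should also state what forwarding means for the user: the client hands its Kerberos credentials to the server it logs into, which can then act on the user's behalf, so the value should stay `false` unless that server is trusted to that degree. One sentence here, plus a note that the setting has no effect unless `ssh_gssapi_support` is also true, prevents it being switched on by reflex together with `ssh_gssapi_support`.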
@ -241,7 +244,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
|
|||
collections:
|
||||
- devsec.hardening
|
||||
roles:
|
||||
- devsec.hardening.ssh_hardening
|
||||
- ssh_hardening
|
||||
```
|
||||
|
||||
## Configuring settings not listed in role-variables
|
||||
|
@ -255,7 +258,7 @@ Example playbook:
|
|||
collections:
|
||||
- devsec.hardening
|
||||
roles:
|
||||
- devsec.hardening.ssh_hardening
|
||||
- ssh_hardening
|
||||
vars:
|
||||
ssh_custom_options:
|
||||
- "Include /etc/ssh/ssh_config.d/*"
|
||||
|
|
|
@ -91,9 +91,12 @@ ssh_use_pam: true # sshd
|
|||
# specify AuthenticationMethods
|
||||
sshd_authenticationmethods: 'publickey'
|
||||
|
||||
# true if SSH support GSSAPI
|
||||
# Set to true to enable GSSAPI authentication (both client and server)
|
||||
ssh_gssapi_support: false
|
||||
|
||||
# Set to true to enable GSSAPI credential forwarding
|
||||
ssh_gssapi_delegation: false
|
||||
|
||||
# if specified, login is disallowed for user names that match one of the patterns.
|
||||
ssh_deny_users: '' # sshd
|
||||
|
||||
|
|
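Review bot: the surrounding defaults mark which daemon a variable affects with a trailing comment (`ssh_use_pam: true # sshd`, `ssh_deny_users: '' # sshd`), but the new `ssh_gssapi_support` and `ssh_gssapi_delegation` lines carry no such marker even though, per the rewritten comment, they now apply to both client and server; add the same trailing annotation for both so the convention stays searchable.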
|
@ -104,8 +104,8 @@ RSAAuthentication yes
|
|||
PasswordAuthentication {{ 'yes' if ssh_client_password_login else 'no' }}
|
||||
|
||||
# Only use GSSAPIAuthentication if implemented on the network.
|
||||
GSSAPIAuthentication no
|
||||
GSSAPIDelegateCredentials no
|
||||
GSSAPIAuthentication {{ 'yes' if (ssh_gssapi_support|bool) else 'no' }}
|
||||
GSSAPIDelegateCredentials {{ 'yes' if (ssh_gssapi_delegation|bool) else 'no' }}
|
||||
|
||||
# Disable tunneling
|
||||
Tunnel no
|
||||
|
|
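Review bot: `GSSAPIDelegateCredentials` is now rendered from `ssh_gssapi_delegation` independently of `ssh_gssapi_support`, so a playbook can emit `GSSAPIAuthentication no` together with `GSSAPIDelegateCredentials yes`; delegation without GSSAPI authentication never takes effect, and the combination reads as a misconfiguration. Render it as `GSSAPIDelegateCredentials {{ 'yes' if (ssh_gssapi_support|bool and ssh_gssapi_delegation|bool) else 'no' }}` so forwarding can only be enabled alongside authentication. The retained comment "Only use GSSAPIAuthentication if implemented on the network." now describes a variable-driven line and could mention the two variables by name.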