Update Debian compatibility (#784)
* Update Ubuntu compatibility Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * reload systemd when disabling ssh socket Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * manage systemd files Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * Create privsep directory for Debian Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * Use working Ubuntu 24.04 image for vm tests Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * Remove deprecated Debian 10 Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> --------- Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
This commit is contained in:
parent
118a0f07f6
commit
69ab9e47ad
17 changed files with 33 additions and 48 deletions
3
.github/workflows/mysql_hardening.yml
vendored
|
@ -40,10 +40,9 @@ jobs:
|
|||
- centosstream9
|
||||
- rocky8
|
||||
- rocky9
|
||||
- ubuntu1804
|
||||
- ubuntu2004
|
||||
- ubuntu2204
|
||||
- debian10
|
||||
- ubuntu2404
|
||||
- debian11
|
||||
- debian12
|
||||
# - amazon # geerlingguy.mysql does not support fedora
|
||||
|
|
3
.github/workflows/nginx_hardening.yml
vendored
|
@ -39,10 +39,9 @@ jobs:
|
|||
- centosstream9
|
||||
- rocky8
|
||||
- rocky9
|
||||
- ubuntu1804
|
||||
- ubuntu2004
|
||||
- ubuntu2204
|
||||
- debian10
|
||||
- ubuntu2404
|
||||
- debian11
|
||||
- debian12
|
||||
- amazon2023
|
||||
|
|
3
.github/workflows/os_hardening.yml
vendored
|
@ -41,10 +41,9 @@ jobs:
|
|||
- rocky9
|
||||
- fedora39
|
||||
- fedora40
|
||||
- ubuntu1804
|
||||
- ubuntu2004
|
||||
- ubuntu2204
|
||||
- debian10
|
||||
- ubuntu2404
|
||||
- debian11
|
||||
- debian12
|
||||
- amazon2023
|
||||
|
|
3
.github/workflows/os_hardening_vm.yml
vendored
|
@ -41,10 +41,9 @@ jobs:
|
|||
- generic/rocky9
|
||||
- fedora/39-cloud-base
|
||||
- fedora/40-cloud-base
|
||||
- generic/ubuntu1804
|
||||
- generic/ubuntu2004
|
||||
- generic/ubuntu2204
|
||||
- generic/debian10
|
||||
- alvistack/ubuntu-24.04
|
||||
- generic/debian11
|
||||
- generic/debian12
|
||||
- generic/opensuse15
|
||||
|
|
3
.github/workflows/ssh_hardening.yml
vendored
|
@ -41,10 +41,9 @@ jobs:
|
|||
- rocky9
|
||||
- fedora39
|
||||
- fedora40
|
||||
- ubuntu1804
|
||||
- ubuntu2004
|
||||
- ubuntu2204
|
||||
- debian10
|
||||
- ubuntu2404
|
||||
- debian11
|
||||
- debian12
|
||||
- amazon2023
|
||||
|
|
|
@ -41,10 +41,9 @@ jobs:
|
|||
- rocky9
|
||||
- fedora39
|
||||
- fedora40
|
||||
- ubuntu1804
|
||||
- ubuntu2004
|
||||
- ubuntu2204
|
||||
- debian10
|
||||
- ubuntu2404
|
||||
- debian11
|
||||
- debian12
|
||||
- amazon2023
|
||||
|
|
|
@ -15,8 +15,8 @@ This collection provides battle tested hardening for:
|
|||
- Linux operating systems:
|
||||
- CentOS 9
|
||||
- Rocky Linux 8/9
|
||||
- Debian 10/11/12
|
||||
- Ubuntu 18.04/20.04/22.04
|
||||
- Debian 11/12
|
||||
- Ubuntu 20.04/22.04/24.04
|
||||
- Amazon Linux (some roles supported)
|
||||
- Arch Linux (some roles supported)
|
||||
- Fedora 39/40 (some roles supported)
|
||||
|
|
|
@ -26,13 +26,6 @@
|
|||
when:
|
||||
- ansible_os_family == 'Suse'
|
||||
|
||||
- name: Use Python 2 on Debian 10
|
||||
ansible.builtin.set_fact:
|
||||
ansible_python_interpreter: /usr/bin/python
|
||||
when:
|
||||
- ansible_distribution == 'Debian'
|
||||
- ansible_distribution_major_version|int == 10
|
||||
|
||||
- name: Run the equivalent of "apt-get update && apt-get upgrade"
|
||||
ansible.builtin.apt:
|
||||
upgrade: safe
|
||||
|
|
|
@ -62,12 +62,6 @@
|
|||
update_cache: true
|
||||
when: ansible_facts.os_family == 'Archlinux'
|
||||
|
||||
- name: Created needed directory
|
||||
ansible.builtin.file:
|
||||
path: /var/run/sshd
|
||||
state: directory
|
||||
mode: "0755"
|
||||
|
||||
- name: Create ssh host keys # noqa ignore-errors
|
||||
ansible.builtin.command: ssh-keygen -A
|
||||
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
|
||||
|
|
|
@ -18,12 +18,6 @@
|
|||
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
||||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||
tasks:
|
||||
- name: Created needed directory
|
||||
ansible.builtin.file:
|
||||
path: /var/run/sshd
|
||||
state: directory
|
||||
mode: "0755"
|
||||
|
||||
- name: Create ssh host keys # noqa ignore-errors
|
||||
ansible.builtin.command: ssh-keygen -A
|
||||
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
|
||||
|
|
|
@ -62,12 +62,6 @@
|
|||
update_cache: true
|
||||
when: ansible_facts.os_family == 'Archlinux'
|
||||
|
||||
- name: Created needed directory
|
||||
ansible.builtin.file:
|
||||
path: /var/run/sshd
|
||||
state: directory
|
||||
mode: "0755"
|
||||
|
||||
- name: Create ssh host keys # noqa ignore-errors
|
||||
ansible.builtin.command: ssh-keygen -A
|
||||
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
|
||||
|
|
|
@ -12,13 +12,13 @@ galaxy_info:
|
|||
- "9"
|
||||
- name: Ubuntu
|
||||
versions:
|
||||
- bionic
|
||||
- focal
|
||||
- jammy
|
||||
- noble
|
||||
- name: Debian
|
||||
versions:
|
||||
- bullseye
|
||||
- buster
|
||||
- bookworm
|
||||
- name: Amazon
|
||||
- name: opensuse
|
||||
galaxy_tags:
|
||||
|
|
|
@ -12,12 +12,12 @@ galaxy_info:
|
|||
- "9"
|
||||
- name: Ubuntu
|
||||
versions:
|
||||
- bionic
|
||||
- focal
|
||||
- jammy
|
||||
- noble
|
||||
- name: Debian
|
||||
versions:
|
||||
- buster
|
||||
- bookworm
|
||||
- bullseye
|
||||
- name: Amazon
|
||||
galaxy_tags:
|
||||
|
|
|
@ -12,12 +12,12 @@ galaxy_info:
|
|||
- "9"
|
||||
- name: Ubuntu
|
||||
versions:
|
||||
- bionic
|
||||
- focal
|
||||
- jammy
|
||||
- noble
|
||||
- name: Debian
|
||||
versions:
|
||||
- buster
|
||||
- bookworm
|
||||
- bullseye
|
||||
- name: Amazon
|
||||
- name: Fedora
|
||||
|
|
|
@ -12,12 +12,12 @@ galaxy_info:
|
|||
- "9"
|
||||
- name: Ubuntu
|
||||
versions:
|
||||
- bionic
|
||||
- focal
|
||||
- jammy
|
||||
- noble
|
||||
- name: Debian
|
||||
versions:
|
||||
- buster
|
||||
- bookworm
|
||||
- bullseye
|
||||
- name: Amazon
|
||||
- name: Fedora
|
||||
|
|
|
@ -1,8 +1,12 @@
|
|||
---
|
||||
- name: Remove ssh service systemd-socket file
|
||||
ansible.builtin.file:
|
||||
path: /etc/systemd/system/ssh.service.d/00-socket.conf
|
||||
path: "{{ item }}"
|
||||
state: absent
|
||||
loop:
|
||||
- /etc/systemd/system/ssh.service.d/00-socket.conf
|
||||
- /etc/systemd/system/ssh.service.requires/ssh.socket
|
||||
- /etc/systemd/system/sockets.target.wants/ssh.socket
|
||||
|
||||
- name: Disable systemd-socket activation
|
||||
ansible.builtin.systemd:
|
||||
|
|
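Review bot: The loop under `path: "{{ item }}"` removes the `00-socket.conf` drop-in and the two `ssh.socket` symlinks by hand, but nothing in the task explains why, and a reader will reach for `systemctl disable ssh.socket` instead. A comment above the task would carry that: `# On Debian/Ubuntu releases that ship sshd socket-activated, the listening port and address come from ssh.socket rather than sshd_config, so the drop-in and the requires/wants symlinks must go before the hardened config takes effect`. Because these are unit files and symlinks, systemd keeps the old definitions loaded until a daemon reload; the following `Disable systemd-socket activation` task, whose `ansible.builtin.systemd` body continues outside the hunk, should pass `daemon_reload: true`, which the commit message suggests it does. If no `ssh.service` restart is triggered after this, the switch away from socket activation will not be visible until the next restart, so it is worth confirming the role's handler covers it.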
|
@ -17,6 +17,18 @@
|
|||
- (ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version is version('22.04', '>=')) or
|
||||
(ansible_facts.os_family == 'Debian' and ansible_facts.distribution_major_version is version('12', '>='))
|
||||
|
||||
- name: Ensure privilege separation directory exists
|
||||
ansible.builtin.file:
|
||||
path: /run/sshd
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0755'
|
||||
when:
|
||||
- ssh_server_hardening | bool
|
||||
- ssh_server_enabled | bool
|
||||
- ansible_facts.os_family == 'Debian'
|
||||
|
||||
- name: Enable or disable sshd service
|
||||
ansible.builtin.service:
|
||||
name: "{{ sshd_service_name }}"
|
||||
|
|
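Review bot: The new `Ensure privilege separation directory exists` task gives no reason for creating `/run/sshd` itself, which matters because `/run` is a tmpfs and the directory does not survive a reboot; the Debian ssh.service unit recreates it at service start, so this task only helps while sshd is not running, most likely for the config check (`sshd -t` reports a missing privilege separation directory on Debian when it is absent) — I am inferring that motivation from the dropped molecule prepare tasks, so please confirm and record it, e.g. `# sshd -t fails on Debian/Ubuntu when /run/sshd is missing; the unit only creates it at service start`. The mode is written `'0755'` here while the rest of the diff uses `"0755"`; pick one quoting style for the role. Keep the directory root-owned and not group/world-writable as written, since sshd refuses a privsep directory with looser ownership or modes. The three molecule prepare hunks above that drop the `Created needed directory` task for `/var/run/sshd` are consistent with this, as `/var/run` is a symlink to `/run` on these systems.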