Merge pull request #30 from hardening-io/CL_RM_TODO

Update readme, todo, changelog, vars

CHANGELOG.md

@@ -0,0 +1,9 @@
+# Changelog
+
+## 1.0.0
+
+ * Implement os-hardening to meet our [tests](https://github.com/hardening-io/tests-os-hardening)
+ * Enable GPG-checking on all yum-repository files [#5](https://github.com/hardening-io/ansible-os-hardening/pull/5)
+ * Disable system accounts [#6](https://github.com/hardening-io/ansible-os-hardening/issues/6)
+ * Module-loading configuration [#22](https://github.com/hardening-io/ansible-os-hardening/pull/22)
+ * Travis support [#17](https://github.com/hardening-io/ansible-os-hardening/pull/17)

README.md

@@ -1,8 +1,7 @@
 # os-hardening (Ansible Role)
 
-[![Build Status](http://img.shields.io/travis/hardening-io/ansible-os-hardening.svg)][2]
-[![Code Coverage](http://img.shields.io/coveralls/hardening-io/ansible-os-hardening.svg)][3]
-[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][5]
+[![Build Status](http://img.shields.io/travis/hardening-io/ansible-os-hardening.svg)][1]
+[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][2]
 
 ## Description
 
@@ -31,13 +30,11 @@ It will not:
 
 ## Variables
 
+### in main.yml
+
 * `os_desktop_enable: false` -  true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc
-* `os_network_forwarding: false` - true if this system requires packet forwarding (eg Router), false otherwise
-* `os_network_ipv6_enable: false`
-* `os_network_arp_restricted: true` - true if you want the behavior of announcing and replying to ARP to be restricted, false otherwise
 * `os_env_extra_user_paths: []` - add additional paths to the user's `PATH` variable (default is empty).
 * `os_env_umask: "027"`
-* `os_env_root_path: "/"` - where root is mounted
 * `os_auth_pw_max_age: 60` - maximum password age
 * `os_auth_pw_min_age: 7` - minimum password age (before allowing any other password change)
 * `os_auth_retries: 5` - the maximum number of authentication attempts, before the account is locked for some time
@@ -53,10 +50,14 @@ It will not:
 * `os_security_suid_sgid_enforce: true` - true if you want to reduce SUID/SGID bits. There is already a list of items which are searched for configured, but you can also add your own
 * `os_security_suid_sgid_blacklist: []` - a list of paths which should have their SUID/SGID bits removed
 * `os_security_suid_sgid_whitelist: []` - a list of paths which should not have their SUID/SGID bits altered
-* `os_security_suid_sgid_remove_from_unknown: false` - true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Chef run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.
-* `os_security_suid_sgid_dry_run_on_unknown: false` - like `remove_from_unknown` above, only that SUID/SGID bits aren't removed.
-  It will still search the filesystems to look for SUID/SGID bits but it will only print them in your log. This option is only ever recommended, when you first configure `remove_from_unknown` for SUID/SGID bits, so that you can see the files that are being changed and make adjustments to your `whitelist` and `blacklist`.
-* `os_security_packages_clean']  = true` - removes packages with known issues. See section packages.
+* `os_security_suid_sgid_remove_from_unknown: false` - true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.
+* `os_security_packages_clean': true` - removes packages with known issues. See section packages.
+
+### in sysctl.yml
+
+* `os_network_forwarding: false` - true if this system requires packet forwarding (eg Router), false otherwise
+* `os_network_ipv6_enable: false`
+* `os_network_arp_restricted: true` - true if you want the behavior of announcing and replying to ARP to be restricted, false otherwise
 
 ## Packages
 
@@ -117,7 +118,7 @@ This role is mostly based on guides by:
 * [Ubuntu Security/Features](https://wiki.ubuntu.com/Security/Features)
 * [Deutsche Telekom, Group IT Security, Security Requirements (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si)
 
-Thanks to all of you!!
+Thanks to all of you!
 ## Contributing
 
 See [contributor guideline](CONTRIBUTING.md).
@@ -139,6 +140,5 @@ See the License for the specific language governing permissions and
 limitations under the License.
 
 
-[2]: http://travis-ci.org/hardening-io/ansible-os-hardening
-[3]: https://coveralls.io/r/hardening-io/ansible-os-hardening
-[5]: https://gitter.im/hardening-io
+[1]: http://travis-ci.org/hardening-io/ansible-os-hardening
+[2]: https://gitter.im/hardening-io/general

TODO.md

@@ -0,0 +1,4 @@
+# TODO
+
+* [Adduser consistency](https://github.com/hardening-io/chef-os-hardening/pull/73)
+* [add support for limiting password re-use](https://github.com/hardening-io/puppet-os-hardening/pull/61)

roles/ansible-os-hardening/vars/main.yml

@@ -1,14 +1,6 @@
-# rhel, centos autoconf configuration
-#os_authconfig_shadow_enable:  true
-#os_authconfig_md5_enable:  true
-
 os_desktop_enable: false
-os_network_forwarding: false
-os_network_ipv6_enable: false
-os_network_arp_restricted: true 
 os_env_extra_user_paths: []
 os_env_umask: '027'
-os_env_root_path: '/'
 os_auth_pw_max_age: 60
 os_auth_pw_min_age: 7 # discourage password cycling
 os_auth_retries: 5
@@ -26,7 +18,6 @@ os_security_users_allow: []
 # specify system accounts those login should not be disabled and password not changed
 os_ignore_users: ['vagrant']
 os_security_kernel_enable_module_loading: true
-os_security_kernel_enable_sysrq: false
 os_security_kernel_enable_core_dump: false
 os_security_suid_sgid_enforce: true
 # user-defined blacklist and whitelist
@@ -42,9 +33,6 @@ os_security_packages_clean: true
 # ====================
 # These are not meant to be modified by the user
 
-# misc
-os_security_kernel_secure_sysrq: 4 + 16 + 32 + 64 + 128
-
 # suid and sgid blacklists and whitelists
 # ---------------------------------------
 # don't change values in the system_blacklist/whitelist