Merge pull request #588 from dev-sec/support_more_os

Support more os

.github/workflows/mysql_hardening.yml

@@ -26,7 +26,10 @@ jobs:
       matrix:
         molecule_distro:
           - centos7
+          - centosstream8
+          - centosstream9
           - rocky8
+          - rocky9
           - ubuntu1804
           - ubuntu2004
           - ubuntu2204

.github/workflows/nginx_hardening.yml

@@ -25,7 +25,10 @@ jobs:
       matrix:
         molecule_distro:
           - centos7
+          - centosstream8
+          - centosstream9
           - rocky8
+          - rocky9
           - ubuntu1804
           - ubuntu2004
           - ubuntu2204

.github/workflows/os_hardening.yml

@@ -25,7 +25,10 @@ jobs:
       matrix:
         molecule_distro:
           - centos7
+          - centosstream8
+          - centosstream9
           - rocky8
+          - rocky9
           - ubuntu1804
           - ubuntu2004
           - ubuntu2204

.github/workflows/os_hardening_vm.yml

@@ -25,14 +25,17 @@ jobs:
       matrix:
         molecule_distro:
           - centos7
+          - centos8s
+          # - centos9s  # problems with vagrant
           - rocky8
+          # - rocky9  # problems with vagrant
           - ubuntu1804
           - ubuntu2004
           - ubuntu2204
           - debian10
           - debian11
           # - opensuse42  # opensuse currently cannot get an ip address
-          # - arch  - arch is currently not supported by cinc-auditor
+          # - arch  # arch is currently not supported by cinc-auditor
     steps:
       - name: Checkout repo
         uses: actions/checkout@v3

.github/workflows/ssh_hardening.yml

@@ -25,7 +25,10 @@ jobs:
       matrix:
         molecule_distro:
           - centos7
+          - centosstream8
+          - centosstream9
           - rocky8
+          - rocky9
           - fedora
           - ubuntu1804
           - ubuntu2004

.github/workflows/ssh_hardening_custom_tests.yml

@@ -25,7 +25,10 @@ jobs:
       matrix:
         molecule_distro:
           - centos7
+          - centosstream8
+          - centosstream9
           - rocky8
+          - rocky9
           - fedora
           - ubuntu1804
           - ubuntu2004

molecule/os_hardening_vm/prepare.yml

@@ -16,8 +16,6 @@
 
     - name: Run the equivalent of "apt-get update && apt-get upgrade"
       apt:
-        name: "*"
-        state: latest
         update_cache: true
       when: ansible_os_family == 'Debian'
 

roles/mysql_hardening/vars/RedHat_8.yml

@@ -1,9 +0,0 @@
----
-mysql_daemon: mariadb
-mysql_hardening_mysql_conf_file: '/etc/my.cnf'
-mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d'
-
-mysql_cnf_owner: 'root'  # owner of /etc/mysql/*.cnf files
-mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
-
-mysql_hardening_group: 'mysql'

roles/mysql_hardening/vars/Rocky_8.yml

@@ -1,9 +0,0 @@
----
-mysql_daemon: mariadb
-mysql_hardening_mysql_conf_file: '/etc/my.cnf'
-mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d'
-
-mysql_cnf_owner: 'root'  # owner of /etc/mysql/*.cnf files
-mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
-
-mysql_hardening_group: 'mysql'

roles/mysql_hardening/vars/Ubuntu_18.yml

@@ -1,10 +0,0 @@
----
-mysql_daemon: mysql
-
-mysql_hardening_mysql_conf_file: '/etc/mysql/my.cnf'
-mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d'
-
-mysql_cnf_owner: 'root'  # owner of /etc/mysql/*.cnf files
-mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
-
-mysql_hardening_group: 'adm'

roles/mysql_hardening/vars/Ubuntu_20.yml

@@ -1,10 +0,0 @@
----
-mysql_daemon: mysql
-
-mysql_hardening_mysql_conf_file: '/etc/mysql/my.cnf'
-mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d'
-
-mysql_cnf_owner: 'root'  # owner of /etc/mysql/*.cnf files
-mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
-
-mysql_hardening_group: 'adm'

roles/mysql_hardening/vars/Ubuntu_22.yml

@@ -1,10 +0,0 @@
----
-mysql_daemon: mysql
-
-mysql_hardening_mysql_conf_file: '/etc/mysql/my.cnf'
-mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d'
-
-mysql_cnf_owner: 'root'  # owner of /etc/mysql/*.cnf files
-mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
-
-mysql_hardening_group: 'adm'

roles/os_hardening/vars/RedHat.yml

@@ -33,7 +33,7 @@ os_auth_sub_gid_min: 100000
 os_auth_sub_gid_max: 600100000
 os_auth_sub_gid_count: 65536
 
-os_auth_pam_sssd_enable: false
+os_auth_pam_sssd_enable: true
 
 # defaults for useradd
 os_useradd_mail_dir: /var/spool/mail

roles/os_hardening/vars/RedHat_8.yml

@@ -1,45 +0,0 @@
----
-
-os_packages_pam_ccreds: 'pam_ccreds'
-os_nologin_shell_path: '/sbin/nologin'
-
-# Different distros use different standards for /etc/shadow perms, e.g.
-# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
-# You must provide key/value pairs for owner, group, and mode if overriding.
-os_shadow_perms:
-  owner: root
-  group: root
-  mode: '0000'
-
-os_passwd_perms:
-  owner: root
-  group: root
-  mode: '0644'
-
-os_env_umask: '077'
-
-os_auth_uid_min: 1000
-os_auth_uid_max: 60000
-os_auth_gid_min: 1000
-os_auth_gid_max: 60000
-os_auth_sys_uid_min: 201
-os_auth_sys_uid_max: 999
-os_auth_sys_gid_min: 201
-os_auth_sys_gid_max: 999
-os_auth_sub_uid_min: 100000
-os_auth_sub_uid_max: 600100000
-os_auth_sub_uid_count: 65536
-os_auth_sub_gid_min: 100000
-os_auth_sub_gid_max: 600100000
-os_auth_sub_gid_count: 65536
-
-os_auth_pam_sssd_enable: true
-
-# defaults for useradd
-os_useradd_mail_dir: /var/spool/mail
-os_useradd_create_home: true
-
-modprobe_package: 'module-init-tools'
-auditd_package: 'audit'
-
-hidepid_option: '2'  # allowed values: 0, 1, 2

roles/os_hardening/vars/Rocky_8.yml

@@ -1,45 +0,0 @@
----
-
-os_packages_pam_ccreds: 'pam_ccreds'
-os_nologin_shell_path: '/sbin/nologin'
-
-# Different distros use different standards for /etc/shadow perms, e.g.
-# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
-# You must provide key/value pairs for owner, group, and mode if overriding.
-os_shadow_perms:
-  owner: root
-  group: root
-  mode: '0000'
-
-os_passwd_perms:
-  owner: root
-  group: root
-  mode: '0644'
-
-os_env_umask: '077'
-
-os_auth_uid_min: 1000
-os_auth_uid_max: 60000
-os_auth_gid_min: 1000
-os_auth_gid_max: 60000
-os_auth_sys_uid_min: 201
-os_auth_sys_uid_max: 999
-os_auth_sys_gid_min: 201
-os_auth_sys_gid_max: 999
-os_auth_sub_uid_min: 100000
-os_auth_sub_uid_max: 600100000
-os_auth_sub_uid_count: 65536
-os_auth_sub_gid_min: 100000
-os_auth_sub_gid_max: 600100000
-os_auth_sub_gid_count: 65536
-
-os_auth_pam_sssd_enable: true
-
-# defaults for useradd
-os_useradd_mail_dir: /var/spool/mail
-os_useradd_create_home: true
-
-modprobe_package: 'module-init-tools'
-auditd_package: 'audit'
-
-hidepid_option: '2'  # allowed values: 0, 1, 2

roles/ssh_hardening/vars/CentOS_8.yml

@@ -1,23 +0,0 @@
----
-sshd_path: /usr/sbin/sshd
-ssh_host_keys_dir: '/etc/ssh'
-sshd_service_name: sshd
-ssh_owner: root
-ssh_group: root
-ssh_host_keys_owner: 'root'
-ssh_host_keys_group: 'ssh_keys'
-ssh_selinux_packages:
-  - policycoreutils-python-utils
-  - checkpolicy
-
-# true if SSH support Kerberos
-ssh_kerberos_support: true
-
-# true if SSH has PAM support
-ssh_pam_support: true
-
-sshd_moduli_file: '/etc/ssh/moduli'
-
-# disable CRYPTO_POLICY to take settings from sshd configuration
-# see: https://access.redhat.com/solutions/4410591
-sshd_disable_crypto_policy: true

roles/ssh_hardening/vars/CentOS_9.yml

@@ -1,23 +0,0 @@
----
-sshd_path: /usr/sbin/sshd
-ssh_host_keys_dir: '/etc/ssh'
-sshd_service_name: sshd
-ssh_owner: root
-ssh_group: root
-ssh_host_keys_owner: 'root'
-ssh_host_keys_group: 'ssh_keys'
-ssh_selinux_packages:
-  - policycoreutils-python-utils
-  - checkpolicy
-
-# true if SSH support Kerberos
-ssh_kerberos_support: true
-
-# true if SSH has PAM support
-ssh_pam_support: true
-
-sshd_moduli_file: '/etc/ssh/moduli'
-
-# disable CRYPTO_POLICY to take settings from sshd configuration
-# see: https://access.redhat.com/solutions/4410591
-sshd_disable_crypto_policy: true

roles/ssh_hardening/vars/RedHat.yml

@@ -7,7 +7,7 @@ ssh_group: root
 ssh_host_keys_owner: 'root'
 ssh_host_keys_group: 'ssh_keys'
 ssh_selinux_packages:
-  - policycoreutils-python
+  - policycoreutils-python-utils
   - checkpolicy
 
 # true if SSH support Kerberos

roles/ssh_hardening/vars/RedHat_7.yml

@@ -7,7 +7,7 @@ ssh_group: root
 ssh_host_keys_owner: 'root'
 ssh_host_keys_group: 'ssh_keys'
 ssh_selinux_packages:
-  - python3-policycoreutils
+  - policycoreutils-python
   - checkpolicy
 
 # true if SSH support Kerberos

roles/ssh_hardening/vars/Rocky_8.yml

@@ -1,23 +0,0 @@
----
-sshd_path: /usr/sbin/sshd
-ssh_host_keys_dir: '/etc/ssh'
-sshd_service_name: sshd
-ssh_owner: root
-ssh_group: root
-ssh_host_keys_owner: 'root'
-ssh_host_keys_group: 'ssh_keys'
-ssh_selinux_packages:
-  - python3-policycoreutils
-  - checkpolicy
-
-# true if SSH support Kerberos
-ssh_kerberos_support: true
-
-# true if SSH has PAM support
-ssh_pam_support: true
-
-sshd_moduli_file: '/etc/ssh/moduli'
-
-# disable CRYPTO_POLICY to take settings from sshd configuration
-# see: https://access.redhat.com/solutions/4410591
-sshd_disable_crypto_policy: true