diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml
index 30e1d4f6..64a461f0 100644
--- a/.github/workflows/ansible-lint.yml
+++ b/.github/workflows/ansible-lint.yml
@@ -5,7 +5,6 @@ on: [push, pull_request] # yamllint disable-line rule:truthy jobs: ansible-lint: - runs-on: ubuntu-latest steps:
diff --git a/.github/workflows/mysql_hardening.yml b/.github/workflows/mysql_hardening.yml
index a1ba48fd..9a279ad2 100644
--- a/.github/workflows/mysql_hardening.yml
+++ b/.github/workflows/mysql_hardening.yml
@@ -27,8 +27,8 @@ jobs:
 - ubuntu1804
 - ubuntu2004
 - ubuntu2204
- - debian9
 - debian10
+ - debian11
 # - amazon # geerlingguy.mysql does not support fedora
 # - arch # needs to be fixed
 # - opensuse_tumbleweed # needs to be fixed
diff --git a/.github/workflows/nginx_hardening.yml b/.github/workflows/nginx_hardening.yml
index f805f61a..5ff6a6f8 100644
--- a/.github/workflows/nginx_hardening.yml
+++ b/.github/workflows/nginx_hardening.yml
@@ -27,8 +27,8 @@ jobs:
 - ubuntu1804
 - ubuntu2004
 - ubuntu2204
- - debian9
 - debian10
+ - debian11
 - amazon
 # - arch # needs to be fixed
 # - opensuse_tumbleweed # needs to be fixed
diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml
index 597012ef..13fe561b 100644
--- a/.github/workflows/os_hardening.yml
+++ b/.github/workflows/os_hardening.yml
@@ -27,8 +27,8 @@ jobs:
 - ubuntu1804
 - ubuntu2004
 - ubuntu2204
- - debian9
 - debian10
+ - debian11
 - amazon
 - opensuse_tumbleweed
 # - arch # needs to be fixed
diff --git a/.github/workflows/os_hardening_vm.yml b/.github/workflows/os_hardening_vm.yml
index cd63b743..01de2033 100644
--- a/.github/workflows/os_hardening_vm.yml
+++ b/.github/workflows/os_hardening_vm.yml
@@ -27,8 +27,8 @@ jobs:
 - ubuntu1804
 - ubuntu2004
 - ubuntu2204
- - debian9
 - debian10
+ - debian11
 # - opensuse42 # opensuse currently cannot get an ip address
 # - arch - arch is currently not supported by cinc-auditor
 steps:
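Review bot: Removing `debian9` from the os_hardening matrix leaves Debian 9 as a claimed-but-untested platform: roles/os_hardening/meta/main.yml keeps `stretch` in its supported versions in this same commit and the README still lists "Debian 9/10", so the collection advertises hardening for a release that no longer gets any CI run. Debian 9 (stretch) left LTS support in mid-2022, so the consistent fix is to drop `- stretch` from the role metadata and the README in the same change, or to keep `- debian9` in the matrix for as long as support is still claimed. The same mismatch applies to the mysql, nginx, ssh and vm workflow hunks in this commit.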
diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml
index 84f20735..db3febff 100644
--- a/.github/workflows/ssh_hardening.yml
+++ b/.github/workflows/ssh_hardening.yml
@@ -28,8 +28,8 @@ jobs:
 - ubuntu1804
 - ubuntu2004
 - ubuntu2204
- - debian9
 - debian10
+ - debian11
 - amazon
 # - arch # needs to be fixed
 # - opensuse_tumbleweed # baseline is not compatible with suse
diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml
index ed1a875b..4f112971 100644
--- a/.github/workflows/ssh_hardening_custom_tests.yml
+++ b/.github/workflows/ssh_hardening_custom_tests.yml
@@ -28,8 +28,8 @@ jobs:
 - ubuntu1804
 - ubuntu2004
 - ubuntu2204
- - debian9
 - debian10
+ - debian11
 - amazon
 # - arch # needs to be fixed
 # - opensuse_tumbleweed # baseline is not compatible with suse
diff --git a/.gitignore b/.gitignore
index 1953eaac..b5a8983a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 .kitchen
 hosts
 Gemfile.lock
+.venv
\ No newline at end of file
diff --git a/README.md b/README.md
index 71f5f289..da60f26c 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,7 @@ This collection provides battle tested hardening for:
 - CentOS 7/8
 - Rocky Linux 8
 - Debian 9/10
+ - Debian 11 (some roles supported)
 - Ubuntu 16.04/18.04/20.04/22.04
 - Amazon Linux (some roles supported)
 - Arch Linux (some roles supported)
diff --git a/molecule/mysql_hardening/converge.yml b/molecule/mysql_hardening/converge.yml
index bd589ef2..1532fa71 100644
--- a/molecule/mysql_hardening/converge.yml
+++ b/molecule/mysql_hardening/converge.yml
@@ -2,6 +2,8 @@
 - name: wrapper playbook for kitchen testing "ansible-mysql-hardening"
 hosts: all
 become: true
+ collections:
+ - devsec.hardening
 environment:
 http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
 https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
diff --git a/molecule/mysql_hardening/prepare.yml b/molecule/mysql_hardening/prepare.yml
index 5133c0e9..f5ef673d 100644
--- a/molecule/mysql_hardening/prepare.yml
+++ b/molecule/mysql_hardening/prepare.yml
@@ -8,6 +8,20 @@
 https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
 no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
 tasks:
+ - name: Use Python 3 on Debian 11
+ set_fact:
+ ansible_python_interpreter: /usr/bin/python3
+ when:
+ - ansible_distribution == 'Debian'
+ - ansible_distribution_major_version|int >= 11
+ - name: Use Python 2 on Debian 10
+ set_fact:
+ ansible_python_interpreter: /usr/bin/python
+ when:
+ - ansible_distribution == 'Debian'
+ - ansible_distribution_major_version|int == 10
 - name: Run the equivalent of "apt-get update && apt-get upgrade"
 apt:
 name: "*"
@@ -42,6 +56,7 @@ - ansible_distribution != "Ubuntu" - ansible_distribution_major_version|int < 20 + - include_role: name: dev-sec.mysql
diff --git a/roles/nginx_hardening/meta/main.yml b/roles/nginx_hardening/meta/main.yml
index 9a80cdfa..028c96b5 100644
--- a/roles/nginx_hardening/meta/main.yml
+++ b/roles/nginx_hardening/meta/main.yml
@@ -18,6 +18,7 @@ galaxy_info:
 versions:
 - stretch
 - buster
+ - bullseye
 galaxy_tags:
 - system
 - security
diff --git a/roles/os_hardening/meta/main.yml b/roles/os_hardening/meta/main.yml
index fa268e6b..23282763 100644
--- a/roles/os_hardening/meta/main.yml
+++ b/roles/os_hardening/meta/main.yml
@@ -18,6 +18,7 @@ galaxy_info:
 versions:
 - stretch
 - buster
+ - bullseye
 - name: Amazon
 - name: Fedora
 - name: Archlinux
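Review bot: The `Use Python 2 on Debian 10` task pins `ansible_python_interpreter: /usr/bin/python`, which on buster is the Python 2.7 interpreter, so the mysql_hardening test run exercises the role under an end-of-life interpreter that real Debian 10 hosts will rarely use (Ansible's own interpreter discovery picks python3 there). If something in the prepare steps genuinely needs Python 2 (for example a MySQL binding that is only packaged for python2 in the test image), state it in a comment above the task so the pin is not silently kept forever, e.g. `# Debian 10: Python 2 pinned because the python3 MySQL binding is not available in the prepare image`; otherwise drop the task and let both Debian branches use `/usr/bin/python3`. Note also that, as far as I can tell, a `set_fact` made in prepare.yml only lives for this prepare run and is not carried into the separate converge run, so if the interpreter matters for the role itself it belongs in the molecule inventory variables rather than here. The surrounding task list continues outside the hunk.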