Add full support for Debian 11 (#538)

* Include Debian 11 into Molecule test suites (#527)

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>

* Fix Ansible Lint GitHub Action version (#527)

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>

* Update .gitignore

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>

* mysql_hardening: Use Python 3 as Ansible interpreter (#527)

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>

* Note Debian 11 support for os_hardening & nginx_hardening (#527)

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>

* Fix lint issues & Ansible Lint configuration in CI

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>

* Try to fix YAML lint issues, again

Re-ordered YAML comments at the end of `.yamllint` file.

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>

* rm debian9 from tests, add debian 11 where missing

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* fix mysql molecule tests

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

.github/workflows/ansible-lint.yml

@@ -5,7 +5,6 @@ on: [push, pull_request]   # yamllint disable-line rule:truthy
 
 jobs:
   ansible-lint:
-
     runs-on: ubuntu-latest
 
     steps:

.github/workflows/mysql_hardening.yml

@@ -27,8 +27,8 @@ jobs:
           - ubuntu1804
           - ubuntu2004
           - ubuntu2204
-          - debian9
           - debian10
+          - debian11
           # - amazon  # geerlingguy.mysql does not support fedora
           # - arch  # needs to be fixed
           # - opensuse_tumbleweed  # needs to be fixed

.github/workflows/nginx_hardening.yml

@@ -27,8 +27,8 @@ jobs:
           - ubuntu1804
           - ubuntu2004
           - ubuntu2204
-          - debian9
           - debian10
+          - debian11
           - amazon
           # - arch  # needs to be fixed
           # - opensuse_tumbleweed  # needs to be fixed

.github/workflows/os_hardening.yml

@@ -27,8 +27,8 @@ jobs:
           - ubuntu1804
           - ubuntu2004
           - ubuntu2204
-          - debian9
           - debian10
+          - debian11
           - amazon
           - opensuse_tumbleweed
           # - arch  # needs to be fixed

.github/workflows/os_hardening_vm.yml

@@ -27,8 +27,8 @@ jobs:
           - ubuntu1804
           - ubuntu2004
           - ubuntu2204
-          - debian9
           - debian10
+          - debian11
           # - opensuse42  # opensuse currently cannot get an ip address
           # - arch  - arch is currently not supported by cinc-auditor
     steps:

.github/workflows/ssh_hardening.yml

@@ -28,8 +28,8 @@ jobs:
           - ubuntu1804
           - ubuntu2004
           - ubuntu2204
-          - debian9
           - debian10
+          - debian11
           - amazon
           # - arch  # needs to be fixed
           # - opensuse_tumbleweed  # baseline is not compatible with suse

.github/workflows/ssh_hardening_custom_tests.yml

@@ -28,8 +28,8 @@ jobs:
           - ubuntu1804
           - ubuntu2004
           - ubuntu2204
-          - debian9
           - debian10
+          - debian11
           - amazon
           # - arch  # needs to be fixed
           # - opensuse_tumbleweed  # baseline is not compatible with suse

.gitignore

@@ -1,3 +1,4 @@
 .kitchen
 hosts
 Gemfile.lock
+.venv

README.md

@@ -14,6 +14,7 @@ This collection provides battle tested hardening for:
   - CentOS 7/8
   - Rocky Linux 8
   - Debian 9/10
+  - Debian 11 (some roles supported)
   - Ubuntu 16.04/18.04/20.04/22.04
   - Amazon Linux (some roles supported)
   - Arch Linux (some roles supported)

molecule/mysql_hardening/converge.yml

@@ -2,6 +2,8 @@
 - name: wrapper playbook for kitchen testing "ansible-mysql-hardening"
   hosts: all
   become: true
+  collections:
+    - devsec.hardening
   environment:
     http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"

molecule/mysql_hardening/prepare.yml

@@ -8,6 +8,20 @@
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
+    - name: Use Python 3 on Debian 11
+      set_fact:
+        ansible_python_interpreter: /usr/bin/python3
+      when:
+        - ansible_distribution == 'Debian'
+        - ansible_distribution_major_version|int >= 11
+
+    - name: Use Python 2 on Debian 10
+      set_fact:
+        ansible_python_interpreter: /usr/bin/python
+      when:
+        - ansible_distribution == 'Debian'
+        - ansible_distribution_major_version|int == 10
+
     - name: Run the equivalent of "apt-get update && apt-get upgrade"
       apt:
         name: "*"
@@ -42,6 +56,7 @@
         - ansible_distribution != "Ubuntu"
         - ansible_distribution_major_version|int < 20
 
+
     - include_role:
         name: dev-sec.mysql
 

roles/nginx_hardening/meta/main.yml

@@ -18,6 +18,7 @@ galaxy_info:
       versions:
         - stretch
         - buster
+        - bullseye
   galaxy_tags:
     - system
     - security

roles/os_hardening/meta/main.yml

@@ -18,6 +18,7 @@ galaxy_info:
       versions:
         - stretch
         - buster
+        - bullseye
     - name: Amazon
     - name: Fedora
     - name: Archlinux