add debian 12 support (#684)

* add debian 12 support Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * temp disable pam-checks Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * remove debian12 from vagrant tests as there's no box yet Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * use new pam-tester from pip Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * use new pam-tester from pip Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add setuptoolks to pam-tester install Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add setuptoolks to pam-tester install Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add setuptoolks to pam-tester install Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add setuptoolks to pam-tester install Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * install pam-tester with python3 and use full path to it Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * install python3-setupttools in verify-tests Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * fix path for pam-tester in all tests Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * set python interpreter to 3 for verify-tests Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * Revert "set python interpreter to 3 for verify-tests" This reverts commit 00b6556e33. * add back accidentally deleted tasks Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> --------- Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2024-11-10 01:04:13 +00:00 · 2023-08-04 12:59:40 +02:00 · 2023-08-04 12:59:40 +02:00 · ef5e8801e4
commit ef5e8801e4
parent 9950f9ba52
10 changed files with 41 additions and 17 deletions
--- a/.github/workflows/mysql_hardening.yml
+++ b/.github/workflows/mysql_hardening.yml
@ -45,6 +45,7 @@ jobs:
          - ubuntu2204
          - debian10
          - debian11
+          - debian12
          # - amazon  # geerlingguy.mysql does not support fedora
          # - arch  # geerlingguy.mysql does not support arch
          - opensuse_tumbleweed
--- a/.github/workflows/nginx_hardening.yml
+++ b/.github/workflows/nginx_hardening.yml
@ -44,6 +44,7 @@ jobs:
          - ubuntu2204
          - debian10
          - debian11
+          - debian12
          - amazon2023
          # - arch  # needs to be fixed
          # - opensuse_tumbleweed  # needs to be fixed
--- a/.github/workflows/os_hardening.yml
+++ b/.github/workflows/os_hardening.yml
@ -46,6 +46,7 @@ jobs:
          - ubuntu2204
          - debian10
          - debian11
+          - debian12
          - amazon2023
          - opensuse_tumbleweed
          - arch
--- a/.github/workflows/os_hardening_vm.yml
+++ b/.github/workflows/os_hardening_vm.yml
@ -46,6 +46,7 @@ jobs:
          - ubuntu2204
          - debian10
          - debian11
+          # - debian12  # waiting for https://github.com/lavabit/robox/pull/274
          - opensuse15
          # - arch  # needs fix for audit
    steps:
--- a/.github/workflows/ssh_hardening.yml
+++ b/.github/workflows/ssh_hardening.yml
@ -46,6 +46,7 @@ jobs:
          - ubuntu2204
          - debian10
          - debian11
+          - debian12
          - amazon2023
          - arch
          # - opensuse_tumbleweed  # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
--- a/.github/workflows/ssh_hardening_custom_tests.yml
+++ b/.github/workflows/ssh_hardening_custom_tests.yml
@ -46,6 +46,7 @@ jobs:
          - ubuntu2204
          - debian10
          - debian11
+          - debian12
          - amazon2023
          - arch
          # - opensuse_tumbleweed  # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
--- a/README.md
+++ b/README.md
@ -11,9 +11,9 @@
 This collection provides battle tested hardening for:

 - Linux operating systems:
-  - CentOS 7
-  - Rocky Linux 8
-  - Debian 10/11
+  - CentOS 7/8/9
+  - Rocky Linux 8/9
+  - Debian 10/11/12
  - Ubuntu 18.04/20.04/22.04
  - Amazon Linux (some roles supported)
  - Arch Linux (some roles supported)
--- a/molecule/os_hardening/verify.yml
+++ b/molecule/os_hardening/verify.yml
@ -7,6 +7,10 @@
    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
  tasks:
+    - name: set ansible_python_interpreter to "/usr/bin/python3"
+      set_fact:
+        ansible_python_interpreter: "/usr/bin/python3"
+
    - name: include verification tasks
      ansible.builtin.include_tasks:
        file: "{{ item }}"
--- a/molecule/os_hardening/verify_tasks/pam.yml
+++ b/molecule/os_hardening/verify_tasks/pam.yml
@ -1,9 +1,17 @@
 ---
- name: download pam-tester
-  get_url:
-    url: https://github.com/schurzi/pam-tester/releases/download/latest/pam-tester
-    dest: /bin/pam-tester
-    mode: 0555
+
+- name: install pip
+  package:
+    name:
+      - python3-pip
+      - python3-setuptools
+    state: present
+
+- name: install pam-tester
+  ansible.builtin.pip:
+    name: pam-tester
+    state: present
+    executable: /usr/bin/pip3

 - name: set password for test
  set_fact:
@ -23,7 +31,7 @@

 - name: check successful login with correct password
  shell:
-    cmd: "pam-tester --user testuser --password {{ test_pw }}"
+    cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
  environment:
    TMPDIR: /var/tmp
    LC_ALL: "{{ locale | default('C.UTF-8') }}"
@ -31,7 +39,7 @@

 - name: check unsuccessful login with incorrect password
  shell:
-    cmd: "pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
+    cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
  environment:
    TMPDIR: /var/tmp
    LC_ALL: "{{ locale | default('C.UTF-8') }}"
@ -40,7 +48,7 @@

 - name: check unsuccessful login, with correct password (lockout)
  shell:
-    cmd: "pam-tester --user testuser --password {{ test_pw }} --expectfail"
+    cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }} --expectfail"
  environment:
    TMPDIR: /var/tmp
    LC_ALL: "{{ locale | default('C.UTF-8') }}"
@ -52,7 +60,7 @@

 - name: check successful login
  shell:
-    cmd: "pam-tester --user testuser --password {{ test_pw }}"
+    cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
  environment:
    TMPDIR: /var/tmp
    LC_ALL: "{{ locale | default('C.UTF-8') }}"
--- a/molecule/os_hardening_vm/verify_tasks/pam.yml
+++ b/molecule/os_hardening_vm/verify_tasks/pam.yml
@ -1,9 +1,15 @@
 ---
- name: download pam-tester
-  get_url:
-    url: https://github.com/schurzi/pam-tester/releases/download/latest/pam-tester
-    dest: /bin/pam-tester
-    mode: 0555
+- name: install pip
+  package:
+    name:
+      - python3-pip
+      - python3-setuptools
+    state: present
+
+- name: install pam-tester
+  ansible.builtin.pip:
+    name: pam-tester
+    state: present

 - name: set password for test
  set_fact: