diff --git a/.github/workflows/mysql_hardening.yml b/.github/workflows/mysql_hardening.yml
index 9a241b09..94c04d41 100644
--- a/.github/workflows/mysql_hardening.yml
+++ b/.github/workflows/mysql_hardening.yml
@@ -45,6 +45,7 @@ jobs:
 - ubuntu2204
 - debian10
 - debian11
+ - debian12
 # - amazon # geerlingguy.mysql does not support fedora
 # - arch # geerlingguy.mysql does not support arch
 - opensuse_tumbleweed
diff --git a/.github/workflows/nginx_hardening.yml b/.github/workflows/nginx_hardening.yml
index 076a4b5d..08bc83d1 100644
--- a/.github/workflows/nginx_hardening.yml
+++ b/.github/workflows/nginx_hardening.yml
@@ -44,6 +44,7 @@ jobs:
 - ubuntu2204
 - debian10
 - debian11
+ - debian12
 - amazon2023
 # - arch # needs to be fixed
 # - opensuse_tumbleweed # needs to be fixed
diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml
index 8a198c7d..13a0d1e6 100644
--- a/.github/workflows/os_hardening.yml
+++ b/.github/workflows/os_hardening.yml
@@ -46,6 +46,7 @@ jobs:
 - ubuntu2204
 - debian10
 - debian11
+ - debian12
 - amazon2023
 - opensuse_tumbleweed
 - arch
diff --git a/.github/workflows/os_hardening_vm.yml b/.github/workflows/os_hardening_vm.yml
index b1e62e2e..f1d49b8a 100644
--- a/.github/workflows/os_hardening_vm.yml
+++ b/.github/workflows/os_hardening_vm.yml
@@ -46,6 +46,7 @@ jobs:
 - ubuntu2204
 - debian10
 - debian11
+ # - debian12 # waiting for https://github.com/lavabit/robox/pull/274
 - opensuse15
 # - arch # needs fix for audit
 steps:
diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml
index ea6537de..ae86418b 100644
--- a/.github/workflows/ssh_hardening.yml
+++ b/.github/workflows/ssh_hardening.yml
@@ -46,6 +46,7 @@ jobs:
 - ubuntu2204
 - debian10
 - debian11
+ - debian12
 - amazon2023
 - arch
 # - opensuse_tumbleweed # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml
index af69e403..ce99f41f 100644
--- a/.github/workflows/ssh_hardening_custom_tests.yml
+++ b/.github/workflows/ssh_hardening_custom_tests.yml
@@ -46,6 +46,7 @@ jobs:
 - ubuntu2204
 - debian10
 - debian11
+ - debian12
 - amazon2023
 - arch
 # - opensuse_tumbleweed # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
diff --git a/README.md b/README.md
index 789b37cf..d237e05e 100644
--- a/README.md
+++ b/README.md
@@ -11,9 +11,9 @@ This collection provides battle tested hardening for:
 - Linux operating systems:
- - CentOS 7
- - Rocky Linux 8
- - Debian 10/11
+ - CentOS 7/8/9
+ - Rocky Linux 8/9
+ - Debian 10/11/12
 - Ubuntu 18.04/20.04/22.04
 - Amazon Linux (some roles supported)
 - Arch Linux (some roles supported)
diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml
index 58e6d679..8641874b 100644
--- a/molecule/os_hardening/verify.yml
+++ b/molecule/os_hardening/verify.yml
@@ -7,6 +7,10 @@
 https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
 no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
 tasks:
+ - name: set ansible_python_interpreter to "/usr/bin/python3"
+ set_fact:
+ ansible_python_interpreter: "/usr/bin/python3"
+
 - name: include verification tasks
 ansible.builtin.include_tasks:
 file: "{{ item }}"
diff --git a/molecule/os_hardening/verify_tasks/pam.yml b/molecule/os_hardening/verify_tasks/pam.yml
index 62bdb330..c71cae01 100644
--- a/molecule/os_hardening/verify_tasks/pam.yml
+++ b/molecule/os_hardening/verify_tasks/pam.yml
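Review bot: The new `set_fact` that pins `ansible_python_interpreter` in molecule/os_hardening/verify.yml gives no reason for overriding interpreter discovery, and nothing in the hunk shows which platform needed it, so the next maintainer has no way to tell whether it can be dropped. A one-line comment above the task would settle that, e.g. `# force /usr/bin/python3 for this play's tasks; discovery was not sufficient on <platform — confirm>`. Note that the fact only takes effect for tasks after this point in the play, which holds here because the include_tasks follows it.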
@@ -1,9 +1,17 @@
 ---
-- name: download pam-tester
- get_url:
- url: https://github.com/schurzi/pam-tester/releases/download/latest/pam-tester
- dest: /bin/pam-tester
- mode: 0555
+
+- name: install pip
+ package:
+ name:
+ - python3-pip
+ - python3-setuptools
+ state: present
+
+- name: install pam-tester
+ ansible.builtin.pip:
+ name: pam-tester
+ state: present
+ executable: /usr/bin/pip3
 - name: set password for test
 set_fact:
@@ -23,7 +31,7 @@
 - name: check successful login with correct password
 shell:
- cmd: "pam-tester --user testuser --password {{ test_pw }}"
+ cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
 environment:
 TMPDIR: /var/tmp
 LC_ALL: "{{ locale | default('C.UTF-8') }}"
@@ -31,7 +39,7 @@
 - name: check unsuccessful login with incorrect password
 shell:
- cmd: "pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
+ cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
 environment:
 TMPDIR: /var/tmp
 LC_ALL: "{{ locale | default('C.UTF-8') }}"
@@ -40,7 +48,7 @@
 - name: check unsuccessful login, with correct password (lockout)
 shell:
- cmd: "pam-tester --user testuser --password {{ test_pw }} --expectfail"
+ cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }} --expectfail"
 environment:
 TMPDIR: /var/tmp
 LC_ALL: "{{ locale | default('C.UTF-8') }}"
@@ -52,7 +60,7 @@
 - name: check successful login
 shell:
- cmd: "pam-tester --user testuser --password {{ test_pw }}"
+ cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
 environment:
 TMPDIR: /var/tmp
 LC_ALL: "{{ locale | default('C.UTF-8') }}"
diff --git a/molecule/os_hardening_vm/verify_tasks/pam.yml b/molecule/os_hardening_vm/verify_tasks/pam.yml
index 62bdb330..bfbb7a3b 100644
--- a/molecule/os_hardening_vm/verify_tasks/pam.yml
+++ b/molecule/os_hardening_vm/verify_tasks/pam.yml
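Review bot: The new `ansible.builtin.pip` task installs `pam-tester` with neither a version pin nor hash verification, so every CI run fetches and executes whatever PyPI currently serves under that name on the test host; the matching hunk in molecule/os_hardening_vm/verify_tasks/pam.yml has the same gap. Pin it, `name: "pam-tester==<PINNED_VERSION>"` (placeholder), and if the project wants integrity checking as well, move it to a requirements file installed with `extra_args: --require-hashes`. On Debian 12 the distro `pip3` refuses to install into the system interpreter (PEP 668) unless the image removes that marker, so `extra_args: --break-system-packages` or a `virtualenv:` may be needed for the debian12 job this commit enables — worth confirming. The vm variant also omits `executable: /usr/bin/pip3`, so the two files can resolve different interpreters; they should agree.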
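Review bot: The `cmd:` lines rewritten in this hunk and in the -31, -40 and -52 hunks hard-code `/usr/local/bin/pam-tester`, which is only where pip places console scripts on Debian/Ubuntu-style layouts; on Arch, which the os_hardening workflow matrix includes, pip installs into `/usr/bin` as far as I know, so the absolute path would not exist there. Each task already carries an `environment:` block, so keeping the bare `pam-tester` and adding `PATH: "/usr/local/bin:{{ ansible_env.PATH }}"` to that block covers both layouts with one line per task. The surrounding task list continues outside these hunks.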
@@ -1,9 +1,15 @@
 ---
-- name: download pam-tester
- get_url:
- url: https://github.com/schurzi/pam-tester/releases/download/latest/pam-tester
- dest: /bin/pam-tester
- mode: 0555
+- name: install pip
+ package:
+ name:
+ - python3-pip
+ - python3-setuptools
+ state: present
+
+- name: install pam-tester
+ ansible.builtin.pip:
+ name: pam-tester
+ state: present
 - name: set password for test
 set_fact: