The tasks `Change shadow ownership to root and mode to 0600` and `Change
passwd ownership to root and mode to 0644` only handle
`/etc/shadow` and `/etc/passwd` respectively. But there are multiple
adjacent files that should be handled with these rules as well:
- `/etc/gshadow`
- `/etc/shadow-`
- `/etc/gshadow-`
- `/etc/group`
- `/etc/shadow-`
- `/etc/group-`
This change adds those files to the rules, so that permissions are
handled in the same way.
Closes: #488
Signed-off-by: Claudius Heine <ch@denx.de>
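One way to express the rule described above for the whole family of account database files, as an added Ansible illustration rather than the collection's own tasks. It assumes the shadow-type files (`shadow`, `shadow-`, `gshadow`, `gshadow-`) take the 0600 rule and the passwd-type files (`passwd`, `group`, `group-`, plus `passwd-`, which the message above does not list) take the 0644 rule, and it first checks existence because the `-` backup copies are absent on a freshly installed host.

```yaml
# Added example, not the collection's own task file. The split of files into
# the 0600 and 0644 groups, and the inclusion of /etc/passwd-, are assumptions.
- name: Check which account database files exist
  ansible.builtin.stat:
    path: "{{ item.path }}"
  loop:
    # world-readable account databases: contain no secrets
    - { path: /etc/passwd,   mode: "0644" }
    - { path: /etc/passwd-,  mode: "0644" }
    - { path: /etc/group,    mode: "0644" }
    - { path: /etc/group-,   mode: "0644" }
    # password hashes and their backup copies: root only
    - { path: /etc/shadow,   mode: "0600" }
    - { path: /etc/shadow-,  mode: "0600" }
    - { path: /etc/gshadow,  mode: "0600" }
    - { path: /etc/gshadow-, mode: "0600" }
  loop_control:
    label: "{{ item.path }}"
  register: account_db_files

- name: Enforce root ownership and mode on the files that exist
  ansible.builtin.file:
    path: "{{ item.item.path }}"
    owner: root
    group: root
    mode: "{{ item.item.mode }}"
  # item.item is the original loop entry; item.stat comes from the stat task,
  # so backup copies that were never written are skipped instead of failing.
  loop: "{{ account_db_files.results }}"
  loop_control:
    label: "{{ item.item.path }} -> {{ item.item.mode }}"
  when: item.stat.exists
```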
* fix filter error in ansible.builtin.file mode parameter
* Change cinc supermarket
* fix link to baseline
* fix typo
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* [mysql_hardening] Allow setting the mysql_distribution
On some operating systems, the package for MySQL is not `mysql-server`,
and so the default check for this will not yield the correct result.
This change adds an escape hatch by letting the user set
`mysql_distribution`. Additionally, it verifies that it is set to a
legal value if the user has set it.
Closes #472
Signed-off-by: Shawn Wilsher <656602+sdwilsh@users.noreply.github.com>
* Update roles/mysql_hardening/tasks/main.yml
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* Add CVE-2021-33909 mitigations
kernel.unprivileged_bpf_disabled: 1
kernel.unprivileged_userns_clone: 0
The first one is also used by Tails.
Signed-off-by: Paweł Krawczyk <616047+kravietz@users.noreply.github.com>
* Clean up whitespaces
Signed-off-by: Paweł Krawczyk <616047+kravietz@users.noreply.github.com>
* Add Configuration of password remember
and set default to 60
see Telekom 2021.07-01 SoC 3.01 Req 25 and SoC 3.65 Req46
Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>
* set default for password remember back to 5
Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>
* readme default for password remember back to 5
Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>
* add SUB_UID_MIN/MAX/COUNT, SUB_GID_MIN/MAX/COUNT
Similar reason as #461
> If /etc/subuid exists, the commands useradd and newusers (unless the user already have subordinate user IDs)
> allocate SUB_UID_COUNT unused user IDs from the range SUB_UID_MIN to SUB_UID_MAX for each new user.
> The default values for SUB_UID_MIN, SUB_UID_MAX, SUB_UID_COUNT are respectively 100000, 600100000 and 65536.
Signed-off-by: Leo Gallucci <elgalu3@gmail.com>
* document SUB_UID_MIN/MAX/COUNT, etc
Signed-off-by: Leo Gallucci <elgalu3@gmail.com>
* use os_family instead of distribution for debian systems
Signed-off-by: rndmh3ro <github@gumpri.ch>
* remove tasks related to rhel6 or debian 6
Signed-off-by: rndmh3ro <github@gumpri.ch>
* add rocky linux 8 tests and make sure that all relevant tasks are executed
Signed-off-by: rndmh3ro <github@gumpri.ch>
* fix missing quote
Signed-off-by: rndmh3ro <github@gumpri.ch>
When our collection is used with tags, the os dependent variables are
not resolved. This task should run every time, so the behaviour is
correct.
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
When `import_tasks` is used, the task `Fetch OS dependent variables`
always runs, even when excluded by an upstream tag.
When `Fetch OS dependent variables` runs while excluded via tags, it
will always fail with the following.
```
fatal: [alpha]: FAILED! => {"msg": "No file was found when using first_found. Use errors='ignore' to allow this task to be skipped if no files are found"}
```
This brings os_hardening's main.yml in line with ssh_hardening's
main.yml, which doesn't have this issue.
Signed-off-by: Colin Adler <colin@coder.com>
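The pattern the two commit messages above are concerned with, as an added Ansible illustration and not the collection's actual `main.yml`: the OS-variable task carries `tags: always` so it still runs when the play is tag-filtered, the `first_found` candidate list ends in a fallback file so the lookup cannot raise the error quoted above, and the sub-task files are pulled in with the dynamic `include_tasks` rather than the static `import_tasks`. File names, the `vars` directory and `sysctl.yml` are assumptions.

```yaml
# Added illustration, not the collection's main.yml. Paths are assumptions.
- name: Fetch OS dependent variables
  ansible.builtin.include_vars:
    file: "{{ item }}"
    name: os_vars
  with_first_found:
    - files:
        - "{{ ansible_facts['distribution'] }}_{{ ansible_facts['distribution_major_version'] }}.yml"
        - "{{ ansible_facts['distribution'] }}.yml"
        - "{{ ansible_facts['os_family'] }}.yml"
        - default.yml    # always shipped, so first_found never comes up empty
      paths:
        - vars
  # Every hardening task below reads os_vars, so this must run even when the
  # operator limits the run with --tags; 'always' is the only tag that does that.
  tags: always

# include_tasks is evaluated at run time: tags on this task decide whether the
# whole file runs. With import_tasks the file is spliced in at parse time and the
# tags are copied onto each imported task, so a task tagged 'always' inside the
# imported file still runs when the enclosing import was skipped by tag.
- name: Apply sysctl hardening
  ansible.builtin.include_tasks: sysctl.yml
  tags: sysctl
```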
* added version check for MariaDB in Query
MariaDB Uses the authentication_string field since 10.4.0, added this in version check in query for users to delete
Signed-off-by: Martin Neubert <martin.neubert@t-systems.com>
* Update roles/mysql_hardening/tasks/mysql_secure_installation.yml
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* Update roles/mysql_hardening/tasks/mysql_secure_installation.yml
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* ssh: Client HostKeyAlgorithms configuration variable
Introduce a new variable ssh_client_host_key_algorithms to be able to configure
it for the client like for the server.
This fixes #441
Signed-off-by: Paul Seidler <705535+sepek@users.noreply.github.com>
* sshd: Adapt the ssh_host_key_algorithms description
Linking to the latest version may lead to a broken config so be a bit more
dynamic
Signed-off-by: Paul Seidler <705535+sepek@users.noreply.github.com>
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
install collection in molecule
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
remove deprecated ubuntu 16.04 from tests
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Ansible does not work with FQCN and collections specified for including
roles. It is currently expecting to only get the role name in this
context.
Verified with Ansible 2.10.5
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
Previously, the ssh_gssapi_support variable only toggled the GSSAPI
settings in sshd_config.
Through this change, setting ssh_gssapi_support to true also enables
support in ssh_config.
It enables both authentication and credential delegation.
Signed-off-by: Maxim Burgerhout <maxim@wzzrd.com>
* make wrong password fail task
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add name to fail task
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add restart handler variable for mysql role
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add prettierignore file to ignore CHANGELOG
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add ansible to requirements
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* trigger run
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* update noqa for ansible-lint 5
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
This fixes a problem with Ansible 2.9 where the default openssh_keypair
is not supporting every option we need
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* regenerate RSA key with size 4096 bits
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* fixed lint problem
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* fixed E301 lint error
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* added host keys related vars
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* used openssh_keypair module
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* changed RSA private key mode to 0640
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* specified condition to prevent wrong file mode on debian-based OS
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* Enabled SYN cookie sysctl.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Removed SYN cookies from here since it's a default now.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* make auditd 'max_log_file' configurable
Signed-off-by: Thomas Gueldner <T.Gueldner@t-systems.com>
* fix documentation for os_auditd_max_log_file
Signed-off-by: Thomas Gueldner <T.Gueldner@t-systems.com>
* change inclusion of os specific defaults
we now include the os specific options into a separate variable and
merge this with the default ansible namespace, when the corresponding
keys do not already exist (e.g. are defined by default or by user)
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* simplify check for os specific variables
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add test for variable override
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move tests to verify stage
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct grep
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* linting
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix typo
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* Revert "Merge pull request #351 from sprat/fix-umask"
This reverts commit 9e8e0bc8fb, reversing
changes made to 98c7553016.
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move immutable ssh vars to internal vars
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move vars to OS files
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* change default handling for all roles
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix issues
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add documentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* Update main.yml
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* Removed Protocol statement in later versions of sshd, since the code for SSH-1 has been removed in sshd.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Prettified the generated ssh_config. No functional changes, removed spaces and orphan comments.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Removed Protocol statement in later versions of sshd, since the code for SSH-1 has been removed in sshd.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Removed blank lines and prettified ssh_config.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Added note about setting sshd_authenticationmethods if ssh_server_password_login.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Backticked true.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
Due to the new kitchen-ansible version it is now
possible to install ansible on all major OSes via an
ansible omnibus script which is provided by
kitchen ansible. There's no more need to separate
the debian tests.
Also removed whitespace.
This change adds the following:
- it checks whether selinux is in "Enforcing" mode
- when selinux is enforcing, it copies a new selinux-policy to the host
- this policy allows sshd to read the shadow-file directly, which is forbidden by selinux otherwise
- the policy is then compiled, a package is created and the policy is installed
- when selinux is enforcing, pam is used and the policy is not disabled, it gets removed,
because it's considered a security risk. see here: http://danwalsh.livejournal.com/12333.html
* This role uses the Jinja2 `join` filter quite creatively, please fix this. This patch fixes one instance.
* Make full use of Jinja2 features. E.g. use `if ansible_os_family in ['Oracle Linux', 'RedHat']` for example. This patch fixes one instance.
* Fixed spelling.
* Removed whitespace.
- This change alters the black- and white-listed list for
suid/sgid-management to be a proper yaml-formatted list.
- Furthermore "follow symlinks" was added to the tasks
that remove suid/sgid because otherwise the suid/sgid
from the link-targets would not be removed.