Commit graph

355 commits

Author SHA1 Message Date
Martin Schurz
0c8c96a535 collate for opensuse
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00
Martin Schurz
2f5360225b extend role check
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00
Martin Schurz
35df355248 add tests for roles
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00
Martin Schurz
ec8811acdf use like to coerce collation
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00
Martin Schurz
6681e0b319 correct query
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00
Martin Schurz
79dc1d5474 check mode for status var
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00
Martin Schurz
8f516018b6 trigger workflow
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00
Martin Schurz
216b56f468 lint
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:36:26 +01:00
Martin Schurz
36715017d7 use separate task for role detection
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:36:26 +01:00
Martin Schurz
2c18d3afda use if for role detection
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-11-11 15:34:34 +01:00
Sebastian Gumprich
bd721317d2 try to fix IS_ROLE
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-11-11 15:34:34 +01:00
Sebastian Gumprich
92e6cad463 try to fix IS_ROLE
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-11-11 15:34:34 +01:00
Sebastian Gumprich
66adae0faa try to fix IS_ROLE
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-11-11 15:34:34 +01:00
Sebastian Gumprich
dc583422bc try to fix IS_ROLE
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-11-11 15:34:33 +01:00
Sebastian Gumprich
4c5a5deec6 try to fix IS_ROLE
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-11-11 15:34:33 +01:00
Sebastian Gumprich
a6892904bf try to fix IS_ROLE
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-11-11 15:34:33 +01:00
Sebastian Gumprich
8d5143b5d7 try to fix IS_ROLE
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-11-11 15:34:33 +01:00
Sebastian Gumprich
0bf528d83b do not try to drop roles in mysql hardening
There's a new feature in mariadb 10.1 (https://mariadb.org/grant-to-public-in-mariadb/) and mysql 8 (need to verify).

    MariaDB has quite a complex privilege system. Most of it is based on the SQL Standard spec; however we do have some specific MariaDB extensions. GRANT ... TO PUBLIC (MDEV-5215) is a standard feature that is now available as a preview in MariaDB 10.11.0. It is related to ROLES and DEFAULT ROLE, but it covers a different use case.

    ROLES are effectively “privilege packages” that you can enable and disable as a user. One can also set which “privilege package” will be enabled at connect time by setting a DEFAULT ROLE per user. This is all quite useful, however it is missing one key feature. For a DBA, it would be quite useful to state only once that all users need to have a certain set of privileges. This is where GRANT ... TO PUBLIC comes in.

Some more information here: https://mariadb.org/wp-content/uploads/2018/07/MariaDB-Roles-Tampere-Unconference-2018.pdf

This role is shown as a user; it has, however, a new is_role flag.

MariaDB [(none)]> select user, host, is_role from mysql.user;
+-----------------------+-----------+---------+
| User                  | Host      | is_role |
+-----------------------+-----------+---------+
| mariadb.sys           | localhost | N       |
| root                  | localhost | N       |
| mysql                 | localhost | N       |
| PUBLIC                |           | Y       |
| monitoring            | %         | N       |
| monitoring            | localhost | N       |
| galera_mariadb_backup | %         | N       |
+-----------------------+-----------+---------+

Since this "user" does not have a password or authentication_string, the Ansible role tries to delete it but fails.

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-11-11 15:34:33 +01:00
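The misfire described in the commit above, and the exclusion that the later "do not try to drop roles" / "use if for role detection" commits move towards, as an added SQL example. This is not code from the commit or from the mysql_hardening role. It assumes a MariaDB 10.x server, where mysql.user carries an is_role column and roles such as PUBLIC show up as rows with an empty Host; the feature probe in step 2 is what lets the same check run on servers without that column. The role name in the last statement is a placeholder.

```sql
-- Added example (not part of the commit or the mysql_hardening role):
-- how a "password-less account" check misfires on MariaDB roles, and how
-- to exclude them. Assumes MariaDB 10.x, where mysql.user carries an
-- is_role column and roles such as PUBLIC appear as rows with Host = ''.

-- 1. Naive check: every row with neither a Password hash nor an
--    authentication_string looks like an account that can log in without
--    a password. On the server shown above this returns PUBLIC, because a
--    role has no credentials at all, and a following DROP USER then fails.
SELECT User, Host
  FROM mysql.user
 WHERE (Password = '' OR Password IS NULL)
   AND (authentication_string = '' OR authentication_string IS NULL);

-- 2. Portable feature probe: does this server expose is_role at all?
--    Returns 1 on MariaDB 10.0.5+ and 0 on MySQL, which has no such column,
--    so the caller can pick the right query instead of failing on an
--    unknown column. The "collate for opensuse" / "use like to coerce
--    collation" commits above work around a collation mismatch in this
--    string comparison on openSUSE; if it errors there, compare with LIKE
--    or an explicit COLLATE clause.
SELECT COUNT(*) AS has_is_role
  FROM information_schema.COLUMNS
 WHERE TABLE_SCHEMA = 'mysql'
   AND TABLE_NAME   = 'user'
   AND COLUMN_NAME  = 'is_role';

-- 3. Corrected check: restrict the scan to real accounts. Nobody can log in
--    as a role, so an empty credential on an is_role = 'Y' row is not a
--    finding and must not be fed to DROP USER.
SELECT User, Host
  FROM mysql.user
 WHERE is_role = 'N'
   AND (Password = '' OR Password IS NULL)
   AND (authentication_string = '' OR authentication_string IS NULL);

-- 4. Roles that are genuinely unwanted are removed with DROP ROLE, never
--    DROP USER; IF EXISTS keeps the statement idempotent for repeated runs.
--    'unused_role' is a placeholder name, not one from the commit.
DROP ROLE IF EXISTS unused_role;
```

Run step 2 first and branch on its result: only when has_is_role is 1 is step 3 valid SQL, otherwise fall back to step 1. That is the same split the "use separate task for role detection" commit makes in Ansible, and it is what keeps a hardening run from aborting on servers that predate roles.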
schurzi
da017fa880
Gather facts when os_hardening role is executed with tags (#708)
* Gather facts when os_hardening role is executed with tags

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* better when condition

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

---------

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-01 15:54:52 +01:00
dev-sec CI
ac7ef8aae6 update os_hardening readme 2023-10-26 08:43:45 +00:00
dev-sec CI
27a1f6e5e8 update ssh_hardening readme 2023-10-26 08:43:40 +00:00
dev-sec CI
e84b407c44 update nginx_hardening readme 2023-10-26 08:43:39 +00:00
Moritz
8252b82764
fix: roles-readme action default value (#706)
* fix: default value for push-branch

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* docs(ssh_hardening): meta arguments desc

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* fix: split checkout for forked repos in pull requests

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* fix: push not on pr and added diff

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

---------

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
2023-10-26 10:43:10 +02:00
Moritz
1b0576695e
feat: workflow for roles readme (#705)
* chore: added aar_doc config

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* feat: added initial state of roles readme workflow

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* fix: runs on

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* fix: install poetry

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* feat: loop over all roles and install poetry with pip

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* fix: working dir for poetry run

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* fix: cli path

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* chore: scale down matrix loop for testing

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* fix: poetry run for py execution command

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* fix: work dir for poetry run

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* fix: cli.py path

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* fix: roles path

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* feat: push readme

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* fix: on push branch master

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* fix: uncomment other roles

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* chore: limit trigger to master and arguments

Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* fix: push branch name

Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* refactor: simplify steps

Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* style: linting and styling

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* chore: trigger for pull request

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* fix: push only if ref is master

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* chore: output diff of generated README

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* fix: push readme in pull request

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* docs: role var description text

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* fix: aar_doc roles path

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* fix: git diff

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* fix: fetch all history and changed diff branch

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* fix: run diff only for pr

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* fix: remove fetch-depth and switch to normal diff

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* fix: remove diff and set push-branch

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

* fix: head_ref with default ref_name for push-branch

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>

---------

Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
2023-10-25 15:10:02 +02:00
rndmh3ro
a08a057f7b Prettified Code! 2023-10-23 10:24:09 +00:00
Sebastian Gumprich
787ac9bd54
fix some wrong defaults and types in the readmes (#703)
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@telekom.de>
2023-10-23 12:23:49 +02:00
schurzi
9c2f12561a
update links to new Ansible Galaxy (#702)
* update links to new Ansible Galaxy

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* remove dead link

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

---------

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-10-16 20:56:13 +02:00
Nejc Habjan
35d87aa678
Fix typo in login.defs.j2
Signed-off-by: Nejc Habjan <nejc.habjan@siemens.com>
2023-10-08 14:15:16 +02:00
rndmh3ro
965c9326d0 Prettified Code! 2023-08-24 13:22:18 +00:00
Sebastian Gumprich
9c5b619149
fix descriptions in readme (#693)
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@telekom.de>
2023-08-24 15:21:57 +02:00
Thibault Soubiran
f602bc621a
feat: customize user paths default. Resolves: #689 (#692)
Signed-off-by: Thibault Soubiran <thibault.soubiran@protonmail.com>
2023-08-24 14:02:23 +02:00
rndmh3ro
c1a0bcbe9d Prettified Code! 2023-08-07 12:31:26 +00:00
Sebastian Gumprich
f295397611
add role argument spec for os, ssh, mysql (#687)
* add role argument spec for os, ssh, mysql

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add role argument spec for os, ssh, mysql

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* remove variable in variable as it cannot be used in argument spec

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* fix wrong syntax

* fix spelling errors

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* cannot use vars before arg-spec validation

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* yamllint the arg-spec

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add back variable

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* remove redundant setting in tests

* fix descriptions in mysql hardening to better reflect what they do

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* remove duplicate empty line

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* set correct defaults on to ssl options

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* remove left-over hidepid argument spec

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* remove license and author infos, this lives in the collection readme

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* fix styling

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* update some descriptions and sort them in the readme

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* some more linting

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

---------

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-08-07 14:30:59 +02:00
Dennis Lerch
6bcdb253ec
auditd: add possibility to override config template (#685)
* make template overrideable

by referencing the auditd.conf.j2 template, a custom template can be provided to the role.

Signed-off-by: Dennis Lerch <dennis.lerch@mercedes-benz.com>

* extend auditd config

make freq and log_file configurable
implement write_logs with its default value in order to be able to disable log writing

Signed-off-by: Dennis Lerch <dennis.lerch@mercedes-benz.com>

* Extend README.md documentation by new variables

reorder `os_auditd_log_format` to keep sequence from defaults

Signed-off-by: Dennis Lerch <dennis.lerch@mercedes-benz.com>

---------

Signed-off-by: Dennis Lerch <dennis.lerch@mercedes-benz.com>
2023-07-24 11:34:47 +02:00
Nejc Habjan
dd215ba310
feat: explicitly support Fedora 37 and 38 (#682)
Signed-off-by: Nejc Habjan <nejc.habjan@siemens.com>
2023-06-12 14:18:32 +02:00
Sebastian Gumprich
f56d80b5d8
Replace ssh_keys group in Fedora with root (#677)
* Replace ssh_keys group in Fedora with root

In Fedora 38, the `ssh_keys` group was removed. root is used now, in accordance with upstream.

See: https://www.spinics.net/lists/fedora-devel/msg307707.html
See: https://src.fedoraproject.org/rpms/openssh/pull-request/37#

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* change host key mode and owner in fedora and rhel9

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add missing host mode for rhel7

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* harden all ssh host keys

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* skip linting rule

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* correct grp for bsd is wheel

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

---------

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-06-10 08:04:04 +02:00
Sebastian Gumprich
7e6a715692
setting gets ignored (#680)
see: https://github.com/authselect/authselect/issues/223

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-05-26 14:10:49 +02:00
junicast
f3337f33b3
Add oddjob mkhomedir option rhel pam (#675)
* added support for oddjob mkhomedir via optional var

* optimized conditional

* added variable description

Signed-off-by: Jochen Demmer <jochen.demmer@noris.de>

* added support for oddjob mkhomedir via optional var

Signed-off-by: Jochen Demmer <jochen.demmer@noris.de>

* optimized conditional

Signed-off-by: Jochen Demmer <jochen.demmer@noris.de>

* added variable description

Signed-off-by: Jochen Demmer <jochen.demmer@noris.de>

---------

Signed-off-by: Jochen Demmer <jochen.demmer@noris.de>
Co-authored-by: Jochen Demmer <jochen.demmer@noris.de>
2023-05-23 11:19:40 +02:00
Andreas Wagner
d7bda7ca3a
expand on check conditions for non-file locations of logs (#674)
Co-authored-by: whysthatso <git@whysthatso.net>
2023-05-22 15:53:33 +02:00
schurzi
1cce7bca9a
Merge pull request #662 from dev-sec/codespell
add spellchecking with codespell
2023-04-17 09:47:53 +02:00
Martin Schurz
7259d6b5fd fix spelling errors
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-14 23:51:53 +02:00
Martin Schurz
eb47f4dce0 Merge branch 'master' into min_ansible_ver 2023-04-12 22:22:36 +02:00
Martin Schurz
0014a3be36 update metadata
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-12 20:18:29 +02:00
Martin Schurz
a5a065f880 shorten text
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-11 07:49:38 +02:00
Martin Schurz
bc9795c215 add noqa for linter
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-11 07:37:07 +02:00
Martin Schurz
ea922f6dca fix lint error
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-10 23:49:52 +02:00
Martin Schurz
001900ac35 require ansible.builtin.user to be at least 2.11 since options are needed
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-10 23:42:27 +02:00
schurzi
29f8a2fb78
add testing for OpenBSD and FreeBSD (#642)
* add testing for OpenBSD and FreeBSD

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* make python work

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* remove jinja template ...

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* make verify work

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* correct verify

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* correct verify

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* correct verify

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* correct verify

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use right vm name for connect

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add a bit of documentation

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* remove sudo

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add weird OpenBSD workaround

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* make verify playbook more consistent

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* rename nonlinux to BSD

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use openbsd7 for testing

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* correct use openbsd7 everywhere

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add waivers

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* update waiver descriptions

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use docker for inspec

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* keep looking right ;)

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* correct path to waivers

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use ephemeral directory in docker

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use bsd inspec profile

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* remove openbsd workaround

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* re-add openbsd workaround

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* commit suggestions

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add supported OS to metadata

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use current python

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

---------

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-03-31 09:50:04 +02:00
schurzi
5ed3f399f2
add check mode to molecule tests (#644)
* add check mode to molecule tests

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* bail on undefined variables

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* bail on undefined variables

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* execute tasks in check mode

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* fix error in check mode on SuSE

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use when condition on task

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

---------

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-03-09 09:37:59 +01:00
George Bolo
3d0b6670d1
fixes #646 - add another condition to getent task (#647)
Signed-off-by: gbolo <george.bolo@gmail.com>
2023-03-06 12:07:40 +01:00