Commit graph

1461 commits

Author SHA1 Message Date
schurzi
103135ce9a fix task naming
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-03-11 17:21:32 +01:00
Farid Joubbi
4158e0bfb4 Created a list of files/dirs to be looped instead of two tasks per file/dir.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-03-11 16:54:25 +01:00
Farid Joubbi
4bad4779cd Fixed copy-paste error by doing og-rwx instead of numerical.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-02-22 22:13:18 +01:00
Farid Joubbi
91a0d62305 Ensure permissions on /etc/crontab are configured. #375
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-02-19 23:19:00 +01:00
Farid Joubbi
60d24db460 Ensure permissions on /etc/crontab are configured. #375
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-02-19 22:40:16 +01:00
dev-sec CI
90e0ce7c6b update changelog 2021-02-17 10:37:06 +00:00
schurzi
8e4c22d8d9
remove FQCN from roles in examples (#404)
Ansible does not work with FQCN and collections specified for including
roles. It is currently expecting to only get the role name in this
context.

Verified with Ansible 2.10.5

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-17 11:34:37 +01:00
dev-sec CI
2a4b98ab4a update changelog 2021-02-15 10:26:19 +00:00
schurzi
5d55d29fe2
Merge pull request #403 from wzzrd/gssapi_client_support
Extend GSSAPI configuration support to ssh_config
2021-02-15 11:23:57 +01:00
Martin Schurz
64713ce75d add default for new variable
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-15 11:17:01 +01:00
Maxim Burgerhout
54c8e6aedb Split off ssh_gssapi_delegation into own variable
Signed-off-by: Maxim Burgerhout <maxim@wzzrd.com>
2021-02-14 22:07:33 +01:00
Maxim Burgerhout
8baab7516e Extend GSSAPI configuration support to ssh_config
Previously, the ssh_gssapi_support variable only toggled the GSSAPI
settings in sshd_config.

Through this change, setting ssh_gssapi_support to true also enables
support in ssh_config.

It enables both authentication and credential delegation.

Signed-off-by: Maxim Burgerhout <maxim@wzzrd.com>
2021-02-12 13:10:35 +01:00
dev-sec CI
70cd7bbf1e update changelog 2021-02-10 15:07:15 +00:00
Sebastian Gumprich
6be31fbc3b
do not install mysql python package on target host (#401)
this package has to be installed on the host that executes the task

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-02-10 15:57:51 +01:00
Sebastian Gumprich
756839f8f0
make wrong password fail task (#400)
* make wrong password fail task

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add name to fail task

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-02-10 15:55:08 +01:00
Sebastian Gumprich
c55c1f21ed
add restart handler variable for mysql role (#399)
* add restart handler variable for mysql role

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add prettierignore file to ignore CHANGELOG

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-02-10 15:54:57 +01:00
dev-sec CI
8d3e452ce3 update galaxy.yml with new version 2021-02-10 13:02:01 +00:00
dev-sec CI
d8ea484f92 update changelog 2021-02-10 12:51:07 +00:00
schurzi
a98876b350
update ansible-lint to version 5 (#397)
* add ansible to requirements

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* trigger run

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* update noqa for ansible-lint 5

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-10 13:47:01 +01:00
dev-sec CI
6d369739e4 update changelog 2021-02-10 11:59:07 +00:00
schurzi
2b39258d47
Merge pull request #395 from Normo/update-galaxy-version
fix galaxy action to update local galaxy.yml
2021-02-10 12:56:53 +01:00
Martin Schurz
75a8aca905 fix galaxy action to update local galaxy.yml
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-10 12:53:02 +01:00
Norman Ziegner
b26b4e090c
Bump collection version from 7.0.0 to 7.1.1
Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>
2021-02-10 10:11:15 +01:00
Norman Ziegner
f035053381
Only set default for ssh host key files when hardening the server (#393)
Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>
2021-02-09 10:01:41 +01:00
rndmh3ro
0cfdb1954e Prettified Code! 2021-02-09 08:45:31 +00:00
Norman Ziegner
614662b99d
Add variable to specify host rsa key size (#394)
Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>
2021-02-09 09:44:55 +01:00
dev-sec CI
a17f4a6f45 update changelog 2021-02-05 19:42:47 +00:00
schurzi
30f03bc124
Merge pull request #390 from dev-sec/fix_docs
fix minimum required ansible version in docs
2021-02-05 20:40:42 +01:00
schurzi
40bc23d7da Prettified Code! 2021-02-05 19:39:43 +00:00
Martin Schurz
c6114278a1 fix minimum required ansible version in docs
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-05 20:39:04 +01:00
dev-sec CI
e833d1dce4 update changelog 2021-02-05 18:46:35 +00:00
schurzi
4b0819349d
use fqcn for community.crypto.openssh_keypair module (#389)
this fixes a problem with Ansible 2.9 where the default openssh_keypair
is not supporting every option we need

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-05 19:44:23 +01:00
dev-sec CI
2f9cd82615 update changelog 2021-02-02 10:02:38 +00:00
schurzi
9db01d5fbe
Merge pull request #386 from dev-sec/changelog_gen_v1
use version tag for changelog action
2021-02-02 11:00:11 +01:00
Martin Schurz
e4b0801d22 use version tag for changelog action
Referencing actions by the short SHA will be deprecated soon

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-02 10:58:52 +01:00
dev-sec CI
67c40dc021 update changelog 2021-01-22 13:57:21 +00:00
dev-sec CI
9c17f0f7c3 update changelog 2021-01-22 12:59:34 +00:00
schurzi
8a1064ded4
make release workflow manually runnable (#384)
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-01-22 13:57:20 +01:00
dev-sec CI
29b72ea277 update changelog 2021-01-22 11:37:26 +00:00
schurzi
6e84f53a75
run labeler workflow with higher privileges (#383)
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-01-22 12:34:59 +01:00
schurzi
7a560b3d38
remove issue labels from changelog (#382)
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-01-22 12:34:51 +01:00
schurzi
66feb7c2ad
Merge pull request #380 from mpraeger/feature/host_certificates
add Support for OpenSSH HostCertificate config option
2021-01-22 10:43:32 +01:00
Maximilian Praeger
4399d3f885 removed: unnecessary conditional
Signed-off-by: Maximilian Praeger <mpraeger@users.noreply.github.com>
2021-01-22 07:24:54 +01:00
Maximilian Praeger
6b55b9619c added: comment for HostCertificate
Signed-off-by: Maximilian Praeger <mpraeger@users.noreply.github.com>
2021-01-22 07:24:54 +01:00
Maximilian Praeger
8f7bae533c fixed: add empty line after HostCertificate loop
Signed-off-by: Maximilian Praeger <mpraeger@users.noreply.github.com>
2021-01-22 07:24:54 +01:00
Maximilian Praeger
9853c7ea45 added: defaults for ssh_host_certificates
Signed-off-by: Maximilian Praeger <mpraeger@users.noreply.github.com>
2021-01-22 07:24:54 +01:00
Maximilian Praeger
6e9247bde3 added: support for HostCertificate in sshd conf file
Signed-off-by: Maximilian Praeger <mpraeger@users.noreply.github.com>
2021-01-22 07:24:53 +01:00
Sina Tak Tehrani
ef31838fa2
Regenerate RSA key with size 4096 bits (#376)
* regenerate RSA key with size 4096 bits

Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>

* fixed lint problem

Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>

* fixed E301 lint error

Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>

* added host keys related vars

Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>

* used openssh_keypair module

Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>

* changed RSA private key mode to 0640

Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>

* specified condition to prevent wrong file mode on debian-based OS

Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
2021-01-21 13:38:48 +01:00
schurzi
f010b9a17e
Merge pull request #378 from joubbi/iwashere
Added comment on top of templates about which role manages the file
2021-01-20 11:42:38 +01:00
Martin Schurz
0600cdae75 add "role" to comment
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-01-20 11:23:40 +01:00