* add remaining platforms to test
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove unnecessary tasks for test
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use current opensuse version
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* disable sysctl for missing yama in opensuse
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* rewrite user home dir hardening
* delete duplicate var that was missed in a merge conflict
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add tests for home rewrites
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Apply suggestions from code review
Co-authored-by: schurzi <github@drachen-server.de>
---------
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: donestefan <donestefan@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: schurzi <github@drachen-server.de>
* rewrite system account detection and hardening
* resolve failures created when resolving merge conflicts
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add tests for shell removal tasks
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Update molecule/os_hardening/prepare.yml
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* split tasks for locking and setting shell
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix some more linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
Co-authored-by: donestefan <donestefan@users.noreply.github.com>
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
* linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* more linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* change line length issues
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* replace yes with true in tasks
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* use manual line-wrapping because ansible-lint does not support it correctly.
see https://github.com/ansible/ansible-lint/issues/2522
* use manual line-wrapping because ansible-lint does not support it correctly.
see https://github.com/ansible/ansible-lint/issues/2522
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* use manual line-wrapping because ansible-lint does not support it correctly.
see https://github.com/ansible/ansible-lint/issues/2522
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add exception for task
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove trailing whitespace
* add back deleted params
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add back deleted params
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add back tasks
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Preserve default ownership and dir mode for /var/log on Ubuntu
Signed-off-by: stdtom <stdtom@gmx.net>
* linting
Signed-off-by: stdtom <stdtom@gmx.net>
* Define vars for each OS instead of using defaults.
Signed-off-by: stdtom <stdtom@gmx.net>
* Fix values for os_mnt_var_log_dir_mode and os_mnt_var_log_group
Signed-off-by: stdtom <stdtom@gmx.net>
Signed-off-by: stdtom <stdtom@gmx.net>
* add verify-task to check if mysql is running and enabled
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Update molecule/mysql_hardening/verify_tasks/service.yml
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
* Update main.yml
fixes the handler file and sets the new syntax
Signed-off-by: Jacob Sievert <jacob.sievert@sievert-mail.de>
* changes command module from legacy to builtin.
Signed-off-by: Jacob Sievert <jacob.sievert@sievert-mail.de>
Signed-off-by: Jacob Sievert <jacob.sievert@sievert-mail.de>
* Allow ssh_allow_tcp_forwarding to be a boolean
Signed-off-by: Cristian Baldi <cristian.baldi@scrive.com>
* Update documentation related to ssh_allow_tcp_forwarding
Signed-off-by: Cristian Baldi <cristian.baldi@scrive.com>
Signed-off-by: Cristian Baldi <cristian.baldi@scrive.com>
This role fails with `The task includes an option with an undefined variable` on OpenBSD because `distribution_major_version` is not set on OpenBSD.
We should either default to "" if the variable is not set, or remove `vars/OpenBSD.yml`. I would prefer the former :)
Signed-off-by: Dennis Eriksen <d@ennis.no>
Signed-off-by: Dennis Eriksen <d@ennis.no>
* rework filesystem hardening
- removed a lot of duplicated code by using a loop
- added new hardening options for /tmp
- added new options "passno" and "dump" for every filesystem.
currently ansible changes those values to 0 for every fs
new default depends on fstype, can be overwritten in config
- removed default fstype in config
the type will now be autodetected, can be overwritten in config
- mount src setting is now optional
the source will now be autodetected, can be overwritten in config
- it is now checked whether it is really a mount
- changed fs reload to handler
- removed check os_auditd_enabled on /var/log/audit
Signed-off-by: divialth <65872926+divialth@users.noreply.github.com>
* fix lint errors
Signed-off-by: divialth <65872926+divialth@users.noreply.github.com>
* implemented the name suggestions
Signed-off-by: divialth <65872926+divialth@users.noreply.github.com>
Signed-off-by: divialth <65872926+divialth@users.noreply.github.com>
add option to whitelist specific users that need a .netrc file in their home dirs
add test for .netrc files if option os_netrc_enabled is false
Signed-off-by: Philipp Funk <philipp.funk@t-systems.com>
Signed-off-by: Philipp Funk <philipp.funk@t-systems.com>
Co-authored-by: Philipp Funk <philipp.funk@t-systems.com>
* Include Debian 11 into Molecule test suites (#527)
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Fix Ansible Lint GitHub Action version (#527)
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Update .gitignore
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* mysql_hardening: Use Python 3 as Ansible interpreter (#527)
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Note Debian 11 support for os_hardening & nginx_hardening (#527)
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Fix lint issues & Ansible Lint configuration in CI
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Try to fix YAML lint issues, again
Re-ordered YAML comments at the end of `.yamllint` file.
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* rm debian9 from tests, add debian 11 where missing
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* fix mysql molecule tests
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add VM tests for ssh_hardening
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove VM tests from ssh_hardening
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* run ssh_hardening test as unprivileged user
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add link for documentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use different config
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove become
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* re-add become
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move become into role
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* indentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* try args apply
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix linting
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add documentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
```
Unable to open /var/log/audit/audit.log (Permission denied)
```
This PR fixes the issue by using the default permission set by auditd (`0700`).
Signed-off-by: Benedikt Böhm <bb@xnull.de>
* Only run hardening if /var/log/audit exists
Signed-off-by: GitHub <noreply@github.com>
* Update roles/os_hardening/tasks/minimize_access.yml
* add more conditionals to when auditd should be hardened
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add more tests to the os-hardening vm tests
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Revert "add more tests to the os-hardening vm tests"
This reverts commit c05fe8b520.
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>