Commit graph

1661 commits

Author SHA1 Message Date
dev-sec CI
2e5e1de407 update changelog 2021-10-24 10:41:11 +00:00
schurzi
c1974282b1
add old role names to tags in Galaxy (#495)
We deprecated our roles in Ansible Galaxy. The deprecation link contains
a search keyword with the role name, and our new collection should be
found if someone clicks this link.

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-10-24 12:39:16 +02:00
dev-sec CI
09958ccb91 update changelog 2021-10-24 09:30:03 +00:00
schurzi
08b0fd14f4
Merge pull request #494 from dev-sec/sysctl-34
implement sysctl-34 - link protection settings
2021-10-24 11:21:14 +02:00
schurzi
ff37289879
Merge pull request #493 from dev-sec/rndmh3ro-patch-1
update minimum ansible version for roles
2021-10-24 11:09:37 +02:00
Sebastian Gumprich
9f372c285c
Update roles/os_hardening/defaults/main.yml
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
2021-10-24 10:59:49 +02:00
dev-sec CI
aaf6d307b8 update galaxy.yml with new version 2021-10-22 10:51:29 +00:00
dev-sec CI
3cd532fe41 update changelog 2021-10-21 07:53:07 +00:00
Claudius Heine
384c097f8a
feat(os_hardening): extend file permission tasks to cover more files (#489)
The tasks `Change shadow ownership to root and mode to 0600` and `Change
passwd ownership to root and mode to 0644` only handle
`/etc/shadow` and `/etc/passwd` respectively. But there are multiple
adjacent files that should be handled with these rules as well:

- `/etc/gshadow`
- `/etc/shadow-`
- `/etc/gshadow-`
- `/etc/group`
- `/etc/shadow-`
- `/etc/group-`

This change adds those files to the rules, so that permissions are
handled in the same way.

Closes: #488

Signed-off-by: Claudius Heine <ch@denx.de>
2021-10-21 09:51:20 +02:00
rndmh3ro
346b064682 implement sysctl-34 - link protection settings
Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-10-20 20:59:49 +02:00
Sebastian Gumprich
be0d501bc8 update minimum ansible version for roles
fixes #407

Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-10-20 20:42:05 +02:00
dev-sec CI
999e5fa210 update changelog 2021-10-18 19:14:34 +00:00
schurzi
215c8042ad
Merge pull request #490 from dev-sec/change_baseline_urlsa
change baseline urls to full zip-url
2021-10-18 21:04:05 +02:00
dev-sec CI
21ca7c533a update changelog 2021-10-18 18:57:06 +00:00
Sina Tak Tehrani
5debcc0c6f
fix filter error in ansible.builtin.file mode parameter (#486)
* fix filter error in ansible.builtin.file mode parameter

* Change cinc supermarket

* fix link to baseline

* fix typo

Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
2021-10-18 20:55:24 +02:00
rndmh3ro
92bd94a0cf change baseline urls to full zip-url
the other urls that use git don't work anymore

Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-10-18 20:28:19 +02:00
dev-sec CI
aea4499805 update galaxy.yml with new version 2021-10-15 13:46:33 +00:00
dev-sec CI
29945527b8 update changelog 2021-08-30 13:47:56 +00:00
ReinerNippes
e819f89ccb
ssh_allow_tcp_forwarding is not a boolean (#480)
Changed the comment to "Set to 'yes', 'no', 'local', 'all' or 'remote' to allow TCP Forwarding"
2021-08-30 15:46:03 +02:00
dev-sec CI
fcb7efc156 update changelog 2021-08-28 13:23:49 +00:00
Roger Meier
8fdb4e55b8
chore(ssh_hardening): set min_ansible_version to >=2.9.10 (#479) 2021-08-28 15:21:59 +02:00
rndmh3ro
8ff3d73bbf Prettified Code! 2021-08-25 10:58:16 +00:00
123quhiwiwk
062dd3f092
Use log_error/datadir from database settings instead of default variable (#478)
Signed-off-by: 123quhiwiwk <70281681+123quhiwiwk@users.noreply.github.com>
2021-08-25 12:57:46 +02:00
dev-sec CI
37cff01759 update changelog 2021-08-24 07:43:35 +00:00
123quhiwiwk
4671a32062
Execute check of error logfile permissions only when log_error is defined (#477)
Signed-off-by: 123quhiwiwk <70281681+123quhiwiwk@users.noreply.github.com>
2021-08-24 09:41:55 +02:00
dev-sec CI
78bab3f710 update changelog 2021-08-20 11:02:03 +00:00
Shawn Wilsher
3b33e0a7aa
[mysql_hardening] Setup defaults for MySQL on FreeBSD (#474)
Signed-off-by: Shawn Wilsher <656602+sdwilsh@users.noreply.github.com>
2021-08-20 13:00:12 +02:00
dev-sec CI
2ed9d8e9da update galaxy.yml with new version 2021-08-17 11:29:25 +00:00
dev-sec CI
df134e6385 update changelog 2021-08-15 20:55:27 +00:00
schurzi
d7eb00f4b7
Merge pull request #475 from dev-sec/ansible_lint
use Ansible lint in separate task
2021-08-15 22:53:41 +02:00
rndmh3ro
7b37e9890e rename ansible-lint task
Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-08-15 20:16:56 +02:00
rndmh3ro
cf17f80374 skip linting on special task
Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-08-15 20:16:56 +02:00
rndmh3ro
6fa7f7a0c8 add new linting action to replace molecules linting
molecule lints multiple times per action

Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-08-15 20:16:56 +02:00
rndmh3ro
6c80de270b remove molecule linting, because it has its own action now
Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-08-15 20:16:56 +02:00
dev-sec CI
e20dd076d1 update changelog 2021-08-15 18:04:40 +00:00
Shawn Wilsher
9ab06a5e06
[mysql_hardening] Allow setting the mysql_distribution (#473)
* [mysql_hardening] Allow setting the mysql_distribution

On some operating systems, the package for MySQL is not `mysql-server`,
and so the default check for this will not yield the correct result.
This change adds an escape hatch by letting the user set
`mysql_distribution`.  Additionally, it verifies that it is set to a
legal value if the user has set it.

Closes #472

Signed-off-by: Shawn Wilsher <656602+sdwilsh@users.noreply.github.com>

* Update roles/mysql_hardening/tasks/main.yml

Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
2021-08-15 20:03:07 +02:00
dev-sec CI
bfd3f96355 update changelog 2021-08-06 11:42:51 +00:00
Filippo Tessarotto
3a73f6c46a
SSH Hardening: backtick typo (#471) 2021-08-06 13:41:05 +02:00
dev-sec CI
4162929d2e update changelog 2021-08-06 11:10:37 +00:00
Sebastian Gumprich
545fd8798f
Create LICENSE 2021-08-06 13:08:55 +02:00
dev-sec CI
3bd5eccec0 update changelog 2021-07-23 10:06:49 +00:00
schurzi
430e6c366f
Merge pull request #469 from dev-sec/rndmh3ro-patch-1
fix license in galaxy
2021-07-23 12:04:59 +02:00
schurzi
b24ee631cb
fix double space 2021-07-23 12:04:45 +02:00
Sebastian Gumprich
681047ba52
fix readme in galaxy 2021-07-23 11:06:22 +02:00
dev-sec CI
96685ff0ac update galaxy.yml with new version 2021-07-22 14:41:26 +00:00
dev-sec CI
93ed95fe90 update changelog 2021-07-22 14:34:58 +00:00
Paweł Krawczyk
66bd1f0aec
Add CVE-2021-33909 mitigations (#466)
* Add CVE-2021-33909 mitigations

kernel.unprivileged_bpf_disabled: 1
kernel.unprivileged_userns_clone: 0

The first one is also used by Tails.

Signed-off-by: Paweł Krawczyk <616047+kravietz@users.noreply.github.com>

* Clean up whitespaces

Signed-off-by: Paweł Krawczyk <616047+kravietz@users.noreply.github.com>
2021-07-22 16:32:41 +02:00
dev-sec CI
327b1a84c8 update changelog 2021-07-22 08:20:09 +00:00
Maik Stübner
714a34fa55
Allow configuration of password remember in pam (#467)
* Add Configuration of password remember
and set default to 60

see Telekom 2021.07-01 SoC 3.01 Req 25 and SoC 3.65 Req46

Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>

* set default for password remember back to 5

Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>

* readme default for password remember back to 5

Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>
2021-07-22 10:18:01 +02:00
dev-sec CI
488441a7dc update changelog 2021-07-16 07:43:08 +00:00