* add role argument spec for os, ssh, mysql
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add role argument spec for os, ssh, mysql
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove variable in variable as it cannot be used in argument spec
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* fix wrong syntax
* fix spelling errors
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* cannot use vars before arg-spec validation
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* yamllint the arg-spec
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add back variable
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove redundant setting in tests
* fix descriptions in mysql hardening to betterreflect what they do
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove duplicate empty line
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* set correct defaults on to ssl options
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove left-over hidepid argument spec
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove license and author infos, this lives in the collection readme
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* fix styling
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* update some descriptions and sort them in the readme
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* some more linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
---------
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Replace ssh_keys group in Fedora with root
In Fedora 38, the `ssh_keys` group was removed. root is used now, in accordance to upstream.
See: https://www.spinics.net/lists/fedora-devel/msg307707.html
See: https://src.fedoraproject.org/rpms/openssh/pull-request/37#
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* change host key mode and owner in fedora and rhel9
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add missing host mode for rhel7
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* harden all ssh host keys
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* skip linting rule
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* correct grp for bsd is wheel
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
---------
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add testing for OpenBSD and FreeBSD
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* make python work
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove jinja template ...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* make verify work
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct verify
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct verify
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct verify
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct verify
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use right vm name for connect
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add a bit of documentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove sudo
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add weird OpenSBD workaround
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* make verify playbook more consistent
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* rename nonlinux to BSD
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use openbsd7 for testing
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct use openbsd7 everywhere
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add waivers
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* update waiver descriptions
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use docker for inspec
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* keep looking right ;)
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct path to waivers
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use ephemeral directory in docker
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use bsd inspec profile
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove openbsd workaround
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* re-add openbsd workaround
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* commit suggestions
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add supportet OS to metadata
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use current python
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* rewrite system account detection and hardening
* resolve failures created when resolving merge conflicts
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add tests for shell removal tasks
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Update molecule/os_hardening/prepare.yml
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* split tasks for locking and setting shell
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix some more linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
Co-authored-by: donestefan <donestefan@users.noreply.github.com>
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
* linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* more linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* change line length issues
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* replace yes with true in tasks
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* use manual line-wrapping because ansible-lint does not support it correctly.
see https://github.com/ansible/ansible-lint/issues/2522
* use manual line-wrapping because ansible-lint does not support it correctly.
see https://github.com/ansible/ansible-lint/issues/2522
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* use manual line-wrapping because ansible-lint does not support it correctly.
see https://github.com/ansible/ansible-lint/issues/2522
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add exception for task
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove trailing whitespace
* add back deleted params
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add back deleted params
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add back tasks
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Allow ssh_allow_tcp_forwarding to be a boolean
Signed-off-by: Cristian Baldi <cristian.baldi@scrive.com>
* Update documentation related to ssh_allow_tcp_forwarding
Signed-off-by: Cristian Baldi <cristian.baldi@scrive.com>
Signed-off-by: Cristian Baldi <cristian.baldi@scrive.com>
This role fails with `The task includes an option with an undefined variable` on OpenBSD because `distributiuon_major_version` is not set on OpenBSD.
We should either default to "" if the variable is not set, or remove `vars/OpenBSD.yml`. I would prefer the former :)
Signed-off-by: Dennis Eriksen <d@ennis.no>
Signed-off-by: Dennis Eriksen <d@ennis.no>
* add VM tests for ssh_hardening
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove VM tests from ssh_hardening
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* run ssh_hardening test as unprivileged user
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add link for documentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use different config
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove become
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* re-add become
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move become into role
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* indentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* try args apply
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix linting
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add documentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix filter error in ansible.builtin.file mode parameter
* Change cinc supermarket
* fix link to baseline
* fix typo
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* use os_family instead of distribution for debian systems
Signed-off-by: rndmh3ro <github@gumpri.ch>
* remove tasks related to rhel6 or debian 6
Signed-off-by: rndmh3ro <github@gumpri.ch>
* add rocky linux 8 tests and make sure that all relevant tasks are executed
Signed-off-by: rndmh3ro <github@gumpri.ch>
* fix missing quote
Signed-off-by: rndmh3ro <github@gumpri.ch>
when our collection is used with tags, the os dependent variables are
not resolved. This task should run every time, so the behaviour is
correct.
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* ssh: Client HostKeyAlgorithms configuration variable
Introduce a new variable ssh_client_host_key_algorithms to be able to configure
it for the client like for the server.
This fixes#441
Signed-off-by: Paul Seidler <705535+sepek@users.noreply.github.com>
* sshd: Adapt the ssh_host_key_algorithms description
Linking to the latest version may lead to a broken config so be a bit more
dynamic
Signed-off-by: Paul Seidler <705535+sepek@users.noreply.github.com>
Ansible does not work with FQCN and collections sepcified for including
roles. It is currently expecting to only get the role name in this
context.
Verified with Ansible 2.10.5
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
