Commit graph

138 commits

Author SHA1 Message Date
Martin Schurz
ebab98930c try docker for inspec-auditor
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-10 22:58:28 +02:00
Martin Schurz
dd5ad568b3 fix deprecation warnings
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-10 20:36:03 +02:00
Martin Schurz
7b69c4bd47 add collection link
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-10 11:21:12 +02:00
Martin Schurz
e4ecfe2084 add collection to verify
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-10 11:03:33 +02:00
schurzi
29f8a2fb78
add testing for OpenBSD and FreeBSD (#642)
* add testing for OpenBSD and FreeBSD

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* make python work

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* remove jinja template ...

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* make verify work

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* correct verify

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* correct verify

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* correct verify

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* correct verify

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use right vm name for connect

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add a bit of documentation

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* remove sudo

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add weird OpenSBD workaround

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* make verify playbook more consistent

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* rename nonlinux to BSD

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use openbsd7 for testing

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* correct use openbsd7 everywhere

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add waivers

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* update waiver descriptions

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use docker for inspec

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* keep looking right ;)

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* correct path to waivers

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use ephemeral directory in docker

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use bsd inspec profile

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* remove openbsd workaround

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* re-add openbsd workaround

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* commit suggestions

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add supportet OS to metadata

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use current python

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

---------

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-03-31 09:50:04 +02:00
renovate[bot]
32cc9665dd
Update dependency geerlingguy.git to v3.0.1
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2023-03-31 07:15:43 +00:00
schurzi
5ed3f399f2
add check mode to molecule tests (#644)
* add check mode to molecule tests

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* bail on undefined variables

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* bail on undefined variables

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* execute tasks in check mode

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* fix error in check mode on SuSE

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use when condition on task

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

---------

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-03-09 09:37:59 +01:00
schurzi
6e5621cdc9
simplify MySQL queries for user deletion (#641)
* use rowcount to determine mysql results

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use correct list level

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* remove json_query

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* remove intermediate vars

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add check for count

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* drop condition, since one result must exist

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* move rowcount in condition

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* do loop in ansible to report each deleted user

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add idempotency check

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* additional tests to verify user deletion

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* actually iterate the whole user list when deleting

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* fix tests for SuSE

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* adopt suggestions

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

---------

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-03-01 14:19:50 +01:00
Sebastian Gumprich
988e5322cd
Fix molecule tests for EL7 (#636)
* Fix molecule tests for EL7

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* Apply suggestions from code review

Co-authored-by: schurzi <Martin.Schurz@t-systems.com>

* try to fix tests in centos 7

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* try to fix tests in centos 7

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

---------

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: dev-sec CI <hello@dev-sec.io>
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
2023-02-14 11:15:21 +01:00
schurzi
9b32aca0ca
run our CI tests periodically (#634)
* allow multiple instances for os vm tests

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add scheduled trigger to all test actions

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use different scenario names

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use different scenario names

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use different scenario names

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use username to create uniqe vms

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use compatible name

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add explaination

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

---------

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-02-07 09:27:46 +01:00
Sebastian Gumprich
c2e9c9a8dd
try to fix molecule local tests (#632)
these settings are probably not necessary (geerlingguys images dont have them either)

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-02-06 14:01:40 +01:00
Norman Ziegner
c594a1fe6a
os_hardening: Add test for setting password warning days via variable os_auth_pw_warn_age
Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>
2023-02-03 14:47:27 +01:00
DonEstefan
16e00b02db
rewrite user home dir hardening (#584)
* rewrite user home dir hardening

* delete duplicate var that was missed in a merge conflict

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* linting

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add tests for home rewrites

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* Apply suggestions from code review

Co-authored-by: schurzi <github@drachen-server.de>

---------

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: donestefan <donestefan@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: schurzi <github@drachen-server.de>
2023-01-28 21:59:19 +01:00
Sebastian Gumprich
89138be4ec
Rewrite system account detection and hardening and create tests (#621)
* rewrite system account detection and hardening

* resolve failures created when resolving merge conflicts

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add tests for shell removal tasks

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* Update molecule/os_hardening/prepare.yml

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* split tasks for locking and setting shell

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* fix some more linting

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
Co-authored-by: donestefan <donestefan@users.noreply.github.com>
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
2023-01-27 11:01:03 +01:00
Sebastian Gumprich
281d706660 add waiver to not test mounts
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-01-24 13:03:04 +01:00
Sebastian Gumprich
d386bf36d2 Revert "manage tmp dir in tests"
This reverts commit 966f2fe137.
2023-01-24 12:53:39 +01:00
Sebastian Gumprich
966f2fe137 manage tmp dir in tests
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-01-24 12:36:09 +01:00
Sebastian Gumprich
fa2e90c6f2 mount cgroup rw, as suse seems to need it
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-01-23 15:59:06 +01:00
Sebastian Gumprich
ed1cb1c2a7 add cgroupns: host mode to molecule
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-01-23 15:59:06 +01:00
Sebastian Gumprich
a0d11faa8a Fixed problems with running molecule locally with cgroup v2
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-01-23 15:59:06 +01:00
DonEstefan
674be6dc6f
apply password age settings to exisiting regular users (#582)
* apply password age settings to regular users

* add tests for password ageing

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add debugging vars

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add tests for password ageing

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add tests for password ageing

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* Apply suggestions from code review

Co-authored-by: schurzi <github@drachen-server.de>

* add additional condtion for regular users

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: DonEstefan <donestefan@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: schurzi <github@drachen-server.de>
2023-01-23 10:50:05 +01:00
Sebastian Gumprich
142782bad6 add diff to molecule
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-01-19 13:46:16 +01:00
Sebastian Gumprich
be0642bcfb
add verify-task to check if mysql is running and enabled (#608)
* add verify-task to check if mysql is running and enabled

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* Update molecule/mysql_hardening/verify_tasks/service.yml

Co-authored-by: schurzi <Martin.Schurz@t-systems.com>

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
2022-12-07 08:49:07 +01:00
Sebastian Gumprich
e66c2eb6bb
Add OpenSUSE support (#605)
* Add variables for mariadb on opensuse

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* enable pipeline

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* add a note about the reuirement of the jmespath library.

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* Use python3 on opensuse

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* fix my yml.

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* use right ansible variable

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* Suse requires python-rpm

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* try zypper

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* python-xml

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* another try at fixing the install

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* fix my yml

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* another try

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* another try

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* another try now with rpm.

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* fix my yml...

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* typo

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* do the test for Suse on the shell and not in ansible

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* specify to use bash

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* specify to use bash

* try the removes keyword of builtin.shell

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* fix ansible syntax

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* fix zypper syntax

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* ensure pymysql is present

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* set ansible python interpreter in converge-step, too

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* move install task to prepare

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>
2022-11-29 15:09:27 +01:00
Sebastian Gumprich
e2b963d711 change baselines back to master
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-10-25 18:59:11 +02:00
Sebastian Gumprich
414efd6125 use correct centos stream images, try to fix prepare step for debian tests
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-10-25 18:59:11 +02:00
Sebastian Gumprich
87a461fc57 use forked mysql-baseline
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-10-25 18:59:11 +02:00
Sebastian Gumprich
9d75e3b00e test crypto changes from ssh-baseline
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-10-24 10:03:07 +02:00
schurzi
c1cd6c5ac3
change default to allow SFTP (#564)
* change default to allow SFTP

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add documentation

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* diasble sftp for default tests

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* extend documentation

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* fix typo

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* correct ssh version

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-08-22 10:03:37 +02:00
PhilippFunk
fd3fc1cfba
add option to bypass .netrc check function (#563)
add option to whitelist specific user that need a .netrc file in there home dirs
add test for .netrc files if option os_netrc_enabled is false

Signed-off-by: Philipp Funk <philipp.funk@t-systems.com>

Signed-off-by: Philipp Funk <philipp.funk@t-systems.com>
Co-authored-by: Philipp Funk <philipp.funk@t-systems.com>
2022-08-17 09:09:00 +02:00
Daya Adianto
eef8708918
Add full support for Debian 11 (#538)
* Include Debian 11 into Molecule test suites (#527)

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>

* Fix Ansible Lint GitHub Action version (#527)

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>

* Update .gitignore

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>

* mysql_hardening: Use Python 3 as Ansible interpreter (#527)

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>

* Note Debian 11 support for os_hardening & nginx_hardening (#527)

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>

* Fix lint issues & Ansible Lint configuration in CI

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>

* Try to fix YAML lint issues, again

Re-ordered YAML comments at the end of `.yamllint` file.

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>

* rm debian9 from tests, add debian 11 where missing

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* fix mysql molecule tests

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-08-16 15:02:27 +02:00
schurzi
a806ec8598
add posibility to run ssh_hardening as unprivileged user (#561)
* add VM tests for ssh_hardening

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* remove VM tests from ssh_hardening

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* run ssh_hardening test as unprivileged user

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add link for documentation

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use different config

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* remove become

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* re-add become

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* move become into role

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* indentation

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* try args apply

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* fix linting

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add documentation

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-08-15 13:19:07 +02:00
Martin Schurz
27d091e871 reduce testing on vm
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-11 16:08:35 +02:00
Martin Schurz
c81ce23ed7 disable ctrl+alt+del for vm tests
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-11 13:04:14 +02:00
Martin Schurz
72cb97c8d5 remove waivers file from docker test config
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-11 12:36:48 +02:00
Martin Schurz
edda7075a2 add badge for tests
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-11 12:17:34 +02:00
Martin Schurz
1825eba27a exclude opensuse
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-10 21:08:50 +02:00
Martin Schurz
fa7f8597d9 fix bug in check for /boot
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-10 13:36:19 +02:00
Martin Schurz
b6b2d45f09 speedup ansible
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-09 15:43:59 +02:00
Martin Schurz
9cfe1f2b9a also harden /boot
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-09 15:43:11 +02:00
Martin Schurz
e49eacd8ec icrease ressources for test vm
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-09 10:42:20 +02:00
Martin Schurz
7535abd882 remove waiver
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-09 02:22:35 +02:00
Martin Schurz
400e576984 use correct parameter
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-09 01:47:59 +02:00
Martin Schurz
e742330a41 add testing of os_hardning on vm
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-09 00:52:58 +02:00
Martin Schurz
21df60a71f fix includes
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-08 17:24:07 +02:00
Sebastian Gumprich
bf372f8493 rename tasks file and remove redundant 'verify'
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-07-08 16:04:24 +02:00
Sebastian Gumprich
ef89d52f98 remove duplicate file
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-07-07 16:22:10 +02:00
Sebastian Gumprich
9b50392d8a fix linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-07-07 16:12:06 +02:00
Sebastian Gumprich
215c50709b tempt 2022-07-07 15:34:28 +02:00
Sebastian Gumprich
af14af5954
add waivers to skip controls (#529)
Signed-off-by: rndmh3ro <github@gumpri.ch>
2022-02-21 13:58:39 +01:00
Sebastian Gumprich
8f22ce788c
Feature coredump (#513)
* restructure limits-tasks

* disable coredumps in tests

* use notify-task for systemd-reload

Signed-off-by: rndmh3ro <github@gumpri.ch>

* add notify to another task

Signed-off-by: rndmh3ro <github@gumpri.ch>

* rm obsolete task and rename handler

Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-12-10 22:10:14 +01:00
René Scheibe
0609cf729a Improve installing packages on Arch Linux
This prevents annoying task errors (even though they are ignored)
when testing on non-Arch distributions.

Running the "prepare" command, this was always visible:
> fatal: [instance]: FAILED! => {"changed": false, "msg": "Failed to find required executable \"pacman\" in paths: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"}

Signed-off-by: René Scheibe <rene.scheibe@gmail.com>
2021-11-07 13:53:03 +01:00
René Scheibe
bbe4ce16a1
Add whitelist option for yum repository files (#487)
Files in this whitelist should not be altered.

Currently this is only relevant for enforcing the gpg check.

Signed-off-by: René Scheibe <rene.scheibe@gmail.com>
2021-11-07 11:56:59 +01:00
lbayerlein
1bf31a197b
disable ctrl-alt-del key combination (#496)
* new function to disable ctrl-alt-del to avooid reboot virtual machines f.e.

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* fix variable documentation for ctrlaltdel

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* added ctrlaltdel variable for molecule

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* optimize ctrlaltdel function with a 'when' query. thanks to rndmh3ro

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* fix typo in new file

Co-authored-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
2021-10-28 10:31:58 +02:00
schurzi
12c1f3dd78
Merge pull request #491 from dev-sec/recreate_tests
revive old tests with custom ssh settings
2021-10-25 11:12:10 +02:00
rndmh3ro
7f17f9b8b2 remove unused verify file
Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-10-25 11:04:47 +02:00
rndmh3ro
f32b2c2c5e fix match address test 2021-10-20 15:18:01 +02:00
rndmh3ro
3877a9bab1 fix comment
Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-10-18 22:00:01 +02:00
rndmh3ro
cb7f447d9f fix comment
Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-10-18 21:55:01 +02:00
rndmh3ro
55c83ac92d use second molecule scenario for custom ssh tests
Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-10-18 21:49:24 +02:00
rndmh3ro
bbc827e4a1 use second molecule scenario for custom ssh tests
Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-10-18 21:33:45 +02:00
rndmh3ro
940819ab84 revive old tests with custom ssh settings
Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-10-18 21:01:02 +02:00
Sina Tak Tehrani
5debcc0c6f
fix filter error in ansible.builtin.file mode parameter (#486)
* fix filter error in ansible.builtin.file mode parameter

* Change cinc supermarket

* fix link to baseline

* fix typo

Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
2021-10-18 20:55:24 +02:00
rndmh3ro
92bd94a0cf change baseline urls to full zip-url
the other urls that use git don't work anymore

Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-10-18 20:28:19 +02:00
rndmh3ro
6c80de270b remove molecule linting, because it has own action now
Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-08-15 20:16:56 +02:00
Sebastian Gumprich
41cd8485cb
enable ipv6 globally (#450)
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-05-26 20:13:45 +02:00
Sebastian Gumprich
8c89d78f44 move jmespath installation into github workflow
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-04-01 21:16:04 +02:00
Sebastian Gumprich
5ed100b7ea try to install jmespath on github host
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-04-01 21:16:04 +02:00
Sebastian Gumprich
e1f0efb220 move mysql install to prepare step to create a password-less user
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-04-01 21:16:04 +02:00
Sebastian Gumprich
73cdd973d7 remove custom tests as we have inspec tests
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-04-01 21:16:04 +02:00
Sebastian Gumprich
c3b954a2ab add new tasks to delete users without passwords
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-04-01 21:16:04 +02:00
Sebastian Gumprich
2fb54bd224 remove secure-auth param if mysql => 8.0.3
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

install collection in molecule

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

remove deprecated ubuntu 16.04 from tests

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-04-01 13:20:58 +02:00
schurzi
2882a15ee1
Merge pull request #427 from dev-sec/snoopotic-fix/add_auditd_restart_handler
add restart-auditd handler after configuration change
2021-03-29 21:15:46 +02:00
Sebastian Gumprich
458dfa2b6a use cinc exec supermarket instead of github
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-03-29 16:16:03 +02:00
Sebastian Gumprich
6c805f6ca9 add support for using a proxy to test with molecule
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-03-19 15:52:19 +01:00
Sebastian Gumprich
8cb6732882 add support for using a proxy to test with molecule
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-03-19 15:45:06 +01:00
Martin Schurz
ec9d7d2cb8 cleanup and typos
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-03-15 23:39:12 +01:00
Martin Schurz
75fc31b80c remove cracklib
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-22 19:10:45 +01:00
Martin Schurz
10841ced62 case sensitive
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-22 18:29:55 +01:00
Martin Schurz
335df545fb correct version
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-22 18:15:33 +01:00
Martin Schurz
6d2c92d4ab correct locale
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-22 18:14:59 +01:00
Martin Schurz
3334000b97 set locale for test
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-22 17:45:46 +01:00
Martin Schurz
26d84b5f84 use custom /tmp dir
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-22 16:46:41 +01:00
Martin Schurz
9b6f313065 move pam tests up
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-22 15:54:03 +01:00
Martin Schurz
23071a183c add testcases for PAM
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-22 15:42:13 +01:00
schurzi
a75e2c028b
change inclusion of os specific defaults (#353)
* change inclusion of os specific defaults

we now include the os specific options into a separate variable and
merge this with the default ansible namespace, when the corresponding
keys do not already exist (eg. are defined by default oder by user)

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* simplify check for os specific variables

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add test for variable override

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* move tests to verify stage

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* correct grep

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* linting

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* fix typo

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* Revert "Merge pull request #351 from sprat/fix-umask"

This reverts commit 9e8e0bc8fb, reversing
changes made to 98c7553016.

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* move immutable ssh vars to internal vars

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* move vars to OS files

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* change default handling for all roles

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* fix issues

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add documentation

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* Update main.yml

Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
2020-12-20 20:46:57 +01:00
Sebastian Gumprich
98c7553016 remove trailing blank lines
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2020-12-15 20:09:29 +01:00
Sebastian Gumprich
ac3c12d264 move to collections 2020-11-07 21:19:43 +01:00