* add testing for OpenBSD and FreeBSD
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* make python work
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove jinja template ...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* make verify work
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct verify
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct verify
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct verify
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct verify
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use right vm name for connect
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add a bit of documentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove sudo
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add weird OpenSBD workaround
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* make verify playbook more consistent
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* rename nonlinux to BSD
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use openbsd7 for testing
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct use openbsd7 everywhere
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add waivers
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* update waiver descriptions
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use docker for inspec
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* keep looking right ;)
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct path to waivers
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use ephemeral directory in docker
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use bsd inspec profile
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove openbsd workaround
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* re-add openbsd workaround
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* commit suggestions
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add supportet OS to metadata
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use current python
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add check mode to molecule tests
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* bail on undefined variables
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* bail on undefined variables
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* execute tasks in check mode
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix error in check mode on SuSE
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use when condition on task
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use rowcount to determine mysql results
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use correct list level
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove json_query
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove intermediate vars
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add check for count
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* drop condition, since one result must exist
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move rowcount in condition
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* do loop in ansible to report each deleted user
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add idempotency check
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* additional tests to verify user deletion
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* actually iterate the whole user list when deleting
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix tests for SuSE
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* adopt suggestions
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* Fix molecule tests for EL7
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Apply suggestions from code review
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
* try to fix tests in centos 7
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* try to fix tests in centos 7
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
---------
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: dev-sec CI <hello@dev-sec.io>
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
* allow multiple instances for os vm tests
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add scheduled trigger to all test actions
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use different scenario names
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use different scenario names
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use different scenario names
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use username to create uniqe vms
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use compatible name
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add explaination
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
these settings are probably not necessary (geerlingguys images dont have them either)
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* rewrite user home dir hardening
* delete duplicate var that was missed in a merge conflict
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add tests for home rewrites
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Apply suggestions from code review
Co-authored-by: schurzi <github@drachen-server.de>
---------
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: donestefan <donestefan@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: schurzi <github@drachen-server.de>
* rewrite system account detection and hardening
* resolve failures created when resolving merge conflicts
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add tests for shell removal tasks
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Update molecule/os_hardening/prepare.yml
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* split tasks for locking and setting shell
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix some more linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
Co-authored-by: donestefan <donestefan@users.noreply.github.com>
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
* add verify-task to check if mysql is running and enabled
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Update molecule/mysql_hardening/verify_tasks/service.yml
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
add option to whitelist specific user that need a .netrc file in there home dirs
add test for .netrc files if option os_netrc_enabled is false
Signed-off-by: Philipp Funk <philipp.funk@t-systems.com>
Signed-off-by: Philipp Funk <philipp.funk@t-systems.com>
Co-authored-by: Philipp Funk <philipp.funk@t-systems.com>
* Include Debian 11 into Molecule test suites (#527)
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Fix Ansible Lint GitHub Action version (#527)
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Update .gitignore
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* mysql_hardening: Use Python 3 as Ansible interpreter (#527)
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Note Debian 11 support for os_hardening & nginx_hardening (#527)
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Fix lint issues & Ansible Lint configuration in CI
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Try to fix YAML lint issues, again
Re-ordered YAML comments at the end of `.yamllint` file.
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* rm debian9 from tests, add debian 11 where missing
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* fix mysql molecule tests
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add VM tests for ssh_hardening
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove VM tests from ssh_hardening
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* run ssh_hardening test as unprivileged user
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add link for documentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use different config
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove become
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* re-add become
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move become into role
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* indentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* try args apply
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix linting
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add documentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
This prevents annoying task errors (even though they are ignored)
when testing on non-Arch distributions.
Running the "prepare" command, this was always visible:
> fatal: [instance]: FAILED! => {"changed": false, "msg": "Failed to find required executable \"pacman\" in paths: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"}
Signed-off-by: René Scheibe <rene.scheibe@gmail.com>
Files in this whitelist should not be altered.
Currently this is only relevant for enforcing the gpg check.
Signed-off-by: René Scheibe <rene.scheibe@gmail.com>
* new function to disable ctrl-alt-del to avooid reboot virtual machines f.e.
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* fix variable documentation for ctrlaltdel
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* added ctrlaltdel variable for molecule
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* optimize ctrlaltdel function with a 'when' query. thanks to rndmh3ro
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* fix typo in new file
Co-authored-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* fix filter error in ansible.builtin.file mode parameter
* Change cinc supermarket
* fix link to baseline
* fix typo
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
install collection in molecule
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
remove deprecated ubuntu 16.04 from tests
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* change inclusion of os specific defaults
we now include the os specific options into a separate variable and
merge this with the default ansible namespace, when the corresponding
keys do not already exist (eg. are defined by default oder by user)
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* simplify check for os specific variables
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add test for variable override
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move tests to verify stage
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct grep
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* linting
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix typo
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* Revert "Merge pull request #351 from sprat/fix-umask"
This reverts commit 9e8e0bc8fb, reversing
changes made to 98c7553016.
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move immutable ssh vars to internal vars
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move vars to OS files
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* change default handling for all roles
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix issues
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add documentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* Update main.yml
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>