Commit graph

1903 commits

Author SHA1 Message Date
lbayerlein
1a97c6cf87
new feature tmout in a new pr (#516)
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

Co-authored-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
2021-12-16 11:39:24 +01:00
dev-sec CI
73d319cc79 update changelog 2021-12-10 21:12:13 +00:00
Sebastian Gumprich
8f22ce788c
Feature coredump (#513)
* restructure limits-tasks

* disable coredumps in tests

* use notify-task for systemd-reload

Signed-off-by: rndmh3ro <github@gumpri.ch>

* add notify to another task

Signed-off-by: rndmh3ro <github@gumpri.ch>

* rm obsolete task and rename handler

Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-12-10 22:10:14 +01:00
dev-sec CI
945d00fd91 update changelog 2021-12-08 13:27:41 +00:00
lbayerlein
bb8e3e375e
add feature to disable coredump to limit task (#511)
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

Co-authored-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
2021-12-08 14:25:49 +01:00
dev-sec CI
db78f612f5 update changelog 2021-11-30 09:24:20 +00:00
schurzi
82be5db515
Merge pull request #510 from alegrey91/master
change hidepid mount task state to mounted
2021-11-30 10:22:24 +01:00
alegrey91
8805d9c14a fix: change hidepid mount task state to mounted 2021-11-29 22:37:21 +01:00
dev-sec CI
ed17a6370a update changelog 2021-11-29 09:27:29 +00:00
schurzi
ad43f908df
prettify nginx options (#509)
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-11-29 10:25:43 +01:00
dev-sec CI
530069ae88 update changelog 2021-11-28 10:40:22 +00:00
schurzi
cb3574ed56
Merge pull request #501 from ksaadDE/patch-3
Updated dh_params to 4096
2021-11-28 11:38:39 +01:00
dev-sec CI
e95729b431 update changelog 2021-11-26 10:34:51 +00:00
duffn
1d25d4185c
Update nginx_add_header README to match default (#506)
Signed-off-by: Nicholas Duffy <3457341+duffn@users.noreply.github.com>
2021-11-26 11:31:47 +01:00
tekicat
88893a5d4a
Fix duplicate sysctl config (#505)
Signed-off-by: tekicat <tekicat@amibee.com>
Signed-off-by: gk <ganesh.jayachandran@revolut.com>
Signed-off-by: Tekicat <tekicat@amibee.com>
2021-11-26 11:30:50 +01:00
dev-sec CI
b67a28bd09 update galaxy.yml with new version 2021-11-23 10:49:03 +00:00
rndmh3ro
88ea2966db fix tags in galaxy.yml - no dashes allowed
Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-11-23 08:20:06 +01:00
dev-sec CI
dfa065dcff update changelog 2021-11-23 07:08:47 +00:00
rndmh3ro
cb0e00f433 fix tags in galaxy.yml - no dashes allowed
Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-11-23 08:06:45 +01:00
dev-sec CI
3bd20265d4 update changelog 2021-11-23 06:46:04 +00:00
Karim
f84ff572ac
Updated dh_params to 4096
Updated dh_params to 4096
2021-11-15 19:02:59 +00:00
dev-sec CI
8a385b8114 update changelog 2021-11-15 18:43:49 +00:00
schurzi
b0393a12ce
Merge pull request #470 from ksaadDE/patch-2
Add TLSv1.3 to nginx default configuration
2021-11-15 19:41:49 +01:00
Karim
96d6b47912 Update main.yml
TLSv1.3 should be supported (+security) and soon as possible should be TLSv1.2 EOL.
2021-11-15 19:23:47 +01:00
dev-sec CI
0c840372d8 update changelog 2021-11-07 21:30:06 +00:00
schurzi
ff939a2b4c
Merge pull request #499 from darxriggs/improvement-arch-linux
Improve testing: install packages on Arch Linux
2021-11-07 22:21:58 +01:00
René Scheibe
0609cf729a Improve installing packages on Arch Linux
This prevents annoying task errors (even though they are ignored)
when testing on non-Arch distributions.

Running the "prepare" command, this was always visible:
> fatal: [instance]: FAILED! => {"changed": false, "msg": "Failed to find required executable \"pacman\" in paths: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"}

Signed-off-by: René Scheibe <rene.scheibe@gmail.com>
2021-11-07 13:53:03 +01:00
dev-sec CI
c9c6819892 update changelog 2021-11-07 10:58:40 +00:00
René Scheibe
bbe4ce16a1
Add whitelist option for yum repository files (#487)
Files in this whitelist should not be altered.

Currently this is only relevant for enforcing the gpg check.

Signed-off-by: René Scheibe <rene.scheibe@gmail.com>
2021-11-07 11:56:59 +01:00
dev-sec CI
4eb847c90e update changelog 2021-10-28 08:33:53 +00:00
lbayerlein
1bf31a197b
disable ctrl-alt-del key combination (#496)
* new function to disable ctrl-alt-del to avoid reboot virtual machines f.e.

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* fix variable documentation for ctrlaltdel

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* added ctrlaltdel variable for molecule

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* optimize ctrlaltdel function with a 'when' query. thanks to rndmh3ro

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* fix typo in new file

Co-authored-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
2021-10-28 10:31:58 +02:00
dev-sec CI
1605f304ec update changelog 2021-10-25 09:14:17 +00:00
schurzi
12c1f3dd78
Merge pull request #491 from dev-sec/recreate_tests
revive old tests with custom ssh settings
2021-10-25 11:12:10 +02:00
rndmh3ro
7f17f9b8b2 remove unused verify file
Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-10-25 11:04:47 +02:00
Sebastian Gumprich
f09b2b6338
fix molecule call 2021-10-25 10:26:56 +02:00
dev-sec CI
2e5e1de407 update changelog 2021-10-24 10:41:11 +00:00
schurzi
c1974282b1
add old role names to tags in Galaxy (#495)
We deprecated our roles in Ansible Galaxy. The deprecation link contains
a search keyword with the role name and our new collection should be
found, if someone clicks this link.

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-10-24 12:39:16 +02:00
dev-sec CI
09958ccb91 update changelog 2021-10-24 09:30:03 +00:00
schurzi
08b0fd14f4
Merge pull request #494 from dev-sec/sysctl-34
implement sysctl-34 - link protection settings
2021-10-24 11:21:14 +02:00
schurzi
ff37289879
Merge pull request #493 from dev-sec/rndmh3ro-patch-1
update minimum ansible version for roles
2021-10-24 11:09:37 +02:00
Sebastian Gumprich
9f372c285c
Update roles/os_hardening/defaults/main.yml
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
2021-10-24 10:59:49 +02:00
dev-sec CI
aaf6d307b8 update galaxy.yml with new version 2021-10-22 10:51:29 +00:00
dev-sec CI
3cd532fe41 update changelog 2021-10-21 07:53:07 +00:00
Claudius Heine
384c097f8a
feat(os_hardening): extend file permission tasks to cover more files (#489)
The tasks `Change shadow ownership to root and mode to 0600` and `Change
passwd ownership to root and mode to 0644` only handle
`/etc/shadow` and `/etc/passwd` respectively. But there are multiple
adjacent files that should be handled with these rules as well:

- `/etc/gshadow`
- `/etc/shadow-`
- `/etc/gshadow-`
- `/etc/group`
- `/etc/shadow-`
- `/etc/group-`

This change adds those files to the rules, so that permissions are
handled in the same way.

Closes: #488

Signed-off-by: Claudius Heine <ch@denx.de>
2021-10-21 09:51:20 +02:00
rndmh3ro
346b064682 implement sysctl-34 - link protection settings
Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-10-20 20:59:49 +02:00
Sebastian Gumprich
be0d501bc8 update minimum ansible version for roles
fixes #407

Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-10-20 20:42:05 +02:00
rndmh3ro
12aaa7d955 add new files to labeler config
Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-10-20 15:32:45 +02:00
rndmh3ro
f32b2c2c5e fix match address test 2021-10-20 15:18:01 +02:00
rndmh3ro
3877a9bab1 fix comment
Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-10-18 22:00:01 +02:00
rndmh3ro
cb7f447d9f fix comment
Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-10-18 21:55:01 +02:00