* Add CVE-2021-33909 mitigations
kernel.unprivileged_bpf_disabled: 1
kernel.unprivileged_userns_clone: 0
The first one is also used by Tails.
Signed-off-by: Paweł Krawczyk <616047+kravietz@users.noreply.github.com>
* Clean up whitespaces
Signed-off-by: Paweł Krawczyk <616047+kravietz@users.noreply.github.com>
* Add Configuration of password remember
and set default to 60
see Telekom 2021.07-01 SoC 3.01 Req 25 and SoC 3.65 Req46
Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>
* set default for password remember back to 5
Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>
* readme default for password remember back to 5
Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>
* add SUB_UID_MIN/MAX/COUNT, SUB_GID_MIN/MAX/COUNT
Similar reason as #461
> If /etc/subuid exists, the commands useradd and newusers (unless the user already have subordinate user IDs)
> allocate SUB_UID_COUNT unused user IDs from the range SUB_UID_MIN to SUB_UID_MAX for each new user.
> The default values for SUB_UID_MIN, SUB_UID_MAX, SUB_UID_COUNT are respectively 100000, 600100000 and 65536.
Signed-off-by: Leo Gallucci <elgalu3@gmail.com>
* document SUB_UID_MIN/MAX/COUNT, etc
Signed-off-by: Leo Gallucci <elgalu3@gmail.com>
* use os_family instead of distribution for debian systems
Signed-off-by: rndmh3ro <github@gumpri.ch>
* remove tasks related to rhel6 or debian 6
Signed-off-by: rndmh3ro <github@gumpri.ch>
* add rocky linux 8 tests and make sure that all relevant tasks are executed
Signed-off-by: rndmh3ro <github@gumpri.ch>
* fix missing quote
Signed-off-by: rndmh3ro <github@gumpri.ch>
when our collection is used with tags, the os dependent variables are
not resolved. This task should run every time, so the behaviour is
correct.
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
When `import_tasks` is used, the task `Fetch OS dependent variables`
always runs, even when excluded by an upstream tag.
When `Fetch OS dependent variables` runs while excluded via tags, it
will always fail with the following.
```
fatal: [alpha]: FAILED! => {"msg": "No file was found when using first_found. Use errors='ignore' to allow this task to be skipped if no files are found"}
```
This brings os_hardening's main.yml in line with ssh_hardening's
main.yml, which doesn't have this issue.
Signed-off-by: Colin Adler <colin@coder.com>
* galaxy.yml: Adds dependency on ansible.posix (Fixes: #414)
This is required by the OS hardening role, which uses the mount module.
* add community.general dependency
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* added version check for MariaDB in Query
MariaDB Uses the authentication_string field since 10.4.0, added this in version check in query for users to delete
Signed-off-by: Martin Neubert <martin.neubert@t-systems.com>
* Update roles/mysql_hardening/tasks/mysql_secure_installation.yml
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* Update roles/mysql_hardening/tasks/mysql_secure_installation.yml
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* ssh: Client HostKeyAlgorithms configuration variable
Introduce a new variable ssh_client_host_key_algorithms to be able to configure
it for the client like for the server.
This fixes#441
Signed-off-by: Paul Seidler <705535+sepek@users.noreply.github.com>
* sshd: Adapt the ssh_host_key_algorithms description
Linking to the latest version may lead to a broken config so be a bit more
dynamic
Signed-off-by: Paul Seidler <705535+sepek@users.noreply.github.com>
