Commit graph

2206 commits

Author SHA1 Message Date
dev-sec CI
ca5484f96e update changelog 2023-08-07 12:34:12 +00:00
rndmh3ro
c1a0bcbe9d Prettified Code! 2023-08-07 12:31:26 +00:00
Sebastian Gumprich
f295397611
add role argument spec for os, ssh, mysql (#687)
* add role argument spec for os, ssh, mysql

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add role argument spec for os, ssh, mysql

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* remove variable in variable as it cannot be used in argument spec

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* fix wrong syntax

* fix spelling errors

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* cannot use vars before arg-spec validation

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* yamllint the arg-spec

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add back variable

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* remove redundant setting in tests

* fix descriptions in mysql hardening to better reflect what they do

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* remove duplicate empty line

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* set correct defaults on to ssl options

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* remove left-over hidepid argument spec

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* remove license and author infos, this lives in the collection readme

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* fix styling

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* update some descriptions and sort them in the readme

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* some more linting

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

---------

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-08-07 14:30:59 +02:00
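The argument spec that #687 introduces is ansible-core's `meta/argument_specs.yml`: it declares each role variable's type, allowed values and description, and ansible-core (2.11 and later) inserts a validate_argument_spec task at the start of the role that checks the caller's variables against it before any hardening task runs. The following is an added example of such a spec, not a file from the dev-sec collection; the variable names are hypothetical and only mimic the collection's `ssh_*` naming style, and the defaults shown must match whatever the real role's defaults/main.yml sets.

```yaml
# meta/argument_specs.yml (added example; hypothetical variable names)
---
argument_specs:
  main:
    short_description: Harden the OpenSSH server configuration
    description:
      - Checked by the validate_argument_spec task that ansible-core inserts
        at the start of the role, so a misspelled or mistyped variable fails
        fast instead of rendering a broken sshd_config.
    options:
      ssh_server_ports:
        type: list
        elements: str
        default: ['22']
        description: Ports sshd listens on, rendered as Port directives.
      ssh_permit_root_login:
        type: str
        default: 'no'
        choices: ['no', 'prohibit-password', 'forced-commands-only', 'yes']
        description: Value for PermitRootLogin; strings are quoted so YAML
          does not turn yes/no into booleans.
      ssh_max_auth_retries:
        type: int
        default: 2
        description: Value for MaxAuthTries.
      ssh_use_pam:
        type: bool
        default: true
        description: Whether UsePAM is enabled.
      ssh_client_alive_interval:
        type: int
        default: 300
        description: >-
          Value for ClientAliveInterval. Keep spec defaults literal: as the
          commit above notes, a default that references another variable
          cannot be used here, because the spec is validated before the
          role's own variables are available.
```

With this in place, a play that passes `ssh_max_auth_retries: two` or `ssh_permit_root_login: maybe` fails at the role's validate_argument_spec task with a type or choice error before any file on the host is touched, and `ansible-doc -t role` renders the same spec as the role's documentation.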
dev-sec CI
96ba9d1d8d update galaxy.yml with new version 2023-08-04 11:32:54 +00:00
dev-sec CI
3fb0831d7b update changelog 2023-08-04 11:06:58 +00:00
Sebastian Gumprich
ef5e8801e4
add debian 12 support (#684)
* add debian 12 support

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* temp disable pam-checks

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* remove debian12 from vagrant tests as there's no box yet

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* use new pam-tester from pip

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* use new pam-tester from pip

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add setuptools to pam-tester install

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add setuptools to pam-tester install

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add setuptools to pam-tester install

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add setuptools to pam-tester install

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* install pam-tester with python3 and use full path to it

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* install python3-setuptools in verify-tests

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* fix path for pam-tester in all tests

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* set python interpreter to 3 for verify-tests

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* Revert "set python interpreter to 3 for verify-tests"

This reverts commit 00b6556e33.

* add back accidentally deleted tasks

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

---------

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-08-04 12:59:40 +02:00
dev-sec CI
9950f9ba52 update changelog 2023-07-24 09:37:51 +00:00
Dennis Lerch
6bcdb253ec
auditd: add possibility to override config template (#685)
* make template overrideable

by referencing the auditd.conf.j2 template, a custom template can be provided to the role.

Signed-off-by: Dennis Lerch <dennis.lerch@mercedes-benz.com>

* extend auditd config

make freq and log_file configurable
implement write_logs with its default value in order to be able to disable log writing

Signed-off-by: Dennis Lerch <dennis.lerch@mercedes-benz.com>

* Extend README.md documentation by new variables

reorder `os_auditd_log_format` to keep sequence from defaults

Signed-off-by: Dennis Lerch <dennis.lerch@mercedes-benz.com>

---------

Signed-off-by: Dennis Lerch <dennis.lerch@mercedes-benz.com>
2023-07-24 11:34:47 +02:00
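The mechanism #685 describes, a role that renders auditd.conf from a template the caller can swap out, with `freq`, `log_file` and `write_logs` exposed as variables and `write_logs` defaulting to on, as an added example; these are not the collection's files. Only `os_auditd_log_format` appears in the commit; `os_auditd_conf_template`, `os_auditd_log_file`, `os_auditd_freq` and `os_auditd_write_logs` are assumed names following the same pattern, and the real task and handler names may differ. The template excerpt is shown as comments so the block stays valid multi-document YAML.

```yaml
# Added example (not the collection's files); assumed names are marked.
# --- roles/os_hardening/defaults/main.yml (excerpt) ---
os_auditd_conf_template: auditd.conf.j2   # assumed; names the role's own template
os_auditd_log_file: /var/log/audit/audit.log
os_auditd_log_format: ENRICHED
os_auditd_freq: 50
os_auditd_write_logs: true                # default keeps the local log; false disables it
---
# --- roles/os_hardening/tasks/auditd.yml (excerpt) ---
- name: Render auditd.conf from the configured template
  ansible.builtin.template:
    src: "{{ os_auditd_conf_template }}"   # a caller-supplied path replaces the role template
    dest: /etc/audit/auditd.conf
    owner: root
    group: root
    mode: '0640'
  notify: Restart auditd                   # assumed handler name
---
# --- roles/os_hardening/templates/auditd.conf.j2 (excerpt, as comments) ---
# log_file = {{ os_auditd_log_file }}
# log_format = {{ os_auditd_log_format }}
# freq = {{ os_auditd_freq }}
# write_logs = {{ 'yes' if os_auditd_write_logs | bool else 'no' }}
---
# --- site.yml: use a site-specific template and stop writing the local log ---
- hosts: all
  become: true
  vars:
    os_auditd_conf_template: "{{ playbook_dir }}/templates/auditd-site.conf.j2"
    os_auditd_write_logs: false    # only sensible if an audisp plugin forwards events
  roles:
    - devsec.hardening.os_hardening
```

Two caveats a practitioner will want. `write_logs = no` stops auditd from writing the local log file but keeps dispatching events to the audisp plugins, so it is only appropriate when a plugin (syslog, remote) ships events elsewhere; otherwise it silently discards the audit trail. And the override must go through the variable: Ansible resolves a bare `src: auditd.conf.j2` against the role's own templates/ directory before the playbook's, so dropping a file of the same name next to the playbook would not replace the role's template on its own.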
dev-sec CI
fc524f5369 update changelog 2023-06-20 13:22:05 +00:00
Sebastian Gumprich
790c7c5846
add var-naming[no-role-prefix] to skip-list (#679)
there's probably some added value for this, but I see no reason to change so many variables and possibly break something when it still works and nobody complained

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-06-20 15:18:55 +02:00
dev-sec CI
45d6a17c08 update changelog 2023-06-12 12:22:09 +00:00
Nejc Habjan
dd215ba310
feat: explicitly support Fedora 37 and 38 (#682)
Signed-off-by: Nejc Habjan <nejc.habjan@siemens.com>
2023-06-12 14:18:32 +02:00
dev-sec CI
1fb9988fd7 update changelog 2023-06-10 06:07:05 +00:00
Sebastian Gumprich
f56d80b5d8
Replace ssh_keys group in Fedora with root (#677)
* Replace ssh_keys group in Fedora with root

In Fedora 38, the `ssh_keys` group was removed. root is used now, in accordance with upstream.

See: https://www.spinics.net/lists/fedora-devel/msg307707.html
See: https://src.fedoraproject.org/rpms/openssh/pull-request/37#

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* change host key mode and owner in fedora and rhel9

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add missing host mode for rhel7

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* harden all ssh host keys

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* skip linting rule

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* correct grp for bsd is wheel

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

---------

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-06-10 08:04:04 +02:00
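What "harden all ssh host keys" amounts to on a Fedora 38 or RHEL 9 host, written as added example tasks a playbook could carry (not the collection's own tasks): private host keys root-owned with mode 0600, public keys root-owned and 0644, wheel instead of root as the group on the BSDs, and an `sshd -t` run afterwards, which loads every host key and reports any it would refuse. The `ssh_host_key_group` fact is the example's own name. Caveat: on releases that still ship the `ssh_keys` group (RHEL 7 and 8, Fedora before 38) the distribution convention is root:ssh_keys with mode 0640 so that the setgid ssh-keysign helper can read the keys for host-based authentication; forcing root:root 0600 there is fine for sshd itself but can break ssh-keysign, so match the mode to what the release expects.

```yaml
# Added example tasks; not from the devsec.hardening collection.
- name: Pick the group root's files carry on this platform
  ansible.builtin.set_fact:
    ssh_host_key_group: "{{ 'wheel' if ansible_facts['system'] in ['FreeBSD', 'OpenBSD', 'NetBSD'] else 'root' }}"

- name: Find SSH host private keys
  ansible.builtin.find:
    paths: /etc/ssh
    patterns: 'ssh_host_*_key'     # glob does not match the .pub files
    file_type: file
  register: ssh_host_private_keys

- name: Restrict private host keys to root
  ansible.builtin.file:
    path: "{{ item.path }}"
    owner: root
    group: "{{ ssh_host_key_group }}"
    mode: '0600'
  loop: "{{ ssh_host_private_keys.files }}"
  loop_control:
    label: "{{ item.path }}"

- name: Find SSH host public keys
  ansible.builtin.find:
    paths: /etc/ssh
    patterns: 'ssh_host_*_key.pub'
    file_type: file
  register: ssh_host_public_keys

- name: Keep public host keys root-owned and world-readable
  ansible.builtin.file:
    path: "{{ item.path }}"
    owner: root
    group: "{{ ssh_host_key_group }}"
    mode: '0644'
  loop: "{{ ssh_host_public_keys.files }}"
  loop_control:
    label: "{{ item.path }}"

- name: Check that sshd still loads every host key and accepts its configuration
  ansible.builtin.command: /usr/sbin/sshd -t
  changed_when: false
```

Running the last task before any sshd restart is the cheap safety net: a key sshd will ignore, or a directive it rejects, surfaces here as a failed task rather than as a daemon that no longer starts on a remote host.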
dev-sec CI
0e173b4165 update changelog 2023-05-26 12:13:00 +00:00
Sebastian Gumprich
7e6a715692
setting gets ignored (#680)
see: https://github.com/authselect/authselect/issues/223

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-05-26 14:10:49 +02:00
dev-sec CI
9c86dae383 update changelog 2023-05-23 09:22:51 +00:00
junicast
f3337f33b3
Add oddjob mkhomedir option rhel pam (#675)
* added support for oddjob mkhomedir via optional var

* optimized conditional

* added variable description

Signed-off-by: Jochen Demmer <jochen.demmer@noris.de>

* added support for oddjob mkhomedir via optional var

Signed-off-by: Jochen Demmer <jochen.demmer@noris.de>

* optimized conditional

Signed-off-by: Jochen Demmer <jochen.demmer@noris.de>

* added variable description

Signed-off-by: Jochen Demmer <jochen.demmer@noris.de>

---------

Signed-off-by: Jochen Demmer <jochen.demmer@noris.de>
Co-authored-by: Jochen Demmer <jochen.demmer@noris.de>
2023-05-23 11:19:40 +02:00
dev-sec CI
c597eb97b2 update changelog 2023-05-22 13:56:42 +00:00
Andreas Wagner
d7bda7ca3a
expand on check conditions for non-file locations of logs (#674)
Co-authored-by: whysthatso <git@whysthatso.net>
2023-05-22 15:53:33 +02:00
dev-sec CI
037919e67a update changelog 2023-04-28 12:08:48 +00:00
schurzi
ed5aefad3e
Merge pull request #667 from dev-sec/molecule_update
use new molecule-plugins
2023-04-28 14:05:46 +02:00
Martin Schurz
e5b8df07e2 use new molecule-plugins
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-28 13:48:45 +02:00
dev-sec CI
808cc6d78a update changelog 2023-04-17 07:51:08 +00:00
schurzi
1cce7bca9a
Merge pull request #662 from dev-sec/codespell
add spellchecking with codespell
2023-04-17 09:47:53 +02:00
Martin Schurz
74c76b8240 correct workflow name and use main version
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-16 22:57:44 +02:00
Martin Schurz
cd56c017ba add parameter for skipped words
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-16 22:54:43 +02:00
Martin Schurz
93ddd4b45e use shared workflow
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-16 22:49:53 +02:00
Martin Schurz
7259d6b5fd fix spelling errors
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-14 23:51:53 +02:00
Martin Schurz
edcada16e4 add spellchecking with codespell
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-14 23:34:05 +02:00
dev-sec CI
7e31002555 update galaxy.yml with new version 2023-04-13 08:40:54 +00:00
dev-sec CI
8816969278 update changelog 2023-04-12 22:51:41 +00:00
schurzi
7e6e43e0a5
Merge pull request #657 from dev-sec/min_ansible_ver 2023-04-13 00:48:29 +02:00
dev-sec CI
b79eb83d4f update changelog 2023-04-12 20:24:10 +00:00
Martin Schurz
eb47f4dce0 Merge branch 'master' into min_ansible_ver 2023-04-12 22:22:36 +02:00
schurzi
4a21ec0234
Merge pull request #656 from dev-sec/update_Tests
Update test environment
2023-04-12 22:21:49 +02:00
Martin Schurz
bb47300798 remove unnecessary collection include
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-12 20:27:35 +02:00
Martin Schurz
de0439ed58 remove unnecessary collection include
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-12 20:22:22 +02:00
Martin Schurz
6e48f686a9 add fedora to testing
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-12 20:21:27 +02:00
Martin Schurz
0014a3be36 update metadata
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-12 20:18:29 +02:00
Martin Schurz
a186760b45 exclude broken tests
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-11 09:51:05 +02:00
Martin Schurz
a5a065f880 shorten text
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-11 07:49:38 +02:00
Martin Schurz
bc9795c215 add noqa for linter
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-11 07:37:07 +02:00
Martin Schurz
f02f8b9a90 add procps for Debian
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-11 07:20:44 +02:00
Martin Schurz
5cc7b8dee3 add waivers for os_hardening
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-11 07:17:29 +02:00
Martin Schurz
ea922f6dca fix lint error
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-10 23:49:52 +02:00
Martin Schurz
e43f180112 update waiver path
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-10 23:48:52 +02:00
Martin Schurz
001900ac35 require ansible.builtin.user to be at least 2.11 since options are needed
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-10 23:42:27 +02:00
Martin Schurz
31c9885610 use docker for inspec-auditor
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-10 23:22:41 +02:00
Martin Schurz
4a9d6033eb try docker for inspec-auditor
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-10 23:04:46 +02:00