Mirrors/ansible-collection-hardening

mirror of https://github.com/dev-sec/ansible-collection-hardening synced 2024-09-20 13:21:52 +00:00

Author	SHA1	Message	Date
Sebastian Gumprich	7e6a715692	setting gets ignored (#680 ) see: https://github.com/authselect/authselect/issues/223 Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2023-05-26 14:10:49 +02:00
junicast	f3337f33b3	Add oddjob mkhomedir option rhel pam (#675 ) * added support for oddjob mkhomedir via optional var * optimized conditional * added variable description Signed-off-by: Jochen Demmer <jochen.demmer@noris.de> * added support for oddjob mkhomedir via optional var Signed-off-by: Jochen Demmer <jochen.demmer@noris.de> * optimized conditional Signed-off-by: Jochen Demmer <jochen.demmer@noris.de> * added variable description Signed-off-by: Jochen Demmer <jochen.demmer@noris.de> --------- Signed-off-by: Jochen Demmer <jochen.demmer@noris.de> Co-authored-by: Jochen Demmer <jochen.demmer@noris.de>	2023-05-23 11:19:40 +02:00
Andreas Wagner	d7bda7ca3a	expand on check conditions for non-file locations of logs (#674 ) Co-authored-by: whysthatso <git@whysthatso.net>	2023-05-22 15:53:33 +02:00
schurzi	1cce7bca9a	Merge pull request #662 from dev-sec/codespell add spellchecking with codespell	2023-04-17 09:47:53 +02:00
Martin Schurz	7259d6b5fd	fix spelling errors Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2023-04-14 23:51:53 +02:00
Martin Schurz	eb47f4dce0	Merge branch 'master' into min_ansible_ver	2023-04-12 22:22:36 +02:00
Martin Schurz	0014a3be36	update metadata Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2023-04-12 20:18:29 +02:00
Martin Schurz	a5a065f880	shorten text Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2023-04-11 07:49:38 +02:00
Martin Schurz	bc9795c215	add noqa for linter Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2023-04-11 07:37:07 +02:00
Martin Schurz	ea922f6dca	fix lint error Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2023-04-10 23:49:52 +02:00
Martin Schurz	001900ac35	require ansible.builtin.user to be at least 2.11 since options are needed Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2023-04-10 23:42:27 +02:00
schurzi	29f8a2fb78	add testing for OpenBSD and FreeBSD (#642 ) * add testing for OpenBSD and FreeBSD Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * make python work Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * remove jinja template ... Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * make verify work Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * correct verify Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * correct verify Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * correct verify Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * correct verify Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * use right vm name for connect Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * add a bit of documentation Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * remove sudo Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * add weird OpenSBD workaround Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * make verify playbook more consistent Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * rename nonlinux to BSD Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * use openbsd7 for testing Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * correct use openbsd7 everywhere Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * add waivers Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * update waiver descriptions Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * use docker for inspec Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * keep looking right ;) Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * correct path to waivers Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * use ephemeral directory in docker Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * use bsd inspec profile Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * remove openbsd workaround Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * re-add openbsd workaround Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * commit suggestions Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * add supportet OS to metadata Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * use current python Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> --------- Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2023-03-31 09:50:04 +02:00
schurzi	5ed3f399f2	add check mode to molecule tests (#644 ) * add check mode to molecule tests Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * bail on undefined variables Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * bail on undefined variables Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * execute tasks in check mode Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * fix error in check mode on SuSE Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * use when condition on task Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> --------- Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2023-03-09 09:37:59 +01:00
George Bolo	3d0b6670d1	fixes #646 - add another condition to getent task (#647 ) Signed-off-by: gbolo <george.bolo@gmail.com>	2023-03-06 12:07:40 +01:00
schurzi	6e5621cdc9	simplify MySQL queries for user deletion (#641 ) * use rowcount to determine mysql results Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * use correct list level Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * remove json_query Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * remove intermediate vars Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * add check for count Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * drop condition, since one result must exist Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * move rowcount in condition Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * do loop in ansible to report each deleted user Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * add idempotency check Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * additional tests to verify user deletion Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * actually iterate the whole user list when deleting Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * fix tests for SuSE Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * adopt suggestions Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> --------- Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2023-03-01 14:19:50 +01:00
Nejc Habjan	9e4ea20c67	Only skip audit restart handler in docker (#637 ) Signed-off-by: Nejc Habjan <nejc.habjan@siemens.com>	2023-02-15 17:58:52 +01:00
Nejc Habjan	1fc2809307	Make action_mail_acct configurable in auditd (#631 ) Signed-off-by: Nejc Habjan <nejc.habjan@siemens.com>	2023-02-06 13:24:43 +01:00
schurzi	1ef9171393	remove unneccessary tasks for VM based test (#629 ) * add remaining platforms to test Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * remove unneccessary tasks for test Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * use current opensuse version Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * disable sysctl for missing yama in opensuse Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> --------- Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2023-02-06 08:37:40 +01:00
Norman Ziegner	2f60b44cca	os_hardening: Add variable to set the number of days of warning before user password expires Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>	2023-02-01 16:17:36 +01:00
rndmh3ro	bc096e58e5	Prettified Code!	2023-01-28 20:59:35 +00:00
DonEstefan	16e00b02db	rewrite user home dir hardening (#584 ) * rewrite user home dir hardening * delete duplicate var that was missed in a merge conflict Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * linting Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add tests for home rewrites Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * Apply suggestions from code review Co-authored-by: schurzi <github@drachen-server.de> --------- Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Co-authored-by: donestefan <donestefan@users.noreply.github.com> Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com> Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Co-authored-by: schurzi <github@drachen-server.de>	2023-01-28 21:59:19 +01:00
Sebastian Gumprich	a75b339526	fix more linting errors Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2023-01-27 11:27:35 +01:00
Sebastian Gumprich	89138be4ec	Rewrite system account detection and hardening and create tests (#621 ) * rewrite system account detection and hardening * resolve failures created when resolving merge conflicts Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add tests for shell removal tasks Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * Update molecule/os_hardening/prepare.yml Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * split tasks for locking and setting shell Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * fix some more linting Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> Co-authored-by: donestefan <donestefan@users.noreply.github.com> Co-authored-by: schurzi <Martin.Schurz@t-systems.com>	2023-01-27 11:01:03 +01:00
schurzi	ee80418496	Merge pull request #618 from dev-sec/deprecate_intitramfs deprecate rebuilding of initramfs	2023-01-25 23:56:36 +01:00
Martin Schurz	7f8e9919ee	add readme Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2023-01-25 22:30:17 +01:00
Sebastian Gumprich	a1028c7504	deprecate initramfs Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2023-01-25 13:07:37 +01:00
mmitnyan	83a0a9242b	Support for Amazon Linux 2 (#624 ) Signed-off-by: Manuel Mitnyan <mmitnyan@videotron.ca> Signed-off-by: Manuel Mitnyan <mmitnyan@videotron.ca>	2023-01-25 09:12:25 +01:00
Sebastian Gumprich	bb588bd777	linting (#603 ) * linting Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * more linting Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * change line length issues Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * replace yes with true in tasks Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * use manual line-wrapping because ansible-lint does not support it correctly. see https://github.com/ansible/ansible-lint/issues/2522 * use manual line-wrapping because ansible-lint does not support it correctly. see https://github.com/ansible/ansible-lint/issues/2522 Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * use manual line-wrapping because ansible-lint does not support it correctly. see https://github.com/ansible/ansible-lint/issues/2522 Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add exception for task Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * remove trailing whitespace * add back deleted params Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add back deleted params Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add back tasks Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2023-01-24 12:40:27 +01:00
DonEstefan	674be6dc6f	apply password age settings to exisiting regular users (#582 ) * apply password age settings to regular users * add tests for password ageing Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add debugging vars Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add tests for password ageing Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add tests for password ageing Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * Apply suggestions from code review Co-authored-by: schurzi <github@drachen-server.de> * add additional condtion for regular users Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Co-authored-by: DonEstefan <donestefan@users.noreply.github.com> Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com> Co-authored-by: schurzi <github@drachen-server.de>	2023-01-23 10:50:05 +01:00
stdtom	9d2c68ef2f	Preserve default ownership and dir mode for /var/log on Ubuntu (#615 ) * Preserve default ownership and dir mode for /var/log on Ubuntu Signed-off-by: stdtom <stdtom@gmx.net> * linting Signed-off-by: stdtom <stdtom@gmx.net> * Define vars for each OS instead of using defaults. Signed-off-by: stdtom <stdtom@gmx.net> * Fix values for os_mnt_var_log_dir_mode and os_mnt_var_log_group Signed-off-by: stdtom <stdtom@gmx.net> Signed-off-by: stdtom <stdtom@gmx.net>	2023-01-23 09:34:41 +01:00
rndmh3ro	b3fbfcedbe	Prettified Code!	2023-01-19 12:45:51 +00:00
Paweł Krawczyk	88ef3cf3af	Parametrize more auditd.conf options (#535 ) * Parametrize more auditd.conf options * Parametrize more auditd.conf options * Add `os_auditd` options * Add os_auditd_log_group * Add os_auditd_log_group Co-authored-by: Paweł Krawczyk <p@krvtz.net> Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>	2023-01-19 13:45:24 +01:00
richardlock	a82942a63a	Add support for /etc/auditd.conf num_logs to go with max_log_file_action. (#617 ) Signed-off-by: Richard Lock <r.j.lock@derby.ac.uk> Signed-off-by: Richard Lock <r.j.lock@derby.ac.uk>	2023-01-12 12:52:48 +01:00
Sebastian Gumprich	be0642bcfb	add verify-task to check if mysql is running and enabled (#608 ) * add verify-task to check if mysql is running and enabled Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * Update molecule/mysql_hardening/verify_tasks/service.yml Co-authored-by: schurzi <Martin.Schurz@t-systems.com> Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Co-authored-by: schurzi <Martin.Schurz@t-systems.com>	2022-12-07 08:49:07 +01:00
DonEstefan	bb3c63e321	fix IPv6 hardening (#607 ) Signed-off-by: DonEstefan <donestefan@users.noreply.github.com> Signed-off-by: DonEstefan <donestefan@users.noreply.github.com> Co-authored-by: donestefan <donestefan@users.noreply.github.com>	2022-11-30 16:13:25 +01:00
Sebastian Gumprich	e66c2eb6bb	Add OpenSUSE support (#605 ) * Add variables for mariadb on opensuse Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * enable pipeline Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * add a note about the reuirement of the jmespath library. Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * Use python3 on opensuse Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * fix my yml. Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * use right ansible variable Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * Suse requires python-rpm Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * try zypper Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * python-xml Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * another try at fixing the install Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * fix my yml Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * another try Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * another try Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * another try now with rpm. Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * fix my yml... Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * typo Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * do the test for Suse on the shell and not in ansible Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * specify to use bash Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * specify to use bash * try the removes keyword of builtin.shell Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * fix ansible syntax Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * fix zypper syntax Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * ensure pymysql is present Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * set ansible python interpreter in converge-step, too Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * move install task to prepare Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Co-authored-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>	2022-11-29 15:09:27 +01:00
Jacob Sievert	ade6deeba2	Updates handlers for new ansible syntax and deprecated options for legacy commands (#602 ) * Update main.yml fixes the handler file and set new syntax Signed-off-by: Jacob Sievert <jacob.sievert@sievert-mail.de> * changes command module from legacy to builtin. Signed-off-by: Jacob Sievert <jacob.sievert@sievert-mail.de> Signed-off-by: Jacob Sievert <jacob.sievert@sievert-mail.de>	2022-11-24 08:39:05 +01:00
Cristian Baldi	7d1da63c94	Allow ssh_allow_tcp_forwarding to be a boolean (#600 ) * Allow ssh_allow_tcp_forwarding to be a boolean Signed-off-by: Cristian Baldi <cristian.baldi@scrive.com> * Update documentation related to ssh_allow_tcp_forwarding Signed-off-by: Cristian Baldi <cristian.baldi@scrive.com> Signed-off-by: Cristian Baldi <cristian.baldi@scrive.com>	2022-11-23 13:45:01 +01:00
Dennis Eriksen	681898bd96	OpenBSD does not support GSSAPIAuthentication ... and freaks out when it is mentioned in the config files. So let's just remove the GSSAPI-stuff. Signed-off-by: Dennis Eriksen <d@ennis.no>	2022-11-08 09:12:18 +01:00
Dennis Eriksen	4df95e3733	OpenBSD does not set distributiuon_major_version (#597 ) This role fails with `The task includes an option with an undefined variable` on OpenBSD because `distributiuon_major_version` is not set on OpenBSD. We should either default to "" if the variable is not set, or remove `vars/OpenBSD.yml`. I would prefer the former :) Signed-off-by: Dennis Eriksen <d@ennis.no> Signed-off-by: Dennis Eriksen <d@ennis.no>	2022-11-04 12:00:55 +01:00
Diego Louzán	f8295d5248	fix(os_hardening): cast expected int types in pam tasks Signed-off-by: Diego Louzán <diego.louzan@gmail.com>	2022-10-27 16:50:08 +02:00
Sebastian Gumprich	dac66f4a88	simplify OS-vars files Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2022-10-25 18:59:11 +02:00
Sebastian Gumprich	3b8b394f10	add ssh-vars for new OS Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2022-10-25 18:59:11 +02:00
Sebastian Gumprich	b27ffd08b0	add mysql-vars for new OS Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2022-10-25 18:58:53 +02:00
schurzi	a1b80fe657	adopt all current suggestions from ansible-lint (#592 )	2022-10-24 09:42:23 +02:00
donestefan	464d8df8e8	add hardening of root user account(s) (#579 )	2022-10-21 11:05:43 +02:00
Benedikt Böhm	802bad48e6	do not manage trusted user ca keys if none exist (#580 ) Signed-off-by: Benedikt Böhm <bb@xnull.de> Signed-off-by: Benedikt Böhm <bb@xnull.de>	2022-10-20 14:44:14 +02:00
hagenbauer	500cd24beb	nginx variables for configuration and owner (#578 ) Signed-off-by: hagen.bauer@caserio.de <hagen.bauer@caserio.de> Signed-off-by: hagen.bauer@caserio.de <hagen.bauer@caserio.de>	2022-09-08 14:58:10 +02:00
Simon Baerlocher	883effef82	add centos >8 Support (#573 ) Signed-off-by: Simon Baerlocher <s.baerlocher@sbaerlocher.ch> Signed-off-by: Simon Baerlocher <s.baerlocher@sbaerlocher.ch>	2022-09-06 16:31:43 +02:00
Sebastian Gumprich	9ac01fb358	add always-tag to include so other tags can be used (#569 ) Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2022-08-26 13:45:05 +02:00

1 2 3 4 5 ...

319 commits