* rework filesystem hardening
- removed a lot duplicated code by using a loop
- added new hardening options for /tmp
- added new options "passno" and "dump" for every filesystem.
currently ansible changed that values to 0 for every fs
new default depends on fstype, can be overwriten in config
- removed default fstype in config
the type will now be autodetected, can be overwriten in config
- mount src setting is now optional
the source will now be autodetected, can be overwriten in config
- it will be now checked, if it is really a mount
- changed fs reload to handler
- removed check os_auditd_enabled on /var/log/audit
Signed-off-by: divialth <65872926+divialth@users.noreply.github.com>
* fix lint errors
Signed-off-by: divialth <65872926+divialth@users.noreply.github.com>
* implemented the name suggestions
Signed-off-by: divialth <65872926+divialth@users.noreply.github.com>
Signed-off-by: divialth <65872926+divialth@users.noreply.github.com>
add option to whitelist specific user that need a .netrc file in there home dirs
add test for .netrc files if option os_netrc_enabled is false
Signed-off-by: Philipp Funk <philipp.funk@t-systems.com>
Signed-off-by: Philipp Funk <philipp.funk@t-systems.com>
Co-authored-by: Philipp Funk <philipp.funk@t-systems.com>
* Include Debian 11 into Molecule test suites (#527)
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Fix Ansible Lint GitHub Action version (#527)
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Update .gitignore
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* mysql_hardening: Use Python 3 as Ansible interpreter (#527)
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Note Debian 11 support for os_hardening & nginx_hardening (#527)
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Fix lint issues & Ansible Lint configuration in CI
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Try to fix YAML lint issues, again
Re-ordered YAML comments at the end of `.yamllint` file.
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* rm debian9 from tests, add debian 11 where missing
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* fix mysql molecule tests
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add VM tests for ssh_hardening
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove VM tests from ssh_hardening
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* run ssh_hardening test as unprivileged user
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add link for documentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use different config
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove become
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* re-add become
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move become into role
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* indentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* try args apply
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix linting
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add documentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
```
Unable to open /var/log/audit/audit.log (Permission denied)
```
This PR fixes the issue by using the default permission set by auditd (`0700`).
Signed-off-by: Benedikt Böhm <bb@xnull.de>
* Only run harding if /var/log/audit exists
Signed-off-by: GitHub <noreply@github.com>
* Update roles/os_hardening/tasks/minimize_access.yml
* add more conditionals to when auditd show be hardened
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add more tests to the os-hardening vm tests
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Revert "add more tests to the os-hardening vm tests"
This reverts commit c05fe8b520.
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* first testing with tasks and variables
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* update variables for dir options
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* updated permissions and defaults
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* fix home dir permissions
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* updated tasks with useful variables
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* reorder tasks. first remount, then manage fstab and fix permissions on directories. Renaming task names with mountpoints (slashes)
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* shorten tasks with list items
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* change defaults for /boot directory, because its a bad behaviour, if ansible changes boot entries with a default value
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* Update documentation for new parameters to manage mountpoints
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* Update roles/os_hardening/tasks/minimize_access.yml
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* Update roles/os_hardening/tasks/minimize_access.yml
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* Fix state on every new task
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* loop instead of list
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* testing remount with register
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* add remounts with loop over all changed folders
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* testing and solving trouble with variable names
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* optimize default permissions for var-log-audit
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* optimize default permissions for var-log-audit
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* change to new optimizied permissions of var-log-audit
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* fix some defaults in fstab to configure as mounted
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* add stat and check, if boot folder exists
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
Co-authored-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
while this could be better solved by checking what nginx version is used, debian9 is eol'd in 4 months. if there will be again a need to check for nginx versions, we'll add it then
Signed-off-by: rndmh3ro <github@gumpri.ch>
Files in this whitelist should not be altered.
Currently this is only relevant for enforcing the gpg check.
Signed-off-by: René Scheibe <rene.scheibe@gmail.com>
* new function to disable ctrl-alt-del to avooid reboot virtual machines f.e.
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* fix variable documentation for ctrlaltdel
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* added ctrlaltdel variable for molecule
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* optimize ctrlaltdel function with a 'when' query. thanks to rndmh3ro
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* fix typo in new file
Co-authored-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
The tasks `Change shadow ownership to root and mode to 0600` and `Change
passwd ownership to root and mode to 0644` only handle
`/etc/shadow` and `/etc/passwd` respectively. But there multiple
adjacent files that should be handled with these rules as well:
- `/etc/gshadow`
- `/etc/shadow-`
- `/etc/gshadow-`
- `/etc/group`
- `/etc/shadow-`
- `/etc/group-`
This change adds those files to the rules, so that permissions are
handled in the same way.
Closes: #488
Signed-off-by: Claudius Heine <ch@denx.de>
* fix filter error in ansible.builtin.file mode parameter
* Change cinc supermarket
* fix link to baseline
* fix typo
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* [mysql_hardening] Allow setting the mysql_distribution
On some operating systems, the package for MySQL is not `mysql-server`,
and so the default check for this will not yield the correct result.
This change adds an escape hatch by letting the user set
`mysql_distribution`. Additionally, it verifies that it is set to a
legal value if the user has set it.
Closes#472
Signed-off-by: Shawn Wilsher <656602+sdwilsh@users.noreply.github.com>
* Update roles/mysql_hardening/tasks/main.yml
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* Add CVE-2021-33909 mitigations
kernel.unprivileged_bpf_disabled: 1
kernel.unprivileged_userns_clone: 0
The first one is also used by Tails.
Signed-off-by: Paweł Krawczyk <616047+kravietz@users.noreply.github.com>
* Clean up whitespaces
Signed-off-by: Paweł Krawczyk <616047+kravietz@users.noreply.github.com>
* Add Configuration of password remember
and set default to 60
see Telekom 2021.07-01 SoC 3.01 Req 25 and SoC 3.65 Req46
Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>
* set default for password remember back to 5
Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>
* readme default for password remember back to 5
Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>
* add SUB_UID_MIN/MAX/COUNT, SUB_GID_MIN/MAX/COUNT
Similar reason as #461
> If /etc/subuid exists, the commands useradd and newusers (unless the user already have subordinate user IDs)
> allocate SUB_UID_COUNT unused user IDs from the range SUB_UID_MIN to SUB_UID_MAX for each new user.
> The default values for SUB_UID_MIN, SUB_UID_MAX, SUB_UID_COUNT are respectively 100000, 600100000 and 65536.
Signed-off-by: Leo Gallucci <elgalu3@gmail.com>
* document SUB_UID_MIN/MAX/COUNT, etc
Signed-off-by: Leo Gallucci <elgalu3@gmail.com>
* use os_family instead of distribution for debian systems
Signed-off-by: rndmh3ro <github@gumpri.ch>
* remove tasks related to rhel6 or debian 6
Signed-off-by: rndmh3ro <github@gumpri.ch>
* add rocky linux 8 tests and make sure that all relevant tasks are executed
Signed-off-by: rndmh3ro <github@gumpri.ch>
* fix missing quote
Signed-off-by: rndmh3ro <github@gumpri.ch>
when our collection is used with tags, the os dependent variables are
not resolved. This task should run every time, so the behaviour is
correct.
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
When `import_tasks` is used, the task `Fetch OS dependent variables`
always runs, even when excluded by an upstream tag.
When `Fetch OS dependent variables` runs while excluded via tags, it
will always fail with the following.
```
fatal: [alpha]: FAILED! => {"msg": "No file was found when using first_found. Use errors='ignore' to allow this task to be skipped if no files are found"}
```
This brings os_hardening's main.yml in line with ssh_hardening's
main.yml, which doesn't have this issue.
Signed-off-by: Colin Adler <colin@coder.com>
* added version check for MariaDB in Query
MariaDB Uses the authentication_string field since 10.4.0, added this in version check in query for users to delete
Signed-off-by: Martin Neubert <martin.neubert@t-systems.com>
* Update roles/mysql_hardening/tasks/mysql_secure_installation.yml
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* Update roles/mysql_hardening/tasks/mysql_secure_installation.yml
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* ssh: Client HostKeyAlgorithms configuration variable
Introduce a new variable ssh_client_host_key_algorithms to be able to configure
it for the client like for the server.
This fixes#441
Signed-off-by: Paul Seidler <705535+sepek@users.noreply.github.com>
* sshd: Adapt the ssh_host_key_algorithms description
Linking to the latest version may lead to a broken config so be a bit more
dynamic
Signed-off-by: Paul Seidler <705535+sepek@users.noreply.github.com>
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
install collection in molecule
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
remove deprecated ubuntu 16.04 from tests
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
