Martin Schurz
99784726f8
drop role after test for inspec
...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00
Martin Schurz
2f5360225b
extend role check
...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00
Martin Schurz
fdf7bbd7be
correct hostname in test
...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00
Martin Schurz
ee1fec3d3e
correct indentation
...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00
Martin Schurz
35df355248
add tests for roles
...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00
Martin Schurz
ec8811acdf
use like to coerce collation
...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00
Martin Schurz
6681e0b319
correct query
...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00
Martin Schurz
79dc1d5474
check mode for status var
...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00
Martin Schurz
219ec1938b
try symlink fix
...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00
Martin Schurz
336861838a
try local path
...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00
Martin Schurz
b07ac77223
test removing requirements
...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00
Martin Schurz
665edd5157
re-add working directories
...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00
Martin Schurz
8f516018b6
trigger workflow
...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00
Martin Schurz
4756a620f2
reduce dir dependencies
...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:02 +01:00
Martin Schurz
c59a4d4e48
fix role path
...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:36:26 +01:00
Martin Schurz
216b56f468
lint
...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:36:26 +01:00
Martin Schurz
36715017d7
use separate task for role detection
...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:36:26 +01:00
Martin Schurz
2c18d3afda
use if for role detection
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-11-11 15:34:34 +01:00
Sebastian Gumprich
bd721317d2
try to fix IS_ROLE
...
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-11-11 15:34:34 +01:00
Sebastian Gumprich
92e6cad463
try to fix IS_ROLE
...
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-11-11 15:34:34 +01:00
Sebastian Gumprich
66adae0faa
try to fix IS_ROLE
...
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-11-11 15:34:34 +01:00
Sebastian Gumprich
dc583422bc
try to fix IS_ROLE
...
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-11-11 15:34:33 +01:00
Sebastian Gumprich
4c5a5deec6
try to fix IS_ROLE
...
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-11-11 15:34:33 +01:00
Sebastian Gumprich
a6892904bf
try to fix IS_ROLE
...
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-11-11 15:34:33 +01:00
Sebastian Gumprich
0675167cb2
do not create role for now!
...
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-11-11 15:34:33 +01:00
Sebastian Gumprich
8d5143b5d7
try to fix IS_ROLE
...
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-11-11 15:34:33 +01:00
Sebastian Gumprich
0bf528d83b
do not try to drop roles in mysql hardening
...
There's a new feature in mariadb 10.1 (https://mariadb.org/grant-to-public-in-mariadb/) and mysql 8 (need to verify).
MariaDB has quite a complex privilege system. Most of it is based on the SQL Standard spec; however we do have some specific MariaDB extensions. GRANT ... TO PUBLIC (MDEV-5215) is a standard feature that is now available as a preview in MariaDB 10.11.0. It is related to ROLES and DEFAULT ROLE, but it covers a different use case.
ROLES are effectively “privilege packages” that you can enable and disable as a user. One can also set which “privilege package” will be enabled at connect time by setting a DEFAULT ROLE per user. This is all quite useful, however it is missing one key feature. For a DBA, it would be quite useful to state only once that all users need to have a certain set of privileges. This is where GRANT ... TO PUBLIC comes in.
Some more information here: https://mariadb.org/wp-content/uploads/2018/07/MariaDB-Roles-Tampere-Unconference-2018.pdf
This role is shown as a user; it does, however, have a new is_role flag.
MariaDB [(none)]> select user, host, is_role from mysql.user;
+-----------------------+-----------+---------+
| User                  | Host      | is_role |
+-----------------------+-----------+---------+
| mariadb.sys           | localhost | N       |
| root                  | localhost | N       |
| mysql                 | localhost | N       |
| PUBLIC                |           | Y       |
| monitoring            | %         | N       |
| monitoring            | localhost | N       |
| galera_mariadb_backup | %         | N       |
+-----------------------+-----------+---------+
Since this "user" does not have a password or authentication_string, the ansible-role tries to delete it but fails.
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-11-11 15:34:33 +01:00
dev-sec CI
cd572de55a
update changelog
2023-11-01 14:57:36 +00:00
schurzi
da017fa880
Gather facts when os_hardening role is executed with tags (#708)
...
* Gather facts when os_hardening role is executed with tags
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* better when condition
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-01 15:54:52 +01:00
dev-sec CI
4978598e00
update changelog
2023-10-26 08:46:02 +00:00
dev-sec CI
ac7ef8aae6
update os_hardening readme
2023-10-26 08:43:45 +00:00
dev-sec CI
27a1f6e5e8
update ssh_hardening readme
2023-10-26 08:43:40 +00:00
dev-sec CI
e84b407c44
update nginx_hardening readme
2023-10-26 08:43:39 +00:00
Moritz
8252b82764
fix: roles-readme action default value (#706)
...
* fix: default value for push-branch
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* docs(ssh_hardening): meta arguments desc
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* fix: split checkout for forked repos in pull requests
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* fix: push not on pr and added diff
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
---------
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
2023-10-26 10:43:10 +02:00
dev-sec CI
5aa26aa039
update changelog
2023-10-25 13:12:59 +00:00
Moritz
1b0576695e
feat: workflow for roles readme (#705)
...
* chore: added aar_doc config
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* feat: added initial state of roles readme workflow
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* fix: runs on
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* fix: install poetry
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* feat: loop over all roles and install poetry with pip
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* fix: working dir for poetry run
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* fix: cli path
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* chore: scale down matrix loop for testing
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* fix: poetry run for py execution command
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* fix: work dir for poetry run
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* fix: cli.py path
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* fix: roles path
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* feat: push readme
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* fix: on push branch master
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* fix: uncomment other roles
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* chore: limit trigger to master and arguments
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* fix: push branch name
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* refactor: simplify steps
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* style: linting and styling
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* chore: trigger for pull request
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* fix: push only if ref is master
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* chore: output diff of generated README
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* fix: push readme in pull request
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* docs: role var description text
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* fix: aar_doc roles path
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* fix: git diff
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* fix: fetch all history and changed diff branch
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* fix: run diff only for pr
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* fix: remove fetch-depth and switch to normal diff
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* fix: remove diff and set push-branch
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
* fix: head_ref with default ref_name for push-branch
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
---------
Signed-off-by: Nemental <15136847+Nemental@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
2023-10-25 15:10:02 +02:00
dev-sec CI
d63015c2a7
update changelog
2023-10-23 10:26:41 +00:00
rndmh3ro
a08a057f7b
Prettified Code!
2023-10-23 10:24:09 +00:00
Sebastian Gumprich
787ac9bd54
fix some wrong defaults and types in the readmes (#703)
...
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@telekom.de>
2023-10-23 12:23:49 +02:00
dev-sec CI
91d10892dc
update changelog
2023-10-20 08:36:06 +00:00
schurzi
90ca33466e
Merge pull request #696 from dev-sec/renovate/actions-checkout-4.x
...
chore(deps): update actions/checkout action to v4
2023-10-20 10:33:08 +02:00
renovate[bot]
b01789b14b
chore(deps): update actions/checkout action to v4
...
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-10-19 10:32:39 +00:00
dev-sec CI
526e369999
update changelog
2023-10-16 18:59:25 +00:00
schurzi
9c2f12561a
update links to new Ansible Galaxy (#702)
...
* update links to new Ansible Galaxy
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* remove dead link
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-10-16 20:56:13 +02:00
dev-sec CI
cec9c99763
update changelog
2023-10-08 19:07:40 +00:00
schurzi
dae8487ab3
Merge pull request #700 from nejch/chore/template-typo
...
Fix typo in login.defs.j2
2023-10-08 21:04:58 +02:00
Nejc Habjan
35d87aa678
Fix typo in login.defs.j2
...
Signed-off-by: Nejc Habjan <nejc.habjan@siemens.com>
2023-10-08 14:15:16 +02:00
dev-sec CI
6833d66634
update changelog
2023-09-22 07:25:11 +00:00
Sebastian Gumprich
3bdd8c851e
test debian12 on VM (#695)
...
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@telekom.de>
2023-09-22 09:22:27 +02:00
dev-sec CI
d86859962d
update changelog
2023-08-24 13:24:45 +00:00