Commit graph

402 commits

Author SHA1 Message Date
dev-sec CI
3250d179bc update nginx_hardening readme 2024-08-06 11:37:20 +00:00
dev-sec CI
caaae61322 update mysql_hardening readme 2024-08-06 11:12:00 +00:00
dev-sec CI
c5935d38e5 update os_hardening readme 2024-08-06 11:11:58 +00:00
dev-sec CI
0989606757 update ssh_hardening readme 2024-08-06 11:11:57 +00:00
schurzi
69ab9e47ad
Update Debian compatibility (#784)
* Update Ubuntu compatability

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* reload systemd when disabling ssh socket

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* manage systemd files

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* Create privsep directory for Debian

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* Use working Ubuntu 24.04 image for vm tests

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* Remove deprecated Debian 10

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

---------

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2024-08-06 13:11:32 +02:00
schurzi
2ff44f2145 Prettified Code! 2024-07-28 11:45:51 +00:00
Martin Schurz
f23d5d8eaf Remove deprecated rebuild of initrd
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2024-07-28 13:17:49 +02:00
Sevan
0233bfe543
Ensure that ssh is installed (#774)
Signed-off-by: Sevan Murriguian-Watrin <git@byh0ki.fr>
2024-07-02 20:41:07 +02:00
dev-sec CI
ed85a70105 update ssh_hardening readme 2024-07-02 16:20:50 +00:00
Martin Schurz
77de9435fa remove freebsd12
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2024-07-02 17:31:22 +02:00
dev-sec CI
c068979b91 update os_hardening readme 2024-06-24 08:41:24 +00:00
dev-sec CI
b705cd95dc update ssh_hardening readme 2024-06-24 08:41:00 +00:00
dev-sec CI
7f51a49265 update nginx_hardening readme 2024-06-24 08:40:57 +00:00
dev-sec CI
aaaedee1cd update mysql_hardening readme 2024-06-24 08:40:50 +00:00
Sebastian Gumprich
c02b5d9c3a add arg-spec for new variable ssh_server_service_enabled
Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
2024-06-24 10:28:53 +02:00
Sevan
b0488e86d4
ssh: explicitly enable or disable the service at boot (#771)
Signed-off-by: Sevan Murriguian-Watrin <git@byh0ki.fr>
2024-06-24 10:26:55 +02:00
Sebastian Gumprich
19ca997bd6
disable systemd socket activation (#769)
* disable systemd socket activation

Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>

* move start to after deactivation so it can start

---------

Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
2024-06-18 15:56:09 +02:00
rndmh3ro
26ecb3f5ea Prettified Code! 2024-06-04 08:16:33 +00:00
dev-sec CI
b0f968af21 update nginx_hardening readme 2024-05-31 10:21:00 +00:00
Sebastian Gumprich
85aa1b22b3
do not force type of ssh_gateway_ports (#765)
* do not force type of gatewayports-var

this way it can be a bool or a string. we also now test for it

Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>

* replace yum with dnf

Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>

---------

Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
2024-05-31 12:20:00 +02:00
dev-sec CI
4af40129c6 update ssh_hardening readme 2024-05-31 09:42:36 +00:00
dev-sec CI
eb972f63f7 update os_hardening readme 2024-05-31 09:42:33 +00:00
dev-sec CI
b6be42c3a0 update mysql_hardening readme 2024-05-31 09:42:13 +00:00
Sebastian Gumprich
296f46cc80
centos7 is eol, remove it (#767)
* centos7 is eol, remove it

Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>

* change workflow to update readmes when meta/main.yml is changed

Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>

* remove mention of centos 7 from readme

Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>

---------

Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
2024-05-31 11:25:01 +02:00
Sebastian Gumprich
346ead4455 fix spelling
Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
2024-05-30 15:07:27 +02:00
Sebastian Gumprich
f3a1fcc16a fix spelling
Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
2024-05-30 15:01:33 +02:00
debbabi
00443de508
add ssh_pubkey_authentication variable (#749)
Signed-off-by: debbabi <dbassem@gmail.com>
2024-03-20 13:24:27 +01:00
schurzi
72eb74a85f Prettified Code! 2024-01-15 13:51:25 +00:00
Sebastian Gumprich
e5cc9bbf43 restructure readme to move known problems up top
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@telekom.de>
2024-01-12 09:30:48 +01:00
Martin Schurz
422fb940a9 manually fix remaining problems
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-12-06 15:27:21 +01:00
Martin Schurz
54f9ef42a1 don't try to restart audit in check mode
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-22 00:45:38 +01:00
Martin Schurz
25acb76c05 reload systemd after installation
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-21 23:59:22 +01:00
Martin Schurz
0f6b8e4a3a use full service name for handler
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-21 23:04:41 +01:00
Martin Schurz
20dd04c9cb split notify, add tmp options for arch
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-21 21:58:58 +01:00
Martin Schurz
60d10811d4 add separate handlers for audit restart
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-21 21:45:05 +01:00
Aki Kanellis
a15159d072 Make disabling unused filesystems idempotent
The `os_unused_filesystems` was lacking sorting, making the task not
idempotent. This was especially apparent and random in Molecule tests
when this collection was added as a dependency.

Signed-off-by: Aki Kanellis <hello@akikanellis.com>
2023-11-19 19:57:31 +00:00
dev-sec CI
2c91f89903 update nginx_hardening readme 2023-11-16 14:33:13 +00:00
dev-sec CI
9c848839d9 update mysql_hardening readme 2023-11-16 14:20:48 +00:00
dev-sec CI
1b69855d51 update os_hardening readme 2023-11-16 14:20:47 +00:00
dev-sec CI
512e31f1ae update ssh_hardening readme 2023-11-16 14:20:44 +00:00
Sebastian Gumprich
2db75b53c1
make it possible to configure more then yes and no for PermitTunnel (#715)
This is a breaking change, since the default variable is now a string instead of a bool

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@telekom.de>
2023-11-16 15:20:22 +01:00
schurzi
0371a2690b Prettified Code! 2023-11-16 11:35:10 +00:00
Martin Schurz
adda83572a fix mixup, add custom test badge
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-16 12:10:41 +01:00
Martin Schurz
01bde49fbc update badges
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-16 11:30:38 +01:00
schurzi
3d98cbf67b
add testing and support for current versions of Fedora and FreeBSD (#709)
* add testing and support for current versions of Fedora and FreeBSD

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* add waivers for FreeBSD

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* use original fedora images

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* also harden /home mount

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* also harden /tmp mount

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* test mock efi directory

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* remove mock

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* umount efi

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* add /tmp to special mountpoints

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* set options for /tmp mount

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* create /tmp mount

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* create /tmp mount and mount it ...

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* make fewer changes to default test run

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* use correct Ansible var

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

---------

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-16 09:14:03 +01:00
Martin Schurz
bf177add07 one last time ...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:26 +01:00
Martin Schurz
fb22b242fe better compare for utf8
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00
Martin Schurz
0c8c96a535 collate for opensuse
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00
Martin Schurz
2f5360225b extend role check
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00
Martin Schurz
35df355248 add tests for roles
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-11 15:37:25 +01:00