Sebastian Gumprich
812c6c5974
skip auditd restart in molecule tests
...
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-03-29 10:00:15 +02:00
Sebastian Gumprich
ae68f73965
skip auditd restart in molecule tests
...
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-03-29 09:29:37 +02:00
Farid Joubbi
7af432e1cf
Uppercased first letter of task names. ( #422 )
...
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-03-25 13:52:56 +01:00
Farid Joubbi
c90bbd2c23
Improved comments. ( #436 )
...
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-03-24 14:31:58 +01:00
Farid Joubbi
d1143a06b1
Not accepting source routing for IPv6. This was already done for IPv4. ( #424 )
...
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-03-24 07:55:29 +01:00
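An added example, not the collection's own sysctl handling, of setting the accept_source_route keys the commit above refers to for both address families with the ansible.posix.sysctl module. The sysctl.d file name is an assumption; ignoreerrors is there for hosts where IPv6 is built out of the kernel and the net.ipv6 keys do not exist.

```yaml
# Added example, not the collection's own code. The sysctl.d file name is an
# assumption. Both the "all" and "default" keys are set so that interfaces
# added later inherit the setting.
- name: Do not accept source-routed packets (IPv4 and IPv6)
  ansible.posix.sysctl:
    name: "{{ item }}"
    value: '0'
    sysctl_file: /etc/sysctl.d/99-hardening.conf
    reload: true
    # The net.ipv6 keys are missing when IPv6 is compiled out; without
    # ignoreerrors such hosts would fail the play.
    ignoreerrors: true
  loop:
    - net.ipv4.conf.all.accept_source_route
    - net.ipv4.conf.default.accept_source_route
    - net.ipv6.conf.all.accept_source_route
    - net.ipv6.conf.default.accept_source_route
```

Verify on a target with `sysctl net.ipv6.conf.all.accept_source_route`; a value of 0 means the kernel drops packets carrying an IPv6 routing header it is asked to honour, matching what was already done for IPv4.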
Farid Joubbi
240d8acc0c
Changed os_auth_pam_pwquality_options type to authtok_type.
...
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-03-23 11:16:05 +01:00
Martin Schurz
d693a8e200
also use requisite for pwhistory
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-03-23 08:53:49 +01:00
Martin Schurz
0ac56e4c00
Merge branch 'master' into pwhistory
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-03-23 08:53:23 +01:00
schurzi
5be13e878f
Merge pull request #430 from joubbi/comment
...
Remove comments from PAM config file, but keep it in the template
2021-03-23 08:40:20 +01:00
Farid Joubbi
659e5ada6a
Changed to pam_pwhistory.so instead of pam_unix.so for remembering old passwords.
...
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-03-22 22:28:25 +01:00
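An added example (not the collection's own template) of the Debian-family password stack that this commit and the "also use requisite for pwhistory" commit above describe: pam_pwhistory.so keeps the password history instead of pam_unix.so's remember= option, and it is marked requisite so a reused password fails the stack immediately instead of falling through to pam_unix. The file path, the remember count and the pwquality options are assumptions.

```yaml
# Added example, not the collection's own template. Path, remember=5 and the
# pwquality options are assumptions. Stack order: pwquality gathers and
# checks the new password, pwhistory (requisite) rejects a reused one before
# pam_unix ever sees it, pam_unix then sets it with use_authtok.
- name: Install hardened password stack (Debian family)
  ansible.builtin.copy:
    dest: /etc/pam.d/common-password
    owner: root
    group: root
    mode: '0644'
    content: |
      # Managed by Ansible (example); local edits will be overwritten
      password requisite pam_pwquality.so retry=3 minlen=15
      password requisite pam_pwhistory.so remember=5 use_authtok
      password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
      password requisite pam_deny.so
      password required pam_permit.so
```

Because the history lives in /etc/security/opasswd rather than in the shadow entry, pam_unix no longer needs remember=, and placing pam_pwhistory before pam_unix means the old hash is compared before the new one is written.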
Farid Joubbi
0010715039
Remove comment from output file, but keep it in the template.
...
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-03-22 19:39:49 +01:00
rndmh3ro
369c2986c6
Prettified Code!
2021-03-22 10:23:03 +00:00
Sebastian Gumprich
02c689eaa0
fix loop for home_directories
...
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-03-22 11:18:51 +01:00
Sebastian Gumprich
bf82736787
Update roles/os_hardening/tasks/user_accounts.yml
...
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
2021-03-22 11:18:51 +01:00
Sebastian Gumprich
c86bdcb4c7
linting
...
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-03-22 11:18:51 +01:00
Sebastian Gumprich
b5ca78a9cd
chmod /home directories to 0700
...
This is based on https://github.com/dev-sec/ansible-collection-hardening/pull/277
and updated to work with the new collection.
Thanks to @aardbol for this initial implementation!
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-03-22 11:18:51 +01:00
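An added example, not the collection's own task, of the home-directory tightening this series of commits describes: enumerate the directories once on the target, then loop over the result and set 0700. It only covers directories under /home (an assumption; accounts whose home lives elsewhere are not touched) and skips lost+found so a separately mounted /home is left alone.

```yaml
# Added example, not the collection's own code. Only /home is scanned (an
# assumption); homes elsewhere in passwd are not handled here.
- name: Find home directories
  ansible.builtin.find:
    paths: /home
    file_type: directory
    recurse: false
    # lost+found exists on a separately mounted /home and is not a user's home
    excludes: lost+found
  register: home_directories

- name: Restrict each home directory to its owner (0700)
  ansible.builtin.file:
    path: "{{ item.path }}"
    mode: '0700'
  loop: "{{ home_directories.files }}"
  loop_control:
    label: "{{ item.path }}"
```

Leaving `state` unset keeps the file module from creating anything: it only changes the mode of directories that find already returned, and the loop_control label keeps the play output to the path instead of the full stat result.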
Sebastian Gumprich
390f7ad6cc
fix linting
...
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-03-19 14:46:42 +01:00
Felix Herzog
eca93cc80b
add restart-auditd handler, as after a configuration change (e.g. of os_auditd_max_log_file_action) you need to restart. Sadly on rhel7 systems you cannot use systemd. And as debian derivatives use service as an alias and it works, I kept it that simple. Also adding an 'auditd' tag to make it easy to only run that config change if needed.
...
Signed-off-by: Felix Herzog <snoopotic@gmail.com>
2021-03-19 14:42:31 +01:00
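An added example, not the collection's own tasks or handlers, of the task-plus-handler pair the commit above describes. The variable name os_auditd_max_log_file_action comes from the commit; the handler name, the tag value and the regexp are assumptions.

```yaml
---
# tasks/auditd.yml  (added example, not the collection's own code)
- name: Configure what auditd does when a log file reaches max_log_file
  ansible.builtin.lineinfile:
    path: /etc/audit/auditd.conf
    regexp: '^\s*max_log_file_action\s*='
    line: "max_log_file_action = {{ os_auditd_max_log_file_action }}"
  notify: Restart auditd
  tags: auditd

---
# handlers/main.yml
# On RHEL 7 the auditd unit refuses a manual stop, so 'systemctl restart
# auditd' fails there; the legacy 'service auditd restart' wrapper still
# works, and on Debian derivatives 'service' simply forwards to systemd.
# The handler therefore shells out instead of using the service module.
- name: Restart auditd
  ansible.builtin.command: service auditd restart
  changed_when: true
```

Run only this piece with `ansible-playbook site.yml --tags auditd`; the handler fires once at the end of the play even if several auditd.conf lines change.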
schurzi
a64838272c
Merge pull request #418 from joubbi/documentation2
...
Improve Documentation for sysctl defaults
2021-03-16 15:49:55 +01:00
Martin Schurz
b2dd73d27e
remove unneeded tasks
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-03-15 23:53:40 +01:00
Martin Schurz
ec9d7d2cb8
cleanup and typos
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-03-15 23:39:12 +01:00
Farid Joubbi
97c55d6e55
Documented rationale for sysctl values set.
...
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-03-15 14:01:19 +01:00
Martin Schurz
5f97dffddf
Merge branch 'master' into tally
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-03-11 19:26:37 +01:00
schurzi
103135ce9a
fix task naming
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-03-11 17:21:32 +01:00
Farid Joubbi
4158e0bfb4
Created a list of files/dirs to be looped instead of two tasks per file/dir.
...
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-03-11 16:54:25 +01:00
Farid Joubbi
4bad4779cd
Fixed copy-paste error by doing og-rwx instead of numerical.
...
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-02-22 22:13:18 +01:00
Martin Schurz
75fc31b80c
remove cracklib
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-22 19:10:45 +01:00
Farid Joubbi
91a0d62305
Ensure permissions on /etc/crontab are configured. #375
...
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-02-19 23:19:00 +01:00
Farid Joubbi
60d24db460
Ensure permissions on /etc/crontab are configured. #375
...
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-02-19 22:40:16 +01:00
schurzi
8e4c22d8d9
remove FQCN from roles in examples ( #404 )
...
Ansible does not work with FQCN and collections specified for including
roles. It is currently expecting to only get the role name in this
context.
Verified with Ansible 2.10.5
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-17 11:34:37 +01:00
Martin Schurz
dba53718cf
sssd is disabled on Amazon Linux
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-16 20:44:28 +01:00
Martin Schurz
4a5fa70507
default faillock to yes
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-16 19:31:51 +01:00
Martin Schurz
64713ce75d
add default for new variable
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-15 11:17:01 +01:00
Martin Schurz
ec36bf5b9c
document parameter
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-15 00:22:03 +01:00
Martin Schurz
08aad6e80f
add documentation
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-15 00:13:14 +01:00
Martin Schurz
28c6bf5c66
put force on the right task
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-14 23:31:24 +01:00
Martin Schurz
26c73ed1c9
fix debian faillock config
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-14 23:13:14 +01:00
Maxim Burgerhout
54c8e6aedb
Split off ssh_gssapi_delegation into own variable
...
Signed-off-by: Maxim Burgerhout <maxim@wzzrd.com>
2021-02-14 22:07:33 +01:00
Martin Schurz
b9e33091e2
fix problems with auth
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-14 21:30:35 +01:00
Martin Schurz
7f1765c608
consolidate auth for rhel
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-14 17:30:02 +01:00
Martin Schurz
30f0839513
add support for rhel8 and sssd
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-14 12:44:20 +01:00
Martin Schurz
532917d956
remove rhel6 support from pam
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-14 12:14:54 +01:00
Martin Schurz
04654d0490
correct typo
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-14 11:19:12 +01:00
Martin Schurz
aa166f43fc
split debian and rhel pam config
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-14 02:07:25 +01:00
Martin Schurz
19482c319c
force create symlink
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-13 19:38:57 +01:00
Martin Schurz
fc7fb4fc8a
make compatible to authconfig
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-13 18:09:48 +01:00
Maxim Burgerhout
8baab7516e
Extend GSSAPI configuration support to ssh_config
...
Previously, the ssh_gssapi_support variable only toggled the GSSAPI
settings in sshd_config.
Through this change, setting ssh_gssapi_support to true also enables
support in ssh_config.
It enables both authentication and credential delegation.
Signed-off-by: Maxim Burgerhout <maxim@wzzrd.com>
2021-02-12 13:10:35 +01:00
Martin Schurz
7282187a90
Merge branch 'master' into tally
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-10 21:44:55 +01:00
Martin Schurz
157f4fca70
add tasks for faillock on debian
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-10 21:43:30 +01:00
Sebastian Gumprich
6be31fbc3b
do not install mysql python package on target host ( #401 )
...
this package has to be installed on the host that executes the task
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-02-10 15:57:51 +01:00
Sebastian Gumprich
756839f8f0
make wrong password fail task ( #400 )
...
* make wrong password fail task
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add name to fail task
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-02-10 15:55:08 +01:00
Sebastian Gumprich
c55c1f21ed
add restart handler variable for mysql role ( #399 )
...
* add restart handler variable for mysql role
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add prettierignore file to ignore CHANGELOG
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-02-10 15:54:57 +01:00
schurzi
a98876b350
update ansible-lint to version 5 ( #397 )
...
* add ansible to requirements
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* trigger run
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* update noqa for ansible-lint 5
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-10 13:47:01 +01:00
Martin Schurz
94b9bfc3cd
add files for faillock
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-10 12:49:12 +01:00
Norman Ziegner
f035053381
Only set default for ssh host key files when hardening the server ( #393 )
...
Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>
2021-02-09 10:01:41 +01:00
Norman Ziegner
614662b99d
Add variable to specify host rsa key size ( #394 )
...
Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>
2021-02-09 09:44:55 +01:00
Martin Schurz
3ad4fbab0e
add guard for tally debian unstable
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-08 11:18:50 +01:00
Martin Schurz
ebbf6855e8
add rhel faillock config
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-08 10:51:16 +01:00
Martin Schurz
b210df1233
re-add debian tally config
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-08 10:51:03 +01:00
Martin Schurz
a55a4d2024
remove pam_tally2
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-08 08:09:43 +01:00
schurzi
4b0819349d
use fqcn for community.crypto.openssh_keypair module ( #389 )
...
this fixes a problem with Ansible 2.9 where the default openssh_keypair
is not supporting every option we need
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-05 19:44:23 +01:00
Maximilian Praeger
4399d3f885
removed: unnecessary conditional
...
Signed-off-by: Maximilian Praeger <mpraeger@users.noreply.github.com>
2021-01-22 07:24:54 +01:00
Maximilian Praeger
6b55b9619c
added: comment for HostCertificate
...
Signed-off-by: Maximilian Praeger <mpraeger@users.noreply.github.com>
2021-01-22 07:24:54 +01:00
Maximilian Praeger
8f7bae533c
fixed: add empty line after HostCertificate loop
...
Signed-off-by: Maximilian Praeger <mpraeger@users.noreply.github.com>
2021-01-22 07:24:54 +01:00
Maximilian Praeger
9853c7ea45
added: defaults for ssh_host_certificates
...
Signed-off-by: Maximilian Praeger <mpraeger@users.noreply.github.com>
2021-01-22 07:24:54 +01:00
Maximilian Praeger
6e9247bde3
added: support for HostCertificate in sshd conf file
...
Signed-off-by: Maximilian Praeger <mpraeger@users.noreply.github.com>
2021-01-22 07:24:53 +01:00
Sina Tak Tehrani
ef31838fa2
Regenerate RSA key with size 4096 bits ( #376 )
...
* regenerate RSA key with size 4096 bits
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* fixed lint problem
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* fixed E301 lint error
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* added host keys related vars
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* used openssh_keypair module
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* changed RSA private key mode to 0640
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* specified condition to prevent wrong file mode on debian-based OS
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
2021-01-21 13:38:48 +01:00
Martin Schurz
0600cdae75
add "role" to comment
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-01-20 11:23:40 +01:00
Farid Joubbi
254b62d980
Added comment on top of template about which role modified the resulting file. https://github.com/dev-sec/ansible-collection-hardening/issues/345
...
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-01-19 14:05:33 +01:00
Farid Joubbi
d01abb44c0
Syncookie ( #372 )
...
* Enabled SYN cookie sysctl.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Removed SYN cookies from here since it's a default now.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-01-15 09:56:29 +01:00
schurzi
16a41412bb
check for correct cpu vendor in initramfs-tools ( #374 )
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-01-12 06:31:13 +01:00
schurzi
d83ad9e6a9
Merge pull request #368 from dev-sec/max_startups
...
reduce maximum unauthenticated ssh sessions
2021-01-11 20:49:29 +01:00
Farid Joubbi
5675589e01
Sorted sysctl values and lists in READMEs alphabetically (No functional changes). ( #371 )
...
* Add s's for consistency.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Sort lists alphabetically.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Sorted sysctl_config alphabetically.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Sort removed protocols.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Added dots in variable descriptions for the sake of consistency.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Added dots in variable descriptions for the sake of consistency.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-01-08 20:45:50 +01:00
tgueldner-mms
e8e552f3ae
make auditd 'max_log_file' configurable ( #370 )
...
* make auditd 'max_log_file' configurable
Signed-off-by: Thomas Gueldner <T.Gueldner@t-systems.com>
* fix documentation for os_auditd_max_log_file
Signed-off-by: Thomas Gueldner <T.Gueldner@t-systems.com>
2021-01-08 13:23:58 +01:00
schurzi
b4ca950122
set hidepid=0 on RHEL/CentOS 7 ( #369 )
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-01-03 12:53:08 +01:00
Martin Schurz
168af7fb6f
reduce maximum unauthenticated ssh sessions
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-01-03 00:21:26 +01:00
schurzi
a75e2c028b
change inclusion of os specific defaults ( #353 )
...
* change inclusion of os specific defaults
we now include the os specific options into a separate variable and
merge this with the default ansible namespace, when the corresponding
keys do not already exist (e.g. are defined by default or by the user)
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* simplify check for os specific variables
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add test for variable override
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move tests to verify stage
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct grep
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* linting
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix typo
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* Revert "Merge pull request #351 from sprat/fix-umask"
This reverts commit 9e8e0bc8fb, reversing changes made to 98c7553016.
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move immutable ssh vars to internal vars
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move vars to OS files
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* change default handling for all roles
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix issues
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add documentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* Update main.yml
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
2020-12-20 20:46:57 +01:00
Farid Joubbi
83e29b01f5
Removed Protocol statement in later versions of sshd, since the code … ( #342 )
...
* Removed Protocol statement in later versions of sshd, since the code for SSH-1 has been removed in sshd.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Prettified the generated ssh_config. No functional changes, removed spaces and orphan comments.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Removed Protocol statement in later versions of sshd, since the code for SSH-1 has been removed in sshd.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Removed blank lines and prettified ssh_config.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Added note about setting sshd_authenticationmethods if ssh_server_password_login.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Backticked true.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2020-12-16 19:29:33 +01:00
Sylvain Prat
43ec139d24
Fix #348 : make ssh configuration files paths configurable ( #350 )
...
Signed-off-by: Sylvain Prat <sylvain.prat@gmail.com>
2020-12-16 19:24:44 +01:00
Sylvain Prat
ea471b38b7
Fix #344 : make the os_env_umask variable usable again
...
Signed-off-by: Sylvain Prat <sylvain.prat@gmail.com>
2020-12-15 21:31:51 +01:00
Farid Joubbi
91424ac209
Improvements of comments in opensshd.conf.j2 #338 ( #339 )
...
* Fixed some comments that had issues. See #338
* Cut some long comments into two rows for easier reading.
Signed-off-by: joubbi <farid@joubbi.se>
2020-12-12 20:35:38 +01:00
szEvEz
13b09a0f23
Improve README for ssh_hardening ( #335 )
...
Signed-off-by: szEvEz <szivos.john@gmail.com>
2020-11-24 12:29:46 +01:00
Sebastian Gumprich
f2804c7c19
Merge branch 'master' into collection
2020-11-11 21:08:54 +01:00
Sebastian Gumprich
d857830979
minor readme fixes
...
Signed-off-by: Sebastian Gumprich <github@gumpri.ch>
2020-11-09 20:49:07 +01:00
rndmh3ro
c94d973527
Prettified Code!
2020-11-08 10:20:25 +00:00
Sebastian Gumprich
c8ada5c13c
Merge branch 'migrate_os' into collection
2020-11-08 11:18:38 +01:00
Sebastian Gumprich
dd3959276b
merge os-hardening role into collection
2020-11-07 22:09:28 +01:00
Sebastian Gumprich
598f7183f8
remove os submodule
2020-11-07 21:49:25 +01:00
Sebastian Gumprich
66e88a34d1
Merge branch 'migrate_mysql' into collection
2020-11-07 21:48:11 +01:00
Sebastian Gumprich
a10e4d7c1a
merge mysql-hardening role into collection
2020-11-07 21:48:10 +01:00
Sebastian Gumprich
51a7fed83d
remove mysql submodule
2020-11-07 21:48:06 +01:00
Sebastian Gumprich
cc48e4761a
Merge branch 'migrate_nginx' into collection
2020-11-07 21:47:46 +01:00
Sebastian Gumprich
e406349064
merge nginx-hardening role into collection
2020-11-07 21:47:45 +01:00
Sebastian Gumprich
5aa3701de9
remove nginx submodule
2020-11-07 21:47:43 +01:00
Sebastian Gumprich
d49e05f8e8
Merge branch 'migrate_ssh' into collection
2020-11-07 21:46:48 +01:00
Sebastian Gumprich
a46642ee92
merge ssh-hardening role into collection
2020-11-07 21:46:45 +01:00
Sebastian Gumprich
4e322edc62
remove ssh submodule
2020-11-07 21:46:32 +01:00
Sebastian Gumprich
ac3c12d264
move to collections
2020-11-07 21:19:43 +01:00
Sebastian Gumprich
877449997f
New role layout. Fix #6
2016-01-08 17:00:57 +01:00
Sebastian Gumprich
ea213d636c
Change directory structure. Fix #43
2015-10-27 20:41:36 +01:00
Sebastian Gumprich
7eb8b4f3d3
Change directory layout. fix #48
...
This change gets rid of the separate role dir
and puts everything into the root-directory, making
it possible to install the role via ansible galaxy.
2015-10-21 20:52:46 +02:00
fitz123
c49d519b1f
sftp_enable option
2015-10-21 22:28:01 +07:00
Florian Heinle
e21e62a0dc
fix mysql restart not happening because of missing os specific variable
2015-10-17 18:30:56 +02:00
Florian Heinle
a5d342a01a
Allow whitelisted groups on ssh
...
Setting ssh_allow_groups does not work when set since the corresponding if-check tests for the wrong variable
2015-10-16 19:40:28 +02:00
fitz123
519160b8e7
remove duplicate "update pam" task
2015-10-13 15:37:45 +07:00
fitz123
78fb438a10
Fix getting stuck in case pam files were updated before by force update
2015-09-30 22:11:37 +07:00
fitz123
893b39181e
bugfix. Now option true for PrintLastLog is available again
2015-09-28 06:24:13 +07:00
fitz123
b013986f61
Fix passwdqc default options
2015-09-24 02:51:56 +07:00
fitz123
afa3be1e6a
Fix nologin shell path for Oracle and RedHat
2015-09-24 02:16:51 +07:00
fitz123
c5307b36f0
Fix nologin shell path
2015-09-24 00:56:09 +07:00
Christoph Hartmann
9a3af69485
Merge pull request #35 from hardening-io/pam_selinux
...
Support for selinux and pam. fix #23
2015-09-22 19:58:58 +02:00
Sebastian Gumprich
d3e01b75d6
Change variable for hmac from server to client
...
in the openssh client configuration a server variable was used.
2015-08-31 21:10:00 +02:00
Sebastian Gumprich
7b5fa53f3a
Update kitchen-ansible, remove separate debian install
...
Due to the new kitchen-ansible version it is now
possible to install ansible on all major OSes via an
Ansible omnibus script which is provided by
kitchen ansible. There's no more need to separate
the debian tests.
Also removed whitespace.
2015-08-29 14:13:17 +02:00
Sebastian Gumprich
adc8462838
Revamp conditionals again
2015-08-17 15:31:45 +00:00
Sebastian Gumprich
7b934e415c
Add another conditional
2015-08-17 17:16:17 +00:00
Sebastian Gumprich
b17bd65870
Add more conditionals
2015-08-17 17:08:16 +00:00
Sebastian Gumprich
9560f33329
Change last task again
2015-08-17 17:04:47 +00:00
Sebastian Gumprich
be38ac75f4
Add selinux-check
2015-08-16 20:37:33 +00:00
Sebastian Gumprich
1ff939db76
Use correct variable and change travis-test
2015-08-14 17:44:12 +00:00
Sebastian Gumprich
a1a439d38e
Add mode to su-binary task. Fix #38
2015-08-13 21:02:57 +00:00
Sebastian Gumprich
c4482cb12e
Support for selinux and pam. fix #23
...
This change add the following:
- it checks whether selinux is in "Enforcing" mode
- when selinux is enforcing, it copies a new selinux-policy to the host
- this policy allows sshd to read the shadow-file directly, which is forbidden by selinux otherwise
- the policy is then compiled, a package is created and the policy is installed
- when selinux is enforcing, pam is used and the policy is not disabled, it gets removed,
because it's considered a security risk. see here: http://danwalsh.livejournal.com/12333.html
2015-08-10 21:45:15 +00:00
Sebastian Gumprich
ef8c4ada2f
Separate ssh client and server ports. Fix #33
...
This PR separates the ssh_ports variable into two separate
variables for the ssh-client and ssh-server.
2015-08-09 11:16:34 +00:00
Christoph Hartmann
950210348f
Merge pull request #31 from hardening-io/max_auth_tries
...
Make MaxAuthTries configurable
2015-08-06 23:39:14 -07:00
Sebastian Gumprich
2bc353b7a9
Make MaxAuthTries configurable
2015-08-06 14:20:32 +00:00
Sebastian Gumprich
9befb22e13
Change oneliner if-statements to be more readable
2015-08-06 14:00:14 +00:00
Sebastian Gumprich
df8b205a8f
Change oneliner if-statements to be more readable
2015-08-06 13:53:33 +00:00
Robin Schneider
10f6544f3c
Make ssh client password login configurable.
...
Defaults to not allow which might be a bit restrictive.
2015-08-04 15:17:50 +02:00
Sebastian Gumprich
60e898098d
Fix join-filter, jinja-cases, spelling, whitespace
...
- the join filter is replaced by '+'
- the if-cases for rhel-based OSes are simplified
- indentation of complex if-cases
2015-07-29 20:52:53 +00:00
Sebastian Gumprich
bda8d52083
Merge pull request #26 from ypid/role-review
...
Fixed role's join-filter, jinja-cases, spelling, whitespace
2015-07-29 13:27:46 +00:00
Robin Schneider
a2f4542a48
Short role review. Fixed role when ssh_client_weak_kex == true.
...
* This role uses the Jinja2 `join` filter quite creatively, please fix this. This patch fixes one instance.
* Make full use of Jinja2 features. E.g. use `if ansible_os_family in ['Oracle Linux', 'RedHat']` for example. This patch fixes one instance.
* Fixed spelling.
* Removed whitespace.
2015-07-28 21:21:32 +02:00
Robin Schneider
a8f991bc07
Make it configurable to only harden ssh client/server or both (default).
2015-07-28 20:42:14 +02:00
Sebastian Gumprich
a2c483ace8
Separate system-vars from editable vars.
...
This change moves variables that can be changed or overridden by the user to the defaults vars files, where they belong.
2015-07-28 18:07:34 +00:00
Sebastian Gumprich
48fc334f71
Separate system-vars from editable vars
...
This change moves variables that can be changed or overridden by the user to the defaults vars files, where they belong.
2015-07-27 21:04:38 +00:00
Sebastian Gumprich
a1425befeb
Separate system-vars from editable vars. Fix #34
2015-07-27 20:47:23 +00:00
Sebastian Gumprich
daf8e4c45b
Add documentation for testing, change value in vars
2015-07-18 20:57:58 +00:00
Sebastian Gumprich
b3af021cd9
Create limits.d-directory if it does not exist.
...
See [here](https://github.com/hardening-io/chef-os-hardening/issues/84).
2015-07-13 18:18:13 +00:00
Sebastian Gumprich
dab153eb56
INITIAL
2015-07-02 18:32:22 +00:00
Christoph Hartmann
75dbf1cae6
Merge pull request #30 from hardening-io/CL_RM_TODO
...
Update readme, todo, changelog, vars
2015-06-24 06:40:28 -07:00
Sebastian Gumprich
348fb1cc53
Change var to true to remove pkgs by default
2015-06-24 10:21:13 +00:00
Sebastian Gumprich
5e1e2513c5
Update readme, todo, changelog, vars
...
* This commit updates the readme in several ways.
* It adds a todo-list and a changelog.
* It deletes unused variables
2015-06-23 23:58:40 +02:00
Sebastian Gumprich
c8d9ac84ef
Add module configuration
2015-06-23 23:58:12 +02:00
Christoph Hartmann
ac4754ff16
Merge pull request #29 from hardening-io/suid_fix
...
List-cleanup and follow symlinks added
2015-06-23 14:57:25 -07:00
Sebastian Gumprich
f6cf4fcdf5
Fix another sysctl-setting due to new tests
2015-06-23 23:51:18 +02:00
Sebastian Gumprich
8ba37823f9
Fix two sysctl-settings
2015-06-23 23:51:18 +02:00
Sebastian Gumprich
88f4f17786
Added condition to suid/sgid-execution
2015-06-23 17:49:37 +00:00
Sebastian Gumprich
46b50769aa
List-cleanup and follow symlinks added
...
- This change alters the black- and white-listed list for
suid/sgid-management to be a proper yaml-formatted list.
- Furthermore "follow symlinks" was added to the tasks
that remove suid/sgid because otherwise the suid/sgid
from the link-targets would not be removed.
2015-06-23 11:01:00 +00:00
Christoph Hartmann
10267eb509
Merge pull request #23 from hardening-io/remove_authconfig
...
Delete authconfig-task on rhel-systems
2015-06-20 02:01:39 -07:00
Sebastian Gumprich
a345da0023
Delete authconfig-task on rhel-systems
...
The authconfig-task overrides changes we later do on files, so this
task is not necessary and causes some tasks to always change files
2015-06-19 11:51:23 +02:00
Sebastian Gumprich
e4c6436163
Add missing rhosts-include task
2015-06-19 11:51:09 +02:00
Christoph Hartmann
71c7042163
Merge pull request #24 from hardening-io/result_override
...
Use changed_when to avoid changed tasks
2015-06-19 02:48:08 -07:00