Commit graph

1758 commits

Author SHA1 Message Date
Martin Schurz
b6b2d45f09 speedup ansible
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-09 15:43:59 +02:00
Martin Schurz
9cfe1f2b9a also harden /boot
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-09 15:43:11 +02:00
Martin Schurz
e49eacd8ec icrease ressources for test vm
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-09 10:42:20 +02:00
Martin Schurz
7535abd882 remove waiver
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-09 02:22:35 +02:00
Martin Schurz
400e576984 use correct parameter
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-09 01:47:59 +02:00
Martin Schurz
0eddf2872b setup python
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-09 01:19:12 +02:00
Martin Schurz
013a554731 force linking
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-09 00:59:50 +02:00
Martin Schurz
8f3f724380 call correct molecule task
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-09 00:57:26 +02:00
Martin Schurz
e742330a41 add testing of os_hardning on vm
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-09 00:52:58 +02:00
dev-sec CI
b00b38ece6 update changelog 2022-07-08 16:12:57 +00:00
schurzi
dd919b5cf6
Merge pull request #546 from dev-sec/linting
Linting
2022-07-08 18:10:32 +02:00
Martin Schurz
21df60a71f fix includes
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-08 17:24:07 +02:00
Sebastian Gumprich
73f84ae2a9 fix wrong indentation
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-07-08 16:04:37 +02:00
Sebastian Gumprich
bf372f8493 rename tasks file and remove redundant 'verify'
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-07-08 16:04:24 +02:00
Sebastian Gumprich
ef89d52f98 remove duplicate file
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-07-07 16:22:10 +02:00
Sebastian Gumprich
9b50392d8a fix linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-07-07 16:12:06 +02:00
Sebastian Gumprich
215c50709b tempt 2022-07-07 15:34:28 +02:00
Sebastian Gumprich
a8fdf2de0a fix linting errors
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-07-07 14:59:39 +02:00
dev-sec CI
3528fe9f6d update changelog 2022-07-07 10:08:44 +00:00
Martin Schurz
02b9a20fe7 fix release action
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-07 12:06:34 +02:00
Martin Schurz
f627d2fbfd fix release action
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-07 11:27:51 +02:00
rndmh3ro
e28e09cd0e Prettified Code! 2022-07-07 07:02:50 +00:00
balu
488ff6a7c3
Harden mountpoints (#531)
* first testing with tasks and variables

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* update variables for dir options

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* updated permissions and defaults

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* fix home dir permissions

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* updated tasks with useful variables

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* reorder tasks. first remount, then manage fstab and fix permissions on directories. Renaming task names with mountpoints (slashes)

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* shorten tasks with list items

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* change defaults for /boot directory, because its a bad behaviour, if ansible changes boot entries with a default value

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* Update documentation for new parameters to manage mountpoints

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* Update roles/os_hardening/tasks/minimize_access.yml

Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* Update roles/os_hardening/tasks/minimize_access.yml

Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* Fix state on every new task

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* loop instead of list

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* testing remount with register

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* add remounts with loop over all changed folders

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* testing and solving trouble with variable names

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* optimize default permissions for var-log-audit

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* optimize default permissions for var-log-audit

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* change to new optimizied permissions of var-log-audit

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* fix some defaults in fstab to configure as mounted

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* add stat and check, if boot folder exists

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

Co-authored-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
2022-07-07 09:02:25 +02:00
dev-sec CI
0251172cd1 update galaxy.yml with new version 2022-06-29 14:02:54 +00:00
dev-sec CI
9b27a6a0fc update changelog 2022-06-29 13:57:35 +00:00
Martin Schurz
b32ee28a89 use correct version for github-actions-x/commit
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-06-29 15:55:13 +02:00
Martin Schurz
0c8cbb2185 update GitHub action for checkout
there was a new feature introduced to git, that prevents some of our
actions to run. The updated action handles this properly.

https://github.com/actions/checkout/issues/760

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-06-29 15:34:39 +02:00
Sebastian Gumprich
231036f882
update commit-action version 2022-06-29 12:59:44 +02:00
Sebastian Gumprich
36412f438a
upadte commit-action version 2022-06-29 12:56:28 +02:00
Sebastian Gumprich
3f50b6e94b update os-hardening readme with os_ignore_users
fixes #542

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-05-30 13:29:45 +02:00
schurzi
9cf1659742
Merge pull request #541 from dev-sec/doc_update
Improve documentation
2022-05-04 14:25:21 +02:00
Martin Schurz
79fb86d021 fix linter errors
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-05-04 14:12:24 +02:00
Martin Schurz
57944bc56d add ignore to ansible-lint
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-05-04 14:03:33 +02:00
Martin Schurz
bff23f82cb update ansible-lint action
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-05-04 13:57:52 +02:00
Martin Schurz
46b436fc9b update description of ssh_client_alive_count
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-05-04 13:48:38 +02:00
Martin Schurz
18d01327eb improve linking to legacy roles
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-05-04 13:44:52 +02:00
dev-sec CI
1d3ea50de6 update changelog 2022-02-28 09:21:42 +00:00
schurzi
dc22dc33a2
Merge pull request #530 from dev-sec/delete_drafts
delete obsolete release drafts
2022-02-28 10:20:01 +01:00
Martin Schurz
9d00c8ba29 delete old release drafts
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-02-25 20:10:36 +01:00
dev-sec CI
bf276ba14d update changelog 2022-02-21 13:03:04 +00:00
abejotaR
8edd650135
change permissions of the tmout.sh file (#520)
Co-authored-by: Abraham Rebori <abraham.rebori@nexa.com.uy>
2022-02-21 14:01:19 +01:00
dev-sec CI
fce131a75d update changelog 2022-02-21 13:00:41 +00:00
Sebastian Gumprich
af14af5954
add waivers to skip controls (#529)
Signed-off-by: rndmh3ro <github@gumpri.ch>
2022-02-21 13:58:39 +01:00
dev-sec CI
b6677fccd9 update changelog 2022-02-21 11:14:34 +00:00
schurzi
9be3a0520b
Merge pull request #526 from dev-sec/nginx_debian_9_tls
debian 9's nginx doesn't support tls1.3
2022-02-21 11:49:34 +01:00
dev-sec CI
1f8c8d1c43 update changelog 2022-02-21 10:46:52 +00:00
schurzi
49b93dc89c
Merge pull request #525 from dev-sec/remove_centos_8
remove centos8 tests
2022-02-21 11:39:09 +01:00
rndmh3ro
468e4674b8 debian 9's nginx doesnt support tls1.3
while this could be better solved by checking what nginx version is used, debian9 is eol'd in 4 months. if there will be again a need to check for nginx versions, we'll add it then

Signed-off-by: rndmh3ro <github@gumpri.ch>
2022-02-21 10:02:54 +01:00
dev-sec CI
2a4d409339 update galaxy.yml with new version 2022-02-21 08:28:20 +00:00
rndmh3ro
b74e88723d remove centos8 tests
Signed-off-by: rndmh3ro <github@gumpri.ch>
2022-02-21 08:05:40 +01:00