Martin Schurz
04654d0490
correct typo
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-14 11:19:12 +01:00
Martin Schurz
aa166f43fc
split debian and rhel pam config
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-14 02:07:25 +01:00
Martin Schurz
19482c319c
force create symlink
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-13 19:38:57 +01:00
Martin Schurz
fc7fb4fc8a
make compatible to authconfig
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-13 18:09:48 +01:00
Maxim Burgerhout
8baab7516e
Extend GSSAPI configuration support to ssh_config
...
Previously, the ssh_gssapi_support variable only toggled the GSSAPI
settings in sshd_config.
Through this change, setting ssh_gssapi_support to true also enables
support in ssh_config.
It enables both authentication and credential delegation.
Signed-off-by: Maxim Burgerhout <maxim@wzzrd.com>
2021-02-12 13:10:35 +01:00
Martin Schurz
7282187a90
Merge branch 'master' into tally
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-10 21:44:55 +01:00
Martin Schurz
157f4fca70
add tasks for faillock on debian
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-10 21:43:30 +01:00
Sebastian Gumprich
6be31fbc3b
do not install mysql python package on target host ( #401 )
...
this package has to be installed on the host that executes the task
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-02-10 15:57:51 +01:00
Sebastian Gumprich
756839f8f0
make wrong password fail task ( #400 )
...
* make wrong password fail task
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add name to fail task
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-02-10 15:55:08 +01:00
Sebastian Gumprich
c55c1f21ed
add restart handler variable for mysql role ( #399 )
...
* add restart handler variable for mysql role
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add prettierignore file to ignore CHANGELOG
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-02-10 15:54:57 +01:00
schurzi
a98876b350
update ansible-lint to version 5 ( #397 )
...
* add ansible to requirements
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* trigger run
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* update noqa for ansible-lint 5
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-10 13:47:01 +01:00
Martin Schurz
94b9bfc3cd
add files for faillock
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-10 12:49:12 +01:00
Norman Ziegner
f035053381
Only set default for ssh host key files when hardening the server ( #393 )
...
Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>
2021-02-09 10:01:41 +01:00
Norman Ziegner
614662b99d
Add variable to specify host rsa key size ( #394 )
...
Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>
2021-02-09 09:44:55 +01:00
Martin Schurz
3ad4fbab0e
add guard for tally debian unstable
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-08 11:18:50 +01:00
Martin Schurz
ebbf6855e8
add rhel faillock config
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-08 10:51:16 +01:00
Martin Schurz
b210df1233
re-add debian tally config
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-08 10:51:03 +01:00
Martin Schurz
a55a4d2024
remove pam_tally2
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-08 08:09:43 +01:00
schurzi
4b0819349d
use fqcn for community.crypto.openssh_keypair module ( #389 )
...
this fixes a problem with Ansible 2.9 where the default openssh_keypair
is not supporting every option we need
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-02-05 19:44:23 +01:00
Maximilian Praeger
4399d3f885
removed: unnecessary conditional
...
Signed-off-by: Maximilian Praeger <mpraeger@users.noreply.github.com>
2021-01-22 07:24:54 +01:00
Maximilian Praeger
6b55b9619c
added: comment for HostCertificate
...
Signed-off-by: Maximilian Praeger <mpraeger@users.noreply.github.com>
2021-01-22 07:24:54 +01:00
Maximilian Praeger
8f7bae533c
fixed: add empty line after HostCertificate loop
...
Signed-off-by: Maximilian Praeger <mpraeger@users.noreply.github.com>
2021-01-22 07:24:54 +01:00
Maximilian Praeger
9853c7ea45
added: defaults for ssh_host_certificates
...
Signed-off-by: Maximilian Praeger <mpraeger@users.noreply.github.com>
2021-01-22 07:24:54 +01:00
Maximilian Praeger
6e9247bde3
added: support for HostCertificate in sshd conf file
...
Signed-off-by: Maximilian Praeger <mpraeger@users.noreply.github.com>
2021-01-22 07:24:53 +01:00
Sina Tak Tehrani
ef31838fa2
Regenerate RSA key with size 4096 bits ( #376 )
...
* regenerate RSA key with size 4096 bits
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* fixed lint problem
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* fixed E301 lint error
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* added host keys related vars
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* used openssh_keypair module
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* changed RSA private key mode to 0640
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
* specified condition to prevent wrong file mode on debian-based OS
Signed-off-by: Sina Tak Tehrani <ssttehrani@gmail.com>
2021-01-21 13:38:48 +01:00
Martin Schurz
0600cdae75
add "role" to comment
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-01-20 11:23:40 +01:00
Farid Joubbi
254b62d980
Added comment on top of template about which role modified the resulting file. https://github.com/dev-sec/ansible-collection-hardening/issues/345
...
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-01-19 14:05:33 +01:00
Farid Joubbi
d01abb44c0
Syncookie ( #372 )
...
* Enabled SYN cookie sysctl.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Removed SYN cookies from here since it's a default now.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-01-15 09:56:29 +01:00
schurzi
16a41412bb
check for correct cpu vendor in initramfs-tools ( #374 )
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-01-12 06:31:13 +01:00
schurzi
d83ad9e6a9
Merge pull request #368 from dev-sec/max_startups
...
reduce maximum unauthenticated ssh sessions
2021-01-11 20:49:29 +01:00
Farid Joubbi
5675589e01
Sorted sysctl values and lists in READMEs alphabetically (No functional changes). ( #371 )
...
* Add s's for consistency.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Sort lists alphabetically.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Sorted sysctl_config alphabetically.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Sort removed protocols.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Added dots in variable descriptions for the sake of consistency.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Added dots in variable descriptions for the sake of consistency.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-01-08 20:45:50 +01:00
tgueldner-mms
e8e552f3ae
make auditd 'max_log_file' configurable ( #370 )
...
* make auditd 'max_log_file' configurable
Signed-off-by: Thomas Gueldner <T.Gueldner@t-systems.com>
* fix documentation for os_auditd_max_log_file
Signed-off-by: Thomas Gueldner <T.Gueldner@t-systems.com>
2021-01-08 13:23:58 +01:00
schurzi
b4ca950122
set hidepid=0 on RHEL/CentOS 7 ( #369 )
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-01-03 12:53:08 +01:00
Martin Schurz
168af7fb6f
reduce maximum unauthenticated ssh sessions
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-01-03 00:21:26 +01:00
schurzi
a75e2c028b
change inclusion of os specific defaults ( #353 )
...
* change inclusion of os specific defaults
we now include the os specific options into a separate variable and
merge this with the default ansible namespace, when the corresponding
keys do not already exist (e.g. are defined by default or by user)
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* simplify check for os specific variables
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add test for variable override
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move tests to verify stage
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct grep
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* linting
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix typo
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* Revert "Merge pull request #351 from sprat/fix-umask"
This reverts commit 9e8e0bc8fb, reversing changes made to 98c7553016.
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move immutable ssh vars to internal vars
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move vars to OS files
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* change default handling for all roles
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix issues
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add documentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* Update main.yml
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
2020-12-20 20:46:57 +01:00
Farid Joubbi
83e29b01f5
Removed Protocol statement in later versions of sshd, since the code … ( #342 )
...
* Removed Protocol statement in later versions of sshd, since the code for SSH-1 has been removed in sshd.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Prettified the generated ssh_config. No functional changes, removed spaces and orphan comments.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Removed Protocol statement in later versions of sshd, since the code for SSH-1 has been removed in sshd.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Removed blank lines and prettified ssh_config.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Added note about setting sshd_authenticationmethods if ssh_server_password_login.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
* Backticked true.
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2020-12-16 19:29:33 +01:00
Sylvain Prat
43ec139d24
Fix #348 : make ssh configuration files paths configurable ( #350 )
...
Signed-off-by: Sylvain Prat <sylvain.prat@gmail.com>
2020-12-16 19:24:44 +01:00
Sylvain Prat
ea471b38b7
Fix #344 : make the os_env_umask variable usable again
...
Signed-off-by: Sylvain Prat <sylvain.prat@gmail.com>
2020-12-15 21:31:51 +01:00
Farid Joubbi
91424ac209
Improvements of comments in opensshd.conf.j2 #338 ( #339 )
...
* Fixed some comments that had issues. See #338
* Cut some long comments into two rows for easier reading.
Signed-off-by: joubbi <farid@joubbi.se>
2020-12-12 20:35:38 +01:00
szEvEz
13b09a0f23
Improve README for ssh_hardening ( #335 )
...
Signed-off-by: szEvEz <szivos.john@gmail.com>
2020-11-24 12:29:46 +01:00
Sebastian Gumprich
f2804c7c19
Merge branch 'master' into collection
2020-11-11 21:08:54 +01:00
Sebastian Gumprich
d857830979
minor readme fixes
...
Signed-off-by: Sebastian Gumprich <github@gumpri.ch>
2020-11-09 20:49:07 +01:00
rndmh3ro
c94d973527
Prettified Code!
2020-11-08 10:20:25 +00:00
Sebastian Gumprich
c8ada5c13c
Merge branch 'migrate_os' into collection
2020-11-08 11:18:38 +01:00
Sebastian Gumprich
dd3959276b
merge os-hardening role into collection
2020-11-07 22:09:28 +01:00
Sebastian Gumprich
598f7183f8
remove os submodule
2020-11-07 21:49:25 +01:00
Sebastian Gumprich
66e88a34d1
Merge branch 'migrate_mysql' into collection
2020-11-07 21:48:11 +01:00
Sebastian Gumprich
a10e4d7c1a
merge mysql-hardening role into collection
2020-11-07 21:48:10 +01:00
Sebastian Gumprich
51a7fed83d
remove mysql submodule
2020-11-07 21:48:06 +01:00
Sebastian Gumprich
cc48e4761a
Merge branch 'migrate_nginx' into collection
2020-11-07 21:47:46 +01:00
Sebastian Gumprich
e406349064
merge nginx-hardening role into collection
2020-11-07 21:47:45 +01:00
Sebastian Gumprich
5aa3701de9
remove nginx submodule
2020-11-07 21:47:43 +01:00
Sebastian Gumprich
d49e05f8e8
Merge branch 'migrate_ssh' into collection
2020-11-07 21:46:48 +01:00
Sebastian Gumprich
a46642ee92
merge ssh-hardening role into collection
2020-11-07 21:46:45 +01:00
Sebastian Gumprich
4e322edc62
remove ssh submodule
2020-11-07 21:46:32 +01:00
Sebastian Gumprich
ac3c12d264
move to collections
2020-11-07 21:19:43 +01:00
Sebastian Gumprich
877449997f
New role layout. Fix #6
2016-01-08 17:00:57 +01:00
Sebastian Gumprich
ea213d636c
Change directory structure. Fix #43
2015-10-27 20:41:36 +01:00
Sebastian Gumprich
7eb8b4f3d3
Change directory layout. fix #48
...
This change gets rid of the separate role dir
and puts everything into the root-directory, making
it possible to install the role via ansible galaxy.
2015-10-21 20:52:46 +02:00
fitz123
c49d519b1f
sftp_enable option
2015-10-21 22:28:01 +07:00
Florian Heinle
e21e62a0dc
fix mysql restart not happening because of missing os specific variable
2015-10-17 18:30:56 +02:00
Florian Heinle
a5d342a01a
Allow whitelisted groups on ssh
...
Setting ssh_allow_groups does not work when set since the corresponding if-check tests for the wrong variable
2015-10-16 19:40:28 +02:00
fitz123
519160b8e7
remove duplicate "update pam" task
2015-10-13 15:37:45 +07:00
fitz123
78fb438a10
Fix stuck in case pam files was updated before by force update
2015-09-30 22:11:37 +07:00
fitz123
893b39181e
bugfix. Now option true for PrintLastLog is available again
2015-09-28 06:24:13 +07:00
fitz123
b013986f61
Fix passwdqc default options
2015-09-24 02:51:56 +07:00
fitz123
afa3be1e6a
Fix nologin shell path for Oracle and RedHat
2015-09-24 02:16:51 +07:00
fitz123
c5307b36f0
Fix nologin shell path
2015-09-24 00:56:09 +07:00
Christoph Hartmann
9a3af69485
Merge pull request #35 from hardening-io/pam_selinux
...
Support for selinux and pam. fix #23
2015-09-22 19:58:58 +02:00
Sebastian Gumprich
d3e01b75d6
Change variable for hmac from server to client
...
in the openssh client configuration a server variable was used.
2015-08-31 21:10:00 +02:00
Sebastian Gumprich
7b5fa53f3a
Update kitchen-ansible, remove separate debian install
...
Due to the new kitchen-ansible version it is now
possible to install ansible on all major OS's via an
ansible omnibus script which is provided by
kitchen ansible. There's no more need to separate
the debian tests.
Also removed whitespace.
2015-08-29 14:13:17 +02:00
Sebastian Gumprich
adc8462838
Revamp conditionals again
2015-08-17 15:31:45 +00:00
Sebastian Gumprich
7b934e415c
Add another conditional
2015-08-17 17:16:17 +00:00
Sebastian Gumprich
b17bd65870
Add more conditionals
2015-08-17 17:08:16 +00:00
Sebastian Gumprich
9560f33329
Change last task again
2015-08-17 17:04:47 +00:00
Sebastian Gumprich
be38ac75f4
Add selinux-check
2015-08-16 20:37:33 +00:00
Sebastian Gumprich
1ff939db76
Use correct variable and change travis-test
2015-08-14 17:44:12 +00:00
Sebastian Gumprich
a1a439d38e
Add mode to su-binary task. Fix #38
2015-08-13 21:02:57 +00:00
Sebastian Gumprich
c4482cb12e
Support for selinux and pam. fix #23
...
This change adds the following:
- it checks whether selinux is in "Enforcing" mode
- when selinux is enforcing, it copies a new selinux-policy to the host
- this policy allows sshd to read the shadow-file directly, which is forbidden by selinux otherwise
- the policy is then compiled, a package is created and the policy is installed
- when selinux is enforcing, pam is used and the policy is not disabled, it gets removed,
because it's considered a security risk. See here: http://danwalsh.livejournal.com/12333.html
2015-08-10 21:45:15 +00:00
Sebastian Gumprich
ef8c4ada2f
Separate ssh client and server ports. Fix #33
...
This PR separates the ssh_ports variable into two separate
variables for the ssh-client and ssh-server.
2015-08-09 11:16:34 +00:00
Christoph Hartmann
950210348f
Merge pull request #31 from hardening-io/max_auth_tries
...
Make MaxAuthTries configurable
2015-08-06 23:39:14 -07:00
Sebastian Gumprich
2bc353b7a9
Make MaxAuthTries configurable
2015-08-06 14:20:32 +00:00
Sebastian Gumprich
9befb22e13
Change oneliner if-statements to be more readable
2015-08-06 14:00:14 +00:00
Sebastian Gumprich
df8b205a8f
Change oneliner if-statements to be more readable
2015-08-06 13:53:33 +00:00
Robin Schneider
10f6544f3c
Make ssh client password login configurable.
...
Defaults to not allow which might be a bit restrictive.
2015-08-04 15:17:50 +02:00
Sebastian Gumprich
60e898098d
Fix join-filter, jinja-cases, spelling, whitespace
...
- the join filter is replaced by '+'
- the if-cases for rhel-based OS'es are simplified
- indentation of complex if-cases
2015-07-29 20:52:53 +00:00
Sebastian Gumprich
bda8d52083
Merge pull request #26 from ypid/role-review
...
Fixed role's join-filter, jinja-cases, spelling, whitespace
2015-07-29 13:27:46 +00:00
Robin Schneider
a2f4542a48
Short role review. Fixed role when ssh_client_weak_kex == true.
...
* This role uses the Jinja2 `join` filter quite creatively, please fix this. This patch fixes one instance.
* Make full use of Jinja2 features. E.g. use `if ansible_os_family in ['Oracle Linux', 'RedHat']` for example. This patch fixes one instance.
* Fixed spelling.
* Removed whitespace.
2015-07-28 21:21:32 +02:00
Robin Schneider
a8f991bc07
Make it configurable to only harden ssh client/server or both (default).
2015-07-28 20:42:14 +02:00
Sebastian Gumprich
a2c483ace8
Separate system-vars from editable vars.
...
This change moves variables that can be changed or overridden by the user to the defaults-vars-files, where it belongs.
2015-07-28 18:07:34 +00:00
Sebastian Gumprich
48fc334f71
Separate system-vars from editable vars
...
This change moves variables that can be changed or overridden by the user to the defaults-vars-files, where it belongs.
2015-07-27 21:04:38 +00:00
Sebastian Gumprich
a1425befeb
Separate system-vars from editable vars. Fix #34
2015-07-27 20:47:23 +00:00
Sebastian Gumprich
daf8e4c45b
Add documentation for testing, change value in vars
2015-07-18 20:57:58 +00:00
Sebastian Gumprich
b3af021cd9
Create limits.d-directory if it does not exist.
...
See [here](https://github.com/hardening-io/chef-os-hardening/issues/84).
2015-07-13 18:18:13 +00:00
Sebastian Gumprich
dab153eb56
INITIAL
2015-07-02 18:32:22 +00:00
Christoph Hartmann
75dbf1cae6
Merge pull request #30 from hardening-io/CL_RM_TODO
...
Update readme, todo, changelog, vars
2015-06-24 06:40:28 -07:00
Sebastian Gumprich
348fb1cc53
Change var to true to remove pkgs by default
2015-06-24 10:21:13 +00:00
Sebastian Gumprich
5e1e2513c5
Update readme, todo, changelog, vars
...
* This commit updates the readme in several ways.
* It adds a todo-list and a changelog.
* It deletes unused variables
2015-06-23 23:58:40 +02:00
Sebastian Gumprich
c8d9ac84ef
Add module configuration
2015-06-23 23:58:12 +02:00
Christoph Hartmann
ac4754ff16
Merge pull request #29 from hardening-io/suid_fix
...
List-cleanup and follow symlinks added
2015-06-23 14:57:25 -07:00
Sebastian Gumprich
f6cf4fcdf5
Fix another sysctl-setting due to new tests
2015-06-23 23:51:18 +02:00
Sebastian Gumprich
8ba37823f9
Fix two sysctl-settings
2015-06-23 23:51:18 +02:00
Sebastian Gumprich
88f4f17786
Added condition to suid/sgid-execution
2015-06-23 17:49:37 +00:00
Sebastian Gumprich
46b50769aa
List-cleanup and follow symlinks added
...
- This change alters the black- and white-listed list for
suid/sgid-management to be a proper yaml-formatted list.
- Furthermore "follow symlinks" was added to the tasks
that remove suid/sgid because otherwise the suid/sgid
from the link-targets would not be removed.
2015-06-23 11:01:00 +00:00
Christoph Hartmann
10267eb509
Merge pull request #23 from hardening-io/remove_authconfig
...
Delete authconfig-task on rhel-systems
2015-06-20 02:01:39 -07:00
Sebastian Gumprich
a345da0023
Delete authconfig-task on rhel-systems
...
The authconfig-task overrides changes we later do on files, so this
task is not necessary and causes some tasks to always change files
2015-06-19 11:51:23 +02:00
Sebastian Gumprich
e4c6436163
Add missing rhosts-include task
2015-06-19 11:51:09 +02:00
Christoph Hartmann
71c7042163
Merge pull request #24 from hardening-io/result_override
...
Use changed_when to avoid changed tasks
2015-06-19 02:48:08 -07:00
Sebastian Gumprich
1005cc133a
Add ignore-vars. Change nologin-shell dep. on OS
2015-06-18 18:14:08 +00:00
Sebastian Gumprich
f82e7684c6
Added option to disable system accounts
2015-06-18 18:14:08 +00:00
Sebastian Gumprich
6f910c28d8
Use changed_when to avoid changed tasks
...
When a shell or command task, that only fetches data, gets executed,
the task will be marked as changed, even though nothing changed.
This commit changes the behaviour of tasks that only fetch data.
For more info see here:
http://docs.ansible.com/playbooks_error_handling.html#overriding-the-changed-result
2015-06-18 13:42:29 +00:00
Sebastian Gumprich
531a051ef9
Skip sysctl-tasks in travis-environment
2015-06-17 12:11:59 +02:00
Sebastian Gumprich
e70974ba16
Add os_security_kernel_enable_module_loading
2015-06-08 17:25:50 +00:00
Sebastian Gumprich
81c171a55a
Change sysctl-task. Fix #18
2015-06-06 18:35:09 +00:00
Christoph Hartmann
645240998d
Merge pull request #16 from hardening-io/cnd_ip_fwd
...
Add conditions for various tasks. Fix #15
2015-06-03 12:35:43 -07:00
Sebastian Gumprich
7c121b7e2b
Add missing condition
2015-06-01 21:46:05 +00:00
Sebastian Gumprich
255948feb3
Add conditions for various tasks. Fix #15
2015-06-01 20:33:35 +00:00
Sebastian Gumprich
fb59fab08f
Remove duplicate whitelist-check
2015-06-01 19:36:37 +00:00
Sebastian Gumprich
544779e26a
Add remove suid/sgid function
2015-06-01 14:50:22 +02:00
Sebastian Gumprich
e6f2253c49
replace sed with replace-module
2015-06-01 14:28:18 +02:00
Sebastian Gumprich
c9252b167f
add gpgcheck rhnplugin.conf, consolidate task
2015-06-01 14:28:18 +02:00
Sebastian Gumprich
66e258da7e
Add task to remove unused repos and pkgs
2015-06-01 14:28:17 +02:00
Sebastian Gumprich
95bb02edbe
Make tasks clearer
2015-06-01 14:23:13 +02:00
Sebastian Gumprich
1782dbf3fa
ignore RAs on Ipv6
...
See: https://github.com/hardening-io/puppet-os-hardening/blob/master/manifests/sysctl.pp#L66-L68
2015-06-01 10:59:37 +02:00
Sebastian Gumprich
3dce747cd6
Revert "ignore RAs on Ipv6"
...
This reverts commit a91cbe0192.
2015-05-28 18:47:18 +00:00
Sebastian Gumprich
a91cbe0192
ignore RAs on Ipv6
...
Taken from here:
https://github.com/hardening-io/puppet-os-hardening/blob/master/manifests/sysctl.pp#L66-L68
2015-05-28 18:43:52 +00:00
Sebastian Gumprich
a305b94230
Add separated files
2015-05-26 19:53:55 +00:00
Sebastian Gumprich
79ca60bfa1
Separate tasks into multiple smaller files
2015-05-26 19:53:16 +00:00
Sebastian Gumprich
557109e35a
Separate the tasks into smaller files
2015-05-26 19:45:30 +00:00
Christoph Hartmann
01572d9041
Merge pull request #5 from hardening-io/yum
...
Enable gpg-check on all yum-repositories
2015-05-20 12:17:54 -07:00
Sebastian Gumprich
c2884687c8
Change tasks to use sed instead of lineinfile
2015-05-20 21:07:30 +00:00
Sebastian Gumprich
82fea53ba7
Enable gpg-check on all yum-repositories
2015-05-19 21:01:32 +00:00
Dominik Richter
226c2761f8
treat securetty config as an array
2015-05-11 23:06:34 +02:00
Sebastian Gumprich
e097f02065
Add profile.conf configuration
2015-05-11 23:00:08 +02:00
Sebastian Gumprich
ef2ce77f53
Add securetty-template
2015-05-10 21:44:17 +00:00
Sebastian Gumprich
b78345fe0c
Add securetty-support
2015-05-10 21:43:26 +00:00
Sebastian Gumprich
b9cc7bf9d8
Further improvements, first push
2015-05-10 18:33:37 +00:00
Sebastian Gumprich
06d1464e95
Initial
2015-05-04 21:37:22 +00:00
Sebastian Gumprich
ef275a4e85
Add handler to restart ssh only if necessary. Fix #6
2015-04-28 16:47:12 +00:00
Sebastian Gumprich
45eb0e2f38
Oracle support
...
- Add check for Oracle operating systems
- Add minus sign to remove whitespace
2015-04-27 21:14:50 +00:00
Sebastian Gumprich
bb703c962a
INITIAL
2015-04-23 18:30:41 +00:00