* rewrite user home dir hardening
* delete duplicate var that was missed in a merge conflict
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add tests for home rewrites
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Apply suggestions from code review
Co-authored-by: schurzi <github@drachen-server.de>
---------
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: donestefan <donestefan@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: schurzi <github@drachen-server.de>
* rewrite system account detection and hardening
* resolve failures created when resolving merge conflicts
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add tests for shell removal tasks
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Update molecule/os_hardening/prepare.yml
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* split tasks for locking and setting shell
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix some more linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
Co-authored-by: donestefan <donestefan@users.noreply.github.com>
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
* linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* more linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* change line length issues
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* replace yes with true in tasks
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* use manual line-wrapping because ansible-lint does not support it correctly.
see https://github.com/ansible/ansible-lint/issues/2522
* use manual line-wrapping because ansible-lint does not support it correctly.
see https://github.com/ansible/ansible-lint/issues/2522
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* use manual line-wrapping because ansible-lint does not support it correctly.
see https://github.com/ansible/ansible-lint/issues/2522
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add exception for task
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove trailing whitespace
* add back deleted params
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add back deleted params
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add back tasks
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Preserve default ownership and dir mode for /var/log on Ubuntu
Signed-off-by: stdtom <stdtom@gmx.net>
* linting
Signed-off-by: stdtom <stdtom@gmx.net>
* Define vars for each OS instead of using defaults.
Signed-off-by: stdtom <stdtom@gmx.net>
* Fix values for os_mnt_var_log_dir_mode and os_mnt_var_log_group
Signed-off-by: stdtom <stdtom@gmx.net>
Signed-off-by: stdtom <stdtom@gmx.net>
* Update main.yml
fixes the handler file and set new syntax
Signed-off-by: Jacob Sievert <jacob.sievert@sievert-mail.de>
* changes command module from legacy to builtin.
Signed-off-by: Jacob Sievert <jacob.sievert@sievert-mail.de>
Signed-off-by: Jacob Sievert <jacob.sievert@sievert-mail.de>
* rework filesystem hardening
- removed a lot duplicated code by using a loop
- added new hardening options for /tmp
- added new options "passno" and "dump" for every filesystem.
currently ansible changed that values to 0 for every fs
new default depends on fstype, can be overwriten in config
- removed default fstype in config
the type will now be autodetected, can be overwriten in config
- mount src setting is now optional
the source will now be autodetected, can be overwriten in config
- it will be now checked, if it is really a mount
- changed fs reload to handler
- removed check os_auditd_enabled on /var/log/audit
Signed-off-by: divialth <65872926+divialth@users.noreply.github.com>
* fix lint errors
Signed-off-by: divialth <65872926+divialth@users.noreply.github.com>
* implemented the name suggestions
Signed-off-by: divialth <65872926+divialth@users.noreply.github.com>
Signed-off-by: divialth <65872926+divialth@users.noreply.github.com>
add option to whitelist specific user that need a .netrc file in there home dirs
add test for .netrc files if option os_netrc_enabled is false
Signed-off-by: Philipp Funk <philipp.funk@t-systems.com>
Signed-off-by: Philipp Funk <philipp.funk@t-systems.com>
Co-authored-by: Philipp Funk <philipp.funk@t-systems.com>
* Include Debian 11 into Molecule test suites (#527)
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Fix Ansible Lint GitHub Action version (#527)
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Update .gitignore
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* mysql_hardening: Use Python 3 as Ansible interpreter (#527)
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Note Debian 11 support for os_hardening & nginx_hardening (#527)
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Fix lint issues & Ansible Lint configuration in CI
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* Try to fix YAML lint issues, again
Re-ordered YAML comments at the end of `.yamllint` file.
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
* rm debian9 from tests, add debian 11 where missing
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* fix mysql molecule tests
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
```
Unable to open /var/log/audit/audit.log (Permission denied)
```
This PR fixes the issue by using the default permission set by auditd (`0700`).
Signed-off-by: Benedikt Böhm <bb@xnull.de>
* Only run harding if /var/log/audit exists
Signed-off-by: GitHub <noreply@github.com>
* Update roles/os_hardening/tasks/minimize_access.yml
* add more conditionals to when auditd show be hardened
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add more tests to the os-hardening vm tests
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Revert "add more tests to the os-hardening vm tests"
This reverts commit c05fe8b520.
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* first testing with tasks and variables
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* update variables for dir options
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* updated permissions and defaults
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* fix home dir permissions
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* updated tasks with useful variables
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* reorder tasks. first remount, then manage fstab and fix permissions on directories. Renaming task names with mountpoints (slashes)
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* shorten tasks with list items
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* change defaults for /boot directory, because its a bad behaviour, if ansible changes boot entries with a default value
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* Update documentation for new parameters to manage mountpoints
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* Update roles/os_hardening/tasks/minimize_access.yml
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* Update roles/os_hardening/tasks/minimize_access.yml
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* Fix state on every new task
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* loop instead of list
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* testing remount with register
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* add remounts with loop over all changed folders
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* testing and solving trouble with variable names
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* optimize default permissions for var-log-audit
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* optimize default permissions for var-log-audit
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* change to new optimizied permissions of var-log-audit
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* fix some defaults in fstab to configure as mounted
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* add stat and check, if boot folder exists
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
Co-authored-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Files in this whitelist should not be altered.
Currently this is only relevant for enforcing the gpg check.
Signed-off-by: René Scheibe <rene.scheibe@gmail.com>
* new function to disable ctrl-alt-del to avooid reboot virtual machines f.e.
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* fix variable documentation for ctrlaltdel
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* added ctrlaltdel variable for molecule
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* optimize ctrlaltdel function with a 'when' query. thanks to rndmh3ro
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* fix typo in new file
Co-authored-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
The tasks `Change shadow ownership to root and mode to 0600` and `Change
passwd ownership to root and mode to 0644` only handle
`/etc/shadow` and `/etc/passwd` respectively. But there multiple
adjacent files that should be handled with these rules as well:
- `/etc/gshadow`
- `/etc/shadow-`
- `/etc/gshadow-`
- `/etc/group`
- `/etc/shadow-`
- `/etc/group-`
This change adds those files to the rules, so that permissions are
handled in the same way.
Closes: #488
Signed-off-by: Claudius Heine <ch@denx.de>
* Add CVE-2021-33909 mitigations
kernel.unprivileged_bpf_disabled: 1
kernel.unprivileged_userns_clone: 0
The first one is also used by Tails.
Signed-off-by: Paweł Krawczyk <616047+kravietz@users.noreply.github.com>
* Clean up whitespaces
Signed-off-by: Paweł Krawczyk <616047+kravietz@users.noreply.github.com>
* Add Configuration of password remember
and set default to 60
see Telekom 2021.07-01 SoC 3.01 Req 25 and SoC 3.65 Req46
Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>
* set default for password remember back to 5
Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>
* readme default for password remember back to 5
Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>
* add SUB_UID_MIN/MAX/COUNT, SUB_GID_MIN/MAX/COUNT
Similar reason as #461
> If /etc/subuid exists, the commands useradd and newusers (unless the user already have subordinate user IDs)
> allocate SUB_UID_COUNT unused user IDs from the range SUB_UID_MIN to SUB_UID_MAX for each new user.
> The default values for SUB_UID_MIN, SUB_UID_MAX, SUB_UID_COUNT are respectively 100000, 600100000 and 65536.
Signed-off-by: Leo Gallucci <elgalu3@gmail.com>
* document SUB_UID_MIN/MAX/COUNT, etc
Signed-off-by: Leo Gallucci <elgalu3@gmail.com>
* use os_family instead of distribution for debian systems
Signed-off-by: rndmh3ro <github@gumpri.ch>
* remove tasks related to rhel6 or debian 6
Signed-off-by: rndmh3ro <github@gumpri.ch>
* add rocky linux 8 tests and make sure that all relevant tasks are executed
Signed-off-by: rndmh3ro <github@gumpri.ch>
* fix missing quote
Signed-off-by: rndmh3ro <github@gumpri.ch>
when our collection is used with tags, the os dependent variables are
not resolved. This task should run every time, so the behaviour is
correct.
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
When `import_tasks` is used, the task `Fetch OS dependent variables`
always runs, even when excluded by an upstream tag.
When `Fetch OS dependent variables` runs while excluded via tags, it
will always fail with the following.
```
fatal: [alpha]: FAILED! => {"msg": "No file was found when using first_found. Use errors='ignore' to allow this task to be skipped if no files are found"}
```
This brings os_hardening's main.yml in line with ssh_hardening's
main.yml, which doesn't have this issue.
Signed-off-by: Colin Adler <colin@coder.com>
Ansible does not work with FQCN and collections sepcified for including
roles. It is currently expecting to only get the role name in this
context.
Verified with Ansible 2.10.5
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
