* first testing with tasks and variables
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* update variables for dir options
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* updated permissions and defaults
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* fix home dir permissions
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* updated tasks with useful variables
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* reorder tasks. first remount, then manage fstab and fix permissions on directories. Renaming task names with mountpoints (slashes)
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* shorten tasks with list items
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* change defaults for /boot directory, because its a bad behaviour, if ansible changes boot entries with a default value
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* Update documentation for new parameters to manage mountpoints
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* Update roles/os_hardening/tasks/minimize_access.yml
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* Update roles/os_hardening/tasks/minimize_access.yml
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* Fix state on every new task
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* loop instead of list
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* testing remount with register
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* add remounts with loop over all changed folders
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* testing and solving trouble with variable names
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* optimize default permissions for var-log-audit
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* optimize default permissions for var-log-audit
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* change to new optimizied permissions of var-log-audit
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* fix some defaults in fstab to configure as mounted
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* add stat and check, if boot folder exists
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
Co-authored-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
while this could be better solved by checking what nginx version is used, debian9 is eol'd in 4 months. if there will be again a need to check for nginx versions, we'll add it then
Signed-off-by: rndmh3ro <github@gumpri.ch>
Files in this whitelist should not be altered.
Currently this is only relevant for enforcing the gpg check.
Signed-off-by: René Scheibe <rene.scheibe@gmail.com>
* new function to disable ctrl-alt-del to avooid reboot virtual machines f.e.
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* fix variable documentation for ctrlaltdel
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* added ctrlaltdel variable for molecule
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* optimize ctrlaltdel function with a 'when' query. thanks to rndmh3ro
Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
* fix typo in new file
Co-authored-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
The tasks `Change shadow ownership to root and mode to 0600` and `Change
passwd ownership to root and mode to 0644` only handle
`/etc/shadow` and `/etc/passwd` respectively. But there multiple
adjacent files that should be handled with these rules as well:
- `/etc/gshadow`
- `/etc/shadow-`
- `/etc/gshadow-`
- `/etc/group`
- `/etc/shadow-`
- `/etc/group-`
This change adds those files to the rules, so that permissions are
handled in the same way.
Closes: #488
Signed-off-by: Claudius Heine <ch@denx.de>
* fix filter error in ansible.builtin.file mode parameter
* Change cinc supermarket
* fix link to baseline
* fix typo
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* [mysql_hardening] Allow setting the mysql_distribution
On some operating systems, the package for MySQL is not `mysql-server`,
and so the default check for this will not yield the correct result.
This change adds an escape hatch by letting the user set
`mysql_distribution`. Additionally, it verifies that it is set to a
legal value if the user has set it.
Closes#472
Signed-off-by: Shawn Wilsher <656602+sdwilsh@users.noreply.github.com>
* Update roles/mysql_hardening/tasks/main.yml
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* Add CVE-2021-33909 mitigations
kernel.unprivileged_bpf_disabled: 1
kernel.unprivileged_userns_clone: 0
The first one is also used by Tails.
Signed-off-by: Paweł Krawczyk <616047+kravietz@users.noreply.github.com>
* Clean up whitespaces
Signed-off-by: Paweł Krawczyk <616047+kravietz@users.noreply.github.com>
* Add Configuration of password remember
and set default to 60
see Telekom 2021.07-01 SoC 3.01 Req 25 and SoC 3.65 Req46
Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>
* set default for password remember back to 5
Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>
* readme default for password remember back to 5
Signed-off-by: Maik Stuebner <Maik.Stuebner@t-systems.com>
* add SUB_UID_MIN/MAX/COUNT, SUB_GID_MIN/MAX/COUNT
Similar reason as #461
> If /etc/subuid exists, the commands useradd and newusers (unless the user already have subordinate user IDs)
> allocate SUB_UID_COUNT unused user IDs from the range SUB_UID_MIN to SUB_UID_MAX for each new user.
> The default values for SUB_UID_MIN, SUB_UID_MAX, SUB_UID_COUNT are respectively 100000, 600100000 and 65536.
Signed-off-by: Leo Gallucci <elgalu3@gmail.com>
* document SUB_UID_MIN/MAX/COUNT, etc
Signed-off-by: Leo Gallucci <elgalu3@gmail.com>
* use os_family instead of distribution for debian systems
Signed-off-by: rndmh3ro <github@gumpri.ch>
* remove tasks related to rhel6 or debian 6
Signed-off-by: rndmh3ro <github@gumpri.ch>
* add rocky linux 8 tests and make sure that all relevant tasks are executed
Signed-off-by: rndmh3ro <github@gumpri.ch>
* fix missing quote
Signed-off-by: rndmh3ro <github@gumpri.ch>
when our collection is used with tags, the os dependent variables are
not resolved. This task should run every time, so the behaviour is
correct.
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
When `import_tasks` is used, the task `Fetch OS dependent variables`
always runs, even when excluded by an upstream tag.
When `Fetch OS dependent variables` runs while excluded via tags, it
will always fail with the following.
```
fatal: [alpha]: FAILED! => {"msg": "No file was found when using first_found. Use errors='ignore' to allow this task to be skipped if no files are found"}
```
This brings os_hardening's main.yml in line with ssh_hardening's
main.yml, which doesn't have this issue.
Signed-off-by: Colin Adler <colin@coder.com>
