* centos7 is eol, remove it
Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* change workflow to update readmes when meta/main.yml is changed
Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* remove mention of centos 7 from readme
Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
---------
Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
The `os_unused_filesystems` was lacking sorting, making the task not
idempotent. This was especially apparent and random in Molecule tests
when this collection was added as a dependency.
Signed-off-by: Aki Kanellis <hello@akikanellis.com>
* add testing and support for current versions of Fedora and FreeBSD
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* add waivers for FreeBSD
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* use original fedora images
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* also harden /home mount
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* also harden /tmp mount
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* test mock efi directory
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* remove mock
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* umount efi
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* add /tmp to special mountpoints
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* set options for /tmp mount
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* create /tmp mount
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* create /tmp mount and mount it ...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* make fewer changes to default test run
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* use correct Ansible var
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* Gather facts when os_hardening role is executed with tags
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* better when condition
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* add role argument spec for os, ssh, mysql
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add role argument spec for os, ssh, mysql
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove variable in variable as it cannot be used in argument spec
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* fix wrong syntax
* fix spelling errors
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* cannot use vars before arg-spec validation
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* yamllint the arg-spec
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add back variable
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove redundant setting in tests
* fix descriptions in mysql hardening to betterreflect what they do
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove duplicate empty line
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* set correct defaults on to ssl options
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove left-over hidepid argument spec
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove license and author infos, this lives in the collection readme
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* fix styling
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* update some descriptions and sort them in the readme
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* some more linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
---------
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* make template overrideable
by referencing the auditd.conf.j2 template, a custom template can be provided to the role.
Signed-off-by: Dennis Lerch <dennis.lerch@mercedes-benz.com>
* extend auditd config
make freq and log_file configurable
implement write_logs with it's default value in order to be able to disable log writing
Signed-off-by: Dennis Lerch <dennis.lerch@mercedes-benz.com>
* Extend README.md documentation by new variables
reorder `os_auditd_log_format` to keep sequence from defaults
Signed-off-by: Dennis Lerch <dennis.lerch@mercedes-benz.com>
---------
Signed-off-by: Dennis Lerch <dennis.lerch@mercedes-benz.com>
* add check mode to molecule tests
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* bail on undefined variables
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* bail on undefined variables
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* execute tasks in check mode
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix error in check mode on SuSE
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use when condition on task
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add remaining platforms to test
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove unneccessary tasks for test
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use current opensuse version
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* disable sysctl for missing yama in opensuse
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* rewrite user home dir hardening
* delete duplicate var that was missed in a merge conflict
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add tests for home rewrites
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Apply suggestions from code review
Co-authored-by: schurzi <github@drachen-server.de>
---------
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: donestefan <donestefan@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: schurzi <github@drachen-server.de>
* rewrite system account detection and hardening
* resolve failures created when resolving merge conflicts
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add tests for shell removal tasks
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Update molecule/os_hardening/prepare.yml
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* split tasks for locking and setting shell
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix some more linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
Co-authored-by: donestefan <donestefan@users.noreply.github.com>
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
* linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* more linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* change line length issues
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* replace yes with true in tasks
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* use manual line-wrapping because ansible-lint does not support it correctly.
see https://github.com/ansible/ansible-lint/issues/2522
* use manual line-wrapping because ansible-lint does not support it correctly.
see https://github.com/ansible/ansible-lint/issues/2522
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* use manual line-wrapping because ansible-lint does not support it correctly.
see https://github.com/ansible/ansible-lint/issues/2522
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add exception for task
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove trailing whitespace
* add back deleted params
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add back deleted params
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add back tasks
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
