Mirrors/ansible-collection-hardening

mirror of https://github.com/dev-sec/ansible-collection-hardening synced 2024-11-10 09:14:18 +00:00

Author	SHA1	Message	Date
Sebastian Gumprich	f295397611	add role argument spec for os, ssh, mysql (#687 ) * add role argument spec for os, ssh, mysql Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add role argument spec for os, ssh, mysql Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * remove variable in variable as it cannot be used in argument spec Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * fix wrong syntax * fix spelling errors Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * cannot use vars before arg-spec validation Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * yamllint the arg-spec Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add back variable Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * remove redundant setting in tests * fix descriptions in mysql hardening to betterreflect what they do Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * remove duplicate empty line Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * set correct defaults on to ssl options Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * remove left-over hidepid argument spec Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * remove license and author infos, this lives in the collection readme Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * fix styling Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * update some descriptions and sort them in the readme Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * some more linting Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> --------- Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2023-08-07 14:30:59 +02:00
Andreas Wagner	d7bda7ca3a	expand on check conditions for non-file locations of logs (#674 ) Co-authored-by: whysthatso <git@whysthatso.net>	2023-05-22 15:53:33 +02:00
Martin Schurz	7259d6b5fd	fix spelling errors Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2023-04-14 23:51:53 +02:00
Martin Schurz	0014a3be36	update metadata Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2023-04-12 20:18:29 +02:00
schurzi	5ed3f399f2	add check mode to molecule tests (#644 ) * add check mode to molecule tests Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * bail on undefined variables Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * bail on undefined variables Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * execute tasks in check mode Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * fix error in check mode on SuSE Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * use when condition on task Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> --------- Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2023-03-09 09:37:59 +01:00
schurzi	6e5621cdc9	simplify MySQL queries for user deletion (#641 ) * use rowcount to determine mysql results Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * use correct list level Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * remove json_query Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * remove intermediate vars Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * add check for count Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * drop condition, since one result must exist Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * move rowcount in condition Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * do loop in ansible to report each deleted user Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * add idempotency check Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * additional tests to verify user deletion Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * actually iterate the whole user list when deleting Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * fix tests for SuSE Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * adopt suggestions Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> --------- Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2023-03-01 14:19:50 +01:00
Sebastian Gumprich	bb588bd777	linting (#603 ) * linting Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * more linting Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * change line length issues Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * replace yes with true in tasks Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * use manual line-wrapping because ansible-lint does not support it correctly. see https://github.com/ansible/ansible-lint/issues/2522 * use manual line-wrapping because ansible-lint does not support it correctly. see https://github.com/ansible/ansible-lint/issues/2522 Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * use manual line-wrapping because ansible-lint does not support it correctly. see https://github.com/ansible/ansible-lint/issues/2522 Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add exception for task Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * remove trailing whitespace * add back deleted params Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add back deleted params Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add back tasks Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2023-01-24 12:40:27 +01:00
Sebastian Gumprich	be0642bcfb	add verify-task to check if mysql is running and enabled (#608 ) * add verify-task to check if mysql is running and enabled Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * Update molecule/mysql_hardening/verify_tasks/service.yml Co-authored-by: schurzi <Martin.Schurz@t-systems.com> Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Co-authored-by: schurzi <Martin.Schurz@t-systems.com>	2022-12-07 08:49:07 +01:00
Sebastian Gumprich	e66c2eb6bb	Add OpenSUSE support (#605 ) * Add variables for mariadb on opensuse Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * enable pipeline Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * add a note about the reuirement of the jmespath library. Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * Use python3 on opensuse Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * fix my yml. Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * use right ansible variable Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * Suse requires python-rpm Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * try zypper Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * python-xml Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * another try at fixing the install Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * fix my yml Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * another try Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * another try Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * another try now with rpm. Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * fix my yml... Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * typo Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * do the test for Suse on the shell and not in ansible Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * specify to use bash Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * specify to use bash * try the removes keyword of builtin.shell Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * fix ansible syntax Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * fix zypper syntax Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * ensure pymysql is present Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> * set ansible python interpreter in converge-step, too Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * move install task to prepare Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de> Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Co-authored-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>	2022-11-29 15:09:27 +01:00
Sebastian Gumprich	dac66f4a88	simplify OS-vars files Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2022-10-25 18:59:11 +02:00
Sebastian Gumprich	b27ffd08b0	add mysql-vars for new OS Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2022-10-25 18:58:53 +02:00
schurzi	a1b80fe657	adopt all current suggestions from ansible-lint (#592 )	2022-10-24 09:42:23 +02:00
Sebastian Gumprich	11d187e62e	update supported OS in meta and fix linting (#572 ) Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2022-08-26 13:44:51 +02:00
schurzi	b56c801574	add basic support for ubuntu22.04 (#554 ) Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2022-08-15 13:05:09 +02:00
Sebastian Gumprich	9b50392d8a	fix linting Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2022-07-07 16:12:06 +02:00
Sebastian Gumprich	be0d501bc8	update minimum ansible version for roles fixes #407 Signed-off-by: rndmh3ro <github@gumpri.ch>	2021-10-20 20:42:05 +02:00
rndmh3ro	8ff3d73bbf	Prettified Code!	2021-08-25 10:58:16 +00:00
123quhiwiwk	062dd3f092	Use log_error/datadir from database settings instead of default variable (#478 ) Signed-off-by: 123quhiwiwk <70281681+123quhiwiwk@users.noreply.github.com>	2021-08-25 12:57:46 +02:00
123quhiwiwk	4671a32062	Execute check of error logfile permissions only when log_error is defined (#477 ) Signed-off-by: 123quhiwiwk <70281681+123quhiwiwk@users.noreply.github.com>	2021-08-24 09:41:55 +02:00
Shawn Wilsher	3b33e0a7aa	[mysql_hardening] Setup defaults for MySQL on FreeBSD (#474 ) Signed-off-by: Shawn Wilsher <656602+sdwilsh@users.noreply.github.com>	2021-08-20 13:00:12 +02:00
schurzi	d7eb00f4b7	Merge pull request #475 from dev-sec/ansible_lint use Ansible lint in separate task	2021-08-15 22:53:41 +02:00
rndmh3ro	cf17f80374	skip linting on special task Signed-off-by: rndmh3ro <github@gumpri.ch>	2021-08-15 20:16:56 +02:00
Shawn Wilsher	9ab06a5e06	[mysql_hardening] Allow setting the mysql_distribution (#473 ) * [mysql_hardening] Allow setting the mysql_distribution On some operating systems, the package for MySQL is not `mysql-server`, and so the default check for this will not yield the correct result. This change adds an escape hatch by letting the user set `mysql_distribution`. Additionally, it verifies that it is set to a legal value if the user has set it. Closes #472 Signed-off-by: Shawn Wilsher <656602+sdwilsh@users.noreply.github.com> * Update roles/mysql_hardening/tasks/main.yml Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>	2021-08-15 20:03:07 +02:00
Sherwin Daganato	350b5891d1	Add support for Rocky Linux 8 (#454 ) Signed-off-by: Sherwin Daganato <sherwin@daganato.com>	2021-06-30 10:12:07 +02:00
schurzi	29e10e5c3b	add tag always to os dependent vars task (#456 ) when our collection is used with tags, the os dependent variables are not resolved. This task should run every time, so the behaviour is correct. Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2021-06-29 13:07:25 +02:00
Martin Neubert	0324273dce	Check for MariaDB Version when selecting users without passwords (#444 ) * added version check for MariaDB in Query MariaDB Uses the authentication_string field since 10.4.0, added this in version check in query for users to delete Signed-off-by: Martin Neubert <martin.neubert@t-systems.com> * Update roles/mysql_hardening/tasks/mysql_secure_installation.yml Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com> * Update roles/mysql_hardening/tasks/mysql_secure_installation.yml Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com> Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>	2021-04-28 09:52:09 +02:00
Martin Neubert	284943b699	USER and HOST should be quoted (#443 ) USER and HOST should be quoted to avoid errors in drop user statement Signed-off-by: Martin Neubert <martin.neubert@t-systems.com>	2021-04-27 21:16:50 +02:00
Sebastian Gumprich	d6a99c995e	use fqcn for mysql tasks Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2021-04-01 21:16:04 +02:00
Sebastian Gumprich	c6febf3249	fix linting Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2021-04-01 21:16:04 +02:00
Sebastian Gumprich	7d68c6036c	use single ansible fact to delete user Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2021-04-01 21:16:04 +02:00
Sebastian Gumprich	d4a4faa16d	fix syntax of mysql queries Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2021-04-01 21:16:04 +02:00
Sebastian Gumprich	5e7a0a60f1	fix linting Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2021-04-01 21:16:04 +02:00
Sebastian Gumprich	c3b954a2ab	add new tasks to delete users without passwords Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2021-04-01 21:16:04 +02:00
Sebastian Gumprich	2fb54bd224	remove secure-auth param if mysql => 8.0.3 Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> install collection in molecule Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> remove deprecated ubuntu 16.04 from tests Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2021-04-01 13:20:58 +02:00
Farid Joubbi	7af432e1cf	Uppercased first letter of task names. (#422 ) Signed-off-by: Farid Joubbi <farid@joubbi.se>	2021-03-25 13:52:56 +01:00
schurzi	8e4c22d8d9	remove FQCN from roles in examples (#404 ) Ansible does not work with FQCN and collections sepcified for including roles. It is currently expecting to only get the role name in this context. Verified with Ansible 2.10.5 Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2021-02-17 11:34:37 +01:00
Sebastian Gumprich	6be31fbc3b	do not install mysql python package on target host (#401 ) this package has to be installed on the host that executes the task Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2021-02-10 15:57:51 +01:00
Sebastian Gumprich	756839f8f0	make wrong password fail task (#400 ) * make wrong password fail task Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add name to fail task Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2021-02-10 15:55:08 +01:00
Sebastian Gumprich	c55c1f21ed	add restart handler variable for mysql role (#399 ) * add restart handler variable for mysql role Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add prettierignore file to ignore CHANGELOG Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2021-02-10 15:54:57 +01:00
Martin Schurz	0600cdae75	add "role" to comment Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2021-01-20 11:23:40 +01:00
schurzi	a75e2c028b	change inclusion of os specific defaults (#353 ) * change inclusion of os specific defaults we now include the os specific options into a separate variable and merge this with the default ansible namespace, when the corresponding keys do not already exist (eg. are defined by default oder by user) Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * simplify check for os specific variables Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * add test for variable override Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * move tests to verify stage Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * correct grep Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * linting Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * fix typo Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * Revert "Merge pull request #351 from sprat/fix-umask" This reverts commit `9e8e0bc8fb`, reversing changes made to `98c7553016`. Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * move immutable ssh vars to internal vars Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * move vars to OS files Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * change default handling for all roles Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * fix issues Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * add documentation Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * Update main.yml Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>	2020-12-20 20:46:57 +01:00
Sebastian Gumprich	d857830979	minor readme fixes Signed-off-by: Sebastian Gumprich <github@gumpri.ch>	2020-11-09 20:49:07 +01:00
rndmh3ro	c94d973527	Prettified Code!	2020-11-08 10:20:25 +00:00
Sebastian Gumprich	a10e4d7c1a	merge mysql-hardening role into collection	2020-11-07 21:48:10 +01:00

44 commits