Sebastian Gumprich
7b5fa53f3a
Update kitchen-ansible, remove separate debian install
...
Due to the new kitchen-ansible version it is now
possible to install ansible on all major OS's via a
ansible omnibus script which is provided by
kitchen ansible. There's no more need to separate
the debian tests.
Also removed whitespace.
2015-08-29 14:13:17 +02:00
Sebastian Gumprich
adc8462838
Revamp conditionals again
2015-08-17 15:31:45 +00:00
Sebastian Gumprich
7b934e415c
Add another conditional
2015-08-17 17:16:17 +00:00
Sebastian Gumprich
b17bd65870
Add more conditionals
2015-08-17 17:08:16 +00:00
Sebastian Gumprich
9560f33329
Change last task again
2015-08-17 17:04:47 +00:00
Sebastian Gumprich
be38ac75f4
Add selinux-check
2015-08-16 20:37:33 +00:00
Sebastian Gumprich
1ff939db76
Use correct variable and change travis-test
2015-08-14 17:44:12 +00:00
Sebastian Gumprich
a1a439d38e
Add mode to su-binary task. Fix #38
2015-08-13 21:02:57 +00:00
Sebastian Gumprich
c4482cb12e
Support for selinux and pam. fix #23
...
This change adds the following:
- it checks whether selinux is in "Enforcing" mode
- when selinux is enforcing, it copies a new selinux-policy to the host
- this policy allows sshd to read the shadow-file directly, which is forbidden by selinux otherwise
- the policy is then compiled, a package is created and the policy is installed
- when selinux is enforcing, pam is used and the policy is not disabled, it gets removed,
because it's considered a security risk. See here: http://danwalsh.livejournal.com/12333.html
2015-08-10 21:45:15 +00:00
Sebastian Gumprich
ef8c4ada2f
Separate ssh client and server ports. Fix #33
...
This PR separates the ssh_ports variable into two separate
variables for the ssh-client and ssh-server.
2015-08-09 11:16:34 +00:00
Christoph Hartmann
950210348f
Merge pull request #31 from hardening-io/max_auth_tries
...
Make MaxAuthTries configurable
2015-08-06 23:39:14 -07:00
Sebastian Gumprich
2bc353b7a9
Make MaxAuthTries configurable
2015-08-06 14:20:32 +00:00
Sebastian Gumprich
9befb22e13
Change oneliner if-statements to be more readable
2015-08-06 14:00:14 +00:00
Sebastian Gumprich
df8b205a8f
Change oneliner if-statements to be more readable
2015-08-06 13:53:33 +00:00
Robin Schneider
10f6544f3c
Make ssh client password login configurable.
...
Defaults to not allow, which might be a bit restrictive.
2015-08-04 15:17:50 +02:00
Sebastian Gumprich
60e898098d
Fix join-filter, jinja-cases, spelling, whitespace
...
- the join filter is replaced by '+'
- the if-cases for rhel-based OS'es are simplified
- indentation of complex if-cases
2015-07-29 20:52:53 +00:00
Sebastian Gumprich
bda8d52083
Merge pull request #26 from ypid/role-review
...
Fixed role's join-filter, jinja-cases, spelling, whitespace
2015-07-29 13:27:46 +00:00
Robin Schneider
a2f4542a48
Short role review. Fixed role when ssh_client_weak_kex == true.
...
* This role uses the Jinja2 `join` filter quite creatively, please fix this. This patch fixes one instance.
* Make full use of Jinja2 features. E.g. use `if ansible_os_family in ['Oracle Linux', 'RedHat']` for example. This patch fixes one instance.
* Fixed spelling.
* Removed whitespace.
2015-07-28 21:21:32 +02:00
Robin Schneider
a8f991bc07
Make it configurable to only harden ssh client/server or both (default).
2015-07-28 20:42:14 +02:00
Sebastian Gumprich
a2c483ace8
Separate system-vars from editable vars.
...
This change moves variables that can be changed or overridden by the user to the defaults-vars-files, where they belong.
2015-07-28 18:07:34 +00:00
Sebastian Gumprich
48fc334f71
Separate system-vars from editable vars
...
This change moves variables that can be changed or overridden by the user to the defaults-vars-files, where they belong.
2015-07-27 21:04:38 +00:00
Sebastian Gumprich
a1425befeb
Separate system-vars from editable vars. Fix #34
2015-07-27 20:47:23 +00:00
Sebastian Gumprich
daf8e4c45b
Add documentation for testing, change value in vars
2015-07-18 20:57:58 +00:00
Sebastian Gumprich
b3af021cd9
Create limits.d-directory if it does not exist.
...
See [here](https://github.com/hardening-io/chef-os-hardening/issues/84).
2015-07-13 18:18:13 +00:00
Sebastian Gumprich
dab153eb56
INITIAL
2015-07-02 18:32:22 +00:00
Christoph Hartmann
75dbf1cae6
Merge pull request #30 from hardening-io/CL_RM_TODO
...
Update readme, todo, changelog, vars
2015-06-24 06:40:28 -07:00
Sebastian Gumprich
348fb1cc53
Change var to true to remove pkgs by default
2015-06-24 10:21:13 +00:00
Sebastian Gumprich
5e1e2513c5
Update readme, todo, changelog, vars
...
* This commit updates the readme in several ways.
* It adds a todo-list and a changelog.
* It deletes unused variables.
2015-06-23 23:58:40 +02:00
Sebastian Gumprich
c8d9ac84ef
Add module configuration
2015-06-23 23:58:12 +02:00
Christoph Hartmann
ac4754ff16
Merge pull request #29 from hardening-io/suid_fix
...
List-cleanup and follow symlinks added
2015-06-23 14:57:25 -07:00
Sebastian Gumprich
f6cf4fcdf5
Fix another sysctl-setting due to new tests
2015-06-23 23:51:18 +02:00
Sebastian Gumprich
8ba37823f9
Fix two sysctl-settings
2015-06-23 23:51:18 +02:00
Sebastian Gumprich
88f4f17786
Added condition to suid/sgid-execution
2015-06-23 17:49:37 +00:00
Sebastian Gumprich
46b50769aa
List-cleanup and follow symlinks added
...
- This change alters the black- and white-listed list for
suid/sgid-management to be a proper yaml-formatted list.
- Furthermore "follow symlinks" was added to the tasks
that remove suid/sgid because otherwise the suid/sgid
from the link-targets would not be removed.
2015-06-23 11:01:00 +00:00
Christoph Hartmann
10267eb509
Merge pull request #23 from hardening-io/remove_authconfig
...
Delete authconfig-task on rhel-systems
2015-06-20 02:01:39 -07:00
Sebastian Gumprich
a345da0023
Delete authconfig-task on rhel-systems
...
The authconfig-task overrides changes we later do on files, so this
task is not necessary and causes some tasks to always change files.
2015-06-19 11:51:23 +02:00
Sebastian Gumprich
e4c6436163
Add missing rhosts-include task
2015-06-19 11:51:09 +02:00
Christoph Hartmann
71c7042163
Merge pull request #24 from hardening-io/result_override
...
Use changed_when to avoid changed tasks
2015-06-19 02:48:08 -07:00
Sebastian Gumprich
1005cc133a
Add ignore-vars. Change nologin-shell dep. on OS
2015-06-18 18:14:08 +00:00
Sebastian Gumprich
f82e7684c6
Added option to disable system accounts
2015-06-18 18:14:08 +00:00
Sebastian Gumprich
6f910c28d8
Use changed_when to avoid changed tasks
...
When a shell or command task that only fetches data gets executed,
the task will be marked as changed, even though nothing changed.
This commit changes the behaviour of tasks that only fetch data.
For more info see here:
http://docs.ansible.com/playbooks_error_handling.html#overriding-the-changed-result
2015-06-18 13:42:29 +00:00
Sebastian Gumprich
531a051ef9
Skip sysctl-tasks in travis-environment
2015-06-17 12:11:59 +02:00
Sebastian Gumprich
e70974ba16
Add os_security_kernel_enable_module_loading
2015-06-08 17:25:50 +00:00
Sebastian Gumprich
81c171a55a
Change sysctl-task. Fix #18
2015-06-06 18:35:09 +00:00
Christoph Hartmann
645240998d
Merge pull request #16 from hardening-io/cnd_ip_fwd
...
Add conditions for various tasks. Fix #15
2015-06-03 12:35:43 -07:00
Sebastian Gumprich
7c121b7e2b
Add missing condition
2015-06-01 21:46:05 +00:00
Sebastian Gumprich
255948feb3
Add conditions for various tasks. Fix #15
2015-06-01 20:33:35 +00:00
Sebastian Gumprich
fb59fab08f
Remove duplicate whitelist-check
2015-06-01 19:36:37 +00:00
Sebastian Gumprich
544779e26a
Add remove suid/sgid function
2015-06-01 14:50:22 +02:00
Sebastian Gumprich
e6f2253c49
replace sed with replace-module
2015-06-01 14:28:18 +02:00
Sebastian Gumprich
c9252b167f
add gpgcheck rhnplugin.conf, consolidate task
2015-06-01 14:28:18 +02:00
Sebastian Gumprich
66e258da7e
Add task to remove unused repos and pkgs
2015-06-01 14:28:17 +02:00
Sebastian Gumprich
95bb02edbe
Make tasks clearer
2015-06-01 14:23:13 +02:00
Sebastian Gumprich
1782dbf3fa
ignore RAs on Ipv6
...
See: https://github.com/hardening-io/puppet-os-hardening/blob/master/manifests/sysctl.pp#L66-L68
2015-06-01 10:59:37 +02:00
Sebastian Gumprich
3dce747cd6
Revert "ignore RAs on Ipv6"
...
This reverts commit a91cbe0192.
2015-05-28 18:47:18 +00:00
Sebastian Gumprich
a91cbe0192
ignore RAs on Ipv6
...
Taken from here:
https://github.com/hardening-io/puppet-os-hardening/blob/master/manifests/sysctl.pp#L66-L68
2015-05-28 18:43:52 +00:00
Sebastian Gumprich
a305b94230
Add separated files
2015-05-26 19:53:55 +00:00
Sebastian Gumprich
79ca60bfa1
Separate tasks into multiple smaller files
2015-05-26 19:53:16 +00:00
Sebastian Gumprich
557109e35a
Separate the tasks into smaller files
2015-05-26 19:45:30 +00:00
Christoph Hartmann
01572d9041
Merge pull request #5 from hardening-io/yum
...
Enable gpg-check on all yum-repositories
2015-05-20 12:17:54 -07:00
Sebastian Gumprich
c2884687c8
Change tasks to use sed instead of lineinfile
2015-05-20 21:07:30 +00:00
Sebastian Gumprich
82fea53ba7
Enable gpg-check on all yum-repositories
2015-05-19 21:01:32 +00:00
Dominik Richter
226c2761f8
treat securetty config as an array
2015-05-11 23:06:34 +02:00
Sebastian Gumprich
e097f02065
Add profile.conf configuration
2015-05-11 23:00:08 +02:00
Sebastian Gumprich
ef2ce77f53
Add securetty-template
2015-05-10 21:44:17 +00:00
Sebastian Gumprich
b78345fe0c
Add securetty-support
2015-05-10 21:43:26 +00:00
Sebastian Gumprich
b9cc7bf9d8
Further improvements, first push
2015-05-10 18:33:37 +00:00
Sebastian Gumprich
06d1464e95
Initial
2015-05-04 21:37:22 +00:00
Sebastian Gumprich
ef275a4e85
Add handler to restart ssh only if necessary. Fix #6
2015-04-28 16:47:12 +00:00
Sebastian Gumprich
45eb0e2f38
Oracle support
...
- Add check for Oracle operating systems
- Add minus sign to remove whitespace
2015-04-27 21:14:50 +00:00
Sebastian Gumprich
bb703c962a
INITIAL
2015-04-23 18:30:41 +00:00