Commit graph

221 commits

Author SHA1 Message Date
Sebastian Gumprich
7b5fa53f3a Update kitchen-ansible, remove separate debian install
Due to the new kitchen-ansible version it is now
possible to install ansible on all major OS's via a
ansible omnibus script which is provided by
kitchen ansible. There's no more need to separate
the debian tests.

Also removed whitespace.
2015-08-29 14:13:17 +02:00
Sebastian Gumprich
adc8462838 Revamp conditionals again 2015-08-17 15:31:45 +00:00
Sebastian Gumprich
7b934e415c Add another conditional 2015-08-17 17:16:17 +00:00
Sebastian Gumprich
b17bd65870 Add more conditionals 2015-08-17 17:08:16 +00:00
Sebastian Gumprich
9560f33329 Change last task again 2015-08-17 17:04:47 +00:00
Sebastian Gumprich
be38ac75f4 Add selinux-check 2015-08-16 20:37:33 +00:00
Sebastian Gumprich
1ff939db76 Use correct variable and change travis-test 2015-08-14 17:44:12 +00:00
Sebastian Gumprich
a1a439d38e Add mode to su-binary task. Fix #38 2015-08-13 21:02:57 +00:00
Sebastian Gumprich
c4482cb12e Support for selinux and pam. fix #23
This change add the following:

- it checks wether selinux is in "Enforcing" mode
- when selinux is enforcing, it copies a new selinux-policy to the host
- this policy allows sshd to read the shadow-file directly, which is forbidden by selinux otherwise
- the policy is then compiled, a package is created and the policy is installed
- when selinux is enforcing, pam is used and the policy is not disabled, it gets removed,
  because its considered a security risk. see here: http://danwalsh.livejournal.com/12333.html
2015-08-10 21:45:15 +00:00
Sebastian Gumprich
ef8c4ada2f Separate ssh client and server ports. Fix #33
This PR separates the ssh_ports variable into two separate
variables for the ssh-client and ssh-server.
2015-08-09 11:16:34 +00:00
Christoph Hartmann
950210348f Merge pull request #31 from hardening-io/max_auth_tries
Make MaxAuthTries configurable
2015-08-06 23:39:14 -07:00
Sebastian Gumprich
2bc353b7a9 Make MaxAuthTries configurable 2015-08-06 14:20:32 +00:00
Sebastian Gumprich
9befb22e13 Change oneliner if-statements to be more readable 2015-08-06 14:00:14 +00:00
Sebastian Gumprich
df8b205a8f Change oneliner if-statements to be more readable 2015-08-06 13:53:33 +00:00
Robin Schneider
10f6544f3c
Make ssh client password login configurable.
Defaults to not allow which might be a bit restrictive.
2015-08-04 15:17:50 +02:00
Sebastian Gumprich
60e898098d Fix join-filter, jinja-cases, spelling, whitespace
- the join filter is replaced by '+'
- the if-cases for rhel-based OS'es is simplified
- intendation of complex if-cases
2015-07-29 20:52:53 +00:00
Sebastian Gumprich
bda8d52083 Merge pull request #26 from ypid/role-review
Fixed role's join-filter, jinja-cases, spelling, whitespace
2015-07-29 13:27:46 +00:00
Robin Schneider
a2f4542a48
Short role review. Fixed role when ssh_client_weak_kex == true.
* This role uses the Jinja2 `join` filter quite creatively, please fix this. This patch fixes one instance.
* Make full use of Jinja2 features. E.g. use `if ansible_os_family in ['Oracle Linux', 'RedHat']` for example. This patch fixes one instance.
* Fixed spelling.
* Removed whitespace.
2015-07-28 21:21:32 +02:00
Robin Schneider
a8f991bc07
Make it configurable to only harden ssh client/server or both (default). 2015-07-28 20:42:14 +02:00
Sebastian Gumprich
a2c483ace8 Separate system-vars from editable vars.
This change moves variables that can be changed or overridden by the user to the defaults-vars-files, where it belongs.
2015-07-28 18:07:34 +00:00
Sebastian Gumprich
48fc334f71 Separate system-vars from editable vars
This change moves variables that can be changed or overridden by the user to the defaults-vars-files, where it belongs.
2015-07-27 21:04:38 +00:00
Sebastian Gumprich
a1425befeb Separate system-vars from editable vars. Fix #34 2015-07-27 20:47:23 +00:00
Sebastian Gumprich
daf8e4c45b Add documentation for testing, change value in vars 2015-07-18 20:57:58 +00:00
Sebastian Gumprich
b3af021cd9 Create limits.d-directory if it does not exist.
See [here](https://github.com/hardening-io/chef-os-hardening/issues/84).
2015-07-13 18:18:13 +00:00
Sebastian Gumprich
dab153eb56 INITIAL 2015-07-02 18:32:22 +00:00
Christoph Hartmann
75dbf1cae6 Merge pull request #30 from hardening-io/CL_RM_TODO
Update readme, todo, changelog, vars
2015-06-24 06:40:28 -07:00
Sebastian Gumprich
348fb1cc53 Change var to true to remove pkgs by default 2015-06-24 10:21:13 +00:00
Sebastian Gumprich
5e1e2513c5 Update readme, todo, changelog, vars
* This commit updates the readme in several ways.
* It adds a todo-list and a changelog.
* It deletes unused variables
2015-06-23 23:58:40 +02:00
Sebastian Gumprich
c8d9ac84ef Add module configuration 2015-06-23 23:58:12 +02:00
Christoph Hartmann
ac4754ff16 Merge pull request #29 from hardening-io/suid_fix
List-cleanup and follow symlinks added
2015-06-23 14:57:25 -07:00
Sebastian Gumprich
f6cf4fcdf5 Fix another sysctl-setting due to new tests 2015-06-23 23:51:18 +02:00
Sebastian Gumprich
8ba37823f9 Fix two sysctl-settings 2015-06-23 23:51:18 +02:00
Sebastian Gumprich
88f4f17786 Added condition to suid/sgid-execution 2015-06-23 17:49:37 +00:00
Sebastian Gumprich
46b50769aa List-cleanup and follow symlinks added
- This change alters the black- and white-listed list for
suid/sgid-management to be a proper yaml-formatted list.

- Furthermore "follow symlinks" was added to the tasks
that remove suid/sgid because otherwise the suid/sgid
from the link-targets would not be removed.
2015-06-23 11:01:00 +00:00
Christoph Hartmann
10267eb509 Merge pull request #23 from hardening-io/remove_authconfig
Delete authconfig-task on rhel-systems
2015-06-20 02:01:39 -07:00
Sebastian Gumprich
a345da0023 Delete authconfig-task on rhel-systems
The authconfig-task overrides changes we later do on files, so this
task is not necessary and causes some tasks to always change files
2015-06-19 11:51:23 +02:00
Sebastian Gumprich
e4c6436163 Add missing rhosts-include task 2015-06-19 11:51:09 +02:00
Christoph Hartmann
71c7042163 Merge pull request #24 from hardening-io/result_override
Use changed_when to avoid changed tasks
2015-06-19 02:48:08 -07:00
Sebastian Gumprich
1005cc133a Add ignore-vars. Change nologin-shell dep. on OS 2015-06-18 18:14:08 +00:00
Sebastian Gumprich
f82e7684c6 Added option to disable system accounts 2015-06-18 18:14:08 +00:00
Sebastian Gumprich
6f910c28d8 Use changed_when to avoid changed tasks
When a shell or command task, that only fetches data, gets executed,
the task will be marked as change, even though nothing changed.
This commit changes the behaviour of tasks that only fetch data.
For more info see here:
http://docs.ansible.com/playbooks_error_handling.html#overriding-the-changed-result
2015-06-18 13:42:29 +00:00
Sebastian Gumprich
531a051ef9 Skip sysctl-tasks in travis-environment 2015-06-17 12:11:59 +02:00
Sebastian Gumprich
e70974ba16 Add os_security_kernel_enable_module_loading 2015-06-08 17:25:50 +00:00
Sebastian Gumprich
81c171a55a Change sysctl-task. Fix #18 2015-06-06 18:35:09 +00:00
Christoph Hartmann
645240998d Merge pull request #16 from hardening-io/cnd_ip_fwd
Add conditions for various tasks. Fix #15
2015-06-03 12:35:43 -07:00
Sebastian Gumprich
7c121b7e2b Add missing condition 2015-06-01 21:46:05 +00:00
Sebastian Gumprich
255948feb3 Add conditions for various tasks. Fix #15 2015-06-01 20:33:35 +00:00
Sebastian Gumprich
fb59fab08f Remove duplicate whitelist-check 2015-06-01 19:36:37 +00:00
Sebastian Gumprich
544779e26a Add remove suid/sgid function 2015-06-01 14:50:22 +02:00
Sebastian Gumprich
e6f2253c49 replace sed with replace-module 2015-06-01 14:28:18 +02:00
Sebastian Gumprich
c9252b167f add gpgcheck rhnplugin.conf, consolidate task 2015-06-01 14:28:18 +02:00
Sebastian Gumprich
66e258da7e Add task to remove unused repos and pkgs 2015-06-01 14:28:17 +02:00
Sebastian Gumprich
95bb02edbe Make tasks clearer 2015-06-01 14:23:13 +02:00
Sebastian Gumprich
1782dbf3fa ignore RAs on Ipv6
See: https://github.com/hardening-io/puppet-os-hardening/blob/master/manifests/sysctl.pp#L66-L68
2015-06-01 10:59:37 +02:00
Sebastian Gumprich
3dce747cd6 Revert "ignore RAs on Ipv6"
This reverts commit a91cbe0192.
2015-05-28 18:47:18 +00:00
Sebastian Gumprich
a91cbe0192 ignore RAs on Ipv6
Taken from here:
https://github.com/hardening-io/puppet-os-hardening/blob/master/manifests/sysctl.pp#L66-L68
2015-05-28 18:43:52 +00:00
Sebastian Gumprich
a305b94230 Add separated files 2015-05-26 19:53:55 +00:00
Sebastian Gumprich
79ca60bfa1 Separate tasks into multiple smaller files 2015-05-26 19:53:16 +00:00
Sebastian Gumprich
557109e35a Separate the tasks into smaller files 2015-05-26 19:45:30 +00:00
Christoph Hartmann
01572d9041 Merge pull request #5 from hardening-io/yum
Enable gpg-check on all yum-repositories
2015-05-20 12:17:54 -07:00
Sebastian Gumprich
c2884687c8 Change tasks to use sed instead of lineinfile 2015-05-20 21:07:30 +00:00
Sebastian Gumprich
82fea53ba7 Enable gpg-check on all yum-repositories 2015-05-19 21:01:32 +00:00
Dominik Richter
226c2761f8 treat securetty config as an array 2015-05-11 23:06:34 +02:00
Sebastian Gumprich
e097f02065 Add profile.conf configuration 2015-05-11 23:00:08 +02:00
Sebastian Gumprich
ef2ce77f53 Add securetty-template 2015-05-10 21:44:17 +00:00
Sebastian Gumprich
b78345fe0c Add securetty-support 2015-05-10 21:43:26 +00:00
Sebastian Gumprich
b9cc7bf9d8 Further improvements, first push 2015-05-10 18:33:37 +00:00
Sebastian Gumprich
06d1464e95 Initial 2015-05-04 21:37:22 +00:00
Sebastian Gumprich
ef275a4e85 Add handler to restart ssh only if necessary. Fix #6 2015-04-28 16:47:12 +00:00
Sebastian Gumprich
45eb0e2f38 Oracle support
- Add check for Oracle operating systems

- Add minus sign to remove whitespace
2015-04-27 21:14:50 +00:00
Sebastian Gumprich
bb703c962a INITIAL 2015-04-23 18:30:41 +00:00