ansible-collection-hardening/CHANGELOG.md
2021-04-28 07:53:52 +00:00

50 KiB
Raw Blame History

Changelog

7.6.1 (2021-04-28)

Full Changelog

Fixed bugs:

  • Check for MariaDB Version when selecting users without passwords #444 (neubi4)

7.6.0 (2021-04-27)

Full Changelog

Implemented enhancements:

  • ssh: Client HostKeyAlgorithms configuration variable #442 (sepek)

Fixed bugs:

  • mysql USER and HOST should be quoted for drop query #443 (neubi4)

Closed issues:

  • Support HostKeyAlgorithms configuration for ssh_client file #441

Merged pull requests:

7.5.0 (2021-04-01)

Full Changelog

Implemented enhancements:

  • Not accepting source routing for IPv6. This was already done for IPv4. #424 (joubbi)

Fixed bugs:

Closed issues:

  • Harden user home directories #276

Merged pull requests:

  • remove secure-auth param if mysql >= 8.0.3 #438 (rndmh3ro)
  • Improved comments. #436 (joubbi)
  • os_auth_pam_pwquality_options: Changed type to authtok_type #432 (joubbi)
  • add restart-auditd handler after configuration change #427 (rndmh3ro)
  • add new tasks to delete mysql users without passwords #423 (rndmh3ro)
  • Uppercased first letter of task names. #422 (joubbi)

7.4.0 (2021-03-23)

Full Changelog

Implemented enhancements:

Closed issues:

  • Errors in packer build for vagrant builder #244

Merged pull requests:

  • Use pam_pwhistory.so instead of pam_unix.so for remembering old passwords #431 (joubbi)
  • Remove comments from PAM config file, but keep it in the template #430 (joubbi)
  • add support for using a proxy to test with molecule #429 (rndmh3ro)
  • Improve Documentation for sysctl defaults #418 (joubbi)

7.3.0 (2021-03-16)

Full Changelog

Implemented enhancements:

  • pam_tally2 is deprecated in RHEL8 and pam_faillock should be used in EL7 and EL8 instead. #377
  • Replace pam_tally2 with pam_faillock in Redhat #273
  • Extend GSSAPI configuration support to ssh_config #403 (wzzrd)
  • add restart handler variable for mysql role #399 (rndmh3ro)
  • restructure PAM handling and update for currently supported Linux distributions #392 (schurzi)

Fixed bugs:

  • Not able to use sudo command for user authenticated via ActiveDirectory #278
  • You shouldn't touch /etc/pam.d/system-auth-ac in RedHat/CentOS #252

Closed issues:

  • Netdata monitoring of docker in docker no longer possible #412
  • Unable to connect with SSH (Permission denied (publickey)) #411
  • TASK [os_hardening : configure auditd | package-08] #410
  • Collection throws undefined ansible_role_name error in auditd task #409
  • Ensure permissions on /etc/crontab are configured #375
  • Documentation should be updated #361

Merged pull requests:

7.2.0 (2021-02-10)

Full Changelog

Implemented enhancements:

  • Add variable to specify SSH host RSA key size #394 (Normo)
  • Set default for ssh host key files only when hardening the server #393 (Normo)

Fixed bugs:

  • A reason why instance would go in rescue mode ? #267
  • fix galaxy action to update local galaxy.yml #395 (Normo)

Closed issues:

  • Updating version in galaxy.yml should be part of the release process #396
  • ssh_hardening fail on keypair generation #388
  • The system must display the date and time of the last successful account logon upon an SSH logon. #362
  • Error in "root password is present" step #326

Merged pull requests:

7.1.1 (2021-02-05)

Full Changelog

Fixed bugs:

  • use fqcn for community.crypto.openssh_keypair module #389 (schurzi)

Closed issues:

  • AnsibleUndefinedVariable: 'ansible_role_name' is undefined with 7.1.0 #387

7.1.0 (2021-02-02)

Full Changelog

Implemented enhancements:

  • Default value for ssh_max_startups should be changed #366
  • Comment in configuration files should state which collection was there #345
  • Error on applying the sysctl vars on Debian Jessy #230
  • add Support for OpenSSH HostCertificate config option #380 (mpraeger)
  • Syncookie #372 (joubbi)
  • Sorted sysctl values and lists in READMEs alphabetically No functional changes. #371 (joubbi)
  • make auditd 'max_log_file' configurable #370 (tgueldner-mms)
  • reduce maximum unauthenticated ssh sessions #368 (schurzi)
  • add a runtime.yml to declare minimum ansible version #363 (rndmh3ro)
  • change inclusion of os specific defaults #353 (schurzi)
  • make the os_env_umask variable usable #351 (sprat)
  • Fix #348: make ssh configuration files paths configurable #350 (sprat)
  • Removed Protocol statement in later versions of sshd, since the code … #342 (joubbi)
  • Improvements of comments in opensshd.conf.j2 #338 #339 (joubbi)

Fixed bugs:

  • Comments in opensshd.conf.j2 should be improved #338
  • check for correct cpu vendor in initramfs-tools #374 (schurzi)
  • set hidepid=0 on RHEL/CentOS 7 #369 (schurzi)

Closed issues:

  • initramfs-tools modules.j2 does not seem to be able to detect AMD CPUs #373
  • How do i install this on Centos 8? #367
  • hidepid=2 gives error when running systemctl on EL7 #364
  • Allow putting the ssh/sshd config in alternative files #348
  • os_env_umask has no effect #344
  • Don't modify /etc/sysctl.conf #343

Merged pull requests:

7.0.0 (2020-11-11)

Full Changelog

Breaking changes:

Implemented enhancements:

Fixed bugs:

  • Task "set 10.hardcore.conf perms to 0400 and root ownership" fails in check mode #313
  • Inconsistent use of role vars/role defaults #284
  • Is it safe to use on Debian 10? The build is failing. #281
  • /etc/login.defs alters centos 7/8 default values #265
  • Invalid Conditionals in user_accounts.yml #255
  • auth-system related files are created for non-RHEL systems e.g. Debian #247
  • NSA website links are stale #227
  • Running ansible on python3 throughs "TypeError: '<=' not supported between instances of 'str' and 'int'" #223
  • lots of
  • squash_actions deprecation warning #218
  • login.defs.j2 template: ENV_PATH is missing ':' before variable substitution #202
  • auditd causing v5.0 to fail on unpriviledged LXC's #191
  • Setting os_security_users_allow has no effect #175
  • minimize_access: maximum recursion depth exceeded on Ansible 2.5 #171
  • wrong permissions passwdqc #170
  • 'sysctl_rhel_config' is undefined #167
  • Update deprecated include statements #166
  • Strongly recommend against disabling vfat by default #162
  • bug in ufw.j2 template #151
  • Add a "don't fail on error" switch ? #148
  • System completely unresponsive after role execution #145
  • Why is rsync removed? #141
  • RHEL 7.4: Too many setuid bits removed #140
  • Change system accounts not on the user provided ignore-list items are not JSON serializable #125
  • playbook makes OS undetectable #124
  • Centos7/RHEL7: Exec shield is enabled by default and not manageable anymore by sysctl.conf #118
  • Could not find gem 'ruby (>= 2.1.0)' #116
  • os_security_kernel_enable_sysrq is not implemented #115
  • The task sysctl fails when /etc/initramfs-tools is not present #111
  • The role fails when conditionally included #105
  • Deprecation warning always_run #103
  • CentOS 7 selinux dependencies #102
  • ubuntu xenial warning during activate gpg-check for yum-repos #99
  • rhel_system_auth.j2 is still using pam_passwdqc.so for CentOS 7 #98
  • Centos 7.1 fails at [Change various sysctl-settings on rhel-hosts...] #74
  • Enable pam_pwquality in rhel-family > 7 #73
  • Hardening fails on Centos 7.1 at task 'minimize access' #71
  • "irc" user always changed after reboot #53
  • use touch for 10.hardcore.conf to avoid problems with dry-run #314 (schurzi)
  • use touch with no date changes #310 (rndmh3ro)
  • do not touch sysctl file to avoid idempotency problems #309 (rndmh3ro)
  • replace module parameter fixed #297 (danielkubat)
  • Addressing issue #255 #258 (ljkimmel)
  • Fix #247, cleanup conditions #248 (fernandezcuesta)
  • Fix error on applying the sysctl vars on containers #243 (ghost)
  • Update location of NSA RHEL 5 Guide #235 (jaredledvina)
  • Fix typo #212 (ruslo)
  • Update modprobe to 0644 #211 (joshuatalb)
  • Test Kitchen Vagrant Fixes #210 (joshuatalb)
  • readme
  • fix ansible lint remarks #204 (rndmh3ro)
  • add colon to user env paths - fix #202 #203 (rndmh3ro)
  • add /usr/bin/su to suid_guid whitelist #199 (ccolic)
  • ensure that permissions to su-binary are not restricted to root user and group only, if os_security_users_allow contains the value change_user #197 (szEvEz)
  • do not install passwdqc on amazon linux #189 (rndmh3ro)
  • add back run opts for debian 8 in travis #184 (rndmh3ro)
  • Fix core dump config file creation when core dumps are disabled #182 (Normo)
  • change minimize access method #181 (rndmh3ro)
  • Fix errors produced by ansible-lint #159 (zbrojny120)
  • replace single ticks with double ticks. fix #151 #152 (rndmh3ro)
  • fixed tag #149 (martinbydefault)
  • Remove rsync from package blacklist #142 (duk3luk3)
  • Updates "tags" parameters on includes in main.yml #66 (conorsch)
  • Suid set def var, fix #64 #63 (rndmh3ro)

Closed issues:

  • Any planned support for RHEL/CentOS 8? #298
  • Consider using find module instead of shell #293
  • Optimize logical OR in when clause #292
  • vfat added to dev-sec.conf, but efi is used #288
  • The state of the galaxy release #269
  • OpenSUSE Support #249
  • ansible hardening fails on ubuntu 16.04 with msg": "ERROR! 'sysctl_rhel_config' is undefined #147
  • Enhancement: Test with TestInfra and Molecule #128
  • Enhancement: Pin python dependencies for development and testing #127
  • Update readme to include baselines #122
  • Error running on RHEL 7 due to syntax issues #112
  • disable password age #109
  • Permissions on /etc/shadow can lock out GUI users #86
  • network related sysctl rewritten by ufw in ubuntu #82
  • ansible >= 2.0 complains: Using bare variables is deprecated #78
  • Hardening fails on Centos 7.1 at task 'remove suid/sgid bit from all binaries except in system and user whitelist' #72
  • ansible 2.0 | "remove suid/sgid" task fails #64
  • Custom sysctl #50
  • Fix directory structure. #48
  • pam auth update error #47
  • ansible-os-hardening/tasks/minimize_access.yml #38
  • Role configuration. vars/main.yml? #34
  • Sysctl reloading #18
  • Add conditions for disabling of ip forwarding #15
  • Disable System Accounts #6

Merged pull requests:

* This Changelog was automatically generated by github_changelog_generator