* fix changelog generation

the changelog generation fails because we merged other repos into this one and these commits do not share a common ancestor. see this issue: https://github.com/github-changelog-generator/github-changelog-generator/issues/665

to work around this, we change the changelog generation so all tags older than 7.0.0 will be ignored (--since-tag does not work here because it still works on all tags). This however will remove older releases from the changelog so we move these old releases into a separate file. this is okay for me since these old releases are for ansible-os-hardening and not the collection. the new changelog file will contain all changes since 7.0.0.

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* fix regex in action

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Changelog
6.2.0 (2020-08-17)
Implemented enhancements:
- Optimize and unify when clause #295 [enhancement] [patch] (Alexhha)
- use find module instead of shell #294 [enhancement] [patch] (danielkubat)
- improve testing #287 [enhancement] [minor] (schurzi)
Fixed bugs:
- Inconsistent use of role vars/role defaults #284 [bug]
- replace module parameter fixed #297 [bug] [patch] (danielkubat)
Closed issues:
- Consider using find module instead of shell #293
- Optimize logical OR in when clause #292
- vfat added to dev-sec.conf, but efi is used #288
- OpenSUSE Support #249
Merged pull requests:
- fix fedora build #296 (rndmh3ro)
- do not blacklist used filesystems #289 [patch] (schurzi)
- move hidepid vars into defaults so they're overwritable #285 [patch] (rndmh3ro)
6.1.0 (2020-07-21)
Implemented enhancements:
- Mount proc filesystem using hidepid option #283 [enhancement] [minor] (alegrey91)
Fixed bugs:
Closed issues:
- The state of the galaxy release #269
Merged pull requests:
6.0.3 (2020-06-06)
Implemented enhancements:
- unify changelog and release actions #279 [enhancement] [patch] (rndmh3ro)
6.0.2 (2020-06-02)
Implemented enhancements:
- purge insecure packages #275 [enhancement] [minor] (chris-rock)
6.0.1 (2020-05-09)
Implemented enhancements:
- add changelog and release workflow #271 [enhancement] [patch] (rndmh3ro)
- github action for changelog generation #270 [enhancement] [patch] (rndmh3ro)
6.0.0 (2020-05-05)
Implemented enhancements:
- Configure audit=1 for more accurate auid auditing #253 [enhancement]
- Add Debian Buster support for ansible-os-hardening #233 [enhancement] [hacktoberfest]
- Add CentOS 8 support for ansible-os-hardening #232 [enhancement] [hacktoberfest]
- Add selinux configuration #154 [enhancement] [hacktoberfest] [help wanted]
- Make useradd defaults in login.defs dependent on OS #266 [enhancement] (aisbergg)
- Add kernel hardening parameters from Tails and CIS Benchmark #263 [enhancement] (kravietz)
- add ansible-lint #262 [enhancement] (rndmh3ro)
- Remove trailing space #261 [enhancement] (kravietz)
- Add kernel parameter information to README #259 [enhancement] (jaredledvina)
- Remove trailing whitespaces ansible-lint 201 #254 [enhancement] (kravietz)
- Standardize the var ordering #251 [enhancement] (dustinmiller1337)
- Add initial support for OpenSUSE #250 [enhancement] (dustinmiller1337)
- Make max_log_file_action for auditd configurable #246 [enhancement] (jandd)
- Add exception in sysctl task #240 [enhancement] (ghost)
- Fedora - Use new auto ansible_python_interpreter for dnf #239 [enhancement] (jaredledvina)
- add test support for CentOS8 #237 [enhancement] (yeoldegrove)
- Support configuring SELinux and default to enforcing #236 [enhancement] (jaredledvina)
- Add test support for debian buster #234 [enhancement] (123Haynes)
- Changed local var name to a less common one #231 [enhancement] (rgarrigue)
- Use ansible facts for vars #226 [enhancement] (joshuatalb)
Fixed bugs:
- /etc/login.defs alters centos 7/8 default values #265 [bug] [help wanted]
- Invalid Conditionals in user_accounts.yml #255 [bug]
- auth-system related files are created for non-RHEL systems e.g. Debian #247 [bug]
- NSA website links are stale #227 [bug] [hacktoberfest] [help wanted]
- Running ansible on python3 throws "TypeError: '<=' not supported between instances of 'str' and 'int'" #223 [bug]
-
lots of
- Add a "don't fail on error" switch ? #148 [bug]
- Addressing issue #255 #258 [bug] (ljkimmel)
- Fix #247, cleanup conditions #248 [bug] (fernandezcuesta)
- Fix error on applying the sysctl vars on containers #243 [bug] (ghost)
- Update location of NSA RHEL 5 Guide #235 [bug] (jaredledvina)
5.2.1 (2019-06-09)
Implemented enhancements:
- Fix deprecation warnings in Ansible 2.8 #224 [enhancement] (Normo)
- add docs to find-task in minimize access. fix #219 #220 [enhancement] (rndmh3ro)
Fixed bugs:
- squash_actions deprecation warning #218 [bug] [help wanted]
5.2.0 (2019-05-04)
Implemented enhancements:
- Speed up "minimize access on found files" task #208 [enhancement]
- Fedora support? #163 [enhancement] [help wanted]
- remove eol'd OS and add new #217 [enhancement] (rndmh3ro)
- Add note about docker under warning #214 [enhancement] (ChrisMcKee)
- change minimize access tasks to speed them up #209 [enhancement] (rndmh3ro)
- Added fedora support #206 [enhancement] (jonaswre)
- Pass package list directly to apt and yum modules without using with_items loop #200 [enhancement] (Normo)
Fixed bugs:
- login.defs.j2 template: ENV_PATH is missing ':' before variable substitution #202 [bug]
- 'sysctl_rhel_config' is undefined #167 [bug]
- RHEL 7.4: Too many setuid bits removed #140 [bug] [help wanted]
- Fix typo #212 [bug] (ruslo)
- Update modprobe to 0644 #211 [bug] (joshuatalb)
- Test Kitchen Vagrant Fixes #210 [bug] (joshuatalb)
-
readme
- fix ansible lint remarks #204 [bug] (rndmh3ro)
- add colon to user env paths - fix #202 #203 [bug] (rndmh3ro)
- Fix errors produced by ansible-lint #159 [bug] (zbrojny120)
5.1.0 (2018-10-17)
Implemented enhancements:
- add ubuntu 1804 support #196 [enhancement] (rndmh3ro)
- add option to disable auditd #192 [enhancement] (rndmh3ro)
Fixed bugs:
- auditd causing v5.0 to fail on unprivileged LXCs #191 [bug]
- Setting os_security_users_allow has no effect #175 [bug]
- add /usr/bin/su to suid_guid whitelist #199 [bug] (ccolic)
- ensure that permissions to su-binary are not restricted to root user and group only, if os_security_users_allow contains the value change_user #197 [bug] (szEvEz)
5.0.0 (2018-09-02)
Implemented enhancements:
- Warning about "include" for tasks for ansible-playbook 2.4.0 devel f0a5854e39 #131 [enhancement]
- fix problems with efi and vfat #190 [enhancement] (rndmh3ro)
- added os_hardening_enabled flag #186 [enhancement] (jcheroske)
- add amazon run opts to travis #183 [enhancement] (rndmh3ro)
- use package instead of yum and apt #180 [enhancement] (rndmh3ro)
- add oracle7 to travis #178 [enhancement] (rndmh3ro)
- fix wrong permissions passwdqc #170 #176 [enhancement] (rndmh3ro)
- ipv4 forwarding comment is inconsistent with example #174 [enhancement] (carchrae)
- Rename pam_passwdqd.j2 to pam_passwdqc.j2 #172 [enhancement] (martinbydefault)
- Use package state 'present' since 'installed' is deprecated #168 [enhancement] (Normo)
- Update syntax to Ansible 2.4 #161 [enhancement] (thomasjpfan)
- add amazon linux testing #160 [enhancement] (rndmh3ro)
- Add support for Amazon Linux #158 [enhancement] (woneill)
- install and configure auditd - fix inspec package-08 #144 [enhancement] (rndmh3ro)
- Remove deprecated include for static tasks and use instead import_tasks fix #131 #132 [enhancement] (HelioCampos)
Fixed bugs:
- minimize_access: maximum recursion depth exceeded on Ansible 2.5 #171 [bug]
- wrong permissions passwdqc #170 [bug]
- Update deprecated include statements #166 [bug]
- Strongly recommend against disabling vfat by default #162 [bug]
- System completely unresponsive after role execution #145 [bug]
- do not install passwdqc on amazon linux #189 [bug] (rndmh3ro)
- add back run opts for debian 8 in travis #184 [bug] (rndmh3ro)
- Fix core dump config file creation when core dumps are disabled #182 [bug] (Normo)
- change minimize access method #181 [bug] (rndmh3ro)
4.3.0 (2018-01-03)
Implemented enhancements:
- Update some RH settings in this role #155 [enhancement]
- Removal of core dump hardening configuration if core dumps are allowed #129 [enhancement] [help wanted]
- Don't create home for system accounts #156 [enhancement] (oakey-b1)
- Prevent disabling of filesystems via whitelist #153 [enhancement] (manuelprinz)
- Add kernel hardening settings from Ubuntu /etc/sysctl.d #150 [enhancement] (kravietz)
- Removal of core dump hardening configuration if core dumps are allowed #146 [enhancement] (martinbydefault)
- add missing sysctl parameter #143 [enhancement] [in progress] (rndmh3ro)
- update readme #139 [enhancement] (rndmh3ro)
Fixed bugs:
- bug in ufw.j2 template #151 [bug]
- replace single ticks with double ticks. fix #151 #152 [bug] (rndmh3ro)
- fixed tag #149 [bug] (martinbydefault)
Closed issues:
- ansible hardening fails on ubuntu 16.04 with msg": "ERROR! 'sysctl_rhel_config' is undefined #147
- Enhancement: Test with TestInfra and Molecule #128
Merged pull requests:
4.3.1 (2017-09-13)
Fixed bugs:
4.2.0 (2017-08-08)
Implemented enhancements:
- add modprobe template, control os-10 #138 [enhancement] (rndmh3ro)
- new task for delete netrc files, control os-09 #137 [enhancement] (rndmh3ro)
- add passwd task, control os-03 #136 [enhancement] (rndmh3ro)
- remove prelink package, control package-09 #135 [enhancement] (rndmh3ro)
- style update #134 [enhancement] (rndmh3ro)
- Fix ansible.cfg and use comment filter #130 [enhancement] (fazlearefin)
Fixed bugs:
- Why is rsync removed? #141 [bug]
- playbook makes OS undetectable #124 [bug]
- Centos7/RHEL7: Exec shield is enabled by default and not manageable anymore by sysctl.conf #118 [bug]
- Remove rsync from package blacklist #142 [bug] (duk3luk3)
Merged pull requests:
4.1.0 (2017-06-27)
Fixed bugs:
- Change system accounts not on the user provided ignore-list items are not JSON serializable #125 [bug]
- Could not find gem 'ruby (>= 2.1.0)' #116 [bug]
- The task sysctl fails when /etc/initramfs-tools is not present #111 [bug]
- Deprecation warning always_run #103 [bug]
Closed issues:
- Enhancement: Pin python dependencies for development and testing #127
- Update readme to include baselines #122
Merged pull requests:
- Converts set to JSON-serializable list #126 (pestaa)
- add more sysctl settings, allow overwriting #120 (rndmh3ro)
4.0.0 (2017-03-14)
Implemented enhancements:
- Description of the Ansible roles of dev-sec says "This Ansible playbook" #97 [enhancement]
- install initramfs-tools #114 [enhancement] (rndmh3ro)
- omit empty variables #106 [bug] [enhancement] (rndmh3ro)
Fixed bugs:
Closed issues:
Merged pull requests:
- change shadow owner in debian systems #117 (rndmh3ro)
- Rhel7 #113 (tyrken)
- use new Docker images #110 (rndmh3ro)
- Don’t refer to this role as "playbook" in the role description #104 (ypid)
3.2.0 (2016-10-24)
Fixed bugs:
- CentOS 7 selinux dependencies #102 [bug]
- ubuntu xenial warning during activate gpg-check for yum-repos #99 [bug]
- rhel_system_auth.j2 is still using pam_passwdqc.so for CentOS 7 #98 [bug]
- Enable pam_pwquality in rhel-family > 7 #73 [bug] [help wanted]
- "irc" user always changed after reboot #53 [bug] [help wanted]
Merged pull requests:
- update template #101 (rndmh3ro)
- fix deprecation warning for undefined error. #99 #100 (rndmh3ro)
- add rhel7 pam_pwquality. fix #73 #94 (rndmh3ro)
3.1.0 (2016-08-03)
3.1 (2016-07-27)
Implemented enhancements:
- Supports --check mode #93 [enhancement] (conorsch)
- Adds support for CentOS 7 #91 [enhancement] (conorsch)
- Docker #90 [enhancement] (rndmh3ro)
- debian 8 support #88 [enhancement] (rndmh3ro)
- Ufw manage defaults #85 [enhancement] (fitz123)
- replace ignore_errors to failed_when to suppress ugly error warnings #81 [enhancement] (fitz123)
- fix bare variables usage for loops #79 [enhancement] (fitz123)
Fixed bugs:
- Centos 7.1 fails at [Change various sysctl-settings on rhel-hosts...] #74 [bug]
- Hardening fails on Centos 7.1 at task 'minimize access' #71 [bug] [help wanted]
Closed issues:
- Permissions on /etc/shadow can lock out GUI users #86
- network related sysctl rewritten by ufw in ubuntu #82
- ansible >= 2.0 complains: Using bare variables is deprecated #78
Merged pull requests:
- Fix a formatting issue in readme. #92 (vivekagr)
- Permits overriding permissions on /etc/shadow #89 (conorsch)
3.0.0 (2016-03-13)
Implemented enhancements:
- update platforms in meta-file #69 [enhancement] (rndmh3ro)
- add webhook for ansible galaxy #68 [enhancement] (rndmh3ro)
- Move sysctl vars to defaults #67 [enhancement] (rndmh3ro)
- make sys_uid and sys_gid configurable #62 [enhancement] (rndmh3ro)
- Ansible 2.0 support #59 [enhancement] (rndmh3ro)
- use inspec as test framework #58 [enhancement] (chris-rock)
- Packages as attributes #57 [enhancement] (rndmh3ro)
- Change categories to tags for upcoming ansible 2.0 #56 [enhancement] (rndmh3ro)
- Add SINGLE and PROMPT parameters. #55 [enhancement] (rndmh3ro)
- add changelog generator #54 [enhancement] (chris-rock)
Fixed bugs:
- Updates "tags" parameters on includes in main.yml #66 [bug] (conorsch)
- Suid set def var, fix #64 #63 [bug] (rndmh3ro)
Closed issues:
- Hardening fails on Centos 7.1 at task 'remove suid/sgid bit from all binaries except in system and user whitelist' #72
- ansible 2.0 | "remove suid/sgid" task fails #64
- Custom sysctl #50
Merged pull requests:
2.0.0 (2015-11-28)
Closed issues:
Merged pull requests:
- Add explicit role-path to kitchen.yml #52 (rndmh3ro)
- Fix pam passwdqc template #51 (rndmh3ro)
- New dir layout #49 (rndmh3ro)
- remove duplicate "update pam" task #46 (fitz123)
- Fix stuck in case pam files was updated before by force update #45 (fitz123)
- Fix nologin shell path #44 (fitz123)
- improved travis-tests to cover more cases #42 (rndmh3ro)
1.0.0 (2015-09-01)
Closed issues:
- ansible-os-hardening/tasks/minimize_access.yml #38
- Role configuration. vars/main.yml? #34
- Sysctl reloading #18
- Add conditions for disabling of ip forwarding #15
- Disable System Accounts #6
Merged pull requests:
- Update kitchen-ansible, remove separate debian install #40 (rndmh3ro)
- Add mode to su-binary task. Fix #38 #39 (rndmh3ro)
- update common kitchen.yml platforms ansible, kitchen_debian.yml platforms ansible #37 (chris-rock)
- Change oneliner if-statements to be more readable #36 (rndmh3ro)
- Separate system-vars from editable vars. Fix #34 #35 (rndmh3ro)
- Create limits.d-directory if it does not exist. #33 (rndmh3ro)
- Add correct CONTRIB-file #32 (rndmh3ro)
- Add Ansible Galaxy badge #31 (rndmh3ro)
- Update readme, todo, changelog, vars #30 (rndmh3ro)
- List-cleanup and follow symlinks added #29 (rndmh3ro)
- Add module configuration #28 (rndmh3ro)
- Fix two sysctl-settings #27 (rndmh3ro)
- Add meta-files for Ansible Galaxy #26 (rndmh3ro)
- Disable System Accounts. Fix #6 #25 (rndmh3ro)
- Use changed_when to avoid changed tasks #24 (rndmh3ro)
- Delete authconfig-task on rhel-systems #23 (rndmh3ro)
- Add missing rhosts-include task #21 (rndmh3ro)
- Change sysctl-task. Fix #18 #20 (rndmh3ro)
- Add travis-support #17 (rndmh3ro)
- Add conditions for various tasks. Fix #15 #16 (rndmh3ro)
- fix configuration of playbook path #14 (chris-rock)
- Make tasks clearer #13 (rndmh3ro)
- Add remove suid/sgid function #12 (rndmh3ro)
- Add task to remove unused repos and pkgs #11 (rndmh3ro)
- Edit README to fit to os-hardening #10 (rndmh3ro)
- ignore RAs on Ipv6 #9 (rndmh3ro)
- Repair debian install script #8 (rndmh3ro)
- Separate tasks into multiple smaller files #7 (rndmh3ro)
- Enable gpg-check on all yum-repositories #5 (rndmh3ro)
- Change playbook-path to accommodate test-repo #4 (rndmh3ro)
- treat securetty config as an array #3 (arlimus)
- Add Securetty-support #2 (rndmh3ro)
- Add profile.conf configuration #1 (rndmh3ro)
* This Changelog was automatically generated by github_changelog_generator