Use pam_pwhistory.so instead of pam_unix.so for remembering old passwords #431 (joubbi)
Remove comments from PAM config file, but keep it in the template #430 (joubbi)
add support for using a proxy to test with molecule #429 (rndmh3ro)
Improve Documentation for sysctl defaults #418 (joubbi)

7.3.0 (2021-03-16)

Full Changelog

Implemented enhancements:

pam_tally2 is deprecated in RHEL8 and pam_faillock should be used in EL7 and EL8 instead. #377
Replace pam_tally2 with pam_faillock in Redhat #273
Extend GSSAPI configuration support to ssh_config #403 (wzzrd)
add restart handler variable for mysql role #399 (rndmh3ro)
restructure PAM handling and update for currently supported Linux distributions #392 (schurzi)

Fixed bugs:

Not able to use sudo command for user authenticated via ActiveDirectory #278
You shouldn't touch /etc/pam.d/system-auth-ac in RedHat/CentOS #252

Closed issues:

Netdata monitoring of docker in docker no longer possible #412
Unable to connect with SSH (Permission denied (publickey)) #411
TASK [os_hardening : configure auditd | package-08] #410
Collection throws undefined ansible_role_name error in auditd task #409
Ensure permissions on /etc/crontab are configured #375
Documentation should be updated #361

Merged pull requests:

Improve Release Action #421 (schurzi)
remove FQCN from roles in examples #420 (schurzi)
Ensure permissions on /etc/crontab are configured #405 (joubbi)
remove FQCN from roles in examples #404 (schurzi)
do not install mysql python package on target host #401 (rndmh3ro)
make wrong password fail task #400 (rndmh3ro)

7.2.0 (2021-02-10)

Full Changelog

Implemented enhancements:

Add variable to specify SSH host RSA key size #394 (Normo)
Set default for ssh host key files only when hardening the server #393 (Normo)

Fixed bugs:

A reason why instance would go in rescue mode ? #267
fix galaxy action to update local galaxy.yml #395 (Normo)

Closed issues:

Updating version in galaxy.yml should be part of the release process #396
ssh_hardening fail on keypair generation #388
The system must display the date and time of the last successful account logon upon an SSH logon. #362
Error in "root password is present" step #326

Merged pull requests:

update ansible-lint to version 5 #397 (schurzi)
fix minimum required ansible version in docs #390 (schurzi)

7.1.1 (2021-02-05)

Full Changelog

Fixed bugs:

use fqcn for community.crypto.openssh_keypair module #389 (schurzi)

Closed issues:

AnsibleUndefinedVariable: 'ansible_role_name' is undefined with 7.1.0 #387

7.1.0 (2021-02-02)

Full Changelog

Implemented enhancements:

Default value for ssh_max_startups should be changed #366
Comment in configuration files should state which collection was there #345
Error on applying the sysctl vars on Debian Jessy #230
add Support for OpenSSH HostCertificate config option #380 (mpraeger)
Syncookie #372 (joubbi)
Sorted sysctl values and lists in READMEs alphabetically No functional changes. #371 (joubbi)
make auditd 'max_log_file' configurable #370 (tgueldner-mms)
reduce maximum unauthenticated ssh sessions #368 (schurzi)
add a runtime.yml to declare minimum ansible version #363 (rndmh3ro)
change inclusion of os specific defaults #353 (schurzi)
make the os_env_umask variable usable #351 (sprat)
Fix #348: make ssh configuration files paths configurable #350 (sprat)
Removed Protocol statement in later versions of sshd, since the code … #342 (joubbi)
Improvements of comments in opensshd.conf.j2 #338 #339 (joubbi)

Fixed bugs:

Comments in opensshd.conf.j2 should be improved #338
check for correct cpu vendor in initramfs-tools #374 (schurzi)
set hidepid=0 on RHEL/CentOS 7 #369 (schurzi)

Closed issues:

initramfs-tools modules.j2 does not seem to be able to detect AMD CPUs #373
How do i install this on Centos 8? #367
hidepid=2 gives error when running systemctl on EL7 #364
Allow putting the ssh/sshd config in alternative files #348
os_env_umask has no effect #344
Don't modify /etc/sysctl.conf #343

Merged pull requests:

use version tag for changelog action #386 (schurzi)
make release workflow manually runnable #384 (schurzi)
run labeler workflow with higher privileges #383 (schurzi)
remove issue labels from changelog #382 (schurzi)
Added comment on top of templates about which role manages the file #378 (joubbi)
Regenerate RSA key with size 4096 bits #376 (ssttehrani)
fix second changelog generation task, too #349 (rndmh3ro)
fix changelog generation #341 (rndmh3ro)
Improve README for ssh_hardening #335 (szEvEz)

7.0.0 (2020-11-11)

Full Changelog

Breaking changes:

Move all roles to one single collection #332 (rndmh3ro)

Implemented enhancements:

Breaking change in ansible-lint - set file permissions explicitly #299
Configure audit=1 for more accurate auid auditing #253
Add Debian Buster support for ansible-os-hardening #233
Add CentOS 8 support for ansible-os-hardening #232
Speed up "minimize access on found files" task #208
Fedora support? #163
Update some RH settings in this role #155
Add selinux configuration #154
Warning about "include" for tasks for ansible-playbook 2.4.0 devel f0a5854e39 #131
Removal of core dump hardening configuration if core dumps are allowed #129
Description of the Ansible roles of dev-sec says "This Ansible playbook" #97
Improve Documentation #315 (schurzi)
Arch support #303 (rndmh3ro)
fix linting for molecule #301 (schurzi)
file permissions explicitly defined #300 (danielkubat)
Optimize and unify when clause #295 (Alexhha)
use find module instead of shell #294 (danielkubat)
improve testing #287 (schurzi)
Mount proc filesystem using hidepid option #283 (alegrey91)
unify changelog and release actions #279 (rndmh3ro)
purge insecure packages #275 (chris-rock)
add changelog and release workflow #271 (rndmh3ro)
github action for changelog generation #270 (rndmh3ro)
Make useradd defaults in login.defs dependent on OS #266 (aisbergg)
Add kernel hardening parameters from Tails and CIS Benchmark #263 (kravietz)
add ansible-lint #262 (rndmh3ro)
Remove trailing space #261 (kravietz)
Add kernel parameter information to README #259 (jaredledvina)
Remove trailing whitespaces ansible-lint 201 #254 (kravietz)
Standardize the var ordering #251 (dustinmiller)
Add intial support for OpenSUSE #250 (dustinmiller)
Make max_log_file_action for auditd configurable #246 (jandd)
Add exception in sysctl task #240 (ghost)
Fedora - Use new auto ansible_python_interpreter for dnf #239 (jaredledvina)
add test support for CentOS8 #237 (yeoldegrove)
Support configuring SELinux and default to enforcing #236 (jaredledvina)
Add test support for debian buster #234 (123Haynes)
Changed local var name to a less common one #231 (rgarrigue)
Use ansible facts for vars #226 (joshuatalb)
Fix deprecation warnings in Ansible 2.8 #224 (Normo)
add docs to find-task in minimize access. fix #219 #220 (rndmh3ro)
remove eol'd OS and add new #217 (rndmh3ro)
Add note about docker under warning #214 (ChrisMcKee)
change minimize access tasks to speed them up #209 (rndmh3ro)
Added fedora support #206 (jonaswre)
Pass package list directly to apt and yum modules without using with_items loop #200 (Normo)
add ubuntu 1804 support #196 (rndmh3ro)
add option to disable auditd #192 (rndmh3ro)
fix problems with efi and vfat #190 (rndmh3ro)
added os_hardening_enabled flag #186 (jcheroske)
add amazon run opts to travis #183 (rndmh3ro)
use package instead of yum and apt #180 (rndmh3ro)
add oracle7 to travis #178 (rndmh3ro)
fix wrong permissions passwdqc #170 #176 (rndmh3ro)
ipv4 forwarding comment is inconsistent with example #174 (carchrae)
Rename pam_passwdqd.j2 to pam_passwdqc.j2 #172 (martinbydefault)
Use package state 'present' since 'installed' is deprecated #168 (Normo)
Update syntax to Ansible 2.4 #161 (thomasjpfan)
add amazon linux testing #160 (rndmh3ro)
Add support for Amazon Linux #158 (woneill)
Don't create home for system accounts #156 (oakey-b1)
Prevent disabling of filesystems via whitelist #153 (manuelprinz)
Add kernel hardening settings from Ubuntu /etc/sysctl.d #150 (kravietz)
Removal of core dump hardening configuration if core dumps are allowed #146 (martinbydefault)
install and configure auditd - fix inspec package-08 #144 (rndmh3ro)
add missing sysctl parameter #143 (rndmh3ro)
update readme #139 (rndmh3ro)
add modprobe template, control os-10 #138 (rndmh3ro)
new task for delete netrc files, control os-09 #137 (rndmh3ro)
add passwd task, control os-03 #136 (rndmh3ro)
remove prelink package, control package-09 #135 (rndmh3ro)
style update #134 (rndmh3ro)
Remove deprecated include for static tasks and use instead import_tasks fix #131 #132 (HelioCampos)
Fix ansible.cfg and use comment filter #130 (fazlearefin)
install initramfs-tools #114 (rndmh3ro)
omit empty variables #106 (rndmh3ro)
Supports --check mode #93 (conorsch)
Adds support for CentOS 7 #91 (conorsch)
Docker #90 (rndmh3ro)
debian 8 support #88 (rndmh3ro)
Ufw manage defaults #85 (fitz123)
replace ignore_errors to failed_when to supress ugly error warnings #81 (fitz123)
fix bare variables usage for loops #79 (fitz123)
update platforms in meta-file #69 (rndmh3ro)
add webhook for ansible galaxy #68 (rndmh3ro)
Move sysctl vars to defaults #67 (rndmh3ro)
make sys_uid and sys_gid configurable #62 (rndmh3ro)
Ansible 2.0 support #59 (rndmh3ro)
use inspec as test framework #58 (chris-rock)
Packages as attributes #57 (rndmh3ro)
Change categories to tags for upcoming ansible 2.0 #56 (rndmh3ro)
Add SINGLE and PROMPT parameters. #55 (rndmh3ro)
add changelog generator #54 (chris-rock)

Fixed bugs:

Task "set 10.hardcore.conf perms to 0400 and root ownership" fails in check mode #313
Inconsistent use of role vars/role defaults #284
Is it safe to use on Debian 10? The build is failing. #281
/etc/login.defs alters centos 7/8 default values #265
Invalid Conditionals in user_accounts.yml #255
auth-system related files are created for non-RHEL systems e.g. Debian #247
NSA website links are stale #227
Running ansible on python3 throughs "TypeError: '<=' not supported between instances of 'str' and 'int'" #223
```
lots of
```
squash_actions deprecation warning #218
login.defs.j2 template: ENV_PATH is missing ':' before variable substitution #202
auditd causing v5.0 to fail on unpriviledged LXC's #191
Setting os_security_users_allow has no effect #175
minimize_access: maximum recursion depth exceeded on Ansible 2.5 #171
wrong permissions passwdqc #170
'sysctl_rhel_config' is undefined #167
Update deprecated include statements #166
Strongly recommend against disabling vfat by default #162
bug in ufw.j2 template #151
Add a "don't fail on error" switch ? #148
System completely unresponsive after role execution #145
Why is rsync removed? #141
RHEL 7.4: Too many setuid bits removed #140
Change system accounts not on the user provided ignore-list items are not JSON serializable #125
playbook makes OS undetectable #124
Centos7/RHEL7: Exec shield is enabled by default and not manageable anymore by sysctl.conf #118
Could not find gem 'ruby (>= 2.1.0)' #116
os_security_kernel_enable_sysrq is not implemented #115
The task sysctl fails when /etc/initramfs-tools is not present #111
The role fails when conditionally included #105
Deprecation warning always_run #103
CentOS 7 selinux dependencies #102
ubuntu xenial warning during activate gpg-check for yum-repos #99
rhel_system_auth.j2 is still using pam_passwdqc.so for CentOS 7 #98
Centos 7.1 fails at [Change various sysctl-settings on rhel-hosts...] #74
Enable pam_pwquality in rhel-family > 7 #73
Hardening fails on Centos 7.1 at task 'minimize access' #71
"irc" user always changed after reboot #53
use touch for 10.hardcore.conf to avoid problems with dry-run #314 (schurzi)
use touch with no date changes #310 (rndmh3ro)
do not touch sysctl file to avoid idempotency problems #309 (rndmh3ro)
replace module parameter fixed #297 (danielkubat)
Addressing issue #255 #258 (ljkimmel)
Fix #247, cleanup conditions #248 (fernandezcuesta)
Fix error on applying the sysctl vars on containers #243 (ghost)
Update location of NSA RHEL 5 Guide #235 (jaredledvina)
Fix typo #212 (ruslo)
Update modprobe to 0644 #211 (joshuatalb)
Test Kitchen Vagrant Fixes #210 (joshuatalb)
```
readme
```
fix ansible lint remarks #204 (rndmh3ro)
add colon to user env paths - fix #202 #203 (rndmh3ro)
add /usr/bin/su to suid_guid whitelist #199 (ccolic)
ensure that permissions to su-binary are not restricted to root user and group only, if os_security_users_allow contains the value change_user #197 (szEvEz)
do not install passwdqc on amazon linux #189 (rndmh3ro)
add back run opts for debian 8 in travis #184 (rndmh3ro)
Fix core dump config file creation when core dumps are disabled #182 (Normo)
change minimize access method #181 (rndmh3ro)
Fix errors produced by ansible-lint #159 (zbrojny120)
replace single ticks with double ticks. fix #151 #152 (rndmh3ro)
fixed tag #149 (martinbydefault)
Remove rsync from package blacklist #142 (duk3luk3)
Updates "tags" parameters on includes in main.yml #66 (conorsch)
Suid set def var, fix #64 #63 (rndmh3ro)

Closed issues:

Any planned support for RHEL/CentOS 8? #298
Consider using find module instead of shell #293
Optimize logical OR in when clause #292
vfat added to dev-sec.conf, but efi is used #288
The state of the galaxy release #269
OpenSUSE Support #249
ansible hardening fails on ubuntu 16.04 with msg": "ERROR! 'sysctl_rhel_config' is undefined #147
Enhancement: Test with TestInfra and Molecule #128
Enhancement: Pin python dependencies for development and testing #127
Update readme to include baselines #122
Error running on RHEL 7 due to syntax issues #112
disable password age #109
Permissions on /etc/shadow can lock out GUI users #86
network related sysctl rewritten by ufw in ubuntu #82
ansible >= 2.0 complains: Using bare variables is deprecated #78
Hardening fails on Centos 7.1 at task 'remove suid/sgid bit from all binaries except in system and user whitelist' #72
ansible 2.0 | "remove suid/sgid" task fails #64
Custom sysctl #50
Fix directory structure. #48
pam auth update error #47
ansible-os-hardening/tasks/minimize_access.yml #38
Role configuration. vars/main.yml? #34
Sysctl reloading #18
Add conditions for disabling of ip forwarding #15
Disable System Accounts #6

Merged pull requests:

prettier markdown files action added #322 (danielkubat)
adjust permissions on shadow file on suse #311 (rndmh3ro)
fix fedora build #296 (rndmh3ro)
do not blacklist used filesystems #289 (schurzi)
move hidepid vars into defaults so theyre overwritable #285 (rndmh3ro)
install procps in debian so sysctl.conf exists #282 (rndmh3ro)
move defaults to os-specific vars #157 (rndmh3ro)
Converts set to JSON-serializable list #126 (pestaa)
add more sysctl settings, allow overwriting #120 (rndmh3ro)
remove execshield sysctl-parameter on rhel7 #119 (rndmh3ro)
change shadow owner in debian systems #117 (rndmh3ro)
Rhel7 #113 (tyrken)
use new Docker images #110 (rndmh3ro)
Don’t refer to this role as "playbook" in the role description #104 (ypid)
update template #101 (rndmh3ro)
fix deprecation warning for undefined error. #99 #100 (rndmh3ro)
add rhel7 pam_pwquality. fix #73 #94 (rndmh3ro)
Fix a formatting issue in readme. #92 (vivekagr)
Permits overriding permissions on /etc/shadow #89 (conorsch)
Release 3.0.0 #75 (rndmh3ro)
Add explicit role-path to kitchen.yml #52 (rndmh3ro)
Fix pam passwdqc template #51 (rndmh3ro)
New dir layout #49 (rndmh3ro)
remove duplicate "update pam" task #46 (fitz123)
Fix stuck in case pam files was updated before by force update #45 (fitz123)
Fix nologin shell path #44 (fitz123)
improved travis-tests to cover more cases #42 (rndmh3ro)
Update kitchen-ansible, remove separate debian install #40 (rndmh3ro)
Add mode to su-binary task. Fix #38 #39 (rndmh3ro)
update common kitchen.yml platforms ansible, kitchen_debian.yml platforms ansible #37 (chris-rock)
Change oneliner if-statements to be more readable #36 (rndmh3ro)
Separate system-vars from editable vars. Fix #34 #35 (rndmh3ro)
Create limits.d-directory if it does not exist. #33 (rndmh3ro)
Add correct CONTRIB-file #32 (rndmh3ro)
Add Ansible Galaxy badge #31 (rndmh3ro)
Update readme, todo, changelog, vars #30 (rndmh3ro)
List-cleanup and follow symlinks added #29 (rndmh3ro)
Add module configuration #28 (rndmh3ro)
Fix two sysctl-settings #27 (rndmh3ro)
Add meta-files for Ansible Galaxy #26 (rndmh3ro)
Disable System Accounts. Fix #6 #25 (rndmh3ro)
Use changed_when to avoid changed tasks #24 (rndmh3ro)
Delete authconfig-task on rhel-systems #23 (rndmh3ro)
Add missing rhosts-include task #21 (rndmh3ro)
Change sysctl-task. Fix #18 #20 (rndmh3ro)
Add travis-support #17 (rndmh3ro)
Add conditions for various tasks. Fix #15 #16 (rndmh3ro)
fix configuration of playbook path #14 (chris-rock)
Make tasks clearer #13 (rndmh3ro)
Add remove suid/sgid function #12 (rndmh3ro)
Add task to remove unused repos and pkgs #11 (rndmh3ro)
Edit README to fit to os-hardening #10 (rndmh3ro)
ignore RAs on Ipv6 #9 (rndmh3ro)
Repair debian install script #8 (rndmh3ro)
Separate tasks into multiple smaller files #7 (rndmh3ro)
Enable gpg-check on all yum-repositories #5 (rndmh3ro)
Change playbook-path to accomodate test-repo #4 (rndmh3ro)
treat securetty config as an array #3 (arlimus)
Add Securetty-support #2 (rndmh3ro)
Add profile.conf configuration #1 (rndmh3ro)

* This Changelog was automatically generated by github_changelog_generator

50 KiB Raw Blame History Unescape Escape

Changelog

7.6.1 (2021-04-28)

7.6.0 (2021-04-27)

7.5.0 (2021-04-01)

7.4.0 (2021-03-23)

7.3.0 (2021-03-16)

7.2.0 (2021-02-10)

7.1.1 (2021-02-05)

7.1.0 (2021-02-02)

7.0.0 (2020-11-11)

50 KiB

Raw Blame History