Releases: konstruktoid/ansible-role-hardening
v2.1.0-rc.3
What's Changed
- add kernel_lockdown variable by @konstruktoid in #648
Full Changelog: v2.1.0-rc.2...v2.1.0-rc.3
v2.1.0-rc2
What's Changed
- add ufw_rate_limit variable by @konstruktoid in #608
- ensure upgrade don't change by @konstruktoid in #610
- Vagrantfile: Added Bookworm by @jdaln in #615
- set restrictive permissions on journal files by @konstruktoid in #622
- add additional kernel configuration options by @konstruktoid in #624
- add additional sysctl variables by @konstruktoid in #625
- replace Ubuntu 20.04 with Ubuntu 24.04 (Noble Numbat) by @konstruktoid in #630
- ensure kdump-tools are masked by @konstruktoid in #635
- replace focal with noble in the Vagrantfile by @konstruktoid in #636
- add custom installations and extend tests by @konstruktoid in #638
- don't try to install empty lists by @konstruktoid in #637
- ignore case in UFW comments by @konstruktoid in #639
Full Changelog: v2.0.4...v2.1.0-rc.2
v2.1.0-rc.1
What's Changed
- add ufw_rate_limit variable by @konstruktoid in #608
- set restrictive permissions on journal files by @konstruktoid in #622
- add additional kernel configuration options by @konstruktoid in #624
- add additional sysctl variables by @konstruktoid in #625
- replace Ubuntu 20.04 with Ubuntu 24.04 (Noble Numbat) by @konstruktoid in #630
- ensure kdump-tools are masked by @konstruktoid in #635
- ignore case in UFW comments by @konstruktoid in #639
Full Changelog: v2.0.4...v2.1.0-rc.1
v2.0.4
What's Changed
- update test docs by @konstruktoid in #601
- don't recurse when creating custom facts directories by @konstruktoid in #602
Full Changelog: v2.0.3...v2.0.4
v2.0.3
What's Changed
- add journald variables by @konstruktoid in #581
- add aide_dir_exclusions variable and use include directories if present by @konstruktoid in #587
- ensure usb/devices exists before installing USBGuard by @konstruktoid in #591
Full Changelog: v2.0.2...v2.0.3
v2.0.2
What's Changed
- document the sysctl_conf_dir variable by @konstruktoid in #572
- add auditd_enable_flag variable by @konstruktoid in #578
Full Changelog: v2.0.1...v2.0.2
v2.0.1
What's Changed
- set sysctl conf dir as default variable by @konstruktoid in #571
Full Changelog: v2.0.0...v2.0.1
v2.0.0
What's Changed
This is a breaking release; read the documentation and update any affected variables.
Changes include, but are not limited to:
- variables with multiple configuration options are now lists
- manage_aide, manage_auditd, manage_timesyncd, manage_faillock, manage_ssh, manage_ufw, manage_usbguard, manage_resolved, manage_rkhunter, manage_compilers are variables that can be set to false if configuration of named services is done outside of this role
- blocking blacklisted kernel modules is now the default and not optional
- automatic_updates: true will install and configure dnf-automatic or unattended-upgrades, depending on the distribution
- the sshd_update_moduli variable, if set to true, will download an updated moduli file from the konstruktoid/ssh-moduli repository.
- all template paths are now variables
What's Changed
- add extra comment in template files by @cleberb in #399
- add passlib dependency by @konstruktoid in #402
- fix template variable for task mount.yml by @cleberb in #398
- correct grep exit codes by @konstruktoid in #406
- improvements restrict compilers by @cleberb in #403
- update suid list from @GTFOBins by @konstruktoid in #415
- extend sshd configuration by @cleberb in #401
- faillock and password hash improvements by @cleberb in #421
- add sshd_match_user variables by @konstruktoid in #428
- fix sshd configuration by @cleberb in #430
- changed sysctl configuration to exclusively use templates. by @KoenDG in #431
- move ipv6 into main sysctl file, add one for ufw settings by @konstruktoid in #433
- rename sysctl files by @konstruktoid in #434
- defaults readability by @konstruktoid in #439
- rewrite audit rules by @konstruktoid in #440
- ensure TMOUT and shell umask settings by @konstruktoid in #448
- handle sysctl VLANs by @sgnsys3 in #405
- ensure motd-news is masked by @konstruktoid in #467
- refactor and verify rsyslog FileCreateMode by @konstruktoid in #468
- ensure package managers clean and remove after installation by @konstruktoid in #469
- loop default deny by @konstruktoid in #471
- consistent command and shell usage by @konstruktoid in #472
- remove pam backups by @konstruktoid in #474
- refactor auditd rules by @konstruktoid in #475
- add local accounts to password list by @konstruktoid in #476
- fix local passwords by @konstruktoid in #478
- update test boxes by @konstruktoid in #479
- remove dsa host keys, generate ecdsa and ed25519 by @konstruktoid in #483
- add variable to update ssh moduli file by @konstruktoid in #486
- disable systemd-journal-remote by @konstruktoid in #488
- add session_timeout variable and declare TMOUT by @konstruktoid in #489
- add rsyslog FileCreateMode variable by @konstruktoid in #490
- add tmout verification by @konstruktoid in #491
- merge kernel module tasks by @konstruktoid in #492
- fix sshd host key permissions by @konstruktoid in #493
- set correct permissions on sysctl configuration files by @konstruktoid in #499
- handle missing pam file by @konstruktoid in #500
- get version from sshd instead of the client by @konstruktoid in #501
- ensure kmod is installed by @konstruktoid in #504
- require ansible 2.15 by @konstruktoid in #510
- add support for automatic updates by @konstruktoid in #512
- blacklist blocked kernel modules by @konstruktoid in #518
- convert dns defaults to list by @konstruktoid in #519
- convert ntp defaults to list by @konstruktoid in #520
- use ntp servers with IPv4 and IPv6 support by @konstruktoid in #522
- verify sysctl settings using systemd-sysctl by @konstruktoid in #523
- use only @cloudflare and @Quad9DNS DNS servers by @konstruktoid in #524
- add @USBGuard management by @konstruktoid in #529
- rename ufw_enable to manage_ufw and handle disconnects better by @konstruktoid in #530
- split when: for readability by @konstruktoid in #531
- rename default variables to manage_ by @konstruktoid in #532
- put apt hardening options in variable by @andersuno in #539
- add apt configuration verification by @konstruktoid in #540
- add option to manage sysctl by @konstruktoid in #542
- refactor tags by @konstruktoid in #545
- redhat block named after debian by @KoenDG in #546
- restructure dnf, ssh and yum tags by @konstruktoid in #547
- add manage_resolved by @konstruktoid in #548
- add manage_rkhunter and extend configuration by @konstruktoid in #556
- add manage_compilers variable and verification by @konstruktoid in #559
- add AuthorizedPrincipalsFile and TrustedUserCAKeys to sshd config by @konstruktoid in #560
- don't repeat keywords in blocks by @konstruktoid in #562
Full Changelog: v1.15.0...v2.0.0
v2.0.0-rc.4
What's Changed
- add manage_compilers variable and verification by @konstruktoid in #559
- add AuthorizedPrincipalsFile and TrustedUserCAKeys to sshd config by @konstruktoid in #560
- don't repeat keywords in blocks by @konstruktoid in #562
Full Changelog: v2.0.0-rc.3...v2.0.0-rc.4
v2.0.0-rc.3
What's Changed
- add manage_rkhunter and extend configuration by @konstruktoid in #556
Full Changelog: v2.0.0-rc.2...v2.0.0-rc.3