v2.1.0-rc.3

What's Changed

• add kernel_lockdown variable by @konstruktoid in #648

Full Changelog: v2.1.0-rc.2...v2.1.0-rc.3

v2.1.0-rc2

What's Changed

• add ufw_rate_limit variable by @konstruktoid in #608
• ensure upgrade dont change by @konstruktoid in #610
• Vagrantfile: Added Bookworm by @jdaln in #615
• set restrictive permssions on journal files by @konstruktoid in #622
• add additional kernel configuration options by @konstruktoid in #624
• add additional sysctl variables by @konstruktoid in #625
• replace Ubuntu 20.04 with Ubuntu 24.04 (Noble Numbat) by @konstruktoid in #630
• ensure kdump-tools are masked by @konstruktoid in #635
• replace focal with noble in the Vagrantfile by @konstruktoid in #636
• add custom installations and extend tests by @konstruktoid in #638
• dont try to install empty lists by @konstruktoid in #637
• ignore case in UFW comments by @konstruktoid in #639

New Contributors

• @jdaln made their first contribution in #615

Full Changelog: v2.0.4...v2.1.0-rc.2

v2.1.0-rc.1

What's Changed

• add ufw_rate_limit variable by @konstruktoid in #608
• set restrictive permssions on journal files by @konstruktoid in #622
• add additional kernel configuration options by @konstruktoid in #624
• add additional sysctl variables by @konstruktoid in #625
• replace Ubuntu 20.04 with Ubuntu 24.04 (Noble Numbat) by @konstruktoid in #630
• ensure kdump-tools are masked by @konstruktoid in #635
• ignore case in UFW comments by @konstruktoid in #639

New Contributors

• @jdaln made their first contribution in #615

Full Changelog: v2.0.4...v2.1.0-rc.1

v2.0.4

What's Changed

• update test docs by @konstruktoid in #601
• dont recurse when creating custom facts directories by @konstruktoid in #602

Full Changelog: v2.0.3...v2.0.4

v2.0.3

What's Changed

• add journald variables by @konstruktoid in #581
• add aide_dir_exclusions variable and use include directories if present by @konstruktoid in #587
• ensure usb/devices exists before installing USBGuard by @konstruktoid in #591

Full Changelog: v2.0.2...v2.0.3

v2.0.2

What's Changed

• document the sysctl_conf_dir variable by @konstruktoid in #572
• add auditd_enable_flag variable by @konstruktoid in #578

Full Changelog: v2.0.1...v2.0.2

v2.0.1

What's Changed

• set sysctl conf dir as default variable by @konstruktoid in #571

Full Changelog: v2.0.0...v2.0.1

v2.0.0

What's Changed

This is a breaking release, read the documentation and update any variables effected

Changes include, but are not limited to:

• variables with multiple configuration options are now lists
• manage_aide, manage_auditd, manage_timesyncd, manage_faillock, manage_ssh, manage_ufw, manage_usbguard, manage_resolved, manage_rkhunter, manage_compilers are variables that can be set to false if configuration of named services is done outside of this role
• blocking blacklisted kernel modules is now the default and not optional
• automatic_updates: true will install and configure dnf-automatic or unattended-upgrades, depending on the distribution
• the sshd_update_moduli variable, if set to true, will download a updated moduli file from the konstruktoid/ssh-moduli repository.
• all template paths are now variables

What's Changed

• add extra comment in template files by @cleberb in #399
• add passlib dependency by @konstruktoid in #402
• fix template variable for task mount.yml by @cleberb in #398
• correct grep exit codes by @konstruktoid in #406
• improvements restrict compilers by @cleberb in #403
• update suid list from @GTFOBins by @konstruktoid in #415
• extend sshd configuration by @cleberb in #401
• faillock and password hash improvements by @cleberb in #421
• add sshd_match_user variables by @konstruktoid in #428
• fix sshd configuration by @cleberb in #430
• changed sysctl configuration to exclusively use templates. by @KoenDG in #431
• move ipv6 into main sysctl file, add one for ufw settings by @konstruktoid in #433
• rename sysctl files by @konstruktoid in #434
• defaults readability by @konstruktoid in #439
• rewrite audit rules by @konstruktoid in #440
• ensure TMOUT and shell umask settings by @konstruktoid in #448
• handle sysctl VLANs by @sgnsys3 in #405
• ensure motd-news is masked by @konstruktoid in #467
• refactor and verify rsyslog FileCreateMode by @konstruktoid in #468
• ensure package managers clean and remove after installation by @konstruktoid in #469
• loop default deny by @konstruktoid in #471
• consistent command and shell usage by @konstruktoid in #472
• remove pam backups by @konstruktoid in #474
• refactor auditd rules by @konstruktoid in #475
• add local accounts to password list by @konstruktoid in #476
• fix local passwords by @konstruktoid in #478
• update test boxes by @konstruktoid in #479
• remove dsa host keys, generate ecdsa and ed25519 by @konstruktoid in #483
• add variable to update ssh moduli file by @konstruktoid in #486
• disable systemd-journal-remote by @konstruktoid in #488
• add session_timeout variable and declare TMOUT by @konstruktoid in #489
• add rsyslog FileCreateMode variable by @konstruktoid in #490
• add tmout verification by @konstruktoid in #491
• merge kernel module tasks by @konstruktoid in #492
• fix sshd host key permissions by @konstruktoid in #493
• set correct permissions on sysctl configuration files by @konstruktoid in #499
• handle missing pam file by @konstruktoid in #500
• get version from sshd instead of the client by @konstruktoid in #501
• ensure kmod is installed by @konstruktoid in #504
• require ansible 2.15 by @konstruktoid in #510
• add support for automatic updates by @konstruktoid in #512
• blacklist blocked kernel modules by @konstruktoid in #518
• convert dns defaults to list by @konstruktoid in #519
• convert ntp defaults to list by @konstruktoid in #520
• use ntp servers with IPv4 and IPv6 support by @konstruktoid in #522
• verify sysctl settings using systemd-sysctl by @konstruktoid in #523
• use only @cloudflare and @Quad9DNS DNS servers by @konstruktoid in #524
• add @USBGuard management by @konstruktoid in #529
• rename ufw_enable to manage_ufw and handle disconnects better by @konstruktoid in #530
• split when: for readability by @konstruktoid in #531
• rename default variables to manage_ by @konstruktoid in #532
• put apt hardening options in variable by @andersuno in #539
• add apt configuration verification by @konstruktoid in #540
• add option to manage sysctl by @konstruktoid in #542
• refactor tags by @konstruktoid in #545
• redhat block named after debian by @KoenDG in #546
• restructure dnf, ssh and yum tags by @konstruktoid in #547
• add manage_resolved by @konstruktoid in #548
• add manage_rkhunter and extend configuration by @konstruktoid in #556
• add manage_compilers variable and verification by @konstruktoid in #559
• add AuthorizedPrincipalsFile and TrustedUserCAKeys to sshd config by @konstruktoid in #560
• dont repeat keywords in blocks by @konstruktoid in #562

Full Changelog: v1.15.0...v2.0.0

v2.0.0-rc.4

What's Changed

• add manage_compilers variable and verification by @konstruktoid in #559
• add AuthorizedPrincipalsFile and TrustedUserCAKeys to sshd config by @konstruktoid in #560
• dont repeat keywords in blocks by @konstruktoid in #562

Full Changelog: v2.0.0-rc.3...v2.0.0-rc.4

v2.0.0-rc.3

What's Changed

• add manage_rkhunter and extend configuration by @konstruktoid in #556

Full Changelog: v2.0.0-rc.2...v2.0.0-rc.3