Releases: konstruktoid/ansible-role-hardening
v2.0.0-rc.3
What's Changed
- add manage_rkhunter and extend configuration by @konstruktoid in #556
Full Changelog: v2.0.0-rc.2...v2.0.0-rc.3
v2.0.0-rc.2
What's Changed
- put apt hardening options in variable by @andersuno in #539
- add apt configuration verification by @konstruktoid in #540
- add option to manage sysctl by @konstruktoid in #542
- refactor tags by @konstruktoid in #545
- redhat block named after debian by @KoenDG in #546
- restructure dnf, ssh and yum tags by @konstruktoid in #547
- add manage_resolved by @konstruktoid in #548
New Contributors
- @andersuno made their first contribution in #539
Full Changelog: v2.0.0-rc.1...v2.0.0-rc.2
v2.0.0-rc.1 - Breaking
This is a breaking release; read the documentation and update any affected variables.
Changes include:
- variables with multiple configuration options are now lists
- manage_aide, manage_auditd, manage_timesyncd, manage_faillock, manage_ssh, manage_ufw, manage_usbguard are variables that can be set to false if configuration of named services is done outside of this role
- blocking blacklisted kernel modules is now the default and not optional
- automatic_updates: true will install and configure dnf-automatic or unattended-upgrades, depending on the distribution
- the sshd_update_moduli variable, if set to true, will download an updated moduli file from the konstruktoid/ssh-moduli repository.
- all template paths are now variables
What's Changed
- add extra comment in template files by @cleberb in #399
- add passlib dependency by @konstruktoid in #402
- fix template variable for task mount.yml by @cleberb in #398
- correct grep exit codes by @konstruktoid in #406
- improvements restrict compilers by @cleberb in #403
- update suid list from @GTFOBins by @konstruktoid in #415
- extend sshd configuration by @cleberb in #401
- faillock and password hash improvements by @cleberb in #421
- add sshd_match_user variables by @konstruktoid in #428
- fix sshd configuration by @cleberb in #430
- changed sysctl configuration to exclusively use templates. by @KoenDG in #431
- move ipv6 into main sysctl file, add one for ufw settings by @konstruktoid in #433
- rename sysctl files by @konstruktoid in #434
- defaults readability by @konstruktoid in #439
- rewrite audit rules by @konstruktoid in #440
- ensure TMOUT and shell umask settings by @konstruktoid in #448
- handle sysctl VLANs by @sgnsys3 in #405
- ensure motd-news is masked by @konstruktoid in #467
- refactor and verify rsyslog FileCreateMode by @konstruktoid in #468
- ensure package managers clean and remove after installation by @konstruktoid in #469
- loop default deny by @konstruktoid in #471
- consistent command and shell usage by @konstruktoid in #472
- remove pam backups by @konstruktoid in #474
- refactor auditd rules by @konstruktoid in #475
- add local accounts to password list by @konstruktoid in #476
- fix local passwords by @konstruktoid in #478
- update test boxes by @konstruktoid in #479
- remove dsa host keys, generate ecdsa and ed25519 by @konstruktoid in #483
- add variable to update ssh moduli file by @konstruktoid in #486
- disable systemd-journal-remote by @konstruktoid in #488
- add session_timeout variable and declare TMOUT by @konstruktoid in #489
- add rsyslog FileCreateMode variable by @konstruktoid in #490
- add tmout verification by @konstruktoid in #491
- merge kernel module tasks by @konstruktoid in #492
- fix sshd host key permissions by @konstruktoid in #493
- set correct permissions on sysctl configuration files by @konstruktoid in #499
- handle missing pam file by @konstruktoid in #500
- get version from sshd instead of the client by @konstruktoid in #501
- ensure kmod is installed by @konstruktoid in #504
- require ansible 2.15 by @konstruktoid in #510
- add support for automatic updates by @konstruktoid in #512
- blacklist blocked kernel modules by @konstruktoid in #518
- convert dns defaults to list by @konstruktoid in #519
- convert ntp defaults to list by @konstruktoid in #520
- use ntp servers with IPv4 and IPv6 support by @konstruktoid in #522
- verify sysctl settings using systemd-sysctl by @konstruktoid in #523
- use only @cloudflare and @Quad9DNS DNS servers by @konstruktoid in #524
- add @USBGuard management by @konstruktoid in #529
- rename ufw_enable to manage_ufw and handle disconnects better by @konstruktoid in #530
- split when: for readability by @konstruktoid in #531
- rename default variables to manage_ by @konstruktoid in #532
New Contributors
Full Changelog: v1.15.0...v2.0.0-rc.1
v1.15.0
What's Changed
- handle missing cron directories by @konstruktoid in #382
- split aide defaults and add checksums variable by @konstruktoid in #384
- add template variables by @konstruktoid in #392
Full Changelog: v1.14.1...v1.15.0
v1.14.1
What's Changed
- fix undefined sshd_allow_users by @konstruktoid in #376 #377
- call update-grub after updating or creating a grub configuration by @KoenDG in #379
Full Changelog: v1.14.0...v1.14.1
v1.14.0
What's Changed
- update password list by @konstruktoid in #352 #362
- update auditd conf and add flush by @konstruktoid in #360
- install systemd-journal-remote by @konstruktoid in #363
- add IgnoreRhosts to sshd variables by @konstruktoid in #367
- adapt ssh configuration to crypto-policies by @konstruktoid in #369
- dont try to block ipv6 loopback if ipv6 is disabled by @konstruktoid in #368
Full Changelog: v1.13.0...v1.14.0
v1.13.0
What's Changed
- remove ubuntu esm apt hook by @konstruktoid in #297
- correct apt_news verification by @konstruktoid in #320
- added extra clarification on blacklist/block functionality of modprobe and what the code in this project does. by @KoenDG in #325
- fsshd allow ansible_user by default by @gimiki in #327
- ensure snapd isnt removed by @konstruktoid in #339
- update suid list from @GTFOBins by @konstruktoid in #341
- update password list by @konstruktoid in #342
- ensure postfix restarts by @konstruktoid in #346
New Contributors
Full Changelog: v1.12.1...v1.13.0
v1.12.2
Merge pull request #296 from konstruktoid/ghaperm update GHA permissions
v1.12.1
v1.12.0
What's Changed
- add enable_timesyncd variable by @konstruktoid in #289
- fix ssh verification by @konstruktoid in #291
Full Changelog: v1.11.0...v1.12.0