v2.0.0-rc.3

What's Changed

• add manage_rkhunter and extend configuration by @konstruktoid in #556

Full Changelog: v2.0.0-rc.2...v2.0.0-rc.3

v2.0.0-rc.2

What's Changed

• put apt hardening options in variable by @andersuno in #539
• add apt configuration verification by @konstruktoid in #540
• add option to manage sysctl by @konstruktoid in #542
• refactor tags by @konstruktoid in #545
• redhat block named after debian by @KoenDG in #546
• restructure dnf, ssh and yum tags by @konstruktoid in #547
• add manage_resolved by @konstruktoid in #548

New Contributors

• @andersuno made their first contribution in #539

Full Changelog: v2.0.0-rc.1...v2.0.0-rc.2

v2.0.0-rc.1 - Breaking

This is a breaking release, read the documentation and update any variables effected

Changes include:

• variables with multiple configuration options are now lists
• manage_aide, manage_auditd, manage_timesyncd, manage_faillock, manage_ssh, manage_ufw, manage_usbguard are variables that can be set to false if configuration of named services is done outside of this role
• blocking blacklisted kernel modules is now the default and not optional
• automatic_updates: true will install and configure dnf-automatic or unattended-upgrades, depending on the distribution
• the sshd_update_moduli variable, if set to true, will download a updated moduli file from the konstruktoid/ssh-moduli repository.
• all template paths are now variables

What's Changed

• add extra comment in template files by @cleberb in #399
• add passlib dependency by @konstruktoid in #402
• fix template variable for task mount.yml by @cleberb in #398
• correct grep exit codes by @konstruktoid in #406
• improvements restrict compilers by @cleberb in #403
• update suid list from @GTFOBins by @konstruktoid in #415
• extend sshd configuration by @cleberb in #401
• faillock and password hash improvements by @cleberb in #421
• add sshd_match_user variables by @konstruktoid in #428
• fix sshd configuration by @cleberb in #430
• changed sysctl configuration to exclusively use templates. by @KoenDG in #431
• move ipv6 into main sysctl file, add one for ufw settings by @konstruktoid in #433
• rename sysctl files by @konstruktoid in #434
• defaults readability by @konstruktoid in #439
• rewrite audit rules by @konstruktoid in #440
• ensure TMOUT and shell umask settings by @konstruktoid in #448
• handle sysctl VLANs by @sgnsys3 in #405
• ensure motd-news is masked by @konstruktoid in #467
• refactor and verify rsyslog FileCreateMode by @konstruktoid in #468
• ensure package managers clean and remove after installation by @konstruktoid in #469
• loop default deny by @konstruktoid in #471
• consistent command and shell usage by @konstruktoid in #472
• remove pam backups by @konstruktoid in #474
• refactor auditd rules by @konstruktoid in #475
• add local accounts to password list by @konstruktoid in #476
• fix local passwords by @konstruktoid in #478
• update test boxes by @konstruktoid in #479
• remove dsa host keys, generate ecdsa and ed25519 by @konstruktoid in #483
• add variable to update ssh moduli file by @konstruktoid in #486
• disable systemd-journal-remote by @konstruktoid in #488
• add session_timeout variable and declare TMOUT by @konstruktoid in #489
• add rsyslog FileCreateMode variable by @konstruktoid in #490
• add tmout verification by @konstruktoid in #491
• merge kernel module tasks by @konstruktoid in #492
• fix sshd host key permissions by @konstruktoid in #493
• set correct permissions on sysctl configuration files by @konstruktoid in #499
• handle missing pam file by @konstruktoid in #500
• get version from sshd instead of the client by @konstruktoid in #501
• ensure kmod is installed by @konstruktoid in #504
• require ansible 2.15 by @konstruktoid in #510
• add support for automatic updates by @konstruktoid in #512
• blacklist blocked kernel modules by @konstruktoid in #518
• convert dns defaults to list by @konstruktoid in #519
• convert ntp defaults to list by @konstruktoid in #520
• use ntp servers with IPv4 and IPv6 support by @konstruktoid in #522
• verify sysctl settings using systemd-sysctl by @konstruktoid in #523
• use only @cloudflare and @Quad9DNS DNS servers by @konstruktoid in #524
• add @USBGuard management by @konstruktoid in #529
• rename ufw_enable to manage_ufw and handle disconnects better by @konstruktoid in #530
• split when: for readability by @konstruktoid in #531
• rename default variables to manage_ by @konstruktoid in #532

New Contributors

• @cleberb made their first contribution in #399
• @sgnsys3 made their first contribution in #405

Full Changelog: v1.15.0...v2.0.0-rc.1

v1.15.0

What's Changed

• handle missing cron directories by @konstruktoid in #382
• split aide defaults and add checksums variable by @konstruktoid in #384
• add template variables by @konstruktoid in #392

Full Changelog: v1.14.1...v1.15.0

v1.14.1

What's Changed

• fix undefined sshd_allow_users by @konstruktoid in #376 #377
• call update-grub after updating or creating a grub configuration by @KoenDG in #379

Full Changelog: v1.14.0...v1.14.1

v1.14.0

What's Changed

• update password list by @konstruktoid in #352 #362
• update auditd conf and add flush by @konstruktoid in #360
• install systemd-journal-remote by @konstruktoid in #363
• add IgnoreRhosts to sshd variables by @konstruktoid in #367
• adapt ssh configuration to crypto-policies by @konstruktoid in #369
• dont try to block ipv6 loopback if ipv6 is disabled by @konstruktoid in #368

Full Changelog: v1.13.0...v1.14.0

v1.13.0

What's Changed

• remove ubuntu esm apt hook by @konstruktoid in #297
• correct apt_news verification by @konstruktoid in #320
• added extra clarification on blacklist/block functionality of modprobe and what the code in this project does. by @KoenDG in #325
• fsshd allow ansible_user by default by @gimiki in #327
• ensure snapd isnt removed by @konstruktoid in #339
• update suid list from @GTFOBins by @konstruktoid in #341
• update password list by @konstruktoid in #342
• ensure postfix restarts by @konstruktoid in #346

New Contributors

• @gimiki made their first contribution in #327

Full Changelog: v1.12.1...v1.13.0

v1.12.2

Merge pull request #296 from konstruktoid/ghaperm

update GHA permissions

v1.12.1

What's Changed

• update GHA permissions by @konstruktoid in #296

Full Changelog: v1.12.0...v1.12.1

v1.12.0

What's Changed

• add enable_timesyncd variable by @konstruktoid in #289
• fix ssh verification by @konstruktoid in #291

Full Changelog: v1.11.0...v1.12.0