Releases: konstruktoid/ansible-role-hardening
v1.4.2
- Add `APT::Sandbox::Seccomp`
- Add `timesyncd.conf` verification
- Remove Ubuntu 21.04 from testing
- Ubuntu Hirsute End of Life
- Update suid list from @GTFOBins
Full Changelog: v1.4.1...v1.4.2
v1.4.1 - The Switch
- Remove CentOS and focus on AlmaLinux instead
- Switch to `ubuntu/impish64` instead of weekly builds
- Fix `faillock` configuration
v1.4.0
This release:
- Adds Common Configuration Enumeration, Center for Internet Security and @mitre ATT&CK/D3fend tags to the tasks
- Adds `sysctl` `fs.protected_fifos: 2`, and sets `kernel.perf_event_paranoid: 3` instead of `kernel.perf_event_paranoid: 2`
- Adds a `cracklib` task and handlers, including a password file generated from files by @ukncsc and @dropbox (konstruktoid/hardening@9bb79e9)
- Adds a couple of playbook examples to the documentation
- Adds more compilers and tries to locate every name variation (#72)
- Adds support for @AlmaLinux
- Adds the `block_blacklisted` variable, which blocks (disables) any automatic loading of blacklisted kernel modules when set to `true`
- Adds the `delete_users` variable, a list of users to be removed from the system
- Adds the `hide_pid` and `process_group` `/proc` variables
- Adds the `pwquality_config` variable to configure [libpwquality](https://manpages.ubuntu.com/manpages/focal/man5/pwquality.conf.5.html)
- All `ignore_errors:` have been removed and replaced by error handling (ansible/ansible-lint#1540)
- Configures `timedatectl set-ntp true`
- Correctly handles `grub` permission changes (closes #70)
- Includes a basic `tox.ini` configuration
- Moves @Debian Bullseye from testing to a supported release
- Sets `sshd_client_alive_count_max: 1` instead of `sshd_client_alive_count_max: 3`
- Sets `sudo` `Defaults timestamp_type=tty`
- Sets shell `TMOUT=600` instead of `TMOUT=900`
- The `action-lint/Dockerfile` should now handle most situations when installing `cryptography`
- The `molecule` testing and verification has been expanded
- Updates the list of suid binaries, courtesy of @GTFOBins
- Uses `pam_faillock` instead of `pam_tally2` if available
- Various updates to the Vagrant file used for testing
v1.3.2 - Correct Galaxy meta
- `min_ansible_version: "2.10"`
v1.3.1 - Ansible 2.10
- Require Ansible 2.10 due to FQCN
v1.3.0 - The Red Hatter release
- Add RHEL support
- Add additional `auditd` variables
- Update Molecule configuration, linting and many other small things related to testing
- Make the installation of `aide` optional, using the `install_aide` variable
- Mask the `motdnews` (Ubuntu) service
- Add support for (U)EFI booting
- `systemd` tmp mount paths are now correct
- Add Docker `auditd` rules
- Fixed PAM configuration, it sometimes failed when changing user passwords
A big thanks to @polachz for adding RHEL support and fixing many other things in this release.
v1.2.0 - The split Molecule release
- Split the `README.md` into `README.md`, `TESTING.md` and `STRUCTURE.md`
- Stop supporting Ubuntu 18.04 and Fedora
- Start testing Ubuntu 20.04 with known issue: https://bugs.launchpad.net/ubuntu/+source/aide/+bug/1903298
- Split the `defaults/main.yml` into multiple files in the `defaults/main/` directory
- `defaults/main/suid_sgid_blocklist.yml`: add the `suid_sgid_permissions` variable and update applications in the `suid_sgid_blocklist`
- Add the `genREADME.sh` script, used to generate a `README.md` skeleton
- Add `restart postfix` and `update grub2` handlers
- Set `min_ansible_version: 2.9` in `meta/main.yml`
- Add Ansible Molecule testing with the Vagrant plugin
- `tasks/aide.yml` should also catch `aide.db.new`
- `tasks/apparmor.yml` should only enforce profiles when there's something to enforce
- `tasks/auditd.yml`: manage `grub` and configure `/etc/audit/auditd.conf`
- `tasks/compilers.yml` restricts compiler access
- `tasks/cron.yml` uses `regexp: "^(?!root).*$"` to clean `cron` and `at`
- `tasks/firewall.yml`: `ufw` is now blocking outgoing traffic by default and removes all firewall rules without `comment: ansible managed`
- `tasks/issue.yml`: split `motd` and `issue` file configuration
- `tasks/journalconf.yml`: handle `rsyslog.conf` `$FileCreateMode 0600` configuration in a more flexible way
- `tasks/main.yml`: add a description for all task file includes
- `tasks/pkgupdate.yml` → `tasks/packagemgmt.yml` and configure `apt` and `dnf`
- `tasks/packages.yml`: configure `needrestart` configuration directory and `sysstat`
- `tasks/password.yml`: add configuration of `crypto-policies`
- `tasks/post.yml` runs all notified handlers and then modifies `grub` configuration permissions
- `tasks/sudo.yml` now creates the group `sugroup` for use in `/etc/pam.d/su`
- `tasks/umask.yml` now replaces `umask(\s+.*)` with `"umask 077"`
- `tasks/users.yml` sets `0750` on all directories in `/home`
- `ssh_config.j2` and `sshd_config.j2` templates now support multiple variables
v1.1.0 - The pexpected release
- Adapt to new `ansible-lint` and update related GitHub Action
- Add `ProcessSizeMax=0` to `/etc/systemd/coredump.conf`
- Add `RootDistanceMaxSec=1` to `/etc/systemd/timesyncd.conf`
- Add `audispd-plugins`, `cracklib-runtime`, `gnupg2` and `libpam-pwquality` packages
- Add `auditd` configuration to `grub`
- Add `dev.tty.ldisc_autoload = 0` if `ansible_kernel is version('5','>')`
- Add `packages_ubuntu` with `fwupd` and `secureboot-db`
- Add `sshd_allow_agent_forwarding`, `sshd_allow_tcp_forwarding`, `sshd_authentication_methods`, `sshd_log_level`, `sshd_password_authentication` variables
- Add basic Molecule structure
- Configure `apparmor` for Debian family distributions
- Configure `sudo` timeouts and configure `sudo` group requirement for `su`
- Configure `useradd`: `INACTIVE=35` -> `INACTIVE=30`
- Correct custom, local facts
- Enable PowerTools repo for CentOS
- Enable `nf_conntrack_tcp_be_liberal` so `ufw` doesn't drop connections when enabling policies
- Extend the `suid_sgid_blocklist`
- Fix `aidecheck.service.j2`
- Install `python(2|3)-pexpect` using Ansible, not Vagrant
- Logrotate `su root syslog` is usable only on `ansible_distribution == 'Ubuntu'`
- Remove `become_method: sudo` and let Ansible handle it
- Remove `/var/tmp` configuration
- Rename all tasks, `[0-9][0-9]_` is removed
- Separate `grub_audit_backlog_cmdline` and `grub_audit_cmdline`
- Update `Vagrantfile` to fix timeouts and update boxes
- Use `apt` or `dnf` unless `package` is the only option
- Variables named `*_blacklist` renamed to `*_blocklist`
v1.0.1 - Galaxy
- Adapt to Ansible Galaxy Quality Score
- Change CentOS Vagrant box
v1.0.0 - The Focal Release
- First release 4 years after the first commit
- `CentOS 8`, `Debian Buster`, `Fedora 31`, `Ubuntu 18.04 Bionic Beaver` and `Ubuntu 20.04 Focal Fossa` supported and tested.