Releases: konstruktoid/ansible-role-hardening

v1.4.2

15 Dec 01:04
  • add APT::Sandbox::Seccomp
  • add timesyncd.conf verification
  • remove Ubuntu 21.04 from testing
  • Ubuntu Hirsute (21.04) has reached End of Life
  • update suid list from @GTFOBins

Full Changelog: v1.4.1...v1.4.2

v1.4.1 - The Switch

01 Nov 11:33
  • Remove CentOS and focus on AlmaLinux instead
  • Switch to ubuntu/impish64 instead of weekly builds
  • Fix faillock configuration

v1.4.0

23 Aug 15:54

This release:

  • Adds Common Configuration Enumeration, Center for Internet Security and @mitre ATT&CK/D3fend tags to the tasks
  • Adds sysctl fs.protected_fifos: 2, and sets kernel.perf_event_paranoid: 3 instead of kernel.perf_event_paranoid: 2
  • Adds a cracklib task and handlers, including a password file generated from files by @ukncsc and @dropbox (konstruktoid/hardening@9bb79e9)
  • Adds a couple of playbook examples to the documentation
  • Adds more compilers and tries to locate every name variation (#72)
  • Adds support for @AlmaLinux
  • Adds the block_blacklisted variable, which blocks, or disables, any automatic loading of blacklisted kernel modules when set to true
  • Adds the delete_users variable, which is a list of users to be removed from the system
  • Adds the hide_pid and process_group /proc variables
  • Adds the pwquality_config variable to configure libpwquality (https://manpages.ubuntu.com/manpages/focal/man5/pwquality.conf.5.html)
  • All ignore_errors: statements have been removed and replaced by error handling (ansible/ansible-lint#1540)
  • Configures timedatectl set-ntp true
  • Correctly handles grub permission changes (closes #70)
  • Includes a basic tox.ini configuration
  • Moves @Debian Bullseye from testing to a supported release
  • Sets sshd_client_alive_count_max: 1 instead of sshd_client_alive_count_max: 3
  • Sets sudo Defaults timestamp_type=tty
  • Sets shell TMOUT=600 instead of TMOUT=900
  • The action-lint/Dockerfile should now handle most situations when installing cryptography
  • The Molecule testing and verification have been expanded
  • Updates the list of suid binaries, courtesy of @GTFOBins
  • Uses pam_faillock instead of pam_tally2 if available
  • Various updates to the Vagrant file used for testing

v1.3.2 - Correct Galaxy meta

04 Mar 15:51

min_ansible_version: "2.10"

v1.3.1 - Ansible 2.10

04 Mar 15:38
  • Require Ansible 2.10 due to FQCN

v1.3.0 - The Red Hatter release

04 Mar 12:52
  • Add RHEL support
  • Add additional auditd variables
  • Update Molecule configuration, linting and many other small things related to testing
  • Make the installation of aide optional, using the install_aide variable
  • Mask the motdnews (Ubuntu) service
  • Add support for (U)EFI booting
  • systemd tmp mount paths are now correct
  • Add Docker auditd rules
  • Fix the PAM configuration, which sometimes failed when changing user passwords

A big thanks to @polachz for adding RHEL support and fixing many other things in this release.

v1.2.0 - The split Molecule release

01 Dec 20:44
  • Split the README.md into README.md, TESTING.md and STRUCTURE.md
  • Stop supporting Ubuntu 18.04 and Fedora
  • Start testing Ubuntu 20.04 with known issue: https://bugs.launchpad.net/ubuntu/+source/aide/+bug/1903298
  • Split the defaults/main.yml into multiple files in the defaults/main/ directory
  • defaults/main/suid_sgid_blocklist.yml: add the suid_sgid_permissions variable and update applications in the suid_sgid_blocklist
  • Add the genREADME.sh script, used to generate a README.md skeleton
  • Add restart postfix and update grub2 handlers
  • Set min_ansible_version: 2.9 in meta/main.yml
  • Add Ansible Molecule testing with the Vagrant plugin
  • tasks/aide.yml should also catch aide.db.new
  • tasks/apparmor.yml should only enforce profiles when there's something to enforce
  • tasks/auditd.yml: manage grub and configure /etc/audit/auditd.conf
  • tasks/compilers.yml restricts compiler access
  • tasks/cron.yml use regexp: "^(?!root).*$" to clean cron and at
  • tasks/firewall.yml: ufw now blocks outgoing traffic by default and removes all firewall rules that lack the comment "ansible managed"
  • tasks/issue.yml: split motd and issue file configuration
  • tasks/journalconf.yml: handle the rsyslog.conf $FileCreateMode 0600 configuration in a more flexible way
  • tasks/main.yml: add a description for all task file includes
  • tasks/pkgupdate.yml and tasks/packagemgmt.yml configure apt and dnf
  • tasks/packages.yml: configure needrestart configuration directory and sysstat
  • tasks/password.yml: add configuration of crypto-policies
  • tasks/post.yml runs all notified handlers and then modifies grub configuration permissions
  • tasks/sudo.yml now creates the group sugroup for use in /etc/pam.d/su
  • tasks/umask.yml now replaces umask(\s+.*) with "umask 077"
  • tasks/users.yml sets 0750 on all directories in /home
  • The ssh_config.j2 and sshd_config.j2 templates now support multiple variables

v1.1.0 - The pexpected release

02 Sep 12:31
  • Adapt to new ansible-lint and update related Github Action
  • Add ProcessSizeMax=0 to /etc/systemd/coredump.conf
  • Add RootDistanceMaxSec=1 to /etc/systemd/timesyncd.conf
  • Add audispd-plugins, cracklib-runtime, gnupg2 and libpam-pwquality packages
  • Add auditd configuration to grub
  • Add dev.tty.ldisc_autoload = 0 if ansible_kernel is version('5','>')
  • Add packages_ubuntu with fwupd and secureboot-db
  • Add sshd_allow_agent_forwarding, sshd_allow_tcp_forwarding, sshd_authentication_methods, sshd_log_level, sshd_password_authentication variables
  • Add basic Molecule structure
  • Configure apparmor for Debian family distributions
  • Configure sudo timeouts and configure sudo group requirement for su
  • Configure useradd: INACTIVE=35 -> INACTIVE=30
  • Correct custom, local facts
  • Enable PowerTools repo for CentOS
  • Enable nf_conntrack_tcp_be_liberal so ufw doesn't drop established connections when enabling policies
  • Extend the suid_sgid_blocklist
  • Fix aidecheck.service.j2
  • Install python(2|3)-pexpect using Ansible, not Vagrant
  • Logrotate su root syslog is usable only on ansible_distribution == 'Ubuntu'
  • Remove become_method: sudo and let Ansible handle it
  • Remove /var/tmp configuration
  • Rename all tasks, [0-9][0-9]_ is removed
  • Separate grub_audit_backlog_cmdline and grub_audit_cmdline
  • Update Vagrantfile to fix timeouts and update boxes
  • Use apt or dnf unless package is the only option
  • Variables named *_blacklist renamed to *_blocklist

v1.0.1 - Galaxy

27 Apr 07:35
  • Adapt to Ansible Galaxy Quality Score
  • Change CentOS Vagrant box

v1.0.0 - The Focal Release

24 Apr 12:37

  • First release 4 years after the first commit
  • CentOS 8, Debian Buster, Fedora 31, Ubuntu 18.04 Bionic Beaver and Ubuntu 20.04 Focal Fossa are supported and tested.