Releases: dev-sec/ansible-collection-hardening
Releases · dev-sec/ansible-collection-hardening
10.1.0
Changelog
10.1.0 (2024-10-22)
Implemented enhancements:
- Allow configuring the name_format variable in auditd config #796
- Ubuntu 24.04 support #764
- Add variable to set name_format for auditd #810 [os_hardening] (schurzi)
- feat(ssh): add alpine support #809 [ssh_hardening] (rndmh3ro)
- Provide granular noop for ssh configuration #789 [ssh_hardening] (seven-beep)
Fixed bugs:
- molecule scenario ssh_hardening if failing due to missing docker image #790
- getent_shadow empty #787
- Error: Missing privilege separation directory: /run/sshd #752
- fix(ssh_hardening): test setting kex to false, remove wrong default #808 [ssh_hardening] (rndmh3ro)
Merged pull requests:
- Pin python dependencies and optimize GitHub Actions #811 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- fix(cicd): test idempotence on ssh custom tests #807 [ssh_hardening] (rndmh3ro)
- Document correct quotes for ssh_permit_tunnel parameter #806 [ssh_hardening] (vmpr)
- fix(docs): add 'become: true' to example playbooks. fix #787 #804 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- chore(deps): update dependency ansible-core to v2.17.5 #802 (renovate[bot])
- Don't run tests if the environment is not correct #801 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- chore(deps): update actions/checkout digest to eef6144 #800 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- feat: Corrected package name #799 [ssh_hardening] (PapaPeskwo)
- Use Python venv for VM tests #798 (schurzi)
- Remove unused files and variables #797 [os_hardening] (schurzi)
- chore(deps): update ansible/ansible-lint digest to 3b5bee1 #795 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to 25f783c #792 (renovate[bot])
- chore(deps): update dependency ansible-core to v2.17.4 #791 (renovate[bot])
- chore(deps): update actions/setup-python digest to f677139 #788 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- chore(deps): update dependency ansible-core to v2.17.3 #786 (renovate[bot])
- chore(deps): update dependency ansible-core to v2.17.2 #756 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
10.0.0
Changelog
10.0.0 (2024-08-06)
Implemented enhancements:
- option to disable regeneration of ssh private key #772
- Ubuntu 24.04 support #764
- Support systemd socket activation for sshd #763 [ssh_hardening]
- Release 9.0.2 #758
- Make Publickey authentication configurable #750
- Ansible Linting #747
- Make value of kernel.unprivileged_userns_clone depending on kernel version #727
- Ensure that ssh is installed (cf #771) #774 [ssh_hardening] (Byh0ki)
- ssh: explicitly enable or disable the service at boot #771 [ssh_hardening] (Byh0ki)
- disable systemd socket activation #769 [ssh_hardening] (rndmh3ro)
- Add ssh_pubkey_authentication variable to ssh hardening #749 [ssh_hardening] (debbabi)
Fixed bugs:
- ssh hardening role fails when
ssh_permit_root_loginvar is set on ubuntu 24.04 #768 - os_hardening fails when setting vm.mmap_rnd_bits #757
ssh_gateway_portsis documented to accept 'clientspecified' string, but only accepts bools #755- Error: Missing privilege separation directory: /run/sshd #752
- harden permissions for directory mount /var/log fails for minimized Ubuntu 22.04 #741
- Update Debian compatibility #784 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- do not force type of ssh_gateway_ports #765 [mysql_hardening] [os_hardening] [ssh_hardening] (rndmh3ro)
Merged pull requests:
- Update to current Fedora releases #783 [os_hardening] [ssh_hardening] (schurzi)
- Remove deprecated rebuild of initrd #782 [os_hardening] (schurzi)
- chore(deps): update patrickjahns/version-drafter-action digest to 2076fa4 #781 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to 95382d3 #779 (renovate[bot])
- chore(deps): update actions/setup-python digest to 39cd149 #778 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- remove tests for FreeBSD12 since it's out of support #777 [ssh_hardening] (schurzi)
- chore(deps): pin dependencies #776 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- Use best-practice preset for renovate #775 (schurzi)
- Deprecate Centos Stream 8 #770 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- centos7 is eol, remove it #767 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- fix spelling #766 [os_hardening] [ssh_hardening] (rndmh3ro)
- ci: define permissions for enforce-labels workflow #760 (fgreinacher)
- Update dependency ansible-core to v2.16.5 #754 (renovate[bot])
- Update dependency ansible-core to v2.16.4 #751 (renovate[bot])
- Update ansible/ansible-lint action to v24 #745 (renovate[bot])
- Always update Vagrant Boxes before using #744 (schurzi)
- Remove Docker containers on self-hosted runner after tests #743 (schurzi)
- Update dependency ansible-core to v2.16.3 #742 (renovate[bot])
9.0.1
Changelog
9.0.1 (2024-01-15)
Implemented enhancements:
- Extend ansible-lint testing to cover our test cases #731
- Make value of kernel.unprivileged_userns_clone depending on kernel version #727
- Complete tests for OS hardening #660
- support restarts of audit service on Arch linux #722 [os_hardening] (schurzi)
Fixed bugs:
- Fails to install #735
- Amazon Linux gpg check fails #734
- ssh_hardening ipv6 #719
- boolean variable inconsistency? #330
- Restore idempotency for disabling unused filesystems with Ansible 2.16.0 #718 [os_hardening] (akikanellis)
Closed issues:
Merged pull requests:
- restructure readme to move known limitations up top #739 [os_hardening] [ssh_hardening] (rndmh3ro)
- release only on releases, not pre-releases #738 (rndmh3ro)
- Update dependency ansible-core to v2.16.2 #737 (renovate[bot])
- fix linting for github config #736 (rndmh3ro)
- Update actions/setup-python action to v5 #733 (renovate[bot])
- Update ansible-lint action and revise configuration to scan all Ansible code #732 (schurzi)
- update labeler to new config format #730 [ssh_hardening] (schurzi)
- Update dependency ansible-core to v2.16.1 #728 [os_hardening] (renovate[bot])
- pin Ansible to always let Renovate update to the most current version in our tests #721 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
9.0.0
Changelog
9.0.0 (2023-11-16)
Breaking changes:
- make it possible to configure more then yes and no for PermitTunnel #715 [ssh_hardening] (rndmh3ro)
- add role argument spec for os, ssh, mysql #687 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
Implemented enhancements:
- Create role documentation with Automated-Ansible-Role-Documentation #694
- Minimize access user paths should be fully configurable #689
- Add support for Debian 12 #672
- add testing and support for current versions of Fedora and FreeBSD #709 [os_hardening] [ssh_hardening] (schurzi)
- feat: workflow for roles readme #705 [ssh_hardening] (Nemental)
- do not try to drop roles in mysql hardening #649 [mysql_hardening] (rndmh3ro)
Fixed bugs:
- nginx conf.d directory is missing on Rocky Linux 8 #707
- Default value of
ssh_client_alive_intervalis inconsistent with what documentation says #701 - [devsec.hardening.os_hardening : restart-auditd] fails #698
- sshd_hardening role cannot be used to build system images #697
- Error: No file was found when using first_found on Ubuntu 20.04 #676
- PUBLIC-role breaks mysql-hardening #648
- Error deploying the playbook #630
- boolean variable inconcistency ? #330
- Gather facts when os_hardening role is executed with tags #708 [os_hardening] (schurzi)
Closed issues:
Merged pull requests:
- update status badges in README #714 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- fix CI test for os_hardening #711 [os_hardening] (schurzi)
- fix nginx CI tests #710 [nginx_hardening] (schurzi)
- fix: roles-readme action default value #706 [ssh_hardening] (Nemental)
- fix some wrong defaults and types in the readmes #703 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- update links to new Ansible Galaxy #702 [nginx_hardening] (schurzi)
- Fix typo in login.defs.j2 #700 [os_hardening] (nejch)
- chore(deps): update actions/checkout action to v4 #696 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- test debian12 on VM #695 (rndmh3ro)
- fix descriptions in readme #693 [os_hardening] (rndmh3ro)
- feat: customize user paths default #692 [os_hardening] (S0obi)
- disable PAM tests #691 [os_hardening] (rndmh3ro)
8.8.0
Changelog
8.8.0 (2023-08-04)
Implemented enhancements:
- Add support for Fedora 38 #671
- auditd: add possibility to override config template #685 [os_hardening] (Meecr0b)
- add debian 12 support #684 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- feat: explicitly support Fedora 37 and 38 #682 [os_hardening] [ssh_hardening] (nejch)
- Replace ssh_keys group with root, where applicable and use less permissive file mode #677 [ssh_hardening] (rndmh3ro)
- Add oddjob mkhomedir option rhel pam #675 [os_hardening] (imp1sh)
Fixed bugs:
- How does one set
sshd_authenticationmethodsto include password authentication? #686 - Error: No file was found when using first_found on Ubuntu 20.04 #676
- FreeIPA environment mkhomedir fails #664
Closed issues:
- What is the uscase of sysctl_overwrite over ansible.posix.sysctl? #683
Ensure permissions on mysql-logfile are correctchokes whenlog_erroris set tostderr#673- TASK TASK FAILED: [devsec.hardening.os_hardening : Set password ageing for existing regular (non-system, non-root) accounts] #670
- After os_hardening ssh not working #663
- Unsupported parameters for (ansible.builtin.user) module #650
Merged pull requests:
- setting gets ignored #680 [os_hardening] (rndmh3ro)
- add var-naming[no-role-prefix] to skip-list #679 (rndmh3ro)
- expand on check conditions for non-file locations of logs #674 [mysql_hardening] (whysthatso)
- use new molecule-plugins #667 (schurzi)
- add spellchecking with codespell #662 [mysql_hardening] [os_hardening] [ssh_hardening] (schurzi)
8.7.0
Changelog
8.7.0 (2023-04-12)
Implemented enhancements:
- Support BSD and other operating systems CI with VM based tests #599
- add check mode to molecule tests #644 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- add testing for OpenBSD and FreeBSD #642 [ssh_hardening] (schurzi)
- Only skip audit restart handler in docker #637 [os_hardening] (nejch)
- Make action_mail_acct configurable in auditd #631 [os_hardening] (nejch)
Fixed bugs:
- getent task is skipped if user previously ran it with a key parameter #646
- Error running devsec.hardening.os_hardening role #645
- devsec.hardening.mysql_hardening - Get all users that have no authentication_string - Hello world #640
- fixes #646 - add another condition to getent task #647 [os_hardening] (gbolo)
Closed issues:
- Dependency Dashboard #655
- Invalid login.defs for RHEL6 #651
- Unsupported parameters for (ansible.builtin.user) module #650
- Deprecation warnings for os_hardening #638
- Write tests for MySQL user-deletion #445
Merged pull requests:
- Update minimum required Ansible version for os_hardening #657 [os_hardening] [ssh_hardening] (schurzi)
- Update test environment #656 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- Update dependency geerlingguy.git to v3.0.1 #654 [mysql_hardening] (renovate[bot])
- Configure Renovate #653 (renovate[bot])
- simplify MySQL queries for user deletion #641 [mysql_hardening] (schurzi)
- Bump creyD/prettier_action from 4.2 to 4.3 #639 (dependabot[bot])
- Fix molecule tests for EL7 #636 [mysql_hardening] (rndmh3ro)
- run our CI tests periodically #634 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- try to fix molecule local tests #632 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- remove unneccessary tasks for VM based test #629 [os_hardening] (schurzi)
8.6.0
Changelog
8.6.0 (2023-02-04)
Implemented enhancements:
- make number of warning days before user password expires configurable #628 [os_hardening] (Normo)
Merged pull requests:
- Bump hugo19941994/delete-draft-releases from 1.0.0 to 1.0.1 #627 (dependabot[bot])
8.5.0
Changelog
8.5.0 (2023-01-31)
Implemented enhancements:
- Add support for /etc/auditd.conf num_logs to go with max_log_file_action #616
- password ageing not enforced #570
- Rewrite system account detection and hardening and create tests #621 [os_hardening] [ssh_hardening] (rndmh3ro)
- Add support for /etc/auditd.conf num_logs to go with max_log_file_action #617 [os_hardening] (richardlock)
- Preserve default ownership and dir mode for /var/log on Ubuntu #615 [os_hardening] (stdtom)
- rewrite user home dir hardening #584 [os_hardening] (DonEstefan)
- apply password age settings to exisiting regular users #582 [os_hardening] (DonEstefan)
- Parametrize more auditd.conf options #535 [os_hardening] (kravietz)
Fixed bugs:
- os_hardening is setting wrong ownership for /var/log on Ubuntu #614
- [os_hardening] Task for setting
initramfsmodules does not match its condition #590 [os_hardening] - Support for Amazon Linux 2 #624 [ssh_hardening] (mmitnyan)
Deprecated:
- deprecate rebuilding of initramfs #618 [os_hardening] (rndmh3ro)
Closed issues:
- Ubuntu 22.04 vars file missing? #619
- SSH KexAlgorithms causes SSH daemon to fail #500
- Playbook won't run for hardening #462
Merged pull requests:
- do not let dependabot label our prs #626 (rndmh3ro)
- run linting only when files inside roles change #625 (rndmh3ro)
- cancel running tests if new commit to branch is made #622 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- Fixed problems with running molecule locally with cgroup v2 #620 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- Bump actions/setup-python from 1 to 4 #611 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (dependabot[bot])
- Bump creyD/prettier_action from 3.1 to 4.2 #610 (dependabot[bot])
- linting #603 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
8.4.0
Changelog
8.4.0 (2022-12-17)
Implemented enhancements:
- Implement Test for MySQL systemd service #606
- Extended net hardening #607 [os_hardening] (DonEstefan)
- Add OpenSUSE support #605 [mysql_hardening] (rndmh3ro)
- Allow ssh_allow_tcp_forwarding to be a boolean #600 [ssh_hardening] (crisbal)
- OpenBSD does not support GSSAPI Authentication #598 [ssh_hardening] (dennisse)
- add Ansible specific templates for issues #596 (schurzi)
- use github templates for new issues #595 (schurzi)
Fixed bugs:
- os_auth_retries variable causes a comparison type error on pam tasks #593
- ssh_hardening: Install selinux dependencies fails on Oracle Linux (RHEL) 9 #585
- OpenBSD does not set distributiuon_major_version #597 [ssh_hardening] (dennisse)
Merged pull requests:
- Check for github action updates daily #609 (jlosito)
- add verify-task to check if mysql is running and enabled #608 [mysql_hardening] (rndmh3ro)
- Updates handlers for new ansible syntax and deprecated options for legacy commands #602 [os_hardening] (jsievertde)
- add notice to sign-off work to contributor guideline #601 (schurzi)
8.3.0
Changelog
8.3.0 (2022-10-27)
Implemented enhancements:
- add hardening of root user account(s) #579 [os_hardening] (donestefan)
Fixed bugs:
- os_auth_retries variable causes a comparison type error on pam tasks #593
- cast expected int types in pam tasks #594 [os_hardening] (dlouzan)
- do not manage trusted user ca keys if none exist #580 [ssh_hardening] (hollow)
Closed issues:
- Trying to run the os_hardening on Debian 11, but fails on privilege escalation #587
- auditd increasing logfiles #586
- Path to nginx.conf should be configurable in a variable #577
Merged pull requests:
- adopt all current suggestions from ansible-lint #592 [mysql_hardening] [os_hardening] [ssh_hardening] (schurzi)
- Support more os #588 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- run tests only on pushes to master or to PRs #581 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)