CHANGELOG.md

Changelog

9.0.2 (2024-03-25)

Full Changelog

Implemented enhancements:

• Make Publickey authentication configurable #750
• Ansible Linting #747
• Make value of kernel.unprivileged_userns_clone depending on kernel version #727
• Add ssh_pubkey_authentication variable to ssh hardening #749 [ssh_hardening] (debbabi)

Fixed bugs:

• Error: Missing privilege separation directory: /run/sshd #752
• harden permissions for directory mount /var/log fails for minimized Ubuntu 22.04 #741

Closed issues:

• Dependency Dashboard #655

Merged pull requests:

• Update dependency ansible-core to v2.16.5 #754 (renovate[bot])
• Update dependency ansible-core to v2.16.4 #751 (renovate[bot])
• Update ansible/ansible-lint action to v24 #745 (renovate[bot])
• Always update Vagrant Boxes before using #744 (schurzi)
• Remove Docker containers on self-hosted runner after tests #743 (schurzi)
• Update dependency ansible-core to v2.16.3 #742 (renovate[bot])

9.0.1 (2024-01-15)

Full Changelog

Implemented enhancements:

• Extend ansible-lint testing to cover our test cases #731
• Complete tests for OS hardening #660
• support restarts of audit service on Arch linux #722 [os_hardening] (schurzi)

Fixed bugs:

• Fails to install #735
• Amazon Linux gpg check fails #734
• ssh_hardening ipv6 #719
• boolean variable inconsistency? #330
• Restore idempotency for disabling unused filesystems with Ansible 2.16.0 #718 [os_hardening] (akikanellis)

Closed issues:

• 9.0.0 version number in galaxy.yml file is wrong #740

Merged pull requests:

• restructure readme to move known limitations up top #739 [os_hardening] [ssh_hardening] (rndmh3ro)
• release only on releases, not pre-releases #738 (rndmh3ro)
• Update dependency ansible-core to v2.16.2 #737 (renovate[bot])
• fix linting for github config #736 (rndmh3ro)
• Update actions/setup-python action to v5 #733 (renovate[bot])
• Update ansible-lint action and revise configuration to scan all Ansible code #732 (schurzi)
• update labeler to new config format #730 [ssh_hardening] (schurzi)
• Update dependency ansible-core to v2.16.1 #728 [os_hardening] (renovate[bot])
• pin Ansible to always let Renovate update to the most current version in our tests #721 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)

9.0.0 (2023-11-16)

Full Changelog

Breaking changes:

• make it possible to configure more then yes and no for PermitTunnel #715 [ssh_hardening] (rndmh3ro)
• add role argument spec for os, ssh, mysql #687 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)

Implemented enhancements:

• Create role documentation with Automated-Ansible-Role-Documentation #694
• Minimize access user paths should be fully configurable #689
• Add support for Debian 12 #672
• add testing and support for current versions of Fedora and FreeBSD #709 [os_hardening] [ssh_hardening] (schurzi)
• feat: workflow for roles readme #705 [ssh_hardening] (Nemental)
• do not try to drop roles in mysql hardening #649 [mysql_hardening] (rndmh3ro)

Fixed bugs:

• nginx conf.d directory is missing on Rocky Linux 8 #707
• Default value of ssh_client_alive_interval is inconsistent with what documentation says #701
• [devsec.hardening.os_hardening : restart-auditd] fails #698
• sshd_hardening role cannot be used to build system images #697
• Error: No file was found when using first_found on Ubuntu 20.04 #676
• PUBLIC-role breaks mysql-hardening #648
• Error deploying the playbook #630
• Gather facts when os_hardening role is executed with tags #708 [os_hardening] (schurzi)

Closed issues:

• Add send-to-mailinglist to github release action #434

Merged pull requests:

• update status badges in README #714 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
• fix CI test for os_hardening #711 [os_hardening] (schurzi)
• fix nginx CI tests #710 [nginx_hardening] (schurzi)
• fix: roles-readme action default value #706 [ssh_hardening] (Nemental)
• fix some wrong defaults and types in the readmes #703 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
• update links to new Ansible Galaxy #702 [nginx_hardening] (schurzi)
• Fix typo in login.defs.j2 #700 [os_hardening] (nejch)
• chore(deps): update actions/checkout action to v4 #696 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
• test debian12 on VM #695 (rndmh3ro)
• fix descriptions in readme #693 [os_hardening] (rndmh3ro)
• feat: customize user paths default #692 [os_hardening] (S0obi)
• disable PAM tests #691 [os_hardening] (rndmh3ro)

8.8.0 (2023-08-04)

Full Changelog

Implemented enhancements:

• Add support for Fedora 38 #671
• auditd: add possibility to override config template #685 [os_hardening] (Meecr0b)
• add debian 12 support #684 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
• feat: explicitly support Fedora 37 and 38 #682 [os_hardening] [ssh_hardening] (nejch)
• Replace ssh_keys group with root, where applicable and use less permissive file mode #677 [ssh_hardening] (rndmh3ro)
• Add oddjob mkhomedir option rhel pam #675 [os_hardening] (imp1sh)

Fixed bugs:

• How does one set sshd_authenticationmethods to include password authentication? #686
• FreeIPA environment mkhomedir fails #664

Closed issues:

• What is the uscase of sysctl_overwrite over ansible.posix.sysctl? #683
• Ensure permissions on mysql-logfile are correct chokes when log_error is set to stderr #673
• TASK TASK FAILED: [devsec.hardening.os_hardening : Set password ageing for existing regular (non-system, non-root) accounts] #670
• After os_hardening ssh not working #663
• Unsupported parameters for (ansible.builtin.user) module #650

Merged pull requests:

• setting gets ignored #680 [os_hardening] (rndmh3ro)
• add var-naming[no-role-prefix] to skip-list #679 (rndmh3ro)
• expand on check conditions for non-file locations of logs #674 [mysql_hardening] (whysthatso)
• use new molecule-plugins #667 (schurzi)
• add spellchecking with codespell #662 [mysql_hardening] [os_hardening] [ssh_hardening] (schurzi)

8.7.0 (2023-04-12)

Full Changelog

Implemented enhancements:

• Support BSD and other operating systems CI with VM based tests #599
• add check mode to molecule tests #644 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
• add testing for OpenBSD and FreeBSD #642 [ssh_hardening] (schurzi)
• Only skip audit restart handler in docker #637 [os_hardening] (nejch)
• Make action_mail_acct configurable in auditd #631 [os_hardening] (nejch)

Fixed bugs:

• getent task is skipped if user previously ran it with a key parameter #646
• Error running devsec.hardening.os_hardening role #645
• devsec.hardening.mysql_hardening - Get all users that have no authentication_string - Hello world #640
• fixes #646 - add another condition to getent task #647 [os_hardening] (gbolo)

Closed issues:

• Invalid login.defs for RHEL6 #651
• Deprecation warnings for os_hardening #638
• Write tests for MySQL user-deletion #445

Merged pull requests:

• Update minimum required Ansible version for os_hardening #657 [os_hardening] [ssh_hardening] (schurzi)
• Update test environment #656 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
• Update dependency geerlingguy.git to v3.0.1 #654 [mysql_hardening] (renovate[bot])
• Configure Renovate #653 (renovate[bot])
• simplify MySQL queries for user deletion #641 [mysql_hardening] (schurzi)
• Bump creyD/prettier_action from 4.2 to 4.3 #639 (dependabot[bot])
• Fix molecule tests for EL7 #636 [mysql_hardening] (rndmh3ro)
• run our CI tests periodically #634 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
• try to fix molecule local tests #632 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
• remove unnecessary tasks for VM based test #629 [os_hardening] (schurzi)

8.6.0 (2023-02-04)

Full Changelog

Implemented enhancements:

• make number of warning days before user password expires configurable #628 [os_hardening] (Normo)

Merged pull requests:

• Bump hugo19941994/delete-draft-releases from 1.0.0 to 1.0.1 #627 (dependabot[bot])

8.5.0 (2023-01-30)

Full Changelog

Implemented enhancements:

• Add support for /etc/auditd.conf num_logs to go with max_log_file_action #616
• password ageing not enforced #570
• Rewrite system account detection and hardening and create tests #621 [os_hardening] [ssh_hardening] (rndmh3ro)
• Add support for /etc/auditd.conf num_logs to go with max_log_file_action #617 [os_hardening] (richardlock)
• Preserve default ownership and dir mode for /var/log on Ubuntu #615 [os_hardening] (stdtom)
• rewrite user home dir hardening #584 [os_hardening] (DonEstefan)
• apply password age settings to existing regular users #582 [os_hardening] (DonEstefan)
• Parametrize more auditd.conf options #535 [os_hardening] (kravietz)

Fixed bugs:

• os_hardening is setting wrong ownership for /var/log on Ubuntu #614
• [os_hardening] Task for setting initramfs modules does not match its condition #590 [os_hardening]
• Support for Amazon Linux 2 #624 [ssh_hardening] (mmitnyan)

Deprecated:

• deprecate rebuilding of initramfs #618 [os_hardening] (rndmh3ro)

Closed issues:

• Ubuntu 22.04 vars file missing? #619
• SSH KexAlgorithms causes SSH daemon to fail #500
• Playbook won't run for hardening #462

Merged pull requests:

• do not let dependabot label our prs #626 (rndmh3ro)
• run linting only when files inside roles change #625 (rndmh3ro)
• cancel running tests if new commit to branch is made #622 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
• Fixed problems with running molecule locally with cgroup v2 #620 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
• Bump actions/setup-python from 1 to 4 #611 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (dependabot[bot])
• Bump creyD/prettier_action from 3.1 to 4.2 #610 (dependabot[bot])
• linting #603 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)

8.4.0 (2022-12-17)

Full Changelog

Implemented enhancements:

• Implement Test for MySQL systemd service #606
• Extended net hardening #607 [os_hardening] (DonEstefan)
• Add OpenSUSE support #605 [mysql_hardening] (rndmh3ro)
• Allow ssh_allow_tcp_forwarding to be a boolean #600 [ssh_hardening] (crisbal)
• OpenBSD does not support GSSAPI Authentication #598 [ssh_hardening] (dennisse)
• add Ansible specific templates for issues #596 (schurzi)
• use github templates for new issues #595 (schurzi)

Fixed bugs:

• os_auth_retries variable causes a comparison type error on pam tasks #593
• ssh_hardening: Install selinux dependencies fails on Oracle Linux (RHEL) 9 #585
• OpenBSD does not set distributiuon_major_version #597 [ssh_hardening] (dennisse)

Merged pull requests:

• Check for github action updates daily #609 (jlosito)
• add verify-task to check if mysql is running and enabled #608 [mysql_hardening] (rndmh3ro)
• Updates handlers for new ansible syntax and deprecated options for legacy commands #602 [os_hardening] (jsievertde)
• add notice to sign-off work to contributor guideline #601 (schurzi)

8.3.0 (2022-10-27)

Full Changelog

Implemented enhancements:

• add hardening of root user account(s) #579 [os_hardening] (DonEstefan)

Fixed bugs:

• cast expected int types in pam tasks #594 [os_hardening] (dlouzan)
• do not manage trusted user ca keys if none exist #580 [ssh_hardening] (hollow)

Closed issues:

• Trying to run the os_hardening on Debian 11, but fails on privilege escalation #587
• auditd increasing logfiles #586
• Path to nginx.conf should be configurable in a variable #577

Merged pull requests:

• adopt all current suggestions from ansible-lint #592 [mysql_hardening] [os_hardening] [ssh_hardening] (schurzi)
• Support more os #588 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
• run tests only on pushes to master or to PRs #581 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)

8.2.0 (2022-09-08)

Full Changelog

Implemented enhancements:

• Add nginx variables for config-path and owner/group #578 [nginx_hardening] (hagenbauer)
• add centos >8 Support #573 [ssh_hardening] (sbaerlocher)
• add always-tag to include so other tags can be used #569 [os_hardening] (rndmh3ro)

Closed issues:

• Bug using os_hardening "tags" #567

8.1.0 (2022-08-26)

Full Changelog

Closed issues:

• dev-sec CI bot should not update CHANGELOG.md in fork repository #566

Merged pull requests:

• update supported OS in meta and fix linting #572 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
• fix misleading comment #571 [os_hardening] (DonEstefan)
• only run release actions on upstream-repo #568 (rndmh3ro)

8.0.0 (2022-08-22)

Full Changelog

Breaking changes:

• change default to allow SFTP #564 [ssh_hardening] (schurzi)

Implemented enhancements:

• add possibility to keep .netrc files in users homedir #563 [os_hardening] (PhilippFunk)
• rework filesystem hardening #555 [os_hardening] (divialth)

Closed issues:

• Error in Task 'Create sshd_config and set permissions to root/600' #565 [ssh_hardening]
• [ssh_hardening] Debian 11 - Ansible cannot transfer files #557
• Add the old SFTP-Reminder to the stable ssh_hardening role for ansible #521

7.16.0 (2022-08-16)

Full Changelog

Implemented enhancements:

• revert debian 9 change, only one tls variable now #562 [nginx_hardening] (rndmh3ro)
• add possibility to run ssh_hardening as unprivileged user #561 [ssh_hardening] (schurzi)
• add basic support for ubuntu22.04 #554 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
• Add full support for Debian 11 #538 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (addianto)

Fixed bugs:

• Replace default 2048 bits RSA keypair fails on Ubuntu 20.04 #459

Closed issues:

• os-hardening: yum gpg-check fails if gpg-check already set #556
• Ubuntu 22.04 LTS #553
• Revert nginx ssl-protocol after deprecation of debian9 #528
• Support for Debian 11 #527
• Support baseline-control os-14 #507

7.15.1 (2022-07-26)

Full Changelog

Fixed bugs:

• Fix broken mode for /var/log/audit #552 [os_hardening] (hollow)

Merged pull requests:

• Only run hardening if /var/log/audit exists #550 [os_hardening] (mego22)

7.15.0 (2022-07-11)

Full Changelog

Implemented enhancements:

• Harden mountpoints #531 [os_hardening] (lbayerlein)

Fixed bugs:

• os_hardening gpg-check enabled fails on success #549 [os_hardening]
• add VM tests for os_hardening #547 [os_hardening] (schurzi)
• Linting #546 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)

7.14.3 (2022-06-29)

Full Changelog

Closed issues:

• Version 7.14.2 not released to Ansible Galaxy #544
• os_hardening role: os_ignore_users not described in the Readme's variable topic #542
• doc: incorrect description for ssh_client_alive_count #540
• 'legacy' branch is mentioned in README, but apparently doesn't exist #539
• ansible_role_name is undefined #532
• Can't sudo anymore after hardening #518
• Any planned official support for RHEL/CentOS Stream 9? #517

Merged pull requests:

• Improve documentation #541 [ssh_hardening] (schurzi)

7.14.2 (2022-02-28)

Full Changelog

Fixed bugs:

• debian 9's nginx doesn't support tls1.3 #526 [nginx_hardening] (rndmh3ro)
• Change permissions of the tmout.sh file #520 [os_hardening] (abejotaR)

Closed issues:

• No such file directory error triggered by the kernel.unprivileged_userns_clone configuration. #514

Merged pull requests:

• delete obsolete release drafts #530 (schurzi)
• add waivers to skip controls #529 [os_hardening] (rndmh3ro)
• remove centos8 tests #525 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)

7.14.1 (2022-02-18)

Full Changelog

Fixed bugs:

• move sysctls to debian specific vars #524 [os_hardening] (rndmh3ro)

Closed issues:

• Error when using the ssh_hardening role #519

7.14.0 (2021-12-16)

Full Changelog

Implemented enhancements:

• Add option to set timeout in seconds to logout users #516 [os_hardening] (lbayerlein)
• add feature to disable coredump to limit task #511 [os_hardening] (lbayerlein)
• change hidepid mount task state to mounted #510 [os_hardening] (alegrey91)
• prettify nginx options #509 [nginx_hardening] (schurzi)
• Update nginx_add_header README to match default #506 [nginx_hardening] (duffn)
• Updated dh_params to 4096 #501 [nginx_hardening] (ksaadDE)

Fixed bugs:

• Duplication of sysctl default parameter fs.protected_hardlinks and fs.protected_symlinks #502
• Fix duplicate sysctl config in fs #505 [os_hardening] (tekicat)

Merged pull requests:

• Feature coredump #513 [os_hardening] (rndmh3ro)

7.13.2 (2021-11-23)

Full Changelog

7.13.1 (2021-11-23)

Full Changelog

Closed issues:

• Unable to use 7.13.0 Release #503

7.13.0 (2021-11-15)

Full Changelog

Implemented enhancements:

• os_hardening: Provide a whitelist for yum repositories with non-signed RPMs #485
• Disable ctrl-alt-del key combination #496 [os_hardening] (lbayerlein)
• implement sysctl-34 - link protection settings #494 [os_hardening] (rndmh3ro)
• Add whitelist option for yum repository files #487 [os_hardening] (darxriggs)
• Add TLSv1.3 to nginx default configuration #470 [nginx_hardening] (ksaadDE)

Closed issues:

• Please create the collection in ansible-galaxy #407

Merged pull requests:

• Improve testing: install packages on Arch Linux #499 [os_hardening] [ssh_hardening] (darxriggs)
• add old role names to tags in Galaxy #495 (schurzi)
• update minimum ansible version for roles #493 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
• revive old tests with custom ssh settings #491 (rndmh3ro)

7.12.0 (2021-10-21)

Full Changelog

Implemented enhancements:

• feat(os_hardening): extend file permission tasks to cover more files #489 [os_hardening] (cmhe)

Fixed bugs:

• mysql remove deprecated 'secure_auth' parameter in mysql #346
• change baseline urls to full zip-url #490 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
• fix filter error in ansible.builtin.file mode parameter #486 [ssh_hardening] (ssttehrani)

Closed issues:

• Extend os_hardening minimize_access task to cover additional passwd/group/shadow/gshadow paths #488
• postgresql_hardening role #484
• os_hardening fails on "Create a combined sysctl-dict if overwrites are defined" task #482
• Improve changelog generation #381

7.11.0 (2021-08-30)

Full Changelog

Implemented enhancements:

• Use log_error file and datadir from mysql_info settings instead of variables mysql_datadir and mysql_hardening_log_file #478 [mysql_hardening] (123quhiwiwk)
• Execute check of MySQL error logfile permissions on Debian 11 only when log_error is defined #477 [mysql_hardening] (123quhiwiwk)
• [mysql_hardening] Setup defaults for MySQL on FreeBSD #474 [mysql_hardening] (sdwilsh)

Closed issues:

• MariaDB hardening fails, because log_error file is missing [Debian 11] #476

Merged pull requests:

• ssh_allow_tcp_forwarding is not a boolean #480 [ssh_hardening] (ReinerNippes)
• chore(ssh_hardening): set min_ansible_version to >=2.9.10 #479 [ssh_hardening] (bufferoverflow)

7.10.0 (2021-08-15)

Full Changelog

Implemented enhancements:

• use Ansible lint in separate task #475 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
• [mysql_hardening] Allow setting the mysql_distribution #473 [mysql_hardening] (sdwilsh)

Fixed bugs:

• mysql_hardening cannot work with mysql on freebsd #472

Closed issues:

• run ansible-lint only once in Github Actions #398

Merged pull requests:

• SSH Hardening: backtick typo #471 [ssh_hardening] (Slamdunk)
• fix license in galaxy #469 (rndmh3ro)

7.9.0 (2021-07-22)

Full Changelog

Implemented enhancements:

• Allow configuration of password remember in pam #467 [os_hardening] (m41kc0d3)
• Add CVE-2021-33909 mitigations #466 [os_hardening] (kravietz)
• Add SUB_UID_MIN/MAX/COUNT, SUB_GID_MIN/MAX/COUNT #463 [os_hardening] (elgalu)
• Add os_auth_uid_max, os_auth_gid_max #461 [os_hardening] (elgalu)

Closed issues:

• MySQL hardening fails because of missing attribute #464
• add "when" statements for every import_tasks in hardening.yml #453

Merged pull requests:

• update metadata to include community.mysql deps #465 (rndmh3ro)

7.8.0 (2021-07-01)

Full Changelog

Implemented enhancements:

• SHA_CRYPT_MIN_ROUNDS should be increased in login.defs #365 [os_hardening]
• Add support for Rocky Linux 8 #454 [mysql_hardening] [os_hardening] [ssh_hardening] (sherwind)
• make sha rounds configurable and increase no of rounds #452 [os_hardening] (rndmh3ro)

Fixed bugs:

• add tag always to os dependent vars task #456 [mysql_hardening] [os_hardening] [ssh_hardening] (schurzi)
• Use include_tasks for os_hardening/main.yml #451 [os_hardening] (coadler)

Closed issues:

• Disable IPv6 | sysctl-18 net.ipv6.conf.all.disable_ipv6: 1 #406 [os_hardening]

Merged pull requests:

• Cleanup old OS-support and simplify vars #458 [os_hardening] [ssh_hardening] (rndmh3ro)
• add rocky linux 8 tests and make sure that all relevant tasks are execd #457 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
• add "when" statements in hardening.yml(#453) #455 [os_hardening] (jqiuyin)
• enable ipv6 globally #450 [os_hardening] [ssh_hardening] (rndmh3ro)

7.7.0 (2021-05-24)

Full Changelog

Implemented enhancements:

• Add tasks for new controls #123
• ssh_allow_tcp_forwarding remote option added #447 [ssh_hardening] (alimli)

Fixed bugs:

• Warning: iptables-legacy tables present, Debian 10 #274
• Check for MariaDB Version when selecting users without passwords #444 [mysql_hardening] (neubi4)
• Adds dependency on ansible.posix and community.general #415 (irl)

Closed issues:

• No dependency on ansible.posix collection #414
• No dependency on community.general #413
• in lxc/docker/openvz IPv6 is always disabled by ufw-configuration #402
• Allow login_unix_socket to be specified #327

Merged pull requests:

• Removed sysctl that tries to disable IPv6 #449 [os_hardening] (lduesing)
• limit changelog labels to role names #448 (schurzi)
• add back labels to changelog #446 (rndmh3ro)

7.6.0 (2021-04-27)

Full Changelog

Implemented enhancements:

• ssh: Client HostKeyAlgorithms configuration variable #442 [ssh_hardening] (sepek)

Fixed bugs:

• mysql USER and HOST should be quoted for drop query #443 [mysql_hardening] (neubi4)

Closed issues:

• Support HostKeyAlgorithms configuration for ssh_client file #441

Merged pull requests:

• fixed a typo in comments #439 [ssh_hardening] (ssttehrani)

7.5.0 (2021-04-01)

Full Changelog

Implemented enhancements:

• Not accepting source routing for IPv6. This was already done for IPv4. #424 [os_hardening] (joubbi)

Fixed bugs:

• SSH kex sntrup4591761x25519-sha512@tinyssh.org replaced #433
• Fix ssh kex sntrup761x25519-sha512@openssh.com for openssh >= 8.5 #437 [ssh_hardening] (BenjaminBoehm)

Closed issues:

• Harden user home directories #276

Merged pull requests:

• remove secure-auth param if mysql >= 8.0.3 #438 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
• Improved comments. #436 [os_hardening] (joubbi)
• os_auth_pam_pwquality_options: Changed type to authtok_type #432 [os_hardening] (joubbi)
• add restart-auditd handler after configuration change #427 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
• add new tasks to delete mysql users without passwords #423 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
• Uppercased first letter of task names. #422 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (joubbi)

7.4.0 (2021-03-23)

Full Changelog

Implemented enhancements:

• Harden user home dirs #428 [os_hardening] (rndmh3ro)

Closed issues:

• Errors in packer build for vagrant builder #244

Merged pull requests:

• Use pam_pwhistory.so instead of pam_unix.so for remembering old passwords #431 [os_hardening] (joubbi)
• Remove comments from PAM config file, but keep it in the template #430 [os_hardening] (joubbi)
• add support for using a proxy to test with molecule #429 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
• Improve Documentation for sysctl defaults #418 [os_hardening] (joubbi)

7.3.0 (2021-03-16)

Full Changelog

Implemented enhancements:

• pam_tally2 is deprecated in RHEL8 and pam_faillock should be used in EL7 and EL8 instead. #377 [os_hardening]
• Replace pam_tally2 with pam_faillock in Redhat #273 [os_hardening]
• Extend GSSAPI configuration support to ssh_config #403 [ssh_hardening] (wzzrd)
• add restart handler variable for mysql role #399 [mysql_hardening] (rndmh3ro)
• restructure PAM handling and update for currently supported Linux distributions #392 [os_hardening] (schurzi)

Fixed bugs:

• Not able to use sudo command for user authenticated via ActiveDirectory #278 [os_hardening]
• You shouldn't touch /etc/pam.d/system-auth-ac in RedHat/CentOS #252 [os_hardening]

Closed issues:

• Netdata monitoring of docker in docker no longer possible #412
• Unable to connect with SSH (Permission denied (publickey)) #411
• TASK [os_hardening : configure auditd | package-08] #410
• Collection throws undefined ansible_role_name error in auditd task #409
• Ensure permissions on /etc/crontab are configured #375 [os_hardening]
• Documentation should be updated #361

Merged pull requests:

• Improve Release Action #421 (schurzi)
• remove FQCN from roles in examples #420 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
• Ensure permissions on /etc/crontab are configured #405 [os_hardening] (joubbi)
• remove FQCN from roles in examples #404 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
• do not install mysql python package on target host #401 [mysql_hardening] (rndmh3ro)
• make wrong password fail task #400 [mysql_hardening] (rndmh3ro)

7.2.0 (2021-02-10)

Full Changelog

Implemented enhancements:

• Add variable to specify SSH host RSA key size #394 [ssh_hardening] (Normo)
• Set default for ssh host key files only when hardening the server #393 [ssh_hardening] (Normo)

Fixed bugs:

• A reason why instance would go in rescue mode ? #267
• fix galaxy action to update local galaxy.yml #395 (Normo)

Closed issues:

• Updating version in galaxy.yml should be part of the release process #396
• ssh_hardening fail on keypair generation #388
• The system must display the date and time of the last successful account logon upon an SSH logon. #362
• Error in "root password is present" step #326

Merged pull requests:

• update ansible-lint to version 5 #397 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
• fix minimum required ansible version in docs #390 (schurzi)

7.1.1 (2021-02-05)

Full Changelog

Fixed bugs:

• use fqcn for community.crypto.openssh_keypair module #389 [ssh_hardening] (schurzi)

Closed issues:

• AnsibleUndefinedVariable: 'ansible_role_name' is undefined with 7.1.0 #387

7.1.0 (2021-02-02)

Full Changelog

Implemented enhancements:

• Default value for ssh_max_startups should be changed #366 [ssh_hardening]
• Comment in configuration files should state which collection was there #345
• Error on applying the sysctl vars on Debian Jessy #230
• add Support for OpenSSH HostCertificate config option #380 [ssh_hardening] (mpraeger)
• Syncookie #372 [os_hardening] (joubbi)
• Sorted sysctl values and lists in READMEs alphabetically (No functional changes). #371 [os_hardening] (joubbi)
• make auditd 'max_log_file' configurable #370 [os_hardening] (tgueldner-mms)
• reduce maximum unauthenticated ssh sessions #368 [ssh_hardening] (schurzi)
• add a runtime.yml to declare minimum ansible version #363 (rndmh3ro)
• change inclusion of os specific defaults #353 [mysql_hardening] [os_hardening] [ssh_hardening] (schurzi)
• make the os_env_umask variable usable #351 [os_hardening] (sprat)
• Fix #348: make ssh configuration files paths configurable #350 [ssh_hardening] (sprat)
• Removed Protocol statement in later versions of sshd, since the code … #342 [ssh_hardening] (joubbi)
• Improvements of comments in opensshd.conf.j2 #338 #339 [ssh_hardening] (joubbi)

Fixed bugs:

• Comments in opensshd.conf.j2 should be improved #338
• check for correct cpu vendor in initramfs-tools #374 [os_hardening] (schurzi)
• set hidepid=0 on RHEL/CentOS 7 #369 [os_hardening] (schurzi)

Closed issues:

• initramfs-tools modules.j2 does not seem to be able to detect AMD CPUs #373
• How do i install this on Centos 8? #367
• hidepid=2 gives error when running systemctl on EL7 #364 [os_hardening]
• Allow putting the ssh/sshd config in alternative files #348
• os_env_umask has no effect #344
• Don't modify /etc/sysctl.conf #343 [os_hardening]

Merged pull requests:

• use version tag for changelog action #386 (schurzi)
• make release workflow manually runnable #384 (schurzi)
• run labeler workflow with higher privileges #383 (schurzi)
• remove issue labels from changelog #382 (schurzi)
• Added comment on top of templates about which role manages the file #378 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (joubbi)
• Regenerate RSA key with size 4096 bits #376 (ssttehrani)
• fix second changelog generation task, too #349 (rndmh3ro)
• fix changelog generation #341 (rndmh3ro)
• Improve README for ssh_hardening #335 [ssh_hardening] (szEvEz)

7.0.0 (2020-11-11)

Full Changelog

Breaking changes:

• Move all roles to one single collection #332 (rndmh3ro)

Implemented enhancements:

• Breaking change in ansible-lint - set file permissions explicitly #299 [os_hardening]
• Configure audit=1 for more accurate auid auditing #253
• Add Debian Buster support for ansible-os-hardening #233
• Add CentOS 8 support for ansible-os-hardening #232
• Speed up "minimize access on found files" task #208
• Fedora support? #163
• Update some RH settings in this role #155
• Add selinux configuration #154
• Warning about "include" for tasks for ansible-playbook 2.4.0 (devel f0a5854e39) #131
• Removal of core dump hardening configuration if core dumps are allowed #129
• Description of the Ansible roles of dev-sec says "This Ansible playbook" #97
• Improve Documentation #315 [os_hardening] (schurzi)
• Arch support #303 [os_hardening] (rndmh3ro)
• fix linting for molecule #301 [os_hardening] (schurzi)
• file permissions explicitly defined #300 [os_hardening] (danielkubat)
• Optimize and unify when clause #295 (Alexhha)
• use find module instead of shell #294 (danielkubat)
• improve testing #287 (schurzi)
• Mount proc filesystem using hidepid option #283 (alegrey91)
• unify changelog and release actions #279 (rndmh3ro)
• purge insecure packages #275 (chris-rock)
• add changelog and release workflow #271 (rndmh3ro)
• github action for changelog generation #270 (rndmh3ro)
• Make useradd defaults in login.defs dependent on OS #266 (aisbergg)
• Add kernel hardening parameters from Tails and CIS Benchmark #263 (kravietz)
• add ansible-lint #262 (rndmh3ro)
• Remove trailing space #261 (kravietz)
• Add kernel parameter information to README #259 (jaredledvina)
• Remove trailing whitespaces (ansible-lint 201) #254 (kravietz)
• Standardize the var ordering #251 (dustinmiller)
• Add initial support for OpenSUSE #250 (dustinmiller)
• Make max_log_file_action for auditd configurable #246 (jandd)
• Add exception in sysctl task #240 (ghost)
• Fedora - Use new auto ansible_python_interpreter for dnf #239 (jaredledvina)
• add test support for CentOS8 #237 (yeoldegrove)
• Support configuring SELinux and default to enforcing #236 (jaredledvina)
• Add test support for debian buster #234 (123Haynes)
• Changed local var name to a less common one #231 (rgarrigue)
• Use ansible facts for vars #226 (joshuatalb)
• Fix deprecation warnings in Ansible 2.8 #224 (Normo)
• add docs to find-task in minimize access. fix #219 #220 (rndmh3ro)
• remove eol'd OS and add new #217 (rndmh3ro)
• Add note about docker under warning #214 (ChrisMcKee)
• change minimize access tasks to speed them up #209 (rndmh3ro)
• Added fedora support #206 (jonaswre)
• Pass package list directly to apt and yum modules without using with_items loop #200 (Normo)
• add ubuntu 1804 support #196 (rndmh3ro)
• add option to disable auditd #192 (rndmh3ro)
• fix problems with efi and vfat #190 (rndmh3ro)
• added os_hardening_enabled flag #186 (jcheroske)
• add amazon run opts to travis #183 (rndmh3ro)
• use package instead of yum and apt #180 (rndmh3ro)
• add oracle7 to travis #178 (rndmh3ro)
• fix wrong permissions passwdqc #170 #176 (rndmh3ro)
• ipv4 forwarding comment is inconsistent with example #174 (carchrae)
• Rename pam_passwdqd.j2 to pam_passwdqc.j2 #172 (martinbydefault)
• Use package state 'present' since 'installed' is deprecated #168 (Normo)
• Update syntax to Ansible 2.4 #161 (thomasjpfan)
• add amazon linux testing #160 (rndmh3ro)
• Add support for Amazon Linux #158 (woneill)
• Don't create home for system accounts #156 (oakey-b1)
• Prevent disabling of filesystems via whitelist #153 (manuelprinz)
• Add kernel hardening settings from Ubuntu /etc/sysctl.d #150 (kravietz)
• Removal of core dump hardening configuration if core dumps are allowed #146 (martinbydefault)
• install and configure auditd - fix inspec package-08 #144 (rndmh3ro)
• add missing sysctl parameter #143 (rndmh3ro)
• update readme #139 (rndmh3ro)
• add modprobe template, control os-10 #138 (rndmh3ro)
• new task for delete netrc files, control os-09 #137 (rndmh3ro)
• add passwd task, control os-03 #136 (rndmh3ro)
• remove prelink package, control package-09 #135 (rndmh3ro)
• style update #134 (rndmh3ro)
• Remove deprecated include for static tasks and use instead import_tasks fix #131 #132 (HelioCampos)
• Fix ansible.cfg and use comment filter #130 (fazlearefin)
• install initramfs-tools #114 (rndmh3ro)
• omit empty variables #106 (rndmh3ro)
• Supports --check mode #93 (conorsch)
• Adds support for CentOS 7 #91 (conorsch)
• Docker #90 (rndmh3ro)
• debian 8 support #88 (rndmh3ro)
• Ufw manage defaults #85 (fitz123)
• replace ignore_errors to failed_when to suppress ugly error warnings #81 (fitz123)
• fix bare variables usage for loops #79 (fitz123)
• update platforms in meta-file #69 (rndmh3ro)
• add webhook for ansible galaxy #68 (rndmh3ro)
• Move sysctl vars to defaults #67 (rndmh3ro)
• make sys_uid and sys_gid configurable #62 (rndmh3ro)
• Ansible 2.0 support #59 (rndmh3ro)
• use inspec as test framework #58 (chris-rock)
• Packages as attributes #57 (rndmh3ro)
• Change categories to tags for upcoming ansible 2.0 #56 (rndmh3ro)
• Add SINGLE and PROMPT parameters. #55 (rndmh3ro)
• add changelog generator #54 (chris-rock)

Fixed bugs:

• Task "set 10.hardcore.conf perms to 0400 and root ownership" fails in check mode #313
• Inconsistent use of role vars/role defaults #284
• Is it safe to use on Debian 10? The build is failing. #281
• /etc/login.defs alters centos 7/8 default values #265
• Invalid Conditionals in user_accounts.yml #255
• auth-system related files are created for non-RHEL systems (e.g. Debian) #247
• NSA website links are stale #227
• Running ansible on python3 throughs "TypeError: '<=' not supported between instances of 'str' and 'int'" #223
• [lots of] deprecation warnings in Ansible 2.8 #221
• squash_actions deprecation warning #218
• login.defs.j2 template: ENV_PATH is missing ':' before variable substitution #202
• auditd causing v5.0 to fail on unprivileged LXC's #191
• Setting os_security_users_allow has no effect #175
• minimize_access: maximum recursion depth exceeded on Ansible 2.5 #171
• wrong permissions passwdqc #170
• 'sysctl_rhel_config' is undefined #167
• Update deprecated include statements #166
• Strongly recommend against disabling vfat by default #162
• bug in ufw.j2 template #151
• Add a "don't fail on error" switch ? #148
• System completely unresponsive after role execution #145
• Why is rsync removed? #141
• RHEL 7.4: Too many setuid bits removed #140
• Change system accounts not on the user provided ignore-list items are not JSON serializable #125
• playbook makes OS undetectable #124
• Centos7/RHEL7: Exec shield is enabled by default and not manageable anymore by sysctl.conf #118
• Could not find gem 'ruby (>= 2.1.0)' #116
• os_security_kernel_enable_sysrq is not implemented #115
• The task sysctl fails when /etc/initramfs-tools is not present #111
• The role fails when conditionally included #105
• Deprecation warning always_run #103
• CentOS 7 selinux dependencies #102
• ubuntu xenial warning during activate gpg-check for yum-repos #99
• rhel_system_auth.j2 is still using pam_passwdqc.so for CentOS 7 #98
• Centos 7.1 fails at [Change various sysctl-settings on rhel-hosts...] #74
• Enable pam_pwquality in rhel-family > 7 #73
• Hardening fails on Centos 7.1 at task 'minimize access' #71
• "irc" user always changed after reboot #53
• use touch for 10.hardcore.conf to avoid problems with dry-run #314 (schurzi)
• use touch with no date changes #310 (rndmh3ro)
• do not touch sysctl file to avoid idempotency problems #309 (rndmh3ro)
• replace module parameter fixed #297 (danielkubat)
• Addressing issue #255 #258 (ljkimmel)
• Fix #247, cleanup conditions #248 (fernandezcuesta)
• Fix error on applying the sysctl vars on containers #243 (ghost)
• Update location of NSA RHEL 5 Guide #235 (jaredledvina)
• Fix typo #212 (ruslo)
• Update modprobe to 0644 #211 (joshuatalb)
• Test Kitchen Vagrant Fixes #210 (joshuatalb)
• [readme] Update documentation link #207 (pmav99)
• fix ansible lint remarks #204 (rndmh3ro)
• add colon to user env paths - fix #202 #203 (rndmh3ro)
• add /usr/bin/su to suid_guid whitelist #199 (ccolic)
• ensure that permissions to su-binary are not restricted to root user and group only, if os_security_users_allow contains the value change_user #197 (szEvEz)
• do not install passwdqc on amazon linux #189 (rndmh3ro)
• add back run opts for debian 8 in travis #184 (rndmh3ro)
• Fix core dump config file creation when core dumps are disabled #182 (Normo)
• change minimize access method #181 (rndmh3ro)
• Fix errors produced by ansible-lint #159 (zbrojny120)
• replace single ticks with double ticks. fix #151 #152 (rndmh3ro)
• fixed tag #149 (martinbydefault)
• Remove rsync from package blacklist #142 (duk3luk3)
• Updates "tags" parameters on includes in main.yml #66 (conorsch)
• Suid set def var, fix #64 #63 (rndmh3ro)

Closed issues:

• Any planned support for RHEL/CentOS 8? #298
• Consider using find module instead of shell #293
• Optimize logical OR in when clause #292
• vfat added to dev-sec.conf, but efi is used #288
• The state of the galaxy release #269
• OpenSUSE Support #249
• ansible hardening fails on ubuntu 16.04 with msg": "ERROR! 'sysctl_rhel_config' is undefined #147
• Enhancement: Test with TestInfra and Molecule #128
• Enhancement: Pin python dependencies for development and testing #127
• Update readme to include baselines #122
• Error running on RHEL 7 due to syntax issues #112
• disable password age #109
• Permissions on /etc/shadow can lock out GUI users #86
• network related sysctl rewritten by ufw in ubuntu #82
• ansible >= 2.0 complains: Using bare variables is deprecated #78
• Hardening fails on Centos 7.1 at task 'remove suid/sgid bit from all binaries except in system and user whitelist' #72
• ansible 2.0 | "remove suid/sgid" task fails #64
• Custom sysctl #50
• Fix directory structure. #48
• pam auth update error #47
• ansible-os-hardening/tasks/minimize_access.yml #38
• Role configuration. vars/main.yml? #34
• Sysctl reloading #18
• Add conditions for disabling of ip forwarding #15
• Disable System Accounts #6

Merged pull requests:

• prettier markdown files action added #322 (danielkubat)
• adjust permissions on shadow file on suse #311 (rndmh3ro)
• fix fedora build #296 (rndmh3ro)
• do not blacklist used filesystems #289 (schurzi)
• move hidepid vars into defaults so they're overwritable #285 (rndmh3ro)
• install procps in debian so sysctl.conf exists #282 (rndmh3ro)
• move defaults to os-specific vars #157 (rndmh3ro)
• Converts set to JSON-serializable list #126 (pestaa)
• add more sysctl settings, allow overwriting #120 (rndmh3ro)
• remove execshield sysctl-parameter on rhel7 #119 (rndmh3ro)
• change shadow owner in debian systems #117 (rndmh3ro)
• Rhel7 #113 (tyrken)
• use new Docker images #110 (rndmh3ro)
• Don’t refer to this role as "playbook" in the role description #104 (ypid)
• update template #101 (rndmh3ro)
• fix deprecation warning for undefined error. #99 #100 (rndmh3ro)
• add rhel7 pam_pwquality. fix #73 #94 (rndmh3ro)
• Fix a formatting issue in readme. #92 (vivekagr)
• Permits overriding permissions on /etc/shadow #89 (conorsch)
• Release 3.0.0 #75 (rndmh3ro)
• Add explicit role-path to kitchen.yml #52 (rndmh3ro)
• Fix pam passwdqc template #51 (rndmh3ro)
• New dir layout #49 (rndmh3ro)
• remove duplicate "update pam" task #46 (fitz123)
• Fix stuck in case pam files was updated before by force update #45 (fitz123)
• Fix nologin shell path #44 (fitz123)
• improved travis-tests to cover more cases #42 (rndmh3ro)
• Update kitchen-ansible, remove separate debian install #40 (rndmh3ro)
• Add mode to su-binary task. Fix #38 #39 (rndmh3ro)
• update common kitchen.yml platforms (ansible), kitchen_debian.yml platforms (ansible) #37 (chris-rock)
• Change oneliner if-statements to be more readable #36 (rndmh3ro)
• Separate system-vars from editable vars. Fix #34 #35 (rndmh3ro)
• Create limits.d-directory if it does not exist. #33 (rndmh3ro)
• Add correct CONTRIB-file #32 (rndmh3ro)
• Add Ansible Galaxy badge #31 (rndmh3ro)
• Update readme, todo, changelog, vars #30 (rndmh3ro)
• List-cleanup and follow symlinks added #29 (rndmh3ro)
• Add module configuration #28 (rndmh3ro)
• Fix two sysctl-settings #27 (rndmh3ro)
• Add meta-files for Ansible Galaxy #26 (rndmh3ro)
• Disable System Accounts. Fix #6 #25 (rndmh3ro)
• Use changed_when to avoid changed tasks #24 (rndmh3ro)
• Delete authconfig-task on rhel-systems #23 (rndmh3ro)
• Add missing rhosts-include task #21 (rndmh3ro)
• Change sysctl-task. Fix #18 #20 (rndmh3ro)
• Add travis-support #17 (rndmh3ro)
• Add conditions for various tasks. Fix #15 #16 (rndmh3ro)
• fix configuration of playbook path #14 (chris-rock)
• Make tasks clearer #13 (rndmh3ro)
• Add remove suid/sgid function #12 (rndmh3ro)
• Add task to remove unused repos and pkgs #11 (rndmh3ro)
• Edit README to fit to os-hardening #10 (rndmh3ro)
• ignore RAs on Ipv6 #9 (rndmh3ro)
• Repair debian install script #8 (rndmh3ro)
• Separate tasks into multiple smaller files #7 (rndmh3ro)
• Enable gpg-check on all yum-repositories #5 (rndmh3ro)
• Change playbook-path to accommodate test-repo #4 (rndmh3ro)
• treat securetty config as an array #3 (arlimus)
• Add Securetty-support #2 (rndmh3ro)
• Add profile.conf configuration #1 (rndmh3ro)

* This Changelog was automatically generated by github_changelog_generator