From 9f38db57753faab6833094f1ad352cd66510a4ea Mon Sep 17 00:00:00 2001 
From: Oleg Lavrovsky
Date: Thu, 18 Feb 2021 16:40:18 +0100
Subject: [PATCH] Ansible roles updated
---
 Pipfile.lock | 389 ++++++++++--------
 README.md | 10 +-
 .../inventories/carbon/files/cloudflare.key | 28 ++
 .../inventories/carbon/files/cloudflare.pem | 29 ++
 .../group_vars/webservers/vars.yaml | 0
 .../carbon/group_vars/webservers/vault.yaml | 48 +++
 ansible/inventories/carbon/webservers | 13 +
 .../lagoon}/files/cloudflare.key | 0
 .../lagoon}/files/cloudflare.pem | 0
 .../lagoon/group_vars/webservers/vars.yaml | 29 ++
 .../group_vars/webservers/vault.yaml | 0
 .../{production => lagoon}/webservers | 0
 .../inventories/nations/files/cloudflare.key | 90 ++++
 .../inventories/nations/files/cloudflare.pem | 122 ++++++
 .../group_vars/webservers/vars.yaml | 0
 .../group_vars/webservers/vault.yaml | 0
 .../{evolution => nations}/webservers | 0
 .../meta/.galaxy_install_info | 2 +-
 .../.github/workflows/changelog.yml | 34 --
 .../.github/workflows/release.yml | 22 +-
 .../dev-sec.os-hardening/.kitchen.vagrant.yml | 11 +
 .../roles/dev-sec.os-hardening/.kitchen.yml | 58 ++-
 .../roles/dev-sec.os-hardening/.travis.yml | 86 ++--
 .../roles/dev-sec.os-hardening/CHANGELOG.md | 79 +++-
 ansible/roles/dev-sec.os-hardening/README.md | 3 +-
 .../dev-sec.os-hardening/defaults/main.yml | 3 +
 .../meta/.galaxy_install_info | 4 +-
 .../dev-sec.os-hardening/rhel6_provision.rb | 7 +
 .../dev-sec.os-hardening/suse_provision.rb | 7 +
 .../roles/dev-sec.os-hardening/tasks/apt.yml | 1 +
 .../dev-sec.os-hardening/tasks/auditd.yml | 1 -
 .../dev-sec.os-hardening/tasks/hardening.yml | 5 +-
 .../dev-sec.os-hardening/tasks/limits.yml | 1 -
 .../roles/dev-sec.os-hardening/tasks/main.yml | 1 -
 .../tasks/minimize_access.yml | 8 +
 .../dev-sec.os-hardening/tasks/modprobe.yml | 10 +-
 .../roles/dev-sec.os-hardening/tasks/pam.yml | 5 +-
 .../dev-sec.os-hardening/tasks/sysctl.yml | 19 +-
 .../roles/dev-sec.os-hardening/tasks/yum.yml | 37 +-
 .../roles/dev-sec.os-hardening/tests/test.yml | 7 +
 .../.github/workflows/changelog.yml | 34 --
 .../.github/workflows/release.yml | 25 +-
 .../.kitchen.vagrant.yml | 3 +
 .../roles/dev-sec.ssh-hardening/.kitchen.yml | 61 ++-
 .../roles/dev-sec.ssh-hardening/.travis.yml | 80 ++--
 .../roles/dev-sec.ssh-hardening/CHANGELOG.md | 164 +++++++-
 ansible/roles/dev-sec.ssh-hardening/README.md | 27 +-
 .../dev-sec.ssh-hardening/defaults/main.yml | 105 +++--
 .../roles/dev-sec.ssh-hardening/files/sshd | 17 +
 .../dev-sec.ssh-hardening/handlers/main.yml | 6 +-
 .../meta/.galaxy_install_info | 4 +-
 .../roles/dev-sec.ssh-hardening/meta/main.yml | 3 +
 .../tasks/ca_keys_and_principals.yml | 10 +-
 .../dev-sec.ssh-hardening/tasks/crypto.yml | 75 ----
 .../tasks/crypto_ciphers.yml | 10 +
 .../tasks/crypto_hostkeys.yml | 21 +
 .../tasks/crypto_kex.yml | 15 +
 .../tasks/crypto_macs.yml | 27 ++
 .../dev-sec.ssh-hardening/tasks/hardening.yml | 48 ++-
 .../dev-sec.ssh-hardening/tasks/main.yml | 1 -
 .../dev-sec.ssh-hardening/tasks/selinux.yml | 59 +--
 .../templates/authorized_principals.j2 | 2 +-
 .../templates/openssh.conf.j2 | 26 +-
 .../templates/opensshd.conf.j2 | 117 +++---
 .../templates/revoked_keys.j2 | 5 +-
 .../templates/trusted_user_ca_keys.j2 | 6 +-
 .../dev-sec.ssh-hardening/tests/default.yml | 45 +-
 .../tests/default_custom.yml | 52 ++-
 .../dev-sec.ssh-hardening/vars/Archlinux.yml | 10 +
 .../dev-sec.ssh-hardening/vars/Debian.yml | 3 +
 .../dev-sec.ssh-hardening/vars/Fedora.yml | 3 +
 .../dev-sec.ssh-hardening/vars/FreeBSD.yml | 3 +
 .../dev-sec.ssh-hardening/vars/OpenBSD.yml | 3 +
 .../vars/Oracle Linux.yml | 3 +
 .../dev-sec.ssh-hardening/vars/RedHat.yml | 3 +
 .../dev-sec.ssh-hardening/vars/RedHat_8.yml | 3 +
 .../dev-sec.ssh-hardening/vars/SmartOS.yml | 8 +
 .../meta/.galaxy_install_info | 2 +-
 78 files changed, 1540 insertions(+), 718 deletions(-)
 create mode 100644 ansible/inventories/carbon/files/cloudflare.key
 create mode 100644 ansible/inventories/carbon/files/cloudflare.pem
 rename ansible/inventories/{production => carbon}/group_vars/webservers/vars.yaml (100%)
 create mode 100644 ansible/inventories/carbon/group_vars/webservers/vault.yaml
 create mode 100644 ansible/inventories/carbon/webservers
 rename ansible/{ => inventories/lagoon}/files/cloudflare.key (100%)
 rename ansible/{ => inventories/lagoon}/files/cloudflare.pem (100%)
 create mode 100644 ansible/inventories/lagoon/group_vars/webservers/vars.yaml
 rename ansible/inventories/{production => lagoon}/group_vars/webservers/vault.yaml (100%)
 rename ansible/inventories/{production => lagoon}/webservers (100%)
 create mode 100644 ansible/inventories/nations/files/cloudflare.key
 create mode 100644 ansible/inventories/nations/files/cloudflare.pem
 rename ansible/inventories/{evolution => nations}/group_vars/webservers/vars.yaml (100%)
 rename ansible/inventories/{evolution => nations}/group_vars/webservers/vault.yaml (100%)
 rename ansible/inventories/{evolution => nations}/webservers (100%)
 delete mode 100644 ansible/roles/dev-sec.os-hardening/.github/workflows/changelog.yml
 create mode 100644 ansible/roles/dev-sec.os-hardening/rhel6_provision.rb
 create mode 100644 ansible/roles/dev-sec.os-hardening/suse_provision.rb
 delete mode 100644 ansible/roles/dev-sec.ssh-hardening/.github/workflows/changelog.yml
 create mode 100644 ansible/roles/dev-sec.ssh-hardening/files/sshd
 delete mode 100644 ansible/roles/dev-sec.ssh-hardening/tasks/crypto.yml
 create mode 100644 ansible/roles/dev-sec.ssh-hardening/tasks/crypto_ciphers.yml
 create mode 100644 ansible/roles/dev-sec.ssh-hardening/tasks/crypto_hostkeys.yml
 create mode 100644 ansible/roles/dev-sec.ssh-hardening/tasks/crypto_kex.yml
 create mode 100644 ansible/roles/dev-sec.ssh-hardening/tasks/crypto_macs.yml
 create mode 100644 ansible/roles/dev-sec.ssh-hardening/vars/Archlinux.yml
 create mode 100644 ansible/roles/dev-sec.ssh-hardening/vars/SmartOS.yml
diff --git a/Pipfile.lock b/Pipfile.lock
index 2e754d2..963f01f 100644
--- a/Pipfile.lock
+++ b/Pipfile.lock
@@ -39,10 +39,11 @@ }, "chardet": { "hashes": [ - "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae", - "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691" + "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa", + "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5" ], - "version": "==3.0.4" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==4.0.0" }, "click": { "hashes": [ @@ -54,10 +55,10 @@ }, "concurrentloghandler": { "hashes": [ - "sha256:8225a590fd4194c413fa26675bde5f6b80ad79e4182d5876ba3e264f77755918", "sha256:4ccae08b7f9b3257de35f847e2de8629c00c2075f8ce66db8ed06d7657e2eeae", - "sha256:aa608aa0ce32d86d2061dec91cd58a2a367f97110851529d2aa6ebf96d9dcd4d", - "sha256:5d199eecc23751ab1f705826660f733c1090f62789f3e3c44296e706fc75b547" + "sha256:5d199eecc23751ab1f705826660f733c1090f62789f3e3c44296e706fc75b547", + "sha256:8225a590fd4194c413fa26675bde5f6b80ad79e4182d5876ba3e264f77755918", + "sha256:aa608aa0ce32d86d2061dec91cd58a2a367f97110851529d2aa6ebf96d9dcd4d" ], "index": "pypi", "version": "==0.9.1" 
@@ -86,19 +87,19 @@ }, "django": { "hashes": [ - "sha256:558cb27930defd9a6042133258caf797b2d1dee233959f537e3dc475cb49bd7c", - "sha256:cf5370a4d7765a9dd6d42a7b96b53c74f9446cd38209211304b210fe0404b861" + "sha256:0eaca08f236bf502a9773e53623f766cc3ceee6453cc41e6de1c8b80f07d2364", + "sha256:c9c994f5e0a032cbd45089798b52e4080f4dea7241c58e3e0636c54146480bb4" ], "index": "pypi", - "version": "==2.2.17" + "version": "==2.2.18" }, "django-anymail": { "hashes": [ - "sha256:0301f2ea1dde7840e5276a5e2d1ca2a56fd558e2b71800e89ca895c18aa3c615", - "sha256:0c3e56a339a37e654b7511572564fe0949f4fbb12c072761c9e35cfc49cb4dc1" + "sha256:6381e04c41b2644e2d3ba2f95ee61ee3ee40cb6184506c52a363b9ddef0b098e", + "sha256:e011c582e771ce3970480c10d1e129ac036ba773e37ec56780a79776534b2ba6" ], "index": "pypi", - "version": "==8.1" + "version": "==8.2" }, "django-appconf": { "hashes": [ @@ -124,19 +125,19 @@ }, "django-contrib-comments": { "hashes": [ - "sha256:b83320a86081a76bc0570e6cc0f924c0ced40b46ae9f5dd783ab2c745b449529", - "sha256:d1232bade3094de07dcc205fc833204384e71ba9d30caadcb5bb2882ce8e8d31" + "sha256:26350b2c353816570a74b7fb19c558ce00288625ac32886a5274f4f931c098f9", + "sha256:d15ce050c6b1589ec3086c4f5db3e4dec8adf54bb0d9d6b7efc1372669773752" ], "index": "pypi", - "version": "==1.9.2" + "version": "==2.0.0" }, "django-crispy-forms": { "hashes": [ - "sha256:92ed3fdc52c08d21d60adbb9de24e432c590e66e894f43cee0974fc959209976", - "sha256:d3f808d20cafe20fd38a49a47e72db1fd519fcf31bef4f47f008619336a3ebff" + "sha256:21cf717b621f93cdf01bac0a419b520fe3b17bffd67e140b6c16558d9b75ab80", + "sha256:a2aa34ee3fccafdebb33c016cbd60246b37df85dae717637c6419b929fa24b25" ], "index": "pypi", - "version": "==1.10.0" + "version": "==1.11.0" }, "django-el-pagination": { "hashes": [ 
@@ -179,11 +180,11 @@ }, "django-social-share": { "hashes": [ - "sha256:5cae1a68a298a5312f6e5900b6b9d341ba5568609eba7aadcdb3ee41db372e1a", - "sha256:9fca9558c4fbe496e09e0bed3d26d51ee84c8a397762cfb0107d8cbd56c4a9dc" + "sha256:4062c31ddad15eb9f7796cdfaae5a813018a3fd8da2b77f3e063e3a31252f84a", + "sha256:6de83acdd2a566c70af29b229a6430ccf8031d3d0ae1612419f633cbd9f649f5" ], "index": "pypi", - "version": "==2.1.0" + "version": "==2.2.1" }, "django-taggit": { "hashes": [ @@ -202,21 +203,24 @@ }, "django-treebeard": { "hashes": [ - "sha256:83aebc34a9f06de7daaec330d858d1c47887e81be3da77e3541fe7368196dd8a" + "sha256:214ae3ab331a7de11fb055a2015c201e34f3fa14255b667e1e07752231a7a398", + "sha256:f50e4eea146f7af6702decf7ef198ac1eee1fb9bb4af2c5dba276c3c48f76623" ], - "version": "==4.3.1" + "markers": "python_version >= '3.6'", + "version": "==4.4" }, "djangorestframework": { "hashes": [ - "sha256:0209bafcb7b5010fdfec784034f059d512256424de2a0f084cb82b096d6dd6a7" + "sha256:0209bafcb7b5010fdfec784034f059d512256424de2a0f084cb82b096d6dd6a7", + "sha256:0898182b4737a7b584a2c73735d89816343369f259fea932d90dc78e35d8ac33" ], "markers": "python_version >= '3.5'", "version": "==3.12.2" }, "draftjs-exporter": { "hashes": [ - "sha256:d415a9964690a2cddb66a31ef32dd46c277e9b80434b94e39e3043188ed83e33", - "sha256:5839cbc29d7bce2fb99837a404ca40c3a07313f2a20e2700de7ad6aa9a9a18fb" + "sha256:5839cbc29d7bce2fb99837a404ca40c3a07313f2a20e2700de7ad6aa9a9a18fb", + "sha256:d415a9964690a2cddb66a31ef32dd46c277e9b80434b94e39e3043188ed83e33" ], "version": "==2.1.7" }, 
@@ -259,11 +263,11 @@ }, "humanize": { "hashes": [ - "sha256:6790d9ba139ce09761ae901be9b22bd32a131fa65ecc82cdfc4d86f377f7395d", - "sha256:fd3eb915310335c63a54d4507289ecc7b3a7454cd2c22ac5086d061a3cbfd592" + "sha256:ab69004895689951b79f2ae4fdd6b8127ff0c180aff107856d5d98119a33f026", + "sha256:d47d80cd47c1511ed3e49ca5f10c82ed940ea020b45b49ab106ed77fa8bb9d22" ], "markers": "python_version >= '3.6'", - "version": "==3.1.0" + "version": "==3.2.0" }, "idna": { "hashes": [ 
@@ -307,61 +311,82 @@ }, "openpyxl": { "hashes": [ - "sha256:18e11f9a650128a12580a58e3daba14e00a11d9e907c554a17ea016bf1a2c71b", - "sha256:f7d666b569f729257082cf7ddc56262431878f602dcc2bc3980775c59439cdab" + "sha256:1a4b3869c2500b5c713e8e28341cdada49ecfcff1b10cd9006945f5bcefc090d", + "sha256:b229112b46e158b910a5d1b270b212c42773d39cab24e8db527f775b82afc041" ], - "version": "==3.0.5" + "version": "==3.0.6" }, "pillow": { "hashes": [ - "sha256:006de60d7580d81f4a1a7e9f0173dc90a932e3905cc4d47ea909bc946302311a", - "sha256:0a2e8d03787ec7ad71dc18aec9367c946ef8ef50e1e78c71f743bc3a770f9fae", - "sha256:0eeeae397e5a79dc088d8297a4c2c6f901f8fb30db47795113a4a605d0f1e5ce", - "sha256:11c5c6e9b02c9dac08af04f093eb5a2f84857df70a7d4a6a6ad461aca803fb9e", - "sha256:2fb113757a369a6cdb189f8df3226e995acfed0a8919a72416626af1a0a71140", - "sha256:4b0ef2470c4979e345e4e0cc1bbac65fda11d0d7b789dbac035e4c6ce3f98adb", - "sha256:59e903ca800c8cfd1ebe482349ec7c35687b95e98cefae213e271c8c7fffa021", - "sha256:5abd653a23c35d980b332bc0431d39663b1709d64142e3652890df4c9b6970f6", - "sha256:5f9403af9c790cc18411ea398a6950ee2def2a830ad0cfe6dc9122e6d528b302", - "sha256:6b4a8fd632b4ebee28282a9fef4c341835a1aa8671e2770b6f89adc8e8c2703c", - "sha256:6c1aca8231625115104a06e4389fcd9ec88f0c9befbabd80dc206c35561be271", - "sha256:795e91a60f291e75de2e20e6bdd67770f793c8605b553cb6e4387ce0cb302e09", - "sha256:7ba0ba61252ab23052e642abdb17fd08fdcfdbbf3b74c969a30c58ac1ade7cd3", - "sha256:7c9401e68730d6c4245b8e361d3d13e1035cbc94db86b49dc7da8bec235d0015", - "sha256:81f812d8f5e8a09b246515fac141e9d10113229bc33ea073fec11403b016bcf3", - "sha256:895d54c0ddc78a478c80f9c438579ac15f3e27bf442c2a9aa74d41d0e4d12544", - "sha256:8de332053707c80963b589b22f8e0229f1be1f3ca862a932c1bcd48dafb18dd8", - "sha256:92c882b70a40c79de9f5294dc99390671e07fc0b0113d472cbea3fde15db1792", - "sha256:95edb1ed513e68bddc2aee3de66ceaf743590bf16c023fb9977adc4be15bd3f0", - "sha256:b63d4ff734263ae4ce6593798bcfee6dbfb00523c82753a3a03cbc05555a9cc3", - 
"sha256:bd7bf289e05470b1bc74889d1466d9ad4a56d201f24397557b6f65c24a6844b8", - "sha256:cc3ea6b23954da84dbee8025c616040d9aa5eaf34ea6895a0a762ee9d3e12e11", - "sha256:cc9ec588c6ef3a1325fa032ec14d97b7309db493782ea8c304666fb10c3bd9a7", - "sha256:d3d07c86d4efa1facdf32aa878bd508c0dc4f87c48125cc16b937baa4e5b5e11", - "sha256:d8a96747df78cda35980905bf26e72960cba6d355ace4780d4bdde3b217cdf1e", - "sha256:e38d58d9138ef972fceb7aeec4be02e3f01d383723965bfcef14d174c8ccd039", - "sha256:eb472586374dc66b31e36e14720747595c2b265ae962987261f044e5cce644b5", - "sha256:fbd922f702582cb0d71ef94442bfca57624352622d75e3be7a1e7e9360b07e72" + "sha256:165c88bc9d8dba670110c689e3cc5c71dbe4bfb984ffa7cbebf1fac9554071d6", + "sha256:1d208e670abfeb41b6143537a681299ef86e92d2a3dac299d3cd6830d5c7bded", + "sha256:22d070ca2e60c99929ef274cfced04294d2368193e935c5d6febfd8b601bf865", + "sha256:2353834b2c49b95e1313fb34edf18fca4d57446675d05298bb694bca4b194174", + "sha256:39725acf2d2e9c17356e6835dccebe7a697db55f25a09207e38b835d5e1bc032", + "sha256:3de6b2ee4f78c6b3d89d184ade5d8fa68af0848f9b6b6da2b9ab7943ec46971a", + "sha256:47c0d93ee9c8b181f353dbead6530b26980fe4f5485aa18be8f1fd3c3cbc685e", + "sha256:5e2fe3bb2363b862671eba632537cd3a823847db4d98be95690b7e382f3d6378", + "sha256:604815c55fd92e735f9738f65dabf4edc3e79f88541c221d292faec1904a4b17", + "sha256:6c5275bd82711cd3dcd0af8ce0bb99113ae8911fc2952805f1d012de7d600a4c", + "sha256:731ca5aabe9085160cf68b2dbef95fc1991015bc0a3a6ea46a371ab88f3d0913", + "sha256:7612520e5e1a371d77e1d1ca3a3ee6227eef00d0a9cddb4ef7ecb0b7396eddf7", + "sha256:7916cbc94f1c6b1301ac04510d0881b9e9feb20ae34094d3615a8a7c3db0dcc0", + "sha256:81c3fa9a75d9f1afafdb916d5995633f319db09bd773cb56b8e39f1e98d90820", + "sha256:887668e792b7edbfb1d3c9d8b5d8c859269a0f0eba4dda562adb95500f60dbba", + "sha256:93a473b53cc6e0b3ce6bf51b1b95b7b1e7e6084be3a07e40f79b42e83503fbf2", + "sha256:96d4dc103d1a0fa6d47c6c55a47de5f5dafd5ef0114fa10c85a1fd8e0216284b", + "sha256:a3d3e086474ef12ef13d42e5f9b7bbf09d39cf6bd4940f982263d6954b13f6a9", 
+ "sha256:b02a0b9f332086657852b1f7cb380f6a42403a6d9c42a4c34a561aa4530d5234", + "sha256:b09e10ec453de97f9a23a5aa5e30b334195e8d2ddd1ce76cc32e52ba63c8b31d", + "sha256:b6f00ad5ebe846cc91763b1d0c6d30a8042e02b2316e27b05de04fa6ec831ec5", + "sha256:bba80df38cfc17f490ec651c73bb37cd896bc2400cfba27d078c2135223c1206", + "sha256:c3d911614b008e8a576b8e5303e3db29224b455d3d66d1b2848ba6ca83f9ece9", + "sha256:ca20739e303254287138234485579b28cb0d524401f83d5129b5ff9d606cb0a8", + "sha256:cb192176b477d49b0a327b2a5a4979552b7a58cd42037034316b8018ac3ebb59", + "sha256:cdbbe7dff4a677fb555a54f9bc0450f2a21a93c5ba2b44e09e54fcb72d2bd13d", + "sha256:cf6e33d92b1526190a1de904df21663c46a456758c0424e4f947ae9aa6088bf7", + "sha256:d355502dce85ade85a2511b40b4c61a128902f246504f7de29bbeec1ae27933a", + "sha256:d673c4990acd016229a5c1c4ee8a9e6d8f481b27ade5fc3d95938697fa443ce0", + "sha256:dc577f4cfdda354db3ae37a572428a90ffdbe4e51eda7849bf442fb803f09c9b", + "sha256:dd9eef866c70d2cbbea1ae58134eaffda0d4bfea403025f4db6859724b18ab3d", + "sha256:f50e7a98b0453f39000619d845be8b06e611e56ee6e8186f7f60c3b1e2f0feae" ], "index": "pypi", - "version": "==8.0.1" + "version": "==8.1.0" }, "psutil": { "hashes": [ - "sha256:01bc82813fbc3ea304914581954979e637bcc7084e59ac904d870d6eb8bb2bc7", - "sha256:1cd6a0c9fb35ece2ccf2d1dd733c1e165b342604c67454fd56a4c12e0a106787", - "sha256:2cb55ef9591b03ef0104bedf67cc4edb38a3edf015cf8cf24007b99cb8497542", - "sha256:56c85120fa173a5d2ad1d15a0c6e0ae62b388bfb956bb036ac231fbdaf9e4c22", - "sha256:5d9106ff5ec2712e2f659ebbd112967f44e7d33f40ba40530c485cc5904360b8", - "sha256:6a3e1fd2800ca45083d976b5478a2402dd62afdfb719b30ca46cd28bb25a2eb4", - "sha256:ade6af32eb80a536eff162d799e31b7ef92ddcda707c27bbd077238065018df4", - "sha256:af73f7bcebdc538eda9cc81d19db1db7bf26f103f91081d780bbacfcb620dee2", - "sha256:e02c31b2990dcd2431f4524b93491941df39f99619b0d312dfe1d4d530b08b4b", - "sha256:fa38ac15dbf161ab1e941ff4ce39abd64b53fec5ddf60c23290daed2bc7d1157", - 
"sha256:fbcac492cb082fa38d88587d75feb90785d05d7e12d4565cbf1ecc727aff71b7" + "sha256:0066a82f7b1b37d334e68697faba68e5ad5e858279fd6351c8ca6024e8d6ba64", + "sha256:02b8292609b1f7fcb34173b25e48d0da8667bc85f81d7476584d889c6e0f2131", + "sha256:0ae6f386d8d297177fd288be6e8d1afc05966878704dad9847719650e44fc49c", + "sha256:0c9ccb99ab76025f2f0bbecf341d4656e9c1351db8cc8a03ccd62e318ab4b5c6", + "sha256:0dd4465a039d343925cdc29023bb6960ccf4e74a65ad53e768403746a9207023", + "sha256:12d844996d6c2b1d3881cfa6fa201fd635971869a9da945cf6756105af73d2df", + "sha256:1bff0d07e76114ec24ee32e7f7f8d0c4b0514b3fae93e3d2aaafd65d22502394", + "sha256:245b5509968ac0bd179287d91210cd3f37add77dad385ef238b275bad35fa1c4", + "sha256:28ff7c95293ae74bf1ca1a79e8805fcde005c18a122ca983abf676ea3466362b", + "sha256:36b3b6c9e2a34b7d7fbae330a85bf72c30b1c827a4366a07443fc4b6270449e2", + "sha256:52de075468cd394ac98c66f9ca33b2f54ae1d9bff1ef6b67a212ee8f639ec06d", + "sha256:5da29e394bdedd9144c7331192e20c1f79283fb03b06e6abd3a8ae45ffecee65", + "sha256:61f05864b42fedc0771d6d8e49c35f07efd209ade09a5afe6a5059e7bb7bf83d", + "sha256:6223d07a1ae93f86451d0198a0c361032c4c93ebd4bf6d25e2fb3edfad9571ef", + "sha256:6323d5d845c2785efb20aded4726636546b26d3b577aded22492908f7c1bdda7", + "sha256:6ffe81843131ee0ffa02c317186ed1e759a145267d54fdef1bc4ea5f5931ab60", + "sha256:74f2d0be88db96ada78756cb3a3e1b107ce8ab79f65aa885f76d7664e56928f6", + "sha256:74fb2557d1430fff18ff0d72613c5ca30c45cdbfcddd6a5773e9fc1fe9364be8", + "sha256:90d4091c2d30ddd0a03e0b97e6a33a48628469b99585e2ad6bf21f17423b112b", + "sha256:90f31c34d25b1b3ed6c40cdd34ff122b1887a825297c017e4cbd6796dd8b672d", + "sha256:99de3e8739258b3c3e8669cb9757c9a861b2a25ad0955f8e53ac662d66de61ac", + "sha256:c6a5fd10ce6b6344e616cf01cc5b849fa8103fbb5ba507b6b2dee4c11e84c935", + "sha256:ce8b867423291cb65cfc6d9c4955ee9bfc1e21fe03bb50e177f2b957f1c2469d", + "sha256:d225cd8319aa1d3c85bf195c4e07d17d3cd68636b8fc97e6cf198f782f99af28", + "sha256:ea313bb02e5e25224e518e4352af4bf5e062755160f77e4b1767dd5ccb65f876", 
+ "sha256:ea372bcc129394485824ae3e3ddabe67dc0b118d262c568b4d2602a7070afdb0", + "sha256:f4634b033faf0d968bb9220dd1c793b897ab7f1189956e1aa9eae752527127d3", + "sha256:fcc01e900c1d7bee2a37e5d6e4f9194760a93597c97fee89c4ae51701de03563" ], "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==5.7.3" + "version": "==5.8.0" }, "psycopg2": { "hashes": [ 
@@ -443,28 +468,37 @@ }, "pytz": { "hashes": [ - "sha256:3e6b7dd2d1e0a59084bcee14a17af60c5c562cdc16d828e8eba2e683d3a7e268", - "sha256:5c55e189b682d420be27c6995ba6edce0c0a77dd67bfbe2ae6607134d5851ffd" + "sha256:83a4a90894bf38e243cf052c8b58f381bfe9a7a483f6a9cab140bc7f702ac4da", + "sha256:eb10ce3e7736052ed3623d49975ce333bcd712c7bb19a58b9e2089d4057d0798" ], - "version": "==2020.4" + "version": "==2021.1" }, "pyyaml": { "hashes": [ - "sha256:06a0d7ba600ce0b2d2fe2e78453a470b5a6e000a985dd4a4e54e436cc36b0e97", - "sha256:d13155f591e6fcc1ec3b30685d50bf0711574e2c0dfffd7644babf8b5102ca1a", - "sha256:7739fc0fa8205b3ee8808aea45e968bc90082c10aef6ea95e855e10abf4a37b2", - "sha256:69f00dca373f240f842b2931fb2c7e14ddbacd1397d57157a9b005a6a9942648", - "sha256:ad9c67312c84def58f3c04504727ca879cb0013b2517c85a9a253f0cb6380c0a", - "sha256:6034f55dab5fea9e53f436aa68fa3ace2634918e8b5994d82f3621c04ff5ed2e", - "sha256:73f099454b799e05e5ab51423c7bcf361c58d3206fa7b0d555426b1f4d9a3eaf", - "sha256:74809a57b329d6cc0fdccee6318f44b9b8649961fa73144a98735b0aaf029f1f", - "sha256:95f71d2af0ff4227885f7a6605c37fd53d3a106fcab511b8860ecca9fcf400ee", - "sha256:240097ff019d7c70a4922b6869d8a86407758333f02203e0fc6ff79c5dcede76", - "sha256:b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d", - "sha256:cc8955cfbfc7a115fa81d85284ee61147059a753344bc51098f3ccd69b0d7e0c", - "sha256:4f4b913ca1a7319b33cfb1369e91e50354d6f07a135f3b901aca02aa95940bd2" + "sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf", + "sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696", + "sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393", + "sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77", + "sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922", + "sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5", + "sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8", + 
"sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10", + "sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc", + "sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018", + "sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e", + "sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253", + "sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183", + "sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb", + "sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185", + "sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db", + "sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46", + "sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b", + "sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63", + "sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df", + "sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc" ], - "version": "==5.3.1" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'", + "version": "==5.4.1" }, "rcssmin": { "hashes": [ @@ -482,11 +516,11 @@ }, "requests": { "hashes": [ - "sha256:7f1a0b932f4a60a1a65caa4263921bb7d9ee911957e0ae4a23a6dd08185ad5f8", - "sha256:e786fa28d8c9154e6a4de5d46a1d921b8749f8b74e28bde23768e5e16eece998" + "sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804", + "sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==2.25.0" + "version": "==2.25.1" }, "rjsmin": { "hashes": [ 
@@ -508,10 +542,10 @@ }, "schema": { "hashes": [ - "sha256:3a03c2e2b22e6a331ae73750ab1da46916da6ca861b16e6f073ac1d1eba43b71", - "sha256:b536f2375b49fdf56f36279addae98bd86a8afbd58b3c32ce363c464bed5fc1c" + "sha256:cf97e4cd27e203ab6bb35968532de1ed8991bce542a646f0ff1d643629a4945d", + "sha256:fbb6a52eb2d9facf292f233adcc6008cffd94343c63ccac9a1cb1f3e6de1db17" ], - "version": "==0.7.2" + "version": "==0.7.4" }, "six": { "hashes": [ 
@@ -523,55 +557,55 @@ }, "soupsieve": { "hashes": [ - "sha256:4bb21a6ee4707bf43b61230e80740e71bfe56e55d1f1f50924b087bb2975c851", - "sha256:6dc52924dc0bc710a5d16794e6b3480b2c7c08b07729505feab2b2c16661ff6e" + "sha256:407fa1e8eb3458d1b5614df51d9651a1180ea5fedf07feb46e45d7e25e6d6cdd", + "sha256:d3a5ea5b350423f47d07639f74475afedad48cf41c0ad7a82ca13a3928af34f6" ], - "markers": "python_version >= '3.5'", - "version": "==2.1" + "markers": "python_version >= '3.6'", + "version": "==2.2" }, "sqlalchemy": { "hashes": [ - "sha256:009e8388d4d551a2107632921320886650b46332f61dc935e70c8bcf37d8e0d6", - "sha256:0157c269701d88f5faf1fa0e4560e4d814f210c01a5b55df3cab95e9346a8bcc", - "sha256:0a92745bb1ebbcb3985ed7bda379b94627f0edbc6c82e9e4bac4fb5647ae609a", - "sha256:0cca1844ba870e81c03633a99aa3dc62256fb96323431a5dec7d4e503c26372d", - "sha256:166917a729b9226decff29416f212c516227c2eb8a9c9f920d69ced24e30109f", - "sha256:1f5f369202912be72fdf9a8f25067a5ece31a2b38507bb869306f173336348da", - "sha256:2909dffe5c9a615b7e6c92d1ac2d31e3026dc436440a4f750f4749d114d88ceb", - "sha256:2b5dafed97f778e9901b79cc01b88d39c605e0545b4541f2551a2fd785adc15b", - "sha256:2e9bd5b23bba8ae8ce4219c9333974ff5e103c857d9ff0e4b73dc4cb244c7d86", - "sha256:3aa6d45e149a16aa1f0c46816397e12313d5e37f22205c26e06975e150ffcf2a", - "sha256:4bdbdb8ca577c6c366d15791747c1de6ab14529115a2eb52774240c412a7b403", - "sha256:53fd857c6c8ffc0aa6a5a3a2619f6a74247e42ec9e46b836a8ffa4abe7aab327", - "sha256:5cdfe54c1e37279dc70d92815464b77cd8ee30725adc9350f06074f91dbfeed2", - "sha256:5d92c18458a4aa27497a986038d5d797b5279268a2de303cd00910658e8d149c", - "sha256:632b32183c0cb0053194a4085c304bc2320e5299f77e3024556fa2aa395c2a8b", - "sha256:7c735c7a6db8ee9554a3935e741cf288f7dcbe8706320251eb38c412e6a4281d", - "sha256:7cd40cb4bc50d9e87b3540b23df6e6b24821ba7e1f305c1492b0806c33dbdbec", - "sha256:84f0ac4a09971536b38cc5d515d6add7926a7e13baa25135a1dbb6afa351a376", - "sha256:8dcbf377529a9af167cbfc5b8acec0fadd7c2357fc282a1494c222d3abfc9629", - 
"sha256:950f0e17ffba7a7ceb0dd056567bc5ade22a11a75920b0e8298865dc28c0eff6", - "sha256:9e379674728f43a0cd95c423ac0e95262500f9bfd81d33b999daa8ea1756d162", - "sha256:b15002b9788ffe84e42baffc334739d3b68008a973d65fad0a410ca5d0531980", - "sha256:b6f036ecc017ec2e2cc2a40615b41850dc7aaaea6a932628c0afc73ab98ba3fb", - "sha256:bad73f9888d30f9e1d57ac8829f8a12091bdee4949b91db279569774a866a18e", - "sha256:bbc58fca72ce45a64bb02b87f73df58e29848b693869e58bd890b2ddbb42d83b", - "sha256:bca4d367a725694dae3dfdc86cf1d1622b9f414e70bd19651f5ac4fb3aa96d61", - "sha256:be41d5de7a8e241864189b7530ca4aaf56a5204332caa70555c2d96379e18079", - "sha256:bf53d8dddfc3e53a5bda65f7f4aa40fae306843641e3e8e701c18a5609471edf", - "sha256:c092fe282de83d48e64d306b4bce03114859cdbfe19bf8a978a78a0d44ddadb1", - "sha256:c3ab23ee9674336654bf9cac30eb75ac6acb9150dc4b1391bec533a7a4126471", - "sha256:ce64a44c867d128ab8e675f587aae7f61bd2db836a3c4ba522d884cd7c298a77", - "sha256:d05cef4a164b44ffda58200efcb22355350979e000828479971ebca49b82ddb1", - "sha256:d2f25c7f410338d31666d7ddedfa67570900e248b940d186b48461bd4e5569a1", - "sha256:d3b709d64b5cf064972b3763b47139e4a0dc4ae28a36437757f7663f67b99710", - "sha256:e32e3455db14602b6117f0f422f46bc297a3853ae2c322ecd1e2c4c04daf6ed5", - "sha256:ed53209b5f0f383acb49a927179fa51a6e2259878e164273ebc6815f3a752465", - "sha256:f605f348f4e6a2ba00acb3399c71d213b92f27f2383fc4abebf7a37368c12142", - "sha256:fcdb3755a7c355bc29df1b5e6fb8226d5c8b90551d202d69d0076a8a5649d68b" + "sha256:040bdfc1d76a9074717a3f43455685f781c581f94472b010cd6c4754754e1862", + "sha256:1fe5d8d39118c2b018c215c37b73fd6893c3e1d4895be745ca8ff6eb83333ed3", + "sha256:23927c3981d1ec6b4ea71eb99d28424b874d9c696a21e5fbd9fa322718be3708", + "sha256:24f9569e82a009a09ce2d263559acb3466eba2617203170e4a0af91e75b4f075", + "sha256:2578dbdbe4dbb0e5126fb37ffcd9793a25dcad769a95f171a2161030bea850ff", + "sha256:269990b3ab53cb035d662dcde51df0943c1417bdab707dc4a7e4114a710504b4", + "sha256:29cccc9606750fe10c5d0e8bd847f17a97f3850b8682aef1f56f5d5e1a5a64b1", 
+ "sha256:37b83bf81b4b85dda273aaaed5f35ea20ad80606f672d94d2218afc565fb0173", + "sha256:63677d0c08524af4c5893c18dbe42141de7178001360b3de0b86217502ed3601", + "sha256:639940bbe1108ac667dcffc79925db2966826c270112e9159439ab6bb14f8d80", + "sha256:6a939a868fdaa4b504e8b9d4a61f21aac11e3fecc8a8214455e144939e3d2aea", + "sha256:6b8b8c80c7f384f06825612dd078e4a31f0185e8f1f6b8c19e188ff246334205", + "sha256:6c9e6cc9237de5660bcddea63f332428bb83c8e2015c26777281f7ffbd2efb84", + "sha256:6ec1044908414013ebfe363450c22f14698803ce97fbb47e53284d55c5165848", + "sha256:6fca33672578666f657c131552c4ef8979c1606e494f78cd5199742dfb26918b", + "sha256:751934967f5336a3e26fc5993ccad1e4fee982029f9317eb6153bc0bc3d2d2da", + "sha256:8be835aac18ec85351385e17b8665bd4d63083a7160a017bef3d640e8e65cadb", + "sha256:927ce09e49bff3104459e1451ce82983b0a3062437a07d883a4c66f0b344c9b5", + "sha256:94208867f34e60f54a33a37f1c117251be91a47e3bfdb9ab8a7847f20886ad06", + "sha256:94f667d86be82dd4cb17d08de0c3622e77ca865320e0b95eae6153faa7b4ecaf", + "sha256:9e9c25522933e569e8b53ccc644dc993cab87e922fb7e142894653880fdd419d", + "sha256:a0e306e9bb76fd93b29ae3a5155298e4c1b504c7cbc620c09c20858d32d16234", + "sha256:a8bfc1e1afe523e94974132d7230b82ca7fa2511aedde1f537ec54db0399541a", + "sha256:ac2244e64485c3778f012951fdc869969a736cd61375fde6096d08850d8be729", + "sha256:b4b0e44d586cd64b65b507fa116a3814a1a53d55dce4836d7c1a6eb2823ff8d1", + "sha256:baeb451ee23e264de3f577fee5283c73d9bbaa8cb921d0305c0bbf700094b65b", + "sha256:c7dc052432cd5d060d7437e217dd33c97025287f99a69a50e2dc1478dd610d64", + "sha256:d1a85dfc5dee741bf49cb9b6b6b8d2725a268e4992507cf151cba26b17d97c37", + "sha256:d90010304abb4102123d10cbad2cdf2c25a9f2e66a50974199b24b468509bad5", + "sha256:ddfb511e76d016c3a160910642d57f4587dc542ce5ee823b0d415134790eeeb9", + "sha256:e273367f4076bd7b9a8dc2e771978ef2bfd6b82526e80775a7db52bff8ca01dd", + "sha256:e5bb3463df697279e5459a7316ad5a60b04b0107f9392e88674d0ece70e9cf70", + 
"sha256:e8a1750b44ad6422ace82bf3466638f1aa0862dbb9689690d5f2f48cce3476c8", + "sha256:eab063a70cca4a587c28824e18be41d8ecc4457f8f15b2933584c6c6cccd30f0", + "sha256:ecce8c021894a77d89808222b1ff9687ad84db54d18e4bd0500ca766737faaf6", + "sha256:f4d972139d5000105fcda9539a76452039434013570d6059993120dc2a65e447", + "sha256:fd3b96f8c705af8e938eaa99cbd8fd1450f632d38cad55e7367c33b263bf98ec", + "sha256:fdd2ed7395df8ac2dbb10cefc44737b66c6a5cd7755c92524733d7a443e5b7e2" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==1.3.20" + "version": "==1.3.23" }, "sqlalchemy-utils": { "hashes": [ @@ -612,28 +646,21 @@ "markers": "python_version >= '3.6'", "version": "==3.0.0" }, - "unidecode": { - "hashes": [ - "sha256:1d7a042116536098d05d599ef2b8616759f02985c85b4fef50c78a5aaf10822a", - "sha256:2b6aab710c2a1647e928e36d69c21e76b453cd455f4e2621000e54b2a9b8cce8" - ], - "version": "==1.1.1" - }, "urllib3": { "hashes": [ - "sha256:19188f96923873c92ccb987120ec4acaa12f0461fa9ce5d3d0772bc965a39e08", - "sha256:d8ff90d979214d7b4f8ce956e80f4028fc6860e4431f731ea4a8c08f23f99473" + "sha256:1b465e494e3e0d8939b50680403e3aedaa2bc434b7d5af64dfd3c958d7f5ae80", + "sha256:de3eedaad74a2683334e282005cd8d7f22f4d55fa690a2a1020a416cb0a47e73" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' and python_version < '4'", - "version": "==1.26.2" + "version": "==1.26.3" }, "wagtail": { "hashes": [ - "sha256:2d153a61fc7cdff2ef71392301661b6a35a09e66758490ac346410b548e3368a", - "sha256:825c143b8acdadc4b85c7880dbd1cfaa35397c42bdbf7965baaf6b2fdd78f913" + "sha256:4ca8216ee434bdca8af35dabe55ba10f449723f00f94794bd832c52a561f44a1", + "sha256:dcf058fe72622b0598c4bd9e2a82611e338c5f3b671ee096b88b88d3be00248d" ], "index": "pypi", - "version": "==2.11.3" + "version": "==2.12.2" }, "webencodings": { "hashes": [ 
@@ -659,10 +686,10 @@ }, "xlrd": { "hashes": [ - "sha256:546eb36cee8db40c3eaa46c351e67ffee6eeb5fa2650b71bc4c758a29a1b29b2", - "sha256:e551fb498759fa3a5384a94ccd4c3c02eb7c00ea424426e212ac0c57be9dfbde" + "sha256:6a33ee89877bd9abc1158129f6e94be74e2679636b8a205b43b85206c3f0bbdd", + "sha256:f72f148f54442c6b056bf931dbc34f986fd0c3b0b6b5a58d013c9aef274d0c88" ], - "version": "==1.2.0" + "version": "==2.0.1" }, "xlsxwriter": { "hashes": [ @@ -712,11 +739,11 @@ }, "django": { "hashes": [ - "sha256:558cb27930defd9a6042133258caf797b2d1dee233959f537e3dc475cb49bd7c", - "sha256:cf5370a4d7765a9dd6d42a7b96b53c74f9446cd38209211304b210fe0404b861" + "sha256:0eaca08f236bf502a9773e53623f766cc3ceee6453cc41e6de1c8b80f07d2364", + "sha256:c9c994f5e0a032cbd45089798b52e4080f4dea7241c58e3e0636c54146480bb4" ], "index": "pypi", - "version": "==2.2.17" + "version": "==2.2.18" }, "django-debug-toolbar": { "hashes": [ @@ -742,11 +769,11 @@ }, "packaging": { "hashes": [ - "sha256:05af3bb85d320377db281cf254ab050e1a7ebcbf5410685a9a407e18a1f81236", - "sha256:eb41423378682dadb7166144a4926e443093863024de508ca5c9737d6bc08376" + "sha256:5b327ac1320dc863dca72f4514ecc086f31186744b84a230374cc1fd776feae5", + "sha256:67714da7f7bc052e064859c05c595155bd1ee9f69f76557e21f051443c20947a" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==20.7" + "version": "==20.9" }, "pluggy": { "hashes": [ @@ -758,11 +785,11 @@ }, "py": { "hashes": [ - "sha256:366389d1db726cd2fcfc79732e75410e5fe4d31db13692115529d34069a043c2", - "sha256:9ca6883ce56b4e8da7e79ac18787889fa5206c79dcc67fb065376cd2fe03f342" + "sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3", + "sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==1.9.0" + "version": "==1.10.0" }, "pyparsing": { "hashes": [ 
@@ -774,25 +801,25 @@ }, "pytest": { "hashes": [ - "sha256:4288fed0d9153d9646bfcdf0c0428197dba1ecb27a33bb6e031d002fa88653fe", - "sha256:c0a7e94a8cdbc5422a51ccdad8e6f1024795939cc89159a0ae7f0b316ad3823e" + "sha256:9d1edf9e7d0b84d72ea3dbcdfd22b35fb543a5e8f2a60092dd578936bf63d7f9", + "sha256:b574b57423e818210672e07ca1fa90aaf194a4f63f3ab909a2c67ebb22913839" ], "index": "pypi", - "version": "==6.1.2" + "version": "==6.2.2" }, "pytest-splinter": { "hashes": [ - "sha256:b7ad35358c49ac02c497cc0a5ebe56ae6ec98c5415275aaf3abb3804e1412c91" + "sha256:16d93db719bcad19342935c1707b5c3ec7e34d9ae10df683f6fc2e9e982ddb39" ], "index": "pypi", - "version": "==3.3.0" + "version": "==3.3.1" }, "pytz": { "hashes": [ - "sha256:3e6b7dd2d1e0a59084bcee14a17af60c5c562cdc16d828e8eba2e683d3a7e268", - "sha256:5c55e189b682d420be27c6995ba6edce0c0a77dd67bfbe2ae6607134d5851ffd" + "sha256:83a4a90894bf38e243cf052c8b58f381bfe9a7a483f6a9cab140bc7f702ac4da", + "sha256:eb10ce3e7736052ed3623d49975ce333bcd712c7bb19a58b9e2089d4057d0798" ], - "version": "==2020.4" + "version": "==2021.1" }, "selenium": { "hashes": [ 
@@ -834,27 +861,27 @@ }, "tox": { "hashes": [ - "sha256:42ce19ce5dc2f6d6b1fdc5666c476e1f1e2897359b47e0aa3a5b774f335d57c2", - "sha256:4321052bfe28f9d85082341ca8e233e3ea901fdd14dab8a5d3fbd810269fbaf6" + "sha256:89afa9c59c04beb55eda789c7a65feb1a70fde117f85f1bd1c27c66758456e60", + "sha256:ed1e650cf6368bcbc4a071eeeba363c480920e0ed8a9ad1793c7caaa5ad33d49" ], "index": "pypi", - "version": "==3.20.1" + "version": "==3.22.0" }, "urllib3": { "hashes": [ - "sha256:19188f96923873c92ccb987120ec4acaa12f0461fa9ce5d3d0772bc965a39e08", - "sha256:d8ff90d979214d7b4f8ce956e80f4028fc6860e4431f731ea4a8c08f23f99473" + "sha256:1b465e494e3e0d8939b50680403e3aedaa2bc434b7d5af64dfd3c958d7f5ae80", + "sha256:de3eedaad74a2683334e282005cd8d7f22f4d55fa690a2a1020a416cb0a47e73" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' and python_version < '4'", - "version": "==1.26.2" + "version": "==1.26.3" }, "virtualenv": { "hashes": [ - "sha256:54b05fc737ea9c9ee9f8340f579e5da5b09fb64fd010ab5757eb90268616907c", - "sha256:b7a8ec323ee02fb2312f098b6b4c9de99559b462775bc8fe3627a73706603c1b" + "sha256:147b43894e51dd6bba882cf9c282447f780e2251cd35172403745fc381a0a80d", + "sha256:2be72df684b74df0ea47679a7df93fd0e04e72520022c57b479d8f881485dbe3" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==20.2.2" + "version": "==20.4.2" } } } diff --git a/README.md b/README.md index d1b33c5..1777ae5 100644 --- a/README.md +++ b/README.md 
@@ -98,25 +98,25 @@ ansible-galaxy install \ To check that the scripts and roles are correctly installed, use this command to do a "dry run": ``` -ansible-playbook ansible/*.yaml -i ansible/inventories/production --list-tasks +ansible-playbook ansible/*.yaml -i ansible/inventories/lagoon --list-tasks ``` If you only want to run a certain set of actions, subset the tags which you see in the output above. For example, to only update the NGINX configuration: ``` -ansible-playbook ansible/web.yaml -i ansible/inventories/production --tags "nginx_template_config" +ansible-playbook ansible/web.yaml -i ansible/inventories/lagoon --tags "nginx_template_config" ``` To do production deployments, you need to obtain SSH and vault keys from your system administrator (who has followed the Ansible guide to set up a vault..), and place these in a `.keys` folder. To deploy a site: ``` -ansible-playbook ansible/*.yaml -i ansible/inventories/production +ansible-playbook ansible/*.yaml -i ansible/inventories/lagoon ``` For an update release with a specific version (tag or branch), use (the `-v` parameter showing output of commands): ``` -ansible-playbook ansible/site.yaml -i ansible/inventories/production --tags release -v -e gitversion= +ansible-playbook ansible/site.yaml -i ansible/inventories/lagoon --tags release -v -e gitversion= ``` You can also use the `gitrepo` parameter to use a different fork of the source code. 
@@ -136,7 +136,7 @@ The typical order of deployment is: For further deployment and system maintenance we have a `Makefile` which automates Docker Compose tasks. This should be converted to use [Ansible Container](http://docs.ansible.com/ansible-container/getting_started.html). In the meantime, start a release with Ansible, then complete it using `make`, i.e.: ``` -ansible-playbook -i ansible/inventories/production --tags release ansible/wagtail.yaml +ansible-playbook -i ansible/inventories/lagoon --tags release ansible/wagtail.yaml ssh -i .keys/ansible.pem ansible@ "cd && make release" ``` diff --git a/ansible/inventories/carbon/files/cloudflare.key b/ansible/inventories/carbon/files/cloudflare.key new file mode 100644 index 0000000..6ee5e14 --- /dev/null +++ b/ansible/inventories/carbon/files/cloudflare.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCX+OAurxr0r4KC +l6nyf/xZGEu3G/LZEWiFYhYTHZZAVyeUtYBzjGiLiswbtnsFu4bDutvfX3OSynWd +TMBwc0sj8PO0+cJ5Bd9VGA2+PdEHpVWSXfc1c3a4s7C8xwrpxBfsxe3WtQ+lEfI2 +y8h+zVES0af2KDbg/xuipTnsIHRWt1mF7uRw/3R9vYXF44HQbE9c+NOv6knY3sax +xdTq7gKifM1JNIjocEo/r7kgTLW/S5fGbZaffjWopZeXwehXMvK2RR43awkOMg4w +xjhzO6wqC3Wlo9WQ7s3TfcZNE39ipa+lCo/eVzTphYm2gKW/MCG506lR7/s2mudw +p/gAyM5tAgMBAAECggEAA3qMGyrL9FTo07dytEfaDWoLyvsQod0O+5qlWbZVgE8z +wJOFB2AWlox3Tp0XOigy61u6zmVUyRk+/E+g9LysOCblqpCwXcJ/fGcADYjvC3yX +4FwBSCUb+cS3OM2vl26d2OrQ88ISQ8Y3jqnh2DE3+Ap6N0gatXzGyQAnkBr6vsS2 +TTEud/nQsaznD4rUaNcfDFHs8IbYGiDUleFuhsZTj44tUg9whIpDCKba4IAAdU5k +cyvWktd2XGlSuKUZsYuNrcydKZqhjleZq88/VccHtjP8O9L4+63BLost+VcznI3Y +vVT9eqhQwIZYIVsI0tj5X4EWXEyPDsluM/P5GnopMQKBgQDHppcwWhYsB80Jf4FO +TZAxvASMbMlxCdn3jhXt6mmucssqpiu9jQywnYFdEKGG5id40Cq4aJqZFo4534Og +0gTTWsYAJ94dpYDHrC/iqT9WOB8HQVO6UVVzfZu2L25EUQkW9dqEIGufeHtVdK6N +hm0ak1HfnoYhh7wVth+GuK4ICQKBgQDC3VrGsRJLeiHZAL/lIFzGUvG7MnEWE259 +Kf+GfnOa4hDDnd7bzK4L+3Ll8Nvo+Og1VZqnJlvMX6IqVO2lv/RgfBGYuCD1I/Og +b6sZ2+X0S3OYUYGn1hkiiidB8QUALh30Q2JrTs6IPl6XZdPiX8LKi7U0UXJvgnm9 +nLJMZtyERQKBgQC5yiopobu+T6gbbZ8r+fv0fE4TS20OFyfSOlPn6dtcrpCn6KkN +pMOpW3k13LMj8OvMfpMyto0fZyEFdB1uu+InuPJG1NLa7dfweCi7mdpJ5sHhI4bB +/MwzRDFyEaNgSbTWvAUULYNZjGnhdUq2guDm+S8YlNGnREPgRHIEEbpJ2QKBgENK +OvmX1fB4aU3NQ3a02TSnGdCB16k+5o2UPifMbNFUNWPHlVijcoqytveOV/I4Wb9p +IzGLPnHxqEcj8rik85eJ4G2zT7Y3Rv7k8NnKJLtafr1fj/1MInvZ5zqPJyHryu45 +grf5i7pihzmSsTtfxB07Z0R8x56YGMAQZ0WY05ddAoGACVilm2mfLenQDT8bUvor +++zrdk2zdvDRLgYiWu/+O7UhJF8P0ozCYmqeTsgcjKuqgqyfuBNwTKmUeaPbvmxr +CM+gKBmuinQNNF3OjkoRv77fMkMS1+uUZ03iPjIgLz6J4cobdKRvcjVxLfPgyrJp +n0R2KghPhNb9l/XIgqeJNGw= +-----END PRIVATE KEY----- diff --git a/ansible/inventories/carbon/files/cloudflare.pem b/ansible/inventories/carbon/files/cloudflare.pem new file mode 100644 index 0000000..d482ffe --- /dev/null +++ b/ansible/inventories/carbon/files/cloudflare.pem 
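Review bot: The carbon origin private key added in this hunk (`ansible/inventories/carbon/files/cloudflare.key`) is committed as an unencrypted PEM `-----BEGIN PRIVATE KEY-----` block, whereas the `nations` inventory's `cloudflare.key` in the same commit is an `$ANSIBLE_VAULT;1.1;AES256` blob and `carbon`'s own `group_vars/webservers/vault.yaml` and `webservers` are vault-encrypted too. Once this is pushed the key stays recoverable from repository history regardless of later fixes, so it should be treated as exposed: re-issue the Cloudflare origin certificate/key pair and revoke this one, then commit the replacement only after `ansible-vault encrypt ansible/inventories/carbon/files/cloudflare.key`, matching the nations inventory. The role that consumes these files presumably copies them to the host unchanged, so the same vault password path used for `vault.yaml` should work without playbook changes; worth confirming against the deploy role. The `lagoon` key that this commit renames from `ansible/files/cloudflare.key` is not visible here and should be checked for the same condition. The companion `cloudflare.pem` in the next hunk is a certificate, i.e. public material, and does not need the same treatment.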
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIFADCCA+igAwIBAgIUK7EkF7xtZ1tTux+Q2ygKgP5cAScwDQYJKoZIhvcNAQEL +BQAwgYsxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTQw +MgYDVQQLEytDbG91ZEZsYXJlIE9yaWdpbiBTU0wgQ2VydGlmaWNhdGUgQXV0aG9y +aXR5MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlh +MB4XDTE5MTAxNzE1MzAwMFoXDTM0MTAxMzE1MzAwMFowYjEZMBcGA1UEChMQQ2xv +dWRGbGFyZSwgSW5jLjEdMBsGA1UECxMUQ2xvdWRGbGFyZSBPcmlnaW4gQ0ExJjAk +BgNVBAMTHUNsb3VkRmxhcmUgT3JpZ2luIENlcnRpZmljYXRlMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl/jgLq8a9K+Cgpep8n/8WRhLtxvy2RFohWIW +Ex2WQFcnlLWAc4xoi4rMG7Z7BbuGw7rb319zksp1nUzAcHNLI/DztPnCeQXfVRgN +vj3RB6VVkl33NXN2uLOwvMcK6cQX7MXt1rUPpRHyNsvIfs1REtGn9ig24P8boqU5 +7CB0VrdZhe7kcP90fb2FxeOB0GxPXPjTr+pJ2N7GscXU6u4ConzNSTSI6HBKP6+5 +IEy1v0uXxm2Wn341qKWXl8HoVzLytkUeN2sJDjIOMMY4czusKgt1paPVkO7N033G +TRN/YqWvpQqP3lc06YWJtoClvzAhudOpUe/7NprncKf4AMjObQIDAQABo4IBgjCC +AX4wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD +ATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQqrDW0atPbYUVW62/oonVTxNlU3TAf +BgNVHSMEGDAWgBQk6FNXXXw0QIep65TbuuEWePwppDBABggrBgEFBQcBAQQ0MDIw +MAYIKwYBBQUHMAGGJGh0dHA6Ly9vY3NwLmNsb3VkZmxhcmUuY29tL29yaWdpbl9j +YTCBggYDVR0RBHsweYISKi5wdWJsaWMtaGVhbHRoLmNoggkqLnNwaGMuY2iCFmdl +c3VuZGhlaXRzbWFuaWZlc3QuY2iCEW1hbmlmZXN0ZXNhbnRlLmNoghJuZ28tYWxs +aWFuei1lYmsuY2iCEHB1YmxpYy1oZWFsdGguY2iCB3NwaGMuY2gwOAYDVR0fBDEw +LzAtoCugKYYnaHR0cDovL2NybC5jbG91ZGZsYXJlLmNvbS9vcmlnaW5fY2EuY3Js +MA0GCSqGSIb3DQEBCwUAA4IBAQCnkhHew7PXdOcJduzRTtBX1oBRpAiky92RkM5/ +jweojEt3I8QIjs1m/7ZUYCQW8grmBRS75x6geKy9prmHoRcRB0Akc6QfDSRBYaK/ +AADSmShPYPFenicVDMOt9hSAYBHihmf5muPIZ/4yrK+FLPpPZibKi7ODmBzZ6Slz +NILCxV8Yz0PG7hGQru8ey0YEno2RBLIIhkzJs80X79r25mdUNVnvk98AbXwF2eyl +njNs7/eKemEe5Ia7OD9R33L/c36hr5HPTnXEfmcUqSeLq0mpoy8xWgsg7ykLUqmy +j6QT71+TT4P1WYYEXwTl0mPqD51Kn7AZCgmq8RMZ83/ocGF9 +-----END CERTIFICATE----- 
diff --git a/ansible/inventories/production/group_vars/webservers/vars.yaml b/ansible/inventories/carbon/group_vars/webservers/vars.yaml similarity index 100% rename from ansible/inventories/production/group_vars/webservers/vars.yaml rename to ansible/inventories/carbon/group_vars/webservers/vars.yaml diff --git a/ansible/inventories/carbon/group_vars/webservers/vault.yaml b/ansible/inventories/carbon/group_vars/webservers/vault.yaml new file mode 100644 index 0000000..8f4ab78 --- /dev/null +++ b/ansible/inventories/carbon/group_vars/webservers/vault.yaml @@ -0,0 +1,48 @@ +$ANSIBLE_VAULT;1.1;AES256 +32616665363039353938346565666133353839663266373534373330363932316531363932656135 +6166636334613037346432353262333738353930316362610a633337373066313236656562666531 +61636661666636636132306134393733303537363933376166363338306163633466363966343439 +3731346464663438390a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diff --git a/ansible/inventories/carbon/webservers b/ansible/inventories/carbon/webservers new file mode 100644 index 0000000..d7dc75c --- /dev/null +++ b/ansible/inventories/carbon/webservers @@ -0,0 +1,13 @@ +$ANSIBLE_VAULT;1.1;AES256 +65373566353363396261353836316461353537636561316565353137306636373330306361396438 +3435646636363566346635323838346138306239653735320a306263616264343862393065626234 +61633866336565363137353231656534356538333661663961333938336233396439333564666334 +3934373332383231380a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diff --git a/ansible/files/cloudflare.key b/ansible/inventories/lagoon/files/cloudflare.key similarity index 100% rename from ansible/files/cloudflare.key rename to ansible/inventories/lagoon/files/cloudflare.key diff --git a/ansible/files/cloudflare.pem b/ansible/inventories/lagoon/files/cloudflare.pem similarity index 100% rename from ansible/files/cloudflare.pem rename to ansible/inventories/lagoon/files/cloudflare.pem 
diff --git a/ansible/inventories/lagoon/group_vars/webservers/vars.yaml b/ansible/inventories/lagoon/group_vars/webservers/vars.yaml
new file mode 100644
index 0000000..ef08c51
--- /dev/null
+++ b/ansible/inventories/lagoon/group_vars/webservers/vars.yaml
@@ -0,0 +1,29 @@
+---
+
+django_project_name: publichealth
+
+elasticsearch_heap_size: 1g
+
+memcached_memory_allocation_mb: 256
+
+nginx_worker_processes: 2
+nginx_worker_connections: 1024
+
+domain: "{{ vault_domain }}"
+
+allowed_domains: "{{ vault_allowed_domains }}"
+
+django_email_key: "{{ vault_django_email_key }}"
+django_email_domain: "{{ vault_django_email_domain }}"
+django_email_from: "{{ vault_django_email_from }}"
+
+django_secret_key: "{{ vault_django_secret_key }}"
+
+# Default: postgres://postgres:@postgres:5432/postgres
+django_postgres_url: "{{ vault_django_postgres_url }}"
+
+# Default: http://elasticsearch:9200
+django_elasticsearch_url: "{{ vault_django_elasticsearch_url }}"
+
+# Default: redis://redis:6379
+django_redis_url: "{{ vault_django_redis_url }}"
diff --git a/ansible/inventories/production/group_vars/webservers/vault.yaml b/ansible/inventories/lagoon/group_vars/webservers/vault.yaml
similarity index 100%
rename from ansible/inventories/production/group_vars/webservers/vault.yaml
rename to ansible/inventories/lagoon/group_vars/webservers/vault.yaml
diff --git a/ansible/inventories/production/webservers b/ansible/inventories/lagoon/webservers
similarity index 100%
rename from ansible/inventories/production/webservers
rename to ansible/inventories/lagoon/webservers
diff --git a/ansible/inventories/nations/files/cloudflare.key b/ansible/inventories/nations/files/cloudflare.key
new file mode 100644
index 0000000..0948ffb
--- /dev/null
+++ b/ansible/inventories/nations/files/cloudflare.key
@@ -0,0 +1,90 @@ +$ANSIBLE_VAULT;1.1;AES256 +37396437326330653831623831646432643031303962636636353931303064636262343439383238 +3965386661613063656436346661363633613866646435630a333962393066636239643165643666 +37346330313165643263656230373633363135376535376536373961633366613339333263376230 +3164363738313339310a336235336465623835333262333866636434653066313736356138353461 +30303332303264643839393462346236316464376138653832633331303365646565343237386662 +61393166313138396334313132663165653131313532663331323237626163633764346162303564 +64343034363139326238383633353463616135366636613262356366663364616438366432343463 +61353135663234663231643865616430636466306161323336363866383838393931363134316532 +62616336346134306363643533303030343531363930346361313864323166343536366564353166 +39643762656364623765626334313663313337326537353664323464363661323665646665656634 +33313332336461663333393632383330616434626362613832663030303334326662323562646535 +34616139343436383866323362363633333632363666626561396534633734393432333363333330 +66643864383133303634333432306332623534643232353963323665623833316237316231303831 +33393431623136323239346261626430643266653262373262396530623338383232646263366361 +65316336393661626537343666373332613030633138376533373331643966616630393036343462 +34623664623339383030373666346131633836393338616462303563643038383463353462643862 +64303037343765616666663635333264363039376463623766353833623337643639343631353931 +61373361636231386334643337356664333061333834656632363762313466613661666234383133 +66333766363264373939336133303830333136336439303136326539383231323235656262363338 +66653666616634653233343032326461396361643266666565633933303532653035663130663736 +37323434393639646435386432656563363961333265353065653564343037326131333333666237 +31363461656632613931656239326132346338346264643232643165613936643863626130616631 +61663439366338383033613135306533393933353933326561386537613263616132616337353534 
+39336565656631323530303965323466636663643266373165303937336465646132663839313136 +30316330393535346265323763376639323363333734323334366234323531373763613439353035 +64383361346638653364656338623465663532383836643433323330343834313564363331323834 +61353333366465636266316264306262326263343139313631326161663165313561393162616236 +39626439656436336134346232653662373336623734666239316365303265373061343234306439 +61363236396231383265366264386236313736643962316562373962383832306231336363346537 +35613032353832383463663366396539333263616262386337353235653632633764303730313062 +32636430653136656538306630316235666331346466633834616632333139663232323464386239 +66653362303139373261656533373866646363373965323962623063313532396664393436363135 +35333333306563626239653938653732613630323464363034346638393631386531613963316338 +64303833316466333439323065323539343933303861626665396565373761333634653435376562 +65626165393937643261626266626430643962633963373839663736373332643162343332373762 +64633166653665333933393937383763313166646462356232346332363632363833373366316463 +35343536613264613230353334666630373964386165663162623533303136366338626531306533 +35623565356234653763356134376635303634353961653831666438643265313230343530393336 +65323762643034376635636234653139366439313233383539666365376130623539613732376636 +64366636346366303533656461326263376566613461633436333336346236653932386230656661 +61393533623131326164343263643666376334366134326433323630623436333132633962323837 +35303034353161363131376266336466663138633961363030356536623834353163623264626233 +37643562396232393932633536343232633334303039396163656231313462386435303839656431 +30386632336434353638386166306565643930623831393834343237373861393731353334646466 +36656237393635373039333161326134333064393863353663323261353430613064313661383064 +63316138653131343334646330643435643532386537373163666639646532663366643534343438 +33366138373230306161653061393538373664373639346261373230313133353561613236353761 
+33613333313231336661303635356531323536353836323765306533333864643834616533343161 +33396632343938333633343430393364636139626161303834383535656639376633393133643139 +61346365373465613861646631353039656465373665623535333936653135353936343035313662 +32643537303630633764656563336434313533623166323738353836666565626333326662636139 +31303630653039363065616432353334396231303430313166643532343861353262636336656238 +33643064373839376261316633646430336663356663393366303032376131333437653630663736 +30386235386261306633303538323464626464303962303133333933393164653933396430393464 +35313234356534323032323161326630313738316466386139313138653738373232386462313961 +32316464316532306330333932613537376562613761323737396537346466663037303839653430 +35363237306334386631396537306332646563386538626533323337313438393439323035363064 +37346434643966326366636238383262373231613566303462373539336333346166323138623033 +33393533396438653439663430653930343233356131393562396232393537326562616131643261 +63666237393835326635623265636434373031666639356563333436666362633363303466383366 +66343464616666383531653966636130336530623532616566333737396338386165623961636438 +36383564326661343865366230313731343232646331663464663932313663333065623965613565 +65343138376561656537313663373135633463636537633131306237363062346239343162363332 +39303365373561316465363134393635623636363839653839643866636164663932633165326662 +36303362333862306531363238643266623631643337656636373139653531616538656132646631 +64656236366235393235353865636232363239336136376430376236623537643833356163383133 +63626434393736303233656433353734303763326362363436633939333433333932663131336530 +66663936666464313135376466633364663231636531346331383739323735363132326162383830 +34386163656131326365333534306437616435303239333233356430636166643361623333636436 +34363065636335336230633565373366303666393961303066623662306461623365333431663964 +39303366343964373438316135393164383262633438633665346562626337336666646463343461 
+62386632616563643162383465656631623731616562663733356266346637343936366439623736 +61313037373834306438363430373636383466613334386165656238343038353831633139363362 +31333735306631613732363661326136663938666135626232636531616435626364633263353662 +61313239326239316130353236316434623261363565343831336339613965336664666132376637 +30313436306239633461633931306633333562396639643836663937303965353831383065653261 +61623839346438316364373634376665633831366434373135646537643735613230346564363630 +61356666323937393164643636393262373039613139663437353939383839326162346463393562 +61316365346361383266326135616638323762326661373764346437386539313466633337323939 +37653938373236333763626135313237363761623539663038303234623634343836313861653336 +61303365656633643435633061643761656339623231303065306435366535386434343635343538 +33343037626165633039663632646532386364626635306138623938656563336433636130613033 +32363233343061383065653231646439396465353337656636356166383263356665626238356139 +66636537313461393865336639626163306438623630303663633163363339323863616339336432 +61356138353363366639383764633862393234626533373736366130326334333861636537633537 +38383233313063646539613931323837373530343935623562666431633431396538383331396632 +35326266333930343236333937363030356231303061393362373536303337633964646132393862 +39393963326136666361663363653936356333663565316331663331376636303966376637343236 +64636531306635323731663334396663306262333730653335363364633839333339 diff --git a/ansible/inventories/nations/files/cloudflare.pem b/ansible/inventories/nations/files/cloudflare.pem new file mode 100644 index 0000000..0900b68 --- /dev/null +++ b/ansible/inventories/nations/files/cloudflare.pem 
@@ -0,0 +1,122 @@ +$ANSIBLE_VAULT;1.1;AES256 +36363564613066383633626239613031613162623365303031383037303365383835353462343835 +3031636161616532613464623932343761323932653831640a306336386331326363396335376231 +37363230353662383430633763396264623066636563366365633631623137626463303662396134 +6665306336636535360a313035303031303431353437363263646539386132666561653433363939 +38373463303933303133393730353831393862366232323532373635663435623638613762616537 +33343931333939626139353439343965373935616436663864363234326235363530616334636465 +34343836313761353332353232613964356363306538366633623131636264396434366666336134 +32643230333666363139313165626636306562646236663964656466643735663961303565316265 +38316436356262666334393264363966633737346635663135356633306463336437383030383264 +66653435626566303637353039373539373961643338376464626165366434363431373364313636 +38366632313532653539326138396434666434613731303662643134346535386435393531626639 +62666436636366316338313630663665623736326465336432396366356239666261373863656536 +35613138646635353362393963383665653764306137306462343063316137656137616135363663 +37373937626564343233376562623430393231376636323563353637386230323161323230396531 +64303136363562306162326664373639323866393833656266366662666434343963333038616566 +64383462306237346564323238373963363630326266626330383261626231346439373138323531 +35323430643063653638636164623334336630633661353331363831636665616666313438396334 +61386138613738653038633233653565336435393530363730613637353438363434373637373362 +65326435666264376433653865323730303664303231363963323539353532653364626562333162 +30656539336631633065346166383835633261393463623866313866343764626333313432643530 +31613666613462663662616131333531666533343661346333383539343638393336366235666437 +37313264323434326538303736666535616362613334396133313363336532343335636631646331 +38656633393863303934313466333530333737376235396233323839393030396530323862363763 
+30616561303165386331356562333164373830663531366662643463303466383765663032613166 +64313465303362316465373134663264616234346530373031643830386166653038616134353632 +64376637643534373864373030323232356430316434323765363861303462366232666136626663 +39626261396263316434366462376563326439396438373966303933643931383730373834616166 +36646134336336353334623165656361623436346465396463393530633463373930393139626365 +61306339313662643130303733613636623433646332646335306163386637626532646630623139 +37323366366231363864663132373964363837356236623162306336343631333361616635376430 +32386465376334396134626133313764326637613966626364343831636234363437333662666339 +33393331666562306264346339663965343364353938646634393432363363393131616234663237 +33363461613233643461623338396335333032316566623233633538653566336138386464656533 +37303835306234613163376362353964383935623465396362616164616233323437336566666136 +31383536656438386536333766616334633739353731303766666433323230613339653265646463 +66633161663339656433653535373865353463306135653739656330363064633563613531336365 +36646262353566336135316462666138313732333864353431383762646662346362313863613932 +62613038626661396637396366636264373537373966333938663931663532353862636561393764 +66313065393963306564393637616231386137633465306164343234373665383265326462373961 +35333766613232376234363336663865343663656631353565366461343964643265623064616562 +64656462313333376534313333646630383462343935333439623061343464316139313331663966 +30613236333239396137346361613830633738386162306633303033613938643138646465636364 +36626236396633306162623461393764643661353634303237303862666136323337333362383538 +38613866643032653565616266363637643036326465393734633239386535373038653464396563 +39623561363862393131623764366261323932643733383066373436346236326630383966383433 +35373835323436396235636337303564646433386431356165383337343334316432613065316133 +66303937626631396334323838636436393533356535346436613531376330313230623439363136 
+33333839343239353762663130623735643262363036376433373963333937326533323466383235 +61363639393835633035396634316538386463333461383334346438303134396433613665303664 +38613532383562613862333765616665643134616532373762643432663337643132663233326664 +66356530633561343862326666313264323637313239366161663031343265303833376539653430 +37643435313265306135393736396535336333373665613836633465373761373266613031633636 +65623363623134323430386632653232303461636162323466386564346565636532373438323839 +66386463333635653535623139643235383437313761363532316561343939336166383562666335 +31626561633264323766303565653566393164646638353861653838363466646639633361646536 +65656235626330333538666365383230373563373230353263666361633965396133393430323165 +30333066656231333738633264396162363063646532656265663232346135373330613566323131 +36323966373832663564383433383235356664306439323764303638623736633262623533366532 +61353938323462633637313263663238626535366234393864343533383561356532363564323963 +63663033633866366366633161383238663537303339386239373035343061613066346532333533 +32363964666235653062316164393634393337326136363235343231386633323436373762633337 +65336430366539363461363165346537346134616135346139633235366334363266336566663738 +36643331376161383532316366363766303463656137333864336163326238626138643939613237 +30323062326465306561313364323630343238393531613963353065663861363336616331643065 +39623533303861363263333461633637623164333762316665323835353334323364666466623839 +62323839326339383231346233323636663261316439653035313265326237326266393331646365 +33643639386131333063663463323534383737636563346463316433646361363338616631376431 +63653434303736366266373937626261646230653363636661613034363863343539363832366361 +34643832376662336632363533323666303530343933636234376631646536336261336566336264 +39633637343537323865356266383864303462303538373565623566316635663366626438626237 +66366438656634336364623639653736353836343739646237633734373834636530633238653132 
+38363833333937623738323935373034626464316536646435613036663938643436366566323036 +39376339666131653365376265626131626136313663306339316230303934353231343437306161 +35656634353732386337323364343431333631356664343333353963663537373431333562356330 +65636238663438653864633938636664373637313163633766613963343563366464623437323530 +61376133623531326435313737396261393130646239323239336530353466303362336136306136 +36386564633236326530643236626630313561653630616564616139623033303438363235343136 +63333164653332323630666535663237376632323339383563333639343931333536353032653761 +61616364313739663462333336306164623365383236616539386132373733613763386166373235 +30323834316532616464323539383362653161303461333465383333353465356133623862323464 +34623661653263613366623933393330313038663837363834336561306538363335613263643362 +32636665383662613835356630636537303561663532383039633163326566336631313564643936 +37633031663133343164333032386262343861653665653663323732393130636263343932666636 +35613335386237323832663832346438633764383039616138656636633565316566636335643734 +36653931633336343665353762326336376435653963386666626534636533306632646162356561 +61656336373730666663306536336461356130663866623431646330346161376634303732313461 +37656362346636343063396662636633383633306231616363396635343533346139616438306433 +62663262656430326533613864383232356564336565643733633336626466633265366132653962 +32373963386264343132623338363263383136663963623463353239386133333932316663306331 +66396265396235383630323830353962376266393933396563666434333534633931626534663865 +37363839633135646435383535663965363437363231613162393864323161663330633266363033 +38373634323733356464313461626261633136646661613833306362306339386434666362303435 +66343430363631326366383437336338636534646664383461653733353531623466373831623631 +35393934386235356138633833333265316464363064626463316139616666613664623136663731 +65656637633436643333343738613433323733636465303762623438316162356138663838343765 
+34353433353066383634643536366562633864623039383032303365323261313966646262323332 +66373235343265356639656434353865393239343965366462346435353165346333326131656565 +30613061636636353233316637313338326635643238353937323236353032386461646363633563 +30343636376338613363303964356334666439633136336530303964316563313561623034666631 +65313464306535313863663937303565323164383537336334383437343234316437643338343231 +61326365383534643931623361373339333666626463306336623464393062313762393064346634 +39643030353063396635616139666130633235636434383861333938343039373731643166313364 +64306239666639363739323137663231653761356239633236343936313939346562633530666532 +31343032623139363130633136353036646231326339623037336533353064356165303932666536 +66646537333663313034336236373037306636343632643636663634626235323038306134306564 +34656631623439636633333830623462616364653431323035393331333331396163633539393364 +38633662366631633431653864373739333039663966383765303863343036633337636636643436 +35393962333732383732663063316532393332666332623934326166393236393936646337346564 +39373935383136356362623339363432396632396534623030656333663165643363633038336465 +35653430613738306232636632356135343533306139393334333439646136353432386365633137 +63326639613166343262343037303536363230613666313932616565373932333538326633396137 +37366562383662646461633639343338333766643564376431333332326564626434666338313466 +63396137353862653835613339646532343561373261393432393632396235326466373338333762 +39313637316462333333376539623261343139386164653664636133313434353937376230303865 +38323061663833666563366133653635323466326231346637656337366333393863366332333338 +31636239633436646633623165333833343737383137303263326361346531623237323937313762 +31323261656331656362323364313231373930666639383730633234643738663330326436303334 +34373439373538323364396433613033656333346261656338646237313236303261346636636362 +62386162323163626635363039383031663738666430653964346430646532656162373933356338 
+33323631623936623236373932613133646631306566333061616538356434363165636464636235
+62643461383139633361326463306162333530363365663064353266343734353361
diff --git a/ansible/inventories/evolution/group_vars/webservers/vars.yaml b/ansible/inventories/nations/group_vars/webservers/vars.yaml
similarity index 100%
rename from ansible/inventories/evolution/group_vars/webservers/vars.yaml
rename to ansible/inventories/nations/group_vars/webservers/vars.yaml
diff --git a/ansible/inventories/evolution/group_vars/webservers/vault.yaml b/ansible/inventories/nations/group_vars/webservers/vault.yaml
similarity index 100%
rename from ansible/inventories/evolution/group_vars/webservers/vault.yaml
rename to ansible/inventories/nations/group_vars/webservers/vault.yaml
diff --git a/ansible/inventories/evolution/webservers b/ansible/inventories/nations/webservers
similarity index 100%
rename from ansible/inventories/evolution/webservers
rename to ansible/inventories/nations/webservers
diff --git a/ansible/roles/dev-sec.nginx-hardening/meta/.galaxy_install_info b/ansible/roles/dev-sec.nginx-hardening/meta/.galaxy_install_info
index 9266ae8..2388dc8 100644
--- a/ansible/roles/dev-sec.nginx-hardening/meta/.galaxy_install_info
+++ b/ansible/roles/dev-sec.nginx-hardening/meta/.galaxy_install_info
@@ -1,2 +1,2 @@
-install_date: Fri May 15 20:29:19 2020
+install_date: Thu Feb 18 15:39:21 2021
 version: 2.1.0
diff --git a/ansible/roles/dev-sec.os-hardening/.github/workflows/changelog.yml b/ansible/roles/dev-sec.os-hardening/.github/workflows/changelog.yml
deleted file mode 100644
index 99857c7..0000000
--- a/ansible/roles/dev-sec.os-hardening/.github/workflows/changelog.yml
+++ /dev/null
@@ -1,34 +0,0 @@ -name: Create Changelog - -on: - pull_request: - types: [closed] - - release: - types: [published] - - issues: - types: [closed, edited] - -jobs: - generate_changelog: - runs-on: ubuntu-latest - name: Generate changelog for master branch - steps: - - uses: actions/checkout@v1 - - - name: Generate changelog - uses: charmixer/auto-changelog-action@v1 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - - name: push - uses: github-actions-x/commit@v2.6 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - push-branch: 'master' - commit-message: 'update changelog' - force-add: 'true' - files: CHANGELOG.md - name: dev-sec CI - email: github@gumpri.ch diff --git a/ansible/roles/dev-sec.os-hardening/.github/workflows/release.yml b/ansible/roles/dev-sec.os-hardening/.github/workflows/release.yml index 34cf1cf..4d5fa69 100644 --- a/ansible/roles/dev-sec.os-hardening/.github/workflows/release.yml +++ b/ansible/roles/dev-sec.os-hardening/.github/workflows/release.yml @@ -25,17 +25,35 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Generate changelog - uses: charmixer/auto-changelog-action@v1 + uses: charmixer/auto-changelog-action@8095796 + with: + token: ${{ secrets.GITHUB_TOKEN }} + future_release: ${{ steps.version.outputs.next-version }} + + - name: Generate changelog for the release + uses: charmixer/auto-changelog-action@8095796 with: token: ${{ secrets.GITHUB_TOKEN }} since_tag: ${{ steps.previoustag.outputs.tag }} future_release: ${{ steps.version.outputs.next-version }} + output: CHANGELOGRELEASE.md + + - name: push changelog + uses: github-actions-x/commit@v2.6 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + push-branch: 'master' + commit-message: 'update changelog' + force-add: 'true' + files: CHANGELOG.md + name: dev-sec CI + email: hello@dev-sec.io - name: Read CHANGELOG.md id: package uses: juliangruber/read-file-action@v1 with: - path: ./CHANGELOG.md + path: ./CHANGELOGRELEASE.md - name: Create Release draft id: create_release 
diff --git a/ansible/roles/dev-sec.os-hardening/.kitchen.vagrant.yml b/ansible/roles/dev-sec.os-hardening/.kitchen.vagrant.yml index ab58ecd..504dd2c 100644 --- a/ansible/roles/dev-sec.os-hardening/.kitchen.vagrant.yml +++ b/ansible/roles/dev-sec.os-hardening/.kitchen.vagrant.yml @@ -33,6 +33,9 @@ platforms: - name: centos-6 driver_config: box: bento/centos-6.7 + provision: true + vagrantfiles: + - rhel6_provision.rb - name: centos-7 driver_config: box: bento/centos-7 @@ -42,6 +45,9 @@ platforms: - name: oracle-6 driver_config: box: bento/oracle-6 + provision: true + vagrantfiles: + - rhel6_provision.rb - name: oracle-7 driver_config: box: bento/oracle-7 @@ -57,6 +63,11 @@ platforms: - name: opensuse_tumbleweed driver_config: box: opensuse/Tumbleweed.x86_64 + provision: true + vagrantfiles: + - suse_provision.rb + provisioner: + ansible_binary_path: "/usr/local/bin" verifier: name: inspec diff --git a/ansible/roles/dev-sec.os-hardening/.kitchen.yml b/ansible/roles/dev-sec.os-hardening/.kitchen.yml index cceda4e..b5ae255 100644 --- a/ansible/roles/dev-sec.os-hardening/.kitchen.yml +++ b/ansible/roles/dev-sec.os-hardening/.kitchen.yml @@ -2,7 +2,16 @@ driver: name: docker use_sudo: false - privileged: true + cap_add: + - SYS_ADMIN + volume: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + run_options: + tmpfs: + - /tmp + - /run + - /run/lock + run_command: /sbin/init http_proxy: <%= ENV['http_proxy'] || nil %> https_proxy: <%= ENV['https_proxy'] || nil %> 
@@ -28,95 +37,108 @@ platforms: driver: image: rndmh3ro/docker-centos6-ansible:latest platform: centos + provision_command: + - sed -i '/loginuid/d' /etc/pam.d/sshd + - name: centos7-ansible-latest driver: image: rndmh3ro/docker-centos7-ansible:latest platform: centos - run_command: /sbin/init provision_command: - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - sed -i '/nologin/d' /etc/pam.d/sshd - systemctl enable sshd.service + - name: centos8-ansible-latest driver: image: rndmh3ro/docker-centos8-ansible:latest platform: centos - run_command: /sbin/init provision_command: - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - sed -i '/nologin/d' /etc/pam.d/sshd - systemctl enable sshd.service + provisioner: + ansible_binary_path: "/usr/local/bin" + - name: oracle6-ansible-latest driver: image: rndmh3ro/docker-oracle6-ansible:latest platform: centos + provision_command: + - sed -i '/loginuid/d' /etc/pam.d/sshd + - name: oracle7-ansible-latest driver: image: rndmh3ro/docker-oracle7-ansible:latest - run_command: /sbin/init platform: centos provision_command: - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - yum -y install initscripts + - sed -i '/nologin/d' /etc/pam.d/sshd - systemctl enable sshd.service + - name: ubuntu1604-ansible-latest driver: image: rndmh3ro/docker-ubuntu1604-ansible:latest platform: ubuntu - run_command: /sbin/init provision_command: - systemctl enable ssh.service + - name: ubuntu1804-ansible-latest driver: image: rndmh3ro/docker-ubuntu1804-ansible:latest platform: ubuntu - run_command: /sbin/init provision_command: - systemctl enable ssh.service + - name: debian9-ansible-latest driver: image: rndmh3ro/docker-debian9-ansible:latest platform: debian - run_command: /sbin/init provision_command: - apt install -y systemd-sysv - systemctl enable ssh.service + - name: debian10-ansible-latest driver: image: rndmh3ro/docker-debian10-ansible:latest platform: debian - run_command: /sbin/init provision_command: - apt 
install -y systemd-sysv - systemctl enable ssh.service + - name: amazon-ansible-latest driver: image: rndmh3ro/docker-amazon-ansible:latest platform: centos - run_command: /sbin/init provision_command: - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - sed -i '/nologin/d' /etc/pam.d/sshd - systemctl enable sshd.service + - name: fedora-ansible-latest driver: image: rndmh3ro/docker-fedora-ansible:latest platform: centos - run_command: /sbin/init provision_command: - dnf install -y python - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - sed -i '/nologin/d' /etc/pam.d/sshd - systemctl enable sshd.service + - name: opensuse_tumbleweed-ansible-latest driver: image: rndmh3ro/docker-opensuse_tumbleweed-ansible platform: opensuse provision_command: - - zypper -n install python-xml rpm-python - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - zypper -n install python-xml + - sed -i '/nologin/d' /etc/pam.d/sshd + - sed -i '/systemd/d' /etc/pam.d/common-session - systemctl enable sshd.service verifier: name: inspec sudo: true inspec_tests: - - https://github.com/dev-sec/tests-os-hardening + - https://github.com/dev-sec/linux-baseline + controls: + # skip sysctl checks, since they make no sense in docker + - /^(?!sysctl-|package-07).+/ suites: - name: os diff --git a/ansible/roles/dev-sec.os-hardening/.travis.yml b/ansible/roles/dev-sec.os-hardening/.travis.yml index ed74614..c9f49f5 100644 --- a/ansible/roles/dev-sec.os-hardening/.travis.yml +++ b/ansible/roles/dev-sec.os-hardening/.travis.yml 
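Review bot: The comment above the new `controls` filter explains why `sysctl-*` checks are skipped but not why `package-07` is excluded by the same regex `/^(?!sysctl-|package-07).+/`, so the next person to touch the verifier block cannot tell whether that exclusion is still needed. Extend the comment to cover both, e.g. `# skip sysctl checks (meaningless in docker) and package-07 (REASON-PLACEHOLDER, see linux-baseline)`. The `sed -i '/nologin/d' /etc/pam.d/sshd` provisioning lines are test-container setup only, but a one-line comment saying they replace the former `UsePAM no` workaround would also help readers of this vendored test config.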
@@ -2,63 +2,31 @@ services: docker env: - - distro: centos6 - version: latest - init: /sbin/init - - - distro: centos7 - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - version: latest - - - distro: centos8 - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - version: latest - - - distro: fedora - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - version: latest - - - distro: oracle6 - version: latest - init: /sbin/init - -# - distro: oracle7 -# init: /lib/systemd/systemd -# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" -# version: latest - - - distro: ubuntu1604 - version: latest - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: ubuntu1804 - version: latest - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: debian9 - version: latest - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: debian10 - version: latest - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: amazon - init: /lib/systemd/systemd - version: latest - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - # - distro: opensuse_tumbleweed - # init: /usr/lib/systemd/systemd - # version: latest - # run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro --volume=/run:/run:ro" + global: + - version=latest + - init=/sbin/init + - run_opts="--cap-add SYS_ADMIN" + - volume="/sys/fs/cgroup:/sys/fs/cgroup:ro" + jobs: + - distro=centos6 + volume=":" + run_opts="" + - distro=centos7 + - distro=centos8 + - distro=oracle6 + volume=":" + run_opts="" +# - distro=oracle7 + - distro=ubuntu1604 + - distro=ubuntu1804 + - distro=debian9 + init=/lib/systemd/systemd + - distro=debian10 + - 
distro=amazon + - distro=fedora + init=/lib/systemd/systemd + - distro=opensuse_tumbleweed + run_opts="--privileged" before_install: # Pull container @@ -70,7 +38,7 @@ script: - container_id=$(mktemp) # Run container in detached state. - - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-os-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"' + - 'docker run --detach --volume="${volume}" --volume="${PWD}":/etc/ansible/roles/ansible-os-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"' # Output Ansible version from docker image - 'docker exec "$(cat ${container_id})" ansible-playbook --version' @@ -79,7 +47,7 @@ script: - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/tests/test.yml --diff' # Verify role - - 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --controls=os-01 os-02 os-03 os-04 os-05 os-05b os-06 os-07 os-09 os-10 os-11 package-01 package-02 package-03 package-05 package-06 package-08 package-09 --no-distinct-exit' + - 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --no-distinct-exit' notifications: webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/ansible/roles/dev-sec.os-hardening/CHANGELOG.md b/ansible/roles/dev-sec.os-hardening/CHANGELOG.md index faa840e..7125878 100644 --- a/ansible/roles/dev-sec.os-hardening/CHANGELOG.md +++ b/ansible/roles/dev-sec.os-hardening/CHANGELOG.md 
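Review bot: `run_opts="--privileged"` for `distro=opensuse_tumbleweed` reintroduces the fully privileged container that the rest of this hunk deliberately replaces with the global `run_opts="--cap-add SYS_ADMIN"`, and nothing records why that one image needs it. The old matrix entry for this distro also mounted `/run:/run:ro`, which the new global `volume` setting does not, so the extra privilege is presumably compensating for that; a comment such as `# tumbleweed image needs full privileges: REASON-PLACEHOLDER` next to the override would stop a later cleanup from "fixing" it back to the capability-only form. The hunk is test CI configuration, so the exposure is limited to the CI runner.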
@@ -1,8 +1,71 @@ # Changelog -## [Unreleased](https://github.com/dev-sec/ansible-os-hardening/tree/HEAD) +## [6.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.2.0) (2020-08-16) -[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.0...HEAD) +[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.1.0...6.2.0) + +**Implemented enhancements:** + +- Optimize and unify when clause [\#295](https://github.com/dev-sec/ansible-os-hardening/pull/295) ([Alexhha](https://github.com/Alexhha)) +- use find module instead of shell [\#294](https://github.com/dev-sec/ansible-os-hardening/pull/294) ([danielkubat](https://github.com/danielkubat)) +- improve testing [\#287](https://github.com/dev-sec/ansible-os-hardening/pull/287) ([schurzi](https://github.com/schurzi)) + +**Fixed bugs:** + +- Inconsistent use of role vars/role defaults [\#284](https://github.com/dev-sec/ansible-os-hardening/issues/284) + +**Closed issues:** + +- Consider using find module instead of shell [\#293](https://github.com/dev-sec/ansible-os-hardening/issues/293) +- Optimize logical OR in when clause [\#292](https://github.com/dev-sec/ansible-os-hardening/issues/292) +- vfat added to dev-sec.conf, but efi is used [\#288](https://github.com/dev-sec/ansible-os-hardening/issues/288) +- OpenSUSE Support [\#249](https://github.com/dev-sec/ansible-os-hardening/issues/249) + +**Merged pull requests:** + +- fix fedora build [\#296](https://github.com/dev-sec/ansible-os-hardening/pull/296) ([rndmh3ro](https://github.com/rndmh3ro)) +- move hidepid vars into defaults so theyre overwritable [\#285](https://github.com/dev-sec/ansible-os-hardening/pull/285) ([rndmh3ro](https://github.com/rndmh3ro)) + +## [6.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.1.0) (2020-07-21) + +[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.3...6.1.0) + +**Implemented enhancements:** + +- Mount proc filesystem using hidepid option 
[\#283](https://github.com/dev-sec/ansible-os-hardening/pull/283) ([alegrey91](https://github.com/alegrey91)) + +**Fixed bugs:** + +- Is it safe to use on Debian 10? The build is failing. [\#281](https://github.com/dev-sec/ansible-os-hardening/issues/281) + +**Closed issues:** + +- The state of the galaxy release [\#269](https://github.com/dev-sec/ansible-os-hardening/issues/269) + +**Merged pull requests:** + +- do not blacklist used filesystems [\#289](https://github.com/dev-sec/ansible-os-hardening/pull/289) ([schurzi](https://github.com/schurzi)) +- install procps in debian so sysctl.conf exists [\#282](https://github.com/dev-sec/ansible-os-hardening/pull/282) ([rndmh3ro](https://github.com/rndmh3ro)) + +## [6.0.3](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.3) (2020-06-06) + +[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.2...6.0.3) + +**Implemented enhancements:** + +- unify changelog and release actions [\#279](https://github.com/dev-sec/ansible-os-hardening/pull/279) ([rndmh3ro](https://github.com/rndmh3ro)) + +## [6.0.2](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.2) (2020-06-02) + +[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.1...6.0.2) + +**Implemented enhancements:** + +- purge insecure packages [\#275](https://github.com/dev-sec/ansible-os-hardening/pull/275) ([chris-rock](https://github.com/chris-rock)) + +## [6.0.1](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.1) (2020-05-09) + +[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.0...6.0.1) **Implemented enhancements:** 
@@ -19,7 +82,7 @@ - Add Debian Buster support for ansible-os-hardening [\#233](https://github.com/dev-sec/ansible-os-hardening/issues/233) - Add CentOS 8 support for ansible-os-hardening [\#232](https://github.com/dev-sec/ansible-os-hardening/issues/232) - Add selinux configuration [\#154](https://github.com/dev-sec/ansible-os-hardening/issues/154) -- Make useradd defaults in login.defs dependent on OS [\#266](https://github.com/dev-sec/ansible-os-hardening/pull/266) ([Aisbergg](https://github.com/Aisbergg)) +- Make useradd defaults in login.defs dependent on OS [\#266](https://github.com/dev-sec/ansible-os-hardening/pull/266) ([aisbergg](https://github.com/aisbergg)) - Add kernel hardening parameters from Tails and CIS Benchmark [\#263](https://github.com/dev-sec/ansible-os-hardening/pull/263) ([kravietz](https://github.com/kravietz)) - add ansible-lint [\#262](https://github.com/dev-sec/ansible-os-hardening/pull/262) ([rndmh3ro](https://github.com/rndmh3ro)) - Remove trailing space [\#261](https://github.com/dev-sec/ansible-os-hardening/pull/261) ([kravietz](https://github.com/kravietz)) 
@@ -28,7 +91,7 @@ - Standardize the var ordering [\#251](https://github.com/dev-sec/ansible-os-hardening/pull/251) ([dustinmiller1337](https://github.com/dustinmiller1337)) - Add intial support for OpenSUSE [\#250](https://github.com/dev-sec/ansible-os-hardening/pull/250) ([dustinmiller1337](https://github.com/dustinmiller1337)) - Make max\_log\_file\_action for auditd configurable [\#246](https://github.com/dev-sec/ansible-os-hardening/pull/246) ([jandd](https://github.com/jandd)) -- Add exception in sysctl task [\#240](https://github.com/dev-sec/ansible-os-hardening/pull/240) ([okupriyanov](https://github.com/okupriyanov)) +- Add exception in sysctl task [\#240](https://github.com/dev-sec/ansible-os-hardening/pull/240) ([ghost](https://github.com/ghost)) - Fedora - Use new auto ansible\_python\_interpreter for dnf [\#239](https://github.com/dev-sec/ansible-os-hardening/pull/239) ([jaredledvina](https://github.com/jaredledvina)) - add test support for CentOS8 [\#237](https://github.com/dev-sec/ansible-os-hardening/pull/237) ([yeoldegrove](https://github.com/yeoldegrove)) - Support configuring SELinux and default to enforcing [\#236](https://github.com/dev-sec/ansible-os-hardening/pull/236) ([jaredledvina](https://github.com/jaredledvina)) 
@@ -47,7 +110,7 @@ - Add a "don't fail on error" switch ? [\#148](https://github.com/dev-sec/ansible-os-hardening/issues/148) - Addressing issue \#255 [\#258](https://github.com/dev-sec/ansible-os-hardening/pull/258) ([ljkimmel](https://github.com/ljkimmel)) - Fix \#247, cleanup conditions [\#248](https://github.com/dev-sec/ansible-os-hardening/pull/248) ([fernandezcuesta](https://github.com/fernandezcuesta)) -- Fix error on applying the sysctl vars on containers [\#243](https://github.com/dev-sec/ansible-os-hardening/pull/243) ([okupriyanov](https://github.com/okupriyanov)) +- Fix error on applying the sysctl vars on containers [\#243](https://github.com/dev-sec/ansible-os-hardening/pull/243) ([ghost](https://github.com/ghost)) - Update location of NSA RHEL 5 Guide [\#235](https://github.com/dev-sec/ansible-os-hardening/pull/235) ([jaredledvina](https://github.com/jaredledvina)) ## [5.2.1](https://github.com/dev-sec/ansible-os-hardening/tree/5.2.1) (2019-06-09) 
@@ -123,9 +186,7 @@ - Rename pam\_passwdqd.j2 to pam\_passwdqc.j2 [\#172](https://github.com/dev-sec/ansible-os-hardening/pull/172) ([martinbydefault](https://github.com/martinbydefault)) - Use package state 'present' since 'installed' is deprecated [\#168](https://github.com/dev-sec/ansible-os-hardening/pull/168) ([Normo](https://github.com/Normo)) - Update syntax to Ansible 2.4 [\#161](https://github.com/dev-sec/ansible-os-hardening/pull/161) ([thomasjpfan](https://github.com/thomasjpfan)) -- add amazon linux testing [\#160](https://github.com/dev-sec/ansible-os-hardening/pull/160) ([rndmh3ro](https://github.com/rndmh3ro)) - Add support for Amazon Linux [\#158](https://github.com/dev-sec/ansible-os-hardening/pull/158) ([woneill](https://github.com/woneill)) -- install and configure auditd - fix inspec package-08 [\#144](https://github.com/dev-sec/ansible-os-hardening/pull/144) ([rndmh3ro](https://github.com/rndmh3ro)) - Remove deprecated include for static tasks and use instead import\_tasks fix \#131 [\#132](https://github.com/dev-sec/ansible-os-hardening/pull/132) ([HelioCampos](https://github.com/HelioCampos)) **Fixed bugs:** 
@@ -148,12 +209,14 @@ - Update some RH settings in this role [\#155](https://github.com/dev-sec/ansible-os-hardening/issues/155) - Removal of core dump hardening configuration if core dumps are allowed [\#129](https://github.com/dev-sec/ansible-os-hardening/issues/129) +- add amazon linux testing [\#160](https://github.com/dev-sec/ansible-os-hardening/pull/160) ([rndmh3ro](https://github.com/rndmh3ro)) - Don't create home for system accounts [\#156](https://github.com/dev-sec/ansible-os-hardening/pull/156) ([oakey-b1](https://github.com/oakey-b1)) - Prevent disabling of filesystems via whitelist [\#153](https://github.com/dev-sec/ansible-os-hardening/pull/153) ([manuelprinz](https://github.com/manuelprinz)) - Add kernel hardening settings from Ubuntu /etc/sysctl.d [\#150](https://github.com/dev-sec/ansible-os-hardening/pull/150) ([kravietz](https://github.com/kravietz)) - Removal of core dump hardening configuration if core dumps are allowed [\#146](https://github.com/dev-sec/ansible-os-hardening/pull/146) ([martinbydefault](https://github.com/martinbydefault)) - add missing sysctl parameter [\#143](https://github.com/dev-sec/ansible-os-hardening/pull/143) ([rndmh3ro](https://github.com/rndmh3ro)) - update readme [\#139](https://github.com/dev-sec/ansible-os-hardening/pull/139) ([rndmh3ro](https://github.com/rndmh3ro)) +- add modprobe template, control os-10 [\#138](https://github.com/dev-sec/ansible-os-hardening/pull/138) ([rndmh3ro](https://github.com/rndmh3ro)) **Fixed bugs:** 
@@ -184,7 +247,7 @@ **Implemented enhancements:** -- add modprobe template, control os-10 [\#138](https://github.com/dev-sec/ansible-os-hardening/pull/138) ([rndmh3ro](https://github.com/rndmh3ro)) +- install and configure auditd - fix inspec package-08 [\#144](https://github.com/dev-sec/ansible-os-hardening/pull/144) ([rndmh3ro](https://github.com/rndmh3ro)) - new task for delete netrc files, control os-09 [\#137](https://github.com/dev-sec/ansible-os-hardening/pull/137) ([rndmh3ro](https://github.com/rndmh3ro)) - add passwd task, control os-03 [\#136](https://github.com/dev-sec/ansible-os-hardening/pull/136) ([rndmh3ro](https://github.com/rndmh3ro)) - remove prelink package, control package-09 [\#135](https://github.com/dev-sec/ansible-os-hardening/pull/135) ([rndmh3ro](https://github.com/rndmh3ro)) diff --git a/ansible/roles/dev-sec.os-hardening/README.md b/ansible/roles/dev-sec.os-hardening/README.md index 5186dcb..cdc50d3 100644 --- a/ansible/roles/dev-sec.os-hardening/README.md +++ b/ansible/roles/dev-sec.os-hardening/README.md @@ -1,7 +1,6 @@ # os-hardening (Ansible Role) [![Build Status](http://img.shields.io/travis/dev-sec/ansible-os-hardening.svg)][1] -[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][2] [![Ansible Galaxy](https://img.shields.io/badge/galaxy-os--hardening-660198.svg)][3] ## Description 
@@ -81,6 +80,8 @@ If you're using Docker / Kubernetes+Docker you'll need to override the ipv4 ip f | `ufw_default_forward_policy` | DROP | set default forward policy of ufw to `DROP` | | `os_auditd_enabled` | true | Set to false to disable installing and configuring auditd. | | `os_auditd_max_log_file_action` | `keep_logs` | Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`. | +| `hidepid_option` | `2` | `0`: This is the default setting and gives you the default behaviour. `1`: With this option an normal user would not see other processes but their own about ps, top etc, but he is still able to see process IDs in /proc. `2`: Users are only able too see their own processes (like with hidepid=1), but also the other process IDs are hidden for them in /proc. | +| `proc_mnt_options` | `rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}` | Mount proc with hardenized options, including `hidepid` with variable value. | ## Packages diff --git a/ansible/roles/dev-sec.os-hardening/defaults/main.yml b/ansible/roles/dev-sec.os-hardening/defaults/main.yml index e047f49..db87948 100644 --- a/ansible/roles/dev-sec.os-hardening/defaults/main.yml +++ b/ansible/roles/dev-sec.os-hardening/defaults/main.yml @@ -278,3 +278,6 @@ os_auditd_max_log_file_action: keep_logs os_selinux_state: enforcing # Set the SELinux polixy. os_selinux_policy: targeted + +hidepid_option: '2' # allowed values: 0, 1, 2 +proc_mnt_options: 'rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}' diff --git a/ansible/roles/dev-sec.os-hardening/meta/.galaxy_install_info b/ansible/roles/dev-sec.os-hardening/meta/.galaxy_install_info index 099ab8c..e635dbc 100644 --- a/ansible/roles/dev-sec.os-hardening/meta/.galaxy_install_info +++ b/ansible/roles/dev-sec.os-hardening/meta/.galaxy_install_info 
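Review bot: The new default `hidepid_option: '2'` is applied unconditionally through `proc_mnt_options`, and a hidepid-restricted /proc is reported to interfere with systemd-logind and polkit on systemd-based hosts unless their service group is exempted via the proc `gid=` mount option, which the new options string does not carry. Because this vendored role is applied to the webserver inventories in this repository, either override `hidepid_option` to `'0'` in the group vars until that exemption is handled, or add a caveat next to the default, e.g. `# NOTE: hidepid=2 reportedly breaks systemd-logind/polkit unless an exempt gid= is added to proc_mnt_options; confirm on target hosts before rollout`. The README row added above documents the values but not this caveat.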
@@ -1,2 +1,2 @@
-install_date: Fri May 15 20:29:23 2020
-version: 6.0.1
+install_date: Thu Feb 18 15:39:25 2021
+version: 6.2.0
diff --git a/ansible/roles/dev-sec.os-hardening/rhel6_provision.rb b/ansible/roles/dev-sec.os-hardening/rhel6_provision.rb
new file mode 100644
index 0000000..169dddb
--- /dev/null
+++ b/ansible/roles/dev-sec.os-hardening/rhel6_provision.rb
@@ -0,0 +1,7 @@
+Vagrant.configure(2) do |config|
+ config.vm.provision "shell", inline: <<-SHELL
+ rpm -i http://mirror.de.leaseweb.net/epel/6/x86_64/epel-release-6-8.noarch.rpm
+ sed -i 's/\\(mirrorlist=http\\)s/\\1/' /etc/yum.repos.d/epel.repo
+ yum install -y ansible libselinux-python
+ SHELL
+end
\ No newline at end of file
diff --git a/ansible/roles/dev-sec.os-hardening/suse_provision.rb b/ansible/roles/dev-sec.os-hardening/suse_provision.rb
new file mode 100644
index 0000000..5db4bd2
--- /dev/null
+++ b/ansible/roles/dev-sec.os-hardening/suse_provision.rb
@@ -0,0 +1,7 @@
+Vagrant.configure(2) do |config|
+ config.vm.provision "shell", inline: <<-SHELL
+ zypper -n install python2-setuptools
+ mkdir -p /usr/local/lib/python2.7/site-packages/
+ ln -s /usr/local/bin/pip /usr/bin/
+ SHELL
+end
\ No newline at end of file
diff --git a/ansible/roles/dev-sec.os-hardening/tasks/apt.yml b/ansible/roles/dev-sec.os-hardening/tasks/apt.yml
index 9eabf31..bf47469 100644
--- a/ansible/roles/dev-sec.os-hardening/tasks/apt.yml
+++ b/ansible/roles/dev-sec.os-hardening/tasks/apt.yml
@@ -3,4 +3,5 @@
 apt:
 name: '{{ os_security_packages_list }}'
 state: 'absent'
+ purge: 'yes'
 when: os_security_packages_clean | bool
diff --git a/ansible/roles/dev-sec.os-hardening/tasks/auditd.yml b/ansible/roles/dev-sec.os-hardening/tasks/auditd.yml
index 2ff1ed2..13a6241 100644
--- a/ansible/roles/dev-sec.os-hardening/tasks/auditd.yml
+++ b/ansible/roles/dev-sec.os-hardening/tasks/auditd.yml
@@ -1,5 +1,4 @@
 ---
-
 - name: install auditd package | package-08
 package:
 name: '{{ auditd_package }}'
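Review bot: `rpm -i http://mirror.de.leaseweb.net/epel/6/x86_64/epel-release-6-8.noarch.rpm` in the new rhel6_provision.rb installs the EPEL release package from a third-party mirror over plain HTTP as root without importing the EPEL signing key first, and rpm only warns (NOKEY) rather than fails when it cannot verify a signature, so this is an unauthenticated download executed with full privileges; the following `sed` then downgrades the repo's mirrorlist URL from https to http as well. This is a Vagrant test fixture, so the exposure is limited to throwaway test VMs (and EL6 being end-of-life is presumably why the https mirrorlist no longer works), but the file should say so, e.g. `# test-only: unverified EPEL bootstrap for EL6 VMs, do not reuse for real hosts`, or fetch the package over https and import the key before `rpm -i`. suse_provision.rb has the same test-only character and would benefit from the same header comment.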
diff --git a/ansible/roles/dev-sec.os-hardening/tasks/hardening.yml b/ansible/roles/dev-sec.os-hardening/tasks/hardening.yml index 3f309f0..a31123d 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/hardening.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/hardening.yml @@ -56,10 +56,9 @@ tags: yum - import_tasks: apt.yml - when: ansible_facts.distribution == 'Debian' or ansible_facts.distribution == 'Ubuntu' + when: ansible_facts.distribution in ['Debian', 'Ubuntu'] tags: apt - import_tasks: selinux.yml tags: selinux - when: - - ansible_facts.selinux.status == 'enabled' + when: ansible_facts.selinux.status == 'enabled' diff --git a/ansible/roles/dev-sec.os-hardening/tasks/limits.yml b/ansible/roles/dev-sec.os-hardening/tasks/limits.yml index 804cbad..ab7c37e 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/limits.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/limits.yml @@ -1,5 +1,4 @@ --- - - block: - name: create limits.d-directory if it does not exist | sysctl-31a, sysctl-31b file: diff --git a/ansible/roles/dev-sec.os-hardening/tasks/main.yml b/ansible/roles/dev-sec.os-hardening/tasks/main.yml index 3571b6f..441fd98 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/main.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/main.yml @@ -1,4 +1,3 @@ --- - - import_tasks: hardening.yml when: os_hardening_enabled | bool diff --git a/ansible/roles/dev-sec.os-hardening/tasks/minimize_access.yml b/ansible/roles/dev-sec.os-hardening/tasks/minimize_access.yml index 1b5f94b..53dfeb5 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/minimize_access.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/minimize_access.yml @@ -48,3 +48,11 @@ group: 'root' mode: '0750' when: '"change_user" not in os_security_users_allow' + +- name: set option hidepid for proc filesystem + mount: + path: /proc + src: proc + fstype: proc + opts: '{{ proc_mnt_options }}' + state: present 
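Review bot: The new `set option hidepid for proc filesystem` task uses `state: present`, which only writes the fstab entry; the running /proc keeps its current mount options until a reboot or an explicit remount, so a play run reports the hidepid hardening as applied while the live host still exposes other users' processes. If immediate effect is intended, `state: mounted` would remount with the new options, but remounting /proc on a live host is itself disruptive, so whichever is chosen should be stated in the task, e.g. `# fstab entry only: takes effect at next boot or remount`. A `changed` result from this task should also not be read as evidence that the hardening is active during a verification run.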
diff --git a/ansible/roles/dev-sec.os-hardening/tasks/modprobe.yml b/ansible/roles/dev-sec.os-hardening/tasks/modprobe.yml index bccb54b..5cd7434 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/modprobe.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/modprobe.yml @@ -12,7 +12,15 @@ - name: remove vfat from fs-list if efi is used set_fact: os_unused_filesystems: "{{ os_unused_filesystems | difference('vfat') }}" - when: efi_installed.stat.isdir is defined and efi_installed.stat.isdir + when: + - efi_installed.stat.isdir is defined + - efi_installed.stat.isdir + +- name: remove used filesystems from fs-list + set_fact: + os_unused_filesystems: "{{ os_unused_filesystems | difference(ansible_mounts | map(attribute='fstype') | list) }}" + # we cannot do this on el6 and below, because these systems don't support the map function + when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') - name: disable unused filesystems | os-10 template: diff --git a/ansible/roles/dev-sec.os-hardening/tasks/pam.yml b/ansible/roles/dev-sec.os-hardening/tasks/pam.yml index 1beeac4..a996729 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/pam.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/pam.yml @@ -121,6 +121,7 @@ - name: Gather package facts package_facts: manager: auto + when: ansible_facts.os_family != 'Suse' - name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512 template: @@ -129,4 +130,6 @@ mode: '0640' owner: 'root' group: 'root' - when: "'libuser' in ansible_facts.packages" + when: + - ansible_facts.os_family != 'Suse' + - "'libuser' in ansible_facts.packages" diff --git a/ansible/roles/dev-sec.os-hardening/tasks/sysctl.yml b/ansible/roles/dev-sec.os-hardening/tasks/sysctl.yml index fa1afc5..7a6d83b 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/sysctl.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/sysctl.yml 
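Review bot: The `when` clause of the new `remove used filesystems from fs-list` task compares `ansible_facts.distribution_major_version < '7'` as strings, whereas the sysctl task in the same role uses the `version()` test for the same el6 check; a lexical comparison gives the wrong answer once the major version has two digits (`'10' < '7'` is true), so such a host would skip the exclusion and could end up blacklisting a filesystem module that is actually in use. I also believe Ansible reports Oracle Linux hosts with `os_family` RedHat (the distinct value is in `distribution`), so the `'Oracle Linux'` entry in the list is probably dead; worth verifying on a real host. Suggested form: `when: not (ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version is version('7', '<'))`.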
@@ -13,15 +13,16 @@ owner: 'root' group: 'root' mode: '0544' - when: ansible_facts.distribution == 'RedHat' or ansible_facts.distribution == 'Fedora' or - ansible_facts.distribution == 'CentOS' or ansible_facts.distribution == 'Amazon' + when: ansible_facts.distribution in ['Amazon', 'CentOS', 'Fedora', 'RedHat'] - name: install initramfs-tools apt: name: 'initramfs-tools' state: 'present' update_cache: true - when: ansible_facts.os_family == 'Debian' and os_security_kernel_enable_module_loading + when: + - ansible_facts.os_family == 'Debian' + - os_security_kernel_enable_module_loading - name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled template: @@ -32,7 +33,9 @@ mode: '0440' notify: - update-initramfs - when: ansible_facts.os_family == 'Debian' and os_security_kernel_enable_module_loading + when: + - ansible_facts.os_family == 'Debian' + - os_security_kernel_enable_module_loading register: initramfs - name: change sysctls @@ -60,14 +63,16 @@ reload: yes ignoreerrors: yes with_dict: '{{ sysctl_rhel_config }}' - when: ((ansible_facts.distribution == 'RedHat' or ansible_facts.distribution == 'Fedora' or ansible_facts.distribution == 'CentOS') and + when: ((ansible_facts.distribution in ['CentOS', 'Fedora', 'RedHat']) and ansible_distribution_version|int is version('7', '<')) or ansible_facts.distribution == 'Amazon' - when: ansible_virtualization_type not in ['docker', 'openvz', 'lxc'] + when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz'] - name: Apply ufw defaults template: src: 'etc/default/ufw.j2' dest: '/etc/default/ufw' - when: ufw_manage_defaults and (ansible_facts.distribution == 'Debian' or ansible_facts.distribution == 'Ubuntu') + when: + - ufw_manage_defaults + - ansible_facts.distribution in ['Debian', 'Ubuntu'] tags: ufw diff --git a/ansible/roles/dev-sec.os-hardening/tasks/yum.yml b/ansible/roles/dev-sec.os-hardening/tasks/yum.yml index 9902af6..9d6599a 100644 
--- a/ansible/roles/dev-sec.os-hardening/tasks/yum.yml
+++ b/ansible/roles/dev-sec.os-hardening/tasks/yum.yml
@@ -3,35 +3,42 @@ file: name: '/etc/yum.repos.d/{{ item }}.repo' state: 'absent' - with_items: + loop: - 'CentOS-Debuginfo' - 'CentOS-Media' - 'CentOS-Vault' when: os_security_packages_clean | bool - name: get yum-repository-files - shell: 'find /etc/yum.repos.d/ -type f -name *.repo' - changed_when: False + find: + paths: '/etc/yum.repos.d' + patterns: '*.repo' register: yum_repos - # for the 'default([])' see here: - # https://github.com/dev-sec/ansible-os-hardening/issues/99 and - # https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause - # - # failed_when is needed because by default replace module will fail if the file doesn't exists. - # status.rc is only defined if an error accrued and only error code (rc) 257 will be ignored. - # All other errors will still be raised. +# for the 'default([])' see here: +# https://github.com/dev-sec/ansible-os-hardening/issues/99 and +# https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause +- name: activate gpg-check for yum-repository-files + replace: + path: '{{ item.path }}' + regexp: '^\s*gpgcheck.*' + replace: 'gpgcheck=1' + with_items: + - '{{ yum_repos.files | default([]) }}' + +# failed_when is needed because by default replace module will fail if the file doesn't exists. +# status.rc is only defined if an error accrued and only error code (rc) 257 will be ignored. +# All other errors will still be raised. 
- name: activate gpg-check for config files replace: - dest: '{{ item }}' - regexp: '^\s*gpgcheck: 0' - replace: 'gpgcheck: 1' + path: '{{ item }}' + regexp: '^\s*gpgcheck\W.*' + replace: 'gpgcheck=1' register: status failed_when: status.rc is defined and status.rc != 257 - with_flattened: + loop: - '/etc/yum.conf' - '/etc/dnf/dnf.conf' - - '{{ yum_repos.stdout_lines| default([]) }}' # noqa 104 - '/etc/yum/pluginconf.d/rhnplugin.conf' - name: remove deprecated or insecure packages | package-01 - package-09 diff --git a/ansible/roles/dev-sec.os-hardening/tests/test.yml b/ansible/roles/dev-sec.os-hardening/tests/test.yml index 3816755..dd26d0f 100644 --- a/ansible/roles/dev-sec.os-hardening/tests/test.yml +++ b/ansible/roles/dev-sec.os-hardening/tests/test.yml @@ -13,6 +13,10 @@ apt: update_cache: yes when: ansible_facts.os_family == 'Debian' + - name: install required tools on debian + apt: + name: procps + when: ansible_facts.os_family == 'Debian' - name: install required tools on fedora dnf: name: @@ -20,6 +24,9 @@ - findutils - procps-ng when: ansible_facts.distribution == 'Fedora' + - name: install required tools on SuSE + shell: "zypper -n install python-xml" + when: ansible_facts.os_family == 'Suse' - name: create recursing symlink to test minimize access shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz" vars: diff --git a/ansible/roles/dev-sec.ssh-hardening/.github/workflows/changelog.yml b/ansible/roles/dev-sec.ssh-hardening/.github/workflows/changelog.yml deleted file mode 100644 index 99857c7..0000000 --- a/ansible/roles/dev-sec.ssh-hardening/.github/workflows/changelog.yml +++ /dev/null 
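Review bot: The new `activate gpg-check for yum-repository-files` task still uses `with_items` with the file list wrapped in an extra `-` item, while the task directly below it was just migrated to `loop`; `loop: '{{ yum_repos.files | default([]) }}'` is the equivalent form and keeps the file consistent. Its `regexp: '^\s*gpgcheck.*'` also lacks the `\W` boundary the second task uses (`'^\s*gpgcheck\W.*'`), so the two tasks do not match the same set of keys. Note that both tasks only rewrite a `gpgcheck` line that already exists, so a repository file that omits the key keeps whatever default it inherits; if the intent is to enforce `gpgcheck=1` in every `.repo` file, `lineinfile` with `regexp` and `line` inserts the line when it is absent.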
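Review bot: The SuSE step in the `@@ -20,6 +24,9 @@` hunk of tests/test.yml shells out (`shell: "zypper -n install python-xml"`) where the sibling Debian and Fedora tasks use the `apt` and `dnf` modules; `zypper: name: python-xml` would keep the test playbook idempotent instead of reporting changed on every run. If the shell form is deliberate because python-xml has to be present before Ansible's own zypper module can run on that platform, a comment saying so would save the next reader the question.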
@@ -1,34 +0,0 @@ -name: Create Changelog - -on: - pull_request: - types: [closed] - - release: - types: [published] - - issues: - types: [closed, edited] - -jobs: - generate_changelog: - runs-on: ubuntu-latest - name: Generate changelog for master branch - steps: - - uses: actions/checkout@v1 - - - name: Generate changelog - uses: charmixer/auto-changelog-action@v1 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - - name: push - uses: github-actions-x/commit@v2.6 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - push-branch: 'master' - commit-message: 'update changelog' - force-add: 'true' - files: CHANGELOG.md - name: dev-sec CI - email: github@gumpri.ch diff --git a/ansible/roles/dev-sec.ssh-hardening/.github/workflows/release.yml b/ansible/roles/dev-sec.ssh-hardening/.github/workflows/release.yml index 951f439..4d5fa69 100644 --- a/ansible/roles/dev-sec.ssh-hardening/.github/workflows/release.yml +++ b/ansible/roles/dev-sec.ssh-hardening/.github/workflows/release.yml 
@@ -25,18 +25,35 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Generate changelog - uses: charmixer/auto-changelog-action@v1 + uses: charmixer/auto-changelog-action@8095796 + with: + token: ${{ secrets.GITHUB_TOKEN }} + future_release: ${{ steps.version.outputs.next-version }} + + - name: Generate changelog for the release + uses: charmixer/auto-changelog-action@8095796 with: token: ${{ secrets.GITHUB_TOKEN }} since_tag: ${{ steps.previoustag.outputs.tag }} - # wait for https://github.com/CharMixer/auto-changelog-action/pull/3 - #future_release: ${{ steps.version.outputs.next-version }} + future_release: ${{ steps.version.outputs.next-version }} + output: CHANGELOGRELEASE.md + + - name: push changelog + uses: github-actions-x/commit@v2.6 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + push-branch: 'master' + commit-message: 'update changelog' + force-add: 'true' + files: CHANGELOG.md + name: dev-sec CI + email: hello@dev-sec.io - name: Read CHANGELOG.md id: package uses: juliangruber/read-file-action@v1 with: - path: ./CHANGELOG.md + path: ./CHANGELOGRELEASE.md - name: Create Release draft id: create_release diff --git a/ansible/roles/dev-sec.ssh-hardening/.kitchen.vagrant.yml b/ansible/roles/dev-sec.ssh-hardening/.kitchen.vagrant.yml index 2a1dff0..2c43610 100644 --- a/ansible/roles/dev-sec.ssh-hardening/.kitchen.vagrant.yml +++ b/ansible/roles/dev-sec.ssh-hardening/.kitchen.vagrant.yml @@ -33,6 +33,9 @@ platforms: - name: centos-7 driver_config: box: bento/centos-7 +- name: centos-8 + driver_config: + box: bento/centos-8 - name: oracle-6 driver_config: box: bento/oracle-6 diff --git a/ansible/roles/dev-sec.ssh-hardening/.kitchen.yml b/ansible/roles/dev-sec.ssh-hardening/.kitchen.yml index e243825..fde7b51 100644 --- a/ansible/roles/dev-sec.ssh-hardening/.kitchen.yml +++ b/ansible/roles/dev-sec.ssh-hardening/.kitchen.yml 
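Review bot: `uses: charmixer/auto-changelog-action@8095796` pins the third-party action to a seven-character abbreviated SHA in both changelog steps, and the new push step uses the mutable tag `github-actions-x/commit@v2.6`; for steps that receive `secrets.GITHUB_TOKEN` and force-push to master, pin every `uses:` to the full 40-character commit SHA and record the matching version in a trailing comment, e.g. `uses: charmixer/auto-changelog-action@<FULL-COMMIT-SHA> # <version>`. A short prefix is not guaranteed to stay unique and a tag can be moved, so neither gives the reproducibility a release workflow needs. The job definition starts above the hunk.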
@@ -2,7 +2,16 @@ driver: name: docker use_sudo: false - privileged: true + cap_add: + - SYS_ADMIN + volume: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + run_options: + tmpfs: + - /tmp + - /run + - /run/lock + run_command: /sbin/init http_proxy: <%= ENV['http_proxy'] || nil %> https_proxy: <%= ENV['https_proxy'] || nil %> 
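Review bot: Replacing `privileged: true` with `cap_add: SYS_ADMIN`, the read-only cgroup mount and the tmpfs mounts is a real reduction in container privilege, but nothing in the file says why these settings belong together or that `run_command: /sbin/init` depends on them; a comment above `cap_add:` such as `# systemd as PID 1 needs SYS_ADMIN, a read-only cgroup mount and tmpfs on /run, /run/lock and /tmp instead of --privileged` would keep a later change from reverting to `privileged: true`. The `driver:` block continues past the end of the hunk.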
@@ -28,72 +37,96 @@ platforms: driver: image: rndmh3ro/docker-centos6-ansible:latest platform: centos + provision_command: + - sed -i '/loginuid/d' /etc/pam.d/sshd + - name: centos7-ansible-latest driver: image: rndmh3ro/docker-centos7-ansible:latest platform: centos - run_command: /sbin/init provision_command: - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - sed -i '/nologin/d' /etc/pam.d/sshd - systemctl enable sshd.service + +- name: centos8-ansible-latest + driver: + image: rndmh3ro/docker-centos8-ansible:latest + platform: centos + provision_command: + - sed -i '/nologin/d' /etc/pam.d/sshd + - systemctl enable sshd.service + provisioner: + ansible_binary_path: "/usr/local/bin" + - name: oracle6-ansible-latest driver: image: rndmh3ro/docker-oracle6-ansible:latest platform: centos + provision_command: + - sed -i '/loginuid/d' /etc/pam.d/sshd + - name: oracle7-ansible-latest driver: image: rndmh3ro/docker-oracle7-ansible:latest - run_command: /sbin/init platform: centos provision_command: - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - sed -i '/nologin/d' /etc/pam.d/sshd - systemctl enable sshd.service + - name: ubuntu1604-ansible-latest driver: image: rndmh3ro/docker-ubuntu1604-ansible:latest platform: ubuntu - run_command: /sbin/init provision_command: - systemctl enable ssh.service + - name: ubuntu1804-ansible-latest driver: image: rndmh3ro/docker-ubuntu1804-ansible:latest platform: ubuntu - run_command: /sbin/init provision_command: - systemctl enable ssh.service + - name: debian9-ansible-latest driver: image: rndmh3ro/docker-debian9-ansible:latest platform: debian - run_command: /sbin/init provision_command: - apt install -y systemd-sysv - systemctl enable ssh.service + - name: debian10-ansible-latest driver: image: rndmh3ro/docker-debian10-ansible platform: debian - run_command: /sbin/init provision_command: - apt install -y systemd-sysv - systemctl enable ssh.service + - name: amazon-ansible-latest driver: image: 
rndmh3ro/docker-amazon-ansible:latest platform: centos - run_command: /sbin/init provision_command: - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - sed -i '/nologin/d' /etc/pam.d/sshd - systemctl enable sshd.service + - name: fedora-ansible-latest driver: image: rndmh3ro/docker-fedora-ansible:latest platform: centos - run_command: /sbin/init provision_command: - - dnf install -y python - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - dnf install -y python procps-ng + - sed -i '/nologin/d' /etc/pam.d/sshd + - systemctl enable sshd.service + +- name: arch-ansible-latest + driver: + image: rndmh3ro/docker-arch-ansible:latest + platform: arch + run_command: /usr/lib/systemd/systemd + provision_command: + - sed -i '/nologin/d' /etc/pam.d/sshd - systemctl enable sshd.service verifier: diff --git a/ansible/roles/dev-sec.ssh-hardening/.travis.yml b/ansible/roles/dev-sec.ssh-hardening/.travis.yml index c21539a..391091d 100644 --- a/ansible/roles/dev-sec.ssh-hardening/.travis.yml +++ b/ansible/roles/dev-sec.ssh-hardening/.travis.yml 
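Review bot: `sed -i '/nologin/d' /etc/pam.d/sshd` and `sed -i '/loginuid/d' /etc/pam.d/sshd` are repeated across seven platforms with no explanation of what is being removed or why it is needed in a container; presumably these drop the pam_nologin and pam_loginuid lines from the sshd PAM stack, and a single comment at the first occurrence, e.g. `# test containers only: drop pam_nologin/pam_loginuid from the sshd stack, which cannot work without a real init session`, would record the intent and make clear it is not to be copied into the role. Replacing the earlier `UsePAM no` edit is the better direction, since the role's PAM-related settings are now actually exercised in CI. `platforms:` begins above the hunk and `verifier:` follows it.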
@@ -2,53 +2,32 @@ services: docker env: - - distro: centos6 - version: latest - init: /sbin/init - - - distro: centos7 - init: /usr/lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - version: latest - - - distro: oracle6 - version: latest - init: /sbin/init - -# - distro: oracle7 -# init: /usr/lib/systemd/systemd -# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" -# version: latest - - - distro: ubuntu1604 - version: latest - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: ubuntu1804 - version: latest - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: debian9 - version: latest - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: debian10 - version: latest - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: amazon - init: /lib/systemd/systemd - version: latest - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: fedora - init: /lib/systemd/systemd - version: latest - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" + global: + - version=latest + - init=/sbin/init + - run_opts="--cap-add SYS_ADMIN" + - volume="/sys/fs/cgroup:/sys/fs/cgroup:ro" + jobs: + - distro=centos6 + volume=":" + run_opts="" + - distro=centos7 + - distro=centos8 + - distro=oracle6 + volume=":" + run_opts="" +# - distro=oracle7 + - distro=ubuntu1604 + - distro=ubuntu1804 + - distro=debian9 + init=/lib/systemd/systemd + - distro=debian10 + - distro=amazon + - distro=fedora + init=/lib/systemd/systemd + - distro=arch + init=/usr/lib/systemd/systemd + run_opts="--privileged" before_install: # Pull container 
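Review bot: The arch job sets `run_opts="--privileged"` while the global default was just narrowed to `--cap-add SYS_ADMIN`, and the centos6 and oracle6 jobs use `volume=":"` as a placeholder for "no extra mount"; neither exception is explained. A comment on each, e.g. `# arch: <reason --privileged is still required>` and `# ":" keeps --volume="${volume}" syntactically valid when no cgroup mount is wanted`, would make the matrix readable, and it is worth confirming that docker really accepts `--volume=":"` as a no-op rather than rejecting it as an invalid mount specification. The `env:` block starts above the hunk.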
@@ -60,17 +39,14 @@ script: - container_id=$(mktemp) # Run container in detached state. - - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-ssh-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"' + - 'docker run --detach --volume="${volume}" --volume="${PWD}":/etc/ansible/roles/ansible-ssh-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"' # Test role. - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default_custom.yml --diff' - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default.yml --diff' # Verify role - # remove the UseLogin-check, see here for reasons: https://github.com/dev-sec/ansible-ssh-hardening/pull/141 - - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=sshd-01 sshd-02 sshd-03 sshd-04 sshd-05 sshd-06 sshd-07 sshd-08 sshd-09 sshd-10 sshd-11 sshd-12 sshd-13 sshd-14 sshd-15 sshd-16 sshd-17 sshd-18 sshd-19 sshd-20 sshd-21 sshd-22 sshd-23 sshd-24 sshd-25 sshd-26 sshd-27 sshd-28 sshd-29 sshd-30 sshd-31 sshd-32 sshd-33 sshd-34 sshd-35 sshd-36 sshd-37 sshd-38 sshd-39 sshd-40 sshd-41 sshd-42 sshd-43 sshd-44 sshd-45 sshd-46 sshd-47 sshd-48 --no-distinct-exit' - # remove UseRoaming and RhostsRSAAuthentication because these options are deprecated - ssh-14, ssh-15, ssh-21 - - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=ssh-01 ssh-02 ssh-03 ssh-04 ssh-05 ssh-06 ssh-07 ssh-08 ssh-09 ssh-10 ssh-11 ssh-12 ssh-13 ssh-14 ssh-15 ssh-16 ssh-17 ssh-18 ssh-19 ssh-20 --no-distinct-exit' + - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --no-distinct-exit' notifications: webhooks: https://galaxy.ansible.com/api/v1/notifications/ 
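Review bot: `inspec exec https://github.com/dev-sec/ssh-baseline/` now runs the whole baseline from the repository's default branch with no ref, so the build result depends on whatever that branch contains on the day CI runs and a change to the baseline can break or silently weaken this role's checks; pin it, e.g. `inspec exec https://github.com/dev-sec/ssh-baseline/archive/<TAG>.tar.gz -t docker://$(cat ${container_id}) --no-distinct-exit`. Dropping the explicit `--controls` lists also removes the two comments that recorded which checks were intentionally excluded and why; if all controls are expected to pass now, a one-line comment saying so would preserve that history.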
diff --git a/ansible/roles/dev-sec.ssh-hardening/CHANGELOG.md b/ansible/roles/dev-sec.ssh-hardening/CHANGELOG.md
index 22e13f7..dcfad78 100644
--- a/ansible/roles/dev-sec.ssh-hardening/CHANGELOG.md
+++ b/ansible/roles/dev-sec.ssh-hardening/CHANGELOG.md
@@ -1,8 +1,147 @@ # Changelog -## [Unreleased](https://github.com/dev-sec/ansible-ssh-hardening/tree/HEAD) +## [9.7.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.7.0) (2020-08-09) -[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/8.0.0...HEAD) +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.6.0...9.7.0) + +**Implemented enhancements:** + +- add separate option for controlling motd via pam [\#320](https://github.com/dev-sec/ansible-ssh-hardening/pull/320) ([schurzi](https://github.com/schurzi)) + +## [9.6.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.6.0) (2020-07-28) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.5.0...9.6.0) + +**Implemented enhancements:** + +- add SmartOS support [\#294](https://github.com/dev-sec/ansible-ssh-hardening/pull/294) ([aqw](https://github.com/aqw)) + +**Fixed bugs:** + +- fix local kitchen tests [\#318](https://github.com/dev-sec/ansible-ssh-hardening/pull/318) ([schurzi](https://github.com/schurzi)) +- fix sftp\_umask; store as literal not octal [\#317](https://github.com/dev-sec/ansible-ssh-hardening/pull/317) ([aqw](https://github.com/aqw)) + +**Closed issues:** + +- Make SSH banner path configurable [\#315](https://github.com/dev-sec/ansible-ssh-hardening/issues/315) + +## [9.5.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.5.0) (2020-07-27) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.4.0...9.5.0) + +**Implemented enhancements:** + +- add ssh\_banner\_path variable [\#316](https://github.com/dev-sec/ansible-ssh-hardening/pull/316) ([liteua](https://github.com/liteua)) +- rework CRYPTO\_POLICY handling for fedora [\#314](https://github.com/dev-sec/ansible-ssh-hardening/pull/314) ([schurzi](https://github.com/schurzi)) + +**Fixed bugs:** + +- network\_ipv6\_enable: true not working [\#311](https://github.com/dev-sec/ansible-ssh-hardening/issues/311) + +**Closed issues:** + +- 
RHEL/CentOS 8 requires removal or editing of /etc/crypto-policies/back-ends/openssh\*.config [\#275](https://github.com/dev-sec/ansible-ssh-hardening/issues/275) + +**Merged pull requests:** + +- improve testing in kitchen and travis [\#313](https://github.com/dev-sec/ansible-ssh-hardening/pull/313) ([schurzi](https://github.com/schurzi)) + +## [9.4.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.4.0) (2020-07-21) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.3.0...9.4.0) + +**Implemented enhancements:** + +- Add CentOS 8 support for ansible-ssh-hardening [\#247](https://github.com/dev-sec/ansible-ssh-hardening/issues/247) +- adding specific things for IPv6 support [\#312](https://github.com/dev-sec/ansible-ssh-hardening/pull/312) ([altf4arnold](https://github.com/altf4arnold)) +- add support for CentOS8 [\#309](https://github.com/dev-sec/ansible-ssh-hardening/pull/309) ([schurzi](https://github.com/schurzi)) +- README: New section on server port and idempotency [\#307](https://github.com/dev-sec/ansible-ssh-hardening/pull/307) ([nununo](https://github.com/nununo)) + +**Fixed bugs:** + +- CBC Ciphers should be disabled by default. [\#308](https://github.com/dev-sec/ansible-ssh-hardening/issues/308) + +**Closed issues:** + +- Idempotency when changing sshd ports [\#299](https://github.com/dev-sec/ansible-ssh-hardening/issues/299) +- Simplify crypto.yml checks with blocks [\#256](https://github.com/dev-sec/ansible-ssh-hardening/issues/256) +- Possibility for customising host key algorithms? 
[\#243](https://github.com/dev-sec/ansible-ssh-hardening/issues/243) + +## [9.3.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.3.0) (2020-07-09) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.2.0...9.3.0) + +**Implemented enhancements:** + +- Add support for X11 configuration [\#297](https://github.com/dev-sec/ansible-ssh-hardening/issues/297) +- add blocks to crypto.yml checks [\#305](https://github.com/dev-sec/ansible-ssh-hardening/pull/305) ([schurzi](https://github.com/schurzi)) +- fix typo in hardening.yml [\#304](https://github.com/dev-sec/ansible-ssh-hardening/pull/304) ([schurzi](https://github.com/schurzi)) +- allow customization of X11Forwarding [\#300](https://github.com/dev-sec/ansible-ssh-hardening/pull/300) ([divialth](https://github.com/divialth)) + +**Fixed bugs:** + +- fix package install in tests [\#301](https://github.com/dev-sec/ansible-ssh-hardening/pull/301) ([rndmh3ro](https://github.com/rndmh3ro)) + +**Closed issues:** + +- Typo in hardening.yml [\#303](https://github.com/dev-sec/ansible-ssh-hardening/issues/303) +- Task create sshd\_config and set permissions fails [\#302](https://github.com/dev-sec/ansible-ssh-hardening/issues/302) + +## [9.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.2.0) (2020-06-25) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.1.1...9.2.0) + +**Implemented enhancements:** + +- Add RHEL 8 Support [\#261](https://github.com/dev-sec/ansible-ssh-hardening/issues/261) +- Add option to create 'LocalPort' match blocks [\#295](https://github.com/dev-sec/ansible-ssh-hardening/pull/295) ([aisbergg](https://github.com/aisbergg)) +- Add archlinux support [\#291](https://github.com/dev-sec/ansible-ssh-hardening/pull/291) ([djesionek](https://github.com/djesionek)) +- Harmonize style [\#290](https://github.com/dev-sec/ansible-ssh-hardening/pull/290) ([aisbergg](https://github.com/aisbergg)) + +**Merged pull requests:** + +- add centos 8 to 
meta [\#298](https://github.com/dev-sec/ansible-ssh-hardening/pull/298) ([rndmh3ro](https://github.com/rndmh3ro)) + +## [9.1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.1.1) (2020-06-06) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.1.0...9.1.1) + +**Implemented enhancements:** + +- unify changelog and release actions [\#289](https://github.com/dev-sec/ansible-ssh-hardening/pull/289) ([rndmh3ro](https://github.com/rndmh3ro)) + +**Fixed bugs:** + +- AllowTCPForwarding set to `no` although I have `ssh\_allow\_tcp\_forwarding: yes` [\#286](https://github.com/dev-sec/ansible-ssh-hardening/issues/286) +- `ssh\_allow\_tcp\_forwarding`: use quotes for values [\#288](https://github.com/dev-sec/ansible-ssh-hardening/pull/288) ([jeanmonet](https://github.com/jeanmonet)) + +## [9.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.1.0) (2020-06-02) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.0.0...9.1.0) + +**Implemented enhancements:** + +- allow customization of login gracetime and max sessins [\#287](https://github.com/dev-sec/ansible-ssh-hardening/pull/287) ([chris-rock](https://github.com/chris-rock)) + +## [9.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.0.0) (2020-05-18) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/8.1.0...9.0.0) + +**Breaking changes:** + +- make ssh client-side compression configurable [\#284](https://github.com/dev-sec/ansible-ssh-hardening/pull/284) ([aqw](https://github.com/aqw)) + +**Fixed bugs:** + +- Disable Ubuntu dynamic login MOTD [\#271](https://github.com/dev-sec/ansible-ssh-hardening/issues/271) + +**Closed issues:** + +- Ubuntu disable dynamic MOTD failing [\#283](https://github.com/dev-sec/ansible-ssh-hardening/issues/283) + +## [8.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/8.1.0) (2020-05-09) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/8.0.0...8.1.0) 
**Implemented enhancements:** @@ -377,7 +516,6 @@ **Implemented enhancements:** - CentOS 7 selinux dependencies [\#76](https://github.com/dev-sec/ansible-ssh-hardening/issues/76) -- install selinux dependencies, check for already installed semodule [\#79](https://github.com/dev-sec/ansible-ssh-hardening/pull/79) ([rndmh3ro](https://github.com/rndmh3ro)) - Parameterise Banner and DebianBanner as defaults [\#77](https://github.com/dev-sec/ansible-ssh-hardening/pull/77) ([tsenart](https://github.com/tsenart)) **Fixed bugs:** @@ -386,6 +524,10 @@ - Selinux issue [\#75](https://github.com/dev-sec/ansible-ssh-hardening/issues/75) - Running the tests locally [\#61](https://github.com/dev-sec/ansible-ssh-hardening/issues/61) +**Closed issues:** + +- Applied-Crypto-Hardening project and new cyphers. [\#28](https://github.com/dev-sec/ansible-ssh-hardening/issues/28) + ## [3.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.1.0) (2016-08-03) [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.1...3.1.0) @@ -401,6 +543,7 @@ **Implemented enhancements:** - Add Xenial / Ubuntu 16.04 LTS to meta/main.yml [\#63](https://github.com/dev-sec/ansible-ssh-hardening/issues/63) +- install selinux dependencies, check for already installed semodule [\#79](https://github.com/dev-sec/ansible-ssh-hardening/pull/79) ([rndmh3ro](https://github.com/rndmh3ro)) - Use new ciphers, kex, macs and priv separation sandbox for redhat family 7 [\#73](https://github.com/dev-sec/ansible-ssh-hardening/pull/73) ([atomic111](https://github.com/atomic111)) - add docker support [\#71](https://github.com/dev-sec/ansible-ssh-hardening/pull/71) ([rndmh3ro](https://github.com/rndmh3ro)) - add always\_run: true to task. fix \#64 [\#69](https://github.com/dev-sec/ansible-ssh-hardening/pull/69) ([rndmh3ro](https://github.com/rndmh3ro)) 
@@ -462,19 +605,19 @@ ## [1.2.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2.1) (2015-10-16) -[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2...1.2.1) +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2.0...1.2.1) **Merged pull requests:** - Allow whitelisted groups on ssh [\#40](https://github.com/dev-sec/ansible-ssh-hardening/pull/40) ([fheinle](https://github.com/fheinle)) -## [1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2) (2015-09-28) - -[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2.0...1.2) - ## [1.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2.0) (2015-09-28) -[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1.0...1.2.0) +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2...1.2.0) + +## [1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2) (2015-09-28) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1.0...1.2) **Merged pull requests:** @@ -493,9 +636,7 @@ **Closed issues:** - ssh\_ports - individual client/server config [\#33](https://github.com/dev-sec/ansible-ssh-hardening/issues/33) -- Applied-Crypto-Hardening project and new cyphers. [\#28](https://github.com/dev-sec/ansible-ssh-hardening/issues/28) - UsePAM should probably default to yes on Red Hat Linux 7 [\#23](https://github.com/dev-sec/ansible-ssh-hardening/issues/23) -- Running test-kitchen fails [\#2](https://github.com/dev-sec/ansible-ssh-hardening/issues/2) **Merged pull requests:** @@ -527,6 +668,7 @@ - add travis test for ubuntu 12.04 [\#7](https://github.com/dev-sec/ansible-ssh-hardening/issues/7) - Use handler for sshd restart [\#6](https://github.com/dev-sec/ansible-ssh-hardening/issues/6) +- Running test-kitchen fails [\#2](https://github.com/dev-sec/ansible-ssh-hardening/issues/2) **Merged pull requests:** 
diff --git a/ansible/roles/dev-sec.ssh-hardening/README.md b/ansible/roles/dev-sec.ssh-hardening/README.md
index cd61aec..c1d02e9 100644
--- a/ansible/roles/dev-sec.ssh-hardening/README.md
+++ b/ansible/roles/dev-sec.ssh-hardening/README.md
@@ -1,12 +1,11 @@ # ssh-hardening (Ansible Role) [![Build Status](http://img.shields.io/travis/dev-sec/ansible-ssh-hardening.svg)][1]
-[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][2] [![Ansible Galaxy](https://img.shields.io/badge/galaxy-ssh--hardening-660198.svg)][3] ## Description
-This role provides secure ssh-client and ssh-server configurations. It is intended to be compliant with the [DevSec SSH Baseline](https://github.com/dev-sec/ssh-baseline).
+This role provides secure ssh-client and ssh-server configurations. It is intended to be compliant with the [DevSec SSH Baseline](https://github.com/dev-sec/ssh-baseline). Warning: This role disables root-login on the target server! Please make sure you have another user with su or sudo permissions that can login into the server.
@@ -17,10 +16,10 @@ Warning: This role disables root-login on the target server! Please make sure yo ## Role Variables | Name | Default Value | Description | | -------------- | ------------- | -----------------------------------| -|`network_ipv6_enable` | false |true if IPv6 is needed| +|`network_ipv6_enable` | false |true if IPv6 is needed. `ssh_listen_to` must also be set to listen to IPv6 addresses (for example `[::]`).| |`ssh_server_ports` | ['22'] |ports on which ssh-server should listen| |`ssh_client_port` | '22' |port to which ssh-client should connect| -|`ssh_listen_to` | ['0.0.0.0'] |one or more ip addresses, to which ssh-server should listen to. Default is all adresseses, but should be configured to specific addresses for security reasons!| +|`ssh_listen_to` | ['0.0.0.0'] |one or more ip addresses, to which ssh-server should listen to. Default is all IPv4 adresses, but should be configured to specific addresses for security reasons!| |`ssh_host_key_files` | [] |Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version| |`ssh_host_key_algorithms` | [] | Host key algorithms that the server offers. If empty the [default list](https://man.openbsd.org/sshd_config#HostKeyAlgorithms) will be used, otherwise overrides the setting with specified list of algorithms| |`ssh_client_alive_interval` | 600 | specifies an interval for sending keepalive messages | 
@@ -28,9 +27,10 @@ Warning: This role disables root-login on the target server! Please make sure yo |`ssh_permit_tunnel` | false | true if SSH Port Tunneling is required | |`ssh_remote_hosts` | [] | one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`.| |`ssh_permit_root_login` | no | Disable root-login. Set to `without-password` or `yes` to enable root-login | -|`ssh_allow_tcp_forwarding` | no | `no` to disable TCP Forwarding. Set to `yes` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `yes`, `no`, `all` or `local`| +|`ssh_allow_tcp_forwarding` | no | `'no'` to disable TCP Forwarding. Set to `'yes'` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `'yes'`, `'no'`, `'all'` or `'local'`.
*Note*: values passed to this variable must be strings, thus values `'yes'` and `'no'` should be passed with quotes. | |`ssh_gateway_ports` | `false` | `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to.| |`ssh_allow_agent_forwarding` | false | false to disable Agent Forwarding. Set to true to allow Agent Forwarding.| +|`ssh_x11_forwarding` | false | false to disable X11 Forwarding. Set to true to allow X11 Forwarding.| |`ssh_pam_support` | true | true if SSH has PAM support.| |`ssh_use_pam` | true | false to disable pam authentication.| |`ssh_gssapi_support` | false | true if SSH has GSSAPI support.| @@ -45,9 +45,10 @@ Warning: This role disables root-login on the target server! Please make sure yo |`ssh_authorized_principals_file` | '' | specifies the file containing principals that are allowed. Only used if ssh_trusted_user_ca_keys_file is set. | |`ssh_authorized_principals` | [] | list of hashes containing file paths and authorized principals, see default_custom.yml for all options. Only used if ssh_authorized_principals_file is set. | |`ssh_print_motd` | false | false to disable printing of the MOTD| +|`ssh_print_pam_motd` | false | false to disable printing of the MOTD via pam (Debian and Ubuntu)| |`ssh_print_last_log` | false | false to disable display of last login information| |`sftp_enabled` | false | true to enable sftp configuration| -|`sftp_umask` | 0027 | Specifies the umask for sftp| +|`sftp_umask` | '0027' | Specifies the umask for sftp| |`sftp_chroot` | true | false to disable chroot for sftp| |`sftp_chroot_dir` | /home/%u | change default sftp chroot location| |`ssh_client_roaming` | false | enable experimental client roaming| 
@@ -57,16 +58,21 @@ Warning: This role disables root-login on the target server! Please make sure yo |`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client | |`ssh_server_password_login` | false | `true` to allow password-based authentication with the ssh server | |`ssh_banner` | `false` | `true` to print a banner on login | +|`ssh_banner_path`| '/etc/sshd/banner.txt' | path to the SSH banner file | |`ssh_client_hardening` | `true` | `false` to stop harden the client | |`ssh_client_port` | `'22'` | Specifies the port number to connect on the remote host. | -|`ssh_compression` | `false` | Specifies whether compression is enabled after the user has authenticated successfully. | +|`ssh_client_compression` | `false` | Specifies whether the client requests compression. | +|`ssh_compression` | `false` | Specifies whether server-side compression is enabled after the user has authenticated successfully. | +|`ssh_login_grace_time` | `30s` | specifies the time allowed for successful authentication to the SSH server | |`ssh_max_auth_retries` | `2` | Specifies the maximum number of authentication attempts permitted per connection. | +|`ssh_max_sessions` | `10` | Specifies the maximum number of open sessions permitted from a given connection. | |`ssh_print_debian_banner` | `false` | `true` to print debian specific banner | |`ssh_server_enabled` | `true` | `false` to disable the opensshd server | |`ssh_server_hardening` | `true` | `false` to stop harden the server | |`ssh_server_match_address` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. | |`ssh_server_match_group` | '' | Introduces a conditional block. 
If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. | |`ssh_server_match_user` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. | +|`ssh_server_match_local_port` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. | |`ssh_server_permit_environment_vars` | `no` | `yes` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global "yes" or "no" settings | |`ssh_server_accept_env_vars`| '' | Specifies what environment variables sent by the client will be copied into the session's enviroment, multiple environment variables may be separated by whitespace | |`ssh_use_dns` | `false` | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. | 
@@ -99,6 +105,12 @@ Example playbook: - "AcceptEnv LANG" ``` +## Changing the default port and idempotency + +This role uses the default port 22 or the port configured in the inventory to connect to the server. If the default `ssh` port is changed via `ssh_server_ports`, once the ssh server is restarted, it will still try to connect using the previous port. In order to run this role again on the same server the inventory will have to be updated to use the new ssh port. + +If idempotency is important, please consider using role [`ssh-hardening-fallback`](https://github.com/nununo/ansible-ssh-hardening-fallback), which is a wrapper around this role that falls back to port 22 if the configured port is unreachable. + ## Example Playbook - hosts: localhost @@ -120,6 +132,7 @@ bundle install ``` ### Testing with Docker + ``` # fast test on one machine bundle exec kitchen test ssh-ubuntu1804-ansible-latest diff --git a/ansible/roles/dev-sec.ssh-hardening/defaults/main.yml b/ansible/roles/dev-sec.ssh-hardening/defaults/main.yml index 865bf18..aeb0198 100644 --- a/ansible/roles/dev-sec.ssh-hardening/defaults/main.yml +++ b/ansible/roles/dev-sec.ssh-hardening/defaults/main.yml 
@@ -1,48 +1,55 @@ # true if IPv6 is needed -network_ipv6_enable: false # sshd + ssh +network_ipv6_enable: false # sshd + ssh # true if sshd should be started and enabled -ssh_server_enabled: true # sshd +ssh_server_enabled: true # sshd # true if DNS resolutions are needed, look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8 -ssh_use_dns: false # sshd +ssh_use_dns: false # sshd # true or value if compression is needed -ssh_compression: false # sshd +ssh_client_compression: false # ssh +ssh_compression: false # sshd # For which components (client and server) to generate the configuration for. Can be useful when running against a client without an SSH server. ssh_client_hardening: true # ssh ssh_server_hardening: true # sshd # If true, password login is allowed -ssh_client_password_login: false # ssh -ssh_server_password_login: false # sshd +ssh_client_password_login: false # ssh +ssh_server_password_login: false # sshd # ports on which ssh-server should listen -ssh_server_ports: ['22'] # sshd +ssh_server_ports: ['22'] # sshd # port to which ssh-client should connect -ssh_client_port: '22' # ssh +ssh_client_port: '22' # ssh # one or more ip addresses, to which ssh-server should listen to. Default is empty, but should be configured for security reasons! -ssh_listen_to: ['0.0.0.0'] # sshd +ssh_listen_to: ['0.0.0.0'] # sshd # Host keys to look for when starting sshd. -ssh_host_key_files: [] # sshd +ssh_host_key_files: [] # sshd # Specifies the host key algorithms that the server offers -ssh_host_key_algorithms: [] # sshd +ssh_host_key_algorithms: [] # sshd + +# specifies the time allowed for successful authentication to the SSH server +ssh_login_grace_time: 30s # Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. 
ssh_max_auth_retries: 2 -ssh_client_alive_interval: 300 # sshd -ssh_client_alive_count: 3 # sshd +# Specifies the maximum number of open sessions permitted from a given connection +ssh_max_sessions: 10 + +ssh_client_alive_interval: 300 # sshd +ssh_client_alive_count: 3 # sshd # Allow SSH Tunnels ssh_permit_tunnel: false -# Hosts with custom options. # ssh +# Hosts with custom options. # ssh # Example: # ssh_remote_hosts: # - names: ['example.com', 'example2.com'] @@ -52,23 +59,26 @@ ssh_permit_tunnel: false ssh_remote_hosts: [] # Set this to "without-password" or "yes" to allow root to login -ssh_permit_root_login: 'no' # sshd +ssh_permit_root_login: 'no' # sshd # false to disable TCP Forwarding. Set to true to allow TCP Forwarding. -ssh_allow_tcp_forwarding: 'no' # sshd +ssh_allow_tcp_forwarding: 'no' # sshd # false to disable binding forwarded ports to non-loopback addresses. Set to true to force binding on wildcard address. # Set to 'clientspecified' to allow the client to specify which address to bind to. -ssh_gateway_ports: false # sshd +ssh_gateway_ports: false # sshd # false to disable Agent Forwarding. Set to true to allow Agent Forwarding. -ssh_allow_agent_forwarding: false # sshd +ssh_allow_agent_forwarding: false # sshd + +# false to disable X11 Forwarding. Set to true to allow X11 Forwarding. +ssh_x11_forwarding: false # sshd # true if SSH has PAM support ssh_pam_support: true # false to disable pam authentication. -ssh_use_pam: true # sshd +ssh_use_pam: true # sshd # specify AuthenticationMethods sshd_authenticationmethods: 'publickey' 
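Review bot: The new `ssh_client_compression` line is placed under the existing comment `# true or value if compression is needed` together with `ssh_compression`, so the comment no longer says which side each variable controls. Give each its own line, e.g. `# true if the ssh client should request compression` above `ssh_client_compression` and `# true if sshd should allow compression once the user has authenticated` above `ssh_compression`, matching the wording the README rows in this patch already use. The `ssh_login_grace_time: 30s` and `ssh_max_sessions: 10` defaults appear to reproduce the values that were previously hard-coded in opensshd.conf.j2, which is worth saying in their comments so nobody tightens one without knowing the old behaviour.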
@@ -80,29 +90,29 @@ ssh_gssapi_support: false ssh_kerberos_support: true # if specified, login is disallowed for user names that match one of the patterns. -ssh_deny_users: '' # sshd +ssh_deny_users: '' # sshd # if specified, login is allowed only for user names that match one of the patterns. -ssh_allow_users: '' # sshd +ssh_allow_users: '' # sshd # if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns. -ssh_deny_groups: '' # sshd +ssh_deny_groups: '' # sshd # if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. -ssh_allow_groups: '' # sshd +ssh_allow_groups: '' # sshd # change default file that contains the public keys that can be used for user authentication. -ssh_authorized_keys_file: '' # sshd +ssh_authorized_keys_file: '' # sshd # specifies the file containing trusted certificate authorities public keys used to sign user certificates. -ssh_trusted_user_ca_keys_file: '' # sshd +ssh_trusted_user_ca_keys_file: '' # sshd # set the trusted certificate authorities public keys used to sign user certificates. # Example: # ssh_trusted_user_ca_keys: # - 'ssh-rsa ... comment1' # - 'ssh-rsa ... comment2' -ssh_trusted_user_ca_keys: [] # sshd +ssh_trusted_user_ca_keys: [] # sshd # specifies the file containing principals that are allowed. Only used if ssh_trusted_user_ca_keys_file is set. # Example: 
@@ -112,26 +122,30 @@ ssh_trusted_user_ca_keys: [] # sshd # replaced by the username of that user. After expansion, the path is taken to be # an absolute path or one relative to the user's home directory. # -ssh_authorized_principals_file: '' # sshd +ssh_authorized_principals_file: '' # sshd # list of hashes containing file paths and authorized principals. Only used if ssh_authorized_principals_file is set. # Example: # ssh_authorized_principals: # - { path: '/etc/ssh/auth_principals/root', principals: [ 'root' ], owner: "{{ ssh_owner }}", group: "{{ ssh_group }}", directoryowner: "{{ ssh_owner }}", directorygroup: "{{ ssh_group}}" } # - { path: '/etc/ssh/auth_principals/myuser', principals: [ 'masteradmin', 'webserver' ] } -ssh_authorized_principals: [] # sshd +ssh_authorized_principals: [] # sshd # false to disable printing of the MOTD -ssh_print_motd: false # sshd +ssh_print_motd: false # sshd +ssh_print_pam_motd: false # sshd # false to disable display of last login information -ssh_print_last_log: false # sshd +ssh_print_last_log: false # sshd -# false to disable serving /etc/ssh/banner.txt before authentication is allowed -ssh_banner: false # sshd +# false to disable serving ssh warning banner before authentication is allowed +ssh_banner: false # sshd + +# path to file with ssh warning banner +ssh_banner_path: '/etc/ssh/banner.txt' # false to disable distribution version leakage during initial protocol handshake -ssh_print_debian_banner: false # sshd (Debian OS family only) +ssh_print_debian_banner: false # sshd (Debian OS family only) # true to enable sftp configuration sftp_enabled: false @@ -140,7 +154,7 @@ sftp_enabled: false sftp_chroot: true # sftp default umask -sftp_umask: 0027 +sftp_umask: '0027' # change default sftp chroot location sftp_chroot_dir: /home/%u 
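Review bot: `ssh_print_pam_motd: false # sshd` is added without an explanatory comment, unlike every neighbouring variable, and none of the visible README rows list it; since hardening.yml now uses it to decide whether `pam_motd.so` is removed from the sshd PAM service, a reader cannot tell it apart from `ssh_print_motd`. Suggest `# false to remove pam_motd.so from the sshd PAM service (only evaluated when ssh_pam_support is true); independent of the PrintMotd option controlled by ssh_print_motd`. Separately, the default `ssh_banner_path: '/etc/ssh/banner.txt'` disagrees with the README row added in this same patch, which documents `'/etc/sshd/banner.txt'`; one of the two should be corrected.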
@@ -148,20 +162,23 @@ sftp_chroot_dir: /home/%u # enable experimental client roaming ssh_client_roaming: false -# list of hashes (containing user and rules) to generate Match User blocks for. -ssh_server_match_user: false # sshd +# list of hashes (containing user and rules) to generate Match User blocks for +ssh_server_match_user: false # sshd -# list of hashes (containing group and rules) to generate Match Group blocks for. -ssh_server_match_group: false # sshd +# list of hashes (containing group and rules) to generate Match Group blocks for +ssh_server_match_group: false # sshd -# list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for. -ssh_server_match_address: false # sshd +# list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for +ssh_server_match_address: false # sshd + +# list of hashes (containing port and rules) to generate Match LocalPort blocks for +ssh_server_match_local_port: false # sshd ssh_server_permit_environment_vars: 'no' -ssh_server_accept_env_vars : '' +ssh_server_accept_env_vars: '' # maximum number of concurrent unauthenticated connections to the SSH daemon -ssh_max_startups: '10:30:100' # sshd +ssh_max_startups: '10:30:100' # sshd ssh_ps53: 'yes' ssh_ps59: 'sandbox' @@ -249,3 +266,7 @@ sshd_syslog_facility: 'AUTH' sshd_log_level: 'VERBOSE' sshd_strict_modes: yes + +# disable CRYPTO_POLICY to take settings from sshd configuration +# see: https://access.redhat.com/solutions/4410591 +sshd_disable_crypto_policy: true diff --git a/ansible/roles/dev-sec.ssh-hardening/files/sshd b/ansible/roles/dev-sec.ssh-hardening/files/sshd new file mode 100644 index 0000000..085c208 --- /dev/null +++ b/ansible/roles/dev-sec.ssh-hardening/files/sshd 
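Review bot: `sshd_disable_crypto_policy: true` opts sshd out of the system-wide crypto policy by default on every host where the `crypto-policies` package is present, and the two-line comment does not say what that implies: after this change the role's `ssh_ciphers`/`ssh_macs`/`ssh_kex` lists are the only thing governing the algorithms sshd offers, and a policy selected with update-crypto-policies (including FIPS) no longer applies to sshd. Suggest expanding the comment to `# true makes sshd ignore the system-wide crypto policy (update-crypto-policies, incl. FIPS) so that only the Ciphers/MACs/KexAlgorithms rendered into sshd_config apply; only acts where the crypto-policies package is installed`. As far as the README hunks in this patch show, the variable is not documented in the README table either.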
@@ -0,0 +1,17 @@
+# Configuration file for the sshd service.
+
+# The server keys are automatically generated if they are missing.
+# To change the automatic creation, adjust sshd.service options for
+# example using systemctl enable sshd-keygen@dsa.service to allow creation
+# of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key
+# creation.
+
+# Do not change this option unless you have hardware random
+# generator and you REALLY know what you are doing
+
+SSH_USE_STRONG_RNG=0
+# SSH_USE_STRONG_RNG=1
+
+# System-wide crypto policy:
+# To opt-out, uncomment the following line
+CRYPTO_POLICY=
diff --git a/ansible/roles/dev-sec.ssh-hardening/handlers/main.yml b/ansible/roles/dev-sec.ssh-hardening/handlers/main.yml
index 2b39da5..7cc0fde 100644
--- a/ansible/roles/dev-sec.ssh-hardening/handlers/main.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/handlers/main.yml
@@ -1,4 +1,6 @@
 - name: restart sshd
- service: name={{ sshd_service_name }} state=restarted
- when: "(ssh_server_enabled|bool)"
+ service:
+ name: '{{ sshd_service_name }}'
+ state: restarted
+ when: ssh_server_enabled | bool
 become: yes
diff --git a/ansible/roles/dev-sec.ssh-hardening/meta/.galaxy_install_info b/ansible/roles/dev-sec.ssh-hardening/meta/.galaxy_install_info
index b8b48bf..51f79a5 100644
--- a/ansible/roles/dev-sec.ssh-hardening/meta/.galaxy_install_info
+++ b/ansible/roles/dev-sec.ssh-hardening/meta/.galaxy_install_info
@@ -1,2 +1,2 @@
-install_date: Fri May 15 20:29:21 2020
-version: 8.1.0
+install_date: Thu Feb 18 15:39:23 2021
+version: 9.7.0
diff --git a/ansible/roles/dev-sec.ssh-hardening/meta/main.yml b/ansible/roles/dev-sec.ssh-hardening/meta/main.yml
index 2f7eb5a..9b997db 100644
--- a/ansible/roles/dev-sec.ssh-hardening/meta/main.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/meta/main.yml
@@ -10,6 +10,7 @@ galaxy_info:
 versions:
 - 6
 - 7
+ - 8
 - name: Ubuntu
 versions:
 - xenial
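Review bot: `files/sshd` looks like a verbatim copy of the packaged /etc/sysconfig/sshd with `CRYPTO_POLICY=` uncommented, but nothing in the file says the role owns it or why, so an administrator finding it on a host will not know that local edits are overwritten on the next run. Because the file is deployed with `copy:` rather than `template:`, the usual `{{ ansible_managed | comment }}` header cannot be used; add a plain first line such as `# Deployed by the dev-sec.ssh-hardening role (sshd_disable_crypto_policy): CRYPTO_POLICY is left empty so sshd uses the Ciphers/MACs/KexAlgorithms from sshd_config instead of the system-wide policy`. `SSH_USE_STRONG_RNG=0` appears to be the packaged default rather than a change by the role, which is worth stating in the same header so it is not mistaken for a deliberate weakening.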
@@ -20,6 +21,8 @@ galaxy_info: - buster - name: Amazon - name: Fedora + - name: Archlinux + - name: SmartOS galaxy_tags: - system - security diff --git a/ansible/roles/dev-sec.ssh-hardening/tasks/ca_keys_and_principals.yml b/ansible/roles/dev-sec.ssh-hardening/tasks/ca_keys_and_principals.yml index d628461..54b5635 100644 --- a/ansible/roles/dev-sec.ssh-hardening/tasks/ca_keys_and_principals.yml +++ b/ansible/roles/dev-sec.ssh-hardening/tasks/ca_keys_and_principals.yml @@ -1,5 +1,5 @@ --- -- name: Set ssh CA pub keys +- name: set ssh CA pub keys template: src: 'trusted_user_ca_keys.j2' dest: '{{ ssh_trusted_user_ca_keys_file }}' @@ -8,20 +8,20 @@ group: '{{ ssh_group }}' notify: restart sshd -- name: Create ssh authorized principals directories +- name: create ssh authorized principals directories file: path: '{{ item.path | dirname }}' mode: '{{ item.directorymode | default(0700) }}' owner: '{{ item.directoryowner | default(ssh_owner) }}' group: '{{ item.directorygroup | default(ssh_group) }}' state: directory - with_items: '{{ ssh_authorized_principals }}' + loop: '{{ ssh_authorized_principals }}' -- name: Set ssh authorized principals +- name: set ssh authorized principals template: src: 'authorized_principals.j2' dest: '{{ item.path }}' mode: '{{ item.filemode | default(0600) }}' owner: '{{ item.owner| default(ssh_owner) }}' group: '{{ item.group | default(ssh_group) }}' - with_items: '{{ ssh_authorized_principals }}' + loop: '{{ ssh_authorized_principals }}' diff --git a/ansible/roles/dev-sec.ssh-hardening/tasks/crypto.yml b/ansible/roles/dev-sec.ssh-hardening/tasks/crypto.yml deleted file mode 100644 index 364f6b7..0000000 --- a/ansible/roles/dev-sec.ssh-hardening/tasks/crypto.yml +++ /dev/null 
@@ -1,75 +0,0 @@ ---- - -- name: set hostkeys according to openssh-version - set_fact: - ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] - when: sshd_version is version('6.3', '>=') and not ssh_host_key_files - -- name: set hostkeys according to openssh-version - set_fact: - ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key'] - when: sshd_version is version('6.0', '>=') and not ssh_host_key_files - -- name: set hostkeys according to openssh-version - set_fact: - ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key'] - when: sshd_version is version('5.3', '>=') and not ssh_host_key_files - -### - -- name: set macs according to openssh-version if openssh >= 7.6 - set_fact: - ssh_macs: '{{ ssh_macs_76_default }}' - when: sshd_version is version('7.6', '>=') and not ssh_macs - -- name: set macs according to openssh-version if openssh >= 6.6 - set_fact: - ssh_macs: '{{ ssh_macs_66_default }}' - when: sshd_version is version('6.6', '>=') and not ssh_macs - -- name: set macs according to openssh-version - set_fact: - ssh_macs: '{{ ssh_macs_59_default }}' - when: sshd_version is version('5.9', '>=') and not ssh_macs - -- name: set macs for Enterprise Linux >= 6.5 (openssh 5.3 with backports) - set_fact: - ssh_macs: '{{ ssh_macs_53_el_6_5_default }}' - when: - - ansible_facts.distribution in ['CentOS', 'OracleLinux', 'RedHat'] - - ansible_facts.distribution_version is version('6.5', '>=') - - not ssh_macs - -- name: set macs according to openssh-version - set_fact: - ssh_macs: '{{ ssh_macs_53_default }}' - when: sshd_version is version('5.3', '>=') and not ssh_macs - -### - -- name: set ciphers according to openssh-version if openssh >= 6.6 - set_fact: - ssh_ciphers: '{{ ssh_ciphers_66_default }}' - when: sshd_version is version('6.6', '>=') and not ssh_ciphers - -- name: set ciphers according to openssh-version - set_fact: - ssh_ciphers: '{{ ssh_ciphers_53_default }}' - when: 
sshd_version is version('5.3', '>=') and not ssh_ciphers - -### - -- name: set kex according to openssh-version if openssh >= 8.0 - set_fact: - ssh_kex: '{{ ssh_kex_80_default }}' - when: sshd_version is version('8.0', '>=') and not ssh_kex - -- name: set kex according to openssh-version if openssh >= 6.6 - set_fact: - ssh_kex: '{{ ssh_kex_66_default }}' - when: sshd_version is version('6.6', '>=') and not ssh_kex - -- name: set kex according to openssh-version - set_fact: - ssh_kex: '{{ ssh_kex_59_default }}' - when: sshd_version is version('5.9', '>=') and not ssh_kex diff --git a/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_ciphers.yml b/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_ciphers.yml new file mode 100644 index 0000000..45344c4 --- /dev/null +++ b/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_ciphers.yml @@ -0,0 +1,10 @@ +--- +- name: set ciphers according to openssh-version if openssh >= 5.3 + set_fact: + ssh_ciphers: '{{ ssh_ciphers_53_default }}' + when: sshd_version is version('5.3', '>=') + +- name: set ciphers according to openssh-version if openssh >= 6.6 + set_fact: + ssh_ciphers: '{{ ssh_ciphers_66_default }}' + when: sshd_version is version('6.6', '>=') diff --git a/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_hostkeys.yml b/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_hostkeys.yml new file mode 100644 index 0000000..76ff7ad --- /dev/null +++ b/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_hostkeys.yml 
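Review bot: The new crypto_ciphers.yml cascade relies on task order instead of the `and not ssh_ciphers` guards the deleted crypto.yml used: each `set_fact` overwrites the previous value, so the last task whose `when` holds wins and the tasks must stay sorted from oldest to newest OpenSSH version. This is not stated anywhere, and the same applies to crypto_hostkeys.yml, crypto_kex.yml and crypto_macs.yml, where the Enterprise Linux 6.5 task is placed between the `>= 5.3` and `>= 5.9` tasks precisely so the newer defaults still take precedence. Add a comment after the `---` in each file, e.g. `# Ordered oldest to newest: every matching task overwrites the previous value, so the highest matching version wins.`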
@@ -0,0 +1,21 @@
+---
+- name: set hostkeys according to openssh-version if openssh >= 5.3
+ set_fact:
+ ssh_host_key_files:
+ - "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
+ when: sshd_version is version('5.3', '>=')
+
+- name: set hostkeys according to openssh-version if openssh >= 6.0
+ set_fact:
+ ssh_host_key_files:
+ - "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
+ - "{{ ssh_host_keys_dir }}/ssh_host_ecdsa_key"
+ when: sshd_version is version('6.0', '>=')
+
+- name: set hostkeys according to openssh-version if openssh >= 6.3
+ set_fact:
+ ssh_host_key_files:
+ - "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
+ - "{{ ssh_host_keys_dir }}/ssh_host_ecdsa_key"
+ - "{{ ssh_host_keys_dir }}/ssh_host_ed25519_key"
+ when: sshd_version is version('6.3', '>=')
diff --git a/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_kex.yml b/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_kex.yml
new file mode 100644
index 0000000..e55e721
--- /dev/null
+++ b/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_kex.yml
@@ -0,0 +1,15 @@
+---
+- name: set kex according to openssh-version if openssh >= 5.9
+ set_fact:
+ ssh_kex: '{{ ssh_kex_59_default }}'
+ when: sshd_version is version('5.9', '>=')
+
+- name: set kex according to openssh-version if openssh >= 6.6
+ set_fact:
+ ssh_kex: '{{ ssh_kex_66_default }}'
+ when: sshd_version is version('6.6', '>=')
+
+- name: set kex according to openssh-version if openssh >= 8.0
+ set_fact:
+ ssh_kex: '{{ ssh_kex_80_default }}'
+ when: sshd_version is version('8.0', '>=')
diff --git a/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_macs.yml b/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_macs.yml
new file mode 100644
index 0000000..f4cdf54
--- /dev/null
+++ b/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_macs.yml
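Review bot: crypto_hostkeys.yml builds every HostKey path from `ssh_host_keys_dir`, a variable no hunk in this patch defines (the deleted crypto.yml hard-coded `/etc/ssh`). If it is meant to come from the per-OS vars files loaded by `with_first_found` in hardening.yml, each of those files must set it, otherwise the `HostKey` loop in opensshd.conf.j2 fails on an undefined variable for that platform. A fallback in defaults/main.yml, e.g. `ssh_host_keys_dir: /etc/ssh`, would make the role fail-safe and document the variable at the same time.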
@@ -0,0 +1,27 @@ +--- +- name: set macs according to openssh-version if openssh >= 5.3 + set_fact: + ssh_macs: '{{ ssh_macs_53_default }}' + when: sshd_version is version('5.3', '>=') + +- name: set macs for Enterprise Linux >= 6.5 (openssh 5.3 with backports) + set_fact: + ssh_macs: '{{ ssh_macs_53_el_6_5_default }}' + when: + - ansible_facts.distribution in ['CentOS', 'OracleLinux', 'RedHat'] + - ansible_facts.distribution_version is version('6.5', '>=') + +- name: set macs according to openssh-version if openssh >= 5.9 + set_fact: + ssh_macs: '{{ ssh_macs_59_default }}' + when: sshd_version is version('5.9', '>=') + +- name: set macs according to openssh-version if openssh >= 6.6 + set_fact: + ssh_macs: '{{ ssh_macs_66_default }}' + when: sshd_version is version('6.6', '>=') + +- name: set macs according to openssh-version if openssh >= 7.6 + set_fact: + ssh_macs: '{{ ssh_macs_76_default }}' + when: sshd_version is version('7.6', '>=') diff --git a/ansible/roles/dev-sec.ssh-hardening/tasks/hardening.yml b/ansible/roles/dev-sec.ssh-hardening/tasks/hardening.yml index 02be78f..705840e 100644 --- a/ansible/roles/dev-sec.ssh-hardening/tasks/hardening.yml +++ b/ansible/roles/dev-sec.ssh-hardening/tasks/hardening.yml @@ -1,11 +1,11 @@ --- -- name: Set OS dependent variables +- name: set OS dependent variables include_vars: '{{ item }}' with_first_found: - - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml' - - '{{ ansible_facts.distribution }}.yml' - - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml' - - '{{ ansible_facts.os_family }}.yml' + - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml' + - '{{ ansible_facts.distribution }}.yml' + - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml' + - '{{ ansible_facts.os_family }}.yml' - name: get openssh-version command: ssh -V 
@@ -17,8 +17,21 @@ set_fact: sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]*.[0-9]).*', '\\1') }}" -- name: include tasks to create crypo-vars - include_tasks: crypto.yml +- name: set default for ssh_host_key_files if not supplied + include_tasks: crypto_hostkeys.yml + when: not ssh_host_key_files + +- name: set default for ssh_macs if not supplied + include_tasks: crypto_macs.yml + when: not ssh_macs + +- name: set default for ssh_ciphers if not supplied + include_tasks: crypto_ciphers.yml + when: not ssh_ciphers + +- name: set default for ssh_kex if not supplied + include_tasks: crypto_kex.yml + when: not ssh_kex - name: create revoked_keys and set permissions to root/600 template: @@ -37,7 +50,7 @@ mode: '0600' owner: '{{ ssh_owner }}' group: '{{ ssh_group }}' - validate: '/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -f %s' + validate: '{{ sshd_path }} -T -C user=root -C host=localhost -C addr=localhost -C lport=22 -f %s' notify: restart sshd when: ssh_server_hardening | bool @@ -48,10 +61,11 @@ control: optional module_path: pam_motd.so state: absent + backup: yes when: - ssh_server_hardening | bool - ssh_pam_support | bool - - not (ssh_print_motd | bool) + - not (ssh_print_pam_motd | bool) - name: create ssh_config and set permissions to root/644 template: @@ -62,7 +76,7 @@ group: '{{ ssh_group }}' when: ssh_client_hardening | bool -- name: Check if {{ sshd_moduli_file }} contains weak DH parameters +- name: check if {{ sshd_moduli_file }} contains weak DH parameters shell: awk '$5 < {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }} register: sshd_register_moduli changed_when: false 
@@ -84,3 +98,17 @@ - name: include selinux specific tasks include_tasks: selinux.yml when: ansible_facts.selinux and ansible_facts.selinux.status == "enabled" + +- name: gather package facts + package_facts: + check_mode: no + when: + - sshd_disable_crypto_policy | bool + +- name: disable SSH server CRYPTO_POLICY + copy: + src: sshd + dest: /etc/sysconfig/sshd + when: + - sshd_disable_crypto_policy | bool + - ('crypto-policies' in ansible_facts.packages) diff --git a/ansible/roles/dev-sec.ssh-hardening/tasks/main.yml b/ansible/roles/dev-sec.ssh-hardening/tasks/main.yml index 32f9d02..a62da78 100644 --- a/ansible/roles/dev-sec.ssh-hardening/tasks/main.yml +++ b/ansible/roles/dev-sec.ssh-hardening/tasks/main.yml @@ -1,4 +1,3 @@ --- - - include_tasks: hardening.yml when: ssh_hardening_enabled | bool diff --git a/ansible/roles/dev-sec.ssh-hardening/tasks/selinux.yml b/ansible/roles/dev-sec.ssh-hardening/tasks/selinux.yml index 43b8d08..f08f5af 100644 --- a/ansible/roles/dev-sec.ssh-hardening/tasks/selinux.yml +++ b/ansible/roles/dev-sec.ssh-hardening/tasks/selinux.yml @@ -4,14 +4,13 @@ name: '{{ ssh_selinux_packages }}' state: present -- name: "authorize {{ ssh_server_ports }} ports for selinux" +- name: authorize {{ ssh_server_ports }} ports for selinux seport: ports: '{{ item }}' proto: tcp setype: ssh_port_t state: present - with_items: - - "{{ ssh_server_ports }}" + loop: '{{ ssh_server_ports }}' - name: check if ssh_password module is already installed shell: 'set -o pipefail && semodule -l | grep ssh_password' 
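Review bot: The `disable SSH server CRYPTO_POLICY` task copies `files/sshd` over /etc/sysconfig/sshd but carries no `notify: restart sshd`, and that file is only read when the sshd service starts, so when only this file changes (for example because crypto-policies was installed after an earlier run) the system crypto policy stays in effect until something else restarts the daemon. The copy also replaces the whole distribution file rather than only the `CRYPTO_POLICY=` line, without `backup: yes`, so any locally added variables in it are lost silently. Add `notify: restart sshd` and `backup: yes` to the task; `mode`/`owner`/`group` are not set either, so confirm the resulting permissions match the packaged file.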
@@ -22,35 +21,41 @@ changed_when: false check_mode: no -# The following tasks only get executed when selinux is in state enforcing, UsePam is 'no' and the ssh_password module is installed. -# See this issue for more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23 -- block: - - name: Create selinux custom policy drop folder - file: - path: '{{ ssh_custom_selinux_dir }}' - state: 'directory' - owner: 'root' - group: 'root' - mode: '0750' +# The following tasks only get executed when selinux is in state enforcing, +# UsePam is 'no' and the ssh_password module is not installed. See this issue for +# more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23 +- when: + - not (ssh_use_pam | bool) + - ('ssh_password' not in ssh_password_module.stdout) + block: + - name: create selinux custom policy drop folder + file: + path: '{{ ssh_custom_selinux_dir }}' + state: 'directory' + owner: 'root' + group: 'root' + mode: '0750' - - name: Distributing custom selinux policies - copy: - src: 'ssh_password' - dest: '{{ ssh_custom_selinux_dir }}' + - name: distributing custom selinux policies + copy: + src: 'ssh_password' + dest: '{{ ssh_custom_selinux_dir }}' - - name: check and compile policy - command: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password + - name: check and compile policy + command: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password - - name: create selinux policy module package - command: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp -m {{ ssh_custom_selinux_dir }}/ssh_password.mod + - name: create selinux policy module package + command: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp -m {{ ssh_custom_selinux_dir }}/ssh_password.mod - - name: install selinux policy - command: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp + - name: install selinux policy + command: 
semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp - when: not ssh_use_pam | bool and ssh_password_module.stdout.find('ssh_password') != 0 -# The following tasks only get executed when selinux is installed, UsePam is 'yes' and the ssh_password module is installed. -# See http://danwalsh.livejournal.com/12333.html for more info +# The following tasks only get executed when selinux is installed, UsePam is +# 'yes' and the ssh_password module is installed. See +# http://danwalsh.livejournal.com/12333.html for more info - name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk command: semodule -r ssh_password - when: ssh_use_pam | bool and ssh_password_module.stdout.find('ssh_password') == 0 + when: + - ssh_use_pam | bool + - ('ssh_password' in ssh_password_module.stdout) diff --git a/ansible/roles/dev-sec.ssh-hardening/templates/authorized_principals.j2 b/ansible/roles/dev-sec.ssh-hardening/templates/authorized_principals.j2 index 01ef844..be83791 100644 --- a/ansible/roles/dev-sec.ssh-hardening/templates/authorized_principals.j2 +++ b/ansible/roles/dev-sec.ssh-hardening/templates/authorized_principals.j2 @@ -1,4 +1,4 @@ -# {{ansible_managed|comment}} +{{ ansible_managed | comment }} {% for principal in item.principals %} {{ principal }} diff --git a/ansible/roles/dev-sec.ssh-hardening/templates/openssh.conf.j2 b/ansible/roles/dev-sec.ssh-hardening/templates/openssh.conf.j2 index 106b887..c26957e 100644 --- a/ansible/roles/dev-sec.ssh-hardening/templates/openssh.conf.j2 +++ b/ansible/roles/dev-sec.ssh-hardening/templates/openssh.conf.j2 
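Review bot: The new block-level `when`, `('ssh_password' not in ssh_password_module.stdout)`, depends on the `check if ssh_password module is already installed` task completing even though its `semodule -l | grep ssh_password` pipeline exits non-zero exactly when the module is absent, which is the case this block is meant to handle. The `register`/`failed_when` lines of that task sit between the two hunks and are not visible here; confirm the task is marked non-failing, otherwise the play aborts before the custom policy is ever installed. A one-line comment above the block, `# ssh_password_module is registered from 'semodule -l | grep ssh_password' above; empty stdout means not installed`, would make the dependency explicit.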
@@ -1,9 +1,10 @@ -# {{ansible_managed|comment}} +#jinja2: trim_blocks: "true", lstrip_blocks: "true" +{{ ansible_managed | comment }} # This is the ssh client system-wide configuration file. # See ssh_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen. -{% if ssh_custom_options -%} +{% if ssh_custom_options %} # Custom configuration that overwrites default configuration # ========================================================== {% for line in ssh_custom_options %} @@ -17,14 +18,14 @@ # Address family should always be limited to the active network configuration. AddressFamily {{ 'any' if network_ipv6_enable else 'inet' }} -{% for host in ssh_remote_hosts -%} +{% for host in ssh_remote_hosts %} {% if loop.first %} # Host-specific configuration {% endif %} Host {{ host.names | join(' ') }} - {{ host.options | join("\n") | indent(2) }} + {{ host.options | join('\n') | indent(2) }} -{% endfor -%} +{% endfor %} # Global defaults for all Hosts Host * 
@@ -60,16 +61,16 @@ StrictHostKeyChecking ask # -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html) # -{# This outputs "Ciphers " if ssh_ciphers is defined or "#Ciphers" if ssh_ciphers is undefined #} -{{ "Ciphers "+ssh_ciphers| join(',') if ssh_ciphers else "Ciphers"|comment }} +{# This outputs 'Ciphers ' if ssh_ciphers is defined or '#Ciphers' if ssh_ciphers is undefined #} +{{ 'Ciphers ' ~ ssh_ciphers|join(',') if ssh_ciphers else 'Ciphers'|comment }} # **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary. # Weak HMAC is sometimes required if older package versions are used # eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case. # -{# This outputs "MACs " if ssh_macs is defined or "#MACs" if ssh_macs is undefined #} -{{ "MACs "+ssh_macs| join(',') if ssh_macs else "MACs"|comment }} +{# This outputs 'MACs ' if ssh_macs is defined or '#MACs' if ssh_macs is undefined #} +{{ 'MACs ' ~ ssh_macs|join(',') if ssh_macs else 'MACs'|comment }} # Alternative setting, if OpenSSH version is below v5.9 #MACs hmac-ripemd160 @@ -79,8 +80,8 @@ StrictHostKeyChecking ask # eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case. # based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf -{# This outputs "KexAlgorithms " if ssh_kex is defined or "#KexAlgorithms" if ssh_kex is undefined #} -{{ "KexAlgorithms "+ssh_kex| join(',') if ssh_kex else "KexAlgorithms"|comment }} +{# This outputs 'KexAlgorithms ' if ssh_kex is defined or '#KexAlgorithms' if ssh_kex is undefined #} +{{ 'KexAlgorithms ' ~ ssh_kex|join(',') if ssh_kex else 'KexAlgorithms'|comment }} # Disable agent forwarding, since local agent could be accessed through forwarded connection. ForwardAgent no 
@@ -113,8 +114,7 @@ PermitLocalCommand no # Misc. configuration # =================== -# Enable compression. More pressure on the CPU, less on the network. -Compression yes +Compression {{ 'yes' if (ssh_client_compression|bool) else 'no' }} #EscapeChar ~ #VisualHostKey yes diff --git a/ansible/roles/dev-sec.ssh-hardening/templates/opensshd.conf.j2 b/ansible/roles/dev-sec.ssh-hardening/templates/opensshd.conf.j2 index 0a60174..eb681c2 100644 --- a/ansible/roles/dev-sec.ssh-hardening/templates/opensshd.conf.j2 +++ b/ansible/roles/dev-sec.ssh-hardening/templates/opensshd.conf.j2 @@ -1,12 +1,13 @@ -# {{ansible_managed|comment}} +#jinja2: trim_blocks: "true", lstrip_blocks: "true" +{{ ansible_managed | comment }} # This is the ssh client system-wide configuration file. # See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen. -{% if sshd_custom_options -%} +{% if sshd_custom_options %} # Custom configuration that overwrites default configuration # ========================================================== -{% for line in sshd_custom_options -%} +{% for line in sshd_custom_options %} {{ line }} {% endfor %} {% endif %} 
@@ -18,26 +19,26 @@ PermitRootLogin {{ ssh_permit_root_login }} # Define which port sshd should listen to. Default to `22`. -{% for port in ssh_server_ports -%} -Port {{port}} +{% for port in ssh_server_ports %} +Port {{ port }} {% endfor %} # Address family should always be limited to the active network configuration. AddressFamily {{ 'any' if (network_ipv6_enable|bool) else 'inet' }} # Define which addresses sshd should listen to. Default to `0.0.0.0`, ie make sure you put your desired address in here, since otherwise sshd will listen to everyone. -{% for address in ssh_listen_to -%} -ListenAddress {{address}} +{% for address in ssh_listen_to %} +ListenAddress {{ address }} {% endfor %} # List HostKeys here. -{% for key in ssh_host_key_files -%} -HostKey {{key}} +{% for key in ssh_host_key_files %} +HostKey {{ key }} {% endfor %} # Specifies the host key algorithms that the server offers. {% if sshd_version is version('5.8', '>=') %} -{{ "HostKeyAlgorithms "+ssh_host_key_algorithms| join(',') if ssh_host_key_algorithms else "HostKeyAlgorithms"|comment }} +{{ "HostKeyAlgorithms " ~ ssh_host_key_algorithms|join(',') if ssh_host_key_algorithms else "HostKeyAlgorithms"|comment }} {% endif %} # Security configuration 
@@ -62,16 +63,16 @@ LogLevel {{ sshd_log_level }} # -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html) # -{# This outputs "Ciphers " if ssh_ciphers is defined or "#Ciphers" if ssh_ciphers is undefined #} -{{ "Ciphers "+ssh_ciphers| join(',') if ssh_ciphers else "Ciphers"|comment }} +{# This outputs 'Ciphers ' if ssh_ciphers is defined or '#Ciphers' if ssh_ciphers is undefined #} +{{ 'Ciphers ' ~ ssh_ciphers|join(',') if ssh_ciphers else 'Ciphers'|comment }} # **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary. # Weak HMAC is sometimes required if older package versions are used # eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case. # -{# This outputs "MACs " if ssh_macs is defined or "#MACs" if ssh_macs is undefined #} -{{ "MACs "+ssh_macs| join(',') if ssh_macs else "MACs"|comment }} +{# This outputs 'MACs ' if ssh_macs is defined or '#MACs' if ssh_macs is undefined #} +{{ 'MACs ' ~ ssh_macs|join(',') if ssh_macs else 'MACs'|comment }} # Alternative setting, if OpenSSH version is below v5.9 #MACs hmac-ripemd160 @@ -81,8 +82,8 @@ LogLevel {{ sshd_log_level }} # eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case. # based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf -{# This outputs "KexAlgorithms " if ssh_kex is defined or "#KexAlgorithms" if ssh_kex is undefined #} -{{ "KexAlgorithms "+ssh_kex| join(',') if ssh_kex else "KexAlgorithms"|comment }} +{# This outputs 'KexAlgorithms ' if ssh_kex is defined or '#KexAlgorithms' if ssh_kex is undefined #} +{{ 'KexAlgorithms ' ~ ssh_kex|join(',') if ssh_kex else 'KexAlgorithms'|comment }} # Authentication # -------------- 
@@ -92,13 +93,17 @@ LogLevel {{ sshd_log_level }} UseLogin no {% endif %} {% if sshd_version is version('7.5', '<') %} -UsePrivilegeSeparation {% if (ansible_facts.distribution == 'Debian' and ansible_facts.distribution_major_version <= '6') or (ansible_facts.os_family in ['Oracle Linux', 'RedHat'] and ansible_facts.distribution_major_version <= '6' and not ansible_facts.distribution == 'Amazon') -%}{{ssh_ps53}}{% else %}{{ssh_ps59}}{% endif %} +UsePrivilegeSeparation {{ + (ansible_facts.distribution == 'Debian' and ansible_facts.distribution_major_version <= '6') + or (ansible_facts.os_family in ['Oracle Linux', 'RedHat'] and ansible_facts.distribution_major_version <= '6' and not ansible_facts.distribution == 'Amazon') + | ternary(ssh_ps53, ssh_ps59) +}} {% endif %} -LoginGraceTime 30s -MaxAuthTries {{ssh_max_auth_retries}} -MaxSessions 10 -MaxStartups {{ssh_max_startups}} +LoginGraceTime {{ ssh_login_grace_time }} +MaxAuthTries {{ ssh_max_auth_retries }} +MaxSessions {{ ssh_max_sessions }} +MaxStartups {{ ssh_max_startups }} # Enable public key authentication PubkeyAuthentication yes @@ -109,7 +114,7 @@ IgnoreUserKnownHosts yes HostbasedAuthentication no # Enable PAM to enforce system wide rules -{% if ssh_pam_support -%} +{% if ssh_pam_support %} UsePAM {{ 'yes' if (ssh_use_pam|bool) else 'no' }} {% endif %} @@ -124,7 +129,7 @@ PasswordAuthentication {{ 'yes' if (ssh_server_password_login|bool) else 'no' }} PermitEmptyPasswords no ChallengeResponseAuthentication {{ 'yes' if (ssh_challengeresponseauthentication|bool) else 'no' }} -{% if ssh_kerberos_support -%} +{% if ssh_kerberos_support %} # Only enable Kerberos authentication if it is configured. KerberosAuthentication no KerberosOrLocalPasswd no 
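Review bot: The new multi-line `UsePrivilegeSeparation` expression appears to bind `| ternary(ssh_ps53, ssh_ps59)` only to the second parenthesised clause, since Jinja applies filters to the adjacent primary before evaluating `or`; when the Debian clause is true the line would render the literal boolean instead of `ssh_ps53`. Wrapping both clauses in one outer pair of parentheses before the filter fixes the binding: `UsePrivilegeSeparation {{ ((...Debian clause...) or (...RedHat clause...)) | ternary(ssh_ps53, ssh_ps59) }}`. The comparison `ansible_facts.distribution_major_version <= '6'` is carried over from the old line and is lexical, so a major version such as '10' also satisfies it; `distribution_major_version|int <= 6` is what the condition means. This only matters when `sshd_version` is below 7.5, which the enclosing `{% if %}` guards.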
@@ -137,29 +142,29 @@ GSSAPIAuthentication {{ 'yes' if ssh_gssapi_support else 'no' }} GSSAPICleanupCredentials yes # In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here. For key-based authentication this is not necessary, since all keys must be explicitely enabled. -{% if ssh_deny_users -%} -DenyUsers {{ssh_deny_users}} +{% if ssh_deny_users %} +DenyUsers {{ ssh_deny_users }} {% endif %} -{% if ssh_allow_users -%} -AllowUsers {{ssh_allow_users}} +{% if ssh_allow_users %} +AllowUsers {{ ssh_allow_users }} {% endif %} -{% if ssh_deny_groups -%} -DenyGroups {{ssh_deny_groups}} +{% if ssh_deny_groups %} +DenyGroups {{ ssh_deny_groups }} {% endif %} -{% if ssh_allow_groups -%} -AllowGroups {{ssh_allow_groups}} +{% if ssh_allow_groups %} +AllowGroups {{ ssh_allow_groups }} {% endif %} -{% if ssh_authorized_keys_file -%} +{% if ssh_authorized_keys_file %} AuthorizedKeysFile {{ ssh_authorized_keys_file }} {% endif %} -{% if ssh_trusted_user_ca_keys_file -%} +{% if ssh_trusted_user_ca_keys_file %} TrustedUserCAKeys {{ ssh_trusted_user_ca_keys_file }} -{% if ssh_authorized_principals_file -%} +{% if ssh_authorized_principals_file %} AuthorizedPrincipalsFile {{ ssh_authorized_principals_file }} {% endif %} {% endif %} @@ -171,8 +176,8 @@ AuthorizedPrincipalsFile {{ ssh_authorized_principals_file }} TCPKeepAlive no # Manage `ClientAlive..` signals via interval and maximum count. This will periodically check up to a `..CountMax` number of times within `..Interval` timeframe, and abort the connection once these fail. -ClientAliveInterval {{ssh_client_alive_interval}} -ClientAliveCountMax {{ssh_client_alive_count}} +ClientAliveInterval {{ ssh_client_alive_interval }} +ClientAliveCountMax {{ ssh_client_alive_count }} # Disable tunneling PermitTunnel {{ 'yes' if (ssh_permit_tunnel|bool) else 'no' }} 
@@ -189,19 +194,19 @@ AllowTcpForwarding {{ ssh_allow_tcp_forwarding if (ssh_allow_tcp_forwarding in ( # no real advantage without denied shell access AllowAgentForwarding {{ 'yes' if (ssh_allow_agent_forwarding|bool) else 'no' }} -{% if ssh_gateway_ports|bool -%} +{% if ssh_gateway_ports|bool %} # Port forwardings are forced to bind to the wildcard address GatewayPorts yes -{% elif ssh_gateway_ports == 'clientspecified' -%} +{% elif ssh_gateway_ports == 'clientspecified' %} # Clients allowed to specify which address to bind port forwardings to GatewayPorts clientspecified -{% else -%} +{% else %} # Do not allow remote port forwardings to bind to non-loopback addresses. GatewayPorts no {% endif %} # Disable X11 forwarding, since local X11 display could be accessed through forwarded connection. -X11Forwarding no +X11Forwarding {{ 'yes' if (ssh_x11_forwarding|bool) else 'no' }} X11UseLocalhost yes # User environment configuration @@ -209,7 +214,7 @@ X11UseLocalhost yes PermitUserEnvironment {{ ssh_server_permit_environment_vars }} -{% if ssh_server_accept_env_vars -%} +{% if ssh_server_accept_env_vars %} AcceptEnv {{ ssh_server_accept_env_vars }} {% endif %} @@ -226,16 +231,16 @@ PrintMotd {{ 'yes' if (ssh_print_motd|bool) else 'no' }} PrintLastLog {{ 'yes' if (ssh_print_last_log|bool) else 'no' }} {% endif %} -Banner {{ '/etc/ssh/banner.txt' if (ssh_banner|bool) else 'none' }} +Banner {{ ssh_banner_path if (ssh_banner|bool) else 'none' }} -{% if ansible_facts.os_family == 'Debian' -%} +{% if ansible_facts.os_family == 'Debian' %} DebianBanner {{ 'yes' if (ssh_print_debian_banner|bool) else 'no' }} {% endif %} # Reject keys that are explicitly blacklisted RevokedKeys /etc/ssh/revoked_keys -{% if sftp_enabled -%} +{% if sftp_enabled %} # SFTP matching configuration # =========================== # Configuration, in case SFTP is used 
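Review bot: The comment above `X11Forwarding {{ 'yes' if (ssh_x11_forwarding|bool) else 'no' }}` still reads as if the option were unconditionally disabled, which no longer matches the line it describes. Reword it to state the conditional, e.g. `# X11 forwarding is off unless ssh_x11_forwarding is set; a forwarded connection could otherwise reach the local X11 display.` The same applies to `Banner {{ ssh_banner_path ... }}` in the last hunk of this line, where a short comment naming `ssh_banner_path` would help readers who previously relied on the fixed `/etc/ssh/banner.txt`.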
@@ -256,39 +261,51 @@ Match Group sftponly PermitRootLogin no X11Forwarding no {% endif %} +{% if ssh_server_match_address %} -{% if ssh_server_match_address -%} # Address matching configuration # ============================ -{% for item in ssh_server_match_address -%} +{% for item in ssh_server_match_address %} Match Address {{ item.address }} {% for rule in item.rules %} {{ rule | indent(4) }} {% endfor %} {% endfor %} {% endif %} +{% if ssh_server_match_group %} -{% if ssh_server_match_group -%} # Group matching configuration # ============================ -{% for item in ssh_server_match_group -%} +{% for item in ssh_server_match_group %} Match Group {{ item.group }} {% for rule in item.rules %} {{ rule | indent(4) }} {% endfor %} {% endfor %} {% endif %} +{% if ssh_server_match_user %} -{% if ssh_server_match_user -%} # User matching configuration # =========================== -{% for item in ssh_server_match_user -%} +{% for item in ssh_server_match_user %} Match User {{ item.user }} {% for rule in item.rules %} {{ rule | indent(4) }} {% endfor %} {% endfor %} {% endif %} +{% if ssh_server_match_local_port %} + +# LocalPort matching configuration +# ================================ + +{% for item in ssh_server_match_local_port %} +Match LocalPort {{ item.port }} + {% for rule in item.rules %} + {{ rule | indent(4) }} + {% endfor %} +{% endfor %} +{% endif %} diff --git a/ansible/roles/dev-sec.ssh-hardening/templates/revoked_keys.j2 b/ansible/roles/dev-sec.ssh-hardening/templates/revoked_keys.j2 index 7156211..1a7eba6 100644 --- a/ansible/roles/dev-sec.ssh-hardening/templates/revoked_keys.j2 +++ b/ansible/roles/dev-sec.ssh-hardening/templates/revoked_keys.j2 @@ -1,4 +1,5 @@ -# {{ansible_managed|comment}} +{{ ansible_managed | comment }} + {% for key in ssh_server_revoked_keys %} -{{key}} +{{ key }} {% endfor %} 
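Review bot: The new `Match LocalPort` section is emitted without a version check, while the same template already guards `HostKeyAlgorithms` with `sshd_version is version(...)`; `LocalPort` is a comparatively recent Match criterion and an unrecognised criterion makes sshd reject its configuration at start, so consider guarding the block the same way, e.g. `{% if ssh_server_match_local_port and sshd_version is version('<first version with LocalPort>', '>=') %}`. A comment above the block naming the expected item shape (`port` plus a `rules` list, as the other Match sections use `address`/`group`/`user`) would also help, since the variable is new and its default is not visible in this chunk.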
diff --git a/ansible/roles/dev-sec.ssh-hardening/templates/trusted_user_ca_keys.j2 b/ansible/roles/dev-sec.ssh-hardening/templates/trusted_user_ca_keys.j2
index e6305dc..bd62ccd 100644
--- a/ansible/roles/dev-sec.ssh-hardening/templates/trusted_user_ca_keys.j2
+++ b/ansible/roles/dev-sec.ssh-hardening/templates/trusted_user_ca_keys.j2
@@ -1,5 +1,5 @@
-# {{ansible_managed|comment}}
+{{ ansible_managed | comment }}
 
-{% for item in ssh_trusted_user_ca_keys %}
-{{ item }}
+{% for key in ssh_trusted_user_ca_keys %}
+{{ key }}
 {% endfor %}
diff --git a/ansible/roles/dev-sec.ssh-hardening/tests/default.yml b/ansible/roles/dev-sec.ssh-hardening/tests/default.yml
index 231d09b..bb3b71d 100644
--- a/ansible/roles/dev-sec.ssh-hardening/tests/default.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/tests/default.yml
@@ -7,25 +7,48 @@ ansible_python_interpreter: /usr/bin/python3 when: ansible_facts.distribution == 'Fedora' - - package: name="{{ packages }}" state=present - vars: - packages: + - yum: + name: - openssh-clients - openssh-server - libselinux-python + state: present + update_cache: true ignore_errors: true - - apt: name="{{packages}}" state=present update_cache=true - vars: - packages: - - "openssh-client" - - "openssh-server" + + - dnf: + name: + - openssh-clients + - openssh-server + - procps-ng + state: present + update_cache: true ignore_errors: true - - file: path="/var/run/sshd" state=directory + + - apt: + name: + - openssh-client + - openssh-server + state: present + update_cache: true + ignore_errors: true + + - file: + path: "/var/run/sshd" + state: directory + + - pacman: + name: + - "openssh" + - "awk" + state: present + update_cache: true + ignore_errors: true + - name: create ssh host keys command: "ssh-keygen -A" - when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or + when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or ansible_facts.distribution == "Fedora" or ansible_facts.distribution == "Amazon" - roles: - ansible-ssh-hardening diff --git a/ansible/roles/dev-sec.ssh-hardening/tests/default_custom.yml b/ansible/roles/dev-sec.ssh-hardening/tests/default_custom.yml index b88a6e8..b8a49f1 100644 --- a/ansible/roles/dev-sec.ssh-hardening/tests/default_custom.yml +++ b/ansible/roles/dev-sec.ssh-hardening/tests/default_custom.yml 
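Review bot: All four package tasks (`yum`, `dnf`, `apt`, `pacman`) now carry `ignore_errors: true` and run on every platform, so a genuine failure to install `openssh-server` is hidden and only surfaces later at `ssh-keygen -A` or in the role itself. Selecting the task by `when: ansible_facts.pkg_mgr == 'apt'` (and likewise `yum`, `dnf`, `pacman`) would let each task fail loudly on the platform it is meant for and drop the blanket `ignore_errors`. The same pattern is repeated in the `default_custom.yml` hunk on the next line.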
@@ -7,23 +7,47 @@ ansible_python_interpreter: /usr/bin/python3 when: ansible_facts.distribution == 'Fedora' - - package: name="{{ packages }}" state=present - vars: - packages: + - yum: + name: - openssh-clients - openssh-server - libselinux-python + state: present + update_cache: true ignore_errors: true - - apt: name="{{packages}}" state=present update_cache=true - vars: - packages: - - "openssh-client" - - "openssh-server" + + - dnf: + name: + - openssh-clients + - openssh-server + - procps-ng + state: present + update_cache: true ignore_errors: true - - file: path="/var/run/sshd" state=directory + + - apt: + name: + - openssh-client + - openssh-server + state: present + update_cache: true + ignore_errors: true + + - file: + path: "/var/run/sshd" + state: directory + + - pacman: + name: + - "openssh" + - "awk" + state: present + update_cache: true + ignore_errors: true + - name: create ssh host keys command: "ssh-keygen -A" - when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or + when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or ansible_facts.distribution == "Fedora" or ansible_facts.distribution == "Amazon" @@ -56,6 +80,9 @@ sftp_enabled: true sftp_chroot: true #ssh_server_enabled: false + ssh_server_ports: + - 22 + - 222 ssh_server_match_address: - address: '192.168.1.1/24' rules: @@ -71,6 +98,11 @@ rules: - 'AllowTcpForwarding yes' - 'AllowAgentForwarding no' + ssh_server_match_local_port: + - port: 222 + rules: + - 'AllowTcpForwarding yes' + - 'AllowAgentForwarding no' ssh_remote_hosts: - names: ['example.com', 'example2.com'] options: ['Port 2222', 'ForwardAgent yes'] diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/Archlinux.yml b/ansible/roles/dev-sec.ssh-hardening/vars/Archlinux.yml new file mode 100644 index 0000000..5de26a2 --- /dev/null +++ b/ansible/roles/dev-sec.ssh-hardening/vars/Archlinux.yml 
@@ -0,0 +1,10 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
+sshd_service_name: sshd
+ssh_owner: root
+ssh_group: root
+
+# CRYPTO_POLICY is not supported on Archlinux
+# and the package check only works in Ansible >2.10
+sshd_disable_crypto_policy: false
diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/Debian.yml b/ansible/roles/dev-sec.ssh-hardening/vars/Debian.yml
index df491f3..062c204 100644
--- a/ansible/roles/dev-sec.ssh-hardening/vars/Debian.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/vars/Debian.yml
@@ -1,3 +1,6 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: ssh
 ssh_owner: root
 ssh_group: root
diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/Fedora.yml b/ansible/roles/dev-sec.ssh-hardening/vars/Fedora.yml
index b42c9c2..7655866 100644
--- a/ansible/roles/dev-sec.ssh-hardening/vars/Fedora.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/vars/Fedora.yml
@@ -1,3 +1,6 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/FreeBSD.yml b/ansible/roles/dev-sec.ssh-hardening/vars/FreeBSD.yml
index 173b78a..4a69f24 100644
--- a/ansible/roles/dev-sec.ssh-hardening/vars/FreeBSD.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/vars/FreeBSD.yml
@@ -1,3 +1,6 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: wheel
diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/OpenBSD.yml b/ansible/roles/dev-sec.ssh-hardening/vars/OpenBSD.yml
index 8e3c804..546ce77 100644
--- a/ansible/roles/dev-sec.ssh-hardening/vars/OpenBSD.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/vars/OpenBSD.yml
@@ -1,3 +1,6 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: wheel
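Review bot: Every per-OS vars file in this line and the next (Archlinux, Debian, Fedora, FreeBSD, OpenBSD, Oracle Linux, RedHat, RedHat_8) now repeats the identical pair `sshd_path: /usr/sbin/sshd` and `ssh_host_keys_dir: '/etc/ssh'`, and only SmartOS overrides them; moving the common values into the role defaults and keeping only the overriding values in `vars/` would avoid eight copies drifting apart. The role's `defaults/main.yml` is not visible in this chunk, so whether it already declares these keys cannot be confirmed here. The Archlinux comment `# and the package check only works in Ansible >2.10` would read better if it named the check it refers to.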
diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/Oracle Linux.yml b/ansible/roles/dev-sec.ssh-hardening/vars/Oracle Linux.yml
index 5694cea..36f0ee0 100644
--- a/ansible/roles/dev-sec.ssh-hardening/vars/Oracle Linux.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/vars/Oracle Linux.yml
@@ -1,3 +1,6 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/RedHat.yml b/ansible/roles/dev-sec.ssh-hardening/vars/RedHat.yml
index 5694cea..36f0ee0 100644
--- a/ansible/roles/dev-sec.ssh-hardening/vars/RedHat.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/vars/RedHat.yml
@@ -1,3 +1,6 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/RedHat_8.yml b/ansible/roles/dev-sec.ssh-hardening/vars/RedHat_8.yml
index b42c9c2..7655866 100644
--- a/ansible/roles/dev-sec.ssh-hardening/vars/RedHat_8.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/vars/RedHat_8.yml
@@ -1,3 +1,6 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/SmartOS.yml b/ansible/roles/dev-sec.ssh-hardening/vars/SmartOS.yml
new file mode 100644
index 0000000..ef38877
--- /dev/null
+++ b/ansible/roles/dev-sec.ssh-hardening/vars/SmartOS.yml
@@ -0,0 +1,8 @@
+---
+sshd_path: /usr/lib/ssh/sshd
+ssh_host_keys_dir: '/var/ssh'
+sshd_service_name: ssh
+ssh_owner: root
+ssh_group: root
+
+ssh_pam_support: false
diff --git a/ansible/roles/geerlingguy.nodejs/meta/.galaxy_install_info b/ansible/roles/geerlingguy.nodejs/meta/.galaxy_install_info
index 86d7774..00c7e15 100644
--- a/ansible/roles/geerlingguy.nodejs/meta/.galaxy_install_info
+++ b/ansible/roles/geerlingguy.nodejs/meta/.galaxy_install_info
@@ -1,2 +1,2 @@
-install_date: Fri May 15 20:27:04 2020
+install_date: Thu Feb 18 15:39:27 2021
 version: 5.1.1