36 KiB
36 KiB
Changelog
6.2.0 (2020-08-16)
Implemented enhancements:
- Optimize and unify when clause #295 (Alexhha)
- use find module instead of shell #294 (danielkubat)
- improve testing #287 (schurzi)
Fixed bugs:
- Inconsistent use of role vars/role defaults #284
Closed issues:
- Consider using find module instead of shell #293
- Optimize logical OR in when clause #292
- vfat added to dev-sec.conf, but efi is used #288
- OpenSUSE Support #249
Merged pull requests:
- fix fedora build #296 (rndmh3ro)
- move hidepid vars into defaults so theyre overwritable #285 (rndmh3ro)
6.1.0 (2020-07-21)
Implemented enhancements:
Fixed bugs:
- Is it safe to use on Debian 10? The build is failing. #281
Closed issues:
- The state of the galaxy release #269
Merged pull requests:
- do not blacklist used filesystems #289 (schurzi)
- install procps in debian so sysctl.conf exists #282 (rndmh3ro)
6.0.3 (2020-06-06)
Implemented enhancements:
6.0.2 (2020-06-02)
Implemented enhancements:
- purge insecure packages #275 (chris-rock)
6.0.1 (2020-05-09)
Implemented enhancements:
- add changelog and release workflow #271 (rndmh3ro)
- github action for changelog generation #270 (rndmh3ro)
6.0.0 (2020-05-05)
Implemented enhancements:
- Configure audit=1 for more accurate auid auditing #253
- Add Debian Buster support for ansible-os-hardening #233
- Add CentOS 8 support for ansible-os-hardening #232
- Add selinux configuration #154
- Make useradd defaults in login.defs dependent on OS #266 (aisbergg)
- Add kernel hardening parameters from Tails and CIS Benchmark #263 (kravietz)
- add ansible-lint #262 (rndmh3ro)
- Remove trailing space #261 (kravietz)
- Add kernel parameter information to README #259 (jaredledvina)
- Remove trailing whitespaces
ansible-lint 201#254 (kravietz) - Standardize the var ordering #251 (dustinmiller1337)
- Add intial support for OpenSUSE #250 (dustinmiller1337)
- Make max_log_file_action for auditd configurable #246 (jandd)
- Add exception in sysctl task #240 (ghost)
- Fedora - Use new auto ansible_python_interpreter for dnf #239 (jaredledvina)
- add test support for CentOS8 #237 (yeoldegrove)
- Support configuring SELinux and default to enforcing #236 (jaredledvina)
- Add test support for debian buster #234 (123Haynes)
- Changed local var name to a less common one #231 (rgarrigue)
- Use ansible facts for vars #226 (joshuatalb)
Fixed bugs:
- /etc/login.defs alters centos 7/8 default values #265
- Invalid Conditionals in user_accounts.yml #255
auth-systemrelated files are created for non-RHEL systemse.g. Debian#247- NSA website links are stale #227
- Running ansible on python3 throughs "TypeError: '<=' not supported between instances of 'str' and 'int'" #223
-
lots of - Add a "don't fail on error" switch ? #148
- Addressing issue #255 #258 (ljkimmel)
- Fix #247, cleanup conditions #248 (fernandezcuesta)
- Fix error on applying the sysctl vars on containers #243 (ghost)
- Update location of NSA RHEL 5 Guide #235 (jaredledvina)
5.2.1 (2019-06-09)
Implemented enhancements:
- Fix deprecation warnings in Ansible 2.8 #224 (Normo)
- add docs to find-task in minimize access. fix #219 #220 (rndmh3ro)
Fixed bugs:
squash\_actionsdeprecation warning #218
5.2.0 (2019-05-04)
Implemented enhancements:
- Speed up "minimize access on found files" task #208
- Fedora support? #163
- remove eol'd OS and add new #217 (rndmh3ro)
- Add note about docker under warning #214 (ChrisMcKee)
- change minimize access tasks to speed them up #209 (rndmh3ro)
- Added fedora support #206 (jonaswre)
- Pass package list directly to apt and yum modules without using with_items loop #200 (Normo)
Fixed bugs:
- login.defs.j2 template: ENV_PATH is missing ':' before variable substitution #202
- 'sysctl_rhel_config' is undefined #167
- RHEL 7.4: Too many setuid bits removed #140
- Fix typo #212 (ruslo)
- Update modprobe to 0644 #211 (joshuatalb)
- Test Kitchen Vagrant Fixes #210 (joshuatalb)
-
readme - fix ansible lint remarks #204 (rndmh3ro)
- add colon to user env paths - fix #202 #203 (rndmh3ro)
- Fix errors produced by ansible-lint #159 (zbrojny120)
5.1.0 (2018-10-17)
Implemented enhancements:
Fixed bugs:
- auditd causing v5.0 to fail on unpriviledged LXC's #191
- Setting os_security_users_allow has no effect #175
- add /usr/bin/su to suid_guid whitelist #199 (ccolic)
- ensure that permissions to su-binary are not restricted to root user and group only, if os_security_users_allow contains the value change_user #197 (szEvEz)
5.0.0 (2018-09-02)
Implemented enhancements:
- Warning about "include" for tasks for ansible-playbook 2.4.0
devel f0a5854e39#131 - fix problems with efi and vfat #190 (rndmh3ro)
- added os_hardening_enabled flag #186 (jcheroske)
- add amazon run opts to travis #183 (rndmh3ro)
- use package instead of yum and apt #180 (rndmh3ro)
- add oracle7 to travis #178 (rndmh3ro)
- fix wrong permissions passwdqc #170 #176 (rndmh3ro)
- ipv4 forwarding comment is inconsistent with example #174 (carchrae)
- Rename pam_passwdqd.j2 to pam_passwdqc.j2 #172 (martinbydefault)
- Use package state 'present' since 'installed' is deprecated #168 (Normo)
- Update syntax to Ansible 2.4 #161 (thomasjpfan)
- Add support for Amazon Linux #158 (woneill)
- Remove deprecated include for static tasks and use instead import_tasks fix #131 #132 (HelioCampos)
Fixed bugs:
- minimize_access: maximum recursion depth exceeded on Ansible 2.5 #171
- wrong permissions passwdqc #170
- Update deprecated
includestatements #166 - Strongly recommend against disabling vfat by default #162
- System completely unresponsive after role execution #145
- do not install passwdqc on amazon linux #189 (rndmh3ro)
- add back run opts for debian 8 in travis #184 (rndmh3ro)
- Fix core dump config file creation when core dumps are disabled #182 (Normo)
- change minimize access method #181 (rndmh3ro)
4.3.0 (2018-01-03)
Implemented enhancements:
- Update some RH settings in this role #155
- Removal of core dump hardening configuration if core dumps are allowed #129
- add amazon linux testing #160 (rndmh3ro)
- Don't create home for system accounts #156 (oakey-b1)
- Prevent disabling of filesystems via whitelist #153 (manuelprinz)
- Add kernel hardening settings from Ubuntu /etc/sysctl.d #150 (kravietz)
- Removal of core dump hardening configuration if core dumps are allowed #146 (martinbydefault)
- add missing sysctl parameter #143 (rndmh3ro)
- update readme #139 (rndmh3ro)
- add modprobe template, control os-10 #138 (rndmh3ro)
Fixed bugs:
- bug in ufw.j2 template #151
- replace single ticks with double ticks. fix #151 #152 (rndmh3ro)
- fixed tag #149 (martinbydefault)
Closed issues:
- ansible hardening fails on ubuntu 16.04 with msg": "ERROR! 'sysctl_rhel_config' is undefined #147
- Enhancement: Test with TestInfra and Molecule #128
Merged pull requests:
4.3.1 (2017-09-13)
Fixed bugs:
- os_security_kernel_enable_sysrq is not implemented #115
4.2.0 (2017-08-08)
Implemented enhancements:
- install and configure auditd - fix inspec package-08 #144 (rndmh3ro)
- new task for delete netrc files, control os-09 #137 (rndmh3ro)
- add passwd task, control os-03 #136 (rndmh3ro)
- remove prelink package, control package-09 #135 (rndmh3ro)
- style update #134 (rndmh3ro)
- Fix ansible.cfg and use comment filter #130 (fazlearefin)
Fixed bugs:
- Why is rsync removed? #141
- playbook makes OS undetectable #124
- Centos7/RHEL7: Exec shield is enabled by default and not manageable anymore by sysctl.conf #118
- Remove rsync from package blacklist #142 (duk3luk3)
Merged pull requests:
4.1.0 (2017-06-27)
Fixed bugs:
- Change system accounts not on the user provided ignore-list items are not JSON serializable #125
- Could not find gem 'ruby
\>= 2.1.0' #116 - The task sysctl fails when /etc/initramfs-tools is not present #111
- Deprecation warning always_run #103
Closed issues:
- Enhancement: Pin python dependencies for development and testing #127
- Update readme to include baselines #122
Merged pull requests:
- Converts set to JSON-serializable list #126 (pestaa)
- add more sysctl settings, allow overwriting #120 (rndmh3ro)
4.0.0 (2017-03-14)
Implemented enhancements:
- Description of the Ansible roles of dev-sec says "This Ansible playbook" #97
- install initramfs-tools #114 (rndmh3ro)
- omit empty variables #106 (rndmh3ro)
Fixed bugs:
- The role fails when conditionally included #105
Closed issues:
Merged pull requests:
- change shadow owner in debian systems #117 (rndmh3ro)
- Rhel7 #113 (tyrken)
- use new Docker images #110 (rndmh3ro)
- Don’t refer to this role as "playbook" in the role description #104 (ypid)
3.2.0 (2016-10-24)
Fixed bugs:
- CentOS 7 selinux dependencies #102
- ubuntu xenial warning during activate gpg-check for yum-repos #99
- rhel_system_auth.j2 is still using pam_passwdqc.so for CentOS 7 #98
- Enable pam_pwquality in rhel-family > 7 #73
- "irc" user always changed after reboot #53
Merged pull requests:
- update template #101 (rndmh3ro)
- fix deprecation warning for undefined error. #99 #100 (rndmh3ro)
- add rhel7 pam_pwquality. fix #73 #94 (rndmh3ro)
3.1.0 (2016-08-03)
3.1 (2016-07-27)
Implemented enhancements:
- Supports --check mode #93 (conorsch)
- Adds support for CentOS 7 #91 (conorsch)
- Docker #90 (rndmh3ro)
- debian 8 support #88 (rndmh3ro)
- Ufw manage defaults #85 (fitz123)
- replace ignore_errors to failed_when to supress ugly error warnings #81 (fitz123)
- fix bare variables usage for loops #79 (fitz123)
Fixed bugs:
- Centos 7.1 fails at [Change various sysctl-settings on rhel-hosts...] #74
- Hardening fails on Centos 7.1 at task 'minimize access' #71
Closed issues:
- Permissions on /etc/shadow can lock out GUI users #86
- network related sysctl rewritten by ufw in ubuntu #82
- ansible >= 2.0 complains: Using bare variables is deprecated #78
Merged pull requests:
- Fix a formatting issue in readme. #92 (vivekagr)
- Permits overriding permissions on /etc/shadow #89 (conorsch)
3.0.0 (2016-03-13)
Implemented enhancements:
- update platforms in meta-file #69 (rndmh3ro)
- add webhook for ansible galaxy #68 (rndmh3ro)
- Move sysctl vars to defaults #67 (rndmh3ro)
- make sys_uid and sys_gid configurable #62 (rndmh3ro)
- Ansible 2.0 support #59 (rndmh3ro)
- use inspec as test framework #58 (chris-rock)
- Packages as attributes #57 (rndmh3ro)
- Change categories to tags for upcoming ansible 2.0 #56 (rndmh3ro)
- Add SINGLE and PROMPT parameters. #55 (rndmh3ro)
- add changelog generator #54 (chris-rock)
Fixed bugs:
- Updates "tags" parameters on includes in main.yml #66 (conorsch)
- Suid set def var, fix #64 #63 (rndmh3ro)
Closed issues:
- Hardening fails on Centos 7.1 at task 'remove suid/sgid bit from all binaries except in system and user whitelist' #72
- ansible 2.0 | "remove suid/sgid" task fails #64
- Custom sysctl #50
Merged pull requests:
2.0.0 (2015-11-28)
Closed issues:
Merged pull requests:
- Add explicit role-path to kitchen.yml #52 (rndmh3ro)
- Fix pam passwdqc template #51 (rndmh3ro)
- New dir layout #49 (rndmh3ro)
- remove duplicate "update pam" task #46 (fitz123)
- Fix stuck in case pam files was updated before by force update #45 (fitz123)
- Fix nologin shell path #44 (fitz123)
- improved travis-tests to cover more cases #42 (rndmh3ro)
1.0.0 (2015-09-01)
Closed issues:
- ansible-os-hardening/tasks/minimize_access.yml #38
- Role configuration. vars/main.yml? #34
- Sysctl reloading #18
- Add conditions for disabling of ip forwarding #15
- Disable System Accounts #6
Merged pull requests:
- Update kitchen-ansible, remove separate debian install #40 (rndmh3ro)
- Add mode to su-binary task. Fix #38 #39 (rndmh3ro)
- update common kitchen.yml platforms
ansible, kitchen_debian.yml platformsansible#37 (chris-rock) - Change oneliner if-statements to be more readable #36 (rndmh3ro)
- Separate system-vars from editable vars. Fix #34 #35 (rndmh3ro)
- Create limits.d-directory if it does not exist. #33 (rndmh3ro)
- Add correct CONTRIB-file #32 (rndmh3ro)
- Add Ansible Galaxy badge #31 (rndmh3ro)
- Update readme, todo, changelog, vars #30 (rndmh3ro)
- List-cleanup and follow symlinks added #29 (rndmh3ro)
- Add module configuration #28 (rndmh3ro)
- Fix two sysctl-settings #27 (rndmh3ro)
- Add meta-files for Ansible Galaxy #26 (rndmh3ro)
- Disable System Accounts. Fix #6 #25 (rndmh3ro)
- Use changed_when to avoid changed tasks #24 (rndmh3ro)
- Delete authconfig-task on rhel-systems #23 (rndmh3ro)
- Add missing rhosts-include task #21 (rndmh3ro)
- Change sysctl-task. Fix #18 #20 (rndmh3ro)
- Add travis-support #17 (rndmh3ro)
- Add conditions for various tasks. Fix #15 #16 (rndmh3ro)
- fix configuration of playbook path #14 (chris-rock)
- Make tasks clearer #13 (rndmh3ro)
- Add remove suid/sgid function #12 (rndmh3ro)
- Add task to remove unused repos and pkgs #11 (rndmh3ro)
- Edit README to fit to os-hardening #10 (rndmh3ro)
- ignore RAs on Ipv6 #9 (rndmh3ro)
- Repair debian install script #8 (rndmh3ro)
- Separate tasks into multiple smaller files #7 (rndmh3ro)
- Enable gpg-check on all yum-repositories #5 (rndmh3ro)
- Change playbook-path to accomodate test-repo #4 (rndmh3ro)
- treat securetty config as an array #3 (arlimus)
- Add Securetty-support #2 (rndmh3ro)
- Add profile.conf configuration #1 (rndmh3ro)
* This Changelog was automatically generated by github_changelog_generator