Update Debian compatibility (#784)

* Update Ubuntu compatability

Signed-off-by: Martin Schurz <[email protected]>

* reload systemd when disabling ssh socket

Signed-off-by: Martin Schurz <[email protected]>

* manage systemd files

Signed-off-by: Martin Schurz <[email protected]>

* Create privsep directory for Debian

Signed-off-by: Martin Schurz <[email protected]>

* Use working Ubuntu 24.04 image for vm tests

Signed-off-by: Martin Schurz <[email protected]>

* Remove deprecated Debian 10

Signed-off-by: Martin Schurz <[email protected]>

---------

Signed-off-by: Martin Schurz <[email protected]>

.github/workflows/mysql_hardening.yml

@@ -40,10 +40,9 @@ jobs:
           - centosstream9
           - rocky8
           - rocky9
-          - ubuntu1804
           - ubuntu2004
           - ubuntu2204
-          - debian10
+          - ubuntu2404
           - debian11
           - debian12
           # - amazon  # geerlingguy.mysql does not support fedora

.github/workflows/nginx_hardening.yml

@@ -39,10 +39,9 @@ jobs:
           - centosstream9
           - rocky8
           - rocky9
-          - ubuntu1804
           - ubuntu2004
           - ubuntu2204
-          - debian10
+          - ubuntu2404
           - debian11
           - debian12
           - amazon2023

.github/workflows/os_hardening.yml

@@ -41,10 +41,9 @@ jobs:
           - rocky9
           - fedora39
           - fedora40
-          - ubuntu1804
           - ubuntu2004
           - ubuntu2204
-          - debian10
+          - ubuntu2404
           - debian11
           - debian12
           - amazon2023

.github/workflows/os_hardening_vm.yml

@@ -41,10 +41,9 @@ jobs:
           - generic/rocky9
           - fedora/39-cloud-base
           - fedora/40-cloud-base
-          - generic/ubuntu1804
           - generic/ubuntu2004
           - generic/ubuntu2204
-          - generic/debian10
+          - alvistack/ubuntu-24.04
           - generic/debian11
           - generic/debian12
           - generic/opensuse15

.github/workflows/ssh_hardening.yml

@@ -41,10 +41,9 @@ jobs:
           - rocky9
           - fedora39
           - fedora40
-          - ubuntu1804
           - ubuntu2004
           - ubuntu2204
-          - debian10
+          - ubuntu2404
           - debian11
           - debian12
           - amazon2023

.github/workflows/ssh_hardening_custom_tests.yml

@@ -41,10 +41,9 @@ jobs:
           - rocky9
           - fedora39
           - fedora40
-          - ubuntu1804
           - ubuntu2004
           - ubuntu2204
-          - debian10
+          - ubuntu2404
           - debian11
           - debian12
           - amazon2023

README.md

@@ -15,8 +15,8 @@ This collection provides battle tested hardening for:
 - Linux operating systems:
   - CentOS 9
   - Rocky Linux 8/9
-  - Debian 10/11/12
-  - Ubuntu 18.04/20.04/22.04
+  - Debian 11/12
+  - Ubuntu 20.04/22.04/24.04
   - Amazon Linux (some roles supported)
   - Arch Linux (some roles supported)
   - Fedora 39/40 (some roles supported)

molecule/mysql_hardening/prepare.yml

@@ -26,13 +26,6 @@
       when:
         - ansible_os_family == 'Suse'
 
-    - name: Use Python 2 on Debian 10
-      ansible.builtin.set_fact:
-        ansible_python_interpreter: /usr/bin/python
-      when:
-        - ansible_distribution == 'Debian'
-        - ansible_distribution_major_version|int == 10
-
     - name: Run the equivalent of "apt-get update && apt-get upgrade"
       ansible.builtin.apt:
         upgrade: safe

molecule/ssh_hardening/prepare.yml

@@ -62,12 +62,6 @@
         update_cache: true
       when: ansible_facts.os_family == 'Archlinux'
 
-    - name: Created needed directory
-      ansible.builtin.file:
-        path: /var/run/sshd
-        state: directory
-        mode: "0755"
-
     - name: Create ssh host keys # noqa ignore-errors
       ansible.builtin.command: ssh-keygen -A
       when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')

molecule/ssh_hardening_bsd/prepare.yml

@@ -18,12 +18,6 @@
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
-    - name: Created needed directory
-      ansible.builtin.file:
-        path: /var/run/sshd
-        state: directory
-        mode: "0755"
-
     - name: Create ssh host keys # noqa ignore-errors
       ansible.builtin.command: ssh-keygen -A
       when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')

molecule/ssh_hardening_custom_tests/prepare.yml

@@ -62,12 +62,6 @@
         update_cache: true
       when: ansible_facts.os_family == 'Archlinux'
 
-    - name: Created needed directory
-      ansible.builtin.file:
-        path: /var/run/sshd
-        state: directory
-        mode: "0755"
-
     - name: Create ssh host keys # noqa ignore-errors
       ansible.builtin.command: ssh-keygen -A
       when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')

roles/mysql_hardening/meta/main.yml

@@ -12,13 +12,13 @@ galaxy_info:
         - "9"
     - name: Ubuntu
       versions:
-        - bionic
         - focal
         - jammy
+        - noble
     - name: Debian
       versions:
         - bullseye
-        - buster
+        - bookworm
     - name: Amazon
     - name: opensuse
   galaxy_tags:

roles/nginx_hardening/meta/main.yml

@@ -12,12 +12,12 @@ galaxy_info:
         - "9"
     - name: Ubuntu
       versions:
-        - bionic
         - focal
         - jammy
+        - noble
     - name: Debian
       versions:
-        - buster
+        - bookworm
         - bullseye
     - name: Amazon
   galaxy_tags:

roles/os_hardening/meta/main.yml

@@ -12,12 +12,12 @@ galaxy_info:
         - "9"
     - name: Ubuntu
       versions:
-        - bionic
         - focal
         - jammy
+        - noble
     - name: Debian
       versions:
-        - buster
+        - bookworm
         - bullseye
     - name: Amazon
     - name: Fedora

roles/ssh_hardening/meta/main.yml

@@ -12,12 +12,12 @@ galaxy_info:
         - "9"
     - name: Ubuntu
       versions:
-        - bionic
         - focal
         - jammy
+        - noble
     - name: Debian
       versions:
-        - buster
+        - bookworm
         - bullseye
     - name: Amazon
     - name: Fedora

roles/ssh_hardening/tasks/disable-systemd-socket.yml

@@ -1,8 +1,12 @@
 ---
 - name: Remove ssh service systemd-socket file
   ansible.builtin.file:
-    path: /etc/systemd/system/ssh.service.d/00-socket.conf
+    path: "{{ item }}"
     state: absent
+  loop:
+    - /etc/systemd/system/ssh.service.d/00-socket.conf
+    - /etc/systemd/system/ssh.service.requires/ssh.socket
+    - /etc/systemd/system/sockets.target.wants/ssh.socket
 
 - name: Disable systemd-socket activation
   ansible.builtin.systemd:

roles/ssh_hardening/tasks/install.yml

@@ -17,6 +17,18 @@
     - (ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version is version('22.04', '>=')) or
       (ansible_facts.os_family == 'Debian' and ansible_facts.distribution_major_version is version('12', '>='))
 
+- name: Ensure privilege separation directory exists
+  ansible.builtin.file:
+    path: /run/sshd
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+  when:
+    - ssh_server_hardening | bool
+    - ssh_server_enabled | bool
+    - ansible_facts.os_family == 'Debian'
+
 - name: Enable or disable sshd service
   ansible.builtin.service:
     name: "{{ sshd_service_name }}"