6.0.3

Changelog

6.0.3 (2020-06-06)

Full Changelog

Merged pull requests:

• unify changelog and release actions #279 (rndmh3ro)

* This Changelog was automatically generated by github_changelog_generator

6.0.2

Changelog

6.0.2 (2020-06-02)

Full Changelog

Merged pull requests:

• purge insecure packages #275 (chris-rock)

* This Changelog was automatically generated by github_changelog_generator

6.0.1

Changelog

6.0.1

Full Changelog

Implemented enhancements:

• add changelog and release workflow #271 (rndmh3ro)
• github action for changelog generation #270 (rndmh3ro)

* This Changelog was automatically generated by github_changelog_generator

ansible-os-hardening 6.0.0

6.0.0 (2020-04-13)

Full Changelog

Possibly Breaking Changes:

• On systems were SELinux is installed, it is now set to Enforcing.

Implemented enhancements:

• Configure audit=1 for more accurate auid auditing #253
• Add Debian Buster support for ansible-os-hardening #233
• Add CentOS 8 support for ansible-os-hardening #232
• Add selinux configuration #154
• Make useradd defaults in login.defs dependent on OS #266 (Aisbergg)
• Add kernel hardening parameters from Tails and CIS Benchmark #263 (kravietz)
• add ansible-lint #262 (rndmh3ro)
• Remove trailing space #261 (kravietz)
• Add kernel parameter information to README #259 (jaredledvina)
• Remove trailing whitespaces (ansible-lint 201) #254 (kravietz)
• Standardize the var ordering #251 (dustinmiller1337)
• Add intial support for OpenSUSE #250 (dustinmiller1337)
• Make max_log_file_action for auditd configurable #246 (jandd)
• Add exception in sysctl task #240 (okupriyanov)
• Fedora - Use new auto ansible_python_interpreter for dnf #239 (jaredledvina)
• add test support for CentOS8 #237 (yeoldegrove)
• Support configuring SELinux and default to enforcing #236 (jaredledvina)
• Add test support for debian buster #234 (123Haynes)
• Changed local var name to a less common one #231 (rgarrigue)
• Use ansible facts for vars #226 (joshuatalb)

Fixed bugs:

• Invalid Conditionals in user_accounts.yml #255
• auth-system related files are created for non-RHEL systems (e.g. Debian) #247
• NSA website links are stale #227
• Running ansible on python3 throughs "TypeError: '<=' not supported between instances of 'str' and 'int'" #223
• [lots of] deprecation warnings in Ansible 2.8 #221
• Add a "don't fail on error" switch ? #148
• Addressing issue #255 #258 (ljkimmel)
• Fix #247, cleanup conditions #248 (fernandezcuesta)
• Fix error on applying the sysctl vars on containers #243 (okupriyanov)
• Update location of NSA RHEL 5 Guide #235 (jaredledvina)

Ansible-os-hardening 5.2.1

5.2.1 (2019-06-09)

Full Changelog

This release is a bugfix-release that fixes deprecation warnings in Ansible 2.8.

Implemented enhancements:

• Fix deprecation warnings in Ansible 2.8 #224 (Normo)
• add docs to find-task in minimize access. fix #219 #220 (rndmh3ro)

Fixed bugs:

• squash\_actions deprecation warning #218

Ansible-os-hardening 5.2.0

5.2.0 (2019-05-04)

Full Changelog

Implemented enhancements:

• Speed up "minimize access on found files" task #208
• Fedora support? #163
• remove eol'd OS and add new #217 (rndmh3ro)
• Add note about docker under warning #214 (ChrisMcKee)
• change minimize access tasks to speed them up #209 (rndmh3ro)
• Added fedora support #206 (jonaswre)
• Pass package list directly to apt and yum modules without using with_items loop #200 (Normo)

Fixed bugs:

• login.defs.j2 template: ENV_PATH is missing ':' before variable substitution #202
• 'sysctl_rhel_config' is undefined #167
• RHEL 7.4: Too many setuid bits removed #140
• Fix typo #212 (ruslo)
• Update modprobe to 0644 #211 (joshuatalb)
• Test Kitchen Vagrant Fixes #210 (joshuatalb)
• [readme] Update documentation link #207 (pmav99)
• fix ansible lint remarks #204 (rndmh3ro)
• add colon to user env paths - fix #202 #203 (rndmh3ro)
• Fix errors produced by ansible-lint #159 (zbrojny120)

Ansible-os-hardening 5.1.0

5.1.0 (2018-10-17)

Full Changelog

Implemented enhancements:

• add ubuntu 1804 support #196 (rndmh3ro)
• add option to disable auditd #192 (rndmh3ro)

Fixed bugs:

• auditd causing v5.0 to fail on unpriviledged LXC's #191
• Setting os_security_users_allow has no effect #175
• add /usr/bin/su to suid_guid whitelist #199 (ccolic)
• ensure that permissions to su-binary are not restricted to root user and group only, if os_security_users_allow contains the value change_user #197 (szEvEz)

ansible-os-hardening 5.0.0

5.0.0 (2018-09-02)

Full Changelog

Breaking Changes:

This role requires ansible version 2.5.0!

Implemented enhancements:

• Warning about "include" for tasks for ansible-playbook 2.4.0 (devel f0a5854e39) #131
• fix problems with efi and vfat #190 (rndmh3ro)
• added os_hardening_enabled flag #186 (jcheroske)
• add amazon run opts to travis #183 (rndmh3ro)
• use package instead of yum and apt #180 (rndmh3ro)
• add oracle7 to travis #178 (rndmh3ro)
• fix wrong permissions passwdqc #170 #176 (rndmh3ro)
• ipv4 forwarding comment is inconsistent with example #174 (carchrae)
• Rename pam_passwdqd.j2 to pam_passwdqc.j2 #172 (martinbydefault)
• Use package state 'present' since 'installed' is deprecated #168 (Normo)
• Update syntax to Ansible 2.4 #161 (thomasjpfan)
• add amazon linux testing #160 (rndmh3ro)
• Add support for Amazon Linux #158 (woneill)
• install and configure auditd - fix inspec package-08 #144 (rndmh3ro)
• Remove deprecated include for static tasks and use instead import_tasks fix #131 #132 (HelioCampos)

Fixed bugs:

• minimize_access: maximum recursion depth exceeded on Ansible 2.5 #171
• wrong permissions passwdqc #170
• Update deprecated include statements #166
• Strongly recommend against disabling vfat by default #162
• System completely unresponsive after role execution #145
• do not install passwdqc on amazon linux #189 (rndmh3ro)
• add back run opts for debian 8 in travis #184 (rndmh3ro)
• Fix core dump config file creation when core dumps are disabled #182 (Normo)
• change minimize access method #181 (rndmh3ro)

ansible-os-hardening 4.3.0

4.3.0 (2018-01-03)

Full Changelog

Implemented enhancements:

• Update some RH settings in this role #155
• Removal of core dump hardening configuration if core dumps are allowed #129
• Don't create home for system accounts #156 (oakey-b1)
• Prevent disabling of filesystems via whitelist #153 (pinguinkiste)
• Add kernel hardening settings from Ubuntu /etc/sysctl.d #150 (kravietz)
• Removal of core dump hardening configuration if core dumps are allowed #146 (martinbydefault)
• add missing sysctl parameter #143 (rndmh3ro)
• update readme #139 (rndmh3ro)

Fixed bugs:

• bug in ufw.j2 template #151
• os_security_kernel_enable_sysrq is not implemented #115
• replace single ticks with double ticks. fix #151 #152 (rndmh3ro)
• fixed tag #149 (martinbydefault)

Closed issues:

• ansible hardening fails on ubuntu 16.04 with msg": "ERROR! 'sysctl_rhel_config' is undefined #147
• Enhancement: Test with TestInfra and Molecule #128

Merged pull requests:

• move defaults to os-specific vars #157 (rndmh3ro)

ansible-os-hardening 4.2.0

4.2.0 (2017-08-08)

Full Changelog

Implemented enhancements:

• add modprobe template, control os-10 #138 (rndmh3ro)
• new task for delete netrc files, control os-09 #137 (rndmh3ro)
• add passwd task, control os-03 #136 (rndmh3ro)
• remove prelink package, control package-09 #135 (rndmh3ro)
• style update #134 (rndmh3ro)
• Fix ansible.cfg and use comment filter #130 (fazlearefin)

Fixed bugs:

• Why is rsync removed? #141
• playbook makes OS undetectable #124
• Centos7/RHEL7: Exec shield is enabled by default and not manageable anymore by sysctl.conf #118
• Remove rsync from package blacklist #142 (duk3luk3)

Merged pull requests:

• remove execshield sysctl-parameter on rhel7 #119 (rndmh3ro)