Releases: dev-sec/ansible-collection-hardening
7.9.0
Changelog
7.9.0 (2021-07-22)
Implemented enhancements:
- Allow configuration of password remember in pam #467 [os_hardening] (m41kc0d3)
- Add CVE-2021-33909 mitigations #466 [os_hardening] (kravietz)
- Add SUB_UID_MIN/MAX/COUNT, SUB_GID_MIN/MAX/COUNT #463 [os_hardening] (elgalu)
- Add os_auth_uid_max, os_auth_gid_max #461 [os_hardening] (elgalu)
Closed issues:
- MySQL hardening fails because of missing attribute #464
- devsec.hardening.os_hardening breaks pmlogger_daily on Oracle Linux 8 (maybe RHEL 8 too) #460
- add "when" statements for every import_tasks in hardening.yml #453
Merged pull requests:
7.8.0
Changelog
7.8.0 (2021-07-01)
Implemented enhancements:
- SHA_CRYPT_MIN_ROUNDS should be increased in login.defs #365 [os_hardening]
- Add support for Rocky Linux 8 #454 [mysql_hardening] [os_hardening] [ssh_hardening] (sherwind)
- make sha rounds configurable and increase no of rounds #452 [os_hardening] (rndmh3ro)
Fixed bugs:
- add tag always to os dependent vars task #456 [mysql_hardening] [os_hardening] [ssh_hardening] (schurzi)
- Use include_tasks for os_hardening/main.yml #451 [os_hardening] (coadler)
Closed issues:
- add "when" statements for every import_tasks in hardening.yml #453
- Disable IPv6 | sysctl-18 net.ipv6.conf.all.disable_ipv6: 1 #406 [os_hardening]
Merged pull requests:
- Cleanup old OS-support and simplify vars #458 [os_hardening] [ssh_hardening] (rndmh3ro)
- add rocky linux 8 tests and make sure that all relevant tasks are execd #457 [mysql_hardening] [nginx_hardening] [os_hardening] [ssh_hardening] (rndmh3ro)
- add "when" statements in hardening.yml(#453) #455 [os_hardening] (jqiuyin)
- enable ipv6 globally #450 [os_hardening] [ssh_hardening] (rndmh3ro)
7.7.0
Changelog
7.7.0 (2021-05-24)
Implemented enhancements:
- Add tasks for new controls #123
- ssh_allow_tcp_forwarding remote option added #447 [ssh_hardening] (alimli)
Fixed bugs:
- Warning: iptables-legacy tables present, Debian 10 #274
- Check for MariaDB Version when selecting users without passwords #444 [mysql_hardening] (neubi4)
- Adds dependency on ansible.posix and community.general #415 (irl)
Closed issues:
- No dependency on ansible.posix collection #414
- No dependency on community.general #413
- in lxc/docker/openvz IPv6 is always disabled by ufw-configuration #402
- Allow login_unix_socket to be specified #327
Merged pull requests:
7.6.0
Changelog
7.6.0 (2021-04-27)
Implemented enhancements:
Fixed bugs:
Closed issues:
- Support HostKeyAlgorithms configuration for ssh_client file #441
Merged pull requests:
- fixed a typo in comments #439 (ssttehrani)
7.5.0
Changelog
7.5.0 (2021-04-01)
Implemented enhancements:
Fixed bugs:
- SSH kex [email protected] replaced #433
- Fix ssh kex [email protected] for openssh >= 8.5 #437 (BenjaminBoehm)
Closed issues:
- Harden user home directories #276
Merged pull requests:
- remove secure-auth param if mysql >= 8.0.3 #438 (rndmh3ro)
- Improved comments. #436 (joubbi)
- os_auth_pam_pwquality_options: Changed type to authtok_type #432 (joubbi)
- add restart-auditd handler after configuration change #427 (rndmh3ro)
- add new tasks to delete mysql users without passwords #423 (rndmh3ro)
- Uppercased first letter of task names. #422 (joubbi)
7.4.0
Changelog
7.4.0 (2021-03-23)
Closed issues:
- Errors in packer build for vagrant builder #244
Merged pull requests:
- Use pam_pwhistory.so instead of pam_unix.so for remembering old passwords #431 (joubbi)
- Remove comments from PAM config file, but keep it in the template #430 (joubbi)
- add support for using a proxy to test with molecule #429 (rndmh3ro)
- Harden user home dirs #428 (rndmh3ro)
- Improve Documentation for sysctl defaults #418 (joubbi)
- Ensure permissions on /etc/crontab are configured #405 (joubbi)
7.3.0
Changelog
7.3.0 (2021-03-16)
Implemented enhancements:
- pam_tally2 is deprecated in RHEL8 and pam_faillock should be used in EL7 and EL8 instead. #377
- Replace pam_tally2 with pam_faillock in Redhat #273
- Extend GSSAPI configuration support to ssh_config #403 (wzzrd)
- add restart handler variable for mysql role #399 (rndmh3ro)
- restructure PAM handling and update for currently supported Linux distributions #392 (schurzi)
Fixed bugs:
- Not able to use sudo command for user authenticated via ActiveDirectory #278
- You shouldn't touch /etc/pam.d/system-auth-ac in RedHat/CentOS #252
Closed issues:
- Netdata monitoring of docker in docker no longer possible #412
- Unable to connect with SSH (Permission denied (publickey)) #411
- TASK [os_hardening : configure auditd | package-08] #410
- Collection throws undefined ansible_role_name error in auditd task #409
- Ensure permissions on /etc/crontab are configured #375
- Documentation should be updated #361
Merged pull requests:
- Improve Release Action #421 (schurzi)
- remove FQCN from roles in examples #420 (schurzi)
- Ensure permissions on /etc/crontab are configured #405 (joubbi)
- remove FQCN from roles in examples #404 (schurzi)
- do not install mysql python package on target host #401 (rndmh3ro)
- make wrong password fail task #400 (rndmh3ro)
7.2.0
Changelog
7.2.0 (2021-02-10)
Implemented enhancements:
- Add variable to specify SSH host RSA key size #394 (Normo)
- Set default for ssh host key files only when hardening the server #393 (Normo)
Fixed bugs:
- A reason why instance would go in rescue mode ? #267
- fix galaxy action to update local galaxy.yml #395 (Normo)
Closed issues:
- Updating version in galaxy.yml should be part of the release process #396
- ssh_hardening fail on keypair generation #388
- The system must display the date and time of the last successful account logon upon an SSH logon. #362
- Error in "root password is present" step #326
Merged pull requests:
- update ansible-lint to version 5 #397 (schurzi)
- fix minimum required ansible version in docs #390 (schurzi)
* This Changelog was automatically generated by github_changelog_generator
7.1.1
Changelog
7.1.1 (2021-02-05)
Fixed bugs:
Closed issues:
- ssh_hardening fail on keypair generation #388
- AnsibleUndefinedVariable: 'ansible_role_name' is undefined with 7.1.0 #387
Merged pull requests:
7.1.0
Changelog
7.1.0 (2021-02-02)
Implemented enhancements:
- Default value for ssh_max_startups should be changed #366
- Comment in configuration files should state which collection was there #345
- Error on applying the sysctl vars on Debian Jessie #230
- add Support for OpenSSH HostCertificate config option #380 (mpraeger)
- Syncookie #372 (joubbi)
- Sorted sysctl values and lists in READMEs alphabetically (No functional changes). #371 (joubbi)
- make auditd 'max_log_file' configurable #370 (tgueldner-mms)
- reduce maximum unauthenticated ssh sessions #368 (schurzi)
- add a runtime.yml to declare minimum ansible version #363 (rndmh3ro)
- change inclusion of os specific defaults #353 (schurzi)
- make the os_env_umask variable usable #351 (sprat)
- Fix #348: make ssh configuration files paths configurable #350 (sprat)
- Removed Protocol statement in later versions of sshd, since the code … #342 (joubbi)
- Improvements of comments in opensshd.conf.j2 #338 #339 (joubbi)
Fixed bugs:
- Comments in opensshd.conf.j2 should be improved #338
- check for correct cpu vendor in initramfs-tools #374 (schurzi)
- set hidepid=0 on RHEL/CentOS 7 #369 (schurzi)
Closed issues:
- initramfs-tools modules.j2 does not seem to be able to detect AMD CPUs #373
- How do i install this on Centos 8? #367
- hidepid=2 gives error when running systemctl on EL7 #364
- Allow putting the ssh/sshd config in alternative files #348
- os_env_umask has no effect #344
- Don't modify /etc/sysctl.conf #343
Merged pull requests:
- use version tag for changelog action #386 (schurzi)
- make release workflow manually runnable #384 (schurzi)
- run labeler workflow with higher privileges #383 (schurzi)
- remove issue labels from changelog #382 (schurzi)
- Added comment on top of templates about which role manages the file #378 (joubbi)
- Regenerate RSA key with size 4096 bits #376 (ssttehrani)
- fix second changelog generation task, too #349 (rndmh3ro)
- fix changelog generation #341 (rndmh3ro)
- Improve README for ssh_hardening #335 (szEvEz)