From 6d8f4dfbfb8a45298f93a5ed2c7224f0890bd690 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 20 Jun 2023 15:30:22 +0200 Subject: [PATCH 01/16] add debian 12 support Signed-off-by: Sebastian Gumprich --- .github/workflows/mysql_hardening.yml | 1 + .github/workflows/nginx_hardening.yml | 1 + .github/workflows/os_hardening.yml | 1 + .github/workflows/os_hardening_vm.yml | 1 + .github/workflows/ssh_hardening.yml | 1 + .github/workflows/ssh_hardening_custom_tests.yml | 1 + README.md | 6 +++--- 7 files changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/workflows/mysql_hardening.yml b/.github/workflows/mysql_hardening.yml index 9a241b095..94c04d41d 100644 --- a/.github/workflows/mysql_hardening.yml +++ b/.github/workflows/mysql_hardening.yml @@ -45,6 +45,7 @@ jobs: - ubuntu2204 - debian10 - debian11 + - debian12 # - amazon # geerlingguy.mysql does not support fedora # - arch # geerlingguy.mysql does not support arch - opensuse_tumbleweed diff --git a/.github/workflows/nginx_hardening.yml b/.github/workflows/nginx_hardening.yml index 076a4b5d4..08bc83d1f 100644 --- a/.github/workflows/nginx_hardening.yml +++ b/.github/workflows/nginx_hardening.yml @@ -44,6 +44,7 @@ jobs: - ubuntu2204 - debian10 - debian11 + - debian12 - amazon2023 # - arch # needs to be fixed # - opensuse_tumbleweed # needs to be fixed diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml index 8a198c7d2..13a0d1e6a 100644 --- a/.github/workflows/os_hardening.yml +++ b/.github/workflows/os_hardening.yml @@ -46,6 +46,7 @@ jobs: - ubuntu2204 - debian10 - debian11 + - debian12 - amazon2023 - opensuse_tumbleweed - arch diff --git a/.github/workflows/os_hardening_vm.yml b/.github/workflows/os_hardening_vm.yml index b1e62e2e5..ed663eceb 100644 --- a/.github/workflows/os_hardening_vm.yml +++ b/.github/workflows/os_hardening_vm.yml @@ -46,6 +46,7 @@ jobs: - ubuntu2204 - debian10 - debian11 + - debian12 - opensuse15 # - arch # needs fix for audit steps: 
diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml index ea6537de1..ae86418b3 100644 --- a/.github/workflows/ssh_hardening.yml +++ b/.github/workflows/ssh_hardening.yml @@ -46,6 +46,7 @@ jobs: - ubuntu2204 - debian10 - debian11 + - debian12 - amazon2023 - arch # - opensuse_tumbleweed # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?) diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml index af69e4038..ce99f41fe 100644 --- a/.github/workflows/ssh_hardening_custom_tests.yml +++ b/.github/workflows/ssh_hardening_custom_tests.yml @@ -46,6 +46,7 @@ jobs: - ubuntu2204 - debian10 - debian11 + - debian12 - amazon2023 - arch # - opensuse_tumbleweed # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?) diff --git a/README.md b/README.md index 789b37cff..d237e05ed 100644 --- a/README.md +++ b/README.md @@ -11,9 +11,9 @@ This collection provides battle tested hardening for: - Linux operating systems: - - CentOS 7 - - Rocky Linux 8 - - Debian 10/11 + - CentOS 7/8/9 + - Rocky Linux 8/9 + - Debian 10/11/12 - Ubuntu 18.04/20.04/22.04 - Amazon Linux (some roles supported) - Arch Linux (some roles supported) From 7f8b34e0fbff6d6cc6d9f9fcad1e8e8c30889b3d Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Wed, 21 Jun 2023 13:40:11 +0200 Subject: [PATCH 02/16] temp disable pam-checks Signed-off-by: Sebastian Gumprich --- molecule/os_hardening/verify.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml index 58e6d6794..4fb868ba9 100644 --- a/molecule/os_hardening/verify.yml +++ b/molecule/os_hardening/verify.yml 
@@ -16,9 +16,10 @@ - verify_tasks/netrc.yml - verify_tasks/ignore_home_folders.yml - - name: include PAM tests - include_tasks: verify_tasks/pam.yml - when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat' +# temporarily excluded until pam-tester is fixed +# - name: include PAM tests +# include_tasks: verify_tasks/pam.yml +# when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat' - name: include YUM tests include_tasks: verify_tasks/yum.yml From 49e8d4fdda33effd0697c67ee10dcef37a4b4d7b Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Wed, 21 Jun 2023 14:36:11 +0200 Subject: [PATCH 03/16] remove debian12 from vagrant tests as there's no box yet Signed-off-by: Sebastian Gumprich --- .github/workflows/os_hardening_vm.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/os_hardening_vm.yml b/.github/workflows/os_hardening_vm.yml index ed663eceb..f1d49b8a4 100644 --- a/.github/workflows/os_hardening_vm.yml +++ b/.github/workflows/os_hardening_vm.yml @@ -46,7 +46,7 @@ jobs: - ubuntu2204 - debian10 - debian11 - - debian12 + # - debian12 # waiting for https://github.com/lavabit/robox/pull/274 - opensuse15 # - arch # needs fix for audit steps: From 186b36d9542498ae6ec63b8d93d086a7b5a1b683 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 1 Aug 2023 09:00:13 +0200 Subject: [PATCH 04/16] use new pam-tester from pip Signed-off-by: Sebastian Gumprich --- molecule/os_hardening/verify_tasks/pam.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/molecule/os_hardening/verify_tasks/pam.yml b/molecule/os_hardening/verify_tasks/pam.yml index 62bdb3305..8bde33ab7 100644 --- a/molecule/os_hardening/verify_tasks/pam.yml +++ b/molecule/os_hardening/verify_tasks/pam.yml 
@@ -1,9 +1,8 @@ --- -- name: download pam-tester - get_url: - url: https://github.com/schurzi/pam-tester/releases/download/latest/pam-tester - dest: /bin/pam-tester - mode: 0555 +- name: install qpam-tester + ansible.builtin.pip: + name: pam-tester + state: present - name: set password for test set_fact: From f901b684ba53529ac71df3bb60bc893d17bfd153 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 1 Aug 2023 09:29:17 +0200 Subject: [PATCH 05/16] use new pam-tester from pip Signed-off-by: Sebastian Gumprich --- molecule/os_hardening/verify.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml index 4fb868ba9..58e6d6794 100644 --- a/molecule/os_hardening/verify.yml +++ b/molecule/os_hardening/verify.yml @@ -16,10 +16,9 @@ - verify_tasks/netrc.yml - verify_tasks/ignore_home_folders.yml -# temporarily excluded until pam-tester is fixed -# - name: include PAM tests -# include_tasks: verify_tasks/pam.yml -# when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat' + - name: include PAM tests + include_tasks: verify_tasks/pam.yml + when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat' - name: include YUM tests include_tasks: verify_tasks/yum.yml From 6ca2f114335ab71765f1ed90541dc304f3855fe1 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 1 Aug 2023 12:49:53 +0200 Subject: [PATCH 06/16] add setuptoolks to pam-tester install Signed-off-by: Sebastian Gumprich --- molecule/os_hardening/verify_tasks/pam.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/molecule/os_hardening/verify_tasks/pam.yml b/molecule/os_hardening/verify_tasks/pam.yml index 8bde33ab7..83dedc173 100644 --- a/molecule/os_hardening/verify_tasks/pam.yml +++ b/molecule/os_hardening/verify_tasks/pam.yml 
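Review bot: The new `ansible.builtin.pip` task installs `pam-tester` by name only, so every CI run pulls whatever version PyPI serves at that moment, and the harness that verifies the PAM hardening (lockout, password rejection) can change underneath the suite — or be swapped out entirely if that PyPI name ever changes hands. Pin it, e.g. `name: "pam-tester==<the release that was being downloaded before>"`, and bump deliberately; the `get_url` it replaces fetched an unpinned `latest` with no `checksum:`, so this is the moment to close that gap rather than carry it over. I can't tell from the series whether the PyPI project is the same code as schurzi/pam-tester on GitHub; worth confirming once and recording in a comment above the task, e.g. `# pam-tester on PyPI is schurzi/pam-tester; pinned so the PAM checks run against a known build`.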
@@ -1,7 +1,9 @@ --- - name: install qpam-tester ansible.builtin.pip: - name: pam-tester + name: + - pam-tester + - setuptools state: present - name: set password for test From a2aae0f49b4c50f133f8b0376ad30f8858cae9d3 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 1 Aug 2023 13:13:16 +0200 Subject: [PATCH 07/16] add setuptoolks to pam-tester install Signed-off-by: Sebastian Gumprich --- molecule/os_hardening/verify_tasks/pam.yml | 2 +- molecule/os_hardening_vm/verify_tasks/pam.yml | 11 ++++++----- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/molecule/os_hardening/verify_tasks/pam.yml b/molecule/os_hardening/verify_tasks/pam.yml index 83dedc173..a2387671c 100644 --- a/molecule/os_hardening/verify_tasks/pam.yml +++ b/molecule/os_hardening/verify_tasks/pam.yml @@ -1,5 +1,5 @@ --- -- name: install qpam-tester +- name: install pam-tester ansible.builtin.pip: name: - pam-tester diff --git a/molecule/os_hardening_vm/verify_tasks/pam.yml b/molecule/os_hardening_vm/verify_tasks/pam.yml index 62bdb3305..a2387671c 100644 --- a/molecule/os_hardening_vm/verify_tasks/pam.yml +++ b/molecule/os_hardening_vm/verify_tasks/pam.yml @@ -1,9 +1,10 @@ --- -- name: download pam-tester - get_url: - url: https://github.com/schurzi/pam-tester/releases/download/latest/pam-tester - dest: /bin/pam-tester - mode: 0555 +- name: install pam-tester + ansible.builtin.pip: + name: + - pam-tester + - setuptools + state: present - name: set password for test set_fact: From c9d6d981a30a4defdb51564a17760b945d2aa101 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 1 Aug 2023 13:39:06 +0200 Subject: [PATCH 08/16] add setuptoolks to pam-tester install Signed-off-by: Sebastian Gumprich --- molecule/os_hardening/verify_tasks/pam.yml | 10 +++++++--- molecule/os_hardening_vm/verify_tasks/pam.yml | 9 ++++++--- 2 files changed, 13 insertions(+), 6 deletions(-) 
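Review bot: After this change `molecule/os_hardening/verify_tasks/pam.yml` and `molecule/os_hardening_vm/verify_tasks/pam.yml` are byte-identical (both at blob a2387671c), and the rest of the series shows them drifting apart again patch by patch (setuptools handling, pip3 path). Two copies of the PAM verification mean a fix to the lockout check in one scenario can silently miss the other; keep one file and include it from both scenarios, e.g. `ansible.builtin.include_tasks: ../os_hardening/verify_tasks/pam.yml` in the vm scenario, or move it to a directory both share. The same pinning caveat as for the container scenario applies to this hunk: `name: pam-tester` with no version lets PyPI decide what the hardening tests run against.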
diff --git a/molecule/os_hardening/verify_tasks/pam.yml b/molecule/os_hardening/verify_tasks/pam.yml index a2387671c..b5188ef41 100644 --- a/molecule/os_hardening/verify_tasks/pam.yml +++ b/molecule/os_hardening/verify_tasks/pam.yml @@ -1,9 +1,13 @@ --- + +- name: install pip + package: + name: python3-pip + state: present + - name: install pam-tester ansible.builtin.pip: - name: - - pam-tester - - setuptools + name: pam-tester state: present - name: set password for test diff --git a/molecule/os_hardening_vm/verify_tasks/pam.yml b/molecule/os_hardening_vm/verify_tasks/pam.yml index a2387671c..9d8e16e71 100644 --- a/molecule/os_hardening_vm/verify_tasks/pam.yml +++ b/molecule/os_hardening_vm/verify_tasks/pam.yml @@ -1,9 +1,12 @@ --- +- name: install pip + package: + name: python3-pip + state: present + - name: install pam-tester ansible.builtin.pip: - name: - - pam-tester - - setuptools + name: pam-tester state: present - name: set password for test From c678514bb6c8653475cb39abbddf6a3c83165a82 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 1 Aug 2023 13:55:02 +0200 Subject: [PATCH 09/16] add setuptoolks to pam-tester install Signed-off-by: Sebastian Gumprich --- molecule/os_hardening_vm/verify_tasks/pam.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/molecule/os_hardening_vm/verify_tasks/pam.yml b/molecule/os_hardening_vm/verify_tasks/pam.yml index 9d8e16e71..bfbb7a3b1 100644 --- a/molecule/os_hardening_vm/verify_tasks/pam.yml +++ b/molecule/os_hardening_vm/verify_tasks/pam.yml @@ -1,7 +1,9 @@ --- - name: install pip package: - name: python3-pip + name: + - python3-pip + - python3-setuptools state: present - name: install pam-tester From 5fbed64dd401df03bda0dfb73ddf14736aef4230 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Fri, 4 Aug 2023 09:59:41 +0200 Subject: [PATCH 10/16] install pam-tester with python3 and use full path to it 
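Review bot: Installing `python3-pip` with `package:` and then running `pip install pam-tester` into the system site-packages is likely to be refused on the debian12 target this series adds: Debian 12's python3-pip ships the PEP 668 EXTERNALLY-MANAGED marker, so a bare system-wide `pip install` normally exits with an error unless `--break-system-packages` is passed — I can't tell from the series whether the debian12 run passed with this hunk. Separately, both tasks mutate the hardened host under test (new packages, root-owned files under /usr/local) before the verification runs. A virtualenv addresses both: `virtualenv: /var/tmp/pam-tester-venv` plus `virtualenv_command: "python3 -m venv"` on the pip task, and the later checks call the venv's `bin/pam-tester`; on Debian/Ubuntu this additionally needs `python3-venv`, which the `package:` list can add under `when: ansible_facts.os_family == 'Debian'` since the RedHat family ships venv with python3. If the maintainers prefer to keep the system install, a comment stating why (`# installed system-wide on purpose: the host is discarded after verify`) would save the next reader the same question.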
Signed-off-by: Sebastian Gumprich --- molecule/os_hardening/verify_tasks/pam.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/molecule/os_hardening/verify_tasks/pam.yml b/molecule/os_hardening/verify_tasks/pam.yml index b5188ef41..274ba436b 100644 --- a/molecule/os_hardening/verify_tasks/pam.yml +++ b/molecule/os_hardening/verify_tasks/pam.yml @@ -9,6 +9,7 @@ ansible.builtin.pip: name: pam-tester state: present + executable: /usr/bin/pip3 - name: set password for test set_fact: @@ -28,7 +29,7 @@ - name: check successful login with correct password shell: - cmd: "pam-tester --user testuser --password {{ test_pw }}" + cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}" environment: TMPDIR: /var/tmp LC_ALL: "{{ locale | default('C.UTF-8') }}" From 35d3e6aa9d8454c5a2c6039c9b95e084f1d5a3dc Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Fri, 4 Aug 2023 10:59:19 +0200 Subject: [PATCH 11/16] install python3-setupttools in verify-tests Signed-off-by: Sebastian Gumprich --- molecule/os_hardening/verify_tasks/pam.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/molecule/os_hardening/verify_tasks/pam.yml b/molecule/os_hardening/verify_tasks/pam.yml index 274ba436b..d8ce47e1f 100644 --- a/molecule/os_hardening/verify_tasks/pam.yml +++ b/molecule/os_hardening/verify_tasks/pam.yml @@ -2,7 +2,9 @@ - name: install pip package: - name: python3-pip + name: + - python3-pip + - python3-setuptools state: present - name: install pam-tester From c87fe430c7fa7eda30bad31a58d8645c06d1f342 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Fri, 4 Aug 2023 10:59:32 +0200 Subject: [PATCH 12/16] fix path for pam-tester in all tests Signed-off-by: Sebastian Gumprich --- molecule/os_hardening/verify_tasks/pam.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/molecule/os_hardening/verify_tasks/pam.yml b/molecule/os_hardening/verify_tasks/pam.yml index d8ce47e1f..c71cae010 100644 
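Review bot: `shell:` with `cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"` hands the password to a shell for parsing and leaves it in the logged command line, in argv and in the process list. The command uses no shell features, so `ansible.builtin.command` with `argv:` passes each token as a single argument with no quoting or `$`-expansion hazards; add `no_log: true` if `test_pw` is ever anything other than a throwaway value (its `set_fact` is outside the hunk, so I can't see what it holds). The `executable: /usr/bin/pip3` in the first hunk and the hard-coded `/usr/local/bin` here both assume a root system install; that holds for Debian/Ubuntu and RedHat-family hosts today but silently breaks for a venv or `--user` install, so a one-line comment such as `# pip as root installs console scripts to /usr/local/bin on all matrix hosts` would make the assumption visible. The task's remaining keywords lie outside the hunk.
```yaml
- name: check successful login with correct password
  ansible.builtin.command:
    argv:
      - /usr/local/bin/pam-tester
      - --user
      - testuser
      - --password
      - "{{ test_pw }}"
  environment:
    TMPDIR: /var/tmp
    LC_ALL: "{{ locale | default('C.UTF-8') }}"
  # … unchanged: remaining task keywords (outside the hunk) …
```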
--- a/molecule/os_hardening/verify_tasks/pam.yml +++ b/molecule/os_hardening/verify_tasks/pam.yml @@ -39,7 +39,7 @@ - name: check unsuccessful login with incorrect password shell: - cmd: "pam-tester --user testuser --password {{ test_pw }}fail --expectfail" + cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}fail --expectfail" environment: TMPDIR: /var/tmp LC_ALL: "{{ locale | default('C.UTF-8') }}" @@ -48,7 +48,7 @@ - name: check unsuccessful login, with correct password (lockout) shell: - cmd: "pam-tester --user testuser --password {{ test_pw }} --expectfail" + cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }} --expectfail" environment: TMPDIR: /var/tmp LC_ALL: "{{ locale | default('C.UTF-8') }}" @@ -60,7 +60,7 @@ - name: check successful login shell: - cmd: "pam-tester --user testuser --password {{ test_pw }}" + cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}" environment: TMPDIR: /var/tmp LC_ALL: "{{ locale | default('C.UTF-8') }}" From 00b6556e332dbac06ace86397b8e6a9481a8a1c4 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Fri, 4 Aug 2023 11:40:48 +0200 Subject: [PATCH 13/16] set python interpreter to 3 for verify-tests Signed-off-by: Sebastian Gumprich --- molecule/os_hardening/verify.yml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml index 58e6d6794..afb5cf4bf 100644 --- a/molecule/os_hardening/verify.yml +++ b/molecule/os_hardening/verify.yml 
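Review bot: The absolute path `/usr/local/bin/pam-tester` is now repeated in four `cmd:` strings (the three hunks here plus the one changed earlier in the series), which is exactly how the path fell out of step in the first place. Define it once next to the test password, e.g. `pam_tester_bin: /usr/local/bin/pam-tester` in that `set_fact`, and write `cmd: "{{ pam_tester_bin }} --user testuser --password {{ test_pw }}fail --expectfail"` in each task, so a change of install method (venv, `--user`) touches a single line. Note also that `{{ test_pw }}fail` is still interpolated into a `shell:` command, so the lockout check depends on `test_pw` containing no shell-significant characters; its definition is outside these hunks.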
@@ -7,14 +7,9 @@ https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" tasks: - - name: include verification tasks - ansible.builtin.include_tasks: - file: "{{ item }}" - loop: - - verify_tasks/sys_account_shell.yml - - verify_tasks/pw_ageing.yml - - verify_tasks/netrc.yml - - verify_tasks/ignore_home_folders.yml + - name: set ansible_python_interpreter to "/usr/bin/python3" + set_fact: + ansible_python_interpreter: "/usr/bin/python3" - name: include PAM tests include_tasks: verify_tasks/pam.yml From a1c44a14593ec674835ebc43c8ce3decacc9f167 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Fri, 4 Aug 2023 12:41:40 +0200 Subject: [PATCH 14/16] Revert "set python interpreter to 3 for verify-tests" This reverts commit 00b6556e332dbac06ace86397b8e6a9481a8a1c4. --- molecule/os_hardening/verify.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml index afb5cf4bf..58e6d6794 100644 --- a/molecule/os_hardening/verify.yml +++ b/molecule/os_hardening/verify.yml @@ -7,9 +7,14 @@ https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" tasks: - - name: set ansible_python_interpreter to "/usr/bin/python3" - set_fact: - ansible_python_interpreter: "/usr/bin/python3" + - name: include verification tasks + ansible.builtin.include_tasks: + file: "{{ item }}" + loop: + - verify_tasks/sys_account_shell.yml + - verify_tasks/pw_ageing.yml + - verify_tasks/netrc.yml + - verify_tasks/ignore_home_folders.yml - name: include PAM tests include_tasks: verify_tasks/pam.yml From a81b9bc0e6ea72a192446958f402541b77f9d8e8 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Fri, 4 Aug 2023 12:42:14 +0200 Subject: [PATCH 15/16] add back accidentally deleted tasks 
Signed-off-by: Sebastian Gumprich --- molecule/os_hardening/verify.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml index 58e6d6794..8641874b0 100644 --- a/molecule/os_hardening/verify.yml +++ b/molecule/os_hardening/verify.yml @@ -7,6 +7,10 @@ https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" tasks: + - name: set ansible_python_interpreter to "/usr/bin/python3" + set_fact: + ansible_python_interpreter: "/usr/bin/python3" + - name: include verification tasks ansible.builtin.include_tasks: file: "{{ item }}" From 8effc06c91dc710411248d71442a909dfa8e5671 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Fri, 22 Sep 2023 08:52:27 +0200 Subject: [PATCH 16/16] enable debian12 for vm tests Signed-off-by: Sebastian Gumprich --- .github/workflows/os_hardening_vm.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/os_hardening_vm.yml b/.github/workflows/os_hardening_vm.yml index f1d49b8a4..ed663eceb 100644 --- a/.github/workflows/os_hardening_vm.yml +++ b/.github/workflows/os_hardening_vm.yml @@ -46,7 +46,7 @@ jobs: - ubuntu2204 - debian10 - debian11 - # - debian12 # waiting for https://github.com/lavabit/robox/pull/274 + - debian12 - opensuse15 # - arch # needs fix for audit steps:
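Review bot: `set_fact: ansible_python_interpreter: "/usr/bin/python3"` silently switches the interpreter for every later task in the verify play and assumes `/usr/bin/python3` exists on each matrix host; if the aim is a host where interpreter discovery picks python2 (presumably — the series does not say), a missing python3 surfaces only as an obscure module failure in the next task. State the reason above the task, e.g. `# force python3 so the pip module installs pam-tester with pip3 rather than the discovered python2`, and if the image does not guarantee python3, precede it with an `ansible.builtin.package: name: python3` task or an `ansible.builtin.stat` assertion on the path. Declaring it at play level (`vars: ansible_python_interpreter: /usr/bin/python3`) would also make the override visible in the play header instead of buried among tasks.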