ansible-os-hardening 5.0.0

5.0.0 (2018-09-02)

Full Changelog

Breaking Changes:

This role requires ansible version 2.5.0!

Implemented enhancements:

• Warning about "include" for tasks for ansible-playbook 2.4.0 (devel f0a5854e39) #131
• fix problems with efi and vfat #190 (rndmh3ro)
• added os_hardening_enabled flag #186 (jcheroske)
• add amazon run opts to travis #183 (rndmh3ro)
• use package instead of yum and apt #180 (rndmh3ro)
• add oracle7 to travis #178 (rndmh3ro)
• fix wrong permissions passwdqc #170 #176 (rndmh3ro)
• ipv4 forwarding comment is inconsistent with example #174 (carchrae)
• Rename pam_passwdqd.j2 to pam_passwdqc.j2 #172 (martinbydefault)
• Use package state 'present' since 'installed' is deprecated #168 (Normo)
• Update syntax to Ansible 2.4 #161 (thomasjpfan)
• add amazon linux testing #160 (rndmh3ro)
• Add support for Amazon Linux #158 (woneill)
• install and configure auditd - fix inspec package-08 #144 (rndmh3ro)
• Remove deprecated include for static tasks and use instead import_tasks fix #131 #132 (HelioCampos)

Fixed bugs:

• minimize_access: maximum recursion depth exceeded on Ansible 2.5 #171
• wrong permissions passwdqc #170
• Update deprecated include statements #166
• Strongly recommend against disabling vfat by default #162
• System completely unresponsive after role execution #145
• do not install passwdqc on amazon linux #189 (rndmh3ro)
• add back run opts for debian 8 in travis #184 (rndmh3ro)
• Fix core dump config file creation when core dumps are disabled #182 (Normo)
• change minimize access method #181 (rndmh3ro)

ansible-os-hardening 4.3.0

4.3.0 (2018-01-03)

Full Changelog

Implemented enhancements:

• Update some RH settings in this role #155
• Removal of core dump hardening configuration if core dumps are allowed #129
• Don't create home for system accounts #156 (oakey-b1)
• Prevent disabling of filesystems via whitelist #153 (pinguinkiste)
• Add kernel hardening settings from Ubuntu /etc/sysctl.d #150 (kravietz)
• Removal of core dump hardening configuration if core dumps are allowed #146 (martinbydefault)
• add missing sysctl parameter #143 (rndmh3ro)
• update readme #139 (rndmh3ro)

Fixed bugs:

• bug in ufw.j2 template #151
• os_security_kernel_enable_sysrq is not implemented #115
• replace single ticks with double ticks. fix #151 #152 (rndmh3ro)
• fixed tag #149 (martinbydefault)

Closed issues:

• ansible hardening fails on ubuntu 16.04 with msg": "ERROR! 'sysctl_rhel_config' is undefined #147
• Enhancement: Test with TestInfra and Molecule #128

Merged pull requests:

• move defaults to os-specific vars #157 (rndmh3ro)

ansible-os-hardening 4.2.0

4.2.0 (2017-08-08)

Full Changelog

Implemented enhancements:

• add modprobe template, control os-10 #138 (rndmh3ro)
• new task for delete netrc files, control os-09 #137 (rndmh3ro)
• add passwd task, control os-03 #136 (rndmh3ro)
• remove prelink package, control package-09 #135 (rndmh3ro)
• style update #134 (rndmh3ro)
• Fix ansible.cfg and use comment filter #130 (fazlearefin)

Fixed bugs:

• Why is rsync removed? #141
• playbook makes OS undetectable #124
• Centos7/RHEL7: Exec shield is enabled by default and not manageable anymore by sysctl.conf #118
• Remove rsync from package blacklist #142 (duk3luk3)

Merged pull requests:

• remove execshield sysctl-parameter on rhel7 #119 (rndmh3ro)

ansible-os-hardening 4.1.0

4.1.0 (2017-06-27)

Full Changelog

Fixed bugs:

• Change system accounts not on the user provided ignore-list items are not JSON serializable #125

Closed issues:

• Enhancement: Pin python dependencies for development and testing #127
• Update readme to include baselines #122

Merged pull requests:

• Converts set to JSON-serializable list #126 (pestaa)
• add more sysctl settings, allow overwriting #120 (rndmh3ro)

ansible-os-hardening 4.0.0

4.0.0 (2017-03-14)

Full Changelog

Breaking Changes:

• remove support for ansible 1.9 #110 (rndmh3ro)
  • Ansible 1.9 is not supported anymore

Implemented enhancements:

• Description of the Ansible roles of dev-sec says "This Ansible playbook" #97
• install initramfs-tools #114 (rndmh3ro)
• omit empty variables #106 (rndmh3ro)

Fixed bugs:

• The role fails when conditionally included #105
• omit empty variables #106 (rndmh3ro)
• Could not find gem 'ruby (>= 2.1.0)' #116
• The task sysctl fails when /etc/initramfs-tools is not present #111
• Deprecation warning always_run #103

Closed issues:

• Error running on RHEL 7 due to syntax issues #112
• disable password age #109

Merged pull requests:

• change shadow owner in debian systems #117 (rndmh3ro)
• Rhel7 #113 (tyrken)
• use new Docker images #110 (rndmh3ro)
• Don’t refer to this role as "playbook" in the role description #104 (ypid)

ansible-os-hardening 3.2.0

3.2.0 (2016-10-24)

Full Changelog

Fixed bugs:

• CentOS 7 selinux dependencies #102
• ubuntu xenial warning during activate gpg-check for yum-repos #99
• rhel_system_auth.j2 is still using pam_passwdqc.so for CentOS 7 #98
• Enable pam_pwquality in rhel-family > 7 #73
• "irc" user always changed after reboot #53

Merged pull requests:

• update template #101 (rndmh3ro)
• fix deprecation warning for undefined error. #99 #100 (rndmh3ro)
• add rhel7 pam_pwquality. fix #73 #94 (rndmh3ro)

ansible-os-hardening 3.1.0

Full Changelog

Implemented enhancements:

• Supports --check mode #93 (conorsch)
• Adds support for CentOS 7 #91 (conorsch)
• Docker #90 (rndmh3ro)
• debian 8 support #88 (rndmh3ro)
• Ufw manage defaults #85 (fitz123)
• replace ignore_errors to failed_when to supress ugly error warnings #81 (fitz123)
• fix bare variables usage for loops #79 (fitz123)

Fixed bugs:

• Centos 7.1 fails at [Change various sysctl-settings on rhel-hosts...] #74
• Hardening fails on Centos 7.1 at task 'minimize access' #71

Closed issues:

• Permissions on /etc/shadow can lock out GUI users #86
• network related sysctl rewritten by ufw in ubuntu #82
• ansible >= 2.0 complains: Using bare variables is deprecated #78
• Norm-Audit-Hardening-Audit #76

Merged pull requests:

• Fix a formatting issue in readme. #92 (vivekagr)
• Permits overriding permissions on /etc/shadow #89 (conorsch)

ansible-os-hardening 3.0.0

Full Changelog

Implemented enhancements:

• update platforms in meta-file #69 (rndmh3ro)
• add webhook for ansible galaxy #68 (rndmh3ro)
• Move sysctl vars to defaults #67 (rndmh3ro)
• make sys_uid and sys_gid configurable #62 (rndmh3ro)
• Ansible 2.0 support #59 (rndmh3ro)
• use inspec as test framework #58 (chris-rock)
• Packages as attributes #57 (rndmh3ro)
• Change categories to tags for upcoming ansible 2.0 #56 (rndmh3ro)
• Add SINGLE and PROMPT parameters. #55 (rndmh3ro)
• add changelog generator #54 (chris-rock)

Fixed bugs:

• Updates "tags" parameters on includes in main.yml #66 (conorsch)
• Suid set def var, fix #64 #63 (rndmh3ro)
• ERROR! Include tasks should not specify tags in more than one way #60 (fitz123)

Closed issues:

• Hardening fails on Centos 7.1 at task 'remove suid/sgid bit from all binaries except in system and user whitelist' #72
• ansible 2.0 | "remove suid/sgid" task fails #64
• Custom sysctl #50

ansible-os-hardening 2.0.0

• Fix a bug in the passwdqc template (#51)
• Change directory layout so the role is easily installable from ansible-galaxy (#49)
• improved travis-tests to cover more cases (#42)

Thanks, @fitz123 for the following fixes!

• Fix passwdqc default options (#44)
• remove duplicate "update pam" task (#46)
• Fix stuck in case pam files was updated before by force update (#45)
• Fix nologin shell path (#44)

ansible-os-hardening 1.0.0

• Implement os-hardening to meet our tests
• Enable GPG-checking on all yum-repository files #5
• Disable system accounts #6
• Module-loading configuration #22
• Travis support #17
• Separate system-vars from editable vars. #34
• Add mode to su-binary task. #39
• Change oneliner if-statements to be more readable #36
• Create limits.d-directory if it does not exist. #33