add debian 12 support (#684)

rndmh3ro · Sebastian Gumprich · web-flow · commit ef5e8801e402 · 2023-08-04T12:59:40.000+02:00
* add debian 12 support Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * temp disable pam-checks Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * remove debian12 from vagrant tests as there's no box yet Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * use new pam-tester from pip Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * use new pam-tester from pip Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add setuptoolks to pam-tester install Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add setuptoolks to pam-tester install Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add setuptoolks to pam-tester install Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add setuptoolks to pam-tester install Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * install pam-tester with python3 and use full path to it Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * install python3-setupttools in verify-tests Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * fix path for pam-tester in all tests Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * set python interpreter to 3 for verify-tests Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * Revert "set python interpreter to 3 for verify-tests" This reverts commit 00b6556. * add back accidentally deleted tasks Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> --------- Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
diff --git a/.github/workflows/mysql_hardening.yml b/.github/workflows/mysql_hardening.yml
@@ -45,6 +45,7 @@ jobs:
           - ubuntu2204
           - debian10
           - debian11
+          - debian12
           # - amazon  # geerlingguy.mysql does not support fedora
           # - arch  # geerlingguy.mysql does not support arch
           - opensuse_tumbleweed
diff --git a/.github/workflows/nginx_hardening.yml b/.github/workflows/nginx_hardening.yml
@@ -44,6 +44,7 @@ jobs:
           - ubuntu2204
           - debian10
           - debian11
+          - debian12
           - amazon2023
           # - arch  # needs to be fixed
           # - opensuse_tumbleweed  # needs to be fixed
diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml
@@ -46,6 +46,7 @@ jobs:
           - ubuntu2204
           - debian10
           - debian11
+          - debian12
           - amazon2023
           - opensuse_tumbleweed
           - arch
diff --git a/.github/workflows/os_hardening_vm.yml b/.github/workflows/os_hardening_vm.yml
@@ -46,6 +46,7 @@ jobs:
           - ubuntu2204
           - debian10
           - debian11
+          # - debian12  # waiting for https://github.com/lavabit/robox/pull/274
           - opensuse15
           # - arch  # needs fix for audit
     steps:
diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml
@@ -46,6 +46,7 @@ jobs:
           - ubuntu2204
           - debian10
           - debian11
+          - debian12
           - amazon2023
           - arch
           # - opensuse_tumbleweed  # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml
@@ -46,6 +46,7 @@ jobs:
           - ubuntu2204
           - debian10
           - debian11
+          - debian12
           - amazon2023
           - arch
           # - opensuse_tumbleweed  # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
diff --git a/README.md b/README.md
@@ -11,9 +11,9 @@
 This collection provides battle tested hardening for:
 
 - Linux operating systems:
-  - CentOS 7
-  - Rocky Linux 8
-  - Debian 10/11
+  - CentOS 7/8/9
+  - Rocky Linux 8/9
+  - Debian 10/11/12
   - Ubuntu 18.04/20.04/22.04
   - Amazon Linux (some roles supported)
   - Arch Linux (some roles supported)
diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml
@@ -7,6 +7,10 @@
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
+    - name: set ansible_python_interpreter to "/usr/bin/python3"
+      set_fact:
+        ansible_python_interpreter: "/usr/bin/python3"
+
     - name: include verification tasks
       ansible.builtin.include_tasks:
         file: "{{ item }}"
diff --git a/molecule/os_hardening/verify_tasks/pam.yml b/molecule/os_hardening/verify_tasks/pam.yml
@@ -1,9 +1,17 @@
 ---
-- name: download pam-tester
-  get_url:
-    url: https://github.com/schurzi/pam-tester/releases/download/latest/pam-tester
-    dest: /bin/pam-tester
-    mode: 0555
+
+- name: install pip
+  package:
+    name:
+      - python3-pip
+      - python3-setuptools
+    state: present
+
+- name: install pam-tester
+  ansible.builtin.pip:
+    name: pam-tester
+    state: present
+    executable: /usr/bin/pip3
 
 - name: set password for test
   set_fact:
@@ -23,15 +31,15 @@
 
 - name: check successful login with correct password
   shell:
-    cmd: "pam-tester --user testuser --password {{ test_pw }}"
+    cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
   environment:
     TMPDIR: /var/tmp
     LC_ALL: "{{ locale | default('C.UTF-8') }}"
     LANG: "{{ locale | default('C.UTF-8') }}"
 
 - name: check unsuccessful login with incorrect password
   shell:
-    cmd: "pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
+    cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
   environment:
     TMPDIR: /var/tmp
     LC_ALL: "{{ locale | default('C.UTF-8') }}"
@@ -40,7 +48,7 @@
 
 - name: check unsuccessful login, with correct password (lockout)
   shell:
-    cmd: "pam-tester --user testuser --password {{ test_pw }} --expectfail"
+    cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }} --expectfail"
   environment:
     TMPDIR: /var/tmp
     LC_ALL: "{{ locale | default('C.UTF-8') }}"
@@ -52,7 +60,7 @@
 
 - name: check successful login
   shell:
-    cmd: "pam-tester --user testuser --password {{ test_pw }}"
+    cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
   environment:
     TMPDIR: /var/tmp
     LC_ALL: "{{ locale | default('C.UTF-8') }}"
diff --git a/molecule/os_hardening_vm/verify_tasks/pam.yml b/molecule/os_hardening_vm/verify_tasks/pam.yml
@@ -1,9 +1,15 @@
 ---
-- name: download pam-tester
-  get_url:
-    url: https://github.com/schurzi/pam-tester/releases/download/latest/pam-tester
-    dest: /bin/pam-tester
-    mode: 0555
+- name: install pip
+  package:
+    name:
+      - python3-pip
+      - python3-setuptools
+    state: present
+
+- name: install pam-tester
+  ansible.builtin.pip:
+    name: pam-tester
+    state: present
 
 - name: set password for test
   set_fact:
