Releases: dev-sec/ansible-collection-hardening
10.3.1
Changelog
10.3.1 (2025-07-24)
Fixed bugs:
- Readme states Ansible >= 2.9.10, but it uses password_expire_warn from 2.16 #871
Merged pull requests:
- Use fixed test env for BSD VMs #884 [ssh_hardening] (schurzi)
- Downgrade community.crypto for rocky8 #882 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- chore(deps): update dependency aar-doc to v2.2.0 #877 (renovate[bot])
- chore(deps): update creyd/prettier_action action to v4.6 #876 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to 06f616d #873 [ssh_hardening] (renovate[bot])
- chore(deps): update dependency ansible-core to v2.18.6 #872 (renovate[bot])
- chore(deps): update creyd/prettier_action action to v4.5 #869 (renovate[bot])
- chore(ssh_hardening): ansible 2.19 compatibility #868 [ssh_hardening] (Nemental)
- chore(deps): update ansible/ansible-lint digest to e98f9b3 #867 (renovate[bot])
- chore(deps): update actions/setup-python digest to a26af69 #866 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- chore(deps): update dependency ansible-core to v2.18.5 #865 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to c16f018 #863 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to 6a4fcdb #862 (renovate[bot])
- chore(deps): update dependency aar-doc to v2.1.0 #861 (renovate[bot])
- chore(deps): update dependency ansible-core to v2.18.4 #860 (renovate[bot])
- chore(deps): update actions/setup-python digest to 8d9ed9a #859 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- Fix: ForwardAgent j2 template space #856 [ssh_hardening] (AliMehraji)
- chore(deps): update artis3n/ansible_galaxy_collection digest to f6110ae #853 (renovate[bot])
10.3.0
Changelog
10.3.0 (2025-02-25)
Implemented enhancements:
- Password expiry for users without password should not block SSH key based login #681
- Set number of warning days before password expires for existing users #839 [os_hardening] (Normo)
- Allow to override settings for sftponly users #794 [ssh_hardening] (mib1185)
Closed issues:
- os_hardening & sysctl_overwrite with host_vars #837
Merged pull requests:
- chore(deps): update dependency ansible-core to v2.18.3 #852 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to 49ded6a #851 (renovate[bot])
- Pin runner image to specific version to decouple from GitHub updates #847 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- Refactor: combine multiple set_fact into single jinja filter #846 [os_hardening] (Tinyblargon)
- chore(deps): update actions/setup-python digest to 4237552 #844 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- chore(deps): update dependency ansible-core to v2.18.2 #843 (renovate[bot])
- chore(deps): update dependency molecule to v25 #841 (renovate[bot])
- chore(deps): update ansible/ansible-lint action to v25 #840 (renovate[bot])
10.2.0
Changelog
10.2.0 (2024-12-23)
Implemented enhancements:
- Re-enable OpenBSD tests #826 [ssh_hardening]
- Allow configuring the name_format variable in auditd config #796 [os_hardening]
- Password expiry for users without password should not block SSH key based login #681
- Modify PAM to allow SSH key based logins with locked passwords #835 [os_hardening] (schurzi)
- adding switch for ForwardAgent in ssh_config #818 [ssh_hardening] (Shizzlebix)
Fixed bugs:
- File system loop detected; ‘/bin/X11’ is part of the same file system loop as ‘/bin’." #815 [os_hardening]
- Not working ssh_hardening on Centos 7 #813 [ssh_hardening]
Merged pull requests:
- chore(deps): update dependency molecule-plugins to v23.6.0 #834 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to 4ce8e49 #832 (renovate[bot])
- chore(deps): update dependency molecule to v24.12.0 #831 (renovate[bot])
- chore(deps): update dependency ansible-core to v2.18.1 #829 (renovate[bot])
- Change installation source for OpenBSD tests #828 (schurzi)
- chore(deps): update ansible/ansible-lint digest to 44be233 #825 (renovate[bot])
- Bump ansible-core from 2.17.5 to 2.17.6 #820 (dependabot[bot])
- chore(deps): update dependency ansible-core to v2.18.0 #819 (renovate[bot])
- chore(deps): update dependency aar-doc to v2.0.1 #817 (renovate[bot])
- Update actions/setup-python digest to 0b93645 #814 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- chore(deps): update actions/checkout digest to 11bd719 #812 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
10.1.0
Changelog
10.1.0 (2024-10-22)
Implemented enhancements:
- Allow configuring the name_format variable in auditd config #796
- Ubuntu 24.04 support #764
- Add variable to set name_format for auditd #810 [os_hardening] (schurzi)
- feat(ssh): add alpine support #809 [ssh_hardening] (rndmh3ro)
- Provide granular noop for ssh configuration #789 [ssh_hardening] (seven-beep)
Fixed bugs:
- molecule scenario ssh_hardening is failing due to missing docker image #790
- getent_shadow empty #787
- Error: Missing privilege separation directory: /run/sshd #752
- fix(ssh_hardening): test setting kex to false, remove wrong default #808 [ssh_hardening] (rndmh3ro)
Merged pull requests:
- Pin python dependencies and optimize GitHub Actions #811 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- fix(cicd): test idempotence on ssh custom tests #807 [ssh_hardening] (rndmh3ro)
- Document correct quotes for ssh_permit_tunnel parameter #806 [ssh_hardening] (vmpr)
- fix(docs): add 'become: true' to example playbooks. fix #787 #804 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- chore(deps): update dependency ansible-core to v2.17.5 #802 (renovate[bot])
- Don't run tests if the environment is not correct #801 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- chore(deps): update actions/checkout digest to eef6144 #800 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- feat: Corrected package name #799 [ssh_hardening] (PapaPeskwo)
- Use Python venv for VM tests #798 (schurzi)
- Remove unused files and variables #797 [os_hardening] (schurzi)
- chore(deps): update ansible/ansible-lint digest to 3b5bee1 #795 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to 25f783c #792 (renovate[bot])
- chore(deps): update dependency ansible-core to v2.17.4 #791 (renovate[bot])
- chore(deps): update actions/setup-python digest to f677139 #788 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- chore(deps): update dependency ansible-core to v2.17.3 #786 (renovate[bot])
- chore(deps): update dependency ansible-core to v2.17.2 #756 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
10.0.0
Changelog
10.0.0 (2024-08-06)
Implemented enhancements:
- option to disable regeneration of ssh private key #772
- Ubuntu 24.04 support #764
- Support systemd socket activation for sshd #763 [ssh_hardening]
- Release 9.0.2 #758
- Make Publickey authentication configurable #750
- Ansible Linting #747
- Make value of kernel.unprivileged_userns_clone depending on kernel version #727
- Ensure that ssh is installed (cf #771) #774 [ssh_hardening] (Byh0ki)
- ssh: explicitly enable or disable the service at boot #771 [ssh_hardening] (Byh0ki)
- disable systemd socket activation #769 [ssh_hardening] (rndmh3ro)
- Add ssh_pubkey_authentication variable to ssh hardening #749 [ssh_hardening] (debbabi)
Fixed bugs:
- ssh hardening role fails when `ssh_permit_root_login` var is set on ubuntu 24.04 #768
- os_hardening fails when setting vm.mmap_rnd_bits #757
- `ssh_gateway_ports` is documented to accept 'clientspecified' string, but only accepts bools #755
- Error: Missing privilege separation directory: /run/sshd #752
- harden permissions for directory mount /var/log fails for minimized Ubuntu 22.04 #741
- Update Debian compatibility #784 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- do not force type of ssh_gateway_ports #765 [mysql_hardening] [os_hardening] [ssh_hardening] (rndmh3ro)
Merged pull requests:
- Update to current Fedora releases #783 [os_hardening] [ssh_hardening] (schurzi)
- Remove deprecated rebuild of initrd #782 [os_hardening] (schurzi)
- chore(deps): update patrickjahns/version-drafter-action digest to 2076fa4 #781 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to 95382d3 #779 (renovate[bot])
- chore(deps): update actions/setup-python digest to 39cd149 #778 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- remove tests for FreeBSD12 since it's out of support #777 [ssh_hardening] (schurzi)
- chore(deps): pin dependencies #776 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- Use best-practice preset for renovate #775 (schurzi)
- Deprecate Centos Stream 8 #770 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- centos7 is eol, remove it #767 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- fix spelling #766 [os_hardening] [ssh_hardening] (rndmh3ro)
- ci: define permissions for enforce-labels workflow #760 (fgreinacher)
- Update dependency ansible-core to v2.16.5 #754 (renovate[bot])
- Update dependency ansible-core to v2.16.4 #751 (renovate[bot])
- Update ansible/ansible-lint action to v24 #745 (renovate[bot])
- Always update Vagrant Boxes before using #744 (schurzi)
- Remove Docker containers on self-hosted runner after tests #743 (schurzi)
- Update dependency ansible-core to v2.16.3 #742 (renovate[bot])
9.0.1
Changelog
9.0.1 (2024-01-15)
Implemented enhancements:
- Extend ansible-lint testing to cover our test cases #731
- Make value of kernel.unprivileged_userns_clone depending on kernel version #727
- Complete tests for OS hardening #660
- support restarts of audit service on Arch linux #722 [os_hardening] (schurzi)
Fixed bugs:
- Fails to install #735
- Amazon Linux gpg check fails #734
- ssh_hardening ipv6 #719
- boolean variable inconsistency? #330
- Restore idempotency for disabling unused filesystems with Ansible 2.16.0 #718 [os_hardening] (akikanellis)
Closed issues:
Merged pull requests:
- restructure readme to move known limitations up top #739 [os_hardening] [ssh_hardening] (rndmh3ro)
- release only on releases, not pre-releases #738 (rndmh3ro)
- Update dependency ansible-core to v2.16.2 #737 (renovate[bot])
- fix linting for github config #736 (rndmh3ro)
- Update actions/setup-python action to v5 #733 (renovate[bot])
- Update ansible-lint action and revise configuration to scan all Ansible code #732 (schurzi)
- update labeler to new config format #730 [ssh_hardening] (schurzi)
- Update dependency ansible-core to v2.16.1 #728 [os_hardening] (renovate[bot])
- pin Ansible to always let Renovate update to the most current version in our tests #721 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
9.0.0
Changelog
9.0.0 (2023-11-16)
Breaking changes:
- make it possible to configure more than yes and no for PermitTunnel #715 [ssh_hardening] (rndmh3ro)
- add role argument spec for os, ssh, mysql #687 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
Implemented enhancements:
- Create role documentation with Automated-Ansible-Role-Documentation #694
- Minimize access user paths should be fully configurable #689
- Add support for Debian 12 #672
- add testing and support for current versions of Fedora and FreeBSD #709 [os_hardening] [ssh_hardening] (schurzi)
- feat: workflow for roles readme #705 [ssh_hardening] (Nemental)
- do not try to drop roles in mysql hardening #649 [mysql_hardening] (rndmh3ro)
Fixed bugs:
- nginx conf.d directory is missing on Rocky Linux 8 #707
- Default value of `ssh_client_alive_interval` is inconsistent with what documentation says #701
- [devsec.hardening.os_hardening : restart-auditd] fails #698
- sshd_hardening role cannot be used to build system images #697
- Error: No file was found when using first_found on Ubuntu 20.04 #676
- PUBLIC-role breaks mysql-hardening #648
- Error deploying the playbook #630
- boolean variable inconsistency? #330
- Gather facts when os_hardening role is executed with tags #708 [os_hardening] (schurzi)
Closed issues:
Merged pull requests:
- update status badges in README #714 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- fix CI test for os_hardening #711 [os_hardening] (schurzi)
- fix nginx CI tests #710 [nginx_hardening] (schurzi)
- fix: roles-readme action default value #706 [ssh_hardening] (Nemental)
- fix some wrong defaults and types in the readmes #703 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- update links to new Ansible Galaxy #702 [nginx_hardening] (schurzi)
- Fix typo in login.defs.j2 #700 [os_hardening] (nejch)
- chore(deps): update actions/checkout action to v4 #696 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- test debian12 on VM #695 (rndmh3ro)
- fix descriptions in readme #693 [os_hardening] (rndmh3ro)
- feat: customize user paths default #692 [os_hardening] (S0obi)
- disable PAM tests #691 [os_hardening] (rndmh3ro)
8.8.0
Changelog
8.8.0 (2023-08-04)
Implemented enhancements:
- Add support for Fedora 38 #671
- auditd: add possibility to override config template #685 [os_hardening] (Meecr0b)
- add debian 12 support #684 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- feat: explicitly support Fedora 37 and 38 #682 [os_hardening] [ssh_hardening] (nejch)
- Replace ssh_keys group with root, where applicable and use less permissive file mode #677 [ssh_hardening] (rndmh3ro)
- Add oddjob mkhomedir option rhel pam #675 [os_hardening] (imp1sh)
Fixed bugs:
- How does one set `sshd_authenticationmethods` to include password authentication? #686
- Error: No file was found when using first_found on Ubuntu 20.04 #676
- FreeIPA environment mkhomedir fails #664
Closed issues:
- What is the use case of sysctl_overwrite over ansible.posix.sysctl? #683
- `Ensure permissions on mysql-logfile are correct` chokes when `log_error` is set to `stderr` #673
- TASK TASK FAILED: [devsec.hardening.os_hardening : Set password ageing for existing regular (non-system, non-root) accounts] #670
- After os_hardening ssh not working #663
- Unsupported parameters for (ansible.builtin.user) module #650
Merged pull requests:
- setting gets ignored #680 [os_hardening] (rndmh3ro)
- add var-naming[no-role-prefix] to skip-list #679 (rndmh3ro)
- expand on check conditions for non-file locations of logs #674 [mysql_hardening] (whysthatso)
- use new molecule-plugins #667 (schurzi)
- add spellchecking with codespell #662 [mysql_hardening] [os_hardening] [ssh_hardening] (schurzi)
8.7.0
Changelog
8.7.0 (2023-04-12)
Implemented enhancements:
- Support BSD and other operating systems CI with VM based tests #599
- add check mode to molecule tests #644 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- add testing for OpenBSD and FreeBSD #642 [ssh_hardening] (schurzi)
- Only skip audit restart handler in docker #637 [os_hardening] (nejch)
- Make action_mail_acct configurable in auditd #631 [os_hardening] (nejch)
Fixed bugs:
- getent task is skipped if user previously ran it with a key parameter #646
- Error running devsec.hardening.os_hardening role #645
- devsec.hardening.mysql_hardening - Get all users that have no authentication_string - Hello world #640
- fixes #646 - add another condition to getent task #647 [os_hardening] (gbolo)
Closed issues:
- Dependency Dashboard #655
- Invalid login.defs for RHEL6 #651
- Unsupported parameters for (ansible.builtin.user) module #650
- Deprecation warnings for os_hardening #638
- Write tests for MySQL user-deletion #445
Merged pull requests:
- Update minimum required Ansible version for os_hardening #657 [os_hardening] [ssh_hardening] (schurzi)
- Update test environment #656 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- Update dependency geerlingguy.git to v3.0.1 #654 [mysql_hardening] (renovate[bot])
- Configure Renovate #653 (renovate[bot])
- simplify MySQL queries for user deletion #641 [mysql_hardening] (schurzi)
- Bump creyD/prettier_action from 4.2 to 4.3 #639 (dependabot[bot])
- Fix molecule tests for EL7 #636 [mysql_hardening] (rndmh3ro)
- run our CI tests periodically #634 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- try to fix molecule local tests #632 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- remove unnecessary tasks for VM based test #629 [os_hardening] (schurzi)
8.6.0
Changelog
8.6.0 (2023-02-04)
Implemented enhancements:
- make number of warning days before user password expires configurable #628 [os_hardening] (Normo)
Merged pull requests:
- Bump hugo19941994/delete-draft-releases from 1.0.0 to 1.0.1 #627 (dependabot[bot])