8.6.0

Changelog

8.6.0 (2023-02-04)

Full Changelog

Implemented enhancements:

• make number of warning days before user password expires configurable #628 [os_hardening] (Normo)

Merged pull requests:

• Bump hugo19941994/delete-draft-releases from 1.0.0 to 1.0.1 #627 (dependabot[bot])

8.5.0

Changelog

8.5.0 (2023-01-31)

Full Changelog

Implemented enhancements:

• Add support for /etc/auditd.conf num_logs to go with max_log_file_action #616
• password ageing not enforced #570
• Rewrite system account detection and hardening and create tests #621 [os_hardening] [ssh_hardening] (rndmh3ro)
• Add support for /etc/auditd.conf num_logs to go with max_log_file_action #617 [os_hardening] (richardlock)
• Preserve default ownership and dir mode for /var/log on Ubuntu #615 [os_hardening] (stdtom)
• rewrite user home dir hardening #584 [os_hardening] (DonEstefan)
• apply password age settings to exisiting regular users #582 [os_hardening] (DonEstefan)
• Parametrize more auditd.conf options #535 [os_hardening] (kravietz)

Fixed bugs:

• os_hardening is setting wrong ownership for /var/log on Ubuntu #614
• [os_hardening] Task for setting initramfs modules does not match its condition #590 [os_hardening]
• Support for Amazon Linux 2 #624 [ssh_hardening] (mmitnyan)

Deprecated:

• deprecate rebuilding of initramfs #618 [os_hardening] (rndmh3ro)

Closed issues:

• Ubuntu 22.04 vars file missing? #619
• SSH KexAlgorithms causes SSH daemon to fail #500
• Playbook won't run for hardening #462

Merged pull requests:

• do not let dependabot label our prs #626 (rndmh3ro)
• run linting only when files inside roles change #625 (rndmh3ro)
• cancel running tests if new commit to branch is made #622 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
• Fixed problems with running molecule locally with cgroup v2 #620 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
• Bump actions/setup-python from 1 to 4 #611 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (dependabot[bot])
• Bump creyD/prettier_action from 3.1 to 4.2 #610 (dependabot[bot])
• linting #603 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)

8.4.0

Changelog

8.4.0 (2022-12-17)

Full Changelog

Implemented enhancements:

• Implement Test for MySQL systemd service #606
• Extended net hardening #607 [os_hardening] (DonEstefan)
• Add OpenSUSE support #605 [mysql_hardening] (rndmh3ro)
• Allow ssh_allow_tcp_forwarding to be a boolean #600 [ssh_hardening] (crisbal)
• OpenBSD does not support GSSAPI Authentication #598 [ssh_hardening] (dennisse)
• add Ansible specific templates for issues #596 (schurzi)
• use github templates for new issues #595 (schurzi)

Fixed bugs:

• os_auth_retries variable causes a comparison type error on pam tasks #593
• ssh_hardening: Install selinux dependencies fails on Oracle Linux (RHEL) 9 #585
• OpenBSD does not set distributiuon_major_version #597 [ssh_hardening] (dennisse)

Merged pull requests:

• Check for github action updates daily #609 (jlosito)
• add verify-task to check if mysql is running and enabled #608 [mysql_hardening] (rndmh3ro)
• Updates handlers for new ansible syntax and deprecated options for legacy commands #602 [os_hardening] (jsievertde)
• add notice to sign-off work to contributor guideline #601 (schurzi)

8.3.0

Changelog

8.3.0 (2022-10-27)

Full Changelog

Implemented enhancements:

• add hardening of root user account(s) #579 [os_hardening] (donestefan)

Fixed bugs:

• os_auth_retries variable causes a comparison type error on pam tasks #593
• cast expected int types in pam tasks #594 [os_hardening] (dlouzan)
• do not manage trusted user ca keys if none exist #580 [ssh_hardening] (hollow)

Closed issues:

• Trying to run the os_hardening on Debian 11, but fails on privilege escalation #587
• auditd increasing logfiles #586
• Path to nginx.conf should be configurable in a variable #577

Merged pull requests:

• adopt all current suggestions from ansible-lint #592 [mysql_hardening] [os_hardening] [ssh_hardening] (schurzi)
• Support more os #588 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
• run tests only on pushes to master or to PRs #581 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)

8.2.0

Changelog

8.2.0 (2022-09-08)

Full Changelog

Implemented enhancements:

• Add nginx variables for config-path and owner/group #578 [nginx_hardening] (hagenbauer)
• add centos >8 Support #573 [ssh_hardening] (sbaerlocher)
• add always-tag to include so other tags can be used #569 [os_hardening] (rndmh3ro)

Closed issues:

• Bug using os_hardening "tags" #567

8.1.0

Changelog

8.1.0 (2022-08-26)

Full Changelog

Implemented enhancements:

• add always-tag to include so other tags can be used #569 [os_hardening] (rndmh3ro)

Closed issues:

• Bug using os_hardening "tags" #567
• dev-sec CI bot should not update CHANGELOG.md in fork repository #566

Merged pull requests:

• update supported OS in meta and fix linting #572 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
• fix misleading comment #571 [os_hardening] (donestefan)
• only run release actions on upstream-repo #568 (rndmh3ro)

8.0.0

Changelog

8.0.0 (2022-08-22)

Full Changelog

Breaking changes:

• change default to allow SFTP #564 [ssh_hardening] (schurzi)

Implemented enhancements:

• add possibility to keep .netrc files in users homedir #563 [os_hardening] (PhilippFunk)
• rework filesystem hardening #555 [os_hardening] (divialth)

Closed issues:

• Error in Task 'Create sshd_config and set permissions to root/600' #565 [ssh_hardening]
• [ssh_hardening] Debian 11 - Ansible cannot transfer files #557
• Add the old SFTP-Reminder to the stable ssh_hardening role for ansible #521

7.16.0

Changelog

7.16.0 (2022-08-16)

Full Changelog

Implemented enhancements:

• revert debian 9 change, only one tls variable now #562 [nginx_hardening] (rndmh3ro)
• add posibility to run ssh_hardening as unprivileged user #561 [ssh_hardening] (schurzi)
• add basic support for ubuntu22.04 #554 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
• Add full support for Debian 11 #538 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (addianto)

Fixed bugs:

• Replace default 2048 bits RSA keypair fails on Ubuntu 20.04 #459

Closed issues:

• os-hardening: yum gpg-check fails if gpg-check already set #556
• Ubuntu 22.04 LTS #553
• Revert nginx ssl-protocol after deprecation of debian9 #528
• Support for Debian 11 #527
• Support baseline-control os-14 #507

7.15.1

Changelog

7.15.1 (2022-07-26)

Full Changelog

Fixed bugs:

• Fix broken mode for /var/log/audit #552 [os_hardening] (hollow)

Merged pull requests:

• Only run hardening if /var/log/audit exists #550 [os_hardening] (mego22)

7.15.0

Changelog

7.15.0 (2022-07-11)

Full Changelog

Implemented enhancements:

• Harden mountpoints #531 [os_hardening] (lbayerlein)

Fixed bugs:

• os_hardening gpg-check enabled fails on success #549 [os_hardening]
• add VM tests for os_hardening #547 [os_hardening] (schurzi)
• Linting #546 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)