diff --git a/.github/workflows/mysql_hardening.yml b/.github/workflows/mysql_hardening.yml
index 6cc851c06..fc49c0fc9 100644
--- a/.github/workflows/mysql_hardening.yml
+++ b/.github/workflows/mysql_hardening.yml
@@ -37,14 +37,19 @@ jobs:
 fail-fast: false
 matrix:
 molecule_distro:
+ - almalinux8
+ - almalinux9
+ # - almalinux10 # problem with baseline
 - centosstream9
 - rocky8
 - rocky9
+ # - rocky10 # problem with baseline
 - ubuntu2004
 - ubuntu2204
 - ubuntu2404
 - debian11
 - debian12
+ - debian13
 # - amazon # geerlingguy.mysql does not support fedora
 # - arch # geerlingguy.mysql does not support arch
 - opensuse_tumbleweed
@@ -71,7 +76,7 @@ jobs:
 pip install "ansible-core<2.17"
 ansible-galaxy collection install 'community.crypto:<3.0.0'
 working-directory: ansible_collections/devsec/hardening
- if: matrix.molecule_distro == 'rocky8'
+ if: matrix.molecule_distro == 'rocky8' || matrix.molecule_distro == 'almalinux8'
 # that was a hard one to fix. robert did it thankfully
 # https://github.com/robertdebock/ansible-role-mysql/commit/7562e99099b06282391ab7ed102b393a0406d212
diff --git a/.github/workflows/nginx_hardening.yml b/.github/workflows/nginx_hardening.yml
index 6602837be..433999ad0 100644
--- a/.github/workflows/nginx_hardening.yml
+++ b/.github/workflows/nginx_hardening.yml
@@ -36,14 +36,19 @@ jobs:
 fail-fast: false
 matrix:
 molecule_distro:
+ - almalinux8
+ - almalinux9
+ - almalinux10
 - centosstream9
 - rocky8
 - rocky9
+ - rocky10
 - ubuntu2004
 - ubuntu2204
 - ubuntu2404
 - debian11
 - debian12
+ - debian13
 - amazon2023
 # - arch # needs to be fixed
 # - opensuse_tumbleweed # needs to be fixed
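Review bot: almalinux10 and rocky10 stay commented out in the mysql_hardening matrix with only `# problem with baseline` as explanation, while roles/mysql_hardening/meta/main.yml in this same commit adds `"10"` to the platform version list and the README now advertises AlmaLinux 8/9/10 and Rocky Linux 8/9/10 for the whole collection, so EL 10 support for mysql_hardening is declared but never exercised by CI. Either the meta entry should wait until the matrix actually runs it, or the comment should record what the baseline problem is and where it is tracked, e.g. `# - almalinux10 # disabled: <reason> (see <tracking issue>)`. The `# - almalinux/10 # boot loop` line added to os_hardening_vm.yml deserves the same treatment, since the README makes no exception for the VM scenario.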
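Review bot: The `if:` now enumerates two distros by hand, and the identical line is repeated in nginx_hardening.yml (`@@ -70`), os_hardening.yml (`@@ -75`), ssh_hardening.yml (`@@ -78`) and ssh_hardening_custom_tests.yml (`@@ -78`), with a three-way folded variant in os_hardening_vm.yml (`@@ -69`); the next EL8-based image will have to be added in six places. A membership test reads better and extends in one place: `if: contains(fromJSON('["rocky8", "almalinux8"]'), matrix.molecule_distro)`. The step this condition belongs to starts outside the hunk, so I cannot see whether its name explains the pin; presumably it exists because EL8 targets run Python 3.6, which ansible-core 2.17 no longer supports, and a comment such as `# EL8 targets ship Python 3.6, unsupported by ansible-core >= 2.17` would save the next maintainer from rediscovering that.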
@@ -70,7 +75,7 @@ jobs:
 pip install "ansible-core<2.17"
 ansible-galaxy collection install 'community.crypto:<3.0.0'
 working-directory: ansible_collections/devsec/hardening
- if: matrix.molecule_distro == 'rocky8'
+ if: matrix.molecule_distro == 'rocky8' || matrix.molecule_distro == 'almalinux8'
 # Molecule has problems detecting the proper location for installing roles
 # https://github.com/ansible/molecule/issues/3806
diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml
index ab37b3508..47017e7b1 100644
--- a/.github/workflows/os_hardening.yml
+++ b/.github/workflows/os_hardening.yml
@@ -39,9 +39,13 @@ jobs:
 - molecule_distro: opensuse_tumbleweed
 molecule_docker_command: "/usr/lib/systemd/systemd"
 molecule_distro:
+ - almalinux8
+ - almalinux9
+ - almalinux10
 - centosstream9
 - rocky8
 - rocky9
+ - rocky10
 - fedora39
 - fedora40
 - ubuntu2004
@@ -49,6 +53,7 @@ jobs:
 - ubuntu2404
 - debian11
 - debian12
+ - debian13
 - amazon2023
 - arch
 molecule_docker_command:
@@ -75,7 +80,7 @@ jobs:
 pip install "ansible-core<2.17"
 ansible-galaxy collection install 'community.crypto:<3.0.0'
 working-directory: ansible_collections/devsec/hardening
- if: matrix.molecule_distro == 'rocky8'
+ if: matrix.molecule_distro == 'rocky8' || matrix.molecule_distro == 'almalinux8'
 - name: Test with molecule
 run: molecule test -s os_hardening
diff --git a/.github/workflows/os_hardening_vm.yml b/.github/workflows/os_hardening_vm.yml
index 2a7420df1..f2e589187 100644
--- a/.github/workflows/os_hardening_vm.yml
+++ b/.github/workflows/os_hardening_vm.yml
@@ -36,6 +36,9 @@ jobs:
 fail-fast: false
 matrix:
 molecule_distro:
+ - almalinux/8
+ - almalinux/9
+ # - almalinux/10 # boot loop
 - generic/centos9s
 - generic/rocky8
 - generic/rocky9
@@ -69,7 +72,10 @@ jobs:
 pip install "ansible-core<2.17"
 ansible-galaxy collection install 'community.crypto:<3.0.0'
 working-directory: ansible_collections/devsec/hardening
- if: matrix.molecule_distro == 'generic/rocky8' || matrix.molecule_distro == 'generic/opensuse15'
+ if: >
+ matrix.molecule_distro == 'generic/rocky8' ||
+ matrix.molecule_distro == 'almalinux/8' ||
+ matrix.molecule_distro == 'generic/opensuse15'
 - name: Update Vagrant Box
 run: |
diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml
index 0c49d2e73..55e2d1777 100644
--- a/.github/workflows/ssh_hardening.yml
+++ b/.github/workflows/ssh_hardening.yml
@@ -42,9 +42,13 @@ jobs:
 - molecule_distro: alpine
 molecule_docker_command: "/sbin/init"
 molecule_distro:
+ - almalinux8
+ - almalinux9
+ - almalinux10
 - centosstream9
 - rocky8
 - rocky9
+ - rocky10
 - fedora39
 - fedora40
 - ubuntu2004
@@ -52,6 +56,7 @@ jobs:
 - ubuntu2404
 - debian11
 - debian12
+ - debian13
 - amazon2023
 - arch
 molecule_docker_command:
@@ -78,7 +83,7 @@ jobs:
 pip install "ansible-core<2.17"
 ansible-galaxy collection install 'community.crypto:<3.0.0'
 working-directory: ansible_collections/devsec/hardening
- if: matrix.molecule_distro == 'rocky8'
+ if: matrix.molecule_distro == 'rocky8' || matrix.molecule_distro == 'almalinux8'
 - name: Test with molecule
 run: molecule test -s ssh_hardening
diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml
index 79c8285a8..0371968c7 100644
--- a/.github/workflows/ssh_hardening_custom_tests.yml
+++ b/.github/workflows/ssh_hardening_custom_tests.yml
@@ -42,9 +42,13 @@ jobs:
 - molecule_distro: alpine
 molecule_docker_command: "/sbin/init"
 molecule_distro:
+ - almalinux8
+ - almalinux9
+ - almalinux10
 - centosstream9
 - rocky8
 - rocky9
+ - rocky10
 - fedora39
 - fedora40
 - ubuntu2004
@@ -52,6 +56,7 @@ jobs:
 - ubuntu2404
 - debian11
 - debian12
+ - debian13
 - amazon2023
 - arch
 molecule_docker_command:
@@ -78,7 +83,7 @@ jobs:
 pip install "ansible-core<2.17"
 ansible-galaxy collection install 'community.crypto:<3.0.0'
 working-directory: ansible_collections/devsec/hardening
- if: matrix.molecule_distro == 'rocky8'
+ if: matrix.molecule_distro == 'rocky8' || matrix.molecule_distro == 'almalinux8'
 - name: Test with molecule
 run: molecule test -s ssh_hardening_custom_tests
diff --git a/README.md b/README.md
index 7680756af..c0d43effd 100644
--- a/README.md
+++ b/README.md
@@ -14,9 +14,9 @@ This collection provides battle tested hardening for:
 - Linux operating systems:
 - CentOS Stream 9
- - AlmaLinux 8/9
- - Rocky Linux 8/9
- - Debian 11/12
+ - AlmaLinux 8/9/10
+ - Rocky Linux 8/9/10
+ - Debian 11/12/13
 - Ubuntu 20.04/22.04/24.04
 - Amazon Linux (some roles supported)
 - Arch Linux (some roles supported)
diff --git a/molecule/os_hardening_vm/prepare.yml b/molecule/os_hardening_vm/prepare.yml
index 9c865e727..2537b4ac3 100644
--- a/molecule/os_hardening_vm/prepare.yml
+++ b/molecule/os_hardening_vm/prepare.yml
@@ -59,6 +59,12 @@
 - python3-libselinux
 when: ansible_facts.distribution == 'Fedora'
+ - name: Install required tools on AlmaLinux
+ ansible.builtin.dnf:
+ name:
+ - initscripts
+ when: ansible_facts.distribution == 'AlmaLinux'
+
 - name: Install required tools on Arch
 community.general.pacman:
 name:
@@ -84,7 +90,6 @@
 ansible.posix.mount:
 path: /boot/efi
 state: unmounted
- when: ansible_facts.distribution == 'Fedora'
 - name: Include YUM prepare tasks
 ansible.builtin.include_tasks: prepare_tasks/yum.yml
diff --git a/molecule/ssh_hardening/prepare.yml b/molecule/ssh_hardening/prepare.yml
index 590736952..aaaa45ae6 100644
--- a/molecule/ssh_hardening/prepare.yml
+++ b/molecule/ssh_hardening/prepare.yml
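Review bot: Dropping `when: ansible_facts.distribution == 'Fedora'` from the `ansible.posix.mount` task in molecule/os_hardening_vm/prepare.yml makes the `/boot/efi` unmount run on every box in the VM matrix, which is wider than the AlmaLinux additions this commit is about; the task's name and the reason for the unmount are outside the hunk, so I cannot tell whether that widening is intended. If only the RedHat-family boxes need it, `when: ansible_facts.os_family == 'RedHat'` keeps the scope explicit and still covers the new almalinux/8 and almalinux/9 entries. If it really must run everywhere, a comment above the task stating why (and that `state: unmounted` is presumably a no-op on boxes where nothing is mounted there) would stop the next reader from re-adding a guard.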
@@ -75,11 +75,6 @@
 update_cache: true
 when: ansible_facts.os_family == 'Archlinux'
- - name: Create ssh host keys # noqa ignore-errors
+ - name: Create ssh host keys # noqa ignore-errors no-changed-when
 ansible.builtin.command: ssh-keygen -A
- when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
- or ansible_facts.distribution == "Fedora"
- or ansible_facts.distribution == "Amazon"
- or ansible_facts.os_family == "Suse"
- changed_when: false
 ignore_errors: true
diff --git a/molecule/ssh_hardening_custom_tests/prepare.yml b/molecule/ssh_hardening_custom_tests/prepare.yml
index b1dfd56b4..6b9322366 100644
--- a/molecule/ssh_hardening_custom_tests/prepare.yml
+++ b/molecule/ssh_hardening_custom_tests/prepare.yml
@@ -75,11 +75,6 @@
 update_cache: true
 when: ansible_facts.os_family == 'Alpine'
- - name: Create ssh host keys # noqa ignore-errors
+ - name: Create ssh host keys # noqa ignore-errors no-changed-when
 ansible.builtin.command: ssh-keygen -A
- when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
- or ansible_facts.distribution == "Fedora"
- or ansible_facts.distribution == "Amazon"
- or ansible_facts.os_family == "Suse"
- changed_when: false
 ignore_errors: true
diff --git a/roles/mysql_hardening/meta/main.yml b/roles/mysql_hardening/meta/main.yml
index db5fd3e2e..da10dd4f6 100644
--- a/roles/mysql_hardening/meta/main.yml
+++ b/roles/mysql_hardening/meta/main.yml
@@ -10,6 +10,7 @@ galaxy_info:
 versions:
 - "8"
 - "9"
+ - "10"
 - name: Ubuntu
 versions:
 - focal
@@ -17,8 +18,9 @@ galaxy_info:
 - noble
 - name: Debian
 versions:
- - bullseye
+ - trixie
 - bookworm
+ - bullseye
 - name: Amazon
 - name: opensuse
 galaxy_tags:
diff --git a/roles/nginx_hardening/meta/main.yml b/roles/nginx_hardening/meta/main.yml
index c9d1d0f98..a9c529aec 100644
--- a/roles/nginx_hardening/meta/main.yml
+++ b/roles/nginx_hardening/meta/main.yml
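Review bot: The `ssh-keygen -A` task loses `changed_when: false` and instead gains `no-changed-when` in its noqa list, so the lint finding is suppressed rather than answered and the task will report changed on every run; the identical edit is made in molecule/ssh_hardening_custom_tests/prepare.yml. Keeping `changed_when: false`, or using the command module's `creates:` parameter pointing at one of the generated host key files, preserves accurate change reporting without a suppression. Removing the `when:` also means the command now runs on Fedora, Amazon and SUSE where it used to be skipped; since `ssh-keygen -A` only creates key types that do not exist yet that is harmless, but with `ignore_errors: true` any failure there is silent, so a comment such as `# ssh-keygen -A only generates missing host keys, safe to run on every distro` would document why the old guard could go.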
@@ -10,6 +10,7 @@ galaxy_info:
 versions:
 - "8"
 - "9"
+ - "10"
 - name: Ubuntu
 versions:
 - focal
@@ -17,6 +18,7 @@ galaxy_info:
 - noble
 - name: Debian
 versions:
+ - trixie
 - bookworm
 - bullseye
 - name: Amazon
diff --git a/roles/os_hardening/meta/main.yml b/roles/os_hardening/meta/main.yml
index ac94f336f..648cfe3af 100644
--- a/roles/os_hardening/meta/main.yml
+++ b/roles/os_hardening/meta/main.yml
@@ -10,6 +10,7 @@ galaxy_info:
 versions:
 - "8"
 - "9"
+ - "10"
 - name: Ubuntu
 versions:
 - focal
@@ -17,6 +18,7 @@ galaxy_info:
 - noble
 - name: Debian
 versions:
+ - trixie
 - bookworm
 - bullseye
 - name: Amazon
diff --git a/roles/ssh_hardening/meta/main.yml b/roles/ssh_hardening/meta/main.yml
index c710039c8..b8f3b1311 100644
--- a/roles/ssh_hardening/meta/main.yml
+++ b/roles/ssh_hardening/meta/main.yml
@@ -10,6 +10,7 @@ galaxy_info:
 versions:
 - "8"
 - "9"
+ - "10"
 - name: Ubuntu
 versions:
 - focal
@@ -17,6 +18,7 @@ galaxy_info:
 - noble
 - name: Debian
 versions:
+ - trixie
 - bookworm
 - bullseye
 - name: Alpine
diff --git a/roles/ssh_hardening/vars/RedHat_10.yml b/roles/ssh_hardening/vars/RedHat_10.yml
new file mode 100644
index 000000000..5bffd0c1a
--- /dev/null
+++ b/roles/ssh_hardening/vars/RedHat_10.yml
@@ -0,0 +1,26 @@
+---
+ssh_pkgs:
+ - openssh
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: /etc/ssh
+sshd_service_name: sshd
+ssh_owner: root
+ssh_group: root
+ssh_host_keys_owner: root
+ssh_host_keys_group: root
+ssh_host_keys_mode: "0600"
+ssh_selinux_packages:
+ - policycoreutils-python-utils
+ - checkpolicy
+
+# true if SSH support Kerberos
+ssh_kerberos_support: true
+
+# true if SSH has PAM support
+ssh_pam_support: true
+
+sshd_moduli_file: /etc/ssh/moduli
+
+# disable CRYPTO_POLICY to take settings from sshd configuration
+# see: https://access.redhat.com/solutions/4410591
+sshd_disable_crypto_policy: true
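Review bot: `sshd_disable_crypto_policy: true` in the new roles/ssh_hardening/vars/RedHat_10.yml is documented with a comment about `CRYPTO_POLICY` and a link to an EL8-era article, but as far as I know on EL 9 and later the system crypto policy reaches sshd through a drop-in under `/etc/ssh/sshd_config.d/` that includes the `opensshserver.config` back-end, not through a `CRYPTO_POLICY` variable in `/etc/sysconfig/sshd`; whether the role handles that drop-in for major version 10 is decided outside this file. Since a silently ignored override would leave the vendor cipher, MAC and KEX defaults in force on almalinux10/rocky10, the molecule scenario should assert the effective configuration (e.g. from `sshd -T`) matches what the role rendered. I would reword the comment to `# disable the system-wide crypto policy so the role's ciphers/MACs/KEX apply; on EL 9+ the policy is wired in via /etc/ssh/sshd_config.d/, not /etc/sysconfig/sshd` so the mechanism is not mistaken for the EL8 one. Also, `ssh_pkgs` lists only `openssh`; I cannot see from this hunk whether the role installs `openssh-server` elsewhere, so that is worth confirming before the new matrix entries are relied on.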