From d8e96939a1be9c540e3a289ea33315e0d1bd72d9 Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Sun, 10 Aug 2025 17:27:15 +0200
Subject: [PATCH 01/11] Add support for current versions of Debian and EL
Signed-off-by: Martin Schurz
---
 .github/workflows/mysql_hardening.yml | 5 +++++
 .github/workflows/nginx_hardening.yml | 5 +++++
 .github/workflows/os_hardening.yml | 5 +++++
 .github/workflows/ssh_hardening.yml | 5 +++++
 .github/workflows/ssh_hardening_custom_tests.yml | 5 +++++
 roles/mysql_hardening/meta/main.yml | 4 +++-
 roles/nginx_hardening/meta/main.yml | 2 ++
 roles/os_hardening/meta/main.yml | 2 ++
 roles/ssh_hardening/meta/main.yml | 2 ++
 9 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/mysql_hardening.yml b/.github/workflows/mysql_hardening.yml
index 6cc851c06..a93fd313e 100644
--- a/.github/workflows/mysql_hardening.yml
+++ b/.github/workflows/mysql_hardening.yml
@@ -37,14 +37,19 @@ jobs:
 fail-fast: false
 matrix:
 molecule_distro:
+ - almalinux8
+ - almalinux9
+ - almalinux10
 - centosstream9
 - rocky8
 - rocky9
+ - rocky10
 - ubuntu2004
 - ubuntu2204
 - ubuntu2404
 - debian11
 - debian12
+ - debian13
 # - amazon # geerlingguy.mysql does not support fedora
 # - arch # geerlingguy.mysql does not support arch
 - opensuse_tumbleweed
diff --git a/.github/workflows/nginx_hardening.yml b/.github/workflows/nginx_hardening.yml
index 6602837be..03a7b5019 100644
--- a/.github/workflows/nginx_hardening.yml
+++ b/.github/workflows/nginx_hardening.yml
@@ -36,14 +36,19 @@ jobs:
 fail-fast: false
 matrix:
 molecule_distro:
+ - almalinux8
+ - almalinux9
+ - almalinux10
 - centosstream9
 - rocky8
 - rocky9
+ - rocky10
 - ubuntu2004
 - ubuntu2204
 - ubuntu2404
 - debian11
 - debian12
+ - debian13
 - amazon2023
 # - arch # needs to be fixed
 # - opensuse_tumbleweed # needs to be fixed
diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml
index ab37b3508..127e18ad9 100644
--- a/.github/workflows/os_hardening.yml
+++ b/.github/workflows/os_hardening.yml
@@ -39,9 +39,13 @@ jobs:
 - molecule_distro: opensuse_tumbleweed
 molecule_docker_command: "/usr/lib/systemd/systemd"
 molecule_distro:
+ - almalinux8
+ - almalinux9
+ - almalinux10
 - centosstream9
 - rocky8
 - rocky9
+ - rocky10
 - fedora39
 - fedora40
 - ubuntu2004
@@ -49,6 +53,7 @@ jobs:
 - ubuntu2404
 - debian11
 - debian12
+ - debian13
 - amazon2023
 - arch
 molecule_docker_command:
diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml
index 0c49d2e73..ac211c9c4 100644
--- a/.github/workflows/ssh_hardening.yml
+++ b/.github/workflows/ssh_hardening.yml
@@ -42,9 +42,13 @@ jobs:
 - molecule_distro: alpine
 molecule_docker_command: "/sbin/init"
 molecule_distro:
+ - almalinux8
+ - almalinux9
+ - almalinux10
 - centosstream9
 - rocky8
 - rocky9
+ - rocky10
 - fedora39
 - fedora40
 - ubuntu2004
@@ -52,6 +56,7 @@ jobs:
 - ubuntu2404
 - debian11
 - debian12
+ - debian13
 - amazon2023
 - arch
 molecule_docker_command:
diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml
index 79c8285a8..ac511da54 100644
--- a/.github/workflows/ssh_hardening_custom_tests.yml
+++ b/.github/workflows/ssh_hardening_custom_tests.yml
@@ -42,9 +42,13 @@ jobs:
 - molecule_distro: alpine
 molecule_docker_command: "/sbin/init"
 molecule_distro:
+ - almalinux8
+ - almalinux9
+ - almalinux10
 - centosstream9
 - rocky8
 - rocky9
+ - rocky10
 - fedora39
 - fedora40
 - ubuntu2004
@@ -52,6 +56,7 @@ jobs:
 - ubuntu2404
 - debian11
 - debian12
+ - debian13
 - amazon2023
 - arch
 molecule_docker_command:
diff --git a/roles/mysql_hardening/meta/main.yml b/roles/mysql_hardening/meta/main.yml
index db5fd3e2e..da10dd4f6 100644
--- a/roles/mysql_hardening/meta/main.yml
+++ b/roles/mysql_hardening/meta/main.yml
@@ -10,6 +10,7 @@ galaxy_info:
 versions:
 - "8"
 - "9"
+ - "10"
 - name: Ubuntu
 versions:
 - focal
@@ -17,8 +18,9 @@ galaxy_info:
 - noble
 - name: Debian
 versions:
- - bullseye
+ - trixie
 - bookworm
+ - bullseye
 - name: Amazon
 - name: opensuse
 galaxy_tags:
diff --git a/roles/nginx_hardening/meta/main.yml b/roles/nginx_hardening/meta/main.yml
index c9d1d0f98..a9c529aec 100644
--- a/roles/nginx_hardening/meta/main.yml
+++ b/roles/nginx_hardening/meta/main.yml
@@ -10,6 +10,7 @@ galaxy_info:
 versions:
 - "8"
 - "9"
+ - "10"
 - name: Ubuntu
 versions:
 - focal
@@ -17,6 +18,7 @@ galaxy_info:
 - noble
 - name: Debian
 versions:
+ - trixie
 - bookworm
 - bullseye
 - name: Amazon
diff --git a/roles/os_hardening/meta/main.yml b/roles/os_hardening/meta/main.yml
index ac94f336f..648cfe3af 100644
--- a/roles/os_hardening/meta/main.yml
+++ b/roles/os_hardening/meta/main.yml
@@ -10,6 +10,7 @@ galaxy_info:
 versions:
 - "8"
 - "9"
+ - "10"
 - name: Ubuntu
 versions:
 - focal
@@ -17,6 +18,7 @@ galaxy_info:
 - noble
 - name: Debian
 versions:
+ - trixie
 - bookworm
 - bullseye
 - name: Amazon
diff --git a/roles/ssh_hardening/meta/main.yml b/roles/ssh_hardening/meta/main.yml
index c710039c8..b8f3b1311 100644
--- a/roles/ssh_hardening/meta/main.yml
+++ b/roles/ssh_hardening/meta/main.yml
@@ -10,6 +10,7 @@ galaxy_info:
 versions:
 - "8"
 - "9"
+ - "10"
 - name: Ubuntu
 versions:
 - focal
@@ -17,6 +18,7 @@ galaxy_info:
 - noble
 - name: Debian
 versions:
+ - trixie
 - bookworm
 - bullseye
 - name: Alpine
From a1e003dfee3f3b6a4dd21127c2fcc46672d2490c Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Sun, 10 Aug 2025 17:42:38 +0200
Subject: [PATCH 02/11] Add conditions for EL8
Signed-off-by: Martin Schurz
---
 .github/workflows/mysql_hardening.yml | 2 +-
 .github/workflows/nginx_hardening.yml | 2 +-
 .github/workflows/os_hardening.yml | 2 +-
 .github/workflows/os_hardening_vm.yml | 8 +++++++-
 .github/workflows/ssh_hardening.yml | 2 +-
 .github/workflows/ssh_hardening_custom_tests.yml | 2 +-
 6 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/mysql_hardening.yml b/.github/workflows/mysql_hardening.yml
index a93fd313e..2f27cb5bb 100644
--- a/.github/workflows/mysql_hardening.yml
+++ b/.github/workflows/mysql_hardening.yml
@@ -76,7 +76,7 @@ jobs:
 pip install "ansible-core<2.17"
 ansible-galaxy collection install 'community.crypto:<3.0.0'
 working-directory: ansible_collections/devsec/hardening
- if: matrix.molecule_distro == 'rocky8'
+ if: matrix.molecule_distro == 'rocky8' || matrix.molecule_distro == 'almalinux8'
 
 # that was a hard one to fix. robert did it thankfully
 # https://github.com/robertdebock/ansible-role-mysql/commit/7562e99099b06282391ab7ed102b393a0406d212
diff --git a/.github/workflows/nginx_hardening.yml b/.github/workflows/nginx_hardening.yml
index 03a7b5019..433999ad0 100644
--- a/.github/workflows/nginx_hardening.yml
+++ b/.github/workflows/nginx_hardening.yml
@@ -75,7 +75,7 @@ jobs:
 pip install "ansible-core<2.17"
 ansible-galaxy collection install 'community.crypto:<3.0.0'
 working-directory: ansible_collections/devsec/hardening
- if: matrix.molecule_distro == 'rocky8'
+ if: matrix.molecule_distro == 'rocky8' || matrix.molecule_distro == 'almalinux8'
 
 # Molecule has problems detecting the proper location for installing roles
 # https://github.com/ansible/molecule/issues/3806
diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml
index 127e18ad9..47017e7b1 100644
--- a/.github/workflows/os_hardening.yml
+++ b/.github/workflows/os_hardening.yml
@@ -80,7 +80,7 @@ jobs:
 pip install "ansible-core<2.17"
 ansible-galaxy collection install 'community.crypto:<3.0.0'
 working-directory: ansible_collections/devsec/hardening
- if: matrix.molecule_distro == 'rocky8'
+ if: matrix.molecule_distro == 'rocky8' || matrix.molecule_distro == 'almalinux8'
 
 - name: Test with molecule
 run: molecule test -s os_hardening
diff --git a/.github/workflows/os_hardening_vm.yml b/.github/workflows/os_hardening_vm.yml
index 2a7420df1..afb398cb4 100644
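Review bot: The EL8 pin condition now lists distro names inline, and the identical `if:` edit is repeated in nginx_hardening.yml, os_hardening.yml, ssh_hardening.yml and ssh_hardening_custom_tests.yml in this patch, so the next EL8 variant means five more edits. A membership test keeps one list per workflow: `if: contains(fromJSON('["rocky8", "almalinux8"]'), matrix.molecule_distro)`. The step also carries no explanation of why EL8 needs `ansible-core<2.17` and `community.crypto:<3.0.0`; a one-line comment above the step stating the reason (presumably the interpreter version shipped on EL8 — confirm) would stop someone lifting the pin by mistake. The step's `name:`/`run:` start is outside the hunk.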
--- a/.github/workflows/os_hardening_vm.yml
+++ b/.github/workflows/os_hardening_vm.yml
@@ -36,6 +36,9 @@ jobs:
 fail-fast: false
 matrix:
 molecule_distro:
+ - almalinux/8
+ - almalinux/9
+ - almalinux/10
 - generic/centos9s
 - generic/rocky8
 - generic/rocky9
@@ -69,7 +72,10 @@ jobs:
 pip install "ansible-core<2.17"
 ansible-galaxy collection install 'community.crypto:<3.0.0'
 working-directory: ansible_collections/devsec/hardening
- if: matrix.molecule_distro == 'generic/rocky8' || matrix.molecule_distro == 'generic/opensuse15'
+ if: >
+ matrix.molecule_distro == 'generic/rocky8' ||
+ matrix.molecule_distro == 'almalinux/8' ||
+ matrix.molecule_distro == 'generic/opensuse15'
 
 - name: Update Vagrant Box
 run: |
diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml
index ac211c9c4..55e2d1777 100644
--- a/.github/workflows/ssh_hardening.yml
+++ b/.github/workflows/ssh_hardening.yml
@@ -83,7 +83,7 @@ jobs:
 pip install "ansible-core<2.17"
 ansible-galaxy collection install 'community.crypto:<3.0.0'
 working-directory: ansible_collections/devsec/hardening
- if: matrix.molecule_distro == 'rocky8'
+ if: matrix.molecule_distro == 'rocky8' || matrix.molecule_distro == 'almalinux8'
 
 - name: Test with molecule
 run: molecule test -s ssh_hardening
diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml
index ac511da54..0371968c7 100644
--- a/.github/workflows/ssh_hardening_custom_tests.yml
+++ b/.github/workflows/ssh_hardening_custom_tests.yml
@@ -83,7 +83,7 @@ jobs:
 pip install "ansible-core<2.17"
 ansible-galaxy collection install 'community.crypto:<3.0.0'
 working-directory: ansible_collections/devsec/hardening
- if: matrix.molecule_distro == 'rocky8'
+ if: matrix.molecule_distro == 'rocky8' || matrix.molecule_distro == 'almalinux8'
 
 - name: Test with molecule
 run: molecule test -s ssh_hardening_custom_tests
From 16863ade7be907dad87d7f2e098bfcd5b6dedd42 Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Mon, 11 Aug 2025 08:03:49 +0200
Subject: [PATCH 03/11] Fix Audit in AlmaLinux
Signed-off-by: Martin Schurz
---
 roles/os_hardening/handlers/main.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/roles/os_hardening/handlers/main.yml b/roles/os_hardening/handlers/main.yml
index 864a7531b..20d4dbfa2 100644
--- a/roles/os_hardening/handlers/main.yml
+++ b/roles/os_hardening/handlers/main.yml
@@ -14,13 +14,14 @@
 when:
 - molecule_yml.driver.name | default() != "docker" # restarting auditd in a container does not work
 - not ansible_facts.os_family == 'RedHat'
+ - ansible_facts.distribution == 'AlmaLinux'
 
 - name: Restart auditd via service # noqa command-instead-of-module no-changed-when
 ansible.builtin.command:
 cmd: service auditd restart # rhel: see: https://access.redhat.com/solutions/2664811
 when:
 - molecule_yml.driver.name | default() != "docker" # restarting auditd in a container does not work
- - ansible_facts.os_family == 'RedHat'
+ - ansible_facts.os_family == 'RedHat' and not ansible_facts.distribution == 'AlmaLinux'
 
 - name: Remount filesystems
 ansible.posix.mount:
From e12222905fc1cd48b1c02b2cabcc3a53f74c8d1e Mon Sep 17 00:00:00 2001
From: Jonathan Wright
Date: Thu, 31 Jul 2025 09:50:38 -0500
Subject: [PATCH 04/11] Fix broken SSH host key config in rhel/almalinux 10
Signed-off-by: Jonathan Wright
---
 roles/ssh_hardening/vars/RedHat_10.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 roles/ssh_hardening/vars/RedHat_10.yml
diff --git a/roles/ssh_hardening/vars/RedHat_10.yml b/roles/ssh_hardening/vars/RedHat_10.yml
new file mode 100644
index 000000000..5bffd0c1a
--- /dev/null
+++ b/roles/ssh_hardening/vars/RedHat_10.yml
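Review bot: The added `- ansible_facts.distribution == 'AlmaLinux'` item is ANDed with the existing `- not ansible_facts.os_family == 'RedHat'` (a `when` list is a conjunction), and AlmaLinux reports os_family RedHat, so the systemd handler can never fire on AlmaLinux while the service handler below now excludes it as well — auditd is never restarted there. If the intent is "non-RedHat, or AlmaLinux", it has to be one expression: `- not ansible_facts.os_family == 'RedHat' or ansible_facts.distribution == 'AlmaLinux'`. Patch 07 of this series makes exactly that change, so the two are best squashed. The first handler's `name:` and module lines are outside the hunk.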
@@ -0,0 +1,26 @@
+---
+ssh_pkgs:
+ - openssh
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: /etc/ssh
+sshd_service_name: sshd
+ssh_owner: root
+ssh_group: root
+ssh_host_keys_owner: root
+ssh_host_keys_group: root
+ssh_host_keys_mode: "0600"
+ssh_selinux_packages:
+ - policycoreutils-python-utils
+ - checkpolicy
+
+# true if SSH support Kerberos
+ssh_kerberos_support: true
+
+# true if SSH has PAM support
+ssh_pam_support: true
+
+sshd_moduli_file: /etc/ssh/moduli
+
+# disable CRYPTO_POLICY to take settings from sshd configuration
+# see: https://access.redhat.com/solutions/4410591
+sshd_disable_crypto_policy: true
From 77a26811751c5ae10a76354f74a8f2ad6b480f17 Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Mon, 11 Aug 2025 10:15:42 +0200
Subject: [PATCH 05/11] Generate SSH Keys on EL10
Signed-off-by: Martin Schurz
---
 molecule/ssh_hardening/prepare.yml | 4 +++-
 molecule/ssh_hardening_custom_tests/prepare.yml | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/molecule/ssh_hardening/prepare.yml b/molecule/ssh_hardening/prepare.yml
index 590736952..1729e69a2 100644
--- a/molecule/ssh_hardening/prepare.yml
+++ b/molecule/ssh_hardening/prepare.yml
@@ -77,7 +77,9 @@
 
 - name: Create ssh host keys # noqa ignore-errors
 ansible.builtin.command: ssh-keygen -A
- when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
+ when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat'])
+ and (ansible_facts.distribution_major_version < '7'
+ or ansible_facts.distribution_major_version > '9' ))
 or ansible_facts.distribution == "Fedora"
 or ansible_facts.distribution == "Amazon"
 or ansible_facts.os_family == "Suse"
diff --git a/molecule/ssh_hardening_custom_tests/prepare.yml b/molecule/ssh_hardening_custom_tests/prepare.yml
index b1dfd56b4..7c13f36e3 100644
--- a/molecule/ssh_hardening_custom_tests/prepare.yml
+++ b/molecule/ssh_hardening_custom_tests/prepare.yml
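Review bot: `sshd_disable_crypto_policy: true` is carried into the new EL10 vars with a comment pointing at the `CRYPTO_POLICY` variable in `/etc/sysconfig/sshd`, but as far as I know EL9 and later no longer read that variable and instead pull the system policy in through an `Include` under `/etc/ssh/sshd_config.d/`; confirm that whatever the role does for this flag actually stops the system policy from taking precedence on EL10, because sshd keeps the first value it sees for `Ciphers`, `MACs` and `KexAlgorithms`, and a silent override would defeat the hardening without any visible failure. If the mechanism differs on EL10, the comment should name the file the role edits rather than the old variable. Minor wording: `# true if SSH supports Kerberos`.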
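Review bot: The new bound `ansible_facts.distribution_major_version > '9'` compares strings, so for EL10 it is false ('10' sorts before '9') and the task is only skipped because the neighbouring `< '7'` happens to be true for '10' by the same lexical quirk; the intent survives by accident and will not hold for other values. Cast before comparing: `and (ansible_facts.distribution_major_version | int < 7` / `or ansible_facts.distribution_major_version | int > 9 ))`. The same expression is duplicated in molecule/ssh_hardening_custom_tests/prepare.yml in this patch. The task's remaining keys are outside the hunk.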
@@ -77,7 +77,9 @@
 
 - name: Create ssh host keys # noqa ignore-errors
 ansible.builtin.command: ssh-keygen -A
- when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
+ when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat'])
+ and (ansible_facts.distribution_major_version < '7'
+ or ansible_facts.distribution_major_version > '9' ))
 or ansible_facts.distribution == "Fedora"
 or ansible_facts.distribution == "Amazon"
 or ansible_facts.os_family == "Suse"
From 30ee708918b6a0c4dd1aed7216a4ef8574962298 Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Mon, 11 Aug 2025 11:03:40 +0200
Subject: [PATCH 06/11] Generate SSH Keys for tests via Systemd
Signed-off-by: Martin Schurz
---
 molecule/ssh_hardening/prepare.yml | 14 +++++---------
 molecule/ssh_hardening_custom_tests/prepare.yml | 14 +++++---------
 2 files changed, 10 insertions(+), 18 deletions(-)
diff --git a/molecule/ssh_hardening/prepare.yml b/molecule/ssh_hardening/prepare.yml
index 1729e69a2..2402860e3 100644
--- a/molecule/ssh_hardening/prepare.yml
+++ b/molecule/ssh_hardening/prepare.yml
@@ -75,13 +75,9 @@
 update_cache: true
 when: ansible_facts.os_family == 'Archlinux'
 
- - name: Create ssh host keys # noqa ignore-errors
- ansible.builtin.command: ssh-keygen -A
- when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat'])
- and (ansible_facts.distribution_major_version < '7'
- or ansible_facts.distribution_major_version > '9' ))
- or ansible_facts.distribution == "Fedora"
- or ansible_facts.distribution == "Amazon"
- or ansible_facts.os_family == "Suse"
- changed_when: false
+ - name: Create ssh host keys via Systemd service start # noqa ignore-errors
+ ansible.builtin.service:
+ name: "sshd"
+ state: started
+ when: ansible_facts.service_mgr == 'systemd'
 ignore_errors: true
diff --git a/molecule/ssh_hardening_custom_tests/prepare.yml b/molecule/ssh_hardening_custom_tests/prepare.yml
index 7c13f36e3..e9cf86735 100644
--- a/molecule/ssh_hardening_custom_tests/prepare.yml
+++ b/molecule/ssh_hardening_custom_tests/prepare.yml
@@ -75,13 +75,9 @@
 update_cache: true
 when: ansible_facts.os_family == 'Alpine'
 
- - name: Create ssh host keys # noqa ignore-errors
- ansible.builtin.command: ssh-keygen -A
- when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat'])
- and (ansible_facts.distribution_major_version < '7'
- or ansible_facts.distribution_major_version > '9' ))
- or ansible_facts.distribution == "Fedora"
- or ansible_facts.distribution == "Amazon"
- or ansible_facts.os_family == "Suse"
- changed_when: false
+ - name: Create ssh host keys via Systemd service start # noqa ignore-errors
+ ansible.builtin.service:
+ name: "sshd"
+ state: started
+ when: ansible_facts.service_mgr == 'systemd'
 ignore_errors: true
From 612c1a49a0e94ff320d0a644890b80ccd75acd0c Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Mon, 11 Aug 2025 15:38:36 +0200
Subject: [PATCH 07/11] Fixup tests
Signed-off-by: Martin Schurz
---
 .github/workflows/mysql_hardening.yml | 4 ++--
 .github/workflows/os_hardening_vm.yml | 2 +-
 molecule/os_hardening_vm/prepare.yml | 1 -
 molecule/ssh_hardening/prepare.yml | 7 ++-----
 molecule/ssh_hardening_custom_tests/prepare.yml | 7 ++-----
 roles/os_hardening/handlers/main.yml | 3 +--
 6 files changed, 8 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/mysql_hardening.yml b/.github/workflows/mysql_hardening.yml
index 2f27cb5bb..fc49c0fc9 100644
--- a/.github/workflows/mysql_hardening.yml
+++ b/.github/workflows/mysql_hardening.yml
@@ -39,11 +39,11 @@ jobs:
 molecule_distro:
 - almalinux8
 - almalinux9
- - almalinux10
+ # - almalinux10 # problem with baseline
 - centosstream9
 - rocky8
 - rocky9
- - rocky10
+ # - rocky10 # problem with baseline
 - ubuntu2004
 - ubuntu2204
 - ubuntu2404
diff --git a/.github/workflows/os_hardening_vm.yml b/.github/workflows/os_hardening_vm.yml
index afb398cb4..f2e589187 100644
--- a/.github/workflows/os_hardening_vm.yml
+++ b/.github/workflows/os_hardening_vm.yml
@@ -38,7 +38,7 @@ jobs:
 molecule_distro:
 - almalinux/8
 - almalinux/9
- - almalinux/10
+ # - almalinux/10 # boot loop
 - generic/centos9s
 - generic/rocky8
 - generic/rocky9
diff --git a/molecule/os_hardening_vm/prepare.yml b/molecule/os_hardening_vm/prepare.yml
index 9c865e727..05de346fa 100644
--- a/molecule/os_hardening_vm/prepare.yml
+++ b/molecule/os_hardening_vm/prepare.yml
@@ -84,7 +84,6 @@
 ansible.posix.mount:
 path: /boot/efi
 state: unmounted
- when: ansible_facts.distribution == 'Fedora'
 
 - name: Include YUM prepare tasks
 ansible.builtin.include_tasks: prepare_tasks/yum.yml
diff --git a/molecule/ssh_hardening/prepare.yml b/molecule/ssh_hardening/prepare.yml
index 2402860e3..aaaa45ae6 100644
--- a/molecule/ssh_hardening/prepare.yml
+++ b/molecule/ssh_hardening/prepare.yml
@@ -75,9 +75,6 @@
 update_cache: true
 when: ansible_facts.os_family == 'Archlinux'
 
- - name: Create ssh host keys via Systemd service start # noqa ignore-errors
- ansible.builtin.service:
- name: "sshd"
- state: started
- when: ansible_facts.service_mgr == 'systemd'
+ - name: Create ssh host keys # noqa ignore-errors no-changed-when
+ ansible.builtin.command: ssh-keygen -A
 ignore_errors: true
diff --git a/molecule/ssh_hardening_custom_tests/prepare.yml b/molecule/ssh_hardening_custom_tests/prepare.yml
index e9cf86735..6b9322366 100644
--- a/molecule/ssh_hardening_custom_tests/prepare.yml
+++ b/molecule/ssh_hardening_custom_tests/prepare.yml
@@ -75,9 +75,6 @@
 update_cache: true
 when: ansible_facts.os_family == 'Alpine'
 
- - name: Create ssh host keys via Systemd service start # noqa ignore-errors
- ansible.builtin.service:
- name: "sshd"
- state: started
- when: ansible_facts.service_mgr == 'systemd'
+ - name: Create ssh host keys # noqa ignore-errors no-changed-when
+ ansible.builtin.command: ssh-keygen -A
 ignore_errors: true
diff --git a/roles/os_hardening/handlers/main.yml b/roles/os_hardening/handlers/main.yml
index 20d4dbfa2..e20ec691e 100644
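Review bot: Removing the `when:` makes the `/boot/efi` unmount run on every VM in the matrix rather than only Fedora, and the task's `name:` is outside the hunk, so nothing in the file now says why a prepare step unmounts the EFI system partition on all hosts. If the AlmaLinux boxes are the reason, scope it and document it: `when: ansible_facts.distribution in ['Fedora', 'AlmaLinux']` with a comment such as `# <reason the ESP must be unmounted before the role runs>`. If it is genuinely needed everywhere, keep the unconditional form but add that comment, since an unexplained unmount of a boot filesystem is the kind of line that gets "fixed" back later.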
--- a/roles/os_hardening/handlers/main.yml
+++ b/roles/os_hardening/handlers/main.yml
@@ -13,8 +13,7 @@
 ignore_errors: "{{ ansible_check_mode }}"
 when:
 - molecule_yml.driver.name | default() != "docker" # restarting auditd in a container does not work
- - not ansible_facts.os_family == 'RedHat'
- - ansible_facts.distribution == 'AlmaLinux'
+ - not ansible_facts.os_family == 'RedHat' or ansible_facts.distribution == 'AlmaLinux'
 
 - name: Restart auditd via service # noqa command-instead-of-module no-changed-when
 ansible.builtin.command:
From 505a395c3b35428f021deca0d95bc563e39a3a38 Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Mon, 11 Aug 2025 22:27:06 +0200
Subject: [PATCH 08/11] Remove auditd conditions
Signed-off-by: Martin Schurz
---
 roles/os_hardening/handlers/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/os_hardening/handlers/main.yml b/roles/os_hardening/handlers/main.yml
index e20ec691e..864a7531b 100644
--- a/roles/os_hardening/handlers/main.yml
+++ b/roles/os_hardening/handlers/main.yml
@@ -13,14 +13,14 @@
 ignore_errors: "{{ ansible_check_mode }}"
 when:
 - molecule_yml.driver.name | default() != "docker" # restarting auditd in a container does not work
- - not ansible_facts.os_family == 'RedHat' or ansible_facts.distribution == 'AlmaLinux'
+ - not ansible_facts.os_family == 'RedHat'
 
 - name: Restart auditd via service # noqa command-instead-of-module no-changed-when
 ansible.builtin.command:
 cmd: service auditd restart # rhel: see: https://access.redhat.com/solutions/2664811
 when:
 - molecule_yml.driver.name | default() != "docker" # restarting auditd in a container does not work
- - ansible_facts.os_family == 'RedHat' and not ansible_facts.distribution == 'AlmaLinux'
+ - ansible_facts.os_family == 'RedHat'
 
 - name: Remount filesystems
 ansible.posix.mount:
From 9228db0a2f9f804eb6fda86788a629350cc2fd97 Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Mon, 11 Aug 2025 22:49:15 +0200
Subject: [PATCH 09/11] Add path to audit handler
Signed-off-by: Martin Schurz
---
 roles/os_hardening/handlers/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/os_hardening/handlers/main.yml b/roles/os_hardening/handlers/main.yml
index 864a7531b..886672a6f 100644
--- a/roles/os_hardening/handlers/main.yml
+++ b/roles/os_hardening/handlers/main.yml
@@ -17,7 +17,7 @@
 
 - name: Restart auditd via service # noqa command-instead-of-module no-changed-when
 ansible.builtin.command:
- cmd: service auditd restart # rhel: see: https://access.redhat.com/solutions/2664811
+ cmd: /usr/sbin/service auditd restart # rhel: see: https://access.redhat.com/solutions/2664811
 when:
 - molecule_yml.driver.name | default() != "docker" # restarting auditd in a container does not work
 - ansible_facts.os_family == 'RedHat'
From 6df3acd380f0d9a7a4f6db07976c93e49df625ff Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Mon, 11 Aug 2025 23:15:59 +0200
Subject: [PATCH 10/11] Install init scripts
Signed-off-by: Martin Schurz
---
 molecule/os_hardening_vm/prepare.yml | 6 ++++++
 roles/os_hardening/handlers/main.yml | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/molecule/os_hardening_vm/prepare.yml b/molecule/os_hardening_vm/prepare.yml
index 05de346fa..2537b4ac3 100644
--- a/molecule/os_hardening_vm/prepare.yml
+++ b/molecule/os_hardening_vm/prepare.yml
@@ -59,6 +59,12 @@
 - python3-libselinux
 when: ansible_facts.distribution == 'Fedora'
 
+ - name: Install required tools on AlmaLinux
+ ansible.builtin.dnf:
+ name:
+ - initscripts
+ when: ansible_facts.distribution == 'AlmaLinux'
+
 - name: Install required tools on Arch
 community.general.pacman:
 name:
diff --git a/roles/os_hardening/handlers/main.yml b/roles/os_hardening/handlers/main.yml
index 886672a6f..864a7531b 100644
--- a/roles/os_hardening/handlers/main.yml
+++ b/roles/os_hardening/handlers/main.yml
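Review bot: The new task installs `initscripts` only when `ansible_facts.distribution == 'AlmaLinux'`, while the handler that needs the `service` wrapper runs for the whole RedHat family; if the AlmaLinux boxes are the only ones missing it that works today, but keying on the family is more robust and dnf is a no-op where the package is already present: `when: ansible_facts.os_family == 'RedHat'`. Also confirm that `initscripts` still provides `/usr/sbin/service` on EL10 — I believe newer Fedora/EL releases split that wrapper into a separate subpackage, in which case the AlmaLinux 10 box commented out in patch 07 would hit the same missing-binary failure once it is re-enabled. A short comment above the task, e.g. `# provides the service(8) wrapper used by the auditd restart handler`, would tie the two together for the next reader. The surrounding tasks of the play are outside the hunk.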
@@ -17,7 +17,7 @@
 
 - name: Restart auditd via service # noqa command-instead-of-module no-changed-when
 ansible.builtin.command:
- cmd: /usr/sbin/service auditd restart # rhel: see: https://access.redhat.com/solutions/2664811
+ cmd: service auditd restart # rhel: see: https://access.redhat.com/solutions/2664811
 when:
 - molecule_yml.driver.name | default() != "docker" # restarting auditd in a container does not work
 - ansible_facts.os_family == 'RedHat'
From fe4cfb397ff867225300b55c7a00284fef607521 Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Tue, 12 Aug 2025 12:01:40 +0200
Subject: [PATCH 11/11] Update main README
---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 7680756af..c0d43effd 100644
--- a/README.md
+++ b/README.md
@@ -14,9 +14,9 @@ This collection provides battle tested hardening for:
 
 - Linux operating systems:
 - CentOS Stream 9
- - AlmaLinux 8/9
- - Rocky Linux 8/9
- - Debian 11/12
+ - AlmaLinux 8/9/10
+ - Rocky Linux 8/9/10
+ - Debian 11/12/13
 - Ubuntu 20.04/22.04/24.04
 - Amazon Linux (some roles supported)
 - Arch Linux (some roles supported)