dev-sec · schurzi · Aug 12, 2025 · Aug 10, 2025 · Aug 10, 2025 · Aug 11, 2025
diff --git a/.github/workflows/mysql_hardening.yml b/.github/workflows/mysql_hardening.yml
@@ -37,14 +37,19 @@ jobs:
       fail-fast: false
       matrix:
         molecule_distro:
+          - almalinux8
+          - almalinux9
+          # - almalinux10  # problem with baseline
           - centosstream9
           - rocky8
           - rocky9
+          # - rocky10 # problem with baseline
           - ubuntu2004
           - ubuntu2204
           - ubuntu2404
           - debian11
           - debian12
+          - debian13
           # - amazon  # geerlingguy.mysql does not support fedora
           # - arch  # geerlingguy.mysql does not support arch
           - opensuse_tumbleweed
@@ -71,7 +76,7 @@ jobs:
             pip install "ansible-core<2.17"
             ansible-galaxy collection install 'community.crypto:<3.0.0'
         working-directory: ansible_collections/devsec/hardening
-        if: matrix.molecule_distro == 'rocky8'
+        if: matrix.molecule_distro == 'rocky8' || matrix.molecule_distro == 'almalinux8'
 
       # that was a hard one to fix. robert did it thankfully
       # https://github.com/robertdebock/ansible-role-mysql/commit/7562e99099b06282391ab7ed102b393a0406d212

diff --git a/.github/workflows/nginx_hardening.yml b/.github/workflows/nginx_hardening.yml
@@ -36,14 +36,19 @@ jobs:
       fail-fast: false
       matrix:
         molecule_distro:
+          - almalinux8
+          - almalinux9
+          - almalinux10
           - centosstream9
           - rocky8
           - rocky9
+          - rocky10
           - ubuntu2004
           - ubuntu2204
           - ubuntu2404
           - debian11
           - debian12
+          - debian13
           - amazon2023
           # - arch  # needs to be fixed
           # - opensuse_tumbleweed  # needs to be fixed
@@ -70,7 +75,7 @@ jobs:
             pip install "ansible-core<2.17"
             ansible-galaxy collection install 'community.crypto:<3.0.0'
         working-directory: ansible_collections/devsec/hardening
-        if: matrix.molecule_distro == 'rocky8'
+        if: matrix.molecule_distro == 'rocky8' || matrix.molecule_distro == 'almalinux8'
 
       # Molecule has problems detecting the proper location for installing roles
       # https://github.com/ansible/molecule/issues/3806

diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml
@@ -39,16 +39,21 @@ jobs:
           - molecule_distro: opensuse_tumbleweed
             molecule_docker_command: "/usr/lib/systemd/systemd"
         molecule_distro:
+          - almalinux8
+          - almalinux9
+          - almalinux10
           - centosstream9
           - rocky8
           - rocky9
+          - rocky10
           - fedora39
           - fedora40
           - ubuntu2004
           - ubuntu2204
           - ubuntu2404
           - debian11
           - debian12
+          - debian13
           - amazon2023
           - arch
         molecule_docker_command:
@@ -75,7 +80,7 @@ jobs:
             pip install "ansible-core<2.17"
             ansible-galaxy collection install 'community.crypto:<3.0.0'
         working-directory: ansible_collections/devsec/hardening
-        if: matrix.molecule_distro == 'rocky8'
+        if: matrix.molecule_distro == 'rocky8' || matrix.molecule_distro == 'almalinux8'
 
       - name: Test with molecule
         run: molecule test -s os_hardening

diff --git a/.github/workflows/os_hardening_vm.yml b/.github/workflows/os_hardening_vm.yml
@@ -36,6 +36,9 @@ jobs:
       fail-fast: false
       matrix:
         molecule_distro:
+          - almalinux/8
+          - almalinux/9
+          # - almalinux/10  # boot loop
           - generic/centos9s
           - generic/rocky8
           - generic/rocky9
@@ -69,7 +72,10 @@ jobs:
           pip install "ansible-core<2.17"
           ansible-galaxy collection install 'community.crypto:<3.0.0'
         working-directory: ansible_collections/devsec/hardening
-        if: matrix.molecule_distro == 'generic/rocky8' || matrix.molecule_distro == 'generic/opensuse15'
+        if: >
+          matrix.molecule_distro == 'generic/rocky8' ||
+          matrix.molecule_distro == 'almalinux/8' ||
+          matrix.molecule_distro == 'generic/opensuse15'
 
       - name: Update Vagrant Box
         run: |

diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml
@@ -42,16 +42,21 @@ jobs:
           - molecule_distro: alpine
             molecule_docker_command: "/sbin/init"
         molecule_distro:
+          - almalinux8
+          - almalinux9
+          - almalinux10
           - centosstream9
           - rocky8
           - rocky9
+          - rocky10
           - fedora39
           - fedora40
           - ubuntu2004
           - ubuntu2204
           - ubuntu2404
           - debian11
           - debian12
+          - debian13
           - amazon2023
           - arch
         molecule_docker_command:
@@ -78,7 +83,7 @@ jobs:
             pip install "ansible-core<2.17"
             ansible-galaxy collection install 'community.crypto:<3.0.0'
         working-directory: ansible_collections/devsec/hardening
-        if: matrix.molecule_distro == 'rocky8'
+        if: matrix.molecule_distro == 'rocky8' || matrix.molecule_distro == 'almalinux8'
 
       - name: Test with molecule
         run: molecule test -s ssh_hardening

diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml
@@ -42,16 +42,21 @@ jobs:
           - molecule_distro: alpine
             molecule_docker_command: "/sbin/init"
         molecule_distro:
+          - almalinux8
+          - almalinux9
+          - almalinux10
           - centosstream9
           - rocky8
           - rocky9
+          - rocky10
           - fedora39
           - fedora40
           - ubuntu2004
           - ubuntu2204
           - ubuntu2404
           - debian11
           - debian12
+          - debian13
           - amazon2023
           - arch
         molecule_docker_command:
@@ -78,7 +83,7 @@ jobs:
             pip install "ansible-core<2.17"
             ansible-galaxy collection install 'community.crypto:<3.0.0'
         working-directory: ansible_collections/devsec/hardening
-        if: matrix.molecule_distro == 'rocky8'
+        if: matrix.molecule_distro == 'rocky8' || matrix.molecule_distro == 'almalinux8'
 
       - name: Test with molecule
         run: molecule test -s ssh_hardening_custom_tests

diff --git a/README.md b/README.md
@@ -14,9 +14,9 @@ This collection provides battle tested hardening for:
 
 - Linux operating systems:
   - CentOS Stream 9
-  - AlmaLinux 8/9
-  - Rocky Linux 8/9
-  - Debian 11/12
+  - AlmaLinux 8/9/10
+  - Rocky Linux 8/9/10
+  - Debian 11/12/13
   - Ubuntu 20.04/22.04/24.04
   - Amazon Linux (some roles supported)
   - Arch Linux (some roles supported)

diff --git a/molecule/os_hardening_vm/prepare.yml b/molecule/os_hardening_vm/prepare.yml
@@ -59,6 +59,12 @@
           - python3-libselinux
       when: ansible_facts.distribution == 'Fedora'
 
+    - name: Install required tools on AlmaLinux
+      ansible.builtin.dnf:
+        name:
+          - initscripts
+      when: ansible_facts.distribution == 'AlmaLinux'
+
     - name: Install required tools on Arch
       community.general.pacman:
         name:
@@ -84,7 +90,6 @@
       ansible.posix.mount:
         path: /boot/efi
         state: unmounted
-      when: ansible_facts.distribution == 'Fedora'
 
     - name: Include YUM prepare tasks
       ansible.builtin.include_tasks: prepare_tasks/yum.yml

diff --git a/molecule/ssh_hardening/prepare.yml b/molecule/ssh_hardening/prepare.yml
@@ -75,11 +75,6 @@
         update_cache: true
       when: ansible_facts.os_family == 'Archlinux'
 
-    - name: Create ssh host keys # noqa ignore-errors
+    - name: Create ssh host keys # noqa ignore-errors no-changed-when
       ansible.builtin.command: ssh-keygen -A
-      when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
-        or ansible_facts.distribution == "Fedora"
-        or ansible_facts.distribution == "Amazon"
-        or ansible_facts.os_family == "Suse"
-      changed_when: false
       ignore_errors: true
diff --git a/molecule/ssh_hardening_custom_tests/prepare.yml b/molecule/ssh_hardening_custom_tests/prepare.yml
@@ -75,11 +75,6 @@
         update_cache: true
       when: ansible_facts.os_family == 'Alpine'
 
-    - name: Create ssh host keys # noqa ignore-errors
+    - name: Create ssh host keys # noqa ignore-errors no-changed-when
       ansible.builtin.command: ssh-keygen -A
-      when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
-        or ansible_facts.distribution == "Fedora"
-        or ansible_facts.distribution == "Amazon"
-        or ansible_facts.os_family == "Suse"
-      changed_when: false
       ignore_errors: true
diff --git a/roles/mysql_hardening/meta/main.yml b/roles/mysql_hardening/meta/main.yml
@@ -10,15 +10,17 @@ galaxy_info:
       versions:
         - "8"
         - "9"
+        - "10"
     - name: Ubuntu
       versions:
         - focal
         - jammy
         - noble
     - name: Debian
       versions:
-        - bullseye
+        - trixie
         - bookworm
+        - bullseye
     - name: Amazon
     - name: opensuse
   galaxy_tags:

diff --git a/roles/nginx_hardening/meta/main.yml b/roles/nginx_hardening/meta/main.yml
@@ -10,13 +10,15 @@ galaxy_info:
       versions:
         - "8"
         - "9"
+        - "10"
     - name: Ubuntu
       versions:
         - focal
         - jammy
         - noble
     - name: Debian
       versions:
+        - trixie
         - bookworm
         - bullseye
     - name: Amazon

diff --git a/roles/os_hardening/meta/main.yml b/roles/os_hardening/meta/main.yml
@@ -10,13 +10,15 @@ galaxy_info:
       versions:
         - "8"
         - "9"
+        - "10"
     - name: Ubuntu
       versions:
         - focal
         - jammy
         - noble
     - name: Debian
       versions:
+        - trixie
         - bookworm
         - bullseye
     - name: Amazon

diff --git a/roles/ssh_hardening/meta/main.yml b/roles/ssh_hardening/meta/main.yml
@@ -10,13 +10,15 @@ galaxy_info:
       versions:
         - "8"
         - "9"
+        - "10"
     - name: Ubuntu
       versions:
         - focal
         - jammy
         - noble
     - name: Debian
       versions:
+        - trixie
         - bookworm
         - bullseye
     - name: Alpine

diff --git a/roles/ssh_hardening/vars/RedHat_10.yml b/roles/ssh_hardening/vars/RedHat_10.yml
@@ -0,0 +1,26 @@
+---
+ssh_pkgs:
+  - openssh
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: /etc/ssh
+sshd_service_name: sshd
+ssh_owner: root
+ssh_group: root
+ssh_host_keys_owner: root
+ssh_host_keys_group: root
+ssh_host_keys_mode: "0600"
+ssh_selinux_packages:
+  - policycoreutils-python-utils
+  - checkpolicy
+
+# true if SSH support Kerberos
+ssh_kerberos_support: true
+
+# true if SSH has PAM support
+ssh_pam_support: true
+
+sshd_moduli_file: /etc/ssh/moduli
+
+# disable CRYPTO_POLICY to take settings from sshd configuration
+# see: https://access.redhat.com/solutions/4410591
+sshd_disable_crypto_policy: true