
Add partial support for Debian 11

Open addianto opened this issue 3 years ago • 2 comments

Hello!

This PR attempts to resolve #527 (adding support for Debian 11).

Currently WIP. I noticed there are some issues with the ansible-lint GitHub Actions, and the mysql_hardening test failed due to a missing Python package during the prepare step of the Molecule test.

addianto avatar Apr 28 '22 11:04 addianto

Here is a summary of failed baselines from GitHub Actions reports run on my fork:

mysql_hardening

  • mysql-conf-02: only one instance of mysql should run on a server
  • mysql-conf-06: ensure log file is owned by mysql user (2 failed)
  • mysql-db-05: default passwords must be changed
  • mysql-db-06: the grant option must not be used

ssh_hardening

  • ssh-08: Client: Check for secure ssh ciphers
  • ssh-10: Client: Check for secure ssh Message Authentication Codes
  • ssh-22: Client: CRYPTO_POLICY (2 failed)
  • sshd-01: Server: Check for secure ssh ciphers
  • sshd-03: Server: Check for secure ssh Message Authentication Codes
  • sshd-16: Server: Use privilege separation

Need to check if ssh_hardening role correctly modified the ciphers and MACs.

addianto avatar Apr 29 '22 05:04 addianto

I did some trial-and-error re: why mysql_hardening failed. One of the causes is that the mysqld process name has been changed to mariadbd on Debian 11. I cross-checked with the DevSec MySQL Baseline (https://github.com/dev-sec/mysql-baseline/blob/master/controls/mysql_conf.rb) and the current version still expects mysqld as the process name.

I haven't done any investigation for ssh_hardening, but I suspect it may be related to the rules in the baseline as well. I guess there will be additional tasks to update the related baselines before all the hardening roles can be fully supported on Debian 11.

To summarise: while this PR adds support for Debian 11, not all hardening roles have been successfully verified. At the current state, only os_hardening and nginx_hardening have been verified to work on Debian 11. Should I continue working on this PR to ensure all hardening roles work on Debian 11? Or is it okay to leave the work for supporting the remaining hardening roles to separate, future PRs?

addianto avatar May 01 '22 18:05 addianto
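The process-name mismatch described above is easy to reproduce outside the test suite. The following is an added example, not code from ansible-collection-hardening or the DevSec mysql-baseline: a plain-Ruby stand-in for the logic behind the "mysql-conf-02: only one instance of mysql should run on a server" control. The real baseline is an InSpec profile; this version instead parses constructed `ps -eo pid,user,comm` output so it runs anywhere, and it takes the list of accepted daemon names as a parameter so you can see the check pass with `mysqld` and `mariadbd` both allowed and fail when only the legacy `mysqld` name is accepted, which is what happens on Debian 11 where the MariaDB daemon is called `mariadbd`.

```ruby
# Added example, not part of the ansible-collection-hardening project or the
# DevSec mysql-baseline. Models the "only one mysql instance" control over
# `ps -eo pid,user,comm` style output.

# Daemon names that count as "the MySQL server". The renamed mariadbd
# process on Debian 11 is the cause of the baseline failure in the thread.
MYSQL_PROCESS_NAMES = %w[mysqld mariadbd].freeze

# Legacy name list, as the unmodified baseline effectively uses.
LEGACY_PROCESS_NAMES = %w[mysqld].freeze

# Parse `ps -eo pid,user,comm` output (header line first) into hashes.
def parse_ps(output)
  output.lines.drop(1).map do |line|
    pid, user, comm = line.strip.split(/\s+/, 3)
    next nil if pid.nil? || comm.nil?
    { pid: pid.to_i, user: user, comm: comm }
  end.compact
end

# Return the server processes whose command name is in `names`.
def mysql_processes(procs, names: MYSQL_PROCESS_NAMES)
  procs.select { |p| names.include?(p[:comm]) }
end

# Evaluate the control: exactly one server instance must be running.
# Returns a verdict hash with a human-readable reason, as a report would.
def check_single_mysql_instance(ps_output, names: MYSQL_PROCESS_NAMES)
  found = mysql_processes(parse_ps(ps_output), names: names)
  case found.size
  when 0
    { pass: false, reason: "no process named #{names.join('/')} found" }
  when 1
    { pass: true, reason: "one instance (#{found.first[:comm]}, pid #{found.first[:pid]})" }
  else
    { pass: false, reason: "#{found.size} instances running: pids #{found.map { |p| p[:pid] }.join(', ')}" }
  end
end

# Constructed sample output, as a Debian 11 host running MariaDB might show.
DEBIAN11_PS = <<~PS
  PID USER     COMMAND
    1 root     systemd
  612 mysql    mariadbd
  700 root     sshd
PS

# Constructed sample with two server instances running at once.
TWO_INSTANCES_PS = <<~PS
  PID USER     COMMAND
  612 mysql    mariadbd
  613 mysql    mysqld
PS

if __FILE__ == $PROGRAM_NAME
  puts "Debian 11, both names accepted: #{check_single_mysql_instance(DEBIAN11_PS)}"
  puts "Debian 11, legacy names only:   #{check_single_mysql_instance(DEBIAN11_PS, names: LEGACY_PROCESS_NAMES)}"
  puts "Two instances:                  #{check_single_mysql_instance(TWO_INSTANCES_PS)}"
end
```

Run with `ruby` and feed it real `ps -eo pid,user,comm` output instead of the constructed samples to see what the baseline would conclude on a given host; the second line of output reproduces the mysql-conf-02 failure from the GitHub Actions report.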

Thanks @addianto for your initial work! There needed to be some changes done to our tests, but now everything works!

rndmh3ro avatar Aug 16 '22 13:08 rndmh3ro

Cool. Thank you, @rndmh3ro! 👍

addianto avatar Aug 24 '22 03:08 addianto