ansible-collection-hardening
This Ansible collection provides battle tested hardening for Linux, SSH, nginx, MySQL
We should update the release action so that it sends an email to our announcement mailing list once a new release is published. Mailing list: [email protected]
OpenBSD doesn't have an `ansible_facts.distribution_major_version` fact; I think SmartOS is the same way, but haven't confirmed. For example, here are all the `ansible_distribution*` facts on OpenBSD: ```json { "ansible_distribution": "OpenBSD",...
**Describe the bug** If I want to set agent forwarding and tcp forwarding true in the last version, I need to do `ssh_allow_tcp_forwarding: 'yes'` `ssh_allow_agent_forwarding: yes` notice the quotes **Expected...
CIS Benchmark has a section for configuring sudo. I think that the suggestions in that section make sense, so I have created a playbook to fix that. I think that...
**Describe the bug** Setting the variable `ssh_server_password_login: true` sets `PasswordAuthentication yes` just as it is supposed to. But `AuthenticationMethods publickey` is set (if `sshd_version is version('6.2', '>=')`). Due to AuthenticationMethods set to...
Tragic: https://github.com/dev-sec/ansible-ssh-hardening/blob/master/tasks/selinux.yml#L53-L57 Even after reading this I don't think I quite understand the problem here: https://danwalsh.livejournal.com/12333.html?mode=reply Is there no way to configure `pam_unix` to skip the /etc/shadow read and just...
Hello, I use Percona and tried this role. It creates a hardening file in conf.d but in Percona we also use /etc/mysql/percona.conf.d/ and I'm wondering in which order the files...
System user UID range was extended from 0-499 to 0-999 (https://access.redhat.com/articles/1190233). In the template `rhel_system_auth.j2` there is a 500 hardcoded. I think there should be a variable with the max...
We are using Okta Advanced Server Access (formerly ScaleFT) and we need to configure sshd with the trusted user ca from Okta. When setting `ssh_trusted_user_ca_keys_file` to the ca file managed...
* adds user_account hardening for root user(s)
* you might want to change the defaults I used for new variables
* tested on RHEL8 only