From 69ab9e47ad3be4587170584476699c553db22aab Mon Sep 17 00:00:00 2001
From: schurzi
Date: Tue, 6 Aug 2024 13:11:32 +0200
Subject: [PATCH] Update Debian compatibility (#784)
* Update Ubuntu compatability
Signed-off-by: Martin Schurz
* reload systemd when disabling ssh socket
Signed-off-by: Martin Schurz
* manage systemd files
Signed-off-by: Martin Schurz
* Create privsep directory for Debian
Signed-off-by: Martin Schurz
* Use working Ubuntu 24.04 image for vm tests
Signed-off-by: Martin Schurz
* Remove deprecated Debian 10
Signed-off-by: Martin Schurz
---------
Signed-off-by: Martin Schurz
---
 .github/workflows/mysql_hardening.yml | 3 +--
 .github/workflows/nginx_hardening.yml | 3 +--
 .github/workflows/os_hardening.yml | 3 +--
 .github/workflows/os_hardening_vm.yml | 3 +--
 .github/workflows/ssh_hardening.yml | 3 +--
 .github/workflows/ssh_hardening_custom_tests.yml | 3 +--
 README.md | 4 ++--
 molecule/mysql_hardening/prepare.yml | 7 -------
 molecule/ssh_hardening/prepare.yml | 6 ------
 molecule/ssh_hardening_bsd/prepare.yml | 6 ------
 molecule/ssh_hardening_custom_tests/prepare.yml | 6 ------
 roles/mysql_hardening/meta/main.yml | 4 ++--
 roles/nginx_hardening/meta/main.yml | 4 ++--
 roles/os_hardening/meta/main.yml | 4 ++--
 roles/ssh_hardening/meta/main.yml | 4 ++--
 roles/ssh_hardening/tasks/disable-systemd-socket.yml | 6 +++++-
 roles/ssh_hardening/tasks/install.yml | 12 ++++++++++++
 17 files changed, 33 insertions(+), 48 deletions(-)
diff --git a/.github/workflows/mysql_hardening.yml b/.github/workflows/mysql_hardening.yml
index f85c20138..906c4dbce 100644
--- a/.github/workflows/mysql_hardening.yml
+++ b/.github/workflows/mysql_hardening.yml
@@ -40,10 +40,9 @@ jobs:
 - centosstream9
 - rocky8
 - rocky9
- - ubuntu1804
 - ubuntu2004
 - ubuntu2204
- - debian10
+ - ubuntu2404
 - debian11
 - debian12
 # - amazon # geerlingguy.mysql does not support fedora
diff --git a/.github/workflows/nginx_hardening.yml b/.github/workflows/nginx_hardening.yml
index 685b9e9f6..2ce75d16e 100644
--- a/.github/workflows/nginx_hardening.yml
+++ b/.github/workflows/nginx_hardening.yml
@@ -39,10 +39,9 @@ jobs:
 - centosstream9
 - rocky8
 - rocky9
- - ubuntu1804
 - ubuntu2004
 - ubuntu2204
- - debian10
+ - ubuntu2404
 - debian11
 - debian12
 - amazon2023
diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml
index f26b07c76..1ca0ff67d 100644
--- a/.github/workflows/os_hardening.yml
+++ b/.github/workflows/os_hardening.yml
@@ -41,10 +41,9 @@ jobs:
 - rocky9
 - fedora39
 - fedora40
- - ubuntu1804
 - ubuntu2004
 - ubuntu2204
- - debian10
+ - ubuntu2404
 - debian11
 - debian12
 - amazon2023
diff --git a/.github/workflows/os_hardening_vm.yml b/.github/workflows/os_hardening_vm.yml
index eaa22ee88..c5bf744fa 100644
--- a/.github/workflows/os_hardening_vm.yml
+++ b/.github/workflows/os_hardening_vm.yml
@@ -41,10 +41,9 @@ jobs:
 - generic/rocky9
 - fedora/39-cloud-base
 - fedora/40-cloud-base
- - generic/ubuntu1804
 - generic/ubuntu2004
 - generic/ubuntu2204
- - generic/debian10
+ - alvistack/ubuntu-24.04
 - generic/debian11
 - generic/debian12
 - generic/opensuse15
diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml
index 2ffedc158..47e546574 100644
--- a/.github/workflows/ssh_hardening.yml
+++ b/.github/workflows/ssh_hardening.yml
@@ -41,10 +41,9 @@ jobs:
 - rocky9
 - fedora39
 - fedora40
- - ubuntu1804
 - ubuntu2004
 - ubuntu2204
- - debian10
+ - ubuntu2404
 - debian11
 - debian12
 - amazon2023
diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml
index 41344e8b1..63de7d4f7 100644
--- a/.github/workflows/ssh_hardening_custom_tests.yml
+++ b/.github/workflows/ssh_hardening_custom_tests.yml
@@ -41,10 +41,9 @@ jobs:
 - rocky9
 - fedora39
 - fedora40
- - ubuntu1804
 - ubuntu2004
 - ubuntu2204
- - debian10
+ - ubuntu2404
 - debian11
 - debian12
 - amazon2023
diff --git a/README.md b/README.md
index 073e7b79c..8c3ef3393 100644
--- a/README.md
+++ b/README.md
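Review bot: In the os_hardening_vm.yml hunk, `alvistack/ubuntu-24.04` is the only box in this matrix published by someone other than `generic`/`fedora`, and like the rest of the list it is not pinned to a box version, so the VM test now tracks whatever that third party publishes next. The reason for the choice is only in the commit message ("Use working Ubuntu 24.04 image"), not in the workflow, so a later maintainer may well "normalise" it back; an inline comment such as `- alvistack/ubuntu-24.04  # generic 24.04 box not usable at the time, see #784` would preserve the intent. If the molecule vagrant configuration supports a box version, pinning this entry is worth considering given that it is a different publisher from the other boxes.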
@@ -15,8 +15,8 @@ This collection provides battle tested hardening for:
 - Linux operating systems:
 - CentOS 9
 - Rocky Linux 8/9
- - Debian 10/11/12
- - Ubuntu 18.04/20.04/22.04
+ - Debian 11/12
+ - Ubuntu 20.04/22.04/24.04
 - Amazon Linux (some roles supported)
 - Arch Linux (some roles supported)
 - Fedora 39/40 (some roles supported)
diff --git a/molecule/mysql_hardening/prepare.yml b/molecule/mysql_hardening/prepare.yml
index bca652b3d..f78c8fbf6 100644
--- a/molecule/mysql_hardening/prepare.yml
+++ b/molecule/mysql_hardening/prepare.yml
@@ -26,13 +26,6 @@
 when:
 - ansible_os_family == 'Suse'
 
- - name: Use Python 2 on Debian 10
- ansible.builtin.set_fact:
- ansible_python_interpreter: /usr/bin/python
- when:
- - ansible_distribution == 'Debian'
- - ansible_distribution_major_version|int == 10
-
 - name: Run the equivalent of "apt-get update && apt-get upgrade"
 ansible.builtin.apt:
 upgrade: safe
diff --git a/molecule/ssh_hardening/prepare.yml b/molecule/ssh_hardening/prepare.yml
index e20edc487..08cb0e30b 100644
--- a/molecule/ssh_hardening/prepare.yml
+++ b/molecule/ssh_hardening/prepare.yml
@@ -62,12 +62,6 @@
 update_cache: true
 when: ansible_facts.os_family == 'Archlinux'
 
- - name: Created needed directory
- ansible.builtin.file:
- path: /var/run/sshd
- state: directory
- mode: "0755"
-
 - name: Create ssh host keys # noqa ignore-errors
 ansible.builtin.command: ssh-keygen -A
 when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
diff --git a/molecule/ssh_hardening_bsd/prepare.yml b/molecule/ssh_hardening_bsd/prepare.yml
index ce69adf55..baa8e13f7 100644
--- a/molecule/ssh_hardening_bsd/prepare.yml
+++ b/molecule/ssh_hardening_bsd/prepare.yml
@@ -18,12 +18,6 @@
 https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
 no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
 tasks:
- - name: Created needed directory
- ansible.builtin.file:
- path: /var/run/sshd
- state: directory
- mode: "0755"
-
 - name: Create ssh host keys # noqa ignore-errors
 ansible.builtin.command: ssh-keygen -A
 when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
diff --git a/molecule/ssh_hardening_custom_tests/prepare.yml b/molecule/ssh_hardening_custom_tests/prepare.yml
index e20edc487..08cb0e30b 100644
--- a/molecule/ssh_hardening_custom_tests/prepare.yml
+++ b/molecule/ssh_hardening_custom_tests/prepare.yml
@@ -62,12 +62,6 @@
 update_cache: true
 when: ansible_facts.os_family == 'Archlinux'
 
- - name: Created needed directory
- ansible.builtin.file:
- path: /var/run/sshd
- state: directory
- mode: "0755"
-
 - name: Create ssh host keys # noqa ignore-errors
 ansible.builtin.command: ssh-keygen -A
 when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
diff --git a/roles/mysql_hardening/meta/main.yml b/roles/mysql_hardening/meta/main.yml
index 09834b6d7..db5fd3e2e 100644
--- a/roles/mysql_hardening/meta/main.yml
+++ b/roles/mysql_hardening/meta/main.yml
@@ -12,13 +12,13 @@ galaxy_info:
 - "9"
 - name: Ubuntu
 versions:
- - bionic
 - focal
 - jammy
+ - noble
 - name: Debian
 versions:
 - bullseye
- - buster
+ - bookworm
 - name: Amazon
 - name: opensuse
 galaxy_tags:
diff --git a/roles/nginx_hardening/meta/main.yml b/roles/nginx_hardening/meta/main.yml
index 54199ca56..c9d1d0f98 100644
--- a/roles/nginx_hardening/meta/main.yml
+++ b/roles/nginx_hardening/meta/main.yml
@@ -12,12 +12,12 @@ galaxy_info:
 - "9"
 - name: Ubuntu
 versions:
- - bionic
 - focal
 - jammy
+ - noble
 - name: Debian
 versions:
- - buster
+ - bookworm
 - bullseye
 - name: Amazon
 galaxy_tags:
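Review bot: In roles/nginx_hardening/meta/main.yml `bookworm` takes `buster`'s old slot, so the Debian list now reads `bookworm, bullseye` while the Ubuntu list in the same hunk is in release order (`focal, jammy, noble`); roles/os_hardening/meta/main.yml and roles/ssh_hardening/meta/main.yml do the same, whereas roles/mysql_hardening/meta/main.yml lists `bullseye, bookworm`. This is cosmetic for Galaxy, but keeping all four files in one order makes the next platform bump a cleaner diff. Swapping the two lines to `- bullseye` then `- bookworm` in the three files would align them with mysql_hardening and with the Ubuntu list.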
diff --git a/roles/os_hardening/meta/main.yml b/roles/os_hardening/meta/main.yml
index 01ab47bb4..03e5bbf48 100644
--- a/roles/os_hardening/meta/main.yml
+++ b/roles/os_hardening/meta/main.yml
@@ -12,12 +12,12 @@ galaxy_info:
 - "9"
 - name: Ubuntu
 versions:
- - bionic
 - focal
 - jammy
+ - noble
 - name: Debian
 versions:
- - buster
+ - bookworm
 - bullseye
 - name: Amazon
 - name: Fedora
diff --git a/roles/ssh_hardening/meta/main.yml b/roles/ssh_hardening/meta/main.yml
index 319ce48db..663d671c1 100644
--- a/roles/ssh_hardening/meta/main.yml
+++ b/roles/ssh_hardening/meta/main.yml
@@ -12,12 +12,12 @@ galaxy_info:
 - "9"
 - name: Ubuntu
 versions:
- - bionic
 - focal
 - jammy
+ - noble
 - name: Debian
 versions:
- - buster
+ - bookworm
 - bullseye
 - name: Amazon
 - name: Fedora
diff --git a/roles/ssh_hardening/tasks/disable-systemd-socket.yml b/roles/ssh_hardening/tasks/disable-systemd-socket.yml
index 35f8988e7..04878ec32 100644
--- a/roles/ssh_hardening/tasks/disable-systemd-socket.yml
+++ b/roles/ssh_hardening/tasks/disable-systemd-socket.yml
@@ -1,8 +1,12 @@
 ---
 - name: Remove ssh service systemd-socket file
 ansible.builtin.file:
- path: /etc/systemd/system/ssh.service.d/00-socket.conf
+ path: "{{ item }}"
 state: absent
+ loop:
+ - /etc/systemd/system/ssh.service.d/00-socket.conf
+ - /etc/systemd/system/ssh.service.requires/ssh.socket
+ - /etc/systemd/system/sockets.target.wants/ssh.socket
 
 - name: Disable systemd-socket activation
 ansible.builtin.systemd:
diff --git a/roles/ssh_hardening/tasks/install.yml b/roles/ssh_hardening/tasks/install.yml
index f4232046f..cae179d69 100644
--- a/roles/ssh_hardening/tasks/install.yml
+++ b/roles/ssh_hardening/tasks/install.yml
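Review bot: The loop in disable-systemd-socket.yml now deletes unit links under /etc/systemd/system (`ssh.service.requires/ssh.socket`, `sockets.target.wants/ssh.socket`) with a plain file task, but nothing in this hunk reloads systemd, so its in-memory unit graph stays stale until a daemon-reload happens elsewhere; the commit message says systemd is reloaded, yet the diffstat (`6 +++++-`) is fully accounted for by this hunk, so no reload was added in this file. The `ansible.builtin.systemd` task that follows is cut off at the hunk end — if it does not already set `daemon_reload: true`, it should, or this file task should `notify` a reload handler so the removal takes effect in the same run. Separately, the unit name `ssh` is hard-coded in all three paths while install.yml refers to `{{ sshd_service_name }}`; that is fine if this file is only included on Debian-family hosts, but a one-line comment stating that assumption would help the next reader.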
@@ -17,6 +17,18 @@
 - (ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version is version('22.04', '>=')) or (ansible_facts.os_family == 'Debian' and ansible_facts.distribution_major_version is version('12', '>='))
 
+- name: Ensure privilege separation directory exists
+ ansible.builtin.file:
+ path: /run/sshd
+ state: directory
+ owner: root
+ group: root
+ mode: '0755'
+ when:
+ - ssh_server_hardening | bool
+ - ssh_server_enabled | bool
+ - ansible_facts.os_family == 'Debian'
+
 - name: Enable or disable sshd service
 ansible.builtin.service:
 name: "{{ sshd_service_name }}"
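Review bot: `/run` is volatile on systemd hosts, so the new "Ensure privilege separation directory exists" task only guarantees `/run/sshd` for the current boot; it takes over the `/var/run/sshd` creation dropped from the molecule prepare playbooks (presumably so sshd's config check passes in the test containers), but a reader of install.yml cannot tell that from the task itself. I believe Debian's packaged ssh unit recreates the directory on service start, so this is not meant to be a persistent fix and need not be — a comment saying so would stop someone from treating the role as what keeps the directory alive, e.g. `# /run is tmpfs: this only covers the current boot (privsep dir must exist before sshd's config check); the packaged unit recreates it on start`. Minor: `mode: '0755'` uses single quotes where the removed prepare tasks wrote `mode: "0755"`; pick one quoting style for the role. The preceding task's `when` list starts outside the hunk.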