All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- iptables ipset
- grub md5 password
- vars/Debian-10
- repository: pre-commit config, detect-secrets, lint
- misc: logcheck, aide-hids, hash updates
- github action: lint as separated workflow
- misc: hash updates
- repository: lint
- sshd certificates configuration
- sudo 1.9.4+ options: json logs, remote syslog
- github workflow
- allow custom immutable apt directories and alternate file list
- misc: hash updates, logcheck
- sshd_config: allow customizing UseDNS
- sshd-monit: decrease check frequency
- s/travis-ci.org/travis-ci.com/
- Travis-ci
- support for Ubuntu 20.04
- Update tools and hashes
- lint
- Update to configuration of: logcheck, aide hids
- RHEL/Centos8 support, packer config
- proxy support for kitchen-test through environment variables
- custom /etc/issue
- optional harden_backup variable (default: false) to keep backups of files modified by copy/template modules
- update inspec to 4.18
- update ansible to 2.9.1/2.8.3
- update ansible to 2.8.3/2.7.12
- update lkrg to 0.7
- fix ansible syntax for rsyslog tasks and templates
- aide-hids exclusion: +prometheus
- proxy system configuration (apt, dnf, /etc/environment)
- optional openwall lkrg https://www.openwall.com/lkrg/
- Github: rename tags to match semantic versioning: 0.7.0, 0.8.0
- Travis: switch dist to Xenial + lxd3
- Centos7: default to python36 from EPEL
- more linting
- test/full: add falco, ntpclient, osquery, harden-mailserver, auditd roles
- test: add openscap check on centos/redhat and ubuntu
- test/full inspec: use multiple baselines controls
- custom shell PS1 variable
- /etc/securetty: remove some lines (openscap)
- ssh/moduli: cleaning
- packer: Azure, Virtualbox, Vmware configurations
- Initial RedHat-8 (beta) support
- Heavy lint to comply with the new Galaxy rules after adoption of ansible-lint: https://groups.google.com/forum/#!topic/ansible-project/ehrb6AEptzA https://docs.ansible.com/ansible-lint/rules/default_rules.html https://github.com/ansible/ansible-lint
- Galaxy dependency naming evolution (juju4.redhat_epel, harden_sysctl...)
- Travis: update ansible to 2.7.5/2.6.11
- password dictionary danielmiessler/SecLists: enforce specific tag
- Firewall iptables: review Alpine Linux support
- Firewall iptables: owner filtering rules, restrict ssh from root [TODO]
- Centos/RHEL7: fix multiple issues (ansible syntax, openscap...)
- Centos/RHEL7: use pwquality package instead of cracklib (CIS/openscap)
- ssh/sshd: use templates for configuration
- default umask: from 022 to 077
- package open-iscsi
- package setroubleshoot (CIS1.6.1.4)
- Monit for sshd, rsyslog and osqueryd
- More loop devices (ubuntu livepatch)
- Rhel: enable selinux
- Audit mode for apparmor
- Experimental: rhel7.2 kpatch support
- External dictionary for pam_cracklib (danielmiessler/SecLists)
- Shell, sudo timeout
- Motd
- UTC Timezone
- Optional testing: inspec (custom dev-sec linux-baseline), lynis, privilege escalation (kernelpop)
- Optional testing: speculative execution vulnerabilities
- Gitignore
- iptables rules.v6
- disable LLMNR
- Osquery
- Auditd
- iptables rules.v4
- sshd config
- Initial commit on Github, include simple travis, kitchen and vagrant tests
- Jenkinsfile