From ef5e8801e402a1e497c2c97834f64f956a139c48 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Fri, 4 Aug 2023 12:59:40 +0200 Subject: [PATCH] add debian 12 support (#684) * add debian 12 support Signed-off-by: Sebastian Gumprich * temp disable pam-checks Signed-off-by: Sebastian Gumprich * remove debian12 from vagrant tests as there's no box yet Signed-off-by: Sebastian Gumprich * use new pam-tester from pip Signed-off-by: Sebastian Gumprich * use new pam-tester from pip Signed-off-by: Sebastian Gumprich * add setuptoolks to pam-tester install Signed-off-by: Sebastian Gumprich * add setuptoolks to pam-tester install Signed-off-by: Sebastian Gumprich * add setuptoolks to pam-tester install Signed-off-by: Sebastian Gumprich * add setuptoolks to pam-tester install Signed-off-by: Sebastian Gumprich * install pam-tester with python3 and use full path to it Signed-off-by: Sebastian Gumprich * install python3-setupttools in verify-tests Signed-off-by: Sebastian Gumprich * fix path for pam-tester in all tests Signed-off-by: Sebastian Gumprich * set python interpreter to 3 for verify-tests Signed-off-by: Sebastian Gumprich * Revert "set python interpreter to 3 for verify-tests" This reverts commit 00b6556e332dbac06ace86397b8e6a9481a8a1c4. * add back accidentally deleted tasks Signed-off-by: Sebastian Gumprich --------- Signed-off-by: Sebastian Gumprich Co-authored-by: Sebastian Gumprich --- .github/workflows/mysql_hardening.yml | 1 + .github/workflows/nginx_hardening.yml | 1 + .github/workflows/os_hardening.yml | 1 + .github/workflows/os_hardening_vm.yml | 1 + .github/workflows/ssh_hardening.yml | 1 + .../workflows/ssh_hardening_custom_tests.yml | 1 + README.md | 6 ++--- molecule/os_hardening/verify.yml | 4 +++ molecule/os_hardening/verify_tasks/pam.yml | 26 ++++++++++++------- molecule/os_hardening_vm/verify_tasks/pam.yml | 16 ++++++++---- 10 files changed, 41 insertions(+), 17 deletions(-) 
diff --git a/.github/workflows/mysql_hardening.yml b/.github/workflows/mysql_hardening.yml
index 9a241b095..94c04d41d 100644
--- a/.github/workflows/mysql_hardening.yml
+++ b/.github/workflows/mysql_hardening.yml
@@ -45,6 +45,7 @@ jobs:
           - ubuntu2204
           - debian10
           - debian11
+          - debian12
           # - amazon # geerlingguy.mysql does not support fedora
           # - arch # geerlingguy.mysql does not support arch
           - opensuse_tumbleweed
diff --git a/.github/workflows/nginx_hardening.yml b/.github/workflows/nginx_hardening.yml
index 076a4b5d4..08bc83d1f 100644
--- a/.github/workflows/nginx_hardening.yml
+++ b/.github/workflows/nginx_hardening.yml
@@ -44,6 +44,7 @@ jobs:
           - ubuntu2204
           - debian10
           - debian11
+          - debian12
           - amazon2023
           # - arch # needs to be fixed
           # - opensuse_tumbleweed # needs to be fixed
diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml
index 8a198c7d2..13a0d1e6a 100644
--- a/.github/workflows/os_hardening.yml
+++ b/.github/workflows/os_hardening.yml
@@ -46,6 +46,7 @@ jobs:
           - ubuntu2204
           - debian10
           - debian11
+          - debian12
           - amazon2023
           - opensuse_tumbleweed
           - arch
diff --git a/.github/workflows/os_hardening_vm.yml b/.github/workflows/os_hardening_vm.yml
index b1e62e2e5..f1d49b8a4 100644
--- a/.github/workflows/os_hardening_vm.yml
+++ b/.github/workflows/os_hardening_vm.yml
@@ -46,6 +46,7 @@ jobs:
           - ubuntu2204
           - debian10
           - debian11
+          # - debian12 # waiting for https://github.com/lavabit/robox/pull/274
           - opensuse15
           # - arch # needs fix for audit
     steps:
diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml
index ea6537de1..ae86418b3 100644
--- a/.github/workflows/ssh_hardening.yml
+++ b/.github/workflows/ssh_hardening.yml
@@ -46,6 +46,7 @@ jobs:
           - ubuntu2204
           - debian10
           - debian11
+          - debian12
           - amazon2023
           - arch
           # - opensuse_tumbleweed # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml
index af69e4038..ce99f41fe 100644
--- a/.github/workflows/ssh_hardening_custom_tests.yml
+++ b/.github/workflows/ssh_hardening_custom_tests.yml
@@ -46,6 +46,7 @@ jobs:
           - ubuntu2204
           - debian10
           - debian11
+          - debian12
           - amazon2023
           - arch
           # - opensuse_tumbleweed # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
diff --git a/README.md b/README.md
index 789b37cff..d237e05ed 100644
--- a/README.md
+++ b/README.md
@@ -11,9 +11,9 @@
 This collection provides battle tested hardening for:
 
 - Linux operating systems:
-  - CentOS 7
-  - Rocky Linux 8
-  - Debian 10/11
+  - CentOS 7/8/9
+  - Rocky Linux 8/9
+  - Debian 10/11/12
   - Ubuntu 18.04/20.04/22.04
   - Amazon Linux (some roles supported)
   - Arch Linux (some roles supported)
diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml
index 58e6d6794..8641874b0 100644
--- a/molecule/os_hardening/verify.yml
+++ b/molecule/os_hardening/verify.yml
@@ -7,6 +7,10 @@
     https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
+    - name: set ansible_python_interpreter to "/usr/bin/python3"
+      set_fact:
+        ansible_python_interpreter: "/usr/bin/python3"
+
     - name: include verification tasks
       ansible.builtin.include_tasks:
         file: "{{ item }}"
diff --git a/molecule/os_hardening/verify_tasks/pam.yml b/molecule/os_hardening/verify_tasks/pam.yml
index 62bdb3305..c71cae010 100644
--- a/molecule/os_hardening/verify_tasks/pam.yml
+++ b/molecule/os_hardening/verify_tasks/pam.yml
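Review bot: The new task in molecule/os_hardening/verify.yml uses the short module name `set_fact:` while the task directly below it uses the fully qualified `ansible.builtin.include_tasks:`; for consistency within the play write `ansible.builtin.set_fact:`. The task name repeats the literal path that the value already carries, so both have to be kept in sync; a shorter name such as `- name: force python3 interpreter for verification tasks` avoids that. Since this pins `/usr/bin/python3` for every distro in the matrix rather than the discovered interpreter, a one-line comment above the task stating why (presumably so the pip-based installs in the verify tasks run under python3 on Debian 12 — I am inferring this from the commit message) would help the next maintainer.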
@@ -1,9 +1,17 @@
 ---
-- name: download pam-tester
-  get_url:
-    url: https://github.com/schurzi/pam-tester/releases/download/latest/pam-tester
-    dest: /bin/pam-tester
-    mode: 0555
+
+- name: install pip
+  package:
+    name:
+      - python3-pip
+      - python3-setuptools
+    state: present
+
+- name: install pam-tester
+  ansible.builtin.pip:
+    name: pam-tester
+    state: present
+    executable: /usr/bin/pip3
 
 - name: set password for test
   set_fact:
@@ -23,7 +31,7 @@
 
 - name: check successful login with correct password
   shell:
-    cmd: "pam-tester --user testuser --password {{ test_pw }}"
+    cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
   environment:
     TMPDIR: /var/tmp
     LC_ALL: "{{ locale | default('C.UTF-8') }}"
@@ -31,7 +39,7 @@
 
 - name: check unsuccessful login with incorrect password
   shell:
-    cmd: "pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
+    cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
   environment:
     TMPDIR: /var/tmp
     LC_ALL: "{{ locale | default('C.UTF-8') }}"
@@ -40,7 +48,7 @@
 
 - name: check unsuccessful login, with correct password (lockout)
   shell:
-    cmd: "pam-tester --user testuser --password {{ test_pw }} --expectfail"
+    cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }} --expectfail"
   environment:
     TMPDIR: /var/tmp
     LC_ALL: "{{ locale | default('C.UTF-8') }}"
@@ -52,7 +60,7 @@
 
 - name: check successful login
   shell:
-    cmd: "pam-tester --user testuser --password {{ test_pw }}"
+    cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
   environment:
     TMPDIR: /var/tmp
     LC_ALL: "{{ locale | default('C.UTF-8') }}"
diff --git a/molecule/os_hardening_vm/verify_tasks/pam.yml b/molecule/os_hardening_vm/verify_tasks/pam.yml
index 62bdb3305..bfbb7a3b1 100644
--- a/molecule/os_hardening_vm/verify_tasks/pam.yml
+++ b/molecule/os_hardening_vm/verify_tasks/pam.yml
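Review bot: The new `install pam-tester` task installs `pam-tester` from PyPI with no `version:` pinned, so each CI run takes whatever the index serves that day — the same floating dependency the removed `releases/download/latest/` URL had, now with a wider trust surface (the PyPI project, its release pipeline and any transitive dependencies). Pin it explicitly, for example `name: pam-tester` together with `version: "<pinned version>"` (or `name: "pam-tester==<pinned version>"`), and bump it deliberately. The four `shell:` hunks further down in this file hard-code `/usr/local/bin/pam-tester`; that is pip's install location for the Debian/Ubuntu system interpreter but may not hold on the other distros in the os_hardening matrix (arch, opensuse_tumbleweed, amazon2023), so resolving the path once — a variable set next to the install task — and referencing it from all four commands would remove both the repetition and the distro assumption. One hedged point on Debian 12: if its system pip enforces the externally-managed-environment rule, `ansible.builtin.pip` without `extra_args` or a `virtualenv` will fail there; a passing debian12 CI job would settle this.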
@@ -1,9 +1,15 @@
 ---
-- name: download pam-tester
-  get_url:
-    url: https://github.com/schurzi/pam-tester/releases/download/latest/pam-tester
-    dest: /bin/pam-tester
-    mode: 0555
+- name: install pip
+  package:
+    name:
+      - python3-pip
+      - python3-setuptools
+    state: present
+
+- name: install pam-tester
+  ansible.builtin.pip:
+    name: pam-tester
+    state: present
 
 - name: set password for test
   set_fact:
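Review bot: This copy of the install diverges from the one added to molecule/os_hardening/verify_tasks/pam.yml in the same commit: it omits `executable: /usr/bin/pip3`, and per the diffstat (11 insertions, 5 deletions in this file) the `pam-tester` invocations below remain a bare command while the other file was switched to `/usr/local/bin/pam-tester`, so the two verify scenarios now rely on different pip and PATH resolution. Either align the two files (same `executable:` and same path handling) or add a comment above `install pam-tester` stating why the VM scenario is intentionally different. Pinning a `version:` for `pam-tester` applies here as well, since an unpinned PyPI install is a floating dependency in the test path.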