Merge branch 'master' into tally

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

.github/workflows/galaxy.yml

@@ -20,6 +20,11 @@ jobs:
           api_key: ${{ secrets.GALAXY_API_KEY }}
           galaxy_version: ${{ github.event.release.tag_name }}
 
+      # checkout master instead of the release-tag so we can push the galaxy.yml
+      - uses: actions/checkout@v2
+        with:
+          ref: master
+
       - name: update galaxy.yml with new version
         uses: microsoft/variable-substitution@v1
         with:

.prettierignore

@@ -0,0 +1 @@
+CHANGELOG.md

CHANGELOG.md

@@ -1,22 +1,56 @@
 # Changelog
 
-## [7.1.1](https://github.com/dev-sec/ansible-collection-hardening/tree/7.1.1) (2021-02-05)
+## [7.2.1](https://github.com/dev-sec/ansible-collection-hardening/tree/7.2.1) (2021-02-10)
 
-[Full Changelog](https://github.com/dev-sec/ansible-collection-hardening/compare/7.1.0...7.1.1)
+[Full Changelog](https://github.com/dev-sec/ansible-collection-hardening/compare/7.2.0...7.2.1)
+
+**Implemented enhancements:**
+
+- add restart handler variable for mysql role [\#399](https://github.com/dev-sec/ansible-collection-hardening/pull/399) ([rndmh3ro](https://github.com/rndmh3ro))
+
+**Merged pull requests:**
+
+- do not install mysql python package on target host [\#401](https://github.com/dev-sec/ansible-collection-hardening/pull/401) ([rndmh3ro](https://github.com/rndmh3ro))
+- make wrong password fail task [\#400](https://github.com/dev-sec/ansible-collection-hardening/pull/400) ([rndmh3ro](https://github.com/rndmh3ro))
+
+## [7.2.0](https://github.com/dev-sec/ansible-collection-hardening/tree/7.2.0) (2021-02-10)
+
+[Full Changelog](https://github.com/dev-sec/ansible-collection-hardening/compare/7.1.1...7.2.0)
+
+**Implemented enhancements:**
+
+- Add variable to specify SSH host RSA key size [\#394](https://github.com/dev-sec/ansible-collection-hardening/pull/394) ([Normo](https://github.com/Normo))
+- Set default for ssh host key files only when hardening the server [\#393](https://github.com/dev-sec/ansible-collection-hardening/pull/393) ([Normo](https://github.com/Normo))
 
 **Fixed bugs:**
 
-- use fqcn for community.crypto.openssh\_keypair module [\#389](https://github.com/dev-sec/ansible-collection-hardening/pull/389) ([schurzi](https://github.com/schurzi))
+- A reason why instance would go in rescue mode ?  [\#267](https://github.com/dev-sec/ansible-collection-hardening/issues/267)
+- fix galaxy action to update local galaxy.yml [\#395](https://github.com/dev-sec/ansible-collection-hardening/pull/395) ([Normo](https://github.com/Normo))
 
 **Closed issues:**
 
+- Updating version in galaxy.yml should be part of the release process [\#396](https://github.com/dev-sec/ansible-collection-hardening/issues/396)
 - ssh\_hardening fail on keypair generation  [\#388](https://github.com/dev-sec/ansible-collection-hardening/issues/388)
-- AnsibleUndefinedVariable: 'ansible\_role\_name' is undefined with 7.1.0 [\#387](https://github.com/dev-sec/ansible-collection-hardening/issues/387)
+- The system must display the date and time of the last successful account logon upon an SSH logon. [\#362](https://github.com/dev-sec/ansible-collection-hardening/issues/362)
+- Error in "root password is present" step [\#326](https://github.com/dev-sec/ansible-collection-hardening/issues/326)
 
 **Merged pull requests:**
 
+- update ansible-lint to version 5 [\#397](https://github.com/dev-sec/ansible-collection-hardening/pull/397) ([schurzi](https://github.com/schurzi))
 - fix minimum required ansible version in docs [\#390](https://github.com/dev-sec/ansible-collection-hardening/pull/390) ([schurzi](https://github.com/schurzi))
 
+## [7.1.1](https://github.com/dev-sec/ansible-collection-hardening/tree/7.1.1) (2021-02-05)
+
+[Full Changelog](https://github.com/dev-sec/ansible-collection-hardening/compare/7.1.0...7.1.1)
+
+**Fixed bugs:**
+
+- use fqcn for community.crypto.openssh\_keypair module [\#389](https://github.com/dev-sec/ansible-collection-hardening/pull/389) ([schurzi](https://github.com/schurzi))
+
+**Closed issues:**
+
+- AnsibleUndefinedVariable: 'ansible\_role\_name' is undefined with 7.1.0 [\#387](https://github.com/dev-sec/ansible-collection-hardening/issues/387)
+
 ## [7.1.0](https://github.com/dev-sec/ansible-collection-hardening/tree/7.1.0) (2021-02-02)
 
 [Full Changelog](https://github.com/dev-sec/ansible-collection-hardening/compare/7.0.0...7.1.0)
@@ -86,7 +120,6 @@
 - Mount proc filesystem using hidepid option [\#283](https://github.com/dev-sec/ansible-collection-hardening/pull/283) ([alegrey91](https://github.com/alegrey91))
 - unify changelog and release actions [\#279](https://github.com/dev-sec/ansible-collection-hardening/pull/279) ([rndmh3ro](https://github.com/rndmh3ro))
 - purge insecure packages [\#275](https://github.com/dev-sec/ansible-collection-hardening/pull/275) ([chris-rock](https://github.com/chris-rock))
-- add changelog and release workflow [\#271](https://github.com/dev-sec/ansible-collection-hardening/pull/271) ([rndmh3ro](https://github.com/rndmh3ro))
 
 **Fixed bugs:**
 

galaxy.yml

@@ -1,36 +1,13 @@
-# The namespace of the collection. This can be a company/brand/organization or product namespace under which all
-# content lives. May only contain alphanumeric lowercase characters and underscores. Namespaces cannot start with
-# underscores or numbers and cannot contain consecutive underscores
 namespace: devsec
-
-# The name of the collection. Has the same character restrictions as 'namespace'
 name: hardening
-
-# The version of the collection. Must be compatible with semantic versioning
-version: 7.0.0
-
-# The path to the Markdown (.md) readme file. This path is relative to the root of the collection
+version: 7.2.0
 readme: README.md
-
-# A list of the collection's content authors. Can be just the name or in the format 'Full Name <email> (url)
-# @nicks:irc/im.site#channel'
 authors:
-- dev-sec <hello@dev-sec.io>
-
-# A short summary description of the collection
-description: This collection provides battle tested hardening for Linux, SSH, nginx, MySQL
-
-# Either a single license or a list of licenses for content inside of a collection. Ansible Galaxy currently only
-# accepts L(SPDX,https://spdx.org/licenses/) licenses. This key is mutually exclusive with 'license_file'
+  - dev-sec <hello@dev-sec.io>
+description: 'This collection provides battle tested hardening for Linux, SSH, nginx, MySQL'
 license:
-- GPL-2.0-or-later
-
-# The path to the license file for the collection. This path is relative to the root of the collection. This key is
-# mutually exclusive with 'license'
+  - GPL-2.0-or-later
 license_file: ''
-
-# A list of tags you want to associate with the collection for indexing/searching. A tag name has the same character
-# requirements as 'namespace' and 'name'
 tags:
   - devsec
   - hardening
@@ -40,24 +17,11 @@ tags:
   - nginx
   - mysql
   - openssh
-
-# Collections that this collection requires to be installed for it to be usable. The key of the dict is the
-# collection label 'namespace.name'. The value is a version range
-# L(specifiers,https://python-semanticversion.readthedocs.io/en/latest/#requirement-specification). Multiple version
-# range specifiers can be set and are separated by ','
 dependencies:
   community.crypto: '>=1.0.0'
-
-# The URL of the originating SCM repository
-repository: https://github.com/dev-sec/ansible-os-hardening
-
-# The URL to the homepage of the collection/project
-homepage: https://dev-sec.io/
-
-# The URL to the collection issue tracker
-issues: https://github.com/dev-sec/ansible-os-hardening/issues
-
-# ignore files not needed for release
+repository: 'https://github.com/dev-sec/ansible-os-hardening'
+homepage: 'https://dev-sec.io/'
+issues: 'https://github.com/dev-sec/ansible-os-hardening/issues'
 build_ignore:
   - codecov.yml
   - .github

requirements.txt

@@ -1,5 +1,6 @@
 molecule[docker]
 yamllint
+ansible
 ansible-lint
 docker
 flake8

roles/mysql_hardening/README.md

@@ -75,5 +75,8 @@ This role expects an existing installation of MySQL or MariaDB. Please ensure th
 - `mysql_remove_test_database`
   - Default: true
   - Description: remove test database
+- `mysql_hardening_restart_mysql`
+  - Default: true
+  - Description: Restart mysql after running this role
 
 Further information is available at [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://www.symantec.com/connect/articles/securing-mysql-step-step)

roles/mysql_hardening/defaults/main.yml

@@ -4,6 +4,8 @@ mysql_hardening_enabled: true
 
 mysql_daemon_enabled: true
 
+mysql_hardening_restart_mysql: true
+
 # general configuration
 mysql_datadir: '/var/lib/mysql'
 mysql_hardening_mysql_hardening_conf_file: '{{mysql_hardening_mysql_confd_dir}}/hardening.cnf'

roles/mysql_hardening/handlers/main.yml

@@ -1,4 +1,7 @@
 ---
 
 - name: restart mysql
-  service: name='{{ mysql_daemon }}' state=restarted
+  service:
+    name: '{{ mysql_daemon }}'
+    state: restarted
+  when: mysql_hardening_restart_mysql | bool

roles/mysql_hardening/tasks/mysql_secure_installation.yml

@@ -1,11 +1,7 @@
 ---
-- name: Install mysqld python libary for Ansible
-  package:
-    name: '{{ mysql_python_package }}'
-    state: present
-
-- debug:
-    msg: 'WARNING - you have to change default mysql_root_password'
+- name: fail the role if the mysql root password was not set
+  fail:
+    msg: 'ERROR - you have to change default mysql_root_password'
   when: mysql_root_password == '-----====>SetR00tPa$$wordH3r3!!!<====-----'
 
 - name: root password is present

roles/mysql_hardening/vars/Debian.yml

@@ -10,5 +10,3 @@ mysql_hardening_group: 'adm'
 
 mysql_cnf_owner: 'root'  # owner of /etc/mysql/*.cnf files
 mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
-
-mysql_python_package: "python3-pymysql"

roles/mysql_hardening/vars/RedHat_7.yml

@@ -5,8 +5,6 @@ mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d'
 
 mysql_hardening_log_file: '/var/log/mariadb/mariadb.log'
 
-mysql_python_package: 'MySQL-python'
-
 mysql_cnf_owner: 'root'  # owner of /etc/mysql/*.cnf files
 mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
 

roles/mysql_hardening/vars/RedHat_8.yml

@@ -4,8 +4,6 @@ mysql_hardening_mysql_conf_file: '/etc/my.cnf'
 mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d'
 mysql_hardening_log_file: '/var/log/mariadb/mariadb.log'
 
-mysql_python_package: 'python3-mysqlclient'
-
 mysql_cnf_owner: 'root'  # owner of /etc/mysql/*.cnf files
 mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
 

roles/mysql_hardening/vars/Ubuntu_16.yml

@@ -10,5 +10,3 @@ mysql_cnf_owner: 'root'  # owner of /etc/mysql/*.cnf files
 mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
 
 mysql_hardening_group: 'adm'
-
-mysql_python_package: "python-mysqldb"

roles/mysql_hardening/vars/Ubuntu_18.yml

@@ -10,5 +10,3 @@ mysql_cnf_owner: 'root'  # owner of /etc/mysql/*.cnf files
 mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
 
 mysql_hardening_group: 'adm'
-
-mysql_python_package: "python-mysqldb"

roles/mysql_hardening/vars/Ubuntu_20.yml

@@ -10,5 +10,3 @@ mysql_cnf_owner: 'root'  # owner of /etc/mysql/*.cnf files
 mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
 
 mysql_hardening_group: 'adm'
-
-mysql_python_package: "python3-mysqldb"

roles/os_hardening/tasks/minimize_access.yml

@@ -5,15 +5,15 @@
 # This is also the reason why there's ignore_errors: true on the task.
 # also see: https://github.com/dev-sec/ansible-os-hardening/issues/219
 - name: find files with write-permissions for group
-  shell: "find -L {{ item }} -perm /go+w -type f"  # noqa 305
+  shell: "find -L {{ item }} -perm /go+w -type f"  # noqa command-instead-of-shell
   with_flattened:
     - '/usr/local/sbin'
     - '/usr/local/bin'
     - '/usr/sbin'
     - '/usr/bin'
     - '/sbin'
     - '/bin'
-    - "{{ os_env_extra_user_paths }}"  # noqa 104
+    - "{{ os_env_extra_user_paths }}"  # noqa deprecated-bare-vars
   register: minimize_access_directories
   ignore_errors: true
   changed_when: false

roles/ssh_hardening/README.md

@@ -35,6 +35,9 @@ Warning: This role disables root-login on the target server! Please make sure yo
 - `ssh_host_key_files`
   - Default: `[]`
   - Description: Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version.
+- `ssh_host_rsa_key_size`
+  - Default: `4096`
+  - Description: Specifies the number of bits in the private host RSA key to create.
 - `ssh_host_key_algorithms`
   - Default: `[]`
   - Description: Host key algorithms that the server offers. If empty the [default list](https://man.openbsd.org/sshd_config#HostKeyAlgorithms) will be used, otherwise overrides the setting with specified list of algorithms.

roles/ssh_hardening/defaults/main.yml

@@ -36,6 +36,9 @@ ssh_listen_to: ['0.0.0.0']          # sshd
 # Host keys to look for when starting sshd.
 ssh_host_key_files: []              # sshd
 
+# Host RSA key size in bits
+ssh_host_rsa_key_size: 4096         # sshd
+
 # Host certificates to look for when starting sshd.
 ssh_host_certificates: []           # sshd
 

roles/ssh_hardening/tasks/crypto_hostkeys.yml

@@ -1,9 +1,9 @@
 ---
-- name: replace default 2048 bits RSA keypair with 4096 bits keypair
+- name: replace default 2048 bits RSA keypair
   community.crypto.openssh_keypair:
     state: present
     type: rsa
-    size: 4096
+    size: "{{ ssh_host_rsa_key_size }}"
     path: "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
     force: false
     regenerate: partial_idempotence

roles/ssh_hardening/tasks/hardening.yml

@@ -33,7 +33,9 @@
 
 - name: set default for ssh_host_key_files if not supplied
   include_tasks: crypto_hostkeys.yml
-  when: not ssh_host_key_files
+  when:
+    - ssh_server_hardening | bool
+    - not ssh_host_key_files
 
 - name: set default for ssh_macs if not supplied
   include_tasks: crypto_macs.yml