From 5e1e2513c5294406282d7e54c174f990b7c6f178 Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich <sebastian.gumprich@38.de>
Date: Tue, 23 Jun 2015 18:20:06 +0000
Subject: [PATCH 1/3] Update readme, todo, changelog, vars

* This commit updates the readme in several ways.
* It adds a todo-list and a changelog.
* It deletes unused variables
---
 CHANGELOG.md                             |  9 +++++++
 README.md                                | 30 ++++++++++++------------
 TODO.md                                  |  4 ++++
 roles/ansible-os-hardening/vars/main.yml | 14 +----------
 4 files changed, 29 insertions(+), 28 deletions(-)
 create mode 100644 CHANGELOG.md
 create mode 100644 TODO.md

diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 000000000..885b6531f
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,9 @@
+# Changelog
+
+## 1.0.0
+
+ * Implement os-hardening to meet our [tests](https://github.com/hardening-io/tests-os-hardening)
+ * Enable GPG-checking on all yum-repository files [#5](https://github.com/hardening-io/ansible-os-hardening/pull/5)
+ * Disable system accounts [#6](https://github.com/hardening-io/ansible-os-hardening/issues/6)
+ * Module-loading configuration [#22](https://github.com/hardening-io/ansible-os-hardening/pull/22)
+ * Travis support [#17](https://github.com/hardening-io/ansible-os-hardening/pull/17)
diff --git a/README.md b/README.md
index 4223a8377..3d5a04bcd 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,7 @@
 # os-hardening (Ansible Role)
 
-[![Build Status](http://img.shields.io/travis/hardening-io/ansible-os-hardening.svg)][2]
-[![Code Coverage](http://img.shields.io/coveralls/hardening-io/ansible-os-hardening.svg)][3]
-[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][5]
+[![Build Status](http://img.shields.io/travis/hardening-io/ansible-os-hardening.svg)][1]
+[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][2]
 
 ## Description
 
@@ -31,13 +30,11 @@ It will not:
 
 ## Variables
 
+### in main.yml
+
 * `os_desktop_enable: false` -  true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc
-* `os_network_forwarding: false` - true if this system requires packet forwarding (eg Router), false otherwise
-* `os_network_ipv6_enable: false`
-* `os_network_arp_restricted: true` - true if you want the behavior of announcing and replying to ARP to be restricted, false otherwise
 * `os_env_extra_user_paths: []` - add additional paths to the user's `PATH` variable (default is empty).
 * `os_env_umask: "027"`
-* `os_env_root_path: "/"` - where root is mounted
 * `os_auth_pw_max_age: 60` - maximum password age
 * `os_auth_pw_min_age: 7` - minimum password age (before allowing any other password change)
 * `os_auth_retries: 5` - the maximum number of authentication attempts, before the account is locked for some time
@@ -53,10 +50,14 @@ It will not:
 * `os_security_suid_sgid_enforce: true` - true if you want to reduce SUID/SGID bits. There is already a list of items which are searched for configured, but you can also add your own
 * `os_security_suid_sgid_blacklist: []` - a list of paths which should have their SUID/SGID bits removed
 * `os_security_suid_sgid_whitelist: []` - a list of paths which should not have their SUID/SGID bits altered
-* `os_security_suid_sgid_remove_from_unknown: false` - true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Chef run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.
-* `os_security_suid_sgid_dry_run_on_unknown: false` - like `remove_from_unknown` above, only that SUID/SGID bits aren't removed.
-  It will still search the filesystems to look for SUID/SGID bits but it will only print them in your log. This option is only ever recommended, when you first configure `remove_from_unknown` for SUID/SGID bits, so that you can see the files that are being changed and make adjustments to your `whitelist` and `blacklist`.
-* `os_security_packages_clean']  = true` - removes packages with known issues. See section packages.
+* `os_security_suid_sgid_remove_from_unknown: false` - true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.
+* `os_security_packages_clean': true` - removes packages with known issues. See section packages.
+
+### in sysctl.yml
+
+* `os_network_forwarding: false` - true if this system requires packet forwarding (eg Router), false otherwise
+* `os_network_ipv6_enable: false`
+* `os_network_arp_restricted: true` - true if you want the behavior of announcing and replying to ARP to be restricted, false otherwise
 
 ## Packages
 
@@ -117,7 +118,7 @@ This role is mostly based on guides by:
 * [Ubuntu Security/Features](https://wiki.ubuntu.com/Security/Features)
 * [Deutsche Telekom, Group IT Security, Security Requirements (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si)
 
-Thanks to all of you!!
+Thanks to all of you!
 ## Contributing
 
 See [contributor guideline](CONTRIBUTING.md).
@@ -139,6 +140,5 @@ See the License for the specific language governing permissions and
 limitations under the License.
 
 
-[2]: http://travis-ci.org/hardening-io/ansible-os-hardening
-[3]: https://coveralls.io/r/hardening-io/ansible-os-hardening
-[5]: https://gitter.im/hardening-io
+[1]: http://travis-ci.org/hardening-io/ansible-os-hardening
+[2]: https://gitter.im/hardening-io
diff --git a/TODO.md b/TODO.md
new file mode 100644
index 000000000..94005dc1b
--- /dev/null
+++ b/TODO.md
@@ -0,0 +1,4 @@
+# TODO
+
+* [Adduser consistency](https://github.com/hardening-io/chef-os-hardening/pull/73)
+* [add support for limiting password re-use](https://github.com/hardening-io/puppet-os-hardening/pull/61)
diff --git a/roles/ansible-os-hardening/vars/main.yml b/roles/ansible-os-hardening/vars/main.yml
index 976b487e1..5858f0c22 100644
--- a/roles/ansible-os-hardening/vars/main.yml
+++ b/roles/ansible-os-hardening/vars/main.yml
@@ -1,14 +1,6 @@
-# rhel, centos autoconf configuration
-#os_authconfig_shadow_enable:  true
-#os_authconfig_md5_enable:  true
-
 os_desktop_enable: false
-os_network_forwarding: false
-os_network_ipv6_enable: false
-os_network_arp_restricted: true 
 os_env_extra_user_paths: []
 os_env_umask: '027'
-os_env_root_path: '/'
 os_auth_pw_max_age: 60
 os_auth_pw_min_age: 7 # discourage password cycling
 os_auth_retries: 5
@@ -26,7 +18,6 @@ os_security_users_allow: []
 # specify system accounts those login should not be disabled and password not changed
 os_ignore_users: ['vagrant']
 os_security_kernel_enable_module_loading: true
-os_security_kernel_enable_sysrq: false
 os_security_kernel_enable_core_dump: false
 os_security_suid_sgid_enforce: true
 # user-defined blacklist and whitelist
@@ -36,15 +27,12 @@ os_security_suid_sgid_whitelist: []
 os_security_suid_sgid_remove_from_unknown: false
 
 # remove packages with known issues
-os_security_packages_clean: true
+os_security_packages_clean: false
 
 # SYSTEM CONFIGURATION
 # ====================
 # These are not meant to be modified by the user
 
-# misc
-os_security_kernel_secure_sysrq: 4 + 16 + 32 + 64 + 128
-
 # suid and sgid blacklists and whitelists
 # ---------------------------------------
 # don't change values in the system_blacklist/whitelist

From 1ff8b21a034cb2a5764aecc85f5230a2f89656f3 Mon Sep 17 00:00:00 2001
From: Christoph Hartmann <chris@lollyrock.com>
Date: Wed, 24 Jun 2015 00:02:42 +0200
Subject: [PATCH 2/3] update gitter url

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 3d5a04bcd..fdca5404f 100644
--- a/README.md
+++ b/README.md
@@ -141,4 +141,4 @@ limitations under the License.
 
 
 [1]: http://travis-ci.org/hardening-io/ansible-os-hardening
-[2]: https://gitter.im/hardening-io
+[2]: https://gitter.im/hardening-io/general

From 348fb1cc530c595a3f927b8a4d68826f3072f2df Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich <sebastian.gumprich@38.de>
Date: Wed, 24 Jun 2015 10:21:13 +0000
Subject: [PATCH 3/3] Change var to true to remove pkgs by default

---
 roles/ansible-os-hardening/vars/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/ansible-os-hardening/vars/main.yml b/roles/ansible-os-hardening/vars/main.yml
index 5858f0c22..f77b67d59 100644
--- a/roles/ansible-os-hardening/vars/main.yml
+++ b/roles/ansible-os-hardening/vars/main.yml
@@ -27,7 +27,7 @@ os_security_suid_sgid_whitelist: []
 os_security_suid_sgid_remove_from_unknown: false
 
 # remove packages with known issues
-os_security_packages_clean: false
+os_security_packages_clean: true
 
 # SYSTEM CONFIGURATION
 # ====================