Ansible Role Hardening Versions Save

What's Changed

• add ufw_rate_limit variable by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/608
• ensure upgrade dont change by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/610
• Vagrantfile: Added Bookworm by @jdaln in https://github.com/konstruktoid/ansible-role-hardening/pull/615
• set restrictive permssions on journal files by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/622
• add additional kernel configuration options by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/624
• add additional sysctl variables by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/625
• replace Ubuntu 20.04 with Ubuntu 24.04 (Noble Numbat) by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/630
• ensure kdump-tools are masked by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/635
• replace focal with noble in the Vagrantfile by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/636
• add custom installations and extend tests by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/638
• dont try to install empty lists by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/637
• ignore case in UFW comments by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/639

New Contributors

• @jdaln made their first contribution in https://github.com/konstruktoid/ansible-role-hardening/pull/615

Full Changelog: https://github.com/konstruktoid/ansible-role-hardening/compare/v2.0.4...v2.1.0-rc.2

What's Changed

• add ufw_rate_limit variable by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/608
• set restrictive permssions on journal files by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/622
• add additional kernel configuration options by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/624
• add additional sysctl variables by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/625
• replace Ubuntu 20.04 with Ubuntu 24.04 (Noble Numbat) by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/630
• ensure kdump-tools are masked by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/635
• ignore case in UFW comments by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/639

New Contributors

• @jdaln made their first contribution in https://github.com/konstruktoid/ansible-role-hardening/pull/615

Full Changelog: https://github.com/konstruktoid/ansible-role-hardening/compare/v2.0.4...v2.1.0-rc.1

What's Changed

• update test docs by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/601
• dont recurse when creating custom facts directories by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/602

Full Changelog: https://github.com/konstruktoid/ansible-role-hardening/compare/v2.0.3...v2.0.4

What's Changed

• add journald variables by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/581
• add aide_dir_exclusions variable and use include directories if present by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/587
• ensure usb/devices exists before installing USBGuard by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/591

Full Changelog: https://github.com/konstruktoid/ansible-role-hardening/compare/v2.0.2...v2.0.3

What's Changed

• document the sysctl_conf_dir variable by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/572
• add auditd_enable_flag variable by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/578

Full Changelog: https://github.com/konstruktoid/ansible-role-hardening/compare/v2.0.1...v2.0.2

What's Changed

• set sysctl conf dir as default variable by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/571

Full Changelog: https://github.com/konstruktoid/ansible-role-hardening/compare/v2.0.0...v2.0.1

What's Changed

This is a breaking release, read the documentation and update any variables effected

Changes include, but are not limited to:

• variables with multiple configuration options are now lists
• manage_aide, manage_auditd, manage_timesyncd, manage_faillock, manage_ssh, manage_ufw, manage_usbguard, manage_resolved, manage_rkhunter, manage_compilers are variables that can be set to false if configuration of named services is done outside of this role
• blocking blacklisted kernel modules is now the default and not optional
• automatic_updates: true will install and configure dnf-automatic or unattended-upgrades, depending on the distribution
• the sshd_update_moduli variable, if set to true, will download a updated moduli file from the konstruktoid/ssh-moduli repository.
• all template paths are now variables

What's Changed

• add extra comment in template files by @cleberb in https://github.com/konstruktoid/ansible-role-hardening/pull/399
• add passlib dependency by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/402
• fix template variable for task mount.yml by @cleberb in https://github.com/konstruktoid/ansible-role-hardening/pull/398
• correct grep exit codes by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/406
• improvements restrict compilers by @cleberb in https://github.com/konstruktoid/ansible-role-hardening/pull/403
• update suid list from @GTFOBins by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/415
• extend sshd configuration by @cleberb in https://github.com/konstruktoid/ansible-role-hardening/pull/401
• faillock and password hash improvements by @cleberb in https://github.com/konstruktoid/ansible-role-hardening/pull/421
• add sshd_match_user variables by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/428
• fix sshd configuration by @cleberb in https://github.com/konstruktoid/ansible-role-hardening/pull/430
• changed sysctl configuration to exclusively use templates. by @KoenDG in https://github.com/konstruktoid/ansible-role-hardening/pull/431
• move ipv6 into main sysctl file, add one for ufw settings by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/433
• rename sysctl files by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/434
• defaults readability by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/439
• rewrite audit rules by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/440
• ensure TMOUT and shell umask settings by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/448
• handle sysctl VLANs by @sgnsys3 in https://github.com/konstruktoid/ansible-role-hardening/pull/405
• ensure motd-news is masked by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/467
• refactor and verify rsyslog FileCreateMode by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/468
• ensure package managers clean and remove after installation by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/469
• loop default deny by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/471
• consistent command and shell usage by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/472
• remove pam backups by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/474
• refactor auditd rules by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/475
• add local accounts to password list by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/476
• fix local passwords by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/478
• update test boxes by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/479
• remove dsa host keys, generate ecdsa and ed25519 by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/483
• add variable to update ssh moduli file by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/486
• disable systemd-journal-remote by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/488
• add session_timeout variable and declare TMOUT by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/489
• add rsyslog FileCreateMode variable by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/490
• add tmout verification by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/491
• merge kernel module tasks by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/492
• fix sshd host key permissions by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/493
• set correct permissions on sysctl configuration files by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/499
• handle missing pam file by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/500
• get version from sshd instead of the client by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/501
• ensure kmod is installed by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/504
• require ansible 2.15 by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/510
• add support for automatic updates by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/512
• blacklist blocked kernel modules by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/518
• convert dns defaults to list by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/519
• convert ntp defaults to list by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/520
• use ntp servers with IPv4 and IPv6 support by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/522
• verify sysctl settings using systemd-sysctl by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/523
• use only @Cloudflare and @Quad9DNS DNS servers by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/524
• add @USBGuard management by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/529
• rename ufw_enable to manage_ufw and handle disconnects better by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/530
• split when: for readability by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/531
• rename default variables to manage_ by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/532
• put apt hardening options in variable by @andersuno in https://github.com/konstruktoid/ansible-role-hardening/pull/539
• add apt configuration verification by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/540
• add option to manage sysctl by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/542
• refactor tags by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/545
• redhat block named after debian by @KoenDG in https://github.com/konstruktoid/ansible-role-hardening/pull/546
• restructure dnf, ssh and yum tags by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/547
• add manage_resolved by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/548
• add manage_rkhunter and extend configuration by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/556
• add manage_compilers variable and verification by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/559
• add AuthorizedPrincipalsFile and TrustedUserCAKeys to sshd config by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/560
• dont repeat keywords in blocks by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/562

Full Changelog: https://github.com/konstruktoid/ansible-role-hardening/compare/v1.15.0...v2.0.0

What's Changed

• add manage_compilers variable and verification by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/559
• add AuthorizedPrincipalsFile and TrustedUserCAKeys to sshd config by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/560
• dont repeat keywords in blocks by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/562

Full Changelog: https://github.com/konstruktoid/ansible-role-hardening/compare/v2.0.0-rc.3...v2.0.0-rc.4

What's Changed

• add manage_rkhunter and extend configuration by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/556

Full Changelog: https://github.com/konstruktoid/ansible-role-hardening/compare/v2.0.0-rc.2...v2.0.0-rc.3

What's Changed

• put apt hardening options in variable by @andersuno in https://github.com/konstruktoid/ansible-role-hardening/pull/539
• add apt configuration verification by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/540
• add option to manage sysctl by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/542
• refactor tags by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/545
• redhat block named after debian by @KoenDG in https://github.com/konstruktoid/ansible-role-hardening/pull/546
• restructure dnf, ssh and yum tags by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/547
• add manage_resolved by @konstruktoid in https://github.com/konstruktoid/ansible-role-hardening/pull/548

New Contributors

• @andersuno made their first contribution in https://github.com/konstruktoid/ansible-role-hardening/pull/539

Full Changelog: https://github.com/konstruktoid/ansible-role-hardening/compare/v2.0.0-rc.1...v2.0.0-rc.2