Migrating our Ansible roles to a collection

Sunday, Nov 8, 2020
In July 2020 we decided to move our existing Ansible roles for Linux, ssh, nginx and MySQL into an Ansible collection (what is a collection?). Why? Having only one repository for all roles means we don’t have to duplicate code. We have one common test suite for all roles that works the same for every role. Also, collections are the future, as there may be no support for roles in the next version of Ansible Galaxy (see ansible/galaxy_ng#58).

Automating dev-sec releases with Github Actions

Saturday, May 30, 2020
Hey friends, some time ago someone who uses our Ansible roles created an issue in our ansible-os-hardening role stating that the readme on Ansible Galaxy diverged from the actual releases you can find on Galaxy. The reason for that is simple: Galaxy shows the readme from the master branch of the GitHub repository, not from the latest release that is uploaded there. That produced a discrepancy between the functions of the role and what is described in the readme.

DevSec takes part in Hacktoberfest

Saturday, Oct 5, 2019
Dear DevSec friends, it’s Hacktoberfest 2019 and we from the DevSec project are taking part in it! And this year not only as contributors but as maintainers as well. We looked for issues in our Chef cookbooks, Ansible roles, Puppet modules and InSpec profiles that are good candidates for your contributions to Hacktoberfest. Then we collected them in our GitHub project so you have one place to find them all! So go grab an issue, create a pull request and grab your Hacktoberfest swag!

DevSec Baseline releases, major update for our Windows baseline

Wednesday, May 15, 2019
Dear DevSec friends, today we released many DevSec baselines. Thank you, the dev-sec community, for all the contributions to make it happen. We released: Windows Baseline 2.0.0 and 1.2.0, Linux Baseline 2.3.0, Nginx Baseline 2.3.0, MySQL Baseline 3.1.0, Apache Baseline 2.1.0, Postgres Baseline 2.0.4, Linux Patch Baseline 0.5.0. Especially, I’d like to thank Karsten Müller from Lichtblick, Patrick Münch and Torsten Löbner (TLoebner) from SVA for their major contribution to our Windows baseline.

Change of contact and communication ways

Wednesday, Feb 13, 2019
Dear DevSec friends, some of you may already have noticed that we are improving the website of the project: updating the content, rebuilding and refreshing it. Besides that, we decided to change some of the communication channels of the project. The Gitter chat was not heavily used in the past and wasn’t accepted even by some of the core maintainers. As mailing lists are still a widely used communication channel for many open source projects, we decided to give them a try:

Our new homepage

Monday, Oct 15, 2018
Hi Security Friends, we had this update in the works for a while and the new homepage is finally here. I’ll look at some of the updates and encourage you to reach out for future improvements. We finally migrated from our old custom-built pages to Hugo and combined our front page, blog and documentation into one single repository. This is easier to maintain and to contribute to. Besides these technical improvements, we also worked on the user experience: a fresh front page, a new contributor page, and an improved baseline overview.

chef-os-hardening 3.0.0 is released

Thursday, Dec 21, 2017
The DevSec Hardening Framework project is releasing a new major release, chef-os-hardening 3.0.0, today. The major points of this release are listed below; many thanks for the contributions and help we received from our users and community! Highlights and breaking changes: blacklisting of filesystems (PR 169). Important: vfat is included in the default list, so be careful if you have some desktop systems. SELinux support for RHEL family distributions: SELinux is unmanaged by default and can be enabled via setting ['os-hardening']['security']['selinux_mode'] (PR 173, many thanks to AnMoeller for this contribution). Adaptation of some attributes to better RH defaults (PR 177, many thanks to strangeman for updating the baseline). New attributes and features:

cis-docker-benchmark 2.0.0 is released

Friday, Nov 24, 2017
The DevSec Hardening Framework project is releasing a new major release of cis-docker-benchmark today. The major points of this release are listed below; however, there are also many changes under the hood, like cleanups of documentation and improvements of the InSpec profile. Many thanks for the contributions and help we received from our users and community! Highlights and breaking changes: update of the InSpec profile to support the CIS Docker Benchmark 1.

CIS Kubernetes and CIS Independent Linux Benchmark

Monday, May 15, 2017
The mission of the DevSec Hardening Framework is to provide users with the best content to stay secure across their infrastructure fleet. We started by providing hardening solutions written as Chef cookbooks, Puppet modules as well as Ansible modules. At the beginning of this year, we started to transform our testing suite into standalone InSpec baselines. Since then we have added more and more baselines like Nginx, TLS/SSL, OpenStack, MySQL or PostgreSQL. We are happy to announce that we got a major contribution from Kristian Vlaardingerbroek from Schuberg Philis.

chef-windows-hardening 0.9.0 is released

Monday, May 15, 2017
The DevSec Hardening Framework project is releasing a new minor release of chef-windows-hardening today. The release introduces always disabling the SMBv1 protocol on Windows operating systems. Note: this resource was introduced in the wake of the WannaCrypt/WannaCry ransomware worm, which exploits a known vulnerability in the SMBv1 protocol. Highlights and breaking changes: enforce the disabling of SMBv1 on all versions of Windows, regardless of installation or whether the feature is enabled (e.

New Ansible os-, ssh- and mysql-hardening releases

Sunday, Apr 23, 2017
Hey friends, we released new versions of ansible-os-hardening, ansible-ssh-hardening and ansible-mysql-hardening! These releases are important to us in multiple ways: as always, they provide new features and configuration possibilities for you to use! More on that below. Complete tests in TravisCI: furthermore, we now leverage the full possibilities of TravisCI for the os-hardening, ssh-hardening and mysql-hardening roles. This means that all supported operating systems are now tested and verified online.

Chef Software is contributing OpenStack Baseline

Thursday, Apr 13, 2017
I am happy to announce that the Chef Partners Team contributed a new OpenStack Baseline to our DevSec project. This baseline implements the OpenStack Security Guide in InSpec. JJ Asghar will continue to be a core maintainer. The baseline already covers a wide range of checks for block-storage, compute, dashboard, identity, networking, orchestration and telemetry, but we still have some white spots: data-processing, databases and messaging. The baseline is designed to work hand in hand with multiple configuration management tools like Ansible, Chef or Puppet, which allows you to run the baseline easily against existing deployments.

chef-os-hardening 2.0.0 is released

Thursday, Apr 6, 2017
The DevSec Hardening Framework project is releasing a new major release, chef-os-hardening 2.0.0, today. The major points of this release are listed below; however, there are also many changes under the hood, like cleanups of documentation and improvements of the cookbook testing. Many thanks for the contributions and help we received from our users and community! Highlights and breaking changes: new attribute namespace ['os-hardening'] for the entire cookbook; removal of dependencies on the apt and yum cookbooks; usage of modern versions of the sysctl dependency cookbook; cleanup and resolution of Chef deprecations in preparation for the Chef 13 release. New attributes:

chef-ssh-hardening 2.0.0 is released

Monday, Feb 6, 2017
The DevSec Hardening Framework project is releasing a new major release, chef-ssh-hardening 2.0.0, today. Highlights and breaking changes: on modern Chef versions (>= 12.10), autodiscovery of the OpenSSH version is used in the decision logic for crypto parameters; new attribute namespace ['ssh-hardening'] for the entire cookbook; split of attributes into server and client namespaces; UsePAM is now set to yes by default (and does not break RHEL installations if set to no); usage of different encryption algorithms based on the available OpenSSH version; removal of DSA support; usage of strong primes for Diffie-Hellman. New attributes:

We are happy to announce our new DevSec baselines

Tuesday, Jan 17, 2017
Happy New Year, DevSec users! From day one of the DevSec Hardening Framework project, we used the same test suites for our Ansible, Chef and Puppet implementations. Those test suites were implemented in Serverspec and helped us to enforce the same rules for all hardening implementations. The combination with test-kitchen allowed us to easily test the Ansible, Chef and Puppet implementations across multiple operating systems with the same test suites.

Ansible nginx-hardening role released

Tuesday, Sep 20, 2016
The next part of server hardening with Ansible is released today: the ansible-nginx-hardening role. This role hardens your existing nginx installations (version 1.0.15 or later). This time we tried to make sure that the hardening role works with popular nginx installation roles, so if you use any of the following (great!) roles to manage your nginx, you can use our hardening role: nginxinc.nginx, geerlingguy.nginx, jdauphant.nginx. We also tried to provide good documentation on the various settings and think that it turned out very well, but see for yourself.

Ansible mysql-hardening role released

Sunday, Jul 17, 2016
Even though the GitHub repository already had 17 stars at the time of writing, we never officially released the ansible-mysql-hardening role. Today we change that and release 1.0.0! The mysql-hardening role joins the two already existing Ansible roles, ssh-hardening and os-hardening. This role hardens a MySQL server according to best practices and implements the same guidelines as our successful Chef and Puppet implementations. The main work was done by Anton Lugovoi and Sebastian Gumprich, who implemented the following changes:

Hardening Framework releases updated Ansible os-hardening and ssh-hardening

Sunday, Mar 20, 2016
The Hardening Framework once again updates its Ansible modules, making them compatible with the new Ansible 2.0 release! But that’s not all. Next to bug fixes and support for additional operating systems, this release focused on making the os-hardening and ssh-hardening roles more configurable. This allows you to adapt them to your needs while still providing strong baseline security. As always, thanks to all the contributors! Notable changes for os-hardening:

Hardening Framework releases updated Ansible os-hardening and ssh-hardening

Monday, Nov 30, 2015
The Hardening Framework continuously improves its framework to cover up-to-date server hardening. Sebastian Gumprich and Anton Lugovoi did an amazing job improving the Ansible implementation for os-hardening and ssh-hardening. The core focus of the last release was to improve and ease the installation via Ansible Galaxy. For os-hardening: fix a bug in the passwdqc template (#51); change the directory layout so the role is easily installable from ansible-galaxy (#49); improved travis tests to cover more cases (#42); fix passwdqc default options (#44); remove duplicate “update pam” task (#46); fix getting stuck in case pam files were updated before by force update (#45); fix nologin shell path (#44). For ssh-hardening:

Ansible os-hardening role released

Monday, Jul 13, 2015
After two months of development, the Hardening Framework team is glad to announce that we created our second Ansible role: ansible-os-hardening. This role hardens a Linux operating system according to best practices and implements the same guidelines as our successful Chef and Puppet implementations. In these two months Sebastian Gumprich, with the help of Christoph Hartmann and Dominik Richter, implemented the following changes: implement os-hardening to meet our tests; enable GPG checking on all yum repository files (#5); disable system accounts (#6); module-loading configuration (#22); Travis support (#17). As always, this role supports Debian- and Enterprise Linux-based operating systems.

Hardening Framework supports Puppet 4

Tuesday, May 12, 2015
We are happy to announce Puppet 4 support for the Hardening Framework. All Puppet modules have been updated and are now continuously tested for Puppet 4 support: Puppet OS Hardening, Puppet SSH Hardening, Puppet MySQL Hardening, Puppet Postgres Hardening, Puppet Apache Hardening, Puppet Nginx Hardening. In addition to Puppet 4, we still test our implementation against Puppet 2.7 and Puppet 3.6. This enables you to smoothly upgrade the Hardening Framework.

Ansible joins Hardening Framework

Thursday, Apr 30, 2015
The Hardening Framework provides best-practice security for DevOps by implementing server hardening with DevOps tools. We are happy to announce that with the help of Sebastian Gumprich we were able to implement our first Ansible role: ansible-ssh-hardening. Over the last weeks, we worked hard to release version 1.0: implement ssh hardening to meet our tests; set up test infrastructure with kitchen-ansible; implement travis tests (#7); add handlers to restart sshd only when necessary (#6); add support for Oracle Linux (#2). The module is now available via Ansible Galaxy.

Managing your Security Baseline

Thursday, Apr 23, 2015
Despite many advancements in the field of security, two fundamental issues have stayed at the core of many attacks over the last 20 years. They prevail despite firewalls, SIEMs or scanners. They are: misconfiguration and unpatched software with known vulnerabilities. Both problems have been addressed with processes and strong governance. While these improve the situation considerably, failures are still unavoidable and often unmitigated. I have seen various companies with great risk and security management that still suffer from severe configuration issues and unpatched machines.

A New Era at the Hardening Framework Project

Wednesday, Apr 15, 2015
We are happy to announce that the Hardening Framework has moved to its new home. As a vendor-neutral project we aim to provide best-practice system hardening for various industries. We are now actively searching for supporters to build up the next level of this project. Get in touch with us. Retrospection: about a year ago the Hardening Framework started as a small challenge to prove whether server hardening can be done with configuration management tools like Puppet, Chef, SaltStack or Ansible.