Sunday, Apr 23, 2017

New Ansible os-, ssh- and mysql-hardening releases

Hey friends,

We released new versions of ansible-os-hardening, ansible-ssh-hardening and ansible-mysql-hardening!

These releases are important to us in multiple ways:

As always, they provide new features and configuration possibilities for you to use! More on that below.

Complete tests in TravisCI

Furthermore, we now use TravisCI to its full extent for the os-hardening, ssh-hardening and mysql-hardening roles. This means that every supported operating system is now tested and verified online: for each one we use a customized Docker image with Ansible pre-installed, apply the role, and run our InSpec tests against the result to verify that the role did what it should!

However, some operating systems are still missing from the mysql-hardening tests because we are facing some issues that we hope to resolve soon!

We’re always looking for help! Join us on GitHub or in the Gitter chatroom.

Breaking Changes

One more important thing to note is the breaking changes.

All roles

We removed support for Ansible 1.9 in all three roles, so we can leverage the new modules and functions of Ansible 2.0!

ssh-hardening

  • Change the ssh_client_ports list variable into a simple non-list variable named ssh_client_port. #84 (fullyint)

Before:

{% for port in ssh_client_ports -%}
Port {{port}}
{% endfor %}

After:

Port {{ ssh_client_port }}

  • Fix ssh config to handle custom options per Host #83 (fullyint)

Before:

# one or more hosts to which the ssh client can connect.
# Default is empty, but should be configured for security reasons!
ssh_remote_hosts: []           # ssh

After:

# Hosts with custom options.            # ssh
# Example:
# ssh_remote_hosts:
#   - names: ['example.com', 'example2.com']
#     options: ['Port 2222', 'ForwardAgent yes']
#   - names: ['example3.com']
#     options: ['StrictHostKeyChecking no']
ssh_remote_hosts: []

mysql-hardening

  • Renamed variables in #22 (agno01) and #26
    • renamed mysql_hardening_mysql_conf var to mysql_hardening_mysql_conf_file
    • introduced mysql_hardening_mysql_conf_dir variable
    • introduced mysql_cnf_owner as variable for owner of configuration files
    • set default value of mysql_hardening_mysql_conf_dir variable for RedHat, OracleLinux, Debian
    • changed default hardcoded full path in mysql_hardening_hardening_conf var to be based on mysql_hardening_mysql_conf_dir var
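Because both roles renamed or restructured variables, existing vars files have to be adjusted before upgrading. The following Python is an added example for this post, not code from the dev-sec roles: it takes a loaded vars dict and rewrites the old ssh-hardening layout (the ssh_client_ports list and the flat ssh_remote_hosts list) and the old mysql-hardening name (mysql_hardening_mysql_conf) into the new ones. Two assumptions are marked in the code: old ssh_remote_hosts entries were plain host names without per-host options, and mysql_hardening_mysql_conf_dir is deliberately left to the role's per-OS default instead of being derived from the file path. Reading and writing the YAML is left to the caller; the sample vars at the bottom are constructed.

```python
"""Migrate ansible-ssh-hardening / ansible-mysql-hardening variables across
the breaking changes in these releases.

Added example for this post, not code from the dev-sec roles. It takes the
dict you get from loading a vars file and returns a migrated copy; reading
and writing the YAML is left to the caller.
"""
import copy
from typing import Any, Dict


def migrate_ssh_vars(old: Dict[str, Any]) -> Dict[str, Any]:
    new = copy.deepcopy(old)

    # ssh_client_ports (list) -> ssh_client_port (one value). The new
    # variable holds a single port, so a list of several ports is refused
    # instead of silently keeping the first one.
    if "ssh_client_ports" in new:
        ports = new.pop("ssh_client_ports")
        if not isinstance(ports, list) or len(ports) != 1:
            raise ValueError(
                f"ssh_client_ports={ports!r}: ssh_client_port takes exactly one port"
            )
        new["ssh_client_port"] = int(ports[0])

    # ssh_remote_hosts: flat list of host names -> list of {names, options}.
    hosts = new.get("ssh_remote_hosts") or []
    if hosts and all(isinstance(h, str) for h in hosts):
        # Assumption: the old layout carried no per-host options, so all old
        # hosts land in one entry whose options list is for you to fill in.
        new["ssh_remote_hosts"] = [{"names": list(hosts), "options": []}]
    elif not all(isinstance(h, dict) and "names" in h for h in hosts):
        raise ValueError("ssh_remote_hosts mixes old (string) and new (dict) entries")
    return new


# old name -> new name (#22, #26)
MYSQL_RENAMES = {"mysql_hardening_mysql_conf": "mysql_hardening_mysql_conf_file"}


def migrate_mysql_vars(old: Dict[str, Any]) -> Dict[str, Any]:
    new = copy.deepcopy(old)
    for old_name, new_name in MYSQL_RENAMES.items():
        if old_name not in new:
            continue
        value = new.pop(old_name)
        if new.get(new_name, value) != value:
            raise ValueError(f"{old_name} and {new_name} are both set and disagree")
        new[new_name] = value
    # Assumption: mysql_hardening_mysql_conf_dir is not derived from the file
    # path. The role sets its default per OS family, and that directory need
    # not be dirname(mysql_hardening_mysql_conf_file); set it explicitly only
    # if your layout differs from the role's default.
    return new


def migrate_role_vars(old: Dict[str, Any]) -> Dict[str, Any]:
    """Apply both migrations to one combined vars dict."""
    return migrate_mysql_vars(migrate_ssh_vars(old))


if __name__ == "__main__":
    # Constructed sample of a pre-release vars file.
    sample = {
        "ssh_client_ports": [22],
        "ssh_remote_hosts": ["example.com", "example2.com"],
        "mysql_hardening_mysql_conf": "/etc/mysql/my.cnf",
    }
    for key, value in migrate_role_vars(sample).items():
        print(f"{key}: {value!r}")
```

Refusing a multi-port ssh_client_ports list is a deliberate choice: the old template wrote one Port line per entry, so picking the first port quietly would change which port the client uses.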

Improvements

Of course we were also busy fixing bugs, improving the code and adding more features, all with the help of our awesome contributors!

os-hardening

Full Changelog

ssh-hardening

  • Use different Hostkeys according to installed ssh version #99 (rndmh3ro)
  • Remove small dh primes #97 (rndmh3ro)
  • Add Ed25519 SSH host key to match ssh-baseline #96 (techraf)
  • Add support for FreeBSD OpenSSH server and client #95 (jbenden)
  • Defaults: Remove DSA from SSH host keys to match ssh-baseline profile #92 (techraf)
  • Make ChallengeResponseAuthentication configurable #85 (rndmh3ro)
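The small-DH-prime and host-key changes above are worth checking on a host after the role has run. The following shell snippet is an added example for this post, not code from the role or its InSpec profile: strip_small_moduli keeps only DH groups of at least 2048 bits in a moduli file (assumption: the fifth column of /etc/ssh/moduli holds the group size minus one, so 2047 denotes a 2048-bit group), and dsa_hostkeys lists HostKey lines in an sshd_config that still point at a DSA key. Both sample inputs are constructed and shortened.

```sh
#!/bin/sh
# Added example for this post (not part of ansible-ssh-hardening).
# Post-hardening checks for two of the changes listed above:
#   - strip_small_moduli: keep only DH groups of >= 2048 bits in a moduli
#     file (field 5 is the group size minus one, so 2047 == 2048 bits)
#   - dsa_hostkeys: list HostKey lines that still point at a DSA key
#
# Usage on a real host:
#   strip_small_moduli < /etc/ssh/moduli > /etc/ssh/moduli.new
#   dsa_hostkeys < /etc/ssh/sshd_config

strip_small_moduli() {
    # Comment lines are kept; numeric entries are filtered on the size field.
    awk '/^#/ || $5 >= 2047'
}

dsa_hostkeys() {
    # Case-insensitive match on the keyword, pattern match on the key path.
    awk 'tolower($1) == "hostkey" && $2 ~ /dsa/ { print $2 }'
}

# Constructed sample data (modulus values shortened; only field 5 matters here).
SAMPLE_MODULI='# Time Type Tests Tries Size Generator Modulus
20170423120000 2 6 100 1023 2 d3b7f1c9
20170423120001 2 6 100 1535 2 a1e5c0ff
20170423120002 2 6 100 2047 2 9f1b2e77
20170423120003 2 6 100 4095 5 c4d8e6aa'

SAMPLE_SSHD_CONFIG='Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ed25519_key'

# Helpers that return counts, so the result can be checked rather than eyeballed.
kept_group_count() {
    printf '%s\n' "$SAMPLE_MODULI" | strip_small_moduli | grep -vc '^#'
}

dsa_hostkey_count() {
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" | dsa_hostkeys | wc -l | tr -d ' '
}

echo "DH groups kept: $(kept_group_count) of 4"
echo "DSA host keys found: $(dsa_hostkey_count)"
```

Run against a real host, the first function produces the filtered moduli file to swap into place after a sanity check, and the second should print nothing once the role's host-key defaults are in effect.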

Full Changelog

mysql-hardening

  • Add CentOS7 with MariaDB support #27 (chrispoupart)
  • Add follow=yes to my.cnf protect task, in case it's a symlink. #21 (rndmh3ro)

Full Changelog

You can follow us on Twitter.

Thanks and have a nice and secure day!

Sebastian