Add support for current versions of Debian and EL (#893)

* Add support for current versions of Debian and EL

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* Add conditions for EL8

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* Fix Audit in AlmaLinux

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* Fix broken SSH host key config in rhel/almalinux 10

Signed-off-by: Jonathan Wright <jonathan@almalinux.org>

* Generate SSH Keys on EL10

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* Generate SSH Keys for tests via Systemd

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* Fixup tests

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* Remove auditd conditions

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* Add path to audit handler

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* Install init scripts

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* Update main README

---------

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
Signed-off-by: Jonathan Wright <jonathan@almalinux.org>
Co-authored-by: Jonathan Wright <jonathan@almalinux.org>

Author: schurzi

.github/workflows/mysql_hardening.yml

@@ -37,14 +37,19 @@ jobs:
       fail-fast: false
       matrix:
         molecule_distro:
+          - almalinux8
+          - almalinux9
+          # - almalinux10  # problem with baseline
           - centosstream9
           - rocky8
           - rocky9
+          # - rocky10 # problem with baseline
           - ubuntu2004
           - ubuntu2204
           - ubuntu2404
           - debian11
           - debian12
+          - debian13
           # - amazon  # geerlingguy.mysql does not support fedora
           # - arch  # geerlingguy.mysql does not support arch
           - opensuse_tumbleweed
@@ -71,7 +76,7 @@ jobs:
             pip install "ansible-core<2.17"
             ansible-galaxy collection install 'community.crypto:<3.0.0'
         working-directory: ansible_collections/devsec/hardening
-        if: matrix.molecule_distro == 'rocky8'
+        if: matrix.molecule_distro == 'rocky8' || matrix.molecule_distro == 'almalinux8'
 
       # that was a hard one to fix. robert did it thankfully
       # https://github.com/robertdebock/ansible-role-mysql/commit/7562e99099b06282391ab7ed102b393a0406d212

.github/workflows/nginx_hardening.yml

@@ -36,14 +36,19 @@ jobs:
       fail-fast: false
       matrix:
         molecule_distro:
+          - almalinux8
+          - almalinux9
+          - almalinux10
           - centosstream9
           - rocky8
           - rocky9
+          - rocky10
           - ubuntu2004
           - ubuntu2204
           - ubuntu2404
           - debian11
           - debian12
+          - debian13
           - amazon2023
           # - arch  # needs to be fixed
           # - opensuse_tumbleweed  # needs to be fixed
@@ -70,7 +75,7 @@ jobs:
             pip install "ansible-core<2.17"
             ansible-galaxy collection install 'community.crypto:<3.0.0'
         working-directory: ansible_collections/devsec/hardening
-        if: matrix.molecule_distro == 'rocky8'
+        if: matrix.molecule_distro == 'rocky8' || matrix.molecule_distro == 'almalinux8'
 
       # Molecule has problems detecting the proper location for installing roles
       # https://github.com/ansible/molecule/issues/3806

.github/workflows/os_hardening.yml

@@ -39,16 +39,21 @@ jobs:
           - molecule_distro: opensuse_tumbleweed
             molecule_docker_command: "/usr/lib/systemd/systemd"
         molecule_distro:
+          - almalinux8
+          - almalinux9
+          - almalinux10
           - centosstream9
           - rocky8
           - rocky9
+          - rocky10
           - fedora39
           - fedora40
           - ubuntu2004
           - ubuntu2204
           - ubuntu2404
           - debian11
           - debian12
+          - debian13
           - amazon2023
           - arch
         molecule_docker_command:
@@ -75,7 +80,7 @@ jobs:
             pip install "ansible-core<2.17"
             ansible-galaxy collection install 'community.crypto:<3.0.0'
         working-directory: ansible_collections/devsec/hardening
-        if: matrix.molecule_distro == 'rocky8'
+        if: matrix.molecule_distro == 'rocky8' || matrix.molecule_distro == 'almalinux8'
 
       - name: Test with molecule
         run: molecule test -s os_hardening

.github/workflows/os_hardening_vm.yml

@@ -36,6 +36,9 @@ jobs:
       fail-fast: false
       matrix:
         molecule_distro:
+          - almalinux/8
+          - almalinux/9
+          # - almalinux/10  # boot loop
           - generic/centos9s
           - generic/rocky8
           - generic/rocky9
@@ -69,7 +72,10 @@ jobs:
           pip install "ansible-core<2.17"
           ansible-galaxy collection install 'community.crypto:<3.0.0'
         working-directory: ansible_collections/devsec/hardening
-        if: matrix.molecule_distro == 'generic/rocky8' || matrix.molecule_distro == 'generic/opensuse15'
+        if: >
+          matrix.molecule_distro == 'generic/rocky8' ||
+          matrix.molecule_distro == 'almalinux/8' ||
+          matrix.molecule_distro == 'generic/opensuse15'
 
       - name: Update Vagrant Box
         run: |

.github/workflows/ssh_hardening.yml

@@ -42,16 +42,21 @@ jobs:
           - molecule_distro: alpine
             molecule_docker_command: "/sbin/init"
         molecule_distro:
+          - almalinux8
+          - almalinux9
+          - almalinux10
           - centosstream9
           - rocky8
           - rocky9
+          - rocky10
           - fedora39
           - fedora40
           - ubuntu2004
           - ubuntu2204
           - ubuntu2404
           - debian11
           - debian12
+          - debian13
           - amazon2023
           - arch
         molecule_docker_command:
@@ -78,7 +83,7 @@ jobs:
             pip install "ansible-core<2.17"
             ansible-galaxy collection install 'community.crypto:<3.0.0'
         working-directory: ansible_collections/devsec/hardening
-        if: matrix.molecule_distro == 'rocky8'
+        if: matrix.molecule_distro == 'rocky8' || matrix.molecule_distro == 'almalinux8'
 
       - name: Test with molecule
         run: molecule test -s ssh_hardening

.github/workflows/ssh_hardening_custom_tests.yml

@@ -42,16 +42,21 @@ jobs:
           - molecule_distro: alpine
             molecule_docker_command: "/sbin/init"
         molecule_distro:
+          - almalinux8
+          - almalinux9
+          - almalinux10
           - centosstream9
           - rocky8
           - rocky9
+          - rocky10
           - fedora39
           - fedora40
           - ubuntu2004
           - ubuntu2204
           - ubuntu2404
           - debian11
           - debian12
+          - debian13
           - amazon2023
           - arch
         molecule_docker_command:
@@ -78,7 +83,7 @@ jobs:
             pip install "ansible-core<2.17"
             ansible-galaxy collection install 'community.crypto:<3.0.0'
         working-directory: ansible_collections/devsec/hardening
-        if: matrix.molecule_distro == 'rocky8'
+        if: matrix.molecule_distro == 'rocky8' || matrix.molecule_distro == 'almalinux8'
 
       - name: Test with molecule
         run: molecule test -s ssh_hardening_custom_tests

README.md

@@ -14,9 +14,9 @@ This collection provides battle tested hardening for:
 
 - Linux operating systems:
   - CentOS Stream 9
-  - AlmaLinux 8/9
-  - Rocky Linux 8/9
-  - Debian 11/12
+  - AlmaLinux 8/9/10
+  - Rocky Linux 8/9/10
+  - Debian 11/12/13
   - Ubuntu 20.04/22.04/24.04
   - Amazon Linux (some roles supported)
   - Arch Linux (some roles supported)

molecule/os_hardening_vm/prepare.yml

@@ -59,6 +59,12 @@
           - python3-libselinux
       when: ansible_facts.distribution == 'Fedora'
 
+    - name: Install required tools on AlmaLinux
+      ansible.builtin.dnf:
+        name:
+          - initscripts
+      when: ansible_facts.distribution == 'AlmaLinux'
+
     - name: Install required tools on Arch
       community.general.pacman:
         name:
@@ -84,7 +90,6 @@
       ansible.posix.mount:
         path: /boot/efi
         state: unmounted
-      when: ansible_facts.distribution == 'Fedora'
 
     - name: Include YUM prepare tasks
       ansible.builtin.include_tasks: prepare_tasks/yum.yml

molecule/ssh_hardening/prepare.yml

@@ -75,11 +75,6 @@
         update_cache: true
       when: ansible_facts.os_family == 'Archlinux'
 
-    - name: Create ssh host keys # noqa ignore-errors
+    - name: Create ssh host keys # noqa ignore-errors no-changed-when
       ansible.builtin.command: ssh-keygen -A
-      when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
-        or ansible_facts.distribution == "Fedora"
-        or ansible_facts.distribution == "Amazon"
-        or ansible_facts.os_family == "Suse"
-      changed_when: false
       ignore_errors: true

molecule/ssh_hardening_custom_tests/prepare.yml

@@ -75,11 +75,6 @@
         update_cache: true
       when: ansible_facts.os_family == 'Alpine'
 
-    - name: Create ssh host keys # noqa ignore-errors
+    - name: Create ssh host keys # noqa ignore-errors no-changed-when
       ansible.builtin.command: ssh-keygen -A
-      when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
-        or ansible_facts.distribution == "Fedora"
-        or ansible_facts.distribution == "Amazon"
-        or ansible_facts.os_family == "Suse"
-      changed_when: false
       ignore_errors: true