- Compatibility for Puppet version 8
- fix CI: use docker driver for transferring files (#290)
- Disable new check 'os-14' for automated testing (#291)
- Restore ability to override /etc/shadow file permissions and group owner (#293)
- move to CentOS 8 Stream from quay.io (#295)
- fix(pam_passwdqc): remove accidental paste from
pam_passwdqc.erb(#299)
- Backwards incompatible breaking change in PR279 #284
- Backwards incompatible breaking change in PR279 (#284) #285 (earthgecko)
v2.3.2 (2021-07-22)
Implemented enhancements:
- Add Puppet 7 tests + new versions #282 (mcgege)
- Remove Puppet v5 support + tests #281 (mcgege)
- update to PDK template 2.1.1 #278 (mcgege)
- Add documentation on hiera usage (see #248) #274 (mcgege)
- Update to PDK 2.0 template #273 (mcgege)
- Fix: Dead links result in an error #271 #272 (LooOOooM)
- move to github actions #264 (schurzi)
- fixed alignment of properties and indentation #263 (hp197)
- Added manage_system_users option and formatted properties #262 (hp197)
- use new syntax for stub in rspec #259 (schurzi)
- Fix + switch for arp_ignore #256 (mcgege)
- Move from inspec to cinc #238 (mcgege)
Fixed bugs:
- Backwards incompatible breaking change in PR279 #284
- Backwards incompatible breaking change in PR279 (#284) #285 (earthgecko)
- Activate manage_cron_permissions to satisfy cron tests #269 (mcgege)
- Solve bundle problem on automated tests #268 (mcgege)
- add source for chef-utils gem (bundle confusion) #265 (mcgege)
- Revert "secure_redirects should be set to 1 (default)" #260 (mcgege)
- Switch to Inspec 4 to break bundler loop #257 (mcgege)
Merged pull requests:
- Add ignore_max_files_warnings (#279) #280 (earthgecko)
- Disable sysctl configuration #253 (Tahitibob35)
2.3.1 (2021-07-19)
Implemented enhancements:
- Add support for Puppet 7 #267
- allow defining parameters in hiera #248
- Add integration tests for current platforms #172
Closed issues:
- New warning - max_files - exceeds the default soft limit 1000 #279
- enable_log_martians to false are logged #277
- Dead links result in an error #271
- Duplicate declaration #270
- Using relative file modes can result very wrong in some cases #222
2.3.0 (2021-02-10)
Implemented enhancements:
- Use CINC (instead of InSpec 4) #212
Fixed bugs:
- Fix Travis tests #255
Closed issues:
- Fix broken tests in Travis CI #123
2.2.11 (2021-01-27)
Closed issues:
- Default $arp_restricted=true breaks Calico overlay network #254
2.2.10 (2020-12-28)
Closed issues:
- os_hardening failing on centos7 #241
2.2.9 (2020-12-03)
Implemented enhancements:
- More secure kernel settings #250 (mcgege)
- Set SHA_CRYPT_*_ROUNDS (Telekom security req linux-10) #249 (mcgege)
- Update to PDK 1.18.1 #242 (mcgege)
- Updates from pdk template 1.17.0 #236 (mcgege)
- If disabled service should also be stopped #226 (mcgege)
- Manage files /etc/anacrontab and crontab equally #225 (mcgege)
- Proxy support / SUSE fixes #217 (mcgege)
- Updates from pdk template 1.11.1 #215 (mcgege)
- Metadata / Travis fixes #211 (mcgege)
- CIS: Fix permissions on home cron and log dirs #203 (PenguinFreeDom)
- Adjust .travis.yml to PDK template #197 (mcgege)
- Integration tests with DigitalOcean (see #180) #194 (mcgege)
- Update to PDK 1.9.1 #191 (mcgege)
- Update to PDK 1.9.0 #190 (mcgege)
- Readme updates #188 (mcgege)
- Replace sysctl module #183 (mcgege)
- Add version tag on puppetforge #182 (mcgege)
- New option rpfilter_loose to enable loose mode (rp_filter = 2) #163 (mcgege)
- Easy add and remove packages, disable services #138 (timstoop)
Fixed bugs:
- Fix for integration tests (apt-transport-https missing) #237 (mcgege)
- Travis-CI fix (kitchen / faraday broken?) #228 (mcgege)
- Augeas sysctl needs explicit string value #207 (mcgege)
- Add dirs to exclude to .pdkignore #196 (mcgege)
- Add missing dependency #184 (theosotr)
Merged pull requests:
- Adapt Travis to puppetlabs standard #247 (mcgege)
- Small fixes #243 (mcgege)
- patch-cumuluslinux-support #239 (mdklapwijk)
- Update to PDK 1.15 #233 (mcgege)
- Small fix on kitchen.yml #232 (mcgege)
- CentOS 8 support #229 (mcgege)
- Updates from pdk template 1.13.0 #227 (mcgege)
- Updates from pdk template 1.12.0 #221 (mcgege)
- allow puppet-stdlib v6 #219 (mcgege)
- OpenSUSE 42.3 docker image correction #214 (mcgege)
- Kitchen fix #206 (mcgege)
- Some applications require different setting for icmp_ratelimit #204 (tuxmea)
- Update to PDK 1.10.0 #193 (mcgege)
- Replace Gitter with mailing lists #185 (mcgege)
- Bugfix script to change file + dir permissions for Puppet Forge build #176 (mcgege)
- Also works with current puppetlabs/stdlib (5.1.0 tested) #168 (mcgege)
- Do not disable vfat. Fixes #165. #166 (timstoop)
- Add support for Ubuntu 18.04 and SLES 15 in metadata.json #162 (mcgege)
- Update issue templates #158 (rndmh3ro)
- rework README #155 (mcgege)
- Create license file #154 (mcgege)
- Create license file #153 (mcgege)
- Add 'MANAGED BY PUPPET' header #150 (hdep)
- Fix missing Requirements in Readme #149 (hdep)
- Add OpenSUSE 15 to the supported distributions #148 (mcgege)
2.2.8 (2020-06-01)
Fixed bugs:
- Minimize_access to File [/usr/bin] issue #234
Closed issues:
- Conflicts with apache module #231
2.2.7 (2019-10-04)
Closed issues:
- disabled_services should be stopped too #224
- os_hardening::minimize_access should treat anacrontab the same as crontab #223
2.2.6 (2019-07-24)
Fixed bugs:
- Approve stdlib v6 + resolve librarian-puppet problem #213
Closed issues:
- Error: no implicit conversion of Integer into String #199
2.2.5 (2019-06-01)
2.2.4 (2019-05-01)
2.2.3 (2019-05-01)
2.2.2 (2019-02-28)
Fixed bugs:
- Wrong permission on module files #175
2.2.1 (2019-01-28)
2.2.0 (2019-01-27)
Implemented enhancements:
- Test / Update for Puppet 6 #156
- Convert module into "standardized PDK module" #107
- Update to verify the module against https://github.com/dev-sec/linux-baseline #79
- Update test mechanisms #169 (mcgege)
- Support os umask #152 (hdep)
Fixed bugs:
- Rhel 7 won't boot on physical server #165
Closed issues:
- Wrong permission on git project files ? #164
- module on the forge is not in sync with version of github #160
- Fix broken tests in Travis CI #123
2.1.3 (2018-11-12)
Closed issues:
- user resource conflict with puppetlabs/apache: Duplicate declaration: User[www-data] is already declared #157
- Missing comments in managed file : file managed by puppet #146
- Missing requirements in readme file #145
2.1.2 (2018-08-15)
Implemented enhancements:
- Deploy GRUB hardening #137 (timstoop)
- Only allow root and members of group wheel to use su #134 (timstoop)
- Fix permissions on /etc/gshadow, based on CIS DIL Benchmark 6.1.5. #133 (timstoop)
Merged pull requests:
2.1.1 (2018-05-17)
Implemented enhancements:
- Adding new param to specify maildir path. Updated nologin path for Re… #127 (hundredacres)
- converted module to pdk #107 #120 (enemarke)
Closed issues:
- net.ipv4.tcp_rfc1337 not a valid sysctl key #124
Merged pull requests:
- Add password_warn_age parameter for login.defs #128 (claw-real)
- CI: switch testing to DigitalOcean #126 (artem-sidorenko)
- Refactoring and new spec test #121 (enemarke)
2.1.0 (2018-01-17)
Implemented enhancements:
- Use type checking by defining data types #114 (mcgege)
- Make parameter USERGROUPS_ENAB in login.defs configurable #113 (mcgege)
Fixed bugs:
Closed issues:
- Minimize access needs a better way of removing +w on system folders #60
- login.defs for different OS #57
- Adduser consistency #49
- Cleanup headers / copyright #111
- Update some RH settings in this module #102
Merged pull requests:
- Get CI tests running on azure #115 (artem-sidorenko)
- Correct header comments in sysctl.pp #69 (Zordrak)
- Skip entropy tests and disable auditd tests #117 (artem-sidorenko)
- Making test-kitchen work again #112 (artem-sidorenko)
- Implement new RH defaults (see issue #102) #103 (mcgege)
2.0.0 (2017-12-19)
Closed issues:
- SLES and OEL errors when ipv6 is disabled #82
- Failed to generate additional resources #75
- Multiple conflicts with Puppet Enterprise #74
- Conflict with Puppet Enterprise 2016.1.1 #71
- allow_core_dump set to true still ends up setting /etc/security/limits.d/10.hardcore.conf and /etc/profile.d/pinerolo_profile.sh files #68
- IPv6 setting problem #67
- Log martian packets #66
- Merge #64 #65
- net.ipv6.conf.default.accept_ra #56
- Publish new release on Puppet Forge #104
Merged pull requests:
- Update links + contributors in README #108 (mcgege)
- Avoid picking up users retrieved from SSSD or other domain services. #101 (tprobinson)
- Implement linux-baseline os-10 #100 (mcgege)
- Style Guide corrections #98 (mcgege)
- Update module metadata #97 (mcgege)
- Baseline sysctl-17: Enable logging of martian packets #96 (mcgege)
- One single coredump parameter #95 (mcgege)
- Fix for Linux Baseline os-02 #94 (mcgege)
- Baseline os-05b: set SYS_[GU]ID_[MIN|MAX] in /etc/login.defs #92 (mcgege)
- Remove config/scripts to prevent core dumps if function is disabled… #91 (mcgege)
- DevSec Linux Baseline os-05 #90 (mcgege)
- Corrected handling of /bin/su (via allow_change_user) #89 (mcgege)
- Documentation update #88 (mcgege)
- added switch manage_ipv6, so people could disable managing of ipv6 co… #87 (STetzel)
- CentOS7 issue - revert "Remove link following in minimize_access file resource" #86 (mcgege)
- Making rubocop happy #85 (artem-sidorenko)
- Make the sysctl setting 'rp_filter' configurable #84 (mcgege)
- Quick fix for issue #71: remove '/usr/local/bin' from managed folders #83 (mcgege)
- Puppet-lint done for sysctl.pp #81 (bitvijays)
- Fix the CI #80 (artem-sidorenko)
- Adopt Puppet style guide - remove dynamic variable lookup #70 (tuxmea)
- Remove link following in minimize_access file resource #64 (rooprob)
- update common kitchen.yml platforms #63 (chris-rock)
- add support for limiting password reuse. #61 (igoraj)
- add local testing section to readme #59 (chris-rock)
- add net.ipv6.conf.default.accept_ra. closes #56 #58 (igoraj)
- Disable System Accounts #54 (igoraj)
- common files: add centos 7 #53 (arlimus)
- Prepare module for v2.0.0 #109 (mcgege)
1.1.2 (2015-05-09)
Merged pull requests:
- Update common readme badges + contributors + rubocop #52 (arlimus)
- update common travis.yml, kitchen.yml platforms #51 (arlimus)
- bugfix: use scoped resource for puppet 4 #50 (arlimus)
- bugfix: ruby1.8+puppet+rspec interplay
- bugfix: use scoped resource for puppet 4
- feature: add stack protection configuration via sysctl (enabled)
- bugfix: replace non-ascii char in login.defs
- bugfix: follow links for RHEL7 /bin and /sbin
- bugfix: fixed tty newlines
- bugfix: minor log typos
API-change: renamed module to hardening-os_hardening
- improvement: linting
- improvement: only run 'update-pam' when needed
- bugfix: add missing colon for user-defined paths in PATH env
- adjust login.defs template to not log user logins (as per Debian defaults)
- add verified support for puppet 3.6, remove support for puppet 3.0 and 3.4
- improvement: streamlined rubocop and puppet-lint
- improvement: remove stdlib fixed version dependency
- improvement: loosened thias/sysctl dependency
- bugfix: get puppet version in gemfile from ENV:
PUPPET_VERSION
API-change: dry_run_on_unkown is now dry_run_on_unknown
- feature: allow configuration of custom modules (if module loading is disabled)
- improvement: only remove SUID/SGID if necessary
- improvement: clarify SUID/SGID options
- improvement: use thias/sysctl to configure sysctls (also fixes previous bugs with the template)
- improvement: add spec tests for sysctl options
- improvement: puppet-lint everything
- improvement: add travis testing for lint+specs
- improvement: use file resource instead of exec for access minimization
- bugfix: fix typo dry_run_on_unkown -> dry_run_on_unknown
- bugfix: don't run update initramfs on each run, only when required
- bugfix: deactivation of kernel module loading wasn't implemented
- bugfix: ip_forwarding wasn't activated correctly
- feature: add additional ipv6 hardening to sysctl
- feature: add test kitchen
- improvement: remove unnecessary attributes from os_hardening::pam
- bugfix: remove cracklib if passwdqc is used
- feature: add configurable system environment
- feature: remove suid/sgid bits from blacklist
- feature: remove suid/sgid bits from unknown files
- port from chef-os-hardening and monolithic puppet implementation
* This Changelog was automatically generated by github_changelog_generator