chore(deps): update dependency konstruktoid.hardening to v2.2.0 (jdal…

…n#29) * chore(deps): update dependency konstruktoid.hardening to v2.2.0 * Update konstruktoid.hardening version in use to version v2.2.0 * adjustments for latest release test --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <[email protected]> Co-authored-by: Julien D <[email protected]>
HBPMedical · Nov 1, 2024 · 9072daa · 9072daa
1 parent e89ac28
commit 9072daa
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 5 deletions.
diff --git a/ansible.cfg b/ansible.cfg
@@ -2,6 +2,7 @@
 callbacks_enabled = ansible.posix.profile_tasks,ansible.posix.timer
 remote_tmp = /var/tmp/${USER}/ansible
 roles_path = ~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:../roles:./roles:./
+timeout=90
 
 [galaxy]
 url = https://galaxy.ansible.com/
diff --git a/requirements.txt b/requirements.txt
@@ -1,4 +1,4 @@
-ansible~=10.3.0
-ansible-lint~=24.9.2
+ansible~=8.7.0
+ansible-lint~=6.22.2
 passlib~=1.7.4
 jmespath~=1.0.1
diff --git a/setup-playbook.yml b/setup-playbook.yml
@@ -31,7 +31,7 @@
       ansible.builtin.git:
         repo: https://github.com/konstruktoid/ansible-role-hardening.git
         dest: "{{ lookup('env', 'HOME') }}/.ansible/roles/konstruktoid.hardening"
-        version: 'v2.1.1'
+        version: 'v2.2.0'
       delegate_to: localhost
       run_once: true
 
@@ -40,16 +40,19 @@
         name: konstruktoid.hardening
       vars:
         # noqa: var-naming[no-role-prefix]
-        automatic_updates: true
+        automatic_updates: "{{ AUTO_UPDATES_OPTIONS }}"
+        logind: "{{ LOGIND_HARDENING }}"
         auditd_action_mail_acct: "{{ AUDITD_ACTION_MAIL_ACCT }}"
         manage_ufw: "{{ MANAGE_UFW }}"
         ufw_outgoing_traffic: "{{ UFW_OUTGOING_TRAFFIC }}"
         disable_wireless: "{{ DISABLE_WIRELESS }}"
         reboot_ubuntu: "{{ REBOOT_UBUNTU }}"
+        session_timeout: "{{ SESSION_TIMEOUT | default(900) }}"
         sshd_admin_net: "{{ SSHD_ADMIN_NET }}"
         sshd_allow_users: "{{ SSH_USERLIST | map(attribute='username') | list }}"
         sshd_allow_groups: "{{ SSH_USERLIST | map(attribute='username') | list }}"
         sshd_login_grace_time: "{{ SSHD_LOGIN_GRACE_TIME }}"
         sshd_max_auth_tries: "{{ SSHD_MAX_AUTH_TRIES }}"
         suid_sgid_permissions: "{{ SUID_SGID_PERMISSIONS }}"
         sshd_allow_tcp_forwarding: "{{ SSHD_ALLOW_TCP_FORWARDING | default(false) }}"
+        sshd_client_alive_interval: "{{ SSHD_TIMEOUT_SECS | default(600) }}"
diff --git a/testing/requirements.yml b/testing/requirements.yml
@@ -1,6 +1,6 @@
 ---
 roles:
   - name: konstruktoid.hardening
-    version: 'v2.1.1'
+    version: 'v2.2.0'
     src: https://github.com/konstruktoid/ansible-role-hardening.git
     scm: git
diff --git a/testing/vars.yml b/testing/vars.yml
@@ -24,3 +24,17 @@ SSHD_ADMIN_NET:
 SSHD_LOGIN_GRACE_TIME: 60
 SSHD_MAX_AUTH_TRIES: 5
 SUID_SGID_PERMISSIONS: true
+AUTO_UPDATES_OPTIONS:
+  enabled: true
+  only_security: true
+  reboot: true
+  reboot_from_time: "2:00"
+  reboot_time_margin_mins: "20" # Random interval for reboot to avoid overloading hypervisors
+LOGIND_HARDENING:
+  killuserprocesses: true
+  killexcludeusers:
+    - root
+    - vagrant
+  idleaction: lock
+  idleactionsec: 15min
+  removeipc: true