Skip to content

Os immutable fs #864

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 453 commits into
base: master
Choose a base branch
from
Open

Os immutable fs #864

wants to merge 453 commits into from

Conversation

millerthegorilla
Copy link

I have made minimal changes to the ssh_hardening role and the os_hardening role to add the option to allow the roles to be used with rpm-ostree based systems.

schurzi and others added 28 commits April 13, 2025 12:25
@schurzi @millerthegorilla
Use Python3 for OpenBSD tests
ab23d14 
Signed-off-by: Martin Schurz <[email protected]>
Signed-off-by: James Miller <[email protected]>
@schurzi @millerthegorilla
Always update Vagrant Boxes before using
47da0b4 
Signed-off-by: Martin Schurz <[email protected]>
Signed-off-by: James Miller <[email protected]>
@schurzi @millerthegorilla
Skip update if box is not present
3ba5c5a 
Signed-off-by: Martin Schurz <[email protected]>
Signed-off-by: James Miller <[email protected]>
@schurzi @millerthegorilla
Skip update if box is not present
4e986b8 
Signed-off-by: Martin Schurz <[email protected]>
Signed-off-by: James Miller <[email protected]>
@schurzi @millerthegorilla
Block kernel update
f9923a0 
Signed-off-by: Martin Schurz <[email protected]>
Signed-off-by: James Miller <[email protected]>
@schurzi @millerthegorilla
use loop for package names
258d69e 
Signed-off-by: Martin Schurz <[email protected]>
Signed-off-by: James Miller <[email protected]>
@schurzi @millerthegorilla
add more excluded packages
c7d70c6 
Signed-off-by: Martin Schurz <[email protected]>
Signed-off-by: James Miller <[email protected]>
@schurzi @millerthegorilla
remove update tasks, since we use updated images
f67899a 
Signed-off-by: Martin Schurz <[email protected]>
Signed-off-by: James Miller <[email protected]>
@schurzi @millerthegorilla
free space on /boot
ab02662 
Signed-off-by: Martin Schurz <[email protected]>
Signed-off-by: James Miller <[email protected]>
@schurzi @millerthegorilla
add comment
84ac0bc 
Signed-off-by: Martin Schurz <[email protected]>
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
update changelog
3a9d6cc 
Signed-off-by: James Miller <[email protected]>
@renovate @millerthegorilla
Update ansible/ansible-lint action to v24 (dev-sec#745)
0ae800f 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
update changelog
4bbac6d 
Signed-off-by: James Miller <[email protected]>
@renovate @millerthegorilla
Update dependency ansible-core to v2.16.4
4b71f7e 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
update changelog
59a7a10 
Signed-off-by: James Miller <[email protected]>
@debbabi @millerthegorilla
add ssh_pubkey_authentication variable (dev-sec#749)
a649027 
Signed-off-by: debbabi <[email protected]>
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
update changelog
afdc3dd 
Signed-off-by: James Miller <[email protected]>
@renovate @millerthegorilla
Update dependency ansible-core to v2.16.5
c44d05f 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
update changelog
a968990 
Signed-off-by: James Miller <[email protected]>
@fgreinacher @millerthegorilla
ci: define permissions for enforce-labels workflow
a8c43e6 
Explicitely stating required permissions is considered best practice.
This case was detected by Poutine, see
https://github.com/boostsecurityio/poutine/blob/main/docs/content/en/rules/default_permissions_on_risky_events.md.

Signed-off-by: Florian Greinacher <[email protected]>
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
update changelog
365dce4 
Signed-off-by: James Miller <[email protected]>
@rndmh3ro @millerthegorilla
fix spelling
0ae5b90 
Signed-off-by: Sebastian Gumprich <[email protected]>
Signed-off-by: James Miller <[email protected]>
@rndmh3ro @millerthegorilla
fix spelling
db4a7df 
Signed-off-by: Sebastian Gumprich <[email protected]>
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
update changelog
1e7bc3c 
Signed-off-by: James Miller <[email protected]>
@rndmh3ro @millerthegorilla
centos7 is eol, remove it (dev-sec#767)
b97fc29 
* centos7 is eol, remove it

Signed-off-by: Sebastian Gumprich <[email protected]>

* change workflow to update readmes when meta/main.yml is changed

Signed-off-by: Sebastian Gumprich <[email protected]>

* remove mention of centos 7 from readme

Signed-off-by: Sebastian Gumprich <[email protected]>

---------

Signed-off-by: Sebastian Gumprich <[email protected]>
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
update mysql_hardening readme
aee10f6 
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
update os_hardening readme
25b49d4 
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
update ssh_hardening readme
3a0daa8 
Signed-off-by: James Miller <[email protected]>
millerthegorilla and others added 27 commits April 13, 2025 12:28
@millerthegorilla
debugging rpm_ostree_pgks_installed
6d1b73c 
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
debugging os_hardening immutable
08ade92 
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
debugging os_hardening immutable
3b9851b 
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
debugging os_hardening immutable
6f5e7a4 
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
debugged check for reboot in ssh_hardening
03328f9 
Signed-off-by: James Miller <[email protected]>
@AliMehraji @millerthegorilla
Fix: ForwardAgent j2 template space in roles/ssh_hardening/templates/…
fd9d38d 
…openssh.conf.j2 (dev-sec#856)

Signed-off-by: Ali Mehraji <[email protected]>
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
update changelog
59c7c79 
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
finished os_hardening and ssh_hardening for immutable systems
6385535 
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
updated ssh_hardening readme
b1b2112 
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
debugging ssh_hardening
87d7586 
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
debugging ssh_hardening
922e43c 
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
debugging os_hardening
aa3ff10 
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
debugging
ca241e6 
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
changed variable names and added ostree_reboot tag
b2dc3cc 
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
changed variable names
552f348 
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
debugged the user_accounts.yml code for os_immutable_fs
7b9e110 
Signed-off-by: James Miller <[email protected]>
@renovate @millerthegorilla
chore(deps): update ansible/ansible-lint digest to 6a4fcdb
5756885 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
update changelog
95920ef 
Signed-off-by: James Miller <[email protected]>
@renovate @millerthegorilla
chore(deps): update ansible/ansible-lint digest to c16f018
88bd71c 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
update changelog
65bf233 
Signed-off-by: James Miller <[email protected]>
@renovate @millerthegorilla
chore(deps): update actions/setup-python digest to 8d9ed9a
ae60142 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
update changelog
7f05b68 
Signed-off-by: James Miller <[email protected]>
@renovate @millerthegorilla
chore(deps): update dependency ansible-core to v2.18.4 (dev-sec#860)
57add77 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
update changelog
ebf9c73 
Signed-off-by: James Miller <[email protected]>
@renovate @millerthegorilla
chore(deps): update dependency aar-doc to v2.1.0 (dev-sec#861)
de0d05c 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
update changelog
83bcd83 
Signed-off-by: James Miller <[email protected]>
@millerthegorilla
fixed failed merge of roles/os_hardening/README.md
98a6655
@millerthegorilla
Copy link
Author

I haven't made any changes to CHANGELOG.md. I presume that is done after a successful merge.

@millerthegorilla
Copy link
Author

I am having an issue which I am debugging at the moment, where the os_hardening roles 'minimise_access.yml' performs some task and the system's user cgroupManager is no longer systemd, but is set to cgroupfs. This is largely unacceptable for rpm-ostree systems as they are designed to use podman by default, and require cgroups to be managed by systemd.

@millerthegorilla millerthegorilla mentioned this pull request Apr 19, 2025
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
os_hardening ssh_hardening
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.