dev-sec · rndmh3ro · Nov 16, 2023 · Nov 10, 2023 · Nov 10, 2023 · Nov 14, 2023
diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml
@@ -39,8 +39,8 @@ jobs:
           - centosstream9
           - rocky8
           - rocky9
-          - fedora37
           - fedora38
+          - fedora39
           - ubuntu1804
           - ubuntu2004
           - ubuntu2204

diff --git a/.github/workflows/os_hardening_vm.yml b/.github/workflows/os_hardening_vm.yml
@@ -34,21 +34,21 @@ jobs:
       fail-fast: false
       matrix:
         molecule_distro:
-          - centos7
-          - centos8s
-          - centos9s
-          - rocky8
-          - rocky9
-          - fedora37
-          - fedora38
-          - ubuntu1804
-          - ubuntu2004
-          - ubuntu2204
-          - debian10
-          - debian11
-          - debian12
-          - opensuse15
-          # - arch  # needs fix for audit
+          - generic/centos7
+          - generic/centos8s
+          - generic/centos9s
+          - generic/rocky8
+          - generic/rocky9
+          - fedora/38-cloud-base
+          - fedora/39-cloud-base
+          - generic/ubuntu1804
+          - generic/ubuntu2004
+          - generic/ubuntu2204
+          - generic/debian10
+          - generic/debian11
+          - generic/debian12
+          - generic/opensuse15
+          # - generic/arch  # needs fix for audit
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4

diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml
@@ -39,8 +39,8 @@ jobs:
           - centosstream9
           - rocky8
           - rocky9
-          - fedora37
           - fedora38
+          - fedora39
           - ubuntu1804
           - ubuntu2004
           - ubuntu2204

diff --git a/.github/workflows/ssh_hardening_bsd.yml b/.github/workflows/ssh_hardening_bsd.yml
@@ -36,6 +36,8 @@ jobs:
         molecule_distro:
           - openbsd7
           - freebsd12
+          - freebsd13
+          - freebsd14
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4

diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml
@@ -39,8 +39,8 @@ jobs:
           - centosstream9
           - rocky8
           - rocky9
-          - fedora37
           - fedora38
+          - fedora39
           - ubuntu1804
           - ubuntu2004
           - ubuntu2204

diff --git a/molecule/os_hardening_vm/converge.yml b/molecule/os_hardening_vm/converge.yml
@@ -13,11 +13,18 @@
       set_fact: 
         os_mnt_boot_enabled: false
       when: ansible_facts.os_family == 'Archlinux'
+    - name: overrides for Fedora image
+      set_fact: 
+        os_mnt_tmp_enabled: true
+        os_mnt_tmp_src: "tmpfs"
+        os_mnt_tmp_filesystem: "tmpfs"
+      when: ansible_facts.distribution == 'Fedora'
     - include_role:
         name: os_hardening
   vars:
     os_auth_pam_passwdqc_enable: false
     os_auth_lockout_time: 15
     os_yum_repo_file_whitelist: ['foo.repo']
     os_mnt_boot_enabled: true
+    os_mnt_home_enabled: true
     os_mnt_boot_src: "/dev/vda1"
diff --git a/molecule/os_hardening_vm/molecule.yml b/molecule/os_hardening_vm/molecule.yml
@@ -12,7 +12,7 @@ platforms:
   # since we also need to use different OS users to run the tests because of how molecule operates,
   # the VM names must be predictable by OS user (to clean up canceled runs)
   - name: "${USER}"
-    box: "generic/${MOLECULE_DISTRO}"
+    box: "${MOLECULE_DISTRO}"
     memory: 1024
     cpus: 2
 provisioner:

diff --git a/molecule/os_hardening_vm/prepare.yml b/molecule/os_hardening_vm/prepare.yml
@@ -51,6 +51,12 @@
       shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
       changed_when: false
 
+    - name: Unmount EFI partition to get rid of vfat filesystem (qemu has no firmware image that inspec can detect)
+      ansible.posix.mount:
+        path: /boot/efi
+        state: unmounted
+      when: ansible_facts.distribution == 'Fedora'
+
     - name: include YUM prepare tasks
       include_tasks: prepare_tasks/yum.yml
       when: ansible_facts.os_family == 'RedHat'
diff --git a/molecule/ssh_hardening_bsd/waivers_freebsd13.yaml b/molecule/ssh_hardening_bsd/waivers_freebsd13.yaml
@@ -0,0 +1,3 @@
+sshd-45:
+  run: false
+  justification: "PrintLastLog is broken on FreeBSD. see: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209441"
diff --git a/molecule/ssh_hardening_bsd/waivers_freebsd14.yaml b/molecule/ssh_hardening_bsd/waivers_freebsd14.yaml
@@ -0,0 +1,3 @@
+sshd-45:
+  run: false
+  justification: "PrintLastLog is broken on FreeBSD. see: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209441"
diff --git a/roles/os_hardening/tasks/minimize_access.yml b/roles/os_hardening/tasks/minimize_access.yml
@@ -93,7 +93,7 @@
 
 - name: Append special devices list to valid mountpoint list
   ansible.builtin.set_fact:
-    mountpoints_list: "{{ mountpoints_list + ['/dev', '/dev/shm', '/run'] }}"
+    mountpoints_list: "{{ mountpoints_list + ['/dev', '/dev/shm', '/run', '/tmp'] }}"
 
 - name: Minimize access for filesystems
   ansible.builtin.include_tasks: minimize_access_fs.yml

diff --git a/roles/ssh_hardening/meta/main.yml b/roles/ssh_hardening/meta/main.yml
@@ -27,6 +27,8 @@ galaxy_info:
     - name: FreeBSD
       versions:
         - "12.2"
+        - "13.2"
+        - "14.0"
     - name: OpenBSD
       versions:
         - "7.0"