From b7feb6e65846efe0fc6eee0285f88627c6b006f6 Mon Sep 17 00:00:00 2001 From: Michael Geiger Date: Tue, 19 Dec 2017 16:26:32 +0100 Subject: [PATCH] Prepare module for v2.0.0 Implement github-changelog-generator (parameters in Rakefile should be changed after this release) Bump version to 2.0.0 Signed-off-by: Michael Geiger --- CHANGELOG.md | 53 +++++++++++++++++++++++++++++++++++++- Gemfile | 1 + HISTORY.md | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++ Rakefile | 9 +++++++ metadata.json | 2 +- 5 files changed, 134 insertions(+), 2 deletions(-) create mode 100644 HISTORY.md diff --git a/CHANGELOG.md b/CHANGELOG.md index 9a8eecd..1b8735c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,52 @@ -# Changelog +# Change Log + +## [2.0.0](https://github.com/dev-sec/puppet-os-hardening/tree/2.0.0) (2017-12-19) +[Full Changelog](https://github.com/dev-sec/puppet-os-hardening/compare/1.1.2...2.0.0) + +**Closed issues:** + +- SLES and OEL errors when ipv6 is disabled [\#82](https://github.com/dev-sec/puppet-os-hardening/issues/82) +- Failed to generate additional resources [\#75](https://github.com/dev-sec/puppet-os-hardening/issues/75) +- Multiple conflicts with Puppet Enterprise [\#74](https://github.com/dev-sec/puppet-os-hardening/issues/74) +- Conflict with Puppet Enterprise 2016.1.1 [\#71](https://github.com/dev-sec/puppet-os-hardening/issues/71) +- allow\_core\_dump set to true still ends up setting /etc/security/limits.d/10.hardcore.conf and /etc/profile.d/pinerolo\_profile.sh files [\#68](https://github.com/dev-sec/puppet-os-hardening/issues/68) +- IPv6 setting problem [\#67](https://github.com/dev-sec/puppet-os-hardening/issues/67) +- Log martian packets [\#66](https://github.com/dev-sec/puppet-os-hardening/issues/66) +- Merge \#64 [\#65](https://github.com/dev-sec/puppet-os-hardening/issues/65) +- net.ipv6.conf.default.accept\_ra [\#56](https://github.com/dev-sec/puppet-os-hardening/issues/56) + +**Merged pull requests:** + +- Update links + contributors in README [\#108](https://github.com/dev-sec/puppet-os-hardening/pull/108) ([mcgege](https://github.com/mcgege)) +- Avoid picking up users retrieved from SSSD or other domain services. 
[\#101](https://github.com/dev-sec/puppet-os-hardening/pull/101) ([tprobinson](https://github.com/tprobinson)) +- Implement linux-baseline os-10 [\#100](https://github.com/dev-sec/puppet-os-hardening/pull/100) ([mcgege](https://github.com/mcgege)) +- Style Guide corrections [\#98](https://github.com/dev-sec/puppet-os-hardening/pull/98) ([mcgege](https://github.com/mcgege)) +- Update module metadata [\#97](https://github.com/dev-sec/puppet-os-hardening/pull/97) ([mcgege](https://github.com/mcgege)) +- Baseline sysctl-17: Enable logging of martian packets [\#96](https://github.com/dev-sec/puppet-os-hardening/pull/96) ([mcgege](https://github.com/mcgege)) +- One single coredump parameter [\#95](https://github.com/dev-sec/puppet-os-hardening/pull/95) ([mcgege](https://github.com/mcgege)) +- Fix for Linux Baseline os-02 [\#94](https://github.com/dev-sec/puppet-os-hardening/pull/94) ([mcgege](https://github.com/mcgege)) +- Baseline os-05b: set SYS\_\[GU\]ID\_\[MIN|MAX\] in /etc/login.defs [\#92](https://github.com/dev-sec/puppet-os-hardening/pull/92) ([mcgege](https://github.com/mcgege)) +- Remove config/scripts to prevent core dumps if function is disabled… [\#91](https://github.com/dev-sec/puppet-os-hardening/pull/91) ([mcgege](https://github.com/mcgege)) +- DevSec Linux Baseline os-05 [\#90](https://github.com/dev-sec/puppet-os-hardening/pull/90) ([mcgege](https://github.com/mcgege)) +- Corrected handling of /bin/su \(via allow\_change\_user\) [\#89](https://github.com/dev-sec/puppet-os-hardening/pull/89) ([mcgege](https://github.com/mcgege)) +- Documentation update [\#88](https://github.com/dev-sec/puppet-os-hardening/pull/88) ([mcgege](https://github.com/mcgege)) +- added switch manage\_ipv6, so people could disable managing of ipv6 co… [\#87](https://github.com/dev-sec/puppet-os-hardening/pull/87) ([STetzel](https://github.com/STetzel)) +- CentOS7 issue - revert "Remove link following in minimize\_access file resource" 
[\#86](https://github.com/dev-sec/puppet-os-hardening/pull/86) ([mcgege](https://github.com/mcgege)) +- Making rubocop happy [\#85](https://github.com/dev-sec/puppet-os-hardening/pull/85) ([artem-sidorenko](https://github.com/artem-sidorenko)) +- Make the sysctl setting 'rp\_filter' configurable [\#84](https://github.com/dev-sec/puppet-os-hardening/pull/84) ([mcgege](https://github.com/mcgege)) +- Quick fix for issue \#71: remove '/usr/local/bin' from managed folders [\#83](https://github.com/dev-sec/puppet-os-hardening/pull/83) ([mcgege](https://github.com/mcgege)) +- Puppet-lint done for sysctl.pp [\#81](https://github.com/dev-sec/puppet-os-hardening/pull/81) ([bitvijays](https://github.com/bitvijays)) +- Fix the CI [\#80](https://github.com/dev-sec/puppet-os-hardening/pull/80) ([artem-sidorenko](https://github.com/artem-sidorenko)) +- Adopt Puppet style guide - remove dynamic variable lookup [\#70](https://github.com/dev-sec/puppet-os-hardening/pull/70) ([tuxmea](https://github.com/tuxmea)) +- Remove link following in minimize\_access file resource [\#64](https://github.com/dev-sec/puppet-os-hardening/pull/64) ([rooprob](https://github.com/rooprob)) +- update common kitchen.yml platforms [\#63](https://github.com/dev-sec/puppet-os-hardening/pull/63) ([chris-rock](https://github.com/chris-rock)) +- add support for limiting password re-use. [\#61](https://github.com/dev-sec/puppet-os-hardening/pull/61) ([igoraj](https://github.com/igoraj)) +- add local testing section to readme [\#59](https://github.com/dev-sec/puppet-os-hardening/pull/59) ([chris-rock](https://github.com/chris-rock)) +- add net.ipv6.conf.default.accept\_ra. 
closes \#56 [\#58](https://github.com/dev-sec/puppet-os-hardening/pull/58) ([igoraj](https://github.com/igoraj)) +- Disable System Accounts [\#54](https://github.com/dev-sec/puppet-os-hardening/pull/54) ([igoraj](https://github.com/igoraj)) +- common files: add centos 7 [\#53](https://github.com/dev-sec/puppet-os-hardening/pull/53) ([arlimus](https://github.com/arlimus)) + +# OLD Changelog ## 1.1.2 @@ -69,3 +117,6 @@ ## 0.1.0 * port from chef-os-hardening and monolithic puppet implementation + + +\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* diff --git a/Gemfile b/Gemfile index 1817070..e0f930a 100644 --- a/Gemfile +++ b/Gemfile @@ -8,6 +8,7 @@ else end group :test do + gem 'github_changelog_generator', :require => false gem 'puppet-lint' # avoid NoMethodError: private method `clone' called for # gem 'puppetlabs_spec_helper', :git => 'https://github.com/ehaselwanter/puppetlabs_spec_helper' diff --git a/HISTORY.md b/HISTORY.md new file mode 100644 index 0000000..a2841d3 --- /dev/null +++ b/HISTORY.md 
@@ -0,0 +1,71 @@ +# OLD Changelog + +## 1.1.2 + +* bugfix: ruby1.8+puppet+rspec interplay +* bugfix: use scoped resource for puppet 4 + +## 1.1.1 + +* feature: add stack protection configuration via sysctl (enabled) +* bugfix: replace non-ascii char in login.defs +* bugfix: follow links for RHEL7 /bin and /sbin +* bugfix: fixed tty newlines +* bugfix: minor log typos + +## 1.1.0 + +**API-change**: renamed module to `hardening-os_hardening` + +* improvement: linting + +## 1.0.2 + +* improvement: only run 'update-pam' when needed + +## 1.0.1 + +* bugfix: add missing colon for user-defined paths in PATH env +* adjust login.defs template to not log user logins (as per Debian defaults) + +## 1.0.0 + +* add verified support for puppet 3.6, remove support for puppet 3.0 and 3.4 +* improvement: streamlined rubocop and puppet-lint +* improvement: remove stdlib fixed version dependency +* improvement: loosened thias/sysctl dependency +* bugfix: get puppet version in gemfile from ENV: `PUPPET_VERSION` + +## 0.1.3 + +**API-change**: `dry_run_on_unkown` is now `dry_run_on_unknown` + +* feature: allow configuration of custom modules (if module loading is disabled) +* improvement: only remove SUID/SGID if necessary +* improvement: clarify SUID/SGID options +* improvement: use thias/sysctl to configure sysctls (also fixes previous bugs with the template) +* improvement: add spec tests for sysctl options +* improvement: puppet-lint everything +* improvement: add travis testing for lint+specs +* improvement: use file resource instead of exec for access minimization +* bugfix: fix typo dry_run_on_unkown -> dry_run_on_unknown +* bugfix: don't run update initramfs on each run, only when requiered +* bugfix: deactivation of kernel module loading wasn't implemented +* bugfix: ip_forwarding wasn't activated correctly + +## 0.1.2 + +* feature: add additional ipv6 hardening to sysctl +* feature: add test kitchen +* improvement: remove unnecessary attributes from os_hardening::pam +* bugfix: 
remove cracklib if passwdqc is used + +## 0.1.1 + +* feature: add configurable system environment +* feature: remove suid/sgid bits from blacklist +* feature: remove suid/sgid bits from unknown files + +## 0.1.0 + +* port from chef-os-hardening and monolithic puppet implementation diff --git a/Rakefile b/Rakefile index f3bc160..dba8dca 100644 --- a/Rakefile +++ b/Rakefile @@ -2,6 +2,7 @@ require 'puppet-lint/tasks/puppet-lint' require 'puppetlabs_spec_helper/rake_tasks' +require 'github_changelog_generator/task' PuppetLint.configuration.send('disable_autoloader_layout') PuppetLint.configuration.send('disable_80chars') @@ -23,6 +24,14 @@ if RUBY_VERSION > '1.9.2' task :default => [:run_all_linters, :spec] + # Changelog Generator + GitHubChangelogGenerator::RakeTask.new :changelog do |config| + config.future_release = '2.0.0' + config.since_tag = '1.1.1' + config.user = 'dev-sec' + config.project = 'puppet-os-hardening' + end + else desc 'Run all linters: rubocop and puppet-lint' task :run_all_linters => [:lint] diff --git a/metadata.json b/metadata.json index 14d79a7..8620f95 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "hardening-os_hardening", - "version": "1.1.2", + "version": "2.0.0", "author": "Dominik Richter", "summary": "Configures the base OS with hardening", "license": "Apache-2.0",
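
Review bot: In CHANGELOG.md, the new 2.0.0 section lists only "Closed issues" and "Merged pull requests" and never says which changes are incompatible, although the retained history flags this explicitly for earlier releases (`**API-change**` under 1.1.0 and 0.1.3). For a major bump of a hardening module, add a short upgrade note naming the parameters that changed (for example those behind "One single coredump parameter" #95 and the `manage_ipv6` switch from #87). The note should also state the net result of #64 and its revert #86: both appear in the list, so a reader cannot tell whether link following in the minimize_access file resource is on or off in 2.0.0.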
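
Review bot: In the Gemfile hunk, `gem 'github_changelog_generator', :require => false` goes into the `:test` group with no version constraint, so a tool needed only at release time is resolved at whatever version is current on every test install. Consider adding a constraint and moving it to a separate group for release tooling. If you do, the Rakefile line `require 'github_changelog_generator/task'` needs a guard, because it is unconditional and Rake will fail to load whenever the gem is not installed.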
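
Review bot: In the Rakefile `:changelog` task, `config.future_release = '2.0.0'` duplicates the version that metadata.json already carries, and the commit message itself says these parameters have to be changed after the release; reading the version from metadata.json would remove that manual step and keep the two from drifting. Please also check `config.since_tag = '1.1.1'`: the generated CHANGELOG.md links its full changelog as `compare/1.1.2...2.0.0` and metadata.json moves from 1.1.2, so either adjust the tag or add a comment explaining why 1.1.1 is the starting point. The task is defined only inside the `if RUBY_VERSION > '1.9.2'` branch, so `rake changelog` does not exist in the else branch, while the new require at the top of the file runs in both.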