Releases: dev-sec/ansible-collection-hardening
10.5.2
Changelog
10.5.2 (2026-03-28)
Fixed bugs:
- do not update apt cache when installing libpam-passwdqc #939 [os_hardening] (eikesauer)
Merged pull requests:
- chore(deps): update hugo19941994/delete-draft-releases action to v3 #940 (renovate[bot])
- chore(deps): pin dependencies #938 (renovate[bot])
- chore(deps): update actions/checkout digest to de0fac2 #932 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
10.5.1
Changelog
10.5.1 (2026-03-20)
Fixed bugs:
- fix flaky failures on Ubuntu 24.04 and newer by disabling sshd socket activation first #931 [ssh_hardening] (kuglimon)
Closed issues:
- SSH issue after running devsec.hardening.ssh_hardening role #854
Merged pull requests:
- chore(deps): update juliangruber/read-file-action digest to 271ff31 #937 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to 8ba9595 #934 (renovate[bot])
- chore(deps): update artis3n/ansible_galaxy_collection action to v3 #933 (renovate[bot])
- Improve VM based testing of SSH hardening #878 [ssh_hardening] (schurzi)
10.5.0
Changelog
10.5.0 (2026-01-22)
Implemented enhancements:
- fix: replace deprecated community.general.yaml callback plugin #918 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (Normo)
- Consistently access facts via the ansible_facts.* namespace #917 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (Normo)
- disable systemd audit logging #902 [os_hardening] (z-bsod)
Fixed bugs:
- /etc/sysctl.conf is no longer honored in Debian 13 #905
Merged pull requests:
- chore(deps): update dependency jmespath to v1.1.0 #930 (renovate[bot])
- chore(deps): update actions/setup-python digest to a309ff8 #929 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- chore(deps): update ansible/ansible-lint action to v26 #928 (renovate[bot])
- chore(deps): update artis3n/ansible_galaxy_collection digest to 415a92b - autoclosed #927 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to a2bc8b8 #924 (renovate[bot])
- chore(deps): update actions/setup-python digest to 83679a8 #920 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- chore(deps): update actions/checkout action to v6 #919 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- chore(deps): update dependency molecule to v25.12.0 #914 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to 40f24c2 #913 (renovate[bot])
- Update test environments to current Ansible version #909 [mysql_hardening] (schurzi)
- chore(deps): update ansible/ansible-lint digest to d7cd7cf #903 (renovate[bot])
10.4.0
Changelog
10.4.0 (2025-10-22)
Implemented enhancements:
- Support Debian 13 #891
- Support EL10 #870
- Add support for current versions of Debian and EL #893 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- Add SSH config for EL/AlmaLinux 10 #888 [ssh_hardening] (jonathanspw)
Fixed bugs:
- /etc/sysctl.conf is no longer honored in Debian 13 #905
- Write sysctl config to separate file #907 [os_hardening] (schurzi)
Closed issues:
- sysctl-34 - fs.protected_regular not set #536
Merged pull requests:
- Update ArchLinux test environment before testing #908 [os_hardening] (schurzi)
- chore(deps): update actions/setup-python action to v6 #901 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- chore(deps): update actions/labeler action to v6 #900 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to 8861a73 #899 (renovate[bot])
- chore(deps): update actions/checkout action to v5 #895 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- chore(deps): update dependency python to 3.13 #892 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- chore(deps): update dependency aar-doc to v2.3.0 #890 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to 9765b87 #889 (renovate[bot])
- Improve OS support accuracy #887 (jonathanspw)
- chore(deps): update hugo19941994/delete-draft-releases action to v2 #885 (renovate[bot])
10.3.1
Changelog
10.3.1 (2025-07-24)
Fixed bugs:
- Readme states Ansible >= 2.9.10, but it uses password_expire_warn from 2.16 #871
Merged pull requests:
- Use fixed test env for BSD VMs #884 [ssh_hardening] (schurzi)
- Downgrade community.crypto for rocky8 #882 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- chore(deps): update dependency aar-doc to v2.2.0 #877 (renovate[bot])
- chore(deps): update creyd/prettier_action action to v4.6 #876 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to 06f616d #873 [ssh_hardening] (renovate[bot])
- chore(deps): update dependency ansible-core to v2.18.6 #872 (renovate[bot])
- chore(deps): update creyd/prettier_action action to v4.5 #869 (renovate[bot])
- chore(ssh_hardening): ansible 2.19 compatibility #868 [ssh_hardening] (Nemental)
- chore(deps): update ansible/ansible-lint digest to e98f9b3 #867 (renovate[bot])
- chore(deps): update actions/setup-python digest to a26af69 #866 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- chore(deps): update dependency ansible-core to v2.18.5 #865 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to c16f018 #863 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to 6a4fcdb #862 (renovate[bot])
- chore(deps): update dependency aar-doc to v2.1.0 #861 (renovate[bot])
- chore(deps): update dependency ansible-core to v2.18.4 #860 (renovate[bot])
- chore(deps): update actions/setup-python digest to 8d9ed9a #859 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- Fix: ForwardAgent j2 template space #856 [ssh_hardening] (AliMehraji)
- chore(deps): update artis3n/ansible_galaxy_collection digest to f6110ae #853 (renovate[bot])
10.3.0
Changelog
10.3.0 (2025-02-25)
Implemented enhancements:
- Password expiry for users without password should not block SSH key based login #681
- Set number of warning days before password expires for existing users #839 [os_hardening] (Normo)
- Allow to override settings for sftponly users #794 [ssh_hardening] (mib1185)
Closed issues:
- os_hardening & sysctl_overwrite with host_vars #837
Merged pull requests:
- chore(deps): update dependency ansible-core to v2.18.3 #852 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to 49ded6a #851 (renovate[bot])
- Pin runner image to specific version to decouple from GitHub updates #847 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- Refactor: combine multiple set_fact into single jinja filter #846 [os_hardening] (Tinyblargon)
- chore(deps): update actions/setup-python digest to 4237552 #844 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- chore(deps): update dependency ansible-core to v2.18.2 #843 (renovate[bot])
- chore(deps): update dependency molecule to v25 #841 (renovate[bot])
- chore(deps): update ansible/ansible-lint action to v25 #840 (renovate[bot])
10.2.0
Changelog
10.2.0 (2024-12-23)
Implemented enhancements:
- Re-enable OpenBSD tests #826 [ssh_hardening]
- Allow configuring the name_format variable in auditd config #796 [os_hardening]
- Password expiry for users without password should not block SSH key based login #681
- Modify PAM to allow SSH key based logins with locked passwords #835 [os_hardening] (schurzi)
- adding switch for ForwardAgent in ssh_config #818 [ssh_hardening] (Shizzlebix)
Fixed bugs:
- File system loop detected; ‘/bin/X11’ is part of the same file system loop as ‘/bin’." #815 [os_hardening]
- Not working ssh_hardening on Centos 7 #813 [ssh_hardening]
Merged pull requests:
- chore(deps): update dependency molecule-plugins to v23.6.0 #834 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to 4ce8e49 #832 (renovate[bot])
- chore(deps): update dependency molecule to v24.12.0 #831 (renovate[bot])
- chore(deps): update dependency ansible-core to v2.18.1 #829 (renovate[bot])
- Change installation source for OpenBSD tests #828 (schurzi)
- chore(deps): update ansible/ansible-lint digest to 44be233 #825 (renovate[bot])
- Bump ansible-core from 2.17.5 to 2.17.6 #820 (dependabot[bot])
- chore(deps): update dependency ansible-core to v2.18.0 #819 (renovate[bot])
- chore(deps): update dependency aar-doc to v2.0.1 #817 (renovate[bot])
- Update actions/setup-python digest to 0b93645 #814 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- chore(deps): update actions/checkout digest to 11bd719 #812 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
10.1.0
Changelog
10.1.0 (2024-10-22)
Implemented enhancements:
- Allow configuring the name_format variable in auditd config #796
- Ubuntu 24.04 support #764
- Add variable to set name_format for auditd #810 [os_hardening] (schurzi)
- feat(ssh): add alpine support #809 [ssh_hardening] (rndmh3ro)
- Provide granular noop for ssh configuration #789 [ssh_hardening] (seven-beep)
Fixed bugs:
- molecule scenario ssh_hardening is failing due to missing docker image #790
- getent_shadow empty #787
- Error: Missing privilege separation directory: /run/sshd #752
- fix(ssh_hardening): test setting kex to false, remove wrong default #808 [ssh_hardening] (rndmh3ro)
Merged pull requests:
- Pin python dependencies and optimize GitHub Actions #811 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- fix(cicd): test idempotence on ssh custom tests #807 [ssh_hardening] (rndmh3ro)
- Document correct quotes for ssh_permit_tunnel parameter #806 [ssh_hardening] (vmpr)
- fix(docs): add 'become: true' to example playbooks. fix #787 #804 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- chore(deps): update dependency ansible-core to v2.17.5 #802 (renovate[bot])
- Don't run tests if the environment is not correct #801 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- chore(deps): update actions/checkout digest to eef6144 #800 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- feat: Corrected package name #799 [ssh_hardening] (PapaPeskwo)
- Use Python venv for VM tests #798 (schurzi)
- Remove unused files and variables #797 [os_hardening] (schurzi)
- chore(deps): update ansible/ansible-lint digest to 3b5bee1 #795 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to 25f783c #792 (renovate[bot])
- chore(deps): update dependency ansible-core to v2.17.4 #791 (renovate[bot])
- chore(deps): update actions/setup-python digest to f677139 #788 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- chore(deps): update dependency ansible-core to v2.17.3 #786 (renovate[bot])
- chore(deps): update dependency ansible-core to v2.17.2 #756 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
10.0.0
Changelog
10.0.0 (2024-08-06)
Implemented enhancements:
- option to disable regeneration of ssh private key #772
- Ubuntu 24.04 support #764
- Support systemd socket activation for sshd #763 [ssh_hardening]
- Release 9.0.2 #758
- Make Publickey authentication configurable #750
- Ansible Linting #747
- Make value of kernel.unprivileged_userns_clone depending on kernel version #727
- Ensure that ssh is installed (cf #771) #774 [ssh_hardening] (Byh0ki)
- ssh: explicitly enable or disable the service at boot #771 [ssh_hardening] (Byh0ki)
- disable systemd socket activation #769 [ssh_hardening] (rndmh3ro)
- Add ssh_pubkey_authentication variable to ssh hardening #749 [ssh_hardening] (debbabi)
Fixed bugs:
- ssh hardening role fails when ssh_permit_root_login var is set on ubuntu 24.04 #768
- os_hardening fails when setting vm.mmap_rnd_bits #757
- ssh_gateway_ports is documented to accept 'clientspecified' string, but only accepts bools #755
- Error: Missing privilege separation directory: /run/sshd #752
- harden permissions for directory mount /var/log fails for minimized Ubuntu 22.04 #741
- Update Debian compatibility #784 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- do not force type of ssh_gateway_ports #765 [mysql_hardening] [os_hardening] [ssh_hardening] (rndmh3ro)
Merged pull requests:
- Update to current Fedora releases #783 [os_hardening] [ssh_hardening] (schurzi)
- Remove deprecated rebuild of initrd #782 [os_hardening] (schurzi)
- chore(deps): update patrickjahns/version-drafter-action digest to 2076fa4 #781 (renovate[bot])
- chore(deps): update ansible/ansible-lint digest to 95382d3 #779 (renovate[bot])
- chore(deps): update actions/setup-python digest to 39cd149 #778 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- remove tests for FreeBSD12 since it's out of support #777 [ssh_hardening] (schurzi)
- chore(deps): pin dependencies #776 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- Use best-practice preset for renovate #775 (schurzi)
- Deprecate Centos Stream 8 #770 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- centos7 is eol, remove it #767 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- fix spelling #766 [os_hardening] [ssh_hardening] (rndmh3ro)
- ci: define permissions for enforce-labels workflow #760 (fgreinacher)
- Update dependency ansible-core to v2.16.5 #754 (renovate[bot])
- Update dependency ansible-core to v2.16.4 #751 (renovate[bot])
- Update ansible/ansible-lint action to v24 #745 (renovate[bot])
- Always update Vagrant Boxes before using #744 (schurzi)
- Remove Docker containers on self-hosted runner after tests #743 (schurzi)
- Update dependency ansible-core to v2.16.3 #742 (renovate[bot])
9.0.1
Changelog
9.0.1 (2024-01-15)
Implemented enhancements:
- Extend ansible-lint testing to cover our test cases #731
- Make value of kernel.unprivileged_userns_clone depending on kernel version #727
- Complete tests for OS hardening #660
- support restarts of audit service on Arch linux #722 [os_hardening] (schurzi)
Fixed bugs:
- Fails to install #735
- Amazon Linux gpg check fails #734
- ssh_hardening ipv6 #719
- boolean variable inconsistency? #330
- Restore idempotency for disabling unused filesystems with Ansible 2.16.0 #718 [os_hardening] (akikanellis)
Merged pull requests:
- restructure readme to move known limitations up top #739 [os_hardening] [ssh_hardening] (rndmh3ro)
- release only on releases, not pre-releases #738 (rndmh3ro)
- Update dependency ansible-core to v2.16.2 #737 (renovate[bot])
- fix linting for github config #736 (rndmh3ro)
- Update actions/setup-python action to v5 #733 (renovate[bot])
- Update ansible-lint action and revise configuration to scan all Ansible code #732 (schurzi)
- update labeler to new config format #730 [ssh_hardening] (schurzi)
- Update dependency ansible-core to v2.16.1 #728 [os_hardening] (renovate[bot])
- pin Ansible to always let Renovate update to the most current version in our tests #721 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)