resist-vpn-infra/CHANGELOG.md
2026-01-26 21:22:41 -05:00
# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/), and this project adheres to [Semantic Versioning](https://semver.org/).

## [2.0.0] - 2025-01-26

### Added

#### CIS Compliance

- CIS Ubuntu 24.04 Level 1 benchmark compliance
- AppArmor mandatory access control (CIS 1.3.x)
- Comprehensive audit rules (CIS 4.1.6-17)
- Enhanced sysctl parameters (CIS 3.1.x, 3.2.x)
- Uncommon network protocols disabled (CIS 3.3.x)
- Core dumps restricted (CIS 1.5.1)
- Security banners (CIS 1.4.x)

#### SSH User Management

- New `ssh_users` role for admin user management
- Automatic SSH key pair generation on the control node
- Password policy enforcement (CIS 5.4.x, 5.5.x)
- PAM configuration for password complexity (CIS 5.5.1)
- Account lockout policies (CIS 5.5.2)
- Password reuse prevention (CIS 5.5.3)
- Sudo configuration with logging (CIS 5.3.x)
- Root SSH login disabled by default
- Root account locking option

#### Playbooks

- `users.yml` - User management playbook
- `add_user.yml` - Interactive user addition
- `remove_user.yml` - Interactive user removal
- `validate.yml` - Pre-deployment configuration validation

#### Documentation

- `CIS_REQUIREMENTS.md` - CIS compliance details
- `TWO_TIER_DEPLOYMENT.md` - Two-tier architecture guide
- Updated README with v2.0 features
- SSH key usage instructions

### Changed

#### Firewall Role

- **BREAKING:** `vpn_network` replaced with `management_allowed_sources` (list)
- Now supports multiple management sources (IPs and CIDRs)
- Better validation and error messages
- Improved two-tier architecture support

#### System Hardening Role

- Enhanced with CIS-specific tasks
- New `sysctl_cis.yml` for CIS network parameters
- New `apparmor.yml` for mandatory access control
- New `disable_protocols.yml` for uncommon protocols
- New `core_dumps.yml` for core dump restriction
- Updated `audit.yml` with comprehensive CIS rules

#### Inventory

- Added `admin_users` configuration examples
- Added `management_allowed_sources` configuration
- Added CIS-specific variables
- Better documentation and comments

#### Site Playbook

- Integrated `ssh_users` role
- Enhanced deployment summary with user info
- CIS compliance status in summary

### Fixed

- SSH hardening now properly disables root login
- Audit rules now immutable after loading
- Firewall rules properly handle multiple management sources
- Sudo logging configured correctly

### Security

- Root SSH login disabled by default
- Password authentication disabled
- Strong SSH ciphers enforced
- AppArmor profiles in enforce mode
- Comprehensive audit logging
- Account lockout after 5 failed attempts
- Password complexity requirements
- Automatic security updates

## [1.1.0] - 2025-01-26

### Added

- Two-tier architecture support
- `management_allowed_sources` for firewall
- Validation playbook
- Host-specific variables for VPN networks

### Changed

- Firewall role supports multiple management sources
- Updated documentation for two-tier architecture

## [1.0.0] - 2025-01-26

### Added

- Initial release
- System hardening role
- WireGuard server role
- Secure firewall role
- Basic playbooks (site, hardening, wireguard, firewall)
- Documentation

### Security

- SSH hardening
- Sysctl parameters
- Fail2ban
- Auditd
- Automatic updates
- UFW firewall