resist-vpn-infra/CHANGELOG.md
2026-01-26 21:22:41 -05:00

# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [2.0.0] - 2025-01-26
### Added
#### CIS Compliance
- **CIS Ubuntu 24.04 Level 1** benchmark compliance
- AppArmor mandatory access control (CIS 1.3.x)
- Comprehensive audit rules (CIS 4.1.6-17)
- Enhanced sysctl parameters (CIS 3.1.x, 3.2.x)
- Uncommon network protocols disabled (CIS 3.3.x)
- Core dumps restricted (CIS 1.5.1)
- Security banners (CIS 1.4.x)
#### SSH User Management
- New `ssh_users` role for admin user management
- Automatic SSH key pair generation on control node
- Password policy enforcement (CIS 5.4.x, 5.5.x)
- PAM configuration for password complexity (CIS 5.5.1)
- Account lockout policies (CIS 5.5.2)
- Password reuse prevention (CIS 5.5.3)
- Sudo configuration with logging (CIS 5.3.x)
- Root SSH login disabled by default
- Root account locking option
#### Playbooks
- `users.yml` - User management playbook
- `add_user.yml` - Interactive user addition
- `remove_user.yml` - Interactive user removal
- `validate.yml` - Pre-deployment configuration validation
#### Documentation
- `CIS_REQUIREMENTS.md` - CIS compliance details
- `TWO_TIER_DEPLOYMENT.md` - Two-tier architecture guide
- Updated README with v2.0 features
- SSH key usage instructions
### Changed
#### Firewall Role
- **BREAKING**: `vpn_network` replaced with `management_allowed_sources` (list)
- Now supports multiple management sources (IPs and CIDRs)
- Better validation and error messages
- Improved two-tier architecture support
#### System Hardening Role
- Enhanced with CIS-specific tasks
- New `sysctl_cis.yml` for CIS network parameters
- New `apparmor.yml` for mandatory access control
- New `disable_protocols.yml` for uncommon protocols
- New `core_dumps.yml` for core dump restriction
- Updated `audit.yml` with comprehensive CIS rules
#### Inventory
- Added `admin_users` configuration examples
- Added `management_allowed_sources` configuration
- Added CIS-specific variables
- Better documentation and comments
#### Site Playbook
- Integrated `ssh_users` role
- Enhanced deployment summary with user info
- CIS compliance status in summary
### Fixed
- SSH hardening now properly disables root login
- Audit rules now made immutable (`-e 2`) after loading; changing them requires a reboot
- Firewall rules properly handle multiple management sources
- Sudo logging configured correctly
### Security
- Root SSH login disabled by default
- SSH password authentication disabled (key-based login only)
- Strong SSH ciphers enforced
- AppArmor profiles in enforce mode
- Comprehensive audit logging
- Account lockout after 5 failed login attempts
- Password complexity requirements
- Automatic security updates
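The Fixed and Security entries above describe settings that can be verified on a deployed host rather than taken on trust. The script below is an added example for this changelog, not part of the project's roles: it checks `sshd -T` output for root login and password authentication being off and for only an approved cipher list, `auditctl -s` for the locked state (`enabled 2`) that the immutable-rules fix produces, and `/etc/security/faillock.conf` for the lockout threshold. The sample outputs embedded in it are constructed so it runs offline; the cipher allow-list and the pam_faillock config path are assumptions, since the changelog does not list the exact ciphers or PAM module the role configures.

```shell
#!/usr/bin/env bash
# Post-deployment spot check for the v2.0.0 "Fixed" and "Security" items.
# Added example for this changelog; NOT part of the resist-vpn-infra roles.
# Assumptions: the approved cipher list below, and that the lockout policy
# lives in /etc/security/faillock.conf (pam_faillock). Run with --live on a
# hardened host (as root); without it, the CONSTRUCTED samples are checked.
set -u

# Ciphers treated as acceptable; an assumption, the changelog names none.
STRONG_CIPHERS='chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr'

# 0 if an `sshd -T` dump (effective config, lower-case keywords) has root
# login and password authentication off and only allowed ciphers enabled.
check_sshd_effective() {
  local dump="$1" allowed="$2" ok=0 key val cipher
  while read -r key val; do
    case "$key" in
      permitrootlogin)        [ "$val" = "no" ] || ok=1 ;;
      passwordauthentication) [ "$val" = "no" ] || ok=1 ;;
      ciphers)
        # sshd -T prints the cipher list comma-separated on one line
        for cipher in $(printf '%s' "$val" | tr ',' ' '); do
          case ",$allowed," in
            *",$cipher,"*) ;;
            *) ok=1 ;;
          esac
        done ;;
    esac
  done <<EOF
$dump
EOF
  return "$ok"
}

# 0 if `auditctl -s` reports "enabled 2": the rule set is locked until
# reboot, which is what "audit rules now immutable after loading" means.
check_audit_immutable() {
  printf '%s\n' "$1" | grep -qx 'enabled 2'
}

# 0 if faillock.conf sets deny to at most $2 (CIS 5.5.2 expects 5 or fewer).
# Accepts "deny = 5" or "deny=5"; commented-out lines are ignored.
check_faillock_deny() {
  local deny
  deny=$(printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*deny[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
    | tail -n 1)
  [ -n "$deny" ] && [ "$deny" -le "$2" ]
}

# CONSTRUCTED sample of `sshd -T` after the SSH hardening role ran
HARDENED_SSHD='port 22
permitrootlogin no
passwordauthentication no
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com'

# CONSTRUCTED sample of a drifted host: root login back on, CBC cipher present
WEAK_SSHD='port 22
permitrootlogin yes
passwordauthentication no
ciphers aes256-gcm@openssh.com,aes128-cbc'

# CONSTRUCTED `auditctl -s` output with and without the final `-e 2` rule
AUDIT_LOCKED='enabled 2
failure 1
pid 812'
AUDIT_UNLOCKED='enabled 1
failure 1
pid 812'

# CONSTRUCTED /etc/security/faillock.conf matching "lockout after 5 attempts"
FAILLOCK_CONF='# Lock the account after 5 failures (CIS 5.5.2)
deny = 5
unlock_time = 900'

# Live mode: query the running host (sshd -T and auditctl need root).
live_check() {
  if check_sshd_effective "$(sshd -T 2>/dev/null)" "$STRONG_CIPHERS"; then echo "sshd: ok"; else echo "sshd: WEAK"; fi
  if check_audit_immutable "$(auditctl -s 2>/dev/null)"; then echo "auditd: locked"; else echo "auditd: NOT immutable"; fi
  if check_faillock_deny "$(cat /etc/security/faillock.conf 2>/dev/null)" 5; then echo "faillock: ok"; else echo "faillock: deny missing or >5"; fi
}

# Offline mode: run the checks over the constructed samples.
run_samples() {
  check_sshd_effective "$HARDENED_SSHD" "$STRONG_CIPHERS" && echo "hardened sshd: pass"
  check_sshd_effective "$WEAK_SSHD" "$STRONG_CIPHERS"     || echo "weak sshd: FAIL (expected)"
  check_audit_immutable "$AUDIT_LOCKED"   && echo "audit locked: pass"
  check_audit_immutable "$AUDIT_UNLOCKED" || echo "audit unlocked: FAIL (expected)"
  check_faillock_deny "$FAILLOCK_CONF" 5  && echo "faillock deny<=5: pass"
}

if [ "${1:-}" = "--live" ]; then live_check; else run_samples; fi
```

Parsing `sshd -T` rather than `/etc/ssh/sshd_config` matters because Ubuntu 24.04 reads drop-ins from `/etc/ssh/sshd_config.d/` and the first matching keyword wins, so a stray `PermitRootLogin yes` in a drop-in can silently override the role's setting; the effective dump shows what the daemon actually enforces. The `enabled 2` check likewise confirms the lock took effect at runtime, not just that `-e 2` appears in a rules file.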
## [1.1.0] - 2025-01-26
### Added
- Two-tier architecture support
- `management_allowed_sources` for firewall
- Validation playbook
- Host-specific variables for VPN networks
### Changed
- Firewall role supports multiple management sources
- Updated documentation for two-tier architecture
## [1.0.0] - 2025-01-26
### Added
- Initial release
- System hardening role
- WireGuard server role
- Secure firewall role
- Basic playbooks (site, hardening, wireguard, firewall)
- Documentation
### Security
- SSH hardening
- Sysctl parameters
- Fail2ban
- Auditd
- Automatic updates
- UFW firewall
[2.0.0]: https://git.hacker.supply/valleyforge/secure-vpn-server/compare/v1.1.0...v2.0.0
[1.1.0]: https://git.hacker.supply/valleyforge/secure-vpn-server/compare/v1.0.0...v1.1.0
[1.0.0]: https://git.hacker.supply/valleyforge/secure-vpn-server/releases/tag/v1.0.0