Merge branch 'master' into renovate/github-codeql-action-3.x

Vagrantfile

@@ -9,6 +9,7 @@ Vagrant.configure("2") do |config|
   config.vm.define "bullseye_vlan" do |bullseye_vlan|
     bullseye_vlan.vm.box = "debian/bullseye64"
     bullseye_vlan.ssh.insert_key = true
+    bullseye_vlan.ssh.key_type = "ed25519"
     bullseye_vlan.vm.hostname = "bullseye-vlan"
     bullseye_vlan.vm.boot_timeout = 600
     bullseye_vlan.vm.provision "shell",
@@ -33,6 +34,7 @@ Vagrant.configure("2") do |config|
   config.vm.define "bullseye" do |bullseye|
     bullseye.vm.box = "debian/bullseye64"
     bullseye.ssh.insert_key = true
+    bullseye.ssh.key_type = "ed25519"
     bullseye.vm.hostname = "bullseye"
     bullseye.vm.boot_timeout = 600
     bullseye.vm.provision "shell",
@@ -54,6 +56,7 @@ Vagrant.configure("2") do |config|
   config.vm.define "bookworm" do |bookworm|
     bookworm.vm.box = "debian/bookworm64"
     bookworm.ssh.insert_key = true
+    bookworm.ssh.key_type = "ed25519"
     bookworm.vm.hostname = "bookworm"
     bookworm.vm.boot_timeout = 600
     bookworm.vm.provision "shell",
@@ -76,6 +79,7 @@ Vagrant.configure("2") do |config|
   config.vm.define "jammy" do |jammy|
     jammy.vm.box = "bento/ubuntu-22.04"
     jammy.ssh.insert_key = true
+    jammy.ssh.key_type = "ed25519"
     jammy.vm.hostname = "jammy"
     jammy.vm.boot_timeout = 600
     jammy.vm.provision "shell",
@@ -95,6 +99,7 @@ Vagrant.configure("2") do |config|
   config.vm.define "noble" do |noble|
     noble.vm.box = "bento/ubuntu-24.04"
     noble.ssh.insert_key = true
+    noble.ssh.key_type = "ed25519"
     noble.vm.hostname = "noble"
     noble.vm.boot_timeout = 600
     noble.vm.provision "shell",
@@ -115,6 +120,7 @@ Vagrant.configure("2") do |config|
   config.vm.define "almalinux" do |almalinux|
     almalinux.vm.box = "almalinux/9"
     almalinux.ssh.insert_key = true
+    almalinux.ssh.key_type = "ed25519"
     almalinux.vm.provider "virtualbox" do |c|
       c.default_nic_type = "82543GC"
       c.memory = 2048

defaults/main/sshd.yml

@@ -15,13 +15,10 @@ sshd_authentication_methods: any
 sshd_authorized_principals_file: /etc/ssh/auth_principals/%u
 sshd_banner: /etc/issue.net
 sshd_ca_signature_algorithms:
-  - ecdsa-sha2-nistp256
   - ecdsa-sha2-nistp384
   - ecdsa-sha2-nistp521
   - ssh-ed25519
-  - rsa-sha2-256
   - rsa-sha2-512
-  - ssh-rsa
 sshd_kbd_interactive_authentication: false
 sshd_ciphers:
   - [email protected]
@@ -40,13 +37,10 @@ sshd_host_key_algorithms:
   - [email protected]
   - [email protected]
   - ssh-ed25519
-  - ssh-rsa
   - [email protected]
   - [email protected]
-  - [email protected]
   - ecdsa-sha2-nistp521
   - ecdsa-sha2-nistp384
-  - ecdsa-sha2-nistp256
 sshd_host_keys_files: []
 sshd_host_keys_group: root
 sshd_host_keys_mode: "0600"
@@ -57,10 +51,10 @@ sshd_ignore_user_known_hosts: true
 sshd_kerberos_authentication: false
 sshd_kex_algorithms:
   - [email protected]
+  - diffie-hellman-group16-sha512
+  - diffie-hellman-group18-sha512
   - ecdh-sha2-nistp521
   - ecdh-sha2-nistp384
-  - ecdh-sha2-nistp256
-  - diffie-hellman-group-exchange-sha256
 sshd_listen:
   - 0.0.0.0
 sshd_log_level: VERBOSE

handlers/main.yml

@@ -7,8 +7,6 @@
   when:
     - ansible_os_family == "Debian"
     - ansible_virtualization_type not in ["container", "docker", "podman"]
-  tags:
-    - CCE-80872-5
 
 # https://github.com/ansible/ansible/issues/22171
 - name: Restart RedHat auditd # noqa command-instead-of-module
@@ -20,8 +18,6 @@
   when:
     - ansible_os_family == "RedHat"
     - ansible_virtualization_type not in ["container", "docker", "podman"]
-  tags:
-    - CCE-80872-5
 
 - name: Generate auditd rules
   become: true

molecule/default/molecule.yml

@@ -98,18 +98,22 @@ platforms:
     box: almalinux/9
     config_options:
       vm.boot_timeout: 600
+      ssh.key_type: ed25519
     instance_raw_config_args:
       - vbguest.auto_update = false
     memory: 2048
   - name: bookworm
     box: debian/bookworm64
+    config_options:
+      ssh.key_type: ed25519
     instance_raw_config_args:
       - vbguest.auto_update = false
     memory: 1024
   - name: jammy
     box: bento/ubuntu-22.04
     config_options:
       vm.boot_timeout: 600
+      ssh.key_type: ed25519
       synced_folder: false
     provider_raw_config_args:
       - customize ['modifyvm', :id, '--uart1', '0x3F8', '4']

requirements.yml

@@ -1,7 +1,7 @@
 ---
 collections:
   - name: ansible.posix
-    version: 1.6.2
+    version: 2.0.0
     source: https://github.com/ansible-collections/ansible.posix.git
     type: git
   - name: community.crypto

tasks/auditd.yml

@@ -2,6 +2,13 @@
 - name: Configure auditd
   become: true
   block:
+    - name: Install initscripts
+      ansible.builtin.package:
+        name: initscripts
+        state: present
+      when:
+        - ansible_os_family == "RedHat"
+
     - name: Configure Debian auditd GRUB cmdline
       ansible.builtin.lineinfile:
         line: GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX {{ grub_audit_cmdline }} {{ grub_audit_backlog_cmdline }}"