Merge pull request #783 from dev-sec/fed40

schurzi · web-flow · commit 7fd8a195aa80 · 2024-07-30T08:47:47.000+02:00
diff --git a/.github/workflows/os_hardening.yml b/.github/workflows/os_hardening.yml
@@ -39,8 +39,8 @@ jobs:
           - centosstream9
           - rocky8
           - rocky9
-          - fedora38
           - fedora39
+          - fedora40
           - ubuntu1804
           - ubuntu2004
           - ubuntu2204
diff --git a/.github/workflows/os_hardening_vm.yml b/.github/workflows/os_hardening_vm.yml
@@ -39,8 +39,8 @@ jobs:
           - generic/centos9s
           - generic/rocky8
           - generic/rocky9
-          - fedora/38-cloud-base
           - fedora/39-cloud-base
+          - fedora/40-cloud-base
           - generic/ubuntu1804
           - generic/ubuntu2004
           - generic/ubuntu2204
diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml
@@ -39,8 +39,8 @@ jobs:
           - centosstream9
           - rocky8
           - rocky9
-          - fedora38
           - fedora39
+          - fedora40
           - ubuntu1804
           - ubuntu2004
           - ubuntu2204
diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml
@@ -39,8 +39,8 @@ jobs:
           - centosstream9
           - rocky8
           - rocky9
-          - fedora38
           - fedora39
+          - fedora40
           - ubuntu1804
           - ubuntu2004
           - ubuntu2204
diff --git a/README.md b/README.md
@@ -19,7 +19,7 @@ This collection provides battle tested hardening for:
   - Ubuntu 18.04/20.04/22.04
   - Amazon Linux (some roles supported)
   - Arch Linux (some roles supported)
-  - Fedora 37/38 (some roles supported)
+  - Fedora 39/40 (some roles supported)
   - Suse Tumbleweed (some roles supported)
 - MySQL
   - MariaDB >= 5.5.65, >= 10.1.45, >= 10.3.17
diff --git a/molecule/os_hardening_vm/converge.yml b/molecule/os_hardening_vm/converge.yml
@@ -14,12 +14,24 @@
         os_mnt_tmp_src: tmpfs
         os_mnt_tmp_filesystem: tmpfs
       when: ansible_facts.os_family == 'Archlinux'
+
     - name: Overrides for Fedora image
       ansible.builtin.set_fact:
         os_mnt_tmp_enabled: true
         os_mnt_tmp_src: tmpfs
         os_mnt_tmp_filesystem: tmpfs
       when: ansible_facts.distribution == 'Fedora'
+
+    - name: Overrides for Fedora 40 image
+      ansible.builtin.set_fact:
+        os_mnt_var_enabled: true
+        os_mnt_var_src: UUID=282c6d73-afc2-4113-9856-c7679ad51920
+        os_mnt_var_filesystem: btrfs
+        os_mnt_var_options: rw,nosuid,nodev,compress=zstd:1,subvol=var
+      when:
+        - ansible_facts.distribution == 'Fedora'
+        - ansible_distribution_major_version|int == 40
+
     - name: Include os_hardening role
       ansible.builtin.include_role:
         name: devsec.hardening.os_hardening
diff --git a/molecule/os_hardening_vm/prepare.yml b/molecule/os_hardening_vm/prepare.yml
@@ -62,6 +62,7 @@
           - python
           - findutils
           - procps-ng
+          - python3-libselinux
       when: ansible_facts.distribution == 'Fedora'
 
     - name: Install required tools on Arch
