ansible-ops-management/tasks/harden.yml

218 lines
5.2 KiB
YAML
Raw Normal View History

2022-02-27 03:19:20 +00:00
---
# Initial hardening ideas from CIS
- name: sysctl hardening and limits
block:
- name: create combined sysctl-dict if overwrites are defined
2022-03-28 05:01:23 +00:00
ansible.builtin.set_fact:
2022-02-27 03:19:20 +00:00
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
when: sysctl_overwrite | default()
- name: Kernel parameters
2023-04-22 01:28:46 +00:00
ansible.posix.sysctl:
2022-02-27 03:19:20 +00:00
name: "{{ item.key }}"
value: "{{ item.value }}"
state: present
ignoreerrors: true
sysctl_set: true
sysctl_file: /etc/sysctl.d/99-ansible.conf
with_dict: "{{ sysctl_config }}"
tags:
- harden
- kernel
- name: Security limits
2023-04-22 01:28:46 +00:00
community.general.pam_limits:
2022-02-27 03:19:20 +00:00
dest: "/etc/security/limits.d/cis.conf"
domain: "{{ item.domain }}"
limit_type: "{{ item.limit_type }}"
limit_item: "{{ item.limit_item }}"
value: "{{ item.value }}"
with_items: "{{ limits }}"
tags:
- harden
- name: Standard login settings
block:
- name: useradd defaults
2022-03-28 05:01:23 +00:00
ansible.builtin.lineinfile:
2022-02-27 03:19:20 +00:00
line: "INACTIVE=30"
regexp: "^INACTIVE=.*"
path: "/etc/login.defs"
tags:
- harden
- name: login defs maximum days
2022-03-28 05:01:23 +00:00
ansible.builtin.replace:
2022-02-27 03:19:20 +00:00
path: /etc/login.defs
regexp: '(PASS_MAX_DAYS).*\d+'
replace: '\1\t{{ login_max_days }}'
tags:
- harden
- name: login defs minimum days
2022-03-28 05:01:23 +00:00
ansible.builtin.replace:
2022-02-27 03:19:20 +00:00
path: /etc/login.defs
regexp: '(PASS_MIN_DAYS).*\d+'
replace: '\1\t{{ login_min_days }}'
tags:
- harden
- name: login defs minimum length
2022-03-28 05:01:23 +00:00
ansible.builtin.replace:
2022-02-27 03:19:20 +00:00
path: /etc/login.defs
regexp: '(PASS_MIN_LEN).*\d+'
replace: '\1\t{{ login_min_len }}'
tags:
- harden
- name: login defs warn age
2022-03-28 05:01:23 +00:00
ansible.builtin.replace:
2022-02-27 03:19:20 +00:00
path: /etc/login.defs
regexp: '(PASS_WARN_AGE).*\d+'
replace: '\1\t{{ login_warn_age }}'
tags:
- harden
- name: cron directories permissions
2022-03-28 05:01:23 +00:00
ansible.builtin.file:
2022-02-27 03:19:20 +00:00
path: '{{ item }}'
owner: root
group: root
mode: '0700'
state: directory
loop: '{{ login_cron_directories }}'
tags:
- harden
- name: Create cron/at allows
2022-03-28 05:01:23 +00:00
ansible.builtin.file:
2022-02-27 03:19:20 +00:00
path: '{{ item }}'
owner: root
group: root
mode: '0600'
state: touch
loop: '{{ login_cron_allows }}'
tags:
- harden
- name: Remove cron/at denies
2022-03-28 05:01:23 +00:00
ansible.builtin.file:
2022-02-27 03:19:20 +00:00
path: '{{ item }}'
state: absent
loop: '{{ login_cron_denies }}'
tags:
- harden
- name: pwquality - minlen
2022-03-28 05:01:23 +00:00
ansible.builtin.lineinfile:
2022-02-27 03:19:20 +00:00
line: "minlen = 14"
regexp: "^# minlen =.*"
path: "/etc/security/pwquality.conf"
tags:
- harden
- name: pwquality - dcredit
2022-03-28 05:01:23 +00:00
ansible.builtin.lineinfile:
2022-02-27 03:19:20 +00:00
line: "dcredit = -1"
regexp: "^# dcredit =.*"
path: "/etc/security/pwquality.conf"
tags:
- harden
- name: pwquality - ucredit
2022-03-28 05:01:23 +00:00
ansible.builtin.lineinfile:
2022-02-27 03:19:20 +00:00
line: "ucredit = -1"
regexp: "^# ucredit =.*"
path: "/etc/security/pwquality.conf"
tags:
- harden
- name: pwquality - lcredit
2022-03-28 05:01:23 +00:00
ansible.builtin.lineinfile:
2022-02-27 03:19:20 +00:00
line: "lcredit = -1"
regexp: "^# lcredit =.*"
path: "/etc/security/pwquality.conf"
tags:
- harden
- name: pwquality - ocredit
2022-03-28 05:01:23 +00:00
ansible.builtin.lineinfile:
2022-02-27 03:19:20 +00:00
line: "ocredit = -1"
regexp: "^# ocredit =.*"
path: "/etc/security/pwquality.conf"
tags:
- harden
2024-04-08 18:50:53 +00:00
- name: account lock configuration
ansible.builtin.template:
src: "etc/security/faillock.conf.j2"
dest: /etc/security/faillock.conf
owner: root
group: root
mode: '0644'
tags:
- harden
2022-02-27 03:19:20 +00:00
- name: Remove packages not allowed by CIS
2022-03-28 05:01:23 +00:00
ansible.builtin.package:
2022-02-27 03:19:20 +00:00
name: "{{ remove_packages }}"
state: absent
tags:
- harden
- name: Disable Services
2022-03-28 05:01:23 +00:00
ansible.builtin.service:
2022-02-27 03:19:20 +00:00
name: "{{ item }}"
enabled: false
state: stopped
loop: "{{ disable_svc }}"
register: service_check
failed_when: service_check is failed and not 'Could not find the requested service' in service_check.msg
tags:
- services
- harden
- name: modprobe settings
block:
- name: disable unused filesystems
2022-03-28 05:01:23 +00:00
ansible.builtin.template:
2022-02-27 03:19:20 +00:00
src: "etc/modprobe.d/cis.conf.j2"
dest: "/etc/modprobe.d/cis.conf"
owner: 'root'
group: 'root'
mode: '0644'
tags:
- harden
- name: Set init umask
2022-03-28 05:01:23 +00:00
ansible.builtin.lineinfile:
2022-02-27 03:19:20 +00:00
dest: /etc/sysconfig/init
state: present
regexp: ^umask
line: "umask 027"
create: true
owner: root
group: root
mode: '0644'
when: ansible_distribution_major_version == '7'
tags:
- harden
- name: CIS sudoers configuration
2022-03-28 05:01:23 +00:00
ansible.builtin.copy:
2022-02-27 03:19:20 +00:00
src: "etc/sudoers.d/cis"
dest: "/etc/sudoers.d/cis"
owner: root
group: root
mode: '0440'
tags:
- harden
- name: Remove packages not allowed by CIS
2022-03-28 05:01:23 +00:00
ansible.builtin.package:
2022-02-27 03:19:20 +00:00
name: "{{ remove_packages }}"
state: absent
tags:
- harden
...