---
# Initial hardening tasks, derived from the CIS benchmark recommendations
- name: sysctl hardening and limits
  block:
    # Fold host/group-specific overrides into the base sysctl map so the
    # task below sees a single merged dictionary.
    - name: create combined sysctl-dict if overwrites are defined
      set_fact:
        sysctl_config: "{{ sysctl_config | combine(sysctl_overwrite) }}"
      when: sysctl_overwrite | default()

    # Persist every key in its own drop-in and apply it live. ignoreerrors
    # keeps the play going on kernels that lack a key, which also means a
    # typo in sysctl_config is not reported here - check `sysctl -a` after.
    - name: sysctl
      sysctl:
        name: "{{ item.key }}"
        value: "{{ item.value }}"
        state: present
        ignoreerrors: true
        sysctl_set: true
        sysctl_file: /etc/sysctl.d/99-ansible.conf
      loop: "{{ sysctl_config | dict2items }}"
      tags:
        - harden
        - kernel

    # pam_limits entries from the `limits` variable, kept in a limits.d
    # drop-in so the distro-shipped limits.conf is left untouched.
    - name: Security limits
      pam_limits:
        dest: /etc/security/limits.d/cis.conf
        domain: "{{ item.domain }}"
        limit_type: "{{ item.limit_type }}"
        limit_item: "{{ item.limit_item }}"
        value: "{{ item.value }}"
      loop: "{{ limits | flatten(levels=1) }}"
      tags:
        - harden
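- name: Standard login settings
  block:
    # CIS: lock accounts whose password has been expired for 30 days. The
    # INACTIVE default is read from /etc/default/useradd (the file that
    # `useradd -D -f 30` edits); writing it into login.defs, as the original
    # task did, has no effect.
    - name: useradd defaults
      lineinfile:
        path: /etc/default/useradd
        regexp: '^INACTIVE='
        line: INACTIVE=30
      tags:
        - harden

    # Password ageing/length defaults for new accounts. lineinfile anchors on
    # the key at column 0 (the explanatory comments in login.defs are never
    # touched) and appends the setting when it is missing, where `replace`
    # silently did nothing. The double-quoted \t is a real tab, as before.
    - name: login defs password policy
      lineinfile:
        path: /etc/login.defs
        regexp: '^{{ item.key }}\s'
        line: "{{ item.key }}\t{{ item.value }}"
      loop:
        - { key: PASS_MAX_DAYS, value: "{{ login_max_days }}" }
        - { key: PASS_MIN_DAYS, value: "{{ login_min_days }}" }
        - { key: PASS_MIN_LEN, value: "{{ login_min_len }}" }
        - { key: PASS_WARN_AGE, value: "{{ login_warn_age }}" }
      loop_control:
        label: "{{ item.key }}"
      tags:
        - harden

    - name: cron directories permissions
      file:
        path: "{{ item }}"
        owner: root
        group: root
        mode: "0700"
        state: directory
      loop: "{{ login_cron_directories }}"
      tags:
        - harden

    # Create the allow lists if absent. Preserving both timestamps keeps the
    # task idempotent - a bare `touch` bumps mtime and reports changed on
    # every run.
    - name: Create cron/at allows
      file:
        path: "{{ item }}"
        owner: root
        group: root
        mode: "0600"
        state: touch
        access_time: preserve
        modification_time: preserve
      loop: "{{ login_cron_allows }}"
      tags:
        - harden

    # With allow lists in place the deny lists must go, otherwise they take
    # precedence for the users they name.
    - name: Remove cron/at denies
      file:
        path: "{{ item }}"
        state: absent
      loop: "{{ login_cron_denies }}"
      tags:
        - harden

    # Password complexity. The pattern matches the key whether it is still
    # the commented-out sample (`# minlen = 8`) or an already-active line, so
    # an existing value is rewritten instead of a second `minlen = 14` being
    # appended below it (the original only matched the commented form).
    - name: pwquality settings
      lineinfile:
        path: /etc/security/pwquality.conf
        regexp: '^#?\s*{{ item.key }}\s*='
        line: "{{ item.key }} = {{ item.value }}"
      loop:
        - { key: minlen, value: 14 }
        - { key: dcredit, value: -1 }
        - { key: ucredit, value: -1 }
        - { key: lcredit, value: -1 }
        - { key: ocredit, value: -1 }
      loop_control:
        label: "{{ item.key }}"
      tags:
        - harden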
# Drop every package named in `remove_packages` (the CIS "not allowed" list).
- name: Remove packages not allowed by CIS
  package:
    name: '{{ remove_packages }}'
    state: absent
  tags:
    - harden
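- name: Auditd
  block:
    - name: Ensure auditd is installed
      package:
        name: audit
        state: present
      tags:
        - harden

    # Size the kernel audit backlog. lineinfile anchors on `-b` at column 0
    # and adds the directive (after -D, or at EOF) when the distro file has
    # none, where the unanchored `replace` silently left the default alone.
    - name: Ensure auditd buffer is OK
      lineinfile:
        path: /etc/audit/rules.d/audit.rules
        regexp: '^-b\s+\d+'
        line: "-b {{ audit_buffer }}"
        insertafter: '^-D'
      notify:
        - regenerate_auditd_rules
      tags:
        - harden

    # Site rule set. 0600 because the rules reveal exactly what is (and is
    # not) being watched; the handlers rebuild the merged rules and restart
    # auditd so the new set is active without a reboot.
    - name: Ensure collection audit rules are available
      template:
        src: etc/audit/rules.d/collection.rules.j2
        dest: /etc/audit/rules.d/collection.rules
        owner: root
        group: root
        mode: "0600"
        backup: true
      notify:
        - regenerate_auditd_rules
        - restart_auditd
      tags:
        - harden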
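# Stop and disable at boot every service in `disable_svc`. A host that does
# not ship one of them is not an error; any other failure still fails the
# task. `msg` is defaulted because not every failed result carries that key,
# and an undefined attribute inside failed_when is itself a task error.
- name: Disable Services
  service:
    name: "{{ item }}"
    enabled: false
    state: stopped
  loop: "{{ disable_svc | flatten(levels=1) }}"
  register: service_check
  failed_when:
    - service_check is failed
    - "'Could not find the requested service' not in (service_check.msg | default(''))"
  tags:
    - services
    - harden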
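- name: modprobe settings
  block:
    # On EFI hosts the EFI system partition is FAT, so vfat must stay
    # loadable. The original `difference('vfat')` never removed anything:
    # the filter set()s its argument, turning the string into
    # {'v','f','a','t'}, which matches no list element - vfat ended up
    # blacklisted on EFI systems. reject/equalto keeps the list order too,
    # so the rendered cis.conf is stable between runs.
    # Tagged `harden` as well as `efi`: with only `efi`, a `--tags harden`
    # run would skip this step and blacklist vfat anyway.
    - name: remove vfat from filesystem list if we are EFI
      set_fact:
        modprobe_unused_filesystems: "{{ modprobe_unused_filesystems | reject('equalto', 'vfat') | list }}"
      when:
        - efi_installed.stat.isdir is defined
        - efi_installed.stat.isdir
      tags:
        - efi
        - harden

    # Blacklist/install-false stanzas for filesystems nobody should load.
    - name: disable unused filesystems
      template:
        src: etc/modprobe.d/cis.conf.j2
        dest: /etc/modprobe.d/cis.conf
        owner: root
        group: root
        mode: "0644"
      tags:
        - harden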
# EL7 only (the `when` guard): set the umask the init scripts start daemons
# with to 027, so files they create get no world permissions. The file is
# created if a minimal install does not ship it.
- name: Set init umask
  lineinfile:
    path: /etc/sysconfig/init
    regexp: '^umask'
    line: umask 027
    state: present
    create: true
    owner: root
    group: root
    mode: "0644"
  when: ansible_distribution_major_version == '7'
  tags:
    - harden
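# CIS sudo settings: run commands on a pty (a backgrounded child can no
# longer outlive the sudo session unnoticed) and log every invocation.
# A drop-in with a syntax error disables sudo for everyone on the host,
# so visudo checks the rendered file before it is moved into place.
- name: cis sudoers configuration
  copy:
    dest: /etc/sudoers.d/cis
    owner: root
    group: root
    mode: "0440"
    validate: /usr/sbin/visudo -cf %s
    content: |
      Defaults use_pty
      Defaults logfile="/var/log/sudo.log"
  tags:
    - harden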
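# (removed) A second "Remove packages not allowed by CIS" task, identical to
# the one that already runs earlier in this file. One pass with
# state: absent is enough; the repeat only added a redundant package-manager
# transaction on every play.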
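- name: grub and kernel
  block:
    # On EFI hosts point the rebuild at the EFI grub.cfg path. Tagged like the
    # tasks below: if a --tags run skipped this step, grub2-mkconfig would
    # write the BIOS-path config and the hardened kernel options would never
    # reach the configuration the firmware actually boots.
    - name: Reset grub link if we are EFI
      set_fact:
        grub_config_path_link: "{{ grub_config_path_efi }}"
      when:
        - efi_installed.stat.isdir is defined
        - efi_installed.stat.isdir
        - grub_config_path_efi is defined
      tags:
        - efi
        - grub
        - kernel
        - harden

    # No `recurse` here: with it, 0755 was re-applied to every file in the
    # directory on each run, flipping 99-rocky.cfg between 0755 and the 0644
    # the copy task sets - a permanent "changed" on every play.
    - name: grub.d directory
      file:
        path: /etc/default/grub.d
        owner: root
        group: root
        mode: "0755"
        state: directory
      tags:
        - grub
        - kernel
        - harden

    # grub2-mkconfig sources /etc/default/grub as shell, so this line pulls
    # in every drop-in. Every file in the directory is sourced regardless of
    # name, so keep editor backups and the like out of /etc/default/grub.d.
    - name: Append /etc/default/grub file
      lineinfile:
        path: /etc/default/grub
        line: 'for x in $(ls /etc/default/grub.d) ; do source /etc/default/grub.d/$x ; done'
        state: present
      register: grub_include
      tags:
        - grub
        - kernel
        - harden

    - name: Grub command line defaults
      copy:
        dest: /etc/default/grub.d/99-rocky.cfg
        owner: root
        group: root
        mode: "0644"
        content: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT {{ kernel_boot_options }}"'
      register: grub_cmdline
      tags:
        - grub
        - kernel
        - harden

    # Regenerate only when one of the inputs above changed; an unconditional
    # command task rewrites grub.cfg and reports changed on every play.
    # NOTE(review): on EL8 with BLS enabled, kernel args of existing boot
    # entries come from grubenv (kernelopts), which grub2-mkconfig does not
    # rewrite - confirm the options land with `grubby --info=ALL`.
    - name: rebuild grub
      command: /usr/sbin/grub2-mkconfig -o {{ grub_config_path_link }}
      when: (grub_include | default({})) is changed or (grub_cmdline | default({})) is changed
      tags:
        - grub
        - kernel
        - harden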