mono-infrastructure/ansible/playbooks/tasks/harden.yml

---
# Initial hardening ideas from CIS
- name: create combined sysctl-dict if overwrites are defined
  set_fact:
    sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
  when: sysctl_overwrite | default()

- name: sysctl hardening
  sysctl:
    name: '{{ item.key }}'
    value: '{{ item.value }}'
    state: present
    ignoreerrors: true
    sysctl_set: true
    sysctl_file: /etc/sysctl.d/99-ansible.conf
  with_dict: '{{ sysctl_config }}'
  tags:
    - harden
    - kernel

- name: security limits
  copy:
    dest: "/etc/security/limits.d/cis.conf"
    user: root
    group: root
    mode: '0644'
    content: |
      * hard core 0

- name: Standard login settings
  block:
    - name: useradd defaults
      lineinfile:
        line: "INACTIVE=30"
        regexp: "^INACTIVE=.*"
        path: "/etc/login.defs"
      tags:
        - harden

    - name: login defs maximum days
      replace:
        path: /etc/login.defs
        regexp: '(PASS_MAX_DAYS).*\d+'
        replace: '\1\t{{ login_max_days }}'
      tags:
        - harden

    - name: login defs minimum days
      replace:
        path: /etc/login.defs
        regexp: '(PASS_MIN_DAYS).*\d+'
        replace: '\1\t{{ login_min_days }}'
      tags:
        - harden

    - name: login defs minimum length
      replace:
        path: /etc/login.defs
        regexp: '(PASS_MIN_LEN).*\d+'
        replace: '\1\t{{ login_min_len }}'
      tags:
        - harden

    - name: login defs warn age
      replace:
        path: /etc/login.defs
        regexp: '(PASS_WARN_AGE).*\d+'
        replace: '\1\t{{ login_warn_age }}'
      tags:
        - harden

    - name: cron directories permissions
      file:
        path: '{{ item }}'
        owner: root
        group: root
        mode: '0700'
        state: directory
      loop: '{{ login_cron_directories }}'
      tags:
        - harden

    - name: Create cron/at allows
      file:
        path: '{{ item }}'
        owner: root
        group: root
        mode: '0600'
        state: touch
      loop: '{{ login_cron_allows }}'
      tags:
        - harden

    - name: Remove cron/at denies
      file:
        path: '{{ item }}'
        state: absent
      loop: '{{ login_cron_denies }}'
      tags:
        - harden

- name: Remove packages not allowed by CIS
  package:
    name: "{{ remove_packages }}"
    state: absent

- name: Auditd
  block:
    - name: Ensure auditd is installed
      package:
        name: audit
        state: present
      tags:
        - harden

    - name: Ensure auditd buffer is OK
      replace:
        path: /etc/audit/rules.d/audit.rules
        regexp: '-b \d+'
        replace: '-b {{ audit_buffer }}'
      notify:
        - regenerate_auditd_rules
      tags:
        - harden

# Leaving this out for now as we don't know the implications of the audit rules
# on build systems yet.
#    - name: Ensure collection audit rules are available
#      template:
#        src: "etc/audit/rules.d/collection.rules.j2"
#        dest: "/etc/audit/rules.d/collection.rules"
#        owner: root
#        group: root
#        backup: yes
#      notify:
#        - regenerate_auditd rules
#        - restart_auditd
#      tags:
#        - harden
hardening and sysconfig 2020-12-10 19:59:59 +00:00			`---`
			`# Initial hardening ideas from CIS`
			`- name: create combined sysctl-dict if overwrites are defined`
			`set_fact:`
			`sysctl_config: '{{ sysctl_config \| combine(sysctl_overwrite) }}'`
			`when: sysctl_overwrite \| default()`

			`- name: sysctl hardening`
			`sysctl:`
			`name: '{{ item.key }}'`
			`value: '{{ item.value }}'`
			`state: present`
yaml and ansible linting 2020-12-11 07:39:15 +00:00			`ignoreerrors: true`
			`sysctl_set: true`
hardening and sysconfig 2020-12-10 19:59:59 +00:00			`sysctl_file: /etc/sysctl.d/99-ansible.conf`
			`with_dict: '{{ sysctl_config }}'`
			`tags:`
			`- harden`
			`- kernel`

			`- name: security limits`
			`copy:`
			`dest: "/etc/security/limits.d/cis.conf"`
linting 2020-12-10 23:40:49 +00:00			`user: root`
			`group: root`
			`mode: '0644'`
hardening and sysconfig 2020-12-10 19:59:59 +00:00			`content: \|`
			`* hard core 0`

			`- name: Standard login settings`
			`block:`
			`- name: useradd defaults`
			`lineinfile:`
			`line: "INACTIVE=30"`
			`regexp: "^INACTIVE=.*"`
			`path: "/etc/login.defs"`
			`tags:`
			`- harden`

			`- name: login defs maximum days`
			`replace:`
			`path: /etc/login.defs`
			`regexp: '(PASS_MAX_DAYS).*\d+'`
			`replace: '\1\t{{ login_max_days }}'`
			`tags:`
			`- harden`

			`- name: login defs minimum days`
			`replace:`
			`path: /etc/login.defs`
			`regexp: '(PASS_MIN_DAYS).*\d+'`
			`replace: '\1\t{{ login_min_days }}'`
			`tags:`
			`- harden`

			`- name: login defs minimum length`
			`replace:`
			`path: /etc/login.defs`
			`regexp: '(PASS_MIN_LEN).*\d+'`
			`replace: '\1\t{{ login_min_len }}'`
			`tags:`
			`- harden`

			`- name: login defs warn age`
			`replace:`
			`path: /etc/login.defs`
			`regexp: '(PASS_WARN_AGE).*\d+'`
			`replace: '\1\t{{ login_warn_age }}'`
			`tags:`
			`- harden`

			`- name: cron directories permissions`
			`file:`
			`path: '{{ item }}'`
			`owner: root`
			`group: root`
			`mode: '0700'`
			`state: directory`
			`loop: '{{ login_cron_directories }}'`
			`tags:`
			`- harden`

			`- name: Create cron/at allows`
			`file:`
			`path: '{{ item }}'`
			`owner: root`
			`group: root`
			`mode: '0600'`
			`state: touch`
			`loop: '{{ login_cron_allows }}'`
			`tags:`
			`- harden`

			`- name: Remove cron/at denies`
			`file:`
			`path: '{{ item }}'`
			`state: absent`
			`loop: '{{ login_cron_denies }}'`
			`tags:`
			`- harden`

			`- name: Remove packages not allowed by CIS`
			`package:`
			`name: "{{ remove_packages }}"`
			`state: absent`

			`- name: Auditd`
			`block:`
			`- name: Ensure auditd is installed`
			`package:`
			`name: audit`
			`state: present`
			`tags:`
			`- harden`
linting 2020-12-10 23:40:49 +00:00
hardening and sysconfig 2020-12-10 19:59:59 +00:00			`- name: Ensure auditd buffer is OK`
			`replace:`
			`path: /etc/audit/rules.d/audit.rules`
			`regexp: '-b \d+'`
			`replace: '-b {{ audit_buffer }}'`
			`notify:`
linting 2020-12-10 23:40:49 +00:00			`- regenerate_auditd_rules`
hardening and sysconfig 2020-12-10 19:59:59 +00:00			`tags:`
			`- harden`

linting 2020-12-10 23:40:49 +00:00			`# Leaving this out for now as we don't know the implications of the audit rules`
yaml and ansible linting 2020-12-11 07:39:15 +00:00			`# on build systems yet.`
linting 2020-12-10 23:40:49 +00:00			`# - name: Ensure collection audit rules are available`
			`# template:`
			`# src: "etc/audit/rules.d/collection.rules.j2"`
			`# dest: "/etc/audit/rules.d/collection.rules"`
			`# owner: root`
			`# group: root`
			`# backup: yes`
			`# notify:`
			`# - regenerate_auditd rules`
			`# - restart_auditd`
			`# tags:`
			`# - harden`