additional hardening - preparing for test

This commit is contained in:
nazunalika 2020-12-11 12:15:17 -07:00
parent b0c2eb1abb
commit 085c9ae83e
3 changed files with 230 additions and 44 deletions


@ -97,6 +97,10 @@ At a minimum, there should be `pre_tasks` and `post_tasks` that can judge whethe
Each playbook should have comments or a name descriptor that explains what the playbook does or how it is used. If not available, README-... files can be used in place, especially in the case of adhoc playbooks that take input. Documentation for each playbook/role does not have to be on this wiki. Comments or README's should be sufficient. Each playbook should have comments or a name descriptor that explains what the playbook does or how it is used. If not available, README-... files can be used in place, especially in the case of adhoc playbooks that take input. Documentation for each playbook/role does not have to be on this wiki. Comments or README's should be sufficient.
### Tags
Ensure that you use relevant tags where necessary for your tasks.
### Roles ### Roles
If you are using roles that are not part of this repository in the `roles` directory, you will need to list them in the `requirements.yml`. For example, we use the IPA role. If you are using roles that are not part of this repository in the `roles` directory, you will need to list them in the `requirements.yml`. For example, we use the IPA role.


@ -1,35 +1,39 @@
--- ---
# Initial hardening ideas from CIS # Initial hardening ideas from CIS
- name: create combined sysctl-dict if overwrites are defined - name: sysctl hardening and limits
set_fact: block:
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}' - name: create combined sysctl-dict if overwrites are defined
when: sysctl_overwrite | default() set_fact:
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
when: sysctl_overwrite | default()
- name: sysctl hardening - name: sysctl
sysctl: sysctl:
name: '{{ item.key }}' name: '{{ item.key }}'
value: '{{ item.value }}' value: '{{ item.value }}'
state: present state: present
ignoreerrors: true ignoreerrors: true
sysctl_set: true sysctl_set: true
sysctl_file: /etc/sysctl.d/99-ansible.conf sysctl_file: /etc/sysctl.d/99-ansible.conf
with_dict: '{{ sysctl_config }}' with_dict: '{{ sysctl_config }}'
tags: tags:
- harden - harden
- kernel - kernel
- name: security limits - name: security limits
copy: copy:
dest: "/etc/security/limits.d/cis.conf" dest: "/etc/security/limits.d/cis.conf"
user: root owner: root
group: root group: root
mode: '0644' mode: '0644'
content: | content: |
* hard core 0 * hard core 0
tags:
- harden
- name: Standard login settings - name: Standard login settings
block: block:
- name: useradd defaults - name: owneradd defaults
lineinfile: lineinfile:
line: "INACTIVE=30" line: "INACTIVE=30"
regexp: "^INACTIVE=.*" regexp: "^INACTIVE=.*"
@ -99,10 +103,52 @@
tags: tags:
- harden - harden
- name: pwquality - minlen
lineinfile:
line: "minlen = 14"
regexp: "^# minlen =.*"
path: "/etc/security/pwquality.conf"
tags:
- harden
- name: pwquality - dcredit
lineinfile:
line: "dcredit = -1"
regexp: "^# dcredit =.*"
path: "/etc/security/pwquality.conf"
tags:
- harden
- name: pwquality - ucredit
lineinfile:
line: "ucredit = -1"
regexp: "^# ucredit =.*"
path: "/etc/security/pwquality.conf"
tags:
- harden
- name: pwquality - lcredit
lineinfile:
line: "lcredit = -1"
regexp: "^# lcredit =.*"
path: "/etc/security/pwquality.conf"
tags:
- harden
- name: pwquality - ocredit
lineinfile:
line: "ocredit = -1"
regexp: "^# ocredit =.*"
path: "/etc/security/pwquality.conf"
tags:
- harden
- name: Remove packages not allowed by CIS - name: Remove packages not allowed by CIS
package: package:
name: "{{ remove_packages }}" name: "{{ remove_packages }}"
state: absent state: absent
tags:
- harden
- name: Auditd - name: Auditd
block: block:
@ -123,17 +169,151 @@
tags: tags:
- harden - harden
# Leaving this out for now as we don't know the implications of the audit rules - name: Ensure collection audit rules are available
# on build systems yet. template:
# - name: Ensure collection audit rules are available src: "etc/audit/rules.d/collection.rules.j2"
# template: dest: "/etc/audit/rules.d/collection.rules"
# src: "etc/audit/rules.d/collection.rules.j2" owner: root
# dest: "/etc/audit/rules.d/collection.rules" group: root
# owner: root backup: true
# group: root notify:
# backup: yes - regenerate_auditd rules
# notify: - restart_auditd
# - regenerate_auditd rules tags:
# - restart_auditd - harden
# tags:
# - harden - name: Disable Services
service:
name: "{{ item }}"
enabled: false
state: stopped
with_items: "{{ disable_svc }}"
register: service_check
failed_when: service_check is failed and not 'Could not find the requested service' in service_check.msg
tags:
- services
- harden
- name: modprobe settings
block:
- name: remove vfat from filesystem list if we are EFI
set_fact:
modprobe_unused_filesystems: "{{ modprobe_unused_filesystems | difference('vfat') }}"
when:
- efi_installed.stat.isdir is defined
- efi_installed.stat.isdir
tags:
- efi
- name: disable unused filesystems
lineinfile:
dest: "/etc/modprobe.d/cis.conf"
owner: root
group: root
mode: "0644"
line: "install {{ item }} /bin/true"
with_items: "{{ modprobe_unused_filesystems }}"
tags:
- harden
- name: Set init umask
lineinfile:
dest: /etc/sysconfig/init
state: present
regexp: ^umask
line: "umask 027"
tags:
- harden
- name: cis sudoers configuration
copy:
dest: /etc/sudoers.d/cis
owner: root
group: root
mode: '0440'
content: |
Defaults use_pty
Defaults logfile="/var/log/sudo.log"
tags:
- harden
- name: Remove packages not allowed by CIS
package:
name: "{{ remove_packages }}"
state: absent
tags:
- harden
- name: grub and kernel
block:
- name: Reset grub link if we are EFI
set_fact:
grub_config_path_link: "{{ grub_config_path_efi }}"
when: efi_installed.stat.isdir is defined and efi_installed.stat.isdir and grub_config_path_efi is defined
tags:
- efi
- name: grub.d directory
file:
name: /etc/default/grub.d
owner: root
group: root
mode: '0755'
state: directory
recurse: true
tags:
- grub
- kernel
- harden
- name: Append /etc/default/grub file
lineinfile:
path: /etc/default/grub
line: for x in $(ls /etc/default/grub.d) ; do source /etc/default/grub.d/$x ; done
state: present
tags:
- grub
- kernel
- harden
- name: Append /etc/default/grub file
lineinfile:
path: /etc/default/grub
line: for x in $(ls /etc/default/grub.d) ; do source /etc/default/grub.d/$x ; done
state: present
tags:
- grub
- kernel
- harden
- name: Grub command line defaults
copy:
dest: "/etc/default/grub.d/99-rocky.cfg"
owner: root
group: root
mode: '0644'
content: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT {{ kernel_boot_options }}"'
tags:
- grub
- kernel
- harden
- name: Grub command line defaults
template:
src: etc/default/grub.d/99-aoc.cfg.j2
dest: /etc/default/grub.d/99-aoc.cfg
owner: root
group: root
mode: '0644'
backup: true
tags:
- grub
- kernel
- harden
- name: rebuild grub
command: /usr/sbin/grub2-mkconfig -o {{ grub_config_path_link }}
tags:
- grub
- kernel
- harden
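Review bot: The `cis sudoers configuration` task writes /etc/sudoers.d/cis with `copy` but no `validate`, so any syntax slip in the `Defaults` lines would be installed as-is and break sudo for every account on the host; add `validate: /usr/sbin/visudo -cf %s` under the copy arguments so a bad drop-in is rejected before it lands. The `disable unused filesystems` lineinfile targets /etc/modprobe.d/cis.conf without `create: true`, so it fails on a host where that file does not exist yet, which is the normal first-run state. `rebuild grub` is a bare `command` with neither `changed_when` nor a handler trigger, so it reports changed and regenerates the grub config on every run; turning it into a handler notified by the grub.d tasks keeps the play idempotent. `Append /etc/default/grub file` appears twice verbatim and `Remove packages not allowed by CIS` repeats the task already present earlier in this file, so the duplicates can be dropped. In the first hunk the task rename from `useradd defaults` to `owneradd defaults` looks like an unintended side effect of the user→owner replacement (the task sets INACTIVE=30, a useradd default) and should be reverted to `- name: useradd defaults`.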


@ -1,6 +1,13 @@
# Variables for our common module for RedHat # Variables for our common module for RedHat
--- ---
bin_su: /usr/bin/su
bin_sudo: /usr/bin/sudo
kernel_boot_options: audit=1
grub_config_path_link: /etc/grub2.cfg
grub_config_path_efi: /etc/grub2-efi.cfg
# Removing TFTP for now because there will likely be tftp/pxe servers
remove_packages: remove_packages:
- nc - nc
- wireshark - wireshark
@ -8,8 +15,6 @@ remove_packages:
- talk - talk
- talk-server - talk-server
- rsh - rsh
- tftp
- tftp-server
- lftp - lftp
# sysctl settings # sysctl settings
@ -149,6 +154,3 @@ syslog_packages:
ntp_packages: ntp_packages:
- chrony - chrony
bin_su: /usr/bin/su
bin_sudo: /usr/bin/sudo