mirror of
https://github.com/rocky-linux/infrastructure
synced 2024-12-22 10:58:29 +00:00
hardening and sysconfig
This commit is contained in:
parent
523d673038
commit
d80300602d
@ -17,9 +17,15 @@
|
||||
msg: "/etc/no-ansible exists - skipping run on this node"
|
||||
|
||||
tasks:
|
||||
- name: Loading Variables from OS Common
|
||||
include: tasks/variable_loader_common.yml
|
||||
|
||||
- name: Configure SSH
|
||||
include: tasks/ssh-config.yml
|
||||
|
||||
- name: Configure harden settings
|
||||
include: tasks/harden.yml
|
||||
|
||||
post_tasks:
|
||||
- name: Touching run file that ansible has ran here
|
||||
file:
|
||||
|
135
ansible/playbooks/tasks/harden.yml
Normal file
135
ansible/playbooks/tasks/harden.yml
Normal file
@ -0,0 +1,135 @@
|
||||
---
|
||||
# Initial hardening ideas from CIS
|
||||
- name: create combined sysctl-dict if overwrites are defined
|
||||
set_fact:
|
||||
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
|
||||
when: sysctl_overwrite | default()
|
||||
|
||||
- name: sysctl hardening
|
||||
sysctl:
|
||||
name: '{{ item.key }}'
|
||||
value: '{{ item.value }}'
|
||||
state: present
|
||||
ignoreerrors: yes
|
||||
sysctl_set: yes
|
||||
sysctl_file: /etc/sysctl.d/99-ansible.conf
|
||||
with_dict: '{{ sysctl_config }}'
|
||||
tags:
|
||||
- harden
|
||||
- kernel
|
||||
|
||||
- name: security limits
|
||||
copy:
|
||||
dest: "/etc/security/limits.d/cis.conf"
|
||||
content: |
|
||||
* hard core 0
|
||||
|
||||
- name: Standard login settings
|
||||
block:
|
||||
- name: useradd defaults
|
||||
lineinfile:
|
||||
line: "INACTIVE=30"
|
||||
regexp: "^INACTIVE=.*"
|
||||
path: "/etc/login.defs"
|
||||
tags:
|
||||
- harden
|
||||
|
||||
- name: login defs maximum days
|
||||
replace:
|
||||
path: /etc/login.defs
|
||||
regexp: '(PASS_MAX_DAYS).*\d+'
|
||||
replace: '\1\t{{ login_max_days }}'
|
||||
tags:
|
||||
- harden
|
||||
|
||||
- name: login defs minimum days
|
||||
replace:
|
||||
path: /etc/login.defs
|
||||
regexp: '(PASS_MIN_DAYS).*\d+'
|
||||
replace: '\1\t{{ login_min_days }}'
|
||||
tags:
|
||||
- harden
|
||||
|
||||
- name: login defs minimum length
|
||||
replace:
|
||||
path: /etc/login.defs
|
||||
regexp: '(PASS_MIN_LEN).*\d+'
|
||||
replace: '\1\t{{ login_min_len }}'
|
||||
tags:
|
||||
- harden
|
||||
|
||||
- name: login defs warn age
|
||||
replace:
|
||||
path: /etc/login.defs
|
||||
regexp: '(PASS_WARN_AGE).*\d+'
|
||||
replace: '\1\t{{ login_warn_age }}'
|
||||
tags:
|
||||
- harden
|
||||
|
||||
- name: cron directories permissions
|
||||
file:
|
||||
path: '{{ item }}'
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0700'
|
||||
state: directory
|
||||
loop: '{{ login_cron_directories }}'
|
||||
tags:
|
||||
- harden
|
||||
|
||||
- name: Create cron/at allows
|
||||
file:
|
||||
path: '{{ item }}'
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0600'
|
||||
state: touch
|
||||
loop: '{{ login_cron_allows }}'
|
||||
tags:
|
||||
- harden
|
||||
|
||||
- name: Remove cron/at denies
|
||||
file:
|
||||
path: '{{ item }}'
|
||||
state: absent
|
||||
loop: '{{ login_cron_denies }}'
|
||||
tags:
|
||||
- harden
|
||||
|
||||
- name: Remove packages not allowed by CIS
|
||||
package:
|
||||
name: "{{ remove_packages }}"
|
||||
state: absent
|
||||
|
||||
- name: Auditd
|
||||
block:
|
||||
- name: Ensure auditd is installed
|
||||
package:
|
||||
name: audit
|
||||
state: present
|
||||
tags:
|
||||
- harden
|
||||
|
||||
- name: Ensure auditd buffer is OK
|
||||
replace:
|
||||
path: /etc/audit/rules.d/audit.rules
|
||||
regexp: '-b \d+'
|
||||
replace: '-b {{ audit_buffer }}'
|
||||
notify:
|
||||
- regenerate auditd rules
|
||||
tags:
|
||||
- harden
|
||||
|
||||
- name: Ensure collection audit rules are available
|
||||
template:
|
||||
src: "etc/audit/rules.d/collection.rules.j2"
|
||||
dest: "/etc/audit/rules.d/collection.rules"
|
||||
owner: root
|
||||
group: root
|
||||
backup: yes
|
||||
notify:
|
||||
- regenerate auditd rules
|
||||
- restart auditd
|
||||
tags:
|
||||
- harden
|
||||
|
21
ansible/playbooks/tasks/variable_loader_common.yml
Normal file
21
ansible/playbooks/tasks/variable_loader_common.yml
Normal file
@ -0,0 +1,21 @@
|
||||
---
|
||||
- name: Standard System Configuration Variables
|
||||
block:
|
||||
- name: Loading Variables from OS Common
|
||||
include_vars: "{{ item }}"
|
||||
with_items:
|
||||
- "{{ ansible_distribution }}.yml"
|
||||
|
||||
- name: Create overrides if we're an IPA Replica
|
||||
include_vars: "{{ item }}"
|
||||
with_first_found:
|
||||
- "ipaserver.yml"
|
||||
when: "'ipaservers' in group_names"
|
||||
|
||||
- name: Check if system is EFI
|
||||
stat:
|
||||
path: "/sys/firmware/efi"
|
||||
register: efi_installed
|
||||
|
||||
always:
|
||||
- debug: msg="Variables are now loaded"
|
1
ansible/playbooks/vars/CentOS.yml
Symbolic link
1
ansible/playbooks/vars/CentOS.yml
Symbolic link
@ -0,0 +1 @@
|
||||
RedHat.yml
|
154
ansible/playbooks/vars/RedHat.yml
Normal file
154
ansible/playbooks/vars/RedHat.yml
Normal file
@ -0,0 +1,154 @@
|
||||
# Variables for our common module for RedHat
|
||||
---
|
||||
|
||||
remove_packages:
|
||||
- nc
|
||||
- wireshark
|
||||
- prelink
|
||||
- talk
|
||||
- talk-server
|
||||
- rsh
|
||||
- tftp
|
||||
- tftp-server
|
||||
- lftp
|
||||
|
||||
# sysctl settings
|
||||
sysctl_config:
|
||||
net.ipv4.ip_forward: 0
|
||||
net.ipv4.conf.all.rp_filter: 1
|
||||
net.ipv4.conf.default.rp_filter: 1
|
||||
net.ipv4.conf.all.accept_source_route: 0
|
||||
net.ipv4.conf.default.accept_source_route: 0
|
||||
net.ipv4.conf.all.log_martians: 1
|
||||
net.ipv4.conf.default.log_martians: 1
|
||||
net.ipv4.icmp_echo_ignore_broadcasts: 1
|
||||
net.ipv4.icmp_ignore_bogus_error_responses: 1
|
||||
net.ipv4.tcp_syncookies: 1
|
||||
net.ipv4.conf.all.accept_redirects: 0
|
||||
net.ipv4.conf.default.accept_redirects: 0
|
||||
net.ipv4.conf.all.send_redirects: 0
|
||||
net.ipv4.conf.default.send_redirects: 0
|
||||
net.ipv4.conf.all.secure_redirects: 0
|
||||
net.ipv4.conf.default.secure_redirects: 0
|
||||
net.ipv6.conf.all.accept_redirects: 0
|
||||
net.ipv6.conf.default.accept_redirects: 0
|
||||
net.ipv6.conf.all.forwarding: 0
|
||||
net.ipv6.conf.all.accept_ra: 0
|
||||
net.ipv6.conf.default.accept_ra: 0
|
||||
net.ipv6.conf.all.accept_source_route: 0
|
||||
net.ipv6.conf.default.accept_source_route: 0
|
||||
kernel.randomize_va_space: 2
|
||||
fs.suid_dumpable: 0
|
||||
|
||||
# login.defs
|
||||
login_umask: 077
|
||||
login_create_home: "yes"
|
||||
login_encrypt_method: SHA512
|
||||
login_md5_crypt_enab: "no"
|
||||
login_max_days: 84
|
||||
login_min_days: 7
|
||||
login_min_len: 14
|
||||
login_warn_age: 7
|
||||
login_dcredit: -1
|
||||
login_lcredit: -1
|
||||
login_ucredit: -1
|
||||
login_ocredit: -1
|
||||
login_cron_directories:
|
||||
- /etc/cron.hourly
|
||||
- /etc/cron.daily
|
||||
- /etc/cron.weekly
|
||||
- /etc/cron.monthly
|
||||
- /etc/cron.d
|
||||
login_cron_allows:
|
||||
- /etc/cron.allow
|
||||
- /etc/at.allow
|
||||
login_cron_denies:
|
||||
- /etc/cron.deny
|
||||
- /etc/at.deny
|
||||
|
||||
# modprobe
|
||||
modprobe_unused_filesystems:
|
||||
- dccp
|
||||
- sctp
|
||||
- bluetooth
|
||||
- freevxfs
|
||||
- cramfs
|
||||
- jffs2
|
||||
- hfs
|
||||
- hfsplus
|
||||
- squashfs
|
||||
- udf
|
||||
- tipc
|
||||
- usb_storage
|
||||
- vfat
|
||||
|
||||
# auditd
|
||||
audit_package: audit
|
||||
audit_auid: 1000
|
||||
audit_buffer: 8192
|
||||
audit_identity_list:
|
||||
- /etc/group
|
||||
- /etc/passwd
|
||||
- /etc/gshadow
|
||||
- /etc/shadow
|
||||
- /etc/security/opasswd
|
||||
audit_logins:
|
||||
- /var/log/faillog
|
||||
- /var/log/lastlog
|
||||
- /var/log/tallylog
|
||||
- /var/log/faillock/
|
||||
- /var/log/wtmp
|
||||
- /var/log/btmp
|
||||
audit_session:
|
||||
- /var/run/utmp
|
||||
audit_suid_list:
|
||||
- /usr/libexec/sssd/proxy_child
|
||||
- /usr/libexec/sssd/ldap_child
|
||||
- /usr/libexec/sssd/krb5_child
|
||||
- /usr/libexec/sssd/selinux_child
|
||||
- /usr/libexec/dbus-1/dbus-daemon-launch-helper
|
||||
- /usr/libexec/utempter/utempter
|
||||
- /usr/libexec/openssh/ssh-keysign
|
||||
- /usr/lib/polkit-1/polkit-agent-helper-1
|
||||
- /usr/sbin/usernetctl
|
||||
- /usr/sbin/postqueue
|
||||
- /usr/sbin/unix_chkpwd
|
||||
- /usr/sbin/postdrop
|
||||
- /usr/sbin/pam_timestamp_check
|
||||
- /usr/sbin/netreport
|
||||
- /usr/sbin/mount.nfs
|
||||
- /usr/bin/su
|
||||
- /usr/bin/ksu
|
||||
- /usr/bin/write
|
||||
- /usr/bin/newgrp
|
||||
- /usr/bin/chage
|
||||
- /usr/bin/mount
|
||||
- /usr/bin/ssh-agent
|
||||
- /usr/bin/sudo
|
||||
- /usr/bin/passwd
|
||||
- /usr/bin/gpasswd
|
||||
- /usr/bin/at
|
||||
- /usr/bin/wall
|
||||
- /usr/bin/chsh
|
||||
- /usr/bin/locate
|
||||
- /usr/bin/chfn
|
||||
- /usr/bin/umount
|
||||
- /usr/bin/crontab
|
||||
- /usr/bin/pkexec
|
||||
|
||||
disable_svc:
|
||||
- cups
|
||||
- nfs-server
|
||||
- avahi-daemon
|
||||
|
||||
enable_svc:
|
||||
- postfix
|
||||
|
||||
syslog_packages:
|
||||
- rsyslog
|
||||
|
||||
ntp_packages:
|
||||
- chrony
|
||||
|
||||
legacy_ntp_packages:
|
||||
- ntp
|
2
ansible/playbooks/vars/ipaserver.yml
Normal file
2
ansible/playbooks/vars/ipaserver.yml
Normal file
@ -0,0 +1,2 @@
|
||||
---
|
||||
ipatype: server
|
Loading…
Reference in New Issue
Block a user