diff --git a/ansible/playbooks/init-rocky-system-config.yml b/ansible/playbooks/init-rocky-system-config.yml index b652021..598a65a 100644 --- a/ansible/playbooks/init-rocky-system-config.yml +++ b/ansible/playbooks/init-rocky-system-config.yml @@ -17,9 +17,15 @@ msg: "/etc/no-ansible exists - skipping run on this node" tasks: + - name: Loading Variables from OS Common + include: tasks/variable_loader_common.yml + - name: Configure SSH include: tasks/ssh-config.yml + - name: Configure harden settings + include: tasks/harden.yml + post_tasks: - name: Touching run file that ansible has ran here file: diff --git a/ansible/playbooks/tasks/harden.yml b/ansible/playbooks/tasks/harden.yml new file mode 100644 index 0000000..dccbad7 --- /dev/null +++ b/ansible/playbooks/tasks/harden.yml 
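Review bot: Both new tasks use the bare `include` keyword, which has been deprecated since Ansible 2.4 in favour of `import_tasks` / `include_tasks`; because `harden.yml` tags its inner tasks `harden` while the include line itself carries no tag, a static `import_tasks: tasks/harden.yml` is the form that lets `--tags harden` reach those tasks, whereas a dynamic include would be skipped before its contents are read. The `Loading Variables from OS Common` task must stay ahead of the hardening include, since `harden.yml` begins by reading `sysctl_config`, which only that loader defines; a comment such as `# must run first: harden.yml uses sysctl_config and the login_* values this loads` would make the ordering explicit rather than incidental. The enclosing play starts before this hunk and its `post_tasks` continue after it.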
@@ -0,0 +1,135 @@ +--- +# Initial hardening ideas from CIS +- name: create combined sysctl-dict if overwrites are defined + set_fact: + sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}' + when: sysctl_overwrite | default() + +- name: sysctl hardening + sysctl: + name: '{{ item.key }}' + value: '{{ item.value }}' + state: present + ignoreerrors: yes + sysctl_set: yes + sysctl_file: /etc/sysctl.d/99-ansible.conf + with_dict: '{{ sysctl_config }}' + tags: + - harden + - kernel + +- name: security limits + copy: + dest: "/etc/security/limits.d/cis.conf" + content: | + * hard core 0 + +- name: Standard login settings + block: + - name: useradd defaults + lineinfile: + line: "INACTIVE=30" + regexp: "^INACTIVE=.*" + path: "/etc/login.defs" + tags: + - harden + + - name: login defs maximum days + replace: + path: /etc/login.defs + regexp: '(PASS_MAX_DAYS).*\d+' + replace: '\1\t{{ login_max_days }}' + tags: + - harden + + - name: login defs minimum days + replace: + path: /etc/login.defs + regexp: '(PASS_MIN_DAYS).*\d+' + replace: '\1\t{{ login_min_days }}' + tags: + - harden + + - name: login defs minimum length + replace: + path: /etc/login.defs + regexp: '(PASS_MIN_LEN).*\d+' + replace: '\1\t{{ login_min_len }}' + tags: + - harden + + - name: login defs warn age + replace: + path: /etc/login.defs + regexp: '(PASS_WARN_AGE).*\d+' + replace: '\1\t{{ login_warn_age }}' + tags: + - harden + + - name: cron directories permissions + file: + path: '{{ item }}' + owner: root + group: root + mode: '0700' + state: directory + loop: '{{ login_cron_directories }}' + tags: + - harden + + - name: Create cron/at allows + file: + path: '{{ item }}' + owner: root + group: root + mode: '0600' + state: touch + loop: '{{ login_cron_allows }}' + tags: + - harden + + - name: Remove cron/at denies + file: + path: '{{ item }}' + state: absent + loop: '{{ login_cron_denies }}' + tags: + - harden + +- name: Remove packages not allowed by CIS + package: + name: "{{ remove_packages 
}}" + state: absent + +- name: Auditd + block: + - name: Ensure auditd is installed + package: + name: audit + state: present + tags: + - harden + + - name: Ensure auditd buffer is OK + replace: + path: /etc/audit/rules.d/audit.rules + regexp: '-b \d+' + replace: '-b {{ audit_buffer }}' + notify: + - regenerate auditd rules + tags: + - harden + + - name: Ensure collection audit rules are available + template: + src: "etc/audit/rules.d/collection.rules.j2" + dest: "/etc/audit/rules.d/collection.rules" + owner: root + group: root + backup: yes + notify: + - regenerate auditd rules + - restart auditd + tags: + - harden + diff --git a/ansible/playbooks/tasks/variable_loader_common.yml b/ansible/playbooks/tasks/variable_loader_common.yml new file mode 100644 index 0000000..a60f7b0 --- /dev/null +++ b/ansible/playbooks/tasks/variable_loader_common.yml @@ -0,0 +1,21 @@ +--- +- name: Standard System Configuration Variables + block: + - name: Loading Variables from OS Common + include_vars: "{{ item }}" + with_items: + - "{{ ansible_distribution }}.yml" + + - name: Create overrides if we're an IPA Replica + include_vars: "{{ item }}" + with_first_found: + - "ipaserver.yml" + when: "'ipaservers' in group_names" + + - name: Check if system is EFI + stat: + path: "/sys/firmware/efi" + register: efi_installed + + always: + - debug: msg="Variables are now loaded" diff --git a/ansible/playbooks/vars/CentOS.yml b/ansible/playbooks/vars/CentOS.yml new file mode 120000 index 0000000..f802000 --- /dev/null +++ b/ansible/playbooks/vars/CentOS.yml @@ -0,0 +1 @@ +RedHat.yml \ No newline at end of file diff --git a/ansible/playbooks/vars/RedHat.yml b/ansible/playbooks/vars/RedHat.yml new file mode 100644 index 0000000..d281606 --- /dev/null +++ b/ansible/playbooks/vars/RedHat.yml 
@@ -0,0 +1,154 @@ +# Variables for our common module for RedHat +--- + +remove_packages: + - nc + - wireshark + - prelink + - talk + - talk-server + - rsh + - tftp + - tftp-server + - lftp + +# sysctl settings +sysctl_config: + net.ipv4.ip_forward: 0 + net.ipv4.conf.all.rp_filter: 1 + net.ipv4.conf.default.rp_filter: 1 + net.ipv4.conf.all.accept_source_route: 0 + net.ipv4.conf.default.accept_source_route: 0 + net.ipv4.conf.all.log_martians: 1 + net.ipv4.conf.default.log_martians: 1 + net.ipv4.icmp_echo_ignore_broadcasts: 1 + net.ipv4.icmp_ignore_bogus_error_responses: 1 + net.ipv4.tcp_syncookies: 1 + net.ipv4.conf.all.accept_redirects: 0 + net.ipv4.conf.default.accept_redirects: 0 + net.ipv4.conf.all.send_redirects: 0 + net.ipv4.conf.default.send_redirects: 0 + net.ipv4.conf.all.secure_redirects: 0 + net.ipv4.conf.default.secure_redirects: 0 + net.ipv6.conf.all.accept_redirects: 0 + net.ipv6.conf.default.accept_redirects: 0 + net.ipv6.conf.all.forwarding: 0 + net.ipv6.conf.all.accept_ra: 0 + net.ipv6.conf.default.accept_ra: 0 + net.ipv6.conf.all.accept_source_route: 0 + net.ipv6.conf.default.accept_source_route: 0 + kernel.randomize_va_space: 2 + fs.suid_dumpable: 0 + +# login.defs +login_umask: 077 +login_create_home: "yes" +login_encrypt_method: SHA512 +login_md5_crypt_enab: "no" +login_max_days: 84 +login_min_days: 7 +login_min_len: 14 +login_warn_age: 7 +login_dcredit: -1 +login_lcredit: -1 +login_ucredit: -1 +login_ocredit: -1 +login_cron_directories: + - /etc/cron.hourly + - /etc/cron.daily + - /etc/cron.weekly + - /etc/cron.monthly + - /etc/cron.d +login_cron_allows: + - /etc/cron.allow + - /etc/at.allow +login_cron_denies: + - /etc/cron.deny + - /etc/at.deny + +# modprobe +modprobe_unused_filesystems: + - dccp + - sctp + - bluetooth + - freevxfs + - cramfs + - jffs2 + - hfs + - hfsplus + - squashfs + - udf + - tipc + - usb_storage + - vfat + +# auditd +audit_package: audit +audit_auid: 1000 +audit_buffer: 8192 +audit_identity_list: + - /etc/group + - 
/etc/passwd + - /etc/gshadow + - /etc/shadow + - /etc/security/opasswd +audit_logins: + - /var/log/faillog + - /var/log/lastlog + - /var/log/tallylog + - /var/log/faillock/ + - /var/log/wtmp + - /var/log/btmp +audit_session: + - /var/run/utmp +audit_suid_list: + - /usr/libexec/sssd/proxy_child + - /usr/libexec/sssd/ldap_child + - /usr/libexec/sssd/krb5_child + - /usr/libexec/sssd/selinux_child + - /usr/libexec/dbus-1/dbus-daemon-launch-helper + - /usr/libexec/utempter/utempter + - /usr/libexec/openssh/ssh-keysign + - /usr/lib/polkit-1/polkit-agent-helper-1 + - /usr/sbin/usernetctl + - /usr/sbin/postqueue + - /usr/sbin/unix_chkpwd + - /usr/sbin/postdrop + - /usr/sbin/pam_timestamp_check + - /usr/sbin/netreport + - /usr/sbin/mount.nfs + - /usr/bin/su + - /usr/bin/ksu + - /usr/bin/write + - /usr/bin/newgrp + - /usr/bin/chage + - /usr/bin/mount + - /usr/bin/ssh-agent + - /usr/bin/sudo + - /usr/bin/passwd + - /usr/bin/gpasswd + - /usr/bin/at + - /usr/bin/wall + - /usr/bin/chsh + - /usr/bin/locate + - /usr/bin/chfn + - /usr/bin/umount + - /usr/bin/crontab + - /usr/bin/pkexec + +disable_svc: + - cups + - nfs-server + - avahi-daemon + +enable_svc: + - postfix + +syslog_packages: + - rsyslog + +ntp_packages: + - chrony + +legacy_ntp_packages: + - ntp diff --git a/ansible/playbooks/vars/ipaserver.yml b/ansible/playbooks/vars/ipaserver.yml new file mode 100644 index 0000000..b6854f0 --- /dev/null +++ b/ansible/playbooks/vars/ipaserver.yml @@ -0,0 +1,2 @@ +--- +ipatype: server
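Review bot: `login_umask: 077` is an unquoted leading-zero scalar, which YAML 1.1 parsers such as PyYAML read as the octal integer 63, so anything that templates it into `login.defs` would emit `UMASK 63`; quote it as `login_umask: "077"`, the way `login_create_home: "yes"` and `login_md5_crypt_enab: "no"` already are. Several variables here (`login_umask`, `login_encrypt_method`, `login_*credit`, `modprobe_unused_filesystems`, `disable_svc`, `enable_svc`, `syslog_packages`, `ntp_packages`, `legacy_ntp_packages`) have no consumer in `harden.yml` within this diff; presumably tasks elsewhere or the `collection.rules.j2` template use them, confirm, otherwise they are dead configuration that will drift. `CentOS.yml` is a symlink to this file, so a header comment such as `# Also loaded for CentOS via the vars/CentOS.yml symlink` would keep a maintainer from editing it without realising both distributions are affected.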