hardening and sysconfig

ansible/playbooks/init-rocky-system-config.yml

@@ -17,9 +17,15 @@
         msg: "/etc/no-ansible exists - skipping run on this node"
 
   tasks:
+    - name: Loading Variables from OS Common
+      include: tasks/variable_loader_common.yml
+
     - name: Configure SSH
       include: tasks/ssh-config.yml
 
+    - name: Configure harden settings
+      include: tasks/harden.yml
+
   post_tasks:
     - name: Touching run file that ansible has ran here
       file:

ansible/playbooks/tasks/harden.yml

@@ -0,0 +1,135 @@
+---
+# Initial hardening ideas from CIS
+- name: create combined sysctl-dict if overwrites are defined
+  set_fact:
+    sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
+  when: sysctl_overwrite | default()
+
+- name: sysctl hardening
+  sysctl:
+    name: '{{ item.key }}'
+    value: '{{ item.value }}'
+    state: present
+    ignoreerrors: yes
+    sysctl_set: yes
+    sysctl_file: /etc/sysctl.d/99-ansible.conf
+  with_dict: '{{ sysctl_config }}'
+  tags:
+    - harden
+    - kernel
+
+- name: security limits
+  copy:
+    dest: "/etc/security/limits.d/cis.conf"
+    content: |
+      * hard core 0
+
+- name: Standard login settings
+  block:
+    - name: useradd defaults
+      lineinfile:
+        line: "INACTIVE=30"
+        regexp: "^INACTIVE=.*"
+        path: "/etc/login.defs"
+      tags:
+        - harden
+
+    - name: login defs maximum days
+      replace:
+        path: /etc/login.defs
+        regexp: '(PASS_MAX_DAYS).*\d+'
+        replace: '\1\t{{ login_max_days }}'
+      tags:
+        - harden
+
+    - name: login defs minimum days
+      replace:
+        path: /etc/login.defs
+        regexp: '(PASS_MIN_DAYS).*\d+'
+        replace: '\1\t{{ login_min_days }}'
+      tags:
+        - harden
+
+    - name: login defs minimum length
+      replace:
+        path: /etc/login.defs
+        regexp: '(PASS_MIN_LEN).*\d+'
+        replace: '\1\t{{ login_min_len }}'
+      tags:
+        - harden
+
+    - name: login defs warn age
+      replace:
+        path: /etc/login.defs
+        regexp: '(PASS_WARN_AGE).*\d+'
+        replace: '\1\t{{ login_warn_age }}'
+      tags:
+        - harden
+
+    - name: cron directories permissions
+      file:
+        path: '{{ item }}'
+        owner: root
+        group: root
+        mode: '0700'
+        state: directory
+      loop: '{{ login_cron_directories }}'
+      tags:
+        - harden
+
+    - name: Create cron/at allows
+      file:
+        path: '{{ item }}'
+        owner: root
+        group: root
+        mode: '0600'
+        state: touch
+      loop: '{{ login_cron_allows }}'
+      tags:
+        - harden
+
+    - name: Remove cron/at denies
+      file:
+        path: '{{ item }}'
+        state: absent
+      loop: '{{ login_cron_denies }}'
+      tags:
+        - harden
+
+- name: Remove packages not allowed by CIS
+  package:
+    name: "{{ remove_packages }}"
+    state: absent
+
+- name: Auditd
+  block:
+    - name: Ensure auditd is installed
+      package:
+        name: audit
+        state: present
+      tags:
+        - harden
+    
+    - name: Ensure auditd buffer is OK
+      replace:
+        path: /etc/audit/rules.d/audit.rules
+        regexp: '-b \d+'
+        replace: '-b {{ audit_buffer }}'
+      notify:
+        - regenerate auditd rules
+      tags:
+        - harden
+    
+    - name: Ensure collection audit rules are available
+      template:
+        src: "etc/audit/rules.d/collection.rules.j2"
+        dest: "/etc/audit/rules.d/collection.rules"
+        owner: root
+        group: root
+        backup: yes
+      notify:
+        - regenerate auditd rules
+        - restart auditd
+      tags:
+        - harden
+

ansible/playbooks/tasks/variable_loader_common.yml

@@ -0,0 +1,21 @@
+---
+- name: Standard System Configuration Variables
+  block:
+    - name: Loading Variables from OS Common
+      include_vars: "{{ item }}"
+      with_items:
+        - "{{ ansible_distribution }}.yml"
+
+    - name: Create overrides if we're an IPA Replica
+      include_vars: "{{ item }}"
+      with_first_found:
+        - "ipaserver.yml"
+      when: "'ipaservers' in group_names"
+
+    - name: Check if system is EFI
+      stat:
+        path: "/sys/firmware/efi"
+      register: efi_installed
+
+  always:
+    - debug: msg="Variables are now loaded"

ansible/playbooks/vars/CentOS.yml

@@ -0,0 +1 @@
+RedHat.yml

ansible/playbooks/vars/RedHat.yml

@@ -0,0 +1,154 @@
+# Variables for our common module for RedHat
+---
+
+remove_packages:
+  - nc
+  - wireshark
+  - prelink
+  - talk
+  - talk-server
+  - rsh
+  - tftp
+  - tftp-server
+  - lftp
+
+# sysctl settings
+sysctl_config:
+  net.ipv4.ip_forward: 0
+  net.ipv4.conf.all.rp_filter: 1
+  net.ipv4.conf.default.rp_filter: 1
+  net.ipv4.conf.all.accept_source_route: 0
+  net.ipv4.conf.default.accept_source_route: 0
+  net.ipv4.conf.all.log_martians: 1
+  net.ipv4.conf.default.log_martians: 1
+  net.ipv4.icmp_echo_ignore_broadcasts: 1
+  net.ipv4.icmp_ignore_bogus_error_responses: 1
+  net.ipv4.tcp_syncookies: 1
+  net.ipv4.conf.all.accept_redirects: 0
+  net.ipv4.conf.default.accept_redirects: 0
+  net.ipv4.conf.all.send_redirects: 0
+  net.ipv4.conf.default.send_redirects: 0
+  net.ipv4.conf.all.secure_redirects: 0
+  net.ipv4.conf.default.secure_redirects: 0
+  net.ipv6.conf.all.accept_redirects: 0
+  net.ipv6.conf.default.accept_redirects: 0
+  net.ipv6.conf.all.forwarding: 0
+  net.ipv6.conf.all.accept_ra: 0
+  net.ipv6.conf.default.accept_ra: 0
+  net.ipv6.conf.all.accept_source_route: 0
+  net.ipv6.conf.default.accept_source_route: 0
+  kernel.randomize_va_space: 2
+  fs.suid_dumpable: 0
+
+# login.defs
+login_umask: 077
+login_create_home: "yes"
+login_encrypt_method: SHA512
+login_md5_crypt_enab: "no"
+login_max_days: 84
+login_min_days: 7
+login_min_len: 14
+login_warn_age: 7
+login_dcredit: -1
+login_lcredit: -1
+login_ucredit: -1
+login_ocredit: -1
+login_cron_directories:
+  - /etc/cron.hourly
+  - /etc/cron.daily
+  - /etc/cron.weekly
+  - /etc/cron.monthly
+  - /etc/cron.d
+login_cron_allows:
+  - /etc/cron.allow
+  - /etc/at.allow
+login_cron_denies:
+  - /etc/cron.deny
+  - /etc/at.deny
+
+# modprobe
+modprobe_unused_filesystems:
+  - dccp
+  - sctp
+  - bluetooth
+  - freevxfs
+  - cramfs
+  - jffs2
+  - hfs
+  - hfsplus
+  - squashfs
+  - udf
+  - tipc
+  - usb_storage
+  - vfat
+
+# auditd
+audit_package: audit
+audit_auid: 1000
+audit_buffer: 8192
+audit_identity_list:
+  - /etc/group
+  - /etc/passwd
+  - /etc/gshadow
+  - /etc/shadow
+  - /etc/security/opasswd
+audit_logins:
+  - /var/log/faillog
+  - /var/log/lastlog
+  - /var/log/tallylog
+  - /var/log/faillock/
+  - /var/log/wtmp
+  - /var/log/btmp
+audit_session:
+  - /var/run/utmp
+audit_suid_list:
+  - /usr/libexec/sssd/proxy_child
+  - /usr/libexec/sssd/ldap_child
+  - /usr/libexec/sssd/krb5_child
+  - /usr/libexec/sssd/selinux_child
+  - /usr/libexec/dbus-1/dbus-daemon-launch-helper
+  - /usr/libexec/utempter/utempter
+  - /usr/libexec/openssh/ssh-keysign
+  - /usr/lib/polkit-1/polkit-agent-helper-1
+  - /usr/sbin/usernetctl
+  - /usr/sbin/postqueue
+  - /usr/sbin/unix_chkpwd
+  - /usr/sbin/postdrop
+  - /usr/sbin/pam_timestamp_check
+  - /usr/sbin/netreport
+  - /usr/sbin/mount.nfs
+  - /usr/bin/su
+  - /usr/bin/ksu
+  - /usr/bin/write
+  - /usr/bin/newgrp
+  - /usr/bin/chage
+  - /usr/bin/mount
+  - /usr/bin/ssh-agent
+  - /usr/bin/sudo
+  - /usr/bin/passwd
+  - /usr/bin/gpasswd
+  - /usr/bin/at
+  - /usr/bin/wall
+  - /usr/bin/chsh
+  - /usr/bin/locate
+  - /usr/bin/chfn
+  - /usr/bin/umount
+  - /usr/bin/crontab
+  - /usr/bin/pkexec
+
+disable_svc:
+  - cups
+  - nfs-server
+  - avahi-daemon
+
+enable_svc:
+  - postfix
+
+syslog_packages:
+  - rsyslog
+
+ntp_packages:
+  - chrony
+
+legacy_ntp_packages:
+  - ntp

ansible/playbooks/vars/ipaserver.yml

@@ -0,0 +1,2 @@
+---
+ipatype: server