mirror of
https://github.com/rocky-linux/infrastructure
synced 2025-01-08 18:30:55 +00:00
300 lines
6.9 KiB
YAML
300 lines
6.9 KiB
YAML
---
|
|
# Initial hardening ideas from CIS
|
|
- name: sysctl hardening and limits
|
|
block:
|
|
- name: create combined sysctl-dict if overwrites are defined
|
|
set_fact:
|
|
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
|
|
when: sysctl_overwrite | default()
|
|
|
|
- name: Kernel parameters
|
|
sysctl:
|
|
name: "{{ item.key }}"
|
|
value: "{{ item.value }}"
|
|
state: present
|
|
ignoreerrors: true
|
|
sysctl_set: true
|
|
sysctl_file: /etc/sysctl.d/99-ansible.conf
|
|
with_dict: "{{ sysctl_config }}"
|
|
tags:
|
|
- harden
|
|
- kernel
|
|
|
|
- name: Security limits
|
|
pam_limits:
|
|
dest: "/etc/security/limits.d/cis.conf"
|
|
domain: "{{ item.domain }}"
|
|
limit_type: "{{ item.limit_type }}"
|
|
limit_item: "{{ item.limit_item }}"
|
|
value: "{{ item.value }}"
|
|
with_items: "{{ limits }}"
|
|
tags:
|
|
- harden
|
|
|
|
- name: Standard login settings
|
|
block:
|
|
- name: useradd defaults
|
|
lineinfile:
|
|
line: "INACTIVE=30"
|
|
regexp: "^INACTIVE=.*"
|
|
path: "/etc/login.defs"
|
|
tags:
|
|
- harden
|
|
|
|
- name: login defs maximum days
|
|
replace:
|
|
path: /etc/login.defs
|
|
regexp: '(PASS_MAX_DAYS).*\d+'
|
|
replace: '\1\t{{ login_max_days }}'
|
|
tags:
|
|
- harden
|
|
|
|
- name: login defs minimum days
|
|
replace:
|
|
path: /etc/login.defs
|
|
regexp: '(PASS_MIN_DAYS).*\d+'
|
|
replace: '\1\t{{ login_min_days }}'
|
|
tags:
|
|
- harden
|
|
|
|
- name: login defs minimum length
|
|
replace:
|
|
path: /etc/login.defs
|
|
regexp: '(PASS_MIN_LEN).*\d+'
|
|
replace: '\1\t{{ login_min_len }}'
|
|
tags:
|
|
- harden
|
|
|
|
- name: login defs warn age
|
|
replace:
|
|
path: /etc/login.defs
|
|
regexp: '(PASS_WARN_AGE).*\d+'
|
|
replace: '\1\t{{ login_warn_age }}'
|
|
tags:
|
|
- harden
|
|
|
|
- name: cron directories permissions
|
|
file:
|
|
path: '{{ item }}'
|
|
owner: root
|
|
group: root
|
|
mode: '0700'
|
|
state: directory
|
|
loop: '{{ login_cron_directories }}'
|
|
tags:
|
|
- harden
|
|
|
|
- name: Create cron/at allows
|
|
file:
|
|
path: '{{ item }}'
|
|
owner: root
|
|
group: root
|
|
mode: '0600'
|
|
state: touch
|
|
loop: '{{ login_cron_allows }}'
|
|
tags:
|
|
- harden
|
|
|
|
- name: Remove cron/at denies
|
|
file:
|
|
path: '{{ item }}'
|
|
state: absent
|
|
loop: '{{ login_cron_denies }}'
|
|
tags:
|
|
- harden
|
|
|
|
# TODO: Use pamd module to establish password policy
|
|
- name: pwquality - minlen
|
|
lineinfile:
|
|
line: "minlen = 14"
|
|
regexp: "^# minlen =.*"
|
|
path: "/etc/security/pwquality.conf"
|
|
tags:
|
|
- harden
|
|
|
|
- name: pwquality - dcredit
|
|
lineinfile:
|
|
line: "dcredit = -1"
|
|
regexp: "^# dcredit =.*"
|
|
path: "/etc/security/pwquality.conf"
|
|
tags:
|
|
- harden
|
|
|
|
- name: pwquality - ucredit
|
|
lineinfile:
|
|
line: "ucredit = -1"
|
|
regexp: "^# ucredit =.*"
|
|
path: "/etc/security/pwquality.conf"
|
|
tags:
|
|
- harden
|
|
|
|
- name: pwquality - lcredit
|
|
lineinfile:
|
|
line: "lcredit = -1"
|
|
regexp: "^# lcredit =.*"
|
|
path: "/etc/security/pwquality.conf"
|
|
tags:
|
|
- harden
|
|
|
|
- name: pwquality - ocredit
|
|
lineinfile:
|
|
line: "ocredit = -1"
|
|
regexp: "^# ocredit =.*"
|
|
path: "/etc/security/pwquality.conf"
|
|
tags:
|
|
- harden
|
|
|
|
- name: Remove packages not allowed by CIS
|
|
package:
|
|
name: "{{ remove_packages }}"
|
|
state: absent
|
|
tags:
|
|
- harden
|
|
|
|
- name: Auditd
|
|
block:
|
|
- name: Ensure auditd is installed
|
|
package:
|
|
name: audit
|
|
state: present
|
|
tags:
|
|
- harden
|
|
|
|
- name: Ensure auditd buffer is OK
|
|
replace:
|
|
path: /etc/audit/rules.d/audit.rules
|
|
regexp: '-b \d+'
|
|
replace: '-b {{ audit_buffer }}'
|
|
notify:
|
|
- regenerate_auditd_rules
|
|
tags:
|
|
- harden
|
|
|
|
- name: Ensure collection audit rules are available
|
|
template:
|
|
src: "etc/audit/rules.d/collection.rules.j2"
|
|
dest: "/etc/audit/rules.d/collection.rules"
|
|
owner: root
|
|
group: root
|
|
mode: '0600'
|
|
backup: true
|
|
notify:
|
|
- regenerate_auditd_rules
|
|
- restart_auditd
|
|
tags:
|
|
- harden
|
|
|
|
- name: Disable Services
|
|
service:
|
|
name: "{{ item }}"
|
|
enabled: false
|
|
state: stopped
|
|
loop: "{{ disable_svc }}"
|
|
register: service_check
|
|
failed_when: service_check is failed and not 'Could not find the requested service' in service_check.msg
|
|
tags:
|
|
- services
|
|
- harden
|
|
|
|
- name: modprobe settings
|
|
block:
|
|
- name: remove vfat from filesystem list if we are EFI
|
|
set_fact:
|
|
modprobe_unused_filesystems: "{{ modprobe_unused_filesystems | difference('vfat') }}"
|
|
when:
|
|
- efi_installed.stat.isdir is defined
|
|
- efi_installed.stat.isdir
|
|
tags:
|
|
- efi
|
|
|
|
- name: disable unused filesystems
|
|
template:
|
|
src: "etc/modprobe.d/cis.conf.j2"
|
|
dest: "/etc/modprobe.d/cis.conf"
|
|
owner: 'root'
|
|
group: 'root'
|
|
mode: '0644'
|
|
tags:
|
|
- harden
|
|
|
|
- name: Set init umask
|
|
lineinfile:
|
|
dest: /etc/sysconfig/init
|
|
state: present
|
|
regexp: ^umask
|
|
line: "umask 027"
|
|
create: true
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
when: ansible_distribution_major_version == '7'
|
|
tags:
|
|
- harden
|
|
|
|
- name: CIS sudoers configuration
|
|
copy:
|
|
src: "etc/sudoers.d/cis"
|
|
dest: "/etc/sudoers.d/cis"
|
|
owner: root
|
|
group: root
|
|
mode: '0440'
|
|
tags:
|
|
- harden
|
|
|
|
- name: Remove packages not allowed by CIS
|
|
package:
|
|
name: "{{ remove_packages }}"
|
|
state: absent
|
|
tags:
|
|
- harden
|
|
|
|
- name: grub and kernel
|
|
block:
|
|
- name: Reset grub link if we are EFI
|
|
set_fact:
|
|
grub_config_path_link: "{{ grub_config_path_efi }}"
|
|
when: efi_installed.stat.isdir is defined and efi_installed.stat.isdir and grub_config_path_efi is defined
|
|
tags:
|
|
- efi
|
|
|
|
- name: grub.d directory
|
|
file:
|
|
name: /etc/default/grub.d
|
|
owner: root
|
|
group: root
|
|
mode: '0755'
|
|
state: directory
|
|
recurse: true
|
|
tags:
|
|
- grub
|
|
- kernel
|
|
- harden
|
|
|
|
- name: Append /etc/default/grub file
|
|
lineinfile:
|
|
path: /etc/default/grub
|
|
line: for x in $(ls /etc/default/grub.d) ; do source /etc/default/grub.d/$x ; done
|
|
state: present
|
|
tags:
|
|
- grub
|
|
- kernel
|
|
- harden
|
|
|
|
- name: Grub command line defaults
|
|
copy:
|
|
dest: "/etc/default/grub.d/99-rocky.cfg"
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
content: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT {{ kernel_boot_options }}"'
|
|
tags:
|
|
- grub
|
|
- kernel
|
|
- harden
|
|
|
|
- name: rebuild grub
|
|
command: /usr/sbin/grub2-mkconfig -o {{ grub_config_path_link }}
|
|
tags:
|
|
- grub
|
|
- kernel
|
|
- harden
|