mirror of
https://github.com/rocky-linux/infrastructure
synced 2024-11-11 00:11:25 +00:00
141 lines
3.1 KiB
YAML
141 lines
3.1 KiB
YAML
---
|
|
# Initial hardening ideas from CIS
|
|
- name: create combined sysctl-dict if overwrites are defined
|
|
set_fact:
|
|
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
|
|
when: sysctl_overwrite | default()
|
|
|
|
- name: sysctl hardening
|
|
sysctl:
|
|
name: '{{ item.key }}'
|
|
value: '{{ item.value }}'
|
|
state: present
|
|
ignoreerrors: yes
|
|
sysctl_set: yes
|
|
sysctl_file: /etc/sysctl.d/99-ansible.conf
|
|
with_dict: '{{ sysctl_config }}'
|
|
tags:
|
|
- harden
|
|
- kernel
|
|
|
|
- name: security limits
|
|
copy:
|
|
dest: "/etc/security/limits.d/cis.conf"
|
|
user: root
|
|
group: root
|
|
mode: '0644'
|
|
content: |
|
|
* hard core 0
|
|
|
|
- name: Standard login settings
|
|
block:
|
|
- name: useradd defaults
|
|
lineinfile:
|
|
line: "INACTIVE=30"
|
|
regexp: "^INACTIVE=.*"
|
|
path: "/etc/login.defs"
|
|
tags:
|
|
- harden
|
|
|
|
- name: login defs maximum days
|
|
replace:
|
|
path: /etc/login.defs
|
|
regexp: '(PASS_MAX_DAYS).*\d+'
|
|
replace: '\1\t{{ login_max_days }}'
|
|
tags:
|
|
- harden
|
|
|
|
- name: login defs minimum days
|
|
replace:
|
|
path: /etc/login.defs
|
|
regexp: '(PASS_MIN_DAYS).*\d+'
|
|
replace: '\1\t{{ login_min_days }}'
|
|
tags:
|
|
- harden
|
|
|
|
- name: login defs minimum length
|
|
replace:
|
|
path: /etc/login.defs
|
|
regexp: '(PASS_MIN_LEN).*\d+'
|
|
replace: '\1\t{{ login_min_len }}'
|
|
tags:
|
|
- harden
|
|
|
|
- name: login defs warn age
|
|
replace:
|
|
path: /etc/login.defs
|
|
regexp: '(PASS_WARN_AGE).*\d+'
|
|
replace: '\1\t{{ login_warn_age }}'
|
|
tags:
|
|
- harden
|
|
|
|
- name: cron directories permissions
|
|
file:
|
|
path: '{{ item }}'
|
|
owner: root
|
|
group: root
|
|
mode: '0700'
|
|
state: directory
|
|
loop: '{{ login_cron_directories }}'
|
|
tags:
|
|
- harden
|
|
|
|
- name: Create cron/at allows
|
|
file:
|
|
path: '{{ item }}'
|
|
owner: root
|
|
group: root
|
|
mode: '0600'
|
|
state: touch
|
|
loop: '{{ login_cron_allows }}'
|
|
tags:
|
|
- harden
|
|
|
|
- name: Remove cron/at denies
|
|
file:
|
|
path: '{{ item }}'
|
|
state: absent
|
|
loop: '{{ login_cron_denies }}'
|
|
tags:
|
|
- harden
|
|
|
|
- name: Remove packages not allowed by CIS
|
|
package:
|
|
name: "{{ remove_packages }}"
|
|
state: absent
|
|
|
|
- name: Auditd
|
|
block:
|
|
- name: Ensure auditd is installed
|
|
package:
|
|
name: audit
|
|
state: present
|
|
tags:
|
|
- harden
|
|
|
|
- name: Ensure auditd buffer is OK
|
|
replace:
|
|
path: /etc/audit/rules.d/audit.rules
|
|
regexp: '-b \d+'
|
|
replace: '-b {{ audit_buffer }}'
|
|
notify:
|
|
- regenerate_auditd_rules
|
|
tags:
|
|
- harden
|
|
|
|
# Leaving this out for now as we don't know the implications of the audit rules
|
|
# on build systems yet.
|
|
# - name: Ensure collection audit rules are available
|
|
# template:
|
|
# src: "etc/audit/rules.d/collection.rules.j2"
|
|
# dest: "/etc/audit/rules.d/collection.rules"
|
|
# owner: root
|
|
# group: root
|
|
# backup: yes
|
|
# notify:
|
|
# - regenerate_auditd rules
|
|
# - restart_auditd
|
|
# tags:
|
|
# - harden
|
|
|