update ansible-os-hardening 5.0.0

roles/os-harden/README.md

@@ -27,8 +27,7 @@ It will not:
 
 ## Requirements
 
-* Ansible 2.4.2
-
+* Ansible 2.5.0
 
 ## Warning
 
@@ -108,7 +107,7 @@ If you want to override sysctl-variables, you can use the `sysctl_overwrite` var
         - dev-sec.os-hardening
       vars:
         sysctl_overwrite:
-          # Disable IPv4 traffic forwarding.
+          # Enable IPv4 traffic forwarding.
           net.ipv4.ip_forward: 1
 ```
 

roles/os-harden/defaults/main.yml

@@ -1,6 +1,6 @@
 os_desktop_enable: false
 os_env_extra_user_paths: []
-os_auth_pw_max_age: 99999 # 密码过期天数 
+os_auth_pw_max_age: 60
 os_auth_pw_min_age: 7 # discourage password cycling
 os_auth_retries: 5
 os_auth_lockout_time: 600 # 10min
@@ -35,7 +35,7 @@ os_security_init_prompt: true
 os_security_init_single: false
 
 # Apply ufw defaults
-ufw_manage_defaults: false 
+ufw_manage_defaults: true
 
 # Empty variable disables IPT_SYSCTL in /etc/default/ufw
 # by default in Ubuntu it set to: /etc/ufw/sysctl.conf
@@ -53,7 +53,7 @@ ufw_ipt_modules: 'nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns'
 
 sysctl_config:
   # Disable IPv4 traffic forwarding. | sysctl-01
-  net.ipv4.ip_forward: 1
+  net.ipv4.ip_forward: 0
 
   # Disable IPv6 traffic forwarding. | sysctl-19
   net.ipv6.conf.all.forwarding: 0
@@ -243,3 +243,7 @@ os_unused_filesystems:
 
 # whitelist for used filesystems
 os_filesystem_whitelist: []
+
+# Set to false to turn the role into a no-op. Useful when using
+# the Ansible role dependency mechanism.
+os_hardening_enabled: true

roles/os-harden/meta/main.yml

@@ -4,7 +4,7 @@ galaxy_info:
   description: 'This Ansible role provides numerous security-related configurations, providing all-round base protection.'
   company: Hardening Framework Team
   license: Apache License 2.0
-  min_ansible_version: '2.4.2'
+  min_ansible_version: '2.5'
   platforms:
     - name: EL
       versions:

roles/os-harden/os-harden.yml

@@ -1,5 +1,46 @@
 # [可选]操作系统安全加固 https://github.com/dev-sec/ansible-os-hardening
 - hosts: all
+  vars:
+    os_security_users_allow: change_user
+    os_auth_pam_passwdqc_enable: false
+    os_security_suid_sgid_blacklist: ['/bin/umount']
+    os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
+    os_filesystem_whitelist: ['vfat']
+    sysctl_config:
+      net.ipv4.ip_forward: 0
+      net.ipv6.conf.all.forwarding: 0
+      net.ipv6.conf.all.accept_ra: 0
+      net.ipv6.conf.default.accept_ra: 0
+      net.ipv4.conf.all.rp_filter: 1
+      net.ipv4.conf.default.rp_filter: 1
+      net.ipv4.icmp_echo_ignore_broadcasts: 1
+      net.ipv4.icmp_ignore_bogus_error_responses: 1
+      net.ipv4.icmp_ratelimit: 100
+      net.ipv4.icmp_ratemask: 88089
+      net.ipv6.conf.all.disable_ipv6: 1
+      net.ipv4.conf.all.arp_ignore: 1
+      net.ipv4.conf.all.arp_announce: 2
+      net.ipv4.conf.all.shared_media: 1
+      net.ipv4.conf.default.shared_media: 1
+      net.ipv4.conf.all.accept_source_route: 0
+      net.ipv4.conf.default.accept_source_route: 0
+      net.ipv4.conf.default.accept_redirects: 0
+      net.ipv4.conf.all.accept_redirects: 0
+      net.ipv4.conf.all.secure_redirects: 0
+      net.ipv4.conf.default.secure_redirects: 0
+      net.ipv6.conf.default.accept_redirects: 0
+      net.ipv6.conf.all.accept_redirects: 0
+      net.ipv4.conf.all.send_redirects: 0
+      net.ipv4.conf.default.send_redirects: 0
+      net.ipv4.conf.all.log_martians: 1
+      net.ipv6.conf.default.router_solicitations: 0
+      net.ipv6.conf.default.accept_ra_rtr_pref: 0
+      net.ipv6.conf.default.accept_ra_pinfo: 0
+      net.ipv6.conf.default.accept_ra_defrtr: 0
+      net.ipv6.conf.default.autoconf: 0
+      net.ipv6.conf.default.dad_transmits: 0
+      net.ipv6.conf.default.max_addresses: 1
   roles:
-  - { role: os-harden, when: "OS_HARDEN is defined and OS_HARDEN == 'yes'" }
+  - os-harden 
+  #- { role: os-harden, when: "OS_HARDEN is defined and OS_HARDEN == 'yes'" }
 

roles/os-harden/tasks/auditd.yml

@@ -0,0 +1,14 @@
+---
+
+- name: install auditd package | package-08
+  package:
+    name: '{{ auditd_package }}'
+    state: 'present'
+
+- name: configure auditd | package-08
+  template:
+    src: 'etc/audit/auditd.conf.j2'
+    dest: '/etc/audit/auditd.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0640'

roles/os-harden/tasks/find_files.yml

@@ -0,0 +1,12 @@
+- name: find directories for minimizing access
+  find:
+    paths: '{{ outer_item }}'
+    recurse: yes
+  register: minimize_access_directories
+
+- name: minimize access on found files
+  file:
+    path: '{{ item.path }}'
+    mode: 'go-w'
+    state: file
+  with_items: '{{ minimize_access_directories.files }}'

roles/os-harden/tasks/hardening.yml

@@ -0,0 +1,59 @@
+---
+- name: Set OS family dependent variables
+  include_vars: '{{ ansible_os_family }}.yml'
+  tags: always
+
+- name: Set OS dependent variables
+  include_vars: '{{ item }}'
+  with_first_found:
+    - files:
+      - '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml'
+      - '{{ ansible_distribution }}.yml'
+      - '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml'
+      skip: true
+  tags: always
+
+- import_tasks: auditd.yml
+  tags: auditd
+
+- import_tasks: limits.yml
+  tags: limits
+
+- import_tasks: login_defs.yml
+  tags: login_defs
+
+- import_tasks: minimize_access.yml
+  tags: minimize_access
+
+- import_tasks: pam.yml
+  tags: pam
+
+- import_tasks: modprobe.yml
+  tags: modprobe
+
+- import_tasks: profile.yml
+  tags: profile
+
+- import_tasks: securetty.yml
+  tags: securetty
+
+- import_tasks: suid_sgid.yml
+  when: os_security_suid_sgid_enforce
+  tags: suid_sgid
+
+- import_tasks: sysctl.yml
+  tags: sysctl
+
+- import_tasks: user_accounts.yml
+  tags: user_accounts
+
+- import_tasks: rhosts.yml
+  tags: rhosts
+
+- import_tasks: yum.yml
+  when: ansible_os_family == 'RedHat'
+  tags: yum
+
+- import_tasks: apt.yml
+  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+  tags: apt

roles/os-harden/tasks/limits.yml

@@ -31,5 +31,4 @@
   file:
     path: /etc/security/limits.d/10.hardcore.conf
     state: absent
-
   when: 'os_security_kernel_enable_core_dump'

roles/os-harden/tasks/login_defs.yml

@@ -1,7 +1,7 @@
 ---
 - name: create login.defs | os-05, os-05b
   template:
-    src: 'login.defs.j2'
+    src: 'etc/login.defs.j2'
     dest: '/etc/login.defs'
     owner: 'root'
     group: 'root'

roles/os-harden/tasks/main.yml

@@ -1,60 +1,4 @@
 ---
-- name: apt更新缓存刷新
-  apt: update_cache=yes cache_valid_time=72000
-  when: ansible_os_family == 'Debian'
 
-- name: Set OS family dependent variables
-  include_vars: '{{ ansible_os_family }}.yml'
-  tags: always
-
-- name: Set OS dependent variables
-  include_vars: '{{ item }}'
-  with_first_found:
-    - files:
-      - '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml'
-      - '{{ ansible_distribution }}.yml'
-      - '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml'
-      skip: true
-  tags: always
-
-- import_tasks: limits.yml
-  tags: limits
-
-- import_tasks: login_defs.yml
-  tags: login_defs
-
-- include_tasks: minimize_access.yml
-  tags: minimize_access
-
-- import_tasks: pam.yml
-  tags: pam
-
-- import_tasks: modprobe.yml
-  tags: modprobe
-
-- import_tasks: profile.yml
-  tags: profile
-
-- import_tasks: securetty.yml
-  tags: securetty
-
-- import_tasks: suid_sgid.yml
-  when: os_security_suid_sgid_enforce
-  tags: suid_sgid
-
-- import_tasks: sysctl.yml
-  tags: sysctl
-
-- import_tasks: user_accounts.yml
-  tags: user_accounts
-
-- import_tasks: rhosts.yml
-  tags: rhosts
-
-- import_tasks: yum.yml
-  when: ansible_os_family == 'RedHat'
-  tags: yum
-
-- import_tasks: apt.yml
-  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
-  tags: apt
+- include_tasks: hardening.yml
+  when: os_hardening_enabled

roles/os-harden/tasks/minimize_access.yml

@@ -1,10 +1,9 @@
 ---
 # Using a two-pass approach for checking directories in order to support symlinks.
-- name: find directories for minimizing access
-  stat:
-    path: '{{ item }}'
-  register: minimize_access_directories
-  with_items:
+- include_tasks: find_files.yml
+  loop_control:
+    loop_var: outer_item
+  loop:
     - '/usr/local/sbin'
     - '/usr/local/bin'
     - '/usr/sbin'
@@ -13,14 +12,6 @@
     - '/bin'
     - '{{ os_env_extra_user_paths }}'
 
-- name: minimize access
-  file:
-    path: '{{ item.stat.path }}'
-    mode: 'go-w'
-    recurse: 'yes'
-  when: item.stat.isdir
-  with_items: '{{ minimize_access_directories.results }}'
-
 - name: change shadow ownership to root and mode to 0600 | os-02
   file:
     dest: '/etc/shadow'

roles/os-harden/tasks/modprobe.yml

@@ -4,9 +4,19 @@
     name: '{{modprobe_package}}'
     state: 'present'
 
+- name: check if efi is installed
+  stat:
+    path: "/sys/firmware/efi"
+  register: efi_installed
+
+- name: remove vfat from fs-list if efi is used
+  set_fact:
+    os_unused_filesystems: "{{ os_unused_filesystems | difference('vfat') }}"
+  when: efi_installed.stat.isdir is defined and efi_installed.stat.isdir
+
 - name: disable unused filesystems | os-10
   template:
-    src: 'modprobe.j2'
+    src: 'etc/modprobe.d/modprobe.j2'
     dest: '/etc/modprobe.d/dev-sec.conf'
     owner: 'root'
     group: 'root'

roles/os-harden/tasks/pam.yml

@@ -6,17 +6,14 @@
   environment:
     DEBIAN_FRONTEND: noninteractive
 
-- name: remove pam ccreds on Debian systems
-  apt:
+# the reason for this is so a user cannot connect to a server,
+# that isn't connected to an LDAP server anymore.
+# normally caching credentials shouldn't be necessary for most machines.
+# removing it provides some more security while not removing usability.
+- name: remove pam ccreds to disable password caching
+  package:
     name: '{{ os_packages_pam_ccreds }}'
     state: 'absent'
-  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
-
-- name: remove pam ccreds on Redhat systems
-  yum:
-    name: '{{ os_packages_pam_ccreds }}'
-    state: 'absent'
-  when: ansible_os_family == 'RedHat'
 
 - name: remove pam_cracklib, because it does not play nice with passwdqc
   apt:
@@ -33,9 +30,9 @@
 
 - name: configure passwdqc
   template:
-    src: 'pam_passwdqd.j2'
+    src: 'usr/share/pam-configs/pam_passwdqd.j2'
     dest: '{{ passwdqc_path }}'
-    mode: '0640'
+    mode: '0644'
     owner: 'root'
     group: 'root'
   when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
@@ -54,9 +51,9 @@
 
 - name: configure tally2
   template:
-    src: 'pam_tally2.j2'
+    src: 'usr/share/pam-configs/pam_tally2.j2'
     dest: '{{ tally2_path }}'
-    mode: '0640'
+    mode: '0644'
     owner: 'root'
     group: 'root'
   when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0
@@ -71,13 +68,13 @@
   yum:
     name: '{{ os_packages_pam_cracklib }}'
     state: 'absent'
-  when: ((ansible_os_family == 'RedHat' and ansible_distribution_version < '7') or ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable
+  when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable
 
 - name: install the package for strong password checking
   yum:
     name: '{{ os_packages_pam_passwdqc }}'
     state: 'present'
-  when: ((ansible_os_family == 'RedHat' and ansible_distribution_version < '7') or ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable
+  when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable
 
 - name: remove passwdqc
   yum:
@@ -87,7 +84,7 @@
 
 - name: configure passwdqc and tally via central system-auth confic
   template:
-    src: 'rhel_system_auth.j2'
+    src: 'etc/pam.d/rhel_system_auth.j2'
     dest: '/etc/pam.d/system-auth-ac'
     mode: '0640'
     owner: 'root'
@@ -95,7 +92,7 @@
 
 - name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
   template:
-    src: 'rhel_libuser.conf.j2'
+    src: 'etc/rhel_libuser.conf.j2'
     dest: '/etc/libuser.conf'
     mode: '0640'
     owner: 'root'

roles/os-harden/tasks/profile.yml

@@ -1,7 +1,7 @@
 ---
 - name: add pinerolo_profile.sh to profile.d
   template:
-    src: 'profile.conf.j2'
+    src: 'etc/profile.d/profile.conf.j2'
     dest: '/etc/profile.d/pinerolo_profile.sh'
     owner: 'root'
     group: 'root'

roles/os-harden/tasks/securetty.yml

@@ -1,7 +1,7 @@
 ---
 - name: create securetty
   template:
-    src: 'securetty.j2'
+    src: 'etc/securetty.j2'
     dest: '/etc/securetty'
     owner: 'root'
     group: 'root'

roles/os-harden/tasks/sysctl.yml

@@ -8,7 +8,7 @@
 
 - name: set Daemon umask, do config for rhel-family | NSA 2.2.4.1
   template:
-    src: 'rhel_sysconfig_init.j2'
+    src: 'etc/sysconfig/rhel_sysconfig_init.j2'
     dest: '/etc/sysconfig/init'
     owner: 'root'
     group: 'root'
@@ -24,7 +24,7 @@
 
 - name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled
   template:
-    src: 'modules.j2'
+    src: 'etc/initramfs-tools/modules.j2'
     dest: '/etc/initramfs-tools/modules'
     owner: 'root'
     group: 'root'
@@ -63,7 +63,7 @@
 
 - name: Apply ufw defaults
   template:
-    src: 'ufw.j2'
+    src: 'etc/default/ufw.j2'
     dest: '/etc/default/ufw'
   when: ufw_manage_defaults and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')
   tags: ufw

roles/os-harden/templates/etc/audit/auditd.conf.j2

@@ -0,0 +1,28 @@
+log_file = /var/log/audit/audit.log
+log_format = RAW
+log_group = root
+priority_boost = 4
+flush = INCREMENTAL
+freq = 20
+num_logs = 5
+disp_qos = lossy
+dispatcher = /sbin/audispd
+name_format = NONE
+##name = mydomain
+max_log_file = 6
+max_log_file_action = keep_logs
+space_left = 75
+space_left_action = SYSLOG
+action_mail_acct = root
+admin_space_left = 50
+admin_space_left_action = SUSPEND
+disk_full_action = SUSPEND
+disk_error_action = SUSPEND
+##tcp_listen_port =
+tcp_listen_queue = 5
+tcp_max_per_addr = 1
+##tcp_client_ports = 1024-65535
+tcp_client_max_idle = 0
+enable_krb5 = no
+krb5_principal = auditd
+##krb5_key_file = /etc/audit/audit.key

roles/os-harden/vars/Debian.yml

@@ -5,6 +5,7 @@ passwdqc_path: '/usr/share/pam-configs/passwdqc'
 tally2_path: '/usr/share/pam-configs/tally2'
 os_nologin_shell_path: '/usr/sbin/nologin'
 
+auditd_package: 'auditd'
 modprobe_package: 'kmod'
 
 # Different distros use different standards for /etc/shadow perms, e.g.

roles/os-harden/vars/RedHat.yml

@@ -1,6 +1,7 @@
 ---
 
 modprobe_package: 'module-init-tools'
+auditd_package: 'audit'
 
 os_packages_pam_ccreds: 'pam_ccreds'
 os_packages_pam_passwdqc: 'pam_passwdqc'