mirror of https://github.com/easzlab/kubeasz.git
update ansible-os-hardening 5.0.0
parent
b6d99ce217
commit
57ace894e1
|
@ -27,8 +27,7 @@ It will not:
|
|||
|
||||
## Requirements
|
||||
|
||||
* Ansible 2.4.2
|
||||
|
||||
* Ansible 2.5.0
|
||||
|
||||
## Warning
|
||||
|
||||
|
@ -108,7 +107,7 @@ If you want to override sysctl-variables, you can use the `sysctl_overwrite` var
|
|||
- dev-sec.os-hardening
|
||||
vars:
|
||||
sysctl_overwrite:
|
||||
# Disable IPv4 traffic forwarding.
|
||||
# Enable IPv4 traffic forwarding.
|
||||
net.ipv4.ip_forward: 1
|
||||
```
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
os_desktop_enable: false
|
||||
os_env_extra_user_paths: []
|
||||
os_auth_pw_max_age: 99999 # 密码过期天数
|
||||
os_auth_pw_max_age: 60
|
||||
os_auth_pw_min_age: 7 # discourage password cycling
|
||||
os_auth_retries: 5
|
||||
os_auth_lockout_time: 600 # 10min
|
||||
|
@ -35,7 +35,7 @@ os_security_init_prompt: true
|
|||
os_security_init_single: false
|
||||
|
||||
# Apply ufw defaults
|
||||
ufw_manage_defaults: false
|
||||
ufw_manage_defaults: true
|
||||
|
||||
# Empty variable disables IPT_SYSCTL in /etc/default/ufw
|
||||
# by default in Ubuntu it set to: /etc/ufw/sysctl.conf
|
||||
|
@ -53,7 +53,7 @@ ufw_ipt_modules: 'nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns'
|
|||
|
||||
sysctl_config:
|
||||
# Disable IPv4 traffic forwarding. | sysctl-01
|
||||
net.ipv4.ip_forward: 1
|
||||
net.ipv4.ip_forward: 0
|
||||
|
||||
# Disable IPv6 traffic forwarding. | sysctl-19
|
||||
net.ipv6.conf.all.forwarding: 0
|
||||
|
@ -243,3 +243,7 @@ os_unused_filesystems:
|
|||
|
||||
# whitelist for used filesystems
|
||||
os_filesystem_whitelist: []
|
||||
|
||||
# Set to false to turn the role into a no-op. Useful when using
|
||||
# the Ansible role dependency mechanism.
|
||||
os_hardening_enabled: true
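Review bot: `os_auth_pw_max_age` goes from 99999 to 60 in the `@ -1,6 +1,6 @@` hunk, and the Chinese comment on the 99999 line suggests that value was this repository's own override being replaced by the upstream default; if so, every host hardened by this role will now get a 60-day password expiry via login.defs, and the kubeasz playbook in this commit does not set `os_auth_pw_max_age`, so nothing preserves the previous behaviour. Whichever value is wanted, it should be a deliberate choice made in the playbook's `vars:` rather than a side effect of the vendor update, with a comment such as `# upstream default is 60 days; kubeasz previously disabled expiry with 99999`. The same applies to `ufw_manage_defaults: true`, which (per the `when:` in sysctl.yml) now rewrites `/etc/default/ufw` on Debian/Ubuntu hosts unless the playbook sets it back to `false`.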
|
||||
|
|
|
@ -4,7 +4,7 @@ galaxy_info:
|
|||
description: 'This Ansible role provides numerous security-related configurations, providing all-round base protection.'
|
||||
company: Hardening Framework Team
|
||||
license: Apache License 2.0
|
||||
min_ansible_version: '2.4.2'
|
||||
min_ansible_version: '2.5'
|
||||
platforms:
|
||||
- name: EL
|
||||
versions:
|
||||
|
|
|
@ -1,5 +1,46 @@
|
|||
# [可选]操作系统安全加固 https://github.com/dev-sec/ansible-os-hardening
|
||||
- hosts: all
|
||||
vars:
|
||||
os_security_users_allow: change_user
|
||||
os_auth_pam_passwdqc_enable: false
|
||||
os_security_suid_sgid_blacklist: ['/bin/umount']
|
||||
os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
|
||||
os_filesystem_whitelist: ['vfat']
|
||||
sysctl_config:
|
||||
net.ipv4.ip_forward: 0
|
||||
net.ipv6.conf.all.forwarding: 0
|
||||
net.ipv6.conf.all.accept_ra: 0
|
||||
net.ipv6.conf.default.accept_ra: 0
|
||||
net.ipv4.conf.all.rp_filter: 1
|
||||
net.ipv4.conf.default.rp_filter: 1
|
||||
net.ipv4.icmp_echo_ignore_broadcasts: 1
|
||||
net.ipv4.icmp_ignore_bogus_error_responses: 1
|
||||
net.ipv4.icmp_ratelimit: 100
|
||||
net.ipv4.icmp_ratemask: 88089
|
||||
net.ipv6.conf.all.disable_ipv6: 1
|
||||
net.ipv4.conf.all.arp_ignore: 1
|
||||
net.ipv4.conf.all.arp_announce: 2
|
||||
net.ipv4.conf.all.shared_media: 1
|
||||
net.ipv4.conf.default.shared_media: 1
|
||||
net.ipv4.conf.all.accept_source_route: 0
|
||||
net.ipv4.conf.default.accept_source_route: 0
|
||||
net.ipv4.conf.default.accept_redirects: 0
|
||||
net.ipv4.conf.all.accept_redirects: 0
|
||||
net.ipv4.conf.all.secure_redirects: 0
|
||||
net.ipv4.conf.default.secure_redirects: 0
|
||||
net.ipv6.conf.default.accept_redirects: 0
|
||||
net.ipv6.conf.all.accept_redirects: 0
|
||||
net.ipv4.conf.all.send_redirects: 0
|
||||
net.ipv4.conf.default.send_redirects: 0
|
||||
net.ipv4.conf.all.log_martians: 1
|
||||
net.ipv6.conf.default.router_solicitations: 0
|
||||
net.ipv6.conf.default.accept_ra_rtr_pref: 0
|
||||
net.ipv6.conf.default.accept_ra_pinfo: 0
|
||||
net.ipv6.conf.default.accept_ra_defrtr: 0
|
||||
net.ipv6.conf.default.autoconf: 0
|
||||
net.ipv6.conf.default.dad_transmits: 0
|
||||
net.ipv6.conf.default.max_addresses: 1
|
||||
roles:
|
||||
- { role: os-harden, when: "OS_HARDEN is defined and OS_HARDEN == 'yes'" }
|
||||
- os-harden
|
||||
#- { role: os-harden, when: "OS_HARDEN is defined and OS_HARDEN == 'yes'" }
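Review bot: `net.ipv4.ip_forward: 0` under `sysctl_config` in the play vars disables IPv4 forwarding on every host in `hosts: all`, and because play vars replace the role's default `sysctl_config` dict wholesale (with the default hash behaviour), nothing in this file re-enables it; Kubernetes nodes rely on forwarding for kube-proxy and most CNI plugins, so unless a later kubeasz role writes `net.ipv4.ip_forward = 1` after this play, pod networking would break — please confirm the ordering or set `net.ipv4.ip_forward: 1` here, which is the case the role's README documents for `sysctl_overwrite`. The `roles:` entry also drops the `OS_HARDEN == 'yes'` gate (now only a comment), so the role runs unconditionally on all hosts; the new `os_hardening_enabled` default gives a supported switch, e.g. `os_hardening_enabled: "{{ OS_HARDEN is defined and OS_HARDEN == 'yes' }}"` under `vars:`. Finally, `os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']` keeps the setuid bit on a legacy remote-login client; if this is carried over from the upstream example rather than required here, `[]` is the safer default.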
|
||||
|
||||
|
|
|
@ -0,0 +1,14 @@
|
|||
---
|
||||
|
||||
- name: install auditd package | package-08
|
||||
package:
|
||||
name: '{{ auditd_package }}'
|
||||
state: 'present'
|
||||
|
||||
- name: configure auditd | package-08
|
||||
template:
|
||||
src: 'etc/audit/auditd.conf.j2'
|
||||
dest: '/etc/audit/auditd.conf'
|
||||
owner: 'root'
|
||||
group: 'root'
|
||||
mode: '0640'
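Review bot: The `configure auditd` template task has no `notify`, and nothing in this file starts or enables the service, so a freshly installed auditd stays stopped — or keeps its previous configuration if it was already running — until a reboot or manual restart; installing the package alone does not produce an audit trail. Add `notify: restart auditd` to the template task (the handler would live in handlers/main.yml, which is not part of this commit) and a service task after the install; the service is named `auditd` on both the Debian (`auditd`) and RedHat (`audit`) packages declared in vars/. It is also worth a comment that the template replaces any locally tuned `/etc/audit/auditd.conf` with the role's fixed values.
```yaml
- name: install auditd package | package-08
  package:
    name: '{{ auditd_package }}'
    state: 'present'

- name: enable and start auditd | package-08
  service:
    name: 'auditd'
    state: 'started'
    enabled: true

# … unchanged: configure auditd template task, plus `notify: restart auditd` …
```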
|
|
@ -0,0 +1,12 @@
|
|||
- name: find directories for minimizing access
|
||||
find:
|
||||
paths: '{{ outer_item }}'
|
||||
recurse: yes
|
||||
register: minimize_access_directories
|
||||
|
||||
- name: minimize access on found files
|
||||
file:
|
||||
path: '{{ item.path }}'
|
||||
mode: 'go-w'
|
||||
state: file
|
||||
with_items: '{{ minimize_access_directories.files }}'
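Review bot: `find` returns regular files only by default (`file_type: file`), so the directories themselves are no longer touched; the previous implementation in minimize_access.yml applied `mode: 'go-w'` with `recurse: 'yes'` to each directory, which also removed group/world write from the directory entries. A world-writable directory on root's PATH (the paths looped over in minimize_access.yml) is the more dangerous case and this rewrite would now leave it alone; adding `file_type: any` to the `find:` task and dropping `state: file` from the `file:` task (which fails with "cannot continue" when the path is a directory) restores that coverage. Two style points: `recurse: yes` is a YAML 1.1 truthy spelling — write `recurse: true` — and this new file lacks the leading `---` that auditd.yml and hardening.yml in the same commit carry.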
|
|
@ -0,0 +1,59 @@
|
|||
---
|
||||
- name: Set OS family dependent variables
|
||||
include_vars: '{{ ansible_os_family }}.yml'
|
||||
tags: always
|
||||
|
||||
- name: Set OS dependent variables
|
||||
include_vars: '{{ item }}'
|
||||
with_first_found:
|
||||
- files:
|
||||
- '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml'
|
||||
- '{{ ansible_distribution }}.yml'
|
||||
- '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml'
|
||||
skip: true
|
||||
tags: always
|
||||
|
||||
- import_tasks: auditd.yml
|
||||
tags: auditd
|
||||
|
||||
- import_tasks: limits.yml
|
||||
tags: limits
|
||||
|
||||
- import_tasks: login_defs.yml
|
||||
tags: login_defs
|
||||
|
||||
- import_tasks: minimize_access.yml
|
||||
tags: minimize_access
|
||||
|
||||
- import_tasks: pam.yml
|
||||
tags: pam
|
||||
|
||||
- import_tasks: modprobe.yml
|
||||
tags: modprobe
|
||||
|
||||
- import_tasks: profile.yml
|
||||
tags: profile
|
||||
|
||||
- import_tasks: securetty.yml
|
||||
tags: securetty
|
||||
|
||||
- import_tasks: suid_sgid.yml
|
||||
when: os_security_suid_sgid_enforce
|
||||
tags: suid_sgid
|
||||
|
||||
- import_tasks: sysctl.yml
|
||||
tags: sysctl
|
||||
|
||||
- import_tasks: user_accounts.yml
|
||||
tags: user_accounts
|
||||
|
||||
- import_tasks: rhosts.yml
|
||||
tags: rhosts
|
||||
|
||||
- import_tasks: yum.yml
|
||||
when: ansible_os_family == 'RedHat'
|
||||
tags: yum
|
||||
|
||||
- import_tasks: apt.yml
|
||||
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
|
||||
tags: apt
|
|
@ -31,5 +31,4 @@
|
|||
file:
|
||||
path: /etc/security/limits.d/10.hardcore.conf
|
||||
state: absent
|
||||
|
||||
when: 'os_security_kernel_enable_core_dump'
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
- name: create login.defs | os-05, os-05b
|
||||
template:
|
||||
src: 'login.defs.j2'
|
||||
src: 'etc/login.defs.j2'
|
||||
dest: '/etc/login.defs'
|
||||
owner: 'root'
|
||||
group: 'root'
|
||||
|
|
|
@ -1,60 +1,4 @@
|
|||
---
|
||||
- name: apt更新缓存刷新
|
||||
apt: update_cache=yes cache_valid_time=72000
|
||||
when: ansible_os_family == 'Debian'
|
||||
|
||||
- name: Set OS family dependent variables
|
||||
include_vars: '{{ ansible_os_family }}.yml'
|
||||
tags: always
|
||||
|
||||
- name: Set OS dependent variables
|
||||
include_vars: '{{ item }}'
|
||||
with_first_found:
|
||||
- files:
|
||||
- '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml'
|
||||
- '{{ ansible_distribution }}.yml'
|
||||
- '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml'
|
||||
skip: true
|
||||
tags: always
|
||||
|
||||
- import_tasks: limits.yml
|
||||
tags: limits
|
||||
|
||||
- import_tasks: login_defs.yml
|
||||
tags: login_defs
|
||||
|
||||
- include_tasks: minimize_access.yml
|
||||
tags: minimize_access
|
||||
|
||||
- import_tasks: pam.yml
|
||||
tags: pam
|
||||
|
||||
- import_tasks: modprobe.yml
|
||||
tags: modprobe
|
||||
|
||||
- import_tasks: profile.yml
|
||||
tags: profile
|
||||
|
||||
- import_tasks: securetty.yml
|
||||
tags: securetty
|
||||
|
||||
- import_tasks: suid_sgid.yml
|
||||
when: os_security_suid_sgid_enforce
|
||||
tags: suid_sgid
|
||||
|
||||
- import_tasks: sysctl.yml
|
||||
tags: sysctl
|
||||
|
||||
- import_tasks: user_accounts.yml
|
||||
tags: user_accounts
|
||||
|
||||
- import_tasks: rhosts.yml
|
||||
tags: rhosts
|
||||
|
||||
- import_tasks: yum.yml
|
||||
when: ansible_os_family == 'RedHat'
|
||||
tags: yum
|
||||
|
||||
- import_tasks: apt.yml
|
||||
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
|
||||
tags: apt
|
||||
- include_tasks: hardening.yml
|
||||
when: os_hardening_enabled
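Review bot: `include_tasks: hardening.yml` is a dynamic include with no tags of its own, so the `tags: auditd`, `tags: sysctl`, etc. inside hardening.yml are not known at play-parse time; running with `--tags sysctl` will skip the untagged include itself and therefore everything beneath it. `import_tasks: hardening.yml` with the same `when: os_hardening_enabled` keeps static tagging (the condition is applied to each imported task), or keep `include_tasks` and add `tags: always` so the include is always evaluated and the inner tags filter as expected. This change also removes the `apt: update_cache=yes` task that previously ran before the role's package installs; with the new `auditd` install in auditd.yml, a Debian/Ubuntu host with an empty or stale apt cache may now fail on `package:` unless an earlier kubeasz role refreshes it — worth confirming.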
|
||||
|
|
|
@ -1,10 +1,9 @@
|
|||
---
|
||||
# Using a two-pass approach for checking directories in order to support symlinks.
|
||||
- name: find directories for minimizing access
|
||||
stat:
|
||||
path: '{{ item }}'
|
||||
register: minimize_access_directories
|
||||
with_items:
|
||||
- include_tasks: find_files.yml
|
||||
loop_control:
|
||||
loop_var: outer_item
|
||||
loop:
|
||||
- '/usr/local/sbin'
|
||||
- '/usr/local/bin'
|
||||
- '/usr/sbin'
|
||||
|
@ -13,14 +12,6 @@
|
|||
- '/bin'
|
||||
- '{{ os_env_extra_user_paths }}'
|
||||
|
||||
- name: minimize access
|
||||
file:
|
||||
path: '{{ item.stat.path }}'
|
||||
mode: 'go-w'
|
||||
recurse: 'yes'
|
||||
when: item.stat.isdir
|
||||
with_items: '{{ minimize_access_directories.results }}'
|
||||
|
||||
- name: change shadow ownership to root and mode to 0600 | os-02
|
||||
file:
|
||||
dest: '/etc/shadow'
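Review bot: `loop:` does not flatten nested lists the way `with_items` did, so the `- '{{ os_env_extra_user_paths }}'` entry in the `@ -13,14 +12,6 @@` hunk reaches find_files.yml as a whole list in `outer_item`, and with the role default `os_env_extra_user_paths: []` that is an empty list handed to `find: paths:`; whether that errors or silently matches nothing depends on the Ansible version, and neither is intended. Build one flat list instead, e.g. `loop: "{{ minimize_access_paths + os_env_extra_user_paths }}"` with the fixed directories declared once as `minimize_access_paths`, or append the extra paths with `+ os_env_extra_user_paths` directly on the literal list. The old comment about the two-pass approach for symlinks is dropped with the stat task; if symlinked bin directories still need handling, that reasoning belongs in a comment above the `include_tasks`.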
|
||||
|
|
|
@ -4,9 +4,19 @@
|
|||
name: '{{modprobe_package}}'
|
||||
state: 'present'
|
||||
|
||||
- name: check if efi is installed
|
||||
stat:
|
||||
path: "/sys/firmware/efi"
|
||||
register: efi_installed
|
||||
|
||||
- name: remove vfat from fs-list if efi is used
|
||||
set_fact:
|
||||
os_unused_filesystems: "{{ os_unused_filesystems | difference('vfat') }}"
|
||||
when: efi_installed.stat.isdir is defined and efi_installed.stat.isdir
|
||||
|
||||
- name: disable unused filesystems | os-10
|
||||
template:
|
||||
src: 'modprobe.j2'
|
||||
src: 'etc/modprobe.d/modprobe.j2'
|
||||
dest: '/etc/modprobe.d/dev-sec.conf'
|
||||
owner: 'root'
|
||||
group: 'root'
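Review bot: `difference('vfat')` passes a string where the filter expects a list; with a list on the left, Ansible's `difference` falls back to an `x not in b` test, which against a string is substring containment, so it removes `vfat` here only by accident and would also drop any list entry that happens to be a substring of `vfat`. Write `os_unused_filesystems: "{{ os_unused_filesystems | difference(['vfat']) }}"`. The intent of the new `check if efi is installed` / `remove vfat from fs-list` pair is also worth a comment above the set_fact, e.g. `# EFI system partitions are vfat; blacklisting the module on UEFI hosts would break /boot/efi`, since a reader of the modprobe template alone cannot see why vfat survives on some hosts.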
|
||||
|
|
|
@ -6,17 +6,14 @@
|
|||
environment:
|
||||
DEBIAN_FRONTEND: noninteractive
|
||||
|
||||
- name: remove pam ccreds on Debian systems
|
||||
apt:
|
||||
# the reason for this is so a user cannot connect to a server,
|
||||
# that isn't connected to an LDAP server anymore.
|
||||
# normally caching credentials shouldn't be necessary for most machines.
|
||||
# removing it provides some more security while not removing usability.
|
||||
- name: remove pam ccreds to disable password caching
|
||||
package:
|
||||
name: '{{ os_packages_pam_ccreds }}'
|
||||
state: 'absent'
|
||||
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
|
||||
|
||||
- name: remove pam ccreds on Redhat systems
|
||||
yum:
|
||||
name: '{{ os_packages_pam_ccreds }}'
|
||||
state: 'absent'
|
||||
when: ansible_os_family == 'RedHat'
|
||||
|
||||
- name: remove pam_cracklib, because it does not play nice with passwdqc
|
||||
apt:
|
||||
|
@ -33,9 +30,9 @@
|
|||
|
||||
- name: configure passwdqc
|
||||
template:
|
||||
src: 'pam_passwdqd.j2'
|
||||
src: 'usr/share/pam-configs/pam_passwdqd.j2'
|
||||
dest: '{{ passwdqc_path }}'
|
||||
mode: '0640'
|
||||
mode: '0644'
|
||||
owner: 'root'
|
||||
group: 'root'
|
||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
|
||||
|
@ -54,9 +51,9 @@
|
|||
|
||||
- name: configure tally2
|
||||
template:
|
||||
src: 'pam_tally2.j2'
|
||||
src: 'usr/share/pam-configs/pam_tally2.j2'
|
||||
dest: '{{ tally2_path }}'
|
||||
mode: '0640'
|
||||
mode: '0644'
|
||||
owner: 'root'
|
||||
group: 'root'
|
||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0
|
||||
|
@ -71,13 +68,13 @@
|
|||
yum:
|
||||
name: '{{ os_packages_pam_cracklib }}'
|
||||
state: 'absent'
|
||||
when: ((ansible_os_family == 'RedHat' and ansible_distribution_version < '7') or ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable
|
||||
when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable
|
||||
|
||||
- name: install the package for strong password checking
|
||||
yum:
|
||||
name: '{{ os_packages_pam_passwdqc }}'
|
||||
state: 'present'
|
||||
when: ((ansible_os_family == 'RedHat' and ansible_distribution_version < '7') or ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable
|
||||
when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable
|
||||
|
||||
- name: remove passwdqc
|
||||
yum:
|
||||
|
@ -87,7 +84,7 @@
|
|||
|
||||
- name: configure passwdqc and tally via central system-auth confic
|
||||
template:
|
||||
src: 'rhel_system_auth.j2'
|
||||
src: 'etc/pam.d/rhel_system_auth.j2'
|
||||
dest: '/etc/pam.d/system-auth-ac'
|
||||
mode: '0640'
|
||||
owner: 'root'
|
||||
|
@ -95,7 +92,7 @@
|
|||
|
||||
- name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
|
||||
template:
|
||||
src: 'rhel_libuser.conf.j2'
|
||||
src: 'etc/rhel_libuser.conf.j2'
|
||||
dest: '/etc/libuser.conf'
|
||||
mode: '0640'
|
||||
owner: 'root'
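Review bot: The rewritten conditions in the `@ -71,13 +68,13 @@` hunk still compare `ansible_distribution_version < '7'` as strings; that predates this change, but since the lines are being touched, `ansible_distribution_version is version_compare('7', '<')` avoids lexical ordering surprises (a two-digit major version sorts below `'7'` as text). The same hunk inverts the Amazon Linux handling — Amazon hosts (whose `ansible_os_family` is RedHat) were previously included in the pam_cracklib removal and passwdqc install and are now excluded by `not ansible_distribution == 'Amazon'` — so unless another task outside the hunk covers them, Amazon hosts get no passwdqc install path; a one-line comment on the task stating why Amazon is excluded would make that deliberate, and `ansible_distribution != 'Amazon'` reads more directly than the negated equality. The `mode: '0640'` → `'0644'` change on the pam-configs profiles is a loosening, but those are non-secret PAM profile files, so it is acceptable.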
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
- name: add pinerolo_profile.sh to profile.d
|
||||
template:
|
||||
src: 'profile.conf.j2'
|
||||
src: 'etc/profile.d/profile.conf.j2'
|
||||
dest: '/etc/profile.d/pinerolo_profile.sh'
|
||||
owner: 'root'
|
||||
group: 'root'
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
- name: create securetty
|
||||
template:
|
||||
src: 'securetty.j2'
|
||||
src: 'etc/securetty.j2'
|
||||
dest: '/etc/securetty'
|
||||
owner: 'root'
|
||||
group: 'root'
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
|
||||
- name: set Daemon umask, do config for rhel-family | NSA 2.2.4.1
|
||||
template:
|
||||
src: 'rhel_sysconfig_init.j2'
|
||||
src: 'etc/sysconfig/rhel_sysconfig_init.j2'
|
||||
dest: '/etc/sysconfig/init'
|
||||
owner: 'root'
|
||||
group: 'root'
|
||||
|
@ -24,7 +24,7 @@
|
|||
|
||||
- name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled
|
||||
template:
|
||||
src: 'modules.j2'
|
||||
src: 'etc/initramfs-tools/modules.j2'
|
||||
dest: '/etc/initramfs-tools/modules'
|
||||
owner: 'root'
|
||||
group: 'root'
|
||||
|
@ -63,7 +63,7 @@
|
|||
|
||||
- name: Apply ufw defaults
|
||||
template:
|
||||
src: 'ufw.j2'
|
||||
src: 'etc/default/ufw.j2'
|
||||
dest: '/etc/default/ufw'
|
||||
when: ufw_manage_defaults and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')
|
||||
tags: ufw
|
||||
|
|
|
@ -0,0 +1,28 @@
|
|||
log_file = /var/log/audit/audit.log
|
||||
log_format = RAW
|
||||
log_group = root
|
||||
priority_boost = 4
|
||||
flush = INCREMENTAL
|
||||
freq = 20
|
||||
num_logs = 5
|
||||
disp_qos = lossy
|
||||
dispatcher = /sbin/audispd
|
||||
name_format = NONE
|
||||
##name = mydomain
|
||||
max_log_file = 6
|
||||
max_log_file_action = keep_logs
|
||||
space_left = 75
|
||||
space_left_action = SYSLOG
|
||||
action_mail_acct = root
|
||||
admin_space_left = 50
|
||||
admin_space_left_action = SUSPEND
|
||||
disk_full_action = SUSPEND
|
||||
disk_error_action = SUSPEND
|
||||
##tcp_listen_port =
|
||||
tcp_listen_queue = 5
|
||||
tcp_max_per_addr = 1
|
||||
##tcp_client_ports = 1024-65535
|
||||
tcp_client_max_idle = 0
|
||||
enable_krb5 = no
|
||||
krb5_principal = auditd
|
||||
##krb5_key_file = /etc/audit/audit.key
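Review bot: `admin_space_left_action = SUSPEND`, `disk_full_action = SUSPEND` and `disk_error_action = SUSPEND` make auditd stop writing records when space runs low or the disk errors, so the host keeps running with no audit trail and no notification beyond the `space_left_action = SYSLOG` message at the earlier threshold; `disp_qos = lossy` likewise permits records to be dropped on the dispatcher path. These are auditd's shipped defaults and a defensible availability-first choice, but in a hardening role the trade-off should be stated in the file, e.g. `## SUSPEND favours availability over a complete audit trail; choose single/halt or ship logs off-host where the trail matters more`. Also, despite the `.j2` extension nothing here is templated, so a consumer cannot change any of these actions without replacing the whole file — exposing them as role variables with these values as defaults would match how the rest of the role is configured.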
|
|
@ -5,6 +5,7 @@ passwdqc_path: '/usr/share/pam-configs/passwdqc'
|
|||
tally2_path: '/usr/share/pam-configs/tally2'
|
||||
os_nologin_shell_path: '/usr/sbin/nologin'
|
||||
|
||||
auditd_package: 'auditd'
|
||||
modprobe_package: 'kmod'
|
||||
|
||||
# Different distros use different standards for /etc/shadow perms, e.g.
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
---
|
||||
|
||||
modprobe_package: 'module-init-tools'
|
||||
auditd_package: 'audit'
|
||||
|
||||
os_packages_pam_ccreds: 'pam_ccreds'
|
||||
os_packages_pam_passwdqc: 'pam_passwdqc'
|
||||
|
|