update: os-hardening 7.0.0

pull/992/head
gjmzj 2021-01-19 23:35:31 +08:00
parent e51aa3603d
commit 5ae78116f6
50 changed files with 1178 additions and 433 deletions


@ -1,13 +1,12 @@
############################
# role:prepare
# prepare
############################
# 可选离线安装系统软件包 (offline|online)
INSTALL_SOURCE: "online"
# 可选进行系统安全加固 github.com/dev-sec/ansible-collection-hardening
OS_HARDEN: false
############################
# role:chrony
############################
# 设置时间源服务器【重要:集群内机器时间必须同步】
ntp_servers:
- "ntp1.aliyun.com"
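Review bot: The new `OS_HARDEN: false` switch is the right default for a cluster installer, but its comment only names the upstream project and says nothing about what flipping it to true does to every host of the play or that it cannot be undone by setting it back to false. Judging from the dev-sec changelog bundled in this commit, the role rewrites sysctl, strips SUID/SGID bits, blacklists filesystem modules, edits PAM/login.defs and purges packages — inferred from that changelog, so confirm against the vendored role's defaults before relying on the wording. Suggest replacing the comment with `# optional OS hardening via github.com/dev-sec/ansible-collection-hardening; when true the role changes sysctl, SUID/SGID bits, PAM/login.defs and installed packages on every host in the play, and those changes are NOT reverted by setting it back to false` so operators read the vendored role's defaults before enabling it.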

ezdown

@ -14,7 +14,7 @@ set -o errexit
# default settings, can be overridden by cmd line options, see usage
DOCKER_VER=19.03.14
KUBEASZ_VER=3.0.0-rc
KUBEASZ_VER=3.0.0
K8S_BIN_VER=v1.20.2
EXT_BIN_VER=0.8.1
SYS_PKG_VER=0.3.3


@ -6,6 +6,7 @@
- ex_lb
- chrony
roles:
- { role: os-harden, when: "OS_HARDEN|bool" }
- { role: chrony, when: "groups['chrony']|length > 0" }
# to create CA, kubeconfig, kube-proxy.kubeconfig etc.
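Review bot: `when: "OS_HARDEN|bool"` raises "'OS_HARDEN' is undefined" and aborts the play for any cluster whose config was generated before this commit, because the variable only exists in the new example config and nothing supplies a default here. A conditional on a new opt-in flag should tolerate its absence: `- { role: os-harden, when: "OS_HARDEN|default(false)|bool" }`. The same pattern is repeated in every playbook of this commit, so the fix belongs in each of them. The play's `hosts:` header starts above this hunk.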


@ -3,6 +3,7 @@
- hosts: harbor
roles:
- { role: os-harden, when: "OS_HARDEN|bool" }
- { role: chrony, when: "NEW_INSTALL == 'yes' and groups['chrony']|length > 0" }
- { role: prepare, when: "NEW_INSTALL == 'yes'" }
- { role: docker, when: "NEW_INSTALL == 'yes'" }
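Review bot: The new os-harden entry is the only role in this play not gated on `NEW_INSTALL == 'yes'`, so a re-run of the harbor playbook against an already-deployed registry host with OS_HARDEN enabled re-applies the hardening profile (sysctl, SUID bits, package removal, per the bundled changelog) to a live host while chrony, prepare and docker are skipped. Unless hardening on every re-run is intended, gate it like its siblings: `- { role: os-harden, when: "NEW_INSTALL == 'yes' and OS_HARDEN|default(false)|bool" }`. The `default(false)` also avoids an undefined-variable failure on configs written before this flag existed. The play header `- hosts: harbor` is the first line of the hunk; its end is outside it.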


@ -39,6 +39,7 @@
vars:
CLUSTER_STATE: existing
roles:
- { role: os-harden, when: "OS_HARDEN|bool" }
- { role: chrony, when: "groups['chrony']|length > 0" }
- prepare
- etcd
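Review bot: This play declares `CLUSTER_STATE: existing` and now runs os-harden ahead of `prepare` and `etcd` on every run, so enabling OS_HARDEN later hardens hosts that may already be serving etcd; the other roles here are not gated either, so that may be intended, but nothing in the play says so. The dev-sec role's sysctl and filesystem-module changes can interact with a running node — inferred from its changelog, not from the vendored role, so verify. Suggest a comment above the new line: `# os-harden re-runs on every execution when OS_HARDEN is true and modifies sysctl/SUID/PAM on live hosts; review roles/os-harden/defaults before enabling on an existing cluster`, and `OS_HARDEN|default(false)|bool` so older configs without the flag do not abort here. The play header is outside the hunk.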


@ -2,6 +2,7 @@
- hosts: "{{ NODE_TO_ADD }}"
roles:
- { role: os-harden, when: "OS_HARDEN|bool" }
- { role: chrony, when: "groups['chrony']|length > 0" }
- prepare
- { role: docker, when: "CONTAINER_RUNTIME == 'docker'" }


@ -2,6 +2,7 @@
- hosts: "{{ NODE_TO_ADD }}"
roles:
- { role: os-harden, when: "OS_HARDEN|bool" }
- { role: chrony, when: "groups['chrony']|length > 0" }
- prepare
- { role: docker, when: "CONTAINER_RUNTIME == 'docker'" }


@ -6,6 +6,7 @@
- ex_lb
- chrony
roles:
- { role: os-harden, when: "OS_HARDEN|bool" }
- { role: chrony, when: "groups['chrony']|length > 0" }
# to create CA, kubeconfig, kube-proxy.kubeconfig etc.
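Review bot: The `hosts:` list of this play includes `ex_lb` and `chrony` alongside the cluster groups, so the new os-harden entry applies the same hardening profile to the external load balancers and the time servers as to the Kubernetes nodes, widening the blast radius of a flag the example config describes only as cluster hardening. If that is intended it should be stated next to the switch; if not, scope it, e.g. `- { role: os-harden, when: "OS_HARDEN|default(false)|bool and inventory_hostname not in groups['ex_lb']" }`. The `default(false)` guard also keeps the play from failing on configs generated before OS_HARDEN existed. The play header starts above this hunk.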


@ -0,0 +1,495 @@
# Changelog
## [6.3.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.3.0) (2020-10-28)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.2.0...6.3.0)
**Implemented enhancements:**
- Breaking change in ansible-lint - set file permissions explicitly [\#299](https://github.com/dev-sec/ansible-os-hardening/issues/299)
- Improve Documentation [\#315](https://github.com/dev-sec/ansible-os-hardening/pull/315) ([schurzi](https://github.com/schurzi))
- Arch support [\#303](https://github.com/dev-sec/ansible-os-hardening/pull/303) ([rndmh3ro](https://github.com/rndmh3ro))
- fix linting for molecule [\#301](https://github.com/dev-sec/ansible-os-hardening/pull/301) ([schurzi](https://github.com/schurzi))
- file permissions explicitly defined [\#300](https://github.com/dev-sec/ansible-os-hardening/pull/300) ([danielkubat](https://github.com/danielkubat))
**Fixed bugs:**
- Task "set 10.hardcore.conf perms to 0400 and root ownership" fails in check mode [\#313](https://github.com/dev-sec/ansible-os-hardening/issues/313)
- use touch for 10.hardcore.conf to avoid problems with dry-run [\#314](https://github.com/dev-sec/ansible-os-hardening/pull/314) ([schurzi](https://github.com/schurzi))
- use touch with no date changes [\#310](https://github.com/dev-sec/ansible-os-hardening/pull/310) ([rndmh3ro](https://github.com/rndmh3ro))
- do not touch sysctl file to avoid idempotency problems [\#309](https://github.com/dev-sec/ansible-os-hardening/pull/309) ([rndmh3ro](https://github.com/rndmh3ro))
**Closed issues:**
- Any planned support for RHEL/CentOS 8? [\#298](https://github.com/dev-sec/ansible-os-hardening/issues/298)
**Merged pull requests:**
- prettier markdown files action added [\#322](https://github.com/dev-sec/ansible-os-hardening/pull/322) ([danielkubat](https://github.com/danielkubat))
- adjust permissions on shadow file on suse [\#311](https://github.com/dev-sec/ansible-os-hardening/pull/311) ([rndmh3ro](https://github.com/rndmh3ro))
## [6.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.2.0) (2020-08-17)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.1.0...6.2.0)
**Implemented enhancements:**
- Optimize and unify when clause [\#295](https://github.com/dev-sec/ansible-os-hardening/pull/295) ([Alexhha](https://github.com/Alexhha))
- use find module instead of shell [\#294](https://github.com/dev-sec/ansible-os-hardening/pull/294) ([danielkubat](https://github.com/danielkubat))
- improve testing [\#287](https://github.com/dev-sec/ansible-os-hardening/pull/287) ([schurzi](https://github.com/schurzi))
**Fixed bugs:**
- Inconsistent use of role vars/role defaults [\#284](https://github.com/dev-sec/ansible-os-hardening/issues/284)
- replace module parameter fixed [\#297](https://github.com/dev-sec/ansible-os-hardening/pull/297) ([danielkubat](https://github.com/danielkubat))
**Closed issues:**
- Consider using find module instead of shell [\#293](https://github.com/dev-sec/ansible-os-hardening/issues/293)
- Optimize logical OR in when clause [\#292](https://github.com/dev-sec/ansible-os-hardening/issues/292)
- vfat added to dev-sec.conf, but efi is used [\#288](https://github.com/dev-sec/ansible-os-hardening/issues/288)
- OpenSUSE Support [\#249](https://github.com/dev-sec/ansible-os-hardening/issues/249)
**Merged pull requests:**
- fix fedora build [\#296](https://github.com/dev-sec/ansible-os-hardening/pull/296) ([rndmh3ro](https://github.com/rndmh3ro))
- do not blacklist used filesystems [\#289](https://github.com/dev-sec/ansible-os-hardening/pull/289) ([schurzi](https://github.com/schurzi))
- move hidepid vars into defaults so theyre overwritable [\#285](https://github.com/dev-sec/ansible-os-hardening/pull/285) ([rndmh3ro](https://github.com/rndmh3ro))
## [6.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.1.0) (2020-07-21)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.3...6.1.0)
**Implemented enhancements:**
- Mount proc filesystem using hidepid option [\#283](https://github.com/dev-sec/ansible-os-hardening/pull/283) ([alegrey91](https://github.com/alegrey91))
**Fixed bugs:**
- Is it safe to use on Debian 10? The build is failing. [\#281](https://github.com/dev-sec/ansible-os-hardening/issues/281)
**Closed issues:**
- The state of the galaxy release [\#269](https://github.com/dev-sec/ansible-os-hardening/issues/269)
**Merged pull requests:**
- install procps in debian so sysctl.conf exists [\#282](https://github.com/dev-sec/ansible-os-hardening/pull/282) ([rndmh3ro](https://github.com/rndmh3ro))
## [6.0.3](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.3) (2020-06-06)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.2...6.0.3)
**Implemented enhancements:**
- unify changelog and release actions [\#279](https://github.com/dev-sec/ansible-os-hardening/pull/279) ([rndmh3ro](https://github.com/rndmh3ro))
## [6.0.2](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.2) (2020-06-02)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.1...6.0.2)
**Implemented enhancements:**
- purge insecure packages [\#275](https://github.com/dev-sec/ansible-os-hardening/pull/275) ([chris-rock](https://github.com/chris-rock))
## [6.0.1](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.1) (2020-05-09)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.0...6.0.1)
**Implemented enhancements:**
- add changelog and release workflow [\#271](https://github.com/dev-sec/ansible-os-hardening/pull/271) ([rndmh3ro](https://github.com/rndmh3ro))
- github action for changelog generation [\#270](https://github.com/dev-sec/ansible-os-hardening/pull/270) ([rndmh3ro](https://github.com/rndmh3ro))
## [6.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.0) (2020-05-05)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.2.1...6.0.0)
**Implemented enhancements:**
- Configure audit=1 for more accurate auid auditing [\#253](https://github.com/dev-sec/ansible-os-hardening/issues/253)
- Add Debian Buster support for ansible-os-hardening [\#233](https://github.com/dev-sec/ansible-os-hardening/issues/233)
- Add CentOS 8 support for ansible-os-hardening [\#232](https://github.com/dev-sec/ansible-os-hardening/issues/232)
- Add selinux configuration [\#154](https://github.com/dev-sec/ansible-os-hardening/issues/154)
- Make useradd defaults in login.defs dependent on OS [\#266](https://github.com/dev-sec/ansible-os-hardening/pull/266) ([aisbergg](https://github.com/aisbergg))
- Add kernel hardening parameters from Tails and CIS Benchmark [\#263](https://github.com/dev-sec/ansible-os-hardening/pull/263) ([kravietz](https://github.com/kravietz))
- add ansible-lint [\#262](https://github.com/dev-sec/ansible-os-hardening/pull/262) ([rndmh3ro](https://github.com/rndmh3ro))
- Remove trailing space [\#261](https://github.com/dev-sec/ansible-os-hardening/pull/261) ([kravietz](https://github.com/kravietz))
- Add kernel parameter information to README [\#259](https://github.com/dev-sec/ansible-os-hardening/pull/259) ([jaredledvina](https://github.com/jaredledvina))
- Remove trailing whitespaces \(ansible-lint 201\) [\#254](https://github.com/dev-sec/ansible-os-hardening/pull/254) ([kravietz](https://github.com/kravietz))
- Standardize the var ordering [\#251](https://github.com/dev-sec/ansible-os-hardening/pull/251) ([dustinmiller1337](https://github.com/dustinmiller1337))
- Add intial support for OpenSUSE [\#250](https://github.com/dev-sec/ansible-os-hardening/pull/250) ([dustinmiller1337](https://github.com/dustinmiller1337))
- Make max_log_file_action for auditd configurable [\#246](https://github.com/dev-sec/ansible-os-hardening/pull/246) ([jandd](https://github.com/jandd))
- Add exception in sysctl task [\#240](https://github.com/dev-sec/ansible-os-hardening/pull/240) ([ghost](https://github.com/ghost))
- Fedora - Use new auto ansible_python_interpreter for dnf [\#239](https://github.com/dev-sec/ansible-os-hardening/pull/239) ([jaredledvina](https://github.com/jaredledvina))
- add test support for CentOS8 [\#237](https://github.com/dev-sec/ansible-os-hardening/pull/237) ([yeoldegrove](https://github.com/yeoldegrove))
- Support configuring SELinux and default to enforcing [\#236](https://github.com/dev-sec/ansible-os-hardening/pull/236) ([jaredledvina](https://github.com/jaredledvina))
- Add test support for debian buster [\#234](https://github.com/dev-sec/ansible-os-hardening/pull/234) ([123Haynes](https://github.com/123Haynes))
- Changed local var name to a less common one [\#231](https://github.com/dev-sec/ansible-os-hardening/pull/231) ([rgarrigue](https://github.com/rgarrigue))
- Use ansible facts for vars [\#226](https://github.com/dev-sec/ansible-os-hardening/pull/226) ([joshuatalb](https://github.com/joshuatalb))
**Fixed bugs:**
- /etc/login.defs alters centos 7/8 default values [\#265](https://github.com/dev-sec/ansible-os-hardening/issues/265)
- Invalid Conditionals in user_accounts.yml [\#255](https://github.com/dev-sec/ansible-os-hardening/issues/255)
- `auth-system` related files are created for non-RHEL systems \(e.g. Debian\) [\#247](https://github.com/dev-sec/ansible-os-hardening/issues/247)
- NSA website links are stale [\#227](https://github.com/dev-sec/ansible-os-hardening/issues/227)
- Running ansible on python3 throughs "TypeError: '\<=' not supported between instances of 'str' and 'int'" [\#223](https://github.com/dev-sec/ansible-os-hardening/issues/223)
- \[lots of\] deprecation warnings in Ansible 2.8 [\#221](https://github.com/dev-sec/ansible-os-hardening/issues/221)
- Add a "don't fail on error" switch ? [\#148](https://github.com/dev-sec/ansible-os-hardening/issues/148)
- Addressing issue \#255 [\#258](https://github.com/dev-sec/ansible-os-hardening/pull/258) ([ljkimmel](https://github.com/ljkimmel))
- Fix \#247, cleanup conditions [\#248](https://github.com/dev-sec/ansible-os-hardening/pull/248) ([fernandezcuesta](https://github.com/fernandezcuesta))
- Fix error on applying the sysctl vars on containers [\#243](https://github.com/dev-sec/ansible-os-hardening/pull/243) ([ghost](https://github.com/ghost))
- Update location of NSA RHEL 5 Guide [\#235](https://github.com/dev-sec/ansible-os-hardening/pull/235) ([jaredledvina](https://github.com/jaredledvina))
## [5.2.1](https://github.com/dev-sec/ansible-os-hardening/tree/5.2.1) (2019-06-09)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.2.0...5.2.1)
**Implemented enhancements:**
- Fix deprecation warnings in Ansible 2.8 [\#224](https://github.com/dev-sec/ansible-os-hardening/pull/224) ([Normo](https://github.com/Normo))
- add docs to find-task in minimize access. fix \#219 [\#220](https://github.com/dev-sec/ansible-os-hardening/pull/220) ([rndmh3ro](https://github.com/rndmh3ro))
**Fixed bugs:**
- `squash\_actions` deprecation warning [\#218](https://github.com/dev-sec/ansible-os-hardening/issues/218)
## [5.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/5.2.0) (2019-05-04)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.1.0...5.2.0)
**Implemented enhancements:**
- Speed up "minimize access on found files" task [\#208](https://github.com/dev-sec/ansible-os-hardening/issues/208)
- Fedora support? [\#163](https://github.com/dev-sec/ansible-os-hardening/issues/163)
- remove eol'd OS and add new [\#217](https://github.com/dev-sec/ansible-os-hardening/pull/217) ([rndmh3ro](https://github.com/rndmh3ro))
- Add note about docker under warning [\#214](https://github.com/dev-sec/ansible-os-hardening/pull/214) ([ChrisMcKee](https://github.com/ChrisMcKee))
- change minimize access tasks to speed them up [\#209](https://github.com/dev-sec/ansible-os-hardening/pull/209) ([rndmh3ro](https://github.com/rndmh3ro))
- Added fedora support [\#206](https://github.com/dev-sec/ansible-os-hardening/pull/206) ([jonaswre](https://github.com/jonaswre))
- Pass package list directly to apt and yum modules without using with_items loop [\#200](https://github.com/dev-sec/ansible-os-hardening/pull/200) ([Normo](https://github.com/Normo))
**Fixed bugs:**
- login.defs.j2 template: ENV_PATH is missing ':' before variable substitution [\#202](https://github.com/dev-sec/ansible-os-hardening/issues/202)
- 'sysctl_rhel_config' is undefined [\#167](https://github.com/dev-sec/ansible-os-hardening/issues/167)
- RHEL 7.4: Too many setuid bits removed [\#140](https://github.com/dev-sec/ansible-os-hardening/issues/140)
- Fix typo [\#212](https://github.com/dev-sec/ansible-os-hardening/pull/212) ([ruslo](https://github.com/ruslo))
- Update modprobe to 0644 [\#211](https://github.com/dev-sec/ansible-os-hardening/pull/211) ([joshuatalb](https://github.com/joshuatalb))
- Test Kitchen Vagrant Fixes [\#210](https://github.com/dev-sec/ansible-os-hardening/pull/210) ([joshuatalb](https://github.com/joshuatalb))
- \[readme\] Update documentation link [\#207](https://github.com/dev-sec/ansible-os-hardening/pull/207) ([pmav99](https://github.com/pmav99))
- fix ansible lint remarks [\#204](https://github.com/dev-sec/ansible-os-hardening/pull/204) ([rndmh3ro](https://github.com/rndmh3ro))
- add colon to user env paths - fix \#202 [\#203](https://github.com/dev-sec/ansible-os-hardening/pull/203) ([rndmh3ro](https://github.com/rndmh3ro))
- Fix errors produced by ansible-lint [\#159](https://github.com/dev-sec/ansible-os-hardening/pull/159) ([zbrojny120](https://github.com/zbrojny120))
## [5.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/5.1.0) (2018-10-17)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.0.0...5.1.0)
**Implemented enhancements:**
- add ubuntu 1804 support [\#196](https://github.com/dev-sec/ansible-os-hardening/pull/196) ([rndmh3ro](https://github.com/rndmh3ro))
- add option to disable auditd [\#192](https://github.com/dev-sec/ansible-os-hardening/pull/192) ([rndmh3ro](https://github.com/rndmh3ro))
**Fixed bugs:**
- auditd causing v5.0 to fail on unpriviledged LXC's [\#191](https://github.com/dev-sec/ansible-os-hardening/issues/191)
- Setting os_security_users_allow has no effect [\#175](https://github.com/dev-sec/ansible-os-hardening/issues/175)
- add /usr/bin/su to suid_guid whitelist [\#199](https://github.com/dev-sec/ansible-os-hardening/pull/199) ([ccolic](https://github.com/ccolic))
- ensure that permissions to su-binary are not restricted to root user and group only, if os_security_users_allow contains the value change_user [\#197](https://github.com/dev-sec/ansible-os-hardening/pull/197) ([szEvEz](https://github.com/szEvEz))
## [5.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/5.0.0) (2018-09-02)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.3.0...5.0.0)
**Implemented enhancements:**
- Warning about "include" for tasks for ansible-playbook 2.4.0 \(devel f0a5854e39\) [\#131](https://github.com/dev-sec/ansible-os-hardening/issues/131)
- fix problems with efi and vfat [\#190](https://github.com/dev-sec/ansible-os-hardening/pull/190) ([rndmh3ro](https://github.com/rndmh3ro))
- added os_hardening_enabled flag [\#186](https://github.com/dev-sec/ansible-os-hardening/pull/186) ([jcheroske](https://github.com/jcheroske))
- add amazon run opts to travis [\#183](https://github.com/dev-sec/ansible-os-hardening/pull/183) ([rndmh3ro](https://github.com/rndmh3ro))
- use package instead of yum and apt [\#180](https://github.com/dev-sec/ansible-os-hardening/pull/180) ([rndmh3ro](https://github.com/rndmh3ro))
- add oracle7 to travis [\#178](https://github.com/dev-sec/ansible-os-hardening/pull/178) ([rndmh3ro](https://github.com/rndmh3ro))
- fix wrong permissions passwdqc \#170 [\#176](https://github.com/dev-sec/ansible-os-hardening/pull/176) ([rndmh3ro](https://github.com/rndmh3ro))
- ipv4 forwarding comment is inconsistent with example [\#174](https://github.com/dev-sec/ansible-os-hardening/pull/174) ([carchrae](https://github.com/carchrae))
- Rename pam_passwdqd.j2 to pam_passwdqc.j2 [\#172](https://github.com/dev-sec/ansible-os-hardening/pull/172) ([martinbydefault](https://github.com/martinbydefault))
- Use package state 'present' since 'installed' is deprecated [\#168](https://github.com/dev-sec/ansible-os-hardening/pull/168) ([Normo](https://github.com/Normo))
- Update syntax to Ansible 2.4 [\#161](https://github.com/dev-sec/ansible-os-hardening/pull/161) ([thomasjpfan](https://github.com/thomasjpfan))
- add amazon linux testing [\#160](https://github.com/dev-sec/ansible-os-hardening/pull/160) ([rndmh3ro](https://github.com/rndmh3ro))
- Add support for Amazon Linux [\#158](https://github.com/dev-sec/ansible-os-hardening/pull/158) ([woneill](https://github.com/woneill))
- install and configure auditd - fix inspec package-08 [\#144](https://github.com/dev-sec/ansible-os-hardening/pull/144) ([rndmh3ro](https://github.com/rndmh3ro))
- Remove deprecated include for static tasks and use instead import_tasks fix \#131 [\#132](https://github.com/dev-sec/ansible-os-hardening/pull/132) ([HelioCampos](https://github.com/HelioCampos))
**Fixed bugs:**
- minimize_access: maximum recursion depth exceeded on Ansible 2.5 [\#171](https://github.com/dev-sec/ansible-os-hardening/issues/171)
- wrong permissions passwdqc [\#170](https://github.com/dev-sec/ansible-os-hardening/issues/170)
- Update deprecated `include` statements [\#166](https://github.com/dev-sec/ansible-os-hardening/issues/166)
- Strongly recommend against disabling vfat by default [\#162](https://github.com/dev-sec/ansible-os-hardening/issues/162)
- System completely unresponsive after role execution [\#145](https://github.com/dev-sec/ansible-os-hardening/issues/145)
- do not install passwdqc on amazon linux [\#189](https://github.com/dev-sec/ansible-os-hardening/pull/189) ([rndmh3ro](https://github.com/rndmh3ro))
- add back run opts for debian 8 in travis [\#184](https://github.com/dev-sec/ansible-os-hardening/pull/184) ([rndmh3ro](https://github.com/rndmh3ro))
- Fix core dump config file creation when core dumps are disabled [\#182](https://github.com/dev-sec/ansible-os-hardening/pull/182) ([Normo](https://github.com/Normo))
- change minimize access method [\#181](https://github.com/dev-sec/ansible-os-hardening/pull/181) ([rndmh3ro](https://github.com/rndmh3ro))
## [4.3.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.3.0) (2018-01-03)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.3.1...4.3.0)
**Implemented enhancements:**
- Update some RH settings in this role [\#155](https://github.com/dev-sec/ansible-os-hardening/issues/155)
- Removal of core dump hardening configuration if core dumps are allowed [\#129](https://github.com/dev-sec/ansible-os-hardening/issues/129)
- Don't create home for system accounts [\#156](https://github.com/dev-sec/ansible-os-hardening/pull/156) ([oakey-b1](https://github.com/oakey-b1))
- Prevent disabling of filesystems via whitelist [\#153](https://github.com/dev-sec/ansible-os-hardening/pull/153) ([manuelprinz](https://github.com/manuelprinz))
- Add kernel hardening settings from Ubuntu /etc/sysctl.d [\#150](https://github.com/dev-sec/ansible-os-hardening/pull/150) ([kravietz](https://github.com/kravietz))
- Removal of core dump hardening configuration if core dumps are allowed [\#146](https://github.com/dev-sec/ansible-os-hardening/pull/146) ([martinbydefault](https://github.com/martinbydefault))
- add missing sysctl parameter [\#143](https://github.com/dev-sec/ansible-os-hardening/pull/143) ([rndmh3ro](https://github.com/rndmh3ro))
- update readme [\#139](https://github.com/dev-sec/ansible-os-hardening/pull/139) ([rndmh3ro](https://github.com/rndmh3ro))
**Fixed bugs:**
- bug in ufw.j2 template [\#151](https://github.com/dev-sec/ansible-os-hardening/issues/151)
- replace single ticks with double ticks. fix \#151 [\#152](https://github.com/dev-sec/ansible-os-hardening/pull/152) ([rndmh3ro](https://github.com/rndmh3ro))
- fixed tag [\#149](https://github.com/dev-sec/ansible-os-hardening/pull/149) ([martinbydefault](https://github.com/martinbydefault))
**Closed issues:**
- ansible hardening fails on ubuntu 16.04 with msg": "ERROR! 'sysctl_rhel_config' is undefined [\#147](https://github.com/dev-sec/ansible-os-hardening/issues/147)
- Enhancement: Test with TestInfra and Molecule [\#128](https://github.com/dev-sec/ansible-os-hardening/issues/128)
**Merged pull requests:**
- move defaults to os-specific vars [\#157](https://github.com/dev-sec/ansible-os-hardening/pull/157) ([rndmh3ro](https://github.com/rndmh3ro))
## [4.3.1](https://github.com/dev-sec/ansible-os-hardening/tree/4.3.1) (2017-09-13)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.2.0...4.3.1)
**Fixed bugs:**
- os_security_kernel_enable_sysrq is not implemented [\#115](https://github.com/dev-sec/ansible-os-hardening/issues/115)
## [4.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.2.0) (2017-08-08)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.1.0...4.2.0)
**Implemented enhancements:**
- add modprobe template, control os-10 [\#138](https://github.com/dev-sec/ansible-os-hardening/pull/138) ([rndmh3ro](https://github.com/rndmh3ro))
- new task for delete netrc files, control os-09 [\#137](https://github.com/dev-sec/ansible-os-hardening/pull/137) ([rndmh3ro](https://github.com/rndmh3ro))
- add passwd task, control os-03 [\#136](https://github.com/dev-sec/ansible-os-hardening/pull/136) ([rndmh3ro](https://github.com/rndmh3ro))
- remove prelink package, control package-09 [\#135](https://github.com/dev-sec/ansible-os-hardening/pull/135) ([rndmh3ro](https://github.com/rndmh3ro))
- style update [\#134](https://github.com/dev-sec/ansible-os-hardening/pull/134) ([rndmh3ro](https://github.com/rndmh3ro))
- Fix ansible.cfg and use comment filter [\#130](https://github.com/dev-sec/ansible-os-hardening/pull/130) ([fazlearefin](https://github.com/fazlearefin))
**Fixed bugs:**
- Why is rsync removed? [\#141](https://github.com/dev-sec/ansible-os-hardening/issues/141)
- playbook makes OS undetectable [\#124](https://github.com/dev-sec/ansible-os-hardening/issues/124)
- Centos7/RHEL7: Exec shield is enabled by default and not manageable anymore by sysctl.conf [\#118](https://github.com/dev-sec/ansible-os-hardening/issues/118)
- Remove rsync from package blacklist [\#142](https://github.com/dev-sec/ansible-os-hardening/pull/142) ([duk3luk3](https://github.com/duk3luk3))
**Merged pull requests:**
- add more sysctl settings, allow overwriting [\#120](https://github.com/dev-sec/ansible-os-hardening/pull/120) ([rndmh3ro](https://github.com/rndmh3ro))
- remove execshield sysctl-parameter on rhel7 [\#119](https://github.com/dev-sec/ansible-os-hardening/pull/119) ([rndmh3ro](https://github.com/rndmh3ro))
## [4.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.1.0) (2017-06-27)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.0.0...4.1.0)
**Fixed bugs:**
- Change system accounts not on the user provided ignore-list items are not JSON serializable [\#125](https://github.com/dev-sec/ansible-os-hardening/issues/125)
- Could not find gem 'ruby \(\>= 2.1.0\)' [\#116](https://github.com/dev-sec/ansible-os-hardening/issues/116)
- The task sysctl fails when /etc/initramfs-tools is not present [\#111](https://github.com/dev-sec/ansible-os-hardening/issues/111)
- Deprecation warning always_run [\#103](https://github.com/dev-sec/ansible-os-hardening/issues/103)
**Closed issues:**
- Enhancement: Pin python dependencies for development and testing [\#127](https://github.com/dev-sec/ansible-os-hardening/issues/127)
- Update readme to include baselines [\#122](https://github.com/dev-sec/ansible-os-hardening/issues/122)
**Merged pull requests:**
- Converts set to JSON-serializable list [\#126](https://github.com/dev-sec/ansible-os-hardening/pull/126) ([pestaa](https://github.com/pestaa))
## [4.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.0.0) (2017-03-14)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.2.0...4.0.0)
**Implemented enhancements:**
- Description of the Ansible roles of dev-sec says "This Ansible playbook" [\#97](https://github.com/dev-sec/ansible-os-hardening/issues/97)
- install initramfs-tools [\#114](https://github.com/dev-sec/ansible-os-hardening/pull/114) ([rndmh3ro](https://github.com/rndmh3ro))
- omit empty variables [\#106](https://github.com/dev-sec/ansible-os-hardening/pull/106) ([rndmh3ro](https://github.com/rndmh3ro))
**Fixed bugs:**
- The role fails when conditionally included [\#105](https://github.com/dev-sec/ansible-os-hardening/issues/105)
**Closed issues:**
- Error running on RHEL 7 due to syntax issues [\#112](https://github.com/dev-sec/ansible-os-hardening/issues/112)
- disable password age [\#109](https://github.com/dev-sec/ansible-os-hardening/issues/109)
**Merged pull requests:**
- change shadow owner in debian systems [\#117](https://github.com/dev-sec/ansible-os-hardening/pull/117) ([rndmh3ro](https://github.com/rndmh3ro))
- Rhel7 [\#113](https://github.com/dev-sec/ansible-os-hardening/pull/113) ([tyrken](https://github.com/tyrken))
- use new Docker images [\#110](https://github.com/dev-sec/ansible-os-hardening/pull/110) ([rndmh3ro](https://github.com/rndmh3ro))
- Dont refer to this role as "playbook" in the role description [\#104](https://github.com/dev-sec/ansible-os-hardening/pull/104) ([ypid](https://github.com/ypid))
## [3.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.2.0) (2016-10-24)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.1.0...3.2.0)
**Fixed bugs:**
- CentOS 7 selinux dependencies [\#102](https://github.com/dev-sec/ansible-os-hardening/issues/102)
- ubuntu xenial warning during activate gpg-check for yum-repos [\#99](https://github.com/dev-sec/ansible-os-hardening/issues/99)
- rhel_system_auth.j2 is still using pam_passwdqc.so for CentOS 7 [\#98](https://github.com/dev-sec/ansible-os-hardening/issues/98)
- Enable pam_pwquality in rhel-family \> 7 [\#73](https://github.com/dev-sec/ansible-os-hardening/issues/73)
- "irc" user always changed after reboot [\#53](https://github.com/dev-sec/ansible-os-hardening/issues/53)
**Merged pull requests:**
- update template [\#101](https://github.com/dev-sec/ansible-os-hardening/pull/101) ([rndmh3ro](https://github.com/rndmh3ro))
- fix deprecation warning for undefined error. \#99 [\#100](https://github.com/dev-sec/ansible-os-hardening/pull/100) ([rndmh3ro](https://github.com/rndmh3ro))
- add rhel7 pam_pwquality. fix \#73 [\#94](https://github.com/dev-sec/ansible-os-hardening/pull/94) ([rndmh3ro](https://github.com/rndmh3ro))
## [3.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.1.0) (2016-08-03)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.1...3.1.0)
## [3.1](https://github.com/dev-sec/ansible-os-hardening/tree/3.1) (2016-07-27)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.0.0...3.1)
**Implemented enhancements:**
- Supports --check mode [\#93](https://github.com/dev-sec/ansible-os-hardening/pull/93) ([conorsch](https://github.com/conorsch))
- Adds support for CentOS 7 [\#91](https://github.com/dev-sec/ansible-os-hardening/pull/91) ([conorsch](https://github.com/conorsch))
- Docker [\#90](https://github.com/dev-sec/ansible-os-hardening/pull/90) ([rndmh3ro](https://github.com/rndmh3ro))
- debian 8 support [\#88](https://github.com/dev-sec/ansible-os-hardening/pull/88) ([rndmh3ro](https://github.com/rndmh3ro))
- Ufw manage defaults [\#85](https://github.com/dev-sec/ansible-os-hardening/pull/85) ([fitz123](https://github.com/fitz123))
- replace ignore_errors to failed_when to supress ugly error warnings [\#81](https://github.com/dev-sec/ansible-os-hardening/pull/81) ([fitz123](https://github.com/fitz123))
- fix bare variables usage for loops [\#79](https://github.com/dev-sec/ansible-os-hardening/pull/79) ([fitz123](https://github.com/fitz123))
**Fixed bugs:**
- Centos 7.1 fails at \[Change various sysctl-settings on rhel-hosts...\] [\#74](https://github.com/dev-sec/ansible-os-hardening/issues/74)
- Hardening fails on Centos 7.1 at task 'minimize access' [\#71](https://github.com/dev-sec/ansible-os-hardening/issues/71)
**Closed issues:**
- Permissions on /etc/shadow can lock out GUI users [\#86](https://github.com/dev-sec/ansible-os-hardening/issues/86)
- network related sysctl rewritten by ufw in ubuntu [\#82](https://github.com/dev-sec/ansible-os-hardening/issues/82)
- ansible \>= 2.0 complains: Using bare variables is deprecated [\#78](https://github.com/dev-sec/ansible-os-hardening/issues/78)
**Merged pull requests:**
- Fix a formatting issue in readme. [\#92](https://github.com/dev-sec/ansible-os-hardening/pull/92) ([vivekagr](https://github.com/vivekagr))
- Permits overriding permissions on /etc/shadow [\#89](https://github.com/dev-sec/ansible-os-hardening/pull/89) ([conorsch](https://github.com/conorsch))
## [3.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.0.0) (2016-03-13)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/2.0.0...3.0.0)
**Implemented enhancements:**
- update platforms in meta-file [\#69](https://github.com/dev-sec/ansible-os-hardening/pull/69) ([rndmh3ro](https://github.com/rndmh3ro))
- add webhook for ansible galaxy [\#68](https://github.com/dev-sec/ansible-os-hardening/pull/68) ([rndmh3ro](https://github.com/rndmh3ro))
- Move sysctl vars to defaults [\#67](https://github.com/dev-sec/ansible-os-hardening/pull/67) ([rndmh3ro](https://github.com/rndmh3ro))
- make sys_uid and sys_gid configurable [\#62](https://github.com/dev-sec/ansible-os-hardening/pull/62) ([rndmh3ro](https://github.com/rndmh3ro))
- Ansible 2.0 support [\#59](https://github.com/dev-sec/ansible-os-hardening/pull/59) ([rndmh3ro](https://github.com/rndmh3ro))
- use inspec as test framework [\#58](https://github.com/dev-sec/ansible-os-hardening/pull/58) ([chris-rock](https://github.com/chris-rock))
- Packages as attributes [\#57](https://github.com/dev-sec/ansible-os-hardening/pull/57) ([rndmh3ro](https://github.com/rndmh3ro))
- Change categories to tags for upcoming ansible 2.0 [\#56](https://github.com/dev-sec/ansible-os-hardening/pull/56) ([rndmh3ro](https://github.com/rndmh3ro))
- Add SINGLE and PROMPT parameters. [\#55](https://github.com/dev-sec/ansible-os-hardening/pull/55) ([rndmh3ro](https://github.com/rndmh3ro))
- add changelog generator [\#54](https://github.com/dev-sec/ansible-os-hardening/pull/54) ([chris-rock](https://github.com/chris-rock))
**Fixed bugs:**
- Updates "tags" parameters on includes in main.yml [\#66](https://github.com/dev-sec/ansible-os-hardening/pull/66) ([conorsch](https://github.com/conorsch))
- Suid set def var, fix \#64 [\#63](https://github.com/dev-sec/ansible-os-hardening/pull/63) ([rndmh3ro](https://github.com/rndmh3ro))
**Closed issues:**
- Hardening fails on Centos 7.1 at task 'remove suid/sgid bit from all binaries except in system and user whitelist' [\#72](https://github.com/dev-sec/ansible-os-hardening/issues/72)
- ansible 2.0 | "remove suid/sgid" task fails [\#64](https://github.com/dev-sec/ansible-os-hardening/issues/64)
- Custom sysctl [\#50](https://github.com/dev-sec/ansible-os-hardening/issues/50)
**Merged pull requests:**
- Release 3.0.0 [\#75](https://github.com/dev-sec/ansible-os-hardening/pull/75) ([rndmh3ro](https://github.com/rndmh3ro))
## [2.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/2.0.0) (2015-11-28)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/1.0.0...2.0.0)
**Closed issues:**
- Fix directory structure. [\#48](https://github.com/dev-sec/ansible-os-hardening/issues/48)
- pam auth update error [\#47](https://github.com/dev-sec/ansible-os-hardening/issues/47)
**Merged pull requests:**
- Add explicit role-path to kitchen.yml [\#52](https://github.com/dev-sec/ansible-os-hardening/pull/52) ([rndmh3ro](https://github.com/rndmh3ro))
- Fix pam passwdqc template [\#51](https://github.com/dev-sec/ansible-os-hardening/pull/51) ([rndmh3ro](https://github.com/rndmh3ro))
- New dir layout [\#49](https://github.com/dev-sec/ansible-os-hardening/pull/49) ([rndmh3ro](https://github.com/rndmh3ro))
- remove duplicate "update pam" task [\#46](https://github.com/dev-sec/ansible-os-hardening/pull/46) ([fitz123](https://github.com/fitz123))
- Fix stuck in case pam files was updated before by force update [\#45](https://github.com/dev-sec/ansible-os-hardening/pull/45) ([fitz123](https://github.com/fitz123))
- Fix nologin shell path [\#44](https://github.com/dev-sec/ansible-os-hardening/pull/44) ([fitz123](https://github.com/fitz123))
- improved travis-tests to cover more cases [\#42](https://github.com/dev-sec/ansible-os-hardening/pull/42) ([rndmh3ro](https://github.com/rndmh3ro))
## [1.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/1.0.0) (2015-09-01)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/06d1464e95cad7ccc24734b934a158b16dfc5014...1.0.0)
**Closed issues:**
- ansible-os-hardening/tasks/minimize_access.yml [\#38](https://github.com/dev-sec/ansible-os-hardening/issues/38)
- Role configuration. vars/main.yml? [\#34](https://github.com/dev-sec/ansible-os-hardening/issues/34)
- Sysctl reloading [\#18](https://github.com/dev-sec/ansible-os-hardening/issues/18)
- Add conditions for disabling of ip forwarding [\#15](https://github.com/dev-sec/ansible-os-hardening/issues/15)
- Disable System Accounts [\#6](https://github.com/dev-sec/ansible-os-hardening/issues/6)
**Merged pull requests:**
- Update kitchen-ansible, remove separate debian install [\#40](https://github.com/dev-sec/ansible-os-hardening/pull/40) ([rndmh3ro](https://github.com/rndmh3ro))
- Add mode to su-binary task. Fix \#38 [\#39](https://github.com/dev-sec/ansible-os-hardening/pull/39) ([rndmh3ro](https://github.com/rndmh3ro))
- update common kitchen.yml platforms \(ansible\), kitchen_debian.yml platforms \(ansible\) [\#37](https://github.com/dev-sec/ansible-os-hardening/pull/37) ([chris-rock](https://github.com/chris-rock))
- Change oneliner if-statements to be more readable [\#36](https://github.com/dev-sec/ansible-os-hardening/pull/36) ([rndmh3ro](https://github.com/rndmh3ro))
- Separate system-vars from editable vars. Fix \#34 [\#35](https://github.com/dev-sec/ansible-os-hardening/pull/35) ([rndmh3ro](https://github.com/rndmh3ro))
- Create limits.d-directory if it does not exist. [\#33](https://github.com/dev-sec/ansible-os-hardening/pull/33) ([rndmh3ro](https://github.com/rndmh3ro))
- Add correct CONTRIB-file [\#32](https://github.com/dev-sec/ansible-os-hardening/pull/32) ([rndmh3ro](https://github.com/rndmh3ro))
- Add Ansible Galaxy badge [\#31](https://github.com/dev-sec/ansible-os-hardening/pull/31) ([rndmh3ro](https://github.com/rndmh3ro))
- Update readme, todo, changelog, vars [\#30](https://github.com/dev-sec/ansible-os-hardening/pull/30) ([rndmh3ro](https://github.com/rndmh3ro))
- List-cleanup and follow symlinks added [\#29](https://github.com/dev-sec/ansible-os-hardening/pull/29) ([rndmh3ro](https://github.com/rndmh3ro))
- Add module configuration [\#28](https://github.com/dev-sec/ansible-os-hardening/pull/28) ([rndmh3ro](https://github.com/rndmh3ro))
- Fix two sysctl-settings [\#27](https://github.com/dev-sec/ansible-os-hardening/pull/27) ([rndmh3ro](https://github.com/rndmh3ro))
- Add meta-files for Ansible Galaxy [\#26](https://github.com/dev-sec/ansible-os-hardening/pull/26) ([rndmh3ro](https://github.com/rndmh3ro))
- Disable System Accounts. Fix \#6 [\#25](https://github.com/dev-sec/ansible-os-hardening/pull/25) ([rndmh3ro](https://github.com/rndmh3ro))
- Use changed_when to avoid changed tasks [\#24](https://github.com/dev-sec/ansible-os-hardening/pull/24) ([rndmh3ro](https://github.com/rndmh3ro))
- Delete authconfig-task on rhel-systems [\#23](https://github.com/dev-sec/ansible-os-hardening/pull/23) ([rndmh3ro](https://github.com/rndmh3ro))
- Add missing rhosts-include task [\#21](https://github.com/dev-sec/ansible-os-hardening/pull/21) ([rndmh3ro](https://github.com/rndmh3ro))
- Change sysctl-task. Fix \#18 [\#20](https://github.com/dev-sec/ansible-os-hardening/pull/20) ([rndmh3ro](https://github.com/rndmh3ro))
- Add travis-support [\#17](https://github.com/dev-sec/ansible-os-hardening/pull/17) ([rndmh3ro](https://github.com/rndmh3ro))
- Add conditions for various tasks. Fix \#15 [\#16](https://github.com/dev-sec/ansible-os-hardening/pull/16) ([rndmh3ro](https://github.com/rndmh3ro))
- fix configuration of playbook path [\#14](https://github.com/dev-sec/ansible-os-hardening/pull/14) ([chris-rock](https://github.com/chris-rock))
- Make tasks clearer [\#13](https://github.com/dev-sec/ansible-os-hardening/pull/13) ([rndmh3ro](https://github.com/rndmh3ro))
- Add remove suid/sgid function [\#12](https://github.com/dev-sec/ansible-os-hardening/pull/12) ([rndmh3ro](https://github.com/rndmh3ro))
- Add task to remove unused repos and pkgs [\#11](https://github.com/dev-sec/ansible-os-hardening/pull/11) ([rndmh3ro](https://github.com/rndmh3ro))
- Edit README to fit to os-hardening [\#10](https://github.com/dev-sec/ansible-os-hardening/pull/10) ([rndmh3ro](https://github.com/rndmh3ro))
- ignore RAs on Ipv6 [\#9](https://github.com/dev-sec/ansible-os-hardening/pull/9) ([rndmh3ro](https://github.com/rndmh3ro))
- Repair debian install script [\#8](https://github.com/dev-sec/ansible-os-hardening/pull/8) ([rndmh3ro](https://github.com/rndmh3ro))
- Separate tasks into multiple smaller files [\#7](https://github.com/dev-sec/ansible-os-hardening/pull/7) ([rndmh3ro](https://github.com/rndmh3ro))
- Enable gpg-check on all yum-repositories [\#5](https://github.com/dev-sec/ansible-os-hardening/pull/5) ([rndmh3ro](https://github.com/rndmh3ro))
- Change playbook-path to accomodate test-repo [\#4](https://github.com/dev-sec/ansible-os-hardening/pull/4) ([rndmh3ro](https://github.com/rndmh3ro))
- treat securetty config as an array [\#3](https://github.com/dev-sec/ansible-os-hardening/pull/3) ([arlimus](https://github.com/arlimus))
- Add Securetty-support [\#2](https://github.com/dev-sec/ansible-os-hardening/pull/2) ([rndmh3ro](https://github.com/rndmh3ro))
- Add profile.conf configuration [\#1](https://github.com/dev-sec/ansible-os-hardening/pull/1) ([rndmh3ro](https://github.com/rndmh3ro))
\* _This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)_


@ -1,192 +1,242 @@
# os-hardening (Ansible Role)
# devsec.os_hardening
[![Build Status](http://img.shields.io/travis/dev-sec/ansible-os-hardening.svg)][1]
[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][2]
[![Ansible Galaxy](https://img.shields.io/badge/galaxy-os--hardening-660198.svg)][3]
![devsec.os_hardening](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.os_hardening/badge.svg)
## Looking for the old ansible-os-hardening role?
This role is now part of the hardening-collection. You can find the old role in the branch `legacy`.
## Description
This role provides numerous security-related configurations, providing all-round base protection. It is intended to be compliant with the [DevSec Linux Baseline](https://github.com/dev-sec/linux-baseline).
This role provides numerous security-related configurations, providing all-round base protection. It is intended to be compliant with the [DevSec Linux Baseline](https://github.com/dev-sec/linux-baseline).
It configures:
* Configures package management e.g. allows only signed packages
* Remove packages with known issues
* Configures `pam` and `pam_limits` module
* Shadow password suite configuration
* Configures system path permissions
* Disable core dumps via soft limits
* Restrict Root Logins to System Console
* Set SUIDs
* Configures kernel parameters via sysctl
- Remove unused yum repositories and enable GPG key-checking
- Remove packages with known issues
- Configures pam for strong password checks
- Installs and configures auditd
- Disable core dumps via soft limits
- sets a restrictive umask
- Configures execute permissions of files in system paths
- Hardens access to shadow and passwd files
- Disables unused filesystems
- Disables rhosts
- Configures secure ttys
- Configures kernel parameters via sysctl
- Enables selinux on EL-based systems
- Remove SUIDs and GUIDs
- Configures login and passwords of system accounts
It will not:
* Update system packages
* Install security patches
- Update system packages
- Install security patches
## Requirements
* Ansible 2.5.0
- Ansible 2.9.0
## Warning
## Known Limitations
### Docker support
If you're using Docker / Kubernetes+Docker you'll need to override the ipv4 ip forward sysctl setting.
```yaml
- hosts: localhost
collections:
- devsec.hardening
roles:
- devsec.hardening.os_hardening
vars:
sysctl_overwrite:
# Enable IPv4 traffic forwarding.
net.ipv4.ip_forward: 1
```
### sysctl - vm.mmap_rnd_bits
We are setting this sysctl to a default of `32`, some systems only support smaller values and this will generate an error. Unfortunately we cannot determine the correct applicable maximum. If you encounter this error you have to override this sysctl in your playbook.
```yaml
- hosts: localhost
collections:
- devsec.hardening
roles:
- devsec.hardening.os_hardening
vars:
sysctl_overwrite:
vm.mmap_rnd_bits: 16
```
### Testing with inspec
If you're using inspec to test your machines after applying this role, please make sure to add the connecting user to the `os_ignore_users`-variable.
Otherwise inspec will fail. For more information, see [issue #124](https://github.com/dev-sec/ansible-os-hardening/issues/124).
We know that this is the case on Raspberry Pi.
## Variables
| Name | Default Value | Description |
| -------------- | ------------- | -----------------------------------|
| `os_desktop_enable`| false | true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc|
| `os_env_extra_user_paths`| [] | add additional paths to the user's `PATH` variable (default is empty).|
| `os_env_umask`| 027| set default permissions for new files to `750` |
| `os_auth_pw_max_age`| 60 | maximum password age (set to `99999` to effectively disable it) |
| `os_auth_pw_min_age`| 7 | minimum password age (before allowing any other password change)|
| `os_auth_retries`| 5 | the maximum number of authentication attempts, before the account is locked for some time|
| `os_auth_lockout_time`| 600 | time in seconds that needs to pass, if the account was locked due to too many failed authentication attempts|
| `os_auth_timeout`| 60 | authentication timeout in seconds, so login will exit if this time passes|
| `os_auth_allow_homeless`| false | true if to allow users without home to login|
| `os_auth_pam_passwdqc_enable`| true | true if you want to use strong password checking in PAM using passwdqc|
| `os_auth_pam_passwdqc_options`| "min=disabled,disabled,16,12,8" | set to any option line (as a string) that you want to pass to passwdqc|
| `os_security_users_allow`| [] | list of things, that a user is allowed to do. May contain `change_user`.
| `os_security_kernel_enable_module_loading`| true | true if you want to allowed to change kernel modules once the system is running (eg `modprobe`, `rmmod`)|
| `os_security_kernel_enable_core_dump`| false | kernel is crashing or otherwise misbehaving and a kernel core dump is created |
| `os_security_suid_sgid_enforce`| true | true if you want to reduce SUID/SGID bits. There is already a list of items which are searched for configured, but you can also add your own|
| `os_security_suid_sgid_blacklist`| [] | a list of paths which should have their SUID/SGID bits removed|
| `os_security_suid_sgid_whitelist`| [] | a list of paths which should not have their SUID/SGID bits altered|
| `os_security_suid_sgid_remove_from_unknown`| false | true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.|
| `os_security_packages_clean'`| true | removes packages with known issues. See section packages.|
| `ufw_manage_defaults` | true | true means apply all settings with `ufw_` prefix|
| `ufw_ipt_sysctl` | '' | by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example `/etc/ufw/sysctl.conf`
| `ufw_default_input_policy` | DROP | set default input policy of ufw to `DROP` |
| `ufw_default_output_policy` | ACCEPT | set default output policy of ufw to `ACCEPT` |
| `ufw_default_forward_policy` | DROP| set default forward policy of ufw to `DROP` |
- `os_desktop_enable`
- Default: `false`
- Description: true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc
- `os_env_extra_user_paths`
- Default: `[]`
- Description: add additional paths to the user's `PATH` variable (default is empty).
- `os_env_umask`
- Default: `027`
- Description: set default permissions for new files to `750`
- `os_auth_pw_max_age`
- Default: `60`
- Description: maximum password age (set to `99999` to effectively disable it)
- `os_auth_pw_min_age`
- Default: `7`
- Description: minimum password age (before allowing any other password change)
- `os_auth_retries`
- Default: `5`
- Description: the maximum number of authentication attempts, before the account is locked for some time
- `os_auth_lockout_time`
- Default: `600`
- Description: time in seconds that needs to pass, if the account was locked due to too many failed authentication attempts
- `os_auth_timeout`
- Default: `60`
- Description: authentication timeout in seconds, so login will exit if this time passes
- `os_auth_allow_homeless`
- Default: `false`
- Description: true if to allow users without home to login
- `os_auth_pam_passwdqc_enable`
- Default: `true`
- Description: true if you want to use strong password checking in PAM using passwdqc
- `os_auth_pam_passwdqc_options`
- Default: `min=disabled,disabled,16,12,8`
- Description: set to any option line (as a string) that you want to pass to passwdqc
- `os_security_users_allow`
- Default: `[]`
- Description: list of things, that a user is allowed to do. May contain `change_user`.
- `os_security_kernel_enable_module_loading`
- Default: `true`
- Description: true if you want to allowed to change kernel modules once the system is running (eg `modprobe`, `rmmod`)
- `os_security_kernel_enable_core_dump`
- Default: `false`
- Description: kernel is crashing or otherwise misbehaving and a kernel core dump is created
- `os_security_suid_sgid_enforce`
- Default: `true`
- Description: true if you want to reduce SUID/SGID bits. There is already a list of items which are searched for configured, but you can also add your own
- `os_security_suid_sgid_blacklist`
- Default: `[]`
- Description: a list of paths which should have their SUID/SGID bits removed
- `os_security_suid_sgid_whitelist`
- Default: `[]`
- Description: a list of paths which should not have their SUID/SGID bits altered
- `os_security_suid_sgid_remove_from_unknown`
- Default: `false`
- Description: true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.
- `os_security_packages_clean`
- Default: `true`
- Description: removes packages with known issues. See section packages.
- `os_selinux_state`
- Default: `enforcing`
- Description: Set the SELinux state, can be either disabled, permissive, or enforcing.
- `os_selinux_policy`
- Default: `targeted`
- Description: Set the SELinux polixy.
- `ufw_manage_defaults`
- Default: `true`
- Description: true means apply all settings with `ufw_` prefix
- `ufw_ipt_sysctl`
- Default: `''`
- Description: by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example `/etc/ufw/sysctl.conf`
- `ufw_default_input_policy`
- Default: `DROP`
- Description: set default input policy of ufw to `DROP`
- `ufw_default_output_policy`
- Default: `ACCEPT`
- Description: set default output policy of ufw to `ACCEPT`
- `ufw_default_forward_policy`
- Default: `DROP`
- Description: set default forward policy of ufw to `DROP`
- `os_auditd_enabled`
- Default: `true`
- Description: Set to false to disable installing and configuring auditd.
- `os_auditd_max_log_file_action`
- Default: `keep_logs`
- Description: Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`.
- `hidepid_option`
- Default: `2`
- Description: `0`: This is the default setting and gives you the default behaviour. `1`: With this option an normal user would not see other processes but their own about ps, top etc, but he is still able to see process IDs in /proc. `2`: Users are only able too see their own processes (like with hidepid=1), but also the other process IDs are hidden for them in /proc.
- `proc_mnt_options`
- Default: `rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}`
- Description: Mount proc with hardenized options, including `hidepid` with variable value.
## Packages
We remove the following packages:
* xinetd ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.1)
* inetd ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.1)
* tftp-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.5)
* ypserv ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.4)
* telnet-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.2)
* rsh-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.3)
* prelink ([open-scap](https://static.open-scap.org/ssg-guides/ssg-sl7-guide-ospp-rhel7-server.html#xccdf_org.ssgproject.content_rule_disable_prelink))
- xinetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1)
- inetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1)
- tftp-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.5)
- ypserv ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.4)
- telnet-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.2)
- rsh-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.3)
- prelink ([open-scap](https://static.open-scap.org/ssg-guides/ssg-sl7-guide-ospp-rhel7-server.html#xccdf_org.ssgproject.content_rule_disable_prelink))
## Disabled filesystems
We disable the following filesystems, because they're most likely not used:
* "cramfs"
* "freevxfs"
* "jffs2"
* "hfs"
* "hfsplus"
* "squashfs"
* "udf"
* "vfat"
- "cramfs"
- "freevxfs"
- "jffs2"
- "hfs"
- "hfsplus"
- "squashfs"
- "udf"
- "vfat" # only if uefi is not in use
To prevent some of the filesystems from being disabled, add them to the `os_filesystem_whitelist` variable.
## Example Playbook
- hosts: localhost
roles:
- dev-sec.os-hardening
```yaml
- hosts: localhost
collections:
- devsec.hardening
roles:
- devsec.hardening.os_hardening
```
## Changing sysctl variables
If you want to override sysctl-variables, you can use the `sysctl_overwrite` variable (in older versions you had to override the whole `sysctl_dict`).
+So for example if you want to change the IPv4 traffic forwarding variable to `1`, do it like this:
So for example if you want to change the IPv4 traffic forwarding variable to `1`, do it like this:
```
- hosts: localhost
roles:
- dev-sec.os-hardening
vars:
sysctl_overwrite:
# Enable IPv4 traffic forwarding.
net.ipv4.ip_forward: 1
```yaml
- hosts: localhost
collections:
- devsec.hardening
roles:
- devsec.hardening.os_hardening
vars:
sysctl_overwrite:
# Enable IPv4 traffic forwarding.
net.ipv4.ip_forward: 1
```
Alternatively you can change Ansible's [hash-behaviour](https://docs.ansible.com/ansible/intro_configuration.html#hash-behaviour) to `merge`, then you only have to overwrite the single hash you need to. But please be aware that changing the hash-behaviour changes it for all your playbooks and is not recommended by Ansible.
Alternatively you can change Ansible's [hash-behaviour](https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-hash-behaviour) to `merge`, then you only have to overwrite the single hash you need to. But please be aware that changing the hash-behaviour changes it for all your playbooks and is not recommended by Ansible.
## Local Testing
## Improving Kernel Audit logging
The preferred way of locally testing the role is to use Docker. You will have to install Docker on your system. See [Get started](https://docs.docker.com/) for a Docker package suitable to for your system.
By default, any process that starts before the `auditd` daemon will have an AUID of `4294967295`. To improve this and provide more accurate logging, it's recommended to add the kernel boot parameter `audit=1` to you configuration. Without doing this, you will find that your `auditd` logs fail to properly audit all processes.
You can also use vagrant and Virtualbox or VMWare to run tests locally. You will have to install Virtualbox and Vagrant on your system. See [Vagrant Downloads](http://downloads.vagrantup.com/) for a vagrant package suitable for your system. For all our tests we use `test-kitchen`. If you are not familiar with `test-kitchen` please have a look at [their guide](http://kitchen.ci/docs/getting-started).
For more information, please see this [upstream documentation](https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html) and your system's boot loader documentation for how to configure additional kernel parameters.
Next install test-kitchen:
```bash
# Install dependencies
gem install bundler
bundle install
```
### Testing with Docker
```
# fast test on one machine
bundle exec kitchen test default-ubuntu-1404
# test on all machines
bundle exec kitchen test
# for development
bundle exec kitchen create default-ubuntu-1404
bundle exec kitchen converge default-ubuntu-1404
```
### Testing with Virtualbox
```
# fast test on one machine
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test default-ubuntu-1404
# test on all machines
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test
# for development
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen create default-ubuntu-1404
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen converge default-ubuntu-1404
```
For more information see [test-kitchen](http://kitchen.ci/docs/getting-started)
## Contributors + Kudos
...
## More information
This role is mostly based on guides by:
* [Arch Linux wiki, Sysctl hardening](https://wiki.archlinux.org/index.php/Sysctl)
* [NSA: Guide to the Secure Configuration of Red Hat Enterprise Linux 5](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf)
* [Ubuntu Security/Features](https://wiki.ubuntu.com/Security/Features)
* [Deutsche Telekom, Group IT Security, Security Requirements (German)](https://www.telekom.com/psa)
Thanks to all of you!
## Contributing
See [contributor guideline](CONTRIBUTING.md).
## License and Author
* Author:: Sebastian Gumprich
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
[1]: http://travis-ci.org/dev-sec/ansible-os-hardening
[2]: https://gitter.im/dev-sec/general
[3]: https://galaxy.ansible.com/dev-sec/os-hardening
- [Arch Linux wiki, Sysctl hardening](https://wiki.archlinux.org/index.php/Sysctl)
- [NSA: Guide to the Secure Configuration of Red Hat Enterprise Linux 5](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf)
- [Ubuntu Security/Features](https://wiki.ubuntu.com/Security/Features)
- [Deutsche Telekom, Group IT Security, Security Requirements (German)](https://www.telekom.com/psa)


@ -1,14 +1,15 @@
---
os_desktop_enable: false
os_env_extra_user_paths: []
os_auth_pw_max_age: 60
os_auth_pw_min_age: 7 # discourage password cycling
os_auth_pw_min_age: 7 # discourage password cycling
os_auth_retries: 5
os_auth_lockout_time: 600 # 10min
os_auth_lockout_time: 600 # 10min
os_auth_timeout: 60
os_auth_allow_homeless: false
os_auth_pam_passwdqc_enable: true
os_auth_pam_passwdqc_options: 'min=disabled,disabled,16,12,8' # used in RHEL6
os_auth_pam_pwquality_options: 'try_first_pass retry=3 type=' # used in RHEL7
os_auth_pam_passwdqc_options: 'min=disabled,disabled,16,12,8' # used in RHEL6
os_auth_pam_pwquality_options: 'try_first_pass retry=3 type=' # used in RHEL7
os_auth_root_ttys: [console, tty1, tty2, tty3, tty4, tty5, tty6]
os_chfn_restrict: ''
@ -27,7 +28,7 @@ os_security_suid_sgid_remove_from_unknown: false
# remove packages with known issues
os_security_packages_clean: true
os_security_packages_list: ['xinetd','inetd','ypserv','telnet-server','rsh-server', 'prelink']
os_security_packages_list: ['xinetd', 'inetd', 'ypserv', 'telnet-server', 'rsh-server', 'prelink']
# Allow interactive startup (rhel, centos)
os_security_init_prompt: true
@ -175,17 +176,6 @@ sysctl_config:
kernel.core_uses_pid: 1
# When an attacker is trying to exploit the local kernel, it is often
# helpful to be able to examine where in memory the kernel, modules,
# and data structures live. As such, kernel addresses should be treated
# as sensitive information.
#
# Many files and interfaces contain these addresses (e.g. /proc/kallsyms,
# /proc/modules, etc), and this setting can censor the addresses. A value
# of "0" allows all users to see the kernel addresses. A value of "1"
# limits visibility to the root user, and "2" blocks even the root user.
kernel.kptr_restrict: 1
# The PTRACE system is used for debugging. With it, a single user process
# can attach to any other dumpable process owned by the same user. In the
# case of malicious software, it is possible to use PTRACE to access
@ -226,9 +216,40 @@ sysctl_config:
fs.protected_hardlinks: 1
fs.protected_symlinks: 1
# These settings are set to the maximum supported value in order to
# improve ASLR effectiveness for mmap, at the cost of increased
# address-space fragmentation. | Tail-1
vm.mmap_rnd_bits: 32
vm.mmap_rnd_compat_bits: 16
# When an attacker is trying to exploit the local kernel, it is often
# helpful to be able to examine where in memory the kernel, modules,
# and data structures live. As such, kernel addresses should be treated
# as sensitive information.
#
# Many files and interfaces contain these addresses (e.g. /proc/kallsyms,
# /proc/modules, etc), and this setting can censor the addresses. A value
# of "0" allows all users to see the kernel addresses. A value of "1"
# limits visibility to the root user, and "2" blocks even the root user.
#
# Some off-the-shelf malware exploit kernel addresses exposed
# via /proc/kallsyms so by not making these addresses easily available
# we increase the cost of such attack some what; now such malware has
# to check which kernel Tails is running and then fetch the corresponding
# kernel address map from some external source. This is not hard,
# but certainly not all malware has such functionality. | Tails-2
kernel.kptr_restrict: 2
# kexec is dangerous: it enables replacement of the running kernel. | Tails-3
kernel.kexec_load_disabled: 1
# Do not delete the following line or otherwise the playbook will fail
# at task 'create a combined sysctl-dict if overwrites are defined'
sysctl_overwrite:
net.ipv4.ip_forward: 1
net.bridge.bridge-nf-call-iptables: 1
net.bridge.bridge-nf-call-ip6tables: 1
net.bridge.bridge-nf-call-arptables: 1
# disable unused filesystems
os_unused_filesystems:
@ -240,6 +261,12 @@ os_unused_filesystems:
- "squashfs"
- "udf"
- "vfat"
# Obsolete network protocols that should be disabled
# per CIS Oracle Linux 6 Benchmark (2016)
- "tipc" # CIS 3.5.4
- "sctp" # CIS 3.5.2
- "dccp" # CIS 3.5.1
- "rds" # CIS 3.5.3
# whitelist for used filesystems
os_filesystem_whitelist: []
@ -247,3 +274,15 @@ os_filesystem_whitelist: []
# Set to false to turn the role into a no-op. Useful when using
# the Ansible role dependency mechanism.
os_hardening_enabled: true
# Set to false to disable installing and configuring auditd.
os_auditd_enabled: false
os_auditd_max_log_file_action: keep_logs
# Set the SELinux state, can be either disabled, permissive, or enforcing.
os_selinux_state: disabled
# Set the SELinux polixy.
os_selinux_policy: targeted
hidepid_option: '2' # allowed values: 0, 1, 2
proc_mnt_options: 'rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}'
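Review bot: The cluster-critical sysctls placed under `sysctl_overwrite` (`net.ipv4.ip_forward` and the three `net.bridge.bridge-nf-call-*` keys) sit in the role's defaults, the lowest-precedence layer, while the README in this same commit tells users to set `sysctl_overwrite` themselves to work around `vm.mmap_rnd_bits`; with Ansible's default hash behaviour a user-supplied dict replaces this one wholesale, so such an override silently drops IP forwarding and the bridge-netfilter hooks that pod networking depends on. The existing "Do not delete the following line" comment does not convey that, so extend it with something like `# kubeasz relies on the four keys below; a user-defined sysctl_overwrite REPLACES this whole dict, so copy them into any override`. Separately, the README section of this commit documents `os_auditd_enabled` as `true` and `os_selinux_state` as `enforcing`, whereas this file sets `false` and `disabled`; both choices weaken the upstream baseline, so either align the docs or add a one-line comment on each stating that it is a kubeasz-specific default and why. A small follow-on: `kernel.kexec_load_disabled: 1` cannot be reverted at runtime once applied, which is worth noting in its comment so operators are not surprised when a later override has no effect until reboot.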


@ -0,0 +1,3 @@
---
- name: update-initramfs
command: 'update-initramfs -u'


@ -1,25 +1,28 @@
---
galaxy_info:
author: "Sebastian Gumprich"
description: 'This Ansible role provides numerous security-related configurations, providing all-round base protection.'
description: 'This Ansible role provides numerous security-related ssh configurations, providing all-round base protection.'
company: Hardening Framework Team
license: Apache License 2.0
min_ansible_version: '2.5'
platforms:
- name: EL
versions:
- 6
- 7
- 8
- name: Ubuntu
versions:
- precise
- trusty
- xenial
- bionic
- name: Debian
versions:
- wheezy
- jessie
- stretch
- buster
- name: Amazon
- name: Fedora
- name: Archlinux
- name: SmartOS
- name: openSUSE
galaxy_tags:
- system
- security
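Review bot: The new galaxy_info description says this role provides "security-related ssh configurations", but this is the os-harden role, so the wording reads as copied from an ssh role; suggest `description: 'This Ansible role provides numerous security-related OS configurations, providing all-round base protection.'`. The expanded platform list is consistent with the distribution checks in the task files of this commit.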


@ -1,51 +0,0 @@
# [可选]操作系统安全加固 https://github.com/dev-sec/ansible-os-hardening
- hosts:
- kube_master
- kube_node
- etcd
- ex_lb
- chrony
vars:
os_security_users_allow: change_user
os_auth_pam_passwdqc_enable: false
os_security_suid_sgid_blacklist: ['/bin/umount']
os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
os_filesystem_whitelist: ['vfat']
sysctl_config:
net.ipv4.ip_forward: 1
net.ipv6.conf.all.forwarding: 1
net.ipv6.conf.all.accept_ra: 0
net.ipv6.conf.default.accept_ra: 0
net.ipv4.conf.all.rp_filter: 1
net.ipv4.conf.default.rp_filter: 1
net.ipv4.icmp_echo_ignore_broadcasts: 1
net.ipv4.icmp_ignore_bogus_error_responses: 1
net.ipv4.icmp_ratelimit: 100
net.ipv4.icmp_ratemask: 88089
net.ipv6.conf.all.disable_ipv6: 1
net.ipv4.conf.all.arp_ignore: 1
net.ipv4.conf.all.arp_announce: 2
net.ipv4.conf.all.shared_media: 1
net.ipv4.conf.default.shared_media: 1
net.ipv4.conf.all.accept_source_route: 0
net.ipv4.conf.default.accept_source_route: 0
net.ipv4.conf.default.accept_redirects: 0
net.ipv4.conf.all.accept_redirects: 0
net.ipv4.conf.all.secure_redirects: 0
net.ipv4.conf.default.secure_redirects: 0
net.ipv6.conf.default.accept_redirects: 0
net.ipv6.conf.all.accept_redirects: 0
net.ipv4.conf.all.send_redirects: 0
net.ipv4.conf.default.send_redirects: 0
net.ipv4.conf.all.log_martians: 1
net.ipv6.conf.default.router_solicitations: 0
net.ipv6.conf.default.accept_ra_rtr_pref: 0
net.ipv6.conf.default.accept_ra_pinfo: 0
net.ipv6.conf.default.accept_ra_defrtr: 0
net.ipv6.conf.default.autoconf: 0
net.ipv6.conf.default.dad_transmits: 0
net.ipv6.conf.default.max_addresses: 1
roles:
- os-harden
#- { role: os-harden, when: "OS_HARDEN is defined and OS_HARDEN == 'yes'" }


@ -1,8 +1,7 @@
---
- name: remove deprecated or insecure packages | package-01 - package-09
apt:
name: '{{ item }}'
name: '{{ os_security_packages_list }}'
state: 'absent'
with_items:
- '{{ os_security_packages_list }}'
when: 'os_security_packages_clean'
purge: 'yes'
when: os_security_packages_clean | bool
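Review bot: `purge: 'yes'` is a quoted string in a commit that otherwise moves flags to real booleans (`| bool` on the `when:` directly below); write `purge: true`. Purging also removes the packages' configuration files, not only the binaries, which is new behaviour for this task and worth recording in a comment, e.g. `# purge: also drop leftover config files of the removed packages`.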


@ -1,5 +1,4 @@
---
- name: install auditd package | package-08
package:
name: '{{ auditd_package }}'


@ -1,12 +0,0 @@
- name: find directories for minimizing access
find:
paths: '{{ outer_item }}'
recurse: yes
register: minimize_access_directories
- name: minimize access on found files
file:
path: '{{ item.path }}'
mode: 'go-w'
state: file
with_items: '{{ minimize_access_directories.files }}'


@ -1,20 +1,21 @@
---
- name: Set OS family dependent variables
include_vars: '{{ ansible_os_family }}.yml'
include_vars: '{{ ansible_facts.os_family }}.yml'
tags: always
- name: Set OS dependent variables
include_vars: '{{ item }}'
with_first_found:
- files:
- '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml'
- '{{ ansible_distribution }}.yml'
- '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml'
- '{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_major_version }}.yml'
- '{{ ansible_facts.distribution }}.yml'
- '{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml'
skip: true
tags: always
- import_tasks: auditd.yml
tags: auditd
when: os_auditd_enabled | bool
- import_tasks: limits.yml
tags: limits
@ -38,7 +39,7 @@
tags: securetty
- import_tasks: suid_sgid.yml
when: os_security_suid_sgid_enforce
when: os_security_suid_sgid_enforce | bool
tags: suid_sgid
- import_tasks: sysctl.yml
@ -51,9 +52,13 @@
tags: rhosts
- import_tasks: yum.yml
when: ansible_os_family == 'RedHat'
when: ansible_facts.os_family == 'RedHat'
tags: yum
- import_tasks: apt.yml
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
when: ansible_facts.distribution in ['Debian', 'Ubuntu']
tags: apt
- import_tasks: selinux.yml
tags: selinux
when: ansible_facts.selinux.status == 'enabled'
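Review bot: The new `when: ansible_facts.selinux.status == 'enabled'` runs selinux.yml only on hosts where SELinux is currently on, and selinux.yml applies `os_selinux_state`, whose default in this commit's defaults/main.yml is `disabled`; with the shipped defaults the role therefore switches SELinux off on every host that had it enabled, which is the opposite of hardening. Either default `os_selinux_state` to `enforcing` (or `permissive`), or guard the import so weakening needs an explicit choice: `when: ansible_facts.selinux.status == 'enabled' and os_selinux_state != 'disabled'`. `ansible_facts.selinux` is presumably only present when facts are gathered, so if any playbook runs this role with `gather_facts: false` the condition raises an undefined-variable error; I cannot see the playbooks' fact-gathering setting from here, so `ansible_facts.selinux is defined` is a cheap extra guard. The same point applies to the new tasks/selinux.yml file further down.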


@ -1,5 +1,4 @@
---
- block:
- name: create limits.d-directory if it does not exist | sysctl-31a, sysctl-31b
file:
@ -9,14 +8,14 @@
mode: '0755'
state: 'directory'
- name: create aditional limits config file -> 10.hardcore.conf | sysctl-31a, sysctl-31b
- name: create additional limits config file -> 10.hardcore.conf | sysctl-31a, sysctl-31b
pam_limits:
dest: '/etc/security/limits.d/10.hardcore.conf'
domain: '*'
limit_type: hard
limit_item: core
value: 0
comment: Prevent core dumps for all users. These are usually only needed by developers and may contain sensitive information
value: '0'
comment: Prevent core dumps for all users. These are usually not needed and may contain sensitive information
- name: set 10.hardcore.conf perms to 0400 and root ownership
file:
@ -24,11 +23,14 @@
owner: 'root'
group: 'root'
mode: '0440'
state: touch
modification_time: preserve
access_time: preserve
when: 'not os_security_kernel_enable_core_dump'
when: not os_security_kernel_enable_core_dump | bool
- name: remove 10.hardcore.conf config file
file:
path: /etc/security/limits.d/10.hardcore.conf
state: absent
when: 'os_security_kernel_enable_core_dump'
when: os_security_kernel_enable_core_dump | bool
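Review bot: The task name `set 10.hardcore.conf perms to 0400 and root ownership` does not match the `mode: '0440'` it sets; either rename it `set 10.hardcore.conf perms to 0440 and root ownership` or change the mode to `'0400'`, which is all a root-read file in limits.d needs. The added `state: touch` with `modification_time: preserve` / `access_time: preserve` keeps the task idempotent, which is good. The block these tasks belong to starts at the top of the file, outside this hunk.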


@ -6,4 +6,3 @@
owner: 'root'
group: 'root'
mode: '0444'


@ -1,4 +1,3 @@
---
- include_tasks: hardening.yml
when: os_hardening_enabled
- import_tasks: hardening.yml
when: os_hardening_enabled | bool


@ -1,16 +1,31 @@
---
# Using a two-pass approach for checking directories in order to support symlinks.
- include_tasks: find_files.yml
loop_control:
loop_var: outer_item
loop:
# If the find-task throws an error on /usr/bin/X11 like "File system loop detected"
# the other files inside /usr/bin (and all other directories) are
# still getting found and the permissions minimized in the next task.
# This is also the reason why there's ignore_errors: true on the task.
# also see: https://github.com/dev-sec/ansible-os-hardening/issues/219
- name: find files with write-permissions for group
shell: "find -L {{ item }} -perm /go+w -type f" # noqa 305
with_flattened:
- '/usr/local/sbin'
- '/usr/local/bin'
- '/usr/sbin'
- '/usr/bin'
- '/sbin'
- '/bin'
- '{{ os_env_extra_user_paths }}'
- "{{ os_env_extra_user_paths }}" # noqa 104
register: minimize_access_directories
ignore_errors: true
changed_when: false
- name: minimize access on found files
file:
path: '{{ item.1 }}'
mode: 'go-w'
state: file
with_subelements:
- "{{ minimize_access_directories.results }}"
- stdout_lines
- name: change shadow ownership to root and mode to 0600 | os-02
file:
@ -32,4 +47,12 @@
owner: 'root'
group: 'root'
mode: '0750'
when: os_security_users_allow != None
when: '"change_user" not in os_security_users_allow'
- name: set option hidepid for proc filesystem
mount:
path: /proc
src: proc
fstype: proc
opts: '{{ proc_mnt_options }}'
state: present
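Review bot: The new hidepid task uses `state: present`, which for the mount module only writes the /proc entry to fstab and does not remount, so `hidepid={{ hidepid_option }}` is not in effect until the next reboot; use `state: mounted` (or a follow-up `state: remounted`) if the option should apply during the run, or say in a comment that it is deferred to reboot. The find task interpolates `{{ item }}` into a shell command unquoted; the values come from role variables, but `find -L {{ item | quote }} -perm /go+w -type f` costs nothing and survives a path containing spaces. With `ignore_errors: true` on that task a failed find for one directory leaves its files unhardened while the play still succeeds, which the comment above it acknowledges only for the /usr/bin/X11 loop case.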


@ -1,7 +1,7 @@
---
- name: install modprobe to disable filesystems | os-10
package:
name: '{{modprobe_package}}'
name: '{{ modprobe_package }}'
state: 'present'
- name: check if efi is installed
@ -12,7 +12,15 @@
- name: remove vfat from fs-list if efi is used
set_fact:
os_unused_filesystems: "{{ os_unused_filesystems | difference('vfat') }}"
when: efi_installed.stat.isdir is defined and efi_installed.stat.isdir
when:
- efi_installed.stat.isdir is defined
- efi_installed.stat.isdir
- name: remove used filesystems from fs-list
set_fact:
os_unused_filesystems: "{{ os_unused_filesystems | difference(ansible_mounts | map(attribute='fstype') | list) }}"
# we cannot do this on el6 and below, because these systems don't support the map function
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
- name: disable unused filesystems | os-10
template:
@ -20,5 +28,4 @@
dest: '/etc/modprobe.d/dev-sec.conf'
owner: 'root'
group: 'root'
mode: '0640'
mode: '0644'
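Review bot: The new `when:` on the 'remove used filesystems from fs-list' task compares `ansible_facts.distribution_major_version < '7'` as strings, which treats a major version of '10' as less than '7'; this same commit rewrites the equivalent check in pam.yml as `ansible_facts.distribution_major_version|int is version('7', '<')`, so use that form here too. The same task still reads `ansible_mounts` while the rest of the commit moves to the `ansible_facts.*` namespace; `ansible_facts.mounts` keeps it consistent.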


@ -1,8 +1,8 @@
---
- name: update pam on Debian systems
command: 'pam-auth-update --package'
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
changed_when: False
when: ansible_facts.distribution in ['Debian', 'Ubuntu']
changed_when: false
environment:
DEBIAN_FRONTEND: noninteractive
@ -14,19 +14,25 @@
package:
name: '{{ os_packages_pam_ccreds }}'
state: 'absent'
when:
- ansible_facts.os_family != 'Archlinux'
- name: remove pam_cracklib, because it does not play nice with passwdqc
apt:
name: '{{ os_packages_pam_cracklib }}'
state: 'absent'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- os_auth_pam_passwdqc_enable
- name: install the package for strong password checking
apt:
name: '{{ os_packages_pam_passwdqc }}'
state: 'present'
update_cache: 'yes'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- os_auth_pam_passwdqc_enable
- name: configure passwdqc
template:
@ -35,19 +41,26 @@
mode: '0644'
owner: 'root'
group: 'root'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- os_auth_pam_passwdqc_enable
- name: remove passwdqc
apt:
name: '{{ os_packages_pam_passwdqc }}'
state: 'absent'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable
when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- not os_auth_pam_passwdqc_enable
- name: install tally2
apt:
name: 'libpam-modules'
state: 'present'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0
when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- not os_auth_pam_passwdqc_enable
- os_auth_retries > 0
- name: configure tally2
template:
@ -56,31 +69,47 @@
mode: '0644'
owner: 'root'
group: 'root'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0
when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- not os_auth_pam_passwdqc_enable
- os_auth_retries > 0
- name: delete tally2 when retries is 0
file:
path: '{{ tally2_path }}'
state: 'absent'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries == 0
when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- not os_auth_pam_passwdqc_enable
- os_auth_retries == 0
- name: remove pam_cracklib, because it does not play nice with passwdqc
yum:
name: '{{ os_packages_pam_cracklib }}'
state: 'absent'
when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable
when:
- ansible_facts.os_family == 'RedHat'
- ansible_facts.distribution_major_version|int is version('7', '<')
- ansible_facts.distribution != 'Amazon'
- os_auth_pam_passwdqc_enable
- name: install the package for strong password checking
yum:
name: '{{ os_packages_pam_passwdqc }}'
state: 'present'
when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable
when:
- ansible_facts.os_family == 'RedHat'
- ansible_facts.distribution_major_version|int is version('7', '<')
- ansible_facts.distribution != 'Amazon'
- os_auth_pam_passwdqc_enable
- name: remove passwdqc
yum:
name: '{{ os_packages_pam_passwdqc }}'
state: 'absent'
when: ansible_os_family == 'RedHat' and not os_auth_pam_passwdqc_enable
when:
- ansible_facts.os_family == 'RedHat'
- not os_auth_pam_passwdqc_enable
- name: configure passwdqc and tally via central system-auth confic
template:
@ -89,11 +118,23 @@
mode: '0640'
owner: 'root'
group: 'root'
when: ansible_facts.os_family == 'RedHat'
- name: Gather package facts
package_facts:
manager: auto
when:
- ansible_facts.os_family != 'Suse'
- ansible_facts.os_family != 'Archlinux'
- name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
template:
src: 'etc/rhel_libuser.conf.j2'
src: 'etc/libuser.conf.j2'
dest: '/etc/libuser.conf'
mode: '0640'
owner: 'root'
group: 'root'
when:
- ansible_facts.os_family != 'Suse'
- ansible_facts.os_family != 'Archlinux'
- "'libuser' in ansible_facts.packages"


@ -6,10 +6,10 @@
owner: 'root'
group: 'root'
mode: '0750'
when: not os_security_kernel_enable_core_dump
when: not os_security_kernel_enable_core_dump | bool
- name: remove pinerolo_profile.sh from profile.d
file:
path: /etc/profile.d/pinerolo_profile.sh
state: absent
when: os_security_kernel_enable_core_dump
when: os_security_kernel_enable_core_dump | bool


@ -1,15 +1,15 @@
---
- name: Get user accounts | os-09
command: "awk -F: '{print $1}' /etc/passwd"
changed_when: False
check_mode: False
register: users
changed_when: false
check_mode: false
register: users_accounts
- name: delete rhosts-files from system | os-09
file:
dest: '~{{ item }}/.rhosts'
state: 'absent'
with_flattened: '{{ users.stdout_lines | default([]) }}'
with_flattened: '{{ users_accounts.stdout_lines | default([]) }}'
- name: delete hosts.equiv from system | os-01
file:
@ -20,4 +20,4 @@
file:
dest: '~{{ item }}/.netrc'
state: 'absent'
with_flattened: '{{ users.stdout_lines | default([]) }}'
with_flattened: '{{ users_accounts.stdout_lines | default([]) }}'


@ -0,0 +1,5 @@
---
- name: configure selinux | selinux-01
selinux:
policy: "{{ os_selinux_policy }}"
state: "{{ os_selinux_state }}"


@ -13,13 +13,13 @@
- name: find binaries with suid/sgid set | os-06
shell: find / -xdev \( -perm -4000 -o -perm -2000 \) -type f ! -path '/proc/*' -print 2>/dev/null
register: sbit_binaries
when: os_security_suid_sgid_remove_from_unknown
changed_when: False
when: os_security_suid_sgid_remove_from_unknown | bool
changed_when: false
- name: gather files from which to remove suids/sgids and remove system white-listed files | os-06
set_fact:
suid: '{{ sbit_binaries.stdout_lines | difference(os_security_suid_sgid_system_whitelist) }}'
when: os_security_suid_sgid_remove_from_unknown
when: os_security_suid_sgid_remove_from_unknown | bool
- name: remove suid/sgid bit from all binaries except in system and user whitelist | os-06
file:
@ -29,4 +29,4 @@
follow: 'yes'
with_flattened:
- '{{ suid | default([]) | difference(os_security_suid_sgid_whitelist) }}'
when: os_security_suid_sgid_remove_from_unknown
when: os_security_suid_sgid_remove_from_unknown | bool


@ -5,6 +5,9 @@
owner: 'root'
group: 'root'
mode: '0440'
state: touch
modification_time: preserve
access_time: preserve
- name: set Daemon umask, do config for rhel-family | NSA 2.2.4.1
template:
@ -13,14 +16,16 @@
owner: 'root'
group: 'root'
mode: '0544'
when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS' or ansible_distribution == 'Amazon'
when: ansible_facts.distribution in ['Amazon', 'CentOS', 'Fedora', 'RedHat']
- name: install initramfs-tools
apt:
name: 'initramfs-tools'
state: 'present'
update_cache: true
when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading
when:
- ansible_facts.os_family == 'Debian'
- os_security_kernel_enable_module_loading
- name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled
template:
@ -29,41 +34,49 @@
owner: 'root'
group: 'root'
mode: '0440'
when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading
notify:
- update-initramfs
when:
- ansible_facts.os_family == 'Debian'
- os_security_kernel_enable_module_loading
register: initramfs
- name: update-initramfs
command: 'update-initramfs -u'
when: initramfs.changed
- name: change sysctls
block:
- name: create a combined sysctl-dict if overwrites are defined
set_fact:
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
when: sysctl_overwrite | default()
- name: create a combined sysctl-dict if overwrites are defined
set_fact:
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
when: sysctl_overwrite | default()
- name: Change various sysctl-settings, look at the sysctl-vars file for documentation
sysctl:
name: '{{ item.key }}'
value: '{{ item.value }}'
sysctl_set: true
state: present
reload: true
ignoreerrors: true
with_dict: '{{ sysctl_config }}'
- name: Change various sysctl-settings, look at the sysctl-vars file for documentation
sysctl:
name: '{{ item.key }}'
value: '{{ item.value }}'
sysctl_set: yes
state: present
reload: yes
ignoreerrors: yes
with_dict: '{{ sysctl_config }}'
- name: Change various sysctl-settings on rhel6-hosts or older, look at the sysctl-vars file for documentation
sysctl:
name: '{{ item.key }}'
value: '{{ item.value }}'
state: present
reload: true
ignoreerrors: true
with_dict: '{{ sysctl_rhel_config }}'
when: ((ansible_facts.distribution in ['CentOS', 'Fedora', 'RedHat']) and
ansible_distribution_version|int is version('7', '<')) or ansible_facts.distribution == 'Amazon'
- name: Change various sysctl-settings on rhel6-hosts or older, look at the sysctl-vars file for documentation
sysctl:
name: '{{ item.key }}'
value: '{{ item.value }}'
state: present
reload: yes
ignoreerrors: yes
with_dict: '{{ sysctl_rhel_config }}'
when: ((ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS') and ansible_distribution_major_version < '7') or ansible_distribution == 'Amazon'
when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz']
- name: Apply ufw defaults
template:
src: 'etc/default/ufw.j2'
dest: '/etc/default/ufw'
when: ufw_manage_defaults and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')
mode: '0644'
when:
- ufw_manage_defaults
- ansible_facts.distribution in ['Debian', 'Ubuntu']
tags: ufw
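Review bot: The rhel6-or-older condition on the second sysctl task still uses the legacy `ansible_distribution_version|int`, and the block-level guard uses `ansible_virtualization_type`, while the same hunk and the rest of the commit switch to `ansible_facts.*`; use `ansible_facts.distribution_major_version|int is version('7', '<')` (as pam.yml does) and `ansible_facts.virtualization_type not in ['docker', 'lxc', 'openvz']`. `|int` on a dotted string like '7.9' only works through the filter's float fallback, which is another reason to compare the major version. Both sysctl tasks keep `ignoreerrors: true`, so a key the kernel does not know is skipped without failing the play; that is a defensible choice for a multi-distribution role, but a comment such as `# ignoreerrors: unknown keys are skipped, so a green run does not prove every key was applied` would stop readers from reading play success as full coverage.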


@ -4,42 +4,44 @@
args:
removes: /etc/login.defs
register: uid_min
check_mode: False
changed_when: False
check_mode: false
changed_when: false
- name: calculate UID_MAX from UID_MIN by substracting 1
set_fact:
uid_max: '{{ uid_min.stdout | int - 1 }}'
when: uid_min is defined
when: uid_min.stdout|int > 0
- name: set UID_MAX on Debian-systems if no login.defs exist
set_fact:
uid_max: '999'
when: ansible_os_family == 'Debian' and not uid_min
when:
- ansible_facts.os_family == 'Debian'
- uid_max is not defined
- name: set UID_MAX on other systems if no login.defs exist
set_fact:
uid_max: '499'
when: not uid_min
when: uid_max is not defined
- name: get all system accounts
command: awk -F'':'' '{ if ( $3 <= {{ uid_max|quote }} ) print $1}' /etc/passwd
args:
removes: /etc/passwd
changed_when: False
check_mode: False
changed_when: false
check_mode: false
register: sys_accs
- name: remove always ignored system accounts from list
set_fact:
sys_accs_cond: '{{ sys_accs.stdout_lines | difference(os_always_ignore_users) }}'
check_mode: False
check_mode: false
- name: change system accounts not on the user provided ignore-list
user:
name: '{{ item }}'
shell: '{{ os_nologin_shell_path }}'
password: '*'
createhome: False
createhome: false
with_flattened:
- '{{ sys_accs_cond | default([]) | difference(os_ignore_users) | list }}'
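Review bot: The rewritten `when: uid_min.stdout|int > 0` on the UID_MAX calculation is evaluated even when the preceding command was skipped because `removes: /etc/login.defs` found no file; a skipped task's registered result presumably carries no `stdout`, so the expression raises an undefined-variable error instead of falling through to the Debian/other defaults below. Guard it as `when: uid_min.stdout is defined and uid_min.stdout|int > 0`. The two fallback tasks now key on `uid_max is not defined`, which reads better than the old `not uid_min` and is correct as long as no earlier play sets `uid_max`.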


@ -3,45 +3,48 @@
file:
name: '/etc/yum.repos.d/{{ item }}.repo'
state: 'absent'
with_items:
loop:
- 'CentOS-Debuginfo'
- 'CentOS-Media'
- 'CentOS-Vault'
when: os_security_packages_clean
when: os_security_packages_clean | bool
- name: get yum-repository-files
shell: 'find /etc/yum.repos.d/ -type f -name *.repo'
changed_when: False
find:
paths: '/etc/yum.repos.d'
patterns: '*.repo'
register: yum_repos
- name: check if rhnplugin.conf exists
stat:
path: '/etc/yum/pluginconf.d/rhnplugin.conf'
register: rhnplugin_file
# for the 'default([])' see here:
# https://github.com/dev-sec/ansible-os-hardening/issues/99 and
# https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause
- name: activate gpg-check for yum-repos
# for the 'default([])' see here:
# https://github.com/dev-sec/ansible-os-hardening/issues/99 and
# https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause
- name: activate gpg-check for yum-repository-files
replace:
dest: '{{ item }}'
regexp: '^\s*gpgcheck: 0'
replace: 'gpgcheck: 1'
with_flattened:
path: '{{ item.path }}'
regexp: '^\s*gpgcheck.*'
replace: 'gpgcheck=1'
mode: '0644'
with_items:
- '{{ yum_repos.files | default([]) }}'
# failed_when is needed because by default replace module will fail if the file doesn't exists.
# status.rc is only defined if an error accrued and only error code (rc) 257 will be ignored.
# All other errors will still be raised.
- name: activate gpg-check for config files
replace:
path: '{{ item }}'
regexp: '^\s*gpgcheck\W.*'
replace: 'gpgcheck=1'
mode: '0644'
register: status
failed_when: status.rc is defined and status.rc != 257
loop:
- '/etc/yum.conf'
- '{{ yum_repos.stdout_lines| default([]) }}'
- name: activate gpg-check for yum rhn if it exists
replace:
dest: '/etc/yum/pluginconf.d/rhnplugin.conf'
regexp: '^\s*gpgcheck: 0'
replace: 'gpgcheck: 1'
when: rhnplugin_file.stat.exists
- '/etc/dnf/dnf.conf'
- '/etc/yum/pluginconf.d/rhnplugin.conf'
- name: remove deprecated or insecure packages | package-01 - package-09
yum:
name: '{{ item }}'
name: '{{ os_security_packages_list }}'
state: 'absent'
with_items:
- '{{ os_security_packages_list }}'
when: os_security_packages_clean
when: os_security_packages_clean | bool
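Review bot: The two new gpgcheck tasks use different patterns: the repository-file task matches `'^\s*gpgcheck.*'` while the config-file task matches `'^\s*gpgcheck\W.*'`; the first would also rewrite any other key beginning with `gpgcheck`, so use the `\W` form in both. `failed_when: status.rc is defined and status.rc != 257` depends on the replace module's error code for a missing file, as the comment says; since `/etc/dnf/dnf.conf` and the rhnplugin file are absent on many hosts this branch fires routinely, so it is worth confirming that rc really is 257 on the Ansible versions the role supports (min_ansible_version is '2.5'). Replacing `shell: find` with the `find` module for repo discovery is a good change.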


@ -1,3 +1,5 @@
{{ ansible_managed | comment }}
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
@ -10,7 +12,7 @@ dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6
max_log_file_action = keep_logs
max_log_file_action = {{ os_auditd_max_log_file_action }}
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root


@ -1,4 +1,5 @@
# {{ ansible_managed | comment }}
{{ ansible_managed | comment }}
# /etc/default/ufw
#


@ -1,4 +1,5 @@
# {{ ansible_managed | comment }}
{{ ansible_managed | comment }}
# This file contains the names of kernel modules that should be loaded at boot time, one per line. Lines beginning with "#" are ignored.
#
# A list of all available kernel modules kann be found with `find /lib/modules/$(uname -r)/kernel/`
@ -10,7 +11,7 @@
#
# Modules for certains builds, contains support modules and some CPU-specific optimizations.
{% if ansible_architecture == 'x86_64' %}
{% if ansible_facts.architecture == 'x86_64' %}
# Optimize for x86_64 cryptographic features
twofish-x86_64-3way
twofish-x86_64
@ -19,7 +20,7 @@ salsa20-x86_64
blowfish-x86_64
{% endif %}
{% if 'amd' in ansible_processor %}
{% if 'amd' in ansible_facts.processor %}
# AMD-specific optimizations
kvm-amd
{% else %}


@ -1,6 +1,6 @@
# See libuser.conf(5) for more information.
{{ ansible_managed | comment }}
# {{ ansible_managed | comment }}
# See libuser.conf(5) for more information.
# Do not modify the default module list if you care about unattended calls
# to programs (i.e., scripts) working!


@ -1,4 +1,5 @@
# {{ ansible_managed | comment }}
{{ ansible_managed | comment }}
# Configuration control definitions for the login package.
#
# Three items must be defined: `MAIL_DIR`, `ENV_SUPATH`, and `ENV_PATH`. If unspecified, some arbitrary (and possibly incorrect) value will be assumed. All other items are optional - if not specified then the described action or option will be inhibited.
@ -7,6 +8,7 @@
#
#-- Modified for Linux. --marekm
{% if os_useradd_mail_dir is defined %}
# *REQUIRED for useradd/userdel/usermod*
#
# Directory where mailboxes reside, _or_ name of file, relative to the home directory. If you _do_ define `MAIL_DIR` and `MAIL_FILE`, `MAIL_DIR` takes precedence.
@ -19,136 +21,141 @@
#
# See default PAM configuration files provided for login, su, etc.
# This is a temporary situation: setting these variables will soon move to `/etc/default/useradd` and the variables will then be no more supported
MAIL_DIR /var/mail
#MAIL_FILE .mail
MAIL_DIR {{ os_useradd_mail_dir }}
{% endif %}
{% if os_useradd_create_home is defined %}
# If useradd should create home directories for users by default
CREATE_HOME {{ 'yes' if os_useradd_create_home else 'no' }}
{% endif %}
# Enable logging and display of `/var/log/faillog` login failure info. This option conflicts with the `pam_tally` PAM module.
FAILLOG_ENAB yes
FAILLOG_ENAB yes
# Enable display of unknown usernames when login failures are recorded.
#
# *WARNING*: Unknown usernames may become world readable. See #290803 and #298773 for details about how this could become a security concern
LOG_UNKFAIL_ENAB no
LOG_UNKFAIL_ENAB no
# Enable logging of successful logins
LOG_OK_LOGINS yes
LOG_OK_LOGINS yes
# Enable "syslog" logging of su activity - in addition to sulog file logging.
SYSLOG_SU_ENAB yes
SYSLOG_SU_ENAB yes
# Enable "syslog" logging of newgrp and sg.
SYSLOG_SG_ENAB yes
SYSLOG_SG_ENAB yes
# If defined, all su activity is logged to this file.
#SULOG_FILE /var/log/sulog
#SULOG_FILE /var/log/sulog
# If defined, file which maps tty line to `TERM` environment parameter. Each line of the file is in a format something like "vt100 tty01".
#TTYTYPE_FILE /etc/ttytype
#TTYTYPE_FILE /etc/ttytype
# If defined, login failures will be logged here in a utmp format last, when invoked as lastb, will read `/var/log/btmp`, so...
FTMP_FILE /var/log/btmp
FTMP_FILE /var/log/btmp
# If defined, the command name to display when running "su -". For # example, if this is defined as "su" then a "ps" will display the command is "-su". If not defined, then "ps" would display the name of the shell actually being run, e.g. something like "-sh".
SU_NAME su
SU_NAME su
# If defined, file which inhibits all the usual chatter during the login sequence. If a full pathname, then hushed mode will be enabled if the user's name or shell are found in the file. If not a full pathname, then hushed mode will be enabled if the file exists in the user's home directory.
#HUSHLOGIN_FILE /etc/hushlogins
HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
HUSHLOGIN_FILE .hushlogin
# *REQUIRED*: The default PATH settings, for superuser and normal users. (they are minimal, add the rest in the shell startup files)
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin{{ os_env_extra_user_paths| join (':') }}
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:{{ os_env_extra_user_paths | join (':') }}
# Terminal permissions
# --------------------
# Login tty will be assigned this group ownership.
# If you have a "write" program which is "setgid" to a special group which owns the terminals, define `TTYGROUP` to the group number and `TTYPERM` to `0620`. Otherwise leave `TTYGROUP` commented out and assign `TTYPERM` to either `622` or `600`.
TTYGROUP tty
TTYGROUP tty
# Login tty will be set to this permission.
# In Debian `/usr/bin/bsd-write` or similar programs are setgid tty. However, the default and recommended value for `TTYPERM` is still `0600` to not allow anyone to write to anyone else console or terminal
# Users can still allow other people to write them by issuing the `mesg y` command.
TTYPERM 0600
TTYPERM 0600
# Login conf initializations
# --------------------------
# Terminal ERASE character ('\010' = backspace). Only used on System V.
ERASECHAR 0177
ERASECHAR 0177
# Terminal KILL character ('\025' = CTRL/U). Only used on System V.
KILLCHAR 025
KILLCHAR 025
# The default umask value for `pam_umask` and is used by useradd and newusers to set the mode of the new home directories.
# If `USERGROUPS_ENAB` is set to `yes`, that will modify this `UMASK` default value for private user groups, i. e. the uid is the same as gid, and username is the same as the primary group name: for these, the user permissions will be used as group permissions, e. g. `022` will become `002`.
# Prefix these values with `0` to get octal, `0x` to get hexadecimal.
# `022` is the "historical" value in Debian for UMASK
# `027`, or even `077`, could be considered better for privacy.
UMASK {{ os_env_umask }}
UMASK {{ os_env_umask }}
# Enable setting of the umask group bits to be the same as owner bits (examples: `022` -> `002`, `077` -> `007`) for non-root users, if the uid is the same as gid, and username is the same as the primary group name.
# If set to yes, userdel will remove the user´s group if it contains no more members, and useradd will create by default a group with the name of the user.
USERGROUPS_ENAB yes
USERGROUPS_ENAB yes
# Password aging controls
# -----------------------
# Maximum number of days a password may be used.
PASS_MAX_DAYS {{ os_auth_pw_max_age }}
PASS_MAX_DAYS {{ os_auth_pw_max_age }}
# Minimum number of days allowed between password changes.
PASS_MIN_DAYS {{ os_auth_pw_min_age }}
PASS_MIN_DAYS {{ os_auth_pw_min_age }}
# Number of days warning given before a password expires.
PASS_WARN_AGE 7
PASS_WARN_AGE 7
# Min/max values for automatic uid selection in useradd
UID_MIN {{ os_auth_uid_min }}
UID_MAX 60000
UID_MIN {{ os_auth_uid_min }}
UID_MAX 60000
# System accounts
SYS_UID_MIN {{ os_auth_sys_uid_min }}
SYS_UID_MAX {{ os_auth_sys_uid_max }}
SYS_UID_MIN {{ os_auth_sys_uid_min }}
SYS_UID_MAX {{ os_auth_sys_uid_max }}
# Min/max values for automatic gid selection in groupadd
GID_MIN {{ os_auth_gid_min }}
GID_MAX 60000
GID_MIN {{ os_auth_gid_min }}
GID_MAX 60000
# System accounts
SYS_GID_MIN {{ os_auth_sys_gid_min }}
SYS_GID_MAX {{ os_auth_sys_gid_max }}
SYS_GID_MIN {{ os_auth_sys_gid_min }}
SYS_GID_MAX {{ os_auth_sys_gid_max }}
# Max number of login retries if password is bad. This will most likely be overriden by PAM, since the default pam_unix module has it's own built in of 3 retries. However, this is a safe fallback in case you are using an authentication module that does not enforce PAM_MAXTRIES.
LOGIN_RETRIES {{ os_auth_retries }}
LOGIN_RETRIES {{ os_auth_retries }}
# Max time in seconds for login
LOGIN_TIMEOUT {{ os_auth_timeout }}
LOGIN_TIMEOUT {{ os_auth_timeout }}
# Which fields may be changed by regular users using chfn - use any combination of letters "frwh" (full name, room number, work phone, home phone). If not defined, no changes are allowed.
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
{% if os_chfn_restrict %}
CHFN_RESTRICT {{ os_chfn_restrict }}
CHFN_RESTRICT {{ os_chfn_restrict }}
{% endif %}
# Should login be allowed if we can't cd to the home directory?
DEFAULT_HOME {{ 'yes' if os_auth_allow_homeless else 'no' }}
DEFAULT_HOME {{ 'yes' if os_auth_allow_homeless else 'no' }}
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#USERDEL_CMD /usr/sbin/userdel_local
#USERDEL_CMD /usr/sbin/userdel_local
# Instead of the real user shell, the program specified by this parameter will be launched, although its visible name (`argv[0]`) will be the shell's. The program may do whatever it wants (logging, additional authentification, banner, ...) before running the actual shell.
#FAKE_SHELL /bin/fakeshell
#FAKE_SHELL /bin/fakeshell
# If defined, either full pathname of a file containing device names or a ":" delimited list of device names. Root logins will be allowed only upon these devices.
# This variable is used by login and su.
#CONSOLE /etc/consoles
#CONSOLE console:tty01:tty02:tty03:tty04
#CONSOLE /etc/consoles
#CONSOLE console:tty01:tty02:tty03:tty04
# List of groups to add to the user's supplementary group set when logging in on the console (as determined by the `CONSOLE` setting). Default is none.
# Use with caution - it is possible for users to gain permanent access to these groups, even when not logged in on the console. How to do it is left as an exercise for the reader...
# This variable is used by login and su.
#CONSOLE_GROUPS floppy:audio:cdrom
#CONSOLE_GROUPS floppy:audio:cdrom
# If set to `MD5`, MD5-based algorithm will be used for encrypting password
# If set to `SHA256`, SHA256-based algorithm will be used for encrypting password
@ -158,15 +165,15 @@ DEFAULT_HOME {{ 'yes' if os_auth_allow_homeless else 'no' }}
#
# Note: It is recommended to use a value consistent with
# the PAM modules configuration.
MD5_CRYPT_ENAB no
ENCRYPT_METHOD SHA512
MD5_CRYPT_ENAB no
ENCRYPT_METHOD SHA512
# Only used if `ENCRYPT_METHOD` is set to `SHA256` or `SHA512`: Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute forcing the password. But note also that it more CPU resources will be needed to authenticate users.
# If not specified, the libc will choose the default number of rounds (5000). The values must be inside the 1000-999999999 range. If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
#SHA_CRYPT_MIN_ROUNDS 5000
#SHA_CRYPT_MAX_ROUNDS 5000
#SHA_CRYPT_MIN_ROUNDS 5000
#SHA_CRYPT_MAX_ROUNDS 5000
# Obsoleted by PAM
@ -207,5 +214,3 @@ ENCRYPT_METHOD SHA512
# This variable is deprecated. You should use ENCRYPT_METHOD.
#
#MD5_CRYPT_ENAB no


@ -1,4 +1,4 @@
# {{ ansible_managed | comment }}
{{ ansible_managed | comment }}
#%PAM-1.0
{% if os_auth_retries > 0 %}
@ -18,7 +18,7 @@ account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
{% if (os_auth_pam_passwdqc_enable|bool) %}
{%- if ((ansible_os_family == 'RedHat' and ansible_distribution_version >= '7') or ansible_distribution == 'Amazon') %}
{%- if ((ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_version|int is version('7', '>=')) or ansible_facts.distribution == 'Amazon') %}
password required pam_pwquality.so {{ os_auth_pam_pwquality_options }}
{%- else %}
password requisite pam_passwdqc.so {{ os_auth_pam_passwdqc_options }}
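Review bot: The `|int` on the rewritten condition `ansible_facts.distribution_version|int is version('7', '>=')` is redundant once the `version` test is used: it truncates the minor version before the comparison and maps a non-numeric fact to 0, so `ansible_facts.distribution_version is version('7', '>=')` states the intent directly. For the values produced on RedHat-family hosts the outcome is the same, so this is a point of style rather than a defect. The enclosing `{% if os_auth_retries > 0 %}` block opened in the first hunk, and the remainder of the password stack, lie outside the hunks.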


@ -1,4 +1,4 @@
# {{ ansible_managed | comment }}
{{ ansible_managed | comment }}
# Disable core dumps via soft limits for all users. Compliance to this setting is voluntary and can be modified by users up to a hard limit. This setting is a sane default.
ulimit -S -c 0 > /dev/null 2>&1


@ -1,5 +1,4 @@
# {{ ansible_managed | comment }}
{{ ansible_managed | comment }}
# A list of TTYs, from which root can log in
# see `man securetty` for reference


@ -1,4 +1,4 @@
# {{ ansible_managed | comment }}
{{ ansible_managed | comment }}
# color => new RH6.0 bootup
# verbose => old-style bootup


@ -1,3 +1,5 @@
{{ ansible_managed | comment }}
Name: passwdqc password strength enforcement
Default: yes
Priority: 1024


@ -1,3 +1,5 @@
{{ ansible_managed | comment }}
Name: tally2 lockout after failed attempts enforcement
Default: yes
Priority: 1024


@ -1,6 +1,6 @@
---
# system accounts that do not get their login disabled and pasword changed
os_always_ignore_users: ['root','sync','shutdown','halt', 'ec2-user']
os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt', 'ec2-user']
sysctl_rhel_config:
# ExecShield protection against buffer overflows


@ -0,0 +1,25 @@
---
os_nologin_shell_path: '/sbin/nologin'
os_shadow_perms:
owner: root
group: root
mode: '0600'
os_passwd_perms:
owner: root
group: root
mode: '0644'
os_env_umask: '027'
os_auth_uid_min: 1000
os_auth_gid_min: 1000
os_auth_sys_uid_min: 500
os_auth_sys_uid_max: 999
os_auth_sys_gid_min: 500
os_auth_sys_gid_max: 999
modprobe_package: 'kmod'
auditd_package: 'audit'
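Review bot: This new vars file defines no `os_packages_pam_*` and no `os_useradd_*` keys, while the sibling vars files in this commit do (`os_packages_pam_ccreds`/`_passwdqc`/`_cracklib` in the Debian, RedHat and SUSE files, `os_useradd_mail_dir` in Debian and RedHat, `os_useradd_create_home` in RedHat and SUSE); if the role's tasks or templates read those keys without a default, hosts matched by this file will hit an undefined variable. The gap runs the other way too: the Debian vars hunk gains `os_useradd_mail_dir` but not `os_useradd_create_home`, and the new SUSE vars file gains `os_useradd_create_home` but not `os_useradd_mail_dir`. The rendered hunk shows 19 of the 25 added lines, so part of this may sit in lines the page dropped; it is worth confirming against the role's defaults before merging.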


@ -1,13 +1,10 @@
---
os_packages_pam_ccreds: 'libpam-ccreds'
os_packages_pam_passwdqc: 'libpam-passwdqc'
os_packages_pam_cracklib: 'libpam-cracklib'
passwdqc_path: '/usr/share/pam-configs/passwdqc'
tally2_path: '/usr/share/pam-configs/tally2'
os_nologin_shell_path: '/usr/sbin/nologin'
auditd_package: 'auditd'
modprobe_package: 'kmod'
# Different distros use different standards for /etc/shadow perms, e.g.
# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
# You must provide key/value pairs for owner, group, and mode if overriding.
@ -29,3 +26,12 @@ os_auth_sys_uid_min: 100
os_auth_sys_uid_max: 999
os_auth_sys_gid_min: 100
os_auth_sys_gid_max: 999
# defaults for useradd
os_useradd_mail_dir: /var/mail
modprobe_package: 'kmod'
auditd_package: 'auditd'
tally2_path: '/usr/share/pam-configs/tally2'
passwdqc_path: '/usr/share/pam-configs/passwdqc'
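Review bot: `os_useradd_mail_dir: /var/mail` is the only unquoted path value in this file; every other path and package name here is single-quoted (`'/usr/sbin/nologin'`, `'auditd'`, `'/usr/share/pam-configs/tally2'`). Quote it for consistency: `os_useradd_mail_dir: '/var/mail'`. The same applies to `os_useradd_mail_dir: /var/spool/mail` in the RedHat vars hunk.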


@ -0,0 +1,31 @@
---
os_packages_pam_ccreds: 'pam_ccreds'
os_packages_pam_passwdqc: 'pam_passwdqc'
os_packages_pam_cracklib: 'pam_cracklib'
os_nologin_shell_path: '/sbin/nologin'
# Different distros use different standards for /etc/shadow perms, e.g.
# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
# You must provide key/value pairs for owner, group, and mode if overriding.
os_shadow_perms:
owner: root
group: root
mode: '0000'
os_passwd_perms:
owner: root
group: root
mode: '0644'
os_env_umask: '027'
os_auth_uid_min: 1000
os_auth_gid_min: 1000
os_auth_sys_uid_min: 201
os_auth_sys_uid_max: 999
os_auth_sys_gid_min: 201
os_auth_sys_gid_max: 999
modprobe_package: 'module-init-tools'
auditd_package: 'audit'


@ -1,6 +1,8 @@
os_packages_pam_ccreds: 'pam_ccreds'
os_packages_pam_passwdqc: 'pam_passwdqc'
os_packages_pam_cracklib: 'pam_cracklib'
---
os_packages_pam_ccreds: 'pam_ccreds'
os_packages_pam_passwdqc: 'pam_passwdqc'
os_packages_pam_cracklib: 'pam_cracklib'
os_nologin_shell_path: '/sbin/nologin'
# Different distros use different standards for /etc/shadow perms, e.g.


@ -1,8 +1,5 @@
---
modprobe_package: 'module-init-tools'
auditd_package: 'audit'
os_packages_pam_ccreds: 'pam_ccreds'
os_packages_pam_passwdqc: 'pam_passwdqc'
os_packages_pam_cracklib: 'pam_cracklib'
@ -29,3 +26,10 @@ os_auth_sys_uid_min: 201
os_auth_sys_uid_max: 999
os_auth_sys_gid_min: 201
os_auth_sys_gid_max: 999
# defaults for useradd
os_useradd_mail_dir: /var/spool/mail
os_useradd_create_home: true
modprobe_package: 'module-init-tools'
auditd_package: 'audit'


@ -0,0 +1,34 @@
---
os_packages_pam_ccreds: 'pam_ccreds'
os_packages_pam_passwdqc: 'pam_passwdqc'
os_packages_pam_cracklib: 'cracklib'
os_nologin_shell_path: '/sbin/nologin'
# Different distros use different standards for /etc/shadow perms, e.g.
# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
# You must provide key/value pairs for owner, group, and mode if overriding.
os_shadow_perms:
owner: root
group: shadow
mode: '0640'
os_passwd_perms:
owner: root
group: root
mode: '0644'
os_env_umask: '027'
os_auth_uid_min: 1000
os_auth_gid_min: 1000
os_auth_sys_uid_min: 100
os_auth_sys_uid_max: 499
os_auth_sys_gid_min: 100
os_auth_sys_gid_max: 499
# defaults for useradd
os_useradd_create_home: false
modprobe_package: 'kmod-compat'
auditd_package: 'audit'


@ -1,3 +1,4 @@
---
# SYSTEM CONFIGURATION
# ====================
# These are not meant to be modified by the user
@ -43,6 +44,7 @@ os_security_suid_sgid_system_whitelist:
- '/bin/mount'
- '/bin/ping'
- '/bin/su'
- '/usr/bin/su'
- '/bin/umount'
- '/sbin/pam_timestamp_check'
- '/sbin/unix_chkpwd'
@ -107,4 +109,4 @@ os_security_suid_sgid_system_whitelist:
- '/usr/lib/libvte-2.90-9/gnome-pty-helper' # gnome
# system accounts that do not get their login disabled and pasword changed
os_always_ignore_users: ['root','sync','shutdown','halt']
os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt']