update: os-hardening 7.0.0
parent
e51aa3603d
commit
5ae78116f6
|
@ -1,13 +1,12 @@
|
||||||
############################
|
############################
|
||||||
# role:prepare
|
# prepare
|
||||||
############################
|
############################
|
||||||
# 可选离线安装系统软件包 (offline|online)
|
# 可选离线安装系统软件包 (offline|online)
|
||||||
INSTALL_SOURCE: "online"
|
INSTALL_SOURCE: "online"
|
||||||
|
|
||||||
|
# 可选进行系统安全加固 github.com/dev-sec/ansible-collection-hardening
|
||||||
|
OS_HARDEN: false
|
||||||
|
|
||||||
############################
|
|
||||||
# role:chrony
|
|
||||||
############################
|
|
||||||
# 设置时间源服务器【重要:集群内机器时间必须同步】
|
# 设置时间源服务器【重要:集群内机器时间必须同步】
|
||||||
ntp_servers:
|
ntp_servers:
|
||||||
- "ntp1.aliyun.com"
|
- "ntp1.aliyun.com"
|
||||||
|
|
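Review bot: `OS_HARDEN: false` is introduced with a comment that only names the upstream project; nothing in the hunk says where the switch takes effect. Since the same commit wires `os-harden` into the prepare, harbor, add-node and add-master playbooks ahead of every other role, a one-line hint would save the next reader a grep, e.g. `# optional OS hardening (true/false); when enabled the os-harden role runs on every host before prepare — github.com/dev-sec/ansible-collection-hardening`. The old/new line counts (13 → 12) also suggest the `# role:chrony` header block was dropped while `ntp_servers` stayed, so the NTP settings now read as part of the prepare section; if that is intentional, the `# role:prepare` header should be widened to cover both.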
2
ezdown
2
ezdown
|
@ -14,7 +14,7 @@ set -o errexit
|
||||||
|
|
||||||
# default settings, can be overridden by cmd line options, see usage
|
# default settings, can be overridden by cmd line options, see usage
|
||||||
DOCKER_VER=19.03.14
|
DOCKER_VER=19.03.14
|
||||||
KUBEASZ_VER=3.0.0-rc
|
KUBEASZ_VER=3.0.0
|
||||||
K8S_BIN_VER=v1.20.2
|
K8S_BIN_VER=v1.20.2
|
||||||
EXT_BIN_VER=0.8.1
|
EXT_BIN_VER=0.8.1
|
||||||
SYS_PKG_VER=0.3.3
|
SYS_PKG_VER=0.3.3
|
||||||
|
|
|
@ -6,6 +6,7 @@
|
||||||
- ex_lb
|
- ex_lb
|
||||||
- chrony
|
- chrony
|
||||||
roles:
|
roles:
|
||||||
|
- { role: os-harden, when: "OS_HARDEN|bool" }
|
||||||
- { role: chrony, when: "groups['chrony']|length > 0" }
|
- { role: chrony, when: "groups['chrony']|length > 0" }
|
||||||
|
|
||||||
# to create CA, kubeconfig, kube-proxy.kubeconfig etc.
|
# to create CA, kubeconfig, kube-proxy.kubeconfig etc.
|
||||||
|
|
|
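Review bot: `- { role: os-harden, when: "OS_HARDEN|bool" }` is inserted ahead of `chrony` and `prepare` (and, in the add-node/add-master hunks, ahead of `docker`), so the hardening role's defaults are applied first and the kubeasz roles then run on an already-hardened host. The upstream role ships kernel/sysctl defaults — the vendored changelog in this commit lists kernel hardening parameters and an IPv4 forwarding setting — and a container runtime plus kube-proxy depend on forwarding being enabled, so confirm that a later role re-applies the sysctl values the cluster needs or that the relevant role variable (if present in the vendored version, `os_network_forwarding`) is overridden in the play `vars`. The same insertion appears in the hunks at `@ -39,6 +39,7 @@`, both `@ -2,6 +2,7 @@` hunks and the second `@ -6,6 +6,7 @@` hunk, so whatever is decided here applies to all of them. The enclosing play starts before this hunk.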
@ -3,6 +3,7 @@
|
||||||
|
|
||||||
- hosts: harbor
|
- hosts: harbor
|
||||||
roles:
|
roles:
|
||||||
|
- { role: os-harden, when: "OS_HARDEN|bool" }
|
||||||
- { role: chrony, when: "NEW_INSTALL == 'yes' and groups['chrony']|length > 0" }
|
- { role: chrony, when: "NEW_INSTALL == 'yes' and groups['chrony']|length > 0" }
|
||||||
- { role: prepare, when: "NEW_INSTALL == 'yes'" }
|
- { role: prepare, when: "NEW_INSTALL == 'yes'" }
|
||||||
- { role: docker, when: "NEW_INSTALL == 'yes'" }
|
- { role: docker, when: "NEW_INSTALL == 'yes'" }
|
||||||
|
|
|
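Review bot: `- { role: os-harden, when: "OS_HARDEN|bool" }` is the only role in this harbor play not gated on `NEW_INSTALL == 'yes'`, while `chrony`, `prepare` and `docker` on the following lines all are. With `OS_HARDEN: true` the hardening role is therefore also applied to a pre-existing harbor host that the play otherwise leaves untouched, which may be unexpected on a machine this playbook did not build; if that is not intended, gate it the same way: `- { role: os-harden, when: "NEW_INSTALL == 'yes' and OS_HARDEN|bool" }`. If it is intended, a short comment above the line stating that hardening is applied regardless of `NEW_INSTALL` would make the difference from the other roles explicit. The enclosing play starts before this hunk.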
@ -39,6 +39,7 @@
|
||||||
vars:
|
vars:
|
||||||
CLUSTER_STATE: existing
|
CLUSTER_STATE: existing
|
||||||
roles:
|
roles:
|
||||||
|
- { role: os-harden, when: "OS_HARDEN|bool" }
|
||||||
- { role: chrony, when: "groups['chrony']|length > 0" }
|
- { role: chrony, when: "groups['chrony']|length > 0" }
|
||||||
- prepare
|
- prepare
|
||||||
- etcd
|
- etcd
|
||||||
|
|
|
@ -2,6 +2,7 @@
|
||||||
|
|
||||||
- hosts: "{{ NODE_TO_ADD }}"
|
- hosts: "{{ NODE_TO_ADD }}"
|
||||||
roles:
|
roles:
|
||||||
|
- { role: os-harden, when: "OS_HARDEN|bool" }
|
||||||
- { role: chrony, when: "groups['chrony']|length > 0" }
|
- { role: chrony, when: "groups['chrony']|length > 0" }
|
||||||
- prepare
|
- prepare
|
||||||
- { role: docker, when: "CONTAINER_RUNTIME == 'docker'" }
|
- { role: docker, when: "CONTAINER_RUNTIME == 'docker'" }
|
||||||
|
|
|
@ -2,6 +2,7 @@
|
||||||
|
|
||||||
- hosts: "{{ NODE_TO_ADD }}"
|
- hosts: "{{ NODE_TO_ADD }}"
|
||||||
roles:
|
roles:
|
||||||
|
- { role: os-harden, when: "OS_HARDEN|bool" }
|
||||||
- { role: chrony, when: "groups['chrony']|length > 0" }
|
- { role: chrony, when: "groups['chrony']|length > 0" }
|
||||||
- prepare
|
- prepare
|
||||||
- { role: docker, when: "CONTAINER_RUNTIME == 'docker'" }
|
- { role: docker, when: "CONTAINER_RUNTIME == 'docker'" }
|
||||||
|
|
|
@ -6,6 +6,7 @@
|
||||||
- ex_lb
|
- ex_lb
|
||||||
- chrony
|
- chrony
|
||||||
roles:
|
roles:
|
||||||
|
- { role: os-harden, when: "OS_HARDEN|bool" }
|
||||||
- { role: chrony, when: "groups['chrony']|length > 0" }
|
- { role: chrony, when: "groups['chrony']|length > 0" }
|
||||||
|
|
||||||
# to create CA, kubeconfig, kube-proxy.kubeconfig etc.
|
# to create CA, kubeconfig, kube-proxy.kubeconfig etc.
|
||||||
|
|
|
@ -0,0 +1,495 @@
|
||||||
|
# Changelog
|
||||||
|
|
||||||
|
## [6.3.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.3.0) (2020-10-28)
|
||||||
|
|
||||||
|
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.2.0...6.3.0)
|
||||||
|
|
||||||
|
**Implemented enhancements:**
|
||||||
|
|
||||||
|
- Breaking change in ansible-lint - set file permissions explicitly [\#299](https://github.com/dev-sec/ansible-os-hardening/issues/299)
|
||||||
|
- Improve Documentation [\#315](https://github.com/dev-sec/ansible-os-hardening/pull/315) ([schurzi](https://github.com/schurzi))
|
||||||
|
- Arch support [\#303](https://github.com/dev-sec/ansible-os-hardening/pull/303) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- fix linting for molecule [\#301](https://github.com/dev-sec/ansible-os-hardening/pull/301) ([schurzi](https://github.com/schurzi))
|
||||||
|
- file permissions explicitly defined [\#300](https://github.com/dev-sec/ansible-os-hardening/pull/300) ([danielkubat](https://github.com/danielkubat))
|
||||||
|
|
||||||
|
**Fixed bugs:**
|
||||||
|
|
||||||
|
- Task "set 10.hardcore.conf perms to 0400 and root ownership" fails in check mode [\#313](https://github.com/dev-sec/ansible-os-hardening/issues/313)
|
||||||
|
- use touch for 10.hardcore.conf to avoid problems with dry-run [\#314](https://github.com/dev-sec/ansible-os-hardening/pull/314) ([schurzi](https://github.com/schurzi))
|
||||||
|
- use touch with no date changes [\#310](https://github.com/dev-sec/ansible-os-hardening/pull/310) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- do not touch sysctl file to avoid idempotency problems [\#309](https://github.com/dev-sec/ansible-os-hardening/pull/309) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
|
||||||
|
**Closed issues:**
|
||||||
|
|
||||||
|
- Any planned support for RHEL/CentOS 8? [\#298](https://github.com/dev-sec/ansible-os-hardening/issues/298)
|
||||||
|
|
||||||
|
**Merged pull requests:**
|
||||||
|
|
||||||
|
- prettier markdown files action added [\#322](https://github.com/dev-sec/ansible-os-hardening/pull/322) ([danielkubat](https://github.com/danielkubat))
|
||||||
|
- adjust permissions on shadow file on suse [\#311](https://github.com/dev-sec/ansible-os-hardening/pull/311) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
|
||||||
|
## [6.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.2.0) (2020-08-17)
|
||||||
|
|
||||||
|
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.1.0...6.2.0)
|
||||||
|
|
||||||
|
**Implemented enhancements:**
|
||||||
|
|
||||||
|
- Optimize and unify when clause [\#295](https://github.com/dev-sec/ansible-os-hardening/pull/295) ([Alexhha](https://github.com/Alexhha))
|
||||||
|
- use find module instead of shell [\#294](https://github.com/dev-sec/ansible-os-hardening/pull/294) ([danielkubat](https://github.com/danielkubat))
|
||||||
|
- improve testing [\#287](https://github.com/dev-sec/ansible-os-hardening/pull/287) ([schurzi](https://github.com/schurzi))
|
||||||
|
|
||||||
|
**Fixed bugs:**
|
||||||
|
|
||||||
|
- Inconsistent use of role vars/role defaults [\#284](https://github.com/dev-sec/ansible-os-hardening/issues/284)
|
||||||
|
- replace module parameter fixed [\#297](https://github.com/dev-sec/ansible-os-hardening/pull/297) ([danielkubat](https://github.com/danielkubat))
|
||||||
|
|
||||||
|
**Closed issues:**
|
||||||
|
|
||||||
|
- Consider using find module instead of shell [\#293](https://github.com/dev-sec/ansible-os-hardening/issues/293)
|
||||||
|
- Optimize logical OR in when clause [\#292](https://github.com/dev-sec/ansible-os-hardening/issues/292)
|
||||||
|
- vfat added to dev-sec.conf, but efi is used [\#288](https://github.com/dev-sec/ansible-os-hardening/issues/288)
|
||||||
|
- OpenSUSE Support [\#249](https://github.com/dev-sec/ansible-os-hardening/issues/249)
|
||||||
|
|
||||||
|
**Merged pull requests:**
|
||||||
|
|
||||||
|
- fix fedora build [\#296](https://github.com/dev-sec/ansible-os-hardening/pull/296) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- do not blacklist used filesystems [\#289](https://github.com/dev-sec/ansible-os-hardening/pull/289) ([schurzi](https://github.com/schurzi))
|
||||||
|
- move hidepid vars into defaults so theyre overwritable [\#285](https://github.com/dev-sec/ansible-os-hardening/pull/285) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
|
||||||
|
## [6.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.1.0) (2020-07-21)
|
||||||
|
|
||||||
|
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.3...6.1.0)
|
||||||
|
|
||||||
|
**Implemented enhancements:**
|
||||||
|
|
||||||
|
- Mount proc filesystem using hidepid option [\#283](https://github.com/dev-sec/ansible-os-hardening/pull/283) ([alegrey91](https://github.com/alegrey91))
|
||||||
|
|
||||||
|
**Fixed bugs:**
|
||||||
|
|
||||||
|
- Is it safe to use on Debian 10? The build is failing. [\#281](https://github.com/dev-sec/ansible-os-hardening/issues/281)
|
||||||
|
|
||||||
|
**Closed issues:**
|
||||||
|
|
||||||
|
- The state of the galaxy release [\#269](https://github.com/dev-sec/ansible-os-hardening/issues/269)
|
||||||
|
|
||||||
|
**Merged pull requests:**
|
||||||
|
|
||||||
|
- install procps in debian so sysctl.conf exists [\#282](https://github.com/dev-sec/ansible-os-hardening/pull/282) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
|
||||||
|
## [6.0.3](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.3) (2020-06-06)
|
||||||
|
|
||||||
|
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.2...6.0.3)
|
||||||
|
|
||||||
|
**Implemented enhancements:**
|
||||||
|
|
||||||
|
- unify changelog and release actions [\#279](https://github.com/dev-sec/ansible-os-hardening/pull/279) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
|
||||||
|
## [6.0.2](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.2) (2020-06-02)
|
||||||
|
|
||||||
|
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.1...6.0.2)
|
||||||
|
|
||||||
|
**Implemented enhancements:**
|
||||||
|
|
||||||
|
- purge insecure packages [\#275](https://github.com/dev-sec/ansible-os-hardening/pull/275) ([chris-rock](https://github.com/chris-rock))
|
||||||
|
|
||||||
|
## [6.0.1](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.1) (2020-05-09)
|
||||||
|
|
||||||
|
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.0...6.0.1)
|
||||||
|
|
||||||
|
**Implemented enhancements:**
|
||||||
|
|
||||||
|
- add changelog and release workflow [\#271](https://github.com/dev-sec/ansible-os-hardening/pull/271) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- github action for changelog generation [\#270](https://github.com/dev-sec/ansible-os-hardening/pull/270) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
|
||||||
|
## [6.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.0) (2020-05-05)
|
||||||
|
|
||||||
|
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.2.1...6.0.0)
|
||||||
|
|
||||||
|
**Implemented enhancements:**
|
||||||
|
|
||||||
|
- Configure audit=1 for more accurate auid auditing [\#253](https://github.com/dev-sec/ansible-os-hardening/issues/253)
|
||||||
|
- Add Debian Buster support for ansible-os-hardening [\#233](https://github.com/dev-sec/ansible-os-hardening/issues/233)
|
||||||
|
- Add CentOS 8 support for ansible-os-hardening [\#232](https://github.com/dev-sec/ansible-os-hardening/issues/232)
|
||||||
|
- Add selinux configuration [\#154](https://github.com/dev-sec/ansible-os-hardening/issues/154)
|
||||||
|
- Make useradd defaults in login.defs dependent on OS [\#266](https://github.com/dev-sec/ansible-os-hardening/pull/266) ([aisbergg](https://github.com/aisbergg))
|
||||||
|
- Add kernel hardening parameters from Tails and CIS Benchmark [\#263](https://github.com/dev-sec/ansible-os-hardening/pull/263) ([kravietz](https://github.com/kravietz))
|
||||||
|
- add ansible-lint [\#262](https://github.com/dev-sec/ansible-os-hardening/pull/262) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- Remove trailing space [\#261](https://github.com/dev-sec/ansible-os-hardening/pull/261) ([kravietz](https://github.com/kravietz))
|
||||||
|
- Add kernel parameter information to README [\#259](https://github.com/dev-sec/ansible-os-hardening/pull/259) ([jaredledvina](https://github.com/jaredledvina))
|
||||||
|
- Remove trailing whitespaces \(ansible-lint 201\) [\#254](https://github.com/dev-sec/ansible-os-hardening/pull/254) ([kravietz](https://github.com/kravietz))
|
||||||
|
- Standardize the var ordering [\#251](https://github.com/dev-sec/ansible-os-hardening/pull/251) ([dustinmiller1337](https://github.com/dustinmiller1337))
|
||||||
|
- Add intial support for OpenSUSE [\#250](https://github.com/dev-sec/ansible-os-hardening/pull/250) ([dustinmiller1337](https://github.com/dustinmiller1337))
|
||||||
|
- Make max_log_file_action for auditd configurable [\#246](https://github.com/dev-sec/ansible-os-hardening/pull/246) ([jandd](https://github.com/jandd))
|
||||||
|
- Add exception in sysctl task [\#240](https://github.com/dev-sec/ansible-os-hardening/pull/240) ([ghost](https://github.com/ghost))
|
||||||
|
- Fedora - Use new auto ansible_python_interpreter for dnf [\#239](https://github.com/dev-sec/ansible-os-hardening/pull/239) ([jaredledvina](https://github.com/jaredledvina))
|
||||||
|
- add test support for CentOS8 [\#237](https://github.com/dev-sec/ansible-os-hardening/pull/237) ([yeoldegrove](https://github.com/yeoldegrove))
|
||||||
|
- Support configuring SELinux and default to enforcing [\#236](https://github.com/dev-sec/ansible-os-hardening/pull/236) ([jaredledvina](https://github.com/jaredledvina))
|
||||||
|
- Add test support for debian buster [\#234](https://github.com/dev-sec/ansible-os-hardening/pull/234) ([123Haynes](https://github.com/123Haynes))
|
||||||
|
- Changed local var name to a less common one [\#231](https://github.com/dev-sec/ansible-os-hardening/pull/231) ([rgarrigue](https://github.com/rgarrigue))
|
||||||
|
- Use ansible facts for vars [\#226](https://github.com/dev-sec/ansible-os-hardening/pull/226) ([joshuatalb](https://github.com/joshuatalb))
|
||||||
|
|
||||||
|
**Fixed bugs:**
|
||||||
|
|
||||||
|
- /etc/login.defs alters centos 7/8 default values [\#265](https://github.com/dev-sec/ansible-os-hardening/issues/265)
|
||||||
|
- Invalid Conditionals in user_accounts.yml [\#255](https://github.com/dev-sec/ansible-os-hardening/issues/255)
|
||||||
|
- `auth-system` related files are created for non-RHEL systems \(e.g. Debian\) [\#247](https://github.com/dev-sec/ansible-os-hardening/issues/247)
|
||||||
|
- NSA website links are stale [\#227](https://github.com/dev-sec/ansible-os-hardening/issues/227)
|
||||||
|
- Running ansible on python3 throughs "TypeError: '\<=' not supported between instances of 'str' and 'int'" [\#223](https://github.com/dev-sec/ansible-os-hardening/issues/223)
|
||||||
|
- \[lots of\] deprecation warnings in Ansible 2.8 [\#221](https://github.com/dev-sec/ansible-os-hardening/issues/221)
|
||||||
|
- Add a "don't fail on error" switch ? [\#148](https://github.com/dev-sec/ansible-os-hardening/issues/148)
|
||||||
|
- Addressing issue \#255 [\#258](https://github.com/dev-sec/ansible-os-hardening/pull/258) ([ljkimmel](https://github.com/ljkimmel))
|
||||||
|
- Fix \#247, cleanup conditions [\#248](https://github.com/dev-sec/ansible-os-hardening/pull/248) ([fernandezcuesta](https://github.com/fernandezcuesta))
|
||||||
|
- Fix error on applying the sysctl vars on containers [\#243](https://github.com/dev-sec/ansible-os-hardening/pull/243) ([ghost](https://github.com/ghost))
|
||||||
|
- Update location of NSA RHEL 5 Guide [\#235](https://github.com/dev-sec/ansible-os-hardening/pull/235) ([jaredledvina](https://github.com/jaredledvina))
|
||||||
|
|
||||||
|
## [5.2.1](https://github.com/dev-sec/ansible-os-hardening/tree/5.2.1) (2019-06-09)
|
||||||
|
|
||||||
|
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.2.0...5.2.1)
|
||||||
|
|
||||||
|
**Implemented enhancements:**
|
||||||
|
|
||||||
|
- Fix deprecation warnings in Ansible 2.8 [\#224](https://github.com/dev-sec/ansible-os-hardening/pull/224) ([Normo](https://github.com/Normo))
|
||||||
|
- add docs to find-task in minimize access. fix \#219 [\#220](https://github.com/dev-sec/ansible-os-hardening/pull/220) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
|
||||||
|
**Fixed bugs:**
|
||||||
|
|
||||||
|
- `squash\_actions` deprecation warning [\#218](https://github.com/dev-sec/ansible-os-hardening/issues/218)
|
||||||
|
|
||||||
|
## [5.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/5.2.0) (2019-05-04)
|
||||||
|
|
||||||
|
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.1.0...5.2.0)
|
||||||
|
|
||||||
|
**Implemented enhancements:**
|
||||||
|
|
||||||
|
- Speed up "minimize access on found files" task [\#208](https://github.com/dev-sec/ansible-os-hardening/issues/208)
|
||||||
|
- Fedora support? [\#163](https://github.com/dev-sec/ansible-os-hardening/issues/163)
|
||||||
|
- remove eol'd OS and add new [\#217](https://github.com/dev-sec/ansible-os-hardening/pull/217) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- Add note about docker under warning [\#214](https://github.com/dev-sec/ansible-os-hardening/pull/214) ([ChrisMcKee](https://github.com/ChrisMcKee))
|
||||||
|
- change minimize access tasks to speed them up [\#209](https://github.com/dev-sec/ansible-os-hardening/pull/209) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- Added fedora support [\#206](https://github.com/dev-sec/ansible-os-hardening/pull/206) ([jonaswre](https://github.com/jonaswre))
|
||||||
|
- Pass package list directly to apt and yum modules without using with_items loop [\#200](https://github.com/dev-sec/ansible-os-hardening/pull/200) ([Normo](https://github.com/Normo))
|
||||||
|
|
||||||
|
**Fixed bugs:**
|
||||||
|
|
||||||
|
- login.defs.j2 template: ENV_PATH is missing ':' before variable substitution [\#202](https://github.com/dev-sec/ansible-os-hardening/issues/202)
|
||||||
|
- 'sysctl_rhel_config' is undefined [\#167](https://github.com/dev-sec/ansible-os-hardening/issues/167)
|
||||||
|
- RHEL 7.4: Too many setuid bits removed [\#140](https://github.com/dev-sec/ansible-os-hardening/issues/140)
|
||||||
|
- Fix typo [\#212](https://github.com/dev-sec/ansible-os-hardening/pull/212) ([ruslo](https://github.com/ruslo))
|
||||||
|
- Update modprobe to 0644 [\#211](https://github.com/dev-sec/ansible-os-hardening/pull/211) ([joshuatalb](https://github.com/joshuatalb))
|
||||||
|
- Test Kitchen Vagrant Fixes [\#210](https://github.com/dev-sec/ansible-os-hardening/pull/210) ([joshuatalb](https://github.com/joshuatalb))
|
||||||
|
- \[readme\] Update documentation link [\#207](https://github.com/dev-sec/ansible-os-hardening/pull/207) ([pmav99](https://github.com/pmav99))
|
||||||
|
- fix ansible lint remarks [\#204](https://github.com/dev-sec/ansible-os-hardening/pull/204) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- add colon to user env paths - fix \#202 [\#203](https://github.com/dev-sec/ansible-os-hardening/pull/203) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- Fix errors produced by ansible-lint [\#159](https://github.com/dev-sec/ansible-os-hardening/pull/159) ([zbrojny120](https://github.com/zbrojny120))
|
||||||
|
|
||||||
|
## [5.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/5.1.0) (2018-10-17)
|
||||||
|
|
||||||
|
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.0.0...5.1.0)
|
||||||
|
|
||||||
|
**Implemented enhancements:**
|
||||||
|
|
||||||
|
- add ubuntu 1804 support [\#196](https://github.com/dev-sec/ansible-os-hardening/pull/196) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- add option to disable auditd [\#192](https://github.com/dev-sec/ansible-os-hardening/pull/192) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
|
||||||
|
**Fixed bugs:**
|
||||||
|
|
||||||
|
- auditd causing v5.0 to fail on unpriviledged LXC's [\#191](https://github.com/dev-sec/ansible-os-hardening/issues/191)
|
||||||
|
- Setting os_security_users_allow has no effect [\#175](https://github.com/dev-sec/ansible-os-hardening/issues/175)
|
||||||
|
- add /usr/bin/su to suid_guid whitelist [\#199](https://github.com/dev-sec/ansible-os-hardening/pull/199) ([ccolic](https://github.com/ccolic))
|
||||||
|
- ensure that permissions to su-binary are not restricted to root user and group only, if os_security_users_allow contains the value change_user [\#197](https://github.com/dev-sec/ansible-os-hardening/pull/197) ([szEvEz](https://github.com/szEvEz))
|
||||||
|
|
||||||
|
## [5.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/5.0.0) (2018-09-02)
|
||||||
|
|
||||||
|
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.3.0...5.0.0)
|
||||||
|
|
||||||
|
**Implemented enhancements:**
|
||||||
|
|
||||||
|
- Warning about "include" for tasks for ansible-playbook 2.4.0 \(devel f0a5854e39\) [\#131](https://github.com/dev-sec/ansible-os-hardening/issues/131)
|
||||||
|
- fix problems with efi and vfat [\#190](https://github.com/dev-sec/ansible-os-hardening/pull/190) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- added os_hardening_enabled flag [\#186](https://github.com/dev-sec/ansible-os-hardening/pull/186) ([jcheroske](https://github.com/jcheroske))
|
||||||
|
- add amazon run opts to travis [\#183](https://github.com/dev-sec/ansible-os-hardening/pull/183) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- use package instead of yum and apt [\#180](https://github.com/dev-sec/ansible-os-hardening/pull/180) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- add oracle7 to travis [\#178](https://github.com/dev-sec/ansible-os-hardening/pull/178) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- fix wrong permissions passwdqc \#170 [\#176](https://github.com/dev-sec/ansible-os-hardening/pull/176) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- ipv4 forwarding comment is inconsistent with example [\#174](https://github.com/dev-sec/ansible-os-hardening/pull/174) ([carchrae](https://github.com/carchrae))
|
||||||
|
- Rename pam_passwdqd.j2 to pam_passwdqc.j2 [\#172](https://github.com/dev-sec/ansible-os-hardening/pull/172) ([martinbydefault](https://github.com/martinbydefault))
|
||||||
|
- Use package state 'present' since 'installed' is deprecated [\#168](https://github.com/dev-sec/ansible-os-hardening/pull/168) ([Normo](https://github.com/Normo))
|
||||||
|
- Update syntax to Ansible 2.4 [\#161](https://github.com/dev-sec/ansible-os-hardening/pull/161) ([thomasjpfan](https://github.com/thomasjpfan))
|
||||||
|
- add amazon linux testing [\#160](https://github.com/dev-sec/ansible-os-hardening/pull/160) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- Add support for Amazon Linux [\#158](https://github.com/dev-sec/ansible-os-hardening/pull/158) ([woneill](https://github.com/woneill))
|
||||||
|
- install and configure auditd - fix inspec package-08 [\#144](https://github.com/dev-sec/ansible-os-hardening/pull/144) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- Remove deprecated include for static tasks and use instead import_tasks fix \#131 [\#132](https://github.com/dev-sec/ansible-os-hardening/pull/132) ([HelioCampos](https://github.com/HelioCampos))
|
||||||
|
|
||||||
|
**Fixed bugs:**
|
||||||
|
|
||||||
|
- minimize_access: maximum recursion depth exceeded on Ansible 2.5 [\#171](https://github.com/dev-sec/ansible-os-hardening/issues/171)
|
||||||
|
- wrong permissions passwdqc [\#170](https://github.com/dev-sec/ansible-os-hardening/issues/170)
|
||||||
|
- Update deprecated `include` statements [\#166](https://github.com/dev-sec/ansible-os-hardening/issues/166)
|
||||||
|
- Strongly recommend against disabling vfat by default [\#162](https://github.com/dev-sec/ansible-os-hardening/issues/162)
|
||||||
|
- System completely unresponsive after role execution [\#145](https://github.com/dev-sec/ansible-os-hardening/issues/145)
|
||||||
|
- do not install passwdqc on amazon linux [\#189](https://github.com/dev-sec/ansible-os-hardening/pull/189) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- add back run opts for debian 8 in travis [\#184](https://github.com/dev-sec/ansible-os-hardening/pull/184) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- Fix core dump config file creation when core dumps are disabled [\#182](https://github.com/dev-sec/ansible-os-hardening/pull/182) ([Normo](https://github.com/Normo))
|
||||||
|
- change minimize access method [\#181](https://github.com/dev-sec/ansible-os-hardening/pull/181) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
|
||||||
|
## [4.3.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.3.0) (2018-01-03)
|
||||||
|
|
||||||
|
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.3.1...4.3.0)
|
||||||
|
|
||||||
|
**Implemented enhancements:**
|
||||||
|
|
||||||
|
- Update some RH settings in this role [\#155](https://github.com/dev-sec/ansible-os-hardening/issues/155)
|
||||||
|
- Removal of core dump hardening configuration if core dumps are allowed [\#129](https://github.com/dev-sec/ansible-os-hardening/issues/129)
|
||||||
|
- Don't create home for system accounts [\#156](https://github.com/dev-sec/ansible-os-hardening/pull/156) ([oakey-b1](https://github.com/oakey-b1))
|
||||||
|
- Prevent disabling of filesystems via whitelist [\#153](https://github.com/dev-sec/ansible-os-hardening/pull/153) ([manuelprinz](https://github.com/manuelprinz))
|
||||||
|
- Add kernel hardening settings from Ubuntu /etc/sysctl.d [\#150](https://github.com/dev-sec/ansible-os-hardening/pull/150) ([kravietz](https://github.com/kravietz))
|
||||||
|
- Removal of core dump hardening configuration if core dumps are allowed [\#146](https://github.com/dev-sec/ansible-os-hardening/pull/146) ([martinbydefault](https://github.com/martinbydefault))
|
||||||
|
- add missing sysctl parameter [\#143](https://github.com/dev-sec/ansible-os-hardening/pull/143) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- update readme [\#139](https://github.com/dev-sec/ansible-os-hardening/pull/139) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
|
||||||
|
**Fixed bugs:**
|
||||||
|
|
||||||
|
- bug in ufw.j2 template [\#151](https://github.com/dev-sec/ansible-os-hardening/issues/151)
|
||||||
|
- replace single ticks with double ticks. fix \#151 [\#152](https://github.com/dev-sec/ansible-os-hardening/pull/152) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- fixed tag [\#149](https://github.com/dev-sec/ansible-os-hardening/pull/149) ([martinbydefault](https://github.com/martinbydefault))
|
||||||
|
|
||||||
|
**Closed issues:**
|
||||||
|
|
||||||
|
- ansible hardening fails on ubuntu 16.04 with msg": "ERROR! 'sysctl_rhel_config' is undefined [\#147](https://github.com/dev-sec/ansible-os-hardening/issues/147)
|
||||||
|
- Enhancement: Test with TestInfra and Molecule [\#128](https://github.com/dev-sec/ansible-os-hardening/issues/128)
|
||||||
|
|
||||||
|
**Merged pull requests:**
|
||||||
|
|
||||||
|
- move defaults to os-specific vars [\#157](https://github.com/dev-sec/ansible-os-hardening/pull/157) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
|
||||||
|
## [4.3.1](https://github.com/dev-sec/ansible-os-hardening/tree/4.3.1) (2017-09-13)
|
||||||
|
|
||||||
|
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.2.0...4.3.1)
|
||||||
|
|
||||||
|
**Fixed bugs:**
|
||||||
|
|
||||||
|
- os_security_kernel_enable_sysrq is not implemented [\#115](https://github.com/dev-sec/ansible-os-hardening/issues/115)
|
||||||
|
|
||||||
|
## [4.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.2.0) (2017-08-08)
|
||||||
|
|
||||||
|
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.1.0...4.2.0)
|
||||||
|
|
||||||
|
**Implemented enhancements:**
|
||||||
|
|
||||||
|
- add modprobe template, control os-10 [\#138](https://github.com/dev-sec/ansible-os-hardening/pull/138) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- new task for delete netrc files, control os-09 [\#137](https://github.com/dev-sec/ansible-os-hardening/pull/137) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- add passwd task, control os-03 [\#136](https://github.com/dev-sec/ansible-os-hardening/pull/136) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- remove prelink package, control package-09 [\#135](https://github.com/dev-sec/ansible-os-hardening/pull/135) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- style update [\#134](https://github.com/dev-sec/ansible-os-hardening/pull/134) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- Fix ansible.cfg and use comment filter [\#130](https://github.com/dev-sec/ansible-os-hardening/pull/130) ([fazlearefin](https://github.com/fazlearefin))
|
||||||
|
|
||||||
|
**Fixed bugs:**
|
||||||
|
|
||||||
|
- Why is rsync removed? [\#141](https://github.com/dev-sec/ansible-os-hardening/issues/141)
|
||||||
|
- playbook makes OS undetectable [\#124](https://github.com/dev-sec/ansible-os-hardening/issues/124)
|
||||||
|
- Centos7/RHEL7: Exec shield is enabled by default and not manageable anymore by sysctl.conf [\#118](https://github.com/dev-sec/ansible-os-hardening/issues/118)
|
||||||
|
- Remove rsync from package blacklist [\#142](https://github.com/dev-sec/ansible-os-hardening/pull/142) ([duk3luk3](https://github.com/duk3luk3))
|
||||||
|
|
||||||
|
**Merged pull requests:**
|
||||||
|
|
||||||
|
- add more sysctl settings, allow overwriting [\#120](https://github.com/dev-sec/ansible-os-hardening/pull/120) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
- remove execshield sysctl-parameter on rhel7 [\#119](https://github.com/dev-sec/ansible-os-hardening/pull/119) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||||
|
|
||||||
|
## [4.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.1.0) (2017-06-27)
|
||||||
|
|
||||||
|
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.0.0...4.1.0)
|
||||||
|
|
||||||
|
**Fixed bugs:**
|
||||||
|
|
||||||
|
- Change system accounts not on the user provided ignore-list items are not JSON serializable [\#125](https://github.com/dev-sec/ansible-os-hardening/issues/125)
|
||||||
|
- Could not find gem 'ruby \(\>= 2.1.0\)' [\#116](https://github.com/dev-sec/ansible-os-hardening/issues/116)
|
||||||
|
- The task sysctl fails when /etc/initramfs-tools is not present [\#111](https://github.com/dev-sec/ansible-os-hardening/issues/111)
|
||||||
|
- Deprecation warning always_run [\#103](https://github.com/dev-sec/ansible-os-hardening/issues/103)
|
||||||
|
|
||||||
|
**Closed issues:**
|
||||||
|
|
||||||
|
- Enhancement: Pin python dependencies for development and testing [\#127](https://github.com/dev-sec/ansible-os-hardening/issues/127)
|
||||||
|
- Update readme to include baselines [\#122](https://github.com/dev-sec/ansible-os-hardening/issues/122)
|
||||||
|
|
||||||
|
**Merged pull requests:**
|
||||||
|
|
||||||
|
- Converts set to JSON-serializable list [\#126](https://github.com/dev-sec/ansible-os-hardening/pull/126) ([pestaa](https://github.com/pestaa))
|
||||||
|
|
||||||
|
## [4.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.0.0) (2017-03-14)
|
||||||
|
|
||||||
|
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.2.0...4.0.0)
|
||||||
|
|
||||||
|
**Implemented enhancements:**
|
||||||
|
|
||||||
|
- Description of the Ansible roles of dev-sec says "This Ansible playbook" [\#97](https://github.com/dev-sec/ansible-os-hardening/issues/97)
|
||||||
|
- install initramfs-tools [\#114](https://github.com/dev-sec/ansible-os-hardening/pull/114) ([rndmh3ro](https://github.com/rndmh3ro))
- omit empty variables [\#106](https://github.com/dev-sec/ansible-os-hardening/pull/106) ([rndmh3ro](https://github.com/rndmh3ro))
**Fixed bugs:**
- The role fails when conditionally included [\#105](https://github.com/dev-sec/ansible-os-hardening/issues/105)
**Closed issues:**
- Error running on RHEL 7 due to syntax issues [\#112](https://github.com/dev-sec/ansible-os-hardening/issues/112)
- disable password age [\#109](https://github.com/dev-sec/ansible-os-hardening/issues/109)
**Merged pull requests:**
- change shadow owner in debian systems [\#117](https://github.com/dev-sec/ansible-os-hardening/pull/117) ([rndmh3ro](https://github.com/rndmh3ro))
- Rhel7 [\#113](https://github.com/dev-sec/ansible-os-hardening/pull/113) ([tyrken](https://github.com/tyrken))
- use new Docker images [\#110](https://github.com/dev-sec/ansible-os-hardening/pull/110) ([rndmh3ro](https://github.com/rndmh3ro))
- Don’t refer to this role as "playbook" in the role description [\#104](https://github.com/dev-sec/ansible-os-hardening/pull/104) ([ypid](https://github.com/ypid))
## [3.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.2.0) (2016-10-24)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.1.0...3.2.0)
**Fixed bugs:**
- CentOS 7 selinux dependencies [\#102](https://github.com/dev-sec/ansible-os-hardening/issues/102)
- ubuntu xenial warning during activate gpg-check for yum-repos [\#99](https://github.com/dev-sec/ansible-os-hardening/issues/99)
- rhel_system_auth.j2 is still using pam_passwdqc.so for CentOS 7 [\#98](https://github.com/dev-sec/ansible-os-hardening/issues/98)
- Enable pam_pwquality in rhel-family \> 7 [\#73](https://github.com/dev-sec/ansible-os-hardening/issues/73)
- "irc" user always changed after reboot [\#53](https://github.com/dev-sec/ansible-os-hardening/issues/53)
**Merged pull requests:**
- update template [\#101](https://github.com/dev-sec/ansible-os-hardening/pull/101) ([rndmh3ro](https://github.com/rndmh3ro))
- fix deprecation warning for undefined error. \#99 [\#100](https://github.com/dev-sec/ansible-os-hardening/pull/100) ([rndmh3ro](https://github.com/rndmh3ro))
- add rhel7 pam_pwquality. fix \#73 [\#94](https://github.com/dev-sec/ansible-os-hardening/pull/94) ([rndmh3ro](https://github.com/rndmh3ro))
## [3.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.1.0) (2016-08-03)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.1...3.1.0)
## [3.1](https://github.com/dev-sec/ansible-os-hardening/tree/3.1) (2016-07-27)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.0.0...3.1)
**Implemented enhancements:**
- Supports --check mode [\#93](https://github.com/dev-sec/ansible-os-hardening/pull/93) ([conorsch](https://github.com/conorsch))
- Adds support for CentOS 7 [\#91](https://github.com/dev-sec/ansible-os-hardening/pull/91) ([conorsch](https://github.com/conorsch))
- Docker [\#90](https://github.com/dev-sec/ansible-os-hardening/pull/90) ([rndmh3ro](https://github.com/rndmh3ro))
- debian 8 support [\#88](https://github.com/dev-sec/ansible-os-hardening/pull/88) ([rndmh3ro](https://github.com/rndmh3ro))
- Ufw manage defaults [\#85](https://github.com/dev-sec/ansible-os-hardening/pull/85) ([fitz123](https://github.com/fitz123))
- replace ignore_errors to failed_when to supress ugly error warnings [\#81](https://github.com/dev-sec/ansible-os-hardening/pull/81) ([fitz123](https://github.com/fitz123))
- fix bare variables usage for loops [\#79](https://github.com/dev-sec/ansible-os-hardening/pull/79) ([fitz123](https://github.com/fitz123))
**Fixed bugs:**
- Centos 7.1 fails at \[Change various sysctl-settings on rhel-hosts...\] [\#74](https://github.com/dev-sec/ansible-os-hardening/issues/74)
- Hardening fails on Centos 7.1 at task 'minimize access' [\#71](https://github.com/dev-sec/ansible-os-hardening/issues/71)
**Closed issues:**
- Permissions on /etc/shadow can lock out GUI users [\#86](https://github.com/dev-sec/ansible-os-hardening/issues/86)
- network related sysctl rewritten by ufw in ubuntu [\#82](https://github.com/dev-sec/ansible-os-hardening/issues/82)
- ansible \>= 2.0 complains: Using bare variables is deprecated [\#78](https://github.com/dev-sec/ansible-os-hardening/issues/78)
**Merged pull requests:**
- Fix a formatting issue in readme. [\#92](https://github.com/dev-sec/ansible-os-hardening/pull/92) ([vivekagr](https://github.com/vivekagr))
- Permits overriding permissions on /etc/shadow [\#89](https://github.com/dev-sec/ansible-os-hardening/pull/89) ([conorsch](https://github.com/conorsch))
## [3.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.0.0) (2016-03-13)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/2.0.0...3.0.0)
**Implemented enhancements:**
- update platforms in meta-file [\#69](https://github.com/dev-sec/ansible-os-hardening/pull/69) ([rndmh3ro](https://github.com/rndmh3ro))
- add webhook for ansible galaxy [\#68](https://github.com/dev-sec/ansible-os-hardening/pull/68) ([rndmh3ro](https://github.com/rndmh3ro))
- Move sysctl vars to defaults [\#67](https://github.com/dev-sec/ansible-os-hardening/pull/67) ([rndmh3ro](https://github.com/rndmh3ro))
- make sys_uid and sys_gid configurable [\#62](https://github.com/dev-sec/ansible-os-hardening/pull/62) ([rndmh3ro](https://github.com/rndmh3ro))
- Ansible 2.0 support [\#59](https://github.com/dev-sec/ansible-os-hardening/pull/59) ([rndmh3ro](https://github.com/rndmh3ro))
- use inspec as test framework [\#58](https://github.com/dev-sec/ansible-os-hardening/pull/58) ([chris-rock](https://github.com/chris-rock))
- Packages as attributes [\#57](https://github.com/dev-sec/ansible-os-hardening/pull/57) ([rndmh3ro](https://github.com/rndmh3ro))
- Change categories to tags for upcoming ansible 2.0 [\#56](https://github.com/dev-sec/ansible-os-hardening/pull/56) ([rndmh3ro](https://github.com/rndmh3ro))
- Add SINGLE and PROMPT parameters. [\#55](https://github.com/dev-sec/ansible-os-hardening/pull/55) ([rndmh3ro](https://github.com/rndmh3ro))
- add changelog generator [\#54](https://github.com/dev-sec/ansible-os-hardening/pull/54) ([chris-rock](https://github.com/chris-rock))
**Fixed bugs:**
- Updates "tags" parameters on includes in main.yml [\#66](https://github.com/dev-sec/ansible-os-hardening/pull/66) ([conorsch](https://github.com/conorsch))
- Suid set def var, fix \#64 [\#63](https://github.com/dev-sec/ansible-os-hardening/pull/63) ([rndmh3ro](https://github.com/rndmh3ro))
**Closed issues:**
- Hardening fails on Centos 7.1 at task 'remove suid/sgid bit from all binaries except in system and user whitelist' [\#72](https://github.com/dev-sec/ansible-os-hardening/issues/72)
- ansible 2.0 | "remove suid/sgid" task fails [\#64](https://github.com/dev-sec/ansible-os-hardening/issues/64)
- Custom sysctl [\#50](https://github.com/dev-sec/ansible-os-hardening/issues/50)
**Merged pull requests:**
- Release 3.0.0 [\#75](https://github.com/dev-sec/ansible-os-hardening/pull/75) ([rndmh3ro](https://github.com/rndmh3ro))
## [2.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/2.0.0) (2015-11-28)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/1.0.0...2.0.0)
**Closed issues:**
- Fix directory structure. [\#48](https://github.com/dev-sec/ansible-os-hardening/issues/48)
- pam auth update error [\#47](https://github.com/dev-sec/ansible-os-hardening/issues/47)
**Merged pull requests:**
- Add explicit role-path to kitchen.yml [\#52](https://github.com/dev-sec/ansible-os-hardening/pull/52) ([rndmh3ro](https://github.com/rndmh3ro))
- Fix pam passwdqc template [\#51](https://github.com/dev-sec/ansible-os-hardening/pull/51) ([rndmh3ro](https://github.com/rndmh3ro))
- New dir layout [\#49](https://github.com/dev-sec/ansible-os-hardening/pull/49) ([rndmh3ro](https://github.com/rndmh3ro))
- remove duplicate "update pam" task [\#46](https://github.com/dev-sec/ansible-os-hardening/pull/46) ([fitz123](https://github.com/fitz123))
- Fix stuck in case pam files was updated before by force update [\#45](https://github.com/dev-sec/ansible-os-hardening/pull/45) ([fitz123](https://github.com/fitz123))
- Fix nologin shell path [\#44](https://github.com/dev-sec/ansible-os-hardening/pull/44) ([fitz123](https://github.com/fitz123))
- improved travis-tests to cover more cases [\#42](https://github.com/dev-sec/ansible-os-hardening/pull/42) ([rndmh3ro](https://github.com/rndmh3ro))
## [1.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/1.0.0) (2015-09-01)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/06d1464e95cad7ccc24734b934a158b16dfc5014...1.0.0)
**Closed issues:**
- ansible-os-hardening/tasks/minimize_access.yml [\#38](https://github.com/dev-sec/ansible-os-hardening/issues/38)
- Role configuration. vars/main.yml? [\#34](https://github.com/dev-sec/ansible-os-hardening/issues/34)
- Sysctl reloading [\#18](https://github.com/dev-sec/ansible-os-hardening/issues/18)
- Add conditions for disabling of ip forwarding [\#15](https://github.com/dev-sec/ansible-os-hardening/issues/15)
- Disable System Accounts [\#6](https://github.com/dev-sec/ansible-os-hardening/issues/6)
**Merged pull requests:**
- Update kitchen-ansible, remove separate debian install [\#40](https://github.com/dev-sec/ansible-os-hardening/pull/40) ([rndmh3ro](https://github.com/rndmh3ro))
- Add mode to su-binary task. Fix \#38 [\#39](https://github.com/dev-sec/ansible-os-hardening/pull/39) ([rndmh3ro](https://github.com/rndmh3ro))
- update common kitchen.yml platforms \(ansible\), kitchen_debian.yml platforms \(ansible\) [\#37](https://github.com/dev-sec/ansible-os-hardening/pull/37) ([chris-rock](https://github.com/chris-rock))
- Change oneliner if-statements to be more readable [\#36](https://github.com/dev-sec/ansible-os-hardening/pull/36) ([rndmh3ro](https://github.com/rndmh3ro))
- Separate system-vars from editable vars. Fix \#34 [\#35](https://github.com/dev-sec/ansible-os-hardening/pull/35) ([rndmh3ro](https://github.com/rndmh3ro))
- Create limits.d-directory if it does not exist. [\#33](https://github.com/dev-sec/ansible-os-hardening/pull/33) ([rndmh3ro](https://github.com/rndmh3ro))
- Add correct CONTRIB-file [\#32](https://github.com/dev-sec/ansible-os-hardening/pull/32) ([rndmh3ro](https://github.com/rndmh3ro))
- Add Ansible Galaxy badge [\#31](https://github.com/dev-sec/ansible-os-hardening/pull/31) ([rndmh3ro](https://github.com/rndmh3ro))
- Update readme, todo, changelog, vars [\#30](https://github.com/dev-sec/ansible-os-hardening/pull/30) ([rndmh3ro](https://github.com/rndmh3ro))
- List-cleanup and follow symlinks added [\#29](https://github.com/dev-sec/ansible-os-hardening/pull/29) ([rndmh3ro](https://github.com/rndmh3ro))
- Add module configuration [\#28](https://github.com/dev-sec/ansible-os-hardening/pull/28) ([rndmh3ro](https://github.com/rndmh3ro))
- Fix two sysctl-settings [\#27](https://github.com/dev-sec/ansible-os-hardening/pull/27) ([rndmh3ro](https://github.com/rndmh3ro))
- Add meta-files for Ansible Galaxy [\#26](https://github.com/dev-sec/ansible-os-hardening/pull/26) ([rndmh3ro](https://github.com/rndmh3ro))
- Disable System Accounts. Fix \#6 [\#25](https://github.com/dev-sec/ansible-os-hardening/pull/25) ([rndmh3ro](https://github.com/rndmh3ro))
- Use changed_when to avoid changed tasks [\#24](https://github.com/dev-sec/ansible-os-hardening/pull/24) ([rndmh3ro](https://github.com/rndmh3ro))
- Delete authconfig-task on rhel-systems [\#23](https://github.com/dev-sec/ansible-os-hardening/pull/23) ([rndmh3ro](https://github.com/rndmh3ro))
- Add missing rhosts-include task [\#21](https://github.com/dev-sec/ansible-os-hardening/pull/21) ([rndmh3ro](https://github.com/rndmh3ro))
- Change sysctl-task. Fix \#18 [\#20](https://github.com/dev-sec/ansible-os-hardening/pull/20) ([rndmh3ro](https://github.com/rndmh3ro))
- Add travis-support [\#17](https://github.com/dev-sec/ansible-os-hardening/pull/17) ([rndmh3ro](https://github.com/rndmh3ro))
- Add conditions for various tasks. Fix \#15 [\#16](https://github.com/dev-sec/ansible-os-hardening/pull/16) ([rndmh3ro](https://github.com/rndmh3ro))
- fix configuration of playbook path [\#14](https://github.com/dev-sec/ansible-os-hardening/pull/14) ([chris-rock](https://github.com/chris-rock))
- Make tasks clearer [\#13](https://github.com/dev-sec/ansible-os-hardening/pull/13) ([rndmh3ro](https://github.com/rndmh3ro))
- Add remove suid/sgid function [\#12](https://github.com/dev-sec/ansible-os-hardening/pull/12) ([rndmh3ro](https://github.com/rndmh3ro))
- Add task to remove unused repos and pkgs [\#11](https://github.com/dev-sec/ansible-os-hardening/pull/11) ([rndmh3ro](https://github.com/rndmh3ro))
- Edit README to fit to os-hardening [\#10](https://github.com/dev-sec/ansible-os-hardening/pull/10) ([rndmh3ro](https://github.com/rndmh3ro))
- ignore RAs on Ipv6 [\#9](https://github.com/dev-sec/ansible-os-hardening/pull/9) ([rndmh3ro](https://github.com/rndmh3ro))
- Repair debian install script [\#8](https://github.com/dev-sec/ansible-os-hardening/pull/8) ([rndmh3ro](https://github.com/rndmh3ro))
- Separate tasks into multiple smaller files [\#7](https://github.com/dev-sec/ansible-os-hardening/pull/7) ([rndmh3ro](https://github.com/rndmh3ro))
- Enable gpg-check on all yum-repositories [\#5](https://github.com/dev-sec/ansible-os-hardening/pull/5) ([rndmh3ro](https://github.com/rndmh3ro))
- Change playbook-path to accomodate test-repo [\#4](https://github.com/dev-sec/ansible-os-hardening/pull/4) ([rndmh3ro](https://github.com/rndmh3ro))
- treat securetty config as an array [\#3](https://github.com/dev-sec/ansible-os-hardening/pull/3) ([arlimus](https://github.com/arlimus))
- Add Securetty-support [\#2](https://github.com/dev-sec/ansible-os-hardening/pull/2) ([rndmh3ro](https://github.com/rndmh3ro))
- Add profile.conf configuration [\#1](https://github.com/dev-sec/ansible-os-hardening/pull/1) ([rndmh3ro](https://github.com/rndmh3ro))
\* _This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)_
@ -1,8 +1,10 @@
# os-hardening (Ansible Role)
# devsec.os_hardening
[![Build Status](http://img.shields.io/travis/dev-sec/ansible-os-hardening.svg)][1]
![devsec.os_hardening](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.os_hardening/badge.svg)
[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][2]
[![Ansible Galaxy](https://img.shields.io/badge/galaxy-os--hardening-660198.svg)][3]
## Looking for the old ansible-os-hardening role?
This role is now part of the hardening-collection. You can find the old role in the branch `legacy`.
## Description
## Description
@ -10,183 +12,231 @@ This role provides numerous security-related configurations, providing all-round
It configures:
It configures:
* Configures package management e.g. allows only signed packages
- Remove unused yum repositories and enable GPG key-checking
* Remove packages with known issues
- Remove packages with known issues
* Configures `pam` and `pam_limits` module
- Configures pam for strong password checks
* Shadow password suite configuration
- Installs and configures auditd
* Configures system path permissions
- Disable core dumps via soft limits
* Disable core dumps via soft limits
- sets a restrictive umask
* Restrict Root Logins to System Console
- Configures execute permissions of files in system paths
* Set SUIDs
- Hardens access to shadow and passwd files
* Configures kernel parameters via sysctl
- Disables unused filesystems
- Disables rhosts
- Configures secure ttys
- Configures kernel parameters via sysctl
- Enables selinux on EL-based systems
- Remove SUIDs and GUIDs
- Configures login and passwords of system accounts
It will not:
It will not:
* Update system packages
- Update system packages
* Install security patches
- Install security patches
## Requirements
## Requirements
* Ansible 2.5.0
- Ansible 2.9.0
## Warning
## Known Limitations
If you're using inspec to test your machines after applying this role, please make sure to add the connecting user to the `os_ignore_users`-variable.
### Docker support
Otherwise inspec will fail. For more information, see [issue #124](https://github.com/dev-sec/ansible-os-hardening/issues/124).
## Variables
If you're using Docker / Kubernetes+Docker you'll need to override the ipv4 ip forward sysctl setting.
| Name | Default Value | Description |
```yaml
| -------------- | ------------- | -----------------------------------|
- hosts: localhost
| `os_desktop_enable`| false | true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc|
collections:
| `os_env_extra_user_paths`| [] | add additional paths to the user's `PATH` variable (default is empty).|
- devsec.hardening
| `os_env_umask`| 027| set default permissions for new files to `750` |
| `os_auth_pw_max_age`| 60 | maximum password age (set to `99999` to effectively disable it) |
| `os_auth_pw_min_age`| 7 | minimum password age (before allowing any other password change)|
| `os_auth_retries`| 5 | the maximum number of authentication attempts, before the account is locked for some time|
| `os_auth_lockout_time`| 600 | time in seconds that needs to pass, if the account was locked due to too many failed authentication attempts|
| `os_auth_timeout`| 60 | authentication timeout in seconds, so login will exit if this time passes|
| `os_auth_allow_homeless`| false | true if to allow users without home to login|
| `os_auth_pam_passwdqc_enable`| true | true if you want to use strong password checking in PAM using passwdqc|
| `os_auth_pam_passwdqc_options`| "min=disabled,disabled,16,12,8" | set to any option line (as a string) that you want to pass to passwdqc|
| `os_security_users_allow`| [] | list of things, that a user is allowed to do. May contain `change_user`.
| `os_security_kernel_enable_module_loading`| true | true if you want to allowed to change kernel modules once the system is running (eg `modprobe`, `rmmod`)|
| `os_security_kernel_enable_core_dump`| false | kernel is crashing or otherwise misbehaving and a kernel core dump is created |
| `os_security_suid_sgid_enforce`| true | true if you want to reduce SUID/SGID bits. There is already a list of items which are searched for configured, but you can also add your own|
| `os_security_suid_sgid_blacklist`| [] | a list of paths which should have their SUID/SGID bits removed|
| `os_security_suid_sgid_whitelist`| [] | a list of paths which should not have their SUID/SGID bits altered|
| `os_security_suid_sgid_remove_from_unknown`| false | true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.|
| `os_security_packages_clean'`| true | removes packages with known issues. See section packages.|
| `ufw_manage_defaults` | true | true means apply all settings with `ufw_` prefix|
| `ufw_ipt_sysctl` | '' | by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example `/etc/ufw/sysctl.conf`
| `ufw_default_input_policy` | DROP | set default input policy of ufw to `DROP` |
| `ufw_default_output_policy` | ACCEPT | set default output policy of ufw to `ACCEPT` |
| `ufw_default_forward_policy` | DROP| set default forward policy of ufw to `DROP` |
## Packages
We remove the following packages:
* xinetd ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.1)
* inetd ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.1)
* tftp-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.5)
* ypserv ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.4)
* telnet-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.2)
* rsh-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.3)
* prelink ([open-scap](https://static.open-scap.org/ssg-guides/ssg-sl7-guide-ospp-rhel7-server.html#xccdf_org.ssgproject.content_rule_disable_prelink))
## Disabled filesystems
We disable the following filesystems, because they're most likely not used:
* "cramfs"
* "freevxfs"
* "jffs2"
* "hfs"
* "hfsplus"
* "squashfs"
* "udf"
* "vfat"
To prevent some of the filesystems from being disabled, add them to the `os_filesystem_whitelist` variable.
## Example Playbook
- hosts: localhost
roles:
roles:
- dev-sec.os-hardening
- devsec.hardening.os_hardening
## Changing sysctl variables
If you want to override sysctl-variables, you can use the `sysctl_overwrite` variable (in older versions you had to override the whole `sysctl_dict`).
+So for example if you want to change the IPv4 traffic forwarding variable to `1`, do it like this:
```
- hosts: localhost
roles:
- dev-sec.os-hardening
vars:
vars:
sysctl_overwrite:
sysctl_overwrite:
# Enable IPv4 traffic forwarding.
# Enable IPv4 traffic forwarding.
net.ipv4.ip_forward: 1
net.ipv4.ip_forward: 1
```
```
Alternatively you can change Ansible's [hash-behaviour](https://docs.ansible.com/ansible/intro_configuration.html#hash-behaviour) to `merge`, then you only have to overwrite the single hash you need to. But please be aware that changing the hash-behaviour changes it for all your playbooks and is not recommended by Ansible.
### sysctl - vm.mmap_rnd_bits
## Local Testing
We are setting this sysctl to a default of `32`, some systems only support smaller values and this will generate an error. Unfortunately we cannot determine the correct applicable maximum. If you encounter this error you have to override this sysctl in your playbook.
The preferred way of locally testing the role is to use Docker. You will have to install Docker on your system. See [Get started](https://docs.docker.com/) for a Docker package suitable to for your system.
```yaml
- hosts: localhost
You can also use vagrant and Virtualbox or VMWare to run tests locally. You will have to install Virtualbox and Vagrant on your system. See [Vagrant Downloads](http://downloads.vagrantup.com/) for a vagrant package suitable for your system. For all our tests we use `test-kitchen`. If you are not familiar with `test-kitchen` please have a look at [their guide](http://kitchen.ci/docs/getting-started).
collections:
- devsec.hardening
Next install test-kitchen:
roles:
- devsec.hardening.os_hardening
```bash
vars:
# Install dependencies
sysctl_overwrite:
gem install bundler
vm.mmap_rnd_bits: 16
bundle install
```
```
### Testing with Docker
### Testing with inspec
```
# fast test on one machine
bundle exec kitchen test default-ubuntu-1404
# test on all machines
If you're using inspec to test your machines after applying this role, please make sure to add the connecting user to the `os_ignore_users`-variable.
bundle exec kitchen test
Otherwise inspec will fail. For more information, see [issue #124](https://github.com/dev-sec/ansible-os-hardening/issues/124).
# for development
We know that this is the case on Raspberry Pi.
bundle exec kitchen create default-ubuntu-1404
bundle exec kitchen converge default-ubuntu-1404
## Variables
- `os_desktop_enable`
- Default: `false`
- Description: true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc
- `os_env_extra_user_paths`
- Default: `[]`
- Description: add additional paths to the user's `PATH` variable (default is empty).
- `os_env_umask`
- Default: `027`
- Description: set default permissions for new files to `750`
- `os_auth_pw_max_age`
- Default: `60`
- Description: maximum password age (set to `99999` to effectively disable it)
- `os_auth_pw_min_age`
- Default: `7`
- Description: minimum password age (before allowing any other password change)
- `os_auth_retries`
- Default: `5`
- Description: the maximum number of authentication attempts, before the account is locked for some time
- `os_auth_lockout_time`
- Default: `600`
- Description: time in seconds that needs to pass, if the account was locked due to too many failed authentication attempts
- `os_auth_timeout`
- Default: `60`
- Description: authentication timeout in seconds, so login will exit if this time passes
- `os_auth_allow_homeless`
- Default: `false`
- Description: true if to allow users without home to login
- `os_auth_pam_passwdqc_enable`
- Default: `true`
- Description: true if you want to use strong password checking in PAM using passwdqc
- `os_auth_pam_passwdqc_options`
- Default: `min=disabled,disabled,16,12,8`
- Description: set to any option line (as a string) that you want to pass to passwdqc
- `os_security_users_allow`
- Default: `[]`
- Description: list of things, that a user is allowed to do. May contain `change_user`.
- `os_security_kernel_enable_module_loading`
- Default: `true`
- Description: true if you want to allowed to change kernel modules once the system is running (eg `modprobe`, `rmmod`)
- `os_security_kernel_enable_core_dump`
- Default: `false`
- Description: kernel is crashing or otherwise misbehaving and a kernel core dump is created
- `os_security_suid_sgid_enforce`
- Default: `true`
- Description: true if you want to reduce SUID/SGID bits. There is already a list of items which are searched for configured, but you can also add your own
- `os_security_suid_sgid_blacklist`
- Default: `[]`
- Description: a list of paths which should have their SUID/SGID bits removed
- `os_security_suid_sgid_whitelist`
- Default: `[]`
- Description: a list of paths which should not have their SUID/SGID bits altered
- `os_security_suid_sgid_remove_from_unknown`
- Default: `false`
- Description: true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.
- `os_security_packages_clean`
- Default: `true`
- Description: removes packages with known issues. See section packages.
- `os_selinux_state`
- Default: `enforcing`
- Description: Set the SELinux state, can be either disabled, permissive, or enforcing.
- `os_selinux_policy`
- Default: `targeted`
- Description: Set the SELinux polixy.
- `ufw_manage_defaults`
- Default: `true`
- Description: true means apply all settings with `ufw_` prefix
- `ufw_ipt_sysctl`
- Default: `''`
- Description: by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example `/etc/ufw/sysctl.conf`
- `ufw_default_input_policy`
- Default: `DROP`
- Description: set default input policy of ufw to `DROP`
- `ufw_default_output_policy`
- Default: `ACCEPT`
- Description: set default output policy of ufw to `ACCEPT`
- `ufw_default_forward_policy`
- Default: `DROP`
- Description: set default forward policy of ufw to `DROP`
- `os_auditd_enabled`
- Default: `true`
- Description: Set to false to disable installing and configuring auditd.
- `os_auditd_max_log_file_action`
- Default: `keep_logs`
- Description: Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`.
- `hidepid_option`
- Default: `2`
|
||||||
|
- Description: `0`: This is the default setting and gives you the default behaviour. `1`: With this option an normal user would not see other processes but their own about ps, top etc, but he is still able to see process IDs in /proc. `2`: Users are only able too see their own processes (like with hidepid=1), but also the other process IDs are hidden for them in /proc.
|
||||||
|
- `proc_mnt_options`
|
||||||
|
- Default: `rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}`
|
||||||
|
- Description: Mount proc with hardenized options, including `hidepid` with variable value.
|
## Packages
We remove the following packages:
|
||||||
|
|
||||||
|
- xinetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1)
|
||||||
|
- inetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1)
|
||||||
|
- tftp-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.5)
|
||||||
|
- ypserv ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.4)
|
||||||
|
- telnet-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.2)
|
||||||
|
- rsh-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.3)
|
||||||
|
- prelink ([open-scap](https://static.open-scap.org/ssg-guides/ssg-sl7-guide-ospp-rhel7-server.html#xccdf_org.ssgproject.content_rule_disable_prelink))
|
||||||
|
|
||||||
|
## Disabled filesystems
|
||||||
|
|
||||||
|
We disable the following filesystems, because they're most likely not used:
|
||||||
|
|
||||||
|
- "cramfs"
|
||||||
|
- "freevxfs"
|
||||||
|
- "jffs2"
|
||||||
|
- "hfs"
|
||||||
|
- "hfsplus"
|
||||||
|
- "squashfs"
|
||||||
|
- "udf"
|
||||||
|
- "vfat" # only if uefi is not in use
|
||||||
|
|
||||||
|
To prevent some of the filesystems from being disabled, add them to the `os_filesystem_whitelist` variable.
|
||||||
|
|
||||||
|
## Example Playbook
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
- hosts: localhost
|
||||||
|
collections:
|
||||||
|
- devsec.hardening
|
||||||
|
roles:
|
||||||
|
- devsec.hardening.os_hardening
|
||||||
```
|
```
|
||||||
|
|
||||||
### Testing with Virtualbox
|
## Changing sysctl variables
|
||||||
|
|
||||||
|
If you want to override sysctl-variables, you can use the `sysctl_overwrite` variable (in older versions you had to override the whole `sysctl_dict`).
|
||||||
|
So for example if you want to change the IPv4 traffic forwarding variable to `1`, do it like this:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
- hosts: localhost
|
||||||
|
collections:
|
||||||
|
- devsec.hardening
|
||||||
|
roles:
|
||||||
|
- devsec.hardening.os_hardening
|
||||||
|
vars:
|
||||||
|
sysctl_overwrite:
|
||||||
|
# Enable IPv4 traffic forwarding.
|
||||||
|
net.ipv4.ip_forward: 1
|
||||||
```
|
```
|
||||||
# fast test on one machine
|
|
||||||
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test default-ubuntu-1404
|
|
||||||
|
|
||||||
# test on all machines
|
Alternatively you can change Ansible's [hash-behaviour](https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-hash-behaviour) to `merge`, then you only have to overwrite the single hash you need to. But please be aware that changing the hash-behaviour changes it for all your playbooks and is not recommended by Ansible.
|
||||||
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test
|
|
||||||
|
|
||||||
# for development
|
## Improving Kernel Audit logging
|
||||||
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen create default-ubuntu-1404
|
|
||||||
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen converge default-ubuntu-1404
|
|
||||||
```
|
|
||||||
For more information see [test-kitchen](http://kitchen.ci/docs/getting-started)
|
|
||||||
|
|
||||||
## Contributors + Kudos
|
By default, any process that starts before the `auditd` daemon will have an AUID of `4294967295`. To improve this and provide more accurate logging, it's recommended to add the kernel boot parameter `audit=1` to you configuration. Without doing this, you will find that your `auditd` logs fail to properly audit all processes.
|
||||||
|
|
||||||
...
|
For more information, please see this [upstream documentation](https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html) and your system's boot loader documentation for how to configure additional kernel parameters.
|
||||||
|
|
||||||
|
## More information
|
||||||
|
|
||||||
This role is mostly based on guides by:
|
This role is mostly based on guides by:
|
||||||
|
|
||||||
* [Arch Linux wiki, Sysctl hardening](https://wiki.archlinux.org/index.php/Sysctl)
|
- [Arch Linux wiki, Sysctl hardening](https://wiki.archlinux.org/index.php/Sysctl)
|
||||||
* [NSA: Guide to the Secure Configuration of Red Hat Enterprise Linux 5](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf)
|
- [NSA: Guide to the Secure Configuration of Red Hat Enterprise Linux 5](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf)
|
||||||
* [Ubuntu Security/Features](https://wiki.ubuntu.com/Security/Features)
|
- [Ubuntu Security/Features](https://wiki.ubuntu.com/Security/Features)
|
||||||
* [Deutsche Telekom, Group IT Security, Security Requirements (German)](https://www.telekom.com/psa)
|
- [Deutsche Telekom, Group IT Security, Security Requirements (German)](https://www.telekom.com/psa)
|
||||||
|
|
||||||
Thanks to all of you!
|
|
||||||
## Contributing
|
|
||||||
|
|
||||||
See [contributor guideline](CONTRIBUTING.md).
|
|
||||||
|
|
||||||
## License and Author
|
|
||||||
|
|
||||||
* Author:: Sebastian Gumprich
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
|
|
||||||
|
|
||||||
[1]: http://travis-ci.org/dev-sec/ansible-os-hardening
|
|
||||||
[2]: https://gitter.im/dev-sec/general
|
|
||||||
[3]: https://galaxy.ansible.com/dev-sec/os-hardening
|
|
||||||
@ -1,3 +1,4 @@
|
||||||
|
---
|
||||||
os_desktop_enable: false
|
os_desktop_enable: false
|
||||||
os_env_extra_user_paths: []
|
os_env_extra_user_paths: []
|
||||||
os_auth_pw_max_age: 60
|
os_auth_pw_max_age: 60
|
||||||
|
@ -27,7 +28,7 @@ os_security_suid_sgid_remove_from_unknown: false
|
||||||
|
|
||||||
# remove packages with known issues
|
# remove packages with known issues
|
||||||
os_security_packages_clean: true
|
os_security_packages_clean: true
|
||||||
os_security_packages_list: ['xinetd','inetd','ypserv','telnet-server','rsh-server', 'prelink']
|
os_security_packages_list: ['xinetd', 'inetd', 'ypserv', 'telnet-server', 'rsh-server', 'prelink']
|
||||||
|
|
||||||
# Allow interactive startup (rhel, centos)
|
# Allow interactive startup (rhel, centos)
|
||||||
os_security_init_prompt: true
|
os_security_init_prompt: true
|
||||||
|
@ -175,17 +176,6 @@ sysctl_config:
|
||||||
|
|
||||||
kernel.core_uses_pid: 1
|
kernel.core_uses_pid: 1
|
||||||
|
|
||||||
# When an attacker is trying to exploit the local kernel, it is often
|
|
||||||
# helpful to be able to examine where in memory the kernel, modules,
|
|
||||||
# and data structures live. As such, kernel addresses should be treated
|
|
||||||
# as sensitive information.
|
|
||||||
#
|
|
||||||
# Many files and interfaces contain these addresses (e.g. /proc/kallsyms,
|
|
||||||
# /proc/modules, etc), and this setting can censor the addresses. A value
|
|
||||||
# of "0" allows all users to see the kernel addresses. A value of "1"
|
|
||||||
# limits visibility to the root user, and "2" blocks even the root user.
|
|
||||||
kernel.kptr_restrict: 1
|
|
||||||
|
|
||||||
# The PTRACE system is used for debugging. With it, a single user process
|
# The PTRACE system is used for debugging. With it, a single user process
|
||||||
# can attach to any other dumpable process owned by the same user. In the
|
# can attach to any other dumpable process owned by the same user. In the
|
||||||
# case of malicious software, it is possible to use PTRACE to access
|
# case of malicious software, it is possible to use PTRACE to access
|
||||||
|
@ -226,9 +216,40 @@ sysctl_config:
|
||||||
fs.protected_hardlinks: 1
|
fs.protected_hardlinks: 1
|
||||||
fs.protected_symlinks: 1
|
fs.protected_symlinks: 1
|
||||||
|
|
||||||
|
# These settings are set to the maximum supported value in order to
|
||||||
|
# improve ASLR effectiveness for mmap, at the cost of increased
|
||||||
|
# address-space fragmentation. | Tail-1
|
||||||
|
vm.mmap_rnd_bits: 32
|
||||||
|
vm.mmap_rnd_compat_bits: 16
|
||||||
|
|
||||||
|
# When an attacker is trying to exploit the local kernel, it is often
|
||||||
|
# helpful to be able to examine where in memory the kernel, modules,
|
||||||
|
# and data structures live. As such, kernel addresses should be treated
|
||||||
|
# as sensitive information.
|
||||||
|
#
|
||||||
|
# Many files and interfaces contain these addresses (e.g. /proc/kallsyms,
|
||||||
|
# /proc/modules, etc), and this setting can censor the addresses. A value
|
||||||
|
# of "0" allows all users to see the kernel addresses. A value of "1"
|
||||||
|
# limits visibility to the root user, and "2" blocks even the root user.
|
||||||
|
#
|
||||||
|
# Some off-the-shelf malware exploit kernel addresses exposed
|
||||||
|
# via /proc/kallsyms so by not making these addresses easily available
|
||||||
|
# we increase the cost of such attack some what; now such malware has
|
||||||
|
# to check which kernel Tails is running and then fetch the corresponding
|
||||||
|
# kernel address map from some external source. This is not hard,
|
||||||
|
# but certainly not all malware has such functionality. | Tails-2
|
||||||
|
kernel.kptr_restrict: 2
|
||||||
|
|
||||||
|
# kexec is dangerous: it enables replacement of the running kernel. | Tails-3
|
||||||
|
kernel.kexec_load_disabled: 1
|
||||||
|
|
||||||
# Do not delete the following line or otherwise the playbook will fail
|
# Do not delete the following line or otherwise the playbook will fail
|
||||||
# at task 'create a combined sysctl-dict if overwrites are defined'
|
# at task 'create a combined sysctl-dict if overwrites are defined'
|
||||||
sysctl_overwrite:
|
sysctl_overwrite:
|
||||||
|
net.ipv4.ip_forward: 1
|
||||||
|
net.bridge.bridge-nf-call-iptables: 1
|
||||||
|
net.bridge.bridge-nf-call-ip6tables: 1
|
||||||
|
net.bridge.bridge-nf-call-arptables: 1
|
||||||
|
|
||||||
# disable unused filesystems
|
# disable unused filesystems
|
||||||
os_unused_filesystems:
|
os_unused_filesystems:
|
||||||
|
@ -240,6 +261,12 @@ os_unused_filesystems:
|
||||||
- "squashfs"
|
- "squashfs"
|
||||||
- "udf"
|
- "udf"
|
||||||
- "vfat"
|
- "vfat"
|
||||||
|
# Obsolete network protocols that should be disabled
|
||||||
|
# per CIS Oracle Linux 6 Benchmark (2016)
|
||||||
|
- "tipc" # CIS 3.5.4
|
||||||
|
- "sctp" # CIS 3.5.2
|
||||||
|
- "dccp" # CIS 3.5.1
|
||||||
|
- "rds" # CIS 3.5.3
|
||||||
|
|
||||||
# whitelist for used filesystems
|
# whitelist for used filesystems
|
||||||
os_filesystem_whitelist: []
|
os_filesystem_whitelist: []
|
||||||
|
@ -247,3 +274,15 @@ os_filesystem_whitelist: []
|
||||||
# Set to false to turn the role into a no-op. Useful when using
|
# Set to false to turn the role into a no-op. Useful when using
|
||||||
# the Ansible role dependency mechanism.
|
# the Ansible role dependency mechanism.
|
||||||
os_hardening_enabled: true
|
os_hardening_enabled: true
|
||||||
|
|
||||||
|
# Set to false to disable installing and configuring auditd.
|
||||||
|
os_auditd_enabled: false
|
||||||
|
os_auditd_max_log_file_action: keep_logs
|
||||||
|
|
||||||
|
# Set the SELinux state, can be either disabled, permissive, or enforcing.
|
||||||
|
os_selinux_state: disabled
|
||||||
|
# Set the SELinux polixy.
|
||||||
|
os_selinux_policy: targeted
|
||||||
|
|
||||||
|
hidepid_option: '2' # allowed values: 0, 1, 2
|
||||||
|
proc_mnt_options: 'rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}'
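Review bot: The defaults added in the last hunk disagree with the README shipped in this same commit without saying why: `os_auditd_enabled: false` where the README documents `true`, and `os_selinux_state: disabled` where it documents `enforcing`. Since tasks/hardening.yml now imports selinux.yml only when `ansible_facts.selinux.status == 'enabled'`, the `disabled` default appears to make a hardening run turn SELinux off on hosts that currently enforce it; if that is deliberate, record it above the key, e.g. `# kubeasz deviation: upstream default is enforcing; disabled here because <reason>`, otherwise keep `permissive` or `enforcing` and document the override. The copied comment `# Set the SELinux polixy.` carries the upstream typo ('policy'). `hidepid_option: '2'` is a string while the README lists the allowed values as integers; it is only ever interpolated into `proc_mnt_options`, so this is harmless but worth a word in the trailing comment.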
@ -0,0 +1,3 @@
|
||||||
|
---
|
||||||
|
- name: update-initramfs
|
||||||
|
command: 'update-initramfs -u'
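Review bot: The new `update-initramfs` handler is Debian/Ubuntu-specific — `update-initramfs` does not exist on RedHat-family hosts, which rebuild the initrd with dracut — and the handler has no `when` guard. The tasks that notify it are outside this chunk, so this only bites if one of them can run on EL hosts; if so, add `when: ansible_facts.os_family == 'Debian'` to the handler (or a dracut sibling) and note the platform limitation in a comment above it.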
@ -1,25 +1,28 @@
|
||||||
---
|
---
|
||||||
galaxy_info:
|
galaxy_info:
|
||||||
author: "Sebastian Gumprich"
|
author: "Sebastian Gumprich"
|
||||||
description: 'This Ansible role provides numerous security-related configurations, providing all-round base protection.'
|
description: 'This Ansible role provides numerous security-related ssh configurations, providing all-round base protection.'
|
||||||
company: Hardening Framework Team
|
company: Hardening Framework Team
|
||||||
license: Apache License 2.0
|
license: Apache License 2.0
|
||||||
min_ansible_version: '2.5'
|
min_ansible_version: '2.5'
|
||||||
platforms:
|
platforms:
|
||||||
- name: EL
|
- name: EL
|
||||||
versions:
|
versions:
|
||||||
- 6
|
|
||||||
- 7
|
- 7
|
||||||
|
- 8
|
||||||
- name: Ubuntu
|
- name: Ubuntu
|
||||||
versions:
|
versions:
|
||||||
- precise
|
|
||||||
- trusty
|
|
||||||
- xenial
|
- xenial
|
||||||
|
- bionic
|
||||||
- name: Debian
|
- name: Debian
|
||||||
versions:
|
versions:
|
||||||
- wheezy
|
- stretch
|
||||||
- jessie
|
- buster
|
||||||
- name: Amazon
|
- name: Amazon
|
||||||
|
- name: Fedora
|
||||||
|
- name: Archlinux
|
||||||
|
- name: SmartOS
|
||||||
|
- name: openSUSE
|
||||||
galaxy_tags:
|
galaxy_tags:
|
||||||
- system
|
- system
|
||||||
- security
|
- security
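Review bot: The new `description:` line says "security-related ssh configurations", but this is the os_hardening role (the galaxy tags are `system`/`security` and the README sections above are all OS-level: sysctl, auditd, SELinux, filesystems); the removed wording without "ssh" was the correct one and the new text reads like a copy from the ssh-hardening role's meta. Restore `description: 'This Ansible role provides numerous security-related configurations, providing all-round base protection.'`. The `min_ansible_version: '2.5'` context line is kept although other hunks in this commit add `file` module options that need a newer release, so the declared minimum should be re-checked against the task files.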
@ -1,51 +0,0 @@
|
||||||
# [可选]操作系统安全加固 https://github.com/dev-sec/ansible-os-hardening
|
|
||||||
- hosts:
|
|
||||||
- kube_master
|
|
||||||
- kube_node
|
|
||||||
- etcd
|
|
||||||
- ex_lb
|
|
||||||
- chrony
|
|
||||||
vars:
|
|
||||||
os_security_users_allow: change_user
|
|
||||||
os_auth_pam_passwdqc_enable: false
|
|
||||||
os_security_suid_sgid_blacklist: ['/bin/umount']
|
|
||||||
os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
|
|
||||||
os_filesystem_whitelist: ['vfat']
|
|
||||||
sysctl_config:
|
|
||||||
net.ipv4.ip_forward: 1
|
|
||||||
net.ipv6.conf.all.forwarding: 1
|
|
||||||
net.ipv6.conf.all.accept_ra: 0
|
|
||||||
net.ipv6.conf.default.accept_ra: 0
|
|
||||||
net.ipv4.conf.all.rp_filter: 1
|
|
||||||
net.ipv4.conf.default.rp_filter: 1
|
|
||||||
net.ipv4.icmp_echo_ignore_broadcasts: 1
|
|
||||||
net.ipv4.icmp_ignore_bogus_error_responses: 1
|
|
||||||
net.ipv4.icmp_ratelimit: 100
|
|
||||||
net.ipv4.icmp_ratemask: 88089
|
|
||||||
net.ipv6.conf.all.disable_ipv6: 1
|
|
||||||
net.ipv4.conf.all.arp_ignore: 1
|
|
||||||
net.ipv4.conf.all.arp_announce: 2
|
|
||||||
net.ipv4.conf.all.shared_media: 1
|
|
||||||
net.ipv4.conf.default.shared_media: 1
|
|
||||||
net.ipv4.conf.all.accept_source_route: 0
|
|
||||||
net.ipv4.conf.default.accept_source_route: 0
|
|
||||||
net.ipv4.conf.default.accept_redirects: 0
|
|
||||||
net.ipv4.conf.all.accept_redirects: 0
|
|
||||||
net.ipv4.conf.all.secure_redirects: 0
|
|
||||||
net.ipv4.conf.default.secure_redirects: 0
|
|
||||||
net.ipv6.conf.default.accept_redirects: 0
|
|
||||||
net.ipv6.conf.all.accept_redirects: 0
|
|
||||||
net.ipv4.conf.all.send_redirects: 0
|
|
||||||
net.ipv4.conf.default.send_redirects: 0
|
|
||||||
net.ipv4.conf.all.log_martians: 1
|
|
||||||
net.ipv6.conf.default.router_solicitations: 0
|
|
||||||
net.ipv6.conf.default.accept_ra_rtr_pref: 0
|
|
||||||
net.ipv6.conf.default.accept_ra_pinfo: 0
|
|
||||||
net.ipv6.conf.default.accept_ra_defrtr: 0
|
|
||||||
net.ipv6.conf.default.autoconf: 0
|
|
||||||
net.ipv6.conf.default.dad_transmits: 0
|
|
||||||
net.ipv6.conf.default.max_addresses: 1
|
|
||||||
roles:
|
|
||||||
- os-harden
|
|
||||||
#- { role: os-harden, when: "OS_HARDEN is defined and OS_HARDEN == 'yes'" }
|
@ -1,8 +1,7 @@
|
||||||
---
|
---
|
||||||
- name: remove deprecated or insecure packages | package-01 - package-09
|
- name: remove deprecated or insecure packages | package-01 - package-09
|
||||||
apt:
|
apt:
|
||||||
name: '{{ item }}'
|
name: '{{ os_security_packages_list }}'
|
||||||
state: 'absent'
|
state: 'absent'
|
||||||
with_items:
|
purge: 'yes'
|
||||||
- '{{ os_security_packages_list }}'
|
when: os_security_packages_clean | bool
|
||||||
when: 'os_security_packages_clean'
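Review bot: `purge: 'yes'` only works because Ansible coerces the quoted string; write `purge: true` so the value is a real boolean and passes yamllint's truthy rule. Purging is also a behaviour change against the removed task, which only uninstalled the packages: configuration files of xinetd/inetd/telnet-server and friends are now deleted as well, so a host that kept custom xinetd config loses it silently. A one-line comment such as `# purge: also drop the leftover config of the removed services` makes that intent visible to the next reader.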
@ -1,5 +1,4 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: install auditd package | package-08
|
- name: install auditd package | package-08
|
||||||
package:
|
package:
|
||||||
name: '{{ auditd_package }}'
|
name: '{{ auditd_package }}'
|
||||||
|
|
|
@ -1,12 +0,0 @@
|
||||||
- name: find directories for minimizing access
|
|
||||||
find:
|
|
||||||
paths: '{{ outer_item }}'
|
|
||||||
recurse: yes
|
|
||||||
register: minimize_access_directories
|
|
||||||
|
|
||||||
- name: minimize access on found files
|
|
||||||
file:
|
|
||||||
path: '{{ item.path }}'
|
|
||||||
mode: 'go-w'
|
|
||||||
state: file
|
|
||||||
with_items: '{{ minimize_access_directories.files }}'
@ -1,20 +1,21 @@
|
||||||
---
|
---
|
||||||
- name: Set OS family dependent variables
|
- name: Set OS family dependent variables
|
||||||
include_vars: '{{ ansible_os_family }}.yml'
|
include_vars: '{{ ansible_facts.os_family }}.yml'
|
||||||
tags: always
|
tags: always
|
||||||
|
|
||||||
- name: Set OS dependent variables
|
- name: Set OS dependent variables
|
||||||
include_vars: '{{ item }}'
|
include_vars: '{{ item }}'
|
||||||
with_first_found:
|
with_first_found:
|
||||||
- files:
|
- files:
|
||||||
- '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml'
|
- '{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_major_version }}.yml'
|
||||||
- '{{ ansible_distribution }}.yml'
|
- '{{ ansible_facts.distribution }}.yml'
|
||||||
- '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml'
|
- '{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml'
|
||||||
skip: true
|
skip: true
|
||||||
tags: always
|
tags: always
|
||||||
|
|
||||||
- import_tasks: auditd.yml
|
- import_tasks: auditd.yml
|
||||||
tags: auditd
|
tags: auditd
|
||||||
|
when: os_auditd_enabled | bool
|
||||||
|
|
||||||
- import_tasks: limits.yml
|
- import_tasks: limits.yml
|
||||||
tags: limits
|
tags: limits
|
||||||
|
@ -38,7 +39,7 @@
|
||||||
tags: securetty
|
tags: securetty
|
||||||
|
|
||||||
- import_tasks: suid_sgid.yml
|
- import_tasks: suid_sgid.yml
|
||||||
when: os_security_suid_sgid_enforce
|
when: os_security_suid_sgid_enforce | bool
|
||||||
tags: suid_sgid
|
tags: suid_sgid
|
||||||
|
|
||||||
- import_tasks: sysctl.yml
|
- import_tasks: sysctl.yml
|
||||||
|
@ -51,9 +52,13 @@
|
||||||
tags: rhosts
|
tags: rhosts
|
||||||
|
|
||||||
- import_tasks: yum.yml
|
- import_tasks: yum.yml
|
||||||
when: ansible_os_family == 'RedHat'
|
when: ansible_facts.os_family == 'RedHat'
|
||||||
tags: yum
|
tags: yum
|
||||||
|
|
||||||
- import_tasks: apt.yml
|
- import_tasks: apt.yml
|
||||||
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
|
when: ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||||
tags: apt
|
tags: apt
|
||||||
|
|
||||||
|
- import_tasks: selinux.yml
|
||||||
|
tags: selinux
|
||||||
|
when: ansible_facts.selinux.status == 'enabled'
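Review bot: The new condition `when: ansible_facts.selinux.status == 'enabled'` assumes the selinux fact exists; with `gather_facts: false` in the calling play, or a `gather_subset` that drops it, the attribute lookup raises an undefined-variable error and the whole role aborts instead of skipping selinux.yml. `when: (ansible_facts.selinux.status | default('')) == 'enabled'` keeps the skip semantics in that case (a missing python-selinux library already yields a status string that is not `'enabled'`, so that path is fine). The same dependency on `ansible_facts.*` now exists in the yum/apt conditions of this hunk and in tasks/pam.yml and tasks/modprobe.yml, so the role should state that fact gathering is required, e.g. `# requires gathered facts (os_family, distribution, selinux)` at the top of this file.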
@ -1,5 +1,4 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- block:
|
- block:
|
||||||
- name: create limits.d-directory if it does not exist | sysctl-31a, sysctl-31b
|
- name: create limits.d-directory if it does not exist | sysctl-31a, sysctl-31b
|
||||||
file:
|
file:
|
||||||
|
@ -9,14 +8,14 @@
|
||||||
mode: '0755'
|
mode: '0755'
|
||||||
state: 'directory'
|
state: 'directory'
|
||||||
|
|
||||||
- name: create aditional limits config file -> 10.hardcore.conf | sysctl-31a, sysctl-31b
|
- name: create additional limits config file -> 10.hardcore.conf | sysctl-31a, sysctl-31b
|
||||||
pam_limits:
|
pam_limits:
|
||||||
dest: '/etc/security/limits.d/10.hardcore.conf'
|
dest: '/etc/security/limits.d/10.hardcore.conf'
|
||||||
domain: '*'
|
domain: '*'
|
||||||
limit_type: hard
|
limit_type: hard
|
||||||
limit_item: core
|
limit_item: core
|
||||||
value: 0
|
value: '0'
|
||||||
comment: Prevent core dumps for all users. These are usually only needed by developers and may contain sensitive information
|
comment: Prevent core dumps for all users. These are usually not needed and may contain sensitive information
|
||||||
|
|
||||||
- name: set 10.hardcore.conf perms to 0400 and root ownership
|
- name: set 10.hardcore.conf perms to 0400 and root ownership
|
||||||
file:
|
file:
|
||||||
|
@ -24,11 +23,14 @@
|
||||||
owner: 'root'
|
owner: 'root'
|
||||||
group: 'root'
|
group: 'root'
|
||||||
mode: '0440'
|
mode: '0440'
|
||||||
|
state: touch
|
||||||
|
modification_time: preserve
|
||||||
|
access_time: preserve
|
||||||
|
|
||||||
when: 'not os_security_kernel_enable_core_dump'
|
when: not os_security_kernel_enable_core_dump | bool
|
||||||
|
|
||||||
- name: remove 10.hardcore.conf config file
|
- name: remove 10.hardcore.conf config file
|
||||||
file:
|
file:
|
||||||
path: /etc/security/limits.d/10.hardcore.conf
|
path: /etc/security/limits.d/10.hardcore.conf
|
||||||
state: absent
|
state: absent
|
||||||
when: 'os_security_kernel_enable_core_dump'
|
when: os_security_kernel_enable_core_dump | bool
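Review bot: `modification_time: preserve` and `access_time: preserve`, added with `state: touch` in the third hunk, are `file` module options introduced in Ansible 2.7, while meta/main.yml in this commit still declares `min_ansible_version: '2.5'`; on 2.5/2.6 the task fails with an unsupported-parameter error. Either raise `min_ansible_version` to `'2.7'` or drop the two options (a bare `state: touch` would then report changed on every run, which is presumably why they were added). The block these tasks belong to opens in the first hunk, outside the third, and its `when: not os_security_kernel_enable_core_dump | bool` appears to govern all three tasks.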
@ -6,4 +6,3 @@
|
||||||
owner: 'root'
|
owner: 'root'
|
||||||
group: 'root'
|
group: 'root'
|
||||||
mode: '0444'
|
mode: '0444'
@ -1,4 +1,3 @@
|
||||||
---
|
---
|
||||||
|
- import_tasks: hardening.yml
|
||||||
- include_tasks: hardening.yml
|
when: os_hardening_enabled | bool
|
||||||
when: os_hardening_enabled
@ -1,16 +1,31 @@
|
||||||
---
|
---
|
||||||
# Using a two-pass approach for checking directories in order to support symlinks.
|
# If the find-task throws an error on /usr/bin/X11 like "File system loop detected"
|
||||||
- include_tasks: find_files.yml
|
# the other files inside /usr/bin (and all other directories) are
|
||||||
loop_control:
|
# still getting found and the permissions minimized in the next task.
|
||||||
loop_var: outer_item
|
# This is also the reason why there's ignore_errors: true on the task.
|
||||||
loop:
|
# also see: https://github.com/dev-sec/ansible-os-hardening/issues/219
|
||||||
|
- name: find files with write-permissions for group
|
||||||
|
shell: "find -L {{ item }} -perm /go+w -type f" # noqa 305
|
||||||
|
with_flattened:
|
||||||
- '/usr/local/sbin'
|
- '/usr/local/sbin'
|
||||||
- '/usr/local/bin'
|
- '/usr/local/bin'
|
||||||
- '/usr/sbin'
|
- '/usr/sbin'
|
||||||
- '/usr/bin'
|
- '/usr/bin'
|
||||||
- '/sbin'
|
- '/sbin'
|
||||||
- '/bin'
|
- '/bin'
|
||||||
- '{{ os_env_extra_user_paths }}'
|
- "{{ os_env_extra_user_paths }}" # noqa 104
|
||||||
|
register: minimize_access_directories
|
||||||
|
ignore_errors: true
|
||||||
|
changed_when: false
|
||||||
|
|
||||||
|
- name: minimize access on found files
|
||||||
|
file:
|
||||||
|
path: '{{ item.1 }}'
|
||||||
|
mode: 'go-w'
|
||||||
|
state: file
|
||||||
|
with_subelements:
|
||||||
|
- "{{ minimize_access_directories.results }}"
|
||||||
|
- stdout_lines
|
||||||
|
|
||||||
- name: change shadow ownership to root and mode to 0600 | os-02
|
- name: change shadow ownership to root and mode to 0600 | os-02
|
||||||
file:
|
file:
|
||||||
|
@ -32,4 +47,12 @@
|
||||||
owner: 'root'
|
owner: 'root'
|
||||||
group: 'root'
|
group: 'root'
|
||||||
mode: '0750'
|
mode: '0750'
|
||||||
when: os_security_users_allow != None
|
when: '"change_user" not in os_security_users_allow'
|
||||||
|
|
||||||
|
- name: set option hidepid for proc filesystem
|
||||||
|
mount:
|
||||||
|
path: /proc
|
||||||
|
src: proc
|
||||||
|
fstype: proc
|
||||||
|
opts: '{{ proc_mnt_options }}'
|
||||||
|
state: present
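Review bot: The new `set option hidepid for proc filesystem` task uses `state: present`, which only writes the `/proc` entry to fstab and neither mounts nor remounts, so `hidepid=2` is not in effect until the next reboot; if the intent is to enforce it in the same run, use `state: mounted` (the module remounts when the recorded options differ), and otherwise document the reboot requirement in a comment above the task. In the `find files with write-permissions for group` task, `{{ item }}` is interpolated into a `shell` line unquoted, so an entry of `os_env_extra_user_paths` containing spaces or shell metacharacters is split or expanded; write `shell: "find -L {{ item | quote }} -perm /go+w -type f"`. `ignore_errors: true` masks every failure of that find, not only the filesystem-loop case the header comment describes, which is acceptable only if the comment stays next to it.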
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
- name: install modprobe to disable filesystems | os-10
|
- name: install modprobe to disable filesystems | os-10
|
||||||
package:
|
package:
|
||||||
name: '{{modprobe_package}}'
|
name: '{{ modprobe_package }}'
|
||||||
state: 'present'
|
state: 'present'
|
||||||
|
|
||||||
- name: check if efi is installed
|
- name: check if efi is installed
|
||||||
|
@ -12,7 +12,15 @@
|
||||||
- name: remove vfat from fs-list if efi is used
|
- name: remove vfat from fs-list if efi is used
|
||||||
set_fact:
|
set_fact:
|
||||||
os_unused_filesystems: "{{ os_unused_filesystems | difference('vfat') }}"
|
os_unused_filesystems: "{{ os_unused_filesystems | difference('vfat') }}"
|
||||||
when: efi_installed.stat.isdir is defined and efi_installed.stat.isdir
|
when:
|
||||||
|
- efi_installed.stat.isdir is defined
|
||||||
|
- efi_installed.stat.isdir
|
||||||
|
|
||||||
|
- name: remove used filesystems from fs-list
|
||||||
|
set_fact:
|
||||||
|
os_unused_filesystems: "{{ os_unused_filesystems | difference(ansible_mounts | map(attribute='fstype') | list) }}"
|
||||||
|
# we cannot do this on el6 and below, because these systems don't support the map function
|
||||||
|
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
|
||||||
|
|
||||||
- name: disable unused filesystems | os-10
|
- name: disable unused filesystems | os-10
|
||||||
template:
|
template:
|
||||||
|
@ -20,5 +28,4 @@
|
||||||
dest: '/etc/modprobe.d/dev-sec.conf'
|
dest: '/etc/modprobe.d/dev-sec.conf'
|
||||||
owner: 'root'
|
owner: 'root'
|
||||||
group: 'root'
|
group: 'root'
|
||||||
mode: '0640'
|
mode: '0644'
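Review bot: The new `remove used filesystems from fs-list` task compares `ansible_facts.distribution_major_version < '7'` as strings, so the test is lexicographic (`'10' < '7'` is true) and would wrongly skip the task on a future EL 10; tasks/pam.yml in this same commit spells the check as `ansible_facts.distribution_major_version|int is version('7', '<')`, so use that form here too. The same condition still reads the legacy `ansible_mounts` while every other new line in the commit moved to `ansible_facts.*`; `ansible_facts.mounts` is the matching spelling. `ansible_facts.os_family` reports `'RedHat'` for Oracle Linux as well, so the `'Oracle Linux'` entry in the family list looks redundant — verify against the fact output before dropping it.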
@ -1,8 +1,8 @@
|
||||||
---
|
---
|
||||||
- name: update pam on Debian systems
|
- name: update pam on Debian systems
|
||||||
command: 'pam-auth-update --package'
|
command: 'pam-auth-update --package'
|
||||||
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
|
when: ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||||
changed_when: False
|
changed_when: false
|
||||||
environment:
|
environment:
|
||||||
DEBIAN_FRONTEND: noninteractive
|
DEBIAN_FRONTEND: noninteractive
|
||||||
|
|
||||||
|
@ -14,19 +14,25 @@
|
||||||
package:
|
package:
|
||||||
name: '{{ os_packages_pam_ccreds }}'
|
name: '{{ os_packages_pam_ccreds }}'
|
||||||
state: 'absent'
|
state: 'absent'
|
||||||
|
when:
|
||||||
|
- ansible_facts.os_family != 'Archlinux'
|
||||||
|
|
||||||
- name: remove pam_cracklib, because it does not play nice with passwdqc
|
- name: remove pam_cracklib, because it does not play nice with passwdqc
|
||||||
apt:
|
apt:
|
||||||
name: '{{ os_packages_pam_cracklib }}'
|
name: '{{ os_packages_pam_cracklib }}'
|
||||||
state: 'absent'
|
state: 'absent'
|
||||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
|
when:
|
||||||
|
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||||
|
- os_auth_pam_passwdqc_enable
|
||||||
|
|
||||||
- name: install the package for strong password checking
|
- name: install the package for strong password checking
|
||||||
apt:
|
apt:
|
||||||
name: '{{ os_packages_pam_passwdqc }}'
|
name: '{{ os_packages_pam_passwdqc }}'
|
||||||
state: 'present'
|
state: 'present'
|
||||||
update_cache: 'yes'
|
update_cache: 'yes'
|
||||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
|
when:
|
||||||
|
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||||
|
- os_auth_pam_passwdqc_enable
|
||||||
|
|
||||||
- name: configure passwdqc
|
- name: configure passwdqc
|
||||||
template:
|
template:
|
||||||
|
@ -35,19 +41,26 @@
|
||||||
mode: '0644'
|
mode: '0644'
|
||||||
owner: 'root'
|
owner: 'root'
|
||||||
group: 'root'
|
group: 'root'
|
||||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
|
when:
|
||||||
|
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||||
|
- os_auth_pam_passwdqc_enable
|
||||||
|
|
||||||
- name: remove passwdqc
|
- name: remove passwdqc
|
||||||
apt:
|
apt:
|
||||||
name: '{{ os_packages_pam_passwdqc }}'
|
name: '{{ os_packages_pam_passwdqc }}'
|
||||||
state: 'absent'
|
state: 'absent'
|
||||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable
|
when:
|
||||||
|
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||||
|
- not os_auth_pam_passwdqc_enable
|
||||||
|
|
||||||
- name: install tally2
|
- name: install tally2
|
||||||
apt:
|
apt:
|
||||||
name: 'libpam-modules'
|
name: 'libpam-modules'
|
||||||
state: 'present'
|
state: 'present'
|
||||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0
|
when:
|
||||||
|
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||||
|
- not os_auth_pam_passwdqc_enable
|
||||||
|
- os_auth_retries > 0
|
||||||
|
|
||||||
- name: configure tally2
|
- name: configure tally2
|
||||||
template:
|
template:
|
||||||
|
@ -56,31 +69,47 @@
|
||||||
mode: '0644'
|
mode: '0644'
|
||||||
owner: 'root'
|
owner: 'root'
|
||||||
group: 'root'
|
group: 'root'
|
||||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0
|
when:
|
||||||
|
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||||
|
- not os_auth_pam_passwdqc_enable
|
||||||
|
- os_auth_retries > 0
|
||||||
|
|
||||||
- name: delete tally2 when retries is 0
|
- name: delete tally2 when retries is 0
|
||||||
file:
|
file:
|
||||||
path: '{{ tally2_path }}'
|
path: '{{ tally2_path }}'
|
||||||
state: 'absent'
|
state: 'absent'
|
||||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries == 0
|
when:
|
||||||
|
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||||
|
- not os_auth_pam_passwdqc_enable
|
||||||
|
- os_auth_retries == 0
|
||||||
|
|
||||||
- name: remove pam_cracklib, because it does not play nice with passwdqc
|
- name: remove pam_cracklib, because it does not play nice with passwdqc
|
||||||
yum:
|
yum:
|
||||||
name: '{{ os_packages_pam_cracklib }}'
|
name: '{{ os_packages_pam_cracklib }}'
|
||||||
state: 'absent'
|
state: 'absent'
|
||||||
when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable
|
when:
|
||||||
|
- ansible_facts.os_family == 'RedHat'
|
||||||
|
- ansible_facts.distribution_major_version|int is version('7', '<')
|
||||||
|
- ansible_facts.distribution != 'Amazon'
|
||||||
|
- os_auth_pam_passwdqc_enable
|
||||||
|
|
||||||
- name: install the package for strong password checking
|
- name: install the package for strong password checking
|
||||||
yum:
|
yum:
|
||||||
name: '{{ os_packages_pam_passwdqc }}'
|
name: '{{ os_packages_pam_passwdqc }}'
|
||||||
state: 'present'
|
state: 'present'
|
||||||
when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable
|
when:
|
||||||
|
- ansible_facts.os_family == 'RedHat'
|
||||||
|
- ansible_facts.distribution_major_version|int is version('7', '<')
|
||||||
|
- ansible_facts.distribution != 'Amazon'
|
||||||
|
- os_auth_pam_passwdqc_enable
|
||||||
|
|
||||||
- name: remove passwdqc
|
- name: remove passwdqc
|
||||||
yum:
|
yum:
|
||||||
name: '{{ os_packages_pam_passwdqc }}'
|
name: '{{ os_packages_pam_passwdqc }}'
|
||||||
state: 'absent'
|
state: 'absent'
|
||||||
when: ansible_os_family == 'RedHat' and not os_auth_pam_passwdqc_enable
|
when:
|
||||||
|
- ansible_facts.os_family == 'RedHat'
|
||||||
|
- not os_auth_pam_passwdqc_enable
|
||||||
|
|
||||||
- name: configure passwdqc and tally via central system-auth confic
|
- name: configure passwdqc and tally via central system-auth confic
|
||||||
template:
|
template:
|
||||||
|
@ -89,11 +118,23 @@
|
||||||
mode: '0640'
|
mode: '0640'
|
||||||
owner: 'root'
|
owner: 'root'
|
||||||
group: 'root'
|
group: 'root'
|
||||||
|
when: ansible_facts.os_family == 'RedHat'
|
||||||
|
|
||||||
|
- name: Gather package facts
|
||||||
|
package_facts:
|
||||||
|
manager: auto
|
||||||
|
when:
|
||||||
|
- ansible_facts.os_family != 'Suse'
|
||||||
|
- ansible_facts.os_family != 'Archlinux'
|
||||||
|
|
||||||
- name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
|
- name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
|
||||||
template:
|
template:
|
||||||
src: 'etc/rhel_libuser.conf.j2'
|
src: 'etc/libuser.conf.j2'
|
||||||
dest: '/etc/libuser.conf'
|
dest: '/etc/libuser.conf'
|
||||||
mode: '0640'
|
mode: '0640'
|
||||||
owner: 'root'
|
owner: 'root'
|
||||||
group: 'root'
|
group: 'root'
|
||||||
|
when:
|
||||||
|
- ansible_facts.os_family != 'Suse'
|
||||||
|
- ansible_facts.os_family != 'Archlinux'
|
||||||
|
- "'libuser' in ansible_facts.packages"
|
||||||
|
|
|
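Review bot: The `'libuser' in ansible_facts.packages` condition on the libuser.conf task is only safe because the preceding `Gather package facts` task carries the same Suse/Archlinux exclusions and Ansible stops evaluating a `when` list at the first false entry; if either list drifts, `ansible_facts.packages` is undefined on the excluded hosts and the task errors instead of skipping. Writing the dependency explicitly as `- "'libuser' in (ansible_facts.packages | default({}))"` removes that coupling without changing the result. The task list continues outside the hunk.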
@ -6,10 +6,10 @@
|
||||||
owner: 'root'
|
owner: 'root'
|
||||||
group: 'root'
|
group: 'root'
|
||||||
mode: '0750'
|
mode: '0750'
|
||||||
when: not os_security_kernel_enable_core_dump
|
when: not os_security_kernel_enable_core_dump | bool
|
||||||
|
|
||||||
- name: remove pinerolo_profile.sh from profile.d
|
- name: remove pinerolo_profile.sh from profile.d
|
||||||
file:
|
file:
|
||||||
path: /etc/profile.d/pinerolo_profile.sh
|
path: /etc/profile.d/pinerolo_profile.sh
|
||||||
state: absent
|
state: absent
|
||||||
when: os_security_kernel_enable_core_dump
|
when: os_security_kernel_enable_core_dump | bool
|
||||||
|
|
|
@ -1,15 +1,15 @@
|
||||||
---
|
---
|
||||||
- name: Get user accounts | os-09
|
- name: Get user accounts | os-09
|
||||||
command: "awk -F: '{print $1}' /etc/passwd"
|
command: "awk -F: '{print $1}' /etc/passwd"
|
||||||
changed_when: False
|
changed_when: false
|
||||||
check_mode: False
|
check_mode: false
|
||||||
register: users
|
register: users_accounts
|
||||||
|
|
||||||
- name: delete rhosts-files from system | os-09
|
- name: delete rhosts-files from system | os-09
|
||||||
file:
|
file:
|
||||||
dest: '~{{ item }}/.rhosts'
|
dest: '~{{ item }}/.rhosts'
|
||||||
state: 'absent'
|
state: 'absent'
|
||||||
with_flattened: '{{ users.stdout_lines | default([]) }}'
|
with_flattened: '{{ users_accounts.stdout_lines | default([]) }}'
|
||||||
|
|
||||||
- name: delete hosts.equiv from system | os-01
|
- name: delete hosts.equiv from system | os-01
|
||||||
file:
|
file:
|
||||||
|
@ -20,4 +20,4 @@
|
||||||
file:
|
file:
|
||||||
dest: '~{{ item }}/.netrc'
|
dest: '~{{ item }}/.netrc'
|
||||||
state: 'absent'
|
state: 'absent'
|
||||||
with_flattened: '{{ users.stdout_lines | default([]) }}'
|
with_flattened: '{{ users_accounts.stdout_lines | default([]) }}'
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
- name: configure selinux | selinux-01
|
||||||
|
selinux:
|
||||||
|
policy: "{{ os_selinux_policy }}"
|
||||||
|
state: "{{ os_selinux_state }}"
|
|
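Review bot: The new `configure selinux` task applies `os_selinux_policy` and `os_selinux_state` with no guard in this file, and as far as I can tell the `selinux` module needs the libselinux Python bindings and an existing `/etc/selinux/config`, so on hosts without SELinux packages it fails rather than skips; the include may already be conditioned outside this diff, so confirm that. A change of `state` away from `disabled` only takes effect after a reboot (the module reports `reboot_required`), and nothing here surfaces that, so the host keeps running in its old mode after the play reports success. Consider `register: selinux_result` with a comment such as `# a disabled -> enforcing/permissive switch needs a reboot; see selinux_result.reboot_required`.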
@ -13,13 +13,13 @@
|
||||||
- name: find binaries with suid/sgid set | os-06
|
- name: find binaries with suid/sgid set | os-06
|
||||||
shell: find / -xdev \( -perm -4000 -o -perm -2000 \) -type f ! -path '/proc/*' -print 2>/dev/null
|
shell: find / -xdev \( -perm -4000 -o -perm -2000 \) -type f ! -path '/proc/*' -print 2>/dev/null
|
||||||
register: sbit_binaries
|
register: sbit_binaries
|
||||||
when: os_security_suid_sgid_remove_from_unknown
|
when: os_security_suid_sgid_remove_from_unknown | bool
|
||||||
changed_when: False
|
changed_when: false
|
||||||
|
|
||||||
- name: gather files from which to remove suids/sgids and remove system white-listed files | os-06
|
- name: gather files from which to remove suids/sgids and remove system white-listed files | os-06
|
||||||
set_fact:
|
set_fact:
|
||||||
suid: '{{ sbit_binaries.stdout_lines | difference(os_security_suid_sgid_system_whitelist) }}'
|
suid: '{{ sbit_binaries.stdout_lines | difference(os_security_suid_sgid_system_whitelist) }}'
|
||||||
when: os_security_suid_sgid_remove_from_unknown
|
when: os_security_suid_sgid_remove_from_unknown | bool
|
||||||
|
|
||||||
- name: remove suid/sgid bit from all binaries except in system and user whitelist | os-06
|
- name: remove suid/sgid bit from all binaries except in system and user whitelist | os-06
|
||||||
file:
|
file:
|
||||||
|
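Review bot: The `find / -xdev ...` scan only walks the filesystem that `/` lives on, so setuid/setgid binaries on a separately mounted `/usr`, `/var`, `/home` or `/opt` never reach `sbit_binaries`, and the os-06 removal that follows leaves them alone without any indication. If `-xdev` is there to avoid network and pseudo filesystems, walking the local entries from `ansible_facts.mounts` (or adding `-fstype` filters) is more accurate than the single-device walk; `! -path '/proc/*'` is already redundant once `-xdev` is present. This is pre-existing behavior that the `| bool` change carries over, but the task deserves a comment such as `# NOTE: -xdev limits the scan to the root filesystem; separately mounted /usr, /var, /home are not checked`.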
@ -29,4 +29,4 @@
|
||||||
follow: 'yes'
|
follow: 'yes'
|
||||||
with_flattened:
|
with_flattened:
|
||||||
- '{{ suid | default([]) | difference(os_security_suid_sgid_whitelist) }}'
|
- '{{ suid | default([]) | difference(os_security_suid_sgid_whitelist) }}'
|
||||||
when: os_security_suid_sgid_remove_from_unknown
|
when: os_security_suid_sgid_remove_from_unknown | bool
|
||||||
|
|
|
@ -5,6 +5,9 @@
|
||||||
owner: 'root'
|
owner: 'root'
|
||||||
group: 'root'
|
group: 'root'
|
||||||
mode: '0440'
|
mode: '0440'
|
||||||
|
state: touch
|
||||||
|
modification_time: preserve
|
||||||
|
access_time: preserve
|
||||||
|
|
||||||
- name: set Daemon umask, do config for rhel-family | NSA 2.2.4.1
|
- name: set Daemon umask, do config for rhel-family | NSA 2.2.4.1
|
||||||
template:
|
template:
|
||||||
|
@ -13,14 +16,16 @@
|
||||||
owner: 'root'
|
owner: 'root'
|
||||||
group: 'root'
|
group: 'root'
|
||||||
mode: '0544'
|
mode: '0544'
|
||||||
when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS' or ansible_distribution == 'Amazon'
|
when: ansible_facts.distribution in ['Amazon', 'CentOS', 'Fedora', 'RedHat']
|
||||||
|
|
||||||
- name: install initramfs-tools
|
- name: install initramfs-tools
|
||||||
apt:
|
apt:
|
||||||
name: 'initramfs-tools'
|
name: 'initramfs-tools'
|
||||||
state: 'present'
|
state: 'present'
|
||||||
update_cache: true
|
update_cache: true
|
||||||
when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading
|
when:
|
||||||
|
- ansible_facts.os_family == 'Debian'
|
||||||
|
- os_security_kernel_enable_module_loading
|
||||||
|
|
||||||
- name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled
|
- name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled
|
||||||
template:
|
template:
|
||||||
|
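Review bot: The rewritten `when` on the daemon-umask task enumerates `['Amazon', 'CentOS', 'Fedora', 'RedHat']`, so RHEL derivatives that report a different `ansible_facts.distribution` (Oracle Linux, Scientific Linux, Rocky/Alma, CloudLinux) silently skip the NSA 2.2.4.1 hardening even though they share the rhel-family init layout. The old condition had the same gap, but since the line is being rewritten anyway, `when: ansible_facts.os_family == 'RedHat'` matches the test used elsewhere in this commit and covers all derivatives. If the explicit list is deliberate, a comment stating why should sit above it. The task's module and destination are outside the hunk.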
@ -29,41 +34,49 @@
|
||||||
owner: 'root'
|
owner: 'root'
|
||||||
group: 'root'
|
group: 'root'
|
||||||
mode: '0440'
|
mode: '0440'
|
||||||
when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading
|
notify:
|
||||||
|
- update-initramfs
|
||||||
|
when:
|
||||||
|
- ansible_facts.os_family == 'Debian'
|
||||||
|
- os_security_kernel_enable_module_loading
|
||||||
register: initramfs
|
register: initramfs
|
||||||
|
|
||||||
- name: update-initramfs
|
- name: change sysctls
|
||||||
command: 'update-initramfs -u'
|
block:
|
||||||
when: initramfs.changed
|
- name: create a combined sysctl-dict if overwrites are defined
|
||||||
|
|
||||||
- name: create a combined sysctl-dict if overwrites are defined
|
|
||||||
set_fact:
|
set_fact:
|
||||||
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
|
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
|
||||||
when: sysctl_overwrite | default()
|
when: sysctl_overwrite | default()
|
||||||
|
|
||||||
- name: Change various sysctl-settings, look at the sysctl-vars file for documentation
|
- name: Change various sysctl-settings, look at the sysctl-vars file for documentation
|
||||||
sysctl:
|
sysctl:
|
||||||
name: '{{ item.key }}'
|
name: '{{ item.key }}'
|
||||||
value: '{{ item.value }}'
|
value: '{{ item.value }}'
|
||||||
sysctl_set: yes
|
sysctl_set: true
|
||||||
state: present
|
state: present
|
||||||
reload: yes
|
reload: true
|
||||||
ignoreerrors: yes
|
ignoreerrors: true
|
||||||
with_dict: '{{ sysctl_config }}'
|
with_dict: '{{ sysctl_config }}'
|
||||||
|
|
||||||
- name: Change various sysctl-settings on rhel6-hosts or older, look at the sysctl-vars file for documentation
|
- name: Change various sysctl-settings on rhel6-hosts or older, look at the sysctl-vars file for documentation
|
||||||
sysctl:
|
sysctl:
|
||||||
name: '{{ item.key }}'
|
name: '{{ item.key }}'
|
||||||
value: '{{ item.value }}'
|
value: '{{ item.value }}'
|
||||||
state: present
|
state: present
|
||||||
reload: yes
|
reload: true
|
||||||
ignoreerrors: yes
|
ignoreerrors: true
|
||||||
with_dict: '{{ sysctl_rhel_config }}'
|
with_dict: '{{ sysctl_rhel_config }}'
|
||||||
when: ((ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS') and ansible_distribution_major_version < '7') or ansible_distribution == 'Amazon'
|
when: ((ansible_facts.distribution in ['CentOS', 'Fedora', 'RedHat']) and
|
||||||
|
ansible_distribution_version|int is version('7', '<')) or ansible_facts.distribution == 'Amazon'
|
||||||
|
|
||||||
|
when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz']
|
||||||
|
|
||||||
- name: Apply ufw defaults
|
- name: Apply ufw defaults
|
||||||
template:
|
template:
|
||||||
src: 'etc/default/ufw.j2'
|
src: 'etc/default/ufw.j2'
|
||||||
dest: '/etc/default/ufw'
|
dest: '/etc/default/ufw'
|
||||||
when: ufw_manage_defaults and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')
|
mode: '0644'
|
||||||
|
when:
|
||||||
|
- ufw_manage_defaults
|
||||||
|
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||||
tags: ufw
|
tags: ufw
|
||||||
|
|
|
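Review bot: `register: initramfs` on the initramfs template task is now dead code: the `update-initramfs` command that consumed `initramfs.changed` was replaced by the `notify: update-initramfs` handler, so the register line can be dropped. Two conditions in this hunk still read legacy top-level facts — `ansible_distribution_version|int is version('7', '<')` in the rhel6 sysctl task and `ansible_virtualization_type not in [...]` on the block — while the rest of the commit migrates to `ansible_facts.*`; `ansible_facts.distribution_major_version|int is version('7', '<')` and `ansible_facts.virtualization_type` keep the role working when `inject_facts_as_vars` is disabled and avoid relying on the `int` filter's float fallback for values like `7.9`. Note also that `ignoreerrors: true` on both sysctl tasks means a rejected hardening key in `sysctl_config` is not reported, so a setting that the kernel refused is only discoverable by inspecting the host afterwards.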
@ -4,42 +4,44 @@
|
||||||
args:
|
args:
|
||||||
removes: /etc/login.defs
|
removes: /etc/login.defs
|
||||||
register: uid_min
|
register: uid_min
|
||||||
check_mode: False
|
check_mode: false
|
||||||
changed_when: False
|
changed_when: false
|
||||||
|
|
||||||
- name: calculate UID_MAX from UID_MIN by substracting 1
|
- name: calculate UID_MAX from UID_MIN by substracting 1
|
||||||
set_fact:
|
set_fact:
|
||||||
uid_max: '{{ uid_min.stdout | int - 1 }}'
|
uid_max: '{{ uid_min.stdout | int - 1 }}'
|
||||||
when: uid_min is defined
|
when: uid_min.stdout|int > 0
|
||||||
|
|
||||||
- name: set UID_MAX on Debian-systems if no login.defs exist
|
- name: set UID_MAX on Debian-systems if no login.defs exist
|
||||||
set_fact:
|
set_fact:
|
||||||
uid_max: '999'
|
uid_max: '999'
|
||||||
when: ansible_os_family == 'Debian' and not uid_min
|
when:
|
||||||
|
- ansible_facts.os_family == 'Debian'
|
||||||
|
- uid_max is not defined
|
||||||
|
|
||||||
- name: set UID_MAX on other systems if no login.defs exist
|
- name: set UID_MAX on other systems if no login.defs exist
|
||||||
set_fact:
|
set_fact:
|
||||||
uid_max: '499'
|
uid_max: '499'
|
||||||
when: not uid_min
|
when: uid_max is not defined
|
||||||
|
|
||||||
- name: get all system accounts
|
- name: get all system accounts
|
||||||
command: awk -F'':'' '{ if ( $3 <= {{ uid_max|quote }} ) print $1}' /etc/passwd
|
command: awk -F'':'' '{ if ( $3 <= {{ uid_max|quote }} ) print $1}' /etc/passwd
|
||||||
args:
|
args:
|
||||||
removes: /etc/passwd
|
removes: /etc/passwd
|
||||||
changed_when: False
|
changed_when: false
|
||||||
check_mode: False
|
check_mode: false
|
||||||
register: sys_accs
|
register: sys_accs
|
||||||
|
|
||||||
- name: remove always ignored system accounts from list
|
- name: remove always ignored system accounts from list
|
||||||
set_fact:
|
set_fact:
|
||||||
sys_accs_cond: '{{ sys_accs.stdout_lines | difference(os_always_ignore_users) }}'
|
sys_accs_cond: '{{ sys_accs.stdout_lines | difference(os_always_ignore_users) }}'
|
||||||
check_mode: False
|
check_mode: false
|
||||||
|
|
||||||
- name: change system accounts not on the user provided ignore-list
|
- name: change system accounts not on the user provided ignore-list
|
||||||
user:
|
user:
|
||||||
name: '{{ item }}'
|
name: '{{ item }}'
|
||||||
shell: '{{ os_nologin_shell_path }}'
|
shell: '{{ os_nologin_shell_path }}'
|
||||||
password: '*'
|
password: '*'
|
||||||
createhome: False
|
createhome: false
|
||||||
with_flattened:
|
with_flattened:
|
||||||
- '{{ sys_accs_cond | default([]) | difference(os_ignore_users) | list }}'
|
- '{{ sys_accs_cond | default([]) | difference(os_ignore_users) | list }}'
|
||||||
|
|
|
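Review bot: `when: uid_min.stdout|int > 0` works only because the command module, when `removes: /etc/login.defs` does not match, exits with `stdout` set to a "skipped, since ... does not exist" message that the `int` filter coerces to 0; nothing in the task says so, and a reader would reasonably expect an undefined attribute there. A comment above the condition, `# when login.defs is absent the command is skipped via 'removes' and stdout is a non-numeric message, so |int yields 0`, records the assumption that the two `uid_max is not defined` fallbacks depend on. The `awk` command that produces `uid_min` starts outside the hunk.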
@ -3,45 +3,48 @@
|
||||||
file:
|
file:
|
||||||
name: '/etc/yum.repos.d/{{ item }}.repo'
|
name: '/etc/yum.repos.d/{{ item }}.repo'
|
||||||
state: 'absent'
|
state: 'absent'
|
||||||
with_items:
|
loop:
|
||||||
- 'CentOS-Debuginfo'
|
- 'CentOS-Debuginfo'
|
||||||
- 'CentOS-Media'
|
- 'CentOS-Media'
|
||||||
- 'CentOS-Vault'
|
- 'CentOS-Vault'
|
||||||
when: os_security_packages_clean
|
when: os_security_packages_clean | bool
|
||||||
|
|
||||||
- name: get yum-repository-files
|
- name: get yum-repository-files
|
||||||
shell: 'find /etc/yum.repos.d/ -type f -name *.repo'
|
find:
|
||||||
changed_when: False
|
paths: '/etc/yum.repos.d'
|
||||||
|
patterns: '*.repo'
|
||||||
register: yum_repos
|
register: yum_repos
|
||||||
|
|
||||||
- name: check if rhnplugin.conf exists
|
# for the 'default([])' see here:
|
||||||
stat:
|
# https://github.com/dev-sec/ansible-os-hardening/issues/99 and
|
||||||
path: '/etc/yum/pluginconf.d/rhnplugin.conf'
|
# https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause
|
||||||
register: rhnplugin_file
|
- name: activate gpg-check for yum-repository-files
|
||||||
|
|
||||||
# for the 'default([])' see here:
|
|
||||||
# https://github.com/dev-sec/ansible-os-hardening/issues/99 and
|
|
||||||
# https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause
|
|
||||||
- name: activate gpg-check for yum-repos
|
|
||||||
replace:
|
replace:
|
||||||
dest: '{{ item }}'
|
path: '{{ item.path }}'
|
||||||
regexp: '^\s*gpgcheck: 0'
|
regexp: '^\s*gpgcheck.*'
|
||||||
replace: 'gpgcheck: 1'
|
replace: 'gpgcheck=1'
|
||||||
with_flattened:
|
mode: '0644'
|
||||||
|
with_items:
|
||||||
|
- '{{ yum_repos.files | default([]) }}'
|
||||||
|
|
||||||
|
# failed_when is needed because by default replace module will fail if the file doesn't exists.
|
||||||
|
# status.rc is only defined if an error accrued and only error code (rc) 257 will be ignored.
|
||||||
|
# All other errors will still be raised.
|
||||||
|
- name: activate gpg-check for config files
|
||||||
|
replace:
|
||||||
|
path: '{{ item }}'
|
||||||
|
regexp: '^\s*gpgcheck\W.*'
|
||||||
|
replace: 'gpgcheck=1'
|
||||||
|
mode: '0644'
|
||||||
|
register: status
|
||||||
|
failed_when: status.rc is defined and status.rc != 257
|
||||||
|
loop:
|
||||||
- '/etc/yum.conf'
|
- '/etc/yum.conf'
|
||||||
- '{{ yum_repos.stdout_lines| default([]) }}'
|
- '/etc/dnf/dnf.conf'
|
||||||
|
- '/etc/yum/pluginconf.d/rhnplugin.conf'
|
||||||
- name: activate gpg-check for yum rhn if it exists
|
|
||||||
replace:
|
|
||||||
dest: '/etc/yum/pluginconf.d/rhnplugin.conf'
|
|
||||||
regexp: '^\s*gpgcheck: 0'
|
|
||||||
replace: 'gpgcheck: 1'
|
|
||||||
when: rhnplugin_file.stat.exists
|
|
||||||
|
|
||||||
- name: remove deprecated or insecure packages | package-01 - package-09
|
- name: remove deprecated or insecure packages | package-01 - package-09
|
||||||
yum:
|
yum:
|
||||||
name: '{{ item }}'
|
name: '{{ os_security_packages_list }}'
|
||||||
state: 'absent'
|
state: 'absent'
|
||||||
with_items:
|
when: os_security_packages_clean | bool
|
||||||
- '{{ os_security_packages_list }}'
|
|
||||||
when: os_security_packages_clean
|
|
||||||
|
|
|
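Review bot: Both gpgcheck tasks use `replace`, which only rewrites lines that already match `^\s*gpgcheck...`; a `.repo` file, `/etc/yum.conf` or `/etc/dnf/dnf.conf` that has no `gpgcheck` key at all is left untouched, so signature verification is not actually enforced there, and the old stanza had the same limitation. `ini_file` with `option: gpgcheck` and `value: '1'` (or `lineinfile` with `insertafter`) would guarantee the key exists; if `replace` is kept deliberately, a comment should state that only existing keys are tightened. The two regexes also differ — `'^\s*gpgcheck.*'` for repo files and `'^\s*gpgcheck\W.*'` for config files — and using the `\W` form in both keeps the match precise and consistent. In the added comment, "if an error accrued" should read "if an error occurred" and "doesn't exists" should read "doesn't exist".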
@ -1,3 +1,5 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
log_file = /var/log/audit/audit.log
|
log_file = /var/log/audit/audit.log
|
||||||
log_format = RAW
|
log_format = RAW
|
||||||
log_group = root
|
log_group = root
|
||||||
|
@ -10,7 +12,7 @@ dispatcher = /sbin/audispd
|
||||||
name_format = NONE
|
name_format = NONE
|
||||||
##name = mydomain
|
##name = mydomain
|
||||||
max_log_file = 6
|
max_log_file = 6
|
||||||
max_log_file_action = keep_logs
|
max_log_file_action = {{ os_auditd_max_log_file_action }}
|
||||||
space_left = 75
|
space_left = 75
|
||||||
space_left_action = SYSLOG
|
space_left_action = SYSLOG
|
||||||
action_mail_acct = root
|
action_mail_acct = root
|
||||||
|
|
|
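Review bot: `max_log_file_action = {{ os_auditd_max_log_file_action }}` replaces the fixed `keep_logs`, and the default for the new variable is not in this diff; if it is anything other than `keep_logs`, auditd starts discarding or suspending on rotation (`rotate`, `ignore`, `suspend`), which changes audit-log retention for existing users and should be called out in the role's changelog. auditd rejects unrecognized values for this key at startup, so a comment next to the default listing the accepted values (`ignore`, `syslog`, `suspend`, `rotate`, `keep_logs`) would help operators. Confirm the default against the defaults file outside this diff.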
@ -1,4 +1,5 @@
|
||||||
# {{ ansible_managed | comment }}
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
# /etc/default/ufw
|
# /etc/default/ufw
|
||||||
#
|
#
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
# {{ ansible_managed | comment }}
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
# This file contains the names of kernel modules that should be loaded at boot time, one per line. Lines beginning with "#" are ignored.
|
# This file contains the names of kernel modules that should be loaded at boot time, one per line. Lines beginning with "#" are ignored.
|
||||||
#
|
#
|
||||||
# A list of all available kernel modules kann be found with `find /lib/modules/$(uname -r)/kernel/`
|
# A list of all available kernel modules kann be found with `find /lib/modules/$(uname -r)/kernel/`
|
||||||
|
@ -10,7 +11,7 @@
|
||||||
#
|
#
|
||||||
# Modules for certains builds, contains support modules and some CPU-specific optimizations.
|
# Modules for certains builds, contains support modules and some CPU-specific optimizations.
|
||||||
|
|
||||||
{% if ansible_architecture == 'x86_64' %}
|
{% if ansible_facts.architecture == 'x86_64' %}
|
||||||
# Optimize for x86_64 cryptographic features
|
# Optimize for x86_64 cryptographic features
|
||||||
twofish-x86_64-3way
|
twofish-x86_64-3way
|
||||||
twofish-x86_64
|
twofish-x86_64
|
||||||
|
@ -19,7 +20,7 @@ salsa20-x86_64
|
||||||
blowfish-x86_64
|
blowfish-x86_64
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% if 'amd' in ansible_processor %}
|
{% if 'amd' in ansible_facts.processor %}
|
||||||
# AMD-specific optimizations
|
# AMD-specific optimizations
|
||||||
kvm-amd
|
kvm-amd
|
||||||
{% else %}
|
{% else %}
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
# See libuser.conf(5) for more information.
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
# {{ ansible_managed | comment }}
|
# See libuser.conf(5) for more information.
|
||||||
|
|
||||||
# Do not modify the default module list if you care about unattended calls
|
# Do not modify the default module list if you care about unattended calls
|
||||||
# to programs (i.e., scripts) working!
|
# to programs (i.e., scripts) working!
|
|
@ -1,4 +1,5 @@
|
||||||
# {{ ansible_managed | comment }}
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
# Configuration control definitions for the login package.
|
# Configuration control definitions for the login package.
|
||||||
#
|
#
|
||||||
# Three items must be defined: `MAIL_DIR`, `ENV_SUPATH`, and `ENV_PATH`. If unspecified, some arbitrary (and possibly incorrect) value will be assumed. All other items are optional - if not specified then the described action or option will be inhibited.
|
# Three items must be defined: `MAIL_DIR`, `ENV_SUPATH`, and `ENV_PATH`. If unspecified, some arbitrary (and possibly incorrect) value will be assumed. All other items are optional - if not specified then the described action or option will be inhibited.
|
||||||
|
@ -7,6 +8,7 @@
|
||||||
#
|
#
|
||||||
#-- Modified for Linux. --marekm
|
#-- Modified for Linux. --marekm
|
||||||
|
|
||||||
|
{% if os_useradd_mail_dir is defined %}
|
||||||
# *REQUIRED for useradd/userdel/usermod*
|
# *REQUIRED for useradd/userdel/usermod*
|
||||||
#
|
#
|
||||||
# Directory where mailboxes reside, _or_ name of file, relative to the home directory. If you _do_ define `MAIL_DIR` and `MAIL_FILE`, `MAIL_DIR` takes precedence.
|
# Directory where mailboxes reside, _or_ name of file, relative to the home directory. If you _do_ define `MAIL_DIR` and `MAIL_FILE`, `MAIL_DIR` takes precedence.
|
||||||
|
@ -19,9 +21,14 @@
|
||||||
#
|
#
|
||||||
# See default PAM configuration files provided for login, su, etc.
|
# See default PAM configuration files provided for login, su, etc.
|
||||||
# This is a temporary situation: setting these variables will soon move to `/etc/default/useradd` and the variables will then be no more supported
|
# This is a temporary situation: setting these variables will soon move to `/etc/default/useradd` and the variables will then be no more supported
|
||||||
MAIL_DIR /var/mail
|
MAIL_DIR {{ os_useradd_mail_dir }}
|
||||||
#MAIL_FILE .mail
|
{% endif %}
|
||||||
|
|
||||||
|
{% if os_useradd_create_home is defined %}
|
||||||
|
# If useradd should create home directories for users by default
|
||||||
|
CREATE_HOME {{ 'yes' if os_useradd_create_home else 'no' }}
|
||||||
|
|
||||||
|
{% endif %}
|
||||||
# Enable logging and display of `/var/log/faillog` login failure info. This option conflicts with the `pam_tally` PAM module.
|
# Enable logging and display of `/var/log/faillog` login failure info. This option conflicts with the `pam_tally` PAM module.
|
||||||
FAILLOG_ENAB yes
|
FAILLOG_ENAB yes
|
||||||
|
|
||||||
|
@ -57,7 +64,7 @@ HUSHLOGIN_FILE .hushlogin
|
||||||
|
|
||||||
# *REQUIRED*: The default PATH settings, for superuser and normal users. (they are minimal, add the rest in the shell startup files)
|
# *REQUIRED*: The default PATH settings, for superuser and normal users. (they are minimal, add the rest in the shell startup files)
|
||||||
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||||
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin{{ os_env_extra_user_paths| join (':') }}
|
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:{{ os_env_extra_user_paths | join (':') }}
|
||||||
|
|
||||||
# Terminal permissions
|
# Terminal permissions
|
||||||
# --------------------
|
# --------------------
|
||||||
|
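Review bot: `ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:{{ os_env_extra_user_paths | join (':') }}` emits a trailing `:` whenever `os_env_extra_user_paths` is empty, and an empty PATH element is treated as the current directory by the shell, so a hardening role would hand every user a PATH that searches `.` — the opposite of what this login.defs template is meant to enforce. The previous line was broken the other way (no separator before the extra paths); building the value from a single list avoids both: `ENV_PATH PATH={{ (['/usr/local/bin', '/usr/bin', '/bin'] + (os_env_extra_user_paths | default([]))) | join(':') }}`. The default for `os_env_extra_user_paths` is outside this diff, so check whether it is `[]`.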
@ -207,5 +214,3 @@ ENCRYPT_METHOD SHA512
|
||||||
# This variable is deprecated. You should use ENCRYPT_METHOD.
|
# This variable is deprecated. You should use ENCRYPT_METHOD.
|
||||||
#
|
#
|
||||||
#MD5_CRYPT_ENAB no
|
#MD5_CRYPT_ENAB no
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# {{ ansible_managed | comment }}
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
#%PAM-1.0
|
#%PAM-1.0
|
||||||
{% if os_auth_retries > 0 %}
|
{% if os_auth_retries > 0 %}
|
||||||
|
@ -18,7 +18,7 @@ account sufficient pam_succeed_if.so uid < 500 quiet
|
||||||
account required pam_permit.so
|
account required pam_permit.so
|
||||||
|
|
||||||
{% if (os_auth_pam_passwdqc_enable|bool) %}
|
{% if (os_auth_pam_passwdqc_enable|bool) %}
|
||||||
{%- if ((ansible_os_family == 'RedHat' and ansible_distribution_version >= '7') or ansible_distribution == 'Amazon') %}
|
{%- if ((ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_version|int is version('7', '>=')) or ansible_facts.distribution == 'Amazon') %}
|
||||||
password required pam_pwquality.so {{ os_auth_pam_pwquality_options }}
|
password required pam_pwquality.so {{ os_auth_pam_pwquality_options }}
|
||||||
{%- else %}
|
{%- else %}
|
||||||
password requisite pam_passwdqc.so {{ os_auth_pam_passwdqc_options }}
|
password requisite pam_passwdqc.so {{ os_auth_pam_passwdqc_options }}
|
||||||
|
|
|
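Review bot: The RedHat version test in the PAM template uses `ansible_facts.distribution_version|int is version('7', '>=')` while the tasks file in this commit uses `ansible_facts.distribution_major_version|int` for the same comparison; `distribution_version` is a string such as `7.9`, and only the Jinja `int` filter's float fallback makes it evaluate as intended, so `ansible_facts.distribution_major_version` is the precise field and keeps the two conditions consistent. This branch decides whether `pam_pwquality` or `pam_passwdqc` enforces password strength, so a mis-evaluation here would weaken the policy silently rather than fail loudly.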
@ -1,4 +1,4 @@
|
||||||
# {{ ansible_managed | comment }}
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
# Disable core dumps via soft limits for all users. Compliance to this setting is voluntary and can be modified by users up to a hard limit. This setting is a sane default.
|
# Disable core dumps via soft limits for all users. Compliance to this setting is voluntary and can be modified by users up to a hard limit. This setting is a sane default.
|
||||||
ulimit -S -c 0 > /dev/null 2>&1
|
ulimit -S -c 0 > /dev/null 2>&1
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
# {{ ansible_managed | comment }}
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
|
||||||
# A list of TTYs, from which root can log in
|
# A list of TTYs, from which root can log in
|
||||||
# see `man securetty` for reference
|
# see `man securetty` for reference
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# {{ ansible_managed | comment }}
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
# color => new RH6.0 bootup
|
# color => new RH6.0 bootup
|
||||||
# verbose => old-style bootup
|
# verbose => old-style bootup
|
||||||
|
|
|
@ -1,3 +1,5 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
Name: passwdqc password strength enforcement
|
Name: passwdqc password strength enforcement
|
||||||
Default: yes
|
Default: yes
|
||||||
Priority: 1024
|
Priority: 1024
|
||||||
|
|
|
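Review bot: `{{ ansible_managed | comment }}` is now the first line of the pam-configs profile written to `passwdqc_path` (and of the tally2 profile in the next hunk); these files are parsed by Debian's `pam-auth-update`, not by PAM itself, and I am not certain its field parser tolerates leading `#` lines, so this should be verified on a Debian/Ubuntu host before release. If it does, a short comment in the template noting that pam-auth-update ignores the header would save the next reader the same check.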
@ -1,3 +1,5 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
Name: tally2 lockout after failed attempts enforcement
|
Name: tally2 lockout after failed attempts enforcement
|
||||||
Default: yes
|
Default: yes
|
||||||
Priority: 1024
|
Priority: 1024
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
# system accounts that do not get their login disabled and pasword changed
|
# system accounts that do not get their login disabled and pasword changed
|
||||||
os_always_ignore_users: ['root','sync','shutdown','halt', 'ec2-user']
|
os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt', 'ec2-user']
|
||||||
|
|
||||||
sysctl_rhel_config:
|
sysctl_rhel_config:
|
||||||
# ExecShield protection against buffer overflows
|
# ExecShield protection against buffer overflows
|
||||||
|
|
|
@ -0,0 +1,25 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
os_nologin_shell_path: '/sbin/nologin'
|
||||||
|
|
||||||
|
os_shadow_perms:
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0600'
|
||||||
|
|
||||||
|
os_passwd_perms:
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0644'
|
||||||
|
|
||||||
|
os_env_umask: '027'
|
||||||
|
|
||||||
|
os_auth_uid_min: 1000
|
||||||
|
os_auth_gid_min: 1000
|
||||||
|
os_auth_sys_uid_min: 500
|
||||||
|
os_auth_sys_uid_max: 999
|
||||||
|
os_auth_sys_gid_min: 500
|
||||||
|
os_auth_sys_gid_max: 999
|
||||||
|
|
||||||
|
modprobe_package: 'kmod'
|
||||||
|
auditd_package: 'audit'
|
|
@ -1,13 +1,10 @@
|
||||||
|
---
|
||||||
|
|
||||||
os_packages_pam_ccreds: 'libpam-ccreds'
|
os_packages_pam_ccreds: 'libpam-ccreds'
|
||||||
os_packages_pam_passwdqc: 'libpam-passwdqc'
|
os_packages_pam_passwdqc: 'libpam-passwdqc'
|
||||||
os_packages_pam_cracklib: 'libpam-cracklib'
|
os_packages_pam_cracklib: 'libpam-cracklib'
|
||||||
passwdqc_path: '/usr/share/pam-configs/passwdqc'
|
|
||||||
tally2_path: '/usr/share/pam-configs/tally2'
|
|
||||||
os_nologin_shell_path: '/usr/sbin/nologin'
|
os_nologin_shell_path: '/usr/sbin/nologin'
|
||||||
|
|
||||||
auditd_package: 'auditd'
|
|
||||||
modprobe_package: 'kmod'
|
|
||||||
|
|
||||||
# Different distros use different standards for /etc/shadow perms, e.g.
|
# Different distros use different standards for /etc/shadow perms, e.g.
|
||||||
# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
|
# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
|
||||||
# You must provide key/value pairs for owner, group, and mode if overriding.
|
# You must provide key/value pairs for owner, group, and mode if overriding.
|
||||||
|
@ -29,3 +26,12 @@ os_auth_sys_uid_min: 100
|
||||||
os_auth_sys_uid_max: 999
|
os_auth_sys_uid_max: 999
|
||||||
os_auth_sys_gid_min: 100
|
os_auth_sys_gid_min: 100
|
||||||
os_auth_sys_gid_max: 999
|
os_auth_sys_gid_max: 999
|
||||||
|
|
||||||
|
# defaults for useradd
|
||||||
|
os_useradd_mail_dir: /var/mail
|
||||||
|
|
||||||
|
modprobe_package: 'kmod'
|
||||||
|
auditd_package: 'auditd'
|
||||||
|
|
||||||
|
tally2_path: '/usr/share/pam-configs/tally2'
|
||||||
|
passwdqc_path: '/usr/share/pam-configs/passwdqc'
|
||||||
|
|
|
@ -0,0 +1,31 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
os_packages_pam_ccreds: 'pam_ccreds'
|
||||||
|
os_packages_pam_passwdqc: 'pam_passwdqc'
|
||||||
|
os_packages_pam_cracklib: 'pam_cracklib'
|
||||||
|
os_nologin_shell_path: '/sbin/nologin'
|
||||||
|
|
||||||
|
# Different distros use different standards for /etc/shadow perms, e.g.
|
||||||
|
# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
|
||||||
|
# You must provide key/value pairs for owner, group, and mode if overriding.
|
||||||
|
os_shadow_perms:
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0000'
|
||||||
|
|
||||||
|
os_passwd_perms:
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0644'
|
||||||
|
|
||||||
|
os_env_umask: '027'
|
||||||
|
|
||||||
|
os_auth_uid_min: 1000
|
||||||
|
os_auth_gid_min: 1000
|
||||||
|
os_auth_sys_uid_min: 201
|
||||||
|
os_auth_sys_uid_max: 999
|
||||||
|
os_auth_sys_gid_min: 201
|
||||||
|
os_auth_sys_gid_max: 999
|
||||||
|
|
||||||
|
modprobe_package: 'module-init-tools'
|
||||||
|
auditd_package: 'audit'
|
|
@ -1,3 +1,5 @@
|
||||||
|
---
|
||||||
|
|
||||||
os_packages_pam_ccreds: 'pam_ccreds'
|
os_packages_pam_ccreds: 'pam_ccreds'
|
||||||
os_packages_pam_passwdqc: 'pam_passwdqc'
|
os_packages_pam_passwdqc: 'pam_passwdqc'
|
||||||
os_packages_pam_cracklib: 'pam_cracklib'
|
os_packages_pam_cracklib: 'pam_cracklib'
|
||||||
|
|
|
@ -1,8 +1,5 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
modprobe_package: 'module-init-tools'
|
|
||||||
auditd_package: 'audit'
|
|
||||||
|
|
||||||
os_packages_pam_ccreds: 'pam_ccreds'
|
os_packages_pam_ccreds: 'pam_ccreds'
|
||||||
os_packages_pam_passwdqc: 'pam_passwdqc'
|
os_packages_pam_passwdqc: 'pam_passwdqc'
|
||||||
os_packages_pam_cracklib: 'pam_cracklib'
|
os_packages_pam_cracklib: 'pam_cracklib'
|
||||||
|
@ -29,3 +26,10 @@ os_auth_sys_uid_min: 201
|
||||||
os_auth_sys_uid_max: 999
|
os_auth_sys_uid_max: 999
|
||||||
os_auth_sys_gid_min: 201
|
os_auth_sys_gid_min: 201
|
||||||
os_auth_sys_gid_max: 999
|
os_auth_sys_gid_max: 999
|
||||||
|
|
||||||
|
# defaults for useradd
|
||||||
|
os_useradd_mail_dir: /var/spool/mail
|
||||||
|
os_useradd_create_home: true
|
||||||
|
|
||||||
|
modprobe_package: 'module-init-tools'
|
||||||
|
auditd_package: 'audit'
|
||||||
|
|
|
@ -0,0 +1,34 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
os_packages_pam_ccreds: 'pam_ccreds'
|
||||||
|
os_packages_pam_passwdqc: 'pam_passwdqc'
|
||||||
|
os_packages_pam_cracklib: 'cracklib'
|
||||||
|
os_nologin_shell_path: '/sbin/nologin'
|
||||||
|
|
||||||
|
# Different distros use different standards for /etc/shadow perms, e.g.
|
||||||
|
# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
|
||||||
|
# You must provide key/value pairs for owner, group, and mode if overriding.
|
||||||
|
os_shadow_perms:
|
||||||
|
owner: root
|
||||||
|
group: shadow
|
||||||
|
mode: '0640'
|
||||||
|
|
||||||
|
os_passwd_perms:
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0644'
|
||||||
|
|
||||||
|
os_env_umask: '027'
|
||||||
|
|
||||||
|
os_auth_uid_min: 1000
|
||||||
|
os_auth_gid_min: 1000
|
||||||
|
os_auth_sys_uid_min: 100
|
||||||
|
os_auth_sys_uid_max: 499
|
||||||
|
os_auth_sys_gid_min: 100
|
||||||
|
os_auth_sys_gid_max: 499
|
||||||
|
|
||||||
|
# defaults for useradd
|
||||||
|
os_useradd_create_home: false
|
||||||
|
|
||||||
|
modprobe_package: 'kmod-compat'
|
||||||
|
auditd_package: 'audit'
|
|
@ -1,3 +1,4 @@
|
||||||
|
---
|
||||||
# SYSTEM CONFIGURATION
|
# SYSTEM CONFIGURATION
|
||||||
# ====================
|
# ====================
|
||||||
# These are not meant to be modified by the user
|
# These are not meant to be modified by the user
|
||||||
|
@ -43,6 +44,7 @@ os_security_suid_sgid_system_whitelist:
|
||||||
- '/bin/mount'
|
- '/bin/mount'
|
||||||
- '/bin/ping'
|
- '/bin/ping'
|
||||||
- '/bin/su'
|
- '/bin/su'
|
||||||
|
- '/usr/bin/su'
|
||||||
- '/bin/umount'
|
- '/bin/umount'
|
||||||
- '/sbin/pam_timestamp_check'
|
- '/sbin/pam_timestamp_check'
|
||||||
- '/sbin/unix_chkpwd'
|
- '/sbin/unix_chkpwd'
|
||||||
|
@ -107,4 +109,4 @@ os_security_suid_sgid_system_whitelist:
|
||||||
- '/usr/lib/libvte-2.90-9/gnome-pty-helper' # gnome
|
- '/usr/lib/libvte-2.90-9/gnome-pty-helper' # gnome
|
||||||
|
|
||||||
# system accounts that do not get their login disabled and pasword changed
|
# system accounts that do not get their login disabled and pasword changed
|
||||||
os_always_ignore_users: ['root','sync','shutdown','halt']
|
os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt']
|
||||||
|
|