mirror of https://github.com/easzlab/kubeasz.git
update: os-hardening 7.0.0
parent
e51aa3603d
commit
5ae78116f6
|
@ -1,13 +1,12 @@
|
|||
############################
|
||||
# role:prepare
|
||||
# prepare
|
||||
############################
|
||||
# 可选离线安装系统软件包 (offline|online)
|
||||
INSTALL_SOURCE: "online"
|
||||
|
||||
# 可选进行系统安全加固 github.com/dev-sec/ansible-collection-hardening
|
||||
OS_HARDEN: false
|
||||
|
||||
############################
|
||||
# role:chrony
|
||||
############################
|
||||
# 设置时间源服务器【重要:集群内机器时间必须同步】
|
||||
ntp_servers:
|
||||
- "ntp1.aliyun.com"
|
||||
|
|
2
ezdown
2
ezdown
|
@ -14,7 +14,7 @@ set -o errexit
|
|||
|
||||
# default settings, can be overridden by cmd line options, see usage
|
||||
DOCKER_VER=19.03.14
|
||||
KUBEASZ_VER=3.0.0-rc
|
||||
KUBEASZ_VER=3.0.0
|
||||
K8S_BIN_VER=v1.20.2
|
||||
EXT_BIN_VER=0.8.1
|
||||
SYS_PKG_VER=0.3.3
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
- ex_lb
|
||||
- chrony
|
||||
roles:
|
||||
- { role: os-harden, when: "OS_HARDEN|bool" }
|
||||
- { role: chrony, when: "groups['chrony']|length > 0" }
|
||||
|
||||
# to create CA, kubeconfig, kube-proxy.kubeconfig etc.
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
|
||||
- hosts: harbor
|
||||
roles:
|
||||
- { role: os-harden, when: "OS_HARDEN|bool" }
|
||||
- { role: chrony, when: "NEW_INSTALL == 'yes' and groups['chrony']|length > 0" }
|
||||
- { role: prepare, when: "NEW_INSTALL == 'yes'" }
|
||||
- { role: docker, when: "NEW_INSTALL == 'yes'" }
|
||||
|
|
|
@ -39,6 +39,7 @@
|
|||
vars:
|
||||
CLUSTER_STATE: existing
|
||||
roles:
|
||||
- { role: os-harden, when: "OS_HARDEN|bool" }
|
||||
- { role: chrony, when: "groups['chrony']|length > 0" }
|
||||
- prepare
|
||||
- etcd
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
- hosts: "{{ NODE_TO_ADD }}"
|
||||
roles:
|
||||
- { role: os-harden, when: "OS_HARDEN|bool" }
|
||||
- { role: chrony, when: "groups['chrony']|length > 0" }
|
||||
- prepare
|
||||
- { role: docker, when: "CONTAINER_RUNTIME == 'docker'" }
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
- hosts: "{{ NODE_TO_ADD }}"
|
||||
roles:
|
||||
- { role: os-harden, when: "OS_HARDEN|bool" }
|
||||
- { role: chrony, when: "groups['chrony']|length > 0" }
|
||||
- prepare
|
||||
- { role: docker, when: "CONTAINER_RUNTIME == 'docker'" }
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
- ex_lb
|
||||
- chrony
|
||||
roles:
|
||||
- { role: os-harden, when: "OS_HARDEN|bool" }
|
||||
- { role: chrony, when: "groups['chrony']|length > 0" }
|
||||
|
||||
# to create CA, kubeconfig, kube-proxy.kubeconfig etc.
|
||||
|
|
|
@ -0,0 +1,495 @@
|
|||
# Changelog
|
||||
|
||||
## [6.3.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.3.0) (2020-10-28)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.2.0...6.3.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- Breaking change in ansible-lint - set file permissions explicitly [\#299](https://github.com/dev-sec/ansible-os-hardening/issues/299)
|
||||
- Improve Documentation [\#315](https://github.com/dev-sec/ansible-os-hardening/pull/315) ([schurzi](https://github.com/schurzi))
|
||||
- Arch support [\#303](https://github.com/dev-sec/ansible-os-hardening/pull/303) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- fix linting for molecule [\#301](https://github.com/dev-sec/ansible-os-hardening/pull/301) ([schurzi](https://github.com/schurzi))
|
||||
- file permissions explicitly defined [\#300](https://github.com/dev-sec/ansible-os-hardening/pull/300) ([danielkubat](https://github.com/danielkubat))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- Task "set 10.hardcore.conf perms to 0400 and root ownership" fails in check mode [\#313](https://github.com/dev-sec/ansible-os-hardening/issues/313)
|
||||
- use touch for 10.hardcore.conf to avoid problems with dry-run [\#314](https://github.com/dev-sec/ansible-os-hardening/pull/314) ([schurzi](https://github.com/schurzi))
|
||||
- use touch with no date changes [\#310](https://github.com/dev-sec/ansible-os-hardening/pull/310) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- do not touch sysctl file to avoid idempotency problems [\#309](https://github.com/dev-sec/ansible-os-hardening/pull/309) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
**Closed issues:**
|
||||
|
||||
- Any planned support for RHEL/CentOS 8? [\#298](https://github.com/dev-sec/ansible-os-hardening/issues/298)
|
||||
|
||||
**Merged pull requests:**
|
||||
|
||||
- prettier markdown files action added [\#322](https://github.com/dev-sec/ansible-os-hardening/pull/322) ([danielkubat](https://github.com/danielkubat))
|
||||
- adjust permissions on shadow file on suse [\#311](https://github.com/dev-sec/ansible-os-hardening/pull/311) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [6.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.2.0) (2020-08-17)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.1.0...6.2.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- Optimize and unify when clause [\#295](https://github.com/dev-sec/ansible-os-hardening/pull/295) ([Alexhha](https://github.com/Alexhha))
|
||||
- use find module instead of shell [\#294](https://github.com/dev-sec/ansible-os-hardening/pull/294) ([danielkubat](https://github.com/danielkubat))
|
||||
- improve testing [\#287](https://github.com/dev-sec/ansible-os-hardening/pull/287) ([schurzi](https://github.com/schurzi))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- Inconsistent use of role vars/role defaults [\#284](https://github.com/dev-sec/ansible-os-hardening/issues/284)
|
||||
- replace module parameter fixed [\#297](https://github.com/dev-sec/ansible-os-hardening/pull/297) ([danielkubat](https://github.com/danielkubat))
|
||||
|
||||
**Closed issues:**
|
||||
|
||||
- Consider using find module instead of shell [\#293](https://github.com/dev-sec/ansible-os-hardening/issues/293)
|
||||
- Optimize logical OR in when clause [\#292](https://github.com/dev-sec/ansible-os-hardening/issues/292)
|
||||
- vfat added to dev-sec.conf, but efi is used [\#288](https://github.com/dev-sec/ansible-os-hardening/issues/288)
|
||||
- OpenSUSE Support [\#249](https://github.com/dev-sec/ansible-os-hardening/issues/249)
|
||||
|
||||
**Merged pull requests:**
|
||||
|
||||
- fix fedora build [\#296](https://github.com/dev-sec/ansible-os-hardening/pull/296) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- do not blacklist used filesystems [\#289](https://github.com/dev-sec/ansible-os-hardening/pull/289) ([schurzi](https://github.com/schurzi))
|
||||
- move hidepid vars into defaults so theyre overwritable [\#285](https://github.com/dev-sec/ansible-os-hardening/pull/285) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [6.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.1.0) (2020-07-21)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.3...6.1.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- Mount proc filesystem using hidepid option [\#283](https://github.com/dev-sec/ansible-os-hardening/pull/283) ([alegrey91](https://github.com/alegrey91))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- Is it safe to use on Debian 10? The build is failing. [\#281](https://github.com/dev-sec/ansible-os-hardening/issues/281)
|
||||
|
||||
**Closed issues:**
|
||||
|
||||
- The state of the galaxy release [\#269](https://github.com/dev-sec/ansible-os-hardening/issues/269)
|
||||
|
||||
**Merged pull requests:**
|
||||
|
||||
- install procps in debian so sysctl.conf exists [\#282](https://github.com/dev-sec/ansible-os-hardening/pull/282) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [6.0.3](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.3) (2020-06-06)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.2...6.0.3)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- unify changelog and release actions [\#279](https://github.com/dev-sec/ansible-os-hardening/pull/279) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [6.0.2](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.2) (2020-06-02)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.1...6.0.2)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- purge insecure packages [\#275](https://github.com/dev-sec/ansible-os-hardening/pull/275) ([chris-rock](https://github.com/chris-rock))
|
||||
|
||||
## [6.0.1](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.1) (2020-05-09)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.0...6.0.1)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- add changelog and release workflow [\#271](https://github.com/dev-sec/ansible-os-hardening/pull/271) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- github action for changelog generation [\#270](https://github.com/dev-sec/ansible-os-hardening/pull/270) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [6.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.0) (2020-05-05)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.2.1...6.0.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- Configure audit=1 for more accurate auid auditing [\#253](https://github.com/dev-sec/ansible-os-hardening/issues/253)
|
||||
- Add Debian Buster support for ansible-os-hardening [\#233](https://github.com/dev-sec/ansible-os-hardening/issues/233)
|
||||
- Add CentOS 8 support for ansible-os-hardening [\#232](https://github.com/dev-sec/ansible-os-hardening/issues/232)
|
||||
- Add selinux configuration [\#154](https://github.com/dev-sec/ansible-os-hardening/issues/154)
|
||||
- Make useradd defaults in login.defs dependent on OS [\#266](https://github.com/dev-sec/ansible-os-hardening/pull/266) ([aisbergg](https://github.com/aisbergg))
|
||||
- Add kernel hardening parameters from Tails and CIS Benchmark [\#263](https://github.com/dev-sec/ansible-os-hardening/pull/263) ([kravietz](https://github.com/kravietz))
|
||||
- add ansible-lint [\#262](https://github.com/dev-sec/ansible-os-hardening/pull/262) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Remove trailing space [\#261](https://github.com/dev-sec/ansible-os-hardening/pull/261) ([kravietz](https://github.com/kravietz))
|
||||
- Add kernel parameter information to README [\#259](https://github.com/dev-sec/ansible-os-hardening/pull/259) ([jaredledvina](https://github.com/jaredledvina))
|
||||
- Remove trailing whitespaces \(ansible-lint 201\) [\#254](https://github.com/dev-sec/ansible-os-hardening/pull/254) ([kravietz](https://github.com/kravietz))
|
||||
- Standardize the var ordering [\#251](https://github.com/dev-sec/ansible-os-hardening/pull/251) ([dustinmiller1337](https://github.com/dustinmiller1337))
|
||||
- Add intial support for OpenSUSE [\#250](https://github.com/dev-sec/ansible-os-hardening/pull/250) ([dustinmiller1337](https://github.com/dustinmiller1337))
|
||||
- Make max_log_file_action for auditd configurable [\#246](https://github.com/dev-sec/ansible-os-hardening/pull/246) ([jandd](https://github.com/jandd))
|
||||
- Add exception in sysctl task [\#240](https://github.com/dev-sec/ansible-os-hardening/pull/240) ([ghost](https://github.com/ghost))
|
||||
- Fedora - Use new auto ansible_python_interpreter for dnf [\#239](https://github.com/dev-sec/ansible-os-hardening/pull/239) ([jaredledvina](https://github.com/jaredledvina))
|
||||
- add test support for CentOS8 [\#237](https://github.com/dev-sec/ansible-os-hardening/pull/237) ([yeoldegrove](https://github.com/yeoldegrove))
|
||||
- Support configuring SELinux and default to enforcing [\#236](https://github.com/dev-sec/ansible-os-hardening/pull/236) ([jaredledvina](https://github.com/jaredledvina))
|
||||
- Add test support for debian buster [\#234](https://github.com/dev-sec/ansible-os-hardening/pull/234) ([123Haynes](https://github.com/123Haynes))
|
||||
- Changed local var name to a less common one [\#231](https://github.com/dev-sec/ansible-os-hardening/pull/231) ([rgarrigue](https://github.com/rgarrigue))
|
||||
- Use ansible facts for vars [\#226](https://github.com/dev-sec/ansible-os-hardening/pull/226) ([joshuatalb](https://github.com/joshuatalb))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- /etc/login.defs alters centos 7/8 default values [\#265](https://github.com/dev-sec/ansible-os-hardening/issues/265)
|
||||
- Invalid Conditionals in user_accounts.yml [\#255](https://github.com/dev-sec/ansible-os-hardening/issues/255)
|
||||
- `auth-system` related files are created for non-RHEL systems \(e.g. Debian\) [\#247](https://github.com/dev-sec/ansible-os-hardening/issues/247)
|
||||
- NSA website links are stale [\#227](https://github.com/dev-sec/ansible-os-hardening/issues/227)
|
||||
- Running ansible on python3 throughs "TypeError: '\<=' not supported between instances of 'str' and 'int'" [\#223](https://github.com/dev-sec/ansible-os-hardening/issues/223)
|
||||
- \[lots of\] deprecation warnings in Ansible 2.8 [\#221](https://github.com/dev-sec/ansible-os-hardening/issues/221)
|
||||
- Add a "don't fail on error" switch ? [\#148](https://github.com/dev-sec/ansible-os-hardening/issues/148)
|
||||
- Addressing issue \#255 [\#258](https://github.com/dev-sec/ansible-os-hardening/pull/258) ([ljkimmel](https://github.com/ljkimmel))
|
||||
- Fix \#247, cleanup conditions [\#248](https://github.com/dev-sec/ansible-os-hardening/pull/248) ([fernandezcuesta](https://github.com/fernandezcuesta))
|
||||
- Fix error on applying the sysctl vars on containers [\#243](https://github.com/dev-sec/ansible-os-hardening/pull/243) ([ghost](https://github.com/ghost))
|
||||
- Update location of NSA RHEL 5 Guide [\#235](https://github.com/dev-sec/ansible-os-hardening/pull/235) ([jaredledvina](https://github.com/jaredledvina))
|
||||
|
||||
## [5.2.1](https://github.com/dev-sec/ansible-os-hardening/tree/5.2.1) (2019-06-09)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.2.0...5.2.1)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- Fix deprecation warnings in Ansible 2.8 [\#224](https://github.com/dev-sec/ansible-os-hardening/pull/224) ([Normo](https://github.com/Normo))
|
||||
- add docs to find-task in minimize access. fix \#219 [\#220](https://github.com/dev-sec/ansible-os-hardening/pull/220) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- `squash\_actions` deprecation warning [\#218](https://github.com/dev-sec/ansible-os-hardening/issues/218)
|
||||
|
||||
## [5.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/5.2.0) (2019-05-04)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.1.0...5.2.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- Speed up "minimize access on found files" task [\#208](https://github.com/dev-sec/ansible-os-hardening/issues/208)
|
||||
- Fedora support? [\#163](https://github.com/dev-sec/ansible-os-hardening/issues/163)
|
||||
- remove eol'd OS and add new [\#217](https://github.com/dev-sec/ansible-os-hardening/pull/217) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Add note about docker under warning [\#214](https://github.com/dev-sec/ansible-os-hardening/pull/214) ([ChrisMcKee](https://github.com/ChrisMcKee))
|
||||
- change minimize access tasks to speed them up [\#209](https://github.com/dev-sec/ansible-os-hardening/pull/209) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Added fedora support [\#206](https://github.com/dev-sec/ansible-os-hardening/pull/206) ([jonaswre](https://github.com/jonaswre))
|
||||
- Pass package list directly to apt and yum modules without using with_items loop [\#200](https://github.com/dev-sec/ansible-os-hardening/pull/200) ([Normo](https://github.com/Normo))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- login.defs.j2 template: ENV_PATH is missing ':' before variable substitution [\#202](https://github.com/dev-sec/ansible-os-hardening/issues/202)
|
||||
- 'sysctl_rhel_config' is undefined [\#167](https://github.com/dev-sec/ansible-os-hardening/issues/167)
|
||||
- RHEL 7.4: Too many setuid bits removed [\#140](https://github.com/dev-sec/ansible-os-hardening/issues/140)
|
||||
- Fix typo [\#212](https://github.com/dev-sec/ansible-os-hardening/pull/212) ([ruslo](https://github.com/ruslo))
|
||||
- Update modprobe to 0644 [\#211](https://github.com/dev-sec/ansible-os-hardening/pull/211) ([joshuatalb](https://github.com/joshuatalb))
|
||||
- Test Kitchen Vagrant Fixes [\#210](https://github.com/dev-sec/ansible-os-hardening/pull/210) ([joshuatalb](https://github.com/joshuatalb))
|
||||
- \[readme\] Update documentation link [\#207](https://github.com/dev-sec/ansible-os-hardening/pull/207) ([pmav99](https://github.com/pmav99))
|
||||
- fix ansible lint remarks [\#204](https://github.com/dev-sec/ansible-os-hardening/pull/204) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- add colon to user env paths - fix \#202 [\#203](https://github.com/dev-sec/ansible-os-hardening/pull/203) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Fix errors produced by ansible-lint [\#159](https://github.com/dev-sec/ansible-os-hardening/pull/159) ([zbrojny120](https://github.com/zbrojny120))
|
||||
|
||||
## [5.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/5.1.0) (2018-10-17)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.0.0...5.1.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- add ubuntu 1804 support [\#196](https://github.com/dev-sec/ansible-os-hardening/pull/196) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- add option to disable auditd [\#192](https://github.com/dev-sec/ansible-os-hardening/pull/192) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- auditd causing v5.0 to fail on unpriviledged LXC's [\#191](https://github.com/dev-sec/ansible-os-hardening/issues/191)
|
||||
- Setting os_security_users_allow has no effect [\#175](https://github.com/dev-sec/ansible-os-hardening/issues/175)
|
||||
- add /usr/bin/su to suid_guid whitelist [\#199](https://github.com/dev-sec/ansible-os-hardening/pull/199) ([ccolic](https://github.com/ccolic))
|
||||
- ensure that permissions to su-binary are not restricted to root user and group only, if os_security_users_allow contains the value change_user [\#197](https://github.com/dev-sec/ansible-os-hardening/pull/197) ([szEvEz](https://github.com/szEvEz))
|
||||
|
||||
## [5.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/5.0.0) (2018-09-02)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.3.0...5.0.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- Warning about "include" for tasks for ansible-playbook 2.4.0 \(devel f0a5854e39\) [\#131](https://github.com/dev-sec/ansible-os-hardening/issues/131)
|
||||
- fix problems with efi and vfat [\#190](https://github.com/dev-sec/ansible-os-hardening/pull/190) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- added os_hardening_enabled flag [\#186](https://github.com/dev-sec/ansible-os-hardening/pull/186) ([jcheroske](https://github.com/jcheroske))
|
||||
- add amazon run opts to travis [\#183](https://github.com/dev-sec/ansible-os-hardening/pull/183) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- use package instead of yum and apt [\#180](https://github.com/dev-sec/ansible-os-hardening/pull/180) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- add oracle7 to travis [\#178](https://github.com/dev-sec/ansible-os-hardening/pull/178) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- fix wrong permissions passwdqc \#170 [\#176](https://github.com/dev-sec/ansible-os-hardening/pull/176) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- ipv4 forwarding comment is inconsistent with example [\#174](https://github.com/dev-sec/ansible-os-hardening/pull/174) ([carchrae](https://github.com/carchrae))
|
||||
- Rename pam_passwdqd.j2 to pam_passwdqc.j2 [\#172](https://github.com/dev-sec/ansible-os-hardening/pull/172) ([martinbydefault](https://github.com/martinbydefault))
|
||||
- Use package state 'present' since 'installed' is deprecated [\#168](https://github.com/dev-sec/ansible-os-hardening/pull/168) ([Normo](https://github.com/Normo))
|
||||
- Update syntax to Ansible 2.4 [\#161](https://github.com/dev-sec/ansible-os-hardening/pull/161) ([thomasjpfan](https://github.com/thomasjpfan))
|
||||
- add amazon linux testing [\#160](https://github.com/dev-sec/ansible-os-hardening/pull/160) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Add support for Amazon Linux [\#158](https://github.com/dev-sec/ansible-os-hardening/pull/158) ([woneill](https://github.com/woneill))
|
||||
- install and configure auditd - fix inspec package-08 [\#144](https://github.com/dev-sec/ansible-os-hardening/pull/144) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Remove deprecated include for static tasks and use instead import_tasks fix \#131 [\#132](https://github.com/dev-sec/ansible-os-hardening/pull/132) ([HelioCampos](https://github.com/HelioCampos))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- minimize_access: maximum recursion depth exceeded on Ansible 2.5 [\#171](https://github.com/dev-sec/ansible-os-hardening/issues/171)
|
||||
- wrong permissions passwdqc [\#170](https://github.com/dev-sec/ansible-os-hardening/issues/170)
|
||||
- Update deprecated `include` statements [\#166](https://github.com/dev-sec/ansible-os-hardening/issues/166)
|
||||
- Strongly recommend against disabling vfat by default [\#162](https://github.com/dev-sec/ansible-os-hardening/issues/162)
|
||||
- System completely unresponsive after role execution [\#145](https://github.com/dev-sec/ansible-os-hardening/issues/145)
|
||||
- do not install passwdqc on amazon linux [\#189](https://github.com/dev-sec/ansible-os-hardening/pull/189) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- add back run opts for debian 8 in travis [\#184](https://github.com/dev-sec/ansible-os-hardening/pull/184) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Fix core dump config file creation when core dumps are disabled [\#182](https://github.com/dev-sec/ansible-os-hardening/pull/182) ([Normo](https://github.com/Normo))
|
||||
- change minimize access method [\#181](https://github.com/dev-sec/ansible-os-hardening/pull/181) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [4.3.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.3.0) (2018-01-03)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.3.1...4.3.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- Update some RH settings in this role [\#155](https://github.com/dev-sec/ansible-os-hardening/issues/155)
|
||||
- Removal of core dump hardening configuration if core dumps are allowed [\#129](https://github.com/dev-sec/ansible-os-hardening/issues/129)
|
||||
- Don't create home for system accounts [\#156](https://github.com/dev-sec/ansible-os-hardening/pull/156) ([oakey-b1](https://github.com/oakey-b1))
|
||||
- Prevent disabling of filesystems via whitelist [\#153](https://github.com/dev-sec/ansible-os-hardening/pull/153) ([manuelprinz](https://github.com/manuelprinz))
|
||||
- Add kernel hardening settings from Ubuntu /etc/sysctl.d [\#150](https://github.com/dev-sec/ansible-os-hardening/pull/150) ([kravietz](https://github.com/kravietz))
|
||||
- Removal of core dump hardening configuration if core dumps are allowed [\#146](https://github.com/dev-sec/ansible-os-hardening/pull/146) ([martinbydefault](https://github.com/martinbydefault))
|
||||
- add missing sysctl parameter [\#143](https://github.com/dev-sec/ansible-os-hardening/pull/143) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- update readme [\#139](https://github.com/dev-sec/ansible-os-hardening/pull/139) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- bug in ufw.j2 template [\#151](https://github.com/dev-sec/ansible-os-hardening/issues/151)
|
||||
- replace single ticks with double ticks. fix \#151 [\#152](https://github.com/dev-sec/ansible-os-hardening/pull/152) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- fixed tag [\#149](https://github.com/dev-sec/ansible-os-hardening/pull/149) ([martinbydefault](https://github.com/martinbydefault))
|
||||
|
||||
**Closed issues:**
|
||||
|
||||
- ansible hardening fails on ubuntu 16.04 with msg": "ERROR! 'sysctl_rhel_config' is undefined [\#147](https://github.com/dev-sec/ansible-os-hardening/issues/147)
|
||||
- Enhancement: Test with TestInfra and Molecule [\#128](https://github.com/dev-sec/ansible-os-hardening/issues/128)
|
||||
|
||||
**Merged pull requests:**
|
||||
|
||||
- move defaults to os-specific vars [\#157](https://github.com/dev-sec/ansible-os-hardening/pull/157) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [4.3.1](https://github.com/dev-sec/ansible-os-hardening/tree/4.3.1) (2017-09-13)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.2.0...4.3.1)
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- os_security_kernel_enable_sysrq is not implemented [\#115](https://github.com/dev-sec/ansible-os-hardening/issues/115)
|
||||
|
||||
## [4.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.2.0) (2017-08-08)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.1.0...4.2.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- add modprobe template, control os-10 [\#138](https://github.com/dev-sec/ansible-os-hardening/pull/138) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- new task for delete netrc files, control os-09 [\#137](https://github.com/dev-sec/ansible-os-hardening/pull/137) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- add passwd task, control os-03 [\#136](https://github.com/dev-sec/ansible-os-hardening/pull/136) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- remove prelink package, control package-09 [\#135](https://github.com/dev-sec/ansible-os-hardening/pull/135) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- style update [\#134](https://github.com/dev-sec/ansible-os-hardening/pull/134) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Fix ansible.cfg and use comment filter [\#130](https://github.com/dev-sec/ansible-os-hardening/pull/130) ([fazlearefin](https://github.com/fazlearefin))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- Why is rsync removed? [\#141](https://github.com/dev-sec/ansible-os-hardening/issues/141)
|
||||
- playbook makes OS undetectable [\#124](https://github.com/dev-sec/ansible-os-hardening/issues/124)
|
||||
- Centos7/RHEL7: Exec shield is enabled by default and not manageable anymore by sysctl.conf [\#118](https://github.com/dev-sec/ansible-os-hardening/issues/118)
|
||||
- Remove rsync from package blacklist [\#142](https://github.com/dev-sec/ansible-os-hardening/pull/142) ([duk3luk3](https://github.com/duk3luk3))
|
||||
|
||||
**Merged pull requests:**
|
||||
|
||||
- add more sysctl settings, allow overwriting [\#120](https://github.com/dev-sec/ansible-os-hardening/pull/120) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- remove execshield sysctl-parameter on rhel7 [\#119](https://github.com/dev-sec/ansible-os-hardening/pull/119) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [4.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.1.0) (2017-06-27)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.0.0...4.1.0)
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- Change system accounts not on the user provided ignore-list items are not JSON serializable [\#125](https://github.com/dev-sec/ansible-os-hardening/issues/125)
|
||||
- Could not find gem 'ruby \(\>= 2.1.0\)' [\#116](https://github.com/dev-sec/ansible-os-hardening/issues/116)
|
||||
- The task sysctl fails when /etc/initramfs-tools is not present [\#111](https://github.com/dev-sec/ansible-os-hardening/issues/111)
|
||||
- Deprecation warning always_run [\#103](https://github.com/dev-sec/ansible-os-hardening/issues/103)
|
||||
|
||||
**Closed issues:**
|
||||
|
||||
- Enhancement: Pin python dependencies for development and testing [\#127](https://github.com/dev-sec/ansible-os-hardening/issues/127)
|
||||
- Update readme to include baselines [\#122](https://github.com/dev-sec/ansible-os-hardening/issues/122)
|
||||
|
||||
**Merged pull requests:**
|
||||
|
||||
- Converts set to JSON-serializable list [\#126](https://github.com/dev-sec/ansible-os-hardening/pull/126) ([pestaa](https://github.com/pestaa))
|
||||
|
||||
## [4.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.0.0) (2017-03-14)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.2.0...4.0.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- Description of the Ansible roles of dev-sec says "This Ansible playbook" [\#97](https://github.com/dev-sec/ansible-os-hardening/issues/97)
|
||||
- install initramfs-tools [\#114](https://github.com/dev-sec/ansible-os-hardening/pull/114) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- omit empty variables [\#106](https://github.com/dev-sec/ansible-os-hardening/pull/106) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- The role fails when conditionally included [\#105](https://github.com/dev-sec/ansible-os-hardening/issues/105)
|
||||
|
||||
**Closed issues:**
|
||||
|
||||
- Error running on RHEL 7 due to syntax issues [\#112](https://github.com/dev-sec/ansible-os-hardening/issues/112)
|
||||
- disable password age [\#109](https://github.com/dev-sec/ansible-os-hardening/issues/109)
|
||||
|
||||
**Merged pull requests:**
|
||||
|
||||
- change shadow owner in debian systems [\#117](https://github.com/dev-sec/ansible-os-hardening/pull/117) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Rhel7 [\#113](https://github.com/dev-sec/ansible-os-hardening/pull/113) ([tyrken](https://github.com/tyrken))
|
||||
- use new Docker images [\#110](https://github.com/dev-sec/ansible-os-hardening/pull/110) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Don’t refer to this role as "playbook" in the role description [\#104](https://github.com/dev-sec/ansible-os-hardening/pull/104) ([ypid](https://github.com/ypid))
|
||||
|
||||
## [3.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.2.0) (2016-10-24)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.1.0...3.2.0)
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- CentOS 7 selinux dependencies [\#102](https://github.com/dev-sec/ansible-os-hardening/issues/102)
|
||||
- ubuntu xenial warning during activate gpg-check for yum-repos [\#99](https://github.com/dev-sec/ansible-os-hardening/issues/99)
|
||||
- rhel_system_auth.j2 is still using pam_passwdqc.so for CentOS 7 [\#98](https://github.com/dev-sec/ansible-os-hardening/issues/98)
|
||||
- Enable pam_pwquality in rhel-family \> 7 [\#73](https://github.com/dev-sec/ansible-os-hardening/issues/73)
|
||||
- "irc" user always changed after reboot [\#53](https://github.com/dev-sec/ansible-os-hardening/issues/53)
|
||||
|
||||
**Merged pull requests:**
|
||||
|
||||
- update template [\#101](https://github.com/dev-sec/ansible-os-hardening/pull/101) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- fix deprecation warning for undefined error. \#99 [\#100](https://github.com/dev-sec/ansible-os-hardening/pull/100) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- add rhel7 pam_pwquality. fix \#73 [\#94](https://github.com/dev-sec/ansible-os-hardening/pull/94) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [3.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.1.0) (2016-08-03)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.1...3.1.0)
|
||||
|
||||
## [3.1](https://github.com/dev-sec/ansible-os-hardening/tree/3.1) (2016-07-27)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.0.0...3.1)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- Supports --check mode [\#93](https://github.com/dev-sec/ansible-os-hardening/pull/93) ([conorsch](https://github.com/conorsch))
|
||||
- Adds support for CentOS 7 [\#91](https://github.com/dev-sec/ansible-os-hardening/pull/91) ([conorsch](https://github.com/conorsch))
|
||||
- Docker [\#90](https://github.com/dev-sec/ansible-os-hardening/pull/90) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- debian 8 support [\#88](https://github.com/dev-sec/ansible-os-hardening/pull/88) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Ufw manage defaults [\#85](https://github.com/dev-sec/ansible-os-hardening/pull/85) ([fitz123](https://github.com/fitz123))
|
||||
- replace ignore_errors to failed_when to supress ugly error warnings [\#81](https://github.com/dev-sec/ansible-os-hardening/pull/81) ([fitz123](https://github.com/fitz123))
|
||||
- fix bare variables usage for loops [\#79](https://github.com/dev-sec/ansible-os-hardening/pull/79) ([fitz123](https://github.com/fitz123))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- Centos 7.1 fails at \[Change various sysctl-settings on rhel-hosts...\] [\#74](https://github.com/dev-sec/ansible-os-hardening/issues/74)
|
||||
- Hardening fails on Centos 7.1 at task 'minimize access' [\#71](https://github.com/dev-sec/ansible-os-hardening/issues/71)
|
||||
|
||||
**Closed issues:**
|
||||
|
||||
- Permissions on /etc/shadow can lock out GUI users [\#86](https://github.com/dev-sec/ansible-os-hardening/issues/86)
|
||||
- network related sysctl rewritten by ufw in ubuntu [\#82](https://github.com/dev-sec/ansible-os-hardening/issues/82)
|
||||
- ansible \>= 2.0 complains: Using bare variables is deprecated [\#78](https://github.com/dev-sec/ansible-os-hardening/issues/78)
|
||||
|
||||
**Merged pull requests:**
|
||||
|
||||
- Fix a formatting issue in readme. [\#92](https://github.com/dev-sec/ansible-os-hardening/pull/92) ([vivekagr](https://github.com/vivekagr))
|
||||
- Permits overriding permissions on /etc/shadow [\#89](https://github.com/dev-sec/ansible-os-hardening/pull/89) ([conorsch](https://github.com/conorsch))
|
||||
|
||||
## [3.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.0.0) (2016-03-13)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/2.0.0...3.0.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- update platforms in meta-file [\#69](https://github.com/dev-sec/ansible-os-hardening/pull/69) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- add webhook for ansible galaxy [\#68](https://github.com/dev-sec/ansible-os-hardening/pull/68) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Move sysctl vars to defaults [\#67](https://github.com/dev-sec/ansible-os-hardening/pull/67) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- make sys_uid and sys_gid configurable [\#62](https://github.com/dev-sec/ansible-os-hardening/pull/62) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Ansible 2.0 support [\#59](https://github.com/dev-sec/ansible-os-hardening/pull/59) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- use inspec as test framework [\#58](https://github.com/dev-sec/ansible-os-hardening/pull/58) ([chris-rock](https://github.com/chris-rock))
|
||||
- Packages as attributes [\#57](https://github.com/dev-sec/ansible-os-hardening/pull/57) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Change categories to tags for upcoming ansible 2.0 [\#56](https://github.com/dev-sec/ansible-os-hardening/pull/56) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Add SINGLE and PROMPT parameters. [\#55](https://github.com/dev-sec/ansible-os-hardening/pull/55) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- add changelog generator [\#54](https://github.com/dev-sec/ansible-os-hardening/pull/54) ([chris-rock](https://github.com/chris-rock))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- Updates "tags" parameters on includes in main.yml [\#66](https://github.com/dev-sec/ansible-os-hardening/pull/66) ([conorsch](https://github.com/conorsch))
|
||||
- Suid set def var, fix \#64 [\#63](https://github.com/dev-sec/ansible-os-hardening/pull/63) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
**Closed issues:**
|
||||
|
||||
- Hardening fails on Centos 7.1 at task 'remove suid/sgid bit from all binaries except in system and user whitelist' [\#72](https://github.com/dev-sec/ansible-os-hardening/issues/72)
|
||||
- ansible 2.0 | "remove suid/sgid" task fails [\#64](https://github.com/dev-sec/ansible-os-hardening/issues/64)
|
||||
- Custom sysctl [\#50](https://github.com/dev-sec/ansible-os-hardening/issues/50)
|
||||
|
||||
**Merged pull requests:**
|
||||
|
||||
- Release 3.0.0 [\#75](https://github.com/dev-sec/ansible-os-hardening/pull/75) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [2.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/2.0.0) (2015-11-28)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/1.0.0...2.0.0)
|
||||
|
||||
**Closed issues:**
|
||||
|
||||
- Fix directory structure. [\#48](https://github.com/dev-sec/ansible-os-hardening/issues/48)
|
||||
- pam auth update error [\#47](https://github.com/dev-sec/ansible-os-hardening/issues/47)
|
||||
|
||||
**Merged pull requests:**
|
||||
|
||||
- Add explicit role-path to kitchen.yml [\#52](https://github.com/dev-sec/ansible-os-hardening/pull/52) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Fix pam passwdqc template [\#51](https://github.com/dev-sec/ansible-os-hardening/pull/51) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- New dir layout [\#49](https://github.com/dev-sec/ansible-os-hardening/pull/49) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- remove duplicate "update pam" task [\#46](https://github.com/dev-sec/ansible-os-hardening/pull/46) ([fitz123](https://github.com/fitz123))
|
||||
- Fix stuck in case pam files was updated before by force update [\#45](https://github.com/dev-sec/ansible-os-hardening/pull/45) ([fitz123](https://github.com/fitz123))
|
||||
- Fix nologin shell path [\#44](https://github.com/dev-sec/ansible-os-hardening/pull/44) ([fitz123](https://github.com/fitz123))
|
||||
- improved travis-tests to cover more cases [\#42](https://github.com/dev-sec/ansible-os-hardening/pull/42) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [1.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/1.0.0) (2015-09-01)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/06d1464e95cad7ccc24734b934a158b16dfc5014...1.0.0)
|
||||
|
||||
**Closed issues:**
|
||||
|
||||
- ansible-os-hardening/tasks/minimize_access.yml [\#38](https://github.com/dev-sec/ansible-os-hardening/issues/38)
|
||||
- Role configuration. vars/main.yml? [\#34](https://github.com/dev-sec/ansible-os-hardening/issues/34)
|
||||
- Sysctl reloading [\#18](https://github.com/dev-sec/ansible-os-hardening/issues/18)
|
||||
- Add conditions for disabling of ip forwarding [\#15](https://github.com/dev-sec/ansible-os-hardening/issues/15)
|
||||
- Disable System Accounts [\#6](https://github.com/dev-sec/ansible-os-hardening/issues/6)
|
||||
|
||||
**Merged pull requests:**
|
||||
|
||||
- Update kitchen-ansible, remove separate debian install [\#40](https://github.com/dev-sec/ansible-os-hardening/pull/40) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Add mode to su-binary task. Fix \#38 [\#39](https://github.com/dev-sec/ansible-os-hardening/pull/39) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- update common kitchen.yml platforms \(ansible\), kitchen_debian.yml platforms \(ansible\) [\#37](https://github.com/dev-sec/ansible-os-hardening/pull/37) ([chris-rock](https://github.com/chris-rock))
|
||||
- Change oneliner if-statements to be more readable [\#36](https://github.com/dev-sec/ansible-os-hardening/pull/36) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Separate system-vars from editable vars. Fix \#34 [\#35](https://github.com/dev-sec/ansible-os-hardening/pull/35) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Create limits.d-directory if it does not exist. [\#33](https://github.com/dev-sec/ansible-os-hardening/pull/33) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Add correct CONTRIB-file [\#32](https://github.com/dev-sec/ansible-os-hardening/pull/32) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Add Ansible Galaxy badge [\#31](https://github.com/dev-sec/ansible-os-hardening/pull/31) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Update readme, todo, changelog, vars [\#30](https://github.com/dev-sec/ansible-os-hardening/pull/30) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- List-cleanup and follow symlinks added [\#29](https://github.com/dev-sec/ansible-os-hardening/pull/29) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Add module configuration [\#28](https://github.com/dev-sec/ansible-os-hardening/pull/28) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Fix two sysctl-settings [\#27](https://github.com/dev-sec/ansible-os-hardening/pull/27) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Add meta-files for Ansible Galaxy [\#26](https://github.com/dev-sec/ansible-os-hardening/pull/26) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Disable System Accounts. Fix \#6 [\#25](https://github.com/dev-sec/ansible-os-hardening/pull/25) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Use changed_when to avoid changed tasks [\#24](https://github.com/dev-sec/ansible-os-hardening/pull/24) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Delete authconfig-task on rhel-systems [\#23](https://github.com/dev-sec/ansible-os-hardening/pull/23) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Add missing rhosts-include task [\#21](https://github.com/dev-sec/ansible-os-hardening/pull/21) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Change sysctl-task. Fix \#18 [\#20](https://github.com/dev-sec/ansible-os-hardening/pull/20) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Add travis-support [\#17](https://github.com/dev-sec/ansible-os-hardening/pull/17) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Add conditions for various tasks. Fix \#15 [\#16](https://github.com/dev-sec/ansible-os-hardening/pull/16) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- fix configuration of playbook path [\#14](https://github.com/dev-sec/ansible-os-hardening/pull/14) ([chris-rock](https://github.com/chris-rock))
|
||||
- Make tasks clearer [\#13](https://github.com/dev-sec/ansible-os-hardening/pull/13) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Add remove suid/sgid function [\#12](https://github.com/dev-sec/ansible-os-hardening/pull/12) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Add task to remove unused repos and pkgs [\#11](https://github.com/dev-sec/ansible-os-hardening/pull/11) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Edit README to fit to os-hardening [\#10](https://github.com/dev-sec/ansible-os-hardening/pull/10) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- ignore RAs on Ipv6 [\#9](https://github.com/dev-sec/ansible-os-hardening/pull/9) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Repair debian install script [\#8](https://github.com/dev-sec/ansible-os-hardening/pull/8) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Separate tasks into multiple smaller files [\#7](https://github.com/dev-sec/ansible-os-hardening/pull/7) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Enable gpg-check on all yum-repositories [\#5](https://github.com/dev-sec/ansible-os-hardening/pull/5) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Change playbook-path to accomodate test-repo [\#4](https://github.com/dev-sec/ansible-os-hardening/pull/4) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- treat securetty config as an array [\#3](https://github.com/dev-sec/ansible-os-hardening/pull/3) ([arlimus](https://github.com/arlimus))
|
||||
- Add Securetty-support [\#2](https://github.com/dev-sec/ansible-os-hardening/pull/2) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Add profile.conf configuration [\#1](https://github.com/dev-sec/ansible-os-hardening/pull/1) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
\* _This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)_
|
|
@ -1,192 +1,242 @@
|
|||
# os-hardening (Ansible Role)
|
||||
# devsec.os_hardening
|
||||
|
||||
[![Build Status](http://img.shields.io/travis/dev-sec/ansible-os-hardening.svg)][1]
|
||||
[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][2]
|
||||
[![Ansible Galaxy](https://img.shields.io/badge/galaxy-os--hardening-660198.svg)][3]
|
||||
![devsec.os_hardening](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.os_hardening/badge.svg)
|
||||
|
||||
## Looking for the old ansible-os-hardening role?
|
||||
|
||||
This role is now part of the hardening-collection. You can find the old role in the branch `legacy`.
|
||||
|
||||
## Description
|
||||
|
||||
This role provides numerous security-related configurations, providing all-round base protection. It is intended to be compliant with the [DevSec Linux Baseline](https://github.com/dev-sec/linux-baseline).
|
||||
This role provides numerous security-related configurations, providing all-round base protection. It is intended to be compliant with the [DevSec Linux Baseline](https://github.com/dev-sec/linux-baseline).
|
||||
|
||||
It configures:
|
||||
|
||||
* Configures package management e.g. allows only signed packages
|
||||
* Remove packages with known issues
|
||||
* Configures `pam` and `pam_limits` module
|
||||
* Shadow password suite configuration
|
||||
* Configures system path permissions
|
||||
* Disable core dumps via soft limits
|
||||
* Restrict Root Logins to System Console
|
||||
* Set SUIDs
|
||||
* Configures kernel parameters via sysctl
|
||||
- Remove unused yum repositories and enable GPG key-checking
|
||||
- Remove packages with known issues
|
||||
- Configures pam for strong password checks
|
||||
- Installs and configures auditd
|
||||
- Disable core dumps via soft limits
|
||||
- sets a restrictive umask
|
||||
- Configures execute permissions of files in system paths
|
||||
- Hardens access to shadow and passwd files
|
||||
- Disables unused filesystems
|
||||
- Disables rhosts
|
||||
- Configures secure ttys
|
||||
- Configures kernel parameters via sysctl
|
||||
- Enables selinux on EL-based systems
|
||||
- Remove SUIDs and GUIDs
|
||||
- Configures login and passwords of system accounts
|
||||
|
||||
It will not:
|
||||
|
||||
* Update system packages
|
||||
* Install security patches
|
||||
- Update system packages
|
||||
- Install security patches
|
||||
|
||||
## Requirements
|
||||
|
||||
* Ansible 2.5.0
|
||||
- Ansible 2.9.0
|
||||
|
||||
## Warning
|
||||
## Known Limitations
|
||||
|
||||
### Docker support
|
||||
|
||||
If you're using Docker / Kubernetes+Docker you'll need to override the ipv4 ip forward sysctl setting.
|
||||
|
||||
```yaml
|
||||
- hosts: localhost
|
||||
collections:
|
||||
- devsec.hardening
|
||||
roles:
|
||||
- devsec.hardening.os_hardening
|
||||
vars:
|
||||
sysctl_overwrite:
|
||||
# Enable IPv4 traffic forwarding.
|
||||
net.ipv4.ip_forward: 1
|
||||
```
|
||||
|
||||
### sysctl - vm.mmap_rnd_bits
|
||||
|
||||
We are setting this sysctl to a default of `32`, some systems only support smaller values and this will generate an error. Unfortunately we cannot determine the correct applicable maximum. If you encounter this error you have to override this sysctl in your playbook.
|
||||
|
||||
```yaml
|
||||
- hosts: localhost
|
||||
collections:
|
||||
- devsec.hardening
|
||||
roles:
|
||||
- devsec.hardening.os_hardening
|
||||
vars:
|
||||
sysctl_overwrite:
|
||||
vm.mmap_rnd_bits: 16
|
||||
```
|
||||
|
||||
### Testing with inspec
|
||||
|
||||
If you're using inspec to test your machines after applying this role, please make sure to add the connecting user to the `os_ignore_users`-variable.
|
||||
Otherwise inspec will fail. For more information, see [issue #124](https://github.com/dev-sec/ansible-os-hardening/issues/124).
|
||||
|
||||
We know that this is the case on Raspberry Pi.
|
||||
|
||||
## Variables
|
||||
|
||||
| Name | Default Value | Description |
|
||||
| -------------- | ------------- | -----------------------------------|
|
||||
| `os_desktop_enable`| false | true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc|
|
||||
| `os_env_extra_user_paths`| [] | add additional paths to the user's `PATH` variable (default is empty).|
|
||||
| `os_env_umask`| 027| set default permissions for new files to `750` |
|
||||
| `os_auth_pw_max_age`| 60 | maximum password age (set to `99999` to effectively disable it) |
|
||||
| `os_auth_pw_min_age`| 7 | minimum password age (before allowing any other password change)|
|
||||
| `os_auth_retries`| 5 | the maximum number of authentication attempts, before the account is locked for some time|
|
||||
| `os_auth_lockout_time`| 600 | time in seconds that needs to pass, if the account was locked due to too many failed authentication attempts|
|
||||
| `os_auth_timeout`| 60 | authentication timeout in seconds, so login will exit if this time passes|
|
||||
| `os_auth_allow_homeless`| false | true if to allow users without home to login|
|
||||
| `os_auth_pam_passwdqc_enable`| true | true if you want to use strong password checking in PAM using passwdqc|
|
||||
| `os_auth_pam_passwdqc_options`| "min=disabled,disabled,16,12,8" | set to any option line (as a string) that you want to pass to passwdqc|
|
||||
| `os_security_users_allow`| [] | list of things, that a user is allowed to do. May contain `change_user`.
|
||||
| `os_security_kernel_enable_module_loading`| true | true if you want to allowed to change kernel modules once the system is running (eg `modprobe`, `rmmod`)|
|
||||
| `os_security_kernel_enable_core_dump`| false | kernel is crashing or otherwise misbehaving and a kernel core dump is created |
|
||||
| `os_security_suid_sgid_enforce`| true | true if you want to reduce SUID/SGID bits. There is already a list of items which are searched for configured, but you can also add your own|
|
||||
| `os_security_suid_sgid_blacklist`| [] | a list of paths which should have their SUID/SGID bits removed|
|
||||
| `os_security_suid_sgid_whitelist`| [] | a list of paths which should not have their SUID/SGID bits altered|
|
||||
| `os_security_suid_sgid_remove_from_unknown`| false | true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.|
|
||||
| `os_security_packages_clean'`| true | removes packages with known issues. See section packages.|
|
||||
| `ufw_manage_defaults` | true | true means apply all settings with `ufw_` prefix|
|
||||
| `ufw_ipt_sysctl` | '' | by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example `/etc/ufw/sysctl.conf`
|
||||
| `ufw_default_input_policy` | DROP | set default input policy of ufw to `DROP` |
|
||||
| `ufw_default_output_policy` | ACCEPT | set default output policy of ufw to `ACCEPT` |
|
||||
| `ufw_default_forward_policy` | DROP| set default forward policy of ufw to `DROP` |
|
||||
- `os_desktop_enable`
|
||||
- Default: `false`
|
||||
- Description: true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc
|
||||
- `os_env_extra_user_paths`
|
||||
- Default: `[]`
|
||||
- Description: add additional paths to the user's `PATH` variable (default is empty).
|
||||
- `os_env_umask`
|
||||
- Default: `027`
|
||||
- Description: set default permissions for new files to `750`
|
||||
- `os_auth_pw_max_age`
|
||||
- Default: `60`
|
||||
- Description: maximum password age (set to `99999` to effectively disable it)
|
||||
- `os_auth_pw_min_age`
|
||||
- Default: `7`
|
||||
- Description: minimum password age (before allowing any other password change)
|
||||
- `os_auth_retries`
|
||||
- Default: `5`
|
||||
- Description: the maximum number of authentication attempts, before the account is locked for some time
|
||||
- `os_auth_lockout_time`
|
||||
- Default: `600`
|
||||
- Description: time in seconds that needs to pass, if the account was locked due to too many failed authentication attempts
|
||||
- `os_auth_timeout`
|
||||
- Default: `60`
|
||||
- Description: authentication timeout in seconds, so login will exit if this time passes
|
||||
- `os_auth_allow_homeless`
|
||||
- Default: `false`
|
||||
- Description: true if to allow users without home to login
|
||||
- `os_auth_pam_passwdqc_enable`
|
||||
- Default: `true`
|
||||
- Description: true if you want to use strong password checking in PAM using passwdqc
|
||||
- `os_auth_pam_passwdqc_options`
|
||||
- Default: `min=disabled,disabled,16,12,8`
|
||||
- Description: set to any option line (as a string) that you want to pass to passwdqc
|
||||
- `os_security_users_allow`
|
||||
- Default: `[]`
|
||||
- Description: list of things, that a user is allowed to do. May contain `change_user`.
|
||||
- `os_security_kernel_enable_module_loading`
|
||||
- Default: `true`
|
||||
- Description: true if you want to allowed to change kernel modules once the system is running (eg `modprobe`, `rmmod`)
|
||||
- `os_security_kernel_enable_core_dump`
|
||||
- Default: `false`
|
||||
- Description: kernel is crashing or otherwise misbehaving and a kernel core dump is created
|
||||
- `os_security_suid_sgid_enforce`
|
||||
- Default: `true`
|
||||
- Description: true if you want to reduce SUID/SGID bits. There is already a list of items which are searched for configured, but you can also add your own
|
||||
- `os_security_suid_sgid_blacklist`
|
||||
- Default: `[]`
|
||||
- Description: a list of paths which should have their SUID/SGID bits removed
|
||||
- `os_security_suid_sgid_whitelist`
|
||||
- Default: `[]`
|
||||
- Description: a list of paths which should not have their SUID/SGID bits altered
|
||||
- `os_security_suid_sgid_remove_from_unknown`
|
||||
- Default: `false`
|
||||
- Description: true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.
|
||||
- `os_security_packages_clean`
|
||||
- Default: `true`
|
||||
- Description: removes packages with known issues. See section packages.
|
||||
- `os_selinux_state`
|
||||
- Default: `enforcing`
|
||||
- Description: Set the SELinux state, can be either disabled, permissive, or enforcing.
|
||||
- `os_selinux_policy`
|
||||
- Default: `targeted`
|
||||
- Description: Set the SELinux polixy.
|
||||
- `ufw_manage_defaults`
|
||||
- Default: `true`
|
||||
- Description: true means apply all settings with `ufw_` prefix
|
||||
- `ufw_ipt_sysctl`
|
||||
- Default: `''`
|
||||
- Description: by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example `/etc/ufw/sysctl.conf`
|
||||
- `ufw_default_input_policy`
|
||||
- Default: `DROP`
|
||||
- Description: set default input policy of ufw to `DROP`
|
||||
- `ufw_default_output_policy`
|
||||
- Default: `ACCEPT`
|
||||
- Description: set default output policy of ufw to `ACCEPT`
|
||||
- `ufw_default_forward_policy`
|
||||
- Default: `DROP`
|
||||
- Description: set default forward policy of ufw to `DROP`
|
||||
- `os_auditd_enabled`
|
||||
- Default: `true`
|
||||
- Description: Set to false to disable installing and configuring auditd.
|
||||
- `os_auditd_max_log_file_action`
|
||||
- Default: `keep_logs`
|
||||
- Description: Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`.
|
||||
- `hidepid_option`
|
||||
- Default: `2`
|
||||
- Description: `0`: This is the default setting and gives you the default behaviour. `1`: With this option an normal user would not see other processes but their own about ps, top etc, but he is still able to see process IDs in /proc. `2`: Users are only able too see their own processes (like with hidepid=1), but also the other process IDs are hidden for them in /proc.
|
||||
- `proc_mnt_options`
|
||||
- Default: `rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}`
|
||||
- Description: Mount proc with hardenized options, including `hidepid` with variable value.
|
||||
|
||||
## Packages
|
||||
|
||||
We remove the following packages:
|
||||
|
||||
* xinetd ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.1)
|
||||
* inetd ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.1)
|
||||
* tftp-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.5)
|
||||
* ypserv ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.4)
|
||||
* telnet-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.2)
|
||||
* rsh-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.3)
|
||||
* prelink ([open-scap](https://static.open-scap.org/ssg-guides/ssg-sl7-guide-ospp-rhel7-server.html#xccdf_org.ssgproject.content_rule_disable_prelink))
|
||||
- xinetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1)
|
||||
- inetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1)
|
||||
- tftp-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.5)
|
||||
- ypserv ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.4)
|
||||
- telnet-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.2)
|
||||
- rsh-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.3)
|
||||
- prelink ([open-scap](https://static.open-scap.org/ssg-guides/ssg-sl7-guide-ospp-rhel7-server.html#xccdf_org.ssgproject.content_rule_disable_prelink))
|
||||
|
||||
## Disabled filesystems
|
||||
|
||||
We disable the following filesystems, because they're most likely not used:
|
||||
|
||||
* "cramfs"
|
||||
* "freevxfs"
|
||||
* "jffs2"
|
||||
* "hfs"
|
||||
* "hfsplus"
|
||||
* "squashfs"
|
||||
* "udf"
|
||||
* "vfat"
|
||||
- "cramfs"
|
||||
- "freevxfs"
|
||||
- "jffs2"
|
||||
- "hfs"
|
||||
- "hfsplus"
|
||||
- "squashfs"
|
||||
- "udf"
|
||||
- "vfat" # only if uefi is not in use
|
||||
|
||||
To prevent some of the filesystems from being disabled, add them to the `os_filesystem_whitelist` variable.
|
||||
|
||||
## Example Playbook
|
||||
|
||||
- hosts: localhost
|
||||
roles:
|
||||
- dev-sec.os-hardening
|
||||
|
||||
```yaml
|
||||
- hosts: localhost
|
||||
collections:
|
||||
- devsec.hardening
|
||||
roles:
|
||||
- devsec.hardening.os_hardening
|
||||
```
|
||||
|
||||
## Changing sysctl variables
|
||||
|
||||
If you want to override sysctl-variables, you can use the `sysctl_overwrite` variable (in older versions you had to override the whole `sysctl_dict`).
|
||||
+So for example if you want to change the IPv4 traffic forwarding variable to `1`, do it like this:
|
||||
So for example if you want to change the IPv4 traffic forwarding variable to `1`, do it like this:
|
||||
|
||||
```
|
||||
- hosts: localhost
|
||||
roles:
|
||||
- dev-sec.os-hardening
|
||||
vars:
|
||||
sysctl_overwrite:
|
||||
# Enable IPv4 traffic forwarding.
|
||||
net.ipv4.ip_forward: 1
|
||||
```yaml
|
||||
- hosts: localhost
|
||||
collections:
|
||||
- devsec.hardening
|
||||
roles:
|
||||
- devsec.hardening.os_hardening
|
||||
vars:
|
||||
sysctl_overwrite:
|
||||
# Enable IPv4 traffic forwarding.
|
||||
net.ipv4.ip_forward: 1
|
||||
```
|
||||
|
||||
Alternatively you can change Ansible's [hash-behaviour](https://docs.ansible.com/ansible/intro_configuration.html#hash-behaviour) to `merge`, then you only have to overwrite the single hash you need to. But please be aware that changing the hash-behaviour changes it for all your playbooks and is not recommended by Ansible.
|
||||
Alternatively you can change Ansible's [hash-behaviour](https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-hash-behaviour) to `merge`, then you only have to overwrite the single hash you need to. But please be aware that changing the hash-behaviour changes it for all your playbooks and is not recommended by Ansible.
|
||||
|
||||
## Local Testing
|
||||
## Improving Kernel Audit logging
|
||||
|
||||
The preferred way of locally testing the role is to use Docker. You will have to install Docker on your system. See [Get started](https://docs.docker.com/) for a Docker package suitable to for your system.
|
||||
By default, any process that starts before the `auditd` daemon will have an AUID of `4294967295`. To improve this and provide more accurate logging, it's recommended to add the kernel boot parameter `audit=1` to you configuration. Without doing this, you will find that your `auditd` logs fail to properly audit all processes.
|
||||
|
||||
You can also use vagrant and Virtualbox or VMWare to run tests locally. You will have to install Virtualbox and Vagrant on your system. See [Vagrant Downloads](http://downloads.vagrantup.com/) for a vagrant package suitable for your system. For all our tests we use `test-kitchen`. If you are not familiar with `test-kitchen` please have a look at [their guide](http://kitchen.ci/docs/getting-started).
|
||||
For more information, please see this [upstream documentation](https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html) and your system's boot loader documentation for how to configure additional kernel parameters.
|
||||
|
||||
Next install test-kitchen:
|
||||
|
||||
```bash
|
||||
# Install dependencies
|
||||
gem install bundler
|
||||
bundle install
|
||||
```
|
||||
|
||||
### Testing with Docker
|
||||
```
|
||||
# fast test on one machine
|
||||
bundle exec kitchen test default-ubuntu-1404
|
||||
|
||||
# test on all machines
|
||||
bundle exec kitchen test
|
||||
|
||||
# for development
|
||||
bundle exec kitchen create default-ubuntu-1404
|
||||
bundle exec kitchen converge default-ubuntu-1404
|
||||
```
|
||||
|
||||
### Testing with Virtualbox
|
||||
```
|
||||
# fast test on one machine
|
||||
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test default-ubuntu-1404
|
||||
|
||||
# test on all machines
|
||||
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test
|
||||
|
||||
# for development
|
||||
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen create default-ubuntu-1404
|
||||
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen converge default-ubuntu-1404
|
||||
```
|
||||
For more information see [test-kitchen](http://kitchen.ci/docs/getting-started)
|
||||
|
||||
## Contributors + Kudos
|
||||
|
||||
...
|
||||
## More information
|
||||
|
||||
This role is mostly based on guides by:
|
||||
|
||||
* [Arch Linux wiki, Sysctl hardening](https://wiki.archlinux.org/index.php/Sysctl)
|
||||
* [NSA: Guide to the Secure Configuration of Red Hat Enterprise Linux 5](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf)
|
||||
* [Ubuntu Security/Features](https://wiki.ubuntu.com/Security/Features)
|
||||
* [Deutsche Telekom, Group IT Security, Security Requirements (German)](https://www.telekom.com/psa)
|
||||
|
||||
Thanks to all of you!
|
||||
## Contributing
|
||||
|
||||
See [contributor guideline](CONTRIBUTING.md).
|
||||
|
||||
## License and Author
|
||||
|
||||
* Author:: Sebastian Gumprich
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
|
||||
|
||||
[1]: http://travis-ci.org/dev-sec/ansible-os-hardening
|
||||
[2]: https://gitter.im/dev-sec/general
|
||||
[3]: https://galaxy.ansible.com/dev-sec/os-hardening
|
||||
- [Arch Linux wiki, Sysctl hardening](https://wiki.archlinux.org/index.php/Sysctl)
|
||||
- [NSA: Guide to the Secure Configuration of Red Hat Enterprise Linux 5](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf)
|
||||
- [Ubuntu Security/Features](https://wiki.ubuntu.com/Security/Features)
|
||||
- [Deutsche Telekom, Group IT Security, Security Requirements (German)](https://www.telekom.com/psa)
|
||||
|
|
|
@ -1,14 +1,15 @@
|
|||
---
|
||||
os_desktop_enable: false
|
||||
os_env_extra_user_paths: []
|
||||
os_auth_pw_max_age: 60
|
||||
os_auth_pw_min_age: 7 # discourage password cycling
|
||||
os_auth_pw_min_age: 7 # discourage password cycling
|
||||
os_auth_retries: 5
|
||||
os_auth_lockout_time: 600 # 10min
|
||||
os_auth_lockout_time: 600 # 10min
|
||||
os_auth_timeout: 60
|
||||
os_auth_allow_homeless: false
|
||||
os_auth_pam_passwdqc_enable: true
|
||||
os_auth_pam_passwdqc_options: 'min=disabled,disabled,16,12,8' # used in RHEL6
|
||||
os_auth_pam_pwquality_options: 'try_first_pass retry=3 type=' # used in RHEL7
|
||||
os_auth_pam_passwdqc_options: 'min=disabled,disabled,16,12,8' # used in RHEL6
|
||||
os_auth_pam_pwquality_options: 'try_first_pass retry=3 type=' # used in RHEL7
|
||||
os_auth_root_ttys: [console, tty1, tty2, tty3, tty4, tty5, tty6]
|
||||
|
||||
os_chfn_restrict: ''
|
||||
|
@ -27,7 +28,7 @@ os_security_suid_sgid_remove_from_unknown: false
|
|||
|
||||
# remove packages with known issues
|
||||
os_security_packages_clean: true
|
||||
os_security_packages_list: ['xinetd','inetd','ypserv','telnet-server','rsh-server', 'prelink']
|
||||
os_security_packages_list: ['xinetd', 'inetd', 'ypserv', 'telnet-server', 'rsh-server', 'prelink']
|
||||
|
||||
# Allow interactive startup (rhel, centos)
|
||||
os_security_init_prompt: true
|
||||
|
@ -175,17 +176,6 @@ sysctl_config:
|
|||
|
||||
kernel.core_uses_pid: 1
|
||||
|
||||
# When an attacker is trying to exploit the local kernel, it is often
|
||||
# helpful to be able to examine where in memory the kernel, modules,
|
||||
# and data structures live. As such, kernel addresses should be treated
|
||||
# as sensitive information.
|
||||
#
|
||||
# Many files and interfaces contain these addresses (e.g. /proc/kallsyms,
|
||||
# /proc/modules, etc), and this setting can censor the addresses. A value
|
||||
# of "0" allows all users to see the kernel addresses. A value of "1"
|
||||
# limits visibility to the root user, and "2" blocks even the root user.
|
||||
kernel.kptr_restrict: 1
|
||||
|
||||
# The PTRACE system is used for debugging. With it, a single user process
|
||||
# can attach to any other dumpable process owned by the same user. In the
|
||||
# case of malicious software, it is possible to use PTRACE to access
|
||||
|
@ -226,9 +216,40 @@ sysctl_config:
|
|||
fs.protected_hardlinks: 1
|
||||
fs.protected_symlinks: 1
|
||||
|
||||
# These settings are set to the maximum supported value in order to
|
||||
# improve ASLR effectiveness for mmap, at the cost of increased
|
||||
# address-space fragmentation. | Tail-1
|
||||
vm.mmap_rnd_bits: 32
|
||||
vm.mmap_rnd_compat_bits: 16
|
||||
|
||||
# When an attacker is trying to exploit the local kernel, it is often
|
||||
# helpful to be able to examine where in memory the kernel, modules,
|
||||
# and data structures live. As such, kernel addresses should be treated
|
||||
# as sensitive information.
|
||||
#
|
||||
# Many files and interfaces contain these addresses (e.g. /proc/kallsyms,
|
||||
# /proc/modules, etc), and this setting can censor the addresses. A value
|
||||
# of "0" allows all users to see the kernel addresses. A value of "1"
|
||||
# limits visibility to the root user, and "2" blocks even the root user.
|
||||
#
|
||||
# Some off-the-shelf malware exploit kernel addresses exposed
|
||||
# via /proc/kallsyms so by not making these addresses easily available
|
||||
# we increase the cost of such attack some what; now such malware has
|
||||
# to check which kernel Tails is running and then fetch the corresponding
|
||||
# kernel address map from some external source. This is not hard,
|
||||
# but certainly not all malware has such functionality. | Tails-2
|
||||
kernel.kptr_restrict: 2
|
||||
|
||||
# kexec is dangerous: it enables replacement of the running kernel. | Tails-3
|
||||
kernel.kexec_load_disabled: 1
|
||||
|
||||
# Do not delete the following line or otherwise the playbook will fail
|
||||
# at task 'create a combined sysctl-dict if overwrites are defined'
|
||||
sysctl_overwrite:
|
||||
net.ipv4.ip_forward: 1
|
||||
net.bridge.bridge-nf-call-iptables: 1
|
||||
net.bridge.bridge-nf-call-ip6tables: 1
|
||||
net.bridge.bridge-nf-call-arptables: 1
|
||||
|
||||
# disable unused filesystems
|
||||
os_unused_filesystems:
|
||||
|
@ -240,6 +261,12 @@ os_unused_filesystems:
|
|||
- "squashfs"
|
||||
- "udf"
|
||||
- "vfat"
|
||||
# Obsolete network protocols that should be disabled
|
||||
# per CIS Oracle Linux 6 Benchmark (2016)
|
||||
- "tipc" # CIS 3.5.4
|
||||
- "sctp" # CIS 3.5.2
|
||||
- "dccp" # CIS 3.5.1
|
||||
- "rds" # CIS 3.5.3
|
||||
|
||||
# whitelist for used filesystems
|
||||
os_filesystem_whitelist: []
|
||||
|
@ -247,3 +274,15 @@ os_filesystem_whitelist: []
|
|||
# Set to false to turn the role into a no-op. Useful when using
|
||||
# the Ansible role dependency mechanism.
|
||||
os_hardening_enabled: true
|
||||
|
||||
# Set to false to disable installing and configuring auditd.
|
||||
os_auditd_enabled: false
|
||||
os_auditd_max_log_file_action: keep_logs
|
||||
|
||||
# Set the SELinux state, can be either disabled, permissive, or enforcing.
|
||||
os_selinux_state: disabled
|
||||
# Set the SELinux polixy.
|
||||
os_selinux_policy: targeted
|
||||
|
||||
hidepid_option: '2' # allowed values: 0, 1, 2
|
||||
proc_mnt_options: 'rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}'
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
- name: update-initramfs
|
||||
command: 'update-initramfs -u'
|
|
@ -1,25 +1,28 @@
|
|||
---
|
||||
galaxy_info:
|
||||
author: "Sebastian Gumprich"
|
||||
description: 'This Ansible role provides numerous security-related configurations, providing all-round base protection.'
|
||||
description: 'This Ansible role provides numerous security-related ssh configurations, providing all-round base protection.'
|
||||
company: Hardening Framework Team
|
||||
license: Apache License 2.0
|
||||
min_ansible_version: '2.5'
|
||||
platforms:
|
||||
- name: EL
|
||||
versions:
|
||||
- 6
|
||||
- 7
|
||||
- 8
|
||||
- name: Ubuntu
|
||||
versions:
|
||||
- precise
|
||||
- trusty
|
||||
- xenial
|
||||
- bionic
|
||||
- name: Debian
|
||||
versions:
|
||||
- wheezy
|
||||
- jessie
|
||||
- stretch
|
||||
- buster
|
||||
- name: Amazon
|
||||
- name: Fedora
|
||||
- name: Archlinux
|
||||
- name: SmartOS
|
||||
- name: openSUSE
|
||||
galaxy_tags:
|
||||
- system
|
||||
- security
|
||||
|
|
|
@ -1,51 +0,0 @@
|
|||
# [可选]操作系统安全加固 https://github.com/dev-sec/ansible-os-hardening
|
||||
- hosts:
|
||||
- kube_master
|
||||
- kube_node
|
||||
- etcd
|
||||
- ex_lb
|
||||
- chrony
|
||||
vars:
|
||||
os_security_users_allow: change_user
|
||||
os_auth_pam_passwdqc_enable: false
|
||||
os_security_suid_sgid_blacklist: ['/bin/umount']
|
||||
os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
|
||||
os_filesystem_whitelist: ['vfat']
|
||||
sysctl_config:
|
||||
net.ipv4.ip_forward: 1
|
||||
net.ipv6.conf.all.forwarding: 1
|
||||
net.ipv6.conf.all.accept_ra: 0
|
||||
net.ipv6.conf.default.accept_ra: 0
|
||||
net.ipv4.conf.all.rp_filter: 1
|
||||
net.ipv4.conf.default.rp_filter: 1
|
||||
net.ipv4.icmp_echo_ignore_broadcasts: 1
|
||||
net.ipv4.icmp_ignore_bogus_error_responses: 1
|
||||
net.ipv4.icmp_ratelimit: 100
|
||||
net.ipv4.icmp_ratemask: 88089
|
||||
net.ipv6.conf.all.disable_ipv6: 1
|
||||
net.ipv4.conf.all.arp_ignore: 1
|
||||
net.ipv4.conf.all.arp_announce: 2
|
||||
net.ipv4.conf.all.shared_media: 1
|
||||
net.ipv4.conf.default.shared_media: 1
|
||||
net.ipv4.conf.all.accept_source_route: 0
|
||||
net.ipv4.conf.default.accept_source_route: 0
|
||||
net.ipv4.conf.default.accept_redirects: 0
|
||||
net.ipv4.conf.all.accept_redirects: 0
|
||||
net.ipv4.conf.all.secure_redirects: 0
|
||||
net.ipv4.conf.default.secure_redirects: 0
|
||||
net.ipv6.conf.default.accept_redirects: 0
|
||||
net.ipv6.conf.all.accept_redirects: 0
|
||||
net.ipv4.conf.all.send_redirects: 0
|
||||
net.ipv4.conf.default.send_redirects: 0
|
||||
net.ipv4.conf.all.log_martians: 1
|
||||
net.ipv6.conf.default.router_solicitations: 0
|
||||
net.ipv6.conf.default.accept_ra_rtr_pref: 0
|
||||
net.ipv6.conf.default.accept_ra_pinfo: 0
|
||||
net.ipv6.conf.default.accept_ra_defrtr: 0
|
||||
net.ipv6.conf.default.autoconf: 0
|
||||
net.ipv6.conf.default.dad_transmits: 0
|
||||
net.ipv6.conf.default.max_addresses: 1
|
||||
roles:
|
||||
- os-harden
|
||||
#- { role: os-harden, when: "OS_HARDEN is defined and OS_HARDEN == 'yes'" }
|
||||
|
|
@ -1,8 +1,7 @@
|
|||
---
|
||||
- name: remove deprecated or insecure packages | package-01 - package-09
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
name: '{{ os_security_packages_list }}'
|
||||
state: 'absent'
|
||||
with_items:
|
||||
- '{{ os_security_packages_list }}'
|
||||
when: 'os_security_packages_clean'
|
||||
purge: 'yes'
|
||||
when: os_security_packages_clean | bool
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
---
|
||||
|
||||
- name: install auditd package | package-08
|
||||
package:
|
||||
name: '{{ auditd_package }}'
|
||||
|
|
|
@ -1,12 +0,0 @@
|
|||
- name: find directories for minimizing access
|
||||
find:
|
||||
paths: '{{ outer_item }}'
|
||||
recurse: yes
|
||||
register: minimize_access_directories
|
||||
|
||||
- name: minimize access on found files
|
||||
file:
|
||||
path: '{{ item.path }}'
|
||||
mode: 'go-w'
|
||||
state: file
|
||||
with_items: '{{ minimize_access_directories.files }}'
|
|
@ -1,20 +1,21 @@
|
|||
---
|
||||
- name: Set OS family dependent variables
|
||||
include_vars: '{{ ansible_os_family }}.yml'
|
||||
include_vars: '{{ ansible_facts.os_family }}.yml'
|
||||
tags: always
|
||||
|
||||
- name: Set OS dependent variables
|
||||
include_vars: '{{ item }}'
|
||||
with_first_found:
|
||||
- files:
|
||||
- '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml'
|
||||
- '{{ ansible_distribution }}.yml'
|
||||
- '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml'
|
||||
- '{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_major_version }}.yml'
|
||||
- '{{ ansible_facts.distribution }}.yml'
|
||||
- '{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml'
|
||||
skip: true
|
||||
tags: always
|
||||
|
||||
- import_tasks: auditd.yml
|
||||
tags: auditd
|
||||
when: os_auditd_enabled | bool
|
||||
|
||||
- import_tasks: limits.yml
|
||||
tags: limits
|
||||
|
@ -38,7 +39,7 @@
|
|||
tags: securetty
|
||||
|
||||
- import_tasks: suid_sgid.yml
|
||||
when: os_security_suid_sgid_enforce
|
||||
when: os_security_suid_sgid_enforce | bool
|
||||
tags: suid_sgid
|
||||
|
||||
- import_tasks: sysctl.yml
|
||||
|
@ -51,9 +52,13 @@
|
|||
tags: rhosts
|
||||
|
||||
- import_tasks: yum.yml
|
||||
when: ansible_os_family == 'RedHat'
|
||||
when: ansible_facts.os_family == 'RedHat'
|
||||
tags: yum
|
||||
|
||||
- import_tasks: apt.yml
|
||||
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
|
||||
when: ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||
tags: apt
|
||||
|
||||
- import_tasks: selinux.yml
|
||||
tags: selinux
|
||||
when: ansible_facts.selinux.status == 'enabled'
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
---
|
||||
|
||||
- block:
|
||||
- name: create limits.d-directory if it does not exist | sysctl-31a, sysctl-31b
|
||||
file:
|
||||
|
@ -9,14 +8,14 @@
|
|||
mode: '0755'
|
||||
state: 'directory'
|
||||
|
||||
- name: create aditional limits config file -> 10.hardcore.conf | sysctl-31a, sysctl-31b
|
||||
- name: create additional limits config file -> 10.hardcore.conf | sysctl-31a, sysctl-31b
|
||||
pam_limits:
|
||||
dest: '/etc/security/limits.d/10.hardcore.conf'
|
||||
domain: '*'
|
||||
limit_type: hard
|
||||
limit_item: core
|
||||
value: 0
|
||||
comment: Prevent core dumps for all users. These are usually only needed by developers and may contain sensitive information
|
||||
value: '0'
|
||||
comment: Prevent core dumps for all users. These are usually not needed and may contain sensitive information
|
||||
|
||||
- name: set 10.hardcore.conf perms to 0400 and root ownership
|
||||
file:
|
||||
|
@ -24,11 +23,14 @@
|
|||
owner: 'root'
|
||||
group: 'root'
|
||||
mode: '0440'
|
||||
state: touch
|
||||
modification_time: preserve
|
||||
access_time: preserve
|
||||
|
||||
when: 'not os_security_kernel_enable_core_dump'
|
||||
when: not os_security_kernel_enable_core_dump | bool
|
||||
|
||||
- name: remove 10.hardcore.conf config file
|
||||
file:
|
||||
path: /etc/security/limits.d/10.hardcore.conf
|
||||
state: absent
|
||||
when: 'os_security_kernel_enable_core_dump'
|
||||
when: os_security_kernel_enable_core_dump | bool
|
||||
|
|
|
@ -6,4 +6,3 @@
|
|||
owner: 'root'
|
||||
group: 'root'
|
||||
mode: '0444'
|
||||
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
---
|
||||
|
||||
- include_tasks: hardening.yml
|
||||
when: os_hardening_enabled
|
||||
- import_tasks: hardening.yml
|
||||
when: os_hardening_enabled | bool
|
||||
|
|
|
@ -1,16 +1,31 @@
|
|||
---
|
||||
# Using a two-pass approach for checking directories in order to support symlinks.
|
||||
- include_tasks: find_files.yml
|
||||
loop_control:
|
||||
loop_var: outer_item
|
||||
loop:
|
||||
# If the find-task throws an error on /usr/bin/X11 like "File system loop detected"
|
||||
# the other files inside /usr/bin (and all other directories) are
|
||||
# still getting found and the permissions minimized in the next task.
|
||||
# This is also the reason why there's ignore_errors: true on the task.
|
||||
# also see: https://github.com/dev-sec/ansible-os-hardening/issues/219
|
||||
- name: find files with write-permissions for group
|
||||
shell: "find -L {{ item }} -perm /go+w -type f" # noqa 305
|
||||
with_flattened:
|
||||
- '/usr/local/sbin'
|
||||
- '/usr/local/bin'
|
||||
- '/usr/sbin'
|
||||
- '/usr/bin'
|
||||
- '/sbin'
|
||||
- '/bin'
|
||||
- '{{ os_env_extra_user_paths }}'
|
||||
- "{{ os_env_extra_user_paths }}" # noqa 104
|
||||
register: minimize_access_directories
|
||||
ignore_errors: true
|
||||
changed_when: false
|
||||
|
||||
- name: minimize access on found files
|
||||
file:
|
||||
path: '{{ item.1 }}'
|
||||
mode: 'go-w'
|
||||
state: file
|
||||
with_subelements:
|
||||
- "{{ minimize_access_directories.results }}"
|
||||
- stdout_lines
|
||||
|
||||
- name: change shadow ownership to root and mode to 0600 | os-02
|
||||
file:
|
||||
|
@ -32,4 +47,12 @@
|
|||
owner: 'root'
|
||||
group: 'root'
|
||||
mode: '0750'
|
||||
when: os_security_users_allow != None
|
||||
when: '"change_user" not in os_security_users_allow'
|
||||
|
||||
- name: set option hidepid for proc filesystem
|
||||
mount:
|
||||
path: /proc
|
||||
src: proc
|
||||
fstype: proc
|
||||
opts: '{{ proc_mnt_options }}'
|
||||
state: present
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
- name: install modprobe to disable filesystems | os-10
|
||||
package:
|
||||
name: '{{modprobe_package}}'
|
||||
name: '{{ modprobe_package }}'
|
||||
state: 'present'
|
||||
|
||||
- name: check if efi is installed
|
||||
|
@ -12,7 +12,15 @@
|
|||
- name: remove vfat from fs-list if efi is used
|
||||
set_fact:
|
||||
os_unused_filesystems: "{{ os_unused_filesystems | difference('vfat') }}"
|
||||
when: efi_installed.stat.isdir is defined and efi_installed.stat.isdir
|
||||
when:
|
||||
- efi_installed.stat.isdir is defined
|
||||
- efi_installed.stat.isdir
|
||||
|
||||
- name: remove used filesystems from fs-list
|
||||
set_fact:
|
||||
os_unused_filesystems: "{{ os_unused_filesystems | difference(ansible_mounts | map(attribute='fstype') | list) }}"
|
||||
# we cannot do this on el6 and below, because these systems don't support the map function
|
||||
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
|
||||
|
||||
- name: disable unused filesystems | os-10
|
||||
template:
|
||||
|
@ -20,5 +28,4 @@
|
|||
dest: '/etc/modprobe.d/dev-sec.conf'
|
||||
owner: 'root'
|
||||
group: 'root'
|
||||
mode: '0640'
|
||||
|
||||
mode: '0644'
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
---
|
||||
- name: update pam on Debian systems
|
||||
command: 'pam-auth-update --package'
|
||||
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
|
||||
changed_when: False
|
||||
when: ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||
changed_when: false
|
||||
environment:
|
||||
DEBIAN_FRONTEND: noninteractive
|
||||
|
||||
|
@ -14,19 +14,25 @@
|
|||
package:
|
||||
name: '{{ os_packages_pam_ccreds }}'
|
||||
state: 'absent'
|
||||
when:
|
||||
- ansible_facts.os_family != 'Archlinux'
|
||||
|
||||
- name: remove pam_cracklib, because it does not play nice with passwdqc
|
||||
apt:
|
||||
name: '{{ os_packages_pam_cracklib }}'
|
||||
state: 'absent'
|
||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
|
||||
when:
|
||||
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||
- os_auth_pam_passwdqc_enable
|
||||
|
||||
- name: install the package for strong password checking
|
||||
apt:
|
||||
name: '{{ os_packages_pam_passwdqc }}'
|
||||
state: 'present'
|
||||
update_cache: 'yes'
|
||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
|
||||
when:
|
||||
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||
- os_auth_pam_passwdqc_enable
|
||||
|
||||
- name: configure passwdqc
|
||||
template:
|
||||
|
@ -35,19 +41,26 @@
|
|||
mode: '0644'
|
||||
owner: 'root'
|
||||
group: 'root'
|
||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
|
||||
when:
|
||||
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||
- os_auth_pam_passwdqc_enable
|
||||
|
||||
- name: remove passwdqc
|
||||
apt:
|
||||
name: '{{ os_packages_pam_passwdqc }}'
|
||||
state: 'absent'
|
||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable
|
||||
when:
|
||||
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||
- not os_auth_pam_passwdqc_enable
|
||||
|
||||
- name: install tally2
|
||||
apt:
|
||||
name: 'libpam-modules'
|
||||
state: 'present'
|
||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0
|
||||
when:
|
||||
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||
- not os_auth_pam_passwdqc_enable
|
||||
- os_auth_retries > 0
|
||||
|
||||
- name: configure tally2
|
||||
template:
|
||||
|
@ -56,31 +69,47 @@
|
|||
mode: '0644'
|
||||
owner: 'root'
|
||||
group: 'root'
|
||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0
|
||||
when:
|
||||
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||
- not os_auth_pam_passwdqc_enable
|
||||
- os_auth_retries > 0
|
||||
|
||||
- name: delete tally2 when retries is 0
|
||||
file:
|
||||
path: '{{ tally2_path }}'
|
||||
state: 'absent'
|
||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries == 0
|
||||
when:
|
||||
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||
- not os_auth_pam_passwdqc_enable
|
||||
- os_auth_retries == 0
|
||||
|
||||
- name: remove pam_cracklib, because it does not play nice with passwdqc
|
||||
yum:
|
||||
name: '{{ os_packages_pam_cracklib }}'
|
||||
state: 'absent'
|
||||
when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable
|
||||
when:
|
||||
- ansible_facts.os_family == 'RedHat'
|
||||
- ansible_facts.distribution_major_version|int is version('7', '<')
|
||||
- ansible_facts.distribution != 'Amazon'
|
||||
- os_auth_pam_passwdqc_enable
|
||||
|
||||
- name: install the package for strong password checking
|
||||
yum:
|
||||
name: '{{ os_packages_pam_passwdqc }}'
|
||||
state: 'present'
|
||||
when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable
|
||||
when:
|
||||
- ansible_facts.os_family == 'RedHat'
|
||||
- ansible_facts.distribution_major_version|int is version('7', '<')
|
||||
- ansible_facts.distribution != 'Amazon'
|
||||
- os_auth_pam_passwdqc_enable
|
||||
|
||||
- name: remove passwdqc
|
||||
yum:
|
||||
name: '{{ os_packages_pam_passwdqc }}'
|
||||
state: 'absent'
|
||||
when: ansible_os_family == 'RedHat' and not os_auth_pam_passwdqc_enable
|
||||
when:
|
||||
- ansible_facts.os_family == 'RedHat'
|
||||
- not os_auth_pam_passwdqc_enable
|
||||
|
||||
- name: configure passwdqc and tally via central system-auth confic
|
||||
template:
|
||||
|
@ -89,11 +118,23 @@
|
|||
mode: '0640'
|
||||
owner: 'root'
|
||||
group: 'root'
|
||||
when: ansible_facts.os_family == 'RedHat'
|
||||
|
||||
- name: Gather package facts
|
||||
package_facts:
|
||||
manager: auto
|
||||
when:
|
||||
- ansible_facts.os_family != 'Suse'
|
||||
- ansible_facts.os_family != 'Archlinux'
|
||||
|
||||
- name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
|
||||
template:
|
||||
src: 'etc/rhel_libuser.conf.j2'
|
||||
src: 'etc/libuser.conf.j2'
|
||||
dest: '/etc/libuser.conf'
|
||||
mode: '0640'
|
||||
owner: 'root'
|
||||
group: 'root'
|
||||
when:
|
||||
- ansible_facts.os_family != 'Suse'
|
||||
- ansible_facts.os_family != 'Archlinux'
|
||||
- "'libuser' in ansible_facts.packages"
|
||||
|
|
|
@ -6,10 +6,10 @@
|
|||
owner: 'root'
|
||||
group: 'root'
|
||||
mode: '0750'
|
||||
when: not os_security_kernel_enable_core_dump
|
||||
when: not os_security_kernel_enable_core_dump | bool
|
||||
|
||||
- name: remove pinerolo_profile.sh from profile.d
|
||||
file:
|
||||
path: /etc/profile.d/pinerolo_profile.sh
|
||||
state: absent
|
||||
when: os_security_kernel_enable_core_dump
|
||||
when: os_security_kernel_enable_core_dump | bool
|
||||
|
|
|
@ -1,15 +1,15 @@
|
|||
---
|
||||
- name: Get user accounts | os-09
|
||||
command: "awk -F: '{print $1}' /etc/passwd"
|
||||
changed_when: False
|
||||
check_mode: False
|
||||
register: users
|
||||
changed_when: false
|
||||
check_mode: false
|
||||
register: users_accounts
|
||||
|
||||
- name: delete rhosts-files from system | os-09
|
||||
file:
|
||||
dest: '~{{ item }}/.rhosts'
|
||||
state: 'absent'
|
||||
with_flattened: '{{ users.stdout_lines | default([]) }}'
|
||||
with_flattened: '{{ users_accounts.stdout_lines | default([]) }}'
|
||||
|
||||
- name: delete hosts.equiv from system | os-01
|
||||
file:
|
||||
|
@ -20,4 +20,4 @@
|
|||
file:
|
||||
dest: '~{{ item }}/.netrc'
|
||||
state: 'absent'
|
||||
with_flattened: '{{ users.stdout_lines | default([]) }}'
|
||||
with_flattened: '{{ users_accounts.stdout_lines | default([]) }}'
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
- name: configure selinux | selinux-01
|
||||
selinux:
|
||||
policy: "{{ os_selinux_policy }}"
|
||||
state: "{{ os_selinux_state }}"
|
|
@ -13,13 +13,13 @@
|
|||
- name: find binaries with suid/sgid set | os-06
|
||||
shell: find / -xdev \( -perm -4000 -o -perm -2000 \) -type f ! -path '/proc/*' -print 2>/dev/null
|
||||
register: sbit_binaries
|
||||
when: os_security_suid_sgid_remove_from_unknown
|
||||
changed_when: False
|
||||
when: os_security_suid_sgid_remove_from_unknown | bool
|
||||
changed_when: false
|
||||
|
||||
- name: gather files from which to remove suids/sgids and remove system white-listed files | os-06
|
||||
set_fact:
|
||||
suid: '{{ sbit_binaries.stdout_lines | difference(os_security_suid_sgid_system_whitelist) }}'
|
||||
when: os_security_suid_sgid_remove_from_unknown
|
||||
when: os_security_suid_sgid_remove_from_unknown | bool
|
||||
|
||||
- name: remove suid/sgid bit from all binaries except in system and user whitelist | os-06
|
||||
file:
|
||||
|
@ -29,4 +29,4 @@
|
|||
follow: 'yes'
|
||||
with_flattened:
|
||||
- '{{ suid | default([]) | difference(os_security_suid_sgid_whitelist) }}'
|
||||
when: os_security_suid_sgid_remove_from_unknown
|
||||
when: os_security_suid_sgid_remove_from_unknown | bool
|
||||
|
|
|
@ -5,6 +5,9 @@
|
|||
owner: 'root'
|
||||
group: 'root'
|
||||
mode: '0440'
|
||||
state: touch
|
||||
modification_time: preserve
|
||||
access_time: preserve
|
||||
|
||||
- name: set Daemon umask, do config for rhel-family | NSA 2.2.4.1
|
||||
template:
|
||||
|
@ -13,14 +16,16 @@
|
|||
owner: 'root'
|
||||
group: 'root'
|
||||
mode: '0544'
|
||||
when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS' or ansible_distribution == 'Amazon'
|
||||
when: ansible_facts.distribution in ['Amazon', 'CentOS', 'Fedora', 'RedHat']
|
||||
|
||||
- name: install initramfs-tools
|
||||
apt:
|
||||
name: 'initramfs-tools'
|
||||
state: 'present'
|
||||
update_cache: true
|
||||
when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading
|
||||
when:
|
||||
- ansible_facts.os_family == 'Debian'
|
||||
- os_security_kernel_enable_module_loading
|
||||
|
||||
- name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled
|
||||
template:
|
||||
|
@ -29,41 +34,49 @@
|
|||
owner: 'root'
|
||||
group: 'root'
|
||||
mode: '0440'
|
||||
when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading
|
||||
notify:
|
||||
- update-initramfs
|
||||
when:
|
||||
- ansible_facts.os_family == 'Debian'
|
||||
- os_security_kernel_enable_module_loading
|
||||
register: initramfs
|
||||
|
||||
- name: update-initramfs
|
||||
command: 'update-initramfs -u'
|
||||
when: initramfs.changed
|
||||
- name: change sysctls
|
||||
block:
|
||||
- name: create a combined sysctl-dict if overwrites are defined
|
||||
set_fact:
|
||||
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
|
||||
when: sysctl_overwrite | default()
|
||||
|
||||
- name: create a combined sysctl-dict if overwrites are defined
|
||||
set_fact:
|
||||
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
|
||||
when: sysctl_overwrite | default()
|
||||
- name: Change various sysctl-settings, look at the sysctl-vars file for documentation
|
||||
sysctl:
|
||||
name: '{{ item.key }}'
|
||||
value: '{{ item.value }}'
|
||||
sysctl_set: true
|
||||
state: present
|
||||
reload: true
|
||||
ignoreerrors: true
|
||||
with_dict: '{{ sysctl_config }}'
|
||||
|
||||
- name: Change various sysctl-settings, look at the sysctl-vars file for documentation
|
||||
sysctl:
|
||||
name: '{{ item.key }}'
|
||||
value: '{{ item.value }}'
|
||||
sysctl_set: yes
|
||||
state: present
|
||||
reload: yes
|
||||
ignoreerrors: yes
|
||||
with_dict: '{{ sysctl_config }}'
|
||||
- name: Change various sysctl-settings on rhel6-hosts or older, look at the sysctl-vars file for documentation
|
||||
sysctl:
|
||||
name: '{{ item.key }}'
|
||||
value: '{{ item.value }}'
|
||||
state: present
|
||||
reload: true
|
||||
ignoreerrors: true
|
||||
with_dict: '{{ sysctl_rhel_config }}'
|
||||
when: ((ansible_facts.distribution in ['CentOS', 'Fedora', 'RedHat']) and
|
||||
ansible_distribution_version|int is version('7', '<')) or ansible_facts.distribution == 'Amazon'
|
||||
|
||||
- name: Change various sysctl-settings on rhel6-hosts or older, look at the sysctl-vars file for documentation
|
||||
sysctl:
|
||||
name: '{{ item.key }}'
|
||||
value: '{{ item.value }}'
|
||||
state: present
|
||||
reload: yes
|
||||
ignoreerrors: yes
|
||||
with_dict: '{{ sysctl_rhel_config }}'
|
||||
when: ((ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS') and ansible_distribution_major_version < '7') or ansible_distribution == 'Amazon'
|
||||
when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz']
|
||||
|
||||
- name: Apply ufw defaults
|
||||
template:
|
||||
src: 'etc/default/ufw.j2'
|
||||
dest: '/etc/default/ufw'
|
||||
when: ufw_manage_defaults and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')
|
||||
mode: '0644'
|
||||
when:
|
||||
- ufw_manage_defaults
|
||||
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||
tags: ufw
|
||||
|
|
|
@ -4,42 +4,44 @@
|
|||
args:
|
||||
removes: /etc/login.defs
|
||||
register: uid_min
|
||||
check_mode: False
|
||||
changed_when: False
|
||||
check_mode: false
|
||||
changed_when: false
|
||||
|
||||
- name: calculate UID_MAX from UID_MIN by substracting 1
|
||||
set_fact:
|
||||
uid_max: '{{ uid_min.stdout | int - 1 }}'
|
||||
when: uid_min is defined
|
||||
when: uid_min.stdout|int > 0
|
||||
|
||||
- name: set UID_MAX on Debian-systems if no login.defs exist
|
||||
set_fact:
|
||||
uid_max: '999'
|
||||
when: ansible_os_family == 'Debian' and not uid_min
|
||||
when:
|
||||
- ansible_facts.os_family == 'Debian'
|
||||
- uid_max is not defined
|
||||
|
||||
- name: set UID_MAX on other systems if no login.defs exist
|
||||
set_fact:
|
||||
uid_max: '499'
|
||||
when: not uid_min
|
||||
when: uid_max is not defined
|
||||
|
||||
- name: get all system accounts
|
||||
command: awk -F'':'' '{ if ( $3 <= {{ uid_max|quote }} ) print $1}' /etc/passwd
|
||||
args:
|
||||
removes: /etc/passwd
|
||||
changed_when: False
|
||||
check_mode: False
|
||||
changed_when: false
|
||||
check_mode: false
|
||||
register: sys_accs
|
||||
|
||||
- name: remove always ignored system accounts from list
|
||||
set_fact:
|
||||
sys_accs_cond: '{{ sys_accs.stdout_lines | difference(os_always_ignore_users) }}'
|
||||
check_mode: False
|
||||
check_mode: false
|
||||
|
||||
- name: change system accounts not on the user provided ignore-list
|
||||
user:
|
||||
name: '{{ item }}'
|
||||
shell: '{{ os_nologin_shell_path }}'
|
||||
password: '*'
|
||||
createhome: False
|
||||
createhome: false
|
||||
with_flattened:
|
||||
- '{{ sys_accs_cond | default([]) | difference(os_ignore_users) | list }}'
|
||||
|
|
|
@ -3,45 +3,48 @@
|
|||
file:
|
||||
name: '/etc/yum.repos.d/{{ item }}.repo'
|
||||
state: 'absent'
|
||||
with_items:
|
||||
loop:
|
||||
- 'CentOS-Debuginfo'
|
||||
- 'CentOS-Media'
|
||||
- 'CentOS-Vault'
|
||||
when: os_security_packages_clean
|
||||
when: os_security_packages_clean | bool
|
||||
|
||||
- name: get yum-repository-files
|
||||
shell: 'find /etc/yum.repos.d/ -type f -name *.repo'
|
||||
changed_when: False
|
||||
find:
|
||||
paths: '/etc/yum.repos.d'
|
||||
patterns: '*.repo'
|
||||
register: yum_repos
|
||||
|
||||
- name: check if rhnplugin.conf exists
|
||||
stat:
|
||||
path: '/etc/yum/pluginconf.d/rhnplugin.conf'
|
||||
register: rhnplugin_file
|
||||
|
||||
# for the 'default([])' see here:
|
||||
# https://github.com/dev-sec/ansible-os-hardening/issues/99 and
|
||||
# https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause
|
||||
- name: activate gpg-check for yum-repos
|
||||
# for the 'default([])' see here:
|
||||
# https://github.com/dev-sec/ansible-os-hardening/issues/99 and
|
||||
# https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause
|
||||
- name: activate gpg-check for yum-repository-files
|
||||
replace:
|
||||
dest: '{{ item }}'
|
||||
regexp: '^\s*gpgcheck: 0'
|
||||
replace: 'gpgcheck: 1'
|
||||
with_flattened:
|
||||
path: '{{ item.path }}'
|
||||
regexp: '^\s*gpgcheck.*'
|
||||
replace: 'gpgcheck=1'
|
||||
mode: '0644'
|
||||
with_items:
|
||||
- '{{ yum_repos.files | default([]) }}'
|
||||
|
||||
# failed_when is needed because by default replace module will fail if the file doesn't exists.
|
||||
# status.rc is only defined if an error accrued and only error code (rc) 257 will be ignored.
|
||||
# All other errors will still be raised.
|
||||
- name: activate gpg-check for config files
|
||||
replace:
|
||||
path: '{{ item }}'
|
||||
regexp: '^\s*gpgcheck\W.*'
|
||||
replace: 'gpgcheck=1'
|
||||
mode: '0644'
|
||||
register: status
|
||||
failed_when: status.rc is defined and status.rc != 257
|
||||
loop:
|
||||
- '/etc/yum.conf'
|
||||
- '{{ yum_repos.stdout_lines| default([]) }}'
|
||||
|
||||
- name: activate gpg-check for yum rhn if it exists
|
||||
replace:
|
||||
dest: '/etc/yum/pluginconf.d/rhnplugin.conf'
|
||||
regexp: '^\s*gpgcheck: 0'
|
||||
replace: 'gpgcheck: 1'
|
||||
when: rhnplugin_file.stat.exists
|
||||
- '/etc/dnf/dnf.conf'
|
||||
- '/etc/yum/pluginconf.d/rhnplugin.conf'
|
||||
|
||||
- name: remove deprecated or insecure packages | package-01 - package-09
|
||||
yum:
|
||||
name: '{{ item }}'
|
||||
name: '{{ os_security_packages_list }}'
|
||||
state: 'absent'
|
||||
with_items:
|
||||
- '{{ os_security_packages_list }}'
|
||||
when: os_security_packages_clean
|
||||
when: os_security_packages_clean | bool
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
log_file = /var/log/audit/audit.log
|
||||
log_format = RAW
|
||||
log_group = root
|
||||
|
@ -10,7 +12,7 @@ dispatcher = /sbin/audispd
|
|||
name_format = NONE
|
||||
##name = mydomain
|
||||
max_log_file = 6
|
||||
max_log_file_action = keep_logs
|
||||
max_log_file_action = {{ os_auditd_max_log_file_action }}
|
||||
space_left = 75
|
||||
space_left_action = SYSLOG
|
||||
action_mail_acct = root
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
# {{ ansible_managed | comment }}
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
# /etc/default/ufw
|
||||
#
|
||||
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
# {{ ansible_managed | comment }}
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
# This file contains the names of kernel modules that should be loaded at boot time, one per line. Lines beginning with "#" are ignored.
|
||||
#
|
||||
# A list of all available kernel modules kann be found with `find /lib/modules/$(uname -r)/kernel/`
|
||||
|
@ -10,7 +11,7 @@
|
|||
#
|
||||
# Modules for certains builds, contains support modules and some CPU-specific optimizations.
|
||||
|
||||
{% if ansible_architecture == 'x86_64' %}
|
||||
{% if ansible_facts.architecture == 'x86_64' %}
|
||||
# Optimize for x86_64 cryptographic features
|
||||
twofish-x86_64-3way
|
||||
twofish-x86_64
|
||||
|
@ -19,7 +20,7 @@ salsa20-x86_64
|
|||
blowfish-x86_64
|
||||
{% endif %}
|
||||
|
||||
{% if 'amd' in ansible_processor %}
|
||||
{% if 'amd' in ansible_facts.processor %}
|
||||
# AMD-specific optimizations
|
||||
kvm-amd
|
||||
{% else %}
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# See libuser.conf(5) for more information.
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
# {{ ansible_managed | comment }}
|
||||
# See libuser.conf(5) for more information.
|
||||
|
||||
# Do not modify the default module list if you care about unattended calls
|
||||
# to programs (i.e., scripts) working!
|
|
@ -1,4 +1,5 @@
|
|||
# {{ ansible_managed | comment }}
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
# Configuration control definitions for the login package.
|
||||
#
|
||||
# Three items must be defined: `MAIL_DIR`, `ENV_SUPATH`, and `ENV_PATH`. If unspecified, some arbitrary (and possibly incorrect) value will be assumed. All other items are optional - if not specified then the described action or option will be inhibited.
|
||||
|
@ -7,6 +8,7 @@
|
|||
#
|
||||
#-- Modified for Linux. --marekm
|
||||
|
||||
{% if os_useradd_mail_dir is defined %}
|
||||
# *REQUIRED for useradd/userdel/usermod*
|
||||
#
|
||||
# Directory where mailboxes reside, _or_ name of file, relative to the home directory. If you _do_ define `MAIL_DIR` and `MAIL_FILE`, `MAIL_DIR` takes precedence.
|
||||
|
@ -19,136 +21,141 @@
|
|||
#
|
||||
# See default PAM configuration files provided for login, su, etc.
|
||||
# This is a temporary situation: setting these variables will soon move to `/etc/default/useradd` and the variables will then be no more supported
|
||||
MAIL_DIR /var/mail
|
||||
#MAIL_FILE .mail
|
||||
MAIL_DIR {{ os_useradd_mail_dir }}
|
||||
{% endif %}
|
||||
|
||||
{% if os_useradd_create_home is defined %}
|
||||
# If useradd should create home directories for users by default
|
||||
CREATE_HOME {{ 'yes' if os_useradd_create_home else 'no' }}
|
||||
|
||||
{% endif %}
|
||||
# Enable logging and display of `/var/log/faillog` login failure info. This option conflicts with the `pam_tally` PAM module.
|
||||
FAILLOG_ENAB yes
|
||||
FAILLOG_ENAB yes
|
||||
|
||||
# Enable display of unknown usernames when login failures are recorded.
|
||||
#
|
||||
# *WARNING*: Unknown usernames may become world readable. See #290803 and #298773 for details about how this could become a security concern
|
||||
LOG_UNKFAIL_ENAB no
|
||||
LOG_UNKFAIL_ENAB no
|
||||
|
||||
# Enable logging of successful logins
|
||||
LOG_OK_LOGINS yes
|
||||
LOG_OK_LOGINS yes
|
||||
|
||||
# Enable "syslog" logging of su activity - in addition to sulog file logging.
|
||||
SYSLOG_SU_ENAB yes
|
||||
SYSLOG_SU_ENAB yes
|
||||
|
||||
# Enable "syslog" logging of newgrp and sg.
|
||||
SYSLOG_SG_ENAB yes
|
||||
SYSLOG_SG_ENAB yes
|
||||
|
||||
# If defined, all su activity is logged to this file.
|
||||
#SULOG_FILE /var/log/sulog
|
||||
#SULOG_FILE /var/log/sulog
|
||||
|
||||
# If defined, file which maps tty line to `TERM` environment parameter. Each line of the file is in a format something like "vt100 tty01".
|
||||
#TTYTYPE_FILE /etc/ttytype
|
||||
#TTYTYPE_FILE /etc/ttytype
|
||||
|
||||
# If defined, login failures will be logged here in a utmp format last, when invoked as lastb, will read `/var/log/btmp`, so...
|
||||
FTMP_FILE /var/log/btmp
|
||||
FTMP_FILE /var/log/btmp
|
||||
|
||||
# If defined, the command name to display when running "su -". For # example, if this is defined as "su" then a "ps" will display the command is "-su". If not defined, then "ps" would display the name of the shell actually being run, e.g. something like "-sh".
|
||||
SU_NAME su
|
||||
SU_NAME su
|
||||
|
||||
# If defined, file which inhibits all the usual chatter during the login sequence. If a full pathname, then hushed mode will be enabled if the user's name or shell are found in the file. If not a full pathname, then hushed mode will be enabled if the file exists in the user's home directory.
|
||||
#HUSHLOGIN_FILE /etc/hushlogins
|
||||
HUSHLOGIN_FILE .hushlogin
|
||||
#HUSHLOGIN_FILE /etc/hushlogins
|
||||
HUSHLOGIN_FILE .hushlogin
|
||||
|
||||
# *REQUIRED*: The default PATH settings, for superuser and normal users. (they are minimal, add the rest in the shell startup files)
|
||||
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin{{ os_env_extra_user_paths| join (':') }}
|
||||
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:{{ os_env_extra_user_paths | join (':') }}
|
||||
|
||||
# Terminal permissions
|
||||
# --------------------
|
||||
|
||||
# Login tty will be assigned this group ownership.
|
||||
# If you have a "write" program which is "setgid" to a special group which owns the terminals, define `TTYGROUP` to the group number and `TTYPERM` to `0620`. Otherwise leave `TTYGROUP` commented out and assign `TTYPERM` to either `622` or `600`.
|
||||
TTYGROUP tty
|
||||
TTYGROUP tty
|
||||
|
||||
# Login tty will be set to this permission.
|
||||
# In Debian `/usr/bin/bsd-write` or similar programs are setgid tty. However, the default and recommended value for `TTYPERM` is still `0600` to not allow anyone to write to anyone else console or terminal
|
||||
# Users can still allow other people to write them by issuing the `mesg y` command.
|
||||
TTYPERM 0600
|
||||
TTYPERM 0600
|
||||
|
||||
# Login conf initializations
|
||||
# --------------------------
|
||||
|
||||
# Terminal ERASE character ('\010' = backspace). Only used on System V.
|
||||
ERASECHAR 0177
|
||||
ERASECHAR 0177
|
||||
|
||||
# Terminal KILL character ('\025' = CTRL/U). Only used on System V.
|
||||
KILLCHAR 025
|
||||
KILLCHAR 025
|
||||
|
||||
# The default umask value for `pam_umask` and is used by useradd and newusers to set the mode of the new home directories.
|
||||
# If `USERGROUPS_ENAB` is set to `yes`, that will modify this `UMASK` default value for private user groups, i. e. the uid is the same as gid, and username is the same as the primary group name: for these, the user permissions will be used as group permissions, e. g. `022` will become `002`.
|
||||
# Prefix these values with `0` to get octal, `0x` to get hexadecimal.
|
||||
# `022` is the "historical" value in Debian for UMASK
|
||||
# `027`, or even `077`, could be considered better for privacy.
|
||||
UMASK {{ os_env_umask }}
|
||||
UMASK {{ os_env_umask }}
|
||||
|
||||
# Enable setting of the umask group bits to be the same as owner bits (examples: `022` -> `002`, `077` -> `007`) for non-root users, if the uid is the same as gid, and username is the same as the primary group name.
|
||||
# If set to yes, userdel will remove the user´s group if it contains no more members, and useradd will create by default a group with the name of the user.
|
||||
USERGROUPS_ENAB yes
|
||||
USERGROUPS_ENAB yes
|
||||
|
||||
|
||||
# Password aging controls
|
||||
# -----------------------
|
||||
|
||||
# Maximum number of days a password may be used.
|
||||
PASS_MAX_DAYS {{ os_auth_pw_max_age }}
|
||||
PASS_MAX_DAYS {{ os_auth_pw_max_age }}
|
||||
|
||||
# Minimum number of days allowed between password changes.
|
||||
PASS_MIN_DAYS {{ os_auth_pw_min_age }}
|
||||
PASS_MIN_DAYS {{ os_auth_pw_min_age }}
|
||||
|
||||
# Number of days warning given before a password expires.
|
||||
PASS_WARN_AGE 7
|
||||
PASS_WARN_AGE 7
|
||||
|
||||
# Min/max values for automatic uid selection in useradd
|
||||
UID_MIN {{ os_auth_uid_min }}
|
||||
UID_MAX 60000
|
||||
UID_MIN {{ os_auth_uid_min }}
|
||||
UID_MAX 60000
|
||||
# System accounts
|
||||
SYS_UID_MIN {{ os_auth_sys_uid_min }}
|
||||
SYS_UID_MAX {{ os_auth_sys_uid_max }}
|
||||
SYS_UID_MIN {{ os_auth_sys_uid_min }}
|
||||
SYS_UID_MAX {{ os_auth_sys_uid_max }}
|
||||
|
||||
# Min/max values for automatic gid selection in groupadd
|
||||
GID_MIN {{ os_auth_gid_min }}
|
||||
GID_MAX 60000
|
||||
GID_MIN {{ os_auth_gid_min }}
|
||||
GID_MAX 60000
|
||||
# System accounts
|
||||
SYS_GID_MIN {{ os_auth_sys_gid_min }}
|
||||
SYS_GID_MAX {{ os_auth_sys_gid_max }}
|
||||
SYS_GID_MIN {{ os_auth_sys_gid_min }}
|
||||
SYS_GID_MAX {{ os_auth_sys_gid_max }}
|
||||
|
||||
# Max number of login retries if password is bad. This will most likely be overriden by PAM, since the default pam_unix module has it's own built in of 3 retries. However, this is a safe fallback in case you are using an authentication module that does not enforce PAM_MAXTRIES.
|
||||
LOGIN_RETRIES {{ os_auth_retries }}
|
||||
LOGIN_RETRIES {{ os_auth_retries }}
|
||||
|
||||
# Max time in seconds for login
|
||||
LOGIN_TIMEOUT {{ os_auth_timeout }}
|
||||
LOGIN_TIMEOUT {{ os_auth_timeout }}
|
||||
|
||||
# Which fields may be changed by regular users using chfn - use any combination of letters "frwh" (full name, room number, work phone, home phone). If not defined, no changes are allowed.
|
||||
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
|
||||
{% if os_chfn_restrict %}
|
||||
CHFN_RESTRICT {{ os_chfn_restrict }}
|
||||
CHFN_RESTRICT {{ os_chfn_restrict }}
|
||||
{% endif %}
|
||||
# Should login be allowed if we can't cd to the home directory?
|
||||
DEFAULT_HOME {{ 'yes' if os_auth_allow_homeless else 'no' }}
|
||||
DEFAULT_HOME {{ 'yes' if os_auth_allow_homeless else 'no' }}
|
||||
|
||||
# If defined, this command is run when removing a user.
|
||||
# It should remove any at/cron/print jobs etc. owned by
|
||||
# the user to be removed (passed as the first argument).
|
||||
#USERDEL_CMD /usr/sbin/userdel_local
|
||||
#USERDEL_CMD /usr/sbin/userdel_local
|
||||
|
||||
# Instead of the real user shell, the program specified by this parameter will be launched, although its visible name (`argv[0]`) will be the shell's. The program may do whatever it wants (logging, additional authentification, banner, ...) before running the actual shell.
|
||||
#FAKE_SHELL /bin/fakeshell
|
||||
#FAKE_SHELL /bin/fakeshell
|
||||
|
||||
# If defined, either full pathname of a file containing device names or a ":" delimited list of device names. Root logins will be allowed only upon these devices.
|
||||
# This variable is used by login and su.
|
||||
#CONSOLE /etc/consoles
|
||||
#CONSOLE console:tty01:tty02:tty03:tty04
|
||||
#CONSOLE /etc/consoles
|
||||
#CONSOLE console:tty01:tty02:tty03:tty04
|
||||
|
||||
# List of groups to add to the user's supplementary group set when logging in on the console (as determined by the `CONSOLE` setting). Default is none.
|
||||
# Use with caution - it is possible for users to gain permanent access to these groups, even when not logged in on the console. How to do it is left as an exercise for the reader...
|
||||
# This variable is used by login and su.
|
||||
#CONSOLE_GROUPS floppy:audio:cdrom
|
||||
#CONSOLE_GROUPS floppy:audio:cdrom
|
||||
|
||||
# If set to `MD5`, MD5-based algorithm will be used for encrypting password
|
||||
# If set to `SHA256`, SHA256-based algorithm will be used for encrypting password
|
||||
|
@ -158,15 +165,15 @@ DEFAULT_HOME {{ 'yes' if os_auth_allow_homeless else 'no' }}
|
|||
#
|
||||
# Note: It is recommended to use a value consistent with
|
||||
# the PAM modules configuration.
|
||||
MD5_CRYPT_ENAB no
|
||||
ENCRYPT_METHOD SHA512
|
||||
MD5_CRYPT_ENAB no
|
||||
ENCRYPT_METHOD SHA512
|
||||
|
||||
# Only used if `ENCRYPT_METHOD` is set to `SHA256` or `SHA512`: Define the number of SHA rounds.
|
||||
# With a lot of rounds, it is more difficult to brute forcing the password. But note also that it more CPU resources will be needed to authenticate users.
|
||||
# If not specified, the libc will choose the default number of rounds (5000). The values must be inside the 1000-999999999 range. If only one of the MIN or MAX values is set, then this value will be used.
|
||||
# If MIN > MAX, the highest value will be used.
|
||||
#SHA_CRYPT_MIN_ROUNDS 5000
|
||||
#SHA_CRYPT_MAX_ROUNDS 5000
|
||||
#SHA_CRYPT_MIN_ROUNDS 5000
|
||||
#SHA_CRYPT_MAX_ROUNDS 5000
|
||||
|
||||
|
||||
# Obsoleted by PAM
|
||||
|
@ -207,5 +214,3 @@ ENCRYPT_METHOD SHA512
|
|||
# This variable is deprecated. You should use ENCRYPT_METHOD.
|
||||
#
|
||||
#MD5_CRYPT_ENAB no
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# {{ ansible_managed | comment }}
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
#%PAM-1.0
|
||||
{% if os_auth_retries > 0 %}
|
||||
|
@ -18,7 +18,7 @@ account sufficient pam_succeed_if.so uid < 500 quiet
|
|||
account required pam_permit.so
|
||||
|
||||
{% if (os_auth_pam_passwdqc_enable|bool) %}
|
||||
{%- if ((ansible_os_family == 'RedHat' and ansible_distribution_version >= '7') or ansible_distribution == 'Amazon') %}
|
||||
{%- if ((ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_version|int is version('7', '>=')) or ansible_facts.distribution == 'Amazon') %}
|
||||
password required pam_pwquality.so {{ os_auth_pam_pwquality_options }}
|
||||
{%- else %}
|
||||
password requisite pam_passwdqc.so {{ os_auth_pam_passwdqc_options }}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# {{ ansible_managed | comment }}
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
# Disable core dumps via soft limits for all users. Compliance to this setting is voluntary and can be modified by users up to a hard limit. This setting is a sane default.
|
||||
ulimit -S -c 0 > /dev/null 2>&1
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
# {{ ansible_managed | comment }}
|
||||
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
# A list of TTYs, from which root can log in
|
||||
# see `man securetty` for reference
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# {{ ansible_managed | comment }}
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
# color => new RH6.0 bootup
|
||||
# verbose => old-style bootup
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
Name: passwdqc password strength enforcement
|
||||
Default: yes
|
||||
Priority: 1024
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
Name: tally2 lockout after failed attempts enforcement
|
||||
Default: yes
|
||||
Priority: 1024
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# system accounts that do not get their login disabled and pasword changed
|
||||
os_always_ignore_users: ['root','sync','shutdown','halt', 'ec2-user']
|
||||
os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt', 'ec2-user']
|
||||
|
||||
sysctl_rhel_config:
|
||||
# ExecShield protection against buffer overflows
|
||||
|
|
|
@ -0,0 +1,25 @@
|
|||
---
|
||||
|
||||
os_nologin_shell_path: '/sbin/nologin'
|
||||
|
||||
os_shadow_perms:
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0600'
|
||||
|
||||
os_passwd_perms:
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
|
||||
os_env_umask: '027'
|
||||
|
||||
os_auth_uid_min: 1000
|
||||
os_auth_gid_min: 1000
|
||||
os_auth_sys_uid_min: 500
|
||||
os_auth_sys_uid_max: 999
|
||||
os_auth_sys_gid_min: 500
|
||||
os_auth_sys_gid_max: 999
|
||||
|
||||
modprobe_package: 'kmod'
|
||||
auditd_package: 'audit'
|
|
@ -1,13 +1,10 @@
|
|||
---
|
||||
|
||||
os_packages_pam_ccreds: 'libpam-ccreds'
|
||||
os_packages_pam_passwdqc: 'libpam-passwdqc'
|
||||
os_packages_pam_cracklib: 'libpam-cracklib'
|
||||
passwdqc_path: '/usr/share/pam-configs/passwdqc'
|
||||
tally2_path: '/usr/share/pam-configs/tally2'
|
||||
os_nologin_shell_path: '/usr/sbin/nologin'
|
||||
|
||||
auditd_package: 'auditd'
|
||||
modprobe_package: 'kmod'
|
||||
|
||||
# Different distros use different standards for /etc/shadow perms, e.g.
|
||||
# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
|
||||
# You must provide key/value pairs for owner, group, and mode if overriding.
|
||||
|
@ -29,3 +26,12 @@ os_auth_sys_uid_min: 100
|
|||
os_auth_sys_uid_max: 999
|
||||
os_auth_sys_gid_min: 100
|
||||
os_auth_sys_gid_max: 999
|
||||
|
||||
# defaults for useradd
|
||||
os_useradd_mail_dir: /var/mail
|
||||
|
||||
modprobe_package: 'kmod'
|
||||
auditd_package: 'auditd'
|
||||
|
||||
tally2_path: '/usr/share/pam-configs/tally2'
|
||||
passwdqc_path: '/usr/share/pam-configs/passwdqc'
|
||||
|
|
|
@ -0,0 +1,31 @@
|
|||
---
|
||||
|
||||
os_packages_pam_ccreds: 'pam_ccreds'
|
||||
os_packages_pam_passwdqc: 'pam_passwdqc'
|
||||
os_packages_pam_cracklib: 'pam_cracklib'
|
||||
os_nologin_shell_path: '/sbin/nologin'
|
||||
|
||||
# Different distros use different standards for /etc/shadow perms, e.g.
|
||||
# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
|
||||
# You must provide key/value pairs for owner, group, and mode if overriding.
|
||||
os_shadow_perms:
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0000'
|
||||
|
||||
os_passwd_perms:
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
|
||||
os_env_umask: '027'
|
||||
|
||||
os_auth_uid_min: 1000
|
||||
os_auth_gid_min: 1000
|
||||
os_auth_sys_uid_min: 201
|
||||
os_auth_sys_uid_max: 999
|
||||
os_auth_sys_gid_min: 201
|
||||
os_auth_sys_gid_max: 999
|
||||
|
||||
modprobe_package: 'module-init-tools'
|
||||
auditd_package: 'audit'
|
|
@ -1,6 +1,8 @@
|
|||
os_packages_pam_ccreds: 'pam_ccreds'
|
||||
os_packages_pam_passwdqc: 'pam_passwdqc'
|
||||
os_packages_pam_cracklib: 'pam_cracklib'
|
||||
---
|
||||
|
||||
os_packages_pam_ccreds: 'pam_ccreds'
|
||||
os_packages_pam_passwdqc: 'pam_passwdqc'
|
||||
os_packages_pam_cracklib: 'pam_cracklib'
|
||||
os_nologin_shell_path: '/sbin/nologin'
|
||||
|
||||
# Different distros use different standards for /etc/shadow perms, e.g.
|
||||
|
|
|
@ -1,8 +1,5 @@
|
|||
---
|
||||
|
||||
modprobe_package: 'module-init-tools'
|
||||
auditd_package: 'audit'
|
||||
|
||||
os_packages_pam_ccreds: 'pam_ccreds'
|
||||
os_packages_pam_passwdqc: 'pam_passwdqc'
|
||||
os_packages_pam_cracklib: 'pam_cracklib'
|
||||
|
@ -29,3 +26,10 @@ os_auth_sys_uid_min: 201
|
|||
os_auth_sys_uid_max: 999
|
||||
os_auth_sys_gid_min: 201
|
||||
os_auth_sys_gid_max: 999
|
||||
|
||||
# defaults for useradd
|
||||
os_useradd_mail_dir: /var/spool/mail
|
||||
os_useradd_create_home: true
|
||||
|
||||
modprobe_package: 'module-init-tools'
|
||||
auditd_package: 'audit'
|
||||
|
|
|
@ -0,0 +1,34 @@
|
|||
---
|
||||
|
||||
os_packages_pam_ccreds: 'pam_ccreds'
|
||||
os_packages_pam_passwdqc: 'pam_passwdqc'
|
||||
os_packages_pam_cracklib: 'cracklib'
|
||||
os_nologin_shell_path: '/sbin/nologin'
|
||||
|
||||
# Different distros use different standards for /etc/shadow perms, e.g.
|
||||
# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
|
||||
# You must provide key/value pairs for owner, group, and mode if overriding.
|
||||
os_shadow_perms:
|
||||
owner: root
|
||||
group: shadow
|
||||
mode: '0640'
|
||||
|
||||
os_passwd_perms:
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
|
||||
os_env_umask: '027'
|
||||
|
||||
os_auth_uid_min: 1000
|
||||
os_auth_gid_min: 1000
|
||||
os_auth_sys_uid_min: 100
|
||||
os_auth_sys_uid_max: 499
|
||||
os_auth_sys_gid_min: 100
|
||||
os_auth_sys_gid_max: 499
|
||||
|
||||
# defaults for useradd
|
||||
os_useradd_create_home: false
|
||||
|
||||
modprobe_package: 'kmod-compat'
|
||||
auditd_package: 'audit'
|
|
@ -1,3 +1,4 @@
|
|||
---
|
||||
# SYSTEM CONFIGURATION
|
||||
# ====================
|
||||
# These are not meant to be modified by the user
|
||||
|
@ -43,6 +44,7 @@ os_security_suid_sgid_system_whitelist:
|
|||
- '/bin/mount'
|
||||
- '/bin/ping'
|
||||
- '/bin/su'
|
||||
- '/usr/bin/su'
|
||||
- '/bin/umount'
|
||||
- '/sbin/pam_timestamp_check'
|
||||
- '/sbin/unix_chkpwd'
|
||||
|
@ -107,4 +109,4 @@ os_security_suid_sgid_system_whitelist:
|
|||
- '/usr/lib/libvte-2.90-9/gnome-pty-helper' # gnome
|
||||
|
||||
# system accounts that do not get their login disabled and pasword changed
|
||||
os_always_ignore_users: ['root','sync','shutdown','halt']
|
||||
os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt']
|
||||
|
|
Loading…
Reference in New Issue