Harden mountpoints (#531)

* first testing with tasks and variables Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com> * update variables for dir options Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com> * updated permissions and defaults Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com> * fix home dir permissions Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com> * updated tasks with useful variables Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com> * reorder tasks. first remount, then manage fstab and fix permissions on directories. Renaming task names with mountpoints (slashes) Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com> * shorten tasks with list items Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com> * change defaults for /boot directory, because its a bad behaviour, if ansible changes boot entries with a default value Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com> * Update documentation for new parameters to manage mountpoints Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com> * Update roles/os_hardening/tasks/minimize_access.yml Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com> Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com> * Update roles/os_hardening/tasks/minimize_access.yml Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com> Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com> * Fix state on every new task Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com> * loop instead of list Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com> * testing remount with register Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com> * add remounts with loop over all changed folders Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com> * testing and solving trouble with variable names Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com> * optimize default permissions for var-log-audit Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com> * optimize default permissions for var-log-audit Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com> * change to new optimizied permissions of var-log-audit Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com> * fix some defaults in fstab to configure as mounted Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com> * add stat and check, if boot folder exists Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com> Co-authored-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com> Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
2024-11-10 09:14:18 +00:00 · 2022-07-07 09:02:25 +02:00 · 2022-07-07 09:02:25 +02:00 · 488ff6a7c3
commit 488ff6a7c3
parent 0251172cd1
3 changed files with 369 additions and 0 deletions
--- a/roles/os_hardening/README.md
+++ b/roles/os_hardening/README.md
@ -286,6 +286,141 @@ We know that this is the case on Raspberry Pi.
 - `os_sha_crypt_max_rounds`
  - Default: `640000`
  - Description: Define the number of maximum SHA rounds. With a lot of rounds brute forcing the password is more difficult. But note also that it more CPU resources will be needed to authenticate users. The values must be inside the 1000-999999999 range.
+- `os_mnt_boot_dir_mode` 
+  - Default: `0700`
+  - Description: Set default perimissions for /boot
+- `os_mnt_boot_enabled` 
+  - Default: `false`
+  - Description: Set to true to configure /boot mountpoint
+- `os_mnt_boot_src` 
+  - Default: `''`
+  - Description: Set mount source for /boot
+- `os_mnt_boot_options` 
+  - Default: `rw,nosuid,nodev,noexec`
+  - Description: Configure mount options for /boot
+- `os_mnt_boot_filesystem` 
+  - Default: `ext4`
+  - Description: Configure file system for fstab entry /boot
+- `os_mnt_dev_dir_mode`
+  - Default: `0755`
+  - Description: Set default perimissions for /dev
+- `os_mnt_dev_enabled` 
+  - Default: `true`
+  - Description: Set to false to ignore /dev mountpoint
+- `os_mnt_dev_src` 
+  - Default: `devtmpfs`
+  - Description: Set mount source for /dev
+- `os_mnt_dev_options` 
+  - Default: `'rw,nosuid,noexec'`
+  - Description: Configure mount options for /dev
+- `os_mnt_dev_filesystem` 
+  - Default: `ext4`
+  - Description: Configure file system for fstab entry /dev
+- `os_mnt_dev_shm_dir_mode` 
+  - Default: `1777`
+  - Description: Set default perimissions for /dev/shm
+- `os_mnt_dev_shm_enabled` 
+  - Default: `true`
+  - Description: Set to false to ignore /dev/shm mountpoint
+- `os_mnt_dev_shm_src` 
+  - Default: `tmpfs`
+  - Description: Set mount source for /dev/shm
+- `os_mnt_dev_shm_options` 
+  - Default: `rw,nosuid,nodev,noexec`
+  - Description: Configure mount options for /dev/shm
+- `os_mnt_dev_shm_filesystem` 
+  - Default: `ext4`
+  - Description: Configure file system for fstab entry /dev/shm
+- `os_mnt_home_dir_mode` 
+  - Default: `0755`
+  - Description: Set default perimissions for /home
+- `os_mnt_home_enabled` 
+  - Default: `false`
+  - Description: Set to true to configure /home mountpoint
+- `os_mnt_home_src` 
+  - Default: `""`
+  - Description: Set mount source for /home
+- `os_mnt_home_options` 
+  - Default: `rw,nosuid,nodev`
+  - Description: Configure mount options for /home
+- `os_mnt_home_filesystem` 
+  - Default: `ext4`
+  - Description: Configure file system for fstab entry /home
+- `os_mnt_run_dir_mode` 
+  - Default: `0755`
+  - Description: Set default perimissions for /run
+- `os_mnt_run_enabled` 
+  - Default: `true`
+  - Description: Set to false to ignore /run mountpoint
+- `os_mnt_run_src` 
+  - Default: `tmpfs`
+  - Description: Set mount source for /run
+- `os_mnt_run_options` 
+  - Default: `rw,nosuid,nodev`
+  - Description: Configure mount options for /run
+- `os_mnt_run_filesystem` 
+  - Default: `ext4`
+  - Description: Configure file system for fstab entry /run
+- `os_mnt_var_dir_mode` 
+  - Default: `0755`
+  - Description: Set default perimissions for /var
+- `os_mnt_var_enabled` 
+  - Default: `false`
+  - Description: Set to true to configure /var mountpoint
+- `os_mnt_var_src` 
+  - Default: `""`
+  - Description: Set mount source for /var
+- `os_mnt_var_options` 
+  - Default: `rw,nosuid,nodev`
+  - Description: Configure mount options for /var
+- `os_mnt_var_filesystem` 
+  - Default: `ext4`
+  - Description: Configure file system for fstab entry /var
+- `os_mnt_var_log_dir_mode` 
+  - Default: `0755`
+  - Description: Set default perimissions for /var/log
+- `os_mnt_var_log_enabled` 
+  - Default: `false`
+  - Description: Set to true to configure /var/log mountpoint
+- `os_mnt_var_log_src` 
+  - Default: `""`
+  - Description: Set mount source for /var/log
+- `os_mnt_var_log_options` 
+  - Default: `rw,nosuid,nodev,noexec`
+  - Description: Configure mount options for /var/log
+- `os_mnt_var_log_filesystem` 
+  - Default: `ext4`
+  - Description: Configure file system for fstab entry /var/log
+- `os_mnt_var_log_audit_dir_mode` 
+  - Default: `0640`
+  - Description: Set default perimissions for /var/log/audit
+- `os_mnt_var_log_audit_enabled` 
+  - Default: `false`
+  - Description: Set to true to configure /var/log/audit mountpoint
+- `os_mnt_var_log_audit_src` 
+  - Default: `""`
+  - Description: Set mount source for /var/log/audit
+- `os_mnt_var_log_audit_options` 
+  - Default: `rw,nosuid,nodev,noexec`
+  - Description: Configure mount options for /var/log/audit
+- `os_mnt_var_log_audit_filesystem` 
+  - Default: `ext4`
+  - Description: Configure file system for fstab entry /var/log/audit
+- `os_mnt_var_tmp_dir_mode` 
+  - Default: `1777`
+  - Description: Set default perimissions for /var/tmp
+- `os_mnt_var_tmp_enabled` 
+  - Default: `false`
+  - Description: Set to true to configure /var/tmp mountpoint
+- `os_mnt_var_tmp_src` 
+  - Default: `""`
+  - Description: Set mount source for /var/tmp
+- `os_mnt_var_tmp_options` 
+  - Default: `rw,nosuid,nodev,noexec`
+  - Description: Configure mount options for /var/tmp
+- `os_mnt_var_tmp_filesystem` 
+  - Default: `ext4`
+  - Description: Configure file system for fstab entry /var/tmp

 ## Packages

--- a/roles/os_hardening/defaults/main.yml
+++ b/roles/os_hardening/defaults/main.yml
@ -385,3 +385,57 @@ os_selinux_enabled: true
 # The values must be inside the 1000-999999999 range.
 os_sha_crypt_min_rounds: "640000"
 os_sha_crypt_max_rounds: "640000"
+
+os_mnt_boot_dir_mode: '0700'
+os_mnt_boot_enabled: false
+os_mnt_boot_src: ""
+os_mnt_boot_options: 'rw,nosuid,nodev,noexec'
+os_mnt_boot_filesystem: 'ext4'
+
+os_mnt_dev_dir_mode: '0755'
+os_mnt_dev_enabled: true
+os_mnt_dev_src: "devtmpfs"
+os_mnt_dev_options: 'rw,nosuid,noexec'
+os_mnt_dev_filesystem: "devtmpfs"
+
+os_mnt_dev_shm_dir_mode: '1777'
+os_mnt_dev_shm_enabled: true
+os_mnt_dev_shm_src: "tmpfs"
+os_mnt_dev_shm_options: 'rw,nosuid,nodev,noexec'
+os_mnt_dev_shm_filesystem: "tmpfs"
+
+os_mnt_home_dir_mode: '0755'
+os_mnt_home_enabled: false
+os_mnt_home_src: ""
+os_mnt_home_options: 'rw,nosuid,nodev'
+os_mnt_home_filesystem: "ext4"
+
+os_mnt_run_dir_mode: '0755'
+os_mnt_run_enabled: true
+os_mnt_run_src: "tmpfs"
+os_mnt_run_options: 'rw,nosuid,nodev'
+os_mnt_run_filesystem: "tmpfs"
+
+os_mnt_var_dir_mode: '0755'
+os_mnt_var_enabled: false
+os_mnt_var_src: ""
+os_mnt_var_options: 'rw,nosuid,nodev'
+os_mnt_var_filesystem: "ext4"
+
+os_mnt_var_log_dir_mode: '0755'
+os_mnt_var_log_enabled: false
+os_mnt_var_log_src: ""
+os_mnt_var_log_options: 'rw,nosuid,nodev,noexec'
+os_mnt_var_log_filesystem: "ext4"
+
+os_mnt_var_log_audit_dir_mode: '0640'
+os_mnt_var_log_audit_enabled: false
+os_mnt_var_log_audit_src: ""
+os_mnt_var_log_audit_options: 'rw,nosuid,nodev,noexec'
+os_mnt_var_log_audit_filesystem: "ext4"
+
+os_mnt_var_tmp_dir_mode: '1777'
+os_mnt_var_tmp_enabled: false
+os_mnt_var_tmp_src: ""
+os_mnt_var_tmp_options: 'rw,nosuid,nodev,noexec'
+os_mnt_var_tmp_filesystem: "ext4"
--- a/roles/os_hardening/tasks/minimize_access.yml
+++ b/roles/os_hardening/tasks/minimize_access.yml
@ -80,3 +80,183 @@
    fstype: proc
    opts: '{{ proc_mnt_options }}'
    state: mounted
+
+- name: Check if boot exists
+  stat:
+    path: /boot
+  register: boot_exists
+
+- name: Mount /boot with hardened options
+  mount:
+    path: /boot
+    src: '{{ os_mnt_boot_src }}'
+    fstype: '{{ os_mnt_boot_filesystem }}'
+    opts: '{{ os_mnt_boot_options }}'
+    state: present
+  register: bootmount
+  when: 
+    - os_mnt_boot_enabled | bool
+    - boot_exists | bool
+
+- name: Harden permissions for /boot directory
+  file:
+    dest: /boot
+    owner: 'root'
+    group: 'root'
+    mode: '{{ os_mnt_boot_dir_mode }}'
+  when:  boot_exists | bool
+
+- name: Mount /dev with hardened options
+  mount:
+    path: /dev
+    src: '{{ os_mnt_dev_src }}'
+    fstype: '{{ os_mnt_dev_filesystem }}'
+    opts: '{{ os_mnt_dev_options }}'
+    state: present
+  register: devmount
+  when: os_mnt_dev_enabled | bool
+
+- name: Harden permissions for /dev directory
+  file:
+    dest: /dev
+    owner: 'root'
+    group: 'root'
+    mode: '{{ os_mnt_dev_dir_mode }}'
+
+- name: Mount /dev/shm with hardened options
+  mount:
+    path: /dev/shm
+    src: '{{ os_mnt_dev_shm_src }}'
+    fstype: '{{ os_mnt_dev_shm_filesystem }}'
+    opts: '{{ os_mnt_dev_shm_options }}'
+    state: present
+  register: devshmmount
+  when: os_mnt_dev_shm_enabled | bool
+
+- name: Harden permissions for /dev/shm directory
+  file:
+    dest: /dev/shm
+    owner: 'root'
+    group: 'root'
+    mode: '{{ os_mnt_dev_shm_dir_mode }}'
+
+- name: Mount /home with hardened options
+  mount:
+    path: /home
+    src: '{{ os_mnt_home_src }}'
+    fstype: '{{ os_mnt_home_filesystem }}'
+    opts: '{{ os_mnt_home_options }}'
+    state: present
+  register: homemount
+  when: os_mnt_home_enabled | bool
+
+- name: Harden permissions for /home directory
+  file:
+    dest: /home
+    owner: 'root'
+    group: 'root'
+    mode: '{{ os_mnt_home_dir_mode }}'
+
+- name: Mount /run with hardened options
+  mount:
+    path: /run
+    src: '{{ os_mnt_run_src }}'
+    fstype: '{{ os_mnt_run_filesystem }}'
+    opts: '{{ os_mnt_run_options }}'
+    state: present
+  register: runmount
+  when: os_mnt_run_enabled | bool
+
+- name: Harden permissions for /run directory
+  file:
+    dest: /run
+    owner: 'root'
+    group: 'root'
+    mode: '{{ os_mnt_run_dir_mode }}'
+
+- name: Mount /var with hardened options
+  mount:
+    path: /var
+    src: '{{ os_mnt_var_src }}'
+    fstype: '{{ os_mnt_var_filesystem }}'
+    opts: '{{ os_mnt_var_options }}'
+    state: present
+  register: varmount
+  when: os_mnt_var_enabled | bool
+
+- name: Harden permissions for /var directory
+  file:
+    dest: /var
+    owner: 'root'
+    group: 'root'
+    mode: '{{ os_mnt_var_dir_mode }}'
+
+- name: Mount /var/log with hardened options
+  mount:
+    path: /var/log
+    src: '{{ os_mnt_var_log_src }}'
+    fstype: '{{ os_mnt_var_log_filesystem }}'
+    opts: '{{ os_mnt_var_log_options }}'
+    state: present
+  register: varlogmount
+  when: os_mnt_var_log_enabled | bool
+
+- name: Harden permissions for /var/log directory
+  file:
+    dest: /var/log
+    owner: 'root'
+    group: 'root'
+    mode: '{{ os_mnt_var_log_dir_mode }}'
+
+- name: Mount /var/log/audit with hardened options
+  mount:
+    path: /var/log/audit
+    src: '{{ os_mnt_var_log_audit_src }}'
+    fstype: '{{ os_mnt_var_log_audit_filesystem }}'
+    opts: '{{ os_mnt_var_log_audit_options }}'
+    state: present
+  register: varlogauditmount
+  when: os_mnt_var_log_audit_enabled | bool
+
+- name: Harden permissions for /var/log/audit directory
+  file:
+    dest: /var/log/audit
+    owner: 'root'
+    group: 'root'
+    mode: '{{ os_mnt_var_log_audit_dir_mode }}'
+
+- name: Mount /var/tmp with hardened options
+  mount:
+    path: /var/tmp
+    src: '{{ os_mnt_var_tmp_src }}'
+    fstype: '{{ os_mnt_var_tmp_filesystem }}'
+    opts: '{{ os_mnt_var_tmp_options }}'
+    state: present
+  register: vartmpmount
+  when: os_mnt_var_tmp_enabled | bool
+
+- name: Harden permissions for /var/tmp directory
+  file:
+    dest: /var/tmp
+    owner: 'root'
+    group: 'root'
+    mode: '{{ os_mnt_var_tmp_dir_mode }}'
+
+- name: remount all changed mountpoints
+  mount:
+    path: "{{ item.path }}"
+    src: "{{ item.src }}"
+    fstype: "{{ item.fstype }}"
+    opts: "{{ item.opts }}"
+    state: remounted
+  when: item.when | bool
+  loop:
+    - { path: '/boot', src: '{{ os_mnt_boot_src }}', fstype: '{{ os_mnt_boot_filesystem }}', opts: '{{ os_mnt_boot_options }}', when: "{{ bootmount.changed }}" }
+    - { path: '/dev', src: '{{ os_mnt_dev_src }}', fstype: '{{ os_mnt_dev_filesystem }}', opts: '{{ os_mnt_dev_options }}', when: "{{ devmount.changed }}" }
+    - { path: '/dev/shm', src: '{{ os_mnt_dev_shm_src }}', fstype: '{{ os_mnt_dev_shm_filesystem }}', opts: '{{ os_mnt_dev_shm_options }}', when: "{{ devshmmount.changed }}" }
+    - { path: '/home', src: '{{ os_mnt_home_src }}', fstype: '{{ os_mnt_home_filesystem }}', opts: '{{ os_mnt_home_options }}', when: "{{ homemount.changed }}" }
+    - { path: '/run', src: '{{ os_mnt_run_src }}', fstype: '{{ os_mnt_run_filesystem }}', opts: '{{ os_mnt_run_options }}', when: "{{ runmount.changed }}" }
+    - { path: '/var', src: '{{ os_mnt_var_src }}', fstype: '{{ os_mnt_var_filesystem }}', opts: '{{ os_mnt_var_options }}', when: "{{ varmount.changed }}" }
+    - { path: '/var/log', src: '{{ os_mnt_var_log_src }}', fstype: '{{ os_mnt_var_log_filesystem }}', opts: '{{ os_mnt_var_log_options }}', when: "{{ varlogmount.changed }}" }
+    - { path: '/var/log/audit', src: '{{ os_mnt_var_log_audit_src }}', fstype: '{{ os_mnt_var_log_audit_filesystem }}', opts: '{{ os_mnt_var_log_audit_options }}', when: "{{ varlogauditmount.changed }}" }
+    - { path: '/var/tmp', src: '{{ os_mnt_var_tmp_src }}', fstype: '{{ os_mnt_var_tmp_filesystem }}', opts: '{{ os_mnt_var_tmp_options }}', when: "{{ vartmpmount.changed }}" }