Merge pull request #138 from dev-sec/modprobe

add modprobe template, control os-10

README.md

@@ -71,6 +71,19 @@ We remove the following packages:
  * rsh-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.3)
  * prelink ([open-scap](https://static.open-scap.org/ssg-guides/ssg-sl7-guide-ospp-rhel7-server.html#xccdf_org.ssgproject.content_rule_disable_prelink))
 
+## Disabled filesystems
+
+We disable the following filesystems, because they're most likely not used:
+
+ * "cramfs"
+ * "freevxfs"
+ * "jffs2"
+ * "hfs"
+ * "hfsplus"
+ * "squashfs"
+ * "udf"
+ * "vfat"
+
 ## Example Playbook
 
     - hosts: localhost

default.yml

@@ -3,6 +3,11 @@
   hosts: localhost
   roles:
     - ansible-os-hardening
+  pre_tasks:
+    - name: Run the equivalent of "apt-get update" as a separate step
+      apt:
+        update_cache: yes
+      when: ansible_os_family == 'Debian'
   vars:
     os_security_users_allow: change_user
     os_security_kernel_enable_core_dump: false
@@ -54,6 +59,11 @@
 
 - name: wrapper playbook for kitchen testing "ansible-os-hardening"
   hosts: localhost
+  pre_tasks:
+    - name: Run the equivalent of "apt-get update" as a separate step
+      apt:
+        update_cache: yes
+      when: ansible_os_family == 'Debian'
   roles:
     - ansible-os-hardening
 

defaults/main.yml

@@ -182,3 +182,15 @@ sysctl_config:
 # Do not delete the following line or otherwise the playbook will fail
 # at task 'create a combined sysctl-dict if overwrites are defined'
 sysctl_overwrite:
+
+# disable unused filesystems
+os_unused_filesystems:
+  - "cramfs"
+  - "freevxfs"
+  - "jffs2"
+  - "hfs"
+  - "hfsplus"
+  - "squashfs"
+  - "udf"
+  - "vfat"
+

tasks/main.yml

@@ -22,6 +22,9 @@
 - include: minimize_access.yml
   tags: minimize_acces
 
+- include: modprobe.yml
+  tags: modprobe
+
 - include: pam.yml
   tags: pam
 

tasks/modprobe.yml

@@ -1,3 +1,14 @@
 ---
+- name: install modprobe to disable filesystems | os-10
+  package:
+    name: '{{modprobe_package}}'
+    state: 'installed'
+
+- name: disable unused filesystems | os-10
+  template:
+    src: 'modprobe.j2'
+    dest: '/etc/modprobe.d/dev-sec.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0640'
 
-# modprobe

templates/modprobe.j2

@@ -1,9 +1,5 @@
-install cramfs /bin/true
-install freevxfs /bin/true
-install jffs2 /bin/true
-install hfs /bin/true
-install hfsplus /bin/true
-install squashfs /bin/true
-install udf /bin/true
-install vfat /bin/true
+# {{ ansible_managed | comment }}
 
+{% for fs in os_unused_filesystems %}
+install {{fs}} /bin/true
+{% endfor %}

vars/Debian.yml

@@ -5,6 +5,8 @@ passwdqc_path: '/usr/share/pam-configs/passwdqc'
 tally2_path: '/usr/share/pam-configs/tally2'
 os_nologin_shell_path: '/usr/sbin/nologin'
 
+modprobe_package: 'kmod'
+
 # Different distros use different standards for /etc/shadow perms, e.g.
 # RHEL derivatives use root:root 0600, whereas Debian-based use root:shadow 0640.
 # You must provide key/value pairs for owner, group, and mode if overriding.

vars/RedHat-6.yml

@@ -1,4 +1,5 @@
 ---
+
 sysctl_rhel_config:
   # ExecShield protection against buffer overflows
   kernel.exec-shield: 1

vars/RedHat.yml

@@ -1,3 +1,7 @@
+---
+
+modprobe_package: 'module-init-tools'
+
 os_packages_pam_ccreds: 'pam_ccreds'
 os_packages_pam_passwdqc: 'pam_passwdqc'
 os_packages_pam_cracklib: 'pam_cracklib'