Mirrors/ansible-collection-hardening
2
0
Fork 0
mirror of https://github.com/dev-sec/ansible-collection-hardening synced 2024-11-10 09:14:18 +00:00
Code Issues Projects Releases Packages Wiki Activity

Separate the tasks into smaller files

Browse source
This commit is contained in:
Sebastian Gumprich 2015-05-26 19:45:30 +00:00
parent 01572d9041
commit 557109e35a
2 changed files with 10 additions and 267 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

277
roles/ansible-os-hardening/tasks/main.yml
View file

@ -2,270 +2,13 @@
- name: add the OS specific variables
include_vars: "{{ ansible_os_family }}.yml"
- name: create sane limits.conf
template: src='limits.conf.j2' dest='/etc/security/limits.d/10.hardcore.conf' owner=root group=root mode=0440
when: os_security_kernel_enable_core_dump
- name: create login.defs
template: src='login.defs.j2' dest='/etc/login.defs' owner=root group=root mode=0444
- name: create securetty
template: src='securetty.j2' dest='/etc/securetty' owner=root group=root mode=0400
- name: create profile.conf
template: src='profile.conf.j2' dest='/etc/profile.d/pinerolo_profile.sh' owner=root group=root mode=0750
when: not os_security_kernel_enable_core_dump
- name: minimize access
file: path='{{item}}' mode='go-w' recurse=yes
with_items:
- '/usr/local/sbin'
- '/usr/local/bin'
- '/usr/sbin'
- '/usr/bin'
- '/sbin'
- '/bin'
- '{{os_env_extra_user_paths}}'
- name: activate gpg-check for yum-repos in yum.conf
shell: "sed -i 's/gpgcheck=0/gpgcheck=1/g' /etc/yum.conf"
when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
- name: activate gpg-check for yum-repos in yum-repositories
shell: "sed -i 's/gpgcheck=0/gpgcheck=1/g' /etc/yum.repos.d/*.repo"
when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
#- name: remove suid/sgid bit from binaries in blacklist
# file: path='{{item}}' mode='a-s'
# ignore_errors: true
# with_items:
# - '{{ os_security_suid_sgid_system_blacklist }}'
#
#- name: find binaries with suid/sgid set
# shell: 'find / \( -perm -4000 -o -perm -2000 \) -type f -print 2>/dev/null | grep -v "No such file or directory"'
# register: sbit_binaries
#
#- debug: var=sbit_binaries.stdout_lines
#- debug: var={{os_security_suid_sgid_system_blacklist}}
#
#- name: remove suid/sgid bit from all binaries except in whitelist
# file: path='{{item}}' mode='a-s'
# with_items:
# - sbit_binaries.stdout_lines
- name: Get user accounts | DTAG SEC Req 3.21-4
command: "awk -F: '{print $1}' /etc/passwd"
register: users
- name: delete rhosts-files from system | DTAG SEC Req 3.21-4
file: dest='~{{ item }}/.rhosts' state=absent
with_items: users.stdout_lines
- name: delete hosts.equiv from system | DTAG SEC Req 3.21-4
file: dest='/etc/hosts.equiv' state=absent
- name: change shadow ownership to root and mode to 0600 | DTAG SEC Req 3.21-7
file: dest='/etc/shadow' owner=root group=root mode=0600
- name: change su-binary to only be accessible to user and group root
file: dest='/bin/su' owner=root group=root mode
when: security_users_allow|default(None) != None
- name: update pam on Debian systems
command: 'pam-auth-update --package'
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
- name: update pam on Redhat systems
command: 'authconfig --update'
when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
- name: remove pam ccreds on Debian systems
apt: name='{{os_packages_pam_ccreds}}' state=absent
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
- name: remove pam ccreds on Redhat systems
yum: name='{{os_packages_pam_ccreds}}' state=absent
when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
- name: remove pam_cracklib, because it does not play nice with passwdqc
apt: name='{{os_packages_pam_cracklib}}' state=absent
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
- name: install the package for strong password checking
apt: name='{{os_packages_pam_passwdqc}}' state='installed'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
- name: configure passwdqc
template: src='pam_passwdqd.j2' mode=0640 owner=root group=root dest='{{passwdqc_path}}'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
- name: remove passwdqc
apt: name='{{os_packages_pam_passwdqc}}' state='absent'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable
- name: install tally2
apt: name='libpam-modules' state=installed
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0
- name: configure tally2
template: src='pam_tally2.j2' dest='{{tally2_path}}' mode=0640 owner=root group=root
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0
- name: delete tally2 when retries is 0
file: path='{{tally2_path}}' state=absent
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries == 0
- name: update pam
command: 'pam-auth-update --package'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')
- name: remove pam_cracklib, because it does not play nice with passwdqc
yum: name='{{os_packages_pam_cracklib}}' state=absent
when: (ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux') and os_auth_pam_passwdqc_enable
- name: install the package for strong password checking
yum: name='{{os_packages_pam_passwdqc}}' state='installed'
when: (ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux') and os_auth_pam_passwdqc_enable
- name: remove passwdqc
yum: name='{{os_packages_pam_passwdqc}}' state='absent'
when: (ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux') and not os_auth_pam_passwdqc_enable
- name: configure passwdqc and tally via central system-auth confic
template: src='rhel_system_auth.j2' dest='/etc/pam.d/system-auth-ac' mode=0640 owner=root group=root
- name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
template: src='rhel_libuser.conf.j2' dest='/etc/libuser.conf' mode=0640 owner=root group=root
- name: Only enable IP traffic forwarding, if required.
sysctl: name='net.ipv4.ip_forward' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- name: Only enable IP traffic forwarding, if required.
sysctl: name='net.ipv4.ip_forward' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
when: os_network_forwarding
- name: Only enable IP traffic forwarding, if required.
sysctl: name='net.ipv6.conf.all.forwarding' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- name: Only enable IP traffic forwarding, if required.
sysctl: name='net.ipv6.conf.all.forwarding' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
when: os_network_forwarding and os_network_ipv6_enable
- name: Enable RFC-recommended source validation feature.
sysctl: name='net.ipv4.conf.all.rp_filter' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- name: Enable RFC-recommended source validation feature.
sysctl: name='net.ipv4.conf.default.rp_filter' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- name: Reduce the surface on SMURF attacks. Make sure to ignore ECHO broadcasts, which are only required in broad network analysis.
sysctl: name='net.ipv4.icmp_echo_ignore_broadcasts' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- name: There is no reason to accept bogus error responses from ICMP, so ignore them instead.
sysctl: name='net.ipv4.icmp_ignore_bogus_error_responses' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- name: Limit the amount of traffic the system uses for ICMP.
sysctl: name='net.ipv4.icmp_ratelimit' value=100 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- name: Adjust the ICMP ratelimit to include ping, dst unreachable, source quench, ime exceed, param problem, timestamp reply, information reply
sysctl: name='net.ipv4.icmp_ratemask' value=88089 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- name: Disable or Enable IPv6 as it is needed.
sysctl: name='net.ipv6.conf.all.disable_ipv6' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- name: Disable or Enable IPv6 as it is needed.
sysctl: name='net.ipv6.conf.all.disable_ipv6' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
when: os_network_ipv6_enable
- name: Protect against wrapping sequence numbers at gigabit speeds
sysctl: name='net.ipv4.tcp_timestamps' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- name: Define restriction level for announcing the local source IP
sysctl: name='net.ipv4.conf.all.arp_ignore' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- name: Define restriction level for announcing the local source IP
sysctl: name='net.ipv4.conf.all.arp_ignore' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
when: os_network_arp_restricted
- name: Define mode for sending replies in response to received ARP requests that resolve local target IP addresses
sysctl: name='net.ipv4.conf.all.arp_announce' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- name: Define mode for sending replies in response to received ARP requests that resolve local target IP addresses
sysctl: name='net.ipv4.conf.all.arp_announce' value=2 sysctl_set=yes state=present reload=yes ignoreerrors=yes
when: os_network_arp_restricted
- name: RFC 1337 fix F1
sysctl: name='net.ipv4.tcp_rfc1337' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- name: Syncookies is used to prevent SYN-flooding attacks.
sysctl: name='net.ipv4.tcp_syncookies' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv4.conf.all.shared_media' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv4.conf.default.shared_media' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- name: Accepting source route can lead to malicious networking behavior, so disable it if not needed.
sysctl: name='net.ipv4.conf.all.accept_source_route' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- name: Accepting source route can lead to malicious networking behavior, so disable it if not needed.
sysctl: name='net.ipv4.conf.default.accept_source_route' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
# Accepting redirects can lead to malicious networking behavior, so disable
# it if not needed.
- sysctl: name='net.ipv4.conf.default.accept_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv4.conf.all.accept_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv4.conf.all.secure_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv4.conf.default.secure_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv6.conf.default.accept_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv6.conf.all.accept_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
# For non-routers: don't send redirects, these settings are 0
- sysctl: name='net.ipv4.conf.all.send_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv4.conf.all.send_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- name: log martian packets
sysctl: name='net.ipv4.conf.all.log_martians' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
# ipv6 config
# NSA 2.5.3.2.5 Limit Network-Transmitted Configuration
- sysctl: name='net.ipv6.conf.default.router_solicitations' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv6.conf.default.accept_ra_rtr_pref' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv6.conf.default.accept_ra_pinfo' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv6.conf.default.accept_ra_defrtr' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv6.conf.default.autoconf' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv6.conf.default.dad_transmits' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv6.conf.default.max_addresses' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
# This settings controls how the kernel behaves towards module changes at
# runtime. Setting to 1 will disable module loading at runtime.
# Setting it to 0 is actually never supported.
- name: This settings controls how the kernel behaves towards module changes at runtime.
sysctl: name='kernel.modules_disabled' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
when: not os_security_kernel_enable_module_loading
# Magic Sysrq should be disabled, but can also be set to a safe value if so
# desired for physical machines. It can allow a safe reboot if the system hangs
# and is a 'cleaner' alternative to hitting the reset button.
# The following values are permitted:
#
# * **0** - disable sysrq
# * **1** - enable sysrq completely
# * **>1** - bitmask of enabled sysrq functions:
# * **2** - control of console logging level
# * **4** - control of keyboard (SAK, unraw)
# * **8** - debugging dumps of processes etc.
# * **16** - sync command
# * **32** - remount read-only
# * **64** - signalling of processes (term, kill, oom-kill)
# * **128** - reboot/poweroff
# * **256** - nicing of all RT tasks
- sysctl: name='kernel.sysrq' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='kernel.sysrq' value='{{ os_security_kernel_secure_sysrq }}' sysctl_set=yes state=present reload=yes ignoreerrors=yes
when: os_security_kernel_enable_sysrq
- name: Prevent core dumps with SUID. These are usually only needed by developers and may contain sensitive information.
sysctl: name='fs.suid_dumpable' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- name: # Prevent core dumps with SUID. These are usually only needed by developers and may contain sensitive information.
sysctl: name='fs.suid_dumpable' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
when: os_security_kernel_enable_core_dump
- include: limits.yml
- include: login_defs.yml
- include: minimize_access.yml
#- include: packages.yml
- include: pam.yml
- include: profile.yml
- include: securetty.yml
- include: suid_sgid.yml
- include: sysctl.yml
- include: yum.yml

0
roles/ansible-os-hardening/vars/Oracle
View file