mirror of
https://github.com/dev-sec/ansible-collection-hardening
synced 2024-11-10 09:14:18 +00:00
Update readme, todo, changelog, vars
* This commit updates the readme in several ways.
* It adds a todo-list and a changelog.
* It deletes unused variables
This commit is contained in: parent ac4754ff16, commit 5e1e2513c5
4 changed files with 29 additions and 28 deletions
CHANGELOG.md (new file, 9 changed lines)
@ -0,0 +1,9 @@
# Changelog
## 1.0.0
* Implement os-hardening to meet our [tests](https://github.com/hardening-io/tests-os-hardening)
* Enable GPG-checking on all yum-repository files [#5](https://github.com/hardening-io/ansible-os-hardening/pull/5)
* Disable system accounts [#6](https://github.com/hardening-io/ansible-os-hardening/issues/6)
* Module-loading configuration [#22](https://github.com/hardening-io/ansible-os-hardening/pull/22)
* Travis support [#17](https://github.com/hardening-io/ansible-os-hardening/pull/17)
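Review bot: the `## 1.0.0` heading carries no release date, and the list does not record the default change this same commit makes to `os_security_packages_clean` (the vars hunk further down switches it from `true` to `false`); add a date to the heading and an entry such as `* Default of os_security_packages_clean changed to false`, so users upgrading know the role no longer removes packages with known issues unless they opt in.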
README.md (30 changed lines)
@ -1,8 +1,7 @@
# os-hardening (Ansible Role)
[![Build Status](http://img.shields.io/travis/hardening-io/ansible-os-hardening.svg)][2]
[![Code Coverage](http://img.shields.io/coveralls/hardening-io/ansible-os-hardening.svg)][3]
[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][5]
[![Build Status](http://img.shields.io/travis/hardening-io/ansible-os-hardening.svg)][1]
[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][2]
## Description
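Review bot: the Build Status badge still loads over plain `http://img.shields.io/travis/hardening-io/ansible-os-hardening.svg` while the Gitter badge next to it uses `https://badges.gitter.im/...`; switch the shields.io URL to https so the README does not mix schemes and the image is not flagged as mixed content when the page is served over TLS. Dropping the Code Coverage badge is fine as long as its `[3]` reference is also removed from the link list at the bottom, which the last README hunk does.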
@ -31,13 +30,11 @@ It will not:
## Variables
### in main.yml
* `os_desktop_enable: false` - true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc
* `os_network_forwarding: false` - true if this system requires packet forwarding (eg Router), false otherwise
* `os_network_ipv6_enable: false`
* `os_network_arp_restricted: true` - true if you want the behavior of announcing and replying to ARP to be restricted, false otherwise
* `os_env_extra_user_paths: []` - add additional paths to the user's `PATH` variable (default is empty).
* `os_env_umask: "027"`
* `os_env_root_path: "/"` - where root is mounted
* `os_auth_pw_max_age: 60` - maximum password age
* `os_auth_pw_min_age: 7` - minimum password age (before allowing any other password change)
* `os_auth_retries: 5` - the maximum number of authentication attempts, before the account is locked for some time
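Review bot: `os_network_ipv6_enable: false` and `os_env_umask: "027"` are the only entries in this list with no description; add one each (umask 027 strips write from group and all access from other on newly created files, and say what false means for the IPv6 sysctl settings). `* os_auth_retries: 5` says the account is locked "for some time" without saying how long; state the lockout duration the role configures, because an attacker who deliberately fails logins can turn that lockout against named accounts, and operators need the number to judge that risk.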
@ -53,10 +50,14 @@ It will not:
* `os_security_suid_sgid_enforce: true` - true if you want to reduce SUID/SGID bits. There is already a list of items which are searched for configured, but you can also add your own
* `os_security_suid_sgid_blacklist: []` - a list of paths which should have their SUID/SGID bits removed
* `os_security_suid_sgid_whitelist: []` - a list of paths which should not have their SUID/SGID bits altered
* `os_security_suid_sgid_remove_from_unknown: false` - true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Chef run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.
* `os_security_suid_sgid_dry_run_on_unknown: false` - like `remove_from_unknown` above, only that SUID/SGID bits aren't removed.
It will still search the filesystems to look for SUID/SGID bits but it will only print them in your log. This option is only ever recommended, when you first configure `remove_from_unknown` for SUID/SGID bits, so that you can see the files that are being changed and make adjustments to your `whitelist` and `blacklist`.
* `os_security_packages_clean'] = true` - removes packages with known issues. See section packages.
* `os_security_suid_sgid_remove_from_unknown: false` - true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.
* `os_security_packages_clean': true` - removes packages with known issues. See section packages.
### in sysctl.yml
* `os_network_forwarding: false` - true if this system requires packet forwarding (eg Router), false otherwise
* `os_network_ipv6_enable: false`
* `os_network_arp_restricted: true` - true if you want the behavior of announcing and replying to ARP to be restricted, false otherwise
## Packages
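Review bot: the replacement line `* os_security_packages_clean': true` keeps the stray quote from the Chef-style `os_security_packages_clean'] = true` it replaces, and it documents the default as `true` while the vars hunk in this same commit sets `os_security_packages_clean: false`; write it as `os_security_packages_clean: false` (or keep the default at true) so the README and the defaults agree. The description of `os_security_suid_sgid_dry_run_on_unknown` is dropped here; if the tasks still honour that variable it should stay documented, since the removed text is what told users to dry-run before turning on `remove_from_unknown`. Minor: "every Ansible-run" should read "every Ansible run".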
@ -117,7 +118,7 @@ This role is mostly based on guides by:
* [Ubuntu Security/Features](https://wiki.ubuntu.com/Security/Features)
* [Deutsche Telekom, Group IT Security, Security Requirements (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si)
Thanks to all of you!!
Thanks to all of you!
## Contributing
See [contributor guideline](CONTRIBUTING.md).
@ -139,6 +140,5 @@ See the License for the specific language governing permissions and
limitations under the License.
[2]: http://travis-ci.org/hardening-io/ansible-os-hardening
[3]: https://coveralls.io/r/hardening-io/ansible-os-hardening
[5]: https://gitter.im/hardening-io
[1]: http://travis-ci.org/hardening-io/ansible-os-hardening
[2]: https://gitter.im/hardening-io
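Review bot: `[1]: http://travis-ci.org/hardening-io/ansible-os-hardening` is still plain http; use `https://travis-ci.org/...` as the link target so a reader clicking the badge is not sent over cleartext. The renumbering to `[1]` and `[2]` matches the badge hunk at the top of the file, and removing `[3]` together with the Code Coverage badge leaves no dangling reference.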
TODO.md (new file, 4 changed lines)
@ -0,0 +1,4 @@
# TODO
* [Adduser consistency](https://github.com/hardening-io/chef-os-hardening/pull/73)
* [add support for limiting password re-use](https://github.com/hardening-io/puppet-os-hardening/pull/61)
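Review bot: both TODO items point at pull requests in the sibling chef-os-hardening and puppet-os-hardening repositories rather than at an issue in this one; open a tracking issue here for each (adduser consistency, limiting password re-use) and link the external PRs from it, so the work stays visible in this repo's tracker after those PRs are merged or closed. Once password re-use limiting lands it belongs next to `os_auth_pw_min_age` in the README, since the "discourage password cycling" comment on the min-age default is only a partial substitute for a re-use history.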
Variables file ("vars" in the commit title; file name not shown on this page)
@ -1,14 +1,6 @@
# rhel, centos autoconf configuration
#os_authconfig_shadow_enable: true
#os_authconfig_md5_enable: true
os_desktop_enable: false
os_network_forwarding: false
os_network_ipv6_enable: false
os_network_arp_restricted: true
os_env_extra_user_paths: []
os_env_umask: '027'
os_env_root_path: '/'
os_auth_pw_max_age: 60
os_auth_pw_min_age: 7 # discourage password cycling
os_auth_retries: 5
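Review bot: the header `@ -1,14 +1,6 @@` means eight lines leave this file and none are added, and the README hunk in this commit moves `os_network_forwarding`, `os_network_ipv6_enable` and `os_network_arp_restricted` from "in main.yml" to "in sysctl.yml"; if those three are among the removals here, confirm they are defined in the sysctl defaults, otherwise the sysctl tasks fail on undefined variables at run time. The commented-out `#os_authconfig_shadow_enable: true` and `#os_authconfig_md5_enable: true` lines under `# rhel, centos autoconf configuration` are the only trace of that planned RHEL/CentOS handling; if it is still intended, move it to the new TODO.md rather than deleting it silently.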
@ -26,7 +18,6 @@ os_security_users_allow: []
# specify system accounts those login should not be disabled and password not changed
os_ignore_users: ['vagrant']
os_security_kernel_enable_module_loading: true
os_security_kernel_enable_sysrq: false
os_security_kernel_enable_core_dump: false
os_security_suid_sgid_enforce: true
# user-defined blacklist and whitelist
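Review bot: `os_ignore_users: ['vagrant']` is a shipped default, so the `vagrant` account is exempt from login disabling and password changes on every host the role touches, not only on Vagrant boxes; default it to `[]` and set `['vagrant']` in the test or Vagrant inventory instead, so a leftover vagrant account on a production host is not silently kept enabled. The comment above it also reads awkwardly; suggest `# system accounts whose login should not be disabled and whose password should not be changed`.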
@ -36,15 +27,12 @@ os_security_suid_sgid_whitelist: []
os_security_suid_sgid_remove_from_unknown: false
# remove packages with known issues
os_security_packages_clean: true
os_security_packages_clean: false
# SYSTEM CONFIGURATION
# ====================
# These are not meant to be modified by the user
# misc
os_security_kernel_secure_sysrq: 4 + 16 + 32 + 64 + 128
# suid and sgid blacklists and whitelists
# ---------------------------------------
# don't change values in the system_blacklist/whitelist
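Review bot: the context line `os_security_kernel_secure_sysrq: 4 + 16 + 32 + 64 + 128` is a YAML plain scalar, i.e. the string `4 + 16 + 32 + 64 + 128`, not the integer 244; unless the sysctl task evaluates it as a Jinja expression, `kernel.sysrq` is handed the literal text and the sysctl write fails. Write `os_security_kernel_secure_sysrq: 244` and keep the bit breakdown in a comment. On the change itself, flipping `os_security_packages_clean` from `true` to `false` turns package removal off for every user by default, which the commit message ("deletes unused variables") does not mention; say why in the commit message so the weaker default is a deliberate, reviewable choice.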