install modprobe package,
check for modprobe use apt and yum instead of package Revert "use apt and yum instead of package" This reverts commit 215a97b1867a7a8af5e0e64e9f77181d4c4a5050. use latest to install kmod run apt-get update
This commit is contained in:
parent
f1df3a3c48
commit
62d20e299f
6 changed files with 59 additions and 9 deletions
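--- a/README.md
+++ b/README.md
@@ -71,6 +71,19 @@ We remove the following packages:
 * rsh-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.3)
 * prelink ([open-scap](https://static.open-scap.org/ssg-guides/ssg-sl7-guide-ospp-rhel7-server.html#xccdf_org.ssgproject.content_rule_disable_prelink))
 
+## Disabled filesystems
+
+We disable the following filesystems, because they're most likely not used:
+
+* "cramfs"
+* "freevxfs"
+* "jffs2"
+* "hfs"
+* "hfsplus"
+* "squashfs"
+* "udf"
+* "vfat"
+
 ## Example Playbook
 
 - hosts: localhost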
@ -3,6 +3,10 @@
|
|||
hosts: localhost
|
||||
roles:
|
||||
- ansible-os-hardening
|
||||
pre_tasks:
|
||||
- name: Run the equivalent of "apt-get update" as a separate step
|
||||
apt:
|
||||
update_cache: yes
|
||||
vars:
|
||||
os_security_users_allow: change_user
|
||||
os_security_kernel_enable_core_dump: false
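Review bot: The `apt` pre_task added at the top of this play runs unconditionally, so if this wrapper is ever pointed at a non-Debian host (the squashed commit message mentions yum as well) the play would presumably fail before the role even starts; guarding it with `when: ansible_os_family == 'Debian'` keeps the cache refresh harmless elsewhere. `update_cache: yes` also uses the YAML 1.1 truthy spelling that yamllint flags; `update_cache: true` is the canonical boolean. The second hunk of this file adds the identical block to the kitchen wrapper play and would want the same two changes.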
|
||||
|
@ -54,6 +58,10 @@
|
|||
|
||||
- name: wrapper playbook for kitchen testing "ansible-os-hardening"
|
||||
hosts: localhost
|
||||
pre_tasks:
|
||||
- name: Run the equivalent of "apt-get update" as a separate step
|
||||
apt:
|
||||
update_cache: yes
|
||||
roles:
|
||||
- ansible-os-hardening
|
||||
|
||||
|
|
|
@ -188,3 +188,14 @@ sysctl_rhel_config:
|
|||
kernel.exec-shield: 1
|
||||
# Syncookies is used to prevent SYN-flooding attacks. | sysctl-11
|
||||
net.ipv4.tcp_syncookies: 1
|
||||
|
||||
# disable unused filesystems
|
||||
os_unused_filesystems:
|
||||
- "cramfs"
|
||||
- "freevxfs"
|
||||
- "jffs2"
|
||||
- "hfs"
|
||||
- "hfsplus"
|
||||
- "squashfs"
|
||||
- "udf"
|
||||
- "vfat"
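Review bot: The new default `os_unused_filesystems` list ships `vfat` and `squashfs` as "most likely not used", but both are in real use on common hosts — the EFI system partition is FAT, and snap-style packages and live images are squashfs — so applying the default unreviewed can leave a host unable to load a module it depends on after its next reboot. Since this is a default applied to every host, a comment above the list is the place to say so, e.g. `# Review before rolling out: vfat is required for EFI system partitions, squashfs for snap packages and live images.`. The `# disable unused filesystems` line could also name the mechanism (`# modules listed here get an "install <mod> /bin/true" line in /etc/modprobe.d`) so readers of defaults/main.yml know where the list ends up; I am inferring the file name from the surrounding `sysctl_rhel_config` keys.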
|
||||
|
|
|
@ -12,6 +12,9 @@
|
|||
- include: minimize_access.yml
|
||||
tags: minimize_acces
|
||||
|
||||
- include: modprobe.yml
|
||||
tags: modprobe
|
||||
|
||||
- include: pam.yml
|
||||
tags: pam
|
||||
|
||||
|
|
|
@ -1,3 +1,22 @@
|
|||
---
|
||||
|
||||
# modprobe
|
||||
- name: check if modprobe is already installed | os-10
|
||||
command: 'modprobe -V'
|
||||
register: modprobe_installed
|
||||
ignore_errors: True
|
||||
changed_when: False
|
||||
|
||||
- name: install modprobe to disable filesystems | os-10
|
||||
package:
|
||||
name: 'kmod'
|
||||
state: 'installed'
|
||||
when: modprobe_installed and modprobe_installed.rc != 0
|
||||
|
||||
- name: disable unused filesystems | os-10
|
||||
template:
|
||||
src: 'modprobe.j2'
|
||||
dest: '/etc/modprobe.d/dev-sec.conf'
|
||||
owner: 'root'
|
||||
group: 'root'
|
||||
mode: '0640'
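Review bot: The `install <mod> /bin/true` lines that the template task writes only stop modprobe from loading those modules from now on; a module that is already loaded (vfat on a machine whose EFI system partition is mounted, say) stays loaded and the task still reports success, so the control is only partial until a reboot or an explicit `modprobe -r`. That limitation deserves a comment above the task, e.g. `# Prevents future loading only; modules already loaded are not unloaded (needs a reboot or modprobe -r).`. In the install task, `state: 'installed'` is a legacy alias of `present` in the package module, and `ignore_errors: True` / `changed_when: False` are the non-canonical boolean spellings; `state: 'present'`, `ignore_errors: true` and `changed_when: false` are the conventional forms. The guard `modprobe_installed and modprobe_installed.rc != 0` depends on the command module reporting a non-zero `rc` when the binary is missing rather than erroring out without one, which is how the module behaves as far as I know, so it should do what the name says.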
|
||||
|
||||
|
|
|
@ -1,9 +1,5 @@
|
|||
install cramfs /bin/true
|
||||
install freevxfs /bin/true
|
||||
install jffs2 /bin/true
|
||||
install hfs /bin/true
|
||||
install hfsplus /bin/true
|
||||
install squashfs /bin/true
|
||||
install udf /bin/true
|
||||
install vfat /bin/true
|
||||
# {{ ansible_managed | comment }}
|
||||
|
||||
{% for fs in os_unused_filesystems %}
|
||||
install {{fs}} /bin/true
|
||||
{% endfor %}
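Review bot: `# {{ ansible_managed | comment }}` double-comments the header: the `comment` filter already wraps its input in `#` lines, so the rendered file begins with a stray `# #` line before the `# Ansible managed` text. Dropping the leading `# ` — `{{ ansible_managed | comment }}` on its own — gives the intended block. Each loop iteration also lands `{{fs}}` unquoted on a modprobe.d directive line, so the list feeding it must stay restricted to plain module names with no whitespace, which the defaults in this commit satisfy; `{{ fs }}` with inner spaces would match the Jinja spacing used on the header line. For what it is worth, newer CIS benchmarks write these entries as `install {{ fs }} /bin/false` so that an attempted load fails visibly instead of succeeding silently; both forms prevent the load.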
|
||||
|
|