mirror of
https://github.com/dev-sec/ansible-collection-hardening
synced 2024-11-13 02:17:06 +00:00
Merge pull request #85 from fitz123/ufw_manage_defaults
Ufw manage defaults
This commit is contained in:
Sebastian Gumprich
commit
80e2365687
4 changed files with 71 additions and 0 deletions
|
|
@ -51,6 +51,11 @@ It will not:
|
|||
* `os_security_suid_sgid_whitelist: []` - a list of paths which should not have their SUID/SGID bits altered
|
||||
* `os_security_suid_sgid_remove_from_unknown: false` - true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.
|
||||
* `os_security_packages_clean': true` - removes packages with known issues. See section packages.
|
||||
* `ufw_manage_defaults` - true means apply all settings with ufw_ prefix
|
||||
* `ufw_ipt_sysctl` - by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example: /etc/ufw/sysctl.conf.
|
||||
* `ufw_default_input_policy` - DROP
|
||||
* `ufw_default_output_policy` - ACCEPT
|
||||
* `ufw_default_forward_policy` - DROP
|
||||
|
||||
## Packages
|
||||
|
||||
|
|
|
|||
|
|
@ -40,6 +40,23 @@ os_security_init_prompt: true
|
|||
# Require root password for single user mode. (rhel, centos)
|
||||
os_security_init_single: false
|
||||
|
||||
# Apply ufw defaults
|
||||
ufw_manage_defaults: true
|
||||
|
||||
# Empty variable disables IPT_SYSCTL in /etc/default/ufw
|
||||
# by default in Ubuntu it set to: /etc/ufw/sysctl.conf
|
||||
# CAUTION
|
||||
# if you enable it - it'll overwrite /etc/sysctl.conf file, managed by hardening framework
|
||||
ufw_ipt_sysctl: ''
|
||||
|
||||
# Default ufw variables
|
||||
ufw_default_input_policy: 'DROP'
|
||||
ufw_default_output_policy: 'ACCEPT'
|
||||
ufw_default_forward_policy: 'DROP'
|
||||
ufw_default_application_policy: 'SKIP'
|
||||
ufw_manage_builtins: 'no'
|
||||
ufw_ipt_modules: 'nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns'
|
||||
|
||||
# CAUTION
|
||||
# If you want to overwrite sysctl-variables,
|
||||
# you have to overwrite the *whole* dict, or else only the single overwritten will be actually used.
|
||||
|
|
|
|||
|
|
@ -35,3 +35,8 @@
|
|||
ignoreerrors: yes
|
||||
with_dict: '{{ sysctl_rhel_config }}'
|
||||
when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS'
|
||||
|
||||
- name: Apply ufw defaults
|
||||
template: src="ufw.j2" dest=/etc/default/ufw
|
||||
when: ufw_manage_defaults and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')
|
||||
tags: ufw
|
||||
|
|
|
|||
44
templates/ufw.j2
Normal file
44
templates/ufw.j2
Normal file
|
|
@ -0,0 +1,44 @@
|
|||
# /etc/default/ufw
|
||||
#
|
||||
|
||||
# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
|
||||
# accepted). You will need to 'disable' and then 'enable' the firewall for
|
||||
# the changes to take affect.
|
||||
IPV6={{ 'no' if sysctl_config['net.ipv6.conf.all.disable_ipv6'] is defined and sysctl_config['net.ipv6.conf.all.disable_ipv6'] == 1 else 'yes' }}
|
||||
|
||||
# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
|
||||
# you change this you will most likely want to adjust your rules.
|
||||
DEFAULT_INPUT_POLICY="{{ ufw_default_input_policy }}"
|
||||
|
||||
# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
|
||||
# you change this you will most likely want to adjust your rules.
|
||||
DEFAULT_OUTPUT_POLICY="{{ ufw_default_output_policy }}"
|
||||
|
||||
# Set the default forward policy to ACCEPT, DROP or REJECT. Please note that
|
||||
# if you change this you will most likely want to adjust your rules
|
||||
DEFAULT_FORWARD_POLICY="{{ ufw_default_forward_policy }}"
|
||||
|
||||
# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
|
||||
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
|
||||
# details
|
||||
DEFAULT_APPLICATION_POLICY="{{ ufw_default_application_policy }}"
|
||||
|
||||
# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
|
||||
# manage the built-in chains too. Warning: setting this to 'yes' will break
|
||||
# non-ufw managed firewall rules
|
||||
MANAGE_BUILTINS="{{ ufw_manage_builtins }}"
|
||||
|
||||
#
|
||||
# IPT backend
|
||||
#
|
||||
# only enable if using iptables backend and want to overwrite /etc/sysctl.conf
|
||||
{% if ufw_ipt_sysctl == '' %}#{% endif %}IPT_SYSCTL={{ ufw_ipt_sysctl }}
|
||||
|
||||
# Extra connection tracking modules to load. Complete list can be found in
|
||||
# net/netfilter/Kconfig of your kernel source. Some common modules:
|
||||
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
|
||||
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
|
||||
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
|
||||
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
|
||||
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
|
||||
IPT_MODULES="{{ ufw_ipt_modules }}"
|
||||
Loading…
Reference in a new issue