adopt all current suggestions from ansible-lint (#592)

This commit is contained in:
schurzi 2022-10-24 09:42:23 +02:00 committed by GitHub
parent 53be805099
commit a1b80fe657
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 86 additions and 62 deletions


@ -11,6 +11,7 @@ exclude_paths:
skip_list:
- fqcn-builtins
- name[template]
mock_roles:
- geerlingguy.git


@ -59,12 +59,14 @@
- mysql_version.version.full is version('8.0.3', '>=')
- mysql_distribution == "mysql"
- include: configure.yml
- name: Include tasks for configuration
import_tasks: configure.yml
when: mysql_hardening_enabled | bool
tags:
- mysql_hardening
- include: mysql_secure_installation.yml
- name: Include tasks to secure mysql installation
import_tasks: mysql_secure_installation.yml
when: mysql_hardening_enabled | bool
tags:
- mysql_hardening


@ -4,7 +4,7 @@
msg: 'ERROR - you have to change default mysql_root_password'
when: mysql_root_password == '-----====>SetR00tPa$$wordH3r3!!!<====-----'
- name: ensure that the root password is present
- name: Ensure that the root password is present
community.mysql.mysql_user:
name: 'root'
host_all: true
@ -19,14 +19,14 @@
mode: '0400'
tags: my_cnf
- name: ensure that the test database is absent
- name: Ensure that the test database is absent
community.mysql.mysql_db:
name: test
state: absent
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
when: mysql_remove_test_database
- name: ensure that anonymous users are absent
- name: Ensure that anonymous users are absent
community.mysql.mysql_user:
name: ''
state: absent
@ -34,7 +34,7 @@
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
when: mysql_remove_anonymous_users
- name: ensure that root can only login from localhost
- name: Ensure that root can only login from localhost
community.mysql.mysql_query:
query:
- DELETE
@ -46,7 +46,7 @@
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
when: mysql_remove_remote_root
- name: get all users that have no authentication_string on MySQL version >= 5.7.6 or Mariadb version >= 10.4.0
- name: Get all users that have no authentication_string on MySQL version >= 5.7.6 or Mariadb version >= 10.4.0
community.mysql.mysql_query:
query:
- SELECT GROUP_CONCAT(QUOTE(USER), '@', QUOTE(HOST) SEPARATOR ', ') AS users
@ -62,7 +62,7 @@
- (mysql_distribution == "mysql" and mysql_version.version.full is version('5.7.6', '>=')) or
(mysql_distribution == "mariadb" and mysql_version.version.full is version('10.4.0', '>='))
- name: get all users that have no password or authentication_string on MySQL version < 5.7.6 or Mariadb version < 10.4.0
- name: Get all users that have no password or authentication_string on MySQL version < 5.7.6 or Mariadb version < 10.4.0
community.mysql.mysql_query:
query:
- SELECT GROUP_CONCAT(QUOTE(USER), '@', QUOTE(HOST) SEPARATOR ', ') AS users
@ -80,21 +80,21 @@
- (mysql_distribution == "mysql" and mysql_version.version.full is version('5.7.6', '<')) or
(mysql_distribution == "mariadb" and mysql_version.version.full is version('10.4.0', '<'))
- name: create a fact for users without password or authentication_string
- name: Create a fact for users without password or authentication_string
set_fact:
users_wo_auth: "{{ mysql_users_wo_passwords_or_auth_string.query_result.0.0 | community.general.json_query('users') }}"
when:
- mysql_users_wo_passwords_or_auth_string.query_result is defined
- mysql_users_wo_passwords_or_auth_string.query_result != "" # noqa empty-string-compare
- name: create a fact for users without password
- name: Create a fact for users without password
set_fact:
users_wo_auth: "{{ mysql_users_wo_passwords.query_result.0.0 | community.general.json_query('users') }}"
when:
- mysql_users_wo_passwords.query_result is defined
- mysql_users_wo_passwords.query_result != "" # noqa empty-string-compare
- name: ensure that there are no users without password or authentication_string
- name: Ensure that there are no users without password or authentication_string
community.mysql.mysql_query:
query:
- "DROP USER {{ users_wo_auth }}"
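Review bot: The root-password task at the top of this section (`Ensure that the root password is present`, calling `community.mysql.mysql_user` for `root` with `host_all: true`) shows no `no_log: true` in the visible lines; its remaining parameters lie outside the hunk, so if the password argument is passed without it, the value of `mysql_root_password` can appear in verbose output and callback logs. I would add `no_log: true` to that task unless it is already set below the hunk. The `DROP USER {{ users_wo_auth }}` task at the end of the section is also cut off after its query line, so whatever guards it against an undefined or empty `users_wo_auth` is not visible here; a bare `DROP USER` with an empty list fails the play, so that guard is worth confirming.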


@ -2,7 +2,7 @@
- name: Update-initramfs
command: 'update-initramfs -u'
- name: restart-auditd
- name: Restart auditd
command:
cmd: 'service auditd restart' # rhel: see: https://access.redhat.com/solutions/2664811
warn: false # sadly 'service' module fails in that case also by using 'use: service'
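Review bot: The renamed `Restart auditd` handler still passes `warn: false` to the `command` module; that parameter was deprecated in ansible-core and, as far as I recall, removed in 2.14, where it fails the handler with an unsupported-parameter error, so a lint-driven cleanup is the right moment to drop that line (`cmd: 'service auditd restart'` stays as is). Removing it keeps the handler working on both older and newer cores, since the warning it suppressed disappeared together with the parameter. Handler names are matched as plain strings, so any other `notify: 'restart-auditd'` outside this commit would now fail with an unknown-handler error; only the auditd.yml notify is updated as far as visible here.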


@ -12,5 +12,5 @@
owner: 'root'
group: 'root'
mode: '0640'
notify: 'restart-auditd'
notify: Restart auditd
tags: auditd


@ -22,79 +22,97 @@
with_dict: '{{ os_vars }}'
tags: always
- import_tasks: auditd.yml
- name: Import tasks for auditd
import_tasks: auditd.yml
tags: auditd
when: os_auditd_enabled | bool
- import_tasks: cron.yml
- name: Import tasks for cron
import_tasks: cron.yml
tags: cron
when: os_cron_enabled | bool
- import_tasks: ctrlaltdel.yml
- name: Import tasks to configure ctrl+alt+del
import_tasks: ctrlaltdel.yml
tags: ctrlaltdel
when: os_ctrlaltdel_disabled | bool
- import_tasks: limits.yml
- name: Import tasks to configure limits
import_tasks: limits.yml
tags: limits
when: os_limits_enabled | bool
- import_tasks: login_defs.yml
- name: Import tasks to configure login_defs
import_tasks: login_defs.yml
tags: login_defs
when: os_login_defs_enabled | bool
- import_tasks: minimize_access.yml
- name: Import tasks to minimize access permissions
import_tasks: minimize_access.yml
tags: minimize_access
when: os_minimize_access_enabled | bool
- import_tasks: pam.yml
- name: Import tasks to configure PAM
import_tasks: pam.yml
tags: pam
when: os_pam_enabled | bool
- import_tasks: modprobe.yml
- name: Import tasks to configure modules
import_tasks: modprobe.yml
tags: modprobe
when: os_modprobe_enabled | bool
- import_tasks: profile.yml
- name: Import tasks to configure profile
import_tasks: profile.yml
tags: profile
when: os_profile_enabled | bool
- import_tasks: securetty.yml
- name: Import tasks to configure securetty
import_tasks: securetty.yml
tags: securetty
when: os_securetty_enabled | bool
- import_tasks: suid_sgid.yml
- name: Import tasks to set suid and sgid
import_tasks: suid_sgid.yml
when: os_security_suid_sgid_enforce | bool
tags: suid_sgid
- import_tasks: sysctl.yml
- name: Import tasks to configure sysctl
import_tasks: sysctl.yml
tags: sysctl
when: os_sysctl_enabled | bool
- import_tasks: user_accounts.yml
- name: Import tasks to harden user accounts
import_tasks: user_accounts.yml
tags: user_accounts
when: os_user_accounts_enabled | bool
- import_tasks: rhosts.yml
- name: Import tasks to configure rhosts
import_tasks: rhosts.yml
tags: rhosts
when: os_rhosts_enabled | bool
- import_tasks: netrc.yml
- name: Import tasks to configure netrc
import_tasks: netrc.yml
tags: netrc
when: os_netrc_enabled | bool
- import_tasks: yum.yml
- name: Import tasks to configure yum
import_tasks: yum.yml
tags: yum
when:
- ansible_facts.os_family == 'RedHat'
- os_yum_enabled | bool
- import_tasks: apt.yml
- name: Import tasks to configure apt
import_tasks: apt.yml
tags: apt
when:
- ansible_facts.os_family == 'Debian'
- os_apt_enabled | bool
- import_tasks: selinux.yml
- name: Import tasks to configure selinux
import_tasks: selinux.yml
tags: selinux
when:
- ansible_facts.selinux.status == 'enabled'


@ -1,5 +1,6 @@
---
- name: disable coredumps
- name: Disable coredumps
when: not os_security_kernel_enable_core_dump | bool
block:
- name: Create limits.d-directory if it does not exist | sysctl-31a, sysctl-31b
file:
@ -28,7 +29,7 @@
modification_time: preserve
access_time: preserve
- name: create coredump.conf.d-directory if it does not exist
- name: Create coredump.conf.d-directory if it does not exist
file:
path: '/etc/systemd/coredump.conf.d'
owner: root
@ -37,7 +38,7 @@
state: directory
when: ansible_service_mgr == "systemd"
- name: create custom.conf for disabling coredumps
- name: Create custom.conf for disabling coredumps
template:
src: 'etc/systemd/coredump.conf.d/coredumps.conf.j2'
dest: '/etc/systemd/coredump.conf.d/custom.conf'
@ -47,9 +48,8 @@
when: ansible_service_mgr == "systemd"
notify: Reload systemd
when: not os_security_kernel_enable_core_dump | bool
- name: enable coredumps
- name: Enable coredumps
when: os_security_kernel_enable_core_dump | bool
block:
- name: Remove coredump.conf.d directory with files
file:
@ -62,4 +62,3 @@
file:
path: /etc/security/limits.d/10.hardcore.conf
state: absent
when: os_security_kernel_enable_core_dump | bool


@ -1,5 +1,6 @@
---
- include_tasks: hardening.yml
- name: Include hardening tasks
include_tasks: hardening.yml
when: os_hardening_enabled | bool
tags:
- always


@ -17,11 +17,13 @@
when:
- ansible_facts.os_family != 'Archlinux'
- import_tasks: pam_debian.yml
- name: Import tasks for Debian PAM
import_tasks: pam_debian.yml
when:
- ansible_facts.os_family == 'Debian'
- import_tasks: pam_rhel.yml
- name: Import tasks for RedHat PAM
import_tasks: pam_rhel.yml
when:
- ansible_facts.os_family == 'RedHat'


@ -25,6 +25,9 @@
- os_auth_retries > 0
- name: Manage tally on Debian stable
when:
- "'libpam-modules' in ansible_facts.packages"
- "ansible_facts.packages['libpam-modules'][0].version is version('1.4.0', '<')"
block:
- name: Configure tally2
template:
@ -42,18 +45,18 @@
state: 'absent'
when:
- os_auth_retries == 0
when:
- "'libpam-modules' in ansible_facts.packages"
- "ansible_facts.packages['libpam-modules'][0].version is version('1.4.0', '<')"
- name: Manage tally/faillock on Debian unstable
when:
- "'libpam-modules' in ansible_facts.packages"
- "ansible_facts.packages['libpam-modules'][0].version is version('1.4.0', '>=')"
block:
- name: Delete tally2
file:
path: '{{ tally2_path }}'
state: 'absent'
- name: create tally directory
- name: Create tally directory
file:
path: '/var/run/faillock'
state: 'directory'
@ -102,9 +105,6 @@
state: 'absent'
when:
- os_auth_retries == 0
when:
- "'libpam-modules' in ansible_facts.packages"
- "ansible_facts.packages['libpam-modules'][0].version is version('1.4.0', '>=')"
- name: Update pam on Debian systems
command: 'pam-auth-update --package'


@ -42,6 +42,7 @@
register: initramfs
- name: Change sysctls
when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz']
block:
- name: Create a combined sysctl-dict if os-dependent sysctls are defined
set_fact:
@ -69,7 +70,6 @@
ignoreerrors: true
with_dict: '{{ sysctl_config }}'
when: item.key not in sysctl_unsupported_entries | default()
when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz']
- name: Apply ufw defaults
template:
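Review bot: The container guard hoisted onto the `Change sysctls` block only excludes `docker`, `lxc` and `openvz`; Ansible's virtualization facts also report values such as `podman` and `containerd` for other container runtimes, as far as I know, so on those hosts the block still runs and the sysctl writes either fail or are swallowed by the `ignoreerrors: true` on the sysctl task. Consider widening the list, e.g. `when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz', 'podman', 'containerd']`, or pairing it with `ansible_virtualization_role`. With `ignoreerrors: true` a host that cannot apply a hardening sysctl is never flagged, so if that silence is intentional a one-line comment on the task saying so would spare the next reader a detour. The `Apply ufw defaults` task at the bottom continues outside the hunk.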


@ -2,17 +2,17 @@
- name: Read local linux user database
getent:
database: passwd
#creates a dict for each user containing UID/HOMEDIR etc...
when: getent_passwd is undefined # skip this task if "getent" has run before
# creates a dict for each user containing UID/HOMEDIR etc...
when: getent_passwd is undefined # skip this task if "getent" has run before
- name: extract root account(s) from local user database
loop: "{{ getent_passwd.keys()|list }}"
- name: Extract root account(s) from local user database
loop: "{{ getent_passwd.keys() | list }}"
when:
- getent_passwd[item][1]|int == 0
set_fact:
root_users: "{{ root_users|default([]) + [item] }}"
root_users: "{{ root_users | default([]) + [item] }}"
- name: set ownership of root user home directory(s) to 0700
- name: Set ownership of root user home directory(s) to 0700
file:
mode: 0700
owner: "{{ item }}"
@ -22,7 +22,7 @@
when:
- os_chmod_rootuser_home_folder | bool
- name: set password ageing for root user(s)
- name: Set password ageing for root user(s)
user:
name: "{{ item }}"
password_expire_min: "{{ os_auth_pw_min_age }}"
@ -30,7 +30,7 @@
loop: "{{ root_users }}"
when: os_rootuser_pw_ageing|bool
- name: remove additional users with UID=0 ("root" user is not touched)
- name: Remove additional users with UID=0 ("root" user is not touched)
user:
name: "{{ item }}"
state: absent
@ -66,7 +66,7 @@
when: uid_max is not defined
- name: Get all system accounts
command: awk -F'':'' '{ if ( $3 <= {{ uid_max|quote }} ) print $1}' /etc/passwd
command: awk -F'':'' '{ if ( $3 <= {{ uid_max | quote }} ) print $1}' /etc/passwd
args:
removes: /etc/passwd
changed_when: false
@ -87,7 +87,7 @@
with_community.general.flattened:
- '{{ sys_accs_cond | default([]) | difference(os_ignore_users) | list }}'
- name: get all home directories in /home, but skip ignored users
- name: Get all home directories in /home, but skip ignored users
find:
paths: /home/
recurse: false
@ -96,7 +96,7 @@
register: home_directories
when: os_chmod_home_folders | bool
- name: set ownership of /home directories to 0700
- name: Set ownership of /home directories to 0700
file:
mode: 0700
path: "{{ item.path }}"
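Review bot: The two `file` tasks that restrict home directories (`Set ownership of root user home directory(s) to 0700` and `Set ownership of /home directories to 0700`) write `mode: 0700` as an unquoted scalar, while the rest of this commit quotes modes (`'0400'`, `'0640'`). Unquoted `0700` is read by the YAML 1.1 loader as the integer 448, which Ansible happens to interpret correctly, but the form is fragile and inconsistent with the other files; I would change both lines to `mode: '0700'`. The task names also say "ownership" although the tasks set mode plus owner — `Set permissions of …` would describe them more accurately. The second task's body continues outside the hunk.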


@ -1,5 +1,6 @@
---
- include_tasks: hardening.yml
- name: Include hardening tasks
include_tasks: hardening.yml
args:
apply:
become: true


@ -24,7 +24,7 @@
# The following tasks only get executed when selinux is in state enforcing,
# UsePam is 'no' and the ssh_password module is not installed. See this issue for
# more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23
- name: run selinux tasks
- name: Run selinux tasks
when:
- not (ssh_use_pam | bool)
- ('ssh_password' not in ssh_password_module.stdout)