diff --git a/roles/ansible-os-hardening/tasks/sysctl.yml b/roles/ansible-os-hardening/tasks/sysctl.yml
index aad79496..a609621b 100644
--- a/roles/ansible-os-hardening/tasks/sysctl.yml
+++ b/roles/ansible-os-hardening/tasks/sysctl.yml
@@ -3,6 +3,22 @@
 - name: include sysctl variables
   include_vars: sysctl.yml
 
+- name: protect sysctl.conf
+  file: path='/etc/sysctl.conf' owner=root group=root mode=0440
+
+- name: NSA 2.2.4.1 Set Daemon umask, do config for rhel-family
+  template: src='rhel_sysconfig_init.j2' dest='/etc/sysconfig/init' owner=root group=root mode=0544
+  when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS'
+
+- name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled
+  template: src='modules.j2' dest='/etc/initramfs-tools/modules' owner=root group=root mode=0440
+  when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading
+  register: initramfs
+
+- name: update-initramfs
+  command: 'update-initramfs -u'
+  when: initramfs.changed
+
 - name: Change various sysctl-settings, look at the sysctl-vars file for documentation
   sysctl:
     name: '{{ item.key }}'
diff --git a/roles/ansible-os-hardening/templates/modules.j2 b/roles/ansible-os-hardening/templates/modules.j2
new file mode 100644
index 00000000..1cd2187d
--- /dev/null
+++ b/roles/ansible-os-hardening/templates/modules.j2
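Review bot: The initramfs task's condition appears inverted: its name says it rebuilds when runtime module loading is disabled, but `when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading` fires when the variable is truthy, i.e. when loading stays enabled, so the hosts that actually need every module baked into the initramfs are the ones that get skipped; assuming the variable means what its name says, it should read `when: ansible_os_family == 'Debian' and not os_security_kernel_enable_module_loading`. The `update-initramfs` step guarded by `initramfs.changed` inherits the same mistake. The RedHat branch tests three `ansible_distribution` values while the Debian branch uses `ansible_os_family`; `when: ansible_os_family == 'RedHat'` would be consistent with it and also cover other derivatives. `/etc/sysconfig/init` is sourced, not executed, so `mode=0544` grants an execute bit it never needs; `mode=0444` is sufficient.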
@@ -0,0 +1,111 @@
+# {{ ansible_managed }}
+# This file contains the names of kernel modules that should be loaded at boot time, one per line. Lines beginning with "#" are ignored.
+#
+# A list of all available kernel modules kann be found with `find /lib/modules/$(uname -r)/kernel/`
+# We will sort by folder.
+
+
+# Arch
+# ----
+#
+# Modules for certains builds, contains support modules and some CPU-specific optimizations.
+
+{% if ansible_architecture == 'x86_64' %}
+# Optimize for x86_64 cryptographic features
+twofish-x86_64-3way
+twofish-x86_64
+aes-x86_64
+salsa20-x86_64
+blowfish-x86_64
+{% endif %}
+
+{% if 'amd' in ansible_processor %}
+# AMD-specific optimizations
+kvm-amd
+{% else %}
+# Intel-specific optimizations
+ghash-clmulni-intel
+aesni-intel
+kvm-intel
+{% endif %}
+
+kvm
+
+# Crypto
+# ------
+
+# Some core modules which comprise strong cryptography.
+blowfish_common
+blowfish_generic
+ctr
+cts
+lrw
+lzo
+rmd160
+rmd256
+rmd320
+serpent
+sha512_generic
+twofish_common
+twofish_generic
+xts
+zlib
+
+
+# Drivers
+# -------
+
+# Basics
+lp
+rtc
+loop
+
+# Filesystems
+ext2
+btrfs
+
+{% if os_desktop_enable %}
+# Desktop
+psmouse
+snd
+snd_ac97_codec
+snd_intel8x0
+snd_page_alloc
+snd_pcm
+snd_timer
+soundcore
+usbhid
+{% endif %}
+
+# Lib
+# ---
+xz
+
+
+# Net
+# ---
+
+# All packets needed for netfilter rules (ie iptables, ebtables).
+ip_tables
+x_tables
+iptable_filter
+iptable_nat
+
+# Targets
+ipt_LOG
+ipt_REJECT
+
+# Modules
+xt_connlimit
+xt_tcpudp
+xt_recent
+xt_limit
+xt_conntrack
+nf_conntrack
+nf_conntrack_ipv4
+nf_defrag_ipv4
+xt_state
+nf_nat
+
+# Addons
+xt_pknock
diff --git a/roles/ansible-os-hardening/templates/rhel_sysconfig_init.j2 b/roles/ansible-os-hardening/templates/rhel_sysconfig_init.j2
new file mode 100644
index 00000000..50fcc457
--- /dev/null
+++ b/roles/ansible-os-hardening/templates/rhel_sysconfig_init.j2
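Review bot: `{% if 'amd' in ansible_processor %}` tests list membership, not substring matching: `ansible_processor` is a list whose entries look like a vendor id or a full model string, so an element equal to the bare word `amd` will practically never exist and the Intel branch (`ghash-clmulni-intel`, `aesni-intel`, `kvm-intel`) is rendered on AMD hosts as well. Flatten and case-fold the list before testing, e.g. `{% if 'amd' in (ansible_processor | join(' ') | lower) %}`. Because this file becomes the fixed set of modules available once the role disables runtime module loading, the header comment should say that anything missing from it cannot be added until the next reboot, so operators know to extend the list before applying the sysctl; the same edit can fix `kann` and `certains`. Whether initramfs-tools tolerates entries that the running kernel does not ship (e.g. `xt_pknock`) should be confirmed on a Debian host, since a hard failure there would leave the initramfs stale.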
@@ -0,0 +1,31 @@
+# {{ ansible_managed }}
+
+# color => new RH6.0 bootup
+# verbose => old-style bootup
+# anything else => new style bootup without ANSI colors or positioning
+BOOTUP=color
+# column to start "[ OK ]" label in
+RES_COL=60
+# terminal sequence to move to that column. You could change this
+# to something like "tput hpa ${RES_COL}" if your terminal supports it
+MOVE_TO_COL="echo -en \\033[${RES_COL}G"
+# terminal sequence to set color to a 'success' color (currently: green)
+SETCOLOR_SUCCESS="echo -en \\033[0;32m"
+# terminal sequence to set color to a 'failure' color (currently: red)
+SETCOLOR_FAILURE="echo -en \\033[0;31m"
+# terminal sequence to set color to a 'warning' color (currently: yellow)
+SETCOLOR_WARNING="echo -en \\033[0;33m"
+# terminal sequence to reset to the default color.
+SETCOLOR_NORMAL="echo -en \\033[0;39m"
+# Set to anything other than 'no' to allow hotkey interactive startup...
+PROMPT=yes
+# Set to 'yes' to allow probing for devices with swap signatures
+AUTOSWAP=no
+# What ttys should gettys be started on?
+ACTIVE_CONSOLES=/dev/tty[1-6]
+# Set to '/sbin/sulogin' to prompt for password on single-user mode
+# Set to '/sbin/sushell' otherwise
+SINGLE=/sbin/sushell
+
+# NSA 2.2.4.1 Set Daemon umask
+umask 027
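Review bot: `PROMPT=yes` and `SINGLE=/sbin/sushell` keep interactive boot and password-less single-user mode enabled, which sits oddly in a template installed by a hardening role: someone at the console can interrupt service startup or reach a root shell without authenticating. The file's own comments already describe the hardened values; `PROMPT=no` and `SINGLE=/sbin/sulogin` would apply them, and if the role deliberately leaves these loose, a comment next to each saying why would stop the next reader from "fixing" them. `umask 027` reaches daemons only because SysV init scripts source this file; on releases whose services are started by systemd it will presumably not apply, and the task's `when:` (any RedHat, Fedora or CentOS release) does not distinguish those — worth confirming and stating in the header comment, since this hunk is a whole new file.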