Add module configuration

roles/ansible-os-hardening/tasks/sysctl.yml

@@ -3,6 +3,22 @@
 - name: include sysctl variables
   include_vars: sysctl.yml
 
+- name: protect sysctl.conf
+  file: path='/etc/sysctl.conf' owner=root group=root mode=0440
+
+- name: NSA 2.2.4.1 Set Daemon umask, do config for rhel-family
+  template: src='rhel_sysconfig_init.j2' dest='/etc/sysconfig/init' owner=root group=root mode=0544
+  when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS'
+
+- name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled
+  template: src='modules.j2' dest='/etc/initramfs-tools/modules' owner=root group=root mode=0440
+  when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading
+  register: initramfs
+
+- name: update-initramfs
+  command: 'update-initramfs -u'
+  when: initramfs.changed
+
 - name: Change various sysctl-settings, look at the sysctl-vars file for documentation
   sysctl:
     name: '{{ item.key }}'

roles/ansible-os-hardening/templates/modules.j2

@@ -0,0 +1,111 @@
+# {{ ansible_managed }}
+# This file contains the names of kernel modules that should be loaded at boot time, one per line. Lines beginning with "#" are ignored.
+#
+# A list of all available kernel modules kann be found with `find /lib/modules/$(uname -r)/kernel/`
+# We will sort by folder.
+
+
+# Arch
+# ----
+#
+# Modules for certains builds, contains support modules and some CPU-specific optimizations.
+
+{% if ansible_architecture == 'x86_64' %}
+# Optimize for x86_64 cryptographic features
+twofish-x86_64-3way
+twofish-x86_64
+aes-x86_64
+salsa20-x86_64
+blowfish-x86_64
+{% endif %}
+
+{% if 'amd' in ansible_processor %}
+# AMD-specific optimizations
+kvm-amd
+{% else %}
+# Intel-specific optimizations
+ghash-clmulni-intel
+aesni-intel
+kvm-intel
+{% endif %}
+
+kvm
+
+# Crypto
+# ------
+
+# Some core modules which comprise strong cryptography.
+blowfish_common
+blowfish_generic
+ctr
+cts
+lrw
+lzo
+rmd160
+rmd256
+rmd320
+serpent
+sha512_generic
+twofish_common
+twofish_generic
+xts
+zlib
+
+
+# Drivers
+# -------
+
+# Basics
+lp
+rtc
+loop
+
+# Filesystems
+ext2
+btrfs
+
+{% if os_desktop_enable %}
+# Desktop
+psmouse
+snd
+snd_ac97_codec
+snd_intel8x0
+snd_page_alloc
+snd_pcm
+snd_timer
+soundcore
+usbhid
+{% endif %}
+
+# Lib
+# ---
+xz
+
+
+# Net
+# ---
+
+# All packets needed for netfilter rules (ie iptables, ebtables).
+ip_tables
+x_tables
+iptable_filter
+iptable_nat
+
+# Targets
+ipt_LOG
+ipt_REJECT
+
+# Modules
+xt_connlimit
+xt_tcpudp
+xt_recent
+xt_limit
+xt_conntrack
+nf_conntrack
+nf_conntrack_ipv4
+nf_defrag_ipv4
+xt_state
+nf_nat
+
+# Addons
+xt_pknock

roles/ansible-os-hardening/templates/rhel_sysconfig_init.j2

@@ -0,0 +1,31 @@
+# {{ ansible_managed }}
+
+# color => new RH6.0 bootup
+# verbose => old-style bootup
+# anything else => new style bootup without ANSI colors or positioning
+BOOTUP=color
+# column to start "[  OK  ]" label in
+RES_COL=60
+# terminal sequence to move to that column. You could change this
+# to something like "tput hpa ${RES_COL}" if your terminal supports it
+MOVE_TO_COL="echo -en \\033[${RES_COL}G"
+# terminal sequence to set color to a 'success' color (currently: green)
+SETCOLOR_SUCCESS="echo -en \\033[0;32m"
+# terminal sequence to set color to a 'failure' color (currently: red)
+SETCOLOR_FAILURE="echo -en \\033[0;31m"
+# terminal sequence to set color to a 'warning' color (currently: yellow)
+SETCOLOR_WARNING="echo -en \\033[0;33m"
+# terminal sequence to reset to the default color.
+SETCOLOR_NORMAL="echo -en \\033[0;39m"
+# Set to anything other than 'no' to allow hotkey interactive startup...
+PROMPT=yes
+# Set to 'yes' to allow probing for devices with swap signatures
+AUTOSWAP=no
+# What ttys should gettys be started on?
+ACTIVE_CONSOLES=/dev/tty[1-6]
+# Set to '/sbin/sulogin' to prompt for password on single-user mode
+# Set to '/sbin/sushell' otherwise
+SINGLE=/sbin/sushell
+
+# NSA 2.2.4.1 Set Daemon umask
+umask 027