mirror of
https://github.com/dev-sec/ansible-collection-hardening
synced 2024-11-14 02:47:06 +00:00
7eb8b4f3d3
This change gets rid of the separate role dir and puts everything into the root-directory, making it possible to install the role via ansible galaxy.
111 lines
3.8 KiB
YAML
111 lines
3.8 KiB
YAML
# SYSTEM CONFIGURATION
|
|
# ====================
|
|
# These are not meant to be modified by the user
|
|
|
|
# suid and sgid blacklists and whitelists
|
|
# ---------------------------------------
|
|
# don't change values in the system_blacklist/whitelist
|
|
# adjust values for blacklist/whitelist instead, they can override system_blacklist/whitelist
|
|
|
|
# list of suid/sgid entries that must be removed
|
|
os_security_suid_sgid_system_blacklist:
|
|
# blacklist as provided by NSA
|
|
- '/usr/bin/rcp'
|
|
- '/usr/bin/rlogin'
|
|
- '/usr/bin/rsh'
|
|
# sshd must not use host-based authentication (see ssh cookbook)
|
|
- '/usr/libexec/openssh/ssh-keysign'
|
|
- '/usr/lib/openssh/ssh-keysign'
|
|
# misc others
|
|
- '/sbin/netreport' # not normally required for user
|
|
- '/usr/sbin/usernetctl' # modify interfaces via functional accounts
|
|
# connecting to ...
|
|
- '/usr/sbin/userisdnctl' # no isdn...
|
|
- '/usr/sbin/pppd' # no ppp / dsl ...
|
|
# lockfile
|
|
- '/usr/bin/lockfile'
|
|
- '/usr/bin/mail-lock'
|
|
- '/usr/bin/mail-unlock'
|
|
- '/usr/bin/mail-touchlock'
|
|
- '/usr/bin/dotlockfile'
|
|
# need more investigation blacklist for now
|
|
- '/usr/bin/arping'
|
|
- '/usr/sbin/uuidd'
|
|
- '/usr/bin/mtr' # investigate current state...
|
|
- '/usr/lib/evolution/camel-lock-helper-1.2' # investigate current state...
|
|
- '/usr/lib/pt_chown' # pseudo-tty needed?
|
|
- '/usr/lib/eject/dmcrypt-get-device'
|
|
- '/usr/lib/mc/cons.saver' # midnight commander screensaver
|
|
|
|
# list of suid/sgid entries that can remain untouched
|
|
os_security_suid_sgid_system_whitelist:
|
|
# whitelist as provided by NSA
|
|
- '/bin/mount'
|
|
- '/bin/ping'
|
|
- '/bin/su'
|
|
- '/bin/umount'
|
|
- '/sbin/pam_timestamp_check'
|
|
- '/sbin/unix_chkpwd'
|
|
- '/usr/bin/at'
|
|
- '/usr/bin/gpasswd'
|
|
- '/usr/bin/locate'
|
|
- '/usr/bin/newgrp'
|
|
- '/usr/bin/passwd'
|
|
- '/usr/bin/ssh-agent'
|
|
- '/usr/libexec/utempter/utempter'
|
|
- '/usr/sbin/lockdev'
|
|
- '/usr/sbin/sendmail.sendmail'
|
|
- '/usr/bin/expiry'
|
|
# whitelist ipv6
|
|
- '/bin/ping6'
|
|
- '/usr/bin/traceroute6.iputils'
|
|
# whitelist nfs
|
|
- '/sbin/mount.nfs'
|
|
- '/sbin/umount.nfs'
|
|
# whitelist nfs4
|
|
- '/sbin/mount.nfs4'
|
|
- '/sbin/umount.nfs4'
|
|
# whitelist cron
|
|
- '/usr/bin/crontab'
|
|
# whitelist consolemssaging
|
|
- '/usr/bin/wall'
|
|
- '/usr/bin/write'
|
|
# whitelist: only SGID with utmp group for multi-session access
|
|
# impact is limited; installation/usage has some remaining risk
|
|
- '/usr/bin/screen'
|
|
# whitelist locate
|
|
- '/usr/bin/mlocate'
|
|
# whitelist usermanagement
|
|
- '/usr/bin/chage'
|
|
- '/usr/bin/chfn'
|
|
- '/usr/bin/chsh'
|
|
# whitelist fuse
|
|
- '/bin/fusermount'
|
|
# whitelist pkexec
|
|
- '/usr/bin/pkexec'
|
|
# whitelist sudo
|
|
- '/usr/bin/sudo'
|
|
- '/usr/bin/sudoedit'
|
|
# whitelist postfix
|
|
- '/usr/sbin/postdrop'
|
|
- '/usr/sbin/postqueue'
|
|
# whitelist apache
|
|
- '/usr/sbin/suexec'
|
|
# whitelist squid
|
|
- '/usr/lib/squid/ncsa_auth'
|
|
- '/usr/lib/squid/pam_auth'
|
|
# whitelist kerberos
|
|
- '/usr/kerberos/bin/ksu'
|
|
# whitelist pam_caching
|
|
- '/usr/sbin/ccreds_validate'
|
|
# whitelist Xorg
|
|
- '/usr/bin/Xorg' # xorg
|
|
- '/usr/bin/X' # xorg
|
|
- '/usr/lib/dbus-1.0/dbus-daemon-launch-helper' # freedesktop ipc
|
|
- '/usr/lib/vte/gnome-pty-helper' # gnome
|
|
- '/usr/lib/libvte9/gnome-pty-helper' # gnome
|
|
- '/usr/lib/libvte-2.90-9/gnome-pty-helper' # gnome
|
|
|
|
# system accounts that do not get their login disabled and pasword changed
|
|
os_always_ignore_users: ['root','sync','shutdown','halt']
|
|
|