Ansible role to make a CentOS, Debian, Fedora or Ubuntu server a bit more secure, systemd edition.
Requires Ansible >= 2.8.
Available on Ansible Galaxy.
bento/debian-10
bento/fedora-31
centos/8
ubuntu/bionic64
ubuntu/focal64auditd_mode: 1Auditd failure mode. 0=silent 1=printk 2=panic.
grub_audit_backlog_cmdline: "audit_backlog_limit=8192"
grub_audit_cmdline: "audit=1"Enable auditd at boot using Grub.
dns: "127.0.0.1"
dnssec: allow-downgrade
fallback_dns: "1.1.1.1 9.9.9.9"IPv4 and IPv6 addresses to use as system and fallback DNS servers.
If dnssec is set to "allow-downgrade" DNSSEC validation is attempted, but if
the server does not support DNSSEC properly, DNSSEC mode is automatically
disabled. systemd
option.
fs_modules_blocklist:
- cramfs
- freevxfs
- hfs
- hfsplus
- jffs2
- squashfs
- udf
- vfatBlocked file system kernel modules.
limit_nofile_hard: 1024
limit_nofile_soft: 512
limit_nproc_hard: 1024
limit_nproc_soft: 512Maximum number of processes and open files.
misc_modules_blocklist:
- bluetooth
- bnep
- btusb
- cpia2
- firewire-core
- floppy
- n_hdlc
- net-pf-31
- pcspkr
- soundcore
- thunderbolt
- usb-midi
- usb-storage
- uvcvideo
- v4l2_commonBlocked kernel modules.
net_modules_blocklist:
- dccp
- sctp
- rds
- tipcBlocked kernel network modules.
ntp: "0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org"
fallback_ntp: "2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org"NTP server host names or IP addresses. systemd option.
packages_blocklist:
- apport*
- autofs
- avahi*
- avahi-*
- beep
- git
- pastebinit
- popularity-contest
- rsh*
- rsync
- talk*
- telnet*
- tftp*
- whoopsie
- xinetd
- yp-tools
- ypbindPackages to be removed.
packages_debian:
- acct
- aide-common
- apparmor-profiles
- apparmor-utils
- audispd-plugins
- auditd
- debsums
- gnupg2
- haveged
- libpam-apparmor
- libpam-cracklib
- libpam-tmpdir
- needrestart
- openssh-server
- postfix
- rkhunter
- rsyslog
- tcpd
- vlockPackages to be installed on a Debian OS family host.
packages_redhat:
- aide
- audispd-plugins
- audit
- haveged
- gnugpg2
- openssh-server
- needrestart
- postfix
- psacct
- rkhunter
- rsyslog
- tcp_wrappers
- vlockPackages to be installed on a RedHat OS family host.
random_ack_limit: "{{ 1000000 | random(start=1000) }}"net.ipv4.tcp_challenge_ack_limit, see tcp: make challenge acks less predictable.
reboot_ubuntu: falseIf true an Ubuntu node will be rebooted if required, using
pre_reboot_delay: "{{ 3600 | random(start=1) }}".
redhat_rpm_key:
- 567E347AD0044ADE55BA8A5F199E2F91FD431D51
- 47DB287789B21722B6D95DDE5326810137017186Red Hat RPM keys
for use when ansible_distribution == "RedHat".
sshd_admin_net:
- 192.168.0.0/24
- 192.168.1.0/24
sshd_allow_agent_forwarding: 'no'
sshd_allow_tcp_forwarding: 'no'
sshd_allow_groups: sudo
sshd_authentication_methods: any
sshd_log_level: VERBOSE
sshd_max_auth_tries: 3
sshd_max_sessions: 3
sshd_password_authentication: 'no'
sshd_port: 22Only the network(s) defined in sshd_admin_net are allowed to
connect to sshd_port. Note that additional rules need to be set up in order
to allow access to additional services.
OpenSSH login is allowed only for users whose primary group or supplementary
group list matches one of the patterns in sshd_allow_groups.
sshd_allow_agent_forwarding specifies whether ssh-agent(1) forwarding is
permitted.
sshd_allow_tcp_forwarding specifies whether TCP forwarding is permitted.
The available options are yes or all to allow TCP forwarding, no to prevent
all TCP forwarding, local to allow local (from the perspective of ssh(1))
forwarding only or remote to allow remote forwarding only.
sshd_authentication_methods specifies the authentication methods that must
be successfully completed in order to grant access to a user.
sshd_log_level gives the verbosity level that is used when logging messages.
sshd_max_auth_tries and sshd_max_sessions specifies the maximum number of
SSH authentication attempts permitted per connection and the maximum number of
open shell, login or subsystem (e.g. sftp) sessions permitted per network
connection.
sshd_password_authentication specifies whether password authentication is allowed.
sshd_port specifies the port number that sshd(8) listens on.
suid_sgid_blocklist:
- /bin/bash
- /bin/busybox
- /bin/cat
- /bin/chmod
- /bin/chown
- /bin/cp
- /bin/dash
- /bin/date
- /bin/dd
- /bin/dmesg
[...]Which binaries that should have SUID/SGID removed, a complete list is available at https://github.com/konstruktoid/ansible-role-hardening/blob/master/defaults/main.yml#L112
.
├── LICENSE
├── README.md
├── Vagrantfile
├── action-lint
│ ├── Dockerfile
│ ├── README.md
│ └── entrypoint.sh
├── defaults
│ └── main.yml
├── handlers
│ └── main.yml
├── meta
│ └── main.yml
├── postChecks.sh
├── provision
│ └── setup.sh
├── renovate.json
├── runPlaybook.sh
├── tasks
│ ├── 01_pre.yml
│ ├── 02_firewall.yml
│ ├── 03_disablenet.yml
│ ├── 04_disablefs.yml
│ ├── 05_systemdconf.yml
│ ├── 06_journalconf.yml
│ ├── 07_timesyncd.yml
│ ├── 08_fstab.yml
│ ├── 09_prelink.yml
│ ├── 10_pkgupdate.yml
│ ├── 11_hosts.yml
│ ├── 12_logindefs.yml
│ ├── 13_sysctl.yml
│ ├── 14_limits.yml
│ ├── 15_adduser.yml
│ ├── 16_rootaccess.yml
│ ├── 17_packages.yml
│ ├── 18_sshdconfig.yml
│ ├── 19_password.yml
│ ├── 20_cron.yml
│ ├── 21_ctrlaltdel.yml
│ ├── 22_auditd.yml
│ ├── 23_disablemod.yml
│ ├── 24_aide.yml
│ ├── 26_users.yml
│ ├── 27_suid.yml
│ ├── 28_umask.yml
│ ├── 30_path.yml
│ ├── 31_logindconf.yml
│ ├── 32_resolvedconf.yml
│ ├── 33_rkhunter.yml
│ ├── 34_issue.yml
│ ├── 35_apport.yml
│ ├── 36_lockroot.yml
│ ├── 37_mount.yml
│ ├── 38_postfix.yml
│ ├── 39_motdnews.yml
│ ├── 43_sudo.yml
│ ├── 99_extras.yml
│ └── main.yml
├── templates
│ ├── etc
│ │ ├── adduser.conf.j2
│ │ ├── ansible
│ │ │ └── facts.d
│ │ │ ├── cpuinfo_rdrand.fact
│ │ │ ├── reboot_required.fact
│ │ │ └── systemd_version.fact
│ │ ├── apt
│ │ │ └── apt.conf.d
│ │ │ └── 99noexec-tmp.j2
│ │ ├── audit
│ │ │ └── rules.d
│ │ │ └── hardening.rules.j2
│ │ ├── default
│ │ │ ├── rkhunter.j2
│ │ │ └── useradd.j2
│ │ ├── hosts.allow.j2
│ │ ├── hosts.deny.j2
│ │ ├── issue.j2
│ │ ├── login.defs.j2
│ │ ├── logrotate.conf.j2
│ │ ├── pam.d
│ │ │ ├── common-account.j2
│ │ │ ├── common-auth.j2
│ │ │ ├── common-password.j2
│ │ │ └── login.j2
│ │ ├── profile.d
│ │ │ └── initpath.sh.j2
│ │ ├── securetty.j2
│ │ ├── security
│ │ │ ├── access.conf.j2
│ │ │ ├── limits.conf.j2
│ │ │ └── pwquality.conf.j2
│ │ ├── ssh
│ │ │ └── sshd_config.j2
│ │ ├── sysctl.conf.j2
│ │ └── systemd
│ │ ├── coredump.conf.j2
│ │ ├── journald.conf.j2
│ │ ├── logind.conf.j2
│ │ ├── resolved.conf.j2
│ │ ├── system.conf.j2
│ │ ├── timesyncd.conf.j2
│ │ ├── tmp.mount.j2
│ │ └── user.conf.j2
│ └── lib
│ └── systemd
│ └── system
│ ├── aidecheck.service.j2
│ └── aidecheck.timer.j2
└── tests
├── inventory
└── test.yml
24 directories, 89 filesNone.
---
- hosts: all
serial: 50%
- { role: konstruktoid.hardening, sshd_admin_net: [10.0.0.0/24] }
...ansible-playbook tests/test.yml --extra-vars "sshd_admin_net=192.168.1.0/24" \
-c local -i 'localhost,' -KThe repository contains a Vagrant
configuration file, which will run the konstruktoid.hardening role.
The runPlaybook.sh script may be used to automatically update and run the role on all configured Vagrant boxes. After the role has been applied, Lynis and various bats tests will be downloaded and the configurationen tested.
To run a OpenSCAP test on a Fedora host using the included Vagrantfile follow the instructions on https://copr.fedorainfracloud.org/coprs/openscapmaint/openscap-latest/.
curl -SsL http://copr.fedoraproject.org/coprs/openscapmaint/openscap-latest/repo/epel-7/openscapmaint-openscap-latest-epel-7.repo | \
sudo tee -a /etc/yum.repos.d/openscapmaint-openscap-latest-epel-7.repo
sudo dnf install -y openscap-scanner scap-security-guide
oscap info --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
sudo oscap xccdf eval --fetch-remote-resources \
--profile xccdf_org.ssgproject.content_profile_pci-dss \
--report fedora_pci-report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xmlTo run a OpenSCAP test on a
Ubuntu 18.04 host, where v0.1.50 should be replaced with the latest available
version:
sudo apt-get -y install libopenscap8 unzip
wget https://github.com/ComplianceAsCode/content/releases/download/v0.1.50/scap-security-guide-0.1.50.zip
unzip scap-security-guide-0.1.50.zip
cd scap-security-guide-0.1.50
oscap info --fetch-remote-resources ./ssg-ubuntu1804-ds.xml
sudo oscap xccdf eval --fetch-remote-resources \
--profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high \
--report ../bionic_anssi-report.html ./ssg-ubuntu1804-ds.xmlCIS Distribution Independent Linux Benchmark v1.0.0
Common Configuration Enumeration
Canonical Ubuntu 16.04 LTS STIG - Ver 1, Rel 2
Guide to the Secure Configuration of Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 7 - Ver 2, Rel 3 STIG
Security focused systemd configuration
Do you want to contribute? That's great! Contributions are always welcome, no matter how large or small. If you found something odd, feel free to submit a issue, improve the code by creating a pull request, or by sponsoring this project.
Apache License Version 2.0