Skip to content

Commit

Permalink
Add separated files
Browse files Browse the repository at this point in the history
  • Loading branch information
Sebastian Gumprich committed May 26, 2015
1 parent 79ca60b commit a305b94
Show file tree
Hide file tree
Showing 10 changed files with 271 additions and 0 deletions.
4 changes: 4 additions & 0 deletions roles/ansible-os-hardening/tasks/limits.yml
View file
@@ -0,0 +1,4 @@
---
- name: create sane limits.conf
template: src='limits.conf.j2' dest='/etc/security/limits.d/10.hardcore.conf' owner=root group=root mode=0440
when: os_security_kernel_enable_core_dump
4 changes: 4 additions & 0 deletions roles/ansible-os-hardening/tasks/login_defs.yml
View file
@@ -0,0 +1,4 @@
---
- name: create login.defs
template: src='login.defs.j2' dest='/etc/login.defs' owner=root group=root mode=0444

18 changes: 18 additions & 0 deletions roles/ansible-os-hardening/tasks/minimize_access.yml
View file
@@ -0,0 +1,18 @@
---
- name: minimize access
file: path='{{item}}' mode='go-w' recurse=yes
with_items:
- '/usr/local/sbin'
- '/usr/local/bin'
- '/usr/sbin'
- '/usr/bin'
- '/sbin'
- '/bin'
- '{{os_env_extra_user_paths}}'

- name: change shadow ownership to root and mode to 0600 | DTAG SEC Req 3.21-7
file: dest='/etc/shadow' owner=root group=root mode=0600

- name: change su-binary to only be accessible to user and group root
file: dest='/bin/su' owner=root group=root mode
when: security_users_allow|default(None) != None
66 changes: 66 additions & 0 deletions roles/ansible-os-hardening/tasks/pam.yml
View file
@@ -0,0 +1,66 @@
---
- name: update pam on Debian systems
command: 'pam-auth-update --package'
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'

- name: update pam on Redhat systems
command: 'authconfig --update'
when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'

- name: remove pam ccreds on Debian systems
apt: name='{{os_packages_pam_ccreds}}' state=absent
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'

- name: remove pam ccreds on Redhat systems
yum: name='{{os_packages_pam_ccreds}}' state=absent
when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'

- name: remove pam_cracklib, because it does not play nice with passwdqc
apt: name='{{os_packages_pam_cracklib}}' state=absent
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable

- name: install the package for strong password checking
apt: name='{{os_packages_pam_passwdqc}}' state='installed'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable

- name: configure passwdqc
template: src='pam_passwdqd.j2' mode=0640 owner=root group=root dest='{{passwdqc_path}}'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable

- name: remove passwdqc
apt: name='{{os_packages_pam_passwdqc}}' state='absent'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable

- name: install tally2
apt: name='libpam-modules' state=installed
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0

- name: configure tally2
template: src='pam_tally2.j2' dest='{{tally2_path}}' mode=0640 owner=root group=root
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0

- name: delete tally2 when retries is 0
file: path='{{tally2_path}}' state=absent
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries == 0

- name: update pam
command: 'pam-auth-update --package'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')

- name: remove pam_cracklib, because it does not play nice with passwdqc
yum: name='{{os_packages_pam_cracklib}}' state=absent
when: (ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux') and os_auth_pam_passwdqc_enable

- name: install the package for strong password checking
yum: name='{{os_packages_pam_passwdqc}}' state='installed'
when: (ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux') and os_auth_pam_passwdqc_enable

- name: remove passwdqc
yum: name='{{os_packages_pam_passwdqc}}' state='absent'
when: (ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux') and not os_auth_pam_passwdqc_enable

- name: configure passwdqc and tally via central system-auth confic
template: src='rhel_system_auth.j2' dest='/etc/pam.d/system-auth-ac' mode=0640 owner=root group=root

- name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512

This comment has been minimized.

Sign in to view

Copy link
@ypid

ypid May 31, 2015

Member

Only for RedHat Systems? This seems to have no affect on Debian based systems …

This comment has been minimized.

Sign in to view

Copy link
@rndmh3ro

rndmh3ro May 31, 2015

Member

Please open an issue for that, I can't reproduce the problem.
template: src='rhel_libuser.conf.j2' dest='/etc/libuser.conf' mode=0640 owner=root group=root
4 changes: 4 additions & 0 deletions roles/ansible-os-hardening/tasks/profile.yml
View file
@@ -0,0 +1,4 @@
---
- name: create profile.conf
template: src='profile.conf.j2' dest='/etc/profile.d/pinerolo_profile.sh' owner=root group=root mode=0750
when: not os_security_kernel_enable_core_dump
11 changes: 11 additions & 0 deletions roles/ansible-os-hardening/tasks/rhosts.yml
View file
@@ -0,0 +1,11 @@
---
- name: Get user accounts | DTAG SEC Req 3.21-4
command: "awk -F: '{print $1}' /etc/passwd"
register: users

- name: delete rhosts-files from system | DTAG SEC Req 3.21-4
file: dest='~{{ item }}/.rhosts' state=absent
with_items: users.stdout_lines

- name: delete hosts.equiv from system | DTAG SEC Req 3.21-4
file: dest='/etc/hosts.equiv' state=absent
3 changes: 3 additions & 0 deletions roles/ansible-os-hardening/tasks/securetty.yml
View file
@@ -0,0 +1,3 @@
---
- name: create securetty
template: src='securetty.j2' dest='/etc/securetty' owner=root group=root mode=0400
19 changes: 19 additions & 0 deletions roles/ansible-os-hardening/tasks/suid_sgid.yml
View file
@@ -0,0 +1,19 @@
---
#- name: remove suid/sgid bit from binaries in blacklist
# file: path='{{item}}' mode='a-s'
# ignore_errors: true
# with_items:
# - '{{ os_security_suid_sgid_system_blacklist }}'
#
#- name: find binaries with suid/sgid set
# shell: 'find / \( -perm -4000 -o -perm -2000 \) -type f -print 2>/dev/null | grep -v "No such file or directory"'
# register: sbit_binaries
#
#- debug: var=sbit_binaries.stdout_lines
#- debug: var={{os_security_suid_sgid_system_blacklist}}
#
#- name: remove suid/sgid bit from all binaries except in whitelist
# file: path='{{item}}' mode='a-s'
# with_items:
# - sbit_binaries.stdout_lines

134 changes: 134 additions & 0 deletions roles/ansible-os-hardening/tasks/sysctl.yml
View file
@@ -0,0 +1,134 @@
---

This comment has been minimized.

Sign in to view

Copy link
@ypid

ypid May 31, 2015

Member

Do the reload at the and via notify or/and use a template file under /etc/sysctl.d/? This could be a bit more clear.

This comment has been minimized.

Sign in to view

Copy link
@rndmh3ro

rndmh3ro May 31, 2015

Member

Why should I use notify when the module already ships with a reloading-mechanism? How would I make sure that the reload only happens when something actually changed? If I always reload, it wouldn't be idempotent.
Using a template file could be a good idea, but I don't know yet what will happen, if a value does not exist on the operating system. Will sysctl fail? Right now, if a value doesn't exist, it simply is ignored.

This comment has been minimized.

Sign in to view

Copy link
@ypid

ypid May 31, 2015

Member

See: https://github.com/picotrading/ansible-sysctl
Not sure what sysctl does when the parameter is unknown …

This comment has been minimized.

Sign in to view

Copy link
@rndmh3ro

rndmh3ro May 31, 2015

Member

I just tried it, the task fails. Seems that this is not an option.

This comment has been minimized.

Sign in to view

Copy link
@ypid

ypid May 31, 2015

Member

Fair enough. What about:

vars:
  sysctl:
    'net.ipv6.conf.all.forwarding': 0

tasks:
  - name: Only enable IP traffic forwarding, if required.
    sysctl:
      name: '{{ item.key }}'
      value: '{{ item.value }}'
      sysctl_set: yes
      state: present
      reload: yes
      ignoreerrors: yes
    with_dict: sysctl
- name: Only enable IP traffic forwarding, if required.
sysctl: name='net.ipv4.ip_forward' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes

- name: Only enable IP traffic forwarding, if required.
sysctl: name='net.ipv4.ip_forward' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
when: os_network_forwarding

- name: Only enable IP traffic forwarding, if required.
sysctl: name='net.ipv6.conf.all.forwarding' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes

- name: Only enable IP traffic forwarding, if required.

This comment has been minimized.

Sign in to view

Copy link
@ypid

ypid May 31, 2015

Member

First net.ipv6.conf.all.forwarding is set to 0 and then conditionally to 1?

This comment has been minimized.

Sign in to view

Copy link
@rndmh3ro

rndmh3ro May 31, 2015

Member

How else would you do it? I have to make sure that net.ipv6.conf.all.forwarding is set to 0, unless it is explicitly set to 1.

This comment has been minimized.

Sign in to view

Copy link
@ypid

ypid May 31, 2015

Member

How about:

- name: Only enable IP traffic forwarding, if required.
  sysctl:
    name: 'net.ipv6.conf.all.forwarding'
    value: '{% if os_network_forwarding and os_network_ipv6_enable %}1{% else %}0{% endif %}'
    sysctl_set: yes
    state: present
    reload: yes
    ignoreerrors: yes

This comment has been minimized.

Sign in to view

Copy link
@rndmh3ro

rndmh3ro May 31, 2015

Member

Using Jinja-syntax in tasks is dicouraged by Ansible, so I didn't do that aswell.
However, I can change the task-names to make it more clear what's happening.

BTW: Thanks for your input, I really appreciate it!

This comment has been minimized.

Sign in to view

Copy link
@ypid

ypid May 31, 2015

Member

Interesting, I did not know that. Is this specific use case really discouraged (see comment? I did not read the whole thing …
In that case you could use something like:

- name: Only enable IP traffic forwarding, if required.
  sysctl:
    name: 'net.ipv6.conf.all.forwarding'
    value: '1'
    sysctl_set: yes
    state: present
    reload: yes
    ignoreerrors: yes
  when: os_network_forwarding and os_network_ipv6_enable

- name: Only enable IP traffic forwarding, if required.
  sysctl:
    name: 'net.ipv6.conf.all.forwarding'
    value: '0'
    sysctl_set: yes
    state: present
    reload: yes
    ignoreerrors: yes
  when: not (os_network_forwarding and os_network_ipv6_enable)

This comment has been minimized.

Sign in to view

Copy link
@rndmh3ro

rndmh3ro Jun 1, 2015

Member

That's a good idea and I'll change that on all tasks that have this condition! Thanks!
sysctl: name='net.ipv6.conf.all.forwarding' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
when: os_network_forwarding and os_network_ipv6_enable

- name: Enable RFC-recommended source validation feature.
sysctl: name='net.ipv4.conf.all.rp_filter' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes

- name: Enable RFC-recommended source validation feature.
sysctl: name='net.ipv4.conf.default.rp_filter' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes

- name: Reduce the surface on SMURF attacks. Make sure to ignore ECHO broadcasts, which are only required in broad network analysis.
sysctl: name='net.ipv4.icmp_echo_ignore_broadcasts' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes

- name: There is no reason to accept bogus error responses from ICMP, so ignore them instead.
sysctl: name='net.ipv4.icmp_ignore_bogus_error_responses' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes

- name: Limit the amount of traffic the system uses for ICMP.
sysctl: name='net.ipv4.icmp_ratelimit' value=100 sysctl_set=yes state=present reload=yes ignoreerrors=yes

- name: Adjust the ICMP ratelimit to include ping, dst unreachable, source quench, ime exceed, param problem, timestamp reply, information reply
sysctl: name='net.ipv4.icmp_ratemask' value=88089 sysctl_set=yes state=present reload=yes ignoreerrors=yes

- name: Disable or Enable IPv6 as it is needed.
sysctl: name='net.ipv6.conf.all.disable_ipv6' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes

- name: Disable or Enable IPv6 as it is needed.
sysctl: name='net.ipv6.conf.all.disable_ipv6' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
when: os_network_ipv6_enable

- name: Protect against wrapping sequence numbers at gigabit speeds
sysctl: name='net.ipv4.tcp_timestamps' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes

- name: Define restriction level for announcing the local source IP
sysctl: name='net.ipv4.conf.all.arp_ignore' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes

- name: Define restriction level for announcing the local source IP
sysctl: name='net.ipv4.conf.all.arp_ignore' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
when: os_network_arp_restricted

- name: Define mode for sending replies in response to received ARP requests that resolve local target IP addresses
sysctl: name='net.ipv4.conf.all.arp_announce' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes

- name: Define mode for sending replies in response to received ARP requests that resolve local target IP addresses
sysctl: name='net.ipv4.conf.all.arp_announce' value=2 sysctl_set=yes state=present reload=yes ignoreerrors=yes
when: os_network_arp_restricted

- name: RFC 1337 fix F1
sysctl: name='net.ipv4.tcp_rfc1337' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes

- name: Syncookies is used to prevent SYN-flooding attacks.
sysctl: name='net.ipv4.tcp_syncookies' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes

- sysctl: name='net.ipv4.conf.all.shared_media' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv4.conf.default.shared_media' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes

- name: Accepting source route can lead to malicious networking behavior, so disable it if not needed.
sysctl: name='net.ipv4.conf.all.accept_source_route' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes

- name: Accepting source route can lead to malicious networking behavior, so disable it if not needed.
sysctl: name='net.ipv4.conf.default.accept_source_route' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes

# Accepting redirects can lead to malicious networking behavior, so disable
# it if not needed.
- sysctl: name='net.ipv4.conf.default.accept_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv4.conf.all.accept_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv4.conf.all.secure_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv4.conf.default.secure_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv6.conf.default.accept_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv6.conf.all.accept_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes

# For non-routers: don't send redirects, these settings are 0
- sysctl: name='net.ipv4.conf.all.send_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv4.conf.all.send_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes

- name: log martian packets
sysctl: name='net.ipv4.conf.all.log_martians' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes

# ipv6 config
# NSA 2.5.3.2.5 Limit Network-Transmitted Configuration
- sysctl: name='net.ipv6.conf.default.router_solicitations' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv6.conf.default.accept_ra_rtr_pref' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv6.conf.default.accept_ra_pinfo' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv6.conf.default.accept_ra_defrtr' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv6.conf.default.autoconf' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv6.conf.default.dad_transmits' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
- sysctl: name='net.ipv6.conf.default.max_addresses' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes


# This settings controls how the kernel behaves towards module changes at
# runtime. Setting to 1 will disable module loading at runtime.
# Setting it to 0 is actually never supported.
- name: This settings controls how the kernel behaves towards module changes at runtime.
sysctl: name='kernel.modules_disabled' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
when: not os_security_kernel_enable_module_loading

# Magic Sysrq should be disabled, but can also be set to a safe value if so
# desired for physical machines. It can allow a safe reboot if the system hangs
# and is a 'cleaner' alternative to hitting the reset button.
# The following values are permitted:
#
# * **0** - disable sysrq
# * **1** - enable sysrq completely
# * **>1** - bitmask of enabled sysrq functions:
# * **2** - control of console logging level
# * **4** - control of keyboard (SAK, unraw)
# * **8** - debugging dumps of processes etc.
# * **16** - sync command
# * **32** - remount read-only
# * **64** - signalling of processes (term, kill, oom-kill)
# * **128** - reboot/poweroff
# * **256** - nicing of all RT tasks
- sysctl: name='kernel.sysrq' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes

- sysctl: name='kernel.sysrq' value='{{ os_security_kernel_secure_sysrq }}' sysctl_set=yes state=present reload=yes ignoreerrors=yes
when: os_security_kernel_enable_sysrq

- name: Prevent core dumps with SUID. These are usually only needed by developers and may contain sensitive information.
sysctl: name='fs.suid_dumpable' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes

- name: # Prevent core dumps with SUID. These are usually only needed by developers and may contain sensitive information.
sysctl: name='fs.suid_dumpable' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
when: os_security_kernel_enable_core_dump

8 changes: 8 additions & 0 deletions roles/ansible-os-hardening/tasks/yum.yml
View file
@@ -0,0 +1,8 @@
---
- name: activate gpg-check for yum-repos in yum.conf
shell: "sed -i 's/gpgcheck=0/gpgcheck=1/g' /etc/yum.conf"
when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'

- name: activate gpg-check for yum-repos in yum-repositories
shell: "sed -i 's/gpgcheck=0/gpgcheck=1/g' /etc/yum.repos.d/*.repo"
when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'

0 comments on commit a305b94

Please sign in to comment.