Updated Ansible setup
parent
2775bc8df1
commit
0a6dcf6cc7
165 changed files with 2101 additions and 1633 deletions
27
README.md
27
README.md
|
@ -89,20 +89,22 @@ Install or update the following roles from [Ansible Galaxy](https://docs.ansible
|
|||
|
||||
```
|
||||
ansible-galaxy install \
|
||||
dev-sec.nginx-hardening dev-sec.ssh-hardening dev-sec.os-hardening \
|
||||
geerlingguy.nodejs geerlingguy.certbot
|
||||
dev-sec.nginx-hardening \
|
||||
dev-sec.ssh-hardening \
|
||||
dev-sec.os-hardening \
|
||||
geerlingguy.nodejs
|
||||
```
|
||||
|
||||
To check that the scripts and roles are correctly installed, use this command to do a "dry run":
|
||||
|
||||
```
|
||||
ansible-playbook -s ansible/*.yaml -i ansible/inventories/production --syntax-check --list-tasks
|
||||
ansible-playbook -i ansible/inventories/production --syntax-check --list-tasks ansible/*.yaml
|
||||
```
|
||||
|
||||
To do production deployments, you need to obtain SSH and vault keys from your system administrator (who has followed the Ansible guide to set up a vault..), and place these in a `.keys` folder. To deploy a site:
|
||||
|
||||
```
|
||||
ansible-playbook -s ansible/<*.yaml> -i ansible/inventories/production
|
||||
ansible-playbook -i ansible/inventories/production ansible/*.yaml
|
||||
```
|
||||
|
||||
For an update release with a specific version, use:
|
||||
|
@ -111,7 +113,7 @@ For an update release with a specific version, use:
|
|||
ansible-playbook -s ansible/site.yaml -i ansible/inventories/production --tags release -e gitversion=<v*.*.*>
|
||||
```
|
||||
|
||||
We use a StackScript to deploy to Linode, the basic system set up is to have a user in the sudoers and docker group, and a few basic system packages ready.
|
||||
Once the basic system set up, i.e. you have an `ansible` user in the sudoers and docker group, and a few basic system packages ready.
|
||||
|
||||
For example, on Ubuntu:
|
||||
|
||||
|
@ -119,28 +121,19 @@ For example, on Ubuntu:
|
|||
apt-get install -q -y zip git nginx python-virtualenv python-dev
|
||||
```
|
||||
|
||||
The order of deployment is:
|
||||
The typical order of deployment is:
|
||||
|
||||
- docker.yaml (base system)
|
||||
- node.yaml
|
||||
- site.yaml
|
||||
- docker.yaml
|
||||
- harden.yaml
|
||||
- certbot.yaml
|
||||
|
||||
The last line adds support for Let's Encrypt, which you can configure and enable (updating your Nginx setup) with:
|
||||
|
||||
```
|
||||
sudo /opt/certbot/certbot-auto --nginx certonly
|
||||
```
|
||||
|
||||
If you do **not** wish to use SSL, delete the last part of your nginx site configuration (/etc/nginx/sites-enabled/...).
|
||||
|
||||
### Production releases
|
||||
|
||||
For further deployment and system maintenance we have a `Makefile` which automates Docker Compose tasks. This should be converted to use [Ansible Container](http://docs.ansible.com/ansible-container/getting_started.html). In the meantime, start a release with Ansible, then complete it using `make`, i.e.:
|
||||
|
||||
```
|
||||
ansible-playbook -s ansible/site.yaml -i ansible/inventories/production --tags release
|
||||
ansible-playbook -i ansible/inventories/production --tags release ansible/site.yaml
|
||||
ssh -i .keys/ansible.pem ansible@<server-ip> "cd <release_dir> && make release"
|
||||
```
|
||||
|
||||
|
|
|
@ -1,13 +0,0 @@
|
|||
- hosts: webservers
|
||||
become: true
|
||||
become_method: 'sudo'
|
||||
gather_facts: yes
|
||||
vars:
|
||||
certbot_auto_renew_user: ansible
|
||||
certbot_auto_renew_minute: 20
|
||||
certbot_auto_renew_hour: 5
|
||||
certbot_dir: /opt/certbot
|
||||
certbot_install_from_source: yes
|
||||
certbot_version: v0.14.2
|
||||
roles:
|
||||
- geerlingguy.certbot
|
|
@ -3,7 +3,5 @@
|
|||
become_method: 'sudo'
|
||||
gather_facts: yes
|
||||
roles:
|
||||
- role: docker-ubuntu
|
||||
- role: geerlingguy.docker
|
||||
docker_users: ansible
|
||||
- role: docker-compose
|
||||
docker_compose_version: 1.12.0
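Review bot: `docker_users: ansible` puts the deploy user into the docker group, which on a host running the Docker daemon is root-equivalent, and this play already runs it with `become` via sudo; that should be stated on the line so nobody later treats the account as least-privilege, e.g. `docker_users: [ansible]  # docker group membership is root-equivalent on this host`. Writing it as a YAML list rather than a bare string also matches how the geerlingguy.docker role documents `docker_users`, instead of relying on the role's loop coercing a scalar. Dropping the pinned `docker_compose_version: 1.12.0` means the compose binary now comes from whatever the new role installs by default, if it installs one at all; if the `make release` step in the README still depends on compose, pin it explicitly through the role's own `docker_compose_version` variable so deployments stay reproducible. The play header (`hosts`, `become`) lies outside the hunk.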
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
---
|
||||
|
||||
django_project_name: publichealth
|
||||
|
||||
elasticsearch_heap_size: 1g
|
||||
|
||||
memcached_memory_allocation_mb: 256
|
||||
|
||||
nginx_worker_processes: 2
|
||||
nginx_worker_connections: 1024
|
||||
|
||||
domain: "{{ vault_domain }}"
|
||||
|
||||
allowed_domains: "{{ vault_allowed_domains }}"
|
||||
|
||||
django_email_key: "{{ vault_django_email_key }}"
|
||||
django_email_domain: "{{ vault_django_email_domain }}"
|
||||
django_email_from: "{{ vault_django_email_from }}"
|
||||
|
||||
django_secret_key: "{{ vault_django_secret_key }}"
|
||||
|
||||
# Default: postgres://postgres:@postgres:5432/postgres
|
||||
django_postgres_url: "{{ vault_django_postgres_url }}"
|
||||
|
||||
# Default: http://elasticsearch:9200
|
||||
django_elasticsearch_url: "{{ vault_django_elasticsearch_url }}"
|
||||
|
||||
# Default: redis://redis:6379
|
||||
django_redis_url: "{{ vault_django_redis_url }}"
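Review bot: The `# Default:` comments above `django_postgres_url`, `django_elasticsearch_url` and `django_redis_url` describe unauthenticated endpoints (the postgres DSN carries an empty password) without saying where those defaults apply, so a reader could take them as acceptable values to put in the vault. Add one line above that block, e.g. `# "Default:" below is the compose-internal address the app falls back to when the vault variable is unset; production vault values must carry real credentials.`, after confirming against the application's settings that these really are its fallbacks. A one-line header stating that every `vault_*` name is resolved from the encrypted vault file of the same inventory would also help the next maintainer find where `django_secret_key` and `django_email_key` actually live.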
|
|
@ -0,0 +1,46 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
39623434656631643030663563343865363562353834336262353939666566643961323936316537
|
||||
6139376161613163626664323564626134333066346265330a636334616466306464316365653038
|
||||
32646430633039303364366163646430633436366664333064393364663132363535666338666137
|
||||
3531323636316435640a326135303364623461623434343663343062653434356165356161326365
|
||||
66663664643463393964653764376264616166306433343761653037616639326538626531663239
|
||||
37376263303237346131326231656439366430373637653634396139333431636565373630626131
|
||||
39303661383937346630623830613462393163333032643035313765393030653337363161386364
|
||||
36623132353033316239326365343064663130333161353835643935613034303838373861323163
|
||||
62363564343531666665356439326139366463646661636534386334323765636336306136623766
|
||||
62636534626461326166613934663535633962336130386463633439343434353637396131383633
|
||||
61343335393463313433356363366639626535346263333635393039376335343965393138323639
|
||||
32386461626164356666386535393365616539323631303265303833373635646339343031346139
|
||||
39336332396662636561613636303866303230353866646330306433353938306133336239326431
|
||||
65383365313336636166353533363439333739373832353839656139306262366230646631363033
|
||||
62653430396463663232613539353135666465666635316432383230306361376330353938356538
|
||||
39333566373366323134613262623865383866363163383931386632643131313939346161343438
|
||||
38353733393938356266353761326635316239373964656535633937643830373161646661333130
|
||||
36646364646361343336326662346361616239653964646537306366333234313833623337653732
|
||||
66623238613961303131356632343163323264616664373638653331656561663333306133386630
|
||||
62333662306234663036333062646635303662646136396666343535383565386664313239656633
|
||||
32663366323964306362346366393734623630376432373936316362616639363636306439623636
|
||||
34313165663264653235636632386563323964373863396363303934336138323435333462373033
|
||||
34373163623864623836646435333730386137383634333066653865666331303438616462366134
|
||||
63343837373130616638646338643339393432343130323838303837636566626436336538396463
|
||||
65393332343964663233623634363234643266386634336231303930396463303537373466633565
|
||||
64393966306161336265393936656364383237363065326130356331643766383166656536643263
|
||||
32636236333637663737366666616461653939303033643730623137353735663234636438623431
|
||||
38623931343939376661633438336563383365633336343563646134376230613930626461383133
|
||||
39616535646166333435363234643939376464323730333263633333616531393666363561633133
|
||||
36396464383662623439616630633361316339306139393434383932663464653634393064343061
|
||||
63643338396432326539363166366163373336616137326566643764303361636130613439663036
|
||||
38376261326333373061653862663833313563363537373534336638656632313033616238393638
|
||||
63353435613231316439366535656139623366333534303662323839336232646636346166653866
|
||||
36633138396363616663306535353432313938306535376361353065323935303266386332343730
|
||||
36346335386238666235333263626265353431616262313537396336353232363964316538303363
|
||||
36303165313462653336653863343233323336383835336230393836343332376165653866643738
|
||||
65393734393037303162653930313564303837353631623632343561336561383062613363653238
|
||||
37353234616333356432643731343535313434613534323835613465656432333735643863386264
|
||||
61653235333239663739353738323264333930653337323431666461636265383836663539323531
|
||||
39633761323536306536633064666161383839626437666430613963353430366435383630386232
|
||||
35646439303031643035616133326433326163333830643436663262633665653365343830653630
|
||||
37613235623462623937383330656530363033336636653534316235636336636137333537393434
|
||||
33663664303437396632663630643166393631613566646165386333363035373733393333623365
|
||||
62313862383432396362363565636361623630313161653436633366323836333566396363313535
|
||||
39623166313239663638643134613364623934303438313136353562633962336538
|
13
ansible/inventories/evolution/webservers
Normal file
13
ansible/inventories/evolution/webservers
Normal file
|
@ -0,0 +1,13 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
61393361636537666237333561613438353833396362323665653635333365313632663138393464
|
||||
3235343235373336386135306436373332613033303034330a353536663964306266376662366263
|
||||
63346635333630656238366566666463373536323536396566363163393932613130623366323334
|
||||
3730333438326538380a623461333435376635373837346166303230383231623331363535623934
|
||||
38373834393464636633353132356136383363316134356334323737303762393063326532356135
|
||||
37643535386466656365663432376335666533653737323861393936353236343532663238663430
|
||||
30376161616161653539633934333366383061373134313866646262613430363930303866613837
|
||||
66643636393131393766653632386131613663363338376461623836613462643766376363626563
|
||||
37393938326465633661663938613935653838613063613937663837323435323765326461346261
|
||||
31616130336662326233623466353933343139666636313333303335306632663465666232373037
|
||||
33346235663765393337656336653866393233616561613738343337653038653665356535633631
|
||||
39366432343634303861
|
|
@ -1 +1,2 @@
|
|||
{install_date: 'Mon Dec 17 12:48:14 2018', version: 2.1.0}
|
||||
install_date: Fri May 15 20:29:19 2020
|
||||
version: 2.1.0
|
||||
|
|
34
ansible/roles/dev-sec.os-hardening/.github/workflows/changelog.yml
vendored
Normal file
34
ansible/roles/dev-sec.os-hardening/.github/workflows/changelog.yml
vendored
Normal file
|
@ -0,0 +1,34 @@
|
|||
name: Create Changelog
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
types: [closed]
|
||||
|
||||
release:
|
||||
types: [published]
|
||||
|
||||
issues:
|
||||
types: [closed, edited]
|
||||
|
||||
jobs:
|
||||
generate_changelog:
|
||||
runs-on: ubuntu-latest
|
||||
name: Generate changelog for master branch
|
||||
steps:
|
||||
- uses: actions/checkout@v1
|
||||
|
||||
- name: Generate changelog
|
||||
uses: charmixer/auto-changelog-action@v1
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: push
|
||||
uses: github-actions-x/commit@v2.6
|
||||
with:
|
||||
github-token: ${{ secrets.GITHUB_TOKEN }}
|
||||
push-branch: 'master'
|
||||
commit-message: 'update changelog'
|
||||
force-add: 'true'
|
||||
files: CHANGELOG.md
|
||||
name: dev-sec CI
|
||||
email: github@gumpri.ch
|
50
ansible/roles/dev-sec.os-hardening/.github/workflows/release.yml
vendored
Normal file
50
ansible/roles/dev-sec.os-hardening/.github/workflows/release.yml
vendored
Normal file
|
@ -0,0 +1,50 @@
|
|||
name: New release
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
|
||||
jobs:
|
||||
generate_changelog:
|
||||
runs-on: ubuntu-latest
|
||||
name: create release draft
|
||||
steps:
|
||||
- uses: actions/checkout@v1
|
||||
|
||||
- name: 'Get Previous tag'
|
||||
id: previoustag
|
||||
uses: "WyriHaximus/github-action-get-previous-tag@master"
|
||||
env:
|
||||
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
|
||||
|
||||
- name: calculate next version
|
||||
id: version
|
||||
uses: patrickjahns/version-drafter-action@v1
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: Generate changelog
|
||||
uses: charmixer/auto-changelog-action@v1
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
since_tag: ${{ steps.previoustag.outputs.tag }}
|
||||
future_release: ${{ steps.version.outputs.next-version }}
|
||||
|
||||
- name: Read CHANGELOG.md
|
||||
id: package
|
||||
uses: juliangruber/read-file-action@v1
|
||||
with:
|
||||
path: ./CHANGELOG.md
|
||||
|
||||
- name: Create Release draft
|
||||
id: create_release
|
||||
uses: actions/create-release@v1
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
|
||||
with:
|
||||
release_name: ${{ steps.version.outputs.next-version }}
|
||||
tag_name: ${{ steps.version.outputs.next-version }}
|
||||
body: |
|
||||
${{ steps.package.outputs.content }}
|
||||
draft: true
|
|
@ -16,47 +16,47 @@ provisioner:
|
|||
require_ruby_for_busser: false
|
||||
ansible_verbose: true
|
||||
roles_path: ../ansible-os-hardening/
|
||||
playbook: default.yml
|
||||
playbook: tests/test.yml
|
||||
http_proxy: <%= ENV['http_proxy'] || nil %>
|
||||
https_proxy: <%= ENV['https_proxy'] || nil %>
|
||||
|
||||
transport:
|
||||
max_ssh_sessions: 5
|
||||
max_ssh_sessions: 1
|
||||
|
||||
platforms:
|
||||
- name: ubuntu14.04
|
||||
- name: ubuntu-16.04
|
||||
driver_config:
|
||||
box: opscode-ubuntu-14.04
|
||||
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box
|
||||
- name: ubuntu16.04
|
||||
box: bento/ubuntu-16.04
|
||||
- name: ubuntu-18.04
|
||||
driver_config:
|
||||
box: opscode-ubuntu-16.04
|
||||
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-16.04_chef-provisionerless.box
|
||||
- name: ubuntu18.04
|
||||
box: bento/ubuntu-18.04
|
||||
- name: centos-6
|
||||
driver_config:
|
||||
box: ubuntu/bionic64
|
||||
- name: centos6
|
||||
box: bento/centos-6.7
|
||||
- name: centos-7
|
||||
driver_config:
|
||||
box: bento/centos-6.9
|
||||
- name: centos7
|
||||
box: bento/centos-7
|
||||
- name: centos-8
|
||||
driver_config:
|
||||
box: bento/centos-7.3
|
||||
- name: oracle6
|
||||
box: bento/centos-8
|
||||
- name: oracle-6
|
||||
driver_config:
|
||||
box: oracle-6.5
|
||||
box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box
|
||||
- name: oracle7
|
||||
box: bento/oracle-6
|
||||
- name: oracle-7
|
||||
driver_config:
|
||||
box: boxcutter/ol72
|
||||
- name: debian7
|
||||
box: bento/oracle-7
|
||||
- name: debian-9
|
||||
driver_config:
|
||||
box: bento/debian-7.11
|
||||
- name: debian8
|
||||
box: bento/debian-9
|
||||
- name: debian-10
|
||||
driver_config:
|
||||
box: bento/debian-8.8
|
||||
- name: debian9
|
||||
box: bento/debian-10
|
||||
- name: amazon
|
||||
driver_config:
|
||||
box: bento/debian-9.0
|
||||
box: bento/amazonlinux-2
|
||||
- name: opensuse_tumbleweed
|
||||
driver_config:
|
||||
box: opensuse/Tumbleweed.x86_64
|
||||
|
||||
verifier:
|
||||
name: inspec
|
||||
|
|
|
@ -7,7 +7,7 @@ driver:
|
|||
https_proxy: <%= ENV['https_proxy'] || nil %>
|
||||
|
||||
transport:
|
||||
max_ssh_sessions: 5
|
||||
max_ssh_sessions: 1
|
||||
|
||||
provisioner:
|
||||
name: ansible_playbook
|
||||
|
@ -17,7 +17,7 @@ provisioner:
|
|||
require_ruby_for_busser: false
|
||||
ansible_verbose: true
|
||||
ansible_diff: true
|
||||
hosts: all
|
||||
|
||||
roles_path: ../ansible-os-hardening/
|
||||
http_proxy: <%= ENV['http_proxy'] || nil %>
|
||||
https_proxy: <%= ENV['https_proxy'] || nil %>
|
||||
|
@ -36,6 +36,14 @@ platforms:
|
|||
provision_command:
|
||||
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
|
||||
- systemctl enable sshd.service
|
||||
- name: centos8-ansible-latest
|
||||
driver:
|
||||
image: rndmh3ro/docker-centos8-ansible:latest
|
||||
platform: centos
|
||||
run_command: /sbin/init
|
||||
provision_command:
|
||||
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
|
||||
- systemctl enable sshd.service
|
||||
- name: oracle6-ansible-latest
|
||||
driver:
|
||||
image: rndmh3ro/docker-oracle6-ansible:latest
|
||||
|
@ -48,10 +56,6 @@ platforms:
|
|||
provision_command:
|
||||
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
|
||||
- systemctl enable sshd.service
|
||||
- name: ubuntu1404-ansible-latest
|
||||
driver:
|
||||
image: rndmh3ro/docker-ubuntu1404-ansible:latest
|
||||
platform: ubuntu
|
||||
- name: ubuntu1604-ansible-latest
|
||||
driver:
|
||||
image: rndmh3ro/docker-ubuntu1604-ansible:latest
|
||||
|
@ -66,14 +70,6 @@ platforms:
|
|||
run_command: /sbin/init
|
||||
provision_command:
|
||||
- systemctl enable ssh.service
|
||||
- name: debian7-ansible-latest
|
||||
driver:
|
||||
image: rndmh3ro/docker-debian7-ansible:latest
|
||||
platform: debian
|
||||
- name: debian8-ansible-latest
|
||||
driver:
|
||||
image: rndmh3ro/docker-debian8-ansible:latest
|
||||
platform: debian
|
||||
- name: debian9-ansible-latest
|
||||
driver:
|
||||
image: rndmh3ro/docker-debian9-ansible:latest
|
||||
|
@ -82,6 +78,14 @@ platforms:
|
|||
provision_command:
|
||||
- apt install -y systemd-sysv
|
||||
- systemctl enable ssh.service
|
||||
- name: debian10-ansible-latest
|
||||
driver:
|
||||
image: rndmh3ro/docker-debian10-ansible:latest
|
||||
platform: debian
|
||||
run_command: /sbin/init
|
||||
provision_command:
|
||||
- apt install -y systemd-sysv
|
||||
- systemctl enable ssh.service
|
||||
- name: amazon-ansible-latest
|
||||
driver:
|
||||
image: rndmh3ro/docker-amazon-ansible:latest
|
||||
|
@ -90,6 +94,23 @@ platforms:
|
|||
provision_command:
|
||||
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
|
||||
- systemctl enable sshd.service
|
||||
- name: fedora-ansible-latest
|
||||
driver:
|
||||
image: rndmh3ro/docker-fedora-ansible:latest
|
||||
platform: centos
|
||||
run_command: /sbin/init
|
||||
provision_command:
|
||||
- dnf install -y python
|
||||
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
|
||||
- systemctl enable sshd.service
|
||||
- name: opensuse_tumbleweed-ansible-latest
|
||||
driver:
|
||||
image: rndmh3ro/docker-opensuse_tumbleweed-ansible
|
||||
platform: opensuse
|
||||
provision_command:
|
||||
- zypper -n install python-xml rpm-python
|
||||
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
|
||||
- systemctl enable sshd.service
|
||||
|
||||
verifier:
|
||||
name: inspec
|
||||
|
|
|
@ -11,6 +11,16 @@ env:
|
|||
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
||||
version: latest
|
||||
|
||||
- distro: centos8
|
||||
init: /lib/systemd/systemd
|
||||
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
||||
version: latest
|
||||
|
||||
- distro: fedora
|
||||
init: /lib/systemd/systemd
|
||||
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
||||
version: latest
|
||||
|
||||
- distro: oracle6
|
||||
version: latest
|
||||
init: /sbin/init
|
||||
|
@ -20,10 +30,6 @@ env:
|
|||
# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
||||
# version: latest
|
||||
|
||||
- distro: ubuntu1404
|
||||
version: latest
|
||||
init: /sbin/init
|
||||
|
||||
- distro: ubuntu1604
|
||||
version: latest
|
||||
init: /lib/systemd/systemd
|
||||
|
@ -34,16 +40,12 @@ env:
|
|||
init: /lib/systemd/systemd
|
||||
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
||||
|
||||
- distro: debian7
|
||||
- distro: debian9
|
||||
version: latest
|
||||
init: /sbin/init
|
||||
|
||||
- distro: debian8
|
||||
version: latest
|
||||
init: /sbin/init
|
||||
init: /lib/systemd/systemd
|
||||
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
||||
|
||||
- distro: debian9
|
||||
- distro: debian10
|
||||
version: latest
|
||||
init: /lib/systemd/systemd
|
||||
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
||||
|
@ -53,17 +55,28 @@ env:
|
|||
version: latest
|
||||
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
||||
|
||||
# - distro: opensuse_tumbleweed
|
||||
# init: /usr/lib/systemd/systemd
|
||||
# version: latest
|
||||
# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro --volume=/run:/run:ro"
|
||||
|
||||
before_install:
|
||||
# Pull container
|
||||
- 'docker pull rndmh3ro/docker-${distro}-ansible:${version}'
|
||||
|
||||
script:
|
||||
- pip install --user ansible-lint
|
||||
- ansible-lint ./
|
||||
|
||||
- container_id=$(mktemp)
|
||||
# Run container in detached state.
|
||||
- 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-os-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
|
||||
|
||||
# Output Ansible version from docker image
|
||||
- 'docker exec "$(cat ${container_id})" ansible-playbook --version'
|
||||
|
||||
# Test role.
|
||||
- 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/tests/test.yml --diff --skip-tags "sysctl"'
|
||||
- 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/tests/test.yml --diff'
|
||||
|
||||
# Verify role
|
||||
- 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --controls=os-01 os-02 os-03 os-04 os-05 os-05b os-06 os-07 os-09 os-10 os-11 package-01 package-02 package-03 package-05 package-06 package-08 package-09 --no-distinct-exit'
|
||||
|
|
|
@ -1,6 +1,113 @@
|
|||
# Change Log
|
||||
# Changelog
|
||||
|
||||
## [Unreleased](https://github.com/dev-sec/ansible-os-hardening/tree/HEAD)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.0...HEAD)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- add changelog and release workflow [\#271](https://github.com/dev-sec/ansible-os-hardening/pull/271) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- github action for changelog generation [\#270](https://github.com/dev-sec/ansible-os-hardening/pull/270) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [6.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.0) (2020-05-05)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.2.1...6.0.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- Configure audit=1 for more accurate auid auditing [\#253](https://github.com/dev-sec/ansible-os-hardening/issues/253)
|
||||
- Add Debian Buster support for ansible-os-hardening [\#233](https://github.com/dev-sec/ansible-os-hardening/issues/233)
|
||||
- Add CentOS 8 support for ansible-os-hardening [\#232](https://github.com/dev-sec/ansible-os-hardening/issues/232)
|
||||
- Add selinux configuration [\#154](https://github.com/dev-sec/ansible-os-hardening/issues/154)
|
||||
- Make useradd defaults in login.defs dependent on OS [\#266](https://github.com/dev-sec/ansible-os-hardening/pull/266) ([Aisbergg](https://github.com/Aisbergg))
|
||||
- Add kernel hardening parameters from Tails and CIS Benchmark [\#263](https://github.com/dev-sec/ansible-os-hardening/pull/263) ([kravietz](https://github.com/kravietz))
|
||||
- add ansible-lint [\#262](https://github.com/dev-sec/ansible-os-hardening/pull/262) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Remove trailing space [\#261](https://github.com/dev-sec/ansible-os-hardening/pull/261) ([kravietz](https://github.com/kravietz))
|
||||
- Add kernel parameter information to README [\#259](https://github.com/dev-sec/ansible-os-hardening/pull/259) ([jaredledvina](https://github.com/jaredledvina))
|
||||
- Remove trailing whitespaces \(ansible-lint 201\) [\#254](https://github.com/dev-sec/ansible-os-hardening/pull/254) ([kravietz](https://github.com/kravietz))
|
||||
- Standardize the var ordering [\#251](https://github.com/dev-sec/ansible-os-hardening/pull/251) ([dustinmiller1337](https://github.com/dustinmiller1337))
|
||||
- Add intial support for OpenSUSE [\#250](https://github.com/dev-sec/ansible-os-hardening/pull/250) ([dustinmiller1337](https://github.com/dustinmiller1337))
|
||||
- Make max\_log\_file\_action for auditd configurable [\#246](https://github.com/dev-sec/ansible-os-hardening/pull/246) ([jandd](https://github.com/jandd))
|
||||
- Add exception in sysctl task [\#240](https://github.com/dev-sec/ansible-os-hardening/pull/240) ([okupriyanov](https://github.com/okupriyanov))
|
||||
- Fedora - Use new auto ansible\_python\_interpreter for dnf [\#239](https://github.com/dev-sec/ansible-os-hardening/pull/239) ([jaredledvina](https://github.com/jaredledvina))
|
||||
- add test support for CentOS8 [\#237](https://github.com/dev-sec/ansible-os-hardening/pull/237) ([yeoldegrove](https://github.com/yeoldegrove))
|
||||
- Support configuring SELinux and default to enforcing [\#236](https://github.com/dev-sec/ansible-os-hardening/pull/236) ([jaredledvina](https://github.com/jaredledvina))
|
||||
- Add test support for debian buster [\#234](https://github.com/dev-sec/ansible-os-hardening/pull/234) ([123Haynes](https://github.com/123Haynes))
|
||||
- Changed local var name to a less common one [\#231](https://github.com/dev-sec/ansible-os-hardening/pull/231) ([rgarrigue](https://github.com/rgarrigue))
|
||||
- Use ansible facts for vars [\#226](https://github.com/dev-sec/ansible-os-hardening/pull/226) ([joshuatalb](https://github.com/joshuatalb))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- /etc/login.defs alters centos 7/8 default values [\#265](https://github.com/dev-sec/ansible-os-hardening/issues/265)
|
||||
- Invalid Conditionals in user\_accounts.yml [\#255](https://github.com/dev-sec/ansible-os-hardening/issues/255)
|
||||
- `auth-system` related files are created for non-RHEL systems \(e.g. Debian\) [\#247](https://github.com/dev-sec/ansible-os-hardening/issues/247)
|
||||
- NSA website links are stale [\#227](https://github.com/dev-sec/ansible-os-hardening/issues/227)
|
||||
- Running ansible on python3 throughs "TypeError: '\<=' not supported between instances of 'str' and 'int'" [\#223](https://github.com/dev-sec/ansible-os-hardening/issues/223)
|
||||
- \[lots of\] deprecation warnings in Ansible 2.8 [\#221](https://github.com/dev-sec/ansible-os-hardening/issues/221)
|
||||
- Add a "don't fail on error" switch ? [\#148](https://github.com/dev-sec/ansible-os-hardening/issues/148)
|
||||
- Addressing issue \#255 [\#258](https://github.com/dev-sec/ansible-os-hardening/pull/258) ([ljkimmel](https://github.com/ljkimmel))
|
||||
- Fix \#247, cleanup conditions [\#248](https://github.com/dev-sec/ansible-os-hardening/pull/248) ([fernandezcuesta](https://github.com/fernandezcuesta))
|
||||
- Fix error on applying the sysctl vars on containers [\#243](https://github.com/dev-sec/ansible-os-hardening/pull/243) ([okupriyanov](https://github.com/okupriyanov))
|
||||
- Update location of NSA RHEL 5 Guide [\#235](https://github.com/dev-sec/ansible-os-hardening/pull/235) ([jaredledvina](https://github.com/jaredledvina))
|
||||
|
||||
## [5.2.1](https://github.com/dev-sec/ansible-os-hardening/tree/5.2.1) (2019-06-09)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.2.0...5.2.1)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- Fix deprecation warnings in Ansible 2.8 [\#224](https://github.com/dev-sec/ansible-os-hardening/pull/224) ([Normo](https://github.com/Normo))
|
||||
- add docs to find-task in minimize access. fix \#219 [\#220](https://github.com/dev-sec/ansible-os-hardening/pull/220) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- `squash\_actions` deprecation warning [\#218](https://github.com/dev-sec/ansible-os-hardening/issues/218)
|
||||
|
||||
## [5.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/5.2.0) (2019-05-04)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.1.0...5.2.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- Speed up "minimize access on found files" task [\#208](https://github.com/dev-sec/ansible-os-hardening/issues/208)
|
||||
- Fedora support? [\#163](https://github.com/dev-sec/ansible-os-hardening/issues/163)
|
||||
- remove eol'd OS and add new [\#217](https://github.com/dev-sec/ansible-os-hardening/pull/217) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Add note about docker under warning [\#214](https://github.com/dev-sec/ansible-os-hardening/pull/214) ([ChrisMcKee](https://github.com/ChrisMcKee))
|
||||
- change minimize access tasks to speed them up [\#209](https://github.com/dev-sec/ansible-os-hardening/pull/209) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Added fedora support [\#206](https://github.com/dev-sec/ansible-os-hardening/pull/206) ([jonaswre](https://github.com/jonaswre))
|
||||
- Pass package list directly to apt and yum modules without using with\_items loop [\#200](https://github.com/dev-sec/ansible-os-hardening/pull/200) ([Normo](https://github.com/Normo))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- login.defs.j2 template: ENV\_PATH is missing ':' before variable substitution [\#202](https://github.com/dev-sec/ansible-os-hardening/issues/202)
|
||||
- 'sysctl\_rhel\_config' is undefined [\#167](https://github.com/dev-sec/ansible-os-hardening/issues/167)
|
||||
- RHEL 7.4: Too many setuid bits removed [\#140](https://github.com/dev-sec/ansible-os-hardening/issues/140)
|
||||
- Fix typo [\#212](https://github.com/dev-sec/ansible-os-hardening/pull/212) ([ruslo](https://github.com/ruslo))
|
||||
- Update modprobe to 0644 [\#211](https://github.com/dev-sec/ansible-os-hardening/pull/211) ([joshuatalb](https://github.com/joshuatalb))
|
||||
- Test Kitchen Vagrant Fixes [\#210](https://github.com/dev-sec/ansible-os-hardening/pull/210) ([joshuatalb](https://github.com/joshuatalb))
|
||||
- \[readme\] Update documentation link [\#207](https://github.com/dev-sec/ansible-os-hardening/pull/207) ([pmav99](https://github.com/pmav99))
|
||||
- fix ansible lint remarks [\#204](https://github.com/dev-sec/ansible-os-hardening/pull/204) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- add colon to user env paths - fix \#202 [\#203](https://github.com/dev-sec/ansible-os-hardening/pull/203) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Fix errors produced by ansible-lint [\#159](https://github.com/dev-sec/ansible-os-hardening/pull/159) ([zbrojny120](https://github.com/zbrojny120))
|
||||
|
||||
## [5.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/5.1.0) (2018-10-17)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.0.0...5.1.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- add ubuntu 1804 support [\#196](https://github.com/dev-sec/ansible-os-hardening/pull/196) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- add option to disable auditd [\#192](https://github.com/dev-sec/ansible-os-hardening/pull/192) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- auditd causing v5.0 to fail on unpriviledged LXC's [\#191](https://github.com/dev-sec/ansible-os-hardening/issues/191)
|
||||
- Setting os\_security\_users\_allow has no effect [\#175](https://github.com/dev-sec/ansible-os-hardening/issues/175)
|
||||
- add /usr/bin/su to suid\_guid whitelist [\#199](https://github.com/dev-sec/ansible-os-hardening/pull/199) ([ccolic](https://github.com/ccolic))
|
||||
- ensure that permissions to su-binary are not restricted to root user and group only, if os\_security\_users\_allow contains the value change\_user [\#197](https://github.com/dev-sec/ansible-os-hardening/pull/197) ([szEvEz](https://github.com/szEvEz))
|
||||
|
||||
## [5.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/5.0.0) (2018-09-02)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.3.0...5.0.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
@ -34,6 +141,7 @@
|
|||
- change minimize access method [\#181](https://github.com/dev-sec/ansible-os-hardening/pull/181) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [4.3.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.3.0) (2018-01-03)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.3.1...4.3.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
@ -63,6 +171,7 @@
|
|||
- move defaults to os-specific vars [\#157](https://github.com/dev-sec/ansible-os-hardening/pull/157) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [4.3.1](https://github.com/dev-sec/ansible-os-hardening/tree/4.3.1) (2017-09-13)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.2.0...4.3.1)
|
||||
|
||||
**Fixed bugs:**
|
||||
|
@ -70,6 +179,7 @@
|
|||
- os\_security\_kernel\_enable\_sysrq is not implemented [\#115](https://github.com/dev-sec/ansible-os-hardening/issues/115)
|
||||
|
||||
## [4.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.2.0) (2017-08-08)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.1.0...4.2.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
@ -93,6 +203,7 @@
|
|||
- remove execshield sysctl-parameter on rhel7 [\#119](https://github.com/dev-sec/ansible-os-hardening/pull/119) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [4.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.1.0) (2017-06-27)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.0.0...4.1.0)
|
||||
|
||||
**Fixed bugs:**
|
||||
|
@ -113,6 +224,7 @@
|
|||
- add more sysctl settings, allow overwriting [\#120](https://github.com/dev-sec/ansible-os-hardening/pull/120) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [4.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.0.0) (2017-03-14)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.2.0...4.0.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
@ -124,7 +236,6 @@
|
|||
**Fixed bugs:**
|
||||
|
||||
- The role fails when conditionally included [\#105](https://github.com/dev-sec/ansible-os-hardening/issues/105)
|
||||
- omit empty variables [\#106](https://github.com/dev-sec/ansible-os-hardening/pull/106) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
**Closed issues:**
|
||||
|
||||
|
@ -139,6 +250,7 @@
|
|||
- Don’t refer to this role as "playbook" in the role description [\#104](https://github.com/dev-sec/ansible-os-hardening/pull/104) ([ypid](https://github.com/ypid))
|
||||
|
||||
## [3.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.2.0) (2016-10-24)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.1.0...3.2.0)
|
||||
|
||||
**Fixed bugs:**
|
||||
|
@ -156,9 +268,11 @@
|
|||
- add rhel7 pam\_pwquality. fix \#73 [\#94](https://github.com/dev-sec/ansible-os-hardening/pull/94) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [3.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.1.0) (2016-08-03)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.1...3.1.0)
|
||||
|
||||
## [3.1](https://github.com/dev-sec/ansible-os-hardening/tree/3.1) (2016-07-27)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.0.0...3.1)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
@ -181,7 +295,6 @@
|
|||
- Permissions on /etc/shadow can lock out GUI users [\#86](https://github.com/dev-sec/ansible-os-hardening/issues/86)
|
||||
- network related sysctl rewritten by ufw in ubuntu [\#82](https://github.com/dev-sec/ansible-os-hardening/issues/82)
|
||||
- ansible \>= 2.0 complains: Using bare variables is deprecated [\#78](https://github.com/dev-sec/ansible-os-hardening/issues/78)
|
||||
- Norm-Audit-Hardening-Audit [\#76](https://github.com/dev-sec/ansible-os-hardening/issues/76)
|
||||
|
||||
**Merged pull requests:**
|
||||
|
||||
|
@ -189,6 +302,7 @@
|
|||
- Permits overriding permissions on /etc/shadow [\#89](https://github.com/dev-sec/ansible-os-hardening/pull/89) ([conorsch](https://github.com/conorsch))
|
||||
|
||||
## [3.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.0.0) (2016-03-13)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/2.0.0...3.0.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
@ -208,7 +322,6 @@
|
|||
|
||||
- Updates "tags" parameters on includes in main.yml [\#66](https://github.com/dev-sec/ansible-os-hardening/pull/66) ([conorsch](https://github.com/conorsch))
|
||||
- Suid set def var, fix \#64 [\#63](https://github.com/dev-sec/ansible-os-hardening/pull/63) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- ERROR! Include tasks should not specify tags in more than one way [\#60](https://github.com/dev-sec/ansible-os-hardening/pull/60) ([fitz123](https://github.com/fitz123))
|
||||
|
||||
**Closed issues:**
|
||||
|
||||
|
@ -221,6 +334,7 @@
|
|||
- Release 3.0.0 [\#75](https://github.com/dev-sec/ansible-os-hardening/pull/75) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [2.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/2.0.0) (2015-11-28)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/1.0.0...2.0.0)
|
||||
|
||||
**Closed issues:**
|
||||
|
@ -239,6 +353,9 @@
|
|||
- improved travis-tests to cover more cases [\#42](https://github.com/dev-sec/ansible-os-hardening/pull/42) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [1.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/1.0.0) (2015-09-01)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/06d1464e95cad7ccc24734b934a158b16dfc5014...1.0.0)
|
||||
|
||||
**Closed issues:**
|
||||
|
||||
- ansible-os-hardening/tasks/minimize\_access.yml [\#38](https://github.com/dev-sec/ansible-os-hardening/issues/38)
|
||||
|
@ -285,4 +402,4 @@
|
|||
|
||||
|
||||
|
||||
\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*
|
||||
\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*
|
||||
|
|
|
@ -11,6 +11,7 @@ group :integration do
|
|||
gem 'kitchen-sync'
|
||||
gem 'kitchen-transport-rsync'
|
||||
gem 'kitchen-docker'
|
||||
gem 'inspec', '~> 3'
|
||||
end
|
||||
|
||||
group :tools do
|
||||
|
|
|
@ -35,6 +35,20 @@ It will not:
|
|||
If you're using inspec to test your machines after applying this role, please make sure to add the connecting user to the `os_ignore_users`-variable.
|
||||
Otherwise inspec will fail. For more information, see [issue #124](https://github.com/dev-sec/ansible-os-hardening/issues/124).
|
||||
|
||||
If you're using Docker / Kubernetes+Docker you'll need to override the ipv4 ip forward sysctl setting.
|
||||
|
||||
```yaml
|
||||
- hosts: localhost
|
||||
roles:
|
||||
- dev-sec.os-hardening
|
||||
vars:
|
||||
sysctl_overwrite:
|
||||
# Enable IPv4 traffic forwarding.
|
||||
net.ipv4.ip_forward: 1
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Variables
|
||||
|
||||
| Name | Default Value | Description |
|
||||
|
@ -57,24 +71,27 @@ Otherwise inspec will fail. For more information, see [issue #124](https://githu
|
|||
| `os_security_suid_sgid_blacklist`| [] | a list of paths which should have their SUID/SGID bits removed|
|
||||
| `os_security_suid_sgid_whitelist`| [] | a list of paths which should not have their SUID/SGID bits altered|
|
||||
| `os_security_suid_sgid_remove_from_unknown`| false | true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.|
|
||||
| `os_security_packages_clean'`| true | removes packages with known issues. See section packages.|
|
||||
| `os_security_packages_clean`| true | removes packages with known issues. See section packages.|
|
||||
| `os_selinux_state` | enforcing | Set the SELinux state, can be either disabled, permissive, or enforcing. |
|
||||
| `os_selinux_policy` | targeted | Set the SELinux polixy. |
|
||||
| `ufw_manage_defaults` | true | true means apply all settings with `ufw_` prefix|
|
||||
| `ufw_ipt_sysctl` | '' | by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example `/etc/ufw/sysctl.conf`
|
||||
| `ufw_default_input_policy` | DROP | set default input policy of ufw to `DROP` |
|
||||
| `ufw_default_output_policy` | ACCEPT | set default output policy of ufw to `ACCEPT` |
|
||||
| `ufw_default_forward_policy` | DROP | set default forward policy of ufw to `DROP` |
|
||||
| `os_auditd_enabled` | true | Set to false to disable installing and configuring auditd. |
|
||||
| `os_auditd_max_log_file_action` | `keep_logs` | Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`. |
|
||||
|
||||
## Packages
|
||||
|
||||
We remove the following packages:
|
||||
|
||||
* xinetd ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.1)
|
||||
* inetd ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.1)
|
||||
* tftp-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.5)
|
||||
* ypserv ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.4)
|
||||
* telnet-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.2)
|
||||
* rsh-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.3)
|
||||
* xinetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1)
|
||||
* inetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1)
|
||||
* tftp-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.5)
|
||||
* ypserv ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.4)
|
||||
* telnet-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.2)
|
||||
* rsh-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.3)
|
||||
* prelink ([open-scap](https://static.open-scap.org/ssg-guides/ssg-sl7-guide-ospp-rhel7-server.html#xccdf_org.ssgproject.content_rule_disable_prelink))
|
||||
|
||||
## Disabled filesystems
|
||||
|
@ -92,6 +109,14 @@ We disable the following filesystems, because they're most likely not used:
|
|||
|
||||
To prevent some of the filesystems from being disabled, add them to the `os_filesystem_whitelist` variable.
|
||||
|
||||
## Installation
|
||||
|
||||
Install the role with ansible-galaxy:
|
||||
|
||||
```
|
||||
ansible-galaxy install dev-sec.os-hardening
|
||||
```
|
||||
|
||||
## Example Playbook
|
||||
|
||||
```yaml
|
||||
|
@ -115,7 +140,13 @@ So for example if you want to change the IPv4 traffic forwarding variable to `1`
|
|||
net.ipv4.ip_forward: 1
|
||||
```
|
||||
|
||||
Alternatively you can change Ansible's [hash-behaviour](https://docs.ansible.com/ansible/intro_configuration.html#hash-behaviour) to `merge`, then you only have to overwrite the single hash you need to. But please be aware that changing the hash-behaviour changes it for all your playbooks and is not recommended by Ansible.
|
||||
Alternatively you can change Ansible's [hash-behaviour](https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-hash-behaviour) to `merge`, then you only have to overwrite the single hash you need to. But please be aware that changing the hash-behaviour changes it for all your playbooks and is not recommended by Ansible.
|
||||
|
||||
## Improving Kernel Audit logging
|
||||
|
||||
By default, any process that starts before the `auditd` daemon will have an AUID of `4294967295`. To improve this and provide more accurate logging, it's recommended to add the kernel boot parameter `audit=1` to you configuration. Without doing this, you will find that your `auditd` logs fail to properly audit all processes.
|
||||
|
||||
For more information, please see this [upstream documentation](https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html) and your system's boot loader documentation for how to configure additional kernel parameters.
|
||||
|
||||
## Local Testing
|
||||
|
||||
|
|
|
@ -1,74 +0,0 @@
|
|||
---
|
||||
- name: wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing
|
||||
hosts: localhost
|
||||
roles:
|
||||
- ansible-os-hardening
|
||||
pre_tasks:
|
||||
- name: Run the equivalent of "apt-get update" as a separate step
|
||||
apt:
|
||||
update_cache: yes
|
||||
when: ansible_os_family == 'Debian'
|
||||
- name: Install firefox to get Xorg
|
||||
package:
|
||||
name: firefox
|
||||
state: present
|
||||
vars:
|
||||
os_security_users_allow: change_user
|
||||
os_security_kernel_enable_core_dump: false
|
||||
os_security_suid_sgid_remove_from_unknown: true
|
||||
os_auth_pam_passwdqc_enable: false
|
||||
os_desktop_enable: true
|
||||
os_env_extra_user_paths: ['/home']
|
||||
os_auth_allow_homeless: true
|
||||
os_security_suid_sgid_blacklist: ['/bin/umount']
|
||||
os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
|
||||
os_filesystem_whitelist: ['vfat']
|
||||
sysctl_config:
|
||||
net.ipv4.ip_forward: 0
|
||||
net.ipv6.conf.all.forwarding: 0
|
||||
net.ipv6.conf.all.accept_ra: 0
|
||||
net.ipv6.conf.default.accept_ra: 0
|
||||
net.ipv4.conf.all.rp_filter: 1
|
||||
net.ipv4.conf.default.rp_filter: 1
|
||||
net.ipv4.icmp_echo_ignore_broadcasts: 1
|
||||
net.ipv4.icmp_ignore_bogus_error_responses: 1
|
||||
net.ipv4.icmp_ratelimit: 100
|
||||
net.ipv4.icmp_ratemask: 88089
|
||||
net.ipv6.conf.all.disable_ipv6: 1
|
||||
net.ipv4.conf.all.arp_ignore: 1
|
||||
net.ipv4.conf.all.arp_announce: 2
|
||||
net.ipv4.conf.all.shared_media: 1
|
||||
net.ipv4.conf.default.shared_media: 1
|
||||
net.ipv4.conf.all.accept_source_route: 0
|
||||
net.ipv4.conf.default.accept_source_route: 0
|
||||
net.ipv4.conf.default.accept_redirects: 0
|
||||
net.ipv4.conf.all.accept_redirects: 0
|
||||
net.ipv4.conf.all.secure_redirects: 0
|
||||
net.ipv4.conf.default.secure_redirects: 0
|
||||
net.ipv6.conf.default.accept_redirects: 0
|
||||
net.ipv6.conf.all.accept_redirects: 0
|
||||
net.ipv4.conf.all.send_redirects: 0
|
||||
net.ipv4.conf.default.send_redirects: 0
|
||||
net.ipv4.conf.all.log_martians: 1
|
||||
net.ipv6.conf.default.router_solicitations: 0
|
||||
net.ipv6.conf.default.accept_ra_rtr_pref: 0
|
||||
net.ipv6.conf.default.accept_ra_pinfo: 0
|
||||
net.ipv6.conf.default.accept_ra_defrtr: 0
|
||||
net.ipv6.conf.default.autoconf: 0
|
||||
net.ipv6.conf.default.dad_transmits: 0
|
||||
net.ipv6.conf.default.max_addresses: 1
|
||||
kernel.sysrq: 0
|
||||
fs.suid_dumpable: 0
|
||||
kernel.randomize_va_space: 2
|
||||
|
||||
|
||||
- name: wrapper playbook for kitchen testing "ansible-os-hardening"
|
||||
hosts: localhost
|
||||
pre_tasks:
|
||||
- name: Run the equivalent of "apt-get update" as a separate step
|
||||
apt:
|
||||
update_cache: yes
|
||||
when: ansible_os_family == 'Debian'
|
||||
roles:
|
||||
- ansible-os-hardening
|
||||
|
|
@ -27,7 +27,7 @@ os_security_suid_sgid_remove_from_unknown: false
|
|||
|
||||
# remove packages with known issues
|
||||
os_security_packages_clean: true
|
||||
os_security_packages_list: ['xinetd','inetd','ypserv','telnet-server','rsh-server', 'prelink']
|
||||
os_security_packages_list: ['xinetd', 'inetd', 'ypserv', 'telnet-server', 'rsh-server', 'prelink']
|
||||
|
||||
# Allow interactive startup (rhel, centos)
|
||||
os_security_init_prompt: true
|
||||
|
@ -175,17 +175,6 @@ sysctl_config:
|
|||
|
||||
kernel.core_uses_pid: 1
|
||||
|
||||
# When an attacker is trying to exploit the local kernel, it is often
|
||||
# helpful to be able to examine where in memory the kernel, modules,
|
||||
# and data structures live. As such, kernel addresses should be treated
|
||||
# as sensitive information.
|
||||
#
|
||||
# Many files and interfaces contain these addresses (e.g. /proc/kallsyms,
|
||||
# /proc/modules, etc), and this setting can censor the addresses. A value
|
||||
# of "0" allows all users to see the kernel addresses. A value of "1"
|
||||
# limits visibility to the root user, and "2" blocks even the root user.
|
||||
kernel.kptr_restrict: 1
|
||||
|
||||
# The PTRACE system is used for debugging. With it, a single user process
|
||||
# can attach to any other dumpable process owned by the same user. In the
|
||||
# case of malicious software, it is possible to use PTRACE to access
|
||||
|
@ -226,6 +215,33 @@ sysctl_config:
|
|||
fs.protected_hardlinks: 1
|
||||
fs.protected_symlinks: 1
|
||||
|
||||
# These settings are set to the maximum supported value in order to
|
||||
# improve ASLR effectiveness for mmap, at the cost of increased
|
||||
# address-space fragmentation. | Tail-1
|
||||
vm.mmap_rnd_bits: 32
|
||||
vm.mmap_rnd_compat_bits: 16
|
||||
|
||||
# When an attacker is trying to exploit the local kernel, it is often
|
||||
# helpful to be able to examine where in memory the kernel, modules,
|
||||
# and data structures live. As such, kernel addresses should be treated
|
||||
# as sensitive information.
|
||||
#
|
||||
# Many files and interfaces contain these addresses (e.g. /proc/kallsyms,
|
||||
# /proc/modules, etc), and this setting can censor the addresses. A value
|
||||
# of "0" allows all users to see the kernel addresses. A value of "1"
|
||||
# limits visibility to the root user, and "2" blocks even the root user.
|
||||
#
|
||||
# Some off-the-shelf malware exploit kernel addresses exposed
|
||||
# via /proc/kallsyms so by not making these addresses easily available
|
||||
# we increase the cost of such attack some what; now such malware has
|
||||
# to check which kernel Tails is running and then fetch the corresponding
|
||||
# kernel address map from some external source. This is not hard,
|
||||
# but certainly not all malware has such functionality. | Tails-2
|
||||
kernel.kptr_restrict: 2
|
||||
|
||||
# kexec is dangerous: it enables replacement of the running kernel. | Tails-3
|
||||
kernel.kexec_load_disabled: 1
|
||||
|
||||
# Do not delete the following line or otherwise the playbook will fail
|
||||
# at task 'create a combined sysctl-dict if overwrites are defined'
|
||||
sysctl_overwrite:
|
||||
|
@ -240,6 +256,12 @@ os_unused_filesystems:
|
|||
- "squashfs"
|
||||
- "udf"
|
||||
- "vfat"
|
||||
# Obsolete network protocols that should be disabled
|
||||
# per CIS Oracle Linux 6 Benchmark (2016)
|
||||
- "tipc" # CIS 3.5.4
|
||||
- "sctp" # CIS 3.5.2
|
||||
- "dccp" # CIS 3.5.1
|
||||
- "rds" # CIS 3.5.3
|
||||
|
||||
# whitelist for used filesystems
|
||||
os_filesystem_whitelist: []
|
||||
|
@ -250,3 +272,9 @@ os_hardening_enabled: true
|
|||
|
||||
# Set to false to disable installing and configuring auditd.
|
||||
os_auditd_enabled: true
|
||||
os_auditd_max_log_file_action: keep_logs
|
||||
|
||||
# Set the SELinux state, can be either disabled, permissive, or enforcing.
|
||||
os_selinux_state: enforcing
|
||||
# Set the SELinux polixy.
|
||||
os_selinux_policy: targeted
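Review bot: The `@@ -226,6 +215,33 @@` hunk adds `kernel.kexec_load_disabled: 1` and `vm.mmap_rnd_bits: 32` / `vm.mmap_rnd_compat_bits: 16` as role-wide defaults without documenting their side effects. `kexec_load_disabled` is a one-way sysctl (it cannot be cleared again until reboot) and it disables kdump crash capture and kexec fast-reboot on every host the role touches, while 32 and 16 are the x86_64 maxima rather than a universal "maximum supported value" — the kernel enforces a per-architecture range for these keys and rejects values outside it, which I would expect to fail the role's sysctl task (not in this chunk) on other architectures. I would extend the comments accordingly, e.g. `# one-way: stays set until reboot and disables kdump/kexec — override in sysctl_overwrite where crash dumps are required` above `kernel.kexec_load_disabled`, and `# x86_64 maxima; other architectures have a narrower range (see /proc/sys/vm/mmap_rnd_bits)` above the mmap pair. The move of `kernel.kptr_restrict` from 1 to 2 also hides kernel addresses from root, which is what the comment intends but it breaks perf/crash tooling that reads /proc/kallsyms. Since this role appears to be vendored from upstream 6.0.1 (see the `.galaxy_install_info` bump), the practical fix is probably for this repo to set the values it needs via `sysctl_overwrite` in inventory rather than editing the role copy.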
|
||||
|
|
3
ansible/roles/dev-sec.os-hardening/handlers/main.yml
Normal file
3
ansible/roles/dev-sec.os-hardening/handlers/main.yml
Normal file
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
- name: update-initramfs
|
||||
command: 'update-initramfs -u'
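Review bot: The new `update-initramfs` handler runs `update-initramfs -u` with no platform guard, yet that binary exists only on Debian-family hosts while the role's meta declares EL 6/7/8, Fedora, Amazon and openSUSE support, so the play will fail on those platforms the first time a task notifies this handler. I cannot see the notifying task in this chunk — presumably the modprobe blacklist write, since that is what needs a refreshed initramfs — so I have not confirmed it is reachable on non-Debian hosts. I would guard it with `when: ansible_facts.os_family == 'Debian'` and, if RedHat-family hosts need the same refresh, add a sibling handler running `dracut -f` guarded on `ansible_facts.os_family == 'RedHat'`. If this file is vendored unchanged from upstream, the fix belongs there rather than in a local patch.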
|
|
@ -1 +1,2 @@
|
|||
{install_date: 'Mon Dec 17 12:48:33 2018', version: 5.1.0}
|
||||
install_date: Fri May 15 20:29:23 2020
|
||||
version: 6.0.1
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
galaxy_info:
|
||||
author: "Sebastian Gumprich"
|
||||
description: 'This Ansible role provides numerous security-related configurations, providing all-round base protection.'
|
||||
description: 'This role provides numerous security-related configurations, providing all-round base protection.'
|
||||
company: Hardening Framework Team
|
||||
license: Apache License 2.0
|
||||
min_ansible_version: '2.5'
|
||||
|
@ -10,17 +10,18 @@ galaxy_info:
|
|||
versions:
|
||||
- 6
|
||||
- 7
|
||||
- 8
|
||||
- name: Ubuntu
|
||||
versions:
|
||||
- precise
|
||||
- trusty
|
||||
- xenial
|
||||
- bionic
|
||||
- name: Debian
|
||||
versions:
|
||||
- wheezy
|
||||
- jessie
|
||||
- stretch
|
||||
- buster
|
||||
- name: Amazon
|
||||
- name: Fedora
|
||||
- name: openSUSE
|
||||
galaxy_tags:
|
||||
- system
|
||||
- security
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
---
|
||||
- name: remove deprecated or insecure packages | package-01 - package-09
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
name: '{{ os_security_packages_list }}'
|
||||
state: 'absent'
|
||||
with_items:
|
||||
- '{{ os_security_packages_list }}'
|
||||
when: 'os_security_packages_clean'
|
||||
when: os_security_packages_clean | bool
|
||||
|
|
|
@ -1,12 +0,0 @@
|
|||
- name: find directories for minimizing access
|
||||
find:
|
||||
paths: '{{ outer_item }}'
|
||||
recurse: yes
|
||||
register: minimize_access_directories
|
||||
|
||||
- name: minimize access on found files
|
||||
file:
|
||||
path: '{{ item.path }}'
|
||||
mode: 'go-w'
|
||||
state: file
|
||||
with_items: '{{ minimize_access_directories.files }}'
|
|
@ -1,21 +1,21 @@
|
|||
---
|
||||
- name: Set OS family dependent variables
|
||||
include_vars: '{{ ansible_os_family }}.yml'
|
||||
include_vars: '{{ ansible_facts.os_family }}.yml'
|
||||
tags: always
|
||||
|
||||
- name: Set OS dependent variables
|
||||
include_vars: '{{ item }}'
|
||||
with_first_found:
|
||||
- files:
|
||||
- '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml'
|
||||
- '{{ ansible_distribution }}.yml'
|
||||
- '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml'
|
||||
- '{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_major_version }}.yml'
|
||||
- '{{ ansible_facts.distribution }}.yml'
|
||||
- '{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml'
|
||||
skip: true
|
||||
tags: always
|
||||
|
||||
- import_tasks: auditd.yml
|
||||
tags: auditd
|
||||
when: os_auditd_enabled
|
||||
when: os_auditd_enabled | bool
|
||||
|
||||
- import_tasks: limits.yml
|
||||
tags: limits
|
||||
|
@ -39,7 +39,7 @@
|
|||
tags: securetty
|
||||
|
||||
- import_tasks: suid_sgid.yml
|
||||
when: os_security_suid_sgid_enforce
|
||||
when: os_security_suid_sgid_enforce | bool
|
||||
tags: suid_sgid
|
||||
|
||||
- import_tasks: sysctl.yml
|
||||
|
@ -52,9 +52,14 @@
|
|||
tags: rhosts
|
||||
|
||||
- import_tasks: yum.yml
|
||||
when: ansible_os_family == 'RedHat'
|
||||
when: ansible_facts.os_family == 'RedHat'
|
||||
tags: yum
|
||||
|
||||
- import_tasks: apt.yml
|
||||
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
|
||||
when: ansible_facts.distribution == 'Debian' or ansible_facts.distribution == 'Ubuntu'
|
||||
tags: apt
|
||||
|
||||
- import_tasks: selinux.yml
|
||||
tags: selinux
|
||||
when:
|
||||
- ansible_facts.selinux.status == 'enabled'
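Review bot: The new `import_tasks: selinux.yml` is gated only on `ansible_facts.selinux.status == 'enabled'`, and the default added to defaults/main.yml in this same commit is `os_selinux_state: enforcing`, so any RedHat-family host currently running permissive will be flipped to enforcing mid-run with no check that its services have clean AVC logs; that is the hunk in this file most worth raising. selinux.yml itself is cut off at the end of this chunk, so I cannot see whether it handles the reboot the selinux module requires when leaving `disabled`, but a permissive-to-enforcing change takes effect immediately. I would pin `os_selinux_state` explicitly in this repo's inventory or group vars (permissive first, enforcing only after an `ausearch -m avc` review of the production hosts) rather than inherit the vendored default. A defensive `- ansible_facts.selinux is defined` line before the status comparison would also keep the condition from erroring when fact gathering is restricted with `gather_subset`, though I have not verified that is a reachable configuration in this repo's playbooks.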
|
||||
|
|
|
@ -9,14 +9,14 @@
|
|||
mode: '0755'
|
||||
state: 'directory'
|
||||
|
||||
- name: create aditional limits config file -> 10.hardcore.conf | sysctl-31a, sysctl-31b
|
||||
- name: create additional limits config file -> 10.hardcore.conf | sysctl-31a, sysctl-31b
|
||||
pam_limits:
|
||||
dest: '/etc/security/limits.d/10.hardcore.conf'
|
||||
domain: '*'
|
||||
limit_type: hard
|
||||
limit_item: core
|
||||
value: 0
|
||||
comment: Prevent core dumps for all users. These are usually only needed by developers and may contain sensitive information
|
||||
value: '0'
|
||||
comment: Prevent core dumps for all users. These are usually not needed and may contain sensitive information
|
||||
|
||||
- name: set 10.hardcore.conf perms to 0400 and root ownership
|
||||
file:
|
||||
|
@ -25,10 +25,10 @@
|
|||
group: 'root'
|
||||
mode: '0440'
|
||||
|
||||
when: 'not os_security_kernel_enable_core_dump'
|
||||
when: not os_security_kernel_enable_core_dump | bool
|
||||
|
||||
- name: remove 10.hardcore.conf config file
|
||||
file:
|
||||
path: /etc/security/limits.d/10.hardcore.conf
|
||||
state: absent
|
||||
when: 'os_security_kernel_enable_core_dump'
|
||||
when: os_security_kernel_enable_core_dump | bool
|
||||
|
|
|
@ -6,4 +6,3 @@
|
|||
owner: 'root'
|
||||
group: 'root'
|
||||
mode: '0444'
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
---
|
||||
|
||||
- include_tasks: hardening.yml
|
||||
when: os_hardening_enabled
|
||||
- import_tasks: hardening.yml
|
||||
when: os_hardening_enabled | bool
|
||||
|
|
|
@ -1,16 +1,31 @@
|
|||
---
|
||||
# Using a two-pass approach for checking directories in order to support symlinks.
|
||||
- include_tasks: find_files.yml
|
||||
loop_control:
|
||||
loop_var: outer_item
|
||||
loop:
|
||||
# If the find-task throws an error on /usr/bin/X11 like "File system loop detected"
|
||||
# the other files inside /usr/bin (and all other directories) are
|
||||
# still getting found and the permissions minimized in the next task.
|
||||
# This is also the reason why there's ignore_errors: true on the task.
|
||||
# also see: https://github.com/dev-sec/ansible-os-hardening/issues/219
|
||||
- name: find files with write-permissions for group
|
||||
shell: "find -L {{ item }} -perm /go+w -type f" # noqa 305
|
||||
with_flattened:
|
||||
- '/usr/local/sbin'
|
||||
- '/usr/local/bin'
|
||||
- '/usr/sbin'
|
||||
- '/usr/bin'
|
||||
- '/sbin'
|
||||
- '/bin'
|
||||
- '{{ os_env_extra_user_paths }}'
|
||||
- "{{ os_env_extra_user_paths }}" # noqa 104
|
||||
register: minimize_access_directories
|
||||
ignore_errors: true
|
||||
changed_when: false
|
||||
|
||||
- name: minimize access on found files
|
||||
file:
|
||||
path: '{{ item.1 }}'
|
||||
mode: 'go-w'
|
||||
state: file
|
||||
with_subelements:
|
||||
- "{{ minimize_access_directories.results }}"
|
||||
- stdout_lines
|
||||
|
||||
- name: change shadow ownership to root and mode to 0600 | os-02
|
||||
file:
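Review bot: In the new `find files with write-permissions for group` task, `{{ item }}` is interpolated into a shell command unquoted, and `os_env_extra_user_paths` is operator-supplied, so a path containing whitespace or shell metacharacters is split or interpreted rather than searched; `shell: "find -L {{ item | quote }} -perm /go+w -type f"` closes that. The `-L` flag also makes find follow symlinks, so a link under e.g. /usr/local/bin that points outside these trees has its target reported, and the following `file: ... mode: 'go-w'` task will then chmod that target (the file module follows symlinks by default) — a comment above the task stating that the search deliberately reaches symlink targets, and that `os_env_extra_user_paths` must therefore not include user-writable trees, would spare the next reader the surprise. Finally, `ignore_errors: true` hides every failure of find, not just the filesystem-loop case the comment describes; `failed_when: false` is the quieter equivalent, or better `failed_when: minimize_access_directories.rc not in [0, 1]`, though I have not confirmed which exit code find returns for the loop case, so check that before narrowing it. The `change shadow ownership` task that starts at the end of this hunk continues outside it.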
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
- name: install modprobe to disable filesystems | os-10
|
||||
package:
|
||||
name: '{{modprobe_package}}'
|
||||
name: '{{ modprobe_package }}'
|
||||
state: 'present'
|
||||
|
||||
- name: check if efi is installed
|
||||
|
@ -20,5 +20,4 @@
|
|||
dest: '/etc/modprobe.d/dev-sec.conf'
|
||||
owner: 'root'
|
||||
group: 'root'
|
||||
mode: '0640'
|
||||
|
||||
mode: '0644'
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
- name: update pam on Debian systems
|
||||
command: 'pam-auth-update --package'
|
||||
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
|
||||
when: ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||
changed_when: False
|
||||
environment:
|
||||
DEBIAN_FRONTEND: noninteractive
|
||||
|
@ -19,14 +19,18 @@
|
|||
apt:
|
||||
name: '{{ os_packages_pam_cracklib }}'
|
||||
state: 'absent'
|
||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
|
||||
when:
|
||||
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||
- os_auth_pam_passwdqc_enable
|
||||
|
||||
- name: install the package for strong password checking
|
||||
apt:
|
||||
name: '{{ os_packages_pam_passwdqc }}'
|
||||
state: 'present'
|
||||
update_cache: 'yes'
|
||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
|
||||
when:
|
||||
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||
- os_auth_pam_passwdqc_enable
|
||||
|
||||
- name: configure passwdqc
|
||||
template:
|
||||
|
@ -35,19 +39,26 @@
|
|||
mode: '0644'
|
||||
owner: 'root'
|
||||
group: 'root'
|
||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
|
||||
when:
|
||||
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||
- os_auth_pam_passwdqc_enable
|
||||
|
||||
- name: remove passwdqc
|
||||
apt:
|
||||
name: '{{ os_packages_pam_passwdqc }}'
|
||||
state: 'absent'
|
||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable
|
||||
when:
|
||||
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||
- not os_auth_pam_passwdqc_enable
|
||||
|
||||
- name: install tally2
|
||||
apt:
|
||||
name: 'libpam-modules'
|
||||
state: 'present'
|
||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0
|
||||
when:
|
||||
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||
- not os_auth_pam_passwdqc_enable
|
||||
- os_auth_retries > 0
|
||||
|
||||
- name: configure tally2
|
||||
template:
|
||||
|
@ -56,31 +67,47 @@
|
|||
mode: '0644'
|
||||
owner: 'root'
|
||||
group: 'root'
|
||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0
|
||||
when:
|
||||
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||
- not os_auth_pam_passwdqc_enable
|
||||
- os_auth_retries > 0
|
||||
|
||||
- name: delete tally2 when retries is 0
|
||||
file:
|
||||
path: '{{ tally2_path }}'
|
||||
state: 'absent'
|
||||
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries == 0
|
||||
when:
|
||||
- ansible_facts.distribution in ['Debian', 'Ubuntu']
|
||||
- not os_auth_pam_passwdqc_enable
|
||||
- os_auth_retries == 0
|
||||
|
||||
- name: remove pam_cracklib, because it does not play nice with passwdqc
|
||||
yum:
|
||||
name: '{{ os_packages_pam_cracklib }}'
|
||||
state: 'absent'
|
||||
when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable
|
||||
when:
|
||||
- ansible_facts.os_family == 'RedHat'
|
||||
- ansible_facts.distribution_major_version|int is version('7', '<')
|
||||
- ansible_facts.distribution != 'Amazon'
|
||||
- os_auth_pam_passwdqc_enable
|
||||
|
||||
- name: install the package for strong password checking
|
||||
yum:
|
||||
name: '{{ os_packages_pam_passwdqc }}'
|
||||
state: 'present'
|
||||
when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable
|
||||
when:
|
||||
- ansible_facts.os_family == 'RedHat'
|
||||
- ansible_facts.distribution_major_version|int is version('7', '<')
|
||||
- ansible_facts.distribution != 'Amazon'
|
||||
- os_auth_pam_passwdqc_enable
|
||||
|
||||
- name: remove passwdqc
|
||||
yum:
|
||||
name: '{{ os_packages_pam_passwdqc }}'
|
||||
state: 'absent'
|
||||
when: ansible_os_family == 'RedHat' and not os_auth_pam_passwdqc_enable
|
||||
when:
|
||||
- ansible_facts.os_family == 'RedHat'
|
||||
- not os_auth_pam_passwdqc_enable
|
||||
|
||||
- name: configure passwdqc and tally via central system-auth confic
|
||||
template:
|
||||
|
@ -89,11 +116,17 @@
|
|||
mode: '0640'
|
||||
owner: 'root'
|
||||
group: 'root'
|
||||
when: ansible_facts.os_family == 'RedHat'
|
||||
|
||||
- name: Gather package facts
|
||||
package_facts:
|
||||
manager: auto
|
||||
|
||||
- name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
|
||||
template:
|
||||
src: 'etc/rhel_libuser.conf.j2'
|
||||
src: 'etc/libuser.conf.j2'
|
||||
dest: '/etc/libuser.conf'
|
||||
mode: '0640'
|
||||
owner: 'root'
|
||||
group: 'root'
|
||||
when: "'libuser' in ansible_facts.packages"
|
||||
|
|
|
@ -6,10 +6,10 @@
|
|||
owner: 'root'
|
||||
group: 'root'
|
||||
mode: '0750'
|
||||
when: not os_security_kernel_enable_core_dump
|
||||
when: not os_security_kernel_enable_core_dump | bool
|
||||
|
||||
- name: remove pinerolo_profile.sh from profile.d
|
||||
file:
|
||||
path: /etc/profile.d/pinerolo_profile.sh
|
||||
state: absent
|
||||
when: os_security_kernel_enable_core_dump
|
||||
when: os_security_kernel_enable_core_dump | bool
|
||||
|
|
|
@ -3,13 +3,13 @@
|
|||
command: "awk -F: '{print $1}' /etc/passwd"
|
||||
changed_when: False
|
||||
check_mode: False
|
||||
register: users
|
||||
register: users_accounts
|
||||
|
||||
- name: delete rhosts-files from system | os-09
|
||||
file:
|
||||
dest: '~{{ item }}/.rhosts'
|
||||
state: 'absent'
|
||||
with_flattened: '{{ users.stdout_lines | default([]) }}'
|
||||
with_flattened: '{{ users_accounts.stdout_lines | default([]) }}'
|
||||
|
||||
- name: delete hosts.equiv from system | os-01
|
||||
file:
|
||||
|
@ -20,4 +20,4 @@
|
|||
file:
|
||||
dest: '~{{ item }}/.netrc'
|
||||
state: 'absent'
|
||||
with_flattened: '{{ users.stdout_lines | default([]) }}'
|
||||
with_flattened: '{{ users_accounts.stdout_lines | default([]) }}'
|
||||
|
|
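--- a/ansible/roles/dev-sec.os-hardening/tasks/selinux.yml
+++ b/ansible/roles/dev-sec.os-hardening/tasks/selinux.yml
@@ -0,0 +1,5 @@
+---
+- name: configure selinux | selinux-01
+  selinux:
+    policy: "{{ os_selinux_policy }}"
+    state: "{{ os_selinux_state }}"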
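Review bot: The "configure selinux | selinux-01" task discards the module result, so a mode change that only takes effect after a reboot (the selinux module reports this in its `reboot_required` return value) is silent and the remaining hardening tasks run on a host whose enforcement mode has not actually changed. Consider `register: os_selinux_result` followed by a `debug` or `fail` on `os_selinux_result.reboot_required`, or at least a comment above the task: `# Changing state (e.g. disabled -> enforcing) only takes effect after a reboot; the module reports this as reboot_required`. The include that guards this file is outside the hunk, so whether it can be reached on hosts without SELinux bindings cannot be checked here.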
@ -13,13 +13,13 @@
|
|||
- name: find binaries with suid/sgid set | os-06
|
||||
shell: find / -xdev \( -perm -4000 -o -perm -2000 \) -type f ! -path '/proc/*' -print 2>/dev/null
|
||||
register: sbit_binaries
|
||||
when: os_security_suid_sgid_remove_from_unknown
|
||||
when: os_security_suid_sgid_remove_from_unknown | bool
|
||||
changed_when: False
|
||||
|
||||
- name: gather files from which to remove suids/sgids and remove system white-listed files | os-06
|
||||
set_fact:
|
||||
suid: '{{ sbit_binaries.stdout_lines | difference(os_security_suid_sgid_system_whitelist) }}'
|
||||
when: os_security_suid_sgid_remove_from_unknown
|
||||
when: os_security_suid_sgid_remove_from_unknown | bool
|
||||
|
||||
- name: remove suid/sgid bit from all binaries except in system and user whitelist | os-06
|
||||
file:
|
||||
|
@ -29,4 +29,4 @@
|
|||
follow: 'yes'
|
||||
with_flattened:
|
||||
- '{{ suid | default([]) | difference(os_security_suid_sgid_whitelist) }}'
|
||||
when: os_security_suid_sgid_remove_from_unknown
|
||||
when: os_security_suid_sgid_remove_from_unknown | bool
|
||||
|
|
|
@ -13,14 +13,15 @@
|
|||
owner: 'root'
|
||||
group: 'root'
|
||||
mode: '0544'
|
||||
when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS' or ansible_distribution == 'Amazon'
|
||||
when: ansible_facts.distribution == 'RedHat' or ansible_facts.distribution == 'Fedora' or
|
||||
ansible_facts.distribution == 'CentOS' or ansible_facts.distribution == 'Amazon'
|
||||
|
||||
- name: install initramfs-tools
|
||||
apt:
|
||||
name: 'initramfs-tools'
|
||||
state: 'present'
|
||||
update_cache: true
|
||||
when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading
|
||||
when: ansible_facts.os_family == 'Debian' and os_security_kernel_enable_module_loading
|
||||
|
||||
- name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled
|
||||
template:
|
||||
|
@ -29,41 +30,44 @@
|
|||
owner: 'root'
|
||||
group: 'root'
|
||||
mode: '0440'
|
||||
when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading
|
||||
notify:
|
||||
- update-initramfs
|
||||
when: ansible_facts.os_family == 'Debian' and os_security_kernel_enable_module_loading
|
||||
register: initramfs
|
||||
|
||||
- name: update-initramfs
|
||||
command: 'update-initramfs -u'
|
||||
when: initramfs.changed
|
||||
- name: change sysctls
|
||||
block:
|
||||
- name: create a combined sysctl-dict if overwrites are defined
|
||||
set_fact:
|
||||
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
|
||||
when: sysctl_overwrite | default()
|
||||
|
||||
- name: create a combined sysctl-dict if overwrites are defined
|
||||
set_fact:
|
||||
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
|
||||
when: sysctl_overwrite | default()
|
||||
- name: Change various sysctl-settings, look at the sysctl-vars file for documentation
|
||||
sysctl:
|
||||
name: '{{ item.key }}'
|
||||
value: '{{ item.value }}'
|
||||
sysctl_set: yes
|
||||
state: present
|
||||
reload: yes
|
||||
ignoreerrors: yes
|
||||
with_dict: '{{ sysctl_config }}'
|
||||
|
||||
- name: Change various sysctl-settings, look at the sysctl-vars file for documentation
|
||||
sysctl:
|
||||
name: '{{ item.key }}'
|
||||
value: '{{ item.value }}'
|
||||
sysctl_set: yes
|
||||
state: present
|
||||
reload: yes
|
||||
ignoreerrors: yes
|
||||
with_dict: '{{ sysctl_config }}'
|
||||
- name: Change various sysctl-settings on rhel6-hosts or older, look at the sysctl-vars file for documentation
|
||||
sysctl:
|
||||
name: '{{ item.key }}'
|
||||
value: '{{ item.value }}'
|
||||
state: present
|
||||
reload: yes
|
||||
ignoreerrors: yes
|
||||
with_dict: '{{ sysctl_rhel_config }}'
|
||||
when: ((ansible_facts.distribution == 'RedHat' or ansible_facts.distribution == 'Fedora' or ansible_facts.distribution == 'CentOS') and
|
||||
ansible_distribution_version|int is version('7', '<')) or ansible_facts.distribution == 'Amazon'
|
||||
|
||||
- name: Change various sysctl-settings on rhel6-hosts or older, look at the sysctl-vars file for documentation
|
||||
sysctl:
|
||||
name: '{{ item.key }}'
|
||||
value: '{{ item.value }}'
|
||||
state: present
|
||||
reload: yes
|
||||
ignoreerrors: yes
|
||||
with_dict: '{{ sysctl_rhel_config }}'
|
||||
when: ((ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS') and ansible_distribution_major_version < '7') or ansible_distribution == 'Amazon'
|
||||
when: ansible_virtualization_type not in ['docker', 'openvz', 'lxc']
|
||||
|
||||
- name: Apply ufw defaults
|
||||
template:
|
||||
src: 'etc/default/ufw.j2'
|
||||
dest: '/etc/default/ufw'
|
||||
when: ufw_manage_defaults and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')
|
||||
when: ufw_manage_defaults and (ansible_facts.distribution == 'Debian' or ansible_facts.distribution == 'Ubuntu')
|
||||
tags: ufw
|
||||
|
|
|
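Review bot: The new condition on the "Change various sysctl-settings on rhel6-hosts or older" task, `ansible_distribution_version|int is version('7', '<')`, feeds a full version string through `int`; Jinja's `int` filter falls back to 0 for a value it cannot parse (a version with more than one dot, for example), and `0 is version('7', '<')` is true, so the legacy `sysctl_rhel_config` set would then also be applied on RHEL 7 and newer hosts. The pam.yml hunks in this same commit already compare `ansible_facts.distribution_major_version|int is version('7', '<')`; the same expression belongs here: `ansible_facts.distribution_major_version|int is version('7', '<')`. The identical `distribution_version|int` comparison is in the PAM system-auth template hunk (`{%- if ((ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_version|int is version('7', '>=')) ...`), where a parse failure would select `pam_passwdqc.so` instead of `pam_pwquality.so` on RHEL 7+. This line and the block-level `when: ansible_virtualization_type not in ['docker', 'openvz', 'lxc']` are also the only places in the hunk still reading legacy top-level fact names rather than `ansible_facts.*`, which the rest of the commit converts.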
@ -10,17 +10,19 @@
|
|||
- name: calculate UID_MAX from UID_MIN by substracting 1
|
||||
set_fact:
|
||||
uid_max: '{{ uid_min.stdout | int - 1 }}'
|
||||
when: uid_min is defined
|
||||
when: uid_min.stdout|int > 0
|
||||
|
||||
- name: set UID_MAX on Debian-systems if no login.defs exist
|
||||
set_fact:
|
||||
uid_max: '999'
|
||||
when: ansible_os_family == 'Debian' and not uid_min
|
||||
when:
|
||||
- ansible_facts.os_family == 'Debian'
|
||||
- uid_max is not defined
|
||||
|
||||
- name: set UID_MAX on other systems if no login.defs exist
|
||||
set_fact:
|
||||
uid_max: '499'
|
||||
when: not uid_min
|
||||
when: uid_max is not defined
|
||||
|
||||
- name: get all system accounts
|
||||
command: awk -F'':'' '{ if ( $3 <= {{ uid_max|quote }} ) print $1}' /etc/passwd
|
||||
|
|
|
@ -7,41 +7,35 @@
|
|||
- 'CentOS-Debuginfo'
|
||||
- 'CentOS-Media'
|
||||
- 'CentOS-Vault'
|
||||
when: os_security_packages_clean
|
||||
when: os_security_packages_clean | bool
|
||||
|
||||
- name: get yum-repository-files
|
||||
shell: 'find /etc/yum.repos.d/ -type f -name *.repo'
|
||||
changed_when: False
|
||||
register: yum_repos
|
||||
|
||||
- name: check if rhnplugin.conf exists
|
||||
stat:
|
||||
path: '/etc/yum/pluginconf.d/rhnplugin.conf'
|
||||
register: rhnplugin_file
|
||||
|
||||
# for the 'default([])' see here:
|
||||
# https://github.com/dev-sec/ansible-os-hardening/issues/99 and
|
||||
# https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause
|
||||
- name: activate gpg-check for yum-repos
|
||||
#
|
||||
# failed_when is needed because by default replace module will fail if the file doesn't exists.
|
||||
# status.rc is only defined if an error accrued and only error code (rc) 257 will be ignored.
|
||||
# All other errors will still be raised.
|
||||
- name: activate gpg-check for config files
|
||||
replace:
|
||||
dest: '{{ item }}'
|
||||
regexp: '^\s*gpgcheck: 0'
|
||||
replace: 'gpgcheck: 1'
|
||||
register: status
|
||||
failed_when: status.rc is defined and status.rc != 257
|
||||
with_flattened:
|
||||
- '/etc/yum.conf'
|
||||
- '{{ yum_repos.stdout_lines| default([]) }}'
|
||||
|
||||
- name: activate gpg-check for yum rhn if it exists
|
||||
replace:
|
||||
dest: '/etc/yum/pluginconf.d/rhnplugin.conf'
|
||||
regexp: '^\s*gpgcheck: 0'
|
||||
replace: 'gpgcheck: 1'
|
||||
when: rhnplugin_file.stat.exists
|
||||
- '/etc/dnf/dnf.conf'
|
||||
- '{{ yum_repos.stdout_lines| default([]) }}' # noqa 104
|
||||
- '/etc/yum/pluginconf.d/rhnplugin.conf'
|
||||
|
||||
- name: remove deprecated or insecure packages | package-01 - package-09
|
||||
yum:
|
||||
name: '{{ item }}'
|
||||
name: '{{ os_security_packages_list }}'
|
||||
state: 'absent'
|
||||
with_items:
|
||||
- '{{ os_security_packages_list }}'
|
||||
when: os_security_packages_clean
|
||||
when: os_security_packages_clean | bool
|
||||
|
|
|
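Review bot: The "activate gpg-check for config files" task, which now also targets `/etc/dnf/dnf.conf`, keeps `regexp: '^\s*gpgcheck: 0'`, but yum.conf, dnf.conf and the `*.repo` files it loops over are INI files that spell the setting `gpgcheck=0`, so the replacement appears never to match and repositories with signature checking disabled are left as they are. `regexp: '^\s*gpgcheck\s*=\s*0\s*$'` together with `replace: 'gpgcheck=1'` would match the real syntax. The "check if rhnplugin.conf exists" stat task still registers `rhnplugin_file`, yet its only consumer (`when: rhnplugin_file.stat.exists`) was removed when rhnplugin.conf moved into the loop, so that task is now dead and can be dropped; with the guard gone the loop relies on `failed_when: status.rc is defined and status.rc != 257` for the missing file, which is worth stating in a comment next to the `'/etc/yum/pluginconf.d/rhnplugin.conf'` item.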
@ -1,3 +1,5 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
log_file = /var/log/audit/audit.log
|
||||
log_format = RAW
|
||||
log_group = root
|
||||
|
@ -10,7 +12,7 @@ dispatcher = /sbin/audispd
|
|||
name_format = NONE
|
||||
##name = mydomain
|
||||
max_log_file = 6
|
||||
max_log_file_action = keep_logs
|
||||
max_log_file_action = {{ os_auditd_max_log_file_action }}
|
||||
space_left = 75
|
||||
space_left_action = SYSLOG
|
||||
action_mail_acct = root
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
# {{ ansible_managed | comment }}
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
# /etc/default/ufw
|
||||
#
|
||||
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
# {{ ansible_managed | comment }}
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
# This file contains the names of kernel modules that should be loaded at boot time, one per line. Lines beginning with "#" are ignored.
|
||||
#
|
||||
# A list of all available kernel modules kann be found with `find /lib/modules/$(uname -r)/kernel/`
|
||||
|
@ -10,7 +11,7 @@
|
|||
#
|
||||
# Modules for certains builds, contains support modules and some CPU-specific optimizations.
|
||||
|
||||
{% if ansible_architecture == 'x86_64' %}
|
||||
{% if ansible_facts.architecture == 'x86_64' %}
|
||||
# Optimize for x86_64 cryptographic features
|
||||
twofish-x86_64-3way
|
||||
twofish-x86_64
|
||||
|
@ -19,7 +20,7 @@ salsa20-x86_64
|
|||
blowfish-x86_64
|
||||
{% endif %}
|
||||
|
||||
{% if 'amd' in ansible_processor %}
|
||||
{% if 'amd' in ansible_facts.processor %}
|
||||
# AMD-specific optimizations
|
||||
kvm-amd
|
||||
{% else %}
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# See libuser.conf(5) for more information.
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
# {{ ansible_managed | comment }}
|
||||
# See libuser.conf(5) for more information.
|
||||
|
||||
# Do not modify the default module list if you care about unattended calls
|
||||
# to programs (i.e., scripts) working!
|
|
@ -1,4 +1,5 @@
|
|||
# {{ ansible_managed | comment }}
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
# Configuration control definitions for the login package.
|
||||
#
|
||||
# Three items must be defined: `MAIL_DIR`, `ENV_SUPATH`, and `ENV_PATH`. If unspecified, some arbitrary (and possibly incorrect) value will be assumed. All other items are optional - if not specified then the described action or option will be inhibited.
|
||||
|
@ -7,6 +8,7 @@
|
|||
#
|
||||
#-- Modified for Linux. --marekm
|
||||
|
||||
{% if os_useradd_mail_dir is defined %}
|
||||
# *REQUIRED for useradd/userdel/usermod*
|
||||
#
|
||||
# Directory where mailboxes reside, _or_ name of file, relative to the home directory. If you _do_ define `MAIL_DIR` and `MAIL_FILE`, `MAIL_DIR` takes precedence.
|
||||
|
@ -19,136 +21,141 @@
|
|||
#
|
||||
# See default PAM configuration files provided for login, su, etc.
|
||||
# This is a temporary situation: setting these variables will soon move to `/etc/default/useradd` and the variables will then be no more supported
|
||||
MAIL_DIR /var/mail
|
||||
#MAIL_FILE .mail
|
||||
MAIL_DIR {{ os_useradd_mail_dir }}
|
||||
{% endif %}
|
||||
|
||||
{% if os_useradd_create_home is defined %}
|
||||
# If useradd should create home directories for users by default
|
||||
CREATE_HOME {{ 'yes' if os_useradd_create_home else 'no' }}
|
||||
|
||||
{% endif %}
|
||||
# Enable logging and display of `/var/log/faillog` login failure info. This option conflicts with the `pam_tally` PAM module.
|
||||
FAILLOG_ENAB yes
|
||||
FAILLOG_ENAB yes
|
||||
|
||||
# Enable display of unknown usernames when login failures are recorded.
|
||||
#
|
||||
# *WARNING*: Unknown usernames may become world readable. See #290803 and #298773 for details about how this could become a security concern
|
||||
LOG_UNKFAIL_ENAB no
|
||||
LOG_UNKFAIL_ENAB no
|
||||
|
||||
# Enable logging of successful logins
|
||||
LOG_OK_LOGINS yes
|
||||
LOG_OK_LOGINS yes
|
||||
|
||||
# Enable "syslog" logging of su activity - in addition to sulog file logging.
|
||||
SYSLOG_SU_ENAB yes
|
||||
SYSLOG_SU_ENAB yes
|
||||
|
||||
# Enable "syslog" logging of newgrp and sg.
|
||||
SYSLOG_SG_ENAB yes
|
||||
SYSLOG_SG_ENAB yes
|
||||
|
||||
# If defined, all su activity is logged to this file.
|
||||
#SULOG_FILE /var/log/sulog
|
||||
#SULOG_FILE /var/log/sulog
|
||||
|
||||
# If defined, file which maps tty line to `TERM` environment parameter. Each line of the file is in a format something like "vt100 tty01".
|
||||
#TTYTYPE_FILE /etc/ttytype
|
||||
#TTYTYPE_FILE /etc/ttytype
|
||||
|
||||
# If defined, login failures will be logged here in a utmp format last, when invoked as lastb, will read `/var/log/btmp`, so...
|
||||
FTMP_FILE /var/log/btmp
|
||||
FTMP_FILE /var/log/btmp
|
||||
|
||||
# If defined, the command name to display when running "su -". For # example, if this is defined as "su" then a "ps" will display the command is "-su". If not defined, then "ps" would display the name of the shell actually being run, e.g. something like "-sh".
|
||||
SU_NAME su
|
||||
SU_NAME su
|
||||
|
||||
# If defined, file which inhibits all the usual chatter during the login sequence. If a full pathname, then hushed mode will be enabled if the user's name or shell are found in the file. If not a full pathname, then hushed mode will be enabled if the file exists in the user's home directory.
|
||||
#HUSHLOGIN_FILE /etc/hushlogins
|
||||
HUSHLOGIN_FILE .hushlogin
|
||||
#HUSHLOGIN_FILE /etc/hushlogins
|
||||
HUSHLOGIN_FILE .hushlogin
|
||||
|
||||
# *REQUIRED*: The default PATH settings, for superuser and normal users. (they are minimal, add the rest in the shell startup files)
|
||||
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin{{ os_env_extra_user_paths| join (':') }}
|
||||
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:{{ os_env_extra_user_paths | join (':') }}
|
||||
|
||||
# Terminal permissions
|
||||
# --------------------
|
||||
|
||||
# Login tty will be assigned this group ownership.
|
||||
# If you have a "write" program which is "setgid" to a special group which owns the terminals, define `TTYGROUP` to the group number and `TTYPERM` to `0620`. Otherwise leave `TTYGROUP` commented out and assign `TTYPERM` to either `622` or `600`.
|
||||
TTYGROUP tty
|
||||
TTYGROUP tty
|
||||
|
||||
# Login tty will be set to this permission.
|
||||
# In Debian `/usr/bin/bsd-write` or similar programs are setgid tty. However, the default and recommended value for `TTYPERM` is still `0600` to not allow anyone to write to anyone else console or terminal
|
||||
# Users can still allow other people to write them by issuing the `mesg y` command.
|
||||
TTYPERM 0600
|
||||
TTYPERM 0600
|
||||
|
||||
# Login conf initializations
|
||||
# --------------------------
|
||||
|
||||
# Terminal ERASE character ('\010' = backspace). Only used on System V.
|
||||
ERASECHAR 0177
|
||||
ERASECHAR 0177
|
||||
|
||||
# Terminal KILL character ('\025' = CTRL/U). Only used on System V.
|
||||
KILLCHAR 025
|
||||
KILLCHAR 025
|
||||
|
||||
# The default umask value for `pam_umask` and is used by useradd and newusers to set the mode of the new home directories.
|
||||
# If `USERGROUPS_ENAB` is set to `yes`, that will modify this `UMASK` default value for private user groups, i. e. the uid is the same as gid, and username is the same as the primary group name: for these, the user permissions will be used as group permissions, e. g. `022` will become `002`.
|
||||
# Prefix these values with `0` to get octal, `0x` to get hexadecimal.
|
||||
# `022` is the "historical" value in Debian for UMASK
|
||||
# `027`, or even `077`, could be considered better for privacy.
|
||||
UMASK {{ os_env_umask }}
|
||||
UMASK {{ os_env_umask }}
|
||||
|
||||
# Enable setting of the umask group bits to be the same as owner bits (examples: `022` -> `002`, `077` -> `007`) for non-root users, if the uid is the same as gid, and username is the same as the primary group name.
|
||||
# If set to yes, userdel will remove the user´s group if it contains no more members, and useradd will create by default a group with the name of the user.
|
||||
USERGROUPS_ENAB yes
|
||||
USERGROUPS_ENAB yes
|
||||
|
||||
|
||||
# Password aging controls
|
||||
# -----------------------
|
||||
|
||||
# Maximum number of days a password may be used.
|
||||
PASS_MAX_DAYS {{ os_auth_pw_max_age }}
|
||||
PASS_MAX_DAYS {{ os_auth_pw_max_age }}
|
||||
|
||||
# Minimum number of days allowed between password changes.
|
||||
PASS_MIN_DAYS {{ os_auth_pw_min_age }}
|
||||
PASS_MIN_DAYS {{ os_auth_pw_min_age }}
|
||||
|
||||
# Number of days warning given before a password expires.
|
||||
PASS_WARN_AGE 7
|
||||
PASS_WARN_AGE 7
|
||||
|
||||
# Min/max values for automatic uid selection in useradd
|
||||
UID_MIN {{ os_auth_uid_min }}
|
||||
UID_MAX 60000
|
||||
UID_MIN {{ os_auth_uid_min }}
|
||||
UID_MAX 60000
|
||||
# System accounts
|
||||
SYS_UID_MIN {{ os_auth_sys_uid_min }}
|
||||
SYS_UID_MAX {{ os_auth_sys_uid_max }}
|
||||
SYS_UID_MIN {{ os_auth_sys_uid_min }}
|
||||
SYS_UID_MAX {{ os_auth_sys_uid_max }}
|
||||
|
||||
# Min/max values for automatic gid selection in groupadd
|
||||
GID_MIN {{ os_auth_gid_min }}
|
||||
GID_MAX 60000
|
||||
GID_MIN {{ os_auth_gid_min }}
|
||||
GID_MAX 60000
|
||||
# System accounts
|
||||
SYS_GID_MIN {{ os_auth_sys_gid_min }}
|
||||
SYS_GID_MAX {{ os_auth_sys_gid_max }}
|
||||
SYS_GID_MIN {{ os_auth_sys_gid_min }}
|
||||
SYS_GID_MAX {{ os_auth_sys_gid_max }}
|
||||
|
||||
# Max number of login retries if password is bad. This will most likely be overriden by PAM, since the default pam_unix module has it's own built in of 3 retries. However, this is a safe fallback in case you are using an authentication module that does not enforce PAM_MAXTRIES.
|
||||
LOGIN_RETRIES {{ os_auth_retries }}
|
||||
LOGIN_RETRIES {{ os_auth_retries }}
|
||||
|
||||
# Max time in seconds for login
|
||||
LOGIN_TIMEOUT {{ os_auth_timeout }}
|
||||
LOGIN_TIMEOUT {{ os_auth_timeout }}
|
||||
|
||||
# Which fields may be changed by regular users using chfn - use any combination of letters "frwh" (full name, room number, work phone, home phone). If not defined, no changes are allowed.
|
||||
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
|
||||
{% if os_chfn_restrict %}
|
||||
CHFN_RESTRICT {{ os_chfn_restrict }}
|
||||
CHFN_RESTRICT {{ os_chfn_restrict }}
|
||||
{% endif %}
|
||||
# Should login be allowed if we can't cd to the home directory?
|
||||
DEFAULT_HOME {{ 'yes' if os_auth_allow_homeless else 'no' }}
|
||||
DEFAULT_HOME {{ 'yes' if os_auth_allow_homeless else 'no' }}
|
||||
|
||||
# If defined, this command is run when removing a user.
|
||||
# It should remove any at/cron/print jobs etc. owned by
|
||||
# the user to be removed (passed as the first argument).
|
||||
#USERDEL_CMD /usr/sbin/userdel_local
|
||||
#USERDEL_CMD /usr/sbin/userdel_local
|
||||
|
||||
# Instead of the real user shell, the program specified by this parameter will be launched, although its visible name (`argv[0]`) will be the shell's. The program may do whatever it wants (logging, additional authentification, banner, ...) before running the actual shell.
|
||||
#FAKE_SHELL /bin/fakeshell
|
||||
#FAKE_SHELL /bin/fakeshell
|
||||
|
||||
# If defined, either full pathname of a file containing device names or a ":" delimited list of device names. Root logins will be allowed only upon these devices.
|
||||
# This variable is used by login and su.
|
||||
#CONSOLE /etc/consoles
|
||||
#CONSOLE console:tty01:tty02:tty03:tty04
|
||||
#CONSOLE /etc/consoles
|
||||
#CONSOLE console:tty01:tty02:tty03:tty04
|
||||
|
||||
# List of groups to add to the user's supplementary group set when logging in on the console (as determined by the `CONSOLE` setting). Default is none.
|
||||
# Use with caution - it is possible for users to gain permanent access to these groups, even when not logged in on the console. How to do it is left as an exercise for the reader...
|
||||
# This variable is used by login and su.
|
||||
#CONSOLE_GROUPS floppy:audio:cdrom
|
||||
#CONSOLE_GROUPS floppy:audio:cdrom
|
||||
|
||||
# If set to `MD5`, MD5-based algorithm will be used for encrypting password
|
||||
# If set to `SHA256`, SHA256-based algorithm will be used for encrypting password
|
||||
|
@ -158,15 +165,15 @@ DEFAULT_HOME {{ 'yes' if os_auth_allow_homeless else 'no' }}
|
|||
#
|
||||
# Note: It is recommended to use a value consistent with
|
||||
# the PAM modules configuration.
|
||||
MD5_CRYPT_ENAB no
|
||||
ENCRYPT_METHOD SHA512
|
||||
MD5_CRYPT_ENAB no
|
||||
ENCRYPT_METHOD SHA512
|
||||
|
||||
# Only used if `ENCRYPT_METHOD` is set to `SHA256` or `SHA512`: Define the number of SHA rounds.
|
||||
# With a lot of rounds, it is more difficult to brute forcing the password. But note also that it more CPU resources will be needed to authenticate users.
|
||||
# If not specified, the libc will choose the default number of rounds (5000). The values must be inside the 1000-999999999 range. If only one of the MIN or MAX values is set, then this value will be used.
|
||||
# If MIN > MAX, the highest value will be used.
|
||||
#SHA_CRYPT_MIN_ROUNDS 5000
|
||||
#SHA_CRYPT_MAX_ROUNDS 5000
|
||||
#SHA_CRYPT_MIN_ROUNDS 5000
|
||||
#SHA_CRYPT_MAX_ROUNDS 5000
|
||||
|
||||
|
||||
# Obsoleted by PAM
|
||||
|
@ -207,5 +214,3 @@ ENCRYPT_METHOD SHA512
|
|||
# This variable is deprecated. You should use ENCRYPT_METHOD.
|
||||
#
|
||||
#MD5_CRYPT_ENAB no
|
||||
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# {{ ansible_managed | comment }}
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
#%PAM-1.0
|
||||
{% if os_auth_retries > 0 %}
|
||||
|
@ -18,7 +18,7 @@ account sufficient pam_succeed_if.so uid < 500 quiet
|
|||
account required pam_permit.so
|
||||
|
||||
{% if (os_auth_pam_passwdqc_enable|bool) %}
|
||||
{%- if ((ansible_os_family == 'RedHat' and ansible_distribution_version >= '7') or ansible_distribution == 'Amazon') %}
|
||||
{%- if ((ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_version|int is version('7', '>=')) or ansible_facts.distribution == 'Amazon') %}
|
||||
password required pam_pwquality.so {{ os_auth_pam_pwquality_options }}
|
||||
{%- else %}
|
||||
password requisite pam_passwdqc.so {{ os_auth_pam_passwdqc_options }}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# {{ ansible_managed | comment }}
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
# Disable core dumps via soft limits for all users. Compliance to this setting is voluntary and can be modified by users up to a hard limit. This setting is a sane default.
|
||||
ulimit -S -c 0 > /dev/null 2>&1
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
# {{ ansible_managed | comment }}
|
||||
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
# A list of TTYs, from which root can log in
|
||||
# see `man securetty` for reference
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# {{ ansible_managed | comment }}
|
||||
{{ ansible_managed | comment }}
|
||||
|
||||
# color => new RH6.0 bootup
|
||||
# verbose => old-style bootup
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
Name: passwdqc password strength enforcement
|
||||
Default: yes
|
||||
Priority: 1024
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
Name: tally2 lockout after failed attempts enforcement
|
||||
Default: yes
|
||||
Priority: 1024
|
||||
|
|
|
@ -4,10 +4,22 @@
|
|||
roles:
|
||||
- ansible-os-hardening
|
||||
pre_tasks:
|
||||
- name: set ansible_python_interpreter to "/usr/bin/python3" on fedora
|
||||
set_fact:
|
||||
ansible_python_interpreter: "/usr/bin/python3"
|
||||
when: ansible_facts.distribution == 'Fedora'
|
||||
|
||||
- name: Run the equivalent of "apt-get update" as a separate step
|
||||
apt:
|
||||
update_cache: yes
|
||||
when: ansible_os_family == 'Debian'
|
||||
when: ansible_facts.os_family == 'Debian'
|
||||
- name: install required tools on fedora
|
||||
dnf:
|
||||
name:
|
||||
- python
|
||||
- findutils
|
||||
- procps-ng
|
||||
when: ansible_facts.distribution == 'Fedora'
|
||||
- name: create recursing symlink to test minimize access
|
||||
shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
|
||||
vars:
|
||||
|
@ -20,7 +32,7 @@
|
|||
os_auth_allow_homeless: true
|
||||
os_security_suid_sgid_blacklist: ['/bin/umount']
|
||||
os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
|
||||
os_filesystem_whitelist: ['vfat']
|
||||
os_filesystem_whitelist: []
|
||||
sysctl_config:
|
||||
net.ipv4.ip_forward: 0
|
||||
net.ipv6.conf.all.forwarding: 0
|
||||
|
@ -52,23 +64,26 @@
|
|||
net.ipv6.conf.default.accept_ra_rtr_pref: 0
|
||||
net.ipv6.conf.default.accept_ra_pinfo: 0
|
||||
net.ipv6.conf.default.accept_ra_defrtr: 0
|
||||
net.ipv6.conf.default.autoconf: 0
|
||||
net.ipv6.conf.default.conf: 0
|
||||
net.ipv6.conf.default.dad_transmits: 0
|
||||
net.ipv6.conf.default.max_addresses: 1
|
||||
kernel.sysrq: 0
|
||||
fs.suid_dumpable: 0
|
||||
kernel.randomize_va_space: 2
|
||||
|
||||
|
||||
- name: wrapper playbook for kitchen testing "ansible-os-hardening"
|
||||
hosts: localhost
|
||||
vars:
|
||||
- os_auditd_enabled: false
|
||||
os_auditd_enabled: false
|
||||
pre_tasks:
|
||||
- name: set ansible_python_interpreter to "/usr/bin/python3" on fedora
|
||||
set_fact:
|
||||
ansible_python_interpreter: "/usr/bin/python3"
|
||||
when: ansible_facts.distribution == 'Fedora'
|
||||
|
||||
- name: Run the equivalent of "apt-get update" as a separate step
|
||||
apt:
|
||||
update_cache: yes
|
||||
when: ansible_os_family == 'Debian'
|
||||
when: ansible_facts.os_family == 'Debian'
|
||||
roles:
|
||||
- ansible-os-hardening
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
# system accounts that do not get their login disabled and pasword changed
|
||||
os_always_ignore_users: ['root','sync','shutdown','halt', 'ec2-user']
|
||||
os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt', 'ec2-user']
|
||||
|
||||
sysctl_rhel_config:
|
||||
# ExecShield protection against buffer overflows
|
||||
|
|
|
@ -1,13 +1,10 @@
|
|||
---
|
||||
|
||||
os_packages_pam_ccreds: 'libpam-ccreds'
|
||||
os_packages_pam_passwdqc: 'libpam-passwdqc'
|
||||
os_packages_pam_cracklib: 'libpam-cracklib'
|
||||
passwdqc_path: '/usr/share/pam-configs/passwdqc'
|
||||
tally2_path: '/usr/share/pam-configs/tally2'
|
||||
os_nologin_shell_path: '/usr/sbin/nologin'
|
||||
|
||||
auditd_package: 'auditd'
|
||||
modprobe_package: 'kmod'
|
||||
|
||||
# Different distros use different standards for /etc/shadow perms, e.g.
|
||||
# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
|
||||
# You must provide key/value pairs for owner, group, and mode if overriding.
|
||||
|
@ -29,3 +26,12 @@ os_auth_sys_uid_min: 100
|
|||
os_auth_sys_uid_max: 999
|
||||
os_auth_sys_gid_min: 100
|
||||
os_auth_sys_gid_max: 999
|
||||
|
||||
# defaults for useradd
|
||||
os_useradd_mail_dir: /var/mail
|
||||
|
||||
modprobe_package: 'kmod'
|
||||
auditd_package: 'auditd'
|
||||
|
||||
tally2_path: '/usr/share/pam-configs/tally2'
|
||||
passwdqc_path: '/usr/share/pam-configs/passwdqc'
|
||||
|
|
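--- a/ansible/roles/dev-sec.os-hardening/vars/Fedora.yml
+++ b/ansible/roles/dev-sec.os-hardening/vars/Fedora.yml
@@ -0,0 +1,31 @@
+---
+
+os_packages_pam_ccreds: 'pam_ccreds'
+os_packages_pam_passwdqc: 'pam_passwdqc'
+os_packages_pam_cracklib: 'pam_cracklib'
+os_nologin_shell_path: '/sbin/nologin'
+
+# Different distros use different standards for /etc/shadow perms, e.g.
+# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
+# You must provide key/value pairs for owner, group, and mode if overriding.
+os_shadow_perms:
+  owner: root
+  group: root
+  mode: '0000'
+
+os_passwd_perms:
+  owner: root
+  group: root
+  mode: '0644'
+
+os_env_umask: '027'
+
+os_auth_uid_min: 1000
+os_auth_gid_min: 1000
+os_auth_sys_uid_min: 201
+os_auth_sys_uid_max: 999
+os_auth_sys_gid_min: 201
+os_auth_sys_gid_max: 999
+
+modprobe_package: 'module-init-tools'
+auditd_package: 'audit'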
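Review bot: `modprobe_package: 'module-init-tools'` looks doubtful for Fedora, where modprobe has for a long time been shipped by `kmod` — the name the Debian vars file in this same commit uses (`modprobe_package: 'kmod'`) — so installing this variable's package may fail on current Fedora releases unless the kmod package still provides the legacy name; `modprobe_package: 'kmod'` is the safer value. The remaining entries are copied from the RedHat vars file; a one-line comment noting which Fedora release they were verified against would help the next role update, since Fedora package names move faster than RHEL's.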
@ -1,6 +1,8 @@
|
|||
os_packages_pam_ccreds: 'pam_ccreds'
|
||||
os_packages_pam_passwdqc: 'pam_passwdqc'
|
||||
os_packages_pam_cracklib: 'pam_cracklib'
|
||||
---
|
||||
|
||||
os_packages_pam_ccreds: 'pam_ccreds'
|
||||
os_packages_pam_passwdqc: 'pam_passwdqc'
|
||||
os_packages_pam_cracklib: 'pam_cracklib'
|
||||
os_nologin_shell_path: '/sbin/nologin'
|
||||
|
||||
# Different distros use different standards for /etc/shadow perms, e.g.
|
||||
|
|
|
@ -1,8 +1,5 @@
|
|||
---
|
||||
|
||||
modprobe_package: 'module-init-tools'
|
||||
auditd_package: 'audit'
|
||||
|
||||
os_packages_pam_ccreds: 'pam_ccreds'
|
||||
os_packages_pam_passwdqc: 'pam_passwdqc'
|
||||
os_packages_pam_cracklib: 'pam_cracklib'
|
||||
|
@ -29,3 +26,10 @@ os_auth_sys_uid_min: 201
|
|||
os_auth_sys_uid_max: 999
|
||||
os_auth_sys_gid_min: 201
|
||||
os_auth_sys_gid_max: 999
|
||||
|
||||
# defaults for useradd
|
||||
os_useradd_mail_dir: /var/spool/mail
|
||||
os_useradd_create_home: true
|
||||
|
||||
modprobe_package: 'module-init-tools'
|
||||
auditd_package: 'audit'
|
||||
|
|
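--- a/ansible/roles/dev-sec.os-hardening/vars/Suse.yml
+++ b/ansible/roles/dev-sec.os-hardening/vars/Suse.yml
@@ -0,0 +1,34 @@
+---
+
+os_packages_pam_ccreds: 'pam_ccreds'
+os_packages_pam_passwdqc: 'pam_passwdqc'
+os_packages_pam_cracklib: 'cracklib'
+os_nologin_shell_path: '/sbin/nologin'
+
+# Different distros use different standards for /etc/shadow perms, e.g.
+# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
+# You must provide key/value pairs for owner, group, and mode if overriding.
+os_shadow_perms:
+  owner: root
+  group: root
+  mode: '0600'
+
+os_passwd_perms:
+  owner: root
+  group: root
+  mode: '0644'
+
+os_env_umask: '027'
+
+os_auth_uid_min: 1000
+os_auth_gid_min: 1000
+os_auth_sys_uid_min: 100
+os_auth_sys_uid_max: 499
+os_auth_sys_gid_min: 100
+os_auth_sys_gid_max: 499
+
+# defaults for useradd
+os_useradd_create_home: false
+
+modprobe_package: 'kmod-compat'
+auditd_package: 'audit'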
@ -108,4 +108,4 @@ os_security_suid_sgid_system_whitelist:
|
|||
- '/usr/lib/libvte-2.90-9/gnome-pty-helper' # gnome
|
||||
|
||||
# system accounts that do not get their login disabled and pasword changed
|
||||
os_always_ignore_users: ['root','sync','shutdown','halt']
|
||||
os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt']
|
||||
|
|
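--- /dev/null
+++ b/ansible/roles/dev-sec.ssh-hardening/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,40 @@
+---
+name: Bug report
+about: Create a report to help us improve
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Actual behavior**
+<!--- Paste verbatim command output between quotes -->
+```paste below
+
+```
+**Example Playbook**
+<!--- Paste an example playbook that can be used to reproduce the problem between quotes -->
+```paste below
+
+```
+
+**OS / Environment**
+<!--- Provide all relevant information below, e.g. target OS versions, network device firmware, etc. -->
+
+**Ansible Version**
+<!--- Paste verbatim output from "ansible --version" between quotes -->
+```paste below
+
+```
+
+**Role Version**
+<!--- Paste version of the role between quotes -->
+```paste below
+
+```
+
+**Additional context**
+Add any other context about the problem here.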
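--- /dev/null
+++ b/ansible/roles/dev-sec.ssh-hardening/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,17 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.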
34
ansible/roles/dev-sec.ssh-hardening/.github/workflows/changelog.yml
vendored
Normal file
|
@ -0,0 +1,34 @@
|
|||
name: Create Changelog
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
types: [closed]
|
||||
|
||||
release:
|
||||
types: [published]
|
||||
|
||||
issues:
|
||||
types: [closed, edited]
|
||||
|
||||
jobs:
|
||||
generate_changelog:
|
||||
runs-on: ubuntu-latest
|
||||
name: Generate changelog for master branch
|
||||
steps:
|
||||
- uses: actions/checkout@v1
|
||||
|
||||
- name: Generate changelog
|
||||
uses: charmixer/auto-changelog-action@v1
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: push
|
||||
uses: github-actions-x/commit@v2.6
|
||||
with:
|
||||
github-token: ${{ secrets.GITHUB_TOKEN }}
|
||||
push-branch: 'master'
|
||||
commit-message: 'update changelog'
|
||||
force-add: 'true'
|
||||
files: CHANGELOG.md
|
||||
name: dev-sec CI
|
||||
email: github@gumpri.ch
|
51
ansible/roles/dev-sec.ssh-hardening/.github/workflows/release.yml
vendored
Normal file
|
@ -0,0 +1,51 @@
|
|||
name: New release
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
|
||||
jobs:
|
||||
generate_changelog:
|
||||
runs-on: ubuntu-latest
|
||||
name: create release draft
|
||||
steps:
|
||||
- uses: actions/checkout@v1
|
||||
|
||||
- name: 'Get Previous tag'
|
||||
id: previoustag
|
||||
uses: "WyriHaximus/github-action-get-previous-tag@master"
|
||||
env:
|
||||
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
|
||||
|
||||
- name: calculate next version
|
||||
id: version
|
||||
uses: patrickjahns/version-drafter-action@v1
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: Generate changelog
|
||||
uses: charmixer/auto-changelog-action@v1
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
since_tag: ${{ steps.previoustag.outputs.tag }}
|
||||
# wait for https://github.com/CharMixer/auto-changelog-action/pull/3
|
||||
#future_release: ${{ steps.version.outputs.next-version }}
|
||||
|
||||
- name: Read CHANGELOG.md
|
||||
id: package
|
||||
uses: juliangruber/read-file-action@v1
|
||||
with:
|
||||
path: ./CHANGELOG.md
|
||||
|
||||
- name: Create Release draft
|
||||
id: create_release
|
||||
uses: actions/create-release@v1
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
|
||||
with:
|
||||
release_name: ${{ steps.version.outputs.next-version }}
|
||||
tag_name: ${{ steps.version.outputs.next-version }}
|
||||
body: |
|
||||
${{ steps.package.outputs.content }}
|
||||
draft: true
|
|
@ -17,7 +17,7 @@ provisioner:
|
|||
require_ansible_omnibus: true
|
||||
ansible_verbose: true
|
||||
ansible_diff: true
|
||||
hosts: all
|
||||
|
||||
roles_path: ../ansible-ssh-hardening/
|
||||
http_proxy: <%= ENV['http_proxy'] || nil %>
|
||||
https_proxy: <%= ENV['https_proxy'] || nil %>
|
||||
|
|
|
@ -20,56 +20,34 @@ provisioner:
|
|||
http_proxy: <%= ENV['http_proxy'] || nil %>
|
||||
https_proxy: <%= ENV['https_proxy'] || nil %>
|
||||
|
||||
transport:
|
||||
max_ssh_sessions: 5
|
||||
|
||||
platforms:
|
||||
- name: ubuntu-12.04
|
||||
driver_config:
|
||||
box: opscode-ubuntu-12.04
|
||||
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box
|
||||
- name: ubuntu-14.04
|
||||
driver_config:
|
||||
box: opscode-ubuntu-14.04
|
||||
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box
|
||||
- name: ubuntu-16.04
|
||||
driver_config:
|
||||
box: opscode-ubuntu-16.04
|
||||
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-16.04_chef-provisionerless.box
|
||||
- name: centos-6.4
|
||||
- name: centos-7.2
|
||||
box: bento/ubuntu-16.04
|
||||
- name: ubuntu-18.04
|
||||
driver_config:
|
||||
box: opscode-centos-7.2
|
||||
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-7.2_chef-provisionerless.box
|
||||
- name: centos-6.5
|
||||
box: bento/ubuntu-18.04
|
||||
- name: centos-6
|
||||
driver_config:
|
||||
box: opscode-centos-6.5
|
||||
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box
|
||||
- name: centos-6.8
|
||||
driver_config:
|
||||
box: bento/centos-6.8
|
||||
box: bento/centos-6
|
||||
- name: centos-7
|
||||
driver_config:
|
||||
box: bento/centos-7.2
|
||||
- name: oracle-6.4
|
||||
box: bento/centos-7
|
||||
- name: oracle-6
|
||||
driver_config:
|
||||
box: oracle-6.4
|
||||
box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel64-64.box
|
||||
- name: oracle-6.5
|
||||
driver_config:
|
||||
box: oracle-6.5
|
||||
box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box
|
||||
box: bento/oracle-6
|
||||
- name: oracle-7
|
||||
driver_config:
|
||||
box: boxcutter/ol72
|
||||
- name: debian-7
|
||||
box: bento/oracle-7
|
||||
- name: debian-9
|
||||
driver_config:
|
||||
box: debian-7
|
||||
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-7.8_chef-provisionerless.box
|
||||
- name: debian-8
|
||||
box: bento/debian-9
|
||||
- name: debian-10
|
||||
driver_config:
|
||||
box: debian-8
|
||||
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box
|
||||
box: bento/debian-10
|
||||
- name: amazon
|
||||
driver_config:
|
||||
box: bento/amazonlinux-2
|
||||
|
||||
verifier:
|
||||
name: inspec
|
||||
|
|
|
@ -6,9 +6,6 @@ driver:
|
|||
http_proxy: <%= ENV['http_proxy'] || nil %>
|
||||
https_proxy: <%= ENV['https_proxy'] || nil %>
|
||||
|
||||
transport:
|
||||
max_ssh_sessions: 5
|
||||
|
||||
provisioner:
|
||||
name: ansible_playbook
|
||||
hosts: all
|
||||
|
@ -17,12 +14,12 @@ provisioner:
|
|||
require_ruby_for_busser: false
|
||||
ansible_verbose: true
|
||||
ansible_diff: true
|
||||
hosts: all
|
||||
|
||||
roles_path: ../ansible-ssh-hardening/
|
||||
http_proxy: <%= ENV['http_proxy'] || nil %>
|
||||
https_proxy: <%= ENV['https_proxy'] || nil %>
|
||||
playbook: tests/default.yml
|
||||
ansible_diff: true
|
||||
|
||||
ansible_extra_flags:
|
||||
- "--skip-tags=sysctl"
|
||||
|
||||
|
@ -51,10 +48,6 @@ platforms:
|
|||
provision_command:
|
||||
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
|
||||
- systemctl enable sshd.service
|
||||
- name: ubuntu1404-ansible-latest
|
||||
driver:
|
||||
image: rndmh3ro/docker-ubuntu1404-ansible:latest
|
||||
platform: ubuntu
|
||||
- name: ubuntu1604-ansible-latest
|
||||
driver:
|
||||
image: rndmh3ro/docker-ubuntu1604-ansible:latest
|
||||
|
@ -62,14 +55,13 @@ platforms:
|
|||
run_command: /sbin/init
|
||||
provision_command:
|
||||
- systemctl enable ssh.service
|
||||
- name: debian7-ansible-latest
|
||||
- name: ubuntu1804-ansible-latest
|
||||
driver:
|
||||
image: rndmh3ro/docker-debian7-ansible:latest
|
||||
platform: debian
|
||||
- name: debian8-ansible-latest
|
||||
driver:
|
||||
image: rndmh3ro/docker-debian8-ansible:latest
|
||||
platform: debian
|
||||
image: rndmh3ro/docker-ubuntu1804-ansible:latest
|
||||
platform: ubuntu
|
||||
run_command: /sbin/init
|
||||
provision_command:
|
||||
- systemctl enable ssh.service
|
||||
- name: debian9-ansible-latest
|
||||
driver:
|
||||
image: rndmh3ro/docker-debian9-ansible:latest
|
||||
|
@ -78,6 +70,14 @@ platforms:
|
|||
provision_command:
|
||||
- apt install -y systemd-sysv
|
||||
- systemctl enable ssh.service
|
||||
- name: debian10-ansible-latest
|
||||
driver:
|
||||
image: rndmh3ro/docker-debian10-ansible
|
||||
platform: debian
|
||||
run_command: /sbin/init
|
||||
provision_command:
|
||||
- apt install -y systemd-sysv
|
||||
- systemctl enable ssh.service
|
||||
- name: amazon-ansible-latest
|
||||
driver:
|
||||
image: rndmh3ro/docker-amazon-ansible:latest
|
||||
|
@ -86,6 +86,15 @@ platforms:
|
|||
provision_command:
|
||||
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
|
||||
- systemctl enable sshd.service
|
||||
- name: fedora-ansible-latest
|
||||
driver:
|
||||
image: rndmh3ro/docker-fedora-ansible:latest
|
||||
platform: centos
|
||||
run_command: /sbin/init
|
||||
provision_command:
|
||||
- dnf install -y python
|
||||
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
|
||||
- systemctl enable sshd.service
|
||||
|
||||
verifier:
|
||||
name: inspec
|
||||
|
|
|
@ -25,17 +25,9 @@ env:
|
|||
init: /lib/systemd/systemd
|
||||
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
||||
|
||||
- distro: ubuntu1404
|
||||
- distro: ubuntu1804
|
||||
version: latest
|
||||
init: /sbin/init
|
||||
|
||||
- distro: debian7
|
||||
version: latest
|
||||
init: /sbin/init
|
||||
|
||||
- distro: debian8
|
||||
version: latest
|
||||
init: /sbin/init
|
||||
init: /lib/systemd/systemd
|
||||
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
||||
|
||||
- distro: debian9
|
||||
|
@ -43,29 +35,42 @@ env:
|
|||
init: /lib/systemd/systemd
|
||||
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
||||
|
||||
- distro: debian10
|
||||
version: latest
|
||||
init: /lib/systemd/systemd
|
||||
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
||||
|
||||
- distro: amazon
|
||||
init: /lib/systemd/systemd
|
||||
version: latest
|
||||
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
||||
|
||||
- distro: fedora
|
||||
init: /lib/systemd/systemd
|
||||
version: latest
|
||||
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
||||
|
||||
before_install:
|
||||
# Pull container
|
||||
- 'docker pull rndmh3ro/docker-${distro}-ansible:${version}'
|
||||
|
||||
script:
|
||||
- pip install --user ansible-lint
|
||||
- ansible-lint ./
|
||||
|
||||
- container_id=$(mktemp)
|
||||
# Run container in detached state.
|
||||
- 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-ssh-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
|
||||
|
||||
# Test role.
|
||||
- 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default_custom.yml'
|
||||
- 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default.yml'
|
||||
- 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default_custom.yml --diff'
|
||||
- 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default.yml --diff'
|
||||
|
||||
# Verify role
|
||||
# remove the UseLogin-check, see here for reasons: https://github.com/dev-sec/ansible-ssh-hardening/pull/141
|
||||
- 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=sshd-01 sshd-02 sshd-03 sshd-04 sshd-05 sshd-06 sshd-07 sshd-08 sshd-09 sshd-10 sshd-11 sshd-12 sshd-13 sshd-14 sshd-16 sshd-17 sshd-18 sshd-19 sshd-20 sshd-21 sshd-22 sshd-23 sshd-24 sshd-25 sshd-26 sshd-27 sshd-28 sshd-29 sshd-30 sshd-31 sshd-32 sshd-33 sshd-34 sshd-35 sshd-36 sshd-37 sshd-38 sshd-39 sshd-40 sshd-41 sshd-42 sshd-43 sshd-44 sshd-45 sshd-46 sshd-47 sshd-48 --no-distinct-exit'
|
||||
- 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=sshd-01 sshd-02 sshd-03 sshd-04 sshd-05 sshd-06 sshd-07 sshd-08 sshd-09 sshd-10 sshd-11 sshd-12 sshd-13 sshd-14 sshd-15 sshd-16 sshd-17 sshd-18 sshd-19 sshd-20 sshd-21 sshd-22 sshd-23 sshd-24 sshd-25 sshd-26 sshd-27 sshd-28 sshd-29 sshd-30 sshd-31 sshd-32 sshd-33 sshd-34 sshd-35 sshd-36 sshd-37 sshd-38 sshd-39 sshd-40 sshd-41 sshd-42 sshd-43 sshd-44 sshd-45 sshd-46 sshd-47 sshd-48 --no-distinct-exit'
|
||||
# remove UseRoaming and RhostsRSAAuthentication because these options are deprecated - ssh-14, ssh-15, ssh-21
|
||||
- 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=ssh-01 ssh-02 ssh-03 ssh-04 ssh-05 ssh-06 ssh-07 ssh-08 ssh-09 ssh-10 ssh-11 ssh-12 ssh-13 ssh-16 ssh-17 ssh-18 ssh-19 ssh-20 --no-distinct-exit'
|
||||
- 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=ssh-01 ssh-02 ssh-03 ssh-04 ssh-05 ssh-06 ssh-07 ssh-08 ssh-09 ssh-10 ssh-11 ssh-12 ssh-13 ssh-14 ssh-15 ssh-16 ssh-17 ssh-18 ssh-19 ssh-20 --no-distinct-exit'
|
||||
|
||||
notifications:
|
||||
webhooks: https://galaxy.ansible.com/api/v1/notifications/
|
||||
|
|
|
@ -1,6 +1,217 @@
|
|||
# Change Log
|
||||
# Changelog
|
||||
|
||||
## [Unreleased](https://github.com/dev-sec/ansible-ssh-hardening/tree/HEAD)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/8.0.0...HEAD)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- add changelog and release workflow [\#282](https://github.com/dev-sec/ansible-ssh-hardening/pull/282) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- fix: Ansible part of Fedora build [\#281](https://github.com/dev-sec/ansible-ssh-hardening/pull/281) ([kostasns](https://github.com/kostasns))
|
||||
- Add changelog action [\#280](https://github.com/dev-sec/ansible-ssh-hardening/pull/280) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- fix: Amazon linux build [\#279](https://github.com/dev-sec/ansible-ssh-hardening/pull/279) ([kostasns](https://github.com/kostasns))
|
||||
- feat: Allow to set custom list of HostKeyAlgorithms [\#278](https://github.com/dev-sec/ansible-ssh-hardening/pull/278) ([kostasns](https://github.com/kostasns))
|
||||
- fix\(ansible\_facts\): replace few remaining facts from 'ansible\_' to using 'ansible\_facts' dictionary [\#277](https://github.com/dev-sec/ansible-ssh-hardening/pull/277) ([kostasns](https://github.com/kostasns))
|
||||
|
||||
## [8.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/8.0.0) (2020-04-21)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/7.0.0...8.0.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- Remove dependency on bash [\#265](https://github.com/dev-sec/ansible-ssh-hardening/issues/265)
|
||||
- Possibility to use other value than yes/no for AllowTCPforwarding [\#255](https://github.com/dev-sec/ansible-ssh-hardening/issues/255)
|
||||
- Add support for Debian Buster in ansible-ssh-hardening [\#248](https://github.com/dev-sec/ansible-ssh-hardening/issues/248)
|
||||
- Some options not configurable via the role [\#239](https://github.com/dev-sec/ansible-ssh-hardening/issues/239)
|
||||
- PermitUserEnvironment should not be conflated with AcceptEnv [\#232](https://github.com/dev-sec/ansible-ssh-hardening/issues/232)
|
||||
- Disable also dynamic MOTD via PAM if enabled - refs \#271 [\#273](https://github.com/dev-sec/ansible-ssh-hardening/pull/273) ([ancoron](https://github.com/ancoron))
|
||||
- Use sha2 HMACs on RHEL 6 / CentOS 6. [\#270](https://github.com/dev-sec/ansible-ssh-hardening/pull/270) ([foonix](https://github.com/foonix))
|
||||
- Removing 2fa [\#269](https://github.com/dev-sec/ansible-ssh-hardening/pull/269) ([dennisse](https://github.com/dennisse))
|
||||
- Renaming Ansible variables discovered from systems [\#268](https://github.com/dev-sec/ansible-ssh-hardening/pull/268) ([PovilasGT](https://github.com/PovilasGT))
|
||||
- Do not use bash to get ssh version [\#266](https://github.com/dev-sec/ansible-ssh-hardening/pull/266) ([kljensen](https://github.com/kljensen))
|
||||
- Add 'all', 'local', 'yes', 'no' options support for AllowTcpForwarding variable [\#257](https://github.com/dev-sec/ansible-ssh-hardening/pull/257) ([brnck](https://github.com/brnck))
|
||||
- Support KEX for OpenSSH 8.0+ & quantum resistant KEX [\#254](https://github.com/dev-sec/ansible-ssh-hardening/pull/254) ([lunarthegrey](https://github.com/lunarthegrey))
|
||||
- SFTP: set default umask to 0027 [\#252](https://github.com/dev-sec/ansible-ssh-hardening/pull/252) ([Slamdunk](https://github.com/Slamdunk))
|
||||
- Separate PermitUserEnviroment from AcceptEnv [\#251](https://github.com/dev-sec/ansible-ssh-hardening/pull/251) ([szEvEz](https://github.com/szEvEz))
|
||||
- Feature: Debian 10 \(Buster\) support [\#249](https://github.com/dev-sec/ansible-ssh-hardening/pull/249) ([jaredledvina](https://github.com/jaredledvina))
|
||||
- fix broken packages, extend README with furhter development instructions [\#246](https://github.com/dev-sec/ansible-ssh-hardening/pull/246) ([szEvEz](https://github.com/szEvEz))
|
||||
- refactor authenticationmethod settings, allow user to set authenticat… [\#245](https://github.com/dev-sec/ansible-ssh-hardening/pull/245) ([szEvEz](https://github.com/szEvEz))
|
||||
- RHEL/OL/CentOS 8 support [\#242](https://github.com/dev-sec/ansible-ssh-hardening/pull/242) ([Furragen](https://github.com/Furragen))
|
||||
- Added ssh\_syslog\_facility, ssh\_log\_level and ssh\_strict\_modes parameters [\#240](https://github.com/dev-sec/ansible-ssh-hardening/pull/240) ([bschonec](https://github.com/bschonec))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- HostKey comment "\# Req 20" breaks key based auth [\#262](https://github.com/dev-sec/ansible-ssh-hardening/issues/262)
|
||||
- SSH fails to start/connect if custom server ports is set on CentOS 7.6 [\#212](https://github.com/dev-sec/ansible-ssh-hardening/issues/212)
|
||||
- Google 2fa authentication problem [\#170](https://github.com/dev-sec/ansible-ssh-hardening/issues/170)
|
||||
- vars: remove empty main.yml file [\#274](https://github.com/dev-sec/ansible-ssh-hardening/pull/274) ([paulfantom](https://github.com/paulfantom))
|
||||
- Only manage moduli when hardening server [\#267](https://github.com/dev-sec/ansible-ssh-hardening/pull/267) ([jbronn](https://github.com/jbronn))
|
||||
- Remove comment from sshd config HostKey param [\#263](https://github.com/dev-sec/ansible-ssh-hardening/pull/263) ([abtreece](https://github.com/abtreece))
|
||||
|
||||
## [7.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/7.0.0) (2019-09-15)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.2.0...7.0.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- Add new option ssh\_server\_match\_address [\#230](https://github.com/dev-sec/ansible-ssh-hardening/issues/230)
|
||||
- set UsePAM to yes by default [\#233](https://github.com/dev-sec/ansible-ssh-hardening/pull/233) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- Unable to connect after applying the role \(Ubuntu 18.04, AWS EC2\) [\#229](https://github.com/dev-sec/ansible-ssh-hardening/issues/229)
|
||||
|
||||
**Closed issues:**
|
||||
|
||||
- Can't connect to new instance created from hardened image [\#189](https://github.com/dev-sec/ansible-ssh-hardening/issues/189)
|
||||
|
||||
**Merged pull requests:**
|
||||
|
||||
- changed string comparison to version comparison [\#234](https://github.com/dev-sec/ansible-ssh-hardening/pull/234) ([gobind-singh](https://github.com/gobind-singh))
|
||||
|
||||
## [6.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.2.0) (2019-08-05)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.1.3...6.2.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- added support for `ssh\_server\_match\_address` \(\#230\) [\#231](https://github.com/dev-sec/ansible-ssh-hardening/pull/231) ([MatthiasLohr](https://github.com/MatthiasLohr))
|
||||
|
||||
## [6.1.3](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.1.3) (2019-06-09)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.1.2...6.1.3)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- Fix squash\_actions deprecation in test playbooks [\#228](https://github.com/dev-sec/ansible-ssh-hardening/pull/228) ([Normo](https://github.com/Normo))
|
||||
- Fix deprecation warnings in Ansible 2.8 [\#227](https://github.com/dev-sec/ansible-ssh-hardening/pull/227) ([Normo](https://github.com/Normo))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- deprecation warnings in Ansible 2.8 [\#226](https://github.com/dev-sec/ansible-ssh-hardening/issues/226)
|
||||
|
||||
## [6.1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.1.2) (2019-05-17)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.1.1...6.1.2)
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- sshd\_custom\_options used in ssh\_config generation [\#224](https://github.com/dev-sec/ansible-ssh-hardening/issues/224)
|
||||
|
||||
**Merged pull requests:**
|
||||
|
||||
- use correct variable ssh\_custom\_options in ssh\_config template [\#225](https://github.com/dev-sec/ansible-ssh-hardening/pull/225) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [6.1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.1.1) (2019-05-07)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.1.0...6.1.1)
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- Missing indent for `ChrootDirectory` in `Match Group sftponly` [\#221](https://github.com/dev-sec/ansible-ssh-hardening/issues/221)
|
||||
|
||||
**Merged pull requests:**
|
||||
|
||||
- fix indentation for matches [\#222](https://github.com/dev-sec/ansible-ssh-hardening/pull/222) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [6.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.1.0) (2019-05-04)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.0.0...6.1.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- PermitRootLogin yes [\#190](https://github.com/dev-sec/ansible-ssh-hardening/issues/190)
|
||||
- Match Group' in configuration but 'user' not in connection test specification [\#188](https://github.com/dev-sec/ansible-ssh-hardening/issues/188)
|
||||
- Allow custom values [\#175](https://github.com/dev-sec/ansible-ssh-hardening/issues/175)
|
||||
- use selinux fact to check if selinux is used [\#220](https://github.com/dev-sec/ansible-ssh-hardening/pull/220) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Remove eol os and add fedora [\#218](https://github.com/dev-sec/ansible-ssh-hardening/pull/218) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- document and move custom variables [\#217](https://github.com/dev-sec/ansible-ssh-hardening/pull/217) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- fix: allow other ssh ports using selinux [\#214](https://github.com/dev-sec/ansible-ssh-hardening/pull/214) ([guilieb](https://github.com/guilieb))
|
||||
- Make ansible-lint happy [\#204](https://github.com/dev-sec/ansible-ssh-hardening/pull/204) ([alexclear](https://github.com/alexclear))
|
||||
- Fix ssh and sshd config files to satisfy inspec reqs on all Testkitchen setups [\#203](https://github.com/dev-sec/ansible-ssh-hardening/pull/203) ([alexclear](https://github.com/alexclear))
|
||||
- enable ssh 7.7p1 support [\#202](https://github.com/dev-sec/ansible-ssh-hardening/pull/202) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Removed DEPRECATION WARNING for apt, using list instead of with\_items [\#201](https://github.com/dev-sec/ansible-ssh-hardening/pull/201) ([jonaswre](https://github.com/jonaswre))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- Using more than one rule in a Group or User Match block? [\#207](https://github.com/dev-sec/ansible-ssh-hardening/issues/207)
|
||||
- fix multiple match rules not working \#207 [\#208](https://github.com/dev-sec/ansible-ssh-hardening/pull/208) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [6.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.0.0) (2018-11-18)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/5.0.0...6.0.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- Ubuntu 18.04 support [\#182](https://github.com/dev-sec/ansible-ssh-hardening/issues/182)
|
||||
- Update opensshd.conf.js [\#196](https://github.com/dev-sec/ansible-ssh-hardening/pull/196) ([ikr0m](https://github.com/ikr0m))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- GSSAPI support broken. Can't be enabled. [\#192](https://github.com/dev-sec/ansible-ssh-hardening/issues/192)
|
||||
- Unsupported option "rhostsrsaauthentication" "rsaauthentication" [\#184](https://github.com/dev-sec/ansible-ssh-hardening/issues/184)
|
||||
- Weak kex are controlled by wrong variable ? [\#174](https://github.com/dev-sec/ansible-ssh-hardening/issues/174)
|
||||
- Can't connect to server by SSH after applying this role [\#115](https://github.com/dev-sec/ansible-ssh-hardening/issues/115)
|
||||
|
||||
**Closed issues:**
|
||||
|
||||
- Support StreamLocalBindUnlink [\#197](https://github.com/dev-sec/ansible-ssh-hardening/issues/197)
|
||||
- Add molecule testing [\#183](https://github.com/dev-sec/ansible-ssh-hardening/issues/183)
|
||||
|
||||
**Merged pull requests:**
|
||||
|
||||
- Support for custom configuration [\#199](https://github.com/dev-sec/ansible-ssh-hardening/pull/199) ([MatthiasLohr](https://github.com/MatthiasLohr))
|
||||
- parameterize PermitRootLogin [\#195](https://github.com/dev-sec/ansible-ssh-hardening/pull/195) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- set 'GSSAPIAuthentication yes' if variable 'ssh\_gssapi\_support' is set to 'true' [\#194](https://github.com/dev-sec/ansible-ssh-hardening/pull/194) ([szEvEz](https://github.com/szEvEz))
|
||||
- Use ansible version compare module [\#187](https://github.com/dev-sec/ansible-ssh-hardening/pull/187) ([BentoumiTech](https://github.com/BentoumiTech))
|
||||
- add ubuntu 18.04 support [\#186](https://github.com/dev-sec/ansible-ssh-hardening/pull/186) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [5.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/5.0.0) (2018-09-16)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.4.0...5.0.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- Fixing the broken Ansible dependency mechanism [\#176](https://github.com/dev-sec/ansible-ssh-hardening/issues/176)
|
||||
- Include new baseline-tests [\#161](https://github.com/dev-sec/ansible-ssh-hardening/issues/161)
|
||||
- GlobalKnownHostsFile missing from ssh\_config [\#155](https://github.com/dev-sec/ansible-ssh-hardening/issues/155)
|
||||
- Options not compatible with OpenSSH server 7.6 [\#151](https://github.com/dev-sec/ansible-ssh-hardening/issues/151)
|
||||
- Kitchen travis [\#180](https://github.com/dev-sec/ansible-ssh-hardening/pull/180) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- update config of kex, macs, ciphers [\#179](https://github.com/dev-sec/ansible-ssh-hardening/pull/179) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- add debian 9 and a comment [\#178](https://github.com/dev-sec/ansible-ssh-hardening/pull/178) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Dependency flag [\#177](https://github.com/dev-sec/ansible-ssh-hardening/pull/177) ([jcheroske](https://github.com/jcheroske))
|
||||
- Travis [\#173](https://github.com/dev-sec/ansible-ssh-hardening/pull/173) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- OpenBSD Support [\#171](https://github.com/dev-sec/ansible-ssh-hardening/pull/171) ([jbronn](https://github.com/jbronn))
|
||||
- Implement disabling chroot for sftp [\#166](https://github.com/dev-sec/ansible-ssh-hardening/pull/166) ([towo](https://github.com/towo))
|
||||
- New tests [\#163](https://github.com/dev-sec/ansible-ssh-hardening/pull/163) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- yaml-lint update, refactor tasks [\#162](https://github.com/dev-sec/ansible-ssh-hardening/pull/162) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Handle a few deprecated OpenSSH options [\#160](https://github.com/dev-sec/ansible-ssh-hardening/pull/160) ([ageis](https://github.com/ageis))
|
||||
- Added support for TrustedUserCAKeys and AuthorizedPrincipalsFile. [\#157](https://github.com/dev-sec/ansible-ssh-hardening/pull/157) ([gdelafond](https://github.com/gdelafond))
|
||||
- Adds sshd config for keyboard-interactive pam device [\#156](https://github.com/dev-sec/ansible-ssh-hardening/pull/156) ([rcII](https://github.com/rcII))
|
||||
- Use package state 'present' since 'installed' is deprecated [\#154](https://github.com/dev-sec/ansible-ssh-hardening/pull/154) ([Normo](https://github.com/Normo))
|
||||
- conform to current dev-sec/ssh-baseline [\#150](https://github.com/dev-sec/ansible-ssh-hardening/pull/150) ([alval5280](https://github.com/alval5280))
|
||||
- new parameter: ssh\_max\_startups [\#149](https://github.com/dev-sec/ansible-ssh-hardening/pull/149) ([aeschbacher](https://github.com/aeschbacher))
|
||||
- Update syntax to 2.4 [\#148](https://github.com/dev-sec/ansible-ssh-hardening/pull/148) ([thomasjpfan](https://github.com/thomasjpfan))
|
||||
- Amazonlinux-Testing [\#147](https://github.com/dev-sec/ansible-ssh-hardening/pull/147) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Fixed trailing whitespace [\#146](https://github.com/dev-sec/ansible-ssh-hardening/pull/146) ([zbrojny120](https://github.com/zbrojny120))
|
||||
- Add support for Amazon Linux [\#145](https://github.com/dev-sec/ansible-ssh-hardening/pull/145) ([woneill](https://github.com/woneill))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- ssh\_server\_weak\_kex variable is not used any where [\#167](https://github.com/dev-sec/ansible-ssh-hardening/issues/167)
|
||||
- opensshd.conf.j2 template type error [\#159](https://github.com/dev-sec/ansible-ssh-hardening/issues/159)
|
||||
- line 56: Bad SSH2 mac spec [\#135](https://github.com/dev-sec/ansible-ssh-hardening/issues/135)
|
||||
|
||||
**Closed issues:**
|
||||
|
||||
- Travis & Debian 9 "Stretch" [\#158](https://github.com/dev-sec/ansible-ssh-hardening/issues/158)
|
||||
|
||||
**Merged pull requests:**
|
||||
|
||||
- remove oracle7 from travis tests for the time being [\#181](https://github.com/dev-sec/ansible-ssh-hardening/pull/181) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [4.4.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.4.0) (2017-12-29)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.3.1...4.4.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
@ -10,12 +221,11 @@
|
|||
- allow configuration of GatewayPorts [\#136](https://github.com/dev-sec/ansible-ssh-hardening/pull/136) ([pwyliu](https://github.com/pwyliu))
|
||||
- Added support for AuthorizedKeysFile config setting [\#132](https://github.com/dev-sec/ansible-ssh-hardening/pull/132) ([hyrsky](https://github.com/hyrsky))
|
||||
- corrected comments explaining the task's behaviour [\#131](https://github.com/dev-sec/ansible-ssh-hardening/pull/131) ([martinbydefault](https://github.com/martinbydefault))
|
||||
- Add Two-Factor Authentication [\#123](https://github.com/dev-sec/ansible-ssh-hardening/pull/123) ([lazzurs](https://github.com/lazzurs))
|
||||
- Feature/2fa auth [\#123](https://github.com/dev-sec/ansible-ssh-hardening/pull/123) ([lazzurs](https://github.com/lazzurs))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- ssh\_use\_dns used twice in defaults/main.yml [\#129](https://github.com/dev-sec/ansible-ssh-hardening/issues/129)
|
||||
- line 56: Bad SSH2 mac spec [\#135](https://github.com/dev-sec/ansible-ssh-hardening/issues/135)
|
||||
|
||||
**Closed issues:**
|
||||
|
||||
|
@ -31,6 +241,7 @@
|
|||
- force /bin/sh when getting openssh-version [\#134](https://github.com/dev-sec/ansible-ssh-hardening/pull/134) ([gtz42](https://github.com/gtz42))
|
||||
|
||||
## [4.3.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.3.1) (2017-08-14)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.3.0...4.3.1)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
@ -46,7 +257,8 @@
|
|||
- role creates duplicate parameter/values after run [\#124](https://github.com/dev-sec/ansible-ssh-hardening/issues/124)
|
||||
|
||||
## [4.3.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.3.0) (2017-08-03)
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.3...4.3.0)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.2.0...4.3.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
|
@ -58,11 +270,13 @@
|
|||
- Don't overwrite ssh\_host\_key\_files if set manually [\#125](https://github.com/dev-sec/ansible-ssh-hardening/pull/125) ([oakey-b1](https://github.com/oakey-b1))
|
||||
- Add comment filter to {{ansible\_managed}} string [\#121](https://github.com/dev-sec/ansible-ssh-hardening/pull/121) ([fazlearefin](https://github.com/fazlearefin))
|
||||
|
||||
## [4.1.3](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.3) (2017-06-30)
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.2.0...4.1.3)
|
||||
|
||||
## [4.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.2.0) (2017-06-30)
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.2...4.2.0)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.3...4.2.0)
|
||||
|
||||
## [4.1.3](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.3) (2017-06-30)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.2...4.1.3)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
|
@ -78,6 +292,7 @@
|
|||
- Do not use shell when not needed + Lint whitespaces [\#118](https://github.com/dev-sec/ansible-ssh-hardening/pull/118) ([krhubert](https://github.com/krhubert))
|
||||
|
||||
## [4.1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.2) (2017-05-31)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.1...4.1.2)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
@ -93,17 +308,15 @@
|
|||
- Update readme to include baselines [\#110](https://github.com/dev-sec/ansible-ssh-hardening/issues/110)
|
||||
|
||||
## [4.1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.1) (2017-05-18)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.0...4.1.1)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- fix validation error [\#113](https://github.com/dev-sec/ansible-ssh-hardening/pull/113) ([pwyliu](https://github.com/pwyliu))
|
||||
|
||||
**Fixed bugs:**
|
||||
|
||||
- fix validation error [\#113](https://github.com/dev-sec/ansible-ssh-hardening/pull/113) ([pwyliu](https://github.com/pwyliu))
|
||||
|
||||
## [4.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.0) (2017-05-09)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.0.0...4.1.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
@ -123,6 +336,7 @@
|
|||
- Adds option to enable password based authentication on the server [\#107](https://github.com/dev-sec/ansible-ssh-hardening/pull/107) ([colin-nolan](https://github.com/colin-nolan))
|
||||
|
||||
## [4.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.0.0) (2017-04-22)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.2.0...4.0.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
@ -145,8 +359,6 @@
|
|||
**Fixed bugs:**
|
||||
|
||||
- SELinux-specific task still runs on SELinux-disabled systems [\#74](https://github.com/dev-sec/ansible-ssh-hardening/issues/74)
|
||||
- List only one Port in ssh config [\#84](https://github.com/dev-sec/ansible-ssh-hardening/pull/84) ([fullyint](https://github.com/fullyint))
|
||||
- Fix ssh config to handle custom options per Host [\#83](https://github.com/dev-sec/ansible-ssh-hardening/pull/83) ([fullyint](https://github.com/fullyint))
|
||||
|
||||
**Closed issues:**
|
||||
|
||||
|
@ -159,6 +371,7 @@
|
|||
- Fix ssh\_server\_ports and ssh\_client\_ports documentation bug [\#80](https://github.com/dev-sec/ansible-ssh-hardening/pull/80) ([kivilahtio](https://github.com/kivilahtio))
|
||||
|
||||
## [3.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.2.0) (2016-10-24)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.1.0...3.2.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
@ -173,11 +386,8 @@
|
|||
- Selinux issue [\#75](https://github.com/dev-sec/ansible-ssh-hardening/issues/75)
|
||||
- Running the tests locally [\#61](https://github.com/dev-sec/ansible-ssh-hardening/issues/61)
|
||||
|
||||
**Closed issues:**
|
||||
|
||||
- Applied-Crypto-Hardening project and new cyphers. [\#28](https://github.com/dev-sec/ansible-ssh-hardening/issues/28)
|
||||
|
||||
## [3.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.1.0) (2016-08-03)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.1...3.1.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
@ -185,6 +395,7 @@
|
|||
- use new ciphers, kex, macs and privilege separation for redhat family 7 or later [\#72](https://github.com/dev-sec/ansible-ssh-hardening/issues/72)
|
||||
|
||||
## [3.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.1) (2016-08-03)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.0.0...3.1)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
@ -212,11 +423,12 @@
|
|||
- Add SCP/SFTP to FAQ [\#58](https://github.com/dev-sec/ansible-ssh-hardening/pull/58) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [3.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.0.0) (2016-03-13)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/2.0.0...3.0.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- Added sftp\_enabled, sftp\_chroot\_dir, and ssh\_client\_roaming from the … [\#57](https://github.com/dev-sec/ansible-ssh-hardening/pull/57) ([shirokatze](https://github.com/shirokatze))
|
||||
- Added sftp\_enabled, sftp\_chroot\_dir, and ssh\_client\_roaming from the … [\#57](https://github.com/dev-sec/ansible-ssh-hardening/pull/57) ([ghost](https://github.com/ghost))
|
||||
- add test support for ansible 1.9 and 2.0 [\#56](https://github.com/dev-sec/ansible-ssh-hardening/pull/56) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- update platforms in meta-file [\#52](https://github.com/dev-sec/ansible-ssh-hardening/pull/52) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- add webhook for ansible galaxy [\#51](https://github.com/dev-sec/ansible-ssh-hardening/pull/51) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
@ -235,6 +447,7 @@
|
|||
- New release 3.0.0 [\#59](https://github.com/dev-sec/ansible-ssh-hardening/pull/59) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [2.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/2.0.0) (2015-11-28)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2.1...2.0.0)
|
||||
|
||||
**Closed issues:**
|
||||
|
@ -248,6 +461,7 @@
|
|||
- sftp\_enable option [\#41](https://github.com/dev-sec/ansible-ssh-hardening/pull/41) ([fitz123](https://github.com/fitz123))
|
||||
|
||||
## [1.2.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2.1) (2015-10-16)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2...1.2.1)
|
||||
|
||||
**Merged pull requests:**
|
||||
|
@ -255,10 +469,12 @@
|
|||
- Allow whitelisted groups on ssh [\#40](https://github.com/dev-sec/ansible-ssh-hardening/pull/40) ([fheinle](https://github.com/fheinle))
|
||||
|
||||
## [1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2) (2015-09-28)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2.0...1.2)
|
||||
|
||||
## [1.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2.0) (2015-09-28)
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1...1.2.0)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1.0...1.2.0)
|
||||
|
||||
**Merged pull requests:**
|
||||
|
||||
|
@ -266,16 +482,20 @@
|
|||
- Add more travis-tests [\#38](https://github.com/dev-sec/ansible-ssh-hardening/pull/38) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
- Support for selinux and pam. fix \#23 [\#35](https://github.com/dev-sec/ansible-ssh-hardening/pull/35) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.1) (2015-09-01)
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1.0...1.1)
|
||||
|
||||
## [1.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.1.0) (2015-09-01)
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.0.0...1.1.0)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1...1.1.0)
|
||||
|
||||
## [1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.1) (2015-09-01)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.0.0...1.1)
|
||||
|
||||
**Closed issues:**
|
||||
|
||||
- ssh\_ports - individual client/server config [\#33](https://github.com/dev-sec/ansible-ssh-hardening/issues/33)
|
||||
- Applied-Crypto-Hardening project and new cyphers. [\#28](https://github.com/dev-sec/ansible-ssh-hardening/issues/28)
|
||||
- UsePAM should probably default to yes on Red Hat Linux 7 [\#23](https://github.com/dev-sec/ansible-ssh-hardening/issues/23)
|
||||
- Running test-kitchen fails [\#2](https://github.com/dev-sec/ansible-ssh-hardening/issues/2)
|
||||
|
||||
**Merged pull requests:**
|
||||
|
||||
|
@ -296,6 +516,9 @@
|
|||
- Debian install script [\#19](https://github.com/dev-sec/ansible-ssh-hardening/pull/19) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
||||
## [1.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.0.0) (2015-04-30)
|
||||
|
||||
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/a9591764206b79a4ed324bb8576151ebac0127b1...1.0.0)
|
||||
|
||||
**Implemented enhancements:**
|
||||
|
||||
- Update variable-documentation [\#12](https://github.com/dev-sec/ansible-ssh-hardening/pull/12) ([rndmh3ro](https://github.com/rndmh3ro))
|
||||
|
@ -304,7 +527,6 @@
|
|||
|
||||
- add travis test for ubuntu 12.04 [\#7](https://github.com/dev-sec/ansible-ssh-hardening/issues/7)
|
||||
- Use handler for sshd restart [\#6](https://github.com/dev-sec/ansible-ssh-hardening/issues/6)
|
||||
- Running test-kitchen fails [\#2](https://github.com/dev-sec/ansible-ssh-hardening/issues/2)
|
||||
|
||||
**Merged pull requests:**
|
||||
|
||||
|
@ -325,4 +547,4 @@
|
|||
|
||||
|
||||
|
||||
\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*
|
||||
\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*
|
||||
|
|
|
@ -11,6 +11,7 @@ group :integration do
|
|||
gem 'kitchen-sync'
|
||||
gem 'kitchen-transport-rsync'
|
||||
gem 'kitchen-docker'
|
||||
gem 'inspec', '~> 3'
|
||||
end
|
||||
|
||||
group :tools do
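Review bot: The new `gem 'kitchen-docker'` line carries no version constraint, while `inspec` in the same `:integration` group is pinned with `'~> 3'`, so test runs will float to whatever the gem server serves on the day unless a lockfile (not visible in this change) is committed alongside. Pin it to the series that was tested, in the same style as the sibling line, e.g. `gem 'kitchen-docker', '~> X.Y'` with the version the role was verified against, and keep the lockfile under version control so CI and developers resolve the same dependency tree.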
|
||||
|
|
|
@ -12,7 +12,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
|
|||
|
||||
## Requirements
|
||||
|
||||
* Ansible > 2.4
|
||||
* Ansible > 2.5
|
||||
|
||||
## Role Variables
|
||||
| Name | Default Value | Description |
|
||||
|
@ -22,17 +22,18 @@ Warning: This role disables root-login on the target server! Please make sure yo
|
|||
|`ssh_client_port` | '22' |port to which ssh-client should connect|
|
||||
|`ssh_listen_to` | ['0.0.0.0'] |one or more ip addresses, to which ssh-server should listen to. Default is all adresseses, but should be configured to specific addresses for security reasons!|
|
||||
|`ssh_host_key_files` | [] |Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version|
|
||||
|`ssh_host_key_algorithms` | [] | Host key algorithms that the server offers. If empty the [default list](https://man.openbsd.org/sshd_config#HostKeyAlgorithms) will be used, otherwise overrides the setting with specified list of algorithms|
|
||||
|`ssh_client_alive_interval` | 600 | specifies an interval for sending keepalive messages |
|
||||
|`ssh_client_alive_count` | 3 | defines how often keep-alive messages are sent |
|
||||
|`ssh_permit_tunnel` | false | true if SSH Port Tunneling is required |
|
||||
|`ssh_remote_hosts` | [] | one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`.|
|
||||
|`ssh_allow_root_with_key` | false | false to disable root login altogether. Set to true to allow root to login via key-based mechanism.|
|
||||
|`ssh_allow_tcp_forwarding` | false | false to disable TCP Forwarding. Set to true to allow TCP Forwarding.|
|
||||
|`ssh_permit_root_login` | no | Disable root-login. Set to `without-password` or `yes` to enable root-login |
|
||||
|`ssh_allow_tcp_forwarding` | no | `no` to disable TCP Forwarding. Set to `yes` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `yes`, `no`, `all` or `local`|
|
||||
|`ssh_gateway_ports` | `false` | `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to.|
|
||||
|`ssh_allow_agent_forwarding` | false | false to disable Agent Forwarding. Set to true to allow Agent Forwarding.|
|
||||
|`ssh_pam_support` | true | true if SSH has PAM support.|
|
||||
|`ssh_use_pam` | false | false to disable pam authentication.|
|
||||
|`ssh_gssapi_support` | true | true if SSH has GSSAPI support.|
|
||||
|`ssh_use_pam` | true | false to disable pam authentication.|
|
||||
|`ssh_gssapi_support` | false | true if SSH has GSSAPI support.|
|
||||
|`ssh_kerberos_support` | true | true if SSH has Kerberos support.|
|
||||
|`ssh_deny_users` | '' | if specified, login is disallowed for user names that match one of the patterns.|
|
||||
|`ssh_allow_users` | '' | if specified, login is allowed only for user names that match one of the patterns.|
|
||||
|
@ -46,6 +47,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
|
|||
|`ssh_print_motd` | false | false to disable printing of the MOTD|
|
||||
|`ssh_print_last_log` | false | false to disable display of last login information|
|
||||
|`sftp_enabled` | false | true to enable sftp configuration|
|
||||
|`sftp_umask` | 0027 | Specifies the umask for sftp|
|
||||
|`sftp_chroot` | true | false to disable chroot for sftp|
|
||||
|`sftp_chroot_dir` | /home/%u | change default sftp chroot location|
|
||||
|`ssh_client_roaming` | false | enable experimental client roaming|
|
||||
|
@ -54,8 +56,6 @@ Warning: This role disables root-login on the target server! Please make sure yo
|
|||
|`ssh_challengeresponseauthentication` | false | Specifies whether challenge-response authentication is allowed (e.g. via PAM) |
|
||||
|`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client |
|
||||
|`ssh_server_password_login` | false | `true` to allow password-based authentication with the ssh server |
|
||||
|`ssh_google_auth` | false | `true` to enable google authenticator based TOTP 2FA |
|
||||
|`ssh_pam_device` | false | `true` to enable public key auth with pam device 2FA |
|
||||
|`ssh_banner` | `false` | `true` to print a banner on login |
|
||||
|`ssh_client_hardening` | `true` | `false` to stop harden the client |
|
||||
|`ssh_client_port` | `'22'` | Specifies the port number to connect on the remote host. |
|
||||
|
@ -64,15 +64,40 @@ Warning: This role disables root-login on the target server! Please make sure yo
|
|||
|`ssh_print_debian_banner` | `false` | `true` to print debian specific banner |
|
||||
|`ssh_server_enabled` | `true` | `false` to disable the opensshd server |
|
||||
|`ssh_server_hardening` | `true` | `false` to stop harden the server |
|
||||
|`ssh_server_match_address` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
|
||||
|`ssh_server_match_group` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
|
||||
|`ssh_server_match_user` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
|
||||
|`ssh_server_permit_environment_vars` | `false` | `true` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd |
|
||||
|`ssh_server_permit_environment_vars` | `no` | `yes` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global "yes" or "no" settings |
|
||||
|`ssh_server_accept_env_vars`| '' | Specifies what environment variables sent by the client will be copied into the session's enviroment, multiple environment variables may be separated by whitespace |
|
||||
|`ssh_use_dns` | `false` | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. |
|
||||
|`ssh_server_revoked_keys` | [] | a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys.|
|
||||
|`ssh_max_startups` | '10:30:100' | Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.|
|
||||
|`ssh_macs` | [] | Change this list to overwrite macs. Defaults found in `defaults/main.yml` |
|
||||
|`ssh_kex` | [] | Change this list to overwrite kexs. Defaults found in `defaults/main.yml` |
|
||||
|`ssh_ciphers` | [] | Change this list to overwrite ciphers. Defaults found in `defaults/main.yml` |
|
||||
|`ssh_custom_options` | [] | Custom lines for SSH client configuration |
|
||||
|`sshd_custom_options` | [] | Custom lines for SSH daemon configuration |
|
||||
|`sshd_syslog_facility` | 'AUTH' | The facility code that is used when logging messages from sshd |
|
||||
|`sshd_log_level` | 'VERBOSE' | the verbosity level that is used when logging messages from sshd |
|
||||
|`sshd_strict_modes` | 'yes' | Check file modes and ownership of the user's files and home directory before accepting login |
|
||||
|`sshd_authenticationmethods` | `publickey` | Specifies the authentication methods that must be successfully completed for a user to be granted access. Make sure to set all required variables for your selected authentication method. Defaults found in `defaults/main.yml`
|
||||
|
||||
## Configuring settings not listed in role-variables
|
||||
|
||||
If you want to configure ssh options that are not listed above, you can use `ssh_custom_options` (for `/etc/ssh/ssh_config`) or `sshd_custom_options` (for `/etc/ssh/sshd_config`) to set them. These options will be set on the **beginning** of the file so you can override options further down in the file.
|
||||
|
||||
Example playbook:
|
||||
|
||||
```
|
||||
- hosts: localhost
|
||||
roles:
|
||||
- dev-sec.ssh-hardening
|
||||
vars:
|
||||
ssh_custom_options:
|
||||
- "Include /etc/ssh/ssh_config.d/*"
|
||||
sshd_custom_options:
|
||||
- "AcceptEnv LANG"
|
||||
```
|
||||
|
||||
## Example Playbook
|
||||
|
||||
|
@ -97,27 +122,31 @@ bundle install
|
|||
### Testing with Docker
|
||||
```
|
||||
# fast test on one machine
|
||||
bundle exec kitchen test default-ubuntu-1204
|
||||
bundle exec kitchen test ssh-ubuntu1804-ansible-latest
|
||||
|
||||
# test on all machines
|
||||
bundle exec kitchen test
|
||||
|
||||
# for development
|
||||
bundle exec kitchen create default-ubuntu-1204
|
||||
bundle exec kitchen converge default-ubuntu-1204
|
||||
bundle exec kitchen create ssh-ubuntu1804-ansible-latest
|
||||
bundle exec kitchen converge ssh-ubuntu1804-ansible-latest
|
||||
bundle exec kitchen verify ssh-ubuntu1804-ansible-latest
|
||||
|
||||
# cleanup
|
||||
bundle exec kitchen destroy ssh-ubuntu1804-ansible-latest
|
||||
```
|
||||
|
||||
### Testing with Virtualbox
|
||||
```
|
||||
# fast test on one machine
|
||||
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test default-ubuntu-1204
|
||||
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test ssh-ubuntu-1804
|
||||
|
||||
# test on all machines
|
||||
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test
|
||||
|
||||
# for development
|
||||
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen create default-ubuntu-1204
|
||||
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen converge default-ubuntu-1204
|
||||
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen create ssh-ubuntu-1804
|
||||
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen converge ssh-ubuntu-1804
|
||||
```
|
||||
For more information see [test-kitchen](http://kitchen.ci/docs/getting-started)
|
||||
|
||||
|
|
|
@ -30,6 +30,9 @@ ssh_listen_to: ['0.0.0.0'] # sshd
|
|||
# Host keys to look for when starting sshd.
|
||||
ssh_host_key_files: [] # sshd
|
||||
|
||||
# Specifies the host key algorithms that the server offers
|
||||
ssh_host_key_algorithms: [] # sshd
|
||||
|
||||
# Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
|
||||
ssh_max_auth_retries: 2
|
||||
|
||||
|
@ -48,11 +51,11 @@ ssh_permit_tunnel: false
|
|||
# options: ['StrictHostKeyChecking no']
|
||||
ssh_remote_hosts: []
|
||||
|
||||
# false to disable root login altogether. Set to true to allow root to login via key-based mechanism.
|
||||
ssh_allow_root_with_key: false # sshd
|
||||
# Set this to "without-password" or "yes" to allow root to login
|
||||
ssh_permit_root_login: 'no' # sshd
|
||||
|
||||
# false to disable TCP Forwarding. Set to true to allow TCP Forwarding.
|
||||
ssh_allow_tcp_forwarding: false # sshd
|
||||
ssh_allow_tcp_forwarding: 'no' # sshd
|
||||
|
||||
# false to disable binding forwarded ports to non-loopback addresses. Set to true to force binding on wildcard address.
|
||||
# Set to 'clientspecified' to allow the client to specify which address to bind to.
|
||||
|
@ -65,16 +68,13 @@ ssh_allow_agent_forwarding: false # sshd
|
|||
ssh_pam_support: true
|
||||
|
||||
# false to disable pam authentication.
|
||||
ssh_use_pam: false # sshd
|
||||
ssh_use_pam: true # sshd
|
||||
|
||||
# false to disable google 2fa authentication
|
||||
ssh_google_auth: false # sshd
|
||||
|
||||
# false to disable pam device 2FA input
|
||||
ssh_pam_device: false # sshd
|
||||
# specify AuthenticationMethods
|
||||
sshd_authenticationmethods: 'publickey'
|
||||
|
||||
# true if SSH support GSSAPI
|
||||
ssh_gssapi_support: true
|
||||
ssh_gssapi_support: false
|
||||
|
||||
# true if SSH support Kerberos
|
||||
ssh_kerberos_support: true
|
||||
|
@ -139,6 +139,9 @@ sftp_enabled: false
|
|||
# false to disable sftp chroot
|
||||
sftp_chroot: true
|
||||
|
||||
# sftp default umask
|
||||
sftp_umask: 0027
|
||||
|
||||
# change default sftp chroot location
|
||||
sftp_chroot_dir: /home/%u
|
||||
|
||||
|
@ -151,7 +154,11 @@ ssh_server_match_user: false # sshd
|
|||
# list of hashes (containing group and rules) to generate Match Group blocks for.
|
||||
ssh_server_match_group: false # sshd
|
||||
|
||||
ssh_server_permit_environment_vars: false
|
||||
# list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for.
|
||||
ssh_server_match_address: false # sshd
|
||||
|
||||
ssh_server_permit_environment_vars: 'no'
|
||||
ssh_server_accept_env_vars : ''
|
||||
|
||||
# maximum number of concurrent unauthenticated connections to the SSH daemon
|
||||
ssh_max_startups: '10:30:100' # sshd
|
||||
|
@ -167,6 +174,10 @@ ssh_macs_53_default:
|
|||
- hmac-ripemd160
|
||||
- hmac-sha1
|
||||
|
||||
ssh_macs_53_el_6_5_default:
|
||||
- hmac-sha2-512
|
||||
- hmac-sha2-256
|
||||
|
||||
ssh_macs_59_default:
|
||||
- hmac-sha2-512
|
||||
- hmac-sha2-256
|
||||
|
@ -205,6 +216,11 @@ ssh_kex_59_default:
|
|||
ssh_kex_66_default:
|
||||
- curve25519-sha256@libssh.org
|
||||
- diffie-hellman-group-exchange-sha256
|
||||
|
||||
ssh_kex_80_default:
|
||||
- sntrup4591761x25519-sha512@tinyssh.org
|
||||
- curve25519-sha256@libssh.org
|
||||
- diffie-hellman-group-exchange-sha256
|
||||
|
||||
# directory where to store ssh_password policy
|
||||
ssh_custom_selinux_dir: '/etc/selinux/local-policies'
|
||||
|
@ -220,4 +236,16 @@ ssh_server_revoked_keys: []
|
|||
|
||||
# Set to false to turn the role into a no-op. Useful when using
|
||||
# the Ansible role dependency mechanism.
|
||||
ssh_hardening_enabled: true
|
||||
ssh_hardening_enabled: true
|
||||
|
||||
# Custom options for SSH client configuration file
|
||||
ssh_custom_options: []
|
||||
|
||||
# Custom options for SSH daemon configuration file
|
||||
sshd_custom_options: []
|
||||
|
||||
# Logging
|
||||
sshd_syslog_facility: 'AUTH'
|
||||
sshd_log_level: 'VERBOSE'
|
||||
|
||||
sshd_strict_modes: yes
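Review bot: `sshd_strict_modes: yes` is the one new default left unquoted, so Ansible's YAML loader turns it into the boolean True rather than the string `'yes'` that the README row and the sibling defaults in this file use (`ssh_permit_root_login: 'no'`, `ssh_allow_tcp_forwarding: 'no'`, `ssh_server_permit_environment_vars: 'no'`); if the template interpolates the value directly, sshd would see `StrictModes True`, which the `sshd -T` validate step in hardening.yml rejects. Quote it for consistency: `sshd_strict_modes: 'yes'`. Separately, the hunk at `@ -65,16 +68,13 @@` flips `ssh_use_pam` from `false` to `true` with the old comment unchanged; for a hardening role that is a posture change (PAM account/session stacks now run for every SSH login) and the default deserves a why-comment next to it, e.g. `# enabled by default so the PAM account/session stack (and the pam_motd task) applies; password auth stays governed by ssh_server_password_login / sshd_authenticationmethods`, provided the template really keeps those two in control.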
|
||||
|
|
|
@ -1 +1,2 @@
|
|||
{install_date: 'Mon Dec 17 12:48:22 2018', version: 5.0.0}
|
||||
install_date: Fri May 15 20:29:21 2020
|
||||
version: 8.1.0
|
||||
|
|
|
@ -4,7 +4,7 @@ galaxy_info:
|
|||
description: 'This Ansible role provides numerous security-related ssh configurations, providing all-round base protection.'
|
||||
company: Hardening Framework Team
|
||||
license: Apache License 2.0
|
||||
min_ansible_version: '2.4'
|
||||
min_ansible_version: '2.5'
|
||||
platforms:
|
||||
- name: EL
|
||||
versions:
|
||||
|
@ -12,14 +12,14 @@ galaxy_info:
|
|||
- 7
|
||||
- name: Ubuntu
|
||||
versions:
|
||||
- precise
|
||||
- trusty
|
||||
- xenial
|
||||
- bionic
|
||||
- name: Debian
|
||||
versions:
|
||||
- wheezy
|
||||
- jessie
|
||||
- stretch
|
||||
- buster
|
||||
- name: Amazon
|
||||
- name: Fedora
|
||||
galaxy_tags:
|
||||
- system
|
||||
- security
|
||||
|
|
|
@ -1,36 +0,0 @@
|
|||
---
|
||||
# Install the 2FA packages and setup the config in PAM and SSH
|
||||
- name: Install google authenticator PAM module
|
||||
apt:
|
||||
name: 'libpam-google-authenticator'
|
||||
state: present
|
||||
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
|
||||
|
||||
- name: Install google authenticator PAM module
|
||||
yum:
|
||||
name: 'google-authenticator'
|
||||
state: present
|
||||
when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
|
||||
|
||||
- name: Add google auth module to PAM
|
||||
pamd:
|
||||
name: 'sshd'
|
||||
type: 'auth'
|
||||
control: 'required'
|
||||
module_path: 'pam_google_authenticator.so'
|
||||
|
||||
- name: Remove password auth from PAM
|
||||
pamd:
|
||||
name: 'sshd'
|
||||
type: 'auth'
|
||||
control: 'substack'
|
||||
module_path: 'password-auth'
|
||||
state: absent
|
||||
when: ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux' or ansible_distribution == 'Amazon'
|
||||
|
||||
- name: Remove password auth from PAM
|
||||
replace:
|
||||
dest: '/etc/pam.d/sshd'
|
||||
regexp: '^@include common-auth'
|
||||
replace: '#@include common-auth'
|
||||
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
|
|
@ -3,61 +3,73 @@
|
|||
- name: set hostkeys according to openssh-version
|
||||
set_fact:
|
||||
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
|
||||
when: sshd_version.stdout >= '6.3' and not ssh_host_key_files
|
||||
when: sshd_version is version('6.3', '>=') and not ssh_host_key_files
|
||||
|
||||
- name: set hostkeys according to openssh-version
|
||||
set_fact:
|
||||
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key']
|
||||
when: sshd_version.stdout >= '6.0' and not ssh_host_key_files
|
||||
when: sshd_version is version('6.0', '>=') and not ssh_host_key_files
|
||||
|
||||
- name: set hostkeys according to openssh-version
|
||||
set_fact:
|
||||
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key']
|
||||
when: sshd_version.stdout >= '5.3' and not ssh_host_key_files
|
||||
when: sshd_version is version('5.3', '>=') and not ssh_host_key_files
|
||||
|
||||
###
|
||||
|
||||
- name: set macs according to openssh-version if openssh >= 7.6
|
||||
set_fact:
|
||||
ssh_macs: '{{ ssh_macs_76_default }}'
|
||||
when: sshd_version.stdout >= '7.6' and not ssh_macs
|
||||
when: sshd_version is version('7.6', '>=') and not ssh_macs
|
||||
|
||||
- name: set macs according to openssh-version if openssh >= 6.6
|
||||
set_fact:
|
||||
ssh_macs: '{{ ssh_macs_66_default }}'
|
||||
when: sshd_version.stdout >= '6.6' and not ssh_macs
|
||||
when: sshd_version is version('6.6', '>=') and not ssh_macs
|
||||
|
||||
- name: set macs according to openssh-version
|
||||
set_fact:
|
||||
ssh_macs: '{{ ssh_macs_59_default }}'
|
||||
when: sshd_version.stdout >= '5.9' and not ssh_macs
|
||||
when: sshd_version is version('5.9', '>=') and not ssh_macs
|
||||
|
||||
- name: set macs for Enterprise Linux >= 6.5 (openssh 5.3 with backports)
|
||||
set_fact:
|
||||
ssh_macs: '{{ ssh_macs_53_el_6_5_default }}'
|
||||
when:
|
||||
- ansible_facts.distribution in ['CentOS', 'OracleLinux', 'RedHat']
|
||||
- ansible_facts.distribution_version is version('6.5', '>=')
|
||||
- not ssh_macs
|
||||
|
||||
- name: set macs according to openssh-version
|
||||
set_fact:
|
||||
ssh_macs: '{{ ssh_macs_53_default }}'
|
||||
when: sshd_version.stdout >= '5.3' and not ssh_macs
|
||||
when: sshd_version is version('5.3', '>=') and not ssh_macs
|
||||
|
||||
###
|
||||
|
||||
- name: set ciphers according to openssh-version if openssh >= 6.6
|
||||
set_fact:
|
||||
ssh_ciphers: '{{ ssh_ciphers_66_default }}'
|
||||
when: sshd_version.stdout >= '6.6' and not ssh_ciphers
|
||||
when: sshd_version is version('6.6', '>=') and not ssh_ciphers
|
||||
|
||||
- name: set ciphers according to openssh-version
|
||||
set_fact:
|
||||
ssh_ciphers: '{{ ssh_ciphers_53_default }}'
|
||||
when: sshd_version.stdout >= '5.3' and not ssh_ciphers
|
||||
when: sshd_version is version('5.3', '>=') and not ssh_ciphers
|
||||
|
||||
###
|
||||
|
||||
- name: set kex according to openssh-version if openssh >= 8.0
|
||||
set_fact:
|
||||
ssh_kex: '{{ ssh_kex_80_default }}'
|
||||
when: sshd_version is version('8.0', '>=') and not ssh_kex
|
||||
|
||||
- name: set kex according to openssh-version if openssh >= 6.6
|
||||
set_fact:
|
||||
ssh_kex: '{{ ssh_kex_66_default }}'
|
||||
when: sshd_version.stdout >= '6.6' and not ssh_kex
|
||||
when: sshd_version is version('6.6', '>=') and not ssh_kex
|
||||
|
||||
- name: set kex according to openssh-version
|
||||
set_fact:
|
||||
ssh_kex: '{{ ssh_kex_59_default }}'
|
||||
when: sshd_version.stdout >= '5.9' and not ssh_kex
|
||||
|
||||
when: sshd_version is version('5.9', '>=') and not ssh_kex
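Review bot: The new "set macs for Enterprise Linux >= 6.5" task tests only `ansible_facts.distribution_version` and never looks at `sshd_version`, so it is correct only because the 7.6/6.6/5.9 tasks above it run first and `not ssh_macs` then short-circuits; that ordering is load-bearing and should be stated, e.g. `# only reached when no newer-openssh task above matched: EL6 ships OpenSSH 5.3 with backported hmac-sha2 MACs`. A second, hedged point on the new `>= 8.0` task: `ssh_kex_80_default` pins `sntrup4591761x25519-sha512@tinyssh.org`, an experimental KEX that later OpenSSH releases appear to have dropped (I believe 8.5 replaced it with a differently named method, to be confirmed against the release notes), and an unknown name in `KexAlgorithms` makes sshd refuse the whole config, so the `>= 8.0` task probably needs an upper bound or a follow-up task for newer versions rather than an open-ended match.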
|
||||
|
|
|
@ -2,19 +2,21 @@
|
|||
- name: Set OS dependent variables
|
||||
include_vars: '{{ item }}'
|
||||
with_first_found:
|
||||
- '{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml'
|
||||
- '{{ ansible_distribution }}.yml'
|
||||
- '{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml'
|
||||
- '{{ ansible_os_family }}.yml'
|
||||
- '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
|
||||
- '{{ ansible_facts.distribution }}.yml'
|
||||
- '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
|
||||
- '{{ ansible_facts.os_family }}.yml'
|
||||
|
||||
- name: get openssh-version
|
||||
shell: ssh -V 2>&1 | sed -r 's/.*_([0-9]*\.[0-9]).*/\1/g'
|
||||
args:
|
||||
executable: /bin/sh
|
||||
command: ssh -V
|
||||
register: sshd_version_raw
|
||||
changed_when: false
|
||||
register: sshd_version
|
||||
check_mode: no
|
||||
|
||||
- name: parse openssh-version
|
||||
set_fact:
|
||||
sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]*.[0-9]).*', '\\1') }}"
|
||||
|
||||
- name: include tasks to create crypo-vars
|
||||
include_tasks: crypto.yml
|
||||
|
||||
|
@ -26,7 +28,7 @@
|
|||
owner: '{{ ssh_owner }}'
|
||||
group: '{{ ssh_group }}'
|
||||
notify: restart sshd
|
||||
when: ssh_server_hardening
|
||||
when: ssh_server_hardening | bool
|
||||
|
||||
- name: create sshd_config and set permissions to root/600
|
||||
template:
|
||||
|
@ -35,9 +37,21 @@
|
|||
mode: '0600'
|
||||
owner: '{{ ssh_owner }}'
|
||||
group: '{{ ssh_group }}'
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
validate: '/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -f %s'
|
||||
notify: restart sshd
|
||||
when: ssh_server_hardening
|
||||
when: ssh_server_hardening | bool
|
||||
|
||||
- name: disable dynamic MOTD
|
||||
pamd:
|
||||
name: sshd
|
||||
type: session
|
||||
control: optional
|
||||
module_path: pam_motd.so
|
||||
state: absent
|
||||
when:
|
||||
- ssh_server_hardening | bool
|
||||
- ssh_pam_support | bool
|
||||
- not (ssh_print_motd | bool)
|
||||
|
||||
- name: create ssh_config and set permissions to root/644
|
||||
template:
|
||||
|
@ -46,38 +60,27 @@
|
|||
mode: '0644'
|
||||
owner: '{{ ssh_owner }}'
|
||||
group: '{{ ssh_group }}'
|
||||
when: ssh_client_hardening
|
||||
when: ssh_client_hardening | bool
|
||||
|
||||
- name: Check if {{ sshd_moduli_file }} contains weak DH parameters
|
||||
shell: awk '$5 < {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }}
|
||||
register: sshd_register_moduli
|
||||
changed_when: false
|
||||
check_mode: no
|
||||
when: ssh_server_hardening | bool
|
||||
|
||||
- name: remove all small primes
|
||||
shell: awk '$5 >= {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }} > {{ sshd_moduli_file }}.new ;
|
||||
[ -r {{ sshd_moduli_file }}.new -a -s {{ sshd_moduli_file }}.new ] && mv {{ sshd_moduli_file }}.new {{ sshd_moduli_file }} || true
|
||||
notify: restart sshd
|
||||
when: sshd_register_moduli.stdout
|
||||
when:
|
||||
- ssh_server_hardening | bool
|
||||
- sshd_register_moduli.stdout
|
||||
|
||||
- name: include tasks to setup ca keys and principals
|
||||
include_tasks: ca_keys_and_principals.yml
|
||||
when: ssh_trusted_user_ca_keys_file != ''
|
||||
|
||||
- name: include tasks to setup 2FA
|
||||
include_tasks: 2fa.yml
|
||||
when:
|
||||
- ssh_use_pam
|
||||
- ssh_challengeresponseauthentication
|
||||
- ssh_google_auth
|
||||
|
||||
- name: test to see if selinux is installed and running
|
||||
command: getenforce
|
||||
register: sestatus
|
||||
failed_when: false
|
||||
changed_when: false
|
||||
check_mode: no
|
||||
when: ssh_trusted_user_ca_keys_file | length > 0
|
||||
|
||||
- name: include selinux specific tasks
|
||||
include_tasks: selinux.yml
|
||||
when: sestatus.rc == 0
|
||||
when: ansible_facts.selinux and ansible_facts.selinux.status == "enabled"
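Review bot: The `remove all small primes` task still ends its shell line with `|| true`, so when the `mv` onto `{{ sshd_moduli_file }}` fails the task reports success and notifies a restart while the weak DH groups stay in the file; dropping `|| true` so the `[ -r … -a -s … ] && mv …` test fails the task, or registering the result and adding a `failed_when` on it, makes that failure visible. The new parse at `sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]*.[0-9]).*', '\\1') }}"` leaves the dot unescaped where the removed sed used `\.`, so `'.*_([0-9]*\\.[0-9]).*'` keeps the old strictness. As before, the version comes from the `ssh -V` client binary, which is only a proxy for the running sshd and could use a comment saying so.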
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
---
|
||||
|
||||
- include_tasks: hardening.yml
|
||||
when: ssh_hardening_enabled
|
||||
when: ssh_hardening_enabled | bool
|
||||
|
|
|
@ -1,24 +1,22 @@
|
|||
---
|
||||
- name: install selinux dependencies when selinux is installed on RHEL or Oracle Linux
|
||||
- name: install selinux dependencies when selinux is installed
|
||||
package:
|
||||
name: '{{ item }}'
|
||||
name: '{{ ssh_selinux_packages }}'
|
||||
state: present
|
||||
with_items:
|
||||
- 'policycoreutils-python'
|
||||
- 'checkpolicy'
|
||||
when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
|
||||
|
||||
- name: install selinux dependencies when selinux is installed on Debian or Ubuntu
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
- name: "authorize {{ ssh_server_ports }} ports for selinux"
|
||||
seport:
|
||||
ports: '{{ item }}'
|
||||
proto: tcp
|
||||
setype: ssh_port_t
|
||||
state: present
|
||||
with_items:
|
||||
- 'policycoreutils'
|
||||
- 'checkpolicy'
|
||||
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
|
||||
- "{{ ssh_server_ports }}"
|
||||
|
||||
- name: check if ssh_password module is already installed
|
||||
shell: 'semodule -l | grep ssh_password'
|
||||
shell: 'set -o pipefail && semodule -l | grep ssh_password'
|
||||
args:
|
||||
executable: /bin/bash
|
||||
register: ssh_password_module
|
||||
failed_when: false
|
||||
changed_when: false
|
||||
|
@ -41,17 +39,18 @@
|
|||
dest: '{{ ssh_custom_selinux_dir }}'
|
||||
|
||||
- name: check and compile policy
|
||||
shell: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password
|
||||
command: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password
|
||||
|
||||
- name: create selinux policy module package
|
||||
shell: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp -m {{ ssh_custom_selinux_dir }}/ssh_password.mod
|
||||
command: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp -m {{ ssh_custom_selinux_dir }}/ssh_password.mod
|
||||
|
||||
- name: install selinux policy
|
||||
shell: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp
|
||||
command: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp
|
||||
|
||||
when: not ssh_use_pam and sestatus.stdout != 'Disabled' and ssh_password_module.stdout.find('ssh_password') != 0
|
||||
when: not ssh_use_pam | bool and ssh_password_module.stdout.find('ssh_password') != 0
|
||||
|
||||
# The following tasks only get executed when selinux is installed, UsePam is 'yes' and the ssh_password module is installed.
|
||||
- name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk (http://danwalsh.livejournal.com/12333.html)
|
||||
# See http://danwalsh.livejournal.com/12333.html for more info
|
||||
- name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk
|
||||
command: semodule -r ssh_password
|
||||
when: ssh_use_pam and ssh_password_module.stdout.find('ssh_password') == 0
|
||||
when: ssh_use_pam | bool and ssh_password_module.stdout.find('ssh_password') == 0
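Review bot: The module check `set -o pipefail && semodule -l | grep ssh_password` matches any module whose name contains that string, and the later `.stdout.find('ssh_password') != 0` test is only a prefix test, so a differently named module could be taken for the custom policy; `grep -w ssh_password` makes the match exact with no other change. With pipefail the missing-module case now returns rc=1, which `failed_when: false` absorbs, so stdout remains the only signal and a `# empty stdout means the module is not installed` comment on the register line would help the next reader. The enclosing selinux.yml continues outside the visible hunks.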
|
||||
|
|
|
@ -2,7 +2,15 @@
|
|||
|
||||
# This is the ssh client system-wide configuration file.
|
||||
# See ssh_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
|
||||
#
|
||||
|
||||
{% if ssh_custom_options -%}
|
||||
# Custom configuration that overwrites default configuration
|
||||
# ==========================================================
|
||||
{% for line in ssh_custom_options %}
|
||||
{{ line }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
# Basic configuration
|
||||
# ===================
|
||||
|
||||
|
@ -82,7 +90,7 @@ ForwardX11 no
|
|||
|
||||
# Never use host-based authentication. It can be exploited.
|
||||
HostbasedAuthentication no
|
||||
{% if sshd_version.stdout | float < 7.4 -%}
|
||||
{% if sshd_version is version('7.6', '<') %}
|
||||
RhostsRSAAuthentication no
|
||||
# Enable RSA authentication via identity files.
|
||||
RSAAuthentication yes
|
||||
|
@ -111,7 +119,7 @@ Compression yes
|
|||
#EscapeChar ~
|
||||
#VisualHostKey yes
|
||||
|
||||
{% if sshd_version.stdout | float <= 7.1 -%}
|
||||
{% if sshd_version is version('7.1', '<=') %}
|
||||
# Disable experimental client roaming. This is known to cause potential issues with secrets being disclosed to malicious servers and defaults to being disabled.
|
||||
UseRoaming {{ 'yes' if ssh_client_roaming else 'no' }}
|
||||
{% endif %}
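Review bot: The custom-options block emitted at the top of the ssh_config template depends on ssh_config's first-obtained-value rule and the comment does not say so; `# ssh_config keeps the first value it reads for each option, so entries in ssh_custom_options take precedence over the hardened defaults below` would make clear that an entry there silently overrides the hardening. Because the block precedes the version-gated `RhostsRSAAuthentication` and `UseRoaming` sections as well, an option present in both places is effectively controlled by the custom list. The ssh_config.j2 file continues above and below the visible hunks.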
|
||||
|
|
|
@ -3,11 +3,19 @@
|
|||
# This is the ssh client system-wide configuration file.
|
||||
# See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
|
||||
|
||||
{% if sshd_custom_options -%}
|
||||
# Custom configuration that overwrites default configuration
|
||||
# ==========================================================
|
||||
{% for line in sshd_custom_options -%}
|
||||
{{ line }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
# Basic configuration
|
||||
# ===================
|
||||
|
||||
# Either disable or only allowssh root login via certificates.
|
||||
PermitRootLogin {{ 'without-password' if (ssh_allow_root_with_key|bool) else 'no' }}
|
||||
# Either disable or only allow root login via certificates.
|
||||
PermitRootLogin {{ ssh_permit_root_login }}
|
||||
|
||||
# Define which port sshd should listen to. Default to `22`.
|
||||
{% for port in ssh_server_ports -%}
|
||||
|
@ -24,9 +32,14 @@ ListenAddress {{address}}
|
|||
|
||||
# List HostKeys here.
|
||||
{% for key in ssh_host_key_files -%}
|
||||
HostKey {{key}} # Req 20
|
||||
HostKey {{key}}
|
||||
{% endfor %}
|
||||
|
||||
# Specifies the host key algorithms that the server offers.
|
||||
{% if sshd_version is version('5.8', '>=') %}
|
||||
{{ "HostKeyAlgorithms "+ssh_host_key_algorithms| join(',') if ssh_host_key_algorithms else "HostKeyAlgorithms"|comment }}
|
||||
{% endif %}
|
||||
|
||||
# Security configuration
|
||||
# ======================
|
||||
|
||||
|
@ -34,11 +47,11 @@ HostKey {{key}} # Req 20
|
|||
Protocol 2
|
||||
|
||||
# Make sure sshd checks file modes and ownership before accepting logins. This prevents accidental misconfiguration.
|
||||
StrictModes yes
|
||||
StrictModes {{ 'yes' if (sshd_strict_modes|bool) else 'no' }}
|
||||
|
||||
# Logging, obsoletes QuietMode and FascistLogging
|
||||
SyslogFacility AUTH
|
||||
LogLevel VERBOSE
|
||||
SyslogFacility {{ sshd_syslog_facility }}
|
||||
LogLevel {{ sshd_log_level }}
|
||||
|
||||
# Cryptography
|
||||
# ------------
|
||||
|
@ -75,8 +88,11 @@ LogLevel VERBOSE
|
|||
# --------------
|
||||
|
||||
# Secure Login directives.
|
||||
{% if sshd_version.stdout | float < 7.5 -%}
|
||||
UsePrivilegeSeparation {% if (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') or (ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6') -%}{{ssh_ps53}}{% else %}{{ssh_ps59}}{% endif %}
|
||||
{% if sshd_version is version('7.4', '<') %}
|
||||
UseLogin no
|
||||
{% endif %}
|
||||
{% if sshd_version is version('7.5', '<') %}
|
||||
UsePrivilegeSeparation {% if (ansible_facts.distribution == 'Debian' and ansible_facts.distribution_major_version <= '6') or (ansible_facts.os_family in ['Oracle Linux', 'RedHat'] and ansible_facts.distribution_major_version <= '6' and not ansible_facts.distribution == 'Amazon') -%}{{ssh_ps53}}{% else %}{{ssh_ps59}}{% endif %}
|
||||
{% endif %}
|
||||
|
||||
LoginGraceTime 30s
|
||||
|
@ -96,14 +112,11 @@ HostbasedAuthentication no
|
|||
{% if ssh_pam_support -%}
|
||||
UsePAM {{ 'yes' if (ssh_use_pam|bool) else 'no' }}
|
||||
{% endif %}
|
||||
{% if ssh_google_auth %}
|
||||
# Force public key auth then ask for google auth code
|
||||
AuthenticationMethods publickey,keyboard-interactive
|
||||
{% endif %}
|
||||
|
||||
# Force public key auth then ask for pam device input
|
||||
{% if ssh_pam_device %}
|
||||
AuthenticationMethods publickey,keyboard-interactive:pam
|
||||
# Set AuthenticationMethods per default to publickey
|
||||
# AuthenticationMethods was introduced in OpenSSH 6.2 - https://www.openssh.com/txt/release-6.2
|
||||
{% if sshd_version is version('6.2', '>=') %}
|
||||
AuthenticationMethods {{ sshd_authenticationmethods }}
|
||||
{% endif %}
|
||||
|
||||
# Disable password-based authentication, it can allow for potentially easier brute-force attacks.
|
||||
|
@ -119,11 +132,9 @@ KerberosTicketCleanup yes
|
|||
#KerberosGetAFSToken no
|
||||
{% endif %}
|
||||
|
||||
{% if ssh_gssapi_support -%}
|
||||
# Only enable GSSAPI authentication if it is configured.
|
||||
GSSAPIAuthentication no
|
||||
GSSAPIAuthentication {{ 'yes' if ssh_gssapi_support else 'no' }}
|
||||
GSSAPICleanupCredentials yes
|
||||
{% endif %}
|
||||
|
||||
# In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here. For key-based authentication this is not necessary, since all keys must be explicitely enabled.
|
||||
{% if ssh_deny_users -%}
|
||||
|
@ -142,15 +153,15 @@ DenyGroups {{ssh_deny_groups}}
|
|||
AllowGroups {{ssh_allow_groups}}
|
||||
{% endif %}
|
||||
|
||||
{% if ssh_authorized_keys_file %}
|
||||
{% if ssh_authorized_keys_file -%}
|
||||
AuthorizedKeysFile {{ ssh_authorized_keys_file }}
|
||||
{% endif %}
|
||||
|
||||
{% if ssh_trusted_user_ca_keys_file %}
|
||||
{% if ssh_trusted_user_ca_keys_file -%}
|
||||
TrustedUserCAKeys {{ ssh_trusted_user_ca_keys_file }}
|
||||
{% if ssh_authorized_principals_file %}
|
||||
{% if ssh_authorized_principals_file -%}
|
||||
AuthorizedPrincipalsFile {{ ssh_authorized_principals_file }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
# Network
|
||||
|
@ -168,19 +179,23 @@ PermitTunnel {{ 'yes' if (ssh_permit_tunnel|bool) else 'no' }}
|
|||
|
||||
# Disable forwarding tcp connections.
|
||||
# no real advantage without denied shell access
|
||||
AllowTcpForwarding {{ 'yes' if (ssh_allow_tcp_forwarding|bool) else 'no' }}
|
||||
{% if sshd_version is version('6.2', '>=') %}
|
||||
AllowTcpForwarding {{ ssh_allow_tcp_forwarding if (ssh_allow_tcp_forwarding in ('yes', 'no', 'local', 'all')) else 'no' }}
|
||||
{% else %}
|
||||
AllowTcpForwarding {{ ssh_allow_tcp_forwarding if (ssh_allow_tcp_forwarding in ('yes', 'no')) else 'no' }}
|
||||
{% endif %}
|
||||
|
||||
# Disable agent formwarding, since local agent could be accessed through forwarded connection.
|
||||
# Disable agent forwarding, since local agent could be accessed through forwarded connection.
|
||||
# no real advantage without denied shell access
|
||||
AllowAgentForwarding {{ 'yes' if (ssh_allow_agent_forwarding|bool) else 'no' }}
|
||||
|
||||
{% if ssh_gateway_ports|bool %}
|
||||
{% if ssh_gateway_ports|bool -%}
|
||||
# Port forwardings are forced to bind to the wildcard address
|
||||
GatewayPorts yes
|
||||
{% elif ssh_gateway_ports == 'clientspecified' %}
|
||||
{% elif ssh_gateway_ports == 'clientspecified' -%}
|
||||
# Clients allowed to specify which address to bind port forwardings to
|
||||
GatewayPorts clientspecified
|
||||
{% else %}
|
||||
{% else -%}
|
||||
# Do not allow remote port forwardings to bind to non-loopback addresses.
|
||||
GatewayPorts no
|
||||
{% endif %}
|
||||
|
@ -192,13 +207,10 @@ X11UseLocalhost yes
|
|||
# User environment configuration
|
||||
# ==============================
|
||||
|
||||
{% if ssh_server_permit_environment_vars %}
|
||||
PermitUserEnvironment yes
|
||||
{% for item in ssh_server_permit_environment_vars %}
|
||||
AcceptEnv {{ item }}
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
PermitUserEnvironment no
|
||||
PermitUserEnvironment {{ ssh_server_permit_environment_vars }}
|
||||
|
||||
{% if ssh_server_accept_env_vars -%}
|
||||
AcceptEnv {{ ssh_server_accept_env_vars }}
|
||||
{% endif %}
|
||||
|
||||
# Misc. configuration
|
||||
|
@ -210,31 +222,31 @@ UseDNS {{ 'yes' if (ssh_use_dns|bool) else 'no' }}
|
|||
|
||||
PrintMotd {{ 'yes' if (ssh_print_motd|bool) else 'no' }}
|
||||
|
||||
{% if ansible_os_family != 'FreeBSD' %}
|
||||
{% if ansible_facts.os_family != 'FreeBSD' %}
|
||||
PrintLastLog {{ 'yes' if (ssh_print_last_log|bool) else 'no' }}
|
||||
{% endif %}
|
||||
|
||||
Banner {{ '/etc/ssh/banner.txt' if (ssh_banner|bool) else 'none' }}
|
||||
|
||||
{% if ansible_os_family == 'Debian' %}
|
||||
{% if ansible_facts.os_family == 'Debian' -%}
|
||||
DebianBanner {{ 'yes' if (ssh_print_debian_banner|bool) else 'no' }}
|
||||
{% endif %}
|
||||
|
||||
# Reject keys that are explicitly blacklisted
|
||||
RevokedKeys /etc/ssh/revoked_keys
|
||||
|
||||
{% if sftp_enabled %}
|
||||
{% if sftp_enabled -%}
|
||||
# SFTP matching configuration
|
||||
# ===========================
|
||||
# Configuration, in case SFTP is used
|
||||
# override default of no subsystems
|
||||
# Subsystem sftp /opt/app/openssh5/libexec/sftp-server
|
||||
|
||||
Subsystem sftp internal-sftp -l INFO -f LOCAL6
|
||||
Subsystem sftp internal-sftp -l INFO -f LOCAL6 -u {{ sftp_umask }}
|
||||
|
||||
# These lines must appear at the *end* of sshd_config
|
||||
Match Group sftponly
|
||||
ForceCommand internal-sftp -l INFO -f LOCAL6
|
||||
ForceCommand internal-sftp -l INFO -f LOCAL6 -u {{ sftp_umask }}
|
||||
{% if sftp_chroot %}
|
||||
ChrootDirectory {{ sftp_chroot_dir }}
|
||||
{% endif %}
|
||||
|
@ -245,23 +257,38 @@ Match Group sftponly
|
|||
X11Forwarding no
|
||||
{% endif %}
|
||||
|
||||
{% if ssh_server_match_group %}
|
||||
{% if ssh_server_match_address -%}
|
||||
# Address matching configuration
|
||||
# ============================
|
||||
|
||||
{% for item in ssh_server_match_address -%}
|
||||
Match Address {{ item.address }}
|
||||
{% for rule in item.rules %}
|
||||
{{ rule | indent(4) }}
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if ssh_server_match_group -%}
|
||||
# Group matching configuration
|
||||
# ============================
|
||||
|
||||
{% for item in ssh_server_match_group %}
|
||||
{% for item in ssh_server_match_group -%}
|
||||
Match Group {{ item.group }}
|
||||
{{ item.rules | indent(4) }}
|
||||
{% for rule in item.rules %}
|
||||
{{ rule | indent(4) }}
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if ssh_server_match_user %}
|
||||
{% if ssh_server_match_user -%}
|
||||
# User matching configuration
|
||||
# ===========================
|
||||
|
||||
{% for item in ssh_server_match_user %}
|
||||
{% for item in ssh_server_match_user -%}
|
||||
Match User {{ item.user }}
|
||||
{{ item.rules | indent(4) }}
|
||||
{% for rule in item.rules %}
|
||||
{{ rule | indent(4) }}
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
{% endif %}
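Review bot: The `AllowTcpForwarding` whitelist at `{{ ssh_allow_tcp_forwarding if (ssh_allow_tcp_forwarding in ('yes', 'no', 'local', 'all')) else 'no' }}` omits `remote`, which sshd_config(5) accepts from OpenSSH 6.2 alongside `local` and `all`, so a user asking for `remote` silently gets `no`; the same fallback also turns the old boolean form `true` into `no` with no warning, so a comment on the line or an `assert` task on the variable would be worth adding. `PermitRootLogin {{ ssh_permit_root_login }}` goes the other way and passes the variable through unchecked where the old line could only yield `without-password` or `no`; note also that `without-password` (used in the test vars) is the deprecated spelling of `prohibit-password` since OpenSSH 7.0. Inside `{% if ssh_gssapi_support -%}` the new `GSSAPIAuthentication {{ 'yes' if ssh_gssapi_support else 'no' }}` can only render `yes`, which is a behaviour change from the previous hard `no` and deserves a mention in the commit message. The sshd_config.j2 file continues beyond the visible hunks.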
|
||||
|
|
|
@ -2,20 +2,30 @@
|
|||
- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
|
||||
hosts: localhost
|
||||
pre_tasks:
|
||||
- package: name="{{item}}" state=present
|
||||
with_items:
|
||||
- "openssh-clients"
|
||||
- "openssh-server"
|
||||
- name: use python3
|
||||
set_fact:
|
||||
ansible_python_interpreter: /usr/bin/python3
|
||||
when: ansible_facts.distribution == 'Fedora'
|
||||
|
||||
- package: name="{{ packages }}" state=present
|
||||
vars:
|
||||
packages:
|
||||
- openssh-clients
|
||||
- openssh-server
|
||||
- libselinux-python
|
||||
ignore_errors: true
|
||||
- apt: name="{{item}}" state=present update_cache=true
|
||||
with_items:
|
||||
- "openssh-client"
|
||||
- "openssh-server"
|
||||
- apt: name="{{packages}}" state=present update_cache=true
|
||||
vars:
|
||||
packages:
|
||||
- "openssh-client"
|
||||
- "openssh-server"
|
||||
ignore_errors: true
|
||||
- file: path="/var/run/sshd" state=directory
|
||||
- name: create ssh host keys
|
||||
command: "ssh-keygen -A"
|
||||
when: not ((ansible_os_family in ['Oracle Linux', 'RedHat']) and ansible_distribution_major_version < '7')
|
||||
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
|
||||
ansible_facts.distribution == "Fedora" or
|
||||
ansible_facts.distribution == "Amazon"
|
||||
|
||||
roles:
|
||||
- ansible-ssh-hardening
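Review bot: In `pre_tasks` the single `package:` task installs `openssh-clients`, `openssh-server` and `libselinux-python` together under `ignore_errors: true`, so if one name is unavailable (on Fedora and RHEL 8 the python3 variant is likely what is packaged, as the new vars files' `python3-policycoreutils` suggests) the whole task is ignored and the role then runs on a host that may have no sshd at all. Installing the optional SELinux binding in its own task and letting the openssh install fail normally keeps the test meaningful; the custom-settings playbook below has the same pattern. The `when:` on `create ssh host keys` reads as `(not (...)) or Fedora or Amazon`, which is probably intended but a pair of parentheses would make it explicit.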
|
||||
|
|
|
@ -2,30 +2,40 @@
|
|||
- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with custom settings
|
||||
hosts: localhost
|
||||
pre_tasks:
|
||||
- package: name="{{item}}" state=present
|
||||
with_items:
|
||||
- "openssh-clients"
|
||||
- "openssh-server"
|
||||
- name: use python3
|
||||
set_fact:
|
||||
ansible_python_interpreter: /usr/bin/python3
|
||||
when: ansible_facts.distribution == 'Fedora'
|
||||
|
||||
- package: name="{{ packages }}" state=present
|
||||
vars:
|
||||
packages:
|
||||
- openssh-clients
|
||||
- openssh-server
|
||||
- libselinux-python
|
||||
ignore_errors: true
|
||||
- apt: name="{{item}}" state=present update_cache=true
|
||||
with_items:
|
||||
- "openssh-client"
|
||||
- "openssh-server"
|
||||
- apt: name="{{packages}}" state=present update_cache=true
|
||||
vars:
|
||||
packages:
|
||||
- "openssh-client"
|
||||
- "openssh-server"
|
||||
ignore_errors: true
|
||||
- file: path="/var/run/sshd" state=directory
|
||||
- name: create ssh host keys
|
||||
command: "ssh-keygen -A"
|
||||
when: not ((ansible_os_family in ['Oracle Linux', 'RedHat']) and ansible_distribution_major_version < '7')
|
||||
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
|
||||
ansible_facts.distribution == "Fedora" or
|
||||
ansible_facts.distribution == "Amazon"
|
||||
|
||||
roles:
|
||||
- ansible-ssh-hardening
|
||||
vars:
|
||||
network_ipv6_enable: true
|
||||
ssh_allow_root_with_key: true
|
||||
ssh_allow_tcp_forwarding: true
|
||||
ssh_allow_tcp_forwarding: 'yes'
|
||||
ssh_gateway_ports: true
|
||||
ssh_allow_agent_forwarding: true
|
||||
ssh_server_permit_environment_vars: ['PWD','HTTP_PROXY']
|
||||
ssh_server_permit_environment_vars: 'yes'
|
||||
ssh_server_accept_env_vars: 'PWD HTTP_PROXY'
|
||||
ssh_client_alive_interval: 100
|
||||
ssh_client_alive_count: 10
|
||||
ssh_client_password_login: true
|
||||
|
@ -37,6 +47,7 @@
|
|||
ssh_deny_groups: 'foo bar'
|
||||
ssh_authorized_keys_file: '/etc/ssh/authorized_keys/%u'
|
||||
ssh_max_auth_retries: 10
|
||||
ssh_permit_root_login: "without-password"
|
||||
ssh_permit_tunnel: true
|
||||
ssh_print_motd: true
|
||||
ssh_print_last_log: true
|
||||
|
@ -45,12 +56,21 @@
|
|||
sftp_enabled: true
|
||||
sftp_chroot: true
|
||||
#ssh_server_enabled: false
|
||||
ssh_server_match_address:
|
||||
- address: '192.168.1.1/24'
|
||||
rules:
|
||||
- 'AllowTcpForwarding yes'
|
||||
- 'AllowAgentForwarding no'
|
||||
ssh_server_match_group:
|
||||
- group: 'root'
|
||||
rules: 'AllowTcpForwarding yes'
|
||||
rules:
|
||||
- 'AllowTcpForwarding yes'
|
||||
- 'AllowAgentForwarding no'
|
||||
ssh_server_match_user:
|
||||
- user: 'root'
|
||||
rules: 'AllowTcpForwarding yes'
|
||||
rules:
|
||||
- 'AllowTcpForwarding yes'
|
||||
- 'AllowAgentForwarding no'
|
||||
ssh_remote_hosts:
|
||||
- names: ['example.com', 'example2.com']
|
||||
options: ['Port 2222', 'ForwardAgent yes']
|
||||
|
@ -63,8 +83,13 @@
|
|||
ssh_trusted_user_ca_keys:
|
||||
- '# ssh-rsa ...'
|
||||
ssh_authorized_principals_file: '/etc/ssh/auth_principals/%u'
|
||||
ssh_authorized_principals :
|
||||
ssh_authorized_principals:
|
||||
- { path: '/etc/ssh/auth_principals/root', principals: [ 'root' ], owner: "{{ ssh_owner }}", group: "{{ ssh_group }}", directoryowner: "{{ ssh_owner }}", directorygroup: "{{ ssh_group}}" }
|
||||
ssh_host_key_algorithms:
|
||||
- ssh-ed25519
|
||||
- rsa-sha2-512
|
||||
- rsa-sha2-256
|
||||
- ssh-rsa
|
||||
ssh_macs:
|
||||
- hmac-sha2-512
|
||||
- hmac-sha2-256
|
||||
|
@ -76,3 +101,7 @@
|
|||
ssh_kex:
|
||||
- diffie-hellman-group-exchange-sha256
|
||||
- diffie-hellman-group-exchange-sha1
|
||||
ssh_custom_options:
|
||||
- "Include /etc/ssh/ssh_config.d/*"
|
||||
sshd_custom_options:
|
||||
- "AcceptEnv LANG"
|
||||
|
|
|
@ -1,3 +1,6 @@
|
|||
sshd_service_name: ssh
|
||||
ssh_owner: root
|
||||
ssh_group: root
|
||||
ssh_selinux_packages:
|
||||
- policycoreutils-python
|
||||
- checkpolicy
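Review bot: `ssh_selinux_packages` here lists `policycoreutils-python`, which is the RHEL-family package name; if this is the Debian-family vars file (the `sshd_service_name: ssh` suggests it), that name is unlikely to exist and the `package:` task in selinux.yml will fail where the removed Debian/Ubuntu task installed `policycoreutils` and `checkpolicy`. Carrying the old list over, `- policycoreutils` in place of `- policycoreutils-python`, preserves the previous behaviour on Debian hosts with SELinux enabled; the file path is not visible in this view, so please confirm which file this is.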
|
||||
|
|
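--- a/ansible/roles/dev-sec.ssh-hardening/vars/Fedora.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/vars/Fedora.yml
@@ -0,0 +1,6 @@
+sshd_service_name: sshd
+ssh_owner: root
+ssh_group: root
+ssh_selinux_packages:
+- python3-policycoreutils
+- checkpolicy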
|
@ -1,3 +1,6 @@
|
|||
sshd_service_name: sshd
|
||||
ssh_owner: root
|
||||
ssh_group: root
|
||||
ssh_selinux_packages:
|
||||
- policycoreutils-python
|
||||
- checkpolicy
|
||||
|
|
|
@ -1,3 +1,6 @@
|
|||
sshd_service_name: sshd
|
||||
ssh_owner: root
|
||||
ssh_group: root
|
||||
ssh_selinux_packages:
|
||||
- policycoreutils-python
|
||||
- checkpolicy
|
||||
|
|
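--- a/ansible/roles/dev-sec.ssh-hardening/vars/RedHat_8.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/vars/RedHat_8.yml
@@ -0,0 +1,6 @@
+sshd_service_name: sshd
+ssh_owner: root
+ssh_group: root
+ssh_selinux_packages:
+- python3-policycoreutils
+- checkpolicy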
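--- a/ansible/roles/docker-compose/.gitignore
+++ b/ansible/roles/docker-compose/.gitignore
@@ -1,5 +0,0 @@
-*.retry
-.vagrant
-tests/_roles
-!tests/_roles/.gitkeep
-.DS_Store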
|
@ -1,24 +0,0 @@
|
|||
---
|
||||
language: python
|
||||
python: "2.7"
|
||||
|
||||
sudo: required
|
||||
dist: trusty
|
||||
|
||||
addons:
|
||||
apt:
|
||||
sources:
|
||||
- sourceline: ppa:ansible/ansible
|
||||
packages:
|
||||
- ansible
|
||||
|
||||
before_install: cd tests
|
||||
|
||||
install:
|
||||
- ansible-galaxy install -r roles.yml
|
||||
|
||||
script:
|
||||
- ansible-playbook -i localhost test.yml
|
||||
|
||||
notifications:
|
||||
webhooks: https://galaxy.ansible.com/api/v1/notifications/
|
|
@ -1,21 +0,0 @@
|
|||
MIT License
|
||||
|
||||
Copyright (c) 2016 Suzuki Shunsuke
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
|
@ -1,39 +0,0 @@
|
|||
docker-compose
|
||||
===============
|
||||
|
||||
[![Build Status](https://travis-ci.org/suzuki-shunsuke/ansible-docker-compose.svg?branch=master)](https://travis-ci.org/suzuki-shunsuke/ansible-docker-compose)
|
||||
|
||||
Install Docker Compose.
|
||||
|
||||
https://galaxy.ansible.com/suzuki-shunsuke/docker-compose/
|
||||
|
||||
Requirements
|
||||
------------
|
||||
|
||||
* Docker Engine
|
||||
|
||||
Role Variables
|
||||
--------------
|
||||
|
||||
* docker_compose_path: the path where docker-compose is installed. The default is /usr/local/bin
|
||||
* docker_compose_mode: the permission of the docker-compose. The default is 0755
|
||||
* docker_compose_version: docker-compose version. The default is `1.11.2`
|
||||
|
||||
Dependencies
|
||||
------------
|
||||
|
||||
Nothing.
|
||||
|
||||
Example Playbook
|
||||
----------------
|
||||
|
||||
```yaml
|
||||
- hosts: servers
|
||||
roles:
|
||||
- role: suzuki-shunsuke.docker-compose
|
||||
```
|
||||
|
||||
License
|
||||
-------
|
||||
|
||||
MIT
|
|
@ -1,5 +0,0 @@
|
|||
---
|
||||
# defaults file for docker-compose
|
||||
docker_compose_path: /usr/local/bin
|
||||
docker_compose_mode: 0755
|
||||
docker_compose_version: 1.11.2
|
|
@ -1 +0,0 @@
|
|||
{install_date: 'Mon Apr 24 12:06:46 2017', version: 1.2.0}
|
|
@ -1,15 +0,0 @@
|
|||
galaxy_info:
|
||||
author: Suzuki Shunsuke
|
||||
description: Install Docker Compose
|
||||
license: MIT
|
||||
min_ansible_version: 1.2
|
||||
github_branch: master
|
||||
platforms:
|
||||
- name: GenericUnix
|
||||
versions:
|
||||
- all
|
||||
galaxy_tags:
|
||||
- docker
|
||||
- docker compose
|
||||
|
||||
dependencies: []
|
|
@ -1,7 +0,0 @@
|
|||
---
|
||||
# tasks file for docker-compose
|
||||
- name: Install docker-compose
|
||||
get_url:
|
||||
url: https://github.com/docker/compose/releases/download/{{docker_compose_version}}/docker-compose-{{ansible_system}}-{{ansible_architecture}}
|
||||
dest: "{{'{}/docker-compose'.format(docker_compose_path)}}"
|
||||
mode: "{{docker_compose_mode}}"
|
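--- a/ansible/roles/docker-compose/tests/Vagrantfile
+++ b/ansible/roles/docker-compose/tests/Vagrantfile
@@ -1,12 +0,0 @@
-# -*- mode: ruby -*-
-# vi: set ft=ruby :
-
-Vagrant.configure(2) do |config|
-config.vm.box = "bento/ubuntu-16.04"
-config.vm.provider "virtualbox" do |vb|
-vb.memory = "2048"
-end
-config.vm.provision "ansible" do |ansible|
-ansible.playbook = "./test.yml"
-end
-end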
|
@ -1,6 +0,0 @@
|
|||
[defaults]
|
||||
roles_path = ./_roles:../../
|
||||
|
||||
[ssh_connection]
|
||||
ssh_args = -o ControlPersist=1800s -o ControlMaster=auto
|
||||
pipelining = True
|
|
@ -1,2 +0,0 @@
|
|||
[default]
|
||||
localhost ansible_connection=local
|
|
@ -1 +0,0 @@
|
|||
- src: suzuki-shunsuke.docker-ubuntu
|
|
@ -1,11 +0,0 @@
|
|||
---
|
||||
- hosts: default
|
||||
roles:
|
||||
- suzuki-shunsuke.docker-ubuntu
|
||||
- ansible-docker-compose
|
||||
tasks:
|
||||
- command: docker-compose --version
|
||||
register: result
|
||||
changed_when: false
|
||||
- debug:
|
||||
var: result
|
|
@ -1,3 +0,0 @@
|
|||
---
|
||||
# vars file for docker-compose
|
||||
docker_compose_nonroot: "{{ (ansible_env.HOME == '/root') | ternary('no', 'yes') }}"
|
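--- a/ansible/roles/docker-ubuntu/.gitignore
+++ b/ansible/roles/docker-ubuntu/.gitignore
@@ -1,2 +0,0 @@
-*.retry
-.vagrant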
|
@ -1,23 +0,0 @@
|
|||
---
|
||||
language: python
|
||||
python: "2.7"
|
||||
|
||||
sudo: required
|
||||
dist: trusty
|
||||
|
||||
addons:
|
||||
apt:
|
||||
sources:
|
||||
- sourceline: ppa:ansible/ansible
|
||||
packages:
|
||||
- ansible
|
||||
|
||||
before_script:
|
||||
- ansible --version
|
||||
- cd tests
|
||||
|
||||
script:
|
||||
- ansible-playbook -i inventory-local test.yml
|
||||
|
||||
notifications:
|
||||
webhooks: https://galaxy.ansible.com/api/v1/notifications/
|