Updated Ansible setup

This commit is contained in:
Oleg Lavrovsky 2020-05-15 22:41:39 +02:00
parent 2775bc8df1
commit 0a6dcf6cc7
165 changed files with 2101 additions and 1633 deletions


@ -89,20 +89,22 @@ Install or update the following roles from [Ansible Galaxy](https://docs.ansible
```
ansible-galaxy install \
dev-sec.nginx-hardening dev-sec.ssh-hardening dev-sec.os-hardening \
geerlingguy.nodejs geerlingguy.certbot
dev-sec.nginx-hardening \
dev-sec.ssh-hardening \
dev-sec.os-hardening \
geerlingguy.nodejs
```
To check that the scripts and roles are correctly installed, use this command to do a "dry run":
```
ansible-playbook -s ansible/*.yaml -i ansible/inventories/production --syntax-check --list-tasks
ansible-playbook -i ansible/inventories/production --syntax-check --list-tasks ansible/*.yaml
```
To do production deployments, you need to obtain SSH and vault keys from your system administrator (who has followed the Ansible guide to set up a vault..), and place these in a `.keys` folder. To deploy a site:
```
ansible-playbook -s ansible/<*.yaml> -i ansible/inventories/production
ansible-playbook -i ansible/inventories/production ansible/*.yaml
```
For an update release with a specific version, use:
@ -111,7 +113,7 @@ For an update release with a specific version, use:
ansible-playbook -s ansible/site.yaml -i ansible/inventories/production --tags release -e gitversion=<v*.*.*>
```
We use a StackScript to deploy to Linode, the basic system set up is to have a user in the sudoers and docker group, and a few basic system packages ready.
Once the basic system set up, i.e. you have an `ansible` user in the sudoers and docker group, and a few basic system packages ready.
For example, on Ubuntu:
@ -119,28 +121,19 @@ For example, on Ubuntu:
apt-get install -q -y zip git nginx python-virtualenv python-dev
```
The order of deployment is:
The typical order of deployment is:
- docker.yaml (base system)
- node.yaml
- site.yaml
- docker.yaml
- harden.yaml
- certbot.yaml
The last line adds support for Let's Encrypt, which you can configure and enable (updating your Nginx setup) with:
```
sudo /opt/certbot/certbot-auto --nginx certonly
```
If you do **not** wish to use SSL, delete the last part of your nginx site configuration (/etc/nginx/sites-enabled/...).
### Production releases
For further deployment and system maintenance we have a `Makefile` which automates Docker Compose tasks. This should be converted to use [Ansible Container](http://docs.ansible.com/ansible-container/getting_started.html). In the meantime, start a release with Ansible, then complete it using `make`, i.e.:
```
ansible-playbook -s ansible/site.yaml -i ansible/inventories/production --tags release
ansible-playbook -i ansible/inventories/production --tags release ansible/site.yaml
ssh -i .keys/ansible.pem ansible@<server-ip> "cd <release_dir> && make release"
```


@ -1,13 +0,0 @@
- hosts: webservers
become: true
become_method: 'sudo'
gather_facts: yes
vars:
certbot_auto_renew_user: ansible
certbot_auto_renew_minute: 20
certbot_auto_renew_hour: 5
certbot_dir: /opt/certbot
certbot_install_from_source: yes
certbot_version: v0.14.2
roles:
- geerlingguy.certbot


@ -3,7 +3,5 @@
become_method: 'sudo'
gather_facts: yes
roles:
- role: docker-ubuntu
- role: geerlingguy.docker
docker_users: ansible
- role: docker-compose
docker_compose_version: 1.12.0
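Review bot: `docker_users: ansible` makes the deploy account a member of the docker group, which is root-equivalent on the host (anyone who can talk to the daemon socket can mount `/` and bypass sudo); the README already gives this user sudo, so the grant is consistent, but it deserves a comment at the point of grant, e.g. `# docker group == root on the host; keep this to the deploy account only`. geerlingguy.docker documents `docker_users` as a list, so `docker_users: [ansible]` is the expected form — a bare string happens to iterate as one item under `with_items` but is not the documented contract. The play header (`hosts`, `become`) and any trailing lines are outside this hunk.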


@ -0,0 +1,29 @@
---
django_project_name: publichealth
elasticsearch_heap_size: 1g
memcached_memory_allocation_mb: 256
nginx_worker_processes: 2
nginx_worker_connections: 1024
domain: "{{ vault_domain }}"
allowed_domains: "{{ vault_allowed_domains }}"
django_email_key: "{{ vault_django_email_key }}"
django_email_domain: "{{ vault_django_email_domain }}"
django_email_from: "{{ vault_django_email_from }}"
django_secret_key: "{{ vault_django_secret_key }}"
# Default: postgres://postgres:@postgres:5432/postgres
django_postgres_url: "{{ vault_django_postgres_url }}"
# Default: http://elasticsearch:9200
django_elasticsearch_url: "{{ vault_django_elasticsearch_url }}"
# Default: redis://redis:6379
django_redis_url: "{{ vault_django_redis_url }}"
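Review bot: The three `# Default: …` comments above `django_postgres_url`, `django_elasticsearch_url` and `django_redis_url` document fallback connection strings that carry no credentials (empty postgres password, unauthenticated Elasticsearch and Redis); in a production group_vars file it is worth saying explicitly that those defaults are only meaningful on the private compose network, e.g. `# Default (compose-internal only, no auth): postgres://postgres:@postgres:5432/postgres — production value comes from vault`. Routing every secret through a `vault_*` indirection and keeping this file free of literals is the right pattern. The header reports 29 added lines while fewer are shown here, so the rendering appears to have collapsed blank lines.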


@ -0,0 +1,46 @@
$ANSIBLE_VAULT;1.1;AES256
39623434656631643030663563343865363562353834336262353939666566643961323936316537
6139376161613163626664323564626134333066346265330a636334616466306464316365653038
32646430633039303364366163646430633436366664333064393364663132363535666338666137
3531323636316435640a326135303364623461623434343663343062653434356165356161326365
66663664643463393964653764376264616166306433343761653037616639326538626531663239
37376263303237346131326231656439366430373637653634396139333431636565373630626131
39303661383937346630623830613462393163333032643035313765393030653337363161386364
36623132353033316239326365343064663130333161353835643935613034303838373861323163
62363564343531666665356439326139366463646661636534386334323765636336306136623766
62636534626461326166613934663535633962336130386463633439343434353637396131383633
61343335393463313433356363366639626535346263333635393039376335343965393138323639
32386461626164356666386535393365616539323631303265303833373635646339343031346139
39336332396662636561613636303866303230353866646330306433353938306133336239326431
65383365313336636166353533363439333739373832353839656139306262366230646631363033
62653430396463663232613539353135666465666635316432383230306361376330353938356538
39333566373366323134613262623865383866363163383931386632643131313939346161343438
38353733393938356266353761326635316239373964656535633937643830373161646661333130
36646364646361343336326662346361616239653964646537306366333234313833623337653732
66623238613961303131356632343163323264616664373638653331656561663333306133386630
62333662306234663036333062646635303662646136396666343535383565386664313239656633
32663366323964306362346366393734623630376432373936316362616639363636306439623636
34313165663264653235636632386563323964373863396363303934336138323435333462373033
34373163623864623836646435333730386137383634333066653865666331303438616462366134
63343837373130616638646338643339393432343130323838303837636566626436336538396463
65393332343964663233623634363234643266386634336231303930396463303537373466633565
64393966306161336265393936656364383237363065326130356331643766383166656536643263
32636236333637663737366666616461653939303033643730623137353735663234636438623431
38623931343939376661633438336563383365633336343563646134376230613930626461383133
39616535646166333435363234643939376464323730333263633333616531393666363561633133
36396464383662623439616630633361316339306139393434383932663464653634393064343061
63643338396432326539363166366163373336616137326566643764303361636130613439663036
38376261326333373061653862663833313563363537373534336638656632313033616238393638
63353435613231316439366535656139623366333534303662323839336232646636346166653866
36633138396363616663306535353432313938306535376361353065323935303266386332343730
36346335386238666235333263626265353431616262313537396336353232363964316538303363
36303165313462653336653863343233323336383835336230393836343332376165653866643738
65393734393037303162653930313564303837353631623632343561336561383062613363653238
37353234616333356432643731343535313434613534323835613465656432333735643863386264
61653235333239663739353738323264333930653337323431666461636265383836663539323531
39633761323536306536633064666161383839626437666430613963353430366435383630386232
35646439303031643035616133326433326163333830643436663262633665653365343830653630
37613235623462623937383330656530363033336636653534316235636336636137333537393434
33663664303437396632663630643166393631613566646165386333363035373733393333623365
62313862383432396362363565636361623630313161653436633366323836333566396363313535
39623166313239663638643134613364623934303438313136353562633962336538


@ -0,0 +1,13 @@
$ANSIBLE_VAULT;1.1;AES256
61393361636537666237333561613438353833396362323665653635333365313632663138393464
3235343235373336386135306436373332613033303034330a353536663964306266376662366263
63346635333630656238366566666463373536323536396566363163393932613130623366323334
3730333438326538380a623461333435376635373837346166303230383231623331363535623934
38373834393464636633353132356136383363316134356334323737303762393063326532356135
37643535386466656365663432376335666533653737323861393936353236343532663238663430
30376161616161653539633934333366383061373134313866646262613430363930303866613837
66643636393131393766653632386131613663363338376461623836613462643766376363626563
37393938326465633661663938613935653838613063613937663837323435323765326461346261
31616130336662326233623466353933343139666636313333303335306632663465666232373037
33346235663765393337656336653866393233616561613738343337653038653665356535633631
39366432343634303861


@ -1 +1,2 @@
{install_date: 'Mon Dec 17 12:48:14 2018', version: 2.1.0}
install_date: Fri May 15 20:29:19 2020
version: 2.1.0


@ -0,0 +1,34 @@
name: Create Changelog
on:
pull_request:
types: [closed]
release:
types: [published]
issues:
types: [closed, edited]
jobs:
generate_changelog:
runs-on: ubuntu-latest
name: Generate changelog for master branch
steps:
- uses: actions/checkout@v1
- name: Generate changelog
uses: charmixer/auto-changelog-action@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: push
uses: github-actions-x/commit@v2.6
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
push-branch: 'master'
commit-message: 'update changelog'
force-add: 'true'
files: CHANGELOG.md
name: dev-sec CI
email: github@gumpri.ch
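Review bot: Every third-party action in this workflow is referenced by a mutable tag (`charmixer/auto-changelog-action@v1`, `github-actions-x/commit@v2.6`, `actions/checkout@v1`) and the commit step is handed `secrets.GITHUB_TOKEN` with `force-add: 'true'` and `push-branch: 'master'`, so whoever controls those tags controls code that can push to master; pin each `uses:` to a full commit SHA with the tag kept as a comment, e.g. `uses: charmixer/auto-changelog-action@<commit-sha>  # v1`. The same applies to the release workflow below, where `WyriHaximus/github-action-get-previous-tag@master` tracks a branch head rather than a release. Both files carry the dev-sec CI identity (`name: dev-sec CI`, `email: github@gumpri.ch`), which suggests they were copied in together with the vendored os-hardening role; if they sit under this repository's own `.github/workflows/` they will run against this repository's master, and if they are only a copy inside the role directory they are inert and could be dropped. `on: issues: types: [closed, edited]` also regenerates and force-pushes the changelog on every issue edit, which is probably more often than intended.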


@ -0,0 +1,50 @@
name: New release
on:
push:
branches:
- master
jobs:
generate_changelog:
runs-on: ubuntu-latest
name: create release draft
steps:
- uses: actions/checkout@v1
- name: 'Get Previous tag'
id: previoustag
uses: "WyriHaximus/github-action-get-previous-tag@master"
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- name: calculate next version
id: version
uses: patrickjahns/version-drafter-action@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Generate changelog
uses: charmixer/auto-changelog-action@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
since_tag: ${{ steps.previoustag.outputs.tag }}
future_release: ${{ steps.version.outputs.next-version }}
- name: Read CHANGELOG.md
id: package
uses: juliangruber/read-file-action@v1
with:
path: ./CHANGELOG.md
- name: Create Release draft
id: create_release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
with:
release_name: ${{ steps.version.outputs.next-version }}
tag_name: ${{ steps.version.outputs.next-version }}
body: |
${{ steps.package.outputs.content }}
draft: true


@ -16,47 +16,47 @@ provisioner:
require_ruby_for_busser: false
ansible_verbose: true
roles_path: ../ansible-os-hardening/
playbook: default.yml
playbook: tests/test.yml
http_proxy: <%= ENV['http_proxy'] || nil %>
https_proxy: <%= ENV['https_proxy'] || nil %>
transport:
max_ssh_sessions: 5
max_ssh_sessions: 1
platforms:
- name: ubuntu14.04
- name: ubuntu-16.04
driver_config:
box: opscode-ubuntu-14.04
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box
- name: ubuntu16.04
box: bento/ubuntu-16.04
- name: ubuntu-18.04
driver_config:
box: opscode-ubuntu-16.04
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-16.04_chef-provisionerless.box
- name: ubuntu18.04
box: bento/ubuntu-18.04
- name: centos-6
driver_config:
box: ubuntu/bionic64
- name: centos6
box: bento/centos-6.7
- name: centos-7
driver_config:
box: bento/centos-6.9
- name: centos7
box: bento/centos-7
- name: centos-8
driver_config:
box: bento/centos-7.3
- name: oracle6
box: bento/centos-8
- name: oracle-6
driver_config:
box: oracle-6.5
box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box
- name: oracle7
box: bento/oracle-6
- name: oracle-7
driver_config:
box: boxcutter/ol72
- name: debian7
box: bento/oracle-7
- name: debian-9
driver_config:
box: bento/debian-7.11
- name: debian8
box: bento/debian-9
- name: debian-10
driver_config:
box: bento/debian-8.8
- name: debian9
box: bento/debian-10
- name: amazon
driver_config:
box: bento/debian-9.0
box: bento/amazonlinux-2
- name: opensuse_tumbleweed
driver_config:
box: opensuse/Tumbleweed.x86_64
verifier:
name: inspec


@ -7,7 +7,7 @@ driver:
https_proxy: <%= ENV['https_proxy'] || nil %>
transport:
max_ssh_sessions: 5
max_ssh_sessions: 1
provisioner:
name: ansible_playbook
@ -17,7 +17,7 @@ provisioner:
require_ruby_for_busser: false
ansible_verbose: true
ansible_diff: true
hosts: all
roles_path: ../ansible-os-hardening/
http_proxy: <%= ENV['http_proxy'] || nil %>
https_proxy: <%= ENV['https_proxy'] || nil %>
@ -36,6 +36,14 @@ platforms:
provision_command:
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- systemctl enable sshd.service
- name: centos8-ansible-latest
driver:
image: rndmh3ro/docker-centos8-ansible:latest
platform: centos
run_command: /sbin/init
provision_command:
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- systemctl enable sshd.service
- name: oracle6-ansible-latest
driver:
image: rndmh3ro/docker-oracle6-ansible:latest
@ -48,10 +56,6 @@ platforms:
provision_command:
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- systemctl enable sshd.service
- name: ubuntu1404-ansible-latest
driver:
image: rndmh3ro/docker-ubuntu1404-ansible:latest
platform: ubuntu
- name: ubuntu1604-ansible-latest
driver:
image: rndmh3ro/docker-ubuntu1604-ansible:latest
@ -66,14 +70,6 @@ platforms:
run_command: /sbin/init
provision_command:
- systemctl enable ssh.service
- name: debian7-ansible-latest
driver:
image: rndmh3ro/docker-debian7-ansible:latest
platform: debian
- name: debian8-ansible-latest
driver:
image: rndmh3ro/docker-debian8-ansible:latest
platform: debian
- name: debian9-ansible-latest
driver:
image: rndmh3ro/docker-debian9-ansible:latest
@ -82,6 +78,14 @@ platforms:
provision_command:
- apt install -y systemd-sysv
- systemctl enable ssh.service
- name: debian10-ansible-latest
driver:
image: rndmh3ro/docker-debian10-ansible:latest
platform: debian
run_command: /sbin/init
provision_command:
- apt install -y systemd-sysv
- systemctl enable ssh.service
- name: amazon-ansible-latest
driver:
image: rndmh3ro/docker-amazon-ansible:latest
@ -90,6 +94,23 @@ platforms:
provision_command:
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- systemctl enable sshd.service
- name: fedora-ansible-latest
driver:
image: rndmh3ro/docker-fedora-ansible:latest
platform: centos
run_command: /sbin/init
provision_command:
- dnf install -y python
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- systemctl enable sshd.service
- name: opensuse_tumbleweed-ansible-latest
driver:
image: rndmh3ro/docker-opensuse_tumbleweed-ansible
platform: opensuse
provision_command:
- zypper -n install python-xml rpm-python
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- systemctl enable sshd.service
verifier:
name: inspec


@ -11,6 +11,16 @@ env:
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
version: latest
- distro: centos8
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
version: latest
- distro: fedora
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
version: latest
- distro: oracle6
version: latest
init: /sbin/init
@ -20,10 +30,6 @@ env:
# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
# version: latest
- distro: ubuntu1404
version: latest
init: /sbin/init
- distro: ubuntu1604
version: latest
init: /lib/systemd/systemd
@ -34,16 +40,12 @@ env:
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distro: debian7
- distro: debian9
version: latest
init: /sbin/init
- distro: debian8
version: latest
init: /sbin/init
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distro: debian9
- distro: debian10
version: latest
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
@ -53,17 +55,28 @@ env:
version: latest
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
# - distro: opensuse_tumbleweed
# init: /usr/lib/systemd/systemd
# version: latest
# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro --volume=/run:/run:ro"
before_install:
# Pull container
- 'docker pull rndmh3ro/docker-${distro}-ansible:${version}'
script:
- pip install --user ansible-lint
- ansible-lint ./
- container_id=$(mktemp)
# Run container in detached state.
- 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-os-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
# Output Ansible version from docker image
- 'docker exec "$(cat ${container_id})" ansible-playbook --version'
# Test role.
- 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/tests/test.yml --diff --skip-tags "sysctl"'
- 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/tests/test.yml --diff'
# Verify role
- 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --controls=os-01 os-02 os-03 os-04 os-05 os-05b os-06 os-07 os-09 os-10 os-11 package-01 package-02 package-03 package-05 package-06 package-08 package-09 --no-distinct-exit'


@ -1,6 +1,113 @@
# Change Log
# Changelog
## [Unreleased](https://github.com/dev-sec/ansible-os-hardening/tree/HEAD)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.0...HEAD)
**Implemented enhancements:**
- add changelog and release workflow [\#271](https://github.com/dev-sec/ansible-os-hardening/pull/271) ([rndmh3ro](https://github.com/rndmh3ro))
- github action for changelog generation [\#270](https://github.com/dev-sec/ansible-os-hardening/pull/270) ([rndmh3ro](https://github.com/rndmh3ro))
## [6.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.0) (2020-05-05)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.2.1...6.0.0)
**Implemented enhancements:**
- Configure audit=1 for more accurate auid auditing [\#253](https://github.com/dev-sec/ansible-os-hardening/issues/253)
- Add Debian Buster support for ansible-os-hardening [\#233](https://github.com/dev-sec/ansible-os-hardening/issues/233)
- Add CentOS 8 support for ansible-os-hardening [\#232](https://github.com/dev-sec/ansible-os-hardening/issues/232)
- Add selinux configuration [\#154](https://github.com/dev-sec/ansible-os-hardening/issues/154)
- Make useradd defaults in login.defs dependent on OS [\#266](https://github.com/dev-sec/ansible-os-hardening/pull/266) ([Aisbergg](https://github.com/Aisbergg))
- Add kernel hardening parameters from Tails and CIS Benchmark [\#263](https://github.com/dev-sec/ansible-os-hardening/pull/263) ([kravietz](https://github.com/kravietz))
- add ansible-lint [\#262](https://github.com/dev-sec/ansible-os-hardening/pull/262) ([rndmh3ro](https://github.com/rndmh3ro))
- Remove trailing space [\#261](https://github.com/dev-sec/ansible-os-hardening/pull/261) ([kravietz](https://github.com/kravietz))
- Add kernel parameter information to README [\#259](https://github.com/dev-sec/ansible-os-hardening/pull/259) ([jaredledvina](https://github.com/jaredledvina))
- Remove trailing whitespaces \(ansible-lint 201\) [\#254](https://github.com/dev-sec/ansible-os-hardening/pull/254) ([kravietz](https://github.com/kravietz))
- Standardize the var ordering [\#251](https://github.com/dev-sec/ansible-os-hardening/pull/251) ([dustinmiller1337](https://github.com/dustinmiller1337))
- Add intial support for OpenSUSE [\#250](https://github.com/dev-sec/ansible-os-hardening/pull/250) ([dustinmiller1337](https://github.com/dustinmiller1337))
- Make max\_log\_file\_action for auditd configurable [\#246](https://github.com/dev-sec/ansible-os-hardening/pull/246) ([jandd](https://github.com/jandd))
- Add exception in sysctl task [\#240](https://github.com/dev-sec/ansible-os-hardening/pull/240) ([okupriyanov](https://github.com/okupriyanov))
- Fedora - Use new auto ansible\_python\_interpreter for dnf [\#239](https://github.com/dev-sec/ansible-os-hardening/pull/239) ([jaredledvina](https://github.com/jaredledvina))
- add test support for CentOS8 [\#237](https://github.com/dev-sec/ansible-os-hardening/pull/237) ([yeoldegrove](https://github.com/yeoldegrove))
- Support configuring SELinux and default to enforcing [\#236](https://github.com/dev-sec/ansible-os-hardening/pull/236) ([jaredledvina](https://github.com/jaredledvina))
- Add test support for debian buster [\#234](https://github.com/dev-sec/ansible-os-hardening/pull/234) ([123Haynes](https://github.com/123Haynes))
- Changed local var name to a less common one [\#231](https://github.com/dev-sec/ansible-os-hardening/pull/231) ([rgarrigue](https://github.com/rgarrigue))
- Use ansible facts for vars [\#226](https://github.com/dev-sec/ansible-os-hardening/pull/226) ([joshuatalb](https://github.com/joshuatalb))
**Fixed bugs:**
- /etc/login.defs alters centos 7/8 default values [\#265](https://github.com/dev-sec/ansible-os-hardening/issues/265)
- Invalid Conditionals in user\_accounts.yml [\#255](https://github.com/dev-sec/ansible-os-hardening/issues/255)
- `auth-system` related files are created for non-RHEL systems \(e.g. Debian\) [\#247](https://github.com/dev-sec/ansible-os-hardening/issues/247)
- NSA website links are stale [\#227](https://github.com/dev-sec/ansible-os-hardening/issues/227)
- Running ansible on python3 throughs "TypeError: '\<=' not supported between instances of 'str' and 'int'" [\#223](https://github.com/dev-sec/ansible-os-hardening/issues/223)
- \[lots of\] deprecation warnings in Ansible 2.8 [\#221](https://github.com/dev-sec/ansible-os-hardening/issues/221)
- Add a "don't fail on error" switch ? [\#148](https://github.com/dev-sec/ansible-os-hardening/issues/148)
- Addressing issue \#255 [\#258](https://github.com/dev-sec/ansible-os-hardening/pull/258) ([ljkimmel](https://github.com/ljkimmel))
- Fix \#247, cleanup conditions [\#248](https://github.com/dev-sec/ansible-os-hardening/pull/248) ([fernandezcuesta](https://github.com/fernandezcuesta))
- Fix error on applying the sysctl vars on containers [\#243](https://github.com/dev-sec/ansible-os-hardening/pull/243) ([okupriyanov](https://github.com/okupriyanov))
- Update location of NSA RHEL 5 Guide [\#235](https://github.com/dev-sec/ansible-os-hardening/pull/235) ([jaredledvina](https://github.com/jaredledvina))
## [5.2.1](https://github.com/dev-sec/ansible-os-hardening/tree/5.2.1) (2019-06-09)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.2.0...5.2.1)
**Implemented enhancements:**
- Fix deprecation warnings in Ansible 2.8 [\#224](https://github.com/dev-sec/ansible-os-hardening/pull/224) ([Normo](https://github.com/Normo))
- add docs to find-task in minimize access. fix \#219 [\#220](https://github.com/dev-sec/ansible-os-hardening/pull/220) ([rndmh3ro](https://github.com/rndmh3ro))
**Fixed bugs:**
- `squash\_actions` deprecation warning [\#218](https://github.com/dev-sec/ansible-os-hardening/issues/218)
## [5.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/5.2.0) (2019-05-04)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.1.0...5.2.0)
**Implemented enhancements:**
- Speed up "minimize access on found files" task [\#208](https://github.com/dev-sec/ansible-os-hardening/issues/208)
- Fedora support? [\#163](https://github.com/dev-sec/ansible-os-hardening/issues/163)
- remove eol'd OS and add new [\#217](https://github.com/dev-sec/ansible-os-hardening/pull/217) ([rndmh3ro](https://github.com/rndmh3ro))
- Add note about docker under warning [\#214](https://github.com/dev-sec/ansible-os-hardening/pull/214) ([ChrisMcKee](https://github.com/ChrisMcKee))
- change minimize access tasks to speed them up [\#209](https://github.com/dev-sec/ansible-os-hardening/pull/209) ([rndmh3ro](https://github.com/rndmh3ro))
- Added fedora support [\#206](https://github.com/dev-sec/ansible-os-hardening/pull/206) ([jonaswre](https://github.com/jonaswre))
- Pass package list directly to apt and yum modules without using with\_items loop [\#200](https://github.com/dev-sec/ansible-os-hardening/pull/200) ([Normo](https://github.com/Normo))
**Fixed bugs:**
- login.defs.j2 template: ENV\_PATH is missing ':' before variable substitution [\#202](https://github.com/dev-sec/ansible-os-hardening/issues/202)
- 'sysctl\_rhel\_config' is undefined [\#167](https://github.com/dev-sec/ansible-os-hardening/issues/167)
- RHEL 7.4: Too many setuid bits removed [\#140](https://github.com/dev-sec/ansible-os-hardening/issues/140)
- Fix typo [\#212](https://github.com/dev-sec/ansible-os-hardening/pull/212) ([ruslo](https://github.com/ruslo))
- Update modprobe to 0644 [\#211](https://github.com/dev-sec/ansible-os-hardening/pull/211) ([joshuatalb](https://github.com/joshuatalb))
- Test Kitchen Vagrant Fixes [\#210](https://github.com/dev-sec/ansible-os-hardening/pull/210) ([joshuatalb](https://github.com/joshuatalb))
- \[readme\] Update documentation link [\#207](https://github.com/dev-sec/ansible-os-hardening/pull/207) ([pmav99](https://github.com/pmav99))
- fix ansible lint remarks [\#204](https://github.com/dev-sec/ansible-os-hardening/pull/204) ([rndmh3ro](https://github.com/rndmh3ro))
- add colon to user env paths - fix \#202 [\#203](https://github.com/dev-sec/ansible-os-hardening/pull/203) ([rndmh3ro](https://github.com/rndmh3ro))
- Fix errors produced by ansible-lint [\#159](https://github.com/dev-sec/ansible-os-hardening/pull/159) ([zbrojny120](https://github.com/zbrojny120))
## [5.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/5.1.0) (2018-10-17)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.0.0...5.1.0)
**Implemented enhancements:**
- add ubuntu 1804 support [\#196](https://github.com/dev-sec/ansible-os-hardening/pull/196) ([rndmh3ro](https://github.com/rndmh3ro))
- add option to disable auditd [\#192](https://github.com/dev-sec/ansible-os-hardening/pull/192) ([rndmh3ro](https://github.com/rndmh3ro))
**Fixed bugs:**
- auditd causing v5.0 to fail on unpriviledged LXC's [\#191](https://github.com/dev-sec/ansible-os-hardening/issues/191)
- Setting os\_security\_users\_allow has no effect [\#175](https://github.com/dev-sec/ansible-os-hardening/issues/175)
- add /usr/bin/su to suid\_guid whitelist [\#199](https://github.com/dev-sec/ansible-os-hardening/pull/199) ([ccolic](https://github.com/ccolic))
- ensure that permissions to su-binary are not restricted to root user and group only, if os\_security\_users\_allow contains the value change\_user [\#197](https://github.com/dev-sec/ansible-os-hardening/pull/197) ([szEvEz](https://github.com/szEvEz))
## [5.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/5.0.0) (2018-09-02)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.3.0...5.0.0)
**Implemented enhancements:**
@ -34,6 +141,7 @@
- change minimize access method [\#181](https://github.com/dev-sec/ansible-os-hardening/pull/181) ([rndmh3ro](https://github.com/rndmh3ro))
## [4.3.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.3.0) (2018-01-03)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.3.1...4.3.0)
**Implemented enhancements:**
@ -63,6 +171,7 @@
- move defaults to os-specific vars [\#157](https://github.com/dev-sec/ansible-os-hardening/pull/157) ([rndmh3ro](https://github.com/rndmh3ro))
## [4.3.1](https://github.com/dev-sec/ansible-os-hardening/tree/4.3.1) (2017-09-13)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.2.0...4.3.1)
**Fixed bugs:**
@ -70,6 +179,7 @@
- os\_security\_kernel\_enable\_sysrq is not implemented [\#115](https://github.com/dev-sec/ansible-os-hardening/issues/115)
## [4.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.2.0) (2017-08-08)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.1.0...4.2.0)
**Implemented enhancements:**
@ -93,6 +203,7 @@
- remove execshield sysctl-parameter on rhel7 [\#119](https://github.com/dev-sec/ansible-os-hardening/pull/119) ([rndmh3ro](https://github.com/rndmh3ro))
## [4.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.1.0) (2017-06-27)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.0.0...4.1.0)
**Fixed bugs:**
@ -113,6 +224,7 @@
- add more sysctl settings, allow overwriting [\#120](https://github.com/dev-sec/ansible-os-hardening/pull/120) ([rndmh3ro](https://github.com/rndmh3ro))
## [4.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.0.0) (2017-03-14)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.2.0...4.0.0)
**Implemented enhancements:**
@ -124,7 +236,6 @@
**Fixed bugs:**
- The role fails when conditionally included [\#105](https://github.com/dev-sec/ansible-os-hardening/issues/105)
- omit empty variables [\#106](https://github.com/dev-sec/ansible-os-hardening/pull/106) ([rndmh3ro](https://github.com/rndmh3ro))
**Closed issues:**
@ -139,6 +250,7 @@
- Dont refer to this role as "playbook" in the role description [\#104](https://github.com/dev-sec/ansible-os-hardening/pull/104) ([ypid](https://github.com/ypid))
## [3.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.2.0) (2016-10-24)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.1.0...3.2.0)
**Fixed bugs:**
@ -156,9 +268,11 @@
- add rhel7 pam\_pwquality. fix \#73 [\#94](https://github.com/dev-sec/ansible-os-hardening/pull/94) ([rndmh3ro](https://github.com/rndmh3ro))
## [3.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.1.0) (2016-08-03)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.1...3.1.0)
## [3.1](https://github.com/dev-sec/ansible-os-hardening/tree/3.1) (2016-07-27)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.0.0...3.1)
**Implemented enhancements:**
@ -181,7 +295,6 @@
- Permissions on /etc/shadow can lock out GUI users [\#86](https://github.com/dev-sec/ansible-os-hardening/issues/86)
- network related sysctl rewritten by ufw in ubuntu [\#82](https://github.com/dev-sec/ansible-os-hardening/issues/82)
- ansible \>= 2.0 complains: Using bare variables is deprecated [\#78](https://github.com/dev-sec/ansible-os-hardening/issues/78)
- Norm-Audit-Hardening-Audit [\#76](https://github.com/dev-sec/ansible-os-hardening/issues/76)
**Merged pull requests:**
@ -189,6 +302,7 @@
- Permits overriding permissions on /etc/shadow [\#89](https://github.com/dev-sec/ansible-os-hardening/pull/89) ([conorsch](https://github.com/conorsch))
## [3.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.0.0) (2016-03-13)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/2.0.0...3.0.0)
**Implemented enhancements:**
@ -208,7 +322,6 @@
- Updates "tags" parameters on includes in main.yml [\#66](https://github.com/dev-sec/ansible-os-hardening/pull/66) ([conorsch](https://github.com/conorsch))
- Suid set def var, fix \#64 [\#63](https://github.com/dev-sec/ansible-os-hardening/pull/63) ([rndmh3ro](https://github.com/rndmh3ro))
- ERROR! Include tasks should not specify tags in more than one way [\#60](https://github.com/dev-sec/ansible-os-hardening/pull/60) ([fitz123](https://github.com/fitz123))
**Closed issues:**
@ -221,6 +334,7 @@
- Release 3.0.0 [\#75](https://github.com/dev-sec/ansible-os-hardening/pull/75) ([rndmh3ro](https://github.com/rndmh3ro))
## [2.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/2.0.0) (2015-11-28)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/1.0.0...2.0.0)
**Closed issues:**
@ -239,6 +353,9 @@
- improved travis-tests to cover more cases [\#42](https://github.com/dev-sec/ansible-os-hardening/pull/42) ([rndmh3ro](https://github.com/rndmh3ro))
## [1.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/1.0.0) (2015-09-01)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/06d1464e95cad7ccc24734b934a158b16dfc5014...1.0.0)
**Closed issues:**
- ansible-os-hardening/tasks/minimize\_access.yml [\#38](https://github.com/dev-sec/ansible-os-hardening/issues/38)
@ -285,4 +402,4 @@
\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*
\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*


@ -11,6 +11,7 @@ group :integration do
gem 'kitchen-sync'
gem 'kitchen-transport-rsync'
gem 'kitchen-docker'
gem 'inspec', '~> 3'
end
group :tools do


@ -35,6 +35,20 @@ It will not:
If you're using inspec to test your machines after applying this role, please make sure to add the connecting user to the `os_ignore_users`-variable.
Otherwise inspec will fail. For more information, see [issue #124](https://github.com/dev-sec/ansible-os-hardening/issues/124).
If you're using Docker / Kubernetes+Docker you'll need to override the ipv4 ip forward sysctl setting.
```yaml
- hosts: localhost
roles:
- dev-sec.os-hardening
vars:
sysctl_overwrite:
# Enable IPv4 traffic forwarding.
net.ipv4.ip_forward: 1
```
## Variables
| Name | Default Value | Description |
@ -57,24 +71,27 @@ Otherwise inspec will fail. For more information, see [issue #124](https://githu
| `os_security_suid_sgid_blacklist`| [] | a list of paths which should have their SUID/SGID bits removed|
| `os_security_suid_sgid_whitelist`| [] | a list of paths which should not have their SUID/SGID bits altered|
| `os_security_suid_sgid_remove_from_unknown`| false | true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.|
| `os_security_packages_clean'`| true | removes packages with known issues. See section packages.|
| `os_security_packages_clean`| true | removes packages with known issues. See section packages.|
| `os_selinux_state` | enforcing | Set the SELinux state, can be either disabled, permissive, or enforcing. |
| `os_selinux_policy` | targeted | Set the SELinux polixy. |
| `ufw_manage_defaults` | true | true means apply all settings with `ufw_` prefix|
| `ufw_ipt_sysctl` | '' | by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example `/etc/ufw/sysctl.conf`
| `ufw_default_input_policy` | DROP | set default input policy of ufw to `DROP` |
| `ufw_default_output_policy` | ACCEPT | set default output policy of ufw to `ACCEPT` |
| `ufw_default_forward_policy` | DROP | set default forward policy of ufw to `DROP` |
| `os_auditd_enabled` | true | Set to false to disable installing and configuring auditd. |
| `os_auditd_max_log_file_action` | `keep_logs` | Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`. |
## Packages
We remove the following packages:
* xinetd ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.1)
* inetd ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.1)
* tftp-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.5)
* ypserv ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.4)
* telnet-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.2)
* rsh-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.3)
* xinetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1)
* inetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1)
* tftp-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.5)
* ypserv ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.4)
* telnet-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.2)
* rsh-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.3)
* prelink ([open-scap](https://static.open-scap.org/ssg-guides/ssg-sl7-guide-ospp-rhel7-server.html#xccdf_org.ssgproject.content_rule_disable_prelink))
## Disabled filesystems
@ -92,6 +109,14 @@ We disable the following filesystems, because they're most likely not used:
To prevent some of the filesystems from being disabled, add them to the `os_filesystem_whitelist` variable.
## Installation
Install the role with ansible-galaxy:
```
ansible-galaxy install dev-sec.os-hardening
```
## Example Playbook
```yaml
@ -115,7 +140,13 @@ So for example if you want to change the IPv4 traffic forwarding variable to `1`
net.ipv4.ip_forward: 1
```
Alternatively you can change Ansible's [hash-behaviour](https://docs.ansible.com/ansible/intro_configuration.html#hash-behaviour) to `merge`, then you only have to overwrite the single hash you need to. But please be aware that changing the hash-behaviour changes it for all your playbooks and is not recommended by Ansible.
Alternatively you can change Ansible's [hash-behaviour](https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-hash-behaviour) to `merge`, then you only have to overwrite the single hash you need to. But please be aware that changing the hash-behaviour changes it for all your playbooks and is not recommended by Ansible.
## Improving Kernel Audit logging
By default, any process that starts before the `auditd` daemon will have an AUID of `4294967295`. To improve this and provide more accurate logging, it's recommended to add the kernel boot parameter `audit=1` to you configuration. Without doing this, you will find that your `auditd` logs fail to properly audit all processes.
For more information, please see this [upstream documentation](https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html) and your system's boot loader documentation for how to configure additional kernel parameters.
## Local Testing


@ -1,74 +0,0 @@
---
- name: wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing
hosts: localhost
roles:
- ansible-os-hardening
pre_tasks:
- name: Run the equivalent of "apt-get update" as a separate step
apt:
update_cache: yes
when: ansible_os_family == 'Debian'
- name: Install firefox to get Xorg
package:
name: firefox
state: present
vars:
os_security_users_allow: change_user
os_security_kernel_enable_core_dump: false
os_security_suid_sgid_remove_from_unknown: true
os_auth_pam_passwdqc_enable: false
os_desktop_enable: true
os_env_extra_user_paths: ['/home']
os_auth_allow_homeless: true
os_security_suid_sgid_blacklist: ['/bin/umount']
os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
os_filesystem_whitelist: ['vfat']
sysctl_config:
net.ipv4.ip_forward: 0
net.ipv6.conf.all.forwarding: 0
net.ipv6.conf.all.accept_ra: 0
net.ipv6.conf.default.accept_ra: 0
net.ipv4.conf.all.rp_filter: 1
net.ipv4.conf.default.rp_filter: 1
net.ipv4.icmp_echo_ignore_broadcasts: 1
net.ipv4.icmp_ignore_bogus_error_responses: 1
net.ipv4.icmp_ratelimit: 100
net.ipv4.icmp_ratemask: 88089
net.ipv6.conf.all.disable_ipv6: 1
net.ipv4.conf.all.arp_ignore: 1
net.ipv4.conf.all.arp_announce: 2
net.ipv4.conf.all.shared_media: 1
net.ipv4.conf.default.shared_media: 1
net.ipv4.conf.all.accept_source_route: 0
net.ipv4.conf.default.accept_source_route: 0
net.ipv4.conf.default.accept_redirects: 0
net.ipv4.conf.all.accept_redirects: 0
net.ipv4.conf.all.secure_redirects: 0
net.ipv4.conf.default.secure_redirects: 0
net.ipv6.conf.default.accept_redirects: 0
net.ipv6.conf.all.accept_redirects: 0
net.ipv4.conf.all.send_redirects: 0
net.ipv4.conf.default.send_redirects: 0
net.ipv4.conf.all.log_martians: 1
net.ipv6.conf.default.router_solicitations: 0
net.ipv6.conf.default.accept_ra_rtr_pref: 0
net.ipv6.conf.default.accept_ra_pinfo: 0
net.ipv6.conf.default.accept_ra_defrtr: 0
net.ipv6.conf.default.autoconf: 0
net.ipv6.conf.default.dad_transmits: 0
net.ipv6.conf.default.max_addresses: 1
kernel.sysrq: 0
fs.suid_dumpable: 0
kernel.randomize_va_space: 2
- name: wrapper playbook for kitchen testing "ansible-os-hardening"
hosts: localhost
pre_tasks:
- name: Run the equivalent of "apt-get update" as a separate step
apt:
update_cache: yes
when: ansible_os_family == 'Debian'
roles:
- ansible-os-hardening


@ -27,7 +27,7 @@ os_security_suid_sgid_remove_from_unknown: false
# remove packages with known issues
os_security_packages_clean: true
os_security_packages_list: ['xinetd','inetd','ypserv','telnet-server','rsh-server', 'prelink']
os_security_packages_list: ['xinetd', 'inetd', 'ypserv', 'telnet-server', 'rsh-server', 'prelink']
# Allow interactive startup (rhel, centos)
os_security_init_prompt: true
@ -175,17 +175,6 @@ sysctl_config:
kernel.core_uses_pid: 1
# When an attacker is trying to exploit the local kernel, it is often
# helpful to be able to examine where in memory the kernel, modules,
# and data structures live. As such, kernel addresses should be treated
# as sensitive information.
#
# Many files and interfaces contain these addresses (e.g. /proc/kallsyms,
# /proc/modules, etc), and this setting can censor the addresses. A value
# of "0" allows all users to see the kernel addresses. A value of "1"
# limits visibility to the root user, and "2" blocks even the root user.
kernel.kptr_restrict: 1
# The PTRACE system is used for debugging. With it, a single user process
# can attach to any other dumpable process owned by the same user. In the
# case of malicious software, it is possible to use PTRACE to access
@ -226,6 +215,33 @@ sysctl_config:
fs.protected_hardlinks: 1
fs.protected_symlinks: 1
# These settings are set to the maximum supported value in order to
# improve ASLR effectiveness for mmap, at the cost of increased
# address-space fragmentation. | Tail-1
vm.mmap_rnd_bits: 32
vm.mmap_rnd_compat_bits: 16
# When an attacker is trying to exploit the local kernel, it is often
# helpful to be able to examine where in memory the kernel, modules,
# and data structures live. As such, kernel addresses should be treated
# as sensitive information.
#
# Many files and interfaces contain these addresses (e.g. /proc/kallsyms,
# /proc/modules, etc), and this setting can censor the addresses. A value
# of "0" allows all users to see the kernel addresses. A value of "1"
# limits visibility to the root user, and "2" blocks even the root user.
#
# Some off-the-shelf malware exploit kernel addresses exposed
# via /proc/kallsyms so by not making these addresses easily available
# we increase the cost of such attack some what; now such malware has
# to check which kernel Tails is running and then fetch the corresponding
# kernel address map from some external source. This is not hard,
# but certainly not all malware has such functionality. | Tails-2
kernel.kptr_restrict: 2
# kexec is dangerous: it enables replacement of the running kernel. | Tails-3
kernel.kexec_load_disabled: 1
# Do not delete the following line or otherwise the playbook will fail
# at task 'create a combined sysctl-dict if overwrites are defined'
sysctl_overwrite:
@ -240,6 +256,12 @@ os_unused_filesystems:
- "squashfs"
- "udf"
- "vfat"
# Obsolete network protocols that should be disabled
# per CIS Oracle Linux 6 Benchmark (2016)
- "tipc" # CIS 3.5.4
- "sctp" # CIS 3.5.2
- "dccp" # CIS 3.5.1
- "rds" # CIS 3.5.3
# whitelist for used filesystems
os_filesystem_whitelist: []
@ -250,3 +272,9 @@ os_hardening_enabled: true
# Set to false to disable installing and configuring auditd.
os_auditd_enabled: true
os_auditd_max_log_file_action: keep_logs
# Set the SELinux state, can be either disabled, permissive, or enforcing.
os_selinux_state: enforcing
# Set the SELinux polixy.
os_selinux_policy: targeted
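Review bot: `kernel.kexec_load_disabled: 1` in the hunk at @@ -226 is a one-way sysctl — once the kernel has accepted 1 it refuses to set it back to 0 until the next reboot — so dropping the key or overriding it through `sysctl_overwrite` later does not undo it, and a comment next to the key would spare the next operator the surprise: `# one-way latch: cannot be cleared again without a reboot`. The same hunk sets `vm.mmap_rnd_bits: 32`, which is the x86_64 ceiling; on architectures whose compile-time maximum is lower the write is rejected, and because the sysctl task in tasks/sysctl.yml runs with `ignoreerrors: yes` that rejection may not show up in the play output, so a per-architecture override or at least a comment naming the assumption seems worth it. The source tag `| Tail-1` on the first new comment is inconsistent with `| Tails-2` and `| Tails-3` below it.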


@ -0,0 +1,3 @@
---
- name: update-initramfs
command: 'update-initramfs -u'
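Review bot: `update-initramfs -u` without `-k all` regenerates only the initramfs of the default (newest) kernel, so on a host that keeps older kernels installed and bootable those images keep the previous module list; if the point of the rebuild (notified from tasks/sysctl.yml when runtime module loading is disabled) is that every bootable kernel carries the starting set of modules, `command: 'update-initramfs -u -k all'` is the safer form. Since a handler runs at the end of the play rather than right after the notifying task, a one-line comment naming that task, e.g. `# notified by the initramfs template task in sysctl.yml`, would help whoever reads this file on its own.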


@ -1 +1,2 @@
{install_date: 'Mon Dec 17 12:48:33 2018', version: 5.1.0}
install_date: Fri May 15 20:29:23 2020
version: 6.0.1


@ -1,7 +1,7 @@
---
galaxy_info:
author: "Sebastian Gumprich"
description: 'This Ansible role provides numerous security-related configurations, providing all-round base protection.'
description: 'This role provides numerous security-related configurations, providing all-round base protection.'
company: Hardening Framework Team
license: Apache License 2.0
min_ansible_version: '2.5'
@ -10,17 +10,18 @@ galaxy_info:
versions:
- 6
- 7
- 8
- name: Ubuntu
versions:
- precise
- trusty
- xenial
- bionic
- name: Debian
versions:
- wheezy
- jessie
- stretch
- buster
- name: Amazon
- name: Fedora
- name: openSUSE
galaxy_tags:
- system
- security


@ -1,8 +1,6 @@
---
- name: remove deprecated or insecure packages | package-01 - package-09
apt:
name: '{{ item }}'
name: '{{ os_security_packages_list }}'
state: 'absent'
with_items:
- '{{ os_security_packages_list }}'
when: 'os_security_packages_clean'
when: os_security_packages_clean | bool


@ -1,12 +0,0 @@
- name: find directories for minimizing access
find:
paths: '{{ outer_item }}'
recurse: yes
register: minimize_access_directories
- name: minimize access on found files
file:
path: '{{ item.path }}'
mode: 'go-w'
state: file
with_items: '{{ minimize_access_directories.files }}'


@ -1,21 +1,21 @@
---
- name: Set OS family dependent variables
include_vars: '{{ ansible_os_family }}.yml'
include_vars: '{{ ansible_facts.os_family }}.yml'
tags: always
- name: Set OS dependent variables
include_vars: '{{ item }}'
with_first_found:
- files:
- '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml'
- '{{ ansible_distribution }}.yml'
- '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml'
- '{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_major_version }}.yml'
- '{{ ansible_facts.distribution }}.yml'
- '{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml'
skip: true
tags: always
- import_tasks: auditd.yml
tags: auditd
when: os_auditd_enabled
when: os_auditd_enabled | bool
- import_tasks: limits.yml
tags: limits
@ -39,7 +39,7 @@
tags: securetty
- import_tasks: suid_sgid.yml
when: os_security_suid_sgid_enforce
when: os_security_suid_sgid_enforce | bool
tags: suid_sgid
- import_tasks: sysctl.yml
@ -52,9 +52,14 @@
tags: rhosts
- import_tasks: yum.yml
when: ansible_os_family == 'RedHat'
when: ansible_facts.os_family == 'RedHat'
tags: yum
- import_tasks: apt.yml
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
when: ansible_facts.distribution == 'Debian' or ansible_facts.distribution == 'Ubuntu'
tags: apt
- import_tasks: selinux.yml
tags: selinux
when:
- ansible_facts.selinux.status == 'enabled'


@ -9,14 +9,14 @@
mode: '0755'
state: 'directory'
- name: create aditional limits config file -> 10.hardcore.conf | sysctl-31a, sysctl-31b
- name: create additional limits config file -> 10.hardcore.conf | sysctl-31a, sysctl-31b
pam_limits:
dest: '/etc/security/limits.d/10.hardcore.conf'
domain: '*'
limit_type: hard
limit_item: core
value: 0
comment: Prevent core dumps for all users. These are usually only needed by developers and may contain sensitive information
value: '0'
comment: Prevent core dumps for all users. These are usually not needed and may contain sensitive information
- name: set 10.hardcore.conf perms to 0400 and root ownership
file:
@ -25,10 +25,10 @@
group: 'root'
mode: '0440'
when: 'not os_security_kernel_enable_core_dump'
when: not os_security_kernel_enable_core_dump | bool
- name: remove 10.hardcore.conf config file
file:
path: /etc/security/limits.d/10.hardcore.conf
state: absent
when: 'os_security_kernel_enable_core_dump'
when: os_security_kernel_enable_core_dump | bool


@ -6,4 +6,3 @@
owner: 'root'
group: 'root'
mode: '0444'


@ -1,4 +1,4 @@
---
- include_tasks: hardening.yml
when: os_hardening_enabled
- import_tasks: hardening.yml
when: os_hardening_enabled | bool


@ -1,16 +1,31 @@
---
# Using a two-pass approach for checking directories in order to support symlinks.
- include_tasks: find_files.yml
loop_control:
loop_var: outer_item
loop:
# If the find-task throws an error on /usr/bin/X11 like "File system loop detected"
# the other files inside /usr/bin (and all other directories) are
# still getting found and the permissions minimized in the next task.
# This is also the reason why there's ignore_errors: true on the task.
# also see: https://github.com/dev-sec/ansible-os-hardening/issues/219
- name: find files with write-permissions for group
shell: "find -L {{ item }} -perm /go+w -type f" # noqa 305
with_flattened:
- '/usr/local/sbin'
- '/usr/local/bin'
- '/usr/sbin'
- '/usr/bin'
- '/sbin'
- '/bin'
- '{{ os_env_extra_user_paths }}'
- "{{ os_env_extra_user_paths }}" # noqa 104
register: minimize_access_directories
ignore_errors: true
changed_when: false
- name: minimize access on found files
file:
path: '{{ item.1 }}'
mode: 'go-w'
state: file
with_subelements:
- "{{ minimize_access_directories.results }}"
- stdout_lines
- name: change shadow ownership to root and mode to 0600 | os-02
file:
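Review bot: `shell: "find -L {{ item }} -perm /go+w -type f"` interpolates each path unquoted into a shell command line, and the last loop entry is `os_env_extra_user_paths`, which comes from the inventory or extra vars; a path containing whitespace or shell metacharacters is split or interpreted instead of searched, so `shell: "find -L {{ item | quote }} -perm /go+w -type f"` is the safer form. Because `-L` dereferences symlinks, a link inside one of these directories that points elsewhere is reported, and the following `file` task (which follows symlinks by default) then strips `go-w` from that target outside the listed trees; if that is intended it deserves a comment, otherwise dropping `-L` keeps the change within the directories named here. `ignore_errors: true` also hides every failure of the `find` step, not only the file-system-loop case the comment above describes, so a missing entry in `os_env_extra_user_paths` goes unnoticed; if that matters, narrowing the condition with `failed_when` on the return code is the usual remedy.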


@ -1,7 +1,7 @@
---
- name: install modprobe to disable filesystems | os-10
package:
name: '{{modprobe_package}}'
name: '{{ modprobe_package }}'
state: 'present'
- name: check if efi is installed
@ -20,5 +20,4 @@
dest: '/etc/modprobe.d/dev-sec.conf'
owner: 'root'
group: 'root'
mode: '0640'
mode: '0644'
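Review bot: the mode of `/etc/modprobe.d/dev-sec.conf` is relaxed from `0640` to `0644` without a stated reason, and in a hardening role every loosened permission should carry one; modprobe runs as root, so `0640` was sufficient for its purpose. If the motivation is to match how the distributions ship their own modprobe.d files, say so inline: `mode: '0644'  # world-readable, matching distribution-provided modprobe.d files`. The `{{ modprobe_package }}` whitespace fix in the first hunk is fine.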


@ -1,7 +1,7 @@
---
- name: update pam on Debian systems
command: 'pam-auth-update --package'
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
when: ansible_facts.distribution in ['Debian', 'Ubuntu']
changed_when: False
environment:
DEBIAN_FRONTEND: noninteractive
@ -19,14 +19,18 @@
apt:
name: '{{ os_packages_pam_cracklib }}'
state: 'absent'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- os_auth_pam_passwdqc_enable
- name: install the package for strong password checking
apt:
name: '{{ os_packages_pam_passwdqc }}'
state: 'present'
update_cache: 'yes'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- os_auth_pam_passwdqc_enable
- name: configure passwdqc
template:
@ -35,19 +39,26 @@
mode: '0644'
owner: 'root'
group: 'root'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- os_auth_pam_passwdqc_enable
- name: remove passwdqc
apt:
name: '{{ os_packages_pam_passwdqc }}'
state: 'absent'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable
when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- not os_auth_pam_passwdqc_enable
- name: install tally2
apt:
name: 'libpam-modules'
state: 'present'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0
when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- not os_auth_pam_passwdqc_enable
- os_auth_retries > 0
- name: configure tally2
template:
@ -56,31 +67,47 @@
mode: '0644'
owner: 'root'
group: 'root'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0
when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- not os_auth_pam_passwdqc_enable
- os_auth_retries > 0
- name: delete tally2 when retries is 0
file:
path: '{{ tally2_path }}'
state: 'absent'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries == 0
when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- not os_auth_pam_passwdqc_enable
- os_auth_retries == 0
- name: remove pam_cracklib, because it does not play nice with passwdqc
yum:
name: '{{ os_packages_pam_cracklib }}'
state: 'absent'
when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable
when:
- ansible_facts.os_family == 'RedHat'
- ansible_facts.distribution_major_version|int is version('7', '<')
- ansible_facts.distribution != 'Amazon'
- os_auth_pam_passwdqc_enable
- name: install the package for strong password checking
yum:
name: '{{ os_packages_pam_passwdqc }}'
state: 'present'
when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable
when:
- ansible_facts.os_family == 'RedHat'
- ansible_facts.distribution_major_version|int is version('7', '<')
- ansible_facts.distribution != 'Amazon'
- os_auth_pam_passwdqc_enable
- name: remove passwdqc
yum:
name: '{{ os_packages_pam_passwdqc }}'
state: 'absent'
when: ansible_os_family == 'RedHat' and not os_auth_pam_passwdqc_enable
when:
- ansible_facts.os_family == 'RedHat'
- not os_auth_pam_passwdqc_enable
- name: configure passwdqc and tally via central system-auth confic
template:
@ -89,11 +116,17 @@
mode: '0640'
owner: 'root'
group: 'root'
when: ansible_facts.os_family == 'RedHat'
- name: Gather package facts
package_facts:
manager: auto
- name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
template:
src: 'etc/rhel_libuser.conf.j2'
src: 'etc/libuser.conf.j2'
dest: '/etc/libuser.conf'
mode: '0640'
owner: 'root'
group: 'root'
when: "'libuser' in ansible_facts.packages"


@ -6,10 +6,10 @@
owner: 'root'
group: 'root'
mode: '0750'
when: not os_security_kernel_enable_core_dump
when: not os_security_kernel_enable_core_dump | bool
- name: remove pinerolo_profile.sh from profile.d
file:
path: /etc/profile.d/pinerolo_profile.sh
state: absent
when: os_security_kernel_enable_core_dump
when: os_security_kernel_enable_core_dump | bool


@ -3,13 +3,13 @@
command: "awk -F: '{print $1}' /etc/passwd"
changed_when: False
check_mode: False
register: users
register: users_accounts
- name: delete rhosts-files from system | os-09
file:
dest: '~{{ item }}/.rhosts'
state: 'absent'
with_flattened: '{{ users.stdout_lines | default([]) }}'
with_flattened: '{{ users_accounts.stdout_lines | default([]) }}'
- name: delete hosts.equiv from system | os-01
file:
@ -20,4 +20,4 @@
file:
dest: '~{{ item }}/.netrc'
state: 'absent'
with_flattened: '{{ users.stdout_lines | default([]) }}'
with_flattened: '{{ users_accounts.stdout_lines | default([]) }}'


@ -0,0 +1,5 @@
---
- name: configure selinux | selinux-01
selinux:
policy: "{{ os_selinux_policy }}"
state: "{{ os_selinux_state }}"
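Review bot: combined with the new default `os_selinux_state: enforcing` in defaults/main.yml and the `ansible_facts.selinux.status == 'enabled'` gate in tasks/main.yml, this task switches every host that currently runs SELinux in permissive mode to enforcing on the first run, both at runtime and in `/etc/selinux/config`, which can stop services that were never labelled or policied for it; that deserves a comment on the task, e.g. `# Applies at runtime and in /etc/selinux/config: permissive hosts become enforcing`, and a mention in the README variable table. The `selinux` module also needs the libselinux Python bindings on the target, so on an SELinux-enabled host without them the task fails rather than skips — a preceding `package` task or a note in the README would prevent that surprise.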


@ -13,13 +13,13 @@
- name: find binaries with suid/sgid set | os-06
shell: find / -xdev \( -perm -4000 -o -perm -2000 \) -type f ! -path '/proc/*' -print 2>/dev/null
register: sbit_binaries
when: os_security_suid_sgid_remove_from_unknown
when: os_security_suid_sgid_remove_from_unknown | bool
changed_when: False
- name: gather files from which to remove suids/sgids and remove system white-listed files | os-06
set_fact:
suid: '{{ sbit_binaries.stdout_lines | difference(os_security_suid_sgid_system_whitelist) }}'
when: os_security_suid_sgid_remove_from_unknown
when: os_security_suid_sgid_remove_from_unknown | bool
- name: remove suid/sgid bit from all binaries except in system and user whitelist | os-06
file:
@ -29,4 +29,4 @@
follow: 'yes'
with_flattened:
- '{{ suid | default([]) | difference(os_security_suid_sgid_whitelist) }}'
when: os_security_suid_sgid_remove_from_unknown
when: os_security_suid_sgid_remove_from_unknown | bool


@ -13,14 +13,15 @@
owner: 'root'
group: 'root'
mode: '0544'
when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS' or ansible_distribution == 'Amazon'
when: ansible_facts.distribution == 'RedHat' or ansible_facts.distribution == 'Fedora' or
ansible_facts.distribution == 'CentOS' or ansible_facts.distribution == 'Amazon'
- name: install initramfs-tools
apt:
name: 'initramfs-tools'
state: 'present'
update_cache: true
when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading
when: ansible_facts.os_family == 'Debian' and os_security_kernel_enable_module_loading
- name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled
template:
@ -29,41 +30,44 @@
owner: 'root'
group: 'root'
mode: '0440'
when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading
notify:
- update-initramfs
when: ansible_facts.os_family == 'Debian' and os_security_kernel_enable_module_loading
register: initramfs
- name: update-initramfs
command: 'update-initramfs -u'
when: initramfs.changed
- name: change sysctls
block:
- name: create a combined sysctl-dict if overwrites are defined
set_fact:
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
when: sysctl_overwrite | default()
- name: create a combined sysctl-dict if overwrites are defined
set_fact:
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
when: sysctl_overwrite | default()
- name: Change various sysctl-settings, look at the sysctl-vars file for documentation
sysctl:
name: '{{ item.key }}'
value: '{{ item.value }}'
sysctl_set: yes
state: present
reload: yes
ignoreerrors: yes
with_dict: '{{ sysctl_config }}'
- name: Change various sysctl-settings, look at the sysctl-vars file for documentation
sysctl:
name: '{{ item.key }}'
value: '{{ item.value }}'
sysctl_set: yes
state: present
reload: yes
ignoreerrors: yes
with_dict: '{{ sysctl_config }}'
- name: Change various sysctl-settings on rhel6-hosts or older, look at the sysctl-vars file for documentation
sysctl:
name: '{{ item.key }}'
value: '{{ item.value }}'
state: present
reload: yes
ignoreerrors: yes
with_dict: '{{ sysctl_rhel_config }}'
when: ((ansible_facts.distribution == 'RedHat' or ansible_facts.distribution == 'Fedora' or ansible_facts.distribution == 'CentOS') and
ansible_distribution_version|int is version('7', '<')) or ansible_facts.distribution == 'Amazon'
- name: Change various sysctl-settings on rhel6-hosts or older, look at the sysctl-vars file for documentation
sysctl:
name: '{{ item.key }}'
value: '{{ item.value }}'
state: present
reload: yes
ignoreerrors: yes
with_dict: '{{ sysctl_rhel_config }}'
when: ((ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS') and ansible_distribution_major_version < '7') or ansible_distribution == 'Amazon'
when: ansible_virtualization_type not in ['docker', 'openvz', 'lxc']
- name: Apply ufw defaults
template:
src: 'etc/default/ufw.j2'
dest: '/etc/default/ufw'
when: ufw_manage_defaults and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')
when: ufw_manage_defaults and (ansible_facts.distribution == 'Debian' or ansible_facts.distribution == 'Ubuntu')
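Review bot: the condition on the rhel6 sysctl task, `ansible_distribution_version|int is version('7', '<')`, is the one place in this file's new code that still uses a legacy top-level fact, and `|int` on a value such as `7.8` only yields 7 because Jinja's int filter falls back to `int(float(...))`; tasks/pam.yml in this same commit already uses `ansible_facts.distribution_major_version|int is version('7', '<')`, and the same form here keeps the role consistent and free of that fallback. Replacing the inline `register`/`when: initramfs.changed` pair with `notify: - update-initramfs` is the right shape, but it moves the initramfs rebuild to the end of the play, so anything later in the same run that expected the refreshed image now sees the old one; a short comment on the template task stating that the rebuild is deferred would make that explicit. The unchanged `when: ansible_virtualization_type not in [...]` at the bottom of the block is another legacy-form fact left behind.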
tags: ufw


@ -10,17 +10,19 @@
- name: calculate UID_MAX from UID_MIN by substracting 1
set_fact:
uid_max: '{{ uid_min.stdout | int - 1 }}'
when: uid_min is defined
when: uid_min.stdout|int > 0
- name: set UID_MAX on Debian-systems if no login.defs exist
set_fact:
uid_max: '999'
when: ansible_os_family == 'Debian' and not uid_min
when:
- ansible_facts.os_family == 'Debian'
- uid_max is not defined
- name: set UID_MAX on other systems if no login.defs exist
set_fact:
uid_max: '499'
when: not uid_min
when: uid_max is not defined
- name: get all system accounts
command: awk -F'':'' '{ if ( $3 <= {{ uid_max|quote }} ) print $1}' /etc/passwd
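Review bot: `when: uid_min.stdout|int > 0` assumes that the task registering `uid_min` (outside this hunk) always ran; the previous `uid_min is defined` guard tolerated a skipped registration, whereas the new expression raises an undefined-attribute error on a skipped result, which has no `stdout`. An empty `stdout` now correctly yields 0 and falls through to the `uid_max is not defined` defaults, so the logic is otherwise sound. If that earlier task can be skipped, `when: (uid_min.stdout | default('')) | int > 0` keeps the old tolerance.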


@ -7,41 +7,35 @@
- 'CentOS-Debuginfo'
- 'CentOS-Media'
- 'CentOS-Vault'
when: os_security_packages_clean
when: os_security_packages_clean | bool
- name: get yum-repository-files
shell: 'find /etc/yum.repos.d/ -type f -name *.repo'
changed_when: False
register: yum_repos
- name: check if rhnplugin.conf exists
stat:
path: '/etc/yum/pluginconf.d/rhnplugin.conf'
register: rhnplugin_file
# for the 'default([])' see here:
# https://github.com/dev-sec/ansible-os-hardening/issues/99 and
# https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause
- name: activate gpg-check for yum-repos
#
# failed_when is needed because by default replace module will fail if the file doesn't exists.
# status.rc is only defined if an error accrued and only error code (rc) 257 will be ignored.
# All other errors will still be raised.
- name: activate gpg-check for config files
replace:
dest: '{{ item }}'
regexp: '^\s*gpgcheck: 0'
replace: 'gpgcheck: 1'
register: status
failed_when: status.rc is defined and status.rc != 257
with_flattened:
- '/etc/yum.conf'
- '{{ yum_repos.stdout_lines| default([]) }}'
- name: activate gpg-check for yum rhn if it exists
replace:
dest: '/etc/yum/pluginconf.d/rhnplugin.conf'
regexp: '^\s*gpgcheck: 0'
replace: 'gpgcheck: 1'
when: rhnplugin_file.stat.exists
- '/etc/dnf/dnf.conf'
- '{{ yum_repos.stdout_lines| default([]) }}' # noqa 104
- '/etc/yum/pluginconf.d/rhnplugin.conf'
- name: remove deprecated or insecure packages | package-01 - package-09
yum:
name: '{{ item }}'
name: '{{ os_security_packages_list }}'
state: 'absent'
with_items:
- '{{ os_security_packages_list }}'
when: os_security_packages_clean
when: os_security_packages_clean | bool
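Review bot: the rewritten `activate gpg-check for config files` task still matches `regexp: '^\s*gpgcheck: 0'`, but yum.conf, dnf.conf and `.repo` files are INI-style and write the option as `gpgcheck=0`, so unless a colon form I am not aware of is in use the replace never matches and signature checking stays off wherever it was disabled; I would expect `regexp: '^\s*gpgcheck\s*=\s*0'` with `replace: 'gpgcheck=1'`, verified against a real repo file. The `failed_when: status.rc is defined and status.rc != 257` guard depends on the replace module reporting rc 257 for a missing path, which matches the comment above it, so the form is acceptable; the comment could additionally say that 257 is the module's own code, not a shell exit status. On the unchanged line above, `find ... -name *.repo` leaves the glob unquoted for the shell, so `-name '*.repo'` is the safer spelling.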


@ -1,3 +1,5 @@
{{ ansible_managed | comment }}
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
@ -10,7 +12,7 @@ dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6
max_log_file_action = keep_logs
max_log_file_action = {{ os_auditd_max_log_file_action }}
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root


@ -1,4 +1,5 @@
# {{ ansible_managed | comment }}
{{ ansible_managed | comment }}
# /etc/default/ufw
#


@ -1,4 +1,5 @@
# {{ ansible_managed | comment }}
{{ ansible_managed | comment }}
# This file contains the names of kernel modules that should be loaded at boot time, one per line. Lines beginning with "#" are ignored.
#
# A list of all available kernel modules kann be found with `find /lib/modules/$(uname -r)/kernel/`
@ -10,7 +11,7 @@
#
# Modules for certains builds, contains support modules and some CPU-specific optimizations.
{% if ansible_architecture == 'x86_64' %}
{% if ansible_facts.architecture == 'x86_64' %}
# Optimize for x86_64 cryptographic features
twofish-x86_64-3way
twofish-x86_64
@ -19,7 +20,7 @@ salsa20-x86_64
blowfish-x86_64
{% endif %}
{% if 'amd' in ansible_processor %}
{% if 'amd' in ansible_facts.processor %}
# AMD-specific optimizations
kvm-amd
{% else %}
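Review bot: `{% if 'amd' in ansible_facts.processor %}` is a list-membership test — `ansible_facts.processor` is a list of strings such as `AuthenticAMD` or the model name — so it only holds when an element equals `amd` exactly, and on the hosts I have seen the AMD branch is therefore never taken; `{% if 'AuthenticAMD' in ansible_facts.processor %}` or `{% if ansible_facts.processor | join(' ') | lower is search('amd') %}` tests what the comment intends. The commit only moved the fact under `ansible_facts`, so this is pre-existing logic, but it is worth fixing while the line is touched.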


@ -1,6 +1,6 @@
# See libuser.conf(5) for more information.
{{ ansible_managed | comment }}
# {{ ansible_managed | comment }}
# See libuser.conf(5) for more information.
# Do not modify the default module list if you care about unattended calls
# to programs (i.e., scripts) working!


@ -1,4 +1,5 @@
# {{ ansible_managed | comment }}
{{ ansible_managed | comment }}
# Configuration control definitions for the login package.
#
# Three items must be defined: `MAIL_DIR`, `ENV_SUPATH`, and `ENV_PATH`. If unspecified, some arbitrary (and possibly incorrect) value will be assumed. All other items are optional - if not specified then the described action or option will be inhibited.
@ -7,6 +8,7 @@
#
#-- Modified for Linux. --marekm
{% if os_useradd_mail_dir is defined %}
# *REQUIRED for useradd/userdel/usermod*
#
# Directory where mailboxes reside, _or_ name of file, relative to the home directory. If you _do_ define `MAIL_DIR` and `MAIL_FILE`, `MAIL_DIR` takes precedence.
@ -19,136 +21,141 @@
#
# See default PAM configuration files provided for login, su, etc.
# This is a temporary situation: setting these variables will soon move to `/etc/default/useradd` and the variables will then be no more supported
MAIL_DIR /var/mail
#MAIL_FILE .mail
MAIL_DIR {{ os_useradd_mail_dir }}
{% endif %}
{% if os_useradd_create_home is defined %}
# If useradd should create home directories for users by default
CREATE_HOME {{ 'yes' if os_useradd_create_home else 'no' }}
{% endif %}
# Enable logging and display of `/var/log/faillog` login failure info. This option conflicts with the `pam_tally` PAM module.
FAILLOG_ENAB yes
FAILLOG_ENAB yes
# Enable display of unknown usernames when login failures are recorded.
#
# *WARNING*: Unknown usernames may become world readable. See #290803 and #298773 for details about how this could become a security concern
LOG_UNKFAIL_ENAB no
LOG_UNKFAIL_ENAB no
# Enable logging of successful logins
LOG_OK_LOGINS yes
LOG_OK_LOGINS yes
# Enable "syslog" logging of su activity - in addition to sulog file logging.
SYSLOG_SU_ENAB yes
SYSLOG_SU_ENAB yes
# Enable "syslog" logging of newgrp and sg.
SYSLOG_SG_ENAB yes
SYSLOG_SG_ENAB yes
# If defined, all su activity is logged to this file.
#SULOG_FILE /var/log/sulog
#SULOG_FILE /var/log/sulog
# If defined, file which maps tty line to `TERM` environment parameter. Each line of the file is in a format something like "vt100 tty01".
#TTYTYPE_FILE /etc/ttytype
#TTYTYPE_FILE /etc/ttytype
# If defined, login failures will be logged here in a utmp format last, when invoked as lastb, will read `/var/log/btmp`, so...
FTMP_FILE /var/log/btmp
FTMP_FILE /var/log/btmp
# If defined, the command name to display when running "su -". For # example, if this is defined as "su" then a "ps" will display the command is "-su". If not defined, then "ps" would display the name of the shell actually being run, e.g. something like "-sh".
SU_NAME su
SU_NAME su
# If defined, file which inhibits all the usual chatter during the login sequence. If a full pathname, then hushed mode will be enabled if the user's name or shell are found in the file. If not a full pathname, then hushed mode will be enabled if the file exists in the user's home directory.
#HUSHLOGIN_FILE /etc/hushlogins
HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
HUSHLOGIN_FILE .hushlogin
# *REQUIRED*: The default PATH settings, for superuser and normal users. (they are minimal, add the rest in the shell startup files)
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin{{ os_env_extra_user_paths| join (':') }}
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:{{ os_env_extra_user_paths | join (':') }}
# Terminal permissions
# --------------------
# Login tty will be assigned this group ownership.
# If you have a "write" program which is "setgid" to a special group which owns the terminals, define `TTYGROUP` to the group number and `TTYPERM` to `0620`. Otherwise leave `TTYGROUP` commented out and assign `TTYPERM` to either `622` or `600`.
TTYGROUP tty
TTYGROUP tty
# Login tty will be set to this permission.
# In Debian `/usr/bin/bsd-write` or similar programs are setgid tty. However, the default and recommended value for `TTYPERM` is still `0600` to not allow anyone to write to anyone else console or terminal
# Users can still allow other people to write them by issuing the `mesg y` command.
TTYPERM 0600
TTYPERM 0600
# Login conf initializations
# --------------------------
# Terminal ERASE character ('\010' = backspace). Only used on System V.
ERASECHAR 0177
ERASECHAR 0177
# Terminal KILL character ('\025' = CTRL/U). Only used on System V.
KILLCHAR 025
KILLCHAR 025
# The default umask value for `pam_umask` and is used by useradd and newusers to set the mode of the new home directories.
# If `USERGROUPS_ENAB` is set to `yes`, that will modify this `UMASK` default value for private user groups, i. e. the uid is the same as gid, and username is the same as the primary group name: for these, the user permissions will be used as group permissions, e. g. `022` will become `002`.
# Prefix these values with `0` to get octal, `0x` to get hexadecimal.
# `022` is the "historical" value in Debian for UMASK
# `027`, or even `077`, could be considered better for privacy.
UMASK {{ os_env_umask }}
UMASK {{ os_env_umask }}
# Enable setting of the umask group bits to be the same as owner bits (examples: `022` -> `002`, `077` -> `007`) for non-root users, if the uid is the same as gid, and username is the same as the primary group name.
# If set to yes, userdel will remove the user´s group if it contains no more members, and useradd will create by default a group with the name of the user.
USERGROUPS_ENAB yes
USERGROUPS_ENAB yes
# Password aging controls
# -----------------------
# Maximum number of days a password may be used.
PASS_MAX_DAYS {{ os_auth_pw_max_age }}
PASS_MAX_DAYS {{ os_auth_pw_max_age }}
# Minimum number of days allowed between password changes.
PASS_MIN_DAYS {{ os_auth_pw_min_age }}
PASS_MIN_DAYS {{ os_auth_pw_min_age }}
# Number of days warning given before a password expires.
PASS_WARN_AGE 7
PASS_WARN_AGE 7
# Min/max values for automatic uid selection in useradd
UID_MIN {{ os_auth_uid_min }}
UID_MAX 60000
UID_MIN {{ os_auth_uid_min }}
UID_MAX 60000
# System accounts
SYS_UID_MIN {{ os_auth_sys_uid_min }}
SYS_UID_MAX {{ os_auth_sys_uid_max }}
SYS_UID_MIN {{ os_auth_sys_uid_min }}
SYS_UID_MAX {{ os_auth_sys_uid_max }}
# Min/max values for automatic gid selection in groupadd
GID_MIN {{ os_auth_gid_min }}
GID_MAX 60000
GID_MIN {{ os_auth_gid_min }}
GID_MAX 60000
# System accounts
SYS_GID_MIN {{ os_auth_sys_gid_min }}
SYS_GID_MAX {{ os_auth_sys_gid_max }}
SYS_GID_MIN {{ os_auth_sys_gid_min }}
SYS_GID_MAX {{ os_auth_sys_gid_max }}
# Max number of login retries if password is bad. This will most likely be overriden by PAM, since the default pam_unix module has it's own built in of 3 retries. However, this is a safe fallback in case you are using an authentication module that does not enforce PAM_MAXTRIES.
LOGIN_RETRIES {{ os_auth_retries }}
LOGIN_RETRIES {{ os_auth_retries }}
# Max time in seconds for login
LOGIN_TIMEOUT {{ os_auth_timeout }}
LOGIN_TIMEOUT {{ os_auth_timeout }}
# Which fields may be changed by regular users using chfn - use any combination of letters "frwh" (full name, room number, work phone, home phone). If not defined, no changes are allowed.
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
{% if os_chfn_restrict %}
CHFN_RESTRICT {{ os_chfn_restrict }}
CHFN_RESTRICT {{ os_chfn_restrict }}
{% endif %}
# Should login be allowed if we can't cd to the home directory?
DEFAULT_HOME {{ 'yes' if os_auth_allow_homeless else 'no' }}
DEFAULT_HOME {{ 'yes' if os_auth_allow_homeless else 'no' }}
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#USERDEL_CMD /usr/sbin/userdel_local
#USERDEL_CMD /usr/sbin/userdel_local
# Instead of the real user shell, the program specified by this parameter will be launched, although its visible name (`argv[0]`) will be the shell's. The program may do whatever it wants (logging, additional authentification, banner, ...) before running the actual shell.
#FAKE_SHELL /bin/fakeshell
#FAKE_SHELL /bin/fakeshell
# If defined, either full pathname of a file containing device names or a ":" delimited list of device names. Root logins will be allowed only upon these devices.
# This variable is used by login and su.
#CONSOLE /etc/consoles
#CONSOLE console:tty01:tty02:tty03:tty04
#CONSOLE /etc/consoles
#CONSOLE console:tty01:tty02:tty03:tty04
# List of groups to add to the user's supplementary group set when logging in on the console (as determined by the `CONSOLE` setting). Default is none.
# Use with caution - it is possible for users to gain permanent access to these groups, even when not logged in on the console. How to do it is left as an exercise for the reader...
# This variable is used by login and su.
#CONSOLE_GROUPS floppy:audio:cdrom
#CONSOLE_GROUPS floppy:audio:cdrom
# If set to `MD5`, MD5-based algorithm will be used for encrypting password
# If set to `SHA256`, SHA256-based algorithm will be used for encrypting password
@ -158,15 +165,15 @@ DEFAULT_HOME {{ 'yes' if os_auth_allow_homeless else 'no' }}
#
# Note: It is recommended to use a value consistent with
# the PAM modules configuration.
MD5_CRYPT_ENAB no
ENCRYPT_METHOD SHA512
MD5_CRYPT_ENAB no
ENCRYPT_METHOD SHA512
# Only used if `ENCRYPT_METHOD` is set to `SHA256` or `SHA512`: Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute forcing the password. But note also that it more CPU resources will be needed to authenticate users.
# If not specified, the libc will choose the default number of rounds (5000). The values must be inside the 1000-999999999 range. If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
#SHA_CRYPT_MIN_ROUNDS 5000
#SHA_CRYPT_MAX_ROUNDS 5000
#SHA_CRYPT_MIN_ROUNDS 5000
#SHA_CRYPT_MAX_ROUNDS 5000
# Obsoleted by PAM
@ -207,5 +214,3 @@ ENCRYPT_METHOD SHA512
# This variable is deprecated. You should use ENCRYPT_METHOD.
#
#MD5_CRYPT_ENAB no
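Review bot: The new `ENV_PATH` line appends `:{{ os_env_extra_user_paths | join (':') }}` unconditionally, so whenever `os_env_extra_user_paths` is empty the rendered value ends in a trailing colon (`PATH=/usr/local/bin:/usr/bin:/bin:`), and a zero-length PATH element means the current working directory to POSIX shells — an unwanted cwd lookup in a file whose purpose is hardening. Make the separator part of the conditional, e.g. `ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin{% if os_env_extra_user_paths %}:{{ os_env_extra_user_paths | join(':') }}{% endif %}`. Whether the role's default for that variable is an empty list is not visible in this section, so it is worth confirming against the defaults file before merging.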


@ -1,4 +1,4 @@
# {{ ansible_managed | comment }}
{{ ansible_managed | comment }}
#%PAM-1.0
{% if os_auth_retries > 0 %}
@ -18,7 +18,7 @@ account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
{% if (os_auth_pam_passwdqc_enable|bool) %}
{%- if ((ansible_os_family == 'RedHat' and ansible_distribution_version >= '7') or ansible_distribution == 'Amazon') %}
{%- if ((ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_version|int is version('7', '>=')) or ansible_facts.distribution == 'Amazon') %}
password required pam_pwquality.so {{ os_auth_pam_pwquality_options }}
{%- else %}
password requisite pam_passwdqc.so {{ os_auth_pam_passwdqc_options }}


@ -1,4 +1,4 @@
# {{ ansible_managed | comment }}
{{ ansible_managed | comment }}
# Disable core dumps via soft limits for all users. Compliance to this setting is voluntary and can be modified by users up to a hard limit. This setting is a sane default.
ulimit -S -c 0 > /dev/null 2>&1


@ -1,5 +1,4 @@
# {{ ansible_managed | comment }}
{{ ansible_managed | comment }}
# A list of TTYs, from which root can log in
# see `man securetty` for reference


@ -1,4 +1,4 @@
# {{ ansible_managed | comment }}
{{ ansible_managed | comment }}
# color => new RH6.0 bootup
# verbose => old-style bootup


@ -1,3 +1,5 @@
{{ ansible_managed | comment }}
Name: passwdqc password strength enforcement
Default: yes
Priority: 1024


@ -1,3 +1,5 @@
{{ ansible_managed | comment }}
Name: tally2 lockout after failed attempts enforcement
Default: yes
Priority: 1024


@ -4,10 +4,22 @@
roles:
- ansible-os-hardening
pre_tasks:
- name: set ansible_python_interpreter to "/usr/bin/python3" on fedora
set_fact:
ansible_python_interpreter: "/usr/bin/python3"
when: ansible_facts.distribution == 'Fedora'
- name: Run the equivalent of "apt-get update" as a separate step
apt:
update_cache: yes
when: ansible_os_family == 'Debian'
when: ansible_facts.os_family == 'Debian'
- name: install required tools on fedora
dnf:
name:
- python
- findutils
- procps-ng
when: ansible_facts.distribution == 'Fedora'
- name: create recursing symlink to test minimize access
shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
vars:
@ -20,7 +32,7 @@
os_auth_allow_homeless: true
os_security_suid_sgid_blacklist: ['/bin/umount']
os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
os_filesystem_whitelist: ['vfat']
os_filesystem_whitelist: []
sysctl_config:
net.ipv4.ip_forward: 0
net.ipv6.conf.all.forwarding: 0
@ -52,23 +64,26 @@
net.ipv6.conf.default.accept_ra_rtr_pref: 0
net.ipv6.conf.default.accept_ra_pinfo: 0
net.ipv6.conf.default.accept_ra_defrtr: 0
net.ipv6.conf.default.autoconf: 0
net.ipv6.conf.default.conf: 0
net.ipv6.conf.default.dad_transmits: 0
net.ipv6.conf.default.max_addresses: 1
kernel.sysrq: 0
fs.suid_dumpable: 0
kernel.randomize_va_space: 2
- name: wrapper playbook for kitchen testing "ansible-os-hardening"
hosts: localhost
vars:
- os_auditd_enabled: false
os_auditd_enabled: false
pre_tasks:
- name: set ansible_python_interpreter to "/usr/bin/python3" on fedora
set_fact:
ansible_python_interpreter: "/usr/bin/python3"
when: ansible_facts.distribution == 'Fedora'
- name: Run the equivalent of "apt-get update" as a separate step
apt:
update_cache: yes
when: ansible_os_family == 'Debian'
when: ansible_facts.os_family == 'Debian'
roles:
- ansible-os-hardening
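Review bot: Both `apt` pre-tasks in this section write `update_cache: yes` while the rest of the file uses canonical booleans (`os_auth_allow_homeless: true`, `os_auditd_enabled: false`); `yes` is a YAML 1.1 truthy value that yamllint flags and that newer parsers read as a string. Use `update_cache: true` in both the first play's pre_tasks and the wrapper play's pre_tasks. The first play's header and its `vars` block extend outside the visible hunks.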


@ -1,6 +1,6 @@
---
# system accounts that do not get their login disabled and pasword changed
os_always_ignore_users: ['root','sync','shutdown','halt', 'ec2-user']
os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt', 'ec2-user']
sysctl_rhel_config:
# ExecShield protection against buffer overflows


@ -1,13 +1,10 @@
---
os_packages_pam_ccreds: 'libpam-ccreds'
os_packages_pam_passwdqc: 'libpam-passwdqc'
os_packages_pam_cracklib: 'libpam-cracklib'
passwdqc_path: '/usr/share/pam-configs/passwdqc'
tally2_path: '/usr/share/pam-configs/tally2'
os_nologin_shell_path: '/usr/sbin/nologin'
auditd_package: 'auditd'
modprobe_package: 'kmod'
# Different distros use different standards for /etc/shadow perms, e.g.
# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
# You must provide key/value pairs for owner, group, and mode if overriding.
@ -29,3 +26,12 @@ os_auth_sys_uid_min: 100
os_auth_sys_uid_max: 999
os_auth_sys_gid_min: 100
os_auth_sys_gid_max: 999
# defaults for useradd
os_useradd_mail_dir: /var/mail
modprobe_package: 'kmod'
auditd_package: 'auditd'
tally2_path: '/usr/share/pam-configs/tally2'
passwdqc_path: '/usr/share/pam-configs/passwdqc'


@ -0,0 +1,31 @@
---
os_packages_pam_ccreds: 'pam_ccreds'
os_packages_pam_passwdqc: 'pam_passwdqc'
os_packages_pam_cracklib: 'pam_cracklib'
os_nologin_shell_path: '/sbin/nologin'
# Different distros use different standards for /etc/shadow perms, e.g.
# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
# You must provide key/value pairs for owner, group, and mode if overriding.
os_shadow_perms:
owner: root
group: root
mode: '0000'
os_passwd_perms:
owner: root
group: root
mode: '0644'
os_env_umask: '027'
os_auth_uid_min: 1000
os_auth_gid_min: 1000
os_auth_sys_uid_min: 201
os_auth_sys_uid_max: 999
os_auth_sys_gid_min: 201
os_auth_sys_gid_max: 999
modprobe_package: 'module-init-tools'
auditd_package: 'audit'


@ -1,6 +1,8 @@
os_packages_pam_ccreds: 'pam_ccreds'
os_packages_pam_passwdqc: 'pam_passwdqc'
os_packages_pam_cracklib: 'pam_cracklib'
---
os_packages_pam_ccreds: 'pam_ccreds'
os_packages_pam_passwdqc: 'pam_passwdqc'
os_packages_pam_cracklib: 'pam_cracklib'
os_nologin_shell_path: '/sbin/nologin'
# Different distros use different standards for /etc/shadow perms, e.g.


@ -1,8 +1,5 @@
---
modprobe_package: 'module-init-tools'
auditd_package: 'audit'
os_packages_pam_ccreds: 'pam_ccreds'
os_packages_pam_passwdqc: 'pam_passwdqc'
os_packages_pam_cracklib: 'pam_cracklib'
@ -29,3 +26,10 @@ os_auth_sys_uid_min: 201
os_auth_sys_uid_max: 999
os_auth_sys_gid_min: 201
os_auth_sys_gid_max: 999
# defaults for useradd
os_useradd_mail_dir: /var/spool/mail
os_useradd_create_home: true
modprobe_package: 'module-init-tools'
auditd_package: 'audit'


@ -0,0 +1,34 @@
---
os_packages_pam_ccreds: 'pam_ccreds'
os_packages_pam_passwdqc: 'pam_passwdqc'
os_packages_pam_cracklib: 'cracklib'
os_nologin_shell_path: '/sbin/nologin'
# Different distros use different standards for /etc/shadow perms, e.g.
# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
# You must provide key/value pairs for owner, group, and mode if overriding.
os_shadow_perms:
owner: root
group: root
mode: '0600'
os_passwd_perms:
owner: root
group: root
mode: '0644'
os_env_umask: '027'
os_auth_uid_min: 1000
os_auth_gid_min: 1000
os_auth_sys_uid_min: 100
os_auth_sys_uid_max: 499
os_auth_sys_gid_min: 100
os_auth_sys_gid_max: 499
# defaults for useradd
os_useradd_create_home: false
modprobe_package: 'kmod-compat'
auditd_package: 'audit'


@ -108,4 +108,4 @@ os_security_suid_sgid_system_whitelist:
- '/usr/lib/libvte-2.90-9/gnome-pty-helper' # gnome
# system accounts that do not get their login disabled and pasword changed
os_always_ignore_users: ['root','sync','shutdown','halt']
os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt']


@ -0,0 +1,40 @@
---
name: Bug report
about: Create a report to help us improve
---
**Describe the bug**
A clear and concise description of what the bug is.
**Expected behavior**
A clear and concise description of what you expected to happen.
**Actual behavior**
<!--- Paste verbatim command output between quotes -->
```paste below
```
**Example Playbook**
<!--- Paste an example playbook that can be used to reproduce the problem between quotes -->
```paste below
```
**OS / Environment**
<!--- Provide all relevant information below, e.g. target OS versions, network device firmware, etc. -->
**Ansible Version**
<!--- Paste verbatim output from "ansible --version" between quotes -->
```paste below
```
**Role Version**
<!--- Paste version of the role between quotes -->
```paste below
```
**Additional context**
Add any other context about the problem here.


@ -0,0 +1,17 @@
---
name: Feature request
about: Suggest an idea for this project
---
**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Additional context**
Add any other context or screenshots about the feature request here.


@ -0,0 +1,34 @@
name: Create Changelog
on:
pull_request:
types: [closed]
release:
types: [published]
issues:
types: [closed, edited]
jobs:
generate_changelog:
runs-on: ubuntu-latest
name: Generate changelog for master branch
steps:
- uses: actions/checkout@v1
- name: Generate changelog
uses: charmixer/auto-changelog-action@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: push
uses: github-actions-x/commit@v2.6
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
push-branch: 'master'
commit-message: 'update changelog'
force-add: 'true'
files: CHANGELOG.md
name: dev-sec CI
email: github@gumpri.ch
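Review bot: The third-party actions in the `steps` block are referenced by mutable tags (`charmixer/auto-changelog-action@v1`, `github-actions-x/commit@v2.6`) yet receive `secrets.GITHUB_TOKEN` and are configured with `force-add: 'true'` and `push-branch: 'master'`, so a moved tag upstream would execute unreviewed code with write access to the default branch. Pin each `uses:` to a full commit SHA, keeping the tag in a trailing comment for readability, and do the same for `actions/checkout@v1`. Note also that the `issues: types: [closed, edited]` trigger lets any issue edit start a job that pushes to master, which is a wide trigger for a write job. The same mutable-reference pattern appears in the following "New release" workflow section, where `WyriHaximus/github-action-get-previous-tag@master` tracks a moving branch.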


@ -0,0 +1,51 @@
name: New release
on:
push:
branches:
- master
jobs:
generate_changelog:
runs-on: ubuntu-latest
name: create release draft
steps:
- uses: actions/checkout@v1
- name: 'Get Previous tag'
id: previoustag
uses: "WyriHaximus/github-action-get-previous-tag@master"
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- name: calculate next version
id: version
uses: patrickjahns/version-drafter-action@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Generate changelog
uses: charmixer/auto-changelog-action@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
since_tag: ${{ steps.previoustag.outputs.tag }}
# wait for https://github.com/CharMixer/auto-changelog-action/pull/3
#future_release: ${{ steps.version.outputs.next-version }}
- name: Read CHANGELOG.md
id: package
uses: juliangruber/read-file-action@v1
with:
path: ./CHANGELOG.md
- name: Create Release draft
id: create_release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
with:
release_name: ${{ steps.version.outputs.next-version }}
tag_name: ${{ steps.version.outputs.next-version }}
body: |
${{ steps.package.outputs.content }}
draft: true


@ -17,7 +17,7 @@ provisioner:
require_ansible_omnibus: true
ansible_verbose: true
ansible_diff: true
hosts: all
roles_path: ../ansible-ssh-hardening/
http_proxy: <%= ENV['http_proxy'] || nil %>
https_proxy: <%= ENV['https_proxy'] || nil %>


@ -20,56 +20,34 @@ provisioner:
http_proxy: <%= ENV['http_proxy'] || nil %>
https_proxy: <%= ENV['https_proxy'] || nil %>
transport:
max_ssh_sessions: 5
platforms:
- name: ubuntu-12.04
driver_config:
box: opscode-ubuntu-12.04
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box
- name: ubuntu-14.04
driver_config:
box: opscode-ubuntu-14.04
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box
- name: ubuntu-16.04
driver_config:
box: opscode-ubuntu-16.04
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-16.04_chef-provisionerless.box
- name: centos-6.4
- name: centos-7.2
box: bento/ubuntu-16.04
- name: ubuntu-18.04
driver_config:
box: opscode-centos-7.2
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-7.2_chef-provisionerless.box
- name: centos-6.5
box: bento/ubuntu-18.04
- name: centos-6
driver_config:
box: opscode-centos-6.5
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box
- name: centos-6.8
driver_config:
box: bento/centos-6.8
box: bento/centos-6
- name: centos-7
driver_config:
box: bento/centos-7.2
- name: oracle-6.4
box: bento/centos-7
- name: oracle-6
driver_config:
box: oracle-6.4
box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel64-64.box
- name: oracle-6.5
driver_config:
box: oracle-6.5
box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box
box: bento/oracle-6
- name: oracle-7
driver_config:
box: boxcutter/ol72
- name: debian-7
box: bento/oracle-7
- name: debian-9
driver_config:
box: debian-7
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-7.8_chef-provisionerless.box
- name: debian-8
box: bento/debian-9
- name: debian-10
driver_config:
box: debian-8
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box
box: bento/debian-10
- name: amazon
driver_config:
box: bento/amazonlinux-2
verifier:
name: inspec


@ -6,9 +6,6 @@ driver:
http_proxy: <%= ENV['http_proxy'] || nil %>
https_proxy: <%= ENV['https_proxy'] || nil %>
transport:
max_ssh_sessions: 5
provisioner:
name: ansible_playbook
hosts: all
@ -17,12 +14,12 @@ provisioner:
require_ruby_for_busser: false
ansible_verbose: true
ansible_diff: true
hosts: all
roles_path: ../ansible-ssh-hardening/
http_proxy: <%= ENV['http_proxy'] || nil %>
https_proxy: <%= ENV['https_proxy'] || nil %>
playbook: tests/default.yml
ansible_diff: true
ansible_extra_flags:
- "--skip-tags=sysctl"
@ -51,10 +48,6 @@ platforms:
provision_command:
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- systemctl enable sshd.service
- name: ubuntu1404-ansible-latest
driver:
image: rndmh3ro/docker-ubuntu1404-ansible:latest
platform: ubuntu
- name: ubuntu1604-ansible-latest
driver:
image: rndmh3ro/docker-ubuntu1604-ansible:latest
@ -62,14 +55,13 @@ platforms:
run_command: /sbin/init
provision_command:
- systemctl enable ssh.service
- name: debian7-ansible-latest
- name: ubuntu1804-ansible-latest
driver:
image: rndmh3ro/docker-debian7-ansible:latest
platform: debian
- name: debian8-ansible-latest
driver:
image: rndmh3ro/docker-debian8-ansible:latest
platform: debian
image: rndmh3ro/docker-ubuntu1804-ansible:latest
platform: ubuntu
run_command: /sbin/init
provision_command:
- systemctl enable ssh.service
- name: debian9-ansible-latest
driver:
image: rndmh3ro/docker-debian9-ansible:latest
@ -78,6 +70,14 @@ platforms:
provision_command:
- apt install -y systemd-sysv
- systemctl enable ssh.service
- name: debian10-ansible-latest
driver:
image: rndmh3ro/docker-debian10-ansible
platform: debian
run_command: /sbin/init
provision_command:
- apt install -y systemd-sysv
- systemctl enable ssh.service
- name: amazon-ansible-latest
driver:
image: rndmh3ro/docker-amazon-ansible:latest
@ -86,6 +86,15 @@ platforms:
provision_command:
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- systemctl enable sshd.service
- name: fedora-ansible-latest
driver:
image: rndmh3ro/docker-fedora-ansible:latest
platform: centos
run_command: /sbin/init
provision_command:
- dnf install -y python
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- systemctl enable sshd.service
verifier:
name: inspec
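Review bot: The new `debian10-ansible-latest` platform references `image: rndmh3ro/docker-debian10-ansible` without a tag, while every sibling entry (`ubuntu1804`, `fedora`, `amazon`) pins `:latest`; Docker resolves a missing tag to `latest` anyway, but the inconsistency reads as a deliberate difference. Suggest `image: rndmh3ro/docker-debian10-ansible:latest` to match the rest of the list. The `platforms` sequence begins outside the visible hunks.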


@ -25,17 +25,9 @@ env:
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distro: ubuntu1404
- distro: ubuntu1804
version: latest
init: /sbin/init
- distro: debian7
version: latest
init: /sbin/init
- distro: debian8
version: latest
init: /sbin/init
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distro: debian9
@ -43,29 +35,42 @@ env:
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distro: debian10
version: latest
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distro: amazon
init: /lib/systemd/systemd
version: latest
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distro: fedora
init: /lib/systemd/systemd
version: latest
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
before_install:
# Pull container
- 'docker pull rndmh3ro/docker-${distro}-ansible:${version}'
script:
- pip install --user ansible-lint
- ansible-lint ./
- container_id=$(mktemp)
# Run container in detached state.
- 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-ssh-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
# Test role.
- 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default_custom.yml'
- 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default.yml'
- 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default_custom.yml --diff'
- 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default.yml --diff'
# Verify role
# remove the UseLogin-check, see here for reasons: https://github.com/dev-sec/ansible-ssh-hardening/pull/141
- 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=sshd-01 sshd-02 sshd-03 sshd-04 sshd-05 sshd-06 sshd-07 sshd-08 sshd-09 sshd-10 sshd-11 sshd-12 sshd-13 sshd-14 sshd-16 sshd-17 sshd-18 sshd-19 sshd-20 sshd-21 sshd-22 sshd-23 sshd-24 sshd-25 sshd-26 sshd-27 sshd-28 sshd-29 sshd-30 sshd-31 sshd-32 sshd-33 sshd-34 sshd-35 sshd-36 sshd-37 sshd-38 sshd-39 sshd-40 sshd-41 sshd-42 sshd-43 sshd-44 sshd-45 sshd-46 sshd-47 sshd-48 --no-distinct-exit'
- 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=sshd-01 sshd-02 sshd-03 sshd-04 sshd-05 sshd-06 sshd-07 sshd-08 sshd-09 sshd-10 sshd-11 sshd-12 sshd-13 sshd-14 sshd-15 sshd-16 sshd-17 sshd-18 sshd-19 sshd-20 sshd-21 sshd-22 sshd-23 sshd-24 sshd-25 sshd-26 sshd-27 sshd-28 sshd-29 sshd-30 sshd-31 sshd-32 sshd-33 sshd-34 sshd-35 sshd-36 sshd-37 sshd-38 sshd-39 sshd-40 sshd-41 sshd-42 sshd-43 sshd-44 sshd-45 sshd-46 sshd-47 sshd-48 --no-distinct-exit'
# remove UseRoaming and RhostsRSAAuthentication because these options are deprecated - ssh-14, ssh-15, ssh-21
- 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=ssh-01 ssh-02 ssh-03 ssh-04 ssh-05 ssh-06 ssh-07 ssh-08 ssh-09 ssh-10 ssh-11 ssh-12 ssh-13 ssh-16 ssh-17 ssh-18 ssh-19 ssh-20 --no-distinct-exit'
- 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=ssh-01 ssh-02 ssh-03 ssh-04 ssh-05 ssh-06 ssh-07 ssh-08 ssh-09 ssh-10 ssh-11 ssh-12 ssh-13 ssh-14 ssh-15 ssh-16 ssh-17 ssh-18 ssh-19 ssh-20 --no-distinct-exit'
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/


@ -1,6 +1,217 @@
# Change Log
# Changelog
## [Unreleased](https://github.com/dev-sec/ansible-ssh-hardening/tree/HEAD)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/8.0.0...HEAD)
**Implemented enhancements:**
- add changelog and release workflow [\#282](https://github.com/dev-sec/ansible-ssh-hardening/pull/282) ([rndmh3ro](https://github.com/rndmh3ro))
- fix: Ansible part of Fedora build [\#281](https://github.com/dev-sec/ansible-ssh-hardening/pull/281) ([kostasns](https://github.com/kostasns))
- Add changelog action [\#280](https://github.com/dev-sec/ansible-ssh-hardening/pull/280) ([rndmh3ro](https://github.com/rndmh3ro))
- fix: Amazon linux build [\#279](https://github.com/dev-sec/ansible-ssh-hardening/pull/279) ([kostasns](https://github.com/kostasns))
- feat: Allow to set custom list of HostKeyAlgorithms [\#278](https://github.com/dev-sec/ansible-ssh-hardening/pull/278) ([kostasns](https://github.com/kostasns))
- fix\(ansible\_facts\): replace few remaining facts from 'ansible\_' to using 'ansible\_facts' dictionary [\#277](https://github.com/dev-sec/ansible-ssh-hardening/pull/277) ([kostasns](https://github.com/kostasns))
## [8.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/8.0.0) (2020-04-21)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/7.0.0...8.0.0)
**Implemented enhancements:**
- Remove dependency on bash [\#265](https://github.com/dev-sec/ansible-ssh-hardening/issues/265)
- Possibility to use other value than yes/no for AllowTCPforwarding [\#255](https://github.com/dev-sec/ansible-ssh-hardening/issues/255)
- Add support for Debian Buster in ansible-ssh-hardening [\#248](https://github.com/dev-sec/ansible-ssh-hardening/issues/248)
- Some options not configurable via the role [\#239](https://github.com/dev-sec/ansible-ssh-hardening/issues/239)
- PermitUserEnvironment should not be conflated with AcceptEnv [\#232](https://github.com/dev-sec/ansible-ssh-hardening/issues/232)
- Disable also dynamic MOTD via PAM if enabled - refs \#271 [\#273](https://github.com/dev-sec/ansible-ssh-hardening/pull/273) ([ancoron](https://github.com/ancoron))
- Use sha2 HMACs on RHEL 6 / CentOS 6. [\#270](https://github.com/dev-sec/ansible-ssh-hardening/pull/270) ([foonix](https://github.com/foonix))
- Removing 2fa [\#269](https://github.com/dev-sec/ansible-ssh-hardening/pull/269) ([dennisse](https://github.com/dennisse))
- Renaming Ansible variables discovered from systems [\#268](https://github.com/dev-sec/ansible-ssh-hardening/pull/268) ([PovilasGT](https://github.com/PovilasGT))
- Do not use bash to get ssh version [\#266](https://github.com/dev-sec/ansible-ssh-hardening/pull/266) ([kljensen](https://github.com/kljensen))
- Add 'all', 'local', 'yes', 'no' options support for AllowTcpForwarding variable [\#257](https://github.com/dev-sec/ansible-ssh-hardening/pull/257) ([brnck](https://github.com/brnck))
- Support KEX for OpenSSH 8.0+ & quantum resistant KEX [\#254](https://github.com/dev-sec/ansible-ssh-hardening/pull/254) ([lunarthegrey](https://github.com/lunarthegrey))
- SFTP: set default umask to 0027 [\#252](https://github.com/dev-sec/ansible-ssh-hardening/pull/252) ([Slamdunk](https://github.com/Slamdunk))
- Separate PermitUserEnviroment from AcceptEnv [\#251](https://github.com/dev-sec/ansible-ssh-hardening/pull/251) ([szEvEz](https://github.com/szEvEz))
- Feature: Debian 10 \(Buster\) support [\#249](https://github.com/dev-sec/ansible-ssh-hardening/pull/249) ([jaredledvina](https://github.com/jaredledvina))
- fix broken packages, extend README with furhter development instructions [\#246](https://github.com/dev-sec/ansible-ssh-hardening/pull/246) ([szEvEz](https://github.com/szEvEz))
- refactor authenticationmethod settings, allow user to set authenticat… [\#245](https://github.com/dev-sec/ansible-ssh-hardening/pull/245) ([szEvEz](https://github.com/szEvEz))
- RHEL/OL/CentOS 8 support [\#242](https://github.com/dev-sec/ansible-ssh-hardening/pull/242) ([Furragen](https://github.com/Furragen))
- Added ssh\_syslog\_facility, ssh\_log\_level and ssh\_strict\_modes parameters [\#240](https://github.com/dev-sec/ansible-ssh-hardening/pull/240) ([bschonec](https://github.com/bschonec))
**Fixed bugs:**
- HostKey comment "\# Req 20" breaks key based auth [\#262](https://github.com/dev-sec/ansible-ssh-hardening/issues/262)
- SSH fails to start/connect if custom server ports is set on CentOS 7.6 [\#212](https://github.com/dev-sec/ansible-ssh-hardening/issues/212)
- Google 2fa authentication problem [\#170](https://github.com/dev-sec/ansible-ssh-hardening/issues/170)
- vars: remove empty main.yml file [\#274](https://github.com/dev-sec/ansible-ssh-hardening/pull/274) ([paulfantom](https://github.com/paulfantom))
- Only manage moduli when hardening server [\#267](https://github.com/dev-sec/ansible-ssh-hardening/pull/267) ([jbronn](https://github.com/jbronn))
- Remove comment from sshd config HostKey param [\#263](https://github.com/dev-sec/ansible-ssh-hardening/pull/263) ([abtreece](https://github.com/abtreece))
## [7.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/7.0.0) (2019-09-15)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.2.0...7.0.0)
**Implemented enhancements:**
- Add new option ssh\_server\_match\_address [\#230](https://github.com/dev-sec/ansible-ssh-hardening/issues/230)
- set UsePAM to yes by default [\#233](https://github.com/dev-sec/ansible-ssh-hardening/pull/233) ([rndmh3ro](https://github.com/rndmh3ro))
**Fixed bugs:**
- Unable to connect after applying the role \(Ubuntu 18.04, AWS EC2\) [\#229](https://github.com/dev-sec/ansible-ssh-hardening/issues/229)
**Closed issues:**
- Can't connect to new instance created from hardened image [\#189](https://github.com/dev-sec/ansible-ssh-hardening/issues/189)
**Merged pull requests:**
- changed string comparison to version comparison [\#234](https://github.com/dev-sec/ansible-ssh-hardening/pull/234) ([gobind-singh](https://github.com/gobind-singh))
## [6.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.2.0) (2019-08-05)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.1.3...6.2.0)
**Implemented enhancements:**
- added support for `ssh\_server\_match\_address` \(\#230\) [\#231](https://github.com/dev-sec/ansible-ssh-hardening/pull/231) ([MatthiasLohr](https://github.com/MatthiasLohr))
## [6.1.3](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.1.3) (2019-06-09)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.1.2...6.1.3)
**Implemented enhancements:**
- Fix squash\_actions deprecation in test playbooks [\#228](https://github.com/dev-sec/ansible-ssh-hardening/pull/228) ([Normo](https://github.com/Normo))
- Fix deprecation warnings in Ansible 2.8 [\#227](https://github.com/dev-sec/ansible-ssh-hardening/pull/227) ([Normo](https://github.com/Normo))
**Fixed bugs:**
- deprecation warnings in Ansible 2.8 [\#226](https://github.com/dev-sec/ansible-ssh-hardening/issues/226)
## [6.1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.1.2) (2019-05-17)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.1.1...6.1.2)
**Fixed bugs:**
- sshd\_custom\_options used in ssh\_config generation [\#224](https://github.com/dev-sec/ansible-ssh-hardening/issues/224)
**Merged pull requests:**
- use correct variable ssh\_custom\_options in ssh\_config template [\#225](https://github.com/dev-sec/ansible-ssh-hardening/pull/225) ([rndmh3ro](https://github.com/rndmh3ro))
## [6.1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.1.1) (2019-05-07)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.1.0...6.1.1)
**Fixed bugs:**
- Missing indent for `ChrootDirectory` in `Match Group sftponly` [\#221](https://github.com/dev-sec/ansible-ssh-hardening/issues/221)
**Merged pull requests:**
- fix indentation for matches [\#222](https://github.com/dev-sec/ansible-ssh-hardening/pull/222) ([rndmh3ro](https://github.com/rndmh3ro))
## [6.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.1.0) (2019-05-04)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.0.0...6.1.0)
**Implemented enhancements:**
- PermitRootLogin yes [\#190](https://github.com/dev-sec/ansible-ssh-hardening/issues/190)
- Match Group' in configuration but 'user' not in connection test specification [\#188](https://github.com/dev-sec/ansible-ssh-hardening/issues/188)
- Allow custom values [\#175](https://github.com/dev-sec/ansible-ssh-hardening/issues/175)
- use selinux fact to check if selinux is used [\#220](https://github.com/dev-sec/ansible-ssh-hardening/pull/220) ([rndmh3ro](https://github.com/rndmh3ro))
- Remove eol os and add fedora [\#218](https://github.com/dev-sec/ansible-ssh-hardening/pull/218) ([rndmh3ro](https://github.com/rndmh3ro))
- document and move custom variables [\#217](https://github.com/dev-sec/ansible-ssh-hardening/pull/217) ([rndmh3ro](https://github.com/rndmh3ro))
- fix: allow other ssh ports using selinux [\#214](https://github.com/dev-sec/ansible-ssh-hardening/pull/214) ([guilieb](https://github.com/guilieb))
- Make ansible-lint happy [\#204](https://github.com/dev-sec/ansible-ssh-hardening/pull/204) ([alexclear](https://github.com/alexclear))
- Fix ssh and sshd config files to satisfy inspec reqs on all Testkitchen setups [\#203](https://github.com/dev-sec/ansible-ssh-hardening/pull/203) ([alexclear](https://github.com/alexclear))
- enable ssh 7.7p1 support [\#202](https://github.com/dev-sec/ansible-ssh-hardening/pull/202) ([rndmh3ro](https://github.com/rndmh3ro))
- Removed DEPRECATION WARNING for apt, using list instead of with\_items [\#201](https://github.com/dev-sec/ansible-ssh-hardening/pull/201) ([jonaswre](https://github.com/jonaswre))
**Fixed bugs:**
- Using more than one rule in a Group or User Match block? [\#207](https://github.com/dev-sec/ansible-ssh-hardening/issues/207)
- fix multiple match rules not working \#207 [\#208](https://github.com/dev-sec/ansible-ssh-hardening/pull/208) ([rndmh3ro](https://github.com/rndmh3ro))
## [6.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.0.0) (2018-11-18)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/5.0.0...6.0.0)
**Implemented enhancements:**
- Ubuntu 18.04 support [\#182](https://github.com/dev-sec/ansible-ssh-hardening/issues/182)
- Update opensshd.conf.js [\#196](https://github.com/dev-sec/ansible-ssh-hardening/pull/196) ([ikr0m](https://github.com/ikr0m))
**Fixed bugs:**
- GSSAPI support broken. Can't be enabled. [\#192](https://github.com/dev-sec/ansible-ssh-hardening/issues/192)
- Unsupported option "rhostsrsaauthentication" "rsaauthentication" [\#184](https://github.com/dev-sec/ansible-ssh-hardening/issues/184)
- Weak kex are controlled by wrong variable ? [\#174](https://github.com/dev-sec/ansible-ssh-hardening/issues/174)
- Can't connect to server by SSH after applying this role [\#115](https://github.com/dev-sec/ansible-ssh-hardening/issues/115)
**Closed issues:**
- Support StreamLocalBindUnlink [\#197](https://github.com/dev-sec/ansible-ssh-hardening/issues/197)
- Add molecule testing [\#183](https://github.com/dev-sec/ansible-ssh-hardening/issues/183)
**Merged pull requests:**
- Support for custom configuration [\#199](https://github.com/dev-sec/ansible-ssh-hardening/pull/199) ([MatthiasLohr](https://github.com/MatthiasLohr))
- parameterize PermitRootLogin [\#195](https://github.com/dev-sec/ansible-ssh-hardening/pull/195) ([rndmh3ro](https://github.com/rndmh3ro))
- set 'GSSAPIAuthentication yes' if variable 'ssh\_gssapi\_support' is set to 'true' [\#194](https://github.com/dev-sec/ansible-ssh-hardening/pull/194) ([szEvEz](https://github.com/szEvEz))
- Use ansible version compare module [\#187](https://github.com/dev-sec/ansible-ssh-hardening/pull/187) ([BentoumiTech](https://github.com/BentoumiTech))
- add ubuntu 18.04 support [\#186](https://github.com/dev-sec/ansible-ssh-hardening/pull/186) ([rndmh3ro](https://github.com/rndmh3ro))
## [5.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/5.0.0) (2018-09-16)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.4.0...5.0.0)
**Implemented enhancements:**
- Fixing the broken Ansible dependency mechanism [\#176](https://github.com/dev-sec/ansible-ssh-hardening/issues/176)
- Include new baseline-tests [\#161](https://github.com/dev-sec/ansible-ssh-hardening/issues/161)
- GlobalKnownHostsFile missing from ssh\_config [\#155](https://github.com/dev-sec/ansible-ssh-hardening/issues/155)
- Options not compatible with OpenSSH server 7.6 [\#151](https://github.com/dev-sec/ansible-ssh-hardening/issues/151)
- Kitchen travis [\#180](https://github.com/dev-sec/ansible-ssh-hardening/pull/180) ([rndmh3ro](https://github.com/rndmh3ro))
- update config of kex, macs, ciphers [\#179](https://github.com/dev-sec/ansible-ssh-hardening/pull/179) ([rndmh3ro](https://github.com/rndmh3ro))
- add debian 9 and a comment [\#178](https://github.com/dev-sec/ansible-ssh-hardening/pull/178) ([rndmh3ro](https://github.com/rndmh3ro))
- Dependency flag [\#177](https://github.com/dev-sec/ansible-ssh-hardening/pull/177) ([jcheroske](https://github.com/jcheroske))
- Travis [\#173](https://github.com/dev-sec/ansible-ssh-hardening/pull/173) ([rndmh3ro](https://github.com/rndmh3ro))
- OpenBSD Support [\#171](https://github.com/dev-sec/ansible-ssh-hardening/pull/171) ([jbronn](https://github.com/jbronn))
- Implement disabling chroot for sftp [\#166](https://github.com/dev-sec/ansible-ssh-hardening/pull/166) ([towo](https://github.com/towo))
- New tests [\#163](https://github.com/dev-sec/ansible-ssh-hardening/pull/163) ([rndmh3ro](https://github.com/rndmh3ro))
- yaml-lint update, refactor tasks [\#162](https://github.com/dev-sec/ansible-ssh-hardening/pull/162) ([rndmh3ro](https://github.com/rndmh3ro))
- Handle a few deprecated OpenSSH options [\#160](https://github.com/dev-sec/ansible-ssh-hardening/pull/160) ([ageis](https://github.com/ageis))
- Added support for TrustedUserCAKeys and AuthorizedPrincipalsFile. [\#157](https://github.com/dev-sec/ansible-ssh-hardening/pull/157) ([gdelafond](https://github.com/gdelafond))
- Adds sshd config for keyboard-interactive pam device [\#156](https://github.com/dev-sec/ansible-ssh-hardening/pull/156) ([rcII](https://github.com/rcII))
- Use package state 'present' since 'installed' is deprecated [\#154](https://github.com/dev-sec/ansible-ssh-hardening/pull/154) ([Normo](https://github.com/Normo))
- conform to current dev-sec/ssh-baseline [\#150](https://github.com/dev-sec/ansible-ssh-hardening/pull/150) ([alval5280](https://github.com/alval5280))
- new parameter: ssh\_max\_startups [\#149](https://github.com/dev-sec/ansible-ssh-hardening/pull/149) ([aeschbacher](https://github.com/aeschbacher))
- Update syntax to 2.4 [\#148](https://github.com/dev-sec/ansible-ssh-hardening/pull/148) ([thomasjpfan](https://github.com/thomasjpfan))
- Amazonlinux-Testing [\#147](https://github.com/dev-sec/ansible-ssh-hardening/pull/147) ([rndmh3ro](https://github.com/rndmh3ro))
- Fixed trailing whitespace [\#146](https://github.com/dev-sec/ansible-ssh-hardening/pull/146) ([zbrojny120](https://github.com/zbrojny120))
- Add support for Amazon Linux [\#145](https://github.com/dev-sec/ansible-ssh-hardening/pull/145) ([woneill](https://github.com/woneill))
**Fixed bugs:**
- ssh\_server\_weak\_kex variable is not used any where [\#167](https://github.com/dev-sec/ansible-ssh-hardening/issues/167)
- opensshd.conf.j2 template type error [\#159](https://github.com/dev-sec/ansible-ssh-hardening/issues/159)
- line 56: Bad SSH2 mac spec [\#135](https://github.com/dev-sec/ansible-ssh-hardening/issues/135)
**Closed issues:**
- Travis & Debian 9 "Stretch" [\#158](https://github.com/dev-sec/ansible-ssh-hardening/issues/158)
**Merged pull requests:**
- remove oracle7 from travis tests for the time being [\#181](https://github.com/dev-sec/ansible-ssh-hardening/pull/181) ([rndmh3ro](https://github.com/rndmh3ro))
## [4.4.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.4.0) (2017-12-29)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.3.1...4.4.0)
**Implemented enhancements:**
@ -10,12 +221,11 @@
- allow configuration of GatewayPorts [\#136](https://github.com/dev-sec/ansible-ssh-hardening/pull/136) ([pwyliu](https://github.com/pwyliu))
- Added support for AuthorizedKeysFile config setting [\#132](https://github.com/dev-sec/ansible-ssh-hardening/pull/132) ([hyrsky](https://github.com/hyrsky))
- corrected comments explaining the task's behaviour [\#131](https://github.com/dev-sec/ansible-ssh-hardening/pull/131) ([martinbydefault](https://github.com/martinbydefault))
- Add Two-Factor Authentication [\#123](https://github.com/dev-sec/ansible-ssh-hardening/pull/123) ([lazzurs](https://github.com/lazzurs))
- Feature/2fa auth [\#123](https://github.com/dev-sec/ansible-ssh-hardening/pull/123) ([lazzurs](https://github.com/lazzurs))
**Fixed bugs:**
- ssh\_use\_dns used twice in defaults/main.yml [\#129](https://github.com/dev-sec/ansible-ssh-hardening/issues/129)
- line 56: Bad SSH2 mac spec [\#135](https://github.com/dev-sec/ansible-ssh-hardening/issues/135)
**Closed issues:**
@ -31,6 +241,7 @@
- force /bin/sh when getting openssh-version [\#134](https://github.com/dev-sec/ansible-ssh-hardening/pull/134) ([gtz42](https://github.com/gtz42))
## [4.3.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.3.1) (2017-08-14)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.3.0...4.3.1)
**Implemented enhancements:**
@ -46,7 +257,8 @@
- role creates duplicate parameter/values after run [\#124](https://github.com/dev-sec/ansible-ssh-hardening/issues/124)
## [4.3.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.3.0) (2017-08-03)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.3...4.3.0)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.2.0...4.3.0)
**Implemented enhancements:**
@ -58,11 +270,13 @@
- Don't overwrite ssh\_host\_key\_files if set manually [\#125](https://github.com/dev-sec/ansible-ssh-hardening/pull/125) ([oakey-b1](https://github.com/oakey-b1))
- Add comment filter to {{ansible\_managed}} string [\#121](https://github.com/dev-sec/ansible-ssh-hardening/pull/121) ([fazlearefin](https://github.com/fazlearefin))
## [4.1.3](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.3) (2017-06-30)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.2.0...4.1.3)
## [4.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.2.0) (2017-06-30)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.2...4.2.0)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.3...4.2.0)
## [4.1.3](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.3) (2017-06-30)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.2...4.1.3)
**Implemented enhancements:**
@ -78,6 +292,7 @@
- Do not use shell when not needed + Lint whitespaces [\#118](https://github.com/dev-sec/ansible-ssh-hardening/pull/118) ([krhubert](https://github.com/krhubert))
## [4.1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.2) (2017-05-31)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.1...4.1.2)
**Implemented enhancements:**
@ -93,17 +308,15 @@
- Update readme to include baselines [\#110](https://github.com/dev-sec/ansible-ssh-hardening/issues/110)
## [4.1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.1) (2017-05-18)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.0...4.1.1)
**Implemented enhancements:**
- fix validation error [\#113](https://github.com/dev-sec/ansible-ssh-hardening/pull/113) ([pwyliu](https://github.com/pwyliu))
**Fixed bugs:**
- fix validation error [\#113](https://github.com/dev-sec/ansible-ssh-hardening/pull/113) ([pwyliu](https://github.com/pwyliu))
## [4.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.0) (2017-05-09)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.0.0...4.1.0)
**Implemented enhancements:**
@ -123,6 +336,7 @@
- Adds option to enable password based authentication on the server [\#107](https://github.com/dev-sec/ansible-ssh-hardening/pull/107) ([colin-nolan](https://github.com/colin-nolan))
## [4.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.0.0) (2017-04-22)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.2.0...4.0.0)
**Implemented enhancements:**
@ -145,8 +359,6 @@
**Fixed bugs:**
- SELinux-specific task still runs on SELinux-disabled systems [\#74](https://github.com/dev-sec/ansible-ssh-hardening/issues/74)
- List only one Port in ssh config [\#84](https://github.com/dev-sec/ansible-ssh-hardening/pull/84) ([fullyint](https://github.com/fullyint))
- Fix ssh config to handle custom options per Host [\#83](https://github.com/dev-sec/ansible-ssh-hardening/pull/83) ([fullyint](https://github.com/fullyint))
**Closed issues:**
@ -159,6 +371,7 @@
- Fix ssh\_server\_ports and ssh\_client\_ports documentation bug [\#80](https://github.com/dev-sec/ansible-ssh-hardening/pull/80) ([kivilahtio](https://github.com/kivilahtio))
## [3.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.2.0) (2016-10-24)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.1.0...3.2.0)
**Implemented enhancements:**
@ -173,11 +386,8 @@
- Selinux issue [\#75](https://github.com/dev-sec/ansible-ssh-hardening/issues/75)
- Running the tests locally [\#61](https://github.com/dev-sec/ansible-ssh-hardening/issues/61)
**Closed issues:**
- Applied-Crypto-Hardening project and new cyphers. [\#28](https://github.com/dev-sec/ansible-ssh-hardening/issues/28)
## [3.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.1.0) (2016-08-03)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.1...3.1.0)
**Implemented enhancements:**
@ -185,6 +395,7 @@
- use new ciphers, kex, macs and privilege separation for redhat family 7 or later [\#72](https://github.com/dev-sec/ansible-ssh-hardening/issues/72)
## [3.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.1) (2016-08-03)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.0.0...3.1)
**Implemented enhancements:**
@ -212,11 +423,12 @@
- Add SCP/SFTP to FAQ [\#58](https://github.com/dev-sec/ansible-ssh-hardening/pull/58) ([rndmh3ro](https://github.com/rndmh3ro))
## [3.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.0.0) (2016-03-13)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/2.0.0...3.0.0)
**Implemented enhancements:**
- Added sftp\_enabled, sftp\_chroot\_dir, and ssh\_client\_roaming from the … [\#57](https://github.com/dev-sec/ansible-ssh-hardening/pull/57) ([shirokatze](https://github.com/shirokatze))
- Added sftp\_enabled, sftp\_chroot\_dir, and ssh\_client\_roaming from the … [\#57](https://github.com/dev-sec/ansible-ssh-hardening/pull/57) ([ghost](https://github.com/ghost))
- add test support for ansible 1.9 and 2.0 [\#56](https://github.com/dev-sec/ansible-ssh-hardening/pull/56) ([rndmh3ro](https://github.com/rndmh3ro))
- update platforms in meta-file [\#52](https://github.com/dev-sec/ansible-ssh-hardening/pull/52) ([rndmh3ro](https://github.com/rndmh3ro))
- add webhook for ansible galaxy [\#51](https://github.com/dev-sec/ansible-ssh-hardening/pull/51) ([rndmh3ro](https://github.com/rndmh3ro))
@ -235,6 +447,7 @@
- New release 3.0.0 [\#59](https://github.com/dev-sec/ansible-ssh-hardening/pull/59) ([rndmh3ro](https://github.com/rndmh3ro))
## [2.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/2.0.0) (2015-11-28)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2.1...2.0.0)
**Closed issues:**
@ -248,6 +461,7 @@
- sftp\_enable option [\#41](https://github.com/dev-sec/ansible-ssh-hardening/pull/41) ([fitz123](https://github.com/fitz123))
## [1.2.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2.1) (2015-10-16)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2...1.2.1)
**Merged pull requests:**
@ -255,10 +469,12 @@
- Allow whitelisted groups on ssh [\#40](https://github.com/dev-sec/ansible-ssh-hardening/pull/40) ([fheinle](https://github.com/fheinle))
## [1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2) (2015-09-28)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2.0...1.2)
## [1.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2.0) (2015-09-28)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1...1.2.0)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1.0...1.2.0)
**Merged pull requests:**
@ -266,16 +482,20 @@
- Add more travis-tests [\#38](https://github.com/dev-sec/ansible-ssh-hardening/pull/38) ([rndmh3ro](https://github.com/rndmh3ro))
- Support for selinux and pam. fix \#23 [\#35](https://github.com/dev-sec/ansible-ssh-hardening/pull/35) ([rndmh3ro](https://github.com/rndmh3ro))
## [1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.1) (2015-09-01)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1.0...1.1)
## [1.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.1.0) (2015-09-01)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.0.0...1.1.0)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1...1.1.0)
## [1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.1) (2015-09-01)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.0.0...1.1)
**Closed issues:**
- ssh\_ports - individual client/server config [\#33](https://github.com/dev-sec/ansible-ssh-hardening/issues/33)
- Applied-Crypto-Hardening project and new cyphers. [\#28](https://github.com/dev-sec/ansible-ssh-hardening/issues/28)
- UsePAM should probably default to yes on Red Hat Linux 7 [\#23](https://github.com/dev-sec/ansible-ssh-hardening/issues/23)
- Running test-kitchen fails [\#2](https://github.com/dev-sec/ansible-ssh-hardening/issues/2)
**Merged pull requests:**
@ -296,6 +516,9 @@
- Debian install script [\#19](https://github.com/dev-sec/ansible-ssh-hardening/pull/19) ([rndmh3ro](https://github.com/rndmh3ro))
## [1.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.0.0) (2015-04-30)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/a9591764206b79a4ed324bb8576151ebac0127b1...1.0.0)
**Implemented enhancements:**
- Update variable-documentation [\#12](https://github.com/dev-sec/ansible-ssh-hardening/pull/12) ([rndmh3ro](https://github.com/rndmh3ro))
@ -304,7 +527,6 @@
- add travis test for ubuntu 12.04 [\#7](https://github.com/dev-sec/ansible-ssh-hardening/issues/7)
- Use handler for sshd restart [\#6](https://github.com/dev-sec/ansible-ssh-hardening/issues/6)
- Running test-kitchen fails [\#2](https://github.com/dev-sec/ansible-ssh-hardening/issues/2)
**Merged pull requests:**
@ -325,4 +547,4 @@
\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*
\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*


@ -11,6 +11,7 @@ group :integration do
gem 'kitchen-sync'
gem 'kitchen-transport-rsync'
gem 'kitchen-docker'
gem 'inspec', '~> 3'
end
group :tools do
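Review bot: The added `gem 'inspec', '~> 3'` in the `:integration` group constrains only the major version, so the test environment resolves to whichever 3.x release is current at bundle time unless a Gemfile.lock is committed next to it (none is visible in this chunk). For reproducible integration runs, either commit the lockfile or tighten the constraint to the minor release the role was actually tested against. If this Gemfile is a vendored copy of the upstream role, keeping it as upstream ships it is a defensible choice, but that should then be stated in the commit description.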


@ -12,7 +12,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
## Requirements
* Ansible > 2.4
* Ansible > 2.5
## Role Variables
| Name | Default Value | Description |
@ -22,17 +22,18 @@ Warning: This role disables root-login on the target server! Please make sure yo
|`ssh_client_port` | '22' |port to which ssh-client should connect|
|`ssh_listen_to` | ['0.0.0.0'] |one or more ip addresses, to which ssh-server should listen to. Default is all adresseses, but should be configured to specific addresses for security reasons!|
|`ssh_host_key_files` | [] |Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version|
|`ssh_host_key_algorithms` | [] | Host key algorithms that the server offers. If empty the [default list](https://man.openbsd.org/sshd_config#HostKeyAlgorithms) will be used, otherwise overrides the setting with specified list of algorithms|
|`ssh_client_alive_interval` | 600 | specifies an interval for sending keepalive messages |
|`ssh_client_alive_count` | 3 | defines how often keep-alive messages are sent |
|`ssh_permit_tunnel` | false | true if SSH Port Tunneling is required |
|`ssh_remote_hosts` | [] | one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`.|
|`ssh_allow_root_with_key` | false | false to disable root login altogether. Set to true to allow root to login via key-based mechanism.|
|`ssh_allow_tcp_forwarding` | false | false to disable TCP Forwarding. Set to true to allow TCP Forwarding.|
|`ssh_permit_root_login` | no | Disable root-login. Set to `without-password` or `yes` to enable root-login |
|`ssh_allow_tcp_forwarding` | no | `no` to disable TCP Forwarding. Set to `yes` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `yes`, `no`, `all` or `local`|
|`ssh_gateway_ports` | `false` | `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to.|
|`ssh_allow_agent_forwarding` | false | false to disable Agent Forwarding. Set to true to allow Agent Forwarding.|
|`ssh_pam_support` | true | true if SSH has PAM support.|
|`ssh_use_pam` | false | false to disable pam authentication.|
|`ssh_gssapi_support` | true | true if SSH has GSSAPI support.|
|`ssh_use_pam` | true | false to disable pam authentication.|
|`ssh_gssapi_support` | false | true if SSH has GSSAPI support.|
|`ssh_kerberos_support` | true | true if SSH has Kerberos support.|
|`ssh_deny_users` | '' | if specified, login is disallowed for user names that match one of the patterns.|
|`ssh_allow_users` | '' | if specified, login is allowed only for user names that match one of the patterns.|
@ -46,6 +47,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
|`ssh_print_motd` | false | false to disable printing of the MOTD|
|`ssh_print_last_log` | false | false to disable display of last login information|
|`sftp_enabled` | false | true to enable sftp configuration|
|`sftp_umask` | 0027 | Specifies the umask for sftp|
|`sftp_chroot` | true | false to disable chroot for sftp|
|`sftp_chroot_dir` | /home/%u | change default sftp chroot location|
|`ssh_client_roaming` | false | enable experimental client roaming|
@ -54,8 +56,6 @@ Warning: This role disables root-login on the target server! Please make sure yo
|`ssh_challengeresponseauthentication` | false | Specifies whether challenge-response authentication is allowed (e.g. via PAM) |
|`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client |
|`ssh_server_password_login` | false | `true` to allow password-based authentication with the ssh server |
|`ssh_google_auth` | false | `true` to enable google authenticator based TOTP 2FA |
|`ssh_pam_device` | false | `true` to enable public key auth with pam device 2FA |
|`ssh_banner` | `false` | `true` to print a banner on login |
|`ssh_client_hardening` | `true` | `false` to stop harden the client |
|`ssh_client_port` | `'22'` | Specifies the port number to connect on the remote host. |
@ -64,15 +64,40 @@ Warning: This role disables root-login on the target server! Please make sure yo
|`ssh_print_debian_banner` | `false` | `true` to print debian specific banner |
|`ssh_server_enabled` | `true` | `false` to disable the opensshd server |
|`ssh_server_hardening` | `true` | `false` to stop harden the server |
|`ssh_server_match_address` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
|`ssh_server_match_group` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
|`ssh_server_match_user` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
|`ssh_server_permit_environment_vars` | `false` | `true` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd |
|`ssh_server_permit_environment_vars` | `no` | `yes` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global "yes" or "no" settings |
|`ssh_server_accept_env_vars`| '' | Specifies what environment variables sent by the client will be copied into the session's enviroment, multiple environment variables may be separated by whitespace |
|`ssh_use_dns` | `false` | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. |
|`ssh_server_revoked_keys` | [] | a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys.|
|`ssh_max_startups` | '10:30:100' | Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.|
|`ssh_macs` | [] | Change this list to overwrite macs. Defaults found in `defaults/main.yml` |
|`ssh_kex` | [] | Change this list to overwrite kexs. Defaults found in `defaults/main.yml` |
|`ssh_ciphers` | [] | Change this list to overwrite ciphers. Defaults found in `defaults/main.yml` |
|`ssh_custom_options` | [] | Custom lines for SSH client configuration |
|`sshd_custom_options` | [] | Custom lines for SSH daemon configuration |
|`sshd_syslog_facility` | 'AUTH' | The facility code that is used when logging messages from sshd |
|`sshd_log_level` | 'VERBOSE' | the verbosity level that is used when logging messages from sshd |
|`sshd_strict_modes` | 'yes' | Check file modes and ownership of the user's files and home directory before accepting login |
|`sshd_authenticationmethods` | `publickey` | Specifies the authentication methods that must be successfully completed for a user to be granted access. Make sure to set all required variables for your selected authentication method. Defaults found in `defaults/main.yml`
## Configuring settings not listed in role-variables
If you want to configure ssh options that are not listed above, you can use `ssh_custom_options` (for `/etc/ssh/ssh_config`) or `sshd_custom_options` (for `/etc/ssh/sshd_config`) to set them. These options will be set on the **beginning** of the file so you can override options further down in the file.
Example playbook:
```
- hosts: localhost
roles:
- dev-sec.ssh-hardening
vars:
ssh_custom_options:
- "Include /etc/ssh/ssh_config.d/*"
sshd_custom_options:
- "AcceptEnv LANG"
```
## Example Playbook
@ -97,27 +122,31 @@ bundle install
### Testing with Docker
```
# fast test on one machine
bundle exec kitchen test default-ubuntu-1204
bundle exec kitchen test ssh-ubuntu1804-ansible-latest
# test on all machines
bundle exec kitchen test
# for development
bundle exec kitchen create default-ubuntu-1204
bundle exec kitchen converge default-ubuntu-1204
bundle exec kitchen create ssh-ubuntu1804-ansible-latest
bundle exec kitchen converge ssh-ubuntu1804-ansible-latest
bundle exec kitchen verify ssh-ubuntu1804-ansible-latest
# cleanup
bundle exec kitchen destroy ssh-ubuntu1804-ansible-latest
```
### Testing with Virtualbox
```
# fast test on one machine
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test default-ubuntu-1204
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test ssh-ubuntu-1804
# test on all machines
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test
# for development
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen create default-ubuntu-1204
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen converge default-ubuntu-1204
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen create ssh-ubuntu-1804
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen converge ssh-ubuntu-1804
```
For more information see [test-kitchen](http://kitchen.ci/docs/getting-started)


@ -30,6 +30,9 @@ ssh_listen_to: ['0.0.0.0'] # sshd
# Host keys to look for when starting sshd.
ssh_host_key_files: [] # sshd
# Specifies the host key algorithms that the server offers
ssh_host_key_algorithms: [] # sshd
# Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
ssh_max_auth_retries: 2
@ -48,11 +51,11 @@ ssh_permit_tunnel: false
# options: ['StrictHostKeyChecking no']
ssh_remote_hosts: []
# false to disable root login altogether. Set to true to allow root to login via key-based mechanism.
ssh_allow_root_with_key: false # sshd
# Set this to "without-password" or "yes" to allow root to login
ssh_permit_root_login: 'no' # sshd
# false to disable TCP Forwarding. Set to true to allow TCP Forwarding.
ssh_allow_tcp_forwarding: false # sshd
ssh_allow_tcp_forwarding: 'no' # sshd
# false to disable binding forwarded ports to non-loopback addresses. Set to true to force binding on wildcard address.
# Set to 'clientspecified' to allow the client to specify which address to bind to.
@ -65,16 +68,13 @@ ssh_allow_agent_forwarding: false # sshd
ssh_pam_support: true
# false to disable pam authentication.
ssh_use_pam: false # sshd
ssh_use_pam: true # sshd
# false to disable google 2fa authentication
ssh_google_auth: false # sshd
# false to disable pam device 2FA input
ssh_pam_device: false # sshd
# specify AuthenticationMethods
sshd_authenticationmethods: 'publickey'
# true if SSH support GSSAPI
ssh_gssapi_support: true
ssh_gssapi_support: false
# true if SSH support Kerberos
ssh_kerberos_support: true
@ -139,6 +139,9 @@ sftp_enabled: false
# false to disable sftp chroot
sftp_chroot: true
# sftp default umask
sftp_umask: 0027
# change default sftp chroot location
sftp_chroot_dir: /home/%u
@ -151,7 +154,11 @@ ssh_server_match_user: false # sshd
# list of hashes (containing group and rules) to generate Match Group blocks for.
ssh_server_match_group: false # sshd
ssh_server_permit_environment_vars: false
# list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for.
ssh_server_match_address: false # sshd
ssh_server_permit_environment_vars: 'no'
ssh_server_accept_env_vars : ''
# maximum number of concurrent unauthenticated connections to the SSH daemon
ssh_max_startups: '10:30:100' # sshd
@ -167,6 +174,10 @@ ssh_macs_53_default:
- hmac-ripemd160
- hmac-sha1
ssh_macs_53_el_6_5_default:
- hmac-sha2-512
- hmac-sha2-256
ssh_macs_59_default:
- hmac-sha2-512
- hmac-sha2-256
@ -205,6 +216,11 @@ ssh_kex_59_default:
ssh_kex_66_default:
- curve25519-sha256@libssh.org
- diffie-hellman-group-exchange-sha256
ssh_kex_80_default:
- sntrup4591761x25519-sha512@tinyssh.org
- curve25519-sha256@libssh.org
- diffie-hellman-group-exchange-sha256
# directory where to store ssh_password policy
ssh_custom_selinux_dir: '/etc/selinux/local-policies'
@ -220,4 +236,16 @@ ssh_server_revoked_keys: []
# Set to false to turn the role into a no-op. Useful when using
# the Ansible role dependency mechanism.
ssh_hardening_enabled: true
ssh_hardening_enabled: true
# Custom options for SSH client configuration file
ssh_custom_options: []
# Custom options for SSH daemon configuration file
sshd_custom_options: []
# Logging
sshd_syslog_facility: 'AUTH'
sshd_log_level: 'VERBOSE'
sshd_strict_modes: yes
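Review bot: `sftp_umask: 0027` on the `sftp_umask` line is an unquoted scalar that YAML 1.1 loaders (PyYAML, which Ansible uses) read as the octal integer 23, so `-u {{ sftp_umask }}` in the sshd template renders `-u 23` rather than `-u 0027`; sftp-server parses the `-u` argument as an octal string, so the effective mask would be 023 and files created over SFTP end up more permissive than intended. Quote it: `sftp_umask: '0027'` (the README row for `sftp_umask` shows the same unquoted value and should change with it). `sshd_strict_modes: yes` is a YAML 1.1 truthy that loads as a boolean while the README documents it as the string `'yes'`; `true` or `'yes'` would be unambiguous for both readers and yamllint. The comment above `ssh_allow_tcp_forwarding: 'no'` still reads `false to disable TCP Forwarding. Set to true to allow TCP Forwarding.` although the template now only accepts the strings yes/no/local/all, so `# 'no' to disable TCP Forwarding; 'yes', 'all' or 'local' to allow it` would match the new contract.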


@ -1 +1,2 @@
{install_date: 'Mon Dec 17 12:48:22 2018', version: 5.0.0}
install_date: Fri May 15 20:29:21 2020
version: 8.1.0


@ -4,7 +4,7 @@ galaxy_info:
description: 'This Ansible role provides numerous security-related ssh configurations, providing all-round base protection.'
company: Hardening Framework Team
license: Apache License 2.0
min_ansible_version: '2.4'
min_ansible_version: '2.5'
platforms:
- name: EL
versions:
@ -12,14 +12,14 @@ galaxy_info:
- 7
- name: Ubuntu
versions:
- precise
- trusty
- xenial
- bionic
- name: Debian
versions:
- wheezy
- jessie
- stretch
- buster
- name: Amazon
- name: Fedora
galaxy_tags:
- system
- security


@ -1,36 +0,0 @@
---
# Install the 2FA packages and setup the config in PAM and SSH
- name: Install google authenticator PAM module
apt:
name: 'libpam-google-authenticator'
state: present
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
- name: Install google authenticator PAM module
yum:
name: 'google-authenticator'
state: present
when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
- name: Add google auth module to PAM
pamd:
name: 'sshd'
type: 'auth'
control: 'required'
module_path: 'pam_google_authenticator.so'
- name: Remove password auth from PAM
pamd:
name: 'sshd'
type: 'auth'
control: 'substack'
module_path: 'password-auth'
state: absent
when: ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux' or ansible_distribution == 'Amazon'
- name: Remove password auth from PAM
replace:
dest: '/etc/pam.d/sshd'
regexp: '^@include common-auth'
replace: '#@include common-auth'
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'


@ -3,61 +3,73 @@
- name: set hostkeys according to openssh-version
set_fact:
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
when: sshd_version.stdout >= '6.3' and not ssh_host_key_files
when: sshd_version is version('6.3', '>=') and not ssh_host_key_files
- name: set hostkeys according to openssh-version
set_fact:
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key']
when: sshd_version.stdout >= '6.0' and not ssh_host_key_files
when: sshd_version is version('6.0', '>=') and not ssh_host_key_files
- name: set hostkeys according to openssh-version
set_fact:
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key']
when: sshd_version.stdout >= '5.3' and not ssh_host_key_files
when: sshd_version is version('5.3', '>=') and not ssh_host_key_files
###
- name: set macs according to openssh-version if openssh >= 7.6
set_fact:
ssh_macs: '{{ ssh_macs_76_default }}'
when: sshd_version.stdout >= '7.6' and not ssh_macs
when: sshd_version is version('7.6', '>=') and not ssh_macs
- name: set macs according to openssh-version if openssh >= 6.6
set_fact:
ssh_macs: '{{ ssh_macs_66_default }}'
when: sshd_version.stdout >= '6.6' and not ssh_macs
when: sshd_version is version('6.6', '>=') and not ssh_macs
- name: set macs according to openssh-version
set_fact:
ssh_macs: '{{ ssh_macs_59_default }}'
when: sshd_version.stdout >= '5.9' and not ssh_macs
when: sshd_version is version('5.9', '>=') and not ssh_macs
- name: set macs for Enterprise Linux >= 6.5 (openssh 5.3 with backports)
set_fact:
ssh_macs: '{{ ssh_macs_53_el_6_5_default }}'
when:
- ansible_facts.distribution in ['CentOS', 'OracleLinux', 'RedHat']
- ansible_facts.distribution_version is version('6.5', '>=')
- not ssh_macs
- name: set macs according to openssh-version
set_fact:
ssh_macs: '{{ ssh_macs_53_default }}'
when: sshd_version.stdout >= '5.3' and not ssh_macs
when: sshd_version is version('5.3', '>=') and not ssh_macs
###
- name: set ciphers according to openssh-version if openssh >= 6.6
set_fact:
ssh_ciphers: '{{ ssh_ciphers_66_default }}'
when: sshd_version.stdout >= '6.6' and not ssh_ciphers
when: sshd_version is version('6.6', '>=') and not ssh_ciphers
- name: set ciphers according to openssh-version
set_fact:
ssh_ciphers: '{{ ssh_ciphers_53_default }}'
when: sshd_version.stdout >= '5.3' and not ssh_ciphers
when: sshd_version is version('5.3', '>=') and not ssh_ciphers
###
- name: set kex according to openssh-version if openssh >= 8.0
set_fact:
ssh_kex: '{{ ssh_kex_80_default }}'
when: sshd_version is version('8.0', '>=') and not ssh_kex
- name: set kex according to openssh-version if openssh >= 6.6
set_fact:
ssh_kex: '{{ ssh_kex_66_default }}'
when: sshd_version.stdout >= '6.6' and not ssh_kex
when: sshd_version is version('6.6', '>=') and not ssh_kex
- name: set kex according to openssh-version
set_fact:
ssh_kex: '{{ ssh_kex_59_default }}'
when: sshd_version.stdout >= '5.9' and not ssh_kex
when: sshd_version is version('5.9', '>=') and not ssh_kex


@ -2,19 +2,21 @@
- name: Set OS dependent variables
include_vars: '{{ item }}'
with_first_found:
- '{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml'
- '{{ ansible_distribution }}.yml'
- '{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml'
- '{{ ansible_os_family }}.yml'
- '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
- '{{ ansible_facts.distribution }}.yml'
- '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
- '{{ ansible_facts.os_family }}.yml'
- name: get openssh-version
shell: ssh -V 2>&1 | sed -r 's/.*_([0-9]*\.[0-9]).*/\1/g'
args:
executable: /bin/sh
command: ssh -V
register: sshd_version_raw
changed_when: false
register: sshd_version
check_mode: no
- name: parse openssh-version
set_fact:
sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]*.[0-9]).*', '\\1') }}"
- name: include tasks to create crypo-vars
include_tasks: crypto.yml
@ -26,7 +28,7 @@
owner: '{{ ssh_owner }}'
group: '{{ ssh_group }}'
notify: restart sshd
when: ssh_server_hardening
when: ssh_server_hardening | bool
- name: create sshd_config and set permissions to root/600
template:
@ -35,9 +37,21 @@
mode: '0600'
owner: '{{ ssh_owner }}'
group: '{{ ssh_group }}'
validate: '/usr/sbin/sshd -T -f %s'
validate: '/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -f %s'
notify: restart sshd
when: ssh_server_hardening
when: ssh_server_hardening | bool
- name: disable dynamic MOTD
pamd:
name: sshd
type: session
control: optional
module_path: pam_motd.so
state: absent
when:
- ssh_server_hardening | bool
- ssh_pam_support | bool
- not (ssh_print_motd | bool)
- name: create ssh_config and set permissions to root/644
template:
@ -46,38 +60,27 @@
mode: '0644'
owner: '{{ ssh_owner }}'
group: '{{ ssh_group }}'
when: ssh_client_hardening
when: ssh_client_hardening | bool
- name: Check if {{ sshd_moduli_file }} contains weak DH parameters
shell: awk '$5 < {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }}
register: sshd_register_moduli
changed_when: false
check_mode: no
when: ssh_server_hardening | bool
- name: remove all small primes
shell: awk '$5 >= {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }} > {{ sshd_moduli_file }}.new ;
[ -r {{ sshd_moduli_file }}.new -a -s {{ sshd_moduli_file }}.new ] && mv {{ sshd_moduli_file }}.new {{ sshd_moduli_file }} || true
notify: restart sshd
when: sshd_register_moduli.stdout
when:
- ssh_server_hardening | bool
- sshd_register_moduli.stdout
- name: include tasks to setup ca keys and principals
include_tasks: ca_keys_and_principals.yml
when: ssh_trusted_user_ca_keys_file != ''
- name: include tasks to setup 2FA
include_tasks: 2fa.yml
when:
- ssh_use_pam
- ssh_challengeresponseauthentication
- ssh_google_auth
- name: test to see if selinux is installed and running
command: getenforce
register: sestatus
failed_when: false
changed_when: false
check_mode: no
when: ssh_trusted_user_ca_keys_file | length > 0
- name: include selinux specific tasks
include_tasks: selinux.yml
when: sestatus.rc == 0
when: ansible_facts.selinux and ansible_facts.selinux.status == "enabled"
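Review bot: The `parse openssh-version` regex `'.*_([0-9]*.[0-9]).*'` leaves the dot unescaped and captures only a single minor digit, so a two-digit minor (say a hypothetical 8.10) would become `8.1` and every later `is version(...)` comparison in this file, in crypto.yml and in the templates would be off; `sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]+\\.[0-9]+).*', '\\1') }}"` captures the full major.minor. If the pattern does not match at all (an unusual `ssh -V` banner), `regex_replace` returns the whole stderr string and the `version` tests then compare garbage silently, so an `assert` right after the set_fact, `that: sshd_version is match('^[0-9]+\\.[0-9]+$')`, would fail fast instead. The new `validate` string with `-C user=root -C host=localhost -C addr=localhost` is presumably there so `sshd -T` can evaluate the Match blocks this commit makes the template generate; a one-line comment above it such as `# -C supplies a connection spec so sshd -T can evaluate Match blocks` would keep the next maintainer from trimming it.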


@ -1,4 +1,4 @@
---
- include_tasks: hardening.yml
when: ssh_hardening_enabled
when: ssh_hardening_enabled | bool


@ -1,24 +1,22 @@
---
- name: install selinux dependencies when selinux is installed on RHEL or Oracle Linux
- name: install selinux dependencies when selinux is installed
package:
name: '{{ item }}'
name: '{{ ssh_selinux_packages }}'
state: present
with_items:
- 'policycoreutils-python'
- 'checkpolicy'
when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
- name: install selinux dependencies when selinux is installed on Debian or Ubuntu
apt:
name: '{{ item }}'
- name: "authorize {{ ssh_server_ports }} ports for selinux"
seport:
ports: '{{ item }}'
proto: tcp
setype: ssh_port_t
state: present
with_items:
- 'policycoreutils'
- 'checkpolicy'
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
- "{{ ssh_server_ports }}"
- name: check if ssh_password module is already installed
shell: 'semodule -l | grep ssh_password'
shell: 'set -o pipefail && semodule -l | grep ssh_password'
args:
executable: /bin/bash
register: ssh_password_module
failed_when: false
changed_when: false
@ -41,17 +39,18 @@
dest: '{{ ssh_custom_selinux_dir }}'
- name: check and compile policy
shell: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password
command: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password
- name: create selinux policy module package
shell: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp -m {{ ssh_custom_selinux_dir }}/ssh_password.mod
command: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp -m {{ ssh_custom_selinux_dir }}/ssh_password.mod
- name: install selinux policy
shell: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp
command: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp
when: not ssh_use_pam and sestatus.stdout != 'Disabled' and ssh_password_module.stdout.find('ssh_password') != 0
when: not ssh_use_pam | bool and ssh_password_module.stdout.find('ssh_password') != 0
# The following tasks only get executed when selinux is installed, UsePam is 'yes' and the ssh_password module is installed.
- name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk (http://danwalsh.livejournal.com/12333.html)
# See http://danwalsh.livejournal.com/12333.html for more info
- name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk
command: semodule -r ssh_password
when: ssh_use_pam and ssh_password_module.stdout.find('ssh_password') == 0
when: ssh_use_pam | bool and ssh_password_module.stdout.find('ssh_password') == 0


@ -2,7 +2,15 @@
# This is the ssh client system-wide configuration file.
# See ssh_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
#
{% if ssh_custom_options -%}
# Custom configuration that overwrites default configuration
# ==========================================================
{% for line in ssh_custom_options %}
{{ line }}
{% endfor %}
{% endif %}
# Basic configuration
# ===================
@ -82,7 +90,7 @@ ForwardX11 no
# Never use host-based authentication. It can be exploited.
HostbasedAuthentication no
{% if sshd_version.stdout | float < 7.4 -%}
{% if sshd_version is version('7.6', '<') %}
RhostsRSAAuthentication no
# Enable RSA authentication via identity files.
RSAAuthentication yes
@ -111,7 +119,7 @@ Compression yes
#EscapeChar ~
#VisualHostKey yes
{% if sshd_version.stdout | float <= 7.1 -%}
{% if sshd_version is version('7.1', '<=') %}
# Disable experimental client roaming. This is known to cause potential issues with secrets being disclosed to malicious servers and defaults to being disabled.
UseRoaming {{ 'yes' if ssh_client_roaming else 'no' }}
{% endif %}


@ -3,11 +3,19 @@
# This is the ssh client system-wide configuration file.
# See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
{% if sshd_custom_options -%}
# Custom configuration that overwrites default configuration
# ==========================================================
{% for line in sshd_custom_options -%}
{{ line }}
{% endfor %}
{% endif %}
# Basic configuration
# ===================
# Either disable or only allowssh root login via certificates.
PermitRootLogin {{ 'without-password' if (ssh_allow_root_with_key|bool) else 'no' }}
# Either disable or only allow root login via certificates.
PermitRootLogin {{ ssh_permit_root_login }}
# Define which port sshd should listen to. Default to `22`.
{% for port in ssh_server_ports -%}
@ -24,9 +32,14 @@ ListenAddress {{address}}
# List HostKeys here.
{% for key in ssh_host_key_files -%}
HostKey {{key}} # Req 20
HostKey {{key}}
{% endfor %}
# Specifies the host key algorithms that the server offers.
{% if sshd_version is version('5.8', '>=') %}
{{ "HostKeyAlgorithms "+ssh_host_key_algorithms| join(',') if ssh_host_key_algorithms else "HostKeyAlgorithms"|comment }}
{% endif %}
# Security configuration
# ======================
@ -34,11 +47,11 @@ HostKey {{key}} # Req 20
Protocol 2
# Make sure sshd checks file modes and ownership before accepting logins. This prevents accidental misconfiguration.
StrictModes yes
StrictModes {{ 'yes' if (sshd_strict_modes|bool) else 'no' }}
# Logging, obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel VERBOSE
SyslogFacility {{ sshd_syslog_facility }}
LogLevel {{ sshd_log_level }}
# Cryptography
# ------------
@ -75,8 +88,11 @@ LogLevel VERBOSE
# --------------
# Secure Login directives.
{% if sshd_version.stdout | float < 7.5 -%}
UsePrivilegeSeparation {% if (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') or (ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6') -%}{{ssh_ps53}}{% else %}{{ssh_ps59}}{% endif %}
{% if sshd_version is version('7.4', '<') %}
UseLogin no
{% endif %}
{% if sshd_version is version('7.5', '<') %}
UsePrivilegeSeparation {% if (ansible_facts.distribution == 'Debian' and ansible_facts.distribution_major_version <= '6') or (ansible_facts.os_family in ['Oracle Linux', 'RedHat'] and ansible_facts.distribution_major_version <= '6' and not ansible_facts.distribution == 'Amazon') -%}{{ssh_ps53}}{% else %}{{ssh_ps59}}{% endif %}
{% endif %}
LoginGraceTime 30s
@ -96,14 +112,11 @@ HostbasedAuthentication no
{% if ssh_pam_support -%}
UsePAM {{ 'yes' if (ssh_use_pam|bool) else 'no' }}
{% endif %}
{% if ssh_google_auth %}
# Force public key auth then ask for google auth code
AuthenticationMethods publickey,keyboard-interactive
{% endif %}
# Force public key auth then ask for pam device input
{% if ssh_pam_device %}
AuthenticationMethods publickey,keyboard-interactive:pam
# Set AuthenticationMethods per default to publickey
# AuthenticationMethods was introduced in OpenSSH 6.2 - https://www.openssh.com/txt/release-6.2
{% if sshd_version is version('6.2', '>=') %}
AuthenticationMethods {{ sshd_authenticationmethods }}
{% endif %}
# Disable password-based authentication, it can allow for potentially easier brute-force attacks.
@ -119,11 +132,9 @@ KerberosTicketCleanup yes
#KerberosGetAFSToken no
{% endif %}
{% if ssh_gssapi_support -%}
# Only enable GSSAPI authentication if it is configured.
GSSAPIAuthentication no
GSSAPIAuthentication {{ 'yes' if ssh_gssapi_support else 'no' }}
GSSAPICleanupCredentials yes
{% endif %}
# In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here. For key-based authentication this is not necessary, since all keys must be explicitely enabled.
{% if ssh_deny_users -%}
@ -142,15 +153,15 @@ DenyGroups {{ssh_deny_groups}}
AllowGroups {{ssh_allow_groups}}
{% endif %}
{% if ssh_authorized_keys_file %}
{% if ssh_authorized_keys_file -%}
AuthorizedKeysFile {{ ssh_authorized_keys_file }}
{% endif %}
{% if ssh_trusted_user_ca_keys_file %}
{% if ssh_trusted_user_ca_keys_file -%}
TrustedUserCAKeys {{ ssh_trusted_user_ca_keys_file }}
{% if ssh_authorized_principals_file %}
{% if ssh_authorized_principals_file -%}
AuthorizedPrincipalsFile {{ ssh_authorized_principals_file }}
{% endif %}
{% endif %}
{% endif %}
# Network
@ -168,19 +179,23 @@ PermitTunnel {{ 'yes' if (ssh_permit_tunnel|bool) else 'no' }}
# Disable forwarding tcp connections.
# no real advantage without denied shell access
AllowTcpForwarding {{ 'yes' if (ssh_allow_tcp_forwarding|bool) else 'no' }}
{% if sshd_version is version('6.2', '>=') %}
AllowTcpForwarding {{ ssh_allow_tcp_forwarding if (ssh_allow_tcp_forwarding in ('yes', 'no', 'local', 'all')) else 'no' }}
{% else %}
AllowTcpForwarding {{ ssh_allow_tcp_forwarding if (ssh_allow_tcp_forwarding in ('yes', 'no')) else 'no' }}
{% endif %}
# Disable agent formwarding, since local agent could be accessed through forwarded connection.
# Disable agent forwarding, since local agent could be accessed through forwarded connection.
# no real advantage without denied shell access
AllowAgentForwarding {{ 'yes' if (ssh_allow_agent_forwarding|bool) else 'no' }}
{% if ssh_gateway_ports|bool %}
{% if ssh_gateway_ports|bool -%}
# Port forwardings are forced to bind to the wildcard address
GatewayPorts yes
{% elif ssh_gateway_ports == 'clientspecified' %}
{% elif ssh_gateway_ports == 'clientspecified' -%}
# Clients allowed to specify which address to bind port forwardings to
GatewayPorts clientspecified
{% else %}
{% else -%}
# Do not allow remote port forwardings to bind to non-loopback addresses.
GatewayPorts no
{% endif %}
@ -192,13 +207,10 @@ X11UseLocalhost yes
# User environment configuration
# ==============================
{% if ssh_server_permit_environment_vars %}
PermitUserEnvironment yes
{% for item in ssh_server_permit_environment_vars %}
AcceptEnv {{ item }}
{% endfor %}
{% else %}
PermitUserEnvironment no
PermitUserEnvironment {{ ssh_server_permit_environment_vars }}
{% if ssh_server_accept_env_vars -%}
AcceptEnv {{ ssh_server_accept_env_vars }}
{% endif %}
# Misc. configuration
@ -210,31 +222,31 @@ UseDNS {{ 'yes' if (ssh_use_dns|bool) else 'no' }}
PrintMotd {{ 'yes' if (ssh_print_motd|bool) else 'no' }}
{% if ansible_os_family != 'FreeBSD' %}
{% if ansible_facts.os_family != 'FreeBSD' %}
PrintLastLog {{ 'yes' if (ssh_print_last_log|bool) else 'no' }}
{% endif %}
Banner {{ '/etc/ssh/banner.txt' if (ssh_banner|bool) else 'none' }}
{% if ansible_os_family == 'Debian' %}
{% if ansible_facts.os_family == 'Debian' -%}
DebianBanner {{ 'yes' if (ssh_print_debian_banner|bool) else 'no' }}
{% endif %}
# Reject keys that are explicitly blacklisted
RevokedKeys /etc/ssh/revoked_keys
{% if sftp_enabled %}
{% if sftp_enabled -%}
# SFTP matching configuration
# ===========================
# Configuration, in case SFTP is used
# override default of no subsystems
# Subsystem sftp /opt/app/openssh5/libexec/sftp-server
Subsystem sftp internal-sftp -l INFO -f LOCAL6
Subsystem sftp internal-sftp -l INFO -f LOCAL6 -u {{ sftp_umask }}
# These lines must appear at the *end* of sshd_config
Match Group sftponly
ForceCommand internal-sftp -l INFO -f LOCAL6
ForceCommand internal-sftp -l INFO -f LOCAL6 -u {{ sftp_umask }}
{% if sftp_chroot %}
ChrootDirectory {{ sftp_chroot_dir }}
{% endif %}
@ -245,23 +257,38 @@ Match Group sftponly
X11Forwarding no
{% endif %}
{% if ssh_server_match_group %}
{% if ssh_server_match_address -%}
# Address matching configuration
# ============================
{% for item in ssh_server_match_address -%}
Match Address {{ item.address }}
{% for rule in item.rules %}
{{ rule | indent(4) }}
{% endfor %}
{% endfor %}
{% endif %}
{% if ssh_server_match_group -%}
# Group matching configuration
# ============================
{% for item in ssh_server_match_group %}
{% for item in ssh_server_match_group -%}
Match Group {{ item.group }}
{{ item.rules | indent(4) }}
{% for rule in item.rules %}
{{ rule | indent(4) }}
{% endfor %}
{% endfor %}
{% endif %}
{% if ssh_server_match_user %}
{% if ssh_server_match_user -%}
# User matching configuration
# ===========================
{% for item in ssh_server_match_user %}
{% for item in ssh_server_match_user -%}
Match User {{ item.user }}
{{ item.rules | indent(4) }}
{% for rule in item.rules %}
{{ rule | indent(4) }}
{% endfor %}
{% endfor %}
{% endif %}
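Review bot: `GSSAPIAuthentication {{ 'yes' if ssh_gssapi_support else 'no' }}` sits inside the `{% if ssh_gssapi_support -%}` block that the hunk keeps as context, so the `else 'no'` branch is unreachable and any host with `ssh_gssapi_support: true` now gets `GSSAPIAuthentication yes` where it previously got an explicit `GSSAPIAuthentication no`; the README row in this commit still describes the variable as `true if SSH has GSSAPI support`, so users who set it to describe their build rather than to opt into the method will switch on an extra authentication path without noticing. Either keep the hardened `GSSAPIAuthentication no` under that flag and introduce a separate enable variable, or reword the README row to say the flag enables GSSAPI authentication. Separately, the `AllowTcpForwarding` line in the `version('6.2', '>=')` branch whitelists yes/no/local/all but not `remote`, which sshd_config(5) also accepts, so `'remote'` silently falls back to `'no'`; adding it to the tuple keeps the fail-closed behaviour for genuine typos. `PermitUserEnvironment {{ ssh_server_permit_environment_vars }}` is interpolated without such a whitelist even though the README states the pattern form needs OpenSSH 7.8, so on older sshd a pattern value is only caught by the `sshd -T` validate step.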


@ -2,20 +2,30 @@
- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
hosts: localhost
pre_tasks:
- package: name="{{item}}" state=present
with_items:
- "openssh-clients"
- "openssh-server"
- name: use python3
set_fact:
ansible_python_interpreter: /usr/bin/python3
when: ansible_facts.distribution == 'Fedora'
- package: name="{{ packages }}" state=present
vars:
packages:
- openssh-clients
- openssh-server
- libselinux-python
ignore_errors: true
- apt: name="{{item}}" state=present update_cache=true
with_items:
- "openssh-client"
- "openssh-server"
- apt: name="{{packages}}" state=present update_cache=true
vars:
packages:
- "openssh-client"
- "openssh-server"
ignore_errors: true
- file: path="/var/run/sshd" state=directory
- name: create ssh host keys
command: "ssh-keygen -A"
when: not ((ansible_os_family in ['Oracle Linux', 'RedHat']) and ansible_distribution_major_version < '7')
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
ansible_facts.distribution == "Fedora" or
ansible_facts.distribution == "Amazon"
roles:
- ansible-ssh-hardening


@ -2,30 +2,40 @@
- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with custom settings
hosts: localhost
pre_tasks:
- package: name="{{item}}" state=present
with_items:
- "openssh-clients"
- "openssh-server"
- name: use python3
set_fact:
ansible_python_interpreter: /usr/bin/python3
when: ansible_facts.distribution == 'Fedora'
- package: name="{{ packages }}" state=present
vars:
packages:
- openssh-clients
- openssh-server
- libselinux-python
ignore_errors: true
- apt: name="{{item}}" state=present update_cache=true
with_items:
- "openssh-client"
- "openssh-server"
- apt: name="{{packages}}" state=present update_cache=true
vars:
packages:
- "openssh-client"
- "openssh-server"
ignore_errors: true
- file: path="/var/run/sshd" state=directory
- name: create ssh host keys
command: "ssh-keygen -A"
when: not ((ansible_os_family in ['Oracle Linux', 'RedHat']) and ansible_distribution_major_version < '7')
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
ansible_facts.distribution == "Fedora" or
ansible_facts.distribution == "Amazon"
roles:
- ansible-ssh-hardening
vars:
network_ipv6_enable: true
ssh_allow_root_with_key: true
ssh_allow_tcp_forwarding: true
ssh_allow_tcp_forwarding: 'yes'
ssh_gateway_ports: true
ssh_allow_agent_forwarding: true
ssh_server_permit_environment_vars: ['PWD','HTTP_PROXY']
ssh_server_permit_environment_vars: 'yes'
ssh_server_accept_env_vars: 'PWD HTTP_PROXY'
ssh_client_alive_interval: 100
ssh_client_alive_count: 10
ssh_client_password_login: true
@ -37,6 +47,7 @@
ssh_deny_groups: 'foo bar'
ssh_authorized_keys_file: '/etc/ssh/authorized_keys/%u'
ssh_max_auth_retries: 10
ssh_permit_root_login: "without-password"
ssh_permit_tunnel: true
ssh_print_motd: true
ssh_print_last_log: true
@ -45,12 +56,21 @@
sftp_enabled: true
sftp_chroot: true
#ssh_server_enabled: false
ssh_server_match_address:
- address: '192.168.1.1/24'
rules:
- 'AllowTcpForwarding yes'
- 'AllowAgentForwarding no'
ssh_server_match_group:
- group: 'root'
rules: 'AllowTcpForwarding yes'
rules:
- 'AllowTcpForwarding yes'
- 'AllowAgentForwarding no'
ssh_server_match_user:
- user: 'root'
rules: 'AllowTcpForwarding yes'
rules:
- 'AllowTcpForwarding yes'
- 'AllowAgentForwarding no'
ssh_remote_hosts:
- names: ['example.com', 'example2.com']
options: ['Port 2222', 'ForwardAgent yes']
@ -63,8 +83,13 @@
ssh_trusted_user_ca_keys:
- '# ssh-rsa ...'
ssh_authorized_principals_file: '/etc/ssh/auth_principals/%u'
ssh_authorized_principals :
ssh_authorized_principals:
- { path: '/etc/ssh/auth_principals/root', principals: [ 'root' ], owner: "{{ ssh_owner }}", group: "{{ ssh_group }}", directoryowner: "{{ ssh_owner }}", directorygroup: "{{ ssh_group}}" }
ssh_host_key_algorithms:
- ssh-ed25519
- rsa-sha2-512
- rsa-sha2-256
- ssh-rsa
ssh_macs:
- hmac-sha2-512
- hmac-sha2-256
@ -76,3 +101,7 @@
ssh_kex:
- diffie-hellman-group-exchange-sha256
- diffie-hellman-group-exchange-sha1
ssh_custom_options:
- "Include /etc/ssh/ssh_config.d/*"
sshd_custom_options:
- "AcceptEnv LANG"


@ -1,3 +1,6 @@
sshd_service_name: ssh
ssh_owner: root
ssh_group: root
ssh_selinux_packages:
- policycoreutils-python
- checkpolicy


@ -0,0 +1,6 @@
sshd_service_name: sshd
ssh_owner: root
ssh_group: root
ssh_selinux_packages:
- python3-policycoreutils
- checkpolicy


@ -1,3 +1,6 @@
sshd_service_name: sshd
ssh_owner: root
ssh_group: root
ssh_selinux_packages:
- policycoreutils-python
- checkpolicy


@ -1,3 +1,6 @@
sshd_service_name: sshd
ssh_owner: root
ssh_group: root
ssh_selinux_packages:
- policycoreutils-python
- checkpolicy


@ -0,0 +1,6 @@
sshd_service_name: sshd
ssh_owner: root
ssh_group: root
ssh_selinux_packages:
- python3-policycoreutils
- checkpolicy


@ -1,5 +0,0 @@
*.retry
.vagrant
tests/_roles
!tests/_roles/.gitkeep
.DS_Store


@ -1,24 +0,0 @@
---
language: python
python: "2.7"
sudo: required
dist: trusty
addons:
apt:
sources:
- sourceline: ppa:ansible/ansible
packages:
- ansible
before_install: cd tests
install:
- ansible-galaxy install -r roles.yml
script:
- ansible-playbook -i localhost test.yml
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/


@ -1,21 +0,0 @@
MIT License
Copyright (c) 2016 Suzuki Shunsuke
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


@ -1,39 +0,0 @@
docker-compose
===============
[![Build Status](https://travis-ci.org/suzuki-shunsuke/ansible-docker-compose.svg?branch=master)](https://travis-ci.org/suzuki-shunsuke/ansible-docker-compose)
Install Docker Compose.
https://galaxy.ansible.com/suzuki-shunsuke/docker-compose/
Requirements
------------
* Docker Engine
Role Variables
--------------
* docker_compose_path: the path where docker-compose is installed. The default is /usr/local/bin
* docker_compose_mode: the permission of the docker-compose. The default is 0755
* docker_compose_version: docker-compose version. The default is `1.11.2`
Dependencies
------------
Nothing.
Example Playbook
----------------
```yaml
- hosts: servers
roles:
- role: suzuki-shunsuke.docker-compose
```
License
-------
MIT


@ -1,5 +0,0 @@
---
# defaults file for docker-compose
docker_compose_path: /usr/local/bin
docker_compose_mode: 0755
docker_compose_version: 1.11.2


@ -1 +0,0 @@
{install_date: 'Mon Apr 24 12:06:46 2017', version: 1.2.0}


@ -1,15 +0,0 @@
galaxy_info:
author: Suzuki Shunsuke
description: Install Docker Compose
license: MIT
min_ansible_version: 1.2
github_branch: master
platforms:
- name: GenericUnix
versions:
- all
galaxy_tags:
- docker
- docker compose
dependencies: []


@ -1,7 +0,0 @@
---
# tasks file for docker-compose
- name: Install docker-compose
get_url:
url: https://github.com/docker/compose/releases/download/{{docker_compose_version}}/docker-compose-{{ansible_system}}-{{ansible_architecture}}
dest: "{{'{}/docker-compose'.format(docker_compose_path)}}"
mode: "{{docker_compose_mode}}"


@ -1,12 +0,0 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure(2) do |config|
config.vm.box = "bento/ubuntu-16.04"
config.vm.provider "virtualbox" do |vb|
vb.memory = "2048"
end
config.vm.provision "ansible" do |ansible|
ansible.playbook = "./test.yml"
end
end


@ -1,6 +0,0 @@
[defaults]
roles_path = ./_roles:../../
[ssh_connection]
ssh_args = -o ControlPersist=1800s -o ControlMaster=auto
pipelining = True


@ -1,2 +0,0 @@
[default]
localhost ansible_connection=local


@ -1 +0,0 @@
- src: suzuki-shunsuke.docker-ubuntu


@ -1,11 +0,0 @@
---
- hosts: default
roles:
- suzuki-shunsuke.docker-ubuntu
- ansible-docker-compose
tasks:
- command: docker-compose --version
register: result
changed_when: false
- debug:
var: result


@ -1,3 +0,0 @@
---
# vars file for docker-compose
docker_compose_nonroot: "{{ (ansible_env.HOME == '/root') | ternary('no', 'yes') }}"


@ -1,2 +0,0 @@
*.retry
.vagrant


@ -1,23 +0,0 @@
---
language: python
python: "2.7"
sudo: required
dist: trusty
addons:
apt:
sources:
- sourceline: ppa:ansible/ansible
packages:
- ansible
before_script:
- ansible --version
- cd tests
script:
- ansible-playbook -i inventory-local test.yml
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/
