diff --git a/README.md b/README.md index cec62be..e276195 100644 --- a/README.md +++ b/README.md @@ -89,20 +89,22 @@ Install or update the following roles from [Ansible Galaxy](https://docs.ansible ``` ansible-galaxy install \ - dev-sec.nginx-hardening dev-sec.ssh-hardening dev-sec.os-hardening \ - geerlingguy.nodejs geerlingguy.certbot + dev-sec.nginx-hardening \ + dev-sec.ssh-hardening \ + dev-sec.os-hardening \ + geerlingguy.nodejs ``` To check that the scripts and roles are correctly installed, use this command to do a "dry run": ``` -ansible-playbook -s ansible/*.yaml -i ansible/inventories/production --syntax-check --list-tasks +ansible-playbook -i ansible/inventories/production --syntax-check --list-tasks ansible/*.yaml ``` To do production deployments, you need to obtain SSH and vault keys from your system administrator (who has followed the Ansible guide to set up a vault..), and place these in a `.keys` folder. To deploy a site: ``` -ansible-playbook -s ansible/<*.yaml> -i ansible/inventories/production +ansible-playbook -i ansible/inventories/production ansible/*.yaml ``` For an update release with a specific version, use: @@ -111,7 +113,7 @@ For an update release with a specific version, use: ansible-playbook -s ansible/site.yaml -i ansible/inventories/production --tags release -e gitversion= ``` -We use a StackScript to deploy to Linode, the basic system set up is to have a user in the sudoers and docker group, and a few basic system packages ready. +Once the basic system set up, i.e. you have an `ansible` user in the sudoers and docker group, and a few basic system packages ready. For example, on Ubuntu: 
@@ -119,28 +121,19 @@ For example, on Ubuntu: apt-get install -q -y zip git nginx python-virtualenv python-dev ``` -The order of deployment is: +The typical order of deployment is: -- docker.yaml (base system) - node.yaml - site.yaml +- docker.yaml - harden.yaml -- certbot.yaml - -The last line adds support for Let's Encrypt, which you can configure and enable (updating your Nginx setup) with: - -``` -sudo /opt/certbot/certbot-auto --nginx certonly -``` - -If you do **not** wish to use SSL, delete the last part of your nginx site configuration (/etc/nginx/sites-enabled/...). ### Production releases For further deployment and system maintenance we have a `Makefile` which automates Docker Compose tasks. This should be converted to use [Ansible Container](http://docs.ansible.com/ansible-container/getting_started.html). In the meantime, start a release with Ansible, then complete it using `make`, i.e.: ``` -ansible-playbook -s ansible/site.yaml -i ansible/inventories/production --tags release +ansible-playbook -i ansible/inventories/production --tags release ansible/site.yaml ssh -i .keys/ansible.pem ansible@ "cd && make release" ``` diff --git a/ansible/certbot.yaml b/ansible/certbot.yaml deleted file mode 100644 index a99130c..0000000 --- a/ansible/certbot.yaml +++ /dev/null @@ -1,13 +0,0 @@ -- hosts: webservers - become: true - become_method: 'sudo' - gather_facts: yes - vars: - certbot_auto_renew_user: ansible - certbot_auto_renew_minute: 20 - certbot_auto_renew_hour: 5 - certbot_dir: /opt/certbot - certbot_install_from_source: yes - certbot_version: v0.14.2 - roles: - - geerlingguy.certbot diff --git a/ansible/docker.yaml b/ansible/docker.yaml index d382087..5989910 100644 --- a/ansible/docker.yaml +++ b/ansible/docker.yaml @@ -3,7 +3,5 @@ become_method: 'sudo' gather_facts: yes roles: - - role: docker-ubuntu + - role: geerlingguy.docker docker_users: ansible - - role: docker-compose - docker_compose_version: 1.12.0 
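Review bot: The switch to `geerlingguy.docker` drops the only version pin in this play — `docker_compose_version: 1.12.0` goes away with the removed `docker-compose` role and no equivalent is set under the new role entry — and the role itself is fetched unversioned, since the README's `ansible-galaxy install` list updated in this same commit does not include `geerlingguy.docker` at all. Because the role version decides which Docker engine and compose binary land on the production host, pin both: keep `docker_compose_version: "1.12.0"` (or whatever the Makefile's compose files actually require) under the role entry, assuming the role exposes that variable as the removed one did, and install the role from a `requirements.yml` with an explicit `version:`. The unchanged `docker_users: ansible` line grants the deploy user docker-group membership, which is root-equivalent on the host; that matches the README's stated baseline, but it deserves a comment on the line, e.g. `# docker group is root-equivalent; ansible is already a sudoer per README`.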
diff --git a/ansible/inventories/evolution/group_vars/webservers/vars.yaml b/ansible/inventories/evolution/group_vars/webservers/vars.yaml
new file mode 100644
index 0000000..ef08c51
--- /dev/null
+++ b/ansible/inventories/evolution/group_vars/webservers/vars.yaml
@@ -0,0 +1,29 @@
+---
+
+django_project_name: publichealth
+
+elasticsearch_heap_size: 1g
+
+memcached_memory_allocation_mb: 256
+
+nginx_worker_processes: 2
+nginx_worker_connections: 1024
+
+domain: "{{ vault_domain }}"
+
+allowed_domains: "{{ vault_allowed_domains }}"
+
+django_email_key: "{{ vault_django_email_key }}"
+django_email_domain: "{{ vault_django_email_domain }}"
+django_email_from: "{{ vault_django_email_from }}"
+
+django_secret_key: "{{ vault_django_secret_key }}"
+
+# Default: postgres://postgres:@postgres:5432/postgres
+django_postgres_url: "{{ vault_django_postgres_url }}"
+
+# Default: http://elasticsearch:9200
+django_elasticsearch_url: "{{ vault_django_elasticsearch_url }}"
+
+# Default: redis://redis:6379
+django_redis_url: "{{ vault_django_redis_url }}"
diff --git a/ansible/inventories/evolution/group_vars/webservers/vault.yaml b/ansible/inventories/evolution/group_vars/webservers/vault.yaml
new file mode 100644
index 0000000..1028263
--- /dev/null
+++ b/ansible/inventories/evolution/group_vars/webservers/vault.yaml
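Review bot: The `# Default:` comments above `django_postgres_url`, `django_elasticsearch_url` and `django_redis_url` describe unauthenticated endpoints — `postgres://postgres:@postgres:5432/postgres` is the postgres superuser with an empty password, and the Elasticsearch and Redis URLs carry no credentials at all — without saying where such a default is acceptable. Since these comments are the only guidance an operator filling in `vault.yaml` for the new `evolution` inventory will see, make them state the constraint, e.g. `# Default (compose-internal network only; superuser with empty password): postgres://postgres:@postgres:5432/postgres`, and the same "compose-internal only, no auth" qualifier on the Elasticsearch and Redis lines. A one-line header under `---` noting that every `vault_*` reference in this file must have a matching key in the sibling `vault.yaml` would also help, since nothing else documents that pairing.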
@@ -0,0 +1,46 @@ +$ANSIBLE_VAULT;1.1;AES256 +39623434656631643030663563343865363562353834336262353939666566643961323936316537 +6139376161613163626664323564626134333066346265330a636334616466306464316365653038 +32646430633039303364366163646430633436366664333064393364663132363535666338666137 +3531323636316435640a326135303364623461623434343663343062653434356165356161326365 +66663664643463393964653764376264616166306433343761653037616639326538626531663239 +37376263303237346131326231656439366430373637653634396139333431636565373630626131 +39303661383937346630623830613462393163333032643035313765393030653337363161386364 +36623132353033316239326365343064663130333161353835643935613034303838373861323163 +62363564343531666665356439326139366463646661636534386334323765636336306136623766 +62636534626461326166613934663535633962336130386463633439343434353637396131383633 +61343335393463313433356363366639626535346263333635393039376335343965393138323639 +32386461626164356666386535393365616539323631303265303833373635646339343031346139 +39336332396662636561613636303866303230353866646330306433353938306133336239326431 +65383365313336636166353533363439333739373832353839656139306262366230646631363033 +62653430396463663232613539353135666465666635316432383230306361376330353938356538 +39333566373366323134613262623865383866363163383931386632643131313939346161343438 +38353733393938356266353761326635316239373964656535633937643830373161646661333130 +36646364646361343336326662346361616239653964646537306366333234313833623337653732 +66623238613961303131356632343163323264616664373638653331656561663333306133386630 +62333662306234663036333062646635303662646136396666343535383565386664313239656633 +32663366323964306362346366393734623630376432373936316362616639363636306439623636 +34313165663264653235636632386563323964373863396363303934336138323435333462373033 +34373163623864623836646435333730386137383634333066653865666331303438616462366134 
+63343837373130616638646338643339393432343130323838303837636566626436336538396463 +65393332343964663233623634363234643266386634336231303930396463303537373466633565 +64393966306161336265393936656364383237363065326130356331643766383166656536643263 +32636236333637663737366666616461653939303033643730623137353735663234636438623431 +38623931343939376661633438336563383365633336343563646134376230613930626461383133 +39616535646166333435363234643939376464323730333263633333616531393666363561633133 +36396464383662623439616630633361316339306139393434383932663464653634393064343061 +63643338396432326539363166366163373336616137326566643764303361636130613439663036 +38376261326333373061653862663833313563363537373534336638656632313033616238393638 +63353435613231316439366535656139623366333534303662323839336232646636346166653866 +36633138396363616663306535353432313938306535376361353065323935303266386332343730 +36346335386238666235333263626265353431616262313537396336353232363964316538303363 +36303165313462653336653863343233323336383835336230393836343332376165653866643738 +65393734393037303162653930313564303837353631623632343561336561383062613363653238 +37353234616333356432643731343535313434613534323835613465656432333735643863386264 +61653235333239663739353738323264333930653337323431666461636265383836663539323531 +39633761323536306536633064666161383839626437666430613963353430366435383630386232 +35646439303031643035616133326433326163333830643436663262633665653365343830653630 +37613235623462623937383330656530363033336636653534316235636336636137333537393434 +33663664303437396632663630643166393631613566646165386333363035373733393333623365 +62313862383432396362363565636361623630313161653436633366323836333566396363313535 +39623166313239663638643134613364623934303438313136353562633962336538 diff --git a/ansible/inventories/evolution/webservers b/ansible/inventories/evolution/webservers new file mode 100644 index 0000000..e0cca49 --- /dev/null +++ b/ansible/inventories/evolution/webservers 
@@ -0,0 +1,13 @@ +$ANSIBLE_VAULT;1.1;AES256 +61393361636537666237333561613438353833396362323665653635333365313632663138393464 +3235343235373336386135306436373332613033303034330a353536663964306266376662366263 +63346635333630656238366566666463373536323536396566363163393932613130623366323334 +3730333438326538380a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diff --git a/ansible/roles/dev-sec.nginx-hardening/meta/.galaxy_install_info b/ansible/roles/dev-sec.nginx-hardening/meta/.galaxy_install_info index 9a76547..9266ae8 100644 --- a/ansible/roles/dev-sec.nginx-hardening/meta/.galaxy_install_info +++ b/ansible/roles/dev-sec.nginx-hardening/meta/.galaxy_install_info @@ -1 +1,2 @@ -{install_date: 'Mon Dec 17 12:48:14 2018', version: 2.1.0} +install_date: Fri May 15 20:29:19 2020 +version: 2.1.0 diff --git a/ansible/roles/dev-sec.os-hardening/.github/workflows/changelog.yml b/ansible/roles/dev-sec.os-hardening/.github/workflows/changelog.yml new file mode 100644 index 0000000..99857c7 --- /dev/null +++ b/ansible/roles/dev-sec.os-hardening/.github/workflows/changelog.yml @@ -0,0 +1,34 @@ +name: Create Changelog + +on: + pull_request: + types: [closed] + + release: + types: [published] + + issues: + types: [closed, edited] + +jobs: + generate_changelog: + runs-on: ubuntu-latest + name: Generate changelog for master branch + steps: + - uses: actions/checkout@v1 + + - name: Generate changelog + uses: charmixer/auto-changelog-action@v1 + with: + token: ${{ secrets.GITHUB_TOKEN }} + + - name: push + uses: github-actions-x/commit@v2.6 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + push-branch: 'master' + commit-message: 'update changelog' + force-add: 'true' + files: CHANGELOG.md + name: dev-sec CI + email: github@gumpri.ch diff --git a/ansible/roles/dev-sec.os-hardening/.github/workflows/release.yml b/ansible/roles/dev-sec.os-hardening/.github/workflows/release.yml new file mode 100644 index 0000000..34cf1cf --- /dev/null 
+++ b/ansible/roles/dev-sec.os-hardening/.github/workflows/release.yml @@ -0,0 +1,50 @@ +name: New release + +on: + push: + branches: + - master + +jobs: + generate_changelog: + runs-on: ubuntu-latest + name: create release draft + steps: + - uses: actions/checkout@v1 + + - name: 'Get Previous tag' + id: previoustag + uses: "WyriHaximus/github-action-get-previous-tag@master" + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + + - name: calculate next version + id: version + uses: patrickjahns/version-drafter-action@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Generate changelog + uses: charmixer/auto-changelog-action@v1 + with: + token: ${{ secrets.GITHUB_TOKEN }} + since_tag: ${{ steps.previoustag.outputs.tag }} + future_release: ${{ steps.version.outputs.next-version }} + + - name: Read CHANGELOG.md + id: package + uses: juliangruber/read-file-action@v1 + with: + path: ./CHANGELOG.md + + - name: Create Release draft + id: create_release + uses: actions/create-release@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token + with: + release_name: ${{ steps.version.outputs.next-version }} + tag_name: ${{ steps.version.outputs.next-version }} + body: | + ${{ steps.package.outputs.content }} + draft: true diff --git a/ansible/roles/dev-sec.os-hardening/.kitchen.vagrant.yml b/ansible/roles/dev-sec.os-hardening/.kitchen.vagrant.yml index 500b90c..ab58ecd 100644 --- a/ansible/roles/dev-sec.os-hardening/.kitchen.vagrant.yml +++ b/ansible/roles/dev-sec.os-hardening/.kitchen.vagrant.yml 
@@ -16,47 +16,47 @@ provisioner: require_ruby_for_busser: false ansible_verbose: true roles_path: ../ansible-os-hardening/ - playbook: default.yml + playbook: tests/test.yml http_proxy: <%= ENV['http_proxy'] || nil %> https_proxy: <%= ENV['https_proxy'] || nil %> transport: - max_ssh_sessions: 5 + max_ssh_sessions: 1 platforms: -- name: ubuntu14.04 +- name: ubuntu-16.04 driver_config: - box: opscode-ubuntu-14.04 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box -- name: ubuntu16.04 + box: bento/ubuntu-16.04 +- name: ubuntu-18.04 driver_config: - box: opscode-ubuntu-16.04 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-16.04_chef-provisionerless.box -- name: ubuntu18.04 + box: bento/ubuntu-18.04 +- name: centos-6 driver_config: - box: ubuntu/bionic64 -- name: centos6 + box: bento/centos-6.7 +- name: centos-7 driver_config: - box: bento/centos-6.9 -- name: centos7 + box: bento/centos-7 +- name: centos-8 driver_config: - box: bento/centos-7.3 -- name: oracle6 + box: bento/centos-8 +- name: oracle-6 driver_config: - box: oracle-6.5 - box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box -- name: oracle7 + box: bento/oracle-6 +- name: oracle-7 driver_config: - box: boxcutter/ol72 -- name: debian7 + box: bento/oracle-7 +- name: debian-9 driver_config: - box: bento/debian-7.11 -- name: debian8 + box: bento/debian-9 +- name: debian-10 driver_config: - box: bento/debian-8.8 -- name: debian9 + box: bento/debian-10 +- name: amazon driver_config: - box: bento/debian-9.0 + box: bento/amazonlinux-2 +- name: opensuse_tumbleweed + driver_config: + box: opensuse/Tumbleweed.x86_64 verifier: name: inspec diff --git a/ansible/roles/dev-sec.os-hardening/.kitchen.yml b/ansible/roles/dev-sec.os-hardening/.kitchen.yml index 5fa1108..cceda4e 100644 --- a/ansible/roles/dev-sec.os-hardening/.kitchen.yml 
+++ b/ansible/roles/dev-sec.os-hardening/.kitchen.yml @@ -7,7 +7,7 @@ driver: https_proxy: <%= ENV['https_proxy'] || nil %> transport: - max_ssh_sessions: 5 + max_ssh_sessions: 1 provisioner: name: ansible_playbook @@ -17,7 +17,7 @@ provisioner: require_ruby_for_busser: false ansible_verbose: true ansible_diff: true - hosts: all + roles_path: ../ansible-os-hardening/ http_proxy: <%= ENV['http_proxy'] || nil %> https_proxy: <%= ENV['https_proxy'] || nil %> @@ -36,6 +36,14 @@ platforms: provision_command: - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - systemctl enable sshd.service +- name: centos8-ansible-latest + driver: + image: rndmh3ro/docker-centos8-ansible:latest + platform: centos + run_command: /sbin/init + provision_command: + - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - systemctl enable sshd.service - name: oracle6-ansible-latest driver: image: rndmh3ro/docker-oracle6-ansible:latest @@ -48,10 +56,6 @@ platforms: provision_command: - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - systemctl enable sshd.service -- name: ubuntu1404-ansible-latest - driver: - image: rndmh3ro/docker-ubuntu1404-ansible:latest - platform: ubuntu - name: ubuntu1604-ansible-latest driver: image: rndmh3ro/docker-ubuntu1604-ansible:latest @@ -66,14 +70,6 @@ platforms: run_command: /sbin/init provision_command: - systemctl enable ssh.service -- name: debian7-ansible-latest - driver: - image: rndmh3ro/docker-debian7-ansible:latest - platform: debian -- name: debian8-ansible-latest - driver: - image: rndmh3ro/docker-debian8-ansible:latest - platform: debian - name: debian9-ansible-latest driver: image: rndmh3ro/docker-debian9-ansible:latest 
@@ -82,6 +78,14 @@ platforms: provision_command: - apt install -y systemd-sysv - systemctl enable ssh.service +- name: debian10-ansible-latest + driver: + image: rndmh3ro/docker-debian10-ansible:latest + platform: debian + run_command: /sbin/init + provision_command: + - apt install -y systemd-sysv + - systemctl enable ssh.service - name: amazon-ansible-latest driver: image: rndmh3ro/docker-amazon-ansible:latest @@ -90,6 +94,23 @@ platforms: provision_command: - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - systemctl enable sshd.service +- name: fedora-ansible-latest + driver: + image: rndmh3ro/docker-fedora-ansible:latest + platform: centos + run_command: /sbin/init + provision_command: + - dnf install -y python + - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - systemctl enable sshd.service +- name: opensuse_tumbleweed-ansible-latest + driver: + image: rndmh3ro/docker-opensuse_tumbleweed-ansible + platform: opensuse + provision_command: + - zypper -n install python-xml rpm-python + - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - systemctl enable sshd.service verifier: name: inspec diff --git a/ansible/roles/dev-sec.os-hardening/.travis.yml b/ansible/roles/dev-sec.os-hardening/.travis.yml index c89b5ac..ed74614 100644 --- a/ansible/roles/dev-sec.os-hardening/.travis.yml +++ b/ansible/roles/dev-sec.os-hardening/.travis.yml @@ -11,6 +11,16 @@ env: run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" version: latest + - distro: centos8 + init: /lib/systemd/systemd + run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" + version: latest + + - distro: fedora + init: /lib/systemd/systemd + run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" + version: latest + - distro: oracle6 version: latest init: /sbin/init 
@@ -20,10 +30,6 @@ env: # run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" # version: latest - - distro: ubuntu1404 - version: latest - init: /sbin/init - - distro: ubuntu1604 version: latest init: /lib/systemd/systemd @@ -34,16 +40,12 @@ env: init: /lib/systemd/systemd run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - distro: debian7 + - distro: debian9 version: latest - init: /sbin/init - - - distro: debian8 - version: latest - init: /sbin/init + init: /lib/systemd/systemd run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - distro: debian9 + - distro: debian10 version: latest init: /lib/systemd/systemd run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" 
@@ -53,17 +55,28 @@ env: version: latest run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" + # - distro: opensuse_tumbleweed + # init: /usr/lib/systemd/systemd + # version: latest + # run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro --volume=/run:/run:ro" + before_install: # Pull container - 'docker pull rndmh3ro/docker-${distro}-ansible:${version}' script: + - pip install --user ansible-lint + - ansible-lint ./ + - container_id=$(mktemp) # Run container in detached state. - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-os-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"' + # Output Ansible version from docker image + - 'docker exec "$(cat ${container_id})" ansible-playbook --version' + # Test role. - - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/tests/test.yml --diff --skip-tags "sysctl"' + - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/tests/test.yml --diff' # Verify role - 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --controls=os-01 os-02 os-03 os-04 os-05 os-05b os-06 os-07 os-09 os-10 os-11 package-01 package-02 package-03 package-05 package-06 package-08 package-09 --no-distinct-exit' diff --git a/ansible/roles/dev-sec.os-hardening/CHANGELOG.md b/ansible/roles/dev-sec.os-hardening/CHANGELOG.md index 4e698ce..faa840e 100644 --- a/ansible/roles/dev-sec.os-hardening/CHANGELOG.md +++ b/ansible/roles/dev-sec.os-hardening/CHANGELOG.md 
@@ -1,6 +1,113 @@ -# Change Log +# Changelog + +## [Unreleased](https://github.com/dev-sec/ansible-os-hardening/tree/HEAD) + +[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.0...HEAD) + +**Implemented enhancements:** + +- add changelog and release workflow [\#271](https://github.com/dev-sec/ansible-os-hardening/pull/271) ([rndmh3ro](https://github.com/rndmh3ro)) +- github action for changelog generation [\#270](https://github.com/dev-sec/ansible-os-hardening/pull/270) ([rndmh3ro](https://github.com/rndmh3ro)) + +## [6.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.0) (2020-05-05) + +[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.2.1...6.0.0) + +**Implemented enhancements:** + +- Configure audit=1 for more accurate auid auditing [\#253](https://github.com/dev-sec/ansible-os-hardening/issues/253) +- Add Debian Buster support for ansible-os-hardening [\#233](https://github.com/dev-sec/ansible-os-hardening/issues/233) +- Add CentOS 8 support for ansible-os-hardening [\#232](https://github.com/dev-sec/ansible-os-hardening/issues/232) +- Add selinux configuration [\#154](https://github.com/dev-sec/ansible-os-hardening/issues/154) +- Make useradd defaults in login.defs dependent on OS [\#266](https://github.com/dev-sec/ansible-os-hardening/pull/266) ([Aisbergg](https://github.com/Aisbergg)) +- Add kernel hardening parameters from Tails and CIS Benchmark [\#263](https://github.com/dev-sec/ansible-os-hardening/pull/263) ([kravietz](https://github.com/kravietz)) +- add ansible-lint [\#262](https://github.com/dev-sec/ansible-os-hardening/pull/262) ([rndmh3ro](https://github.com/rndmh3ro)) +- Remove trailing space [\#261](https://github.com/dev-sec/ansible-os-hardening/pull/261) ([kravietz](https://github.com/kravietz)) +- Add kernel parameter information to README [\#259](https://github.com/dev-sec/ansible-os-hardening/pull/259) ([jaredledvina](https://github.com/jaredledvina)) +- Remove trailing 
whitespaces \(ansible-lint 201\) [\#254](https://github.com/dev-sec/ansible-os-hardening/pull/254) ([kravietz](https://github.com/kravietz)) +- Standardize the var ordering [\#251](https://github.com/dev-sec/ansible-os-hardening/pull/251) ([dustinmiller1337](https://github.com/dustinmiller1337)) +- Add intial support for OpenSUSE [\#250](https://github.com/dev-sec/ansible-os-hardening/pull/250) ([dustinmiller1337](https://github.com/dustinmiller1337)) +- Make max\_log\_file\_action for auditd configurable [\#246](https://github.com/dev-sec/ansible-os-hardening/pull/246) ([jandd](https://github.com/jandd)) +- Add exception in sysctl task [\#240](https://github.com/dev-sec/ansible-os-hardening/pull/240) ([okupriyanov](https://github.com/okupriyanov)) +- Fedora - Use new auto ansible\_python\_interpreter for dnf [\#239](https://github.com/dev-sec/ansible-os-hardening/pull/239) ([jaredledvina](https://github.com/jaredledvina)) +- add test support for CentOS8 [\#237](https://github.com/dev-sec/ansible-os-hardening/pull/237) ([yeoldegrove](https://github.com/yeoldegrove)) +- Support configuring SELinux and default to enforcing [\#236](https://github.com/dev-sec/ansible-os-hardening/pull/236) ([jaredledvina](https://github.com/jaredledvina)) +- Add test support for debian buster [\#234](https://github.com/dev-sec/ansible-os-hardening/pull/234) ([123Haynes](https://github.com/123Haynes)) +- Changed local var name to a less common one [\#231](https://github.com/dev-sec/ansible-os-hardening/pull/231) ([rgarrigue](https://github.com/rgarrigue)) +- Use ansible facts for vars [\#226](https://github.com/dev-sec/ansible-os-hardening/pull/226) ([joshuatalb](https://github.com/joshuatalb)) + +**Fixed bugs:** + +- /etc/login.defs alters centos 7/8 default values [\#265](https://github.com/dev-sec/ansible-os-hardening/issues/265) +- Invalid Conditionals in user\_accounts.yml [\#255](https://github.com/dev-sec/ansible-os-hardening/issues/255) +- `auth-system` related files are created 
for non-RHEL systems \(e.g. Debian\) [\#247](https://github.com/dev-sec/ansible-os-hardening/issues/247) +- NSA website links are stale [\#227](https://github.com/dev-sec/ansible-os-hardening/issues/227) +- Running ansible on python3 throughs "TypeError: '\<=' not supported between instances of 'str' and 'int'" [\#223](https://github.com/dev-sec/ansible-os-hardening/issues/223) +- \[lots of\] deprecation warnings in Ansible 2.8 [\#221](https://github.com/dev-sec/ansible-os-hardening/issues/221) +- Add a "don't fail on error" switch ? [\#148](https://github.com/dev-sec/ansible-os-hardening/issues/148) +- Addressing issue \#255 [\#258](https://github.com/dev-sec/ansible-os-hardening/pull/258) ([ljkimmel](https://github.com/ljkimmel)) +- Fix \#247, cleanup conditions [\#248](https://github.com/dev-sec/ansible-os-hardening/pull/248) ([fernandezcuesta](https://github.com/fernandezcuesta)) +- Fix error on applying the sysctl vars on containers [\#243](https://github.com/dev-sec/ansible-os-hardening/pull/243) ([okupriyanov](https://github.com/okupriyanov)) +- Update location of NSA RHEL 5 Guide [\#235](https://github.com/dev-sec/ansible-os-hardening/pull/235) ([jaredledvina](https://github.com/jaredledvina)) + +## [5.2.1](https://github.com/dev-sec/ansible-os-hardening/tree/5.2.1) (2019-06-09) + +[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.2.0...5.2.1) + +**Implemented enhancements:** + +- Fix deprecation warnings in Ansible 2.8 [\#224](https://github.com/dev-sec/ansible-os-hardening/pull/224) ([Normo](https://github.com/Normo)) +- add docs to find-task in minimize access. 
fix \#219 [\#220](https://github.com/dev-sec/ansible-os-hardening/pull/220) ([rndmh3ro](https://github.com/rndmh3ro)) + +**Fixed bugs:** + +- `squash\_actions` deprecation warning [\#218](https://github.com/dev-sec/ansible-os-hardening/issues/218) + +## [5.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/5.2.0) (2019-05-04) + +[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.1.0...5.2.0) + +**Implemented enhancements:** + +- Speed up "minimize access on found files" task [\#208](https://github.com/dev-sec/ansible-os-hardening/issues/208) +- Fedora support? [\#163](https://github.com/dev-sec/ansible-os-hardening/issues/163) +- remove eol'd OS and add new [\#217](https://github.com/dev-sec/ansible-os-hardening/pull/217) ([rndmh3ro](https://github.com/rndmh3ro)) +- Add note about docker under warning [\#214](https://github.com/dev-sec/ansible-os-hardening/pull/214) ([ChrisMcKee](https://github.com/ChrisMcKee)) +- change minimize access tasks to speed them up [\#209](https://github.com/dev-sec/ansible-os-hardening/pull/209) ([rndmh3ro](https://github.com/rndmh3ro)) +- Added fedora support [\#206](https://github.com/dev-sec/ansible-os-hardening/pull/206) ([jonaswre](https://github.com/jonaswre)) +- Pass package list directly to apt and yum modules without using with\_items loop [\#200](https://github.com/dev-sec/ansible-os-hardening/pull/200) ([Normo](https://github.com/Normo)) + +**Fixed bugs:** + +- login.defs.j2 template: ENV\_PATH is missing ':' before variable substitution [\#202](https://github.com/dev-sec/ansible-os-hardening/issues/202) +- 'sysctl\_rhel\_config' is undefined [\#167](https://github.com/dev-sec/ansible-os-hardening/issues/167) +- RHEL 7.4: Too many setuid bits removed [\#140](https://github.com/dev-sec/ansible-os-hardening/issues/140) +- Fix typo [\#212](https://github.com/dev-sec/ansible-os-hardening/pull/212) ([ruslo](https://github.com/ruslo)) +- Update modprobe to 0644 
[\#211](https://github.com/dev-sec/ansible-os-hardening/pull/211) ([joshuatalb](https://github.com/joshuatalb)) +- Test Kitchen Vagrant Fixes [\#210](https://github.com/dev-sec/ansible-os-hardening/pull/210) ([joshuatalb](https://github.com/joshuatalb)) +- \[readme\] Update documentation link [\#207](https://github.com/dev-sec/ansible-os-hardening/pull/207) ([pmav99](https://github.com/pmav99)) +- fix ansible lint remarks [\#204](https://github.com/dev-sec/ansible-os-hardening/pull/204) ([rndmh3ro](https://github.com/rndmh3ro)) +- add colon to user env paths - fix \#202 [\#203](https://github.com/dev-sec/ansible-os-hardening/pull/203) ([rndmh3ro](https://github.com/rndmh3ro)) +- Fix errors produced by ansible-lint [\#159](https://github.com/dev-sec/ansible-os-hardening/pull/159) ([zbrojny120](https://github.com/zbrojny120)) + +## [5.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/5.1.0) (2018-10-17) + +[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.0.0...5.1.0) + +**Implemented enhancements:** + +- add ubuntu 1804 support [\#196](https://github.com/dev-sec/ansible-os-hardening/pull/196) ([rndmh3ro](https://github.com/rndmh3ro)) +- add option to disable auditd [\#192](https://github.com/dev-sec/ansible-os-hardening/pull/192) ([rndmh3ro](https://github.com/rndmh3ro)) + +**Fixed bugs:** + +- auditd causing v5.0 to fail on unpriviledged LXC's [\#191](https://github.com/dev-sec/ansible-os-hardening/issues/191) +- Setting os\_security\_users\_allow has no effect [\#175](https://github.com/dev-sec/ansible-os-hardening/issues/175) +- add /usr/bin/su to suid\_guid whitelist [\#199](https://github.com/dev-sec/ansible-os-hardening/pull/199) ([ccolic](https://github.com/ccolic)) +- ensure that permissions to su-binary are not restricted to root user and group only, if os\_security\_users\_allow contains the value change\_user [\#197](https://github.com/dev-sec/ansible-os-hardening/pull/197) ([szEvEz](https://github.com/szEvEz)) ## 
[5.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/5.0.0) (2018-09-02) + [Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.3.0...5.0.0) **Implemented enhancements:** @@ -34,6 +141,7 @@ - change minimize access method [\#181](https://github.com/dev-sec/ansible-os-hardening/pull/181) ([rndmh3ro](https://github.com/rndmh3ro)) ## [4.3.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.3.0) (2018-01-03) + [Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.3.1...4.3.0) **Implemented enhancements:** @@ -63,6 +171,7 @@ - move defaults to os-specific vars [\#157](https://github.com/dev-sec/ansible-os-hardening/pull/157) ([rndmh3ro](https://github.com/rndmh3ro)) ## [4.3.1](https://github.com/dev-sec/ansible-os-hardening/tree/4.3.1) (2017-09-13) + [Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.2.0...4.3.1) **Fixed bugs:** @@ -70,6 +179,7 @@ - os\_security\_kernel\_enable\_sysrq is not implemented [\#115](https://github.com/dev-sec/ansible-os-hardening/issues/115) ## [4.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.2.0) (2017-08-08) + [Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.1.0...4.2.0) **Implemented enhancements:** @@ -93,6 +203,7 @@ - remove execshield sysctl-parameter on rhel7 [\#119](https://github.com/dev-sec/ansible-os-hardening/pull/119) ([rndmh3ro](https://github.com/rndmh3ro)) ## [4.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.1.0) (2017-06-27) + [Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.0.0...4.1.0) **Fixed bugs:** 
@@ -113,6 +224,7 @@ - add more sysctl settings, allow overwriting [\#120](https://github.com/dev-sec/ansible-os-hardening/pull/120) ([rndmh3ro](https://github.com/rndmh3ro)) ## [4.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.0.0) (2017-03-14) + [Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.2.0...4.0.0) **Implemented enhancements:** @@ -124,7 +236,6 @@ **Fixed bugs:** - The role fails when conditionally included [\#105](https://github.com/dev-sec/ansible-os-hardening/issues/105) -- omit empty variables [\#106](https://github.com/dev-sec/ansible-os-hardening/pull/106) ([rndmh3ro](https://github.com/rndmh3ro)) **Closed issues:** @@ -139,6 +250,7 @@ - Don’t refer to this role as "playbook" in the role description [\#104](https://github.com/dev-sec/ansible-os-hardening/pull/104) ([ypid](https://github.com/ypid)) ## [3.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.2.0) (2016-10-24) + [Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.1.0...3.2.0) **Fixed bugs:** @@ -156,9 +268,11 @@ - add rhel7 pam\_pwquality. fix \#73 [\#94](https://github.com/dev-sec/ansible-os-hardening/pull/94) ([rndmh3ro](https://github.com/rndmh3ro)) ## [3.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.1.0) (2016-08-03) + [Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.1...3.1.0) ## [3.1](https://github.com/dev-sec/ansible-os-hardening/tree/3.1) (2016-07-27) + [Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.0.0...3.1) **Implemented enhancements:** 
@@ -181,7 +295,6 @@ - Permissions on /etc/shadow can lock out GUI users [\#86](https://github.com/dev-sec/ansible-os-hardening/issues/86) - network related sysctl rewritten by ufw in ubuntu [\#82](https://github.com/dev-sec/ansible-os-hardening/issues/82) - ansible \>= 2.0 complains: Using bare variables is deprecated [\#78](https://github.com/dev-sec/ansible-os-hardening/issues/78) -- Norm-Audit-Hardening-Audit [\#76](https://github.com/dev-sec/ansible-os-hardening/issues/76) **Merged pull requests:** @@ -189,6 +302,7 @@ - Permits overriding permissions on /etc/shadow [\#89](https://github.com/dev-sec/ansible-os-hardening/pull/89) ([conorsch](https://github.com/conorsch)) ## [3.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.0.0) (2016-03-13) + [Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/2.0.0...3.0.0) **Implemented enhancements:** @@ -208,7 +322,6 @@ - Updates "tags" parameters on includes in main.yml [\#66](https://github.com/dev-sec/ansible-os-hardening/pull/66) ([conorsch](https://github.com/conorsch)) - Suid set def var, fix \#64 [\#63](https://github.com/dev-sec/ansible-os-hardening/pull/63) ([rndmh3ro](https://github.com/rndmh3ro)) -- ERROR! Include tasks should not specify tags in more than one way [\#60](https://github.com/dev-sec/ansible-os-hardening/pull/60) ([fitz123](https://github.com/fitz123)) **Closed issues:** @@ -221,6 +334,7 @@ - Release 3.0.0 [\#75](https://github.com/dev-sec/ansible-os-hardening/pull/75) ([rndmh3ro](https://github.com/rndmh3ro)) ## [2.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/2.0.0) (2015-11-28) + [Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/1.0.0...2.0.0) **Closed issues:** 
@@ -239,6 +353,9 @@ - improved travis-tests to cover more cases [\#42](https://github.com/dev-sec/ansible-os-hardening/pull/42) ([rndmh3ro](https://github.com/rndmh3ro)) ## [1.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/1.0.0) (2015-09-01) + +[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/06d1464e95cad7ccc24734b934a158b16dfc5014...1.0.0) + **Closed issues:** - ansible-os-hardening/tasks/minimize\_access.yml [\#38](https://github.com/dev-sec/ansible-os-hardening/issues/38) @@ -285,4 +402,4 @@ -\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* \ No newline at end of file +\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)* diff --git a/ansible/roles/dev-sec.os-hardening/Gemfile b/ansible/roles/dev-sec.os-hardening/Gemfile index c11b3bf..3502d8f 100644 --- a/ansible/roles/dev-sec.os-hardening/Gemfile +++ b/ansible/roles/dev-sec.os-hardening/Gemfile @@ -11,6 +11,7 @@ group :integration do gem 'kitchen-sync' gem 'kitchen-transport-rsync' gem 'kitchen-docker' + gem 'inspec', '~> 3' end group :tools do diff --git a/ansible/roles/dev-sec.os-hardening/README.md b/ansible/roles/dev-sec.os-hardening/README.md index f997938..5186dcb 100644 --- a/ansible/roles/dev-sec.os-hardening/README.md +++ b/ansible/roles/dev-sec.os-hardening/README.md 
@@ -35,6 +35,20 @@ It will not: If you're using inspec to test your machines after applying this role, please make sure to add the connecting user to the `os_ignore_users`-variable. Otherwise inspec will fail. For more information, see [issue #124](https://github.com/dev-sec/ansible-os-hardening/issues/124). +If you're using Docker / Kubernetes+Docker you'll need to override the ipv4 ip forward sysctl setting. + +```yaml +- hosts: localhost + roles: + - dev-sec.os-hardening + vars: + sysctl_overwrite: + # Enable IPv4 traffic forwarding. + net.ipv4.ip_forward: 1 +``` + + + ## Variables | Name | Default Value | Description | 
@@ -57,24 +71,27 @@ Otherwise inspec will fail. For more information, see [issue #124](https://githu | `os_security_suid_sgid_blacklist`| [] | a list of paths which should have their SUID/SGID bits removed| | `os_security_suid_sgid_whitelist`| [] | a list of paths which should not have their SUID/SGID bits altered| | `os_security_suid_sgid_remove_from_unknown`| false | true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.| -| `os_security_packages_clean'`| true | removes packages with known issues. See section packages.| +| `os_security_packages_clean`| true | removes packages with known issues. See section packages.| +| `os_selinux_state` | enforcing | Set the SELinux state, can be either disabled, permissive, or enforcing. | +| `os_selinux_policy` | targeted | Set the SELinux polixy. | | `ufw_manage_defaults` | true | true means apply all settings with `ufw_` prefix| | `ufw_ipt_sysctl` | '' | by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example `/etc/ufw/sysctl.conf` | `ufw_default_input_policy` | DROP | set default input policy of ufw to `DROP` | | `ufw_default_output_policy` | ACCEPT | set default output policy of ufw to `ACCEPT` | | `ufw_default_forward_policy` | DROP | set default forward policy of ufw to `DROP` | | `os_auditd_enabled` | true | Set to false to disable installing and configuring auditd. | +| `os_auditd_max_log_file_action` | `keep_logs` | Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`. 
| ## Packages We remove the following packages: - * xinetd ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.1) - * inetd ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.1) - * tftp-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.5) - * ypserv ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.4) - * telnet-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.2) - * rsh-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.3) + * xinetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1) + * inetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1) + * tftp-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.5) + * ypserv ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.4) + * telnet-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.2) + * rsh-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.3) * prelink ([open-scap](https://static.open-scap.org/ssg-guides/ssg-sl7-guide-ospp-rhel7-server.html#xccdf_org.ssgproject.content_rule_disable_prelink)) ## Disabled filesystems 
@@ -92,6 +109,14 @@ We disable the following filesystems, because they're most likely not used: To prevent some of the filesystems from being disabled, add them to the `os_filesystem_whitelist` variable. +## Installation + +Install the role with ansible-galaxy: + +``` +ansible-galaxy install dev-sec.os-hardening +``` + ## Example Playbook ```yaml @@ -115,7 +140,13 @@ So for example if you want to change the IPv4 traffic forwarding variable to `1` net.ipv4.ip_forward: 1 ``` -Alternatively you can change Ansible's [hash-behaviour](https://docs.ansible.com/ansible/intro_configuration.html#hash-behaviour) to `merge`, then you only have to overwrite the single hash you need to. But please be aware that changing the hash-behaviour changes it for all your playbooks and is not recommended by Ansible. +Alternatively you can change Ansible's [hash-behaviour](https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-hash-behaviour) to `merge`, then you only have to overwrite the single hash you need to. But please be aware that changing the hash-behaviour changes it for all your playbooks and is not recommended by Ansible. + +## Improving Kernel Audit logging + +By default, any process that starts before the `auditd` daemon will have an AUID of `4294967295`. To improve this and provide more accurate logging, it's recommended to add the kernel boot parameter `audit=1` to you configuration. Without doing this, you will find that your `auditd` logs fail to properly audit all processes. + +For more information, please see this [upstream documentation](https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html) and your system's boot loader documentation for how to configure additional kernel parameters. ## Local Testing diff --git a/ansible/roles/dev-sec.os-hardening/default.yml b/ansible/roles/dev-sec.os-hardening/default.yml deleted file mode 100644 index 751aef2..0000000 --- a/ansible/roles/dev-sec.os-hardening/default.yml +++ /dev/null 
@@ -1,74 +0,0 @@ ---- -- name: wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing - hosts: localhost - roles: - - ansible-os-hardening - pre_tasks: - - name: Run the equivalent of "apt-get update" as a separate step - apt: - update_cache: yes - when: ansible_os_family == 'Debian' - - name: Install firefox to get Xorg - package: - name: firefox - state: present - vars: - os_security_users_allow: change_user - os_security_kernel_enable_core_dump: false - os_security_suid_sgid_remove_from_unknown: true - os_auth_pam_passwdqc_enable: false - os_desktop_enable: true - os_env_extra_user_paths: ['/home'] - os_auth_allow_homeless: true - os_security_suid_sgid_blacklist: ['/bin/umount'] - os_security_suid_sgid_whitelist: ['/usr/bin/rlogin'] - os_filesystem_whitelist: ['vfat'] - sysctl_config: - net.ipv4.ip_forward: 0 - net.ipv6.conf.all.forwarding: 0 - net.ipv6.conf.all.accept_ra: 0 - net.ipv6.conf.default.accept_ra: 0 - net.ipv4.conf.all.rp_filter: 1 - net.ipv4.conf.default.rp_filter: 1 - net.ipv4.icmp_echo_ignore_broadcasts: 1 - net.ipv4.icmp_ignore_bogus_error_responses: 1 - net.ipv4.icmp_ratelimit: 100 - net.ipv4.icmp_ratemask: 88089 - net.ipv6.conf.all.disable_ipv6: 1 - net.ipv4.conf.all.arp_ignore: 1 - net.ipv4.conf.all.arp_announce: 2 - net.ipv4.conf.all.shared_media: 1 - net.ipv4.conf.default.shared_media: 1 - net.ipv4.conf.all.accept_source_route: 0 - net.ipv4.conf.default.accept_source_route: 0 - net.ipv4.conf.default.accept_redirects: 0 - net.ipv4.conf.all.accept_redirects: 0 - net.ipv4.conf.all.secure_redirects: 0 - net.ipv4.conf.default.secure_redirects: 0 - net.ipv6.conf.default.accept_redirects: 0 - net.ipv6.conf.all.accept_redirects: 0 - net.ipv4.conf.all.send_redirects: 0 - net.ipv4.conf.default.send_redirects: 0 - net.ipv4.conf.all.log_martians: 1 - net.ipv6.conf.default.router_solicitations: 0 - net.ipv6.conf.default.accept_ra_rtr_pref: 0 - net.ipv6.conf.default.accept_ra_pinfo: 0 - 
net.ipv6.conf.default.accept_ra_defrtr: 0 - net.ipv6.conf.default.autoconf: 0 - net.ipv6.conf.default.dad_transmits: 0 - net.ipv6.conf.default.max_addresses: 1 - kernel.sysrq: 0 - fs.suid_dumpable: 0 - kernel.randomize_va_space: 2 - - -- name: wrapper playbook for kitchen testing "ansible-os-hardening" - hosts: localhost - pre_tasks: - - name: Run the equivalent of "apt-get update" as a separate step - apt: - update_cache: yes - when: ansible_os_family == 'Debian' - roles: - - ansible-os-hardening - diff --git a/ansible/roles/dev-sec.os-hardening/defaults/main.yml b/ansible/roles/dev-sec.os-hardening/defaults/main.yml index 4c3e181..e047f49 100644 --- a/ansible/roles/dev-sec.os-hardening/defaults/main.yml +++ b/ansible/roles/dev-sec.os-hardening/defaults/main.yml @@ -27,7 +27,7 @@ os_security_suid_sgid_remove_from_unknown: false # remove packages with known issues os_security_packages_clean: true -os_security_packages_list: ['xinetd','inetd','ypserv','telnet-server','rsh-server', 'prelink'] +os_security_packages_list: ['xinetd', 'inetd', 'ypserv', 'telnet-server', 'rsh-server', 'prelink'] # Allow interactive startup (rhel, centos) os_security_init_prompt: true 
@@ -175,17 +175,6 @@ sysctl_config: kernel.core_uses_pid: 1 - # When an attacker is trying to exploit the local kernel, it is often - # helpful to be able to examine where in memory the kernel, modules, - # and data structures live. As such, kernel addresses should be treated - # as sensitive information. - # - # Many files and interfaces contain these addresses (e.g. /proc/kallsyms, - # /proc/modules, etc), and this setting can censor the addresses. A value - # of "0" allows all users to see the kernel addresses. A value of "1" - # limits visibility to the root user, and "2" blocks even the root user. - kernel.kptr_restrict: 1 - # The PTRACE system is used for debugging. With it, a single user process # can attach to any other dumpable process owned by the same user. In the # case of malicious software, it is possible to use PTRACE to access 
@@ -226,6 +215,33 @@ sysctl_config: fs.protected_hardlinks: 1 fs.protected_symlinks: 1 + # These settings are set to the maximum supported value in order to + # improve ASLR effectiveness for mmap, at the cost of increased + # address-space fragmentation. | Tail-1 + vm.mmap_rnd_bits: 32 + vm.mmap_rnd_compat_bits: 16 + + # When an attacker is trying to exploit the local kernel, it is often + # helpful to be able to examine where in memory the kernel, modules, + # and data structures live. As such, kernel addresses should be treated + # as sensitive information. + # + # Many files and interfaces contain these addresses (e.g. /proc/kallsyms, + # /proc/modules, etc), and this setting can censor the addresses. A value + # of "0" allows all users to see the kernel addresses. A value of "1" + # limits visibility to the root user, and "2" blocks even the root user. + # + # Some off-the-shelf malware exploit kernel addresses exposed + # via /proc/kallsyms so by not making these addresses easily available + # we increase the cost of such attack some what; now such malware has + # to check which kernel Tails is running and then fetch the corresponding + # kernel address map from some external source. This is not hard, + # but certainly not all malware has such functionality. | Tails-2 + kernel.kptr_restrict: 2 + + # kexec is dangerous: it enables replacement of the running kernel. | Tails-3 + kernel.kexec_load_disabled: 1 + # Do not delete the following line or otherwise the playbook will fail # at task 'create a combined sysctl-dict if overwrites are defined' sysctl_overwrite: @@ -240,6 +256,12 @@ os_unused_filesystems: - "squashfs" - "udf" - "vfat" + # Obsolete network protocols that should be disabled + # per CIS Oracle Linux 6 Benchmark (2016) + - "tipc" # CIS 3.5.4 + - "sctp" # CIS 3.5.2 + - "dccp" # CIS 3.5.1 + - "rds" # CIS 3.5.3 # whitelist for used filesystems os_filesystem_whitelist: [] 
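Review bot: The comment above `vm.mmap_rnd_bits: 32` and `vm.mmap_rnd_compat_bits: 16` calls these "the maximum supported value", but the accepted range of both knobs is architecture-specific (bounded by the kernel's CONFIG_ARCH_MMAP_RND_BITS_MIN/MAX; 32 is the x86_64 ceiling), and the sysctl task in this same commit runs with `ignoreerrors: yes`, so on a host where the value is out of range or the knob does not exist the setting is dropped without any failure. Consider rewording to something like `# Maximum for x86_64; other architectures accept a smaller range and silently skip this because the sysctl task ignores errors.` `kernel.kexec_load_disabled: 1` deserves a similar caveat: it is a latch that cannot be cleared again until reboot, and if a kdump service loads its crash kernel after this sysctl is applied that load will be refused, so hosts relying on kdump need to override it via `sysctl_overwrite`.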
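Review bot: The four new entries `tipc`, `sctp`, `dccp` and `rds` are network-protocol kernel modules, not filesystems, yet they are appended to `os_unused_filesystems` and the only opt-out is `os_filesystem_whitelist`, so an operator looking for the knob to keep one of them will not find it under those names. At minimum the comment should say so, e.g. `# Not filesystems: network protocol modules disabled through the same modprobe blacklist; keep one by adding it to os_filesystem_whitelist.` (presumably the list feeds the /etc/modprobe.d/dev-sec.conf template, which this hunk does not show). SCTP in particular is still in active use (for example by Kubernetes SCTP services and some clustering stacks), so the README's "Disabled filesystems" section should state that this version now blocks these protocols and how to whitelist one.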
@@ -250,3 +272,9 @@ os_hardening_enabled: true # Set to false to disable installing and configuring auditd. os_auditd_enabled: true +os_auditd_max_log_file_action: keep_logs + +# Set the SELinux state, can be either disabled, permissive, or enforcing. +os_selinux_state: enforcing +# Set the SELinux polixy. +os_selinux_policy: targeted diff --git a/ansible/roles/dev-sec.os-hardening/handlers/main.yml b/ansible/roles/dev-sec.os-hardening/handlers/main.yml new file mode 100644 index 0000000..63aa505 --- /dev/null +++ b/ansible/roles/dev-sec.os-hardening/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: update-initramfs + command: 'update-initramfs -u' diff --git a/ansible/roles/dev-sec.os-hardening/meta/.galaxy_install_info b/ansible/roles/dev-sec.os-hardening/meta/.galaxy_install_info index 9f275e5..099ab8c 100644 --- a/ansible/roles/dev-sec.os-hardening/meta/.galaxy_install_info +++ b/ansible/roles/dev-sec.os-hardening/meta/.galaxy_install_info @@ -1 +1,2 @@ -{install_date: 'Mon Dec 17 12:48:33 2018', version: 5.1.0} +install_date: Fri May 15 20:29:23 2020 +version: 6.0.1 diff --git a/ansible/roles/dev-sec.os-hardening/meta/main.yml b/ansible/roles/dev-sec.os-hardening/meta/main.yml index b09b2d5..1da0085 100644 --- a/ansible/roles/dev-sec.os-hardening/meta/main.yml +++ b/ansible/roles/dev-sec.os-hardening/meta/main.yml @@ -1,7 +1,7 @@ --- galaxy_info: author: "Sebastian Gumprich" - description: 'This Ansible role provides numerous security-related configurations, providing all-round base protection.' + description: 'This role provides numerous security-related configurations, providing all-round base protection.' company: Hardening Framework Team license: Apache License 2.0 min_ansible_version: '2.5' 
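Review bot: The comment `# Set the SELinux polixy.` has a typo (`policy`), and the same misspelling is copied into the README table in this commit. The new default `os_selinux_state: enforcing` also says nothing about what it does to an existing host: as far as the visible gate in hardening.yml (`ansible_facts.selinux.status == 'enabled'`) goes, a host that is currently permissive will be switched to enforcing on the next run, so a short comment at the definition such as `# Hosts currently in permissive mode are switched to enforcing by default; set to permissive and review AVC denials first if unsure.` would make that visible where the default lives.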
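Review bot: The new `update-initramfs` handler replaces a task that ran immediately when `initramfs.changed` was set (sysctl.yml hunk in this commit), and handlers only run at the end of the play; if any later task fails, the module list written by the template will have changed on disk while the initramfs is not rebuilt, leaving the two out of sync until the next successful run or a run with `--force-handlers`. If the old run-right-away behaviour is wanted, add `- meta: flush_handlers` directly after the template task in sysctl.yml. As far as that hunk shows, the retained `register: initramfs` no longer has a consumer and can be dropped.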
@@ -10,17 +10,18 @@ galaxy_info: versions: - 6 - 7 + - 8 - name: Ubuntu versions: - - precise - - trusty - xenial - bionic - name: Debian versions: - - wheezy - - jessie + - stretch + - buster - name: Amazon + - name: Fedora + - name: openSUSE galaxy_tags: - system - security diff --git a/ansible/roles/dev-sec.os-hardening/tasks/apt.yml b/ansible/roles/dev-sec.os-hardening/tasks/apt.yml index b3ceff3..9eabf31 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/apt.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/apt.yml @@ -1,8 +1,6 @@ --- - name: remove deprecated or insecure packages | package-01 - package-09 apt: - name: '{{ item }}' + name: '{{ os_security_packages_list }}' state: 'absent' - with_items: - - '{{ os_security_packages_list }}' - when: 'os_security_packages_clean' + when: os_security_packages_clean | bool diff --git a/ansible/roles/dev-sec.os-hardening/tasks/find_files.yml b/ansible/roles/dev-sec.os-hardening/tasks/find_files.yml deleted file mode 100644 index 0891332..0000000 --- a/ansible/roles/dev-sec.os-hardening/tasks/find_files.yml +++ /dev/null @@ -1,12 +0,0 @@ -- name: find directories for minimizing access - find: - paths: '{{ outer_item }}' - recurse: yes - register: minimize_access_directories - -- name: minimize access on found files - file: - path: '{{ item.path }}' - mode: 'go-w' - state: file - with_items: '{{ minimize_access_directories.files }}' diff --git a/ansible/roles/dev-sec.os-hardening/tasks/hardening.yml b/ansible/roles/dev-sec.os-hardening/tasks/hardening.yml index 0564dcc..3f309f0 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/hardening.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/hardening.yml 
@@ -1,21 +1,21 @@ --- - name: Set OS family dependent variables - include_vars: '{{ ansible_os_family }}.yml' + include_vars: '{{ ansible_facts.os_family }}.yml' tags: always - name: Set OS dependent variables include_vars: '{{ item }}' with_first_found: - files: - - '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml' - - '{{ ansible_distribution }}.yml' - - '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml' + - '{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_major_version }}.yml' + - '{{ ansible_facts.distribution }}.yml' + - '{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml' skip: true tags: always - import_tasks: auditd.yml tags: auditd - when: os_auditd_enabled + when: os_auditd_enabled | bool - import_tasks: limits.yml tags: limits @@ -39,7 +39,7 @@ tags: securetty - import_tasks: suid_sgid.yml - when: os_security_suid_sgid_enforce + when: os_security_suid_sgid_enforce | bool tags: suid_sgid - import_tasks: sysctl.yml @@ -52,9 +52,14 @@ tags: rhosts - import_tasks: yum.yml - when: ansible_os_family == 'RedHat' + when: ansible_facts.os_family == 'RedHat' tags: yum - import_tasks: apt.yml - when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' + when: ansible_facts.distribution == 'Debian' or ansible_facts.distribution == 'Ubuntu' tags: apt + +- import_tasks: selinux.yml + tags: selinux + when: + - ansible_facts.selinux.status == 'enabled' diff --git a/ansible/roles/dev-sec.os-hardening/tasks/limits.yml b/ansible/roles/dev-sec.os-hardening/tasks/limits.yml index ed78780..804cbad 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/limits.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/limits.yml 
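Review bot: The new `selinux.yml` import is gated on `ansible_facts.selinux.status == 'enabled'`, which silently skips the task for every other value — including the `Missing selinux Python library` status Ansible reports when the libselinux Python bindings are absent on the target — so a host meant to end up enforcing can stay permissive with no failure in the play. Consider reporting that case rather than skipping it, e.g. an `assert` that `ansible_facts.selinux.status != 'Missing selinux Python library'` on RedHat-family hosts, or at least documenting the bindings as a prerequisite. Separately, meta/main.yml in this commit adds openSUSE as a supported platform, but package removal is only imported for `ansible_facts.os_family == 'RedHat'` (yum.yml) and for Debian/Ubuntu (apt.yml), so `os_security_packages_list` is never enforced on Suse-family hosts; either add a zypper path or drop the platform claim.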
@@ -9,14 +9,14 @@ mode: '0755' state: 'directory' - - name: create aditional limits config file -> 10.hardcore.conf | sysctl-31a, sysctl-31b + - name: create additional limits config file -> 10.hardcore.conf | sysctl-31a, sysctl-31b pam_limits: dest: '/etc/security/limits.d/10.hardcore.conf' domain: '*' limit_type: hard limit_item: core - value: 0 - comment: Prevent core dumps for all users. These are usually only needed by developers and may contain sensitive information + value: '0' + comment: Prevent core dumps for all users. These are usually not needed and may contain sensitive information - name: set 10.hardcore.conf perms to 0400 and root ownership file: @@ -25,10 +25,10 @@ group: 'root' mode: '0440' - when: 'not os_security_kernel_enable_core_dump' + when: not os_security_kernel_enable_core_dump | bool - name: remove 10.hardcore.conf config file file: path: /etc/security/limits.d/10.hardcore.conf state: absent - when: 'os_security_kernel_enable_core_dump' + when: os_security_kernel_enable_core_dump | bool diff --git a/ansible/roles/dev-sec.os-hardening/tasks/login_defs.yml b/ansible/roles/dev-sec.os-hardening/tasks/login_defs.yml index 165e615..499f2a7 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/login_defs.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/login_defs.yml @@ -6,4 +6,3 @@ owner: 'root' group: 'root' mode: '0444' - diff --git a/ansible/roles/dev-sec.os-hardening/tasks/main.yml b/ansible/roles/dev-sec.os-hardening/tasks/main.yml index 33eb1ea..3571b6f 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/main.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/main.yml @@ -1,4 +1,4 @@ --- -- include_tasks: hardening.yml - when: os_hardening_enabled +- import_tasks: hardening.yml + when: os_hardening_enabled | bool diff --git a/ansible/roles/dev-sec.os-hardening/tasks/minimize_access.yml b/ansible/roles/dev-sec.os-hardening/tasks/minimize_access.yml index c9121fc..1b5f94b 100644 
--- a/ansible/roles/dev-sec.os-hardening/tasks/minimize_access.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/minimize_access.yml @@ -1,16 +1,31 @@ --- -# Using a two-pass approach for checking directories in order to support symlinks. -- include_tasks: find_files.yml - loop_control: - loop_var: outer_item - loop: +# If the find-task throws an error on /usr/bin/X11 like "File system loop detected" +# the other files inside /usr/bin (and all other directories) are +# still getting found and the permissions minimized in the next task. +# This is also the reason why there's ignore_errors: true on the task. +# also see: https://github.com/dev-sec/ansible-os-hardening/issues/219 +- name: find files with write-permissions for group + shell: "find -L {{ item }} -perm /go+w -type f" # noqa 305 + with_flattened: - '/usr/local/sbin' - '/usr/local/bin' - '/usr/sbin' - '/usr/bin' - '/sbin' - '/bin' - - '{{ os_env_extra_user_paths }}' + - "{{ os_env_extra_user_paths }}" # noqa 104 + register: minimize_access_directories + ignore_errors: true + changed_when: false + +- name: minimize access on found files + file: + path: '{{ item.1 }}' + mode: 'go-w' + state: file + with_subelements: + - "{{ minimize_access_directories.results }}" + - stdout_lines - name: change shadow ownership to root and mode to 0600 | os-02 file: diff --git a/ansible/roles/dev-sec.os-hardening/tasks/modprobe.yml b/ansible/roles/dev-sec.os-hardening/tasks/modprobe.yml index 98f36dc..bccb54b 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/modprobe.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/modprobe.yml @@ -1,7 +1,7 @@ --- - name: install modprobe to disable filesystems | os-10 package: - name: '{{modprobe_package}}' + name: '{{ modprobe_package }}' state: 'present' - name: check if efi is installed @@ -20,5 +20,4 @@ dest: '/etc/modprobe.d/dev-sec.conf' owner: 'root' group: 'root' - mode: '0640' - + mode: '0644' 
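Review bot: In `shell: "find -L {{ item }} -perm /go+w -type f"` the path is interpolated into a shell command unquoted, and the loop includes the operator-supplied `os_env_extra_user_paths`; an entry containing whitespace or shell metacharacters is split or interpreted by the shell instead of being passed as a path. Apply the quote filter, `shell: "find -L {{ item | quote }} -perm /go+w -type f"`, or use `command:` with an argv list, which also removes the need for the `# noqa 305` waiver. Note too that `-L` combined with the `file` module's default symlink following means a writable file reached through a symlink in these directories gets its mode changed wherever it actually lives; the comment that explained the symlink handling was removed in this hunk and is worth restoring in the new header comment.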
diff --git a/ansible/roles/dev-sec.os-hardening/tasks/pam.yml b/ansible/roles/dev-sec.os-hardening/tasks/pam.yml index 91d8e2c..1beeac4 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/pam.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/pam.yml @@ -1,7 +1,7 @@ --- - name: update pam on Debian systems command: 'pam-auth-update --package' - when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' + when: ansible_facts.distribution in ['Debian', 'Ubuntu'] changed_when: False environment: DEBIAN_FRONTEND: noninteractive @@ -19,14 +19,18 @@ apt: name: '{{ os_packages_pam_cracklib }}' state: 'absent' - when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable + when: + - ansible_facts.distribution in ['Debian', 'Ubuntu'] + - os_auth_pam_passwdqc_enable - name: install the package for strong password checking apt: name: '{{ os_packages_pam_passwdqc }}' state: 'present' update_cache: 'yes' - when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable + when: + - ansible_facts.distribution in ['Debian', 'Ubuntu'] + - os_auth_pam_passwdqc_enable - name: configure passwdqc template: 
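Review bot: The rewritten `when:` lists in this hunk test `os_auth_pam_passwdqc_enable` bare, while the rest of this commit consistently coerces such flags with `| bool` (hardening.yml, limits.yml, profile.yml, suid_sgid.yml); a value supplied as the string `"false"` from `-e` or an inventory file is truthy in Jinja, so the cracklib removal and the passwdqc install would run when the operator intended the opposite. Use `- os_auth_pam_passwdqc_enable | bool` and, in the negated tasks, `- not os_auth_pam_passwdqc_enable | bool`. The same applies to the pam.yml hunks at @@ -35,19 and @@ -56,31 and to `os_security_kernel_enable_module_loading` in the sysctl.yml hunk at @@ -13,14.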
@@ -35,19 +39,26 @@ mode: '0644' owner: 'root' group: 'root' - when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable + when: + - ansible_facts.distribution in ['Debian', 'Ubuntu'] + - os_auth_pam_passwdqc_enable - name: remove passwdqc apt: name: '{{ os_packages_pam_passwdqc }}' state: 'absent' - when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable + when: + - ansible_facts.distribution in ['Debian', 'Ubuntu'] + - not os_auth_pam_passwdqc_enable - name: install tally2 apt: name: 'libpam-modules' state: 'present' - when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0 + when: + - ansible_facts.distribution in ['Debian', 'Ubuntu'] + - not os_auth_pam_passwdqc_enable + - os_auth_retries > 0 - name: configure tally2 template: 
@@ -56,31 +67,47 @@ mode: '0644' owner: 'root' group: 'root' - when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0 + when: + - ansible_facts.distribution in ['Debian', 'Ubuntu'] + - not os_auth_pam_passwdqc_enable + - os_auth_retries > 0 - name: delete tally2 when retries is 0 file: path: '{{ tally2_path }}' state: 'absent' - when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries == 0 + when: + - ansible_facts.distribution in ['Debian', 'Ubuntu'] + - not os_auth_pam_passwdqc_enable + - os_auth_retries == 0 - name: remove pam_cracklib, because it does not play nice with passwdqc yum: name: '{{ os_packages_pam_cracklib }}' state: 'absent' - when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable + when: + - ansible_facts.os_family == 'RedHat' + - ansible_facts.distribution_major_version|int is version('7', '<') + - ansible_facts.distribution != 'Amazon' + - os_auth_pam_passwdqc_enable - name: install the package for strong password checking yum: name: '{{ os_packages_pam_passwdqc }}' state: 'present' - when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable + when: + - ansible_facts.os_family == 'RedHat' + - ansible_facts.distribution_major_version|int is version('7', '<') + - ansible_facts.distribution != 'Amazon' + - os_auth_pam_passwdqc_enable - name: remove passwdqc yum: name: '{{ os_packages_pam_passwdqc }}' state: 'absent' - when: ansible_os_family == 'RedHat' and not os_auth_pam_passwdqc_enable + when: + - ansible_facts.os_family == 'RedHat' + - not os_auth_pam_passwdqc_enable - name: configure passwdqc and tally via central system-auth confic template: 
@@ -89,11 +116,17 @@ mode: '0640' owner: 'root' group: 'root' + when: ansible_facts.os_family == 'RedHat' + +- name: Gather package facts + package_facts: + manager: auto - name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512 template: - src: 'etc/rhel_libuser.conf.j2' + src: 'etc/libuser.conf.j2' dest: '/etc/libuser.conf' mode: '0640' owner: 'root' group: 'root' + when: "'libuser' in ansible_facts.packages" diff --git a/ansible/roles/dev-sec.os-hardening/tasks/profile.yml b/ansible/roles/dev-sec.os-hardening/tasks/profile.yml index f1edae3..09e4253 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/profile.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/profile.yml @@ -6,10 +6,10 @@ owner: 'root' group: 'root' mode: '0750' - when: not os_security_kernel_enable_core_dump + when: not os_security_kernel_enable_core_dump | bool - name: remove pinerolo_profile.sh from profile.d file: path: /etc/profile.d/pinerolo_profile.sh state: absent - when: os_security_kernel_enable_core_dump + when: os_security_kernel_enable_core_dump | bool diff --git a/ansible/roles/dev-sec.os-hardening/tasks/rhosts.yml b/ansible/roles/dev-sec.os-hardening/tasks/rhosts.yml index bad12c7..494ee0e 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/rhosts.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/rhosts.yml @@ -3,13 +3,13 @@ command: "awk -F: '{print $1}' /etc/passwd" changed_when: False check_mode: False - register: users + register: users_accounts - name: delete rhosts-files from system | os-09 file: dest: '~{{ item }}/.rhosts' state: 'absent' - with_flattened: '{{ users.stdout_lines | default([]) }}' + with_flattened: '{{ users_accounts.stdout_lines | default([]) }}' - name: delete hosts.equiv from system | os-01 file: @@ -20,4 +20,4 @@ file: dest: '~{{ item }}/.netrc' state: 'absent' - with_flattened: '{{ users.stdout_lines | default([]) }}' \ No newline at end of file + with_flattened: '{{ users_accounts.stdout_lines | default([]) }}' 
diff --git a/ansible/roles/dev-sec.os-hardening/tasks/selinux.yml b/ansible/roles/dev-sec.os-hardening/tasks/selinux.yml new file mode 100644 index 0000000..7fa103d --- /dev/null +++ b/ansible/roles/dev-sec.os-hardening/tasks/selinux.yml @@ -0,0 +1,5 @@ +--- +- name: configure selinux | selinux-01 + selinux: + policy: "{{ os_selinux_policy }}" + state: "{{ os_selinux_state }}" diff --git a/ansible/roles/dev-sec.os-hardening/tasks/suid_sgid.yml b/ansible/roles/dev-sec.os-hardening/tasks/suid_sgid.yml index 625b7ff..867766b 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/suid_sgid.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/suid_sgid.yml @@ -13,13 +13,13 @@ - name: find binaries with suid/sgid set | os-06 shell: find / -xdev \( -perm -4000 -o -perm -2000 \) -type f ! -path '/proc/*' -print 2>/dev/null register: sbit_binaries - when: os_security_suid_sgid_remove_from_unknown + when: os_security_suid_sgid_remove_from_unknown | bool changed_when: False - name: gather files from which to remove suids/sgids and remove system white-listed files | os-06 set_fact: suid: '{{ sbit_binaries.stdout_lines | difference(os_security_suid_sgid_system_whitelist) }}' - when: os_security_suid_sgid_remove_from_unknown + when: os_security_suid_sgid_remove_from_unknown | bool - name: remove suid/sgid bit from all binaries except in system and user whitelist | os-06 file: @@ -29,4 +29,4 @@ follow: 'yes' with_flattened: - '{{ suid | default([]) | difference(os_security_suid_sgid_whitelist) }}' - when: os_security_suid_sgid_remove_from_unknown + when: os_security_suid_sgid_remove_from_unknown | bool diff --git a/ansible/roles/dev-sec.os-hardening/tasks/sysctl.yml b/ansible/roles/dev-sec.os-hardening/tasks/sysctl.yml index 5ff9719..fa1afc5 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/sysctl.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/sysctl.yml 
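Review bot: `selinux:` with `state: "{{ os_selinux_state }}"` changes the running mode immediately as well as `/etc/selinux/config`, so on a host that is currently permissive the default of `enforcing` takes effect in this task with no review of outstanding AVC denials; a `policy:` change, by contrast, only takes effect after a reboot, which the module signals through its `reboot_required` return value that nothing here checks. Consider `register: selinux_result` followed by a `debug` or `assert` on `selinux_result.reboot_required`, and document that a changed policy needs a reboot to apply. The module also requires the libselinux Python bindings on the target; nothing visible in this commit installs them, so that prerequisite belongs in the README alongside the new variables.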
@@ -13,14 +13,15 @@ owner: 'root' group: 'root' mode: '0544' - when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS' or ansible_distribution == 'Amazon' + when: ansible_facts.distribution == 'RedHat' or ansible_facts.distribution == 'Fedora' or + ansible_facts.distribution == 'CentOS' or ansible_facts.distribution == 'Amazon' - name: install initramfs-tools apt: name: 'initramfs-tools' state: 'present' update_cache: true - when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading + when: ansible_facts.os_family == 'Debian' and os_security_kernel_enable_module_loading - name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled template: 
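Review bot: The `install initramfs-tools` task's guard leaves `os_security_kernel_enable_module_loading` un-cast while the same commit adds `| bool` to the equivalent flags in profile.yml and suid_sgid.yml; a value supplied as the string `'false'` (extra-vars, INI inventory) is truthy in Jinja and would run the task. Change it to `when: ansible_facts.os_family == 'Debian' and os_security_kernel_enable_module_loading | bool`. The same condition is repeated on the `rebuild initramfs` template task, whose body continues past the end of this hunk.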
@@ -29,41 +30,44 @@ owner: 'root' group: 'root' mode: '0440' - when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading + notify: + - update-initramfs + when: ansible_facts.os_family == 'Debian' and os_security_kernel_enable_module_loading register: initramfs -- name: update-initramfs - command: 'update-initramfs -u' - when: initramfs.changed +- name: change sysctls + block: + - name: create a combined sysctl-dict if overwrites are defined + set_fact: + sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}' + when: sysctl_overwrite | default() -- name: create a combined sysctl-dict if overwrites are defined - set_fact: - sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}' - when: sysctl_overwrite | default() + - name: Change various sysctl-settings, look at the sysctl-vars file for documentation + sysctl: + name: '{{ item.key }}' + value: '{{ item.value }}' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_dict: '{{ sysctl_config }}' -- name: Change various sysctl-settings, look at the sysctl-vars file for documentation - sysctl: - name: '{{ item.key }}' - value: '{{ item.value }}' - sysctl_set: yes - state: present - reload: yes - ignoreerrors: yes - with_dict: '{{ sysctl_config }}' + - name: Change various sysctl-settings on rhel6-hosts or older, look at the sysctl-vars file for documentation + sysctl: + name: '{{ item.key }}' + value: '{{ item.value }}' + state: present + reload: yes + ignoreerrors: yes + with_dict: '{{ sysctl_rhel_config }}' + when: ((ansible_facts.distribution == 'RedHat' or ansible_facts.distribution == 'Fedora' or ansible_facts.distribution == 'CentOS') and + ansible_distribution_version|int is version('7', '<')) or ansible_facts.distribution == 'Amazon' -- name: Change various sysctl-settings on rhel6-hosts or older, look at the sysctl-vars file for documentation - sysctl: - name: '{{ item.key }}' - value: '{{ item.value }}' - state: present - reload: yes - 
ignoreerrors: yes - with_dict: '{{ sysctl_rhel_config }}' - when: ((ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS') and ansible_distribution_major_version < '7') or ansible_distribution == 'Amazon' + when: ansible_virtualization_type not in ['docker', 'openvz', 'lxc'] - name: Apply ufw defaults template: src: 'etc/default/ufw.j2' dest: '/etc/default/ufw' - when: ufw_manage_defaults and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') + when: ufw_manage_defaults and (ansible_facts.distribution == 'Debian' or ansible_facts.distribution == 'Ubuntu') tags: ufw diff --git a/ansible/roles/dev-sec.os-hardening/tasks/user_accounts.yml b/ansible/roles/dev-sec.os-hardening/tasks/user_accounts.yml index 9160535..f7d7cd6 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/user_accounts.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/user_accounts.yml @@ -10,17 +10,19 @@ - name: calculate UID_MAX from UID_MIN by substracting 1 set_fact: uid_max: '{{ uid_min.stdout | int - 1 }}' - when: uid_min is defined + when: uid_min.stdout|int > 0 - name: set UID_MAX on Debian-systems if no login.defs exist set_fact: uid_max: '999' - when: ansible_os_family == 'Debian' and not uid_min + when: + - ansible_facts.os_family == 'Debian' + - uid_max is not defined - name: set UID_MAX on other systems if no login.defs exist set_fact: uid_max: '499' - when: not uid_min + when: uid_max is not defined - name: get all system accounts command: awk -F'':'' '{ if ( $3 <= {{ uid_max|quote }} ) print $1}' /etc/passwd diff --git a/ansible/roles/dev-sec.os-hardening/tasks/yum.yml b/ansible/roles/dev-sec.os-hardening/tasks/yum.yml index 2f4000f..9902af6 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/yum.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/yum.yml 
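Review bot: The new block-level guard `when: ansible_virtualization_type not in ['docker', 'openvz', 'lxc']` uses the legacy injected fact name while the rest of this hunk is converted to `ansible_facts.*`; with `inject_facts_as_vars = false` it is undefined and the whole sysctl block errors out. Use `ansible_facts.virtualization_type` there, and `ansible_facts.distribution_version` on the rhel6 task two lines above, where `ansible_distribution_version` is likewise left over. `register: initramfs` on the template task is now dead since the `update-initramfs` handler replaces the `initramfs.changed` check. Note also that a handler fires only at the end of the play, so a later failure in the same run leaves the initramfs unrebuilt unless a `meta: flush_handlers` follows the template task.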
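Review bot: The fallback values `'999'` and `'499'` in the two `set UID_MAX ... if no login.defs exist` tasks are hard-coded even though the role already carries the per-distro boundary in `os_auth_uid_min` (the same value it writes as `UID_MIN` into login.defs); on a RHEL/Fedora host without a login.defs, accounts with UIDs 500–999 would then fall above `uid_max` and presumably escape the system-account lock-down that the `get all system accounts` awk below feeds. A single fallback `uid_max: "{{ os_auth_uid_min | int - 1 }}"` with `when: uid_max is not defined` stays consistent with the template and removes the Debian special case. The `uid_min` register that feeds the first task is outside the hunk, so this assumes it holds the UID_MIN value from login.defs.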
@@ -7,41 +7,35 @@ - 'CentOS-Debuginfo' - 'CentOS-Media' - 'CentOS-Vault' - when: os_security_packages_clean + when: os_security_packages_clean | bool - name: get yum-repository-files shell: 'find /etc/yum.repos.d/ -type f -name *.repo' changed_when: False register: yum_repos -- name: check if rhnplugin.conf exists - stat: - path: '/etc/yum/pluginconf.d/rhnplugin.conf' - register: rhnplugin_file - # for the 'default([])' see here: # https://github.com/dev-sec/ansible-os-hardening/issues/99 and # https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause -- name: activate gpg-check for yum-repos + # + # failed_when is needed because by default replace module will fail if the file doesn't exists. + # status.rc is only defined if an error accrued and only error code (rc) 257 will be ignored. + # All other errors will still be raised. +- name: activate gpg-check for config files replace: dest: '{{ item }}' regexp: '^\s*gpgcheck: 0' replace: 'gpgcheck: 1' + register: status + failed_when: status.rc is defined and status.rc != 257 with_flattened: - '/etc/yum.conf' - - '{{ yum_repos.stdout_lines| default([]) }}' - -- name: activate gpg-check for yum rhn if it exists - replace: - dest: '/etc/yum/pluginconf.d/rhnplugin.conf' - regexp: '^\s*gpgcheck: 0' - replace: 'gpgcheck: 1' - when: rhnplugin_file.stat.exists + - '/etc/dnf/dnf.conf' + - '{{ yum_repos.stdout_lines| default([]) }}' # noqa 104 + - '/etc/yum/pluginconf.d/rhnplugin.conf' - name: remove deprecated or insecure packages | package-01 - package-09 yum: - name: '{{ item }}' + name: '{{ os_security_packages_list }}' state: 'absent' - with_items: - - '{{ os_security_packages_list }}' - when: os_security_packages_clean + when: os_security_packages_clean | bool diff --git a/ansible/roles/dev-sec.os-hardening/templates/etc/audit/auditd.conf.j2 b/ansible/roles/dev-sec.os-hardening/templates/etc/audit/auditd.conf.j2 index 4f3040f..b65d03a 100644 
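Review bot: The rewritten `activate gpg-check for config files` task still matches `regexp: '^\s*gpgcheck: 0'`, but yum.conf, dnf.conf and `.repo` files are INI-style and spell the key as `gpgcheck=0`, so the task is a no-op and repositories with signature verification disabled stay that way while the play reports success. Use `regexp: '^\s*gpgcheck\s*=\s*0\s*$'` with `replace: 'gpgcheck=1'`. Separately, `find /etc/yum.repos.d/ -type f -name *.repo` passes an unquoted glob through `shell`; quote it as `-name '*.repo'` so the shell cannot expand it against the working directory before find sees it.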
--- a/ansible/roles/dev-sec.os-hardening/templates/etc/audit/auditd.conf.j2 +++ b/ansible/roles/dev-sec.os-hardening/templates/etc/audit/auditd.conf.j2 @@ -1,3 +1,5 @@ +{{ ansible_managed | comment }} + log_file = /var/log/audit/audit.log log_format = RAW log_group = root @@ -10,7 +12,7 @@ dispatcher = /sbin/audispd name_format = NONE ##name = mydomain max_log_file = 6 -max_log_file_action = keep_logs +max_log_file_action = {{ os_auditd_max_log_file_action }} space_left = 75 space_left_action = SYSLOG action_mail_acct = root diff --git a/ansible/roles/dev-sec.os-hardening/templates/etc/default/ufw.j2 b/ansible/roles/dev-sec.os-hardening/templates/etc/default/ufw.j2 index bf8c0b4..6cea59a 100644 --- a/ansible/roles/dev-sec.os-hardening/templates/etc/default/ufw.j2 +++ b/ansible/roles/dev-sec.os-hardening/templates/etc/default/ufw.j2 @@ -1,4 +1,5 @@ -# {{ ansible_managed | comment }} +{{ ansible_managed | comment }} + # /etc/default/ufw # diff --git a/ansible/roles/dev-sec.os-hardening/templates/etc/initramfs-tools/modules.j2 b/ansible/roles/dev-sec.os-hardening/templates/etc/initramfs-tools/modules.j2 index c6603fb..fbef29c 100644 --- a/ansible/roles/dev-sec.os-hardening/templates/etc/initramfs-tools/modules.j2 +++ b/ansible/roles/dev-sec.os-hardening/templates/etc/initramfs-tools/modules.j2 @@ -1,4 +1,5 @@ -# {{ ansible_managed | comment }} +{{ ansible_managed | comment }} + # This file contains the names of kernel modules that should be loaded at boot time, one per line. Lines beginning with "#" are ignored. # # A list of all available kernel modules kann be found with `find /lib/modules/$(uname -r)/kernel/` @@ -10,7 +11,7 @@ # # Modules for certains builds, contains support modules and some CPU-specific optimizations. -{% if ansible_architecture == 'x86_64' %} +{% if ansible_facts.architecture == 'x86_64' %} # Optimize for x86_64 cryptographic features twofish-x86_64-3way twofish-x86_64 
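Review bot: `max_log_file_action = {{ os_auditd_max_log_file_action }}` replaces the fixed `keep_logs` with a variable whose default is not visible in this diff; auditd accepts only `ignore`, `syslog`, `suspend`, `rotate` and `keep_logs`, and a value outside that set would likely make auditd fail its config parse and not start, silently ending audit collection. An `assert` on the allowed values before the template task (or at least a documented default in the role README) would catch a typo at deploy time. It is also worth noting in the role docs that `rotate` discards records beyond `num_logs`, whereas the previous `keep_logs` never loses audit evidence.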
@@ -19,7 +20,7 @@ salsa20-x86_64 blowfish-x86_64 {% endif %} -{% if 'amd' in ansible_processor %} +{% if 'amd' in ansible_facts.processor %} # AMD-specific optimizations kvm-amd {% else %} diff --git a/ansible/roles/dev-sec.os-hardening/templates/etc/rhel_libuser.conf.j2 b/ansible/roles/dev-sec.os-hardening/templates/etc/libuser.conf.j2 similarity index 96% rename from ansible/roles/dev-sec.os-hardening/templates/etc/rhel_libuser.conf.j2 rename to ansible/roles/dev-sec.os-hardening/templates/etc/libuser.conf.j2 index 89c41cc..20ea2e6 100644 --- a/ansible/roles/dev-sec.os-hardening/templates/etc/rhel_libuser.conf.j2 +++ b/ansible/roles/dev-sec.os-hardening/templates/etc/libuser.conf.j2 @@ -1,6 +1,6 @@ -# See libuser.conf(5) for more information. +{{ ansible_managed | comment }} -# {{ ansible_managed | comment }} +# See libuser.conf(5) for more information. # Do not modify the default module list if you care about unattended calls # to programs (i.e., scripts) working! diff --git a/ansible/roles/dev-sec.os-hardening/templates/etc/login.defs.j2 b/ansible/roles/dev-sec.os-hardening/templates/etc/login.defs.j2 index f2ceb32..cc4c275 100644 --- a/ansible/roles/dev-sec.os-hardening/templates/etc/login.defs.j2 +++ b/ansible/roles/dev-sec.os-hardening/templates/etc/login.defs.j2 @@ -1,4 +1,5 @@ -# {{ ansible_managed | comment }} +{{ ansible_managed | comment }} + # Configuration control definitions for the login package. # # Three items must be defined: `MAIL_DIR`, `ENV_SUPATH`, and `ENV_PATH`. If unspecified, some arbitrary (and possibly incorrect) value will be assumed. All other items are optional - if not specified then the described action or option will be inhibited. @@ -7,6 +8,7 @@ # #-- Modified for Linux. --marekm +{% if os_useradd_mail_dir is defined %} # *REQUIRED for useradd/userdel/usermod* # # Directory where mailboxes reside, _or_ name of file, relative to the home directory. If you _do_ define `MAIL_DIR` and `MAIL_FILE`, `MAIL_DIR` takes precedence. 
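Review bot: `{% if 'amd' in ansible_facts.processor %}` tests list membership, not substring: `ansible_facts.processor` is a list of index/vendor/model strings such as `'AuthenticAMD'`, so the bare lowercase element `'amd'` never matches and the template always takes the `{% else %}` branch on AMD hosts. Use `{% if 'AMD' in ansible_facts.processor | join(' ') %}` (or `| join(' ') | lower` with `'amd'`) to search the joined string instead.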
@@ -19,136 +21,141 @@ # # See default PAM configuration files provided for login, su, etc. # This is a temporary situation: setting these variables will soon move to `/etc/default/useradd` and the variables will then be no more supported -MAIL_DIR /var/mail -#MAIL_FILE .mail +MAIL_DIR {{ os_useradd_mail_dir }} +{% endif %} +{% if os_useradd_create_home is defined %} +# If useradd should create home directories for users by default +CREATE_HOME {{ 'yes' if os_useradd_create_home else 'no' }} + +{% endif %} # Enable logging and display of `/var/log/faillog` login failure info. This option conflicts with the `pam_tally` PAM module. -FAILLOG_ENAB yes +FAILLOG_ENAB yes # Enable display of unknown usernames when login failures are recorded. # # *WARNING*: Unknown usernames may become world readable. See #290803 and #298773 for details about how this could become a security concern -LOG_UNKFAIL_ENAB no +LOG_UNKFAIL_ENAB no # Enable logging of successful logins -LOG_OK_LOGINS yes +LOG_OK_LOGINS yes # Enable "syslog" logging of su activity - in addition to sulog file logging. -SYSLOG_SU_ENAB yes +SYSLOG_SU_ENAB yes # Enable "syslog" logging of newgrp and sg. -SYSLOG_SG_ENAB yes +SYSLOG_SG_ENAB yes # If defined, all su activity is logged to this file. -#SULOG_FILE /var/log/sulog +#SULOG_FILE /var/log/sulog # If defined, file which maps tty line to `TERM` environment parameter. Each line of the file is in a format something like "vt100 tty01". -#TTYTYPE_FILE /etc/ttytype +#TTYTYPE_FILE /etc/ttytype # If defined, login failures will be logged here in a utmp format last, when invoked as lastb, will read `/var/log/btmp`, so... -FTMP_FILE /var/log/btmp +FTMP_FILE /var/log/btmp # If defined, the command name to display when running "su -". For # example, if this is defined as "su" then a "ps" will display the command is "-su". If not defined, then "ps" would display the name of the shell actually being run, e.g. something like "-sh". 
-SU_NAME su +SU_NAME su # If defined, file which inhibits all the usual chatter during the login sequence. If a full pathname, then hushed mode will be enabled if the user's name or shell are found in the file. If not a full pathname, then hushed mode will be enabled if the file exists in the user's home directory. -#HUSHLOGIN_FILE /etc/hushlogins -HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins +HUSHLOGIN_FILE .hushlogin # *REQUIRED*: The default PATH settings, for superuser and normal users. (they are minimal, add the rest in the shell startup files) -ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin -ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin{{ os_env_extra_user_paths| join (':') }} +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:{{ os_env_extra_user_paths | join (':') }} # Terminal permissions # -------------------- # Login tty will be assigned this group ownership. # If you have a "write" program which is "setgid" to a special group which owns the terminals, define `TTYGROUP` to the group number and `TTYPERM` to `0620`. Otherwise leave `TTYGROUP` commented out and assign `TTYPERM` to either `622` or `600`. -TTYGROUP tty +TTYGROUP tty # Login tty will be set to this permission. # In Debian `/usr/bin/bsd-write` or similar programs are setgid tty. However, the default and recommended value for `TTYPERM` is still `0600` to not allow anyone to write to anyone else console or terminal # Users can still allow other people to write them by issuing the `mesg y` command. -TTYPERM 0600 +TTYPERM 0600 # Login conf initializations # -------------------------- # Terminal ERASE character ('\010' = backspace). Only used on System V. -ERASECHAR 0177 +ERASECHAR 0177 # Terminal KILL character ('\025' = CTRL/U). Only used on System V. 
-KILLCHAR 025 +KILLCHAR 025 # The default umask value for `pam_umask` and is used by useradd and newusers to set the mode of the new home directories. # If `USERGROUPS_ENAB` is set to `yes`, that will modify this `UMASK` default value for private user groups, i. e. the uid is the same as gid, and username is the same as the primary group name: for these, the user permissions will be used as group permissions, e. g. `022` will become `002`. # Prefix these values with `0` to get octal, `0x` to get hexadecimal. # `022` is the "historical" value in Debian for UMASK # `027`, or even `077`, could be considered better for privacy. -UMASK {{ os_env_umask }} +UMASK {{ os_env_umask }} # Enable setting of the umask group bits to be the same as owner bits (examples: `022` -> `002`, `077` -> `007`) for non-root users, if the uid is the same as gid, and username is the same as the primary group name. # If set to yes, userdel will remove the user´s group if it contains no more members, and useradd will create by default a group with the name of the user. -USERGROUPS_ENAB yes +USERGROUPS_ENAB yes # Password aging controls # ----------------------- # Maximum number of days a password may be used. -PASS_MAX_DAYS {{ os_auth_pw_max_age }} +PASS_MAX_DAYS {{ os_auth_pw_max_age }} # Minimum number of days allowed between password changes. -PASS_MIN_DAYS {{ os_auth_pw_min_age }} +PASS_MIN_DAYS {{ os_auth_pw_min_age }} # Number of days warning given before a password expires. 
-PASS_WARN_AGE 7 +PASS_WARN_AGE 7 # Min/max values for automatic uid selection in useradd -UID_MIN {{ os_auth_uid_min }} -UID_MAX 60000 +UID_MIN {{ os_auth_uid_min }} +UID_MAX 60000 # System accounts -SYS_UID_MIN {{ os_auth_sys_uid_min }} -SYS_UID_MAX {{ os_auth_sys_uid_max }} +SYS_UID_MIN {{ os_auth_sys_uid_min }} +SYS_UID_MAX {{ os_auth_sys_uid_max }} # Min/max values for automatic gid selection in groupadd -GID_MIN {{ os_auth_gid_min }} -GID_MAX 60000 +GID_MIN {{ os_auth_gid_min }} +GID_MAX 60000 # System accounts -SYS_GID_MIN {{ os_auth_sys_gid_min }} -SYS_GID_MAX {{ os_auth_sys_gid_max }} +SYS_GID_MIN {{ os_auth_sys_gid_min }} +SYS_GID_MAX {{ os_auth_sys_gid_max }} # Max number of login retries if password is bad. This will most likely be overriden by PAM, since the default pam_unix module has it's own built in of 3 retries. However, this is a safe fallback in case you are using an authentication module that does not enforce PAM_MAXTRIES. -LOGIN_RETRIES {{ os_auth_retries }} +LOGIN_RETRIES {{ os_auth_retries }} # Max time in seconds for login -LOGIN_TIMEOUT {{ os_auth_timeout }} +LOGIN_TIMEOUT {{ os_auth_timeout }} # Which fields may be changed by regular users using chfn - use any combination of letters "frwh" (full name, room number, work phone, home phone). If not defined, no changes are allowed. # For backward compatibility, "yes" = "rwh" and "no" = "frwh". {% if os_chfn_restrict %} -CHFN_RESTRICT {{ os_chfn_restrict }} +CHFN_RESTRICT {{ os_chfn_restrict }} {% endif %} # Should login be allowed if we can't cd to the home directory? -DEFAULT_HOME {{ 'yes' if os_auth_allow_homeless else 'no' }} +DEFAULT_HOME {{ 'yes' if os_auth_allow_homeless else 'no' }} # If defined, this command is run when removing a user. # It should remove any at/cron/print jobs etc. owned by # the user to be removed (passed as the first argument). 
-#USERDEL_CMD /usr/sbin/userdel_local +#USERDEL_CMD /usr/sbin/userdel_local # Instead of the real user shell, the program specified by this parameter will be launched, although its visible name (`argv[0]`) will be the shell's. The program may do whatever it wants (logging, additional authentification, banner, ...) before running the actual shell. -#FAKE_SHELL /bin/fakeshell +#FAKE_SHELL /bin/fakeshell # If defined, either full pathname of a file containing device names or a ":" delimited list of device names. Root logins will be allowed only upon these devices. # This variable is used by login and su. -#CONSOLE /etc/consoles -#CONSOLE console:tty01:tty02:tty03:tty04 +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 # List of groups to add to the user's supplementary group set when logging in on the console (as determined by the `CONSOLE` setting). Default is none. # Use with caution - it is possible for users to gain permanent access to these groups, even when not logged in on the console. How to do it is left as an exercise for the reader... # This variable is used by login and su. -#CONSOLE_GROUPS floppy:audio:cdrom +#CONSOLE_GROUPS floppy:audio:cdrom # If set to `MD5`, MD5-based algorithm will be used for encrypting password # If set to `SHA256`, SHA256-based algorithm will be used for encrypting password 
@@ -158,15 +165,15 @@ DEFAULT_HOME {{ 'yes' if os_auth_allow_homeless else 'no' }} # # Note: It is recommended to use a value consistent with # the PAM modules configuration. -MD5_CRYPT_ENAB no -ENCRYPT_METHOD SHA512 +MD5_CRYPT_ENAB no +ENCRYPT_METHOD SHA512 # Only used if `ENCRYPT_METHOD` is set to `SHA256` or `SHA512`: Define the number of SHA rounds. # With a lot of rounds, it is more difficult to brute forcing the password. But note also that it more CPU resources will be needed to authenticate users. # If not specified, the libc will choose the default number of rounds (5000). The values must be inside the 1000-999999999 range. If only one of the MIN or MAX values is set, then this value will be used. # If MIN > MAX, the highest value will be used. -#SHA_CRYPT_MIN_ROUNDS 5000 -#SHA_CRYPT_MAX_ROUNDS 5000 +#SHA_CRYPT_MIN_ROUNDS 5000 +#SHA_CRYPT_MAX_ROUNDS 5000 # Obsoleted by PAM @@ -207,5 +214,3 @@ ENCRYPT_METHOD SHA512 # This variable is deprecated. You should use ENCRYPT_METHOD. # #MD5_CRYPT_ENAB no - - diff --git a/ansible/roles/dev-sec.os-hardening/templates/etc/pam.d/rhel_system_auth.j2 b/ansible/roles/dev-sec.os-hardening/templates/etc/pam.d/rhel_system_auth.j2 index d84b438..cc7d487 100644 --- a/ansible/roles/dev-sec.os-hardening/templates/etc/pam.d/rhel_system_auth.j2 +++ b/ansible/roles/dev-sec.os-hardening/templates/etc/pam.d/rhel_system_auth.j2 @@ -1,4 +1,4 @@ -# {{ ansible_managed | comment }} +{{ ansible_managed | comment }} #%PAM-1.0 {% if os_auth_retries > 0 %} 
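Review bot: `ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:{{ os_env_extra_user_paths | join (':') }}` now emits a trailing `:` whenever `os_env_extra_user_paths` is empty, and the shell treats an empty PATH element as the current directory — exactly the `.`-in-PATH exposure a hardening role exists to remove. Guard the separator: `ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin{% if os_env_extra_user_paths %}:{{ os_env_extra_user_paths | join(':') }}{% endif %}`. The new `{% if os_useradd_mail_dir is defined %}` wrapper also drops `MAIL_DIR` entirely on distros whose vars file does not set it (the Suse.yml and Fedora.yml added in this commit do not), which the file's own comment marks as required for useradd/userdel/usermod — presumably intentional, but worth confirming.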
@@ -18,7 +18,7 @@ account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so {% if (os_auth_pam_passwdqc_enable|bool) %} - {%- if ((ansible_os_family == 'RedHat' and ansible_distribution_version >= '7') or ansible_distribution == 'Amazon') %} + {%- if ((ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_version|int is version('7', '>=')) or ansible_facts.distribution == 'Amazon') %} password required pam_pwquality.so {{ os_auth_pam_pwquality_options }} {%- else %} password requisite pam_passwdqc.so {{ os_auth_pam_passwdqc_options }} diff --git a/ansible/roles/dev-sec.os-hardening/templates/etc/profile.d/profile.conf.j2 b/ansible/roles/dev-sec.os-hardening/templates/etc/profile.d/profile.conf.j2 index 60f4353..9f78818 100644 --- a/ansible/roles/dev-sec.os-hardening/templates/etc/profile.d/profile.conf.j2 +++ b/ansible/roles/dev-sec.os-hardening/templates/etc/profile.d/profile.conf.j2 @@ -1,4 +1,4 @@ -# {{ ansible_managed | comment }} +{{ ansible_managed | comment }} # Disable core dumps via soft limits for all users. Compliance to this setting is voluntary and can be modified by users up to a hard limit. This setting is a sane default. ulimit -S -c 0 > /dev/null 2>&1 diff --git a/ansible/roles/dev-sec.os-hardening/templates/etc/securetty.j2 b/ansible/roles/dev-sec.os-hardening/templates/etc/securetty.j2 index 6c7394c..2d58bf4 100644 --- a/ansible/roles/dev-sec.os-hardening/templates/etc/securetty.j2 +++ b/ansible/roles/dev-sec.os-hardening/templates/etc/securetty.j2 @@ -1,5 +1,4 @@ -# {{ ansible_managed | comment }} - +{{ ansible_managed | comment }} # A list of TTYs, from which root can log in # see `man securetty` for reference diff --git a/ansible/roles/dev-sec.os-hardening/templates/etc/sysconfig/rhel_sysconfig_init.j2 b/ansible/roles/dev-sec.os-hardening/templates/etc/sysconfig/rhel_sysconfig_init.j2 index 1d2e466..e5c3f76 100644 --- a/ansible/roles/dev-sec.os-hardening/templates/etc/sysconfig/rhel_sysconfig_init.j2 
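Review bot: The RHEL 7+/Amazon branch keeps `password required pam_pwquality.so` while the older branch uses `requisite` for pam_passwdqc; with `required`, a password rejected by pwquality still runs the remaining `password` modules before the failure is reported, whereas `requisite` aborts immediately and is what RHEL's own system-auth uses for pam_pwquality. Change it to `password requisite pam_pwquality.so {{ os_auth_pam_pwquality_options }}` so both branches fail closed the same way. The `|int` on `ansible_facts.distribution_version` keeps only the major version, which is all `version('7', '>=')` needs here.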
+++ b/ansible/roles/dev-sec.os-hardening/templates/etc/sysconfig/rhel_sysconfig_init.j2 @@ -1,4 +1,4 @@ -# {{ ansible_managed | comment }} +{{ ansible_managed | comment }} # color => new RH6.0 bootup # verbose => old-style bootup diff --git a/ansible/roles/dev-sec.os-hardening/templates/usr/share/pam-configs/pam_passwdqd.j2 b/ansible/roles/dev-sec.os-hardening/templates/usr/share/pam-configs/pam_passwdqd.j2 index bbfaedf..f81d743 100644 --- a/ansible/roles/dev-sec.os-hardening/templates/usr/share/pam-configs/pam_passwdqd.j2 +++ b/ansible/roles/dev-sec.os-hardening/templates/usr/share/pam-configs/pam_passwdqd.j2 @@ -1,3 +1,5 @@ +{{ ansible_managed | comment }} + Name: passwdqc password strength enforcement Default: yes Priority: 1024 diff --git a/ansible/roles/dev-sec.os-hardening/templates/usr/share/pam-configs/pam_tally2.j2 b/ansible/roles/dev-sec.os-hardening/templates/usr/share/pam-configs/pam_tally2.j2 index 2b61950..5e813b9 100644 --- a/ansible/roles/dev-sec.os-hardening/templates/usr/share/pam-configs/pam_tally2.j2 +++ b/ansible/roles/dev-sec.os-hardening/templates/usr/share/pam-configs/pam_tally2.j2 @@ -1,3 +1,5 @@ +{{ ansible_managed | comment }} + Name: tally2 lockout after failed attempts enforcement Default: yes Priority: 1024 diff --git a/ansible/roles/dev-sec.os-hardening/tests/test.yml b/ansible/roles/dev-sec.os-hardening/tests/test.yml index 162fc8a..3816755 100644 --- a/ansible/roles/dev-sec.os-hardening/tests/test.yml +++ b/ansible/roles/dev-sec.os-hardening/tests/test.yml 
@@ -4,10 +4,22 @@ roles: - ansible-os-hardening pre_tasks: + - name: set ansible_python_interpreter to "/usr/bin/python3" on fedora + set_fact: + ansible_python_interpreter: "/usr/bin/python3" + when: ansible_facts.distribution == 'Fedora' + - name: Run the equivalent of "apt-get update" as a separate step apt: update_cache: yes - when: ansible_os_family == 'Debian' + when: ansible_facts.os_family == 'Debian' + - name: install required tools on fedora + dnf: + name: + - python + - findutils + - procps-ng + when: ansible_facts.distribution == 'Fedora' - name: create recursing symlink to test minimize access shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz" vars: @@ -20,7 +32,7 @@ os_auth_allow_homeless: true os_security_suid_sgid_blacklist: ['/bin/umount'] os_security_suid_sgid_whitelist: ['/usr/bin/rlogin'] - os_filesystem_whitelist: ['vfat'] + os_filesystem_whitelist: [] sysctl_config: net.ipv4.ip_forward: 0 net.ipv6.conf.all.forwarding: 0 @@ -52,23 +64,26 @@ net.ipv6.conf.default.accept_ra_rtr_pref: 0 net.ipv6.conf.default.accept_ra_pinfo: 0 net.ipv6.conf.default.accept_ra_defrtr: 0 - net.ipv6.conf.default.autoconf: 0 + net.ipv6.conf.default.conf: 0 net.ipv6.conf.default.dad_transmits: 0 net.ipv6.conf.default.max_addresses: 1 kernel.sysrq: 0 fs.suid_dumpable: 0 kernel.randomize_va_space: 2 - - name: wrapper playbook for kitchen testing "ansible-os-hardening" hosts: localhost vars: - - os_auditd_enabled: false + os_auditd_enabled: false pre_tasks: + - name: set ansible_python_interpreter to "/usr/bin/python3" on fedora + set_fact: + ansible_python_interpreter: "/usr/bin/python3" + when: ansible_facts.distribution == 'Fedora' + - name: Run the equivalent of "apt-get update" as a separate step apt: update_cache: yes - when: ansible_os_family == 'Debian' + when: ansible_facts.os_family == 'Debian' roles: - ansible-os-hardening - 
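Review bot: `net.ipv6.conf.default.conf: 0` replaces `net.ipv6.conf.default.autoconf: 0`, but `net.ipv6.conf.default.conf` is not a kernel sysctl; because the role's sysctl task runs with `ignoreerrors: yes`, the typo will not fail the test run — it just silently stops disabling IPv6 autoconf in the test configuration. Restore `net.ipv6.conf.default.autoconf: 0`. The new `set ansible_python_interpreter` pre_tasks rely on `ansible_facts.distribution` already being populated; that holds with default fact gathering, but neither play sets `gather_facts` explicitly, so a one-line comment noting the dependency would help.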
diff --git a/ansible/roles/dev-sec.os-hardening/vars/Amazon.yml b/ansible/roles/dev-sec.os-hardening/vars/Amazon.yml index fa53dd2..f7900a3 100644 --- a/ansible/roles/dev-sec.os-hardening/vars/Amazon.yml +++ b/ansible/roles/dev-sec.os-hardening/vars/Amazon.yml @@ -1,6 +1,6 @@ --- # system accounts that do not get their login disabled and pasword changed -os_always_ignore_users: ['root','sync','shutdown','halt', 'ec2-user'] +os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt', 'ec2-user'] sysctl_rhel_config: # ExecShield protection against buffer overflows diff --git a/ansible/roles/dev-sec.os-hardening/vars/Debian.yml b/ansible/roles/dev-sec.os-hardening/vars/Debian.yml index be28470..7d4e2a0 100644 --- a/ansible/roles/dev-sec.os-hardening/vars/Debian.yml +++ b/ansible/roles/dev-sec.os-hardening/vars/Debian.yml @@ -1,13 +1,10 @@ +--- + os_packages_pam_ccreds: 'libpam-ccreds' os_packages_pam_passwdqc: 'libpam-passwdqc' os_packages_pam_cracklib: 'libpam-cracklib' -passwdqc_path: '/usr/share/pam-configs/passwdqc' -tally2_path: '/usr/share/pam-configs/tally2' os_nologin_shell_path: '/usr/sbin/nologin' -auditd_package: 'auditd' -modprobe_package: 'kmod' - # Different distros use different standards for /etc/shadow perms, e.g. # RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640. # You must provide key/value pairs for owner, group, and mode if overriding. @@ -29,3 +26,12 @@ os_auth_sys_uid_min: 100 os_auth_sys_uid_max: 999 os_auth_sys_gid_min: 100 os_auth_sys_gid_max: 999 + +# defaults for useradd +os_useradd_mail_dir: /var/mail + +modprobe_package: 'kmod' +auditd_package: 'auditd' + +tally2_path: '/usr/share/pam-configs/tally2' +passwdqc_path: '/usr/share/pam-configs/passwdqc' diff --git a/ansible/roles/dev-sec.os-hardening/vars/Fedora.yml b/ansible/roles/dev-sec.os-hardening/vars/Fedora.yml new file mode 100644 index 0000000..bce4328 --- /dev/null +++ b/ansible/roles/dev-sec.os-hardening/vars/Fedora.yml 
@@ -0,0 +1,31 @@ +--- + +os_packages_pam_ccreds: 'pam_ccreds' +os_packages_pam_passwdqc: 'pam_passwdqc' +os_packages_pam_cracklib: 'pam_cracklib' +os_nologin_shell_path: '/sbin/nologin' + +# Different distros use different standards for /etc/shadow perms, e.g. +# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640. +# You must provide key/value pairs for owner, group, and mode if overriding. +os_shadow_perms: + owner: root + group: root + mode: '0000' + +os_passwd_perms: + owner: root + group: root + mode: '0644' + +os_env_umask: '027' + +os_auth_uid_min: 1000 +os_auth_gid_min: 1000 +os_auth_sys_uid_min: 201 +os_auth_sys_uid_max: 999 +os_auth_sys_gid_min: 201 +os_auth_sys_gid_max: 999 + +modprobe_package: 'module-init-tools' +auditd_package: 'audit' diff --git a/ansible/roles/dev-sec.os-hardening/vars/Oracle Linux.yml b/ansible/roles/dev-sec.os-hardening/vars/Oracle Linux.yml index 887473a..994e1b9 100644 --- a/ansible/roles/dev-sec.os-hardening/vars/Oracle Linux.yml +++ b/ansible/roles/dev-sec.os-hardening/vars/Oracle Linux.yml @@ -1,6 +1,8 @@ -os_packages_pam_ccreds: 'pam_ccreds' -os_packages_pam_passwdqc: 'pam_passwdqc' -os_packages_pam_cracklib: 'pam_cracklib' +--- + +os_packages_pam_ccreds: 'pam_ccreds' +os_packages_pam_passwdqc: 'pam_passwdqc' +os_packages_pam_cracklib: 'pam_cracklib' os_nologin_shell_path: '/sbin/nologin' # Different distros use different standards for /etc/shadow perms, e.g. diff --git a/ansible/roles/dev-sec.os-hardening/vars/RedHat.yml b/ansible/roles/dev-sec.os-hardening/vars/RedHat.yml index 9624cc2..dc20124 100644 --- a/ansible/roles/dev-sec.os-hardening/vars/RedHat.yml +++ b/ansible/roles/dev-sec.os-hardening/vars/RedHat.yml @@ -1,8 +1,5 @@ --- -modprobe_package: 'module-init-tools' -auditd_package: 'audit' - os_packages_pam_ccreds: 'pam_ccreds' os_packages_pam_passwdqc: 'pam_passwdqc' os_packages_pam_cracklib: 'pam_cracklib' 
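Review bot: `modprobe_package: 'module-init-tools'` in the new Fedora.yml names a package Fedora replaced with `kmod` many releases ago, so if the role installs `modprobe_package` on Fedora (the install task is not in this diff) the dnf step would fail on a missing package; `'kmod'`, as Debian.yml already uses, is the likely correct value. Fedora.yml also omits the `os_useradd_mail_dir`/`os_useradd_create_home` defaults this commit adds to RedHat.yml, so the `{% if os_useradd_mail_dir is defined %}` guard in login.defs.j2 will drop `MAIL_DIR` on Fedora — add `os_useradd_mail_dir: /var/spool/mail` and `os_useradd_create_home: true` if the same behaviour is intended.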
@@ -29,3 +26,10 @@ os_auth_sys_uid_min: 201 os_auth_sys_uid_max: 999 os_auth_sys_gid_min: 201 os_auth_sys_gid_max: 999 + +# defaults for useradd +os_useradd_mail_dir: /var/spool/mail +os_useradd_create_home: true + +modprobe_package: 'module-init-tools' +auditd_package: 'audit' diff --git a/ansible/roles/dev-sec.os-hardening/vars/Suse.yml b/ansible/roles/dev-sec.os-hardening/vars/Suse.yml new file mode 100644 index 0000000..48203bb --- /dev/null +++ b/ansible/roles/dev-sec.os-hardening/vars/Suse.yml @@ -0,0 +1,34 @@ +--- + +os_packages_pam_ccreds: 'pam_ccreds' +os_packages_pam_passwdqc: 'pam_passwdqc' +os_packages_pam_cracklib: 'cracklib' +os_nologin_shell_path: '/sbin/nologin' + +# Different distros use different standards for /etc/shadow perms, e.g. +# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640. +# You must provide key/value pairs for owner, group, and mode if overriding. +os_shadow_perms: + owner: root + group: root + mode: '0600' + +os_passwd_perms: + owner: root + group: root + mode: '0644' + +os_env_umask: '027' + +os_auth_uid_min: 1000 +os_auth_gid_min: 1000 +os_auth_sys_uid_min: 100 +os_auth_sys_uid_max: 499 +os_auth_sys_gid_min: 100 +os_auth_sys_gid_max: 499 + +# defaults for useradd +os_useradd_create_home: false + +modprobe_package: 'kmod-compat' +auditd_package: 'audit' diff --git a/ansible/roles/dev-sec.os-hardening/vars/main.yml b/ansible/roles/dev-sec.os-hardening/vars/main.yml index 35687e6..7c8a116 100644 --- a/ansible/roles/dev-sec.os-hardening/vars/main.yml +++ b/ansible/roles/dev-sec.os-hardening/vars/main.yml @@ -108,4 +108,4 @@ os_security_suid_sgid_system_whitelist: - '/usr/lib/libvte-2.90-9/gnome-pty-helper' # gnome # system accounts that do not get their login disabled and pasword changed -os_always_ignore_users: ['root','sync','shutdown','halt'] +os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt'] 
diff --git a/ansible/roles/dev-sec.ssh-hardening/.github/ISSUE_TEMPLATE/bug_report.md b/ansible/roles/dev-sec.ssh-hardening/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000..43f045d --- /dev/null +++ b/ansible/roles/dev-sec.ssh-hardening/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,40 @@ +--- +name: Bug report +about: Create a report to help us improve + +--- + +**Describe the bug** +A clear and concise description of what the bug is. + +**Expected behavior** +A clear and concise description of what you expected to happen. + +**Actual behavior** + +```paste below + +``` +**Example Playbook** + +```paste below + +``` + +**OS / Environment** + + +**Ansible Version** + +```paste below + +``` + +**Role Version** + +```paste below + +``` + +**Additional context** +Add any other context about the problem here. diff --git a/ansible/roles/dev-sec.ssh-hardening/.github/ISSUE_TEMPLATE/feature_request.md b/ansible/roles/dev-sec.ssh-hardening/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 0000000..066b2d9 --- /dev/null +++ b/ansible/roles/dev-sec.ssh-hardening/.github/ISSUE_TEMPLATE/feature_request.md @@ -0,0 +1,17 @@ +--- +name: Feature request +about: Suggest an idea for this project + +--- + +**Is your feature request related to a problem? Please describe.** +A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Describe alternatives you've considered** +A clear and concise description of any alternative solutions or features you've considered. + +**Additional context** +Add any other context or screenshots about the feature request here. diff --git a/ansible/roles/dev-sec.ssh-hardening/.github/workflows/changelog.yml b/ansible/roles/dev-sec.ssh-hardening/.github/workflows/changelog.yml new file mode 100644 index 0000000..99857c7 --- /dev/null 
+++ b/ansible/roles/dev-sec.ssh-hardening/.github/workflows/changelog.yml @@ -0,0 +1,34 @@ +name: Create Changelog + +on: + pull_request: + types: [closed] + + release: + types: [published] + + issues: + types: [closed, edited] + +jobs: + generate_changelog: + runs-on: ubuntu-latest + name: Generate changelog for master branch + steps: + - uses: actions/checkout@v1 + + - name: Generate changelog + uses: charmixer/auto-changelog-action@v1 + with: + token: ${{ secrets.GITHUB_TOKEN }} + + - name: push + uses: github-actions-x/commit@v2.6 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + push-branch: 'master' + commit-message: 'update changelog' + force-add: 'true' + files: CHANGELOG.md + name: dev-sec CI + email: github@gumpri.ch diff --git a/ansible/roles/dev-sec.ssh-hardening/.github/workflows/release.yml b/ansible/roles/dev-sec.ssh-hardening/.github/workflows/release.yml new file mode 100644 index 0000000..951f439 --- /dev/null +++ b/ansible/roles/dev-sec.ssh-hardening/.github/workflows/release.yml 
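Review bot: Three third-party actions (`actions/checkout@v1`, `charmixer/auto-changelog-action@v1`, `github-actions-x/commit@v2.6`) are referenced by mutable tags and handed `secrets.GITHUB_TOKEN`, and the last one pushes straight to `master`; a re-tagged or compromised action can therefore commit arbitrary content to the release branch, and the `issues: [closed, edited]` trigger lets anyone who can edit an issue start that run. Pin each `uses:` to a full commit SHA (keeping the tag in a trailing comment) and add a top-level `permissions:` block limited to `contents: write` so the token cannot do more than the push requires. A branch-protection rule on `master` would additionally block the push unless the workflow is explicitly allowed, which is the safer default for a security role.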
@@ -0,0 +1,51 @@
+name: New release
+
+on:
+ push:
+ branches:
+ - master
+
+jobs:
+ generate_changelog:
+ runs-on: ubuntu-latest
+ name: create release draft
+ steps:
+ - uses: actions/checkout@v1
+
+ - name: 'Get Previous tag'
+ id: previoustag
+ uses: "WyriHaximus/github-action-get-previous-tag@master"
+ env:
+ GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+ - name: calculate next version
+ id: version
+ uses: patrickjahns/version-drafter-action@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Generate changelog
+ uses: charmixer/auto-changelog-action@v1
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ since_tag: ${{ steps.previoustag.outputs.tag }}
+ # wait for https://github.com/CharMixer/auto-changelog-action/pull/3
+ #future_release: ${{ steps.version.outputs.next-version }}
+
+ - name: Read CHANGELOG.md
+ id: package
+ uses: juliangruber/read-file-action@v1
+ with:
+ path: ./CHANGELOG.md
+
+ - name: Create Release draft
+ id: create_release
+ uses: actions/create-release@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
+ with:
+ release_name: ${{ steps.version.outputs.next-version }}
+ tag_name: ${{ steps.version.outputs.next-version }}
+ body: |
+ ${{ steps.package.outputs.content }}
+ draft: true
diff --git a/ansible/roles/dev-sec.ssh-hardening/.kitchen.aws.yml b/ansible/roles/dev-sec.ssh-hardening/.kitchen.aws.yml
index 3d60452..fb0a6b1 100644
--- a/ansible/roles/dev-sec.ssh-hardening/.kitchen.aws.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/.kitchen.aws.yml
@@ -17,7 +17,7 @@ provisioner:
 require_ansible_omnibus: true
 ansible_verbose: true
 ansible_diff: true
- hosts: all
+ roles_path: ../ansible-ssh-hardening/
 http_proxy: <%= ENV['http_proxy'] || nil %>
 https_proxy: <%= ENV['https_proxy'] || nil %>

diff --git a/ansible/roles/dev-sec.ssh-hardening/.kitchen.vagrant.yml b/ansible/roles/dev-sec.ssh-hardening/.kitchen.vagrant.yml
index 7ce9037..2a1dff0 100644
--- a/ansible/roles/dev-sec.ssh-hardening/.kitchen.vagrant.yml +++ b/ansible/roles/dev-sec.ssh-hardening/.kitchen.vagrant.yml 
@@ -20,56 +20,34 @@ provisioner: http_proxy: <%= ENV['http_proxy'] || nil %> https_proxy: <%= ENV['https_proxy'] || nil %> -transport: - max_ssh_sessions: 5 - platforms: -- name: ubuntu-12.04 - driver_config: - box: opscode-ubuntu-12.04 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box -- name: ubuntu-14.04 - driver_config: - box: opscode-ubuntu-14.04 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box - name: ubuntu-16.04 driver_config: - box: opscode-ubuntu-16.04 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-16.04_chef-provisionerless.box -- name: centos-6.4 -- name: centos-7.2 + box: bento/ubuntu-16.04 +- name: ubuntu-18.04 driver_config: - box: opscode-centos-7.2 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-7.2_chef-provisionerless.box -- name: centos-6.5 + box: bento/ubuntu-18.04 +- name: centos-6 driver_config: - box: opscode-centos-6.5 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box -- name: centos-6.8 - driver_config: - box: bento/centos-6.8 + box: bento/centos-6 - name: centos-7 driver_config: - box: bento/centos-7.2 -- name: oracle-6.4 + box: bento/centos-7 +- name: oracle-6 driver_config: - box: oracle-6.4 - box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel64-64.box -- name: oracle-6.5 - driver_config: - box: oracle-6.5 - box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box + box: bento/oracle-6 - name: oracle-7 driver_config: - box: boxcutter/ol72 -- name: debian-7 + box: bento/oracle-7 +- name: debian-9 driver_config: - box: debian-7 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-7.8_chef-provisionerless.box -- name: debian-8 + box: bento/debian-9 +- name: debian-10 
driver_config: - box: debian-8 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box + box: bento/debian-10 +- name: amazon + driver_config: + box: bento/amazonlinux-2 verifier: name: inspec diff --git a/ansible/roles/dev-sec.ssh-hardening/.kitchen.yml b/ansible/roles/dev-sec.ssh-hardening/.kitchen.yml index 99495d5..e243825 100644 --- a/ansible/roles/dev-sec.ssh-hardening/.kitchen.yml +++ b/ansible/roles/dev-sec.ssh-hardening/.kitchen.yml @@ -6,9 +6,6 @@ driver: http_proxy: <%= ENV['http_proxy'] || nil %> https_proxy: <%= ENV['https_proxy'] || nil %> -transport: - max_ssh_sessions: 5 - provisioner: name: ansible_playbook hosts: all @@ -17,12 +14,12 @@ provisioner: require_ruby_for_busser: false ansible_verbose: true ansible_diff: true - hosts: all + roles_path: ../ansible-ssh-hardening/ http_proxy: <%= ENV['http_proxy'] || nil %> https_proxy: <%= ENV['https_proxy'] || nil %> playbook: tests/default.yml - ansible_diff: true + ansible_extra_flags: - "--skip-tags=sysctl" @@ -51,10 +48,6 @@ platforms: provision_command: - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - systemctl enable sshd.service -- name: ubuntu1404-ansible-latest - driver: - image: rndmh3ro/docker-ubuntu1404-ansible:latest - platform: ubuntu - name: ubuntu1604-ansible-latest driver: image: rndmh3ro/docker-ubuntu1604-ansible:latest @@ -62,14 +55,13 @@ platforms: run_command: /sbin/init provision_command: - systemctl enable ssh.service -- name: debian7-ansible-latest +- name: ubuntu1804-ansible-latest driver: - image: rndmh3ro/docker-debian7-ansible:latest - platform: debian -- name: debian8-ansible-latest - driver: - image: rndmh3ro/docker-debian8-ansible:latest - platform: debian + image: rndmh3ro/docker-ubuntu1804-ansible:latest + platform: ubuntu + run_command: /sbin/init + provision_command: + - systemctl enable ssh.service - name: debian9-ansible-latest driver: image: rndmh3ro/docker-debian9-ansible:latest 
@@ -78,6 +70,14 @@ platforms:
 provision_command:
 - apt install -y systemd-sysv
 - systemctl enable ssh.service
+- name: debian10-ansible-latest
+ driver:
+ image: rndmh3ro/docker-debian10-ansible
+ platform: debian
+ run_command: /sbin/init
+ provision_command:
+ - apt install -y systemd-sysv
+ - systemctl enable ssh.service
 - name: amazon-ansible-latest
 driver:
 image: rndmh3ro/docker-amazon-ansible:latest
@@ -86,6 +86,15 @@ platforms:
 provision_command:
 - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
 - systemctl enable sshd.service
+- name: fedora-ansible-latest
+ driver:
+ image: rndmh3ro/docker-fedora-ansible:latest
+ platform: centos
+ run_command: /sbin/init
+ provision_command:
+ - dnf install -y python
+ - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+ - systemctl enable sshd.service

 verifier:
 name: inspec
diff --git a/ansible/roles/dev-sec.ssh-hardening/.travis.yml b/ansible/roles/dev-sec.ssh-hardening/.travis.yml
index c10066a..c21539a 100644
--- a/ansible/roles/dev-sec.ssh-hardening/.travis.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/.travis.yml
@@ -25,17 +25,9 @@ env:
 init: /lib/systemd/systemd
 run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"

- - distro: ubuntu1404
+ - distro: ubuntu1804
 version: latest
- init: /sbin/init
-
- - distro: debian7
- version: latest
- init: /sbin/init
-
- - distro: debian8
- version: latest
- init: /sbin/init
+ init: /lib/systemd/systemd
 run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"

 - distro: debian9
@@ -43,29 +35,42 @@ env: init: /lib/systemd/systemd run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" + - distro: debian10 + version: latest + init: /lib/systemd/systemd + run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" + - distro: amazon init: /lib/systemd/systemd version: latest run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" + - distro: fedora + init: /lib/systemd/systemd + version: latest + run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" + before_install: # Pull container - 'docker pull rndmh3ro/docker-${distro}-ansible:${version}' script: + - pip install --user ansible-lint + - ansible-lint ./ + - container_id=$(mktemp) # Run container in detached state. - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-ssh-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"' # Test role. - - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default_custom.yml' - - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default.yml' + - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default_custom.yml --diff' + - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default.yml --diff' # Verify role # remove the UseLogin-check, see here for reasons: https://github.com/dev-sec/ansible-ssh-hardening/pull/141 - - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=sshd-01 sshd-02 sshd-03 sshd-04 sshd-05 sshd-06 sshd-07 sshd-08 sshd-09 sshd-10 sshd-11 sshd-12 sshd-13 sshd-14 sshd-16 sshd-17 sshd-18 sshd-19 sshd-20 sshd-21 sshd-22 sshd-23 sshd-24 sshd-25 sshd-26 sshd-27 sshd-28 sshd-29 sshd-30 sshd-31 sshd-32 sshd-33 sshd-34 sshd-35 sshd-36 sshd-37 sshd-38 sshd-39 sshd-40 sshd-41 sshd-42 sshd-43 
sshd-44 sshd-45 sshd-46 sshd-47 sshd-48 --no-distinct-exit' + - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=sshd-01 sshd-02 sshd-03 sshd-04 sshd-05 sshd-06 sshd-07 sshd-08 sshd-09 sshd-10 sshd-11 sshd-12 sshd-13 sshd-14 sshd-15 sshd-16 sshd-17 sshd-18 sshd-19 sshd-20 sshd-21 sshd-22 sshd-23 sshd-24 sshd-25 sshd-26 sshd-27 sshd-28 sshd-29 sshd-30 sshd-31 sshd-32 sshd-33 sshd-34 sshd-35 sshd-36 sshd-37 sshd-38 sshd-39 sshd-40 sshd-41 sshd-42 sshd-43 sshd-44 sshd-45 sshd-46 sshd-47 sshd-48 --no-distinct-exit' # remove UseRoaming and RhostsRSAAuthentication because these options are deprecated - ssh-14, ssh-15, ssh-21 - - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=ssh-01 ssh-02 ssh-03 ssh-04 ssh-05 ssh-06 ssh-07 ssh-08 ssh-09 ssh-10 ssh-11 ssh-12 ssh-13 ssh-16 ssh-17 ssh-18 ssh-19 ssh-20 --no-distinct-exit' + - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=ssh-01 ssh-02 ssh-03 ssh-04 ssh-05 ssh-06 ssh-07 ssh-08 ssh-09 ssh-10 ssh-11 ssh-12 ssh-13 ssh-14 ssh-15 ssh-16 ssh-17 ssh-18 ssh-19 ssh-20 --no-distinct-exit' notifications: webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/ansible/roles/dev-sec.ssh-hardening/CHANGELOG.md b/ansible/roles/dev-sec.ssh-hardening/CHANGELOG.md index cd8cec4..22e13f7 100644 --- a/ansible/roles/dev-sec.ssh-hardening/CHANGELOG.md +++ b/ansible/roles/dev-sec.ssh-hardening/CHANGELOG.md 
@@ -1,6 +1,217 @@ -# Change Log +# Changelog + +## [Unreleased](https://github.com/dev-sec/ansible-ssh-hardening/tree/HEAD) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/8.0.0...HEAD) + +**Implemented enhancements:** + +- add changelog and release workflow [\#282](https://github.com/dev-sec/ansible-ssh-hardening/pull/282) ([rndmh3ro](https://github.com/rndmh3ro)) +- fix: Ansible part of Fedora build [\#281](https://github.com/dev-sec/ansible-ssh-hardening/pull/281) ([kostasns](https://github.com/kostasns)) +- Add changelog action [\#280](https://github.com/dev-sec/ansible-ssh-hardening/pull/280) ([rndmh3ro](https://github.com/rndmh3ro)) +- fix: Amazon linux build [\#279](https://github.com/dev-sec/ansible-ssh-hardening/pull/279) ([kostasns](https://github.com/kostasns)) +- feat: Allow to set custom list of HostKeyAlgorithms [\#278](https://github.com/dev-sec/ansible-ssh-hardening/pull/278) ([kostasns](https://github.com/kostasns)) +- fix\(ansible\_facts\): replace few remaining facts from 'ansible\_' to using 'ansible\_facts' dictionary [\#277](https://github.com/dev-sec/ansible-ssh-hardening/pull/277) ([kostasns](https://github.com/kostasns)) + +## [8.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/8.0.0) (2020-04-21) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/7.0.0...8.0.0) + +**Implemented enhancements:** + +- Remove dependency on bash [\#265](https://github.com/dev-sec/ansible-ssh-hardening/issues/265) +- Possibility to use other value than yes/no for AllowTCPforwarding [\#255](https://github.com/dev-sec/ansible-ssh-hardening/issues/255) +- Add support for Debian Buster in ansible-ssh-hardening [\#248](https://github.com/dev-sec/ansible-ssh-hardening/issues/248) +- Some options not configurable via the role [\#239](https://github.com/dev-sec/ansible-ssh-hardening/issues/239) +- PermitUserEnvironment should not be conflated with AcceptEnv 
[\#232](https://github.com/dev-sec/ansible-ssh-hardening/issues/232) +- Disable also dynamic MOTD via PAM if enabled - refs \#271 [\#273](https://github.com/dev-sec/ansible-ssh-hardening/pull/273) ([ancoron](https://github.com/ancoron)) +- Use sha2 HMACs on RHEL 6 / CentOS 6. [\#270](https://github.com/dev-sec/ansible-ssh-hardening/pull/270) ([foonix](https://github.com/foonix)) +- Removing 2fa [\#269](https://github.com/dev-sec/ansible-ssh-hardening/pull/269) ([dennisse](https://github.com/dennisse)) +- Renaming Ansible variables discovered from systems [\#268](https://github.com/dev-sec/ansible-ssh-hardening/pull/268) ([PovilasGT](https://github.com/PovilasGT)) +- Do not use bash to get ssh version [\#266](https://github.com/dev-sec/ansible-ssh-hardening/pull/266) ([kljensen](https://github.com/kljensen)) +- Add 'all', 'local', 'yes', 'no' options support for AllowTcpForwarding variable [\#257](https://github.com/dev-sec/ansible-ssh-hardening/pull/257) ([brnck](https://github.com/brnck)) +- Support KEX for OpenSSH 8.0+ & quantum resistant KEX [\#254](https://github.com/dev-sec/ansible-ssh-hardening/pull/254) ([lunarthegrey](https://github.com/lunarthegrey)) +- SFTP: set default umask to 0027 [\#252](https://github.com/dev-sec/ansible-ssh-hardening/pull/252) ([Slamdunk](https://github.com/Slamdunk)) +- Separate PermitUserEnviroment from AcceptEnv [\#251](https://github.com/dev-sec/ansible-ssh-hardening/pull/251) ([szEvEz](https://github.com/szEvEz)) +- Feature: Debian 10 \(Buster\) support [\#249](https://github.com/dev-sec/ansible-ssh-hardening/pull/249) ([jaredledvina](https://github.com/jaredledvina)) +- fix broken packages, extend README with furhter development instructions [\#246](https://github.com/dev-sec/ansible-ssh-hardening/pull/246) ([szEvEz](https://github.com/szEvEz)) +- refactor authenticationmethod settings, allow user to set authenticat… [\#245](https://github.com/dev-sec/ansible-ssh-hardening/pull/245) ([szEvEz](https://github.com/szEvEz)) +- 
RHEL/OL/CentOS 8 support [\#242](https://github.com/dev-sec/ansible-ssh-hardening/pull/242) ([Furragen](https://github.com/Furragen)) +- Added ssh\_syslog\_facility, ssh\_log\_level and ssh\_strict\_modes parameters [\#240](https://github.com/dev-sec/ansible-ssh-hardening/pull/240) ([bschonec](https://github.com/bschonec)) + +**Fixed bugs:** + +- HostKey comment "\# Req 20" breaks key based auth [\#262](https://github.com/dev-sec/ansible-ssh-hardening/issues/262) +- SSH fails to start/connect if custom server ports is set on CentOS 7.6 [\#212](https://github.com/dev-sec/ansible-ssh-hardening/issues/212) +- Google 2fa authentication problem [\#170](https://github.com/dev-sec/ansible-ssh-hardening/issues/170) +- vars: remove empty main.yml file [\#274](https://github.com/dev-sec/ansible-ssh-hardening/pull/274) ([paulfantom](https://github.com/paulfantom)) +- Only manage moduli when hardening server [\#267](https://github.com/dev-sec/ansible-ssh-hardening/pull/267) ([jbronn](https://github.com/jbronn)) +- Remove comment from sshd config HostKey param [\#263](https://github.com/dev-sec/ansible-ssh-hardening/pull/263) ([abtreece](https://github.com/abtreece)) + +## [7.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/7.0.0) (2019-09-15) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.2.0...7.0.0) + +**Implemented enhancements:** + +- Add new option ssh\_server\_match\_address [\#230](https://github.com/dev-sec/ansible-ssh-hardening/issues/230) +- set UsePAM to yes by default [\#233](https://github.com/dev-sec/ansible-ssh-hardening/pull/233) ([rndmh3ro](https://github.com/rndmh3ro)) + +**Fixed bugs:** + +- Unable to connect after applying the role \(Ubuntu 18.04, AWS EC2\) [\#229](https://github.com/dev-sec/ansible-ssh-hardening/issues/229) + +**Closed issues:** + +- Can't connect to new instance created from hardened image [\#189](https://github.com/dev-sec/ansible-ssh-hardening/issues/189) + +**Merged pull requests:** + +- 
changed string comparison to version comparison [\#234](https://github.com/dev-sec/ansible-ssh-hardening/pull/234) ([gobind-singh](https://github.com/gobind-singh)) + +## [6.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.2.0) (2019-08-05) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.1.3...6.2.0) + +**Implemented enhancements:** + +- added support for `ssh\_server\_match\_address` \(\#230\) [\#231](https://github.com/dev-sec/ansible-ssh-hardening/pull/231) ([MatthiasLohr](https://github.com/MatthiasLohr)) + +## [6.1.3](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.1.3) (2019-06-09) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.1.2...6.1.3) + +**Implemented enhancements:** + +- Fix squash\_actions deprecation in test playbooks [\#228](https://github.com/dev-sec/ansible-ssh-hardening/pull/228) ([Normo](https://github.com/Normo)) +- Fix deprecation warnings in Ansible 2.8 [\#227](https://github.com/dev-sec/ansible-ssh-hardening/pull/227) ([Normo](https://github.com/Normo)) + +**Fixed bugs:** + +- deprecation warnings in Ansible 2.8 [\#226](https://github.com/dev-sec/ansible-ssh-hardening/issues/226) + +## [6.1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.1.2) (2019-05-17) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.1.1...6.1.2) + +**Fixed bugs:** + +- sshd\_custom\_options used in ssh\_config generation [\#224](https://github.com/dev-sec/ansible-ssh-hardening/issues/224) + +**Merged pull requests:** + +- use correct variable ssh\_custom\_options in ssh\_config template [\#225](https://github.com/dev-sec/ansible-ssh-hardening/pull/225) ([rndmh3ro](https://github.com/rndmh3ro)) + +## [6.1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.1.1) (2019-05-07) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.1.0...6.1.1) + +**Fixed bugs:** + +- Missing indent for `ChrootDirectory` in `Match Group 
sftponly` [\#221](https://github.com/dev-sec/ansible-ssh-hardening/issues/221) + +**Merged pull requests:** + +- fix indentation for matches [\#222](https://github.com/dev-sec/ansible-ssh-hardening/pull/222) ([rndmh3ro](https://github.com/rndmh3ro)) + +## [6.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.1.0) (2019-05-04) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.0.0...6.1.0) + +**Implemented enhancements:** + +- PermitRootLogin yes [\#190](https://github.com/dev-sec/ansible-ssh-hardening/issues/190) +- Match Group' in configuration but 'user' not in connection test specification [\#188](https://github.com/dev-sec/ansible-ssh-hardening/issues/188) +- Allow custom values [\#175](https://github.com/dev-sec/ansible-ssh-hardening/issues/175) +- use selinux fact to check if selinux is used [\#220](https://github.com/dev-sec/ansible-ssh-hardening/pull/220) ([rndmh3ro](https://github.com/rndmh3ro)) +- Remove eol os and add fedora [\#218](https://github.com/dev-sec/ansible-ssh-hardening/pull/218) ([rndmh3ro](https://github.com/rndmh3ro)) +- document and move custom variables [\#217](https://github.com/dev-sec/ansible-ssh-hardening/pull/217) ([rndmh3ro](https://github.com/rndmh3ro)) +- fix: allow other ssh ports using selinux [\#214](https://github.com/dev-sec/ansible-ssh-hardening/pull/214) ([guilieb](https://github.com/guilieb)) +- Make ansible-lint happy [\#204](https://github.com/dev-sec/ansible-ssh-hardening/pull/204) ([alexclear](https://github.com/alexclear)) +- Fix ssh and sshd config files to satisfy inspec reqs on all Testkitchen setups [\#203](https://github.com/dev-sec/ansible-ssh-hardening/pull/203) ([alexclear](https://github.com/alexclear)) +- enable ssh 7.7p1 support [\#202](https://github.com/dev-sec/ansible-ssh-hardening/pull/202) ([rndmh3ro](https://github.com/rndmh3ro)) +- Removed DEPRECATION WARNING for apt, using list instead of with\_items 
[\#201](https://github.com/dev-sec/ansible-ssh-hardening/pull/201) ([jonaswre](https://github.com/jonaswre)) + +**Fixed bugs:** + +- Using more than one rule in a Group or User Match block? [\#207](https://github.com/dev-sec/ansible-ssh-hardening/issues/207) +- fix multiple match rules not working \#207 [\#208](https://github.com/dev-sec/ansible-ssh-hardening/pull/208) ([rndmh3ro](https://github.com/rndmh3ro)) + +## [6.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.0.0) (2018-11-18) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/5.0.0...6.0.0) + +**Implemented enhancements:** + +- Ubuntu 18.04 support [\#182](https://github.com/dev-sec/ansible-ssh-hardening/issues/182) +- Update opensshd.conf.js [\#196](https://github.com/dev-sec/ansible-ssh-hardening/pull/196) ([ikr0m](https://github.com/ikr0m)) + +**Fixed bugs:** + +- GSSAPI support broken. Can't be enabled. [\#192](https://github.com/dev-sec/ansible-ssh-hardening/issues/192) +- Unsupported option "rhostsrsaauthentication" "rsaauthentication" [\#184](https://github.com/dev-sec/ansible-ssh-hardening/issues/184) +- Weak kex are controlled by wrong variable ? 
[\#174](https://github.com/dev-sec/ansible-ssh-hardening/issues/174) +- Can't connect to server by SSH after applying this role [\#115](https://github.com/dev-sec/ansible-ssh-hardening/issues/115) + +**Closed issues:** + +- Support StreamLocalBindUnlink [\#197](https://github.com/dev-sec/ansible-ssh-hardening/issues/197) +- Add molecule testing [\#183](https://github.com/dev-sec/ansible-ssh-hardening/issues/183) + +**Merged pull requests:** + +- Support for custom configuration [\#199](https://github.com/dev-sec/ansible-ssh-hardening/pull/199) ([MatthiasLohr](https://github.com/MatthiasLohr)) +- parameterize PermitRootLogin [\#195](https://github.com/dev-sec/ansible-ssh-hardening/pull/195) ([rndmh3ro](https://github.com/rndmh3ro)) +- set 'GSSAPIAuthentication yes' if variable 'ssh\_gssapi\_support' is set to 'true' [\#194](https://github.com/dev-sec/ansible-ssh-hardening/pull/194) ([szEvEz](https://github.com/szEvEz)) +- Use ansible version compare module [\#187](https://github.com/dev-sec/ansible-ssh-hardening/pull/187) ([BentoumiTech](https://github.com/BentoumiTech)) +- add ubuntu 18.04 support [\#186](https://github.com/dev-sec/ansible-ssh-hardening/pull/186) ([rndmh3ro](https://github.com/rndmh3ro)) + +## [5.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/5.0.0) (2018-09-16) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.4.0...5.0.0) + +**Implemented enhancements:** + +- Fixing the broken Ansible dependency mechanism [\#176](https://github.com/dev-sec/ansible-ssh-hardening/issues/176) +- Include new baseline-tests [\#161](https://github.com/dev-sec/ansible-ssh-hardening/issues/161) +- GlobalKnownHostsFile missing from ssh\_config [\#155](https://github.com/dev-sec/ansible-ssh-hardening/issues/155) +- Options not compatible with OpenSSH server 7.6 [\#151](https://github.com/dev-sec/ansible-ssh-hardening/issues/151) +- Kitchen travis [\#180](https://github.com/dev-sec/ansible-ssh-hardening/pull/180) 
([rndmh3ro](https://github.com/rndmh3ro)) +- update config of kex, macs, ciphers [\#179](https://github.com/dev-sec/ansible-ssh-hardening/pull/179) ([rndmh3ro](https://github.com/rndmh3ro)) +- add debian 9 and a comment [\#178](https://github.com/dev-sec/ansible-ssh-hardening/pull/178) ([rndmh3ro](https://github.com/rndmh3ro)) +- Dependency flag [\#177](https://github.com/dev-sec/ansible-ssh-hardening/pull/177) ([jcheroske](https://github.com/jcheroske)) +- Travis [\#173](https://github.com/dev-sec/ansible-ssh-hardening/pull/173) ([rndmh3ro](https://github.com/rndmh3ro)) +- OpenBSD Support [\#171](https://github.com/dev-sec/ansible-ssh-hardening/pull/171) ([jbronn](https://github.com/jbronn)) +- Implement disabling chroot for sftp [\#166](https://github.com/dev-sec/ansible-ssh-hardening/pull/166) ([towo](https://github.com/towo)) +- New tests [\#163](https://github.com/dev-sec/ansible-ssh-hardening/pull/163) ([rndmh3ro](https://github.com/rndmh3ro)) +- yaml-lint update, refactor tasks [\#162](https://github.com/dev-sec/ansible-ssh-hardening/pull/162) ([rndmh3ro](https://github.com/rndmh3ro)) +- Handle a few deprecated OpenSSH options [\#160](https://github.com/dev-sec/ansible-ssh-hardening/pull/160) ([ageis](https://github.com/ageis)) +- Added support for TrustedUserCAKeys and AuthorizedPrincipalsFile. 
[\#157](https://github.com/dev-sec/ansible-ssh-hardening/pull/157) ([gdelafond](https://github.com/gdelafond)) +- Adds sshd config for keyboard-interactive pam device [\#156](https://github.com/dev-sec/ansible-ssh-hardening/pull/156) ([rcII](https://github.com/rcII)) +- Use package state 'present' since 'installed' is deprecated [\#154](https://github.com/dev-sec/ansible-ssh-hardening/pull/154) ([Normo](https://github.com/Normo)) +- conform to current dev-sec/ssh-baseline [\#150](https://github.com/dev-sec/ansible-ssh-hardening/pull/150) ([alval5280](https://github.com/alval5280)) +- new parameter: ssh\_max\_startups [\#149](https://github.com/dev-sec/ansible-ssh-hardening/pull/149) ([aeschbacher](https://github.com/aeschbacher)) +- Update syntax to 2.4 [\#148](https://github.com/dev-sec/ansible-ssh-hardening/pull/148) ([thomasjpfan](https://github.com/thomasjpfan)) +- Amazonlinux-Testing [\#147](https://github.com/dev-sec/ansible-ssh-hardening/pull/147) ([rndmh3ro](https://github.com/rndmh3ro)) +- Fixed trailing whitespace [\#146](https://github.com/dev-sec/ansible-ssh-hardening/pull/146) ([zbrojny120](https://github.com/zbrojny120)) +- Add support for Amazon Linux [\#145](https://github.com/dev-sec/ansible-ssh-hardening/pull/145) ([woneill](https://github.com/woneill)) + +**Fixed bugs:** + +- ssh\_server\_weak\_kex variable is not used any where [\#167](https://github.com/dev-sec/ansible-ssh-hardening/issues/167) +- opensshd.conf.j2 template type error [\#159](https://github.com/dev-sec/ansible-ssh-hardening/issues/159) +- line 56: Bad SSH2 mac spec [\#135](https://github.com/dev-sec/ansible-ssh-hardening/issues/135) + +**Closed issues:** + +- Travis & Debian 9 "Stretch" [\#158](https://github.com/dev-sec/ansible-ssh-hardening/issues/158) + +**Merged pull requests:** + +- remove oracle7 from travis tests for the time being [\#181](https://github.com/dev-sec/ansible-ssh-hardening/pull/181) ([rndmh3ro](https://github.com/rndmh3ro)) ## 
[4.4.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.4.0) (2017-12-29) + [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.3.1...4.4.0) **Implemented enhancements:** @@ -10,12 +221,11 @@ - allow configuration of GatewayPorts [\#136](https://github.com/dev-sec/ansible-ssh-hardening/pull/136) ([pwyliu](https://github.com/pwyliu)) - Added support for AuthorizedKeysFile config setting [\#132](https://github.com/dev-sec/ansible-ssh-hardening/pull/132) ([hyrsky](https://github.com/hyrsky)) - corrected comments explaining the task's behaviour [\#131](https://github.com/dev-sec/ansible-ssh-hardening/pull/131) ([martinbydefault](https://github.com/martinbydefault)) -- Add Two-Factor Authentication [\#123](https://github.com/dev-sec/ansible-ssh-hardening/pull/123) ([lazzurs](https://github.com/lazzurs)) +- Feature/2fa auth [\#123](https://github.com/dev-sec/ansible-ssh-hardening/pull/123) ([lazzurs](https://github.com/lazzurs)) **Fixed bugs:** - ssh\_use\_dns used twice in defaults/main.yml [\#129](https://github.com/dev-sec/ansible-ssh-hardening/issues/129) -- line 56: Bad SSH2 mac spec [\#135](https://github.com/dev-sec/ansible-ssh-hardening/issues/135) **Closed issues:** @@ -31,6 +241,7 @@ - force /bin/sh when getting openssh-version [\#134](https://github.com/dev-sec/ansible-ssh-hardening/pull/134) ([gtz42](https://github.com/gtz42)) ## [4.3.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.3.1) (2017-08-14) + [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.3.0...4.3.1) **Implemented enhancements:** 
@@ -46,7 +257,8 @@ - role creates duplicate parameter/values after run [\#124](https://github.com/dev-sec/ansible-ssh-hardening/issues/124) ## [4.3.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.3.0) (2017-08-03) -[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.3...4.3.0) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.2.0...4.3.0) **Implemented enhancements:** @@ -58,11 +270,13 @@ - Don't overwrite ssh\_host\_key\_files if set manually [\#125](https://github.com/dev-sec/ansible-ssh-hardening/pull/125) ([oakey-b1](https://github.com/oakey-b1)) - Add comment filter to {{ansible\_managed}} string [\#121](https://github.com/dev-sec/ansible-ssh-hardening/pull/121) ([fazlearefin](https://github.com/fazlearefin)) -## [4.1.3](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.3) (2017-06-30) -[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.2.0...4.1.3) - ## [4.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.2.0) (2017-06-30) -[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.2...4.2.0) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.3...4.2.0) + +## [4.1.3](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.3) (2017-06-30) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.2...4.1.3) **Implemented enhancements:** @@ -78,6 +292,7 @@ - Do not use shell when not needed + Lint whitespaces [\#118](https://github.com/dev-sec/ansible-ssh-hardening/pull/118) ([krhubert](https://github.com/krhubert)) ## [4.1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.2) (2017-05-31) + [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.1...4.1.2) **Implemented enhancements:** 
@@ -93,17 +308,15 @@ - Update readme to include baselines [\#110](https://github.com/dev-sec/ansible-ssh-hardening/issues/110) ## [4.1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.1) (2017-05-18) + [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.0...4.1.1) **Implemented enhancements:** - fix validation error [\#113](https://github.com/dev-sec/ansible-ssh-hardening/pull/113) ([pwyliu](https://github.com/pwyliu)) -**Fixed bugs:** - -- fix validation error [\#113](https://github.com/dev-sec/ansible-ssh-hardening/pull/113) ([pwyliu](https://github.com/pwyliu)) - ## [4.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.0) (2017-05-09) + [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.0.0...4.1.0) **Implemented enhancements:** @@ -123,6 +336,7 @@ - Adds option to enable password based authentication on the server [\#107](https://github.com/dev-sec/ansible-ssh-hardening/pull/107) ([colin-nolan](https://github.com/colin-nolan)) ## [4.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.0.0) (2017-04-22) + [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.2.0...4.0.0) **Implemented enhancements:** @@ -145,8 +359,6 @@ **Fixed bugs:** - SELinux-specific task still runs on SELinux-disabled systems [\#74](https://github.com/dev-sec/ansible-ssh-hardening/issues/74) -- List only one Port in ssh config [\#84](https://github.com/dev-sec/ansible-ssh-hardening/pull/84) ([fullyint](https://github.com/fullyint)) -- Fix ssh config to handle custom options per Host [\#83](https://github.com/dev-sec/ansible-ssh-hardening/pull/83) ([fullyint](https://github.com/fullyint)) **Closed issues:** 
@@ -159,6 +371,7 @@ - Fix ssh\_server\_ports and ssh\_client\_ports documentation bug [\#80](https://github.com/dev-sec/ansible-ssh-hardening/pull/80) ([kivilahtio](https://github.com/kivilahtio)) ## [3.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.2.0) (2016-10-24) + [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.1.0...3.2.0) **Implemented enhancements:** @@ -173,11 +386,8 @@ - Selinux issue [\#75](https://github.com/dev-sec/ansible-ssh-hardening/issues/75) - Running the tests locally [\#61](https://github.com/dev-sec/ansible-ssh-hardening/issues/61) -**Closed issues:** - -- Applied-Crypto-Hardening project and new cyphers. [\#28](https://github.com/dev-sec/ansible-ssh-hardening/issues/28) - ## [3.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.1.0) (2016-08-03) + [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.1...3.1.0) **Implemented enhancements:** @@ -185,6 +395,7 @@ - use new ciphers, kex, macs and privilege separation for redhat family 7 or later [\#72](https://github.com/dev-sec/ansible-ssh-hardening/issues/72) ## [3.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.1) (2016-08-03) + [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.0.0...3.1) **Implemented enhancements:** 
@@ -212,11 +423,12 @@ - Add SCP/SFTP to FAQ [\#58](https://github.com/dev-sec/ansible-ssh-hardening/pull/58) ([rndmh3ro](https://github.com/rndmh3ro)) ## [3.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.0.0) (2016-03-13) + [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/2.0.0...3.0.0) **Implemented enhancements:** -- Added sftp\_enabled, sftp\_chroot\_dir, and ssh\_client\_roaming from the … [\#57](https://github.com/dev-sec/ansible-ssh-hardening/pull/57) ([shirokatze](https://github.com/shirokatze)) +- Added sftp\_enabled, sftp\_chroot\_dir, and ssh\_client\_roaming from the … [\#57](https://github.com/dev-sec/ansible-ssh-hardening/pull/57) ([ghost](https://github.com/ghost)) - add test support for ansible 1.9 and 2.0 [\#56](https://github.com/dev-sec/ansible-ssh-hardening/pull/56) ([rndmh3ro](https://github.com/rndmh3ro)) - update platforms in meta-file [\#52](https://github.com/dev-sec/ansible-ssh-hardening/pull/52) ([rndmh3ro](https://github.com/rndmh3ro)) - add webhook for ansible galaxy [\#51](https://github.com/dev-sec/ansible-ssh-hardening/pull/51) ([rndmh3ro](https://github.com/rndmh3ro)) @@ -235,6 +447,7 @@ - New release 3.0.0 [\#59](https://github.com/dev-sec/ansible-ssh-hardening/pull/59) ([rndmh3ro](https://github.com/rndmh3ro)) ## [2.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/2.0.0) (2015-11-28) + [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2.1...2.0.0) **Closed issues:** @@ -248,6 +461,7 @@ - sftp\_enable option [\#41](https://github.com/dev-sec/ansible-ssh-hardening/pull/41) ([fitz123](https://github.com/fitz123)) ## [1.2.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2.1) (2015-10-16) + [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2...1.2.1) **Merged pull requests:** 
@@ -255,10 +469,12 @@ - Allow whitelisted groups on ssh [\#40](https://github.com/dev-sec/ansible-ssh-hardening/pull/40) ([fheinle](https://github.com/fheinle)) ## [1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2) (2015-09-28) + [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2.0...1.2) ## [1.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2.0) (2015-09-28) -[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1...1.2.0) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1.0...1.2.0) **Merged pull requests:** 
@@ -266,16 +482,20 @@ - Add more travis-tests [\#38](https://github.com/dev-sec/ansible-ssh-hardening/pull/38) ([rndmh3ro](https://github.com/rndmh3ro)) - Support for selinux and pam. fix \#23 [\#35](https://github.com/dev-sec/ansible-ssh-hardening/pull/35) ([rndmh3ro](https://github.com/rndmh3ro)) -## [1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.1) (2015-09-01) -[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1.0...1.1) - ## [1.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.1.0) (2015-09-01) -[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.0.0...1.1.0) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1...1.1.0) + +## [1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.1) (2015-09-01) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.0.0...1.1) **Closed issues:** - ssh\_ports - individual client/server config [\#33](https://github.com/dev-sec/ansible-ssh-hardening/issues/33) +- Applied-Crypto-Hardening project and new cyphers. [\#28](https://github.com/dev-sec/ansible-ssh-hardening/issues/28) - UsePAM should probably default to yes on Red Hat Linux 7 [\#23](https://github.com/dev-sec/ansible-ssh-hardening/issues/23) +- Running test-kitchen fails [\#2](https://github.com/dev-sec/ansible-ssh-hardening/issues/2) **Merged pull requests:** @@ -296,6 +516,9 @@ - Debian install script [\#19](https://github.com/dev-sec/ansible-ssh-hardening/pull/19) ([rndmh3ro](https://github.com/rndmh3ro)) ## [1.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.0.0) (2015-04-30) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/a9591764206b79a4ed324bb8576151ebac0127b1...1.0.0) + **Implemented enhancements:** - Update variable-documentation [\#12](https://github.com/dev-sec/ansible-ssh-hardening/pull/12) ([rndmh3ro](https://github.com/rndmh3ro)) 
@@ -304,7 +527,6 @@ - add travis test for ubuntu 12.04 [\#7](https://github.com/dev-sec/ansible-ssh-hardening/issues/7) - Use handler for sshd restart [\#6](https://github.com/dev-sec/ansible-ssh-hardening/issues/6) -- Running test-kitchen fails [\#2](https://github.com/dev-sec/ansible-ssh-hardening/issues/2) **Merged pull requests:** @@ -325,4 +547,4 @@ -\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* +\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)* diff --git a/ansible/roles/dev-sec.ssh-hardening/Gemfile b/ansible/roles/dev-sec.ssh-hardening/Gemfile index c11b3bf..3502d8f 100644 --- a/ansible/roles/dev-sec.ssh-hardening/Gemfile +++ b/ansible/roles/dev-sec.ssh-hardening/Gemfile @@ -11,6 +11,7 @@ group :integration do gem 'kitchen-sync' gem 'kitchen-transport-rsync' gem 'kitchen-docker' + gem 'inspec', '~> 3' end group :tools do diff --git a/ansible/roles/dev-sec.ssh-hardening/README.md b/ansible/roles/dev-sec.ssh-hardening/README.md index 1d0b759..cd61aec 100644 --- a/ansible/roles/dev-sec.ssh-hardening/README.md +++ b/ansible/roles/dev-sec.ssh-hardening/README.md @@ -12,7 +12,7 @@ Warning: This role disables root-login on the target server! Please make sure yo ## Requirements -* Ansible > 2.4 +* Ansible > 2.5 ## Role Variables | Name | Default Value | Description | 
@@ -22,17 +22,18 @@ Warning: This role disables root-login on the target server! Please make sure yo |`ssh_client_port` | '22' |port to which ssh-client should connect| |`ssh_listen_to` | ['0.0.0.0'] |one or more ip addresses, to which ssh-server should listen to. Default is all adresseses, but should be configured to specific addresses for security reasons!| |`ssh_host_key_files` | [] |Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version| +|`ssh_host_key_algorithms` | [] | Host key algorithms that the server offers. If empty the [default list](https://man.openbsd.org/sshd_config#HostKeyAlgorithms) will be used, otherwise overrides the setting with specified list of algorithms| |`ssh_client_alive_interval` | 600 | specifies an interval for sending keepalive messages | |`ssh_client_alive_count` | 3 | defines how often keep-alive messages are sent | |`ssh_permit_tunnel` | false | true if SSH Port Tunneling is required | |`ssh_remote_hosts` | [] | one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`.| -|`ssh_allow_root_with_key` | false | false to disable root login altogether. Set to true to allow root to login via key-based mechanism.| -|`ssh_allow_tcp_forwarding` | false | false to disable TCP Forwarding. Set to true to allow TCP Forwarding.| +|`ssh_permit_root_login` | no | Disable root-login. Set to `without-password` or `yes` to enable root-login | +|`ssh_allow_tcp_forwarding` | no | `no` to disable TCP Forwarding. Set to `yes` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `yes`, `no`, `all` or `local`| |`ssh_gateway_ports` | `false` | `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. 
Set to `clientspecified` to allow the client to specify which address to bind to.| |`ssh_allow_agent_forwarding` | false | false to disable Agent Forwarding. Set to true to allow Agent Forwarding.| |`ssh_pam_support` | true | true if SSH has PAM support.| -|`ssh_use_pam` | false | false to disable pam authentication.| -|`ssh_gssapi_support` | true | true if SSH has GSSAPI support.| +|`ssh_use_pam` | true | false to disable pam authentication.| +|`ssh_gssapi_support` | false | true if SSH has GSSAPI support.| |`ssh_kerberos_support` | true | true if SSH has Kerberos support.| |`ssh_deny_users` | '' | if specified, login is disallowed for user names that match one of the patterns.| |`ssh_allow_users` | '' | if specified, login is allowed only for user names that match one of the patterns.| @@ -46,6 +47,7 @@ Warning: This role disables root-login on the target server! Please make sure yo |`ssh_print_motd` | false | false to disable printing of the MOTD| |`ssh_print_last_log` | false | false to disable display of last login information| |`sftp_enabled` | false | true to enable sftp configuration| +|`sftp_umask` | 0027 | Specifies the umask for sftp| |`sftp_chroot` | true | false to disable chroot for sftp| |`sftp_chroot_dir` | /home/%u | change default sftp chroot location| |`ssh_client_roaming` | false | enable experimental client roaming| 
@@ -54,8 +56,6 @@ Warning: This role disables root-login on the target server! Please make sure yo |`ssh_challengeresponseauthentication` | false | Specifies whether challenge-response authentication is allowed (e.g. via PAM) | |`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client | |`ssh_server_password_login` | false | `true` to allow password-based authentication with the ssh server | -|`ssh_google_auth` | false | `true` to enable google authenticator based TOTP 2FA | -|`ssh_pam_device` | false | `true` to enable public key auth with pam device 2FA | |`ssh_banner` | `false` | `true` to print a banner on login | |`ssh_client_hardening` | `true` | `false` to stop harden the client | |`ssh_client_port` | `'22'` | Specifies the port number to connect on the remote host. | 
@@ -64,15 +64,40 @@ Warning: This role disables root-login on the target server! Please make sure yo |`ssh_print_debian_banner` | `false` | `true` to print debian specific banner | |`ssh_server_enabled` | `true` | `false` to disable the opensshd server | |`ssh_server_hardening` | `true` | `false` to stop harden the server | +|`ssh_server_match_address` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. | |`ssh_server_match_group` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. | |`ssh_server_match_user` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. | -|`ssh_server_permit_environment_vars` | `false` | `true` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd | +|`ssh_server_permit_environment_vars` | `no` | `yes` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. 
With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global "yes" or "no" settings | +|`ssh_server_accept_env_vars`| '' | Specifies what environment variables sent by the client will be copied into the session's enviroment, multiple environment variables may be separated by whitespace | |`ssh_use_dns` | `false` | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. | |`ssh_server_revoked_keys` | [] | a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys.| |`ssh_max_startups` | '10:30:100' | Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.| |`ssh_macs` | [] | Change this list to overwrite macs. Defaults found in `defaults/main.yml` | |`ssh_kex` | [] | Change this list to overwrite kexs. Defaults found in `defaults/main.yml` | |`ssh_ciphers` | [] | Change this list to overwrite ciphers. Defaults found in `defaults/main.yml` | +|`ssh_custom_options` | [] | Custom lines for SSH client configuration | +|`sshd_custom_options` | [] | Custom lines for SSH daemon configuration | +|`sshd_syslog_facility` | 'AUTH' | The facility code that is used when logging messages from sshd | +|`sshd_log_level` | 'VERBOSE' | the verbosity level that is used when logging messages from sshd | +|`sshd_strict_modes` | 'yes' | Check file modes and ownership of the user's files and home directory before accepting login | +|`sshd_authenticationmethods` | `publickey` | Specifies the authentication methods that must be successfully completed for a user to be granted access. Make sure to set all required variables for your selected authentication method. 
Defaults found in `defaults/main.yml` + +## Configuring settings not listed in role-variables + +If you want to configure ssh options that are not listed above, you can use `ssh_custom_options` (for `/etc/ssh/ssh_config`) or `sshd_custom_options` (for `/etc/ssh/sshd_config`) to set them. These options will be set on the **beginning** of the file so you can override options further down in the file. + +Example playbook: + +``` +- hosts: localhost + roles: + - dev-sec.ssh-hardening + vars: + ssh_custom_options: + - "Include /etc/ssh/ssh_config.d/*" + sshd_custom_options: + - "AcceptEnv LANG" +``` ## Example Playbook @@ -97,27 +122,31 @@ bundle install ### Testing with Docker ``` # fast test on one machine -bundle exec kitchen test default-ubuntu-1204 +bundle exec kitchen test ssh-ubuntu1804-ansible-latest # test on all machines bundle exec kitchen test # for development -bundle exec kitchen create default-ubuntu-1204 -bundle exec kitchen converge default-ubuntu-1204 +bundle exec kitchen create ssh-ubuntu1804-ansible-latest +bundle exec kitchen converge ssh-ubuntu1804-ansible-latest +bundle exec kitchen verify ssh-ubuntu1804-ansible-latest + +# cleanup +bundle exec kitchen destroy ssh-ubuntu1804-ansible-latest ``` ### Testing with Virtualbox ``` # fast test on one machine -KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test default-ubuntu-1204 +KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test ssh-ubuntu-1804 # test on all machines KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test # for development -KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen create default-ubuntu-1204 -KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen converge default-ubuntu-1204 +KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen create ssh-ubuntu-1804 +KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen converge ssh-ubuntu-1804 ``` For more information see [test-kitchen](http://kitchen.ci/docs/getting-started) 
diff --git a/ansible/roles/dev-sec.ssh-hardening/defaults/main.yml b/ansible/roles/dev-sec.ssh-hardening/defaults/main.yml index 36c8e09..865bf18 100644 --- a/ansible/roles/dev-sec.ssh-hardening/defaults/main.yml +++ b/ansible/roles/dev-sec.ssh-hardening/defaults/main.yml @@ -30,6 +30,9 @@ ssh_listen_to: ['0.0.0.0'] # sshd # Host keys to look for when starting sshd. ssh_host_key_files: [] # sshd +# Specifies the host key algorithms that the server offers +ssh_host_key_algorithms: [] # sshd + # Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. ssh_max_auth_retries: 2 @@ -48,11 +51,11 @@ ssh_permit_tunnel: false # options: ['StrictHostKeyChecking no'] ssh_remote_hosts: [] -# false to disable root login altogether. Set to true to allow root to login via key-based mechanism. -ssh_allow_root_with_key: false # sshd +# Set this to "without-password" or "yes" to allow root to login +ssh_permit_root_login: 'no' # sshd # false to disable TCP Forwarding. Set to true to allow TCP Forwarding. -ssh_allow_tcp_forwarding: false # sshd +ssh_allow_tcp_forwarding: 'no' # sshd # false to disable binding forwarded ports to non-loopback addresses. Set to true to force binding on wildcard address. # Set to 'clientspecified' to allow the client to specify which address to bind to. @@ -65,16 +68,13 @@ ssh_allow_agent_forwarding: false # sshd ssh_pam_support: true # false to disable pam authentication. -ssh_use_pam: false # sshd +ssh_use_pam: true # sshd -# false to disable google 2fa authentication -ssh_google_auth: false # sshd - -# false to disable pam device 2FA input -ssh_pam_device: false # sshd +# specify AuthenticationMethods +sshd_authenticationmethods: 'publickey' # true if SSH support GSSAPI -ssh_gssapi_support: true +ssh_gssapi_support: false # true if SSH support Kerberos ssh_kerberos_support: true 
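Review bot: The comment above `ssh_allow_tcp_forwarding` still reads `# false to disable TCP Forwarding. Set to true to allow TCP Forwarding.` while the value is now the quoted string `'no'`, and the role README in this same commit documents `yes`/`no`/`all`/`local` as the accepted values. A user following the comment and writing a bare `true` would presumably get `True` in the rendered sshd_config (the template is not in this diff), which is not a value sshd accepts for AllowTcpForwarding. Suggest `# 'no' to disable TCP Forwarding. Set to 'yes' to allow it; on OpenSSH >= 6.2 'all' or 'local' are also accepted. Keep the value quoted.`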
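Review bot: `sshd_authenticationmethods: 'publickey'` arrives with only `# specify AuthenticationMethods` as documentation, while the same hunk deletes the `ssh_google_auth` and `ssh_pam_device` switches; an inventory that still sets those now silently gets no second factor and no error. Suggest a fuller comment along the lines of `# AuthenticationMethods for sshd: space-separated alternatives, comma-separated chains (e.g. 'publickey,keyboard-interactive'). The former ssh_google_auth / ssh_pam_device 2FA switches were removed; configure the PAM side separately and list the methods here.` In the consuming playbooks an `assert` that those two removed variables are undefined would make the upgrade fail loudly instead of quietly weakening authentication. The default flip to `ssh_use_pam: true` also deserves a line noting that password login stays governed by `ssh_server_password_login`, which the README lists as `false` — presumably PAM is then only used for account and session handling, to be confirmed against the template.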
@@ -139,6 +139,9 @@ sftp_enabled: false # false to disable sftp chroot sftp_chroot: true +# sftp default umask +sftp_umask: 0027 + # change default sftp chroot location sftp_chroot_dir: /home/%u @@ -151,7 +154,11 @@ ssh_server_match_user: false # sshd # list of hashes (containing group and rules) to generate Match Group blocks for. ssh_server_match_group: false # sshd -ssh_server_permit_environment_vars: false +# list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for. +ssh_server_match_address: false # sshd + +ssh_server_permit_environment_vars: 'no' +ssh_server_accept_env_vars : '' # maximum number of concurrent unauthenticated connections to the SSH daemon ssh_max_startups: '10:30:100' # sshd @@ -167,6 +174,10 @@ ssh_macs_53_default: - hmac-ripemd160 - hmac-sha1 +ssh_macs_53_el_6_5_default: + - hmac-sha2-512 + - hmac-sha2-256 + ssh_macs_59_default: - hmac-sha2-512 - hmac-sha2-256 @@ -205,6 +216,11 @@ ssh_kex_59_default: ssh_kex_66_default: - curve25519-sha256@libssh.org - diffie-hellman-group-exchange-sha256 + +ssh_kex_80_default: + - sntrup4591761x25519-sha512@tinyssh.org + - curve25519-sha256@libssh.org + - diffie-hellman-group-exchange-sha256 # directory where to store ssh_password policy ssh_custom_selinux_dir: '/etc/selinux/local-policies' @@ -220,4 +236,16 @@ ssh_server_revoked_keys: [] # Set to false to turn the role into a no-op. Useful when using # the Ansible role dependency mechanism. -ssh_hardening_enabled: true \ No newline at end of file +ssh_hardening_enabled: true + +# Custom options for SSH client configuration file +ssh_custom_options: [] + +# Custom options for SSH daemon configuration file +sshd_custom_options: [] + +# Logging +sshd_syslog_facility: 'AUTH' +sshd_log_level: 'VERBOSE' + +sshd_strict_modes: yes diff --git a/ansible/roles/dev-sec.ssh-hardening/meta/.galaxy_install_info b/ansible/roles/dev-sec.ssh-hardening/meta/.galaxy_install_info index c80f7cc..b8b48bf 100644 
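Review bot: `sftp_umask: 0027` is an unquoted leading-zero scalar, which YAML 1.1 loaders such as the PyYAML Ansible uses read as the octal integer 23. Wherever the template interpolates it (not visible in this diff) sshd will receive `23`, and sftp-server interprets its umask argument as octal, so the effective mask becomes 0023 and other-read is no longer masked — the opposite of the hardening intent. Quote it: `sftp_umask: '0027'`, and the README row added in this commit should show the quoted form as well.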
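Review bot: `ssh_server_accept_env_vars : ''` has a space before the colon, which yamllint's `colons` rule rejects and which no other key in this file uses; write `ssh_server_accept_env_vars: ''`. Neither this key nor `ssh_server_permit_environment_vars: 'no'` carries a comment, unlike their neighbours. Suggest `# 'no' to ignore ~/.ssh/environment and environment= options in authorized_keys; OpenSSH >= 7.8 also accepts a pattern list of variable names` and `# whitespace-separated client environment variables copied into the session (AcceptEnv); keep empty unless needed, since accepted variables can influence login programs`, in line with the README rows this commit adds.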
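Review bot: `ssh_kex_80_default` lists `sntrup4591761x25519-sha512@tinyssh.org` first and crypto.yml selects this list for every sshd reporting 8.0 or newer with no upper bound; as far as I recall that experimental identifier was renamed to `sntrup761x25519-sha512@openssh.com` in OpenSSH 8.5 and the old name dropped, in which case the `sshd -T` validation would reject the generated config on newer hosts. Either narrow the selector to the releases that know this name or add `# only valid on OpenSSH 8.0-8.4; later releases renamed the sntrup method, add a version-specific list for them` so the next maintainer is warned. Verify against the target sshd before relying on this default.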
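Review bot: `sshd_strict_modes: yes` is an unquoted truthy scalar, so the loader turns it into boolean `True`, while every other yes/no sshd knob added in this commit (`ssh_permit_root_login: 'no'`, `ssh_allow_tcp_forwarding: 'no'`, `ssh_server_permit_environment_vars: 'no'`) and the README row for this key (`'yes'`) use quoted strings. Unless the template normalises booleans (not visible here), `StrictModes True` is not a value sshd accepts and validation would fail. Write `sshd_strict_modes: 'yes'` for consistency. The logging keys would also benefit from a why-comment, e.g. `# VERBOSE logs the fingerprint of the key used for each login, which audit and detection tooling relies on`.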
--- a/ansible/roles/dev-sec.ssh-hardening/meta/.galaxy_install_info +++ b/ansible/roles/dev-sec.ssh-hardening/meta/.galaxy_install_info @@ -1 +1,2 @@ -{install_date: 'Mon Dec 17 12:48:22 2018', version: 5.0.0} +install_date: Fri May 15 20:29:21 2020 +version: 8.1.0 diff --git a/ansible/roles/dev-sec.ssh-hardening/meta/main.yml b/ansible/roles/dev-sec.ssh-hardening/meta/main.yml index d231975..2f7eb5a 100644 --- a/ansible/roles/dev-sec.ssh-hardening/meta/main.yml +++ b/ansible/roles/dev-sec.ssh-hardening/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: 'This Ansible role provides numerous security-related ssh configurations, providing all-round base protection.' company: Hardening Framework Team license: Apache License 2.0 - min_ansible_version: '2.4' + min_ansible_version: '2.5' platforms: - name: EL versions: @@ -12,14 +12,14 @@ galaxy_info: - 7 - name: Ubuntu versions: - - precise - - trusty - xenial + - bionic - name: Debian versions: - - wheezy - - jessie + - stretch + - buster - name: Amazon + - name: Fedora galaxy_tags: - system - security diff --git a/ansible/roles/dev-sec.ssh-hardening/tasks/2fa.yml b/ansible/roles/dev-sec.ssh-hardening/tasks/2fa.yml deleted file mode 100644 index 419a106..0000000 --- a/ansible/roles/dev-sec.ssh-hardening/tasks/2fa.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -# Install the 2FA packages and setup the config in PAM and SSH -- name: Install google authenticator PAM module - apt: - name: 'libpam-google-authenticator' - state: present - when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' - -- name: Install google authenticator PAM module - yum: - name: 'google-authenticator' - state: present - when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux' - -- name: Add google auth module to PAM - pamd: - name: 'sshd' - type: 'auth' - control: 'required' - module_path: 'pam_google_authenticator.so' - -- name: Remove password auth from PAM - pamd: - name: 'sshd' - type: 'auth' - control: 'substack' - module_path: 'password-auth' - state: absent - when: ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux' or ansible_distribution == 'Amazon' - -- name: Remove password auth from PAM - replace: - dest: '/etc/pam.d/sshd' - regexp: '^@include common-auth' - replace: '#@include common-auth' - when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' diff --git a/ansible/roles/dev-sec.ssh-hardening/tasks/crypto.yml b/ansible/roles/dev-sec.ssh-hardening/tasks/crypto.yml index 31371ad..364f6b7 100644 --- a/ansible/roles/dev-sec.ssh-hardening/tasks/crypto.yml +++ b/ansible/roles/dev-sec.ssh-hardening/tasks/crypto.yml 
@@ -3,61 +3,73 @@ - name: set hostkeys according to openssh-version set_fact: ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] - when: sshd_version.stdout >= '6.3' and not ssh_host_key_files + when: sshd_version is version('6.3', '>=') and not ssh_host_key_files - name: set hostkeys according to openssh-version set_fact: ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key'] - when: sshd_version.stdout >= '6.0' and not ssh_host_key_files + when: sshd_version is version('6.0', '>=') and not ssh_host_key_files - name: set hostkeys according to openssh-version set_fact: ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key'] - when: sshd_version.stdout >= '5.3' and not ssh_host_key_files + when: sshd_version is version('5.3', '>=') and not ssh_host_key_files ### - name: set macs according to openssh-version if openssh >= 7.6 set_fact: ssh_macs: '{{ ssh_macs_76_default }}' - when: sshd_version.stdout >= '7.6' and not ssh_macs + when: sshd_version is version('7.6', '>=') and not ssh_macs - name: set macs according to openssh-version if openssh >= 6.6 set_fact: ssh_macs: '{{ ssh_macs_66_default }}' - when: sshd_version.stdout >= '6.6' and not ssh_macs + when: sshd_version is version('6.6', '>=') and not ssh_macs - name: set macs according to openssh-version set_fact: ssh_macs: '{{ ssh_macs_59_default }}' - when: sshd_version.stdout >= '5.9' and not ssh_macs + when: sshd_version is version('5.9', '>=') and not ssh_macs + +- name: set macs for Enterprise Linux >= 6.5 (openssh 5.3 with backports) + set_fact: + ssh_macs: '{{ ssh_macs_53_el_6_5_default }}' + when: + - ansible_facts.distribution in ['CentOS', 'OracleLinux', 'RedHat'] + - ansible_facts.distribution_version is version('6.5', '>=') + - not ssh_macs - name: set macs according to openssh-version set_fact: ssh_macs: '{{ ssh_macs_53_default }}' - when: sshd_version.stdout >= '5.3' and not ssh_macs + when: sshd_version is 
version('5.3', '>=') and not ssh_macs ### - name: set ciphers according to openssh-version if openssh >= 6.6 set_fact: ssh_ciphers: '{{ ssh_ciphers_66_default }}' - when: sshd_version.stdout >= '6.6' and not ssh_ciphers + when: sshd_version is version('6.6', '>=') and not ssh_ciphers - name: set ciphers according to openssh-version set_fact: ssh_ciphers: '{{ ssh_ciphers_53_default }}' - when: sshd_version.stdout >= '5.3' and not ssh_ciphers + when: sshd_version is version('5.3', '>=') and not ssh_ciphers ### +- name: set kex according to openssh-version if openssh >= 8.0 + set_fact: + ssh_kex: '{{ ssh_kex_80_default }}' + when: sshd_version is version('8.0', '>=') and not ssh_kex + - name: set kex according to openssh-version if openssh >= 6.6 set_fact: ssh_kex: '{{ ssh_kex_66_default }}' - when: sshd_version.stdout >= '6.6' and not ssh_kex + when: sshd_version is version('6.6', '>=') and not ssh_kex - name: set kex according to openssh-version set_fact: ssh_kex: '{{ ssh_kex_59_default }}' - when: sshd_version.stdout >= '5.9' and not ssh_kex - + when: sshd_version is version('5.9', '>=') and not ssh_kex diff --git a/ansible/roles/dev-sec.ssh-hardening/tasks/hardening.yml b/ansible/roles/dev-sec.ssh-hardening/tasks/hardening.yml index 0e971d7..02be78f 100644 --- a/ansible/roles/dev-sec.ssh-hardening/tasks/hardening.yml +++ b/ansible/roles/dev-sec.ssh-hardening/tasks/hardening.yml 
@@ -2,19 +2,21 @@ - name: Set OS dependent variables include_vars: '{{ item }}' with_first_found: - - '{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml' - - '{{ ansible_distribution }}.yml' - - '{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml' - - '{{ ansible_os_family }}.yml' + - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml' + - '{{ ansible_facts.distribution }}.yml' + - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml' + - '{{ ansible_facts.os_family }}.yml' - name: get openssh-version - shell: ssh -V 2>&1 | sed -r 's/.*_([0-9]*\.[0-9]).*/\1/g' - args: - executable: /bin/sh + command: ssh -V + register: sshd_version_raw changed_when: false - register: sshd_version check_mode: no +- name: parse openssh-version + set_fact: + sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]*.[0-9]).*', '\\1') }}" + - name: include tasks to create crypo-vars include_tasks: crypto.yml @@ -26,7 +28,7 @@ owner: '{{ ssh_owner }}' group: '{{ ssh_group }}' notify: restart sshd - when: ssh_server_hardening + when: ssh_server_hardening | bool - name: create sshd_config and set permissions to root/600 template: @@ -35,9 +37,21 @@ mode: '0600' owner: '{{ ssh_owner }}' group: '{{ ssh_group }}' - validate: '/usr/sbin/sshd -T -f %s' + validate: '/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -f %s' notify: restart sshd - when: ssh_server_hardening + when: ssh_server_hardening | bool + +- name: disable dynamic MOTD + pamd: + name: sshd + type: session + control: optional + module_path: pam_motd.so + state: absent + when: + - ssh_server_hardening | bool + - ssh_pam_support | bool + - not (ssh_print_motd | bool) - name: create ssh_config and set permissions to root/644 template: 
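Review bot: In the new `parse openssh-version` task the pattern `'.*_([0-9]*.[0-9]).*'` leaves the dot between major and minor unescaped, so it matches any character, whereas the sed it replaces used `\.`; write `regex_replace('.*_([0-9]*\\.[0-9]).*', '\\1')`. More importantly, `regex_replace` returns its input unchanged when the pattern does not match, so an unexpected `ssh -V` banner would leave `sshd_version` as the whole stderr line and every later `is version(...)` test in crypto.yml and the templates would error or misjudge the version. An `assert` that `sshd_version is match('^[0-9]+\.[0-9]+$')` right after this task would fail with a clear message instead.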
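Review bot: The new `disable dynamic MOTD` task removes the `session optional pam_motd.so` rule from `/etc/pam.d/sshd`, but nothing in the role re-adds it, so setting `ssh_print_motd` back to `true` later does not undo the change; worth stating above the task, e.g. `# One-way change: the removed PAM rule is not restored when ssh_print_motd is re-enabled`. On Ubuntu this file typically carries two pam_motd lines and `state: absent` keyed only on type/control/module_path presumably drops both — confirm that is intended and say so in the comment.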
@@ -46,38 +60,27 @@ mode: '0644' owner: '{{ ssh_owner }}' group: '{{ ssh_group }}' - when: ssh_client_hardening + when: ssh_client_hardening | bool - name: Check if {{ sshd_moduli_file }} contains weak DH parameters shell: awk '$5 < {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }} register: sshd_register_moduli changed_when: false check_mode: no + when: ssh_server_hardening | bool - name: remove all small primes shell: awk '$5 >= {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }} > {{ sshd_moduli_file }}.new ; [ -r {{ sshd_moduli_file }}.new -a -s {{ sshd_moduli_file }}.new ] && mv {{ sshd_moduli_file }}.new {{ sshd_moduli_file }} || true notify: restart sshd - when: sshd_register_moduli.stdout + when: + - ssh_server_hardening | bool + - sshd_register_moduli.stdout - name: include tasks to setup ca keys and principals include_tasks: ca_keys_and_principals.yml - when: ssh_trusted_user_ca_keys_file != '' - -- name: include tasks to setup 2FA - include_tasks: 2fa.yml - when: - - ssh_use_pam - - ssh_challengeresponseauthentication - - ssh_google_auth - -- name: test to see if selinux is installed and running - command: getenforce - register: sestatus - failed_when: false - changed_when: false - check_mode: no + when: ssh_trusted_user_ca_keys_file | length > 0 - name: include selinux specific tasks include_tasks: selinux.yml - when: sestatus.rc == 0 + when: ansible_facts.selinux and ansible_facts.selinux.status == "enabled" diff --git a/ansible/roles/dev-sec.ssh-hardening/tasks/main.yml b/ansible/roles/dev-sec.ssh-hardening/tasks/main.yml index 4046637..32f9d02 100644 --- a/ansible/roles/dev-sec.ssh-hardening/tasks/main.yml +++ b/ansible/roles/dev-sec.ssh-hardening/tasks/main.yml @@ -1,4 +1,4 @@ --- - include_tasks: hardening.yml - when: ssh_hardening_enabled + when: ssh_hardening_enabled | bool diff --git a/ansible/roles/dev-sec.ssh-hardening/tasks/selinux.yml b/ansible/roles/dev-sec.ssh-hardening/tasks/selinux.yml index d657bdf..43b8d08 100644 
--- a/ansible/roles/dev-sec.ssh-hardening/tasks/selinux.yml +++ b/ansible/roles/dev-sec.ssh-hardening/tasks/selinux.yml @@ -1,24 +1,22 @@ --- -- name: install selinux dependencies when selinux is installed on RHEL or Oracle Linux +- name: install selinux dependencies when selinux is installed package: - name: '{{ item }}' + name: '{{ ssh_selinux_packages }}' state: present - with_items: - - 'policycoreutils-python' - - 'checkpolicy' - when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux' -- name: install selinux dependencies when selinux is installed on Debian or Ubuntu - apt: - name: '{{ item }}' +- name: "authorize {{ ssh_server_ports }} ports for selinux" + seport: + ports: '{{ item }}' + proto: tcp + setype: ssh_port_t state: present with_items: - - 'policycoreutils' - - 'checkpolicy' - when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' + - "{{ ssh_server_ports }}" - name: check if ssh_password module is already installed - shell: 'semodule -l | grep ssh_password' + shell: 'set -o pipefail && semodule -l | grep ssh_password' + args: + executable: /bin/bash register: ssh_password_module failed_when: false changed_when: false 
@@ -41,17 +39,18 @@
 dest: '{{ ssh_custom_selinux_dir }}'
 - name: check and compile policy
- shell: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password
+ command: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password
 - name: create selinux policy module package
- shell: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp -m {{ ssh_custom_selinux_dir }}/ssh_password.mod
+ command: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp -m {{ ssh_custom_selinux_dir }}/ssh_password.mod
 - name: install selinux policy
- shell: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp
+ command: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp
- when: not ssh_use_pam and sestatus.stdout != 'Disabled' and ssh_password_module.stdout.find('ssh_password') != 0
+ when: not ssh_use_pam | bool and ssh_password_module.stdout.find('ssh_password') != 0
 # The following tasks only get executed when selinux is installed, UsePam is 'yes' and the ssh_password module is installed.
-- name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk (http://danwalsh.livejournal.com/12333.html)
+# See http://danwalsh.livejournal.com/12333.html for more info
+- name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk
 command: semodule -r ssh_password
- when: ssh_use_pam and ssh_password_module.stdout.find('ssh_password') == 0
+ when: ssh_use_pam | bool and ssh_password_module.stdout.find('ssh_password') == 0
diff --git a/ansible/roles/dev-sec.ssh-hardening/templates/openssh.conf.j2 b/ansible/roles/dev-sec.ssh-hardening/templates/openssh.conf.j2
index b644ae3..106b887 100644
--- a/ansible/roles/dev-sec.ssh-hardening/templates/openssh.conf.j2
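Review bot: `ssh_password_module.stdout.find('ssh_password') != 0` is a fragile presence test: `find` returns 0 only when the match starts the output, so any other module whose name merely contains `ssh_password`, or a leading line from `semodule -l`, makes the module look absent and `semodule -i` re-runs on every play, while the inverse `== 0` in the removal task then never fires. The probe above now runs under pipefail with `failed_when: false`, so `ssh_password_module.rc != 0` for the install branch and `ssh_password_module.rc == 0` for the removal branch are the direct checks. The `when:` after the install task looks like it belongs to an enclosing block whose start is outside the hunk; if it is per-task, the checkmodule and semodule_package steps run even when PAM is in use.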
+++ b/ansible/roles/dev-sec.ssh-hardening/templates/openssh.conf.j2
@@ -2,7 +2,15 @@
 # This is the ssh client system-wide configuration file.
 # See ssh_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
-#
+
+{% if ssh_custom_options -%}
+# Custom configuration that overwrites default configuration
+# ==========================================================
+{% for line in ssh_custom_options %}
+{{ line }}
+{% endfor %}
+{% endif %}
+
 # Basic configuration
 # ===================
@@ -82,7 +90,7 @@ ForwardX11 no
 # Never use host-based authentication. It can be exploited.
 HostbasedAuthentication no
-{% if sshd_version.stdout | float < 7.4 -%}
+{% if sshd_version is version('7.6', '<') %}
 RhostsRSAAuthentication no
 # Enable RSA authentication via identity files.
 RSAAuthentication yes
@@ -111,7 +119,7 @@ Compression yes
 #EscapeChar ~
 #VisualHostKey yes
-{% if sshd_version.stdout | float <= 7.1 -%}
+{% if sshd_version is version('7.1', '<=') %}
 # Disable experimental client roaming. This is known to cause potential issues with secrets being disclosed to malicious servers and defaults to being disabled.
 UseRoaming {{ 'yes' if ssh_client_roaming else 'no' }}
 {% endif %}
diff --git a/ansible/roles/dev-sec.ssh-hardening/templates/opensshd.conf.j2 b/ansible/roles/dev-sec.ssh-hardening/templates/opensshd.conf.j2
index ed8a1ba..0a60174 100644
--- a/ansible/roles/dev-sec.ssh-hardening/templates/opensshd.conf.j2
+++ b/ansible/roles/dev-sec.ssh-hardening/templates/opensshd.conf.j2
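Review bot: The custom-options block is rendered before every other directive, and ssh_config(5) uses the first obtained value per keyword, so a line in `ssh_custom_options` silently wins over the role's own settings; the heading says "overwrites" but nothing tells a reader that this includes the hardening directives below, or that an `Include` line (as the test playbook later in this diff adds) pulls in files this role never reviews. A comment such as `# First obtained value wins: anything listed here overrides every directive that follows, including the hardening settings` would make the trade-off explicit. The `{% for line in ssh_custom_options %}` tag also differs from the `-%}` form used for the same loop in opensshd.conf.j2; matching them keeps the two templates' whitespace behaviour aligned.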
@@ -3,11 +3,19 @@
 # This is the ssh client system-wide configuration file.
 # See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
+{% if sshd_custom_options -%}
+# Custom configuration that overwrites default configuration
+# ==========================================================
+{% for line in sshd_custom_options -%}
+{{ line }}
+{% endfor %}
+{% endif %}
+
 # Basic configuration
 # ===================
-# Either disable or only allowssh root login via certificates.
-PermitRootLogin {{ 'without-password' if (ssh_allow_root_with_key|bool) else 'no' }}
+# Either disable or only allow root login via certificates.
+PermitRootLogin {{ ssh_permit_root_login }}
 # Define which port sshd should listen to. Default to `22`.
 {% for port in ssh_server_ports -%}
@@ -24,9 +32,14 @@ ListenAddress {{address}}
 # List HostKeys here.
 {% for key in ssh_host_key_files -%}
-HostKey {{key}} # Req 20
+HostKey {{key}}
 {% endfor %}
+# Specifies the host key algorithms that the server offers.
+{% if sshd_version is version('5.8', '>=') %}
+{{ "HostKeyAlgorithms "+ssh_host_key_algorithms| join(',') if ssh_host_key_algorithms else "HostKeyAlgorithms"|comment }}
+{% endif %}
+
 # Security configuration
 # ======================
@@ -34,11 +47,11 @@ HostKey {{key}} # Req 20
 Protocol 2
 # Make sure sshd checks file modes and ownership before accepting logins. This prevents accidental misconfiguration.
-StrictModes yes
+StrictModes {{ 'yes' if (sshd_strict_modes|bool) else 'no' }}
 # Logging, obsoletes QuietMode and FascistLogging
-SyslogFacility AUTH
-LogLevel VERBOSE
+SyslogFacility {{ sshd_syslog_facility }}
+LogLevel {{ sshd_log_level }}
 # Cryptography
 # ------------
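Review bot: `PermitRootLogin {{ ssh_permit_root_login }}` inserts the variable unvalidated, whereas the replaced line could only produce `no` or `without-password` and the new AllowTcpForwarding line later in this template checks its value against an allowed set; a typo or a stray `yes` here re-enables root password login and sshd accepts it without complaint. `PermitRootLogin {{ ssh_permit_root_login if ssh_permit_root_login in ('no', 'prohibit-password', 'without-password', 'forced-commands-only') else 'no' }}` keeps the fail-closed behaviour the old template had. The same passthrough applies to `SyslogFacility`/`LogLevel`: `VERBOSE` is the level that records the public-key fingerprint for each login, so if the new `sshd_log_level` default (outside this hunk) is lower, that detection signal is lost silently.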
@@ -75,8 +88,11 @@ LogLevel VERBOSE
 # --------------
 # Secure Login directives.
-{% if sshd_version.stdout | float < 7.5 -%}
-UsePrivilegeSeparation {% if (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') or (ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6') -%}{{ssh_ps53}}{% else %}{{ssh_ps59}}{% endif %}
+{% if sshd_version is version('7.4', '<') %}
+UseLogin no
+{% endif %}
+{% if sshd_version is version('7.5', '<') %}
+UsePrivilegeSeparation {% if (ansible_facts.distribution == 'Debian' and ansible_facts.distribution_major_version <= '6') or (ansible_facts.os_family in ['Oracle Linux', 'RedHat'] and ansible_facts.distribution_major_version <= '6' and not ansible_facts.distribution == 'Amazon') -%}{{ssh_ps53}}{% else %}{{ssh_ps59}}{% endif %}
 {% endif %}
 LoginGraceTime 30s
@@ -96,14 +112,11 @@ HostbasedAuthentication no
 {% if ssh_pam_support -%}
 UsePAM {{ 'yes' if (ssh_use_pam|bool) else 'no' }}
 {% endif %}
-{% if ssh_google_auth %}
-# Force public key auth then ask for google auth code
-AuthenticationMethods publickey,keyboard-interactive
-{% endif %}
-# Force public key auth then ask for pam device input
-{% if ssh_pam_device %}
-AuthenticationMethods publickey,keyboard-interactive:pam
+# Set AuthenticationMethods per default to publickey
+# AuthenticationMethods was introduced in OpenSSH 6.2 - https://www.openssh.com/txt/release-6.2
+{% if sshd_version is version('6.2', '>=') %}
+AuthenticationMethods {{ sshd_authenticationmethods }}
 {% endif %}
 # Disable password-based authentication, it can allow for potentially easier brute-force attacks.
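Review bot: `ansible_facts.distribution_major_version <= '6'` in the new UsePrivilegeSeparation line compares strings, so `'10' <= '6'` is true and Debian 10 (or any two-digit major) is classed as a legacy release; it is only masked because the enclosing `sshd_version is version('7.5', '<')` test is false on those versions. `ansible_facts.distribution_major_version | int <= 6` states the intent, and would have made the added `not ansible_facts.distribution == 'Amazon'` exception unnecessary for `'2018'`-style versions, though Amazon Linux 2 reports `'2'` and would still need it.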
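Review bot: `AuthenticationMethods {{ sshd_authenticationmethods }}` replaces the two removed branches (`ssh_google_auth`, `ssh_pam_device`) that produced `publickey,keyboard-interactive`, and hardening.yml earlier in this diff also drops the `2fa.yml` include, but nothing maps the old variables onto the new one: a playbook still setting `ssh_google_auth: true` now gets whatever the `sshd_authenticationmethods` default is, so second-factor enforcement disappears without any error. An `assert:` task rejecting the removed variables, or at least a template comment such as `# ssh_google_auth / ssh_pam_device are no longer honoured; set sshd_authenticationmethods: 'publickey,keyboard-interactive' instead`, would make the migration visible. The value is also inserted without validation, so a typo surfaces only as an sshd config error at restart.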
@@ -119,11 +132,9 @@ KerberosTicketCleanup yes
 #KerberosGetAFSToken no
 {% endif %}
-{% if ssh_gssapi_support -%}
 # Only enable GSSAPI authentication if it is configured.
-GSSAPIAuthentication no
+GSSAPIAuthentication {{ 'yes' if ssh_gssapi_support else 'no' }}
 GSSAPICleanupCredentials yes
-{% endif %}
 # In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here. For key-based authentication this is not necessary, since all keys must be explicitely enabled.
 {% if ssh_deny_users -%}
@@ -142,15 +153,15 @@ DenyGroups {{ssh_deny_groups}}
 AllowGroups {{ssh_allow_groups}}
 {% endif %}
-{% if ssh_authorized_keys_file %}
+{% if ssh_authorized_keys_file -%}
 AuthorizedKeysFile {{ ssh_authorized_keys_file }}
 {% endif %}
-{% if ssh_trusted_user_ca_keys_file %}
+{% if ssh_trusted_user_ca_keys_file -%}
 TrustedUserCAKeys {{ ssh_trusted_user_ca_keys_file }}
-{% if ssh_authorized_principals_file %}
+{% if ssh_authorized_principals_file -%}
 AuthorizedPrincipalsFile {{ ssh_authorized_principals_file }}
-{% endif %}
+{% endif %}
 {% endif %}
 # Network
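Review bot: `GSSAPIAuthentication {{ 'yes' if ssh_gssapi_support else 'no' }}` inverts the meaning of `ssh_gssapi_support`: in the removed lines the variable only decided whether the directive was emitted, and the emitted value was always `no`; now the same `true` switches GSSAPI authentication on. Anyone who set the variable under the old meaning gets GSSAPI auth enabled by this change with no warning. Either keep the value at `no` and use the variable purely as the emit guard, or introduce a distinctly named flag (e.g. `ssh_gssapi_enabled`) passed through `|bool` like the neighbouring `ssh_use_pam|bool` test, and say so in the comment above the line.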
@@ -168,19 +179,23 @@ PermitTunnel {{ 'yes' if (ssh_permit_tunnel|bool) else 'no' }}
 # Disable forwarding tcp connections.
 # no real advantage without denied shell access
-AllowTcpForwarding {{ 'yes' if (ssh_allow_tcp_forwarding|bool) else 'no' }}
+{% if sshd_version is version('6.2', '>=') %}
+AllowTcpForwarding {{ ssh_allow_tcp_forwarding if (ssh_allow_tcp_forwarding in ('yes', 'no', 'local', 'all')) else 'no' }}
+{% else %}
+AllowTcpForwarding {{ ssh_allow_tcp_forwarding if (ssh_allow_tcp_forwarding in ('yes', 'no')) else 'no' }}
+{% endif %}
-# Disable agent formwarding, since local agent could be accessed through forwarded connection.
+# Disable agent forwarding, since local agent could be accessed through forwarded connection.
 # no real advantage without denied shell access
 AllowAgentForwarding {{ 'yes' if (ssh_allow_agent_forwarding|bool) else 'no' }}
-{% if ssh_gateway_ports|bool %}
+{% if ssh_gateway_ports|bool -%}
 # Port forwardings are forced to bind to the wildcard address
 GatewayPorts yes
-{% elif ssh_gateway_ports == 'clientspecified' %}
+{% elif ssh_gateway_ports == 'clientspecified' -%}
 # Clients allowed to specify which address to bind port forwardings to
 GatewayPorts clientspecified
-{% else %}
+{% else -%}
 # Do not allow remote port forwardings to bind to non-loopback addresses.
 GatewayPorts no
 {% endif %}
@@ -192,13 +207,10 @@ X11UseLocalhost yes
 # User environment configuration
 # ==============================
-{% if ssh_server_permit_environment_vars %}
-PermitUserEnvironment yes
-{% for item in ssh_server_permit_environment_vars %}
-AcceptEnv {{ item }}
-{% endfor %}
-{% else %}
-PermitUserEnvironment no
+PermitUserEnvironment {{ ssh_server_permit_environment_vars }}
+
+{% if ssh_server_accept_env_vars -%}
+AcceptEnv {{ ssh_server_accept_env_vars }}
 {% endif %}
 # Misc. configuration
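Review bot: The allowed set `('yes', 'no', 'local', 'all')` for AllowTcpForwarding omits `remote`, which sshd_config(5) accepts alongside `local` and `all` from the same 6.2 release this branch is gated on, so `ssh_allow_tcp_forwarding: remote` is silently coerced to `no`. A boolean `true`, the type the variable had before (the test playbook later in this diff changes it from `true` to `'yes'`), is likewise not in the tuple and now renders `no`; failing closed is the right default, but a comment such as `# booleans are no longer accepted; use the strings yes/no/local/remote/all` above the line would explain the surprise to anyone upgrading.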
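Review bot: `PermitUserEnvironment {{ ssh_server_permit_environment_vars }}` passes the variable through unvalidated, and the same variable used to hold a list of variable names (the test playbook later in this diff changes it from `['PWD','HTTP_PROXY']` to `'yes'`). A playbook still supplying the old list renders `PermitUserEnvironment ['PWD', 'HTTP_PROXY']`, which sshd rejects at restart — a config error on the very service the operator is connected through. An `assert:` that the value is a string (and, on servers older than 7.8, one of `yes`/`no`) before templating moves that failure to play time; a comment naming the new `ssh_server_accept_env_vars` companion would help the migration.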
@@ -210,31 +222,31 @@ UseDNS {{ 'yes' if (ssh_use_dns|bool) else 'no' }}
 PrintMotd {{ 'yes' if (ssh_print_motd|bool) else 'no' }}
-{% if ansible_os_family != 'FreeBSD' %}
+{% if ansible_facts.os_family != 'FreeBSD' %}
 PrintLastLog {{ 'yes' if (ssh_print_last_log|bool) else 'no' }}
 {% endif %}
 Banner {{ '/etc/ssh/banner.txt' if (ssh_banner|bool) else 'none' }}
-{% if ansible_os_family == 'Debian' %}
+{% if ansible_facts.os_family == 'Debian' -%}
 DebianBanner {{ 'yes' if (ssh_print_debian_banner|bool) else 'no' }}
 {% endif %}
 # Reject keys that are explicitly blacklisted
 RevokedKeys /etc/ssh/revoked_keys
-{% if sftp_enabled %}
+{% if sftp_enabled -%}
 # SFTP matching configuration
 # ===========================
 # Configuration, in case SFTP is used
 # override default of no subsystems
 # Subsystem sftp /opt/app/openssh5/libexec/sftp-server
-Subsystem sftp internal-sftp -l INFO -f LOCAL6
+Subsystem sftp internal-sftp -l INFO -f LOCAL6 -u {{ sftp_umask }}
 # These lines must appear at the *end* of sshd_config
 Match Group sftponly
- ForceCommand internal-sftp -l INFO -f LOCAL6
+ ForceCommand internal-sftp -l INFO -f LOCAL6 -u {{ sftp_umask }}
 {% if sftp_chroot %}
 ChrootDirectory {{ sftp_chroot_dir }}
 {% endif %}
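Review bot: `-u {{ sftp_umask }}` is rendered unvalidated into both the `Subsystem` line and the `ForceCommand` line; if the default for `sftp_umask` (outside this diff) is written as an unquoted scalar such as `0027`, YAML 1.1 loaders read it as the octal integer 23 and the rendered option becomes `-u 23`, a different mask from the one intended. Documenting the variable as a quoted octal string next to its default (`sftp_umask: '0027'`) and asserting it with `regex_search('^0?[0-7]{3}$')` before templating would catch that. The `-u` option to internal-sftp was added in OpenSSH 5.4, and unlike the other directives in this template it is not version-gated, which is worth a comment if the role still claims to support older servers.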
@@ -245,23 +257,38 @@ Match Group sftponly
 X11Forwarding no
 {% endif %}
-{% if ssh_server_match_group %}
+{% if ssh_server_match_address -%}
+# Address matching configuration
+# ============================
+
+{% for item in ssh_server_match_address -%}
+Match Address {{ item.address }}
+ {% for rule in item.rules %}
+ {{ rule | indent(4) }}
+ {% endfor %}
+{% endfor %}
+{% endif %}
+
+{% if ssh_server_match_group -%}
 # Group matching configuration
 # ============================
-{% for item in ssh_server_match_group %}
+{% for item in ssh_server_match_group -%}
 Match Group {{ item.group }}
- {{ item.rules | indent(4) }}
+ {% for rule in item.rules %}
+ {{ rule | indent(4) }}
+ {% endfor %}
 {% endfor %}
 {% endif %}
-
-{% if ssh_server_match_user %}
+{% if ssh_server_match_user -%}
 # User matching configuration
 # ===========================
-{% for item in ssh_server_match_user %}
+{% for item in ssh_server_match_user -%}
 Match User {{ item.user }}
- {{ item.rules | indent(4) }}
+ {% for rule in item.rules %}
+ {{ rule | indent(4) }}
+ {% endfor %}
 {% endfor %}
 {% endif %}
diff --git a/ansible/roles/dev-sec.ssh-hardening/tests/default.yml b/ansible/roles/dev-sec.ssh-hardening/tests/default.yml
index 312ff72..231d09b 100644
--- a/ansible/roles/dev-sec.ssh-hardening/tests/default.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/tests/default.yml
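Review bot: The new `Match Address` section is emitted before `Match Group` and `Match User`, and sshd applies the first obtained value per keyword across all matching Match blocks, so for a client that matches both an address rule and a group/user rule the address rule wins — nothing in the template states this precedence. A comment at the top of the section such as `# Match blocks are evaluated in order and the first matching value for a keyword wins: Address rules take precedence over the Group and User rules below` would make the ordering a documented choice rather than an accident. The `| indent(4)` on `{{ rule | indent(4) }}` is now redundant for the single-line rules the loop iterates (indent only affects lines after the first), since the literal leading spaces already supply the indentation.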
@@ -2,20 +2,30 @@
 - name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
 hosts: localhost
 pre_tasks:
- - package: name="{{item}}" state=present
- with_items:
- - "openssh-clients"
- - "openssh-server"
+ - name: use python3
+ set_fact:
+ ansible_python_interpreter: /usr/bin/python3
+ when: ansible_facts.distribution == 'Fedora'
+
+ - package: name="{{ packages }}" state=present
+ vars:
+ packages:
+ - openssh-clients
+ - openssh-server
+ - libselinux-python
 ignore_errors: true
- - apt: name="{{item}}" state=present update_cache=true
- with_items:
- - "openssh-client"
- - "openssh-server"
+ - apt: name="{{packages}}" state=present update_cache=true
+ vars:
+ packages:
+ - "openssh-client"
+ - "openssh-server"
 ignore_errors: true
 - file: path="/var/run/sshd" state=directory
 - name: create ssh host keys
 command: "ssh-keygen -A"
- when: not ((ansible_os_family in ['Oracle Linux', 'RedHat']) and ansible_distribution_major_version < '7')
+ when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
+ ansible_facts.distribution == "Fedora" or
+ ansible_facts.distribution == "Amazon"
 roles:
 - ansible-ssh-hardening
diff --git a/ansible/roles/dev-sec.ssh-hardening/tests/default_custom.yml b/ansible/roles/dev-sec.ssh-hardening/tests/default_custom.yml
index b71e3d6..b88a6e8 100644
--- a/ansible/roles/dev-sec.ssh-hardening/tests/default_custom.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/tests/default_custom.yml
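Review bot: The extended `when:` on the host-key task still compares `ansible_facts.distribution_major_version < '7'` as strings, which is why the `Fedora` and `Amazon` clauses had to be bolted on: `'30' < '7'` and `'2' < '7'` are both true lexically. `ansible_facts.distribution_major_version | int < 7` removes the need for the Fedora special case (Amazon Linux 2 reports `'2'` and still needs its own clause); the same condition is duplicated in tests/default_custom.yml below. Separately, the pre_task installs `libselinux-python` while forcing the python3 interpreter on Fedora; if that package name does not resolve on a python3-only release the whole `package` call may fail and `ignore_errors` hides it, leaving the openssh packages uninstalled as well.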
@@ -2,30 +2,40 @@
 - name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with custom settings
 hosts: localhost
 pre_tasks:
- - package: name="{{item}}" state=present
- with_items:
- - "openssh-clients"
- - "openssh-server"
+ - name: use python3
+ set_fact:
+ ansible_python_interpreter: /usr/bin/python3
+ when: ansible_facts.distribution == 'Fedora'
+
+ - package: name="{{ packages }}" state=present
+ vars:
+ packages:
+ - openssh-clients
+ - openssh-server
+ - libselinux-python
 ignore_errors: true
- - apt: name="{{item}}" state=present update_cache=true
- with_items:
- - "openssh-client"
- - "openssh-server"
+ - apt: name="{{packages}}" state=present update_cache=true
+ vars:
+ packages:
+ - "openssh-client"
+ - "openssh-server"
 ignore_errors: true
 - file: path="/var/run/sshd" state=directory
 - name: create ssh host keys
 command: "ssh-keygen -A"
- when: not ((ansible_os_family in ['Oracle Linux', 'RedHat']) and ansible_distribution_major_version < '7')
+ when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
+ ansible_facts.distribution == "Fedora" or
+ ansible_facts.distribution == "Amazon"
 roles:
 - ansible-ssh-hardening
 vars:
 network_ipv6_enable: true
- ssh_allow_root_with_key: true
- ssh_allow_tcp_forwarding: true
+ ssh_allow_tcp_forwarding: 'yes'
 ssh_gateway_ports: true
 ssh_allow_agent_forwarding: true
- ssh_server_permit_environment_vars: ['PWD','HTTP_PROXY']
+ ssh_server_permit_environment_vars: 'yes'
+ ssh_server_accept_env_vars: 'PWD HTTP_PROXY'
 ssh_client_alive_interval: 100
 ssh_client_alive_count: 10
 ssh_client_password_login: true
@@ -37,6 +47,7 @@
 ssh_deny_groups: 'foo bar'
 ssh_authorized_keys_file: '/etc/ssh/authorized_keys/%u'
 ssh_max_auth_retries: 10
+ ssh_permit_root_login: "without-password"
 ssh_permit_tunnel: true
 ssh_print_motd: true
 ssh_print_last_log: true
@@ -45,12 +56,21 @@
 sftp_enabled: true
 sftp_chroot: true
 #ssh_server_enabled: false
+ ssh_server_match_address:
+ - address: '192.168.1.1/24'
+ rules:
+ - 'AllowTcpForwarding yes'
+ - 'AllowAgentForwarding no'
 ssh_server_match_group:
 - group: 'root'
- rules: 'AllowTcpForwarding yes'
+ rules:
+ - 'AllowTcpForwarding yes'
+ - 'AllowAgentForwarding no'
 ssh_server_match_user:
 - user: 'root'
- rules: 'AllowTcpForwarding yes'
+ rules:
+ - 'AllowTcpForwarding yes'
+ - 'AllowAgentForwarding no'
 ssh_remote_hosts:
 - names: ['example.com', 'example2.com']
 options: ['Port 2222', 'ForwardAgent yes']
@@ -63,8 +83,13 @@
 ssh_trusted_user_ca_keys:
 - '# ssh-rsa ...'
 ssh_authorized_principals_file: '/etc/ssh/auth_principals/%u'
- ssh_authorized_principals :
+ ssh_authorized_principals:
 - { path: '/etc/ssh/auth_principals/root', principals: [ 'root' ], owner: "{{ ssh_owner }}", group: "{{ ssh_group }}", directoryowner: "{{ ssh_owner }}", directorygroup: "{{ ssh_group}}" }
+ ssh_host_key_algorithms:
+ - ssh-ed25519
+ - rsa-sha2-512
+ - rsa-sha2-256
+ - ssh-rsa
 ssh_macs:
 - hmac-sha2-512
 - hmac-sha2-256
@@ -76,3 +101,7 @@
 ssh_kex:
 - diffie-hellman-group-exchange-sha256
 - diffie-hellman-group-exchange-sha1
+ ssh_custom_options:
+ - "Include /etc/ssh/ssh_config.d/*"
+ sshd_custom_options:
+ - "AcceptEnv LANG"
diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/Debian.yml b/ansible/roles/dev-sec.ssh-hardening/vars/Debian.yml
index cd26ce0..df491f3 100644
--- a/ansible/roles/dev-sec.ssh-hardening/vars/Debian.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/vars/Debian.yml
@@ -1,3 +1,6 @@
 sshd_service_name: ssh
 ssh_owner: root
 ssh_group: root
+ssh_selinux_packages:
+ - policycoreutils-python
+ - checkpolicy
diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/Fedora.yml b/ansible/roles/dev-sec.ssh-hardening/vars/Fedora.yml
new file mode 100644
index 0000000..b42c9c2
--- /dev/null
+++ b/ansible/roles/dev-sec.ssh-hardening/vars/Fedora.yml
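Review bot: The new Debian.yml sets `ssh_selinux_packages` to `policycoreutils-python`, but the removed branch in tasks/selinux.yml installed `policycoreutils` on Debian/Ubuntu and reserved `policycoreutils-python` for the RedHat family; Debian and Ubuntu ship `policycoreutils` and (for `semanage`, which the new `seport` task needs) `policycoreutils-python-utils`, not `policycoreutils-python`, so the install task fails on every Debian host that reaches selinux.yml. Restoring `- policycoreutils` here, with `policycoreutils-python-utils` where the release provides it, keeps the previous behaviour and makes the seport task workable. In the test fixture, `address: '192.168.1.1/24'` has host bits set; `192.168.1.0/24` is the canonical form and does not rely on sshd tolerating a non-canonical CIDR in `Match Address`.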
@@ -0,0 +1,6 @@
+sshd_service_name: sshd
+ssh_owner: root
+ssh_group: root
+ssh_selinux_packages:
+ - python3-policycoreutils
+ - checkpolicy
diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/Oracle Linux.yml b/ansible/roles/dev-sec.ssh-hardening/vars/Oracle Linux.yml
index 62dd98f..5694cea 100644
--- a/ansible/roles/dev-sec.ssh-hardening/vars/Oracle Linux.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/vars/Oracle Linux.yml
@@ -1,3 +1,6 @@
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
+ssh_selinux_packages:
+ - policycoreutils-python
+ - checkpolicy
diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/RedHat.yml b/ansible/roles/dev-sec.ssh-hardening/vars/RedHat.yml
index 62dd98f..5694cea 100644
--- a/ansible/roles/dev-sec.ssh-hardening/vars/RedHat.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/vars/RedHat.yml
@@ -1,3 +1,6 @@
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
+ssh_selinux_packages:
+ - policycoreutils-python
+ - checkpolicy
diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/RedHat_8.yml b/ansible/roles/dev-sec.ssh-hardening/vars/RedHat_8.yml
new file mode 100644
index 0000000..b42c9c2
--- /dev/null
+++ b/ansible/roles/dev-sec.ssh-hardening/vars/RedHat_8.yml
@@ -0,0 +1,6 @@
+sshd_service_name: sshd
+ssh_owner: root
+ssh_group: root
+ssh_selinux_packages:
+ - python3-policycoreutils
+ - checkpolicy
diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/main.yml b/ansible/roles/dev-sec.ssh-hardening/vars/main.yml
deleted file mode 100644
index e69de29..0000000
diff --git a/ansible/roles/docker-compose/.gitignore b/ansible/roles/docker-compose/.gitignore
deleted file mode 100644
index 089c44d..0000000
--- a/ansible/roles/docker-compose/.gitignore
+++ /dev/null
@@ -1,5 +0,0 @@
-*.retry
-.vagrant
-tests/_roles
-!tests/_roles/.gitkeep
-.DS_Store
diff --git a/ansible/roles/docker-compose/.travis.yml b/ansible/roles/docker-compose/.travis.yml
deleted file mode 100644
index 1e21436..0000000
--- a/ansible/roles/docker-compose/.travis.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-language: python
-python: "2.7"
-
-sudo: required
-dist: trusty
-
-addons:
- apt:
- sources:
- - sourceline: ppa:ansible/ansible
- packages:
- - ansible
-
-before_install: cd tests
-
-install:
-- ansible-galaxy install -r roles.yml
-
-script:
-- ansible-playbook -i localhost test.yml
-
-notifications:
- webhooks: https://galaxy.ansible.com/api/v1/notifications/
diff --git a/ansible/roles/docker-compose/LICENSE b/ansible/roles/docker-compose/LICENSE
deleted file mode 100644
index a962b15..0000000
--- a/ansible/roles/docker-compose/LICENSE
+++ /dev/null
@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2016 Suzuki Shunsuke
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
diff --git a/ansible/roles/docker-compose/README.md b/ansible/roles/docker-compose/README.md
deleted file mode 100644
index 133ffc7..0000000
--- a/ansible/roles/docker-compose/README.md
+++ /dev/null
@@ -1,39 +0,0 @@
-docker-compose
-===============
-
-[![Build Status](https://travis-ci.org/suzuki-shunsuke/ansible-docker-compose.svg?branch=master)](https://travis-ci.org/suzuki-shunsuke/ansible-docker-compose)
-
-Install Docker Compose.
-
-https://galaxy.ansible.com/suzuki-shunsuke/docker-compose/
-
-Requirements
-------------
-
-* Docker Engine
-
-Role Variables
---------------
-
-* docker_compose_path: the path where docker-compose is installed. The default is /usr/local/bin
-* docker_compose_mode: the permission of the docker-compose. The default is 0755
-* docker_compose_version: docker-compose version. The default is `1.11.2`
-
-Dependencies
-------------
-
-Nothing.
-
-Example Playbook
-----------------
-
-```yaml
-- hosts: servers
- roles:
- - role: suzuki-shunsuke.docker-compose
-```
-
-License
--------
-
-MIT
diff --git a/ansible/roles/docker-compose/defaults/main.yml b/ansible/roles/docker-compose/defaults/main.yml
deleted file mode 100644
index b3c43bf..0000000
--- a/ansible/roles/docker-compose/defaults/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-# defaults file for docker-compose
-docker_compose_path: /usr/local/bin
-docker_compose_mode: 0755
-docker_compose_version: 1.11.2
diff --git a/ansible/roles/docker-compose/meta/.galaxy_install_info b/ansible/roles/docker-compose/meta/.galaxy_install_info
deleted file mode 100644
index 7beff61..0000000
--- a/ansible/roles/docker-compose/meta/.galaxy_install_info
+++ /dev/null
@@ -1 +0,0 @@
-{install_date: 'Mon Apr 24 12:06:46 2017', version: 1.2.0}
diff --git a/ansible/roles/docker-compose/meta/main.yml b/ansible/roles/docker-compose/meta/main.yml
deleted file mode 100644
index 0a6d588..0000000
--- a/ansible/roles/docker-compose/meta/main.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-galaxy_info:
- author: Suzuki Shunsuke
- description: Install Docker Compose
- license: MIT
- min_ansible_version: 1.2
- github_branch: master
- platforms:
- - name: GenericUnix
- versions:
- - all
- galaxy_tags:
- - docker
- - docker compose
-
-dependencies: []
diff --git a/ansible/roles/docker-compose/tasks/main.yml b/ansible/roles/docker-compose/tasks/main.yml
deleted file mode 100644
index 2cb7b51..0000000
--- a/ansible/roles/docker-compose/tasks/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-# tasks file for docker-compose
-- name: Install docker-compose
- get_url:
- url: https://github.com/docker/compose/releases/download/{{docker_compose_version}}/docker-compose-{{ansible_system}}-{{ansible_architecture}}
- dest: "{{'{}/docker-compose'.format(docker_compose_path)}}"
- mode: "{{docker_compose_mode}}"
diff --git a/ansible/roles/docker-compose/tests/Vagrantfile b/ansible/roles/docker-compose/tests/Vagrantfile
deleted file mode 100644
index 99d36be..0000000
--- a/ansible/roles/docker-compose/tests/Vagrantfile
+++ /dev/null
@@ -1,12 +0,0 @@
-# -*- mode: ruby -*-
-# vi: set ft=ruby :
-
-Vagrant.configure(2) do |config|
- config.vm.box = "bento/ubuntu-16.04"
- config.vm.provider "virtualbox" do |vb|
- vb.memory = "2048"
- end
- config.vm.provision "ansible" do |ansible|
- ansible.playbook = "./test.yml"
- end
-end
diff --git a/ansible/roles/docker-compose/tests/ansible.cfg b/ansible/roles/docker-compose/tests/ansible.cfg
deleted file mode 100644
index fe431f6..0000000
--- a/ansible/roles/docker-compose/tests/ansible.cfg
+++ /dev/null
@@ -1,6 +0,0 @@
-[defaults]
-roles_path = ./_roles:../../
-
-[ssh_connection]
-ssh_args = -o ControlPersist=1800s -o ControlMaster=auto
-pipelining = True
diff --git a/ansible/roles/docker-compose/tests/localhost b/ansible/roles/docker-compose/tests/localhost
deleted file mode 100644
index 3c11959..0000000
--- a/ansible/roles/docker-compose/tests/localhost
+++ /dev/null
@@ -1,2 +0,0 @@
-[default]
-localhost ansible_connection=local
diff --git a/ansible/roles/docker-compose/tests/roles.yml b/ansible/roles/docker-compose/tests/roles.yml
deleted file mode 100644
index 167337f..0000000
--- a/ansible/roles/docker-compose/tests/roles.yml
+++ /dev/null
@@ -1 +0,0 @@
-- src: suzuki-shunsuke.docker-ubuntu
diff --git a/ansible/roles/docker-compose/tests/test.yml b/ansible/roles/docker-compose/tests/test.yml
deleted file mode 100644
index 9150dd4..0000000
--- a/ansible/roles/docker-compose/tests/test.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-- hosts: default
- roles:
- - suzuki-shunsuke.docker-ubuntu
- - ansible-docker-compose
- tasks:
- - command: docker-compose --version
- register: result
- changed_when: false
- - debug:
- var: result
diff --git a/ansible/roles/docker-compose/vars/main.yml b/ansible/roles/docker-compose/vars/main.yml
deleted file mode 100644
index 6349b1c..0000000
--- a/ansible/roles/docker-compose/vars/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-# vars file for docker-compose
-docker_compose_nonroot: "{{ (ansible_env.HOME == '/root') | ternary('no', 'yes') }}"
diff --git a/ansible/roles/docker-ubuntu/.gitignore b/ansible/roles/docker-ubuntu/.gitignore
deleted file mode 100644
index 4a96db2..0000000
--- a/ansible/roles/docker-ubuntu/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-*.retry
-.vagrant
diff --git a/ansible/roles/docker-ubuntu/.travis.yml b/ansible/roles/docker-ubuntu/.travis.yml
deleted file mode 100644
index 90b757f..0000000
--- a/ansible/roles/docker-ubuntu/.travis.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-language: python
-python: "2.7"
-
-sudo: required
-dist: trusty
-
-addons:
- apt:
- sources:
- - sourceline: ppa:ansible/ansible
- packages:
- - ansible
-
-before_script:
-- ansible --version
-- cd tests
-
-script:
-- ansible-playbook -i inventory-local test.yml
-
-notifications:
- webhooks: https://galaxy.ansible.com/api/v1/notifications/
diff --git a/ansible/roles/docker-ubuntu/README.md b/ansible/roles/docker-ubuntu/README.md
deleted file mode 100644
index f90078c..0000000
--- a/ansible/roles/docker-ubuntu/README.md
+++ /dev/null
@@ -1,42 +0,0 @@
-docker-ubuntu
-===============
-
-[![Build Status](https://travis-ci.org/suzuki-shunsuke/ansible-docker-ubuntu.svg?branch=master)](https://travis-ci.org/suzuki-shunsuke/ansible-docker-ubuntu)
-
-Install docker on Ubuntu.
-
-(With modifications by @loleg)
-
-https://galaxy.ansible.com/suzuki-shunsuke/docker-ubuntu/
-
-Requirements
-------------
-
-Nothing.
-
-Role Variables
---------------
-
-* docker_nonroot: Whether the remote_user is root or not. This variable is set automatically, and is used to execute tasks with the become option.
-* docker_users: Users who are added the docker group. The default value is an empty array.
-
-Dependencies
-------------
-
-Nothing.
-
-Example Playbook
-----------------
-
-```yaml
-- hosts: servers
- roles:
- - role: suzuki-shunsuke.docker-ubuntu
- docker_users:
- - ubuntu
-```
-
-License
--------
-
-MIT
diff --git a/ansible/roles/docker-ubuntu/defaults/main.yml b/ansible/roles/docker-ubuntu/defaults/main.yml
deleted file mode 100644
index efb98ae..0000000
--- a/ansible/roles/docker-ubuntu/defaults/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-# defaults file for docker-ubuntu
-docker_users: []
diff --git a/ansible/roles/docker-ubuntu/handlers/main.yml b/ansible/roles/docker-ubuntu/handlers/main.yml
deleted file mode 100644
index d4917f2..0000000
--- a/ansible/roles/docker-ubuntu/handlers/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-# handlers file for docker-ubuntu
diff --git a/ansible/roles/docker-ubuntu/meta/.galaxy_install_info b/ansible/roles/docker-ubuntu/meta/.galaxy_install_info
deleted file mode 100644
index 62464f8..0000000
--- a/ansible/roles/docker-ubuntu/meta/.galaxy_install_info
+++ /dev/null
@@ -1 +0,0 @@
-{install_date: 'Sun Apr 23 07:58:36 2017', version: 1.0.4}
diff --git a/ansible/roles/docker-ubuntu/meta/main.yml b/ansible/roles/docker-ubuntu/meta/main.yml
deleted file mode 100644
index 456f946..0000000
--- a/ansible/roles/docker-ubuntu/meta/main.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-galaxy_info:
- author: Suzuki Shunsuke
- description: Install docker on Ubuntu
- license: MIT
- min_ansible_version: 1.2
- github_branch: master
-
- platforms:
- - name: Ubuntu
- versions:
- - all
-
- galaxy_tags:
- - docker
-
-dependencies: []
diff --git a/ansible/roles/docker-ubuntu/tasks/main.yml b/ansible/roles/docker-ubuntu/tasks/main.yml
deleted file mode 100644
index 2658ae8..0000000
--- a/ansible/roles/docker-ubuntu/tasks/main.yml
+++ /dev/null
@@ -1,42 +0,0 @@
----
-# tasks file for docker-ubuntu
-- name: Install apt-transport-https, ca-certificates
- apt:
- name: "{{item}}"
- update_cache: no
- install_recommends: no
- with_items:
- - apt-transport-https
- - ca-certificates
-
-- name: Add the new GPG key
- apt_key:
- keyserver: hkp://p80.pool.sks-keyservers.net:80
- id: 58118E89F3A912897C070ADBF76221572C52609D
-
-- name: Template a sources.list
- template:
- src: docker.list
- dest: /etc/apt/sources.list.d/docker.list
- owner: root
- group: root
-
-- name: Install the recommended virtual package
- apt:
- name: linux-image-extra-virtual
- update_cache: no
- install_recommends: yes
-
-- name: Install docker-engine
- apt:
- name: docker-engine
- update_cache: no
- install_recommends: yes
-
-- name: Add users to the docker group
- user:
- name: "{{item}}"
- groups: docker
- append: yes
-
- with_items: "{{docker_users}}"
diff --git a/ansible/roles/docker-ubuntu/templates/docker.list b/ansible/roles/docker-ubuntu/templates/docker.list
deleted file mode 100644
index f2be97e..0000000
--- a/ansible/roles/docker-ubuntu/templates/docker.list
+++ /dev/null
@@ -1 +0,0 @@
-deb https://apt.dockerproject.org/repo ubuntu-{{ ansible_distribution_release }} main
diff --git a/ansible/roles/docker-ubuntu/tests/Vagrantfile b/ansible/roles/docker-ubuntu/tests/Vagrantfile
deleted file mode 100644
index 99d36be..0000000
--- a/ansible/roles/docker-ubuntu/tests/Vagrantfile
+++ /dev/null
@@ -1,12 +0,0 @@
-# -*- mode: ruby -*-
-# vi: set ft=ruby :
-
-Vagrant.configure(2) do |config|
- config.vm.box = "bento/ubuntu-16.04"
- config.vm.provider "virtualbox" do |vb|
- vb.memory = "2048"
- end
- config.vm.provision "ansible" do |ansible|
- ansible.playbook = "./test.yml"
- end
-end
diff --git a/ansible/roles/docker-ubuntu/tests/ansible.cfg b/ansible/roles/docker-ubuntu/tests/ansible.cfg
deleted file mode 100644
index ac09f6c..0000000
--- a/ansible/roles/docker-ubuntu/tests/ansible.cfg
+++ /dev/null
@@ -1,2 +0,0 @@
-[defaults]
-roles_path = ../../
diff --git a/ansible/roles/docker-ubuntu/tests/inventory-local b/ansible/roles/docker-ubuntu/tests/inventory-local
deleted file mode 100644
index 3c11959..0000000
--- a/ansible/roles/docker-ubuntu/tests/inventory-local
+++ /dev/null
@@ -1,2 +0,0 @@
-[default]
-localhost ansible_connection=local
diff --git a/ansible/roles/docker-ubuntu/tests/test.yml b/ansible/roles/docker-ubuntu/tests/test.yml
deleted file mode 100644
index 3ea6ad5..0000000
--- a/ansible/roles/docker-ubuntu/tests/test.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-- hosts: default
- roles:
- - ansible-docker-ubuntu
- tasks:
- - name: Check docker version
- command: docker --version
- register: result
- changed_when: false
- - debug:
- var: result.stdout
diff --git a/ansible/roles/docker-ubuntu/vars/main.yml b/ansible/roles/docker-ubuntu/vars/main.yml
deleted file mode 100644
index 0cdbe85..0000000
--- a/ansible/roles/docker-ubuntu/vars/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-# vars file for docker-ubuntu
-docker_nonroot: "{{ (ansible_env.HOME == '/root') | ternary('no', 'yes') }}"
diff --git a/ansible/roles/geerlingguy.certbot/README.md b/ansible/roles/geerlingguy.certbot/README.md
deleted file mode 100644
index 597a54a..0000000
--- a/ansible/roles/geerlingguy.certbot/README.md
+++ /dev/null
@@ -1,140 +0,0 @@ -# Ansible Role: Certbot (for Let's Encrypt) - -[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-certbot.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-certbot) - -Installs and configures Certbot (for Let's Encrypt). - -## Requirements - -If installing from source, Git is required. You can install Git using the `geerlingguy.git` role. - -Generally, installing from source (see section `Source Installation from Git`) leads to a better experience using Certbot and Let's Encrypt, especially if you're using an older OS release. - -## Role Variables - -The variable `certbot_install_from_source` controls whether to install Certbot from Git or package management. The latter is the default, so the variable defaults to `no`. - - certbot_auto_renew: true - certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}" - certbot_auto_renew_hour: 3 - certbot_auto_renew_minute: 30 - certbot_auto_renew_options: "--quiet --no-self-upgrade" - -By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account. - -### Automatic Certificate Generation - -Currently there is one built-in method for generating new certificates using this role: `standalone`. Other methods (e.g. using nginx or apache and a webroot) may be added in the future. - -**For a complete example**: see the fully functional test playbook in [tests/test-standalone-nginx-aws.yml](tests/test-standalone-nginx-aws.yml). - - certbot_create_if_missing: false - certbot_create_method: standalone - -Set `certbot_create_if_missing` to `yes` or `True` to let this role generate certs. 
Set the method used for generating certs with the `certbot_create_method` variable—current allowed values include: `standalone`. - - certbot_admin_email: email@example.com - -The email address used to agree to Let's Encrypt's TOS and subscribe to cert-related notifications. This should be customized and set to an email address that you or your organization regularly monitors. - - certbot_certs: [] - # - email: janedoe@example.com - # domains: - # - example1.com - # - example2.com - # - domains: - # - example3.com - -A list of domains (and other data) for which certs should be generated. You can add an `email` key to any list item to override the `certbot_admin_email`. - - certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}" - -The `certbot_create_command` defines the command used to generate the cert. - -#### Standalone Certificate Generation - - certbot_create_standalone_stop_services: - - nginx - -Services that should be stopped while `certbot` runs it's own standalone server on ports 80 and 443. If you're running Apache, set this to `apache2` (Ubuntu), or `httpd` (RHEL), or if you have Nginx on port 443 and something else on port 80 (e.g. Varnish, a Java app, or something else), add it to the list so it is stopped when the certificate is generated. - -These services will only be stopped the first time a new cert is generated. - -### Source Installation from Git - -You can install Certbot from it's Git source repository if desired. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8). - - certbot_install_from_source: false - certbot_repo: https://github.com/certbot/certbot.git - certbot_version: master - certbot_keep_updated: true - -Certbot Git repository options. 
To install from source, set `certbot_install_from_source` to `yes`. This clones the configured `certbot_repo`, respecting the `certbot_version` setting. If `certbot_keep_updated` is set to `yes`, the repository is updated every time this role runs. - - certbot_dir: /opt/certbot - -The directory inside which Certbot will be cloned. - -### Wildcard Certificates - -Let's Encrypt supports [generating wildcard certificates](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579), but the process for generating and using them is slightly more involved. See comments in [this pull request](https://github.com/geerlingguy/ansible-role-certbot/pull/60#issuecomment-423919284) for an example of how to use this role to maintain wildcard certs. - -Michael Porter also has a walkthrough of [Creating A Let’s Encrypt Wildcard Cert With Ansible](https://www.michaelpporter.com/2018/09/creating-a-wildcard-cert-with-ansible/), specifically with Cloudflare. - -## Dependencies - -None. - -## Example Playbook - - - hosts: servers - - vars: - certbot_auto_renew_user: your_username_here - certbot_auto_renew_minute: 20 - certbot_auto_renew_hour: 5 - - roles: - - geerlingguy.certbot - -See other examples in the `tests/` directory. - -### Manually creating certificates with certbot - -_Note: You can have this role automatically generate certificates; see the "Automatic Certificate Generation" documentation above._ - -You can manually create certificates using the `certbot` (or `certbot-auto`) script (use `letsencrypt` on Ubuntu 16.04, or use `/opt/certbot/certbot-auto` if installing from source/Git. Here are some example commands to configure certificates with Certbot: - - # Automatically add certs for all Apache virtualhosts (use with caution!). - certbot --apache - - # Generate certs, but don't modify Apache configuration (safer). 
- certbot --apache certonly - -If you want to fully automate the process of adding a new certificate, but don't want to use this role's built in functionality, you can do so using the command line options to register, accept the terms of service, and then generate a cert using the standalone server: - - 1. Make sure any services listening on ports 80 and 443 (Apache, Nginx, Varnish, etc.) are stopped. - 2. Register with something like `certbot register --agree-tos --email [your-email@example.com]` - - Note: You won't need to do this step in the future, when generating additional certs on the same server. - 3. Generate a cert for a domain whose DNS points to this server: `certbot certonly --noninteractive --standalone -d example.com -d www.example.com` - 4. Re-start whatever was listening on ports 80 and 443 before. - 5. Update your webserver's virtualhost TLS configuration to point at the new certificate (`fullchain.pem`) and private key (`privkey.pem`) Certbot just generated for the domain you passed in the `certbot` command. - 6. Reload or restart your webserver so it uses the new HTTPS virtualhost configuration. - -### Certbot certificate auto-renewal - -By default, this role adds a cron job that will renew all installed certificates once per day at the hour and minute of your choosing. - -You can test the auto-renewal (without actually renewing the cert) with the command: - - /opt/certbot/certbot-auto renew --dry-run - -See full documentation and options on the [Certbot website](https://certbot.eff.org/). - -## License - -MIT / BSD - -## Author Information - -This role was created in 2016 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/). diff --git a/ansible/roles/geerlingguy.certbot/defaults/main.yml b/ansible/roles/geerlingguy.certbot/defaults/main.yml deleted file mode 100644 index 3186d8e..0000000 --- a/ansible/roles/geerlingguy.certbot/defaults/main.yml +++ /dev/null 
@@ -1,38 +0,0 @@ ---- -# Certbot auto-renew cron job configuration (for certificate renewals). -certbot_auto_renew: true -certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}" -certbot_auto_renew_hour: 3 -certbot_auto_renew_minute: 30 -certbot_auto_renew_options: "--quiet --no-self-upgrade" - -# Parameters used when creating new Certbot certs. -certbot_create_if_missing: false -certbot_create_method: standalone -certbot_admin_email: email@example.com -certbot_certs: [] -# - email: janedoe@example.com -# domains: -# - example1.com -# - example2.com -# - domains: -# - example3.com -certbot_create_command: >- - {{ certbot_script }} certonly --standalone --noninteractive --agree-tos - --email {{ cert_item.email | default(certbot_admin_email) }} - -d {{ cert_item.domains | join(',') }} - -certbot_create_standalone_stop_services: - - nginx - # - apache - # - varnish - -# To install from source (on older OSes or if you need a specific or newer -# version of Certbot), set this variable to `yes` and configure other options. -certbot_install_from_source: false -certbot_repo: https://github.com/certbot/certbot.git -certbot_version: master -certbot_keep_updated: true - -# Where to put Certbot when installing from source. -certbot_dir: /opt/certbot diff --git a/ansible/roles/geerlingguy.certbot/meta/.galaxy_install_info b/ansible/roles/geerlingguy.certbot/meta/.galaxy_install_info deleted file mode 100644 index c48efc4..0000000 --- a/ansible/roles/geerlingguy.certbot/meta/.galaxy_install_info +++ /dev/null @@ -1 +0,0 @@ -{install_date: 'Mon Dec 17 12:48:38 2018', version: 3.0.2} diff --git a/ansible/roles/geerlingguy.certbot/molecule/default/molecule.yml b/ansible/roles/geerlingguy.certbot/molecule/default/molecule.yml deleted file mode 100644 index 0339702..0000000 --- a/ansible/roles/geerlingguy.certbot/molecule/default/molecule.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: docker -lint: - name: yamllint - options: - config-file: molecule/default/yaml-lint.yml -platforms: - - name: instance - image: geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible - command: ${MOLECULE_DOCKER_COMMAND:-"sleep infinity"} - privileged: true - pre_build_image: true -provisioner: - name: ansible - lint: - name: ansible-lint - playbooks: - converge: ${MOLECULE_PLAYBOOK:-playbook.yml} -scenario: - name: default -verifier: - name: testinfra - lint: - name: flake8 diff --git a/ansible/roles/geerlingguy.certbot/molecule/default/playbook-source-install.yml b/ansible/roles/geerlingguy.certbot/molecule/default/playbook-source-install.yml deleted file mode 100644 index 77ced51..0000000 --- a/ansible/roles/geerlingguy.certbot/molecule/default/playbook-source-install.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - - vars: - certbot_install_from_source: true - certbot_auto_renew_user: root - - pre_tasks: - - name: Update apt cache. - apt: update_cache=yes cache_valid_time=600 - when: ansible_os_family == 'Debian' - changed_when: false - - - name: Install cron (RedHat). - yum: name=cronie state=present - when: ansible_os_family == 'RedHat' - - - name: Install cron (Debian). - apt: name=cron state=present - when: ansible_os_family == 'Debian' - - roles: - - geerlingguy.git - - geerlingguy.certbot diff --git a/ansible/roles/geerlingguy.certbot/molecule/default/playbook-standalone-nginx-aws.yml b/ansible/roles/geerlingguy.certbot/molecule/default/playbook-standalone-nginx-aws.yml deleted file mode 100644 index 481c688..0000000 --- a/ansible/roles/geerlingguy.certbot/molecule/default/playbook-standalone-nginx-aws.yml +++ /dev/null 
@@ -1,179 +0,0 @@ ---- -# To run: -# 1. Ensure Ansible and Boto are installed (pip install ansible boto). -# 2. Ensure you have AWS credentials stored where Boto can find them, and they -# are under the profile 'mm'. -# 3. Ensure you have a pubkey available at ~/.ssh/id_rsa.pub. -# 3. Run the playbook: ansible-playbook test-standalone-nginx-aws.yml - -# Play 1: Provision EC2 instance and A record. -- hosts: localhost - connection: local - gather_facts: false - - tasks: - - name: Configure EC2 Security Group. - ec2_group: - profile: mm - name: certbot_test_http - description: HTTP security group for Certbot testing. - region: "us-east-1" - state: present - rules: - - proto: tcp - from_port: 80 - to_port: 80 - cidr_ip: 0.0.0.0/0 - - proto: tcp - from_port: 443 - to_port: 443 - cidr_ip: 0.0.0.0/0 - - proto: tcp - from_port: 22 - to_port: 22 - cidr_ip: 0.0.0.0/0 - rules_egress: [] - - - name: Add EC2 Key Pair. - ec2_key: - profile: mm - region: "us-east-1" - name: certbot_test - key_material: "{{ item }}" - with_file: ~/.ssh/id_rsa.pub - - - name: Provision EC2 instance. - ec2: - profile: mm - key_name: certbot_test - instance_tags: - Name: "certbot-standalone-nginx-test" - group: ['default', 'certbot_test_http'] - instance_type: t2.micro - # CentOS Linux 7 x86_64 HVM EBS - image: ami-02e98f78 - region: "us-east-1" - wait: true - wait_timeout: 500 - exact_count: 1 - count_tag: - Name: "certbot-standalone-nginx-test" - register: created_instance - - - name: Add A record for the new EC2 instance IP in Route53. - route53: - profile: mm - command: create - zone: servercheck.in - record: certbot-test.servercheck.in - type: A - ttl: 300 - value: "{{ created_instance.tagged_instances.0.public_ip }}" - wait: true - overwrite: true - - - name: Add EC2 instance to inventory groups. 
- add_host: - name: "certbot-test.servercheck.in" - groups: "aws,aws_nginx" - ansible_ssh_user: centos - host_key_checking: false - when: created_instance.tagged_instances.0.id is defined - -# Play 2: Configure EC2 instance with Certbot and Nginx. -- hosts: aws_nginx - gather_facts: true - become: true - - vars: - certbot_admin_email: https@servercheck.in - certbot_create_if_missing: true - certbot_create_standalone_stop_services: [] - certbot_certs: - - domains: - - certbot-test.servercheck.in - nginx_vhosts: - - listen: "443 ssl http2" - server_name: "certbot-test.servercheck.in" - root: "/usr/share/nginx/html" - index: "index.html index.htm" - state: "present" - template: "{{ nginx_vhost_template }}" - filename: "certbot_test.conf" - extra_parameters: | - ssl_certificate /etc/letsencrypt/live/certbot-test.servercheck.in/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/certbot-test.servercheck.in/privkey.pem; - ssl_protocols TLSv1.1 TLSv1.2; - ssl_ciphers HIGH:!aNULL:!MD5; - - pre_tasks: - - name: Update apt cache. - apt: update_cache=true cache_valid_time=600 - when: ansible_os_family == 'Debian' - changed_when: false - - - name: Install dependencies (RedHat). - yum: name={{ item }} state=present - when: ansible_os_family == 'RedHat' - with_items: - - cronie - - epel-release - - - name: Install cron (Debian). - apt: name=cron state=present - when: ansible_os_family == 'Debian' - - roles: - - geerlingguy.certbot - - geerlingguy.nginx - - tasks: - - name: Flush handlers in case any configs have changed. - meta: flush_handlers - - - name: Test secure connection to SSL domain. - uri: - url: https://certbot-test.servercheck.in/ - status_code: 200 - delegate_to: localhost - become: false - -# Play 3: Tear down EC2 instance and A record. -- hosts: localhost - connection: local - gather_facts: false - - tasks: - - name: Destroy EC2 instance. 
- ec2: - profile: mm - instance_ids: ["{{ created_instance.tagged_instances.0.id }}"] - region: "us-east-1" - state: absent - wait: true - wait_timeout: 500 - - - name: Delete Security Group. - ec2_group: - profile: mm - name: certbot_test_http - region: "us-east-1" - state: absent - - - name: Delete Key Pair. - ec2_key: - profile: mm - name: certbot_test - region: "us-east-1" - state: absent - - - name: Delete Route53 record. - route53: - profile: mm - state: delete - zone: servercheck.in - record: certbot-test.servercheck.in - type: A - ttl: 300 - # See: https://github.com/ansible/ansible/pull/32297 - value: [] diff --git a/ansible/roles/geerlingguy.certbot/molecule/default/playbook.yml b/ansible/roles/geerlingguy.certbot/molecule/default/playbook.yml deleted file mode 100644 index 9d6e5e7..0000000 --- a/ansible/roles/geerlingguy.certbot/molecule/default/playbook.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - - vars: - certbot_auto_renew_user: root - - pre_tasks: - - name: Update apt cache. - apt: update_cache=yes cache_valid_time=600 - when: ansible_os_family == 'Debian' - changed_when: false - - - name: Install dependencies (RedHat). - yum: name={{ item }} state=present - when: ansible_os_family == 'RedHat' - with_items: - - cronie - - epel-release - - - name: Install cron (Debian). - apt: name=cron state=present - when: ansible_os_family == 'Debian' - - roles: - - geerlingguy.certbot diff --git a/ansible/roles/geerlingguy.certbot/molecule/default/requirements.yml b/ansible/roles/geerlingguy.certbot/molecule/default/requirements.yml deleted file mode 100644 index 0b31312..0000000 --- a/ansible/roles/geerlingguy.certbot/molecule/default/requirements.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- src: geerlingguy.git -- src: geerlingguy.nginx 
diff --git a/ansible/roles/geerlingguy.certbot/molecule/default/tests/test_default.py b/ansible/roles/geerlingguy.certbot/molecule/default/tests/test_default.py deleted file mode 100644 index eedd64a..0000000 --- a/ansible/roles/geerlingguy.certbot/molecule/default/tests/test_default.py +++ /dev/null @@ -1,14 +0,0 @@ -import os - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') - - -def test_hosts_file(host): - f = host.file('/etc/hosts') - - assert f.exists - assert f.user == 'root' - assert f.group == 'root' diff --git a/ansible/roles/geerlingguy.certbot/tasks/create-cert-standalone.yml b/ansible/roles/geerlingguy.certbot/tasks/create-cert-standalone.yml deleted file mode 100644 index 65c43bc..0000000 --- a/ansible/roles/geerlingguy.certbot/tasks/create-cert-standalone.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -- name: Check if certificate already exists. - stat: - path: /etc/letsencrypt/live/{{ cert_item.domains | first | replace('*.', '') }}/cert.pem - register: letsencrypt_cert - -- name: Stop services to allow certbot to generate a cert. - service: - name: "{{ item }}" - state: stopped - when: not letsencrypt_cert.stat.exists - with_items: "{{ certbot_create_standalone_stop_services }}" - -- name: Generate new certificate if one doesn't exist. - shell: "{{ certbot_create_command }}" - when: not letsencrypt_cert.stat.exists - -- name: Start services after cert has been generated. - service: - name: "{{ item }}" - state: started - when: not letsencrypt_cert.stat.exists - with_items: "{{ certbot_create_standalone_stop_services }}" diff --git a/ansible/roles/geerlingguy.certbot/tasks/include-vars.yml b/ansible/roles/geerlingguy.certbot/tasks/include-vars.yml deleted file mode 100644 index 0a70e50..0000000 --- a/ansible/roles/geerlingguy.certbot/tasks/include-vars.yml +++ /dev/null 
@@ -1,8 +0,0 @@ ---- -- name: Load a variable file based on the OS type, or a default if not found. - include_vars: "{{ item }}" - with_first_found: - - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml" - - "{{ ansible_distribution }}.yml" - - "{{ ansible_os_family }}.yml" - - "default.yml" diff --git a/ansible/roles/geerlingguy.certbot/tasks/install-from-source.yml b/ansible/roles/geerlingguy.certbot/tasks/install-from-source.yml deleted file mode 100644 index daee685..0000000 --- a/ansible/roles/geerlingguy.certbot/tasks/install-from-source.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -- name: Clone Certbot into configured directory. - git: - repo: "{{ certbot_repo }}" - dest: "{{ certbot_dir }}" - version: "{{ certbot_version }}" - update: "{{ certbot_keep_updated }}" - force: true - -- name: Set Certbot script variable. - set_fact: - certbot_script: "{{ certbot_dir }}/certbot-auto" - -- name: Ensure certbot-auto is executable. - file: - path: "{{ certbot_script }}" - mode: 0755 diff --git a/ansible/roles/geerlingguy.certbot/tasks/install-with-package.yml b/ansible/roles/geerlingguy.certbot/tasks/install-with-package.yml deleted file mode 100644 index 10490ff..0000000 --- a/ansible/roles/geerlingguy.certbot/tasks/install-with-package.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: Install Certbot. - package: "name={{ certbot_package }} state=present" - -- name: Set Certbot script variable. - set_fact: - certbot_script: "{{ certbot_package }}" diff --git a/ansible/roles/geerlingguy.certbot/tasks/main.yml b/ansible/roles/geerlingguy.certbot/tasks/main.yml deleted file mode 100644 index 680aeda..0000000 --- a/ansible/roles/geerlingguy.certbot/tasks/main.yml +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -- import_tasks: include-vars.yml - -- import_tasks: install-with-package.yml - when: not certbot_install_from_source - -- import_tasks: install-from-source.yml - when: certbot_install_from_source - -- include_tasks: create-cert-standalone.yml - with_items: "{{ certbot_certs }}" - when: - - certbot_create_if_missing - - certbot_create_method == 'standalone' - loop_control: - loop_var: cert_item - -- import_tasks: renew-cron.yml - when: certbot_auto_renew diff --git a/ansible/roles/geerlingguy.certbot/tasks/renew-cron.yml b/ansible/roles/geerlingguy.certbot/tasks/renew-cron.yml deleted file mode 100644 index 394a30e..0000000 --- a/ansible/roles/geerlingguy.certbot/tasks/renew-cron.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Add cron job for certbot renewal (if configured). - cron: - name: Certbot automatic renewal. - job: "{{ certbot_script }} renew {{ certbot_auto_renew_options }}" - minute: "{{ certbot_auto_renew_minute }}" - hour: "{{ certbot_auto_renew_hour }}" - user: "{{ certbot_auto_renew_user }}" diff --git a/ansible/roles/geerlingguy.certbot/vars/Ubuntu-16.04.yml b/ansible/roles/geerlingguy.certbot/vars/Ubuntu-16.04.yml deleted file mode 100644 index 83cf124..0000000 --- a/ansible/roles/geerlingguy.certbot/vars/Ubuntu-16.04.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -certbot_package: letsencrypt diff --git a/ansible/roles/geerlingguy.certbot/vars/default.yml b/ansible/roles/geerlingguy.certbot/vars/default.yml deleted file mode 100644 index d88f2dc..0000000 --- a/ansible/roles/geerlingguy.certbot/vars/default.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -certbot_package: certbot diff --git a/ansible/roles/geerlingguy.docker/.ansible-lint b/ansible/roles/geerlingguy.docker/.ansible-lint new file mode 100644 index 0000000..4778564 --- /dev/null +++ b/ansible/roles/geerlingguy.docker/.ansible-lint @@ -0,0 +1,2 @@ +skip_list: + - '306' 
diff --git a/ansible/roles/geerlingguy.docker/.github/FUNDING.yml b/ansible/roles/geerlingguy.docker/.github/FUNDING.yml
new file mode 100644
index 0000000..96b4938
--- /dev/null
+++ b/ansible/roles/geerlingguy.docker/.github/FUNDING.yml
@@ -0,0 +1,4 @@
+# These are supported funding model platforms
+---
+github: geerlingguy
+patreon: geerlingguy
diff --git a/ansible/roles/geerlingguy.docker/.github/stale.yml b/ansible/roles/geerlingguy.docker/.github/stale.yml
new file mode 100644
index 0000000..c7ff127
--- /dev/null
+++ b/ansible/roles/geerlingguy.docker/.github/stale.yml
@@ -0,0 +1,56 @@ +# Configuration for probot-stale - https://github.com/probot/stale + +# Number of days of inactivity before an Issue or Pull Request becomes stale +daysUntilStale: 90 + +# Number of days of inactivity before an Issue or Pull Request with the stale label is closed. +# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale. +daysUntilClose: 30 + +# Only issues or pull requests with all of these labels are check if stale. Defaults to `[]` (disabled) +onlyLabels: [] + +# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable +exemptLabels: + - pinned + - security + - planned + +# Set to true to ignore issues in a project (defaults to false) +exemptProjects: false + +# Set to true to ignore issues in a milestone (defaults to false) +exemptMilestones: false + +# Set to true to ignore issues with an assignee (defaults to false) +exemptAssignees: false + +# Label to use when marking as stale +staleLabel: stale + +# Limit the number of actions per hour, from 1-30. Default is 30 +limitPerRun: 30 + +pulls: + markComment: |- + This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution! + + Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark pull requests as stale. + + unmarkComment: >- + This pull request is no longer marked for closure. + + closeComment: >- + This pull request has been closed due to inactivity. If you feel this is in error, please reopen the pull request or file a new PR with the relevant details. + +issues: + markComment: |- + This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution! 
+ + Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale. + + unmarkComment: >- + This issue is no longer marked for closure. + + closeComment: >- + This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details. diff --git a/ansible/roles/geerlingguy.certbot/.gitignore b/ansible/roles/geerlingguy.docker/.gitignore similarity index 100% rename from ansible/roles/geerlingguy.certbot/.gitignore rename to ansible/roles/geerlingguy.docker/.gitignore diff --git a/ansible/roles/geerlingguy.certbot/.travis.yml b/ansible/roles/geerlingguy.docker/.travis.yml similarity index 63% rename from ansible/roles/geerlingguy.certbot/.travis.yml rename to ansible/roles/geerlingguy.docker/.travis.yml index d644cb5..a0001c3 100644 --- a/ansible/roles/geerlingguy.certbot/.travis.yml +++ b/ansible/roles/geerlingguy.docker/.travis.yml @@ -4,20 +4,18 @@ services: docker env: global: - - ROLE_NAME: certbot + - ROLE_NAME: docker matrix: + - MOLECULE_DISTRO: centos8 - MOLECULE_DISTRO: centos7 - MOLECULE_DOCKER_COMMAND: /usr/lib/systemd/systemd - - MOLECULE_DISTRO: centos6 - MOLECULE_PLAYBOOK: playbook-source-install.yml + - MOLECULE_DISTRO: ubuntu1804 - MOLECULE_DISTRO: ubuntu1604 - - MOLECULE_DISTRO: ubuntu1404 - MOLECULE_PLAYBOOK: playbook-source-install.yml + - MOLECULE_DISTRO: debian10 - MOLECULE_DISTRO: debian9 install: # Install test dependencies. - - pip install molecule docker + - pip install molecule yamllint ansible-lint docker before_script: # Use actual Ansible Galaxy role name for the project directory. 
diff --git a/ansible/roles/geerlingguy.certbot/molecule/default/yaml-lint.yml b/ansible/roles/geerlingguy.docker/.yamllint similarity index 82% rename from ansible/roles/geerlingguy.certbot/molecule/default/yaml-lint.yml rename to ansible/roles/geerlingguy.docker/.yamllint index a3dbc38..7aeec5a 100644 --- a/ansible/roles/geerlingguy.certbot/molecule/default/yaml-lint.yml +++ b/ansible/roles/geerlingguy.docker/.yamllint @@ -2,5 +2,5 @@ extends: default rules: line-length: - max: 120 + max: 200 level: warning diff --git a/ansible/roles/geerlingguy.certbot/LICENSE b/ansible/roles/geerlingguy.docker/LICENSE similarity index 100% rename from ansible/roles/geerlingguy.certbot/LICENSE rename to ansible/roles/geerlingguy.docker/LICENSE diff --git a/ansible/roles/geerlingguy.docker/README.md b/ansible/roles/geerlingguy.docker/README.md new file mode 100644 index 0000000..036b560 --- /dev/null +++ b/ansible/roles/geerlingguy.docker/README.md 
@@ -0,0 +1,97 @@ +# Ansible Role: Docker + +[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-docker.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-docker) + +An Ansible Role that installs [Docker](https://www.docker.com) on Linux. + +## Requirements + +None. + +## Role Variables + +Available variables are listed below, along with default values (see `defaults/main.yml`): + + # Edition can be one of: 'ce' (Community Edition) or 'ee' (Enterprise Edition). + docker_edition: 'ce' + docker_package: "docker-{{ docker_edition }}" + docker_package_state: present + +The `docker_edition` should be either `ce` (Community Edition) or `ee` (Enterprise Edition). You can also specify a specific version of Docker to install using the distribution-specific format: Red Hat/CentOS: `docker-{{ docker_edition }}-`; Debian/Ubuntu: `docker-{{ docker_edition }}=`. + +You can control whether the package is installed, uninstalled, or at the latest version by setting `docker_package_state` to `present`, `absent`, or `latest`, respectively. Note that the Docker daemon will be automatically restarted if the Docker package is updated. This is a side effect of flushing all handlers (running any of the handlers that have been notified by this and any other role up to this point in the play). + + docker_service_state: started + docker_service_enabled: true + docker_restart_handler_state: restarted + +Variables to control the state of the `docker` service, and whether it should start on boot. If you're installing Docker inside a Docker container without systemd or sysvinit, you should set these to `stopped` and set the enabled variable to `no`. + + docker_install_compose: true + docker_compose_version: "1.25.4" + docker_compose_path: /usr/local/bin/docker-compose + +Docker Compose installation options. 
+ + docker_apt_release_channel: stable + docker_apt_arch: amd64 + docker_apt_repository: "deb [arch={{ docker_apt_arch }}] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ docker_apt_release_channel }}" + docker_apt_ignore_key_error: True + docker_apt_gpg_key: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg + +(Used only for Debian/Ubuntu.) You can switch the channel to `edge` if you want to use the Edge release. + +You can change `docker_apt_gpg_key` to a different url if you are behind a firewall or provide a trustworthy mirror. +Usually in combination with changing `docker_apt_repository` as well. + + docker_yum_repo_url: https://download.docker.com/linux/centos/docker-{{ docker_edition }}.repo + docker_yum_repo_enable_edge: '0' + docker_yum_repo_enable_test: '0' + docker_yum_gpg_key: https://download.docker.com/linux/centos/gpg + +(Used only for RedHat/CentOS.) You can enable the Edge or Test repo by setting the respective vars to `1`. + +You can change `docker_yum_gpg_key` to a different url if you are behind a firewall or provide a trustworthy mirror. +Usually in combination with changing `docker_yum_repository` as well. + + docker_users: + - user1 + - user2 + +A list of system users to be added to the `docker` group (so they can use Docker on the server). + +## Use with Ansible (and `docker` Python library) + +Many users of this role wish to also use Ansible to then _build_ Docker images and manage Docker containers on the server where Docker is installed. In this case, you can easily add in the `docker` Python library using the `geerlingguy.pip` role: + +```yaml +- hosts: all + + vars: + pip_install_packages: + - name: docker + + roles: + - geerlingguy.pip + - geerlingguy.docker +``` + +## Dependencies + +None. 
+ +## Example Playbook + +```yaml +- hosts: all + roles: + - geerlingguy.docker +``` + +## License + +MIT / BSD + +## Author Information + +This role was created in 2017 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/). diff --git a/ansible/roles/geerlingguy.docker/defaults/main.yml b/ansible/roles/geerlingguy.docker/defaults/main.yml new file mode 100644 index 0000000..ba5ba8a --- /dev/null +++ b/ansible/roles/geerlingguy.docker/defaults/main.yml @@ -0,0 +1,31 @@ +--- +# Edition can be one of: 'ce' (Community Edition) or 'ee' (Enterprise Edition). +docker_edition: 'ce' +docker_package: "docker-{{ docker_edition }}" +docker_package_state: present + +# Service options. +docker_service_state: started +docker_service_enabled: true +docker_restart_handler_state: restarted + +# Docker Compose options. +docker_install_compose: true +docker_compose_version: "1.25.4" +docker_compose_path: /usr/local/bin/docker-compose + +# Used only for Debian/Ubuntu. Switch 'stable' to 'edge' if needed. +docker_apt_release_channel: stable +docker_apt_arch: amd64 +docker_apt_repository: "deb [arch={{ docker_apt_arch }}] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ docker_apt_release_channel }}" +docker_apt_ignore_key_error: true +docker_apt_gpg_key: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg + +# Used only for RedHat/CentOS/Fedora. +docker_yum_repo_url: https://download.docker.com/linux/{{ (ansible_distribution == "Fedora") | ternary("fedora","centos") }}/docker-{{ docker_edition }}.repo +docker_yum_repo_enable_edge: '0' +docker_yum_repo_enable_test: '0' +docker_yum_gpg_key: https://download.docker.com/linux/centos/gpg + +# A list of users who will be added to the docker group. +docker_users: [] 
diff --git a/ansible/roles/geerlingguy.docker/handlers/main.yml b/ansible/roles/geerlingguy.docker/handlers/main.yml new file mode 100644 index 0000000..7847bc1 --- /dev/null +++ b/ansible/roles/geerlingguy.docker/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: restart docker + service: "name=docker state={{ docker_restart_handler_state }}" diff --git a/ansible/roles/geerlingguy.docker/meta/.galaxy_install_info b/ansible/roles/geerlingguy.docker/meta/.galaxy_install_info new file mode 100644 index 0000000..412c30a --- /dev/null +++ b/ansible/roles/geerlingguy.docker/meta/.galaxy_install_info @@ -0,0 +1,2 @@ +install_date: Fri May 15 20:32:50 2020 +version: 2.7.0 diff --git a/ansible/roles/geerlingguy.certbot/meta/main.yml b/ansible/roles/geerlingguy.docker/meta/main.yml similarity index 62% rename from ansible/roles/geerlingguy.certbot/meta/main.yml rename to ansible/roles/geerlingguy.docker/meta/main.yml index e9b4a60..82065cd 100644 --- a/ansible/roles/geerlingguy.certbot/meta/main.yml +++ b/ansible/roles/geerlingguy.docker/meta/main.yml @@ -3,31 +3,31 @@ dependencies: [] galaxy_info: author: geerlingguy - description: "Installs and configures Certbot (for Let's Encrypt)." + description: Docker for Linux. company: "Midwestern Mac, LLC" license: "license (BSD, MIT)" min_ansible_version: 2.4 platforms: - name: EL versions: - - 6 - 7 + - 8 - name: Fedora versions: - all - - name: Ubuntu - versions: - - all - name: Debian versions: - - all + - stretch + - buster + - name: Ubuntu + versions: + - xenial + - bionic galaxy_tags: - - networking - - system - web - - certbot - - letsencrypt - - encryption - - certificates - - ssl - - https + - system + - containers + - docker + - orchestration + - compose + - server diff --git a/ansible/roles/geerlingguy.docker/molecule/default/converge.yml b/ansible/roles/geerlingguy.docker/molecule/default/converge.yml new file mode 100644 index 0000000..dad331d --- /dev/null 
+++ b/ansible/roles/geerlingguy.docker/molecule/default/converge.yml @@ -0,0 +1,12 @@ +--- +- name: Converge + hosts: all + become: true + + pre_tasks: + - name: Update apt cache. + apt: update_cache=yes cache_valid_time=600 + when: ansible_os_family == 'Debian' + + roles: + - role: geerlingguy.docker diff --git a/ansible/roles/geerlingguy.docker/molecule/default/molecule.yml b/ansible/roles/geerlingguy.docker/molecule/default/molecule.yml new file mode 100644 index 0000000..2da47dd --- /dev/null +++ b/ansible/roles/geerlingguy.docker/molecule/default/molecule.yml @@ -0,0 +1,21 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: | + set -e + yamllint . + ansible-lint +platforms: + - name: instance + image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest" + command: ${MOLECULE_DOCKER_COMMAND:-""} + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + privileged: true + pre_build_image: true +provisioner: + name: ansible + playbooks: + converge: ${MOLECULE_PLAYBOOK:-converge.yml} diff --git a/ansible/roles/geerlingguy.docker/tasks/docker-compose.yml b/ansible/roles/geerlingguy.docker/tasks/docker-compose.yml new file mode 100644 index 0000000..92cf4f2 --- /dev/null +++ b/ansible/roles/geerlingguy.docker/tasks/docker-compose.yml @@ -0,0 +1,20 @@ +--- +- name: Check current docker-compose version. + command: docker-compose --version + register: docker_compose_current_version + changed_when: false + failed_when: false + +- name: Delete existing docker-compose version if it's different. + file: + path: "{{ docker_compose_path }}" + state: absent + when: > + docker_compose_current_version.stdout is defined + and docker_compose_version not in docker_compose_current_version.stdout + +- name: Install Docker Compose (if configured). + get_url: + url: https://github.com/docker/compose/releases/download/{{ docker_compose_version }}/docker-compose-Linux-x86_64 + dest: "{{ docker_compose_path }}" + mode: 0755 
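Review bot: The "Install Docker Compose (if configured)" task fetches a binary from the GitHub release URL with `get_url` and writes it to `docker_compose_path` as an executable without a `checksum:`, so whatever that URL returns is installed and later run as root with no integrity check. Pinning `docker_compose_version` gives reproducibility but not integrity; add `checksum: "sha256:<expected-digest-for-the-pinned-version>"` next to `url:` (or expose it as a role variable so the consuming playbook can set it). The containerd.io RPM fetched by URL in setup-RedHat.yml has the same shape; yum/dnf may verify its signature against the key imported by `rpm_key`, but that depends on the target's gpgcheck settings, so it is worth confirming. Since this role is vendored (see meta/.galaxy_install_info), the change needs to be carried as a local patch or taken from an upstream update.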
diff --git a/ansible/roles/geerlingguy.docker/tasks/docker-users.yml b/ansible/roles/geerlingguy.docker/tasks/docker-users.yml new file mode 100644 index 0000000..b3b6e0f --- /dev/null +++ b/ansible/roles/geerlingguy.docker/tasks/docker-users.yml @@ -0,0 +1,7 @@ +--- +- name: Ensure docker users are added to the docker group. + user: + name: "{{ item }}" + groups: docker + append: true + with_items: "{{ docker_users }}" diff --git a/ansible/roles/geerlingguy.docker/tasks/main.yml b/ansible/roles/geerlingguy.docker/tasks/main.yml new file mode 100644 index 0000000..56449ef --- /dev/null +++ b/ansible/roles/geerlingguy.docker/tasks/main.yml @@ -0,0 +1,27 @@ +--- +- include_tasks: setup-RedHat.yml + when: ansible_os_family == 'RedHat' + +- include_tasks: setup-Debian.yml + when: ansible_os_family == 'Debian' + +- name: Install Docker. + package: + name: "{{ docker_package }}" + state: "{{ docker_package_state }}" + notify: restart docker + +- name: Ensure Docker is started and enabled at boot. + service: + name: docker + state: "{{ docker_service_state }}" + enabled: "{{ docker_service_enabled }}" + +- name: Ensure handlers are notified now to avoid firewall conflicts. + meta: flush_handlers + +- include_tasks: docker-compose.yml + when: docker_install_compose | bool + +- include_tasks: docker-users.yml + when: docker_users | length > 0 diff --git a/ansible/roles/geerlingguy.docker/tasks/setup-Debian.yml b/ansible/roles/geerlingguy.docker/tasks/setup-Debian.yml new file mode 100644 index 0000000..d701135 --- /dev/null +++ b/ansible/roles/geerlingguy.docker/tasks/setup-Debian.yml 
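Review bot: The docker-users task adds every entry of `docker_users` to the `docker` group, which on a host running the Docker daemon is root-equivalent access (control of the daemon socket), and nothing in the task file says so. Add a comment above the task, e.g. `# Membership in the docker group is equivalent to root on this host; keep docker_users minimal.`, and keep the list in the consuming playbook limited to the deploy account. Because the task only ever appends (`append: true`) and iterates over the current list, dropping a name from `docker_users` later does not revoke membership, which is worth noting for offboarding.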
@@ -0,0 +1,40 @@ +--- +- name: Ensure old versions of Docker are not installed. + package: + name: + - docker + - docker-engine + state: absent + +- name: Ensure dependencies are installed. + apt: + name: + - apt-transport-https + - ca-certificates + - gnupg2 + state: present + +- name: Add Docker apt key. + apt_key: + url: "{{ docker_apt_gpg_key }}" + id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88 + state: present + register: add_repository_key + ignore_errors: "{{ docker_apt_ignore_key_error }}" + +- name: Ensure curl is present (on older systems without SNI). + package: name=curl state=present + when: add_repository_key is failed + +- name: Add Docker apt key (alternative for older systems without SNI). + shell: > + curl -sSL {{ docker_apt_gpg_key }} | sudo apt-key add - + args: + warn: false + when: add_repository_key is failed + +- name: Add Docker repository. + apt_repository: + repo: "{{ docker_apt_repository }}" + state: present + update_cache: true diff --git a/ansible/roles/geerlingguy.docker/tasks/setup-RedHat.yml b/ansible/roles/geerlingguy.docker/tasks/setup-RedHat.yml new file mode 100644 index 0000000..800c0bc --- /dev/null +++ b/ansible/roles/geerlingguy.docker/tasks/setup-RedHat.yml 
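Review bot: The fallback task "Add Docker apt key (alternative for older systems without SNI)" pipes `curl -sSL {{ docker_apt_gpg_key }}` into `apt-key add -` and runs whenever the first import reports failure, and unlike the `apt_key` task above it carries no `id:` fingerprint, so a failed fingerprint-checked import is replaced by an unverified one. With `docker_apt_ignore_key_error` defaulting to true in defaults/main.yml, that is the path taken whenever the pinned import fails, including when the fetched key does not match the expected id. In the consuming playbook, set `docker_apt_ignore_key_error: false` so the fingerprint-checked import is the only way the key gets trusted and the fallback is unreachable; the `sudo` inside the shell command is also redundant under `become`.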
@@ -0,0 +1,41 @@ +--- +- name: Ensure old versions of Docker are not installed. + package: + name: + - docker + - docker-common + - docker-engine + state: absent + +- name: Add Docker GPG key. + rpm_key: + key: "{{ docker_yum_gpg_key }}" + state: present + +- name: Add Docker repository. + get_url: + url: "{{ docker_yum_repo_url }}" + dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo' + owner: root + group: root + mode: 0644 + +- name: Configure Docker Edge repo. + ini_file: + dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo' + section: 'docker-{{ docker_edition }}-edge' + option: enabled + value: '{{ docker_yum_repo_enable_edge }}' + +- name: Configure Docker Test repo. + ini_file: + dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo' + section: 'docker-{{ docker_edition }}-test' + option: enabled + value: '{{ docker_yum_repo_enable_test }}' + +- name: Install containerd separately (CentOS 8). + package: + name: https://download.docker.com/linux/centos/7/x86_64/stable/Packages/containerd.io-1.2.6-3.3.el7.x86_64.rpm + state: present + when: ansible_distribution_major_version | int == 8 diff --git a/ansible/roles/geerlingguy.nodejs/.ansible-lint b/ansible/roles/geerlingguy.nodejs/.ansible-lint new file mode 100644 index 0000000..0af17d0 --- /dev/null +++ b/ansible/roles/geerlingguy.nodejs/.ansible-lint @@ -0,0 +1,3 @@ +skip_list: + - '405' + - '204' diff --git a/ansible/roles/geerlingguy.nodejs/.github/FUNDING.yml b/ansible/roles/geerlingguy.nodejs/.github/FUNDING.yml new file mode 100644 index 0000000..96b4938 --- /dev/null +++ b/ansible/roles/geerlingguy.nodejs/.github/FUNDING.yml @@ -0,0 +1,4 @@ +# These are supported funding model platforms +--- +github: geerlingguy +patreon: geerlingguy diff --git a/ansible/roles/geerlingguy.nodejs/.gitignore b/ansible/roles/geerlingguy.nodejs/.gitignore index c9b2377..f56f5b5 100644 --- a/ansible/roles/geerlingguy.nodejs/.gitignore +++ b/ansible/roles/geerlingguy.nodejs/.gitignore 
@@ -1,2 +1,3 @@ *.retry -tests/test.sh +*/__pycache__ +*.pyc diff --git a/ansible/roles/geerlingguy.nodejs/.travis.yml b/ansible/roles/geerlingguy.nodejs/.travis.yml index 0861896..1fa9d69 100644 --- a/ansible/roles/geerlingguy.nodejs/.travis.yml +++ b/ansible/roles/geerlingguy.nodejs/.travis.yml 
@@ -1,41 +1,33 @@ --- +language: python services: docker env: - # Defaults. - - distro: centos7 - - distro: centos6 - - distro: ubuntu1804 - - distro: ubuntu1604 - - distro: debian9 - - distro: debian8 + global: + - ROLE_NAME: nodejs + matrix: + - MOLECULE_DISTRO: centos8 + - MOLECULE_DISTRO: centos7 + - MOLECULE_DISTRO: ubuntu1804 + - MOLECULE_DISTRO: ubuntu1604 + - MOLECULE_DISTRO: debian9 - # Latest release. - - distro: centos7 - playbook: test-latest.yml - - distro: ubuntu1604 - playbook: test-latest.yml + - MOLECULE_DISTRO: centos7 + MOLECULE_PLAYBOOK: playbook-latest.yml + +install: + # Install test dependencies. + - pip install molecule yamllint ansible-lint docker + +before_script: + # Use actual Ansible Galaxy role name for the project directory. + - cd ../ + - mv ansible-role-$ROLE_NAME geerlingguy.$ROLE_NAME + - cd geerlingguy.$ROLE_NAME script: - # Configure test script so we can run extra tests after playbook is run. - - export container_id=$(date +%s) - - export cleanup=false - - # Download test shim. - - wget -O ${PWD}/tests/test.sh https://gist.githubusercontent.com/geerlingguy/73ef1e5ee45d8694570f334be385e181/raw/ - - chmod +x ${PWD}/tests/test.sh - # Run tests. - - ${PWD}/tests/test.sh - - # Ensure Node.js is installed. - - 'docker exec --tty ${container_id} env TERM=xterm which node' - - 'docker exec --tty ${container_id} env TERM=xterm node -v' - - # Ensure npm packages are installed globally. - - 'docker exec --tty ${container_id} env TERM=xterm bash --login -c "npm list -g --depth=0 jslint"' - - 'docker exec --tty ${container_id} env TERM=xterm bash --login -c "npm list -g --depth=0 node-sass"' - - 'docker exec --tty ${container_id} env TERM=xterm bash --login -c "npm list -g --depth=0 yo"' + - molecule test notifications: webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/ansible/roles/geerlingguy.nodejs/.yamllint b/ansible/roles/geerlingguy.nodejs/.yamllint new file mode 100644 index 0000000..76d1459 --- /dev/null 
+++ b/ansible/roles/geerlingguy.nodejs/.yamllint @@ -0,0 +1,6 @@ +--- +extends: default +rules: + line-length: + max: 220 + level: warning diff --git a/ansible/roles/geerlingguy.nodejs/README.md b/ansible/roles/geerlingguy.nodejs/README.md index fa703d9..f8ffbab 100644 --- a/ansible/roles/geerlingguy.nodejs/README.md +++ b/ansible/roles/geerlingguy.nodejs/README.md @@ -12,9 +12,9 @@ None. Available variables are listed below, along with default values (see `defaults/main.yml`): - nodejs_version: "6.x" + nodejs_version: "12.x" -The Node.js version to install. "6.x" is the default and works on most supported OSes. Other versions such as "0.12", "4.x", "5.x", "6.x", etc. should work on the latest versions of Debian/Ubuntu and RHEL/CentOS. +The Node.js version to install. "12.x" is the default and works on most supported OSes. Other versions such as "8.x", "10.x", "13.x", etc. should work on the latest versions of Debian/Ubuntu and RHEL/CentOS. nodejs_install_npm_user: "{{ ansible_ssh_user }}" diff --git a/ansible/roles/geerlingguy.nodejs/defaults/main.yml b/ansible/roles/geerlingguy.nodejs/defaults/main.yml index 4732748..301cfb5 100644 --- a/ansible/roles/geerlingguy.nodejs/defaults/main.yml +++ b/ansible/roles/geerlingguy.nodejs/defaults/main.yml @@ -1,7 +1,7 @@ --- -# Set the version of Node.js to install ("0.12", "4.x", "5.x", "6.x", "8.x", "9.x"). +# Set the version of Node.js to install (8.x", "10.x", "12.x", "13.x", etc.). # Version numbers from Nodesource: https://github.com/nodesource/distributions -nodejs_version: "6.x" +nodejs_version: "12.x" # The user for whom the npm packages will be installed. # nodejs_install_npm_user: username 
@@ -9,7 +9,8 @@ nodejs_version: "6.x" # The directory for global installations. npm_config_prefix: "/usr/local/lib/npm" -# Set to true to suppress the UID/GID switching when running package scripts. If set explicitly to false, then installing as a non-root user will fail. +# Set to true to suppress the UID/GID switching when running package scripts. If +# set explicitly to false, then installing as a non-root user will fail. npm_config_unsafe_perm: "false" # Define a list of global packages to be installed with NPM. diff --git a/ansible/roles/geerlingguy.nodejs/meta/.galaxy_install_info b/ansible/roles/geerlingguy.nodejs/meta/.galaxy_install_info index f5f936f..86d7774 100644 --- a/ansible/roles/geerlingguy.nodejs/meta/.galaxy_install_info +++ b/ansible/roles/geerlingguy.nodejs/meta/.galaxy_install_info @@ -1 +1,2 @@ -{install_date: 'Mon Dec 17 12:48:27 2018', version: 4.2.2} +install_date: Fri May 15 20:27:04 2020 +version: 5.1.1 diff --git a/ansible/roles/geerlingguy.nodejs/meta/main.yml b/ansible/roles/geerlingguy.nodejs/meta/main.yml index b567a2f..164f7db 100644 --- a/ansible/roles/geerlingguy.nodejs/meta/main.yml +++ b/ansible/roles/geerlingguy.nodejs/meta/main.yml @@ -10,16 +10,17 @@ galaxy_info: platforms: - name: EL versions: - - 6 - - 7 + - 6 + - 7 + - 8 - name: Debian versions: - - all + - all - name: Ubuntu versions: - - trusty - - xenial - - bionic + - trusty + - xenial + - bionic galaxy_tags: - development - web diff --git a/ansible/roles/geerlingguy.nodejs/tests/test-latest.yml b/ansible/roles/geerlingguy.nodejs/molecule/default/converge.yml similarity index 72% rename from ansible/roles/geerlingguy.nodejs/tests/test-latest.yml rename to ansible/roles/geerlingguy.nodejs/molecule/default/converge.yml index 8aee413..d1d5863 100644 --- a/ansible/roles/geerlingguy.nodejs/tests/test-latest.yml +++ b/ansible/roles/geerlingguy.nodejs/molecule/default/converge.yml 
@@ -1,8 +1,9 @@ --- -- hosts: all +- name: Converge + hosts: all + become: true vars: - nodejs_version: "9.x" nodejs_install_npm_user: root npm_config_prefix: /root/.npm-global npm_config_unsafe_perm: "true" @@ -14,8 +15,8 @@ pre_tasks: - name: Update apt cache. - apt: update_cache=yes cache_valid_time=600 + apt: update_cache=true cache_valid_time=600 when: ansible_os_family == 'Debian' roles: - - role_under_test + - role: geerlingguy.nodejs diff --git a/ansible/roles/geerlingguy.nodejs/molecule/default/molecule.yml b/ansible/roles/geerlingguy.nodejs/molecule/default/molecule.yml new file mode 100644 index 0000000..38eb962 --- /dev/null +++ b/ansible/roles/geerlingguy.nodejs/molecule/default/molecule.yml @@ -0,0 +1,20 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: | + yamllint . + ansible-lint +platforms: + - name: instance + image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest" + command: ${MOLECULE_DOCKER_COMMAND:-""} + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + privileged: true + pre_build_image: true +provisioner: + name: ansible + playbooks: + converge: ${MOLECULE_PLAYBOOK:-converge.yml} diff --git a/ansible/roles/geerlingguy.nodejs/tests/test.yml b/ansible/roles/geerlingguy.nodejs/molecule/default/playbook-latest.yml similarity index 63% rename from ansible/roles/geerlingguy.nodejs/tests/test.yml rename to ansible/roles/geerlingguy.nodejs/molecule/default/playbook-latest.yml index 72832e0..1213795 100644 --- a/ansible/roles/geerlingguy.nodejs/tests/test.yml +++ b/ansible/roles/geerlingguy.nodejs/molecule/default/playbook-latest.yml 
@@ -1,20 +1,23 @@ --- -- hosts: all +- name: Converge + hosts: all + become: true vars: + nodejs_version: "13.x" nodejs_install_npm_user: root npm_config_prefix: /root/.npm-global npm_config_unsafe_perm: "true" nodejs_npm_global_packages: - node-sass - name: jslint - version: 0.9.6 + version: 0.12.0 - name: yo pre_tasks: - name: Update apt cache. - apt: update_cache=yes cache_valid_time=600 + apt: update_cache=true cache_valid_time=600 when: ansible_os_family == 'Debian' roles: - - role_under_test + - role: geerlingguy.nodejs diff --git a/ansible/roles/geerlingguy.nodejs/tasks/main.yml b/ansible/roles/geerlingguy.nodejs/tasks/main.yml index 6b125c1..5622c35 100644 --- a/ansible/roles/geerlingguy.nodejs/tasks/main.yml +++ b/ansible/roles/geerlingguy.nodejs/tasks/main.yml @@ -27,13 +27,14 @@ npm: name: "{{ item.name | default(item) }}" version: "{{ item.version | default('latest') }}" - global: yes + global: true state: latest environment: NPM_CONFIG_PREFIX: "{{ npm_config_prefix }}" NODE_PATH: "{{ npm_config_prefix }}/lib/node_modules" NPM_CONFIG_UNSAFE_PERM: "{{ npm_config_unsafe_perm }}" with_items: "{{ nodejs_npm_global_packages }}" + tags: ['skip_ansible_lint'] - name: Install packages defined in a given package.json. npm: diff --git a/ansible/roles/geerlingguy.nodejs/tasks/setup-Debian.yml b/ansible/roles/geerlingguy.nodejs/tasks/setup-Debian.yml index c939617..442e134 100644 --- a/ansible/roles/geerlingguy.nodejs/tasks/setup-Debian.yml +++ b/ansible/roles/geerlingguy.nodejs/tasks/setup-Debian.yml @@ -1,6 +1,10 @@ --- -- name: Ensure apt-transport-https is installed. - apt: name=apt-transport-https state=present +- name: Ensure dependencies are present. + apt: + name: + - apt-transport-https + - gnupg2 + state: present - name: Add Nodesource apt key. apt_key: 
@@ -20,6 +24,9 @@ - name: Update apt cache if repo was added. apt: update_cache=yes when: node_repo.changed + tags: ['skip_ansible_lint'] - name: Ensure Node.js and npm are installed. - apt: "name=nodejs={{ nodejs_version|regex_replace('x', '') }}* state=present" + apt: + name: "nodejs={{ nodejs_version|regex_replace('x', '') }}*" + state: present diff --git a/ansible/roles/geerlingguy.nodejs/tasks/setup-RedHat.yml b/ansible/roles/geerlingguy.nodejs/tasks/setup-RedHat.yml index f2b9ee7..e39771a 100644 --- a/ansible/roles/geerlingguy.nodejs/tasks/setup-RedHat.yml +++ b/ansible/roles/geerlingguy.nodejs/tasks/setup-RedHat.yml @@ -1,13 +1,7 @@ --- -- name: Set up the Nodesource RPM directory for Node.js > 0.10. +- name: Set up the Nodesource RPM directory. set_fact: nodejs_rhel_rpm_dir: "pub_{{ nodejs_version }}" - when: nodejs_version != '0.10' - -- name: Set up the Nodesource RPM variable for Node.js == 0.10. - set_fact: - nodejs_rhel_rpm_dir: "pub" - when: nodejs_version == '0.10' - name: Import Nodesource RPM key (CentOS < 7). rpm_key: @@ -15,7 +9,7 @@ state: present when: ansible_distribution_major_version|int < 7 -- name: Import Nodesource RPM key (CentOS 7+).. +- name: Import Nodesource RPM key (CentOS 7+). rpm_key: key: https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL state: present @@ -33,5 +27,16 @@ state: present when: ansible_distribution_major_version|int >= 7 +- name: Ensure Node.js AppStream module is disabled (CentOS 8+). + command: yum module disable -y nodejs + args: + warn: false + register: module_disable + changed_when: "'Nothing to do.' not in module_disable.stdout" + when: ansible_distribution_major_version|int >= 8 + - name: Ensure Node.js and npm are installed. - yum: "name=nodejs-{{ nodejs_version|regex_replace('x', '') }}* state=present enablerepo='nodesource'" + yum: + name: "nodejs-{{ nodejs_version|regex_replace('x', '') }}*" + state: present + enablerepo: nodesource 
diff --git a/ansible/roles/geerlingguy.nodejs/templates/npm.sh.j2 b/ansible/roles/geerlingguy.nodejs/templates/npm.sh.j2 index 67caa78..aaeecee 100644 --- a/ansible/roles/geerlingguy.nodejs/templates/npm.sh.j2 +++ b/ansible/roles/geerlingguy.nodejs/templates/npm.sh.j2 @@ -1,3 +1,3 @@ -export PATH={{ npm_config_prefix }}/bin:$PATH +export PATH=$PATH:{{ npm_config_prefix }}/bin export NPM_CONFIG_PREFIX={{ npm_config_prefix }} export NODE_PATH=$NODE_PATH:{{ npm_config_prefix }}/lib/node_modules diff --git a/ansible/roles/geerlingguy.nodejs/tests/README.md b/ansible/roles/geerlingguy.nodejs/tests/README.md deleted file mode 100644 index 6fb2117..0000000 --- a/ansible/roles/geerlingguy.nodejs/tests/README.md +++ /dev/null @@ -1,11 +0,0 @@ -# Ansible Role tests - -To run the test playbook(s) in this directory: - - 1. Install and start Docker. - 1. Download the test shim (see .travis.yml file for the URL) into `tests/test.sh`: - - `wget -O tests/test.sh https://gist.githubusercontent.com/geerlingguy/73ef1e5ee45d8694570f334be385e181/raw/` - 1. Make the test shim executable: `chmod +x tests/test.sh`. - 1. Run (from the role root directory) `distro=[distro] playbook=[playbook] ./tests/test.sh` - -If you don't want the container to be automatically deleted after the test playbook is run, add the following environment variables: `cleanup=false container_id=$(date +%s)`