ungleich-public/public-health-ch
6
1
Fork 0
Code Issues Pull requests 1 Projects Releases Wiki Activity

Merge branch 'master' into new_makefile

Browse source
This commit is contained in:
PCoder 2021-06-22 08:24:19 +05:30
commit 0f6cb6bbdb
269 changed files with 5516 additions and 6577 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
.bowerrc
View file

@ -1,3 +0,0 @@
{
"directory": "publichealth/static/libs"
}

3
.buildpacks
View file

@ -1,3 +0,0 @@
https://github.com/heroku/heroku-buildpack-nodejs
https://github.com/ejholmes/heroku-buildpack-bower
https://github.com/heroku/heroku-buildpack-python

2
Pipfile
View file

@ -30,6 +30,6 @@ Pillow = ">=4.0.0"
puput = ">=1.0.0" puput = ">=1.0.0"
python-dotenv = "*" python-dotenv = "*"
stellar = "*" stellar = "*"
wagtail = ">=2.0" wagtail = ">=2.0,<2.13"
whitenoise = "*" whitenoise = "*"
django-toolbelt = "*" django-toolbelt = "*"

795
Pipfile.lock generated
View file

File diff suppressed because it is too large Load diff

47
README.md
View file

@ -15,7 +15,7 @@ To set up a full development environment, follow all these instructions.
**Frontend setup** **Frontend setup**
Make sure a recent version of node.js (we recommend using [nave.sh](https://gipublichealth/static/org/archive-message.htmlthub.com/isaacs/nave)), then: Use the LTS version of node.js (we recommend using [nave.sh](https://gipublichealth/static/org/archive-message.htmlthub.com/isaacs/nave) with `nave use lts`), then:
``` ```
npm install -g yarn grunt-cli npm install -g yarn grunt-cli
@ -32,10 +32,16 @@ If you are only working on the frontend, you can start a local webserver and wor
**Backend setup** **Backend setup**
If not using Vagrant: after installing Python 3, from the project folder, deploy system packages and create a virtual environment as detailed (for Ubuntu users) below: If not using Vagrant: after installing Python 3, from the project folder, deploy system packages (here shown for Ubuntu users) for the development libraries of Python, libJPEG and libPQ (Postgres Client):
``` ```
sudo apt-get install python3-venv python3-dev libjpeg-dev sudo apt-get install python3-dev libjpeg-dev libpq-dev
```
Create a virtual environment as below:
```
sudo apt-get install python3-venv
pyvenv env pyvenv env
. env/bin/activate . env/bin/activate
@ -77,7 +83,14 @@ Now access the admin panel with the user account you created earlier: http://loc
## Troubleshooting ## Troubleshooting
- Issues with migrating database tables in SQLite during development? Try `./manage.py migrate --fake` Issues with migrating database tables in SQLite during development? Try `./manage.py migrate --fake`
Trouble installing packages with npm or yarn? Add IPv6 addresses to your hosts:
2606:4700:10::6814:162e nodejs.org
2606:4700::6810:1823 registry.npmjs.org
2606:4700::6810:1123 registry.yarnpkg.com
2a0a:e5c0:2:10::8c52:790a codeload.github.com
## Production notes ## Production notes
@ -85,58 +98,46 @@ We use [Ansible](https://www.ansible.com) and [Docker Compose](https://docs.dock
To use Docker Compose to manually deploy the site, copy `ansible/roles/web/templates/docker-compose.j2` to `/docker-compose.yml` and fill in all `{{ variables }}`. This can also be done automatically in Ansible. To use Docker Compose to manually deploy the site, copy `ansible/roles/web/templates/docker-compose.j2` to `/docker-compose.yml` and fill in all `{{ variables }}`. This can also be done automatically in Ansible.
Install or update the following roles from [Ansible Galaxy](https://docs.ansible.com/ansible/latest/reference_appendices/galaxy.html) to use our scripts: To update all roles from [Ansible Galaxy](https://docs.ansible.com/ansible/latest/reference_appendices/galaxy.html) used in our install scripts:
``` ```
ansible-galaxy install \ ansible-galaxy install `ls ansible/roles -x -I wagtail` --force
dev-sec.nginx-hardening \
dev-sec.ssh-hardening \
dev-sec.os-hardening \
geerlingguy.nodejs
``` ```
To check that the scripts and roles are correctly installed, use this command to do a "dry run": To check that the scripts and roles are correctly installed, use this command to do a "dry run":
``` ```
ansible-playbook ansible/*.yaml -i ansible/inventories/production --list-tasks ansible-playbook ansible/*.yaml -i ansible/inventories/lagoon --list-tasks
``` ```
If you only want to run a certain set of actions, subset the tags which you see in the output above. For example, to only update the NGINX configuration: If you only want to run a certain set of actions, subset the tags which you see in the output above. For example, to only update the NGINX configuration:
``` ```
ansible-playbook ansible/web.yaml -i ansible/inventories/production --tags "nginx_template_config" ansible-playbook ansible/web.yaml -i ansible/inventories/lagoon --tags "nginx_template_config"
``` ```
To do production deployments, you need to obtain SSH and vault keys from your system administrator (who has followed the Ansible guide to set up a vault..), and place these in a `.keys` folder. To deploy a site: To do production deployments, you need to obtain SSH and vault keys from your system administrator (who has followed the Ansible guide to set up a vault..), and place these in a `.keys` folder. To deploy a site:
``` ```
ansible-playbook ansible/*.yaml -i ansible/inventories/production ansible-playbook ansible/*.yaml -i ansible/inventories/lagoon
``` ```
For an update release with a specific version (tag or branch), use (the `-v` parameter showing output of commands): For an update release with a specific version (tag or branch), use (the `-v` parameter showing output of commands):
``` ```
ansible-playbook ansible/site.yaml -i ansible/inventories/production --tags release -v -e gitversion=<v*.*.*> ansible-playbook ansible/site.yaml -i ansible/inventories/lagoon --tags release -v -e gitversion=<v*.*.*>
``` ```
You can also use the `gitrepo` parameter to use a different fork of the source code. You can also use the `gitrepo` parameter to use a different fork of the source code.
Once the basic system set up, i.e. you have an `ansible` user in the sudoers and docker group, you are ready to run the playbook. Once the basic system set up, i.e. you have an `ansible` user in the sudoers and docker group, you are ready to run the playbook.
The typical order of deployment is:
- internet.yaml
- docker.yaml
- node.yaml
- web.yaml
- wagtail.yaml
### Production releases ### Production releases
For further deployment and system maintenance we have a `Makefile` which automates Docker Compose tasks. This should be converted to use [Ansible Container](http://docs.ansible.com/ansible-container/getting_started.html). In the meantime, start a release with Ansible, then complete it using `make`, i.e.: For further deployment and system maintenance we have a `Makefile` which automates Docker Compose tasks. This should be converted to use [Ansible Container](http://docs.ansible.com/ansible-container/getting_started.html). In the meantime, start a release with Ansible, then complete it using `make`, i.e.:
``` ```
ansible-playbook -i ansible/inventories/production --tags release ansible/wagtail.yaml ansible-playbook -i ansible/inventories/lagoon --tags release ansible/wagtail.yaml
ssh -i .keys/ansible.pem ansible@<server-ip> "cd <release_dir> && make release" ssh -i .keys/ansible.pem ansible@<server-ip> "cd <release_dir> && make release"
``` ```

3
ansible/internet.yaml → ansible/alpha.yaml
View file

@ -3,13 +3,10 @@
gather_facts: True gather_facts: True
vars: vars:
ssh_server_ports: "{{ vault_ssh_server_ports }}" ssh_server_ports: "{{ vault_ssh_server_ports }}"
nginx_add_header: []
sysctl_overwrite: sysctl_overwrite:
# Enable IPv4 traffic forwarding. # Enable IPv4 traffic forwarding.
net.ipv4.ip_forward: 1 net.ipv4.ip_forward: 1
roles: roles:
- role: dev-sec.os-hardening - role: dev-sec.os-hardening
- role: dev-sec.ssh-hardening - role: dev-sec.ssh-hardening
- role: nginxinc.nginx
- role: dev-sec.nginx-hardening
- role: jnv.unattended-upgrades - role: jnv.unattended-upgrades

0
ansible/inventories/production/group_vars/webservers/vars.yaml → ansible/inventories/carbon/group_vars/webservers/vars.yaml
View file

48
ansible/inventories/carbon/group_vars/webservers/vault.yaml Normal file
View file

@ -0,0 +1,48 @@
$ANSIBLE_VAULT;1.1;AES256
32616665363039353938346565666133353839663266373534373330363932316531363932656135
6166636334613037346432353262333738353930316362610a633337373066313236656562666531
61636661666636636132306134393733303537363933376166363338306163633466363966343439
3731346464663438390a353135366630313438376264656632656261623563333538333661623766
61656336643236303137656166363936653533626165346338386165636438396332636366663262
63656231303834343130363864396233623161386533383531333366643865323932613931623133
30306432636666666535643533313935356232613035633935383532616565356163303164313464
33373936343135346431653034303839346364346434353930306363323165646666633062363661
37313638383935656234336136353662353139333462656433383164393030326464393934646236
33666262656365356663366638636661653734656633383664646230313832336263306134666239
65336335636264383330646365633565373531633866613162666139343761633639613134323064
32656162393965353133663930373564643766366136313465663933323761366164623036376236
64383666366562616337346237313761313237613264346336373538346465376361363037353332
36343530353138353862363632613536386139333630623237343763303439393761326165393330
65346262303231623331643963643432626562363962363530633331646139393330646330386139
63356330363538313932663034636638333062313063343830386435613264303165316334386336
61626666376164356237633165316462343165313638623061343730346462343462363332313230
38633230393665626362333661666439633938346339316130393839356362613231616465373335
64623466386634653464393434336261313237313064656534353437346461656634626539636336
32366136636333363637373430643538666533613031643234613635316461366362633635643232
65653732383637306635373637363162333339646530616663396137383333636336333936303734
65653065363164306337623338623437353231343062626138353834643239323261383237353266
63383534656233393166396330393161356265306439643463616535333533643261616136643533
36663564303566393632633530366533393833643262363338616533323263393234373163623265
65306330323865323364353235663261383365333462343933333165383239386566663731303963
62313636623837333233373863393835323564633264666536356434663662636163383566613131
39383930313663313034653462323330366531656130383761353339653933636661663439333138
32633339303166393035393039323433386630376433646466653763383632303766343837363234
38633662613431656330393130666437363963373863323433376566393634383332636662646565
33656337393835353231623935613236353633633037663632663634393064376662373963633035
33613139393031613363376162366138626132313430633865363461326634656362323039303238
62306137343132633736663662306532353831333033613662383762613938346465366661393366
64616436323364313165623633343434653531616232643036326238333565623132393465336433
37336337346434323033393732336465323731326263663332346466623138636265633236626565
32393639643563613761303464353265376464363266353631656238346233303330373136313332
62623239636636306134623831386136666466333263663637326262373030653837353464363434
33376238303736393536626463623033333738343030633634323765626332366230323133626161
61356137663232393534616466353662353731343632653839326437313632653334656539653030
39623830396363396566313466366335366666643235666666393036666437333737643033353337
33333263393566633935333136353465366363353930383535633064346366646538323634383537
30636535336236313131666665313832363937613461306635386539366434323465346235326265
34393166623564376439396531653539313563356364383733363131303662623163313736366261
34326565626233646162303532626136363237373531643966653437326436363038613961663064
34383232316634653130393230633665616537363130326366303938306636363534636534383231
37656432663134303630663533376339336236356466646366303939616239613462363232383734
65663062386264376330656130313135373138303431633063633135373339653437613930626263
633861393035376438633031393935356530

13
ansible/inventories/carbon/webservers Normal file
View file

@ -0,0 +1,13 @@
$ANSIBLE_VAULT;1.1;AES256
65373566353363396261353836316461353537636561316565353137306636373330306361396438
3435646636363566346635323838346138306239653735320a306263616264343862393065626234
61633866336565363137353231656534356538333661663961333938336233396439333564666334
3934373332383231380a316436663639323062373636363635656664663564363866373665376337
34653036396639313735326436663966393538316136663839623938343164626335626661336432
62333061376565613731663932326539333137386662653264616338333662613939656538663039
36623062366332346166663937626537613738633839666330623034653561663536646364653939
61313230326564653632353966343135353762356663653931653331633633653735623066386462
34326666313634633635353761633936313264393163333566353937623235313635656166323966
37373339353236633566376539373632663862626232383065666464633337336562333966383161
66613765643266636435353866636165393666313439373361323338653839643136343364356130
37363764653366633738

28
ansible/inventories/files/carbon/cloudflare.key Normal file
View file

@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCX+OAurxr0r4KC
l6nyf/xZGEu3G/LZEWiFYhYTHZZAVyeUtYBzjGiLiswbtnsFu4bDutvfX3OSynWd
TMBwc0sj8PO0+cJ5Bd9VGA2+PdEHpVWSXfc1c3a4s7C8xwrpxBfsxe3WtQ+lEfI2
y8h+zVES0af2KDbg/xuipTnsIHRWt1mF7uRw/3R9vYXF44HQbE9c+NOv6knY3sax
xdTq7gKifM1JNIjocEo/r7kgTLW/S5fGbZaffjWopZeXwehXMvK2RR43awkOMg4w
xjhzO6wqC3Wlo9WQ7s3TfcZNE39ipa+lCo/eVzTphYm2gKW/MCG506lR7/s2mudw
p/gAyM5tAgMBAAECggEAA3qMGyrL9FTo07dytEfaDWoLyvsQod0O+5qlWbZVgE8z
wJOFB2AWlox3Tp0XOigy61u6zmVUyRk+/E+g9LysOCblqpCwXcJ/fGcADYjvC3yX
4FwBSCUb+cS3OM2vl26d2OrQ88ISQ8Y3jqnh2DE3+Ap6N0gatXzGyQAnkBr6vsS2
TTEud/nQsaznD4rUaNcfDFHs8IbYGiDUleFuhsZTj44tUg9whIpDCKba4IAAdU5k
cyvWktd2XGlSuKUZsYuNrcydKZqhjleZq88/VccHtjP8O9L4+63BLost+VcznI3Y
vVT9eqhQwIZYIVsI0tj5X4EWXEyPDsluM/P5GnopMQKBgQDHppcwWhYsB80Jf4FO
TZAxvASMbMlxCdn3jhXt6mmucssqpiu9jQywnYFdEKGG5id40Cq4aJqZFo4534Og
0gTTWsYAJ94dpYDHrC/iqT9WOB8HQVO6UVVzfZu2L25EUQkW9dqEIGufeHtVdK6N
hm0ak1HfnoYhh7wVth+GuK4ICQKBgQDC3VrGsRJLeiHZAL/lIFzGUvG7MnEWE259
Kf+GfnOa4hDDnd7bzK4L+3Ll8Nvo+Og1VZqnJlvMX6IqVO2lv/RgfBGYuCD1I/Og
b6sZ2+X0S3OYUYGn1hkiiidB8QUALh30Q2JrTs6IPl6XZdPiX8LKi7U0UXJvgnm9
nLJMZtyERQKBgQC5yiopobu+T6gbbZ8r+fv0fE4TS20OFyfSOlPn6dtcrpCn6KkN
pMOpW3k13LMj8OvMfpMyto0fZyEFdB1uu+InuPJG1NLa7dfweCi7mdpJ5sHhI4bB
/MwzRDFyEaNgSbTWvAUULYNZjGnhdUq2guDm+S8YlNGnREPgRHIEEbpJ2QKBgENK
OvmX1fB4aU3NQ3a02TSnGdCB16k+5o2UPifMbNFUNWPHlVijcoqytveOV/I4Wb9p
IzGLPnHxqEcj8rik85eJ4G2zT7Y3Rv7k8NnKJLtafr1fj/1MInvZ5zqPJyHryu45
grf5i7pihzmSsTtfxB07Z0R8x56YGMAQZ0WY05ddAoGACVilm2mfLenQDT8bUvor
++zrdk2zdvDRLgYiWu/+O7UhJF8P0ozCYmqeTsgcjKuqgqyfuBNwTKmUeaPbvmxr
CM+gKBmuinQNNF3OjkoRv77fMkMS1+uUZ03iPjIgLz6J4cobdKRvcjVxLfPgyrJp
n0R2KghPhNb9l/XIgqeJNGw=
-----END PRIVATE KEY-----

29
ansible/inventories/files/carbon/cloudflare.pem Normal file
View file

@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----
MIIFADCCA+igAwIBAgIUK7EkF7xtZ1tTux+Q2ygKgP5cAScwDQYJKoZIhvcNAQEL
BQAwgYsxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTQw
MgYDVQQLEytDbG91ZEZsYXJlIE9yaWdpbiBTU0wgQ2VydGlmaWNhdGUgQXV0aG9y
aXR5MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MB4XDTE5MTAxNzE1MzAwMFoXDTM0MTAxMzE1MzAwMFowYjEZMBcGA1UEChMQQ2xv
dWRGbGFyZSwgSW5jLjEdMBsGA1UECxMUQ2xvdWRGbGFyZSBPcmlnaW4gQ0ExJjAk
BgNVBAMTHUNsb3VkRmxhcmUgT3JpZ2luIENlcnRpZmljYXRlMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl/jgLq8a9K+Cgpep8n/8WRhLtxvy2RFohWIW
Ex2WQFcnlLWAc4xoi4rMG7Z7BbuGw7rb319zksp1nUzAcHNLI/DztPnCeQXfVRgN
vj3RB6VVkl33NXN2uLOwvMcK6cQX7MXt1rUPpRHyNsvIfs1REtGn9ig24P8boqU5
7CB0VrdZhe7kcP90fb2FxeOB0GxPXPjTr+pJ2N7GscXU6u4ConzNSTSI6HBKP6+5
IEy1v0uXxm2Wn341qKWXl8HoVzLytkUeN2sJDjIOMMY4czusKgt1paPVkO7N033G
TRN/YqWvpQqP3lc06YWJtoClvzAhudOpUe/7NprncKf4AMjObQIDAQABo4IBgjCC
AX4wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
ATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQqrDW0atPbYUVW62/oonVTxNlU3TAf
BgNVHSMEGDAWgBQk6FNXXXw0QIep65TbuuEWePwppDBABggrBgEFBQcBAQQ0MDIw
MAYIKwYBBQUHMAGGJGh0dHA6Ly9vY3NwLmNsb3VkZmxhcmUuY29tL29yaWdpbl9j
YTCBggYDVR0RBHsweYISKi5wdWJsaWMtaGVhbHRoLmNoggkqLnNwaGMuY2iCFmdl
c3VuZGhlaXRzbWFuaWZlc3QuY2iCEW1hbmlmZXN0ZXNhbnRlLmNoghJuZ28tYWxs
aWFuei1lYmsuY2iCEHB1YmxpYy1oZWFsdGguY2iCB3NwaGMuY2gwOAYDVR0fBDEw
LzAtoCugKYYnaHR0cDovL2NybC5jbG91ZGZsYXJlLmNvbS9vcmlnaW5fY2EuY3Js
MA0GCSqGSIb3DQEBCwUAA4IBAQCnkhHew7PXdOcJduzRTtBX1oBRpAiky92RkM5/
jweojEt3I8QIjs1m/7ZUYCQW8grmBRS75x6geKy9prmHoRcRB0Akc6QfDSRBYaK/
AADSmShPYPFenicVDMOt9hSAYBHihmf5muPIZ/4yrK+FLPpPZibKi7ODmBzZ6Slz
NILCxV8Yz0PG7hGQru8ey0YEno2RBLIIhkzJs80X79r25mdUNVnvk98AbXwF2eyl
njNs7/eKemEe5Ia7OD9R33L/c36hr5HPTnXEfmcUqSeLq0mpoy8xWgsg7ykLUqmy
j6QT71+TT4P1WYYEXwTl0mPqD51Kn7AZCgmq8RMZ83/ocGF9
-----END CERTIFICATE-----

0
ansible/files/cloudflare.key → ansible/inventories/files/lagoon/cloudflare.key
View file

0
ansible/files/cloudflare.pem → ansible/inventories/files/lagoon/cloudflare.pem
View file

90
ansible/inventories/files/nations/cloudflare.key Normal file
View file

@ -0,0 +1,90 @@
$ANSIBLE_VAULT;1.1;AES256
37396437326330653831623831646432643031303962636636353931303064636262343439383238
3965386661613063656436346661363633613866646435630a333962393066636239643165643666
37346330313165643263656230373633363135376535376536373961633366613339333263376230
3164363738313339310a336235336465623835333262333866636434653066313736356138353461
30303332303264643839393462346236316464376138653832633331303365646565343237386662
61393166313138396334313132663165653131313532663331323237626163633764346162303564
64343034363139326238383633353463616135366636613262356366663364616438366432343463
61353135663234663231643865616430636466306161323336363866383838393931363134316532
62616336346134306363643533303030343531363930346361313864323166343536366564353166
39643762656364623765626334313663313337326537353664323464363661323665646665656634
33313332336461663333393632383330616434626362613832663030303334326662323562646535
34616139343436383866323362363633333632363666626561396534633734393432333363333330
66643864383133303634333432306332623534643232353963323665623833316237316231303831
33393431623136323239346261626430643266653262373262396530623338383232646263366361
65316336393661626537343666373332613030633138376533373331643966616630393036343462
34623664623339383030373666346131633836393338616462303563643038383463353462643862
64303037343765616666663635333264363039376463623766353833623337643639343631353931
61373361636231386334643337356664333061333834656632363762313466613661666234383133
66333766363264373939336133303830333136336439303136326539383231323235656262363338
66653666616634653233343032326461396361643266666565633933303532653035663130663736
37323434393639646435386432656563363961333265353065653564343037326131333333666237
31363461656632613931656239326132346338346264643232643165613936643863626130616631
61663439366338383033613135306533393933353933326561386537613263616132616337353534
39336565656631323530303965323466636663643266373165303937336465646132663839313136
30316330393535346265323763376639323363333734323334366234323531373763613439353035
64383361346638653364656338623465663532383836643433323330343834313564363331323834
61353333366465636266316264306262326263343139313631326161663165313561393162616236
39626439656436336134346232653662373336623734666239316365303265373061343234306439
61363236396231383265366264386236313736643962316562373962383832306231336363346537
35613032353832383463663366396539333263616262386337353235653632633764303730313062
32636430653136656538306630316235666331346466633834616632333139663232323464386239
66653362303139373261656533373866646363373965323962623063313532396664393436363135
35333333306563626239653938653732613630323464363034346638393631386531613963316338
64303833316466333439323065323539343933303861626665396565373761333634653435376562
65626165393937643261626266626430643962633963373839663736373332643162343332373762
64633166653665333933393937383763313166646462356232346332363632363833373366316463
35343536613264613230353334666630373964386165663162623533303136366338626531306533
35623565356234653763356134376635303634353961653831666438643265313230343530393336
65323762643034376635636234653139366439313233383539666365376130623539613732376636
64366636346366303533656461326263376566613461633436333336346236653932386230656661
61393533623131326164343263643666376334366134326433323630623436333132633962323837
35303034353161363131376266336466663138633961363030356536623834353163623264626233
37643562396232393932633536343232633334303039396163656231313462386435303839656431
30386632336434353638386166306565643930623831393834343237373861393731353334646466
36656237393635373039333161326134333064393863353663323261353430613064313661383064
63316138653131343334646330643435643532386537373163666639646532663366643534343438
33366138373230306161653061393538373664373639346261373230313133353561613236353761
33613333313231336661303635356531323536353836323765306533333864643834616533343161
33396632343938333633343430393364636139626161303834383535656639376633393133643139
61346365373465613861646631353039656465373665623535333936653135353936343035313662
32643537303630633764656563336434313533623166323738353836666565626333326662636139
31303630653039363065616432353334396231303430313166643532343861353262636336656238
33643064373839376261316633646430336663356663393366303032376131333437653630663736
30386235386261306633303538323464626464303962303133333933393164653933396430393464
35313234356534323032323161326630313738316466386139313138653738373232386462313961
32316464316532306330333932613537376562613761323737396537346466663037303839653430
35363237306334386631396537306332646563386538626533323337313438393439323035363064
37346434643966326366636238383262373231613566303462373539336333346166323138623033
33393533396438653439663430653930343233356131393562396232393537326562616131643261
63666237393835326635623265636434373031666639356563333436666362633363303466383366
66343464616666383531653966636130336530623532616566333737396338386165623961636438
36383564326661343865366230313731343232646331663464663932313663333065623965613565
65343138376561656537313663373135633463636537633131306237363062346239343162363332
39303365373561316465363134393635623636363839653839643866636164663932633165326662
36303362333862306531363238643266623631643337656636373139653531616538656132646631
64656236366235393235353865636232363239336136376430376236623537643833356163383133
63626434393736303233656433353734303763326362363436633939333433333932663131336530
66663936666464313135376466633364663231636531346331383739323735363132326162383830
34386163656131326365333534306437616435303239333233356430636166643361623333636436
34363065636335336230633565373366303666393961303066623662306461623365333431663964
39303366343964373438316135393164383262633438633665346562626337336666646463343461
62386632616563643162383465656631623731616562663733356266346637343936366439623736
61313037373834306438363430373636383466613334386165656238343038353831633139363362
31333735306631613732363661326136663938666135626232636531616435626364633263353662
61313239326239316130353236316434623261363565343831336339613965336664666132376637
30313436306239633461633931306633333562396639643836663937303965353831383065653261
61623839346438316364373634376665633831366434373135646537643735613230346564363630
61356666323937393164643636393262373039613139663437353939383839326162346463393562
61316365346361383266326135616638323762326661373764346437386539313466633337323939
37653938373236333763626135313237363761623539663038303234623634343836313861653336
61303365656633643435633061643761656339623231303065306435366535386434343635343538
33343037626165633039663632646532386364626635306138623938656563336433636130613033
32363233343061383065653231646439396465353337656636356166383263356665626238356139
66636537313461393865336639626163306438623630303663633163363339323863616339336432
61356138353363366639383764633862393234626533373736366130326334333861636537633537
38383233313063646539613931323837373530343935623562666431633431396538383331396632
35326266333930343236333937363030356231303061393362373536303337633964646132393862
39393963326136666361663363653936356333663565316331663331376636303966376637343236
64636531306635323731663334396663306262333730653335363364633839333339

122
ansible/inventories/files/nations/cloudflare.pem Normal file
View file

@ -0,0 +1,122 @@
$ANSIBLE_VAULT;1.1;AES256
36363564613066383633626239613031613162623365303031383037303365383835353462343835
3031636161616532613464623932343761323932653831640a306336386331326363396335376231
37363230353662383430633763396264623066636563366365633631623137626463303662396134
6665306336636535360a313035303031303431353437363263646539386132666561653433363939
38373463303933303133393730353831393862366232323532373635663435623638613762616537
33343931333939626139353439343965373935616436663864363234326235363530616334636465
34343836313761353332353232613964356363306538366633623131636264396434366666336134
32643230333666363139313165626636306562646236663964656466643735663961303565316265
38316436356262666334393264363966633737346635663135356633306463336437383030383264
66653435626566303637353039373539373961643338376464626165366434363431373364313636
38366632313532653539326138396434666434613731303662643134346535386435393531626639
62666436636366316338313630663665623736326465336432396366356239666261373863656536
35613138646635353362393963383665653764306137306462343063316137656137616135363663
37373937626564343233376562623430393231376636323563353637386230323161323230396531
64303136363562306162326664373639323866393833656266366662666434343963333038616566
64383462306237346564323238373963363630326266626330383261626231346439373138323531
35323430643063653638636164623334336630633661353331363831636665616666313438396334
61386138613738653038633233653565336435393530363730613637353438363434373637373362
65326435666264376433653865323730303664303231363963323539353532653364626562333162
30656539336631633065346166383835633261393463623866313866343764626333313432643530
31613666613462663662616131333531666533343661346333383539343638393336366235666437
37313264323434326538303736666535616362613334396133313363336532343335636631646331
38656633393863303934313466333530333737376235396233323839393030396530323862363763
30616561303165386331356562333164373830663531366662643463303466383765663032613166
64313465303362316465373134663264616234346530373031643830386166653038616134353632
64376637643534373864373030323232356430316434323765363861303462366232666136626663
39626261396263316434366462376563326439396438373966303933643931383730373834616166
36646134336336353334623165656361623436346465396463393530633463373930393139626365
61306339313662643130303733613636623433646332646335306163386637626532646630623139
37323366366231363864663132373964363837356236623162306336343631333361616635376430
32386465376334396134626133313764326637613966626364343831636234363437333662666339
33393331666562306264346339663965343364353938646634393432363363393131616234663237
33363461613233643461623338396335333032316566623233633538653566336138386464656533
37303835306234613163376362353964383935623465396362616164616233323437336566666136
31383536656438386536333766616334633739353731303766666433323230613339653265646463
66633161663339656433653535373865353463306135653739656330363064633563613531336365
36646262353566336135316462666138313732333864353431383762646662346362313863613932
62613038626661396637396366636264373537373966333938663931663532353862636561393764
66313065393963306564393637616231386137633465306164343234373665383265326462373961
35333766613232376234363336663865343663656631353565366461343964643265623064616562
64656462313333376534313333646630383462343935333439623061343464316139313331663966
30613236333239396137346361613830633738386162306633303033613938643138646465636364
36626236396633306162623461393764643661353634303237303862666136323337333362383538
38613866643032653565616266363637643036326465393734633239386535373038653464396563
39623561363862393131623764366261323932643733383066373436346236326630383966383433
35373835323436396235636337303564646433386431356165383337343334316432613065316133
66303937626631396334323838636436393533356535346436613531376330313230623439363136
33333839343239353762663130623735643262363036376433373963333937326533323466383235
61363639393835633035396634316538386463333461383334346438303134396433613665303664
38613532383562613862333765616665643134616532373762643432663337643132663233326664
66356530633561343862326666313264323637313239366161663031343265303833376539653430
37643435313265306135393736396535336333373665613836633465373761373266613031633636
65623363623134323430386632653232303461636162323466386564346565636532373438323839
66386463333635653535623139643235383437313761363532316561343939336166383562666335
31626561633264323766303565653566393164646638353861653838363466646639633361646536
65656235626330333538666365383230373563373230353263666361633965396133393430323165
30333066656231333738633264396162363063646532656265663232346135373330613566323131
36323966373832663564383433383235356664306439323764303638623736633262623533366532
61353938323462633637313263663238626535366234393864343533383561356532363564323963
63663033633866366366633161383238663537303339386239373035343061613066346532333533
32363964666235653062316164393634393337326136363235343231386633323436373762633337
65336430366539363461363165346537346134616135346139633235366334363266336566663738
36643331376161383532316366363766303463656137333864336163326238626138643939613237
30323062326465306561313364323630343238393531613963353065663861363336616331643065
39623533303861363263333461633637623164333762316665323835353334323364666466623839
62323839326339383231346233323636663261316439653035313265326237326266393331646365
33643639386131333063663463323534383737636563346463316433646361363338616631376431
63653434303736366266373937626261646230653363636661613034363863343539363832366361
34643832376662336632363533323666303530343933636234376631646536336261336566336264
39633637343537323865356266383864303462303538373565623566316635663366626438626237
66366438656634336364623639653736353836343739646237633734373834636530633238653132
38363833333937623738323935373034626464316536646435613036663938643436366566323036
39376339666131653365376265626131626136313663306339316230303934353231343437306161
35656634353732386337323364343431333631356664343333353963663537373431333562356330
65636238663438653864633938636664373637313163633766613963343563366464623437323530
61376133623531326435313737396261393130646239323239336530353466303362336136306136
36386564633236326530643236626630313561653630616564616139623033303438363235343136
63333164653332323630666535663237376632323339383563333639343931333536353032653761
61616364313739663462333336306164623365383236616539386132373733613763386166373235
30323834316532616464323539383362653161303461333465383333353465356133623862323464
34623661653263613366623933393330313038663837363834336561306538363335613263643362
32636665383662613835356630636537303561663532383039633163326566336631313564643936
37633031663133343164333032386262343861653665653663323732393130636263343932666636
35613335386237323832663832346438633764383039616138656636633565316566636335643734
36653931633336343665353762326336376435653963386666626534636533306632646162356561
61656336373730666663306536336461356130663866623431646330346161376634303732313461
37656362346636343063396662636633383633306231616363396635343533346139616438306433
62663262656430326533613864383232356564336565643733633336626466633265366132653962
32373963386264343132623338363263383136663963623463353239386133333932316663306331
66396265396235383630323830353962376266393933396563666434333534633931626534663865
37363839633135646435383535663965363437363231613162393864323161663330633266363033
38373634323733356464313461626261633136646661613833306362306339386434666362303435
66343430363631326366383437336338636534646664383461653733353531623466373831623631
35393934386235356138633833333265316464363064626463316139616666613664623136663731
65656637633436643333343738613433323733636465303762623438316162356138663838343765
34353433353066383634643536366562633864623039383032303365323261313966646262323332
66373235343265356639656434353865393239343965366462346435353165346333326131656565
30613061636636353233316637313338326635643238353937323236353032386461646363633563
30343636376338613363303964356334666439633136336530303964316563313561623034666631
65313464306535313863663937303565323164383537336334383437343234316437643338343231
61326365383534643931623361373339333666626463306336623464393062313762393064346634
39643030353063396635616139666130633235636434383861333938343039373731643166313364
64306239666639363739323137663231653761356239633236343936313939346562633530666532
31343032623139363130633136353036646231326339623037336533353064356165303932666536
66646537333663313034336236373037306636343632643636663634626235323038306134306564
34656631623439636633333830623462616364653431323035393331333331396163633539393364
38633662366631633431653864373739333039663966383765303863343036633337636636643436
35393962333732383732663063316532393332666332623934326166393236393936646337346564
39373935383136356362623339363432396632396534623030656333663165643363633038336465
35653430613738306232636632356135343533306139393334333439646136353432386365633137
63326639613166343262343037303536363230613666313932616565373932333538326633396137
37366562383662646461633639343338333766643564376431333332326564626434666338313466
63396137353862653835613339646532343561373261393432393632396235326466373338333762
39313637316462333333376539623261343139386164653664636133313434353937376230303865
38323061663833666563366133653635323466326231346637656337366333393863366332333338
31636239633436646633623165333833343737383137303263326361346531623237323937313762
31323261656331656362323364313231373930666639383730633234643738663330326436303334
34373439373538323364396433613033656333346261656338646237313236303261346636636362
62386162323163626635363039383031663738666430653964346430646532656162373933356338
33323631623936623236373932613133646631306566333061616538356434363165636464636235
62643461383139633361326463306162333530363365663064353266343734353361

29
ansible/inventories/lagoon/group_vars/webservers/vars.yaml Normal file
View file

@ -0,0 +1,29 @@
---
django_project_name: publichealth
elasticsearch_heap_size: 1g
memcached_memory_allocation_mb: 256
nginx_worker_processes: 2
nginx_worker_connections: 1024
domain: "{{ vault_domain }}"
allowed_domains: "{{ vault_allowed_domains }}"
django_email_key: "{{ vault_django_email_key }}"
django_email_domain: "{{ vault_django_email_domain }}"
django_email_from: "{{ vault_django_email_from }}"
django_secret_key: "{{ vault_django_secret_key }}"
# Default: postgres://postgres:@postgres:5432/postgres
django_postgres_url: "{{ vault_django_postgres_url }}"
# Default: http://elasticsearch:9200
django_elasticsearch_url: "{{ vault_django_elasticsearch_url }}"
# Default: redis://redis:6379
django_redis_url: "{{ vault_django_redis_url }}"

0
ansible/inventories/production/group_vars/webservers/vault.yaml → ansible/inventories/lagoon/group_vars/webservers/vault.yaml
View file

0
ansible/inventories/production/webservers → ansible/inventories/lagoon/webservers
View file

0
ansible/inventories/evolution/group_vars/webservers/vars.yaml → ansible/inventories/nations/group_vars/webservers/vars.yaml
View file

0
ansible/inventories/evolution/group_vars/webservers/vault.yaml → ansible/inventories/nations/group_vars/webservers/vault.yaml
View file

0
ansible/inventories/evolution/webservers → ansible/inventories/nations/webservers
View file

8
ansible/nginx.yaml Normal file
View file

@ -0,0 +1,8 @@
- hosts: webservers
become: True
gather_facts: True
vars:
nginx_add_header: []
roles:
- role: nginxinc.nginx
- role: dev-sec.nginx-hardening

2
ansible/node.yaml
View file

@ -6,5 +6,5 @@
- role: geerlingguy.nodejs - role: geerlingguy.nodejs
nodejs_install_npm_user: ansible nodejs_install_npm_user: ansible
nodejs_npm_global_packages: nodejs_npm_global_packages:
- name: bower - name: yarn
- name: grunt-cli - name: grunt-cli

2
ansible/roles/dev-sec.nginx-hardening/meta/.galaxy_install_info
View file

@ -1,2 +1,2 @@
install_date: Fri May 15 20:29:19 2020 install_date: Thu Feb 18 15:39:21 2021
version: 2.1.0 version: 2.1.0

34
ansible/roles/dev-sec.os-hardening/.github/workflows/changelog.yml vendored
View file

@ -1,34 +0,0 @@
name: Create Changelog
on:
pull_request:
types: [closed]
release:
types: [published]
issues:
types: [closed, edited]
jobs:
generate_changelog:
runs-on: ubuntu-latest
name: Generate changelog for master branch
steps:
- uses: actions/checkout@v1
- name: Generate changelog
uses: charmixer/auto-changelog-action@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: push
uses: github-actions-x/commit@v2.6
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
push-branch: 'master'
commit-message: 'update changelog'
force-add: 'true'
files: CHANGELOG.md
name: dev-sec CI
email: github@gumpri.ch

22
ansible/roles/dev-sec.os-hardening/.github/workflows/release.yml vendored
View file

@ -25,17 +25,35 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Generate changelog - name: Generate changelog
uses: charmixer/auto-changelog-action@v1 uses: charmixer/auto-changelog-action@8095796
with:
token: ${{ secrets.GITHUB_TOKEN }}
future_release: ${{ steps.version.outputs.next-version }}
- name: Generate changelog for the release
uses: charmixer/auto-changelog-action@8095796
with: with:
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
since_tag: ${{ steps.previoustag.outputs.tag }} since_tag: ${{ steps.previoustag.outputs.tag }}
future_release: ${{ steps.version.outputs.next-version }} future_release: ${{ steps.version.outputs.next-version }}
output: CHANGELOGRELEASE.md
- name: push changelog
uses: github-actions-x/commit@v2.6
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
push-branch: 'master'
commit-message: 'update changelog'
force-add: 'true'
files: CHANGELOG.md
name: dev-sec CI
email: hello@dev-sec.io
- name: Read CHANGELOG.md - name: Read CHANGELOG.md
id: package id: package
uses: juliangruber/read-file-action@v1 uses: juliangruber/read-file-action@v1
with: with:
path: ./CHANGELOG.md path: ./CHANGELOGRELEASE.md
- name: Create Release draft - name: Create Release draft
id: create_release id: create_release

11
ansible/roles/dev-sec.os-hardening/.kitchen.vagrant.yml
View file

@ -33,6 +33,9 @@ platforms:
- name: centos-6 - name: centos-6
driver_config: driver_config:
box: bento/centos-6.7 box: bento/centos-6.7
provision: true
vagrantfiles:
- rhel6_provision.rb
- name: centos-7 - name: centos-7
driver_config: driver_config:
box: bento/centos-7 box: bento/centos-7
@ -42,6 +45,9 @@ platforms:
- name: oracle-6 - name: oracle-6
driver_config: driver_config:
box: bento/oracle-6 box: bento/oracle-6
provision: true
vagrantfiles:
- rhel6_provision.rb
- name: oracle-7 - name: oracle-7
driver_config: driver_config:
box: bento/oracle-7 box: bento/oracle-7
@ -57,6 +63,11 @@ platforms:
- name: opensuse_tumbleweed - name: opensuse_tumbleweed
driver_config: driver_config:
box: opensuse/Tumbleweed.x86_64 box: opensuse/Tumbleweed.x86_64
provision: true
vagrantfiles:
- suse_provision.rb
provisioner:
ansible_binary_path: "/usr/local/bin"
verifier: verifier:
name: inspec name: inspec

58
ansible/roles/dev-sec.os-hardening/.kitchen.yml
View file

@ -2,7 +2,16 @@
driver: driver:
name: docker name: docker
use_sudo: false use_sudo: false
privileged: true cap_add:
- SYS_ADMIN
volume:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
run_options:
tmpfs:
- /tmp
- /run
- /run/lock
run_command: /sbin/init
http_proxy: <%= ENV['http_proxy'] || nil %> http_proxy: <%= ENV['http_proxy'] || nil %>
https_proxy: <%= ENV['https_proxy'] || nil %> https_proxy: <%= ENV['https_proxy'] || nil %>
@ -28,95 +37,108 @@ platforms:
driver: driver:
image: rndmh3ro/docker-centos6-ansible:latest image: rndmh3ro/docker-centos6-ansible:latest
platform: centos platform: centos
provision_command:
- sed -i '/loginuid/d' /etc/pam.d/sshd
- name: centos7-ansible-latest - name: centos7-ansible-latest
driver: driver:
image: rndmh3ro/docker-centos7-ansible:latest image: rndmh3ro/docker-centos7-ansible:latest
platform: centos platform: centos
run_command: /sbin/init
provision_command: provision_command:
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - sed -i '/nologin/d' /etc/pam.d/sshd
- systemctl enable sshd.service - systemctl enable sshd.service
- name: centos8-ansible-latest - name: centos8-ansible-latest
driver: driver:
image: rndmh3ro/docker-centos8-ansible:latest image: rndmh3ro/docker-centos8-ansible:latest
platform: centos platform: centos
run_command: /sbin/init
provision_command: provision_command:
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - sed -i '/nologin/d' /etc/pam.d/sshd
- systemctl enable sshd.service - systemctl enable sshd.service
provisioner:
ansible_binary_path: "/usr/local/bin"
- name: oracle6-ansible-latest - name: oracle6-ansible-latest
driver: driver:
image: rndmh3ro/docker-oracle6-ansible:latest image: rndmh3ro/docker-oracle6-ansible:latest
platform: centos platform: centos
provision_command:
- sed -i '/loginuid/d' /etc/pam.d/sshd
- name: oracle7-ansible-latest - name: oracle7-ansible-latest
driver: driver:
image: rndmh3ro/docker-oracle7-ansible:latest image: rndmh3ro/docker-oracle7-ansible:latest
run_command: /sbin/init
platform: centos platform: centos
provision_command: provision_command:
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - yum -y install initscripts
- sed -i '/nologin/d' /etc/pam.d/sshd
- systemctl enable sshd.service - systemctl enable sshd.service
- name: ubuntu1604-ansible-latest - name: ubuntu1604-ansible-latest
driver: driver:
image: rndmh3ro/docker-ubuntu1604-ansible:latest image: rndmh3ro/docker-ubuntu1604-ansible:latest
platform: ubuntu platform: ubuntu
run_command: /sbin/init
provision_command: provision_command:
- systemctl enable ssh.service - systemctl enable ssh.service
- name: ubuntu1804-ansible-latest - name: ubuntu1804-ansible-latest
driver: driver:
image: rndmh3ro/docker-ubuntu1804-ansible:latest image: rndmh3ro/docker-ubuntu1804-ansible:latest
platform: ubuntu platform: ubuntu
run_command: /sbin/init
provision_command: provision_command:
- systemctl enable ssh.service - systemctl enable ssh.service
- name: debian9-ansible-latest - name: debian9-ansible-latest
driver: driver:
image: rndmh3ro/docker-debian9-ansible:latest image: rndmh3ro/docker-debian9-ansible:latest
platform: debian platform: debian
run_command: /sbin/init
provision_command: provision_command:
- apt install -y systemd-sysv - apt install -y systemd-sysv
- systemctl enable ssh.service - systemctl enable ssh.service
- name: debian10-ansible-latest - name: debian10-ansible-latest
driver: driver:
image: rndmh3ro/docker-debian10-ansible:latest image: rndmh3ro/docker-debian10-ansible:latest
platform: debian platform: debian
run_command: /sbin/init
provision_command: provision_command:
- apt install -y systemd-sysv - apt install -y systemd-sysv
- systemctl enable ssh.service - systemctl enable ssh.service
- name: amazon-ansible-latest - name: amazon-ansible-latest
driver: driver:
image: rndmh3ro/docker-amazon-ansible:latest image: rndmh3ro/docker-amazon-ansible:latest
platform: centos platform: centos
run_command: /sbin/init
provision_command: provision_command:
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - sed -i '/nologin/d' /etc/pam.d/sshd
- systemctl enable sshd.service - systemctl enable sshd.service
- name: fedora-ansible-latest - name: fedora-ansible-latest
driver: driver:
image: rndmh3ro/docker-fedora-ansible:latest image: rndmh3ro/docker-fedora-ansible:latest
platform: centos platform: centos
run_command: /sbin/init
provision_command: provision_command:
- dnf install -y python - dnf install -y python
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - sed -i '/nologin/d' /etc/pam.d/sshd
- systemctl enable sshd.service - systemctl enable sshd.service
- name: opensuse_tumbleweed-ansible-latest - name: opensuse_tumbleweed-ansible-latest
driver: driver:
image: rndmh3ro/docker-opensuse_tumbleweed-ansible image: rndmh3ro/docker-opensuse_tumbleweed-ansible
platform: opensuse platform: opensuse
provision_command: provision_command:
- zypper -n install python-xml rpm-python - zypper -n install python-xml
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - sed -i '/nologin/d' /etc/pam.d/sshd
- sed -i '/systemd/d' /etc/pam.d/common-session
- systemctl enable sshd.service - systemctl enable sshd.service
verifier: verifier:
name: inspec name: inspec
sudo: true sudo: true
inspec_tests: inspec_tests:
- https://github.com/dev-sec/tests-os-hardening - https://github.com/dev-sec/linux-baseline
controls:
# skip sysctl checks, since they make no sense in docker
- /^(?!sysctl-|package-07).+/
suites: suites:
- name: os - name: os

86
ansible/roles/dev-sec.os-hardening/.travis.yml
View file

@ -2,63 +2,31 @@
services: docker services: docker
env: env:
- distro: centos6 global:
version: latest - version=latest
init: /sbin/init - init=/sbin/init
- run_opts="--cap-add SYS_ADMIN"
- distro: centos7 - volume="/sys/fs/cgroup:/sys/fs/cgroup:ro"
init: /lib/systemd/systemd jobs:
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - distro=centos6
version: latest volume=":"
run_opts=""
- distro: centos8 - distro=centos7
init: /lib/systemd/systemd - distro=centos8
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - distro=oracle6
version: latest volume=":"
run_opts=""
- distro: fedora # - distro=oracle7
init: /lib/systemd/systemd - distro=ubuntu1604
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - distro=ubuntu1804
version: latest - distro=debian9
init=/lib/systemd/systemd
- distro: oracle6 - distro=debian10
version: latest - distro=amazon
init: /sbin/init - distro=fedora
init=/lib/systemd/systemd
# - distro: oracle7 - distro=opensuse_tumbleweed
# init: /lib/systemd/systemd run_opts="--privileged"
# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
# version: latest
- distro: ubuntu1604
version: latest
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distro: ubuntu1804
version: latest
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distro: debian9
version: latest
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distro: debian10
version: latest
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distro: amazon
init: /lib/systemd/systemd
version: latest
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
# - distro: opensuse_tumbleweed
# init: /usr/lib/systemd/systemd
# version: latest
# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro --volume=/run:/run:ro"
before_install: before_install:
# Pull container # Pull container
@ -70,7 +38,7 @@ script:
- container_id=$(mktemp) - container_id=$(mktemp)
# Run container in detached state. # Run container in detached state.
- 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-os-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"' - 'docker run --detach --volume="${volume}" --volume="${PWD}":/etc/ansible/roles/ansible-os-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
# Output Ansible version from docker image # Output Ansible version from docker image
- 'docker exec "$(cat ${container_id})" ansible-playbook --version' - 'docker exec "$(cat ${container_id})" ansible-playbook --version'
@ -79,7 +47,7 @@ script:
- 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/tests/test.yml --diff' - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/tests/test.yml --diff'
# Verify role # Verify role
- 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --controls=os-01 os-02 os-03 os-04 os-05 os-05b os-06 os-07 os-09 os-10 os-11 package-01 package-02 package-03 package-05 package-06 package-08 package-09 --no-distinct-exit' - 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --no-distinct-exit'
notifications: notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/ webhooks: https://galaxy.ansible.com/api/v1/notifications/

79
ansible/roles/dev-sec.os-hardening/CHANGELOG.md
View file

@ -1,8 +1,71 @@
# Changelog # Changelog
## [Unreleased](https://github.com/dev-sec/ansible-os-hardening/tree/HEAD) ## [6.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.2.0) (2020-08-16)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.0...HEAD) [Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.1.0...6.2.0)
**Implemented enhancements:**
- Optimize and unify when clause [\#295](https://github.com/dev-sec/ansible-os-hardening/pull/295) ([Alexhha](https://github.com/Alexhha))
- use find module instead of shell [\#294](https://github.com/dev-sec/ansible-os-hardening/pull/294) ([danielkubat](https://github.com/danielkubat))
- improve testing [\#287](https://github.com/dev-sec/ansible-os-hardening/pull/287) ([schurzi](https://github.com/schurzi))
**Fixed bugs:**
- Inconsistent use of role vars/role defaults [\#284](https://github.com/dev-sec/ansible-os-hardening/issues/284)
**Closed issues:**
- Consider using find module instead of shell [\#293](https://github.com/dev-sec/ansible-os-hardening/issues/293)
- Optimize logical OR in when clause [\#292](https://github.com/dev-sec/ansible-os-hardening/issues/292)
- vfat added to dev-sec.conf, but efi is used [\#288](https://github.com/dev-sec/ansible-os-hardening/issues/288)
- OpenSUSE Support [\#249](https://github.com/dev-sec/ansible-os-hardening/issues/249)
**Merged pull requests:**
- fix fedora build [\#296](https://github.com/dev-sec/ansible-os-hardening/pull/296) ([rndmh3ro](https://github.com/rndmh3ro))
- move hidepid vars into defaults so theyre overwritable [\#285](https://github.com/dev-sec/ansible-os-hardening/pull/285) ([rndmh3ro](https://github.com/rndmh3ro))
## [6.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.1.0) (2020-07-21)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.3...6.1.0)
**Implemented enhancements:**
- Mount proc filesystem using hidepid option [\#283](https://github.com/dev-sec/ansible-os-hardening/pull/283) ([alegrey91](https://github.com/alegrey91))
**Fixed bugs:**
- Is it safe to use on Debian 10? The build is failing. [\#281](https://github.com/dev-sec/ansible-os-hardening/issues/281)
**Closed issues:**
- The state of the galaxy release [\#269](https://github.com/dev-sec/ansible-os-hardening/issues/269)
**Merged pull requests:**
- do not blacklist used filesystems [\#289](https://github.com/dev-sec/ansible-os-hardening/pull/289) ([schurzi](https://github.com/schurzi))
- install procps in debian so sysctl.conf exists [\#282](https://github.com/dev-sec/ansible-os-hardening/pull/282) ([rndmh3ro](https://github.com/rndmh3ro))
## [6.0.3](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.3) (2020-06-06)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.2...6.0.3)
**Implemented enhancements:**
- unify changelog and release actions [\#279](https://github.com/dev-sec/ansible-os-hardening/pull/279) ([rndmh3ro](https://github.com/rndmh3ro))
## [6.0.2](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.2) (2020-06-02)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.1...6.0.2)
**Implemented enhancements:**
- purge insecure packages [\#275](https://github.com/dev-sec/ansible-os-hardening/pull/275) ([chris-rock](https://github.com/chris-rock))
## [6.0.1](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.1) (2020-05-09)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.0...6.0.1)
**Implemented enhancements:** **Implemented enhancements:**
@ -19,7 +82,7 @@
- Add Debian Buster support for ansible-os-hardening [\#233](https://github.com/dev-sec/ansible-os-hardening/issues/233) - Add Debian Buster support for ansible-os-hardening [\#233](https://github.com/dev-sec/ansible-os-hardening/issues/233)
- Add CentOS 8 support for ansible-os-hardening [\#232](https://github.com/dev-sec/ansible-os-hardening/issues/232) - Add CentOS 8 support for ansible-os-hardening [\#232](https://github.com/dev-sec/ansible-os-hardening/issues/232)
- Add selinux configuration [\#154](https://github.com/dev-sec/ansible-os-hardening/issues/154) - Add selinux configuration [\#154](https://github.com/dev-sec/ansible-os-hardening/issues/154)
- Make useradd defaults in login.defs dependent on OS [\#266](https://github.com/dev-sec/ansible-os-hardening/pull/266) ([Aisbergg](https://github.com/Aisbergg)) - Make useradd defaults in login.defs dependent on OS [\#266](https://github.com/dev-sec/ansible-os-hardening/pull/266) ([aisbergg](https://github.com/aisbergg))
- Add kernel hardening parameters from Tails and CIS Benchmark [\#263](https://github.com/dev-sec/ansible-os-hardening/pull/263) ([kravietz](https://github.com/kravietz)) - Add kernel hardening parameters from Tails and CIS Benchmark [\#263](https://github.com/dev-sec/ansible-os-hardening/pull/263) ([kravietz](https://github.com/kravietz))
- add ansible-lint [\#262](https://github.com/dev-sec/ansible-os-hardening/pull/262) ([rndmh3ro](https://github.com/rndmh3ro)) - add ansible-lint [\#262](https://github.com/dev-sec/ansible-os-hardening/pull/262) ([rndmh3ro](https://github.com/rndmh3ro))
- Remove trailing space [\#261](https://github.com/dev-sec/ansible-os-hardening/pull/261) ([kravietz](https://github.com/kravietz)) - Remove trailing space [\#261](https://github.com/dev-sec/ansible-os-hardening/pull/261) ([kravietz](https://github.com/kravietz))
@ -28,7 +91,7 @@
- Standardize the var ordering [\#251](https://github.com/dev-sec/ansible-os-hardening/pull/251) ([dustinmiller1337](https://github.com/dustinmiller1337)) - Standardize the var ordering [\#251](https://github.com/dev-sec/ansible-os-hardening/pull/251) ([dustinmiller1337](https://github.com/dustinmiller1337))
- Add intial support for OpenSUSE [\#250](https://github.com/dev-sec/ansible-os-hardening/pull/250) ([dustinmiller1337](https://github.com/dustinmiller1337)) - Add intial support for OpenSUSE [\#250](https://github.com/dev-sec/ansible-os-hardening/pull/250) ([dustinmiller1337](https://github.com/dustinmiller1337))
- Make max\_log\_file\_action for auditd configurable [\#246](https://github.com/dev-sec/ansible-os-hardening/pull/246) ([jandd](https://github.com/jandd)) - Make max\_log\_file\_action for auditd configurable [\#246](https://github.com/dev-sec/ansible-os-hardening/pull/246) ([jandd](https://github.com/jandd))
- Add exception in sysctl task [\#240](https://github.com/dev-sec/ansible-os-hardening/pull/240) ([okupriyanov](https://github.com/okupriyanov)) - Add exception in sysctl task [\#240](https://github.com/dev-sec/ansible-os-hardening/pull/240) ([ghost](https://github.com/ghost))
- Fedora - Use new auto ansible\_python\_interpreter for dnf [\#239](https://github.com/dev-sec/ansible-os-hardening/pull/239) ([jaredledvina](https://github.com/jaredledvina)) - Fedora - Use new auto ansible\_python\_interpreter for dnf [\#239](https://github.com/dev-sec/ansible-os-hardening/pull/239) ([jaredledvina](https://github.com/jaredledvina))
- add test support for CentOS8 [\#237](https://github.com/dev-sec/ansible-os-hardening/pull/237) ([yeoldegrove](https://github.com/yeoldegrove)) - add test support for CentOS8 [\#237](https://github.com/dev-sec/ansible-os-hardening/pull/237) ([yeoldegrove](https://github.com/yeoldegrove))
- Support configuring SELinux and default to enforcing [\#236](https://github.com/dev-sec/ansible-os-hardening/pull/236) ([jaredledvina](https://github.com/jaredledvina)) - Support configuring SELinux and default to enforcing [\#236](https://github.com/dev-sec/ansible-os-hardening/pull/236) ([jaredledvina](https://github.com/jaredledvina))
@ -47,7 +110,7 @@
- Add a "don't fail on error" switch ? [\#148](https://github.com/dev-sec/ansible-os-hardening/issues/148) - Add a "don't fail on error" switch ? [\#148](https://github.com/dev-sec/ansible-os-hardening/issues/148)
- Addressing issue \#255 [\#258](https://github.com/dev-sec/ansible-os-hardening/pull/258) ([ljkimmel](https://github.com/ljkimmel)) - Addressing issue \#255 [\#258](https://github.com/dev-sec/ansible-os-hardening/pull/258) ([ljkimmel](https://github.com/ljkimmel))
- Fix \#247, cleanup conditions [\#248](https://github.com/dev-sec/ansible-os-hardening/pull/248) ([fernandezcuesta](https://github.com/fernandezcuesta)) - Fix \#247, cleanup conditions [\#248](https://github.com/dev-sec/ansible-os-hardening/pull/248) ([fernandezcuesta](https://github.com/fernandezcuesta))
- Fix error on applying the sysctl vars on containers [\#243](https://github.com/dev-sec/ansible-os-hardening/pull/243) ([okupriyanov](https://github.com/okupriyanov)) - Fix error on applying the sysctl vars on containers [\#243](https://github.com/dev-sec/ansible-os-hardening/pull/243) ([ghost](https://github.com/ghost))
- Update location of NSA RHEL 5 Guide [\#235](https://github.com/dev-sec/ansible-os-hardening/pull/235) ([jaredledvina](https://github.com/jaredledvina)) - Update location of NSA RHEL 5 Guide [\#235](https://github.com/dev-sec/ansible-os-hardening/pull/235) ([jaredledvina](https://github.com/jaredledvina))
## [5.2.1](https://github.com/dev-sec/ansible-os-hardening/tree/5.2.1) (2019-06-09) ## [5.2.1](https://github.com/dev-sec/ansible-os-hardening/tree/5.2.1) (2019-06-09)
@ -123,9 +186,7 @@
- Rename pam\_passwdqd.j2 to pam\_passwdqc.j2 [\#172](https://github.com/dev-sec/ansible-os-hardening/pull/172) ([martinbydefault](https://github.com/martinbydefault)) - Rename pam\_passwdqd.j2 to pam\_passwdqc.j2 [\#172](https://github.com/dev-sec/ansible-os-hardening/pull/172) ([martinbydefault](https://github.com/martinbydefault))
- Use package state 'present' since 'installed' is deprecated [\#168](https://github.com/dev-sec/ansible-os-hardening/pull/168) ([Normo](https://github.com/Normo)) - Use package state 'present' since 'installed' is deprecated [\#168](https://github.com/dev-sec/ansible-os-hardening/pull/168) ([Normo](https://github.com/Normo))
- Update syntax to Ansible 2.4 [\#161](https://github.com/dev-sec/ansible-os-hardening/pull/161) ([thomasjpfan](https://github.com/thomasjpfan)) - Update syntax to Ansible 2.4 [\#161](https://github.com/dev-sec/ansible-os-hardening/pull/161) ([thomasjpfan](https://github.com/thomasjpfan))
- add amazon linux testing [\#160](https://github.com/dev-sec/ansible-os-hardening/pull/160) ([rndmh3ro](https://github.com/rndmh3ro))
- Add support for Amazon Linux [\#158](https://github.com/dev-sec/ansible-os-hardening/pull/158) ([woneill](https://github.com/woneill)) - Add support for Amazon Linux [\#158](https://github.com/dev-sec/ansible-os-hardening/pull/158) ([woneill](https://github.com/woneill))
- install and configure auditd - fix inspec package-08 [\#144](https://github.com/dev-sec/ansible-os-hardening/pull/144) ([rndmh3ro](https://github.com/rndmh3ro))
- Remove deprecated include for static tasks and use instead import\_tasks fix \#131 [\#132](https://github.com/dev-sec/ansible-os-hardening/pull/132) ([HelioCampos](https://github.com/HelioCampos)) - Remove deprecated include for static tasks and use instead import\_tasks fix \#131 [\#132](https://github.com/dev-sec/ansible-os-hardening/pull/132) ([HelioCampos](https://github.com/HelioCampos))
**Fixed bugs:** **Fixed bugs:**
@ -148,12 +209,14 @@
- Update some RH settings in this role [\#155](https://github.com/dev-sec/ansible-os-hardening/issues/155) - Update some RH settings in this role [\#155](https://github.com/dev-sec/ansible-os-hardening/issues/155)
- Removal of core dump hardening configuration if core dumps are allowed [\#129](https://github.com/dev-sec/ansible-os-hardening/issues/129) - Removal of core dump hardening configuration if core dumps are allowed [\#129](https://github.com/dev-sec/ansible-os-hardening/issues/129)
- add amazon linux testing [\#160](https://github.com/dev-sec/ansible-os-hardening/pull/160) ([rndmh3ro](https://github.com/rndmh3ro))
- Don't create home for system accounts [\#156](https://github.com/dev-sec/ansible-os-hardening/pull/156) ([oakey-b1](https://github.com/oakey-b1)) - Don't create home for system accounts [\#156](https://github.com/dev-sec/ansible-os-hardening/pull/156) ([oakey-b1](https://github.com/oakey-b1))
- Prevent disabling of filesystems via whitelist [\#153](https://github.com/dev-sec/ansible-os-hardening/pull/153) ([manuelprinz](https://github.com/manuelprinz)) - Prevent disabling of filesystems via whitelist [\#153](https://github.com/dev-sec/ansible-os-hardening/pull/153) ([manuelprinz](https://github.com/manuelprinz))
- Add kernel hardening settings from Ubuntu /etc/sysctl.d [\#150](https://github.com/dev-sec/ansible-os-hardening/pull/150) ([kravietz](https://github.com/kravietz)) - Add kernel hardening settings from Ubuntu /etc/sysctl.d [\#150](https://github.com/dev-sec/ansible-os-hardening/pull/150) ([kravietz](https://github.com/kravietz))
- Removal of core dump hardening configuration if core dumps are allowed [\#146](https://github.com/dev-sec/ansible-os-hardening/pull/146) ([martinbydefault](https://github.com/martinbydefault)) - Removal of core dump hardening configuration if core dumps are allowed [\#146](https://github.com/dev-sec/ansible-os-hardening/pull/146) ([martinbydefault](https://github.com/martinbydefault))
- add missing sysctl parameter [\#143](https://github.com/dev-sec/ansible-os-hardening/pull/143) ([rndmh3ro](https://github.com/rndmh3ro)) - add missing sysctl parameter [\#143](https://github.com/dev-sec/ansible-os-hardening/pull/143) ([rndmh3ro](https://github.com/rndmh3ro))
- update readme [\#139](https://github.com/dev-sec/ansible-os-hardening/pull/139) ([rndmh3ro](https://github.com/rndmh3ro)) - update readme [\#139](https://github.com/dev-sec/ansible-os-hardening/pull/139) ([rndmh3ro](https://github.com/rndmh3ro))
- add modprobe template, control os-10 [\#138](https://github.com/dev-sec/ansible-os-hardening/pull/138) ([rndmh3ro](https://github.com/rndmh3ro))
**Fixed bugs:** **Fixed bugs:**
@ -184,7 +247,7 @@
**Implemented enhancements:** **Implemented enhancements:**
- add modprobe template, control os-10 [\#138](https://github.com/dev-sec/ansible-os-hardening/pull/138) ([rndmh3ro](https://github.com/rndmh3ro)) - install and configure auditd - fix inspec package-08 [\#144](https://github.com/dev-sec/ansible-os-hardening/pull/144) ([rndmh3ro](https://github.com/rndmh3ro))
- new task for delete netrc files, control os-09 [\#137](https://github.com/dev-sec/ansible-os-hardening/pull/137) ([rndmh3ro](https://github.com/rndmh3ro)) - new task for delete netrc files, control os-09 [\#137](https://github.com/dev-sec/ansible-os-hardening/pull/137) ([rndmh3ro](https://github.com/rndmh3ro))
- add passwd task, control os-03 [\#136](https://github.com/dev-sec/ansible-os-hardening/pull/136) ([rndmh3ro](https://github.com/rndmh3ro)) - add passwd task, control os-03 [\#136](https://github.com/dev-sec/ansible-os-hardening/pull/136) ([rndmh3ro](https://github.com/rndmh3ro))
- remove prelink package, control package-09 [\#135](https://github.com/dev-sec/ansible-os-hardening/pull/135) ([rndmh3ro](https://github.com/rndmh3ro)) - remove prelink package, control package-09 [\#135](https://github.com/dev-sec/ansible-os-hardening/pull/135) ([rndmh3ro](https://github.com/rndmh3ro))

3
ansible/roles/dev-sec.os-hardening/README.md
View file

@ -1,7 +1,6 @@
# os-hardening (Ansible Role) # os-hardening (Ansible Role)
[![Build Status](http://img.shields.io/travis/dev-sec/ansible-os-hardening.svg)][1] [![Build Status](http://img.shields.io/travis/dev-sec/ansible-os-hardening.svg)][1]
[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][2]
[![Ansible Galaxy](https://img.shields.io/badge/galaxy-os--hardening-660198.svg)][3] [![Ansible Galaxy](https://img.shields.io/badge/galaxy-os--hardening-660198.svg)][3]
## Description ## Description
@ -81,6 +80,8 @@ If you're using Docker / Kubernetes+Docker you'll need to override the ipv4 ip f
| `ufw_default_forward_policy` | DROP | set default forward policy of ufw to `DROP` | | `ufw_default_forward_policy` | DROP | set default forward policy of ufw to `DROP` |
| `os_auditd_enabled` | true | Set to false to disable installing and configuring auditd. | | `os_auditd_enabled` | true | Set to false to disable installing and configuring auditd. |
| `os_auditd_max_log_file_action` | `keep_logs` | Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`. | | `os_auditd_max_log_file_action` | `keep_logs` | Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`. |
| `hidepid_option` | `2` | `0`: This is the default setting and gives you the default behaviour. `1`: With this option an normal user would not see other processes but their own about ps, top etc, but he is still able to see process IDs in /proc. `2`: Users are only able too see their own processes (like with hidepid=1), but also the other process IDs are hidden for them in /proc. |
| `proc_mnt_options` | `rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}` | Mount proc with hardenized options, including `hidepid` with variable value. |
## Packages ## Packages

3
ansible/roles/dev-sec.os-hardening/defaults/main.yml
View file

@ -278,3 +278,6 @@ os_auditd_max_log_file_action: keep_logs
os_selinux_state: enforcing os_selinux_state: enforcing
# Set the SELinux polixy. # Set the SELinux polixy.
os_selinux_policy: targeted os_selinux_policy: targeted
hidepid_option: '2' # allowed values: 0, 1, 2
proc_mnt_options: 'rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}'

4
ansible/roles/dev-sec.os-hardening/meta/.galaxy_install_info
View file

@ -1,2 +1,2 @@
install_date: Fri May 15 20:29:23 2020 install_date: Thu Feb 18 15:39:25 2021
version: 6.0.1 version: 6.2.0

7
ansible/roles/dev-sec.os-hardening/rhel6_provision.rb Normal file
View file

@ -0,0 +1,7 @@
Vagrant.configure(2) do |config|
config.vm.provision "shell", inline: <<-SHELL
rpm -i http://mirror.de.leaseweb.net/epel/6/x86_64/epel-release-6-8.noarch.rpm
sed -i 's/\\(mirrorlist=http\\)s/\\1/' /etc/yum.repos.d/epel.repo
yum install -y ansible libselinux-python
SHELL
end

7
ansible/roles/dev-sec.os-hardening/suse_provision.rb Normal file
View file

@ -0,0 +1,7 @@
Vagrant.configure(2) do |config|
config.vm.provision "shell", inline: <<-SHELL
zypper -n install python2-setuptools
mkdir -p /usr/local/lib/python2.7/site-packages/
ln -s /usr/local/bin/pip /usr/bin/
SHELL
end

1
ansible/roles/dev-sec.os-hardening/tasks/apt.yml
View file

@ -3,4 +3,5 @@
apt: apt:
name: '{{ os_security_packages_list }}' name: '{{ os_security_packages_list }}'
state: 'absent' state: 'absent'
purge: 'yes'
when: os_security_packages_clean | bool when: os_security_packages_clean | bool

1
ansible/roles/dev-sec.os-hardening/tasks/auditd.yml
View file

@ -1,5 +1,4 @@
--- ---
- name: install auditd package | package-08 - name: install auditd package | package-08
package: package:
name: '{{ auditd_package }}' name: '{{ auditd_package }}'

5
ansible/roles/dev-sec.os-hardening/tasks/hardening.yml
View file

@ -56,10 +56,9 @@
tags: yum tags: yum
- import_tasks: apt.yml - import_tasks: apt.yml
when: ansible_facts.distribution == 'Debian' or ansible_facts.distribution == 'Ubuntu' when: ansible_facts.distribution in ['Debian', 'Ubuntu']
tags: apt tags: apt
- import_tasks: selinux.yml - import_tasks: selinux.yml
tags: selinux tags: selinux
when: when: ansible_facts.selinux.status == 'enabled'
- ansible_facts.selinux.status == 'enabled'

1
ansible/roles/dev-sec.os-hardening/tasks/limits.yml
View file

@ -1,5 +1,4 @@
--- ---
- block: - block:
- name: create limits.d-directory if it does not exist | sysctl-31a, sysctl-31b - name: create limits.d-directory if it does not exist | sysctl-31a, sysctl-31b
file: file:

1
ansible/roles/dev-sec.os-hardening/tasks/main.yml
View file

@ -1,4 +1,3 @@
--- ---
- import_tasks: hardening.yml - import_tasks: hardening.yml
when: os_hardening_enabled | bool when: os_hardening_enabled | bool

8
ansible/roles/dev-sec.os-hardening/tasks/minimize_access.yml
View file

@ -48,3 +48,11 @@
group: 'root' group: 'root'
mode: '0750' mode: '0750'
when: '"change_user" not in os_security_users_allow' when: '"change_user" not in os_security_users_allow'
- name: set option hidepid for proc filesystem
mount:
path: /proc
src: proc
fstype: proc
opts: '{{ proc_mnt_options }}'
state: present

10
ansible/roles/dev-sec.os-hardening/tasks/modprobe.yml
View file

@ -12,7 +12,15 @@
- name: remove vfat from fs-list if efi is used - name: remove vfat from fs-list if efi is used
set_fact: set_fact:
os_unused_filesystems: "{{ os_unused_filesystems | difference('vfat') }}" os_unused_filesystems: "{{ os_unused_filesystems | difference('vfat') }}"
when: efi_installed.stat.isdir is defined and efi_installed.stat.isdir when:
- efi_installed.stat.isdir is defined
- efi_installed.stat.isdir
- name: remove used filesystems from fs-list
set_fact:
os_unused_filesystems: "{{ os_unused_filesystems | difference(ansible_mounts | map(attribute='fstype') | list) }}"
# we cannot do this on el6 and below, because these systems don't support the map function
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
- name: disable unused filesystems | os-10 - name: disable unused filesystems | os-10
template: template:

5
ansible/roles/dev-sec.os-hardening/tasks/pam.yml
View file

@ -121,6 +121,7 @@
- name: Gather package facts - name: Gather package facts
package_facts: package_facts:
manager: auto manager: auto
when: ansible_facts.os_family != 'Suse'
- name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512 - name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
template: template:
@ -129,4 +130,6 @@
mode: '0640' mode: '0640'
owner: 'root' owner: 'root'
group: 'root' group: 'root'
when: "'libuser' in ansible_facts.packages" when:
- ansible_facts.os_family != 'Suse'
- "'libuser' in ansible_facts.packages"

19
ansible/roles/dev-sec.os-hardening/tasks/sysctl.yml
View file

@ -13,15 +13,16 @@
owner: 'root' owner: 'root'
group: 'root' group: 'root'
mode: '0544' mode: '0544'
when: ansible_facts.distribution == 'RedHat' or ansible_facts.distribution == 'Fedora' or when: ansible_facts.distribution in ['Amazon', 'CentOS', 'Fedora', 'RedHat']
ansible_facts.distribution == 'CentOS' or ansible_facts.distribution == 'Amazon'
- name: install initramfs-tools - name: install initramfs-tools
apt: apt:
name: 'initramfs-tools' name: 'initramfs-tools'
state: 'present' state: 'present'
update_cache: true update_cache: true
when: ansible_facts.os_family == 'Debian' and os_security_kernel_enable_module_loading when:
- ansible_facts.os_family == 'Debian'
- os_security_kernel_enable_module_loading
- name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled - name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled
template: template:
@ -32,7 +33,9 @@
mode: '0440' mode: '0440'
notify: notify:
- update-initramfs - update-initramfs
when: ansible_facts.os_family == 'Debian' and os_security_kernel_enable_module_loading when:
- ansible_facts.os_family == 'Debian'
- os_security_kernel_enable_module_loading
register: initramfs register: initramfs
- name: change sysctls - name: change sysctls
@ -60,14 +63,16 @@
reload: yes reload: yes
ignoreerrors: yes ignoreerrors: yes
with_dict: '{{ sysctl_rhel_config }}' with_dict: '{{ sysctl_rhel_config }}'
when: ((ansible_facts.distribution == 'RedHat' or ansible_facts.distribution == 'Fedora' or ansible_facts.distribution == 'CentOS') and when: ((ansible_facts.distribution in ['CentOS', 'Fedora', 'RedHat']) and
ansible_distribution_version|int is version('7', '<')) or ansible_facts.distribution == 'Amazon' ansible_distribution_version|int is version('7', '<')) or ansible_facts.distribution == 'Amazon'
when: ansible_virtualization_type not in ['docker', 'openvz', 'lxc'] when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz']
- name: Apply ufw defaults - name: Apply ufw defaults
template: template:
src: 'etc/default/ufw.j2' src: 'etc/default/ufw.j2'
dest: '/etc/default/ufw' dest: '/etc/default/ufw'
when: ufw_manage_defaults and (ansible_facts.distribution == 'Debian' or ansible_facts.distribution == 'Ubuntu') when:
- ufw_manage_defaults
- ansible_facts.distribution in ['Debian', 'Ubuntu']
tags: ufw tags: ufw

37
ansible/roles/dev-sec.os-hardening/tasks/yum.yml
View file

@ -3,35 +3,42 @@
file: file:
name: '/etc/yum.repos.d/{{ item }}.repo' name: '/etc/yum.repos.d/{{ item }}.repo'
state: 'absent' state: 'absent'
with_items: loop:
- 'CentOS-Debuginfo' - 'CentOS-Debuginfo'
- 'CentOS-Media' - 'CentOS-Media'
- 'CentOS-Vault' - 'CentOS-Vault'
when: os_security_packages_clean | bool when: os_security_packages_clean | bool
- name: get yum-repository-files - name: get yum-repository-files
shell: 'find /etc/yum.repos.d/ -type f -name *.repo' find:
changed_when: False paths: '/etc/yum.repos.d'
patterns: '*.repo'
register: yum_repos register: yum_repos
# for the 'default([])' see here: # for the 'default([])' see here:
# https://github.com/dev-sec/ansible-os-hardening/issues/99 and # https://github.com/dev-sec/ansible-os-hardening/issues/99 and
# https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause # https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause
# - name: activate gpg-check for yum-repository-files
# failed_when is needed because by default replace module will fail if the file doesn't exists. replace:
# status.rc is only defined if an error accrued and only error code (rc) 257 will be ignored. path: '{{ item.path }}'
# All other errors will still be raised. regexp: '^\s*gpgcheck.*'
replace: 'gpgcheck=1'
with_items:
- '{{ yum_repos.files | default([]) }}'
# failed_when is needed because by default replace module will fail if the file doesn't exists.
# status.rc is only defined if an error accrued and only error code (rc) 257 will be ignored.
# All other errors will still be raised.
- name: activate gpg-check for config files - name: activate gpg-check for config files
replace: replace:
dest: '{{ item }}' path: '{{ item }}'
regexp: '^\s*gpgcheck: 0' regexp: '^\s*gpgcheck\W.*'
replace: 'gpgcheck: 1' replace: 'gpgcheck=1'
register: status register: status
failed_when: status.rc is defined and status.rc != 257 failed_when: status.rc is defined and status.rc != 257
with_flattened: loop:
- '/etc/yum.conf' - '/etc/yum.conf'
- '/etc/dnf/dnf.conf' - '/etc/dnf/dnf.conf'
- '{{ yum_repos.stdout_lines| default([]) }}' # noqa 104
- '/etc/yum/pluginconf.d/rhnplugin.conf' - '/etc/yum/pluginconf.d/rhnplugin.conf'
- name: remove deprecated or insecure packages | package-01 - package-09 - name: remove deprecated or insecure packages | package-01 - package-09

7
ansible/roles/dev-sec.os-hardening/tests/test.yml
View file

@ -13,6 +13,10 @@
apt: apt:
update_cache: yes update_cache: yes
when: ansible_facts.os_family == 'Debian' when: ansible_facts.os_family == 'Debian'
- name: install required tools on debian
apt:
name: procps
when: ansible_facts.os_family == 'Debian'
- name: install required tools on fedora - name: install required tools on fedora
dnf: dnf:
name: name:
@ -20,6 +24,9 @@
- findutils - findutils
- procps-ng - procps-ng
when: ansible_facts.distribution == 'Fedora' when: ansible_facts.distribution == 'Fedora'
- name: install required tools on SuSE
shell: "zypper -n install python-xml"
when: ansible_facts.os_family == 'Suse'
- name: create recursing symlink to test minimize access - name: create recursing symlink to test minimize access
shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz" shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
vars: vars:

34
ansible/roles/dev-sec.ssh-hardening/.github/workflows/changelog.yml vendored
View file

@ -1,34 +0,0 @@
name: Create Changelog
on:
pull_request:
types: [closed]
release:
types: [published]
issues:
types: [closed, edited]
jobs:
generate_changelog:
runs-on: ubuntu-latest
name: Generate changelog for master branch
steps:
- uses: actions/checkout@v1
- name: Generate changelog
uses: charmixer/auto-changelog-action@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: push
uses: github-actions-x/commit@v2.6
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
push-branch: 'master'
commit-message: 'update changelog'
force-add: 'true'
files: CHANGELOG.md
name: dev-sec CI
email: github@gumpri.ch

25
ansible/roles/dev-sec.ssh-hardening/.github/workflows/release.yml vendored
View file

@ -25,18 +25,35 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Generate changelog - name: Generate changelog
uses: charmixer/auto-changelog-action@v1 uses: charmixer/auto-changelog-action@8095796
with:
token: ${{ secrets.GITHUB_TOKEN }}
future_release: ${{ steps.version.outputs.next-version }}
- name: Generate changelog for the release
uses: charmixer/auto-changelog-action@8095796
with: with:
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
since_tag: ${{ steps.previoustag.outputs.tag }} since_tag: ${{ steps.previoustag.outputs.tag }}
# wait for https://github.com/CharMixer/auto-changelog-action/pull/3 future_release: ${{ steps.version.outputs.next-version }}
#future_release: ${{ steps.version.outputs.next-version }} output: CHANGELOGRELEASE.md
- name: push changelog
uses: github-actions-x/commit@v2.6
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
push-branch: 'master'
commit-message: 'update changelog'
force-add: 'true'
files: CHANGELOG.md
name: dev-sec CI
email: hello@dev-sec.io
- name: Read CHANGELOG.md - name: Read CHANGELOG.md
id: package id: package
uses: juliangruber/read-file-action@v1 uses: juliangruber/read-file-action@v1
with: with:
path: ./CHANGELOG.md path: ./CHANGELOGRELEASE.md
- name: Create Release draft - name: Create Release draft
id: create_release id: create_release

3
ansible/roles/dev-sec.ssh-hardening/.kitchen.vagrant.yml
View file

@ -33,6 +33,9 @@ platforms:
- name: centos-7 - name: centos-7
driver_config: driver_config:
box: bento/centos-7 box: bento/centos-7
- name: centos-8
driver_config:
box: bento/centos-8
- name: oracle-6 - name: oracle-6
driver_config: driver_config:
box: bento/oracle-6 box: bento/oracle-6

61
ansible/roles/dev-sec.ssh-hardening/.kitchen.yml
View file

@ -2,7 +2,16 @@
driver: driver:
name: docker name: docker
use_sudo: false use_sudo: false
privileged: true cap_add:
- SYS_ADMIN
volume:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
run_options:
tmpfs:
- /tmp
- /run
- /run/lock
run_command: /sbin/init
http_proxy: <%= ENV['http_proxy'] || nil %> http_proxy: <%= ENV['http_proxy'] || nil %>
https_proxy: <%= ENV['https_proxy'] || nil %> https_proxy: <%= ENV['https_proxy'] || nil %>
@ -28,72 +37,96 @@ platforms:
driver: driver:
image: rndmh3ro/docker-centos6-ansible:latest image: rndmh3ro/docker-centos6-ansible:latest
platform: centos platform: centos
provision_command:
- sed -i '/loginuid/d' /etc/pam.d/sshd
- name: centos7-ansible-latest - name: centos7-ansible-latest
driver: driver:
image: rndmh3ro/docker-centos7-ansible:latest image: rndmh3ro/docker-centos7-ansible:latest
platform: centos platform: centos
run_command: /sbin/init
provision_command: provision_command:
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - sed -i '/nologin/d' /etc/pam.d/sshd
- systemctl enable sshd.service - systemctl enable sshd.service
- name: centos8-ansible-latest
driver:
image: rndmh3ro/docker-centos8-ansible:latest
platform: centos
provision_command:
- sed -i '/nologin/d' /etc/pam.d/sshd
- systemctl enable sshd.service
provisioner:
ansible_binary_path: "/usr/local/bin"
- name: oracle6-ansible-latest - name: oracle6-ansible-latest
driver: driver:
image: rndmh3ro/docker-oracle6-ansible:latest image: rndmh3ro/docker-oracle6-ansible:latest
platform: centos platform: centos
provision_command:
- sed -i '/loginuid/d' /etc/pam.d/sshd
- name: oracle7-ansible-latest - name: oracle7-ansible-latest
driver: driver:
image: rndmh3ro/docker-oracle7-ansible:latest image: rndmh3ro/docker-oracle7-ansible:latest
run_command: /sbin/init
platform: centos platform: centos
provision_command: provision_command:
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - sed -i '/nologin/d' /etc/pam.d/sshd
- systemctl enable sshd.service - systemctl enable sshd.service
- name: ubuntu1604-ansible-latest - name: ubuntu1604-ansible-latest
driver: driver:
image: rndmh3ro/docker-ubuntu1604-ansible:latest image: rndmh3ro/docker-ubuntu1604-ansible:latest
platform: ubuntu platform: ubuntu
run_command: /sbin/init
provision_command: provision_command:
- systemctl enable ssh.service - systemctl enable ssh.service
- name: ubuntu1804-ansible-latest - name: ubuntu1804-ansible-latest
driver: driver:
image: rndmh3ro/docker-ubuntu1804-ansible:latest image: rndmh3ro/docker-ubuntu1804-ansible:latest
platform: ubuntu platform: ubuntu
run_command: /sbin/init
provision_command: provision_command:
- systemctl enable ssh.service - systemctl enable ssh.service
- name: debian9-ansible-latest - name: debian9-ansible-latest
driver: driver:
image: rndmh3ro/docker-debian9-ansible:latest image: rndmh3ro/docker-debian9-ansible:latest
platform: debian platform: debian
run_command: /sbin/init
provision_command: provision_command:
- apt install -y systemd-sysv - apt install -y systemd-sysv
- systemctl enable ssh.service - systemctl enable ssh.service
- name: debian10-ansible-latest - name: debian10-ansible-latest
driver: driver:
image: rndmh3ro/docker-debian10-ansible image: rndmh3ro/docker-debian10-ansible
platform: debian platform: debian
run_command: /sbin/init
provision_command: provision_command:
- apt install -y systemd-sysv - apt install -y systemd-sysv
- systemctl enable ssh.service - systemctl enable ssh.service
- name: amazon-ansible-latest - name: amazon-ansible-latest
driver: driver:
image: rndmh3ro/docker-amazon-ansible:latest image: rndmh3ro/docker-amazon-ansible:latest
platform: centos platform: centos
run_command: /sbin/init
provision_command: provision_command:
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - sed -i '/nologin/d' /etc/pam.d/sshd
- systemctl enable sshd.service - systemctl enable sshd.service
- name: fedora-ansible-latest - name: fedora-ansible-latest
driver: driver:
image: rndmh3ro/docker-fedora-ansible:latest image: rndmh3ro/docker-fedora-ansible:latest
platform: centos platform: centos
run_command: /sbin/init
provision_command: provision_command:
- dnf install -y python - dnf install -y python procps-ng
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - sed -i '/nologin/d' /etc/pam.d/sshd
- systemctl enable sshd.service
- name: arch-ansible-latest
driver:
image: rndmh3ro/docker-arch-ansible:latest
platform: arch
run_command: /usr/lib/systemd/systemd
provision_command:
- sed -i '/nologin/d' /etc/pam.d/sshd
- systemctl enable sshd.service - systemctl enable sshd.service
verifier: verifier:

80
ansible/roles/dev-sec.ssh-hardening/.travis.yml
View file

@ -2,53 +2,32 @@
services: docker services: docker
env: env:
- distro: centos6 global:
version: latest - version=latest
init: /sbin/init - init=/sbin/init
- run_opts="--cap-add SYS_ADMIN"
- distro: centos7 - volume="/sys/fs/cgroup:/sys/fs/cgroup:ro"
init: /usr/lib/systemd/systemd jobs:
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - distro=centos6
version: latest volume=":"
run_opts=""
- distro: oracle6 - distro=centos7
version: latest - distro=centos8
init: /sbin/init - distro=oracle6
volume=":"
# - distro: oracle7 run_opts=""
# init: /usr/lib/systemd/systemd # - distro=oracle7
# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - distro=ubuntu1604
# version: latest - distro=ubuntu1804
- distro=debian9
- distro: ubuntu1604 init=/lib/systemd/systemd
version: latest - distro=debian10
init: /lib/systemd/systemd - distro=amazon
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - distro=fedora
init=/lib/systemd/systemd
- distro: ubuntu1804 - distro=arch
version: latest init=/usr/lib/systemd/systemd
init: /lib/systemd/systemd run_opts="--privileged"
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distro: debian9
version: latest
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distro: debian10
version: latest
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distro: amazon
init: /lib/systemd/systemd
version: latest
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distro: fedora
init: /lib/systemd/systemd
version: latest
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
before_install: before_install:
# Pull container # Pull container
@ -60,17 +39,14 @@ script:
- container_id=$(mktemp) - container_id=$(mktemp)
# Run container in detached state. # Run container in detached state.
- 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-ssh-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"' - 'docker run --detach --volume="${volume}" --volume="${PWD}":/etc/ansible/roles/ansible-ssh-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
# Test role. # Test role.
- 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default_custom.yml --diff' - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default_custom.yml --diff'
- 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default.yml --diff' - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default.yml --diff'
# Verify role # Verify role
# remove the UseLogin-check, see here for reasons: https://github.com/dev-sec/ansible-ssh-hardening/pull/141 - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --no-distinct-exit'
- 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=sshd-01 sshd-02 sshd-03 sshd-04 sshd-05 sshd-06 sshd-07 sshd-08 sshd-09 sshd-10 sshd-11 sshd-12 sshd-13 sshd-14 sshd-15 sshd-16 sshd-17 sshd-18 sshd-19 sshd-20 sshd-21 sshd-22 sshd-23 sshd-24 sshd-25 sshd-26 sshd-27 sshd-28 sshd-29 sshd-30 sshd-31 sshd-32 sshd-33 sshd-34 sshd-35 sshd-36 sshd-37 sshd-38 sshd-39 sshd-40 sshd-41 sshd-42 sshd-43 sshd-44 sshd-45 sshd-46 sshd-47 sshd-48 --no-distinct-exit'
# remove UseRoaming and RhostsRSAAuthentication because these options are deprecated - ssh-14, ssh-15, ssh-21
- 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=ssh-01 ssh-02 ssh-03 ssh-04 ssh-05 ssh-06 ssh-07 ssh-08 ssh-09 ssh-10 ssh-11 ssh-12 ssh-13 ssh-14 ssh-15 ssh-16 ssh-17 ssh-18 ssh-19 ssh-20 --no-distinct-exit'
notifications: notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/ webhooks: https://galaxy.ansible.com/api/v1/notifications/

164
ansible/roles/dev-sec.ssh-hardening/CHANGELOG.md
View file

@ -1,8 +1,147 @@
# Changelog # Changelog
## [Unreleased](https://github.com/dev-sec/ansible-ssh-hardening/tree/HEAD) ## [9.7.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.7.0) (2020-08-09)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/8.0.0...HEAD) [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.6.0...9.7.0)
**Implemented enhancements:**
- add separate option for controlling motd via pam [\#320](https://github.com/dev-sec/ansible-ssh-hardening/pull/320) ([schurzi](https://github.com/schurzi))
## [9.6.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.6.0) (2020-07-28)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.5.0...9.6.0)
**Implemented enhancements:**
- add SmartOS support [\#294](https://github.com/dev-sec/ansible-ssh-hardening/pull/294) ([aqw](https://github.com/aqw))
**Fixed bugs:**
- fix local kitchen tests [\#318](https://github.com/dev-sec/ansible-ssh-hardening/pull/318) ([schurzi](https://github.com/schurzi))
- fix sftp\_umask; store as literal not octal [\#317](https://github.com/dev-sec/ansible-ssh-hardening/pull/317) ([aqw](https://github.com/aqw))
**Closed issues:**
- Make SSH banner path configurable [\#315](https://github.com/dev-sec/ansible-ssh-hardening/issues/315)
## [9.5.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.5.0) (2020-07-27)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.4.0...9.5.0)
**Implemented enhancements:**
- add ssh\_banner\_path variable [\#316](https://github.com/dev-sec/ansible-ssh-hardening/pull/316) ([liteua](https://github.com/liteua))
- rework CRYPTO\_POLICY handling for fedora [\#314](https://github.com/dev-sec/ansible-ssh-hardening/pull/314) ([schurzi](https://github.com/schurzi))
**Fixed bugs:**
- network\_ipv6\_enable: true not working [\#311](https://github.com/dev-sec/ansible-ssh-hardening/issues/311)
**Closed issues:**
- RHEL/CentOS 8 requires removal or editing of /etc/crypto-policies/back-ends/openssh\*.config [\#275](https://github.com/dev-sec/ansible-ssh-hardening/issues/275)
**Merged pull requests:**
- improve testing in kitchen and travis [\#313](https://github.com/dev-sec/ansible-ssh-hardening/pull/313) ([schurzi](https://github.com/schurzi))
## [9.4.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.4.0) (2020-07-21)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.3.0...9.4.0)
**Implemented enhancements:**
- Add CentOS 8 support for ansible-ssh-hardening [\#247](https://github.com/dev-sec/ansible-ssh-hardening/issues/247)
- adding specific things for IPv6 support [\#312](https://github.com/dev-sec/ansible-ssh-hardening/pull/312) ([altf4arnold](https://github.com/altf4arnold))
- add support for CentOS8 [\#309](https://github.com/dev-sec/ansible-ssh-hardening/pull/309) ([schurzi](https://github.com/schurzi))
- README: New section on server port and idempotency [\#307](https://github.com/dev-sec/ansible-ssh-hardening/pull/307) ([nununo](https://github.com/nununo))
**Fixed bugs:**
- CBC Ciphers should be disabled by default. [\#308](https://github.com/dev-sec/ansible-ssh-hardening/issues/308)
**Closed issues:**
- Idempotency when changing sshd ports [\#299](https://github.com/dev-sec/ansible-ssh-hardening/issues/299)
- Simplify crypto.yml checks with blocks [\#256](https://github.com/dev-sec/ansible-ssh-hardening/issues/256)
- Possibility for customising host key algorithms? [\#243](https://github.com/dev-sec/ansible-ssh-hardening/issues/243)
## [9.3.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.3.0) (2020-07-09)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.2.0...9.3.0)
**Implemented enhancements:**
- Add support for X11 configuration [\#297](https://github.com/dev-sec/ansible-ssh-hardening/issues/297)
- add blocks to crypto.yml checks [\#305](https://github.com/dev-sec/ansible-ssh-hardening/pull/305) ([schurzi](https://github.com/schurzi))
- fix typo in hardening.yml [\#304](https://github.com/dev-sec/ansible-ssh-hardening/pull/304) ([schurzi](https://github.com/schurzi))
- allow customization of X11Forwarding [\#300](https://github.com/dev-sec/ansible-ssh-hardening/pull/300) ([divialth](https://github.com/divialth))
**Fixed bugs:**
- fix package install in tests [\#301](https://github.com/dev-sec/ansible-ssh-hardening/pull/301) ([rndmh3ro](https://github.com/rndmh3ro))
**Closed issues:**
- Typo in hardening.yml [\#303](https://github.com/dev-sec/ansible-ssh-hardening/issues/303)
- Task create sshd\_config and set permissions fails [\#302](https://github.com/dev-sec/ansible-ssh-hardening/issues/302)
## [9.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.2.0) (2020-06-25)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.1.1...9.2.0)
**Implemented enhancements:**
- Add RHEL 8 Support [\#261](https://github.com/dev-sec/ansible-ssh-hardening/issues/261)
- Add option to create 'LocalPort' match blocks [\#295](https://github.com/dev-sec/ansible-ssh-hardening/pull/295) ([aisbergg](https://github.com/aisbergg))
- Add archlinux support [\#291](https://github.com/dev-sec/ansible-ssh-hardening/pull/291) ([djesionek](https://github.com/djesionek))
- Harmonize style [\#290](https://github.com/dev-sec/ansible-ssh-hardening/pull/290) ([aisbergg](https://github.com/aisbergg))
**Merged pull requests:**
- add centos 8 to meta [\#298](https://github.com/dev-sec/ansible-ssh-hardening/pull/298) ([rndmh3ro](https://github.com/rndmh3ro))
## [9.1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.1.1) (2020-06-06)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.1.0...9.1.1)
**Implemented enhancements:**
- unify changelog and release actions [\#289](https://github.com/dev-sec/ansible-ssh-hardening/pull/289) ([rndmh3ro](https://github.com/rndmh3ro))
**Fixed bugs:**
- AllowTCPForwarding set to `no` although I have `ssh\_allow\_tcp\_forwarding: yes` [\#286](https://github.com/dev-sec/ansible-ssh-hardening/issues/286)
- `ssh\_allow\_tcp\_forwarding`: use quotes for values [\#288](https://github.com/dev-sec/ansible-ssh-hardening/pull/288) ([jeanmonet](https://github.com/jeanmonet))
## [9.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.1.0) (2020-06-02)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.0.0...9.1.0)
**Implemented enhancements:**
- allow customization of login gracetime and max sessins [\#287](https://github.com/dev-sec/ansible-ssh-hardening/pull/287) ([chris-rock](https://github.com/chris-rock))
## [9.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.0.0) (2020-05-18)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/8.1.0...9.0.0)
**Breaking changes:**
- make ssh client-side compression configurable [\#284](https://github.com/dev-sec/ansible-ssh-hardening/pull/284) ([aqw](https://github.com/aqw))
**Fixed bugs:**
- Disable Ubuntu dynamic login MOTD [\#271](https://github.com/dev-sec/ansible-ssh-hardening/issues/271)
**Closed issues:**
- Ubuntu disable dynamic MOTD failing [\#283](https://github.com/dev-sec/ansible-ssh-hardening/issues/283)
## [8.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/8.1.0) (2020-05-09)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/8.0.0...8.1.0)
**Implemented enhancements:** **Implemented enhancements:**
@ -377,7 +516,6 @@
**Implemented enhancements:** **Implemented enhancements:**
- CentOS 7 selinux dependencies [\#76](https://github.com/dev-sec/ansible-ssh-hardening/issues/76) - CentOS 7 selinux dependencies [\#76](https://github.com/dev-sec/ansible-ssh-hardening/issues/76)
- install selinux dependencies, check for already installed semodule [\#79](https://github.com/dev-sec/ansible-ssh-hardening/pull/79) ([rndmh3ro](https://github.com/rndmh3ro))
- Parameterise Banner and DebianBanner as defaults [\#77](https://github.com/dev-sec/ansible-ssh-hardening/pull/77) ([tsenart](https://github.com/tsenart)) - Parameterise Banner and DebianBanner as defaults [\#77](https://github.com/dev-sec/ansible-ssh-hardening/pull/77) ([tsenart](https://github.com/tsenart))
**Fixed bugs:** **Fixed bugs:**
@ -386,6 +524,10 @@
- Selinux issue [\#75](https://github.com/dev-sec/ansible-ssh-hardening/issues/75) - Selinux issue [\#75](https://github.com/dev-sec/ansible-ssh-hardening/issues/75)
- Running the tests locally [\#61](https://github.com/dev-sec/ansible-ssh-hardening/issues/61) - Running the tests locally [\#61](https://github.com/dev-sec/ansible-ssh-hardening/issues/61)
**Closed issues:**
- Applied-Crypto-Hardening project and new cyphers. [\#28](https://github.com/dev-sec/ansible-ssh-hardening/issues/28)
## [3.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.1.0) (2016-08-03) ## [3.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.1.0) (2016-08-03)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.1...3.1.0) [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.1...3.1.0)
@ -401,6 +543,7 @@
**Implemented enhancements:** **Implemented enhancements:**
- Add Xenial / Ubuntu 16.04 LTS to meta/main.yml [\#63](https://github.com/dev-sec/ansible-ssh-hardening/issues/63) - Add Xenial / Ubuntu 16.04 LTS to meta/main.yml [\#63](https://github.com/dev-sec/ansible-ssh-hardening/issues/63)
- install selinux dependencies, check for already installed semodule [\#79](https://github.com/dev-sec/ansible-ssh-hardening/pull/79) ([rndmh3ro](https://github.com/rndmh3ro))
- Use new ciphers, kex, macs and priv separation sandbox for redhat family 7 [\#73](https://github.com/dev-sec/ansible-ssh-hardening/pull/73) ([atomic111](https://github.com/atomic111)) - Use new ciphers, kex, macs and priv separation sandbox for redhat family 7 [\#73](https://github.com/dev-sec/ansible-ssh-hardening/pull/73) ([atomic111](https://github.com/atomic111))
- add docker support [\#71](https://github.com/dev-sec/ansible-ssh-hardening/pull/71) ([rndmh3ro](https://github.com/rndmh3ro)) - add docker support [\#71](https://github.com/dev-sec/ansible-ssh-hardening/pull/71) ([rndmh3ro](https://github.com/rndmh3ro))
- add always\_run: true to task. fix \#64 [\#69](https://github.com/dev-sec/ansible-ssh-hardening/pull/69) ([rndmh3ro](https://github.com/rndmh3ro)) - add always\_run: true to task. fix \#64 [\#69](https://github.com/dev-sec/ansible-ssh-hardening/pull/69) ([rndmh3ro](https://github.com/rndmh3ro))
@ -462,19 +605,19 @@
## [1.2.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2.1) (2015-10-16) ## [1.2.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2.1) (2015-10-16)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2...1.2.1) [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2.0...1.2.1)
**Merged pull requests:** **Merged pull requests:**
- Allow whitelisted groups on ssh [\#40](https://github.com/dev-sec/ansible-ssh-hardening/pull/40) ([fheinle](https://github.com/fheinle)) - Allow whitelisted groups on ssh [\#40](https://github.com/dev-sec/ansible-ssh-hardening/pull/40) ([fheinle](https://github.com/fheinle))
## [1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2) (2015-09-28)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2.0...1.2)
## [1.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2.0) (2015-09-28) ## [1.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2.0) (2015-09-28)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1.0...1.2.0) [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2...1.2.0)
## [1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2) (2015-09-28)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1.0...1.2)
**Merged pull requests:** **Merged pull requests:**
@ -493,9 +636,7 @@
**Closed issues:** **Closed issues:**
- ssh\_ports - individual client/server config [\#33](https://github.com/dev-sec/ansible-ssh-hardening/issues/33) - ssh\_ports - individual client/server config [\#33](https://github.com/dev-sec/ansible-ssh-hardening/issues/33)
- Applied-Crypto-Hardening project and new cyphers. [\#28](https://github.com/dev-sec/ansible-ssh-hardening/issues/28)
- UsePAM should probably default to yes on Red Hat Linux 7 [\#23](https://github.com/dev-sec/ansible-ssh-hardening/issues/23) - UsePAM should probably default to yes on Red Hat Linux 7 [\#23](https://github.com/dev-sec/ansible-ssh-hardening/issues/23)
- Running test-kitchen fails [\#2](https://github.com/dev-sec/ansible-ssh-hardening/issues/2)
**Merged pull requests:** **Merged pull requests:**
@ -527,6 +668,7 @@
- add travis test for ubuntu 12.04 [\#7](https://github.com/dev-sec/ansible-ssh-hardening/issues/7) - add travis test for ubuntu 12.04 [\#7](https://github.com/dev-sec/ansible-ssh-hardening/issues/7)
- Use handler for sshd restart [\#6](https://github.com/dev-sec/ansible-ssh-hardening/issues/6) - Use handler for sshd restart [\#6](https://github.com/dev-sec/ansible-ssh-hardening/issues/6)
- Running test-kitchen fails [\#2](https://github.com/dev-sec/ansible-ssh-hardening/issues/2)
**Merged pull requests:** **Merged pull requests:**

27
ansible/roles/dev-sec.ssh-hardening/README.md
View file

@ -1,12 +1,11 @@
# ssh-hardening (Ansible Role) # ssh-hardening (Ansible Role)
[![Build Status](http://img.shields.io/travis/dev-sec/ansible-ssh-hardening.svg)][1] [![Build Status](http://img.shields.io/travis/dev-sec/ansible-ssh-hardening.svg)][1]
[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][2]
[![Ansible Galaxy](https://img.shields.io/badge/galaxy-ssh--hardening-660198.svg)][3] [![Ansible Galaxy](https://img.shields.io/badge/galaxy-ssh--hardening-660198.svg)][3]
## Description ## Description
This role provides secure ssh-client and ssh-server configurations. It is intended to be compliant with the [DevSec SSH Baseline](https://github.com/dev-sec/ssh-baseline). This role provides secure ssh-client and ssh-server configurations. It is intended to be compliant with the [DevSec SSH Baseline](https://github.com/dev-sec/ssh-baseline).
Warning: This role disables root-login on the target server! Please make sure you have another user with su or sudo permissions that can login into the server. Warning: This role disables root-login on the target server! Please make sure you have another user with su or sudo permissions that can login into the server.
@ -17,10 +16,10 @@ Warning: This role disables root-login on the target server! Please make sure yo
## Role Variables ## Role Variables
| Name | Default Value | Description | | Name | Default Value | Description |
| -------------- | ------------- | -----------------------------------| | -------------- | ------------- | -----------------------------------|
|`network_ipv6_enable` | false |true if IPv6 is needed| |`network_ipv6_enable` | false |true if IPv6 is needed. `ssh_listen_to` must also be set to listen to IPv6 addresses (for example `[::]`).|
|`ssh_server_ports` | ['22'] |ports on which ssh-server should listen| |`ssh_server_ports` | ['22'] |ports on which ssh-server should listen|
|`ssh_client_port` | '22' |port to which ssh-client should connect| |`ssh_client_port` | '22' |port to which ssh-client should connect|
|`ssh_listen_to` | ['0.0.0.0'] |one or more ip addresses, to which ssh-server should listen to. Default is all adresseses, but should be configured to specific addresses for security reasons!| |`ssh_listen_to` | ['0.0.0.0'] |one or more ip addresses, to which ssh-server should listen to. Default is all IPv4 adresses, but should be configured to specific addresses for security reasons!|
|`ssh_host_key_files` | [] |Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version| |`ssh_host_key_files` | [] |Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version|
|`ssh_host_key_algorithms` | [] | Host key algorithms that the server offers. If empty the [default list](https://man.openbsd.org/sshd_config#HostKeyAlgorithms) will be used, otherwise overrides the setting with specified list of algorithms| |`ssh_host_key_algorithms` | [] | Host key algorithms that the server offers. If empty the [default list](https://man.openbsd.org/sshd_config#HostKeyAlgorithms) will be used, otherwise overrides the setting with specified list of algorithms|
|`ssh_client_alive_interval` | 600 | specifies an interval for sending keepalive messages | |`ssh_client_alive_interval` | 600 | specifies an interval for sending keepalive messages |
@ -28,9 +27,10 @@ Warning: This role disables root-login on the target server! Please make sure yo
|`ssh_permit_tunnel` | false | true if SSH Port Tunneling is required | |`ssh_permit_tunnel` | false | true if SSH Port Tunneling is required |
|`ssh_remote_hosts` | [] | one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`.| |`ssh_remote_hosts` | [] | one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`.|
|`ssh_permit_root_login` | no | Disable root-login. Set to `without-password` or `yes` to enable root-login | |`ssh_permit_root_login` | no | Disable root-login. Set to `without-password` or `yes` to enable root-login |
|`ssh_allow_tcp_forwarding` | no | `no` to disable TCP Forwarding. Set to `yes` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `yes`, `no`, `all` or `local`| |`ssh_allow_tcp_forwarding` | no | `'no'` to disable TCP Forwarding. Set to `'yes'` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `'yes'`, `'no'`, `'all'` or `'local'`. <br> *Note*: values passed to this variable must be strings, thus values `'yes'` and `'no'` should be passed with quotes. |
|`ssh_gateway_ports` | `false` | `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to.| |`ssh_gateway_ports` | `false` | `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to.|
|`ssh_allow_agent_forwarding` | false | false to disable Agent Forwarding. Set to true to allow Agent Forwarding.| |`ssh_allow_agent_forwarding` | false | false to disable Agent Forwarding. Set to true to allow Agent Forwarding.|
|`ssh_x11_forwarding` | false | false to disable X11 Forwarding. Set to true to allow X11 Forwarding.|
|`ssh_pam_support` | true | true if SSH has PAM support.| |`ssh_pam_support` | true | true if SSH has PAM support.|
|`ssh_use_pam` | true | false to disable pam authentication.| |`ssh_use_pam` | true | false to disable pam authentication.|
|`ssh_gssapi_support` | false | true if SSH has GSSAPI support.| |`ssh_gssapi_support` | false | true if SSH has GSSAPI support.|
@ -45,9 +45,10 @@ Warning: This role disables root-login on the target server! Please make sure yo
|`ssh_authorized_principals_file` | '' | specifies the file containing principals that are allowed. Only used if ssh_trusted_user_ca_keys_file is set. | |`ssh_authorized_principals_file` | '' | specifies the file containing principals that are allowed. Only used if ssh_trusted_user_ca_keys_file is set. |
|`ssh_authorized_principals` | [] | list of hashes containing file paths and authorized principals, see default_custom.yml for all options. Only used if ssh_authorized_principals_file is set. | |`ssh_authorized_principals` | [] | list of hashes containing file paths and authorized principals, see default_custom.yml for all options. Only used if ssh_authorized_principals_file is set. |
|`ssh_print_motd` | false | false to disable printing of the MOTD| |`ssh_print_motd` | false | false to disable printing of the MOTD|
|`ssh_print_pam_motd` | false | false to disable printing of the MOTD via pam (Debian and Ubuntu)|
|`ssh_print_last_log` | false | false to disable display of last login information| |`ssh_print_last_log` | false | false to disable display of last login information|
|`sftp_enabled` | false | true to enable sftp configuration| |`sftp_enabled` | false | true to enable sftp configuration|
|`sftp_umask` | 0027 | Specifies the umask for sftp| |`sftp_umask` | '0027' | Specifies the umask for sftp|
|`sftp_chroot` | true | false to disable chroot for sftp| |`sftp_chroot` | true | false to disable chroot for sftp|
|`sftp_chroot_dir` | /home/%u | change default sftp chroot location| |`sftp_chroot_dir` | /home/%u | change default sftp chroot location|
|`ssh_client_roaming` | false | enable experimental client roaming| |`ssh_client_roaming` | false | enable experimental client roaming|
@ -57,16 +58,21 @@ Warning: This role disables root-login on the target server! Please make sure yo
|`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client | |`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client |
|`ssh_server_password_login` | false | `true` to allow password-based authentication with the ssh server | |`ssh_server_password_login` | false | `true` to allow password-based authentication with the ssh server |
|`ssh_banner` | `false` | `true` to print a banner on login | |`ssh_banner` | `false` | `true` to print a banner on login |
|`ssh_banner_path`| '/etc/sshd/banner.txt' | path to the SSH banner file |
|`ssh_client_hardening` | `true` | `false` to stop harden the client | |`ssh_client_hardening` | `true` | `false` to stop harden the client |
|`ssh_client_port` | `'22'` | Specifies the port number to connect on the remote host. | |`ssh_client_port` | `'22'` | Specifies the port number to connect on the remote host. |
|`ssh_compression` | `false` | Specifies whether compression is enabled after the user has authenticated successfully. | |`ssh_client_compression` | `false` | Specifies whether the client requests compression. |
|`ssh_compression` | `false` | Specifies whether server-side compression is enabled after the user has authenticated successfully. |
|`ssh_login_grace_time` | `30s` | specifies the time allowed for successful authentication to the SSH server |
|`ssh_max_auth_retries` | `2` | Specifies the maximum number of authentication attempts permitted per connection. | |`ssh_max_auth_retries` | `2` | Specifies the maximum number of authentication attempts permitted per connection. |
|`ssh_max_sessions` | `10` | Specifies the maximum number of open sessions permitted from a given connection. |
|`ssh_print_debian_banner` | `false` | `true` to print debian specific banner | |`ssh_print_debian_banner` | `false` | `true` to print debian specific banner |
|`ssh_server_enabled` | `true` | `false` to disable the opensshd server | |`ssh_server_enabled` | `true` | `false` to disable the opensshd server |
|`ssh_server_hardening` | `true` | `false` to stop harden the server | |`ssh_server_hardening` | `true` | `false` to stop harden the server |
|`ssh_server_match_address` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. | |`ssh_server_match_address` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
|`ssh_server_match_group` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. | |`ssh_server_match_group` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
|`ssh_server_match_user` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. | |`ssh_server_match_user` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
|`ssh_server_match_local_port` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
|`ssh_server_permit_environment_vars` | `no` | `yes` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global "yes" or "no" settings | |`ssh_server_permit_environment_vars` | `no` | `yes` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global "yes" or "no" settings |
|`ssh_server_accept_env_vars`| '' | Specifies what environment variables sent by the client will be copied into the session's enviroment, multiple environment variables may be separated by whitespace | |`ssh_server_accept_env_vars`| '' | Specifies what environment variables sent by the client will be copied into the session's enviroment, multiple environment variables may be separated by whitespace |
|`ssh_use_dns` | `false` | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. | |`ssh_use_dns` | `false` | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. |
@ -99,6 +105,12 @@ Example playbook:
- "AcceptEnv LANG" - "AcceptEnv LANG"
``` ```
## Changing the default port and idempotency
This role uses the default port 22 or the port configured in the inventory to connect to the server. If the default `ssh` port is changed via `ssh_server_ports`, once the ssh server is restarted, it will still try to connect using the previous port. In order to run this role again on the same server the inventory will have to be updated to use the new ssh port.
If idempotency is important, please consider using role [`ssh-hardening-fallback`](https://github.com/nununo/ansible-ssh-hardening-fallback), which is a wrapper around this role that falls back to port 22 if the configured port is unreachable.
## Example Playbook ## Example Playbook
- hosts: localhost - hosts: localhost
@ -120,6 +132,7 @@ bundle install
``` ```
### Testing with Docker ### Testing with Docker
``` ```
# fast test on one machine # fast test on one machine
bundle exec kitchen test ssh-ubuntu1804-ansible-latest bundle exec kitchen test ssh-ubuntu1804-ansible-latest

105
ansible/roles/dev-sec.ssh-hardening/defaults/main.yml
View file

@ -1,48 +1,55 @@
# true if IPv6 is needed # true if IPv6 is needed
network_ipv6_enable: false # sshd + ssh network_ipv6_enable: false # sshd + ssh
# true if sshd should be started and enabled # true if sshd should be started and enabled
ssh_server_enabled: true # sshd ssh_server_enabled: true # sshd
# true if DNS resolutions are needed, look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8 # true if DNS resolutions are needed, look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8
ssh_use_dns: false # sshd ssh_use_dns: false # sshd
# true or value if compression is needed # true or value if compression is needed
ssh_compression: false # sshd ssh_client_compression: false # ssh
ssh_compression: false # sshd
# For which components (client and server) to generate the configuration for. Can be useful when running against a client without an SSH server. # For which components (client and server) to generate the configuration for. Can be useful when running against a client without an SSH server.
ssh_client_hardening: true # ssh ssh_client_hardening: true # ssh
ssh_server_hardening: true # sshd ssh_server_hardening: true # sshd
# If true, password login is allowed # If true, password login is allowed
ssh_client_password_login: false # ssh ssh_client_password_login: false # ssh
ssh_server_password_login: false # sshd ssh_server_password_login: false # sshd
# ports on which ssh-server should listen # ports on which ssh-server should listen
ssh_server_ports: ['22'] # sshd ssh_server_ports: ['22'] # sshd
# port to which ssh-client should connect # port to which ssh-client should connect
ssh_client_port: '22' # ssh ssh_client_port: '22' # ssh
# one or more ip addresses, to which ssh-server should listen to. Default is empty, but should be configured for security reasons! # one or more ip addresses, to which ssh-server should listen to. Default is empty, but should be configured for security reasons!
ssh_listen_to: ['0.0.0.0'] # sshd ssh_listen_to: ['0.0.0.0'] # sshd
# Host keys to look for when starting sshd. # Host keys to look for when starting sshd.
ssh_host_key_files: [] # sshd ssh_host_key_files: [] # sshd
# Specifies the host key algorithms that the server offers # Specifies the host key algorithms that the server offers
ssh_host_key_algorithms: [] # sshd ssh_host_key_algorithms: [] # sshd
# specifies the time allowed for successful authentication to the SSH server
ssh_login_grace_time: 30s
# Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. # Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
ssh_max_auth_retries: 2 ssh_max_auth_retries: 2
ssh_client_alive_interval: 300 # sshd # Specifies the maximum number of open sessions permitted from a given connection
ssh_client_alive_count: 3 # sshd ssh_max_sessions: 10
ssh_client_alive_interval: 300 # sshd
ssh_client_alive_count: 3 # sshd
# Allow SSH Tunnels # Allow SSH Tunnels
ssh_permit_tunnel: false ssh_permit_tunnel: false
# Hosts with custom options. # ssh # Hosts with custom options. # ssh
# Example: # Example:
# ssh_remote_hosts: # ssh_remote_hosts:
# - names: ['example.com', 'example2.com'] # - names: ['example.com', 'example2.com']
@ -52,23 +59,26 @@ ssh_permit_tunnel: false
ssh_remote_hosts: [] ssh_remote_hosts: []
# Set this to "without-password" or "yes" to allow root to login # Set this to "without-password" or "yes" to allow root to login
ssh_permit_root_login: 'no' # sshd ssh_permit_root_login: 'no' # sshd
# false to disable TCP Forwarding. Set to true to allow TCP Forwarding. # false to disable TCP Forwarding. Set to true to allow TCP Forwarding.
ssh_allow_tcp_forwarding: 'no' # sshd ssh_allow_tcp_forwarding: 'no' # sshd
# false to disable binding forwarded ports to non-loopback addresses. Set to true to force binding on wildcard address. # false to disable binding forwarded ports to non-loopback addresses. Set to true to force binding on wildcard address.
# Set to 'clientspecified' to allow the client to specify which address to bind to. # Set to 'clientspecified' to allow the client to specify which address to bind to.
ssh_gateway_ports: false # sshd ssh_gateway_ports: false # sshd
# false to disable Agent Forwarding. Set to true to allow Agent Forwarding. # false to disable Agent Forwarding. Set to true to allow Agent Forwarding.
ssh_allow_agent_forwarding: false # sshd ssh_allow_agent_forwarding: false # sshd
# false to disable X11 Forwarding. Set to true to allow X11 Forwarding.
ssh_x11_forwarding: false # sshd
# true if SSH has PAM support # true if SSH has PAM support
ssh_pam_support: true ssh_pam_support: true
# false to disable pam authentication. # false to disable pam authentication.
ssh_use_pam: true # sshd ssh_use_pam: true # sshd
# specify AuthenticationMethods # specify AuthenticationMethods
sshd_authenticationmethods: 'publickey' sshd_authenticationmethods: 'publickey'
@ -80,29 +90,29 @@ ssh_gssapi_support: false
ssh_kerberos_support: true ssh_kerberos_support: true
# if specified, login is disallowed for user names that match one of the patterns. # if specified, login is disallowed for user names that match one of the patterns.
ssh_deny_users: '' # sshd ssh_deny_users: '' # sshd
# if specified, login is allowed only for user names that match one of the patterns. # if specified, login is allowed only for user names that match one of the patterns.
ssh_allow_users: '' # sshd ssh_allow_users: '' # sshd
# if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns. # if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns.
ssh_deny_groups: '' # sshd ssh_deny_groups: '' # sshd
# if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. # if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.
ssh_allow_groups: '' # sshd ssh_allow_groups: '' # sshd
# change default file that contains the public keys that can be used for user authentication. # change default file that contains the public keys that can be used for user authentication.
ssh_authorized_keys_file: '' # sshd ssh_authorized_keys_file: '' # sshd
# specifies the file containing trusted certificate authorities public keys used to sign user certificates. # specifies the file containing trusted certificate authorities public keys used to sign user certificates.
ssh_trusted_user_ca_keys_file: '' # sshd ssh_trusted_user_ca_keys_file: '' # sshd
# set the trusted certificate authorities public keys used to sign user certificates. # set the trusted certificate authorities public keys used to sign user certificates.
# Example: # Example:
# ssh_trusted_user_ca_keys: # ssh_trusted_user_ca_keys:
# - 'ssh-rsa ... comment1' # - 'ssh-rsa ... comment1'
# - 'ssh-rsa ... comment2' # - 'ssh-rsa ... comment2'
ssh_trusted_user_ca_keys: [] # sshd ssh_trusted_user_ca_keys: [] # sshd
# specifies the file containing principals that are allowed. Only used if ssh_trusted_user_ca_keys_file is set. # specifies the file containing principals that are allowed. Only used if ssh_trusted_user_ca_keys_file is set.
# Example: # Example:
@ -112,26 +122,30 @@ ssh_trusted_user_ca_keys: [] # sshd
# replaced by the username of that user. After expansion, the path is taken to be # replaced by the username of that user. After expansion, the path is taken to be
# an absolute path or one relative to the user's home directory. # an absolute path or one relative to the user's home directory.
# #
ssh_authorized_principals_file: '' # sshd ssh_authorized_principals_file: '' # sshd
# list of hashes containing file paths and authorized principals. Only used if ssh_authorized_principals_file is set. # list of hashes containing file paths and authorized principals. Only used if ssh_authorized_principals_file is set.
# Example: # Example:
# ssh_authorized_principals: # ssh_authorized_principals:
# - { path: '/etc/ssh/auth_principals/root', principals: [ 'root' ], owner: "{{ ssh_owner }}", group: "{{ ssh_group }}", directoryowner: "{{ ssh_owner }}", directorygroup: "{{ ssh_group}}" } # - { path: '/etc/ssh/auth_principals/root', principals: [ 'root' ], owner: "{{ ssh_owner }}", group: "{{ ssh_group }}", directoryowner: "{{ ssh_owner }}", directorygroup: "{{ ssh_group}}" }
# - { path: '/etc/ssh/auth_principals/myuser', principals: [ 'masteradmin', 'webserver' ] } # - { path: '/etc/ssh/auth_principals/myuser', principals: [ 'masteradmin', 'webserver' ] }
ssh_authorized_principals: [] # sshd ssh_authorized_principals: [] # sshd
# false to disable printing of the MOTD # false to disable printing of the MOTD
ssh_print_motd: false # sshd ssh_print_motd: false # sshd
ssh_print_pam_motd: false # sshd
# false to disable display of last login information # false to disable display of last login information
ssh_print_last_log: false # sshd ssh_print_last_log: false # sshd
# false to disable serving /etc/ssh/banner.txt before authentication is allowed # false to disable serving ssh warning banner before authentication is allowed
ssh_banner: false # sshd ssh_banner: false # sshd
# path to file with ssh warning banner
ssh_banner_path: '/etc/ssh/banner.txt'
# false to disable distribution version leakage during initial protocol handshake # false to disable distribution version leakage during initial protocol handshake
ssh_print_debian_banner: false # sshd (Debian OS family only) ssh_print_debian_banner: false # sshd (Debian OS family only)
# true to enable sftp configuration # true to enable sftp configuration
sftp_enabled: false sftp_enabled: false
@ -140,7 +154,7 @@ sftp_enabled: false
sftp_chroot: true sftp_chroot: true
# sftp default umask # sftp default umask
sftp_umask: 0027 sftp_umask: '0027'
# change default sftp chroot location # change default sftp chroot location
sftp_chroot_dir: /home/%u sftp_chroot_dir: /home/%u
@ -148,20 +162,23 @@ sftp_chroot_dir: /home/%u
# enable experimental client roaming # enable experimental client roaming
ssh_client_roaming: false ssh_client_roaming: false
# list of hashes (containing user and rules) to generate Match User blocks for. # list of hashes (containing user and rules) to generate Match User blocks for
ssh_server_match_user: false # sshd ssh_server_match_user: false # sshd
# list of hashes (containing group and rules) to generate Match Group blocks for. # list of hashes (containing group and rules) to generate Match Group blocks for
ssh_server_match_group: false # sshd ssh_server_match_group: false # sshd
# list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for. # list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for
ssh_server_match_address: false # sshd ssh_server_match_address: false # sshd
# list of hashes (containing port and rules) to generate Match LocalPort blocks for
ssh_server_match_local_port: false # sshd
ssh_server_permit_environment_vars: 'no' ssh_server_permit_environment_vars: 'no'
ssh_server_accept_env_vars : '' ssh_server_accept_env_vars: ''
# maximum number of concurrent unauthenticated connections to the SSH daemon # maximum number of concurrent unauthenticated connections to the SSH daemon
ssh_max_startups: '10:30:100' # sshd ssh_max_startups: '10:30:100' # sshd
ssh_ps53: 'yes' ssh_ps53: 'yes'
ssh_ps59: 'sandbox' ssh_ps59: 'sandbox'
@ -249,3 +266,7 @@ sshd_syslog_facility: 'AUTH'
sshd_log_level: 'VERBOSE' sshd_log_level: 'VERBOSE'
sshd_strict_modes: yes sshd_strict_modes: yes
# disable CRYPTO_POLICY to take settings from sshd configuration
# see: https://access.redhat.com/solutions/4410591
sshd_disable_crypto_policy: true

17
ansible/roles/dev-sec.ssh-hardening/files/sshd Normal file
View file

@ -0,0 +1,17 @@
# Configuration file for the sshd service.
# The server keys are automatically generated if they are missing.
# To change the automatic creation, adjust sshd.service options for
# example using systemctl enable sshd-keygen@dsa.service to allow creation
# of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key
# creation.
# Do not change this option unless you have hardware random
# generator and you REALLY know what you are doing
SSH_USE_STRONG_RNG=0
# SSH_USE_STRONG_RNG=1
# System-wide crypto policy:
# To opt-out, uncomment the following line
CRYPTO_POLICY=

6
ansible/roles/dev-sec.ssh-hardening/handlers/main.yml
View file

@ -1,4 +1,6 @@
- name: restart sshd - name: restart sshd
service: name={{ sshd_service_name }} state=restarted service:
when: "(ssh_server_enabled|bool)" name: '{{ sshd_service_name }}'
state: restarted
when: ssh_server_enabled | bool
become: yes become: yes

4
ansible/roles/dev-sec.ssh-hardening/meta/.galaxy_install_info
View file

@ -1,2 +1,2 @@
install_date: Fri May 15 20:29:21 2020 install_date: Thu Feb 18 15:39:23 2021
version: 8.1.0 version: 9.7.0

3
ansible/roles/dev-sec.ssh-hardening/meta/main.yml
View file

@ -10,6 +10,7 @@ galaxy_info:
versions: versions:
- 6 - 6
- 7 - 7
- 8
- name: Ubuntu - name: Ubuntu
versions: versions:
- xenial - xenial
@ -20,6 +21,8 @@ galaxy_info:
- buster - buster
- name: Amazon - name: Amazon
- name: Fedora - name: Fedora
- name: Archlinux
- name: SmartOS
galaxy_tags: galaxy_tags:
- system - system
- security - security

10
ansible/roles/dev-sec.ssh-hardening/tasks/ca_keys_and_principals.yml
View file

@ -1,5 +1,5 @@
--- ---
- name: Set ssh CA pub keys - name: set ssh CA pub keys
template: template:
src: 'trusted_user_ca_keys.j2' src: 'trusted_user_ca_keys.j2'
dest: '{{ ssh_trusted_user_ca_keys_file }}' dest: '{{ ssh_trusted_user_ca_keys_file }}'
@ -8,20 +8,20 @@
group: '{{ ssh_group }}' group: '{{ ssh_group }}'
notify: restart sshd notify: restart sshd
- name: Create ssh authorized principals directories - name: create ssh authorized principals directories
file: file:
path: '{{ item.path | dirname }}' path: '{{ item.path | dirname }}'
mode: '{{ item.directorymode | default(0700) }}' mode: '{{ item.directorymode | default(0700) }}'
owner: '{{ item.directoryowner | default(ssh_owner) }}' owner: '{{ item.directoryowner | default(ssh_owner) }}'
group: '{{ item.directorygroup | default(ssh_group) }}' group: '{{ item.directorygroup | default(ssh_group) }}'
state: directory state: directory
with_items: '{{ ssh_authorized_principals }}' loop: '{{ ssh_authorized_principals }}'
- name: Set ssh authorized principals - name: set ssh authorized principals
template: template:
src: 'authorized_principals.j2' src: 'authorized_principals.j2'
dest: '{{ item.path }}' dest: '{{ item.path }}'
mode: '{{ item.filemode | default(0600) }}' mode: '{{ item.filemode | default(0600) }}'
owner: '{{ item.owner| default(ssh_owner) }}' owner: '{{ item.owner| default(ssh_owner) }}'
group: '{{ item.group | default(ssh_group) }}' group: '{{ item.group | default(ssh_group) }}'
with_items: '{{ ssh_authorized_principals }}' loop: '{{ ssh_authorized_principals }}'

75
ansible/roles/dev-sec.ssh-hardening/tasks/crypto.yml
View file

@ -1,75 +0,0 @@
---
- name: set hostkeys according to openssh-version
set_fact:
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
when: sshd_version is version('6.3', '>=') and not ssh_host_key_files
- name: set hostkeys according to openssh-version
set_fact:
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key']
when: sshd_version is version('6.0', '>=') and not ssh_host_key_files
- name: set hostkeys according to openssh-version
set_fact:
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key']
when: sshd_version is version('5.3', '>=') and not ssh_host_key_files
###
- name: set macs according to openssh-version if openssh >= 7.6
set_fact:
ssh_macs: '{{ ssh_macs_76_default }}'
when: sshd_version is version('7.6', '>=') and not ssh_macs
- name: set macs according to openssh-version if openssh >= 6.6
set_fact:
ssh_macs: '{{ ssh_macs_66_default }}'
when: sshd_version is version('6.6', '>=') and not ssh_macs
- name: set macs according to openssh-version
set_fact:
ssh_macs: '{{ ssh_macs_59_default }}'
when: sshd_version is version('5.9', '>=') and not ssh_macs
- name: set macs for Enterprise Linux >= 6.5 (openssh 5.3 with backports)
set_fact:
ssh_macs: '{{ ssh_macs_53_el_6_5_default }}'
when:
- ansible_facts.distribution in ['CentOS', 'OracleLinux', 'RedHat']
- ansible_facts.distribution_version is version('6.5', '>=')
- not ssh_macs
- name: set macs according to openssh-version
set_fact:
ssh_macs: '{{ ssh_macs_53_default }}'
when: sshd_version is version('5.3', '>=') and not ssh_macs
###
- name: set ciphers according to openssh-version if openssh >= 6.6
set_fact:
ssh_ciphers: '{{ ssh_ciphers_66_default }}'
when: sshd_version is version('6.6', '>=') and not ssh_ciphers
- name: set ciphers according to openssh-version
set_fact:
ssh_ciphers: '{{ ssh_ciphers_53_default }}'
when: sshd_version is version('5.3', '>=') and not ssh_ciphers
###
- name: set kex according to openssh-version if openssh >= 8.0
set_fact:
ssh_kex: '{{ ssh_kex_80_default }}'
when: sshd_version is version('8.0', '>=') and not ssh_kex
- name: set kex according to openssh-version if openssh >= 6.6
set_fact:
ssh_kex: '{{ ssh_kex_66_default }}'
when: sshd_version is version('6.6', '>=') and not ssh_kex
- name: set kex according to openssh-version
set_fact:
ssh_kex: '{{ ssh_kex_59_default }}'
when: sshd_version is version('5.9', '>=') and not ssh_kex

10
ansible/roles/dev-sec.ssh-hardening/tasks/crypto_ciphers.yml Normal file
View file

@ -0,0 +1,10 @@
---
- name: set ciphers according to openssh-version if openssh >= 5.3
set_fact:
ssh_ciphers: '{{ ssh_ciphers_53_default }}'
when: sshd_version is version('5.3', '>=')
- name: set ciphers according to openssh-version if openssh >= 6.6
set_fact:
ssh_ciphers: '{{ ssh_ciphers_66_default }}'
when: sshd_version is version('6.6', '>=')

21
ansible/roles/dev-sec.ssh-hardening/tasks/crypto_hostkeys.yml Normal file
View file

@ -0,0 +1,21 @@
---
- name: set hostkeys according to openssh-version if openssh >= 5.3
set_fact:
ssh_host_key_files:
- "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
when: sshd_version is version('5.3', '>=')
- name: set hostkeys according to openssh-version if openssh >= 6.0
set_fact:
ssh_host_key_files:
- "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
- "{{ ssh_host_keys_dir }}/ssh_host_ecdsa_key"
when: sshd_version is version('6.0', '>=')
- name: set hostkeys according to openssh-version if openssh >= 6.3
set_fact:
ssh_host_key_files:
- "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
- "{{ ssh_host_keys_dir }}/ssh_host_ecdsa_key"
- "{{ ssh_host_keys_dir }}/ssh_host_ed25519_key"
when: sshd_version is version('6.3', '>=')

15
ansible/roles/dev-sec.ssh-hardening/tasks/crypto_kex.yml Normal file
View file

@ -0,0 +1,15 @@
---
- name: set kex according to openssh-version if openssh >= 5.9
set_fact:
ssh_kex: '{{ ssh_kex_59_default }}'
when: sshd_version is version('5.9', '>=')
- name: set kex according to openssh-version if openssh >= 6.6
set_fact:
ssh_kex: '{{ ssh_kex_66_default }}'
when: sshd_version is version('6.6', '>=')
- name: set kex according to openssh-version if openssh >= 8.0
set_fact:
ssh_kex: '{{ ssh_kex_80_default }}'
when: sshd_version is version('8.0', '>=')

27
ansible/roles/dev-sec.ssh-hardening/tasks/crypto_macs.yml Normal file
View file

@ -0,0 +1,27 @@
---
- name: set macs according to openssh-version if openssh >= 5.3
set_fact:
ssh_macs: '{{ ssh_macs_53_default }}'
when: sshd_version is version('5.3', '>=')
- name: set macs for Enterprise Linux >= 6.5 (openssh 5.3 with backports)
set_fact:
ssh_macs: '{{ ssh_macs_53_el_6_5_default }}'
when:
- ansible_facts.distribution in ['CentOS', 'OracleLinux', 'RedHat']
- ansible_facts.distribution_version is version('6.5', '>=')
- name: set macs according to openssh-version if openssh >= 5.9
set_fact:
ssh_macs: '{{ ssh_macs_59_default }}'
when: sshd_version is version('5.9', '>=')
- name: set macs according to openssh-version if openssh >= 6.6
set_fact:
ssh_macs: '{{ ssh_macs_66_default }}'
when: sshd_version is version('6.6', '>=')
- name: set macs according to openssh-version if openssh >= 7.6
set_fact:
ssh_macs: '{{ ssh_macs_76_default }}'
when: sshd_version is version('7.6', '>=')

48
ansible/roles/dev-sec.ssh-hardening/tasks/hardening.yml
View file

@ -1,11 +1,11 @@
--- ---
- name: Set OS dependent variables - name: set OS dependent variables
include_vars: '{{ item }}' include_vars: '{{ item }}'
with_first_found: with_first_found:
- '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml' - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
- '{{ ansible_facts.distribution }}.yml' - '{{ ansible_facts.distribution }}.yml'
- '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml' - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
- '{{ ansible_facts.os_family }}.yml' - '{{ ansible_facts.os_family }}.yml'
- name: get openssh-version - name: get openssh-version
command: ssh -V command: ssh -V
@ -17,8 +17,21 @@
set_fact: set_fact:
sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]*.[0-9]).*', '\\1') }}" sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]*.[0-9]).*', '\\1') }}"
- name: include tasks to create crypo-vars - name: set default for ssh_host_key_files if not supplied
include_tasks: crypto.yml include_tasks: crypto_hostkeys.yml
when: not ssh_host_key_files
- name: set default for ssh_macs if not supplied
include_tasks: crypto_macs.yml
when: not ssh_macs
- name: set default for ssh_ciphers if not supplied
include_tasks: crypto_ciphers.yml
when: not ssh_ciphers
- name: set default for ssh_kex if not supplied
include_tasks: crypto_kex.yml
when: not ssh_kex
- name: create revoked_keys and set permissions to root/600 - name: create revoked_keys and set permissions to root/600
template: template:
@ -37,7 +50,7 @@
mode: '0600' mode: '0600'
owner: '{{ ssh_owner }}' owner: '{{ ssh_owner }}'
group: '{{ ssh_group }}' group: '{{ ssh_group }}'
validate: '/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -f %s' validate: '{{ sshd_path }} -T -C user=root -C host=localhost -C addr=localhost -C lport=22 -f %s'
notify: restart sshd notify: restart sshd
when: ssh_server_hardening | bool when: ssh_server_hardening | bool
@ -48,10 +61,11 @@
control: optional control: optional
module_path: pam_motd.so module_path: pam_motd.so
state: absent state: absent
backup: yes
when: when:
- ssh_server_hardening | bool - ssh_server_hardening | bool
- ssh_pam_support | bool - ssh_pam_support | bool
- not (ssh_print_motd | bool) - not (ssh_print_pam_motd | bool)
- name: create ssh_config and set permissions to root/644 - name: create ssh_config and set permissions to root/644
template: template:
@ -62,7 +76,7 @@
group: '{{ ssh_group }}' group: '{{ ssh_group }}'
when: ssh_client_hardening | bool when: ssh_client_hardening | bool
- name: Check if {{ sshd_moduli_file }} contains weak DH parameters - name: check if {{ sshd_moduli_file }} contains weak DH parameters
shell: awk '$5 < {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }} shell: awk '$5 < {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }}
register: sshd_register_moduli register: sshd_register_moduli
changed_when: false changed_when: false
@ -84,3 +98,17 @@
- name: include selinux specific tasks - name: include selinux specific tasks
include_tasks: selinux.yml include_tasks: selinux.yml
when: ansible_facts.selinux and ansible_facts.selinux.status == "enabled" when: ansible_facts.selinux and ansible_facts.selinux.status == "enabled"
- name: gather package facts
package_facts:
check_mode: no
when:
- sshd_disable_crypto_policy | bool
- name: disable SSH server CRYPTO_POLICY
copy:
src: sshd
dest: /etc/sysconfig/sshd
when:
- sshd_disable_crypto_policy | bool
- ('crypto-policies' in ansible_facts.packages)

1
ansible/roles/dev-sec.ssh-hardening/tasks/main.yml
View file

@ -1,4 +1,3 @@
--- ---
- include_tasks: hardening.yml - include_tasks: hardening.yml
when: ssh_hardening_enabled | bool when: ssh_hardening_enabled | bool

59
ansible/roles/dev-sec.ssh-hardening/tasks/selinux.yml
View file

@ -4,14 +4,13 @@
name: '{{ ssh_selinux_packages }}' name: '{{ ssh_selinux_packages }}'
state: present state: present
- name: "authorize {{ ssh_server_ports }} ports for selinux" - name: authorize {{ ssh_server_ports }} ports for selinux
seport: seport:
ports: '{{ item }}' ports: '{{ item }}'
proto: tcp proto: tcp
setype: ssh_port_t setype: ssh_port_t
state: present state: present
with_items: loop: '{{ ssh_server_ports }}'
- "{{ ssh_server_ports }}"
- name: check if ssh_password module is already installed - name: check if ssh_password module is already installed
shell: 'set -o pipefail && semodule -l | grep ssh_password' shell: 'set -o pipefail && semodule -l | grep ssh_password'
@ -22,35 +21,41 @@
changed_when: false changed_when: false
check_mode: no check_mode: no
# The following tasks only get executed when selinux is in state enforcing, UsePam is 'no' and the ssh_password module is installed. # The following tasks only get executed when selinux is in state enforcing,
# See this issue for more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23 # UsePam is 'no' and the ssh_password module is not installed. See this issue for
- block: # more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23
- name: Create selinux custom policy drop folder - when:
file: - not (ssh_use_pam | bool)
path: '{{ ssh_custom_selinux_dir }}' - ('ssh_password' not in ssh_password_module.stdout)
state: 'directory' block:
owner: 'root' - name: create selinux custom policy drop folder
group: 'root' file:
mode: '0750' path: '{{ ssh_custom_selinux_dir }}'
state: 'directory'
owner: 'root'
group: 'root'
mode: '0750'
- name: Distributing custom selinux policies - name: distributing custom selinux policies
copy: copy:
src: 'ssh_password' src: 'ssh_password'
dest: '{{ ssh_custom_selinux_dir }}' dest: '{{ ssh_custom_selinux_dir }}'
- name: check and compile policy - name: check and compile policy
command: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password command: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password
- name: create selinux policy module package - name: create selinux policy module package
command: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp -m {{ ssh_custom_selinux_dir }}/ssh_password.mod command: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp -m {{ ssh_custom_selinux_dir }}/ssh_password.mod
- name: install selinux policy - name: install selinux policy
command: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp command: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp
when: not ssh_use_pam | bool and ssh_password_module.stdout.find('ssh_password') != 0
# The following tasks only get executed when selinux is installed, UsePam is 'yes' and the ssh_password module is installed. # The following tasks only get executed when selinux is installed, UsePam is
# See http://danwalsh.livejournal.com/12333.html for more info # 'yes' and the ssh_password module is installed. See
# http://danwalsh.livejournal.com/12333.html for more info
- name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk - name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk
command: semodule -r ssh_password command: semodule -r ssh_password
when: ssh_use_pam | bool and ssh_password_module.stdout.find('ssh_password') == 0 when:
- ssh_use_pam | bool
- ('ssh_password' in ssh_password_module.stdout)

2
ansible/roles/dev-sec.ssh-hardening/templates/authorized_principals.j2
View file

@ -1,4 +1,4 @@
# {{ansible_managed|comment}} {{ ansible_managed | comment }}
{% for principal in item.principals %} {% for principal in item.principals %}
{{ principal }} {{ principal }}

26
ansible/roles/dev-sec.ssh-hardening/templates/openssh.conf.j2
View file

@ -1,9 +1,10 @@
# {{ansible_managed|comment}} #jinja2: trim_blocks: "true", lstrip_blocks: "true"
{{ ansible_managed | comment }}
# This is the ssh client system-wide configuration file. # This is the ssh client system-wide configuration file.
# See ssh_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen. # See ssh_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
{% if ssh_custom_options -%} {% if ssh_custom_options %}
# Custom configuration that overwrites default configuration # Custom configuration that overwrites default configuration
# ========================================================== # ==========================================================
{% for line in ssh_custom_options %} {% for line in ssh_custom_options %}
@ -17,14 +18,14 @@
# Address family should always be limited to the active network configuration. # Address family should always be limited to the active network configuration.
AddressFamily {{ 'any' if network_ipv6_enable else 'inet' }} AddressFamily {{ 'any' if network_ipv6_enable else 'inet' }}
{% for host in ssh_remote_hosts -%} {% for host in ssh_remote_hosts %}
{% if loop.first %} {% if loop.first %}
# Host-specific configuration # Host-specific configuration
{% endif %} {% endif %}
Host {{ host.names | join(' ') }} Host {{ host.names | join(' ') }}
{{ host.options | join("\n") | indent(2) }} {{ host.options | join('\n') | indent(2) }}
{% endfor -%} {% endfor %}
# Global defaults for all Hosts # Global defaults for all Hosts
Host * Host *
@ -60,16 +61,16 @@ StrictHostKeyChecking ask
# -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html) # -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
# #
{# This outputs "Ciphers <list-of-ciphers>" if ssh_ciphers is defined or "#Ciphers" if ssh_ciphers is undefined #} {# This outputs 'Ciphers <list-of-ciphers>' if ssh_ciphers is defined or '#Ciphers' if ssh_ciphers is undefined #}
{{ "Ciphers "+ssh_ciphers| join(',') if ssh_ciphers else "Ciphers"|comment }} {{ 'Ciphers ' ~ ssh_ciphers|join(',') if ssh_ciphers else 'Ciphers'|comment }}
# **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary. # **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary.
# Weak HMAC is sometimes required if older package versions are used # Weak HMAC is sometimes required if older package versions are used
# eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case. # eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.
# #
{# This outputs "MACs <list-of-macs>" if ssh_macs is defined or "#MACs" if ssh_macs is undefined #} {# This outputs 'MACs <list-of-macs>' if ssh_macs is defined or '#MACs' if ssh_macs is undefined #}
{{ "MACs "+ssh_macs| join(',') if ssh_macs else "MACs"|comment }} {{ 'MACs ' ~ ssh_macs|join(',') if ssh_macs else 'MACs'|comment }}
# Alternative setting, if OpenSSH version is below v5.9 # Alternative setting, if OpenSSH version is below v5.9
#MACs hmac-ripemd160 #MACs hmac-ripemd160
@ -79,8 +80,8 @@ StrictHostKeyChecking ask
# eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case. # eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.
# based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf # based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf
{# This outputs "KexAlgorithms <list-of-algos>" if ssh_kex is defined or "#KexAlgorithms" if ssh_kex is undefined #} {# This outputs 'KexAlgorithms <list-of-algos>' if ssh_kex is defined or '#KexAlgorithms' if ssh_kex is undefined #}
{{ "KexAlgorithms "+ssh_kex| join(',') if ssh_kex else "KexAlgorithms"|comment }} {{ 'KexAlgorithms ' ~ ssh_kex|join(',') if ssh_kex else 'KexAlgorithms'|comment }}
# Disable agent forwarding, since local agent could be accessed through forwarded connection. # Disable agent forwarding, since local agent could be accessed through forwarded connection.
ForwardAgent no ForwardAgent no
@ -113,8 +114,7 @@ PermitLocalCommand no
# Misc. configuration # Misc. configuration
# =================== # ===================
# Enable compression. More pressure on the CPU, less on the network. Compression {{ 'yes' if (ssh_client_compression|bool) else 'no' }}
Compression yes
#EscapeChar ~ #EscapeChar ~
#VisualHostKey yes #VisualHostKey yes

117
ansible/roles/dev-sec.ssh-hardening/templates/opensshd.conf.j2
View file

@ -1,12 +1,13 @@
# {{ansible_managed|comment}} #jinja2: trim_blocks: "true", lstrip_blocks: "true"
{{ ansible_managed | comment }}
# This is the ssh client system-wide configuration file. # This is the ssh client system-wide configuration file.
# See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen. # See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
{% if sshd_custom_options -%} {% if sshd_custom_options %}
# Custom configuration that overwrites default configuration # Custom configuration that overwrites default configuration
# ========================================================== # ==========================================================
{% for line in sshd_custom_options -%} {% for line in sshd_custom_options %}
{{ line }} {{ line }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@ -18,26 +19,26 @@
PermitRootLogin {{ ssh_permit_root_login }} PermitRootLogin {{ ssh_permit_root_login }}
# Define which port sshd should listen to. Default to `22`. # Define which port sshd should listen to. Default to `22`.
{% for port in ssh_server_ports -%} {% for port in ssh_server_ports %}
Port {{port}} Port {{ port }}
{% endfor %} {% endfor %}
# Address family should always be limited to the active network configuration. # Address family should always be limited to the active network configuration.
AddressFamily {{ 'any' if (network_ipv6_enable|bool) else 'inet' }} AddressFamily {{ 'any' if (network_ipv6_enable|bool) else 'inet' }}
# Define which addresses sshd should listen to. Default to `0.0.0.0`, ie make sure you put your desired address in here, since otherwise sshd will listen to everyone. # Define which addresses sshd should listen to. Default to `0.0.0.0`, ie make sure you put your desired address in here, since otherwise sshd will listen to everyone.
{% for address in ssh_listen_to -%} {% for address in ssh_listen_to %}
ListenAddress {{address}} ListenAddress {{ address }}
{% endfor %} {% endfor %}
# List HostKeys here. # List HostKeys here.
{% for key in ssh_host_key_files -%} {% for key in ssh_host_key_files %}
HostKey {{key}} HostKey {{ key }}
{% endfor %} {% endfor %}
# Specifies the host key algorithms that the server offers. # Specifies the host key algorithms that the server offers.
{% if sshd_version is version('5.8', '>=') %} {% if sshd_version is version('5.8', '>=') %}
{{ "HostKeyAlgorithms "+ssh_host_key_algorithms| join(',') if ssh_host_key_algorithms else "HostKeyAlgorithms"|comment }} {{ "HostKeyAlgorithms " ~ ssh_host_key_algorithms|join(',') if ssh_host_key_algorithms else "HostKeyAlgorithms"|comment }}
{% endif %} {% endif %}
# Security configuration # Security configuration
@ -62,16 +63,16 @@ LogLevel {{ sshd_log_level }}
# -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html) # -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
# #
{# This outputs "Ciphers <list-of-ciphers>" if ssh_ciphers is defined or "#Ciphers" if ssh_ciphers is undefined #} {# This outputs 'Ciphers <list-of-ciphers>' if ssh_ciphers is defined or '#Ciphers' if ssh_ciphers is undefined #}
{{ "Ciphers "+ssh_ciphers| join(',') if ssh_ciphers else "Ciphers"|comment }} {{ 'Ciphers ' ~ ssh_ciphers|join(',') if ssh_ciphers else 'Ciphers'|comment }}
# **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary. # **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary.
# Weak HMAC is sometimes required if older package versions are used # Weak HMAC is sometimes required if older package versions are used
# eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case. # eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.
# #
{# This outputs "MACs <list-of-macs>" if ssh_macs is defined or "#MACs" if ssh_macs is undefined #} {# This outputs 'MACs <list-of-macs>' if ssh_macs is defined or '#MACs' if ssh_macs is undefined #}
{{ "MACs "+ssh_macs| join(',') if ssh_macs else "MACs"|comment }} {{ 'MACs ' ~ ssh_macs|join(',') if ssh_macs else 'MACs'|comment }}
# Alternative setting, if OpenSSH version is below v5.9 # Alternative setting, if OpenSSH version is below v5.9
#MACs hmac-ripemd160 #MACs hmac-ripemd160
@ -81,8 +82,8 @@ LogLevel {{ sshd_log_level }}
# eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case. # eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.
# based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf # based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf
{# This outputs "KexAlgorithms <list-of-algos>" if ssh_kex is defined or "#KexAlgorithms" if ssh_kex is undefined #} {# This outputs 'KexAlgorithms <list-of-algos>' if ssh_kex is defined or '#KexAlgorithms' if ssh_kex is undefined #}
{{ "KexAlgorithms "+ssh_kex| join(',') if ssh_kex else "KexAlgorithms"|comment }} {{ 'KexAlgorithms ' ~ ssh_kex|join(',') if ssh_kex else 'KexAlgorithms'|comment }}
# Authentication # Authentication
# -------------- # --------------
@ -92,13 +93,17 @@ LogLevel {{ sshd_log_level }}
UseLogin no UseLogin no
{% endif %} {% endif %}
{% if sshd_version is version('7.5', '<') %} {% if sshd_version is version('7.5', '<') %}
UsePrivilegeSeparation {% if (ansible_facts.distribution == 'Debian' and ansible_facts.distribution_major_version <= '6') or (ansible_facts.os_family in ['Oracle Linux', 'RedHat'] and ansible_facts.distribution_major_version <= '6' and not ansible_facts.distribution == 'Amazon') -%}{{ssh_ps53}}{% else %}{{ssh_ps59}}{% endif %} UsePrivilegeSeparation {{
(ansible_facts.distribution == 'Debian' and ansible_facts.distribution_major_version <= '6')
or (ansible_facts.os_family in ['Oracle Linux', 'RedHat'] and ansible_facts.distribution_major_version <= '6' and not ansible_facts.distribution == 'Amazon')
| ternary(ssh_ps53, ssh_ps59)
}}
{% endif %} {% endif %}
LoginGraceTime 30s LoginGraceTime {{ ssh_login_grace_time }}
MaxAuthTries {{ssh_max_auth_retries}} MaxAuthTries {{ ssh_max_auth_retries }}
MaxSessions 10 MaxSessions {{ ssh_max_sessions }}
MaxStartups {{ssh_max_startups}} MaxStartups {{ ssh_max_startups }}
# Enable public key authentication # Enable public key authentication
PubkeyAuthentication yes PubkeyAuthentication yes
@ -109,7 +114,7 @@ IgnoreUserKnownHosts yes
HostbasedAuthentication no HostbasedAuthentication no
# Enable PAM to enforce system wide rules # Enable PAM to enforce system wide rules
{% if ssh_pam_support -%} {% if ssh_pam_support %}
UsePAM {{ 'yes' if (ssh_use_pam|bool) else 'no' }} UsePAM {{ 'yes' if (ssh_use_pam|bool) else 'no' }}
{% endif %} {% endif %}
@ -124,7 +129,7 @@ PasswordAuthentication {{ 'yes' if (ssh_server_password_login|bool) else 'no' }}
PermitEmptyPasswords no PermitEmptyPasswords no
ChallengeResponseAuthentication {{ 'yes' if (ssh_challengeresponseauthentication|bool) else 'no' }} ChallengeResponseAuthentication {{ 'yes' if (ssh_challengeresponseauthentication|bool) else 'no' }}
{% if ssh_kerberos_support -%} {% if ssh_kerberos_support %}
# Only enable Kerberos authentication if it is configured. # Only enable Kerberos authentication if it is configured.
KerberosAuthentication no KerberosAuthentication no
KerberosOrLocalPasswd no KerberosOrLocalPasswd no
@ -137,29 +142,29 @@ GSSAPIAuthentication {{ 'yes' if ssh_gssapi_support else 'no' }}
GSSAPICleanupCredentials yes GSSAPICleanupCredentials yes
# In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here. For key-based authentication this is not necessary, since all keys must be explicitely enabled. # In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here. For key-based authentication this is not necessary, since all keys must be explicitely enabled.
{% if ssh_deny_users -%} {% if ssh_deny_users %}
DenyUsers {{ssh_deny_users}} DenyUsers {{ ssh_deny_users }}
{% endif %} {% endif %}
{% if ssh_allow_users -%} {% if ssh_allow_users %}
AllowUsers {{ssh_allow_users}} AllowUsers {{ ssh_allow_users }}
{% endif %} {% endif %}
{% if ssh_deny_groups -%} {% if ssh_deny_groups %}
DenyGroups {{ssh_deny_groups}} DenyGroups {{ ssh_deny_groups }}
{% endif %} {% endif %}
{% if ssh_allow_groups -%} {% if ssh_allow_groups %}
AllowGroups {{ssh_allow_groups}} AllowGroups {{ ssh_allow_groups }}
{% endif %} {% endif %}
{% if ssh_authorized_keys_file -%} {% if ssh_authorized_keys_file %}
AuthorizedKeysFile {{ ssh_authorized_keys_file }} AuthorizedKeysFile {{ ssh_authorized_keys_file }}
{% endif %} {% endif %}
{% if ssh_trusted_user_ca_keys_file -%} {% if ssh_trusted_user_ca_keys_file %}
TrustedUserCAKeys {{ ssh_trusted_user_ca_keys_file }} TrustedUserCAKeys {{ ssh_trusted_user_ca_keys_file }}
{% if ssh_authorized_principals_file -%} {% if ssh_authorized_principals_file %}
AuthorizedPrincipalsFile {{ ssh_authorized_principals_file }} AuthorizedPrincipalsFile {{ ssh_authorized_principals_file }}
{% endif %} {% endif %}
{% endif %} {% endif %}
@ -171,8 +176,8 @@ AuthorizedPrincipalsFile {{ ssh_authorized_principals_file }}
TCPKeepAlive no TCPKeepAlive no
# Manage `ClientAlive..` signals via interval and maximum count. This will periodically check up to a `..CountMax` number of times within `..Interval` timeframe, and abort the connection once these fail. # Manage `ClientAlive..` signals via interval and maximum count. This will periodically check up to a `..CountMax` number of times within `..Interval` timeframe, and abort the connection once these fail.
ClientAliveInterval {{ssh_client_alive_interval}} ClientAliveInterval {{ ssh_client_alive_interval }}
ClientAliveCountMax {{ssh_client_alive_count}} ClientAliveCountMax {{ ssh_client_alive_count }}
# Disable tunneling # Disable tunneling
PermitTunnel {{ 'yes' if (ssh_permit_tunnel|bool) else 'no' }} PermitTunnel {{ 'yes' if (ssh_permit_tunnel|bool) else 'no' }}
@ -189,19 +194,19 @@ AllowTcpForwarding {{ ssh_allow_tcp_forwarding if (ssh_allow_tcp_forwarding in (
# no real advantage without denied shell access # no real advantage without denied shell access
AllowAgentForwarding {{ 'yes' if (ssh_allow_agent_forwarding|bool) else 'no' }} AllowAgentForwarding {{ 'yes' if (ssh_allow_agent_forwarding|bool) else 'no' }}
{% if ssh_gateway_ports|bool -%} {% if ssh_gateway_ports|bool %}
# Port forwardings are forced to bind to the wildcard address # Port forwardings are forced to bind to the wildcard address
GatewayPorts yes GatewayPorts yes
{% elif ssh_gateway_ports == 'clientspecified' -%} {% elif ssh_gateway_ports == 'clientspecified' %}
# Clients allowed to specify which address to bind port forwardings to # Clients allowed to specify which address to bind port forwardings to
GatewayPorts clientspecified GatewayPorts clientspecified
{% else -%} {% else %}
# Do not allow remote port forwardings to bind to non-loopback addresses. # Do not allow remote port forwardings to bind to non-loopback addresses.
GatewayPorts no GatewayPorts no
{% endif %} {% endif %}
# Disable X11 forwarding, since local X11 display could be accessed through forwarded connection. # Disable X11 forwarding, since local X11 display could be accessed through forwarded connection.
X11Forwarding no X11Forwarding {{ 'yes' if (ssh_x11_forwarding|bool) else 'no' }}
X11UseLocalhost yes X11UseLocalhost yes
# User environment configuration # User environment configuration
@ -209,7 +214,7 @@ X11UseLocalhost yes
PermitUserEnvironment {{ ssh_server_permit_environment_vars }} PermitUserEnvironment {{ ssh_server_permit_environment_vars }}
{% if ssh_server_accept_env_vars -%} {% if ssh_server_accept_env_vars %}
AcceptEnv {{ ssh_server_accept_env_vars }} AcceptEnv {{ ssh_server_accept_env_vars }}
{% endif %} {% endif %}
@ -226,16 +231,16 @@ PrintMotd {{ 'yes' if (ssh_print_motd|bool) else 'no' }}
PrintLastLog {{ 'yes' if (ssh_print_last_log|bool) else 'no' }} PrintLastLog {{ 'yes' if (ssh_print_last_log|bool) else 'no' }}
{% endif %} {% endif %}
Banner {{ '/etc/ssh/banner.txt' if (ssh_banner|bool) else 'none' }} Banner {{ ssh_banner_path if (ssh_banner|bool) else 'none' }}
{% if ansible_facts.os_family == 'Debian' -%} {% if ansible_facts.os_family == 'Debian' %}
DebianBanner {{ 'yes' if (ssh_print_debian_banner|bool) else 'no' }} DebianBanner {{ 'yes' if (ssh_print_debian_banner|bool) else 'no' }}
{% endif %} {% endif %}
# Reject keys that are explicitly blacklisted # Reject keys that are explicitly blacklisted
RevokedKeys /etc/ssh/revoked_keys RevokedKeys /etc/ssh/revoked_keys
{% if sftp_enabled -%} {% if sftp_enabled %}
# SFTP matching configuration # SFTP matching configuration
# =========================== # ===========================
# Configuration, in case SFTP is used # Configuration, in case SFTP is used
@ -256,39 +261,51 @@ Match Group sftponly
PermitRootLogin no PermitRootLogin no
X11Forwarding no X11Forwarding no
{% endif %} {% endif %}
{% if ssh_server_match_address %}
{% if ssh_server_match_address -%}
# Address matching configuration # Address matching configuration
# ============================ # ============================
{% for item in ssh_server_match_address -%} {% for item in ssh_server_match_address %}
Match Address {{ item.address }} Match Address {{ item.address }}
{% for rule in item.rules %} {% for rule in item.rules %}
{{ rule | indent(4) }} {{ rule | indent(4) }}
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if ssh_server_match_group %}
{% if ssh_server_match_group -%}
# Group matching configuration # Group matching configuration
# ============================ # ============================
{% for item in ssh_server_match_group -%} {% for item in ssh_server_match_group %}
Match Group {{ item.group }} Match Group {{ item.group }}
{% for rule in item.rules %} {% for rule in item.rules %}
{{ rule | indent(4) }} {{ rule | indent(4) }}
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if ssh_server_match_user %}
{% if ssh_server_match_user -%}
# User matching configuration # User matching configuration
# =========================== # ===========================
{% for item in ssh_server_match_user -%} {% for item in ssh_server_match_user %}
Match User {{ item.user }} Match User {{ item.user }}
{% for rule in item.rules %} {% for rule in item.rules %}
{{ rule | indent(4) }} {{ rule | indent(4) }}
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if ssh_server_match_local_port %}
# LocalPort matching configuration
# ================================
{% for item in ssh_server_match_local_port %}
Match LocalPort {{ item.port }}
{% for rule in item.rules %}
{{ rule | indent(4) }}
{% endfor %}
{% endfor %}
{% endif %}

5
ansible/roles/dev-sec.ssh-hardening/templates/revoked_keys.j2
View file

@ -1,4 +1,5 @@
# {{ansible_managed|comment}} {{ ansible_managed | comment }}
{% for key in ssh_server_revoked_keys %} {% for key in ssh_server_revoked_keys %}
{{key}} {{ key }}
{% endfor %} {% endfor %}

6
ansible/roles/dev-sec.ssh-hardening/templates/trusted_user_ca_keys.j2
View file

@ -1,5 +1,5 @@
# {{ansible_managed|comment}} {{ ansible_managed | comment }}
{% for item in ssh_trusted_user_ca_keys %} {% for key in ssh_trusted_user_ca_keys %}
{{ item }} {{ key }}
{% endfor %} {% endfor %}

45
ansible/roles/dev-sec.ssh-hardening/tests/default.yml
View file

@ -7,25 +7,48 @@
ansible_python_interpreter: /usr/bin/python3 ansible_python_interpreter: /usr/bin/python3
when: ansible_facts.distribution == 'Fedora' when: ansible_facts.distribution == 'Fedora'
- package: name="{{ packages }}" state=present - yum:
vars: name:
packages:
- openssh-clients - openssh-clients
- openssh-server - openssh-server
- libselinux-python - libselinux-python
state: present
update_cache: true
ignore_errors: true ignore_errors: true
- apt: name="{{packages}}" state=present update_cache=true
vars: - dnf:
packages: name:
- "openssh-client" - openssh-clients
- "openssh-server" - openssh-server
- procps-ng
state: present
update_cache: true
ignore_errors: true ignore_errors: true
- file: path="/var/run/sshd" state=directory
- apt:
name:
- openssh-client
- openssh-server
state: present
update_cache: true
ignore_errors: true
- file:
path: "/var/run/sshd"
state: directory
- pacman:
name:
- "openssh"
- "awk"
state: present
update_cache: true
ignore_errors: true
- name: create ssh host keys - name: create ssh host keys
command: "ssh-keygen -A" command: "ssh-keygen -A"
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
ansible_facts.distribution == "Fedora" or ansible_facts.distribution == "Fedora" or
ansible_facts.distribution == "Amazon" ansible_facts.distribution == "Amazon"
roles: roles:
- ansible-ssh-hardening - ansible-ssh-hardening

52
ansible/roles/dev-sec.ssh-hardening/tests/default_custom.yml
View file

@ -7,23 +7,47 @@
ansible_python_interpreter: /usr/bin/python3 ansible_python_interpreter: /usr/bin/python3
when: ansible_facts.distribution == 'Fedora' when: ansible_facts.distribution == 'Fedora'
- package: name="{{ packages }}" state=present - yum:
vars: name:
packages:
- openssh-clients - openssh-clients
- openssh-server - openssh-server
- libselinux-python - libselinux-python
state: present
update_cache: true
ignore_errors: true ignore_errors: true
- apt: name="{{packages}}" state=present update_cache=true
vars: - dnf:
packages: name:
- "openssh-client" - openssh-clients
- "openssh-server" - openssh-server
- procps-ng
state: present
update_cache: true
ignore_errors: true ignore_errors: true
- file: path="/var/run/sshd" state=directory
- apt:
name:
- openssh-client
- openssh-server
state: present
update_cache: true
ignore_errors: true
- file:
path: "/var/run/sshd"
state: directory
- pacman:
name:
- "openssh"
- "awk"
state: present
update_cache: true
ignore_errors: true
- name: create ssh host keys - name: create ssh host keys
command: "ssh-keygen -A" command: "ssh-keygen -A"
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
ansible_facts.distribution == "Fedora" or ansible_facts.distribution == "Fedora" or
ansible_facts.distribution == "Amazon" ansible_facts.distribution == "Amazon"
@ -56,6 +80,9 @@
sftp_enabled: true sftp_enabled: true
sftp_chroot: true sftp_chroot: true
#ssh_server_enabled: false #ssh_server_enabled: false
ssh_server_ports:
- 22
- 222
ssh_server_match_address: ssh_server_match_address:
- address: '192.168.1.1/24' - address: '192.168.1.1/24'
rules: rules:
@ -71,6 +98,11 @@
rules: rules:
- 'AllowTcpForwarding yes' - 'AllowTcpForwarding yes'
- 'AllowAgentForwarding no' - 'AllowAgentForwarding no'
ssh_server_match_local_port:
- port: 222
rules:
- 'AllowTcpForwarding yes'
- 'AllowAgentForwarding no'
ssh_remote_hosts: ssh_remote_hosts:
- names: ['example.com', 'example2.com'] - names: ['example.com', 'example2.com']
options: ['Port 2222', 'ForwardAgent yes'] options: ['Port 2222', 'ForwardAgent yes']

10
ansible/roles/dev-sec.ssh-hardening/vars/Archlinux.yml Normal file
View file

@ -0,0 +1,10 @@
---
sshd_path: /usr/sbin/sshd
ssh_host_keys_dir: '/etc/ssh'
sshd_service_name: sshd
ssh_owner: root
ssh_group: root
# CRYPTO_POLICY is not supported on Archlinux
# and the package check only works in Ansible >2.10
sshd_disable_crypto_policy: false

3
ansible/roles/dev-sec.ssh-hardening/vars/Debian.yml
View file

@ -1,3 +1,6 @@
---
sshd_path: /usr/sbin/sshd
ssh_host_keys_dir: '/etc/ssh'
sshd_service_name: ssh sshd_service_name: ssh
ssh_owner: root ssh_owner: root
ssh_group: root ssh_group: root

3
ansible/roles/dev-sec.ssh-hardening/vars/Fedora.yml
View file

@ -1,3 +1,6 @@
---
sshd_path: /usr/sbin/sshd
ssh_host_keys_dir: '/etc/ssh'
sshd_service_name: sshd sshd_service_name: sshd
ssh_owner: root ssh_owner: root
ssh_group: root ssh_group: root

3
ansible/roles/dev-sec.ssh-hardening/vars/FreeBSD.yml
View file

@ -1,3 +1,6 @@
---
sshd_path: /usr/sbin/sshd
ssh_host_keys_dir: '/etc/ssh'
sshd_service_name: sshd sshd_service_name: sshd
ssh_owner: root ssh_owner: root
ssh_group: wheel ssh_group: wheel

3
ansible/roles/dev-sec.ssh-hardening/vars/OpenBSD.yml
View file

@ -1,3 +1,6 @@
---
sshd_path: /usr/sbin/sshd
ssh_host_keys_dir: '/etc/ssh'
sshd_service_name: sshd sshd_service_name: sshd
ssh_owner: root ssh_owner: root
ssh_group: wheel ssh_group: wheel

3
ansible/roles/dev-sec.ssh-hardening/vars/Oracle Linux.yml
View file

@ -1,3 +1,6 @@
---
sshd_path: /usr/sbin/sshd
ssh_host_keys_dir: '/etc/ssh'
sshd_service_name: sshd sshd_service_name: sshd
ssh_owner: root ssh_owner: root
ssh_group: root ssh_group: root

3
ansible/roles/dev-sec.ssh-hardening/vars/RedHat.yml
View file

@ -1,3 +1,6 @@
---
sshd_path: /usr/sbin/sshd
ssh_host_keys_dir: '/etc/ssh'
sshd_service_name: sshd sshd_service_name: sshd
ssh_owner: root ssh_owner: root
ssh_group: root ssh_group: root

3
ansible/roles/dev-sec.ssh-hardening/vars/RedHat_8.yml
View file

@ -1,3 +1,6 @@
---
sshd_path: /usr/sbin/sshd
ssh_host_keys_dir: '/etc/ssh'
sshd_service_name: sshd sshd_service_name: sshd
ssh_owner: root ssh_owner: root
ssh_group: root ssh_group: root

8
ansible/roles/dev-sec.ssh-hardening/vars/SmartOS.yml Normal file
View file

@ -0,0 +1,8 @@
---
sshd_path: /usr/lib/ssh/sshd
ssh_host_keys_dir: '/var/ssh'
sshd_service_name: ssh
ssh_owner: root
ssh_group: root
ssh_pam_support: false

1
ansible/roles/geerlingguy.docker/.ansible-lint
View file

@ -1,2 +1,3 @@
skip_list: skip_list:
- '306' - '306'
- '106'

2
ansible/roles/geerlingguy.docker/.github/stale.yml vendored
View file

@ -1,5 +1,5 @@
# Configuration for probot-stale - https://github.com/probot/stale # Configuration for probot-stale - https://github.com/probot/stale
---
# Number of days of inactivity before an Issue or Pull Request becomes stale # Number of days of inactivity before an Issue or Pull Request becomes stale
daysUntilStale: 90 daysUntilStale: 90

72
ansible/roles/geerlingguy.docker/.github/workflows/ci.yml vendored Normal file
View file

@ -0,0 +1,72 @@
---
name: CI
'on':
pull_request:
push:
branches:
- master
schedule:
- cron: "0 7 * * 0"
defaults:
run:
working-directory: 'geerlingguy.docker'
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
with:
path: 'geerlingguy.docker'
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install test dependencies.
run: pip3 install yamllint ansible-lint
- name: Lint code.
run: |
yamllint .
ansible-lint
molecule:
name: Molecule
runs-on: ubuntu-latest
strategy:
matrix:
distro:
- centos8
- centos7
- ubuntu2004
- ubuntu1804
- debian10
- debian9
- fedora31
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
with:
path: 'geerlingguy.docker'
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install test dependencies.
run: pip3 install ansible molecule[docker] docker
- name: Run Molecule tests.
run: molecule test
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
MOLECULE_DISTRO: ${{ matrix.distro }}

38
ansible/roles/geerlingguy.docker/.github/workflows/release.yml vendored Normal file
View file

@ -0,0 +1,38 @@
---
# This workflow requires a GALAXY_API_KEY secret present in the GitHub
# repository or organization.
#
# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
# See: https://github.com/ansible/galaxy/issues/46
name: Release
'on':
push:
tags:
- '*'
defaults:
run:
working-directory: 'geerlingguy.docker'
jobs:
release:
name: Release
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
with:
path: 'geerlingguy.docker'
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install Ansible.
run: pip3 install ansible-base
- name: Trigger a new import on Galaxy.
run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)

31
ansible/roles/geerlingguy.docker/.travis.yml
View file

@ -1,31 +0,0 @@
---
language: python
services: docker
env:
global:
- ROLE_NAME: docker
matrix:
- MOLECULE_DISTRO: centos8
- MOLECULE_DISTRO: centos7
- MOLECULE_DISTRO: ubuntu1804
- MOLECULE_DISTRO: ubuntu1604
- MOLECULE_DISTRO: debian10
- MOLECULE_DISTRO: debian9
install:
# Install test dependencies.
- pip install molecule yamllint ansible-lint docker
before_script:
# Use actual Ansible Galaxy role name for the project directory.
- cd ../
- mv ansible-role-$ROLE_NAME geerlingguy.$ROLE_NAME
- cd geerlingguy.$ROLE_NAME
script:
# Run tests.
- molecule test
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

5
ansible/roles/geerlingguy.docker/.yamllint
View file

@ -1,6 +1,11 @@
--- ---
extends: default extends: default
rules: rules:
line-length: line-length:
max: 200 max: 200
level: warning level: warning
ignore: |
.github/stale.yml
.travis.yml

10
ansible/roles/geerlingguy.docker/README.md
View file

@ -1,6 +1,6 @@
# Ansible Role: Docker # Ansible Role: Docker
[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-docker.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-docker) [![CI](https://github.com/geerlingguy/ansible-role-docker/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-docker/actions?query=workflow%3ACI)
An Ansible Role that installs [Docker](https://www.docker.com) on Linux. An Ansible Role that installs [Docker](https://www.docker.com) on Linux.
@ -28,7 +28,7 @@ You can control whether the package is installed, uninstalled, or at the latest
Variables to control the state of the `docker` service, and whether it should start on boot. If you're installing Docker inside a Docker container without systemd or sysvinit, you should set these to `stopped` and set the enabled variable to `no`. Variables to control the state of the `docker` service, and whether it should start on boot. If you're installing Docker inside a Docker container without systemd or sysvinit, you should set these to `stopped` and set the enabled variable to `no`.
docker_install_compose: true docker_install_compose: true
docker_compose_version: "1.25.4" docker_compose_version: "1.26.0"
docker_compose_path: /usr/local/bin/docker-compose docker_compose_path: /usr/local/bin/docker-compose
Docker Compose installation options. Docker Compose installation options.
@ -39,17 +39,17 @@ Docker Compose installation options.
docker_apt_ignore_key_error: True docker_apt_ignore_key_error: True
docker_apt_gpg_key: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg docker_apt_gpg_key: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg
(Used only for Debian/Ubuntu.) You can switch the channel to `edge` if you want to use the Edge release. (Used only for Debian/Ubuntu.) You can switch the channel to `nightly` if you want to use the Nightly release.
You can change `docker_apt_gpg_key` to a different url if you are behind a firewall or provide a trustworthy mirror. You can change `docker_apt_gpg_key` to a different url if you are behind a firewall or provide a trustworthy mirror.
Usually in combination with changing `docker_apt_repository` as well. Usually in combination with changing `docker_apt_repository` as well.
docker_yum_repo_url: https://download.docker.com/linux/centos/docker-{{ docker_edition }}.repo docker_yum_repo_url: https://download.docker.com/linux/centos/docker-{{ docker_edition }}.repo
docker_yum_repo_enable_edge: '0' docker_yum_repo_enable_nightly: '0'
docker_yum_repo_enable_test: '0' docker_yum_repo_enable_test: '0'
docker_yum_gpg_key: https://download.docker.com/linux/centos/gpg docker_yum_gpg_key: https://download.docker.com/linux/centos/gpg
(Used only for RedHat/CentOS.) You can enable the Edge or Test repo by setting the respective vars to `1`. (Used only for RedHat/CentOS.) You can enable the Nightly or Test repo by setting the respective vars to `1`.
You can change `docker_yum_gpg_key` to a different url if you are behind a firewall or provide a trustworthy mirror. You can change `docker_yum_gpg_key` to a different url if you are behind a firewall or provide a trustworthy mirror.
Usually in combination with changing `docker_yum_repository` as well. Usually in combination with changing `docker_yum_repository` as well.

6
ansible/roles/geerlingguy.docker/defaults/main.yml
View file

@ -11,10 +11,10 @@ docker_restart_handler_state: restarted
# Docker Compose options. # Docker Compose options.
docker_install_compose: true docker_install_compose: true
docker_compose_version: "1.25.4" docker_compose_version: "1.26.0"
docker_compose_path: /usr/local/bin/docker-compose docker_compose_path: /usr/local/bin/docker-compose
# Used only for Debian/Ubuntu. Switch 'stable' to 'edge' if needed. # Used only for Debian/Ubuntu. Switch 'stable' to 'nightly' if needed.
docker_apt_release_channel: stable docker_apt_release_channel: stable
docker_apt_arch: amd64 docker_apt_arch: amd64
docker_apt_repository: "deb [arch={{ docker_apt_arch }}] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ docker_apt_release_channel }}" docker_apt_repository: "deb [arch={{ docker_apt_arch }}] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ docker_apt_release_channel }}"
@ -23,7 +23,7 @@ docker_apt_gpg_key: https://download.docker.com/linux/{{ ansible_distribution |
# Used only for RedHat/CentOS/Fedora. # Used only for RedHat/CentOS/Fedora.
docker_yum_repo_url: https://download.docker.com/linux/{{ (ansible_distribution == "Fedora") | ternary("fedora","centos") }}/docker-{{ docker_edition }}.repo docker_yum_repo_url: https://download.docker.com/linux/{{ (ansible_distribution == "Fedora") | ternary("fedora","centos") }}/docker-{{ docker_edition }}.repo
docker_yum_repo_enable_edge: '0' docker_yum_repo_enable_nightly: '0'
docker_yum_repo_enable_test: '0' docker_yum_repo_enable_test: '0'
docker_yum_gpg_key: https://download.docker.com/linux/centos/gpg docker_yum_gpg_key: https://download.docker.com/linux/centos/gpg

4
ansible/roles/geerlingguy.docker/meta/.galaxy_install_info
View file

@ -1,2 +1,2 @@
install_date: Fri May 15 20:32:50 2020 install_date: Sat Feb 20 13:56:42 2021
version: 2.7.0 version: 3.0.0

2
ansible/roles/geerlingguy.docker/meta/main.yml
View file

@ -2,6 +2,7 @@
dependencies: [] dependencies: []
galaxy_info: galaxy_info:
role_name: docker
author: geerlingguy author: geerlingguy
description: Docker for Linux. description: Docker for Linux.
company: "Midwestern Mac, LLC" company: "Midwestern Mac, LLC"
@ -23,6 +24,7 @@ galaxy_info:
versions: versions:
- xenial - xenial
- bionic - bionic
- focal
galaxy_tags: galaxy_tags:
- web - web
- system - system

12
ansible/roles/geerlingguy.docker/molecule/default/converge.yml
View file

@ -8,5 +8,17 @@
apt: update_cache=yes cache_valid_time=600 apt: update_cache=yes cache_valid_time=600
when: ansible_os_family == 'Debian' when: ansible_os_family == 'Debian'
- name: Wait for systemd to complete initialization. # noqa 303
command: systemctl is-system-running
register: systemctl_status
until: >
'running' in systemctl_status.stdout or
'degraded' in systemctl_status.stdout
retries: 30
delay: 5
when: ansible_service_mgr == 'systemd'
changed_when: false
failed_when: systemctl_status.rc > 1
roles: roles:
- role: geerlingguy.docker - role: geerlingguy.docker

4
ansible/roles/geerlingguy.docker/molecule/default/molecule.yml
View file

@ -3,10 +3,6 @@ dependency:
name: galaxy name: galaxy
driver: driver:
name: docker name: docker
lint: |
set -e
yamllint .
ansible-lint
platforms: platforms:
- name: instance - name: instance
image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest" image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"

23
ansible/roles/geerlingguy.docker/tasks/setup-RedHat.yml
View file

@ -20,12 +20,13 @@
group: root group: root
mode: 0644 mode: 0644
- name: Configure Docker Edge repo. - name: Configure Docker Nightly repo.
ini_file: ini_file:
dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo' dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo'
section: 'docker-{{ docker_edition }}-edge' section: 'docker-{{ docker_edition }}-nightly'
option: enabled option: enabled
value: '{{ docker_yum_repo_enable_edge }}' value: '{{ docker_yum_repo_enable_nightly }}'
mode: 0644
- name: Configure Docker Test repo. - name: Configure Docker Test repo.
ini_file: ini_file:
@ -33,9 +34,17 @@
section: 'docker-{{ docker_edition }}-test' section: 'docker-{{ docker_edition }}-test'
option: enabled option: enabled
value: '{{ docker_yum_repo_enable_test }}' value: '{{ docker_yum_repo_enable_test }}'
mode: 0644
- name: Install containerd separately (CentOS 8). - name: Configure containerd on RHEL 8.
package: block:
name: https://download.docker.com/linux/centos/7/x86_64/stable/Packages/containerd.io-1.2.6-3.3.el7.x86_64.rpm - name: Ensure container-selinux is installed.
state: present package:
name: container-selinux
state: present
- name: Ensure containerd.io is installed.
package:
name: containerd.io
state: present
when: ansible_distribution_major_version | int == 8 when: ansible_distribution_major_version | int == 8

2
ansible/roles/geerlingguy.nodejs/meta/.galaxy_install_info
View file

@ -1,2 +1,2 @@
install_date: Fri May 15 20:27:04 2020 install_date: Thu Feb 18 15:39:27 2021
version: 5.1.1 version: 5.1.1

2
ansible/roles/jnv.unattended-upgrades/.ansible-lint Normal file
View file

@ -0,0 +1,2 @@
skip_list:
- '503'

17
ansible/roles/jnv.unattended-upgrades/.github/workflows/ansible-linting-check.yml vendored Normal file
View file

@ -0,0 +1,17 @@
name: Ansible Lint check
# visit https://github.com/marketplace/actions/ansible-lint for infos
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Lint Ansible Playbook
uses: ansible/ansible-lint-action@master
with:
targets: "."

8
ansible/roles/jnv.unattended-upgrades/README.md
View file

@ -46,8 +46,10 @@ On some hosts you may find that the unattended-upgrade's cronfile `/etc/cron.dai
* Default: `false` (don't send any e-mail) * Default: `false` (don't send any e-mail)
* `unattended_mail_only_on_error`: send e-mail only on errors, otherwise e-mail will be sent every time there's a package upgrade. * `unattended_mail_only_on_error`: send e-mail only on errors, otherwise e-mail will be sent every time there's a package upgrade.
* Default: `false` * Default: `false`
* `unattended_remove_unused_dependencies`: do automatic removal of new unused dependencies after the upgrade. * `unattended_remove_unused_dependencies`: do automatic removal of all unused dependencies after the upgrade.
* Default: `false` * Default: `false`
* `unattended_remove_new_unused_dependencies`: do automatic removal of new unused dependencies after the upgrade.
* Default: `true`
* `unattended_automatic_reboot`: Automatically reboot system if any upgraded package requires it, immediately after the upgrade. * `unattended_automatic_reboot`: Automatically reboot system if any upgraded package requires it, immediately after the upgrade.
* Default: `false` * Default: `false`
* `unattended_automatic_reboot_time`: Automatically reboot system if any upgraded package requires it, at the specific time (_HH:MM_) instead of immediately after the upgrade. * `unattended_automatic_reboot_time`: Automatically reboot system if any upgraded package requires it, at the specific time (_HH:MM_) instead of immediately after the upgrade.
@ -56,6 +58,10 @@ On some hosts you may find that the unattended-upgrade's cronfile `/etc/cron.dai
* Default: disabled * Default: disabled
* `unattended_ignore_apps_require_restart`: unattended-upgrades won't automatically upgrade some critical packages requiring restart after an upgrade (i.e. there is `XB-Upgrade-Requires: app-restart` directive in their debian/control file). With this option set to `true`, unattended-upgrades will upgrade these packages regardless of the directive. * `unattended_ignore_apps_require_restart`: unattended-upgrades won't automatically upgrade some critical packages requiring restart after an upgrade (i.e. there is `XB-Upgrade-Requires: app-restart` directive in their debian/control file). With this option set to `true`, unattended-upgrades will upgrade these packages regardless of the directive.
* Default: `false` * Default: `false`
* `unattended_syslog_enable`: Write events to syslog, which is useful in environments where syslog messages are sent to a central store.
* Default: `false`
* `unattended_syslog_facility`: Write events to the specified syslog facility, or the daemon facility if not specified. Will only have affect if `unattended_syslog_enable` is set to `true`.
* Default: `daemon`
* `unattended_verbose`: Define verbosity level of APT for periodic runs. The output will be sent to root. * `unattended_verbose`: Define verbosity level of APT for periodic runs. The output will be sent to root.
* Possible options: * Possible options:
* `0`: no report * `0`: no report

Some files were not shown because too many files have changed in this diff Show more