ungleich-public/public-health-ch
6
1
Fork 0
Code Issues Pull requests 1 Projects Releases Wiki Activity

Merge pull request #32 from loleg/wagtail-2.8

Browse source 
Wagtail 2.9 upgrade
This commit is contained in:
datalets 2020-05-19 14:42:56 +02:00 committed by GitHub
commit 5f2b31ecef
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
330 changed files with 9859 additions and 2139 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
Makefile
View file

@ -1,8 +1,13 @@
export COMPOSE_FILE=./docker-compose.yml export COMPOSE_FILE=./docker-compose.yml
export COMPOSE_PROJECT_NAME=publichealth export COMPOSE_PROJECT_NAME=publichealth
export EMAIL=change_me@localhost.localhost
default: build default: build
local-loaddata:
sed -i 's/\"is_default_site\": true/\"is_default_site\": false/g' publichealth.home.json
python manage.py loaddata publichealth.home.json
upgrade: upgrade:
docker-compose pull docker-compose pull
@ -19,12 +24,10 @@ run-here:
run: run:
docker-compose up -d # detach by default docker-compose up -d # detach by default
restart:
docker-compose stop web
docker-compose up -d web
stop: stop:
docker-compose stop docker-compose stop web
restart: stop run
migrate: migrate:
docker-compose exec web ./manage.py migrate docker-compose exec web ./manage.py migrate
@ -36,19 +39,20 @@ apply-migrations: migrations migrate
setup: setup:
docker-compose exec web ./manage.py migrate docker-compose exec web ./manage.py migrate
docker-compose exec web ./manage.py createsuperuser docker-compose exec web ./manage.py createsuperuser --username admin --email $(EMAIL) --noinput
docker-compose exec web ./manage.py compress
docker-compose exec web ./manage.py collectstatic
release: rebuild:
docker-compose pull docker-compose pull
sudo docker-compose build web docker-compose build web
docker-compose stop web docker-compose stop web
docker-compose kill web docker-compose kill web
docker-compose up -d web
compress:
docker-compose exec web ./manage.py collectstatic --noinput -i media docker-compose exec web ./manage.py collectstatic --noinput -i media
docker-compose exec web ./manage.py compress docker-compose exec web ./manage.py compress
release: rebuild compress run
reindex: reindex:
docker-compose exec web ./manage.py update_index docker-compose exec web ./manage.py update_index
@ -67,10 +71,13 @@ django-shell:
docker-compose exec web ./manage.py shell docker-compose exec web ./manage.py shell
logs: logs:
docker-compose exec web tail /var/log/wagtail/publichealth.log /var/log/wagtail/wagtail.log /var/log/wagtail/error.log
docker-logs:
docker-compose logs -f --tail=500 docker-compose logs -f --tail=500
backup-data: backup-data:
docker-compose exec web ./manage.py dumpdata --natural-foreign -e auth.permission -e contenttypes -e wagtailcore.GroupCollectionPermission -e wagtailimages.rendition -e sessions -e feedler.feedlysettings > ~/publichealth.home.json docker-compose exec web ./manage.py dumpdata --natural-foreign -e auth.permission -e contenttypes -e wagtailcore.GroupCollectionPermission -e wagtailcore.GroupPagePermission -e wagtailimages.rendition -e sessions -e feedler.feedlysettings > ~/publichealth.home.json
zip ~/publichealth.home.json.`date +"%d%m%Y-%H%M"`.zip ~/publichealth.home.json zip ~/publichealth.home.json.`date +"%d%m%Y-%H%M"`.zip ~/publichealth.home.json
rm ~/publichealth.home.json rm ~/publichealth.home.json
@ -81,9 +88,8 @@ backup-images:
backup: backup-data backup-images backup: backup-data backup-images
django-loaddata: loaddata:
gunzip ~/publichealth.home.json.gz docker-compose exec web ./manage.py loaddata publichealth.home.json
docker-compose exec web ./manage.py loaddata ~/publichealth.home.json
restore: django-loaddata restart restore: django-loaddata restart

1
Pipfile
View file

@ -21,6 +21,7 @@ django-el-pagination = "*"
django-libsass = "*" django-libsass = "*"
django-redis = "*" django-redis = "*"
django-social-share = "*" django-social-share = "*"
django-contrib-comments = "*"
elasticsearch = ">=5.0.0,<6.0.0" elasticsearch = ">=5.0.0,<6.0.0"
guess_language-spirit = "*" guess_language-spirit = "*"
gunicorn = "*" gunicorn = "*"

567
Pipfile.lock generated
View file

@ -1,7 +1,7 @@
{ {
"_meta": { "_meta": {
"hash": { "hash": {
"sha256": "670dd22850b5e780924acfba7cfdff5652cf2c97365d58aa7d0c44c3e16feca3" "sha256": "b30c946ad74676a15cd9f3aaa0bf918a2f094e4b9b578ea447e456133a02e48d"
}, },
"pipfile-spec": 6, "pipfile-spec": 6,
"requires": {}, "requires": {},
@ -16,18 +16,18 @@
"default": { "default": {
"beautifulsoup4": { "beautifulsoup4": {
"hashes": [ "hashes": [
"sha256:11a9a27b7d3bddc6d86f59fb76afb70e921a25ac2d6cc55b40d072bd68435a76", "sha256:05fd825eb01c290877657a56df4c6e4c311b3965bda790c613a3d6fb01a5462a",
"sha256:7015e76bf32f1f574636c4288399a6de66ce08fb7b2457f628a8d70c0fbabb11", "sha256:9fbb4d6e48ecd30bcacc5b63b94088192dcda178513b2ae3c394229f8911b887",
"sha256:808b6ac932dccb0a4126558f7dfdcf41710dd44a4ef497a0bb59a77f9f078e89" "sha256:e1505eeed31b0f4ce2dbb3bc8eb256c04cc2b3b72af7d551a4ab6efd5cbe5dae"
], ],
"version": "==4.6.0" "version": "==4.8.2"
}, },
"certifi": { "certifi": {
"hashes": [ "hashes": [
"sha256:017c25db2a153ce562900032d5bc68e9f191e44e9a0f762f373977de9df1fbb3", "sha256:1d987a998c75633c40847cc966fcf5904906c920a7f17ef374f5aa4282abd304",
"sha256:25b64c7da4cd7479594d035c08c2d809eb4aab3a26e5a990ea98cc450c320f1f" "sha256:51fcb31174be6e6664c5f69e3e1691a2d72a1a12e90f872cbdb1567eb47b6519"
], ],
"version": "==2019.11.28" "version": "==2020.4.5.1"
}, },
"chardet": { "chardet": {
"hashes": [ "hashes": [
@ -38,10 +38,10 @@
}, },
"click": { "click": {
"hashes": [ "hashes": [
"sha256:2335065e6395b9e67ca716de5f7526736bfa6ceead690adf616d925bdc622b13", "sha256:d2b5255c7c6349bc1bd1e59e08cd12acbbd63ce649f2588755783aa94dfb6b1a",
"sha256:5b94b49521f6456670fdb30cd82a4eca9412788a93fa6dd6df72c94d5a8ff2d7" "sha256:dacca89f4bfadd5de3d7489b7c8a566eee0d3676333fbb50030263894c38c0dc"
], ],
"version": "==7.0" "version": "==7.1.2"
}, },
"concurrentloghandler": { "concurrentloghandler": {
"hashes": [ "hashes": [
@ -52,10 +52,10 @@
}, },
"contextlib2": { "contextlib2": {
"hashes": [ "hashes": [
"sha256:509f9419ee91cdd00ba34443217d5ca51f5a364a404e1dce9e8979cea969ca48", "sha256:01f490098c18b19d2bd5bb5dc445b2054d2fa97f09a4280ba2c5f3c394c8162e",
"sha256:f5260a6e679d2ff42ec91ec5252f4eeffdcf21053db9113bd0a8e4d953769c00" "sha256:3355078a159fbb44ee60ea80abd0d87b80b78c248643b49aa6d94673b413609b"
], ],
"version": "==0.5.5" "version": "==0.6.0.post1"
}, },
"dj-database-url": { "dj-database-url": {
"hashes": [ "hashes": [
@ -73,26 +73,26 @@
}, },
"django": { "django": {
"hashes": [ "hashes": [
"sha256:1226168be1b1c7efd0e66ee79b0e0b58b2caa7ed87717909cd8a57bb13a7079a", "sha256:69897097095f336d5aeef45b4103dceae51c00afa6d3ae198a2a18e519791b7a",
"sha256:9a4635813e2d498a3c01b10c701fe4a515d76dd290aaa792ccb65ca4ccb6b038" "sha256:6ecd229e1815d4fc5240fc98f1cca78c41e7a8cd3e3f2eefadc4735031077916"
], ],
"index": "pypi", "index": "pypi",
"version": "==2.2.10" "version": "==2.2.12"
}, },
"django-anymail": { "django-anymail": {
"hashes": [ "hashes": [
"sha256:7930d5f841c9be7e044a9e6bf3492aedf7aa641716b6c1f8f52411658f674131", "sha256:7af1076f383fb3b62b301949ea8f7d87a41376015309ffc35a246a1726060429",
"sha256:dfa4a00a1608d40893cf818ed3632046a0bb01cf2a2bb3a64d31ff146151533a" "sha256:a2bd7a40aa91a1033892630652d3ca8148de70fa2927eb4eebde239fe705f0f4"
], ],
"index": "pypi", "index": "pypi",
"version": "==7.0.0" "version": "==7.1.0"
}, },
"django-appconf": { "django-appconf": {
"hashes": [ "hashes": [
"sha256:35f13ca4d567f132b960e2cd4c832c2d03cb6543452d34e29b7ba10371ba80e3", "sha256:1b1d0e1069c843ebe8ae5aa48ec52403b1440402b320c3e3a206a0907e97bb06",
"sha256:c98a7af40062e996b921f5962a1c4f3f0c979fa7885f7be4710cceb90ebe13a6" "sha256:be58deb54a43d77d2e1621fe59f787681376d3cd0b8bd8e4758ef6c3a6453380"
], ],
"version": "==1.0.3" "version": "==1.0.4"
}, },
"django-colorful": { "django-colorful": {
"hashes": [ "hashes": [
@ -109,57 +109,66 @@
], ],
"version": "==2.4" "version": "==2.4"
}, },
"django-crispy-forms": { "django-contrib-comments": {
"hashes": [ "hashes": [
"sha256:5952bab971110d0b86c278132dae0aa095beee8f723e625c3d3fa28888f1675f", "sha256:b83320a86081a76bc0570e6cc0f924c0ced40b46ae9f5dd783ab2c745b449529",
"sha256:705ededc554ad8736157c666681165fe22ead2dec0d5446d65fc9dd976a5a876" "sha256:d1232bade3094de07dcc205fc833204384e71ba9d30caadcb5bb2882ce8e8d31"
], ],
"index": "pypi", "index": "pypi",
"version": "==1.7.2" "version": "==1.9.2"
},
"django-crispy-forms": {
"hashes": [
"sha256:ad943285508f0ed0e271d00399b9399c22b8795a4f969029bce0fd29522a8e2d",
"sha256:fbe9c2c9698b6590afe37940cb08194d1e722015f6bc5bee83f679362406ea30"
],
"index": "pypi",
"version": "==1.9.1"
}, },
"django-el-pagination": { "django-el-pagination": {
"hashes": [ "hashes": [
"sha256:4ef652f65350b754028f0c23d72dcd60461215b589f269bc23f78ee00b96d0f8" "sha256:46cb7311b4c7a35690ff0a972e71c782f3cfcd42968ef78993b7980377e9860e"
], ],
"index": "pypi", "index": "pypi",
"version": "==3.2.4" "version": "==3.3.0"
}, },
"django-libsass": { "django-libsass": {
"hashes": [ "hashes": [
"sha256:49db3334b87e1f7955c4f9fb9945bc296f8bfd27a14d6d89706e4b0e5dc5de1c" "sha256:38fab4ce1245542f3afd7248dc48f8a0b261f5f6c61e7cc43969a9c9079b5ffd",
"sha256:3e74fd8e75ac0e6ebc0443efc3e530167981bf279fecc2294094c820ae266fbb"
], ],
"index": "pypi", "index": "pypi",
"version": "==0.7" "version": "==0.8"
}, },
"django-modelcluster": { "django-modelcluster": {
"hashes": [ "hashes": [
"sha256:09483ff1ede3cd87b56b0e6f732d33334c843adc6506dfed26c02998222751fe", "sha256:09e4242119f04e81bfab25c77b09cb6e9d469dc14b14e71f04cd358c7256bc2a",
"sha256:de1b5cd348fd4929491ef2a9ba29d9b5a3fccd3bf6a15218fa1aa5be49d06070" "sha256:6f857bb0251c0982afeb35474aeedb3ec72260df81a0262188df8108067467ba"
], ],
"version": "==4.4.1" "version": "==5.0.1"
}, },
"django-redis": { "django-redis": {
"hashes": [ "hashes": [
"sha256:af0b393864e91228dd30d8c85b5c44d670b5524cb161b7f9e41acc98b6e5ace7", "sha256:a5b1e3ffd3198735e6c529d9bdf38ca3fcb3155515249b98dc4d966b8ddf9d2b",
"sha256:f46115577063d00a890867c6964ba096057f07cb756e78e0503b89cd18e4e083" "sha256:e1aad4cc5bd743d8d0b13d5cae0cef5410eaace33e83bff5fc3a139ad8db50b4"
], ],
"index": "pypi", "index": "pypi",
"version": "==4.10.0" "version": "==4.11.0"
}, },
"django-social-share": { "django-social-share": {
"hashes": [ "hashes": [
"sha256:27ce07b885e087ee7fa0fffc82d295b06a7b0bcf18d693ff8a619337bf7069e5", "sha256:605f96810a4f736df8113c8da6f65307e4f53bec5c7af28ba08095e49778c3de",
"sha256:3627eb7fc8425dd45dabb7dfa17da5edec976e0d2c609c342aa763c7a24a69f0" "sha256:74a472a61b33992f03db339a76978cdc379a41d86437451ab64e686f3a6ddb63"
], ],
"index": "pypi", "index": "pypi",
"version": "==1.3.2" "version": "==1.4.0"
}, },
"django-taggit": { "django-taggit": {
"hashes": [ "hashes": [
"sha256:710b4d15ec1996550cc68a0abbc41903ca7d832540e52b1336e6858737e410d8", "sha256:4186a6ce1e1e9af5e2db8dd3479c5d31fa11a87d216a2ce5089ba3afde24a2c5",
"sha256:bb8f27684814cd1414b2af75b857b5e26a40912631904038a7ecacd2bfafc3ac" "sha256:bd1ec80b813d60adadaa94dcce4bfd971cb4ae717b07e69fedbd38d417deb6e9"
], ],
"version": "==0.24.0" "version": "==1.2.0"
}, },
"django-toolbelt": { "django-toolbelt": {
"hashes": [ "hashes": [
@ -204,11 +213,11 @@
}, },
"gunicorn": { "gunicorn": {
"hashes": [ "hashes": [
"sha256:aa8e0b40b4157b36a5df5e599f45c9c76d6af43845ba3b3b0efe2c70473c2471", "sha256:1904bb2b8a43658807108d59c3f3d56c2b6121a701161de0ddf9ad140073c626",
"sha256:fa2662097c66f920f53f70621c6c58ca4a3c4d3434205e608e121b5b3b71f4f3" "sha256:cd4a810dd51bf497552cf3f863b575dabd73d6ad6a91075b65936b151cbf4f9c"
], ],
"index": "pypi", "index": "pypi",
"version": "==19.9.0" "version": "==20.0.4"
}, },
"html5lib": { "html5lib": {
"hashes": [ "hashes": [
@ -219,178 +228,178 @@
}, },
"humanize": { "humanize": {
"hashes": [ "hashes": [
"sha256:3478104dcb9e111991ad141b15c9bf9522aa00ccfc5144561d639b3372e1d064", "sha256:07dd1293bac6c77daa5ccdc22c0b41b2315bee0e339a9f035ba86a9f1a272002",
"sha256:38ace9b66bcaeb7f8186b9dbf0b3448e00148e5b4fbaf726f96c789e52c3e741" "sha256:42ae7d54b398c01bd100847f6cb0fc9e381c21be8ad3f8e2929135e48dbff026"
], ],
"version": "==1.0.0" "version": "==2.4.0"
}, },
"idna": { "idna": {
"hashes": [ "hashes": [
"sha256:c357b3f628cf53ae2c4c05627ecc484553142ca23264e593d327bcde5e9c3407", "sha256:7588d1c14ae4c77d74036e8c22ff447b26d0fde8f007354fd48a7814db15b7cb",
"sha256:ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c" "sha256:a068a21ceac8a4d63dbfd964670474107f541babbd2250d61922f029858365fa"
], ],
"version": "==2.8" "version": "==2.9"
},
"l18n": {
"hashes": [
"sha256:46e72c980d06a7511726f1da10a32fa524f7e2937c0af5ad52d39577024a4382"
],
"version": "==2018.5"
}, },
"libsass": { "libsass": {
"hashes": [ "hashes": [
"sha256:1877d9ac68fd13dddb15406ef4872ba833fd828e87a2ac27f74bfba45390f4ce", "sha256:107c409524c6a4ed14410fa9dafa9ee59c6bd3ecae75d73af749ab2b75685726",
"sha256:2457723fe04f4e690105f758aa125e809afc840812965095fa3f4edccd6275ef", "sha256:3bc0d68778b30b5fa83199e18795314f64b26ca5871e026343e63934f616f7f7",
"sha256:2974772e7984b27a51a6d91ebc140183ddd574a9663bd02154ddfb75f13a3eed", "sha256:5c8ff562b233734fbc72b23bb862cc6a6f70b1e9bf85a58422aa75108b94783b",
"sha256:2d067ce4f393fee2ce52bb810a364deac5454dfdb7945d31d1f4265f21f03ab8", "sha256:74f6fb8da58179b5d86586bc045c16d93d55074bc7bb48b6354a4da7ac9f9dfd",
"sha256:57d0b99c4e3512233a44141f1bf852570d359724a606dfc4550eccd0f570460d", "sha256:7555d9b24e79943cfafac44dbb4ca7e62105c038de7c6b999838c9ff7b88645d",
"sha256:5b604e4f5befdecc76240c2ba243fd7e23c642ffc2dd86cbfd094a44ead6b08d", "sha256:794f4f4661667263e7feafe5cc866e3746c7c8a9192b2aa9afffdadcbc91c687",
"sha256:5dd647ffa1319a2a18572f41fee3bb561d7f77d8d4784074a00b2eb22c61a859", "sha256:8cf72552b39e78a1852132e16b706406bc76029fe3001583284ece8d8752a60a",
"sha256:78f3f14e47612be4fa4b161278f2a3e880a19b6a3367f749e9ae240434b7e7f5", "sha256:98f6dee9850b29e62977a963e3beb3cfeb98b128a267d59d2c3d675e298c8d57",
"sha256:8d423e4b4c0e219488104b4ec4267688dbd816f3ae806beb4201918eff059b2d", "sha256:a43f3830d83ad9a7f5013c05ce239ca71744d0780dad906587302ac5257bce60",
"sha256:a20473b0427d82e37fa68f0b3a8d219f0bb5ca6d3f7d93b0f5342219285e7064", "sha256:b077261a04ba1c213e932943208471972c5230222acb7fa97373e55a40872cbb",
"sha256:c1f76c2a0993914f3c3088e9b6c7031f22e879c5d27a060cdc8c5aa1318eb9b6", "sha256:b7452f1df274b166dc22ee2e9154c4adca619bcbbdf8041a7aa05f372a1dacbc",
"sha256:c99fbc950f1955e8b6370aafdb9d84d324e4984a2e00a2b47f04dbcc3706a9d1", "sha256:e6a547c0aa731dcb4ed71f198e814bee0400ce04d553f3f12a53bc3a17f2a481",
"sha256:cb50f385117535f7671ac7ff3144c1ef0b8e088778c58d269ce6f31b87bfad72", "sha256:fd19c8f73f70ffc6cbcca8139da08ea9a71fc48e7dfc4bb236ad88ab2d6558f1"
"sha256:f0f033a8154be60e1a2e1f79ee849ea69a1d62e5d476a78f69e4c7d8fd7c20e1",
"sha256:f2572b73b2e13e74b28388ae86c4fabb853ddbfc12279b4444243bd614710ce8",
"sha256:f8790db67e00c5bc7be1bdd81ed477563a4b191e839193ecc0c2c5ec679ec481"
], ],
"index": "pypi", "index": "pypi",
"version": "==0.19.2" "version": "==0.20.0"
}, },
"pillow": { "pillow": {
"hashes": [ "hashes": [
"sha256:00fdeb23820f30e43bba78eb9abb00b7a937a655de7760b2e09101d63708b64e", "sha256:04766c4930c174b46fd72d450674612ab44cca977ebbcc2dde722c6933290107",
"sha256:01f948e8220c85eae1aa1a7f8edddcec193918f933fb07aaebe0bfbbcffefbf1", "sha256:0e2a3bceb0fd4e0cb17192ae506d5f082b309ffe5fc370a5667959c9b2f85fa3",
"sha256:08abf39948d4b5017a137be58f1a52b7101700431f0777bec3d897c3949f74e6", "sha256:0f01e63c34f0e1e2580cc0b24e86a5ccbbfa8830909a52ee17624c4193224cd9",
"sha256:099a61618b145ecb50c6f279666bbc398e189b8bc97544ae32b8fcb49ad6b830", "sha256:12e4bad6bddd8546a2f9771485c7e3d2b546b458ae8ff79621214119ac244523",
"sha256:2c1c61546e73de62747e65807d2cc4980c395d4c5600ecb1f47a650c6fa78c79", "sha256:1f694e28c169655c50bb89a3fa07f3b854d71eb47f50783621de813979ba87f3",
"sha256:2ed9c4f694861642401f27dc3cb99772be67cd190e84845c749dae0a06c3bfae", "sha256:3d25dd8d688f7318dca6d8cd4f962a360ee40346c15893ae3b95c061cdbc4079",
"sha256:338581b30b908e111be578f0297255f6b57a51358cd16fa0e6f664c9a1f88bff", "sha256:4b02b9c27fad2054932e89f39703646d0c543f21d3cc5b8e05434215121c28cd",
"sha256:38c7d48a21cd06fdeee93987147b9b1c55b73b4cfcbf83240568bfbd5adee447", "sha256:9744350687459234867cbebfe9df8f35ef9e1538f3e729adbd8fde0761adb705",
"sha256:43fd026f613c8e48a25eba1a92f4d2ad7f3903c95d8c33a11611a7717d2ab654", "sha256:a0b49960110bc6ff5fead46013bcb8825d101026d466f3a4de3476defe0fb0dd",
"sha256:4548236844327a718ce3bb182ab32a16fa2050c61e334e959f554cac052fb0df", "sha256:ae2b270f9a0b8822b98655cb3a59cdb1bd54a34807c6c56b76dd2e786c3b7db3",
"sha256:5090857876c58885cfa388dc649e5db30aae98a068c26f3fd0ac9d7d9a4d9572", "sha256:b37bb3bd35edf53125b0ff257822afa6962649995cbdfde2791ddb62b239f891",
"sha256:5bbba34f97a26a93f5e8dec469ca4ddd712451418add43da946dbaed7f7a98d2", "sha256:b532bcc2f008e96fd9241177ec580829dee817b090532f43e54074ecffdcd97f",
"sha256:65a28969a025a0eb4594637b6103201dc4ed2a9508bdab56ac33e43e3081c404", "sha256:b67a6c47ed963c709ed24566daa3f95a18f07d3831334da570c71da53d97d088",
"sha256:892bb52b70bd5ea9dbbc3ac44f38e84f5a04e9d8b1bff48159d96cb795b81159", "sha256:b943e71c2065ade6fef223358e56c167fc6ce31c50bc7a02dd5c17ee4338e8ac",
"sha256:8a9becd5cbd5062f973bcd2e7bc79483af310222de112b6541f8af1f93a3cc42", "sha256:ccc9ad2460eb5bee5642eaf75a0438d7f8887d484490d5117b98edd7f33118b7",
"sha256:972a7aaeb7c4a2795b52eef52ee991ef040b31009f36deca6207a986607b55f3", "sha256:d23e2aa9b969cf9c26edfb4b56307792b8b374202810bd949effd1c6e11ebd6d",
"sha256:97b119c436bfa96a92ac2ca525f7025836d4d4e64b1c9f9eff8dbaf3ff1d86f3", "sha256:eaa83729eab9c60884f362ada982d3a06beaa6cc8b084cf9f76cae7739481dfa",
"sha256:9ba37698e242223f8053cc158f130aee046a96feacbeab65893dbe94f5530118", "sha256:ee94fce8d003ac9fd206496f2707efe9eadcb278d94c271f129ab36aa7181344",
"sha256:b1b0e1f626a0f079c0d3696db70132fb1f29aa87c66aecb6501a9b8be64ce9f7", "sha256:f455efb7a98557412dc6f8e463c1faf1f1911ec2432059fa3e582b6000fc90e2",
"sha256:c14c1224fd1a5be2733530d648a316974dbbb3c946913562c6005a76f21ca042", "sha256:f46e0e024346e1474083c729d50de909974237c72daca05393ee32389dabe457",
"sha256:c79a8546c48ae6465189e54e3245a97ddf21161e33ff7eaa42787353417bb2b6", "sha256:f54be399340aa602066adb63a86a6a5d4f395adfdd9da2b9a0162ea808c7b276",
"sha256:ceb76935ac4ebdf6d7bc845482a4450b284c6ccfb281e34da51d510658ab34d8", "sha256:f784aad988f12c80aacfa5b381ec21fd3f38f851720f652b9f33facc5101cf4d"
"sha256:e22bffaad04b4d16e1c091baed7f2733fc1ebb91e0c602abf1b6834d17158b1f",
"sha256:ec883b8e44d877bda6f94a36313a1c6063f8b1997aa091628ae2f34c7f97c8d5",
"sha256:f1baa54d50ec031d1a9beb89974108f8f2c0706f49798f4777df879df0e1adb6",
"sha256:f53a5385932cda1e2c862d89460992911a89768c65d176ff8c50cddca4d29bed"
], ],
"index": "pypi", "index": "pypi",
"version": "==6.2.0" "version": "==7.1.2"
}, },
"psutil": { "psutil": {
"hashes": [ "hashes": [
"sha256:094f899ac3ef72422b7e00411b4ed174e3c5a2e04c267db6643937ddba67a05b", "sha256:1413f4158eb50e110777c4f15d7c759521703bd6beb58926f1d562da40180058",
"sha256:10b7f75cc8bd676cfc6fa40cd7d5c25b3f45a0e06d43becd7c2d2871cbb5e806", "sha256:298af2f14b635c3c7118fd9183843f4e73e681bb6f01e12284d4d70d48a60953",
"sha256:1b1575240ca9a90b437e5a40db662acd87bbf181f6aa02f0204978737b913c6b", "sha256:60b86f327c198561f101a92be1995f9ae0399736b6eced8f24af41ec64fb88d4",
"sha256:21231ef1c1a89728e29b98a885b8e0a8e00d09018f6da5cdc1f43f988471a995", "sha256:685ec16ca14d079455892f25bd124df26ff9137664af445563c1bd36629b5e0e",
"sha256:28f771129bfee9fc6b63d83a15d857663bbdcae3828e1cb926e91320a9b5b5cd", "sha256:73f35ab66c6c7a9ce82ba44b1e9b1050be2a80cd4dcc3352cc108656b115c74f",
"sha256:70387772f84fa5c3bb6a106915a2445e20ac8f9821c5914d7cbde148f4d7ff73", "sha256:75e22717d4dbc7ca529ec5063000b2b294fc9a367f9c9ede1f65846c7955fd38",
"sha256:b560f5cd86cf8df7bcd258a851ca1ad98f0d5b8b98748e877a0aec4e9032b465", "sha256:a02f4ac50d4a23253b68233b07e7cdb567bd025b982d5cf0ee78296990c22d9e",
"sha256:b74b43fecce384a57094a83d2778cdfc2e2d9a6afaadd1ebecb2e75e0d34e10d", "sha256:d008ddc00c6906ec80040d26dc2d3e3962109e40ad07fd8a12d0284ce5e0e4f8",
"sha256:e85f727ffb21539849e6012f47b12f6dd4c44965e56591d8dec6e8bc9ab96f4a", "sha256:d84029b190c8a66a946e28b4d3934d2ca1528ec94764b180f7d6ea57b0e75e26",
"sha256:fd2e09bb593ad9bdd7429e779699d2d47c1268cbde4dda95fcd1bd17544a0217", "sha256:e2d0c5b07c6fe5a87fa27b7855017edb0d52ee73b71e6ee368fae268605cc3f5",
"sha256:ffad8eb2ac614518bbe3c0b8eb9dffdb3a8d2e3a7d5da51c5b974fb723a5c5aa" "sha256:f344ca230dd8e8d5eee16827596f1c22ec0876127c28e800d7ae20ed44c4b310"
], ],
"version": "==5.6.7" "version": "==5.7.0"
}, },
"psycopg2": { "psycopg2": {
"hashes": [ "hashes": [
"sha256:4212ca404c4445dc5746c0d68db27d2cbfb87b523fe233dc84ecd24062e35677", "sha256:132efc7ee46a763e68a815f4d26223d9c679953cd190f1f218187cb60decf535",
"sha256:47fc642bf6f427805daf52d6e52619fe0637648fe27017062d898f3bf891419d", "sha256:2327bf42c1744a434ed8ed0bbaa9168cac7ee5a22a9001f6fc85c33b8a4a14b7",
"sha256:72772181d9bad1fa349792a1e7384dde56742c14af2b9986013eb94a240f005b", "sha256:27c633f2d5db0fc27b51f1b08f410715b59fa3802987aec91aeb8f562724e95c",
"sha256:8396be6e5ff844282d4d49b81631772f80dabae5658d432202faf101f5283b7c", "sha256:2c0afb40cfb4d53487ee2ebe128649028c9a78d2476d14a67781e45dc287f080",
"sha256:893c11064b347b24ecdd277a094413e1954f8a4e8cdaf7ffbe7ca3db87c103f0", "sha256:2df2bf1b87305bd95eb3ac666ee1f00a9c83d10927b8144e8e39644218f4cf81",
"sha256:92a07dfd4d7c325dd177548c4134052d4842222833576c8391aab6f74038fc3f", "sha256:440a3ea2c955e89321a138eb7582aa1d22fe286c7d65e26a2c5411af0a88ae72",
"sha256:965c4c93e33e6984d8031f74e51227bd755376a9df6993774fd5b6fb3288b1f4", "sha256:6a471d4d2a6f14c97a882e8d3124869bc623f3df6177eefe02994ea41fd45b52",
"sha256:9ab75e0b2820880ae24b7136c4d230383e07db014456a476d096591172569c38", "sha256:6b306dae53ec7f4f67a10942cf8ac85de930ea90e9903e2df4001f69b7833f7e",
"sha256:b0845e3bdd4aa18dc2f9b6fb78fbd3d9d371ad167fd6d1b7ad01c0a6cdad4fc6", "sha256:a0984ff49e176062fcdc8a5a2a670c9bb1704a2f69548bce8f8a7bad41c661bf",
"sha256:dca2d7203f0dfce8ea4b3efd668f8ea65cd2b35112638e488a4c12594015f67b", "sha256:ac5b23d0199c012ad91ed1bbb971b7666da651c6371529b1be8cbe2a7bf3c3a9",
"sha256:ed686e5926929887e2c7ae0a700e32c6129abb798b4ad2b846e933de21508151", "sha256:acf56d564e443e3dea152efe972b1434058244298a94348fc518d6dd6a9fb0bb",
"sha256:ef6df7e14698e79c59c7ee7cf94cd62e5b869db369ed4b1b8f7b729ea825712a", "sha256:d3b29d717d39d3580efd760a9a46a7418408acebbb784717c90d708c9ed5f055",
"sha256:f898e5cc0a662a9e12bde6f931263a1bbd350cfb18e1d5336a12927851825bb6" "sha256:f7d46240f7a1ae1dd95aab38bd74f7428d46531f69219954266d669da60c0818"
], ],
"version": "==2.8.4" "version": "==2.8.5"
}, },
"psycopg2-binary": { "psycopg2-binary": {
"hashes": [ "hashes": [
"sha256:080c72714784989474f97be9ab0ddf7b2ad2984527e77f2909fcd04d4df53809", "sha256:008da3ab51adc70a5f1cfbbe5db3a22607ab030eb44bcecf517ad11a0c2b3cac",
"sha256:110457be80b63ff4915febb06faa7be002b93a76e5ba19bf3f27636a2ef58598", "sha256:07cf82c870ec2d2ce94d18e70c13323c89f2f2a2628cbf1feee700630be2519a",
"sha256:171352a03b22fc099f15103959b52ee77d9a27e028895d7e5fde127aa8e3bac5", "sha256:08507efbe532029adee21b8d4c999170a83760d38249936038bd0602327029b5",
"sha256:19d013e7b0817087517a4b3cab39c084d78898369e5c46258aab7be4f233d6a1", "sha256:107d9be3b614e52a192719c6bf32e8813030020ea1d1215daa86ded9a24d8b04",
"sha256:249b6b21ae4eb0f7b8423b330aa80fab5f821b9ffc3f7561a5e2fd6bb142cf5d", "sha256:17a0ea0b0eabf07035e5e0d520dabc7950aeb15a17c6d36128ba99b2721b25b1",
"sha256:2ac0731d2d84b05c7bb39e85b7e123c3a0acd4cda631d8d542802c88deb9e87e", "sha256:3286541b9d85a340ee4ed42732d15fc1bb441dc500c97243a768154ab8505bb5",
"sha256:2b6d561193f0dc3f50acfb22dd52ea8c8dfbc64bcafe3938b5f209cc17cb6f00", "sha256:3939cf75fc89c5e9ed836e228c4a63604dff95ad19aed2bbf71d5d04c15ed5ce",
"sha256:2bd23e242e954214944481124755cbefe7c2cf563b1a54cd8d196d502f2578bf", "sha256:40abc319f7f26c042a11658bf3dd3b0b3bceccf883ec1c565d5c909a90204434",
"sha256:3e1239242ca60b3725e65ab2f13765fc199b03af9eaf1b5572f0e97bdcee5b43", "sha256:51f7823f1b087d2020d8e8c9e6687473d3d239ba9afc162d9b2ab6e80b53f9f9",
"sha256:3eb70bb697abbe86b1d2b1316370c02ba320bfd1e9e35cf3b9566a855ea8e4e5", "sha256:6bb2dd006a46a4a4ce95201f836194eb6a1e863f69ee5bab506673e0ca767057",
"sha256:51a2fc7e94b98bd1bb5d4570936f24fc2b0541b63eccadf8fdea266db8ad2f70", "sha256:702f09d8f77dc4794651f650828791af82f7c2efd8c91ae79e3d9fe4bb7d4c98",
"sha256:52f1bdafdc764b7447e393ed39bb263eccb12bfda25a4ac06d82e3a9056251f6", "sha256:7036ccf715925251fac969f4da9ad37e4b7e211b1e920860148a10c0de963522",
"sha256:5b3581319a3951f1e866f4f6c5e42023db0fae0284273b82e97dfd32c51985cd", "sha256:7b832d76cc65c092abd9505cc670c4e3421fd136fb6ea5b94efbe4c146572505",
"sha256:63c1b66e3b2a3a336288e4bcec499e0dc310cd1dceaed1c46fa7419764c68877", "sha256:8f74e631b67482d504d7e9cf364071fc5d54c28e79a093ff402d5f8f81e23bfa",
"sha256:8123a99f24ecee469e5c1339427bcdb2a33920a18bb5c0d58b7c13f3b0298ba3", "sha256:930315ac53dc65cbf52ab6b6d27422611f5fb461d763c531db229c7e1af6c0b3",
"sha256:85e699fcabe7f817c0f0a412d4e7c6627e00c412b418da7666ff353f38e30f67", "sha256:96d3038f5bd061401996614f65d27a4ecb62d843eb4f48e212e6d129171a721f",
"sha256:8dbff4557bbef963697583366400822387cccf794ccb001f1f2307ed21854c68", "sha256:a20299ee0ea2f9cca494396ac472d6e636745652a64a418b39522c120fd0a0a4",
"sha256:908d21d08d6b81f1b7e056bbf40b2f77f8c499ab29e64ec5113052819ef1c89b", "sha256:a34826d6465c2e2bbe9d0605f944f19d2480589f89863ed5f091943be27c9de4",
"sha256:af39d0237b17d0a5a5f638e9dffb34013ce2b1d41441fd30283e42b22d16858a", "sha256:a69970ee896e21db4c57e398646af9edc71c003bc52a3cc77fb150240fefd266",
"sha256:af51bb9f055a3f4af0187149a8f60c9d516cf7d5565b3dac53358796a8fb2a5b", "sha256:b9a8b391c2b0321e0cd7ec6b4cfcc3dd6349347bd1207d48bcb752aa6c553a66",
"sha256:b2ecac57eb49e461e86c092761e6b8e1fd9654dbaaddf71a076dcc869f7014e2", "sha256:ba13346ff6d3eb2dca0b6fa0d8a9d999eff3dcd9b55f3a890f12b0b6362b2b38",
"sha256:cd37cc170678a4609becb26b53a2bc1edea65177be70c48dd7b39a1149cabd6e", "sha256:bb0608694a91db1e230b4a314e8ed00ad07ed0c518f9a69b83af2717e31291a3",
"sha256:d17e3054b17e1a6cb8c1140f76310f6ede811e75b7a9d461922d2c72973f583e", "sha256:c8830b7d5f16fd79d39b21e3d94f247219036b29b30c8270314c46bf8b732389",
"sha256:d305313c5a9695f40c46294d4315ed3a07c7d2b55e48a9010dad7db7a66c8b7f", "sha256:cac918cd7c4c498a60f5d2a61d4f0a6091c2c9490d81bc805c963444032d0dab",
"sha256:dd0ef0eb1f7dd18a3f4187226e226a7284bda6af5671937a221766e6ef1ee88f", "sha256:cc30cb900f42c8a246e2cb76539d9726f407330bc244ca7729c41a44e8d807fb",
"sha256:e1adff53b56db9905db48a972fb89370ad5736e0450b96f91bcf99cadd96cfd7", "sha256:ccdc6a87f32b491129ada4b87a43b1895cf2c20fdb7f98ad979647506ffc41b6",
"sha256:f0d43828003c82dbc9269de87aa449e9896077a71954fbbb10a614c017e65737", "sha256:d1a8b01f6a964fec702d6b6dac1f91f2b9f9fe41b310cbb16c7ef1fac82df06d",
"sha256:f78e8b487de4d92640105c1389e5b90be3496b1d75c90a666edd8737cc2dbab7" "sha256:e004db88e5a75e5fdab1620fb9f90c9598c2a195a594225ac4ed2a6f1c23e162",
"sha256:eb2f43ae3037f1ef5e19339c41cf56947021ac892f668765cd65f8ab9814192e",
"sha256:fa466306fcf6b39b8a61d003123d442b23707d635a5cb05ac4e1b62cc79105cd"
], ],
"index": "pypi", "index": "pypi",
"version": "==2.8.3" "version": "==2.8.5"
}, },
"puput": { "puput": {
"hashes": [ "hashes": [
"sha256:4d952767b60b0a4969b0146a548586e9485b55ea3b047589d89d3dafd1fd0d0b", "sha256:7562bd70b0cbeedb02b0991b72ce7a947b4167bb23dc5fe20d7b38f399bc7f95"
"sha256:ffdcde19b0e08cc1d0a97da6df110a6428db9d2505ba387033ad5ba197eec05d"
], ],
"index": "pypi", "index": "pypi",
"version": "==1.0.5" "version": "==1.1.0"
}, },
"python-dotenv": { "python-dotenv": {
"hashes": [ "hashes": [
"sha256:debd928b49dbc2bf68040566f55cdb3252458036464806f4094487244e2a4093", "sha256:25c0ff1a3e12f4bde8d592cc254ab075cfe734fc5dd989036716fd17ee7e5ec7",
"sha256:f157d71d5fec9d4bd5f51c82746b6344dffa680ee85217c123f4a0c8117c4544" "sha256:3b9909bc96b0edc6b01586e1eed05e71174ef4e04c71da5786370cebea53ad74"
], ],
"index": "pypi", "index": "pypi",
"version": "==0.10.3" "version": "==0.13.0"
}, },
"pytz": { "pytz": {
"hashes": [ "hashes": [
"sha256:1c557d7d0e871de1f5ccd5833f60fb2550652da6be2693c1e02300743d21500d", "sha256:a494d53b6d39c3c6e44c3bec237336e14305e4f29bbf800b599253057fbb79ed",
"sha256:b02c06db6cf09c12dd25137e563b31700d3b80fcc4ad23abb7a315f2789819be" "sha256:c35965d010ce31b23eeb663ed3cc8c906275d6be1a34393a1d73a41febf4a048"
], ],
"version": "==2019.3" "version": "==2020.1"
}, },
"pyyaml": { "pyyaml": {
"hashes": [ "hashes": [
"sha256:059b2ee3194d718896c0ad077dd8c043e5e909d9180f387ce42012662a4946d6", "sha256:06a0d7ba600ce0b2d2fe2e78453a470b5a6e000a985dd4a4e54e436cc36b0e97",
"sha256:1cf708e2ac57f3aabc87405f04b86354f66799c8e62c28c5fc5f88b5521b2dbf", "sha256:240097ff019d7c70a4922b6869d8a86407758333f02203e0fc6ff79c5dcede76",
"sha256:24521fa2890642614558b492b473bee0ac1f8057a7263156b02e8b14c88ce6f5", "sha256:4f4b913ca1a7319b33cfb1369e91e50354d6f07a135f3b901aca02aa95940bd2",
"sha256:4fee71aa5bc6ed9d5f116327c04273e25ae31a3020386916905767ec4fc5317e", "sha256:69f00dca373f240f842b2931fb2c7e14ddbacd1397d57157a9b005a6a9942648",
"sha256:70024e02197337533eef7b85b068212420f950319cc8c580261963aefc75f811", "sha256:73f099454b799e05e5ab51423c7bcf361c58d3206fa7b0d555426b1f4d9a3eaf",
"sha256:74782fbd4d4f87ff04159e986886931456a1894c61229be9eaf4de6f6e44b99e", "sha256:74809a57b329d6cc0fdccee6318f44b9b8649961fa73144a98735b0aaf029f1f",
"sha256:940532b111b1952befd7db542c370887a8611660d2b9becff75d39355303d82d", "sha256:7739fc0fa8205b3ee8808aea45e968bc90082c10aef6ea95e855e10abf4a37b2",
"sha256:cb1f2f5e426dc9f07a7681419fe39cee823bb74f723f36f70399123f439e9b20", "sha256:95f71d2af0ff4227885f7a6605c37fd53d3a106fcab511b8860ecca9fcf400ee",
"sha256:dbbb2379c19ed6042e8f11f2a2c66d39cceb8aeace421bfc29d085d93eda3689", "sha256:b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d",
"sha256:e3a057b7a64f1222b56e47bcff5e4b94c4f61faac04c7c4ecb1985e18caa3994", "sha256:cc8955cfbfc7a115fa81d85284ee61147059a753344bc51098f3ccd69b0d7e0c",
"sha256:e9f45bd5b92c7974e59bcd2dcc8631a6b6cc380a904725fce7bc08872e691615" "sha256:d13155f591e6fcc1ec3b30685d50bf0711574e2c0dfffd7644babf8b5102ca1a"
], ],
"version": "==5.3" "version": "==5.3.1"
}, },
"rcssmin": { "rcssmin": {
"hashes": [ "hashes": [
@ -400,17 +409,17 @@
}, },
"redis": { "redis": {
"hashes": [ "hashes": [
"sha256:0dcfb335921b88a850d461dc255ff4708294943322bd55de6cfd68972490ca1f", "sha256:2ef11f489003f151777c064c5dbc6653dfb9f3eade159bcadc524619fddc2242",
"sha256:b205cffd05ebfd0a468db74f0eedbff8df1a7bfc47521516ade4692991bb0833" "sha256:6d65e84bc58091140081ee9d9c187aab0480097750fac44239307a3bdf0b1251"
], ],
"version": "==3.4.1" "version": "==3.5.2"
}, },
"requests": { "requests": {
"hashes": [ "hashes": [
"sha256:11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4", "sha256:43999036bfa82904b6af1d99e4882b560e5e2c68e5c4b0aa03b655f3d7d73fee",
"sha256:9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31" "sha256:b3f43d496c6daba4493e7c431722aeb7dbc6288f52a6e04e7b6023b0247817e6"
], ],
"version": "==2.22.0" "version": "==2.23.0"
}, },
"rjsmin": { "rjsmin": {
"hashes": [ "hashes": [
@ -432,10 +441,10 @@
}, },
"schema": { "schema": {
"hashes": [ "hashes": [
"sha256:10b550886f5ff402e1fdef85bd7be761b0e09a35a43633311807a57a5bc4db50", "sha256:3a03c2e2b22e6a331ae73750ab1da46916da6ca861b16e6f073ac1d1eba43b71",
"sha256:c9dc8f4624e287c7d1435f8fd758f6a0aabbb7eff442db9192cd46f0e2b6d959" "sha256:b536f2375b49fdf56f36279addae98bd86a8afbd58b3c32ce363c464bed5fc1c"
], ],
"version": "==0.7.1" "version": "==0.7.2"
}, },
"six": { "six": {
"hashes": [ "hashes": [
@ -444,24 +453,58 @@
], ],
"version": "==1.14.0" "version": "==1.14.0"
}, },
"soupsieve": {
"hashes": [
"sha256:1634eea42ab371d3d346309b93df7870a88610f0725d47528be902a0d95ecc55",
"sha256:a59dc181727e95d25f781f0eb4fd1825ff45590ec8ff49eadfd7f1a537cc0232"
],
"version": "==2.0.1"
},
"sqlalchemy": { "sqlalchemy": {
"hashes": [ "hashes": [
"sha256:64a7b71846db6423807e96820993fa12a03b89127d278290ca25c0b11ed7b4fb" "sha256:128bc917ed20d78143a45024455ff0aed7d3b96772eba13d5dbaf9cc57e5c41b",
"sha256:156a27548ba4e1fed944ff9fcdc150633e61d350d673ae7baaf6c25c04ac1f71",
"sha256:27e2efc8f77661c9af2681755974205e7462f1ae126f498f4fe12a8b24761d15",
"sha256:2a12f8be25b9ea3d1d5b165202181f2b7da4b3395289000284e5bb86154ce87c",
"sha256:31c043d5211aa0e0773821fcc318eb5cbe2ec916dfbc4c6eea0c5188971988eb",
"sha256:65eb3b03229f684af0cf0ad3bcc771970c1260a82a791a8d07bffb63d8c95bcc",
"sha256:6cd157ce74a911325e164441ff2d9b4e244659a25b3146310518d83202f15f7a",
"sha256:703c002277f0fbc3c04d0ae4989a174753a7554b2963c584ce2ec0cddcf2bc53",
"sha256:869bbb637de58ab0a912b7f20e9192132f9fbc47fc6b5111cd1e0f6cdf5cf9b0",
"sha256:8a0e0cd21da047ea10267c37caf12add400a92f0620c8bc09e4a6531a765d6d7",
"sha256:8d01e949a5d22e5c4800d59b50617c56125fc187fbeb8fa423e99858546de616",
"sha256:925b4fe5e7c03ed76912b75a9a41dfd682d59c0be43bce88d3b27f7f5ba028fb",
"sha256:9cb1819008f0225a7c066cac8bb0cf90847b2c4a6eb9ebb7431dbd00c56c06c5",
"sha256:a87d496884f40c94c85a647c385f4fd5887941d2609f71043e2b73f2436d9c65",
"sha256:a9030cd30caf848a13a192c5e45367e3c6f363726569a56e75dc1151ee26d859",
"sha256:a9e75e49a0f1583eee0ce93270232b8e7bb4b1edc89cc70b07600d525aef4f43",
"sha256:b50f45d0e82b4562f59f0e0ca511f65e412f2a97d790eea5f60e34e5f1aabc9a",
"sha256:b7878e59ec31f12d54b3797689402ee3b5cfcb5598f2ebf26491732758751908",
"sha256:ce1ddaadee913543ff0154021d31b134551f63428065168e756d90bdc4c686f5",
"sha256:ce2646e4c0807f3461be0653502bb48c6e91a5171d6e450367082c79e12868bf",
"sha256:ce6c3d18b2a8ce364013d47b9cad71db815df31d55918403f8db7d890c9d07ae",
"sha256:e4e2664232005bd306f878b0f167a31f944a07c4de0152c444f8c61bbe3cfb38",
"sha256:e8aa395482728de8bdcca9cc0faf3765ab483e81e01923aaa736b42f0294f570",
"sha256:eb4fcf7105bf071c71068c6eee47499ab8d4b8f5a11fc35147c934f0faa60f23",
"sha256:ed375a79f06cad285166e5be74745df1ed6845c5624aafadec4b7a29c25866ef",
"sha256:f35248f7e0d63b234a109dd72fbfb4b5cb6cb6840b221d0df0ecbf54ab087654",
"sha256:f502ef245c492b391e0e23e94cba030ab91722dcc56963c85bfd7f3441ea2bbe",
"sha256:fe01bac7226499aedf472c62fa3b85b2c619365f3f14dd222ffe4f3aa91e5f98"
], ],
"version": "==1.3.13" "version": "==1.3.17"
}, },
"sqlalchemy-utils": { "sqlalchemy-utils": {
"hashes": [ "hashes": [
"sha256:4e637c88bf3ac5f99b7d72342092a1f636bea1287b2e3e17d441b0413771f86e" "sha256:680068c4b671225c183815e19b6f4adc765a9989dd5d9e8e9c900ede30cc7434"
], ],
"version": "==0.36.1" "version": "==0.36.5"
}, },
"sqlparse": { "sqlparse": {
"hashes": [ "hashes": [
"sha256:40afe6b8d4b1117e7dff5504d7a8ce07d9a1b15aeeade8a2d10f130a834f8177", "sha256:022fb9c87b524d1f7862b3037e541f68597a730a8843245c349fc93e1643dc4e",
"sha256:7c3dca29c022744e95b547e867cee89f4fce4373f3549ccd8797d8eb52cdb873" "sha256:e162203737712307dfe78860cc56c8da8a852ab2ee33750e33aeadf38d12c548"
], ],
"version": "==0.3.0" "version": "==0.3.1"
}, },
"static3": { "static3": {
"hashes": [ "hashes": [
@ -485,18 +528,18 @@
}, },
"urllib3": { "urllib3": {
"hashes": [ "hashes": [
"sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc", "sha256:3018294ebefce6572a474f0604c2021e33b3fd8006ecd11d62107a5d2a963527",
"sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc" "sha256:88206b0eb87e6d677d424843ac5209e3fb9d0190d0ee169599165ec25e9d9115"
], ],
"version": "==1.25.8" "version": "==1.25.9"
}, },
"wagtail": { "wagtail": {
"hashes": [ "hashes": [
"sha256:8b66ecf74d40ccc7070944ff2e5a3ae33e42ecf92eb98b92c155410e48f4c974", "sha256:23c5514d530ad2dbe81360e53abd38cfe4b42671e03018a9dd95ee941b4327f4",
"sha256:f0793d4de7d9064df04f6086e93992a5c1b07fb97f76996ea1a550bce3d57a16" "sha256:ec5305aba6bf75ca9313287ddf159b43ac4e7cdff771cfe0a9413b481baa433f"
], ],
"index": "pypi", "index": "pypi",
"version": "==2.6.1" "version": "==2.9"
}, },
"webencodings": { "webencodings": {
"hashes": [ "hashes": [
@ -507,41 +550,41 @@
}, },
"whitenoise": { "whitenoise": {
"hashes": [ "hashes": [
"sha256:59d880d25d0e90bcc6554fe0504a11195bd2e59b3d690b6fb42a8040d4e67ef5", "sha256:0f9137f74bd95fa54329ace88d8dc695fbe895369a632e35f7a136e003e41d73",
"sha256:c9b7c47fdc1dba4d37bf2787a01a844dc7a521e174fcd22a2d429e0be65e1782" "sha256:62556265ec1011bd87113fb81b7516f52688887b7a010ee899ff1fd18fd22700"
], ],
"index": "pypi", "index": "pypi",
"version": "==4.1.3" "version": "==5.0.1"
}, },
"willow": { "willow": {
"hashes": [ "hashes": [
"sha256:76a8874304356b7d86923405f5ca1df125c3540fb55b32747e7a33ba59bc1744", "sha256:4f84c46f65b6a1982e63dbd4d94c6bae705ff21f839164c31e105c3e251bec37",
"sha256:818ee11803c90a0a6d49c94b0453d6266be1ef83ae00de72731c45fae4d3e78c" "sha256:8897a6827c0bb7dee2ac908af53f0d358720bd6032ed20bab3175507e34d739a"
], ],
"version": "==1.1" "version": "==1.3"
},
"xlsxwriter": {
"hashes": [
"sha256:488e1988ab16ff3a9cd58c7656d0a58f8abe46ee58b98eecea78c022db28656b",
"sha256:97ab487b81534415c5313154203f3e8a637d792b1e6a8201e8f7f71da0203c2a"
],
"version": "==1.2.8"
} }
}, },
"develop": { "develop": {
"appdirs": { "appdirs": {
"hashes": [ "hashes": [
"sha256:9e5896d1372858f8dd3344faf4e5014d21849c756c8d5701f78f8a103b372d92", "sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41",
"sha256:d8b24664561d0d34ddfaec54636d502d7cea6e29c3eaf68f3df6180863e2166e" "sha256:a841dacd6b99318a741b166adb07e19ee71a274450e68237b4650ca1055ab128"
], ],
"version": "==1.4.3" "version": "==1.4.4"
}, },
"asgiref": { "asgiref": {
"hashes": [ "hashes": [
"sha256:7e06d934a7718bf3975acbf87780ba678957b87c7adc056f13b6215d610695a0", "sha256:8036f90603c54e93521e5777b2b9a39ba1bad05773fcf2d208f0299d1df58ce5",
"sha256:ea448f92fc35a0ef4b1508f53a04c4670255a3f33d22a81c8fc9c872036adbe5" "sha256:9ca8b952a0a9afa61d30aa6d3d9b570bb3fd6bafcf7ec9e6bed43b936133db1c"
], ],
"version": "==3.2.3" "version": "==3.2.7"
},
"atomicwrites": {
"hashes": [
"sha256:03472c30eb2c5d1ba9227e4c2ca66ab8287fbfbbda3888aa93dc2e28fc6811b4",
"sha256:75a9445bac02d8d058d5e1fe689654ba5a6556a1dfd8ce6ec55a0ed79866cfa6"
],
"version": "==1.3.0"
}, },
"attrs": { "attrs": {
"hashes": [ "hashes": [
@ -558,19 +601,19 @@
}, },
"django": { "django": {
"hashes": [ "hashes": [
"sha256:1226168be1b1c7efd0e66ee79b0e0b58b2caa7ed87717909cd8a57bb13a7079a", "sha256:69897097095f336d5aeef45b4103dceae51c00afa6d3ae198a2a18e519791b7a",
"sha256:9a4635813e2d498a3c01b10c701fe4a515d76dd290aaa792ccb65ca4ccb6b038" "sha256:6ecd229e1815d4fc5240fc98f1cca78c41e7a8cd3e3f2eefadc4735031077916"
], ],
"index": "pypi", "index": "pypi",
"version": "==2.2.10" "version": "==2.2.12"
}, },
"django-debug-toolbar": { "django-debug-toolbar": {
"hashes": [ "hashes": [
"sha256:17c53cd6bf4e7d69902aedf9a1d26c5d3b7369b54c5718744704f27b5a72f35d", "sha256:eabbefe89881bbe4ca7c980ff102e3c35c8e8ad6eb725041f538988f2f39a943",
"sha256:9a23ada2e43cd989195db3c18710b5d7451134a0d48127ab64c1d2ad81700342" "sha256:ff94725e7aae74b133d0599b9bf89bd4eb8f5d2c964106e61d11750228c8774c"
], ],
"index": "pypi", "index": "pypi",
"version": "==2.0" "version": "==2.2"
}, },
"filelock": { "filelock": {
"hashes": [ "hashes": [
@ -581,33 +624,25 @@
}, },
"importlib-metadata": { "importlib-metadata": {
"hashes": [ "hashes": [
"sha256:aa18d7378b00b40847790e7c27e11673d7fed219354109d0e7b9e5b25dc3ad26", "sha256:2a688cbaa90e0cc587f1df48bdc97a6eadccdcd9c35fb3f976a09e3b5016d90f",
"sha256:d5f18a79777f3aa179c145737780282e27b508fc8fd688cb17c7a813e8bd39af" "sha256:34513a8a0c4962bc66d35b359558fd8a5e10cd472d37aec5f66858addef32c1e"
], ],
"markers": "python_version < '3.8'", "markers": "python_version < '3.8'",
"version": "==0.23" "version": "==1.6.0"
},
"importlib-resources": {
"hashes": [
"sha256:6e2783b2538bd5a14678284a3962b0660c715e5a0f10243fd5e00a4b5974f50b",
"sha256:d3279fd0f6f847cced9f7acc19bd3e5df54d34f93a2e7bb5f238f81545787078"
],
"markers": "python_version < '3.7'",
"version": "==1.0.2"
}, },
"more-itertools": { "more-itertools": {
"hashes": [ "hashes": [
"sha256:5dd8bcf33e5f9513ffa06d5ad33d78f31e1931ac9a18f33d37e77a180d393a7c", "sha256:558bb897a2232f5e4f8e2399089e35aecb746e1f9191b6584a151647e89267be",
"sha256:b1ddb932186d8a6ac451e1d95844b382f55e12686d51ca0c68b6f61f2ab7a507" "sha256:7818f596b1e87be009031c7653d01acc46ed422e6656b394b0f765ce66ed4982"
], ],
"version": "==8.2.0" "version": "==8.3.0"
}, },
"packaging": { "packaging": {
"hashes": [ "hashes": [
"sha256:170748228214b70b672c581a3dd610ee51f733018650740e98c7df862a583f73", "sha256:3c292b474fda1671ec57d46d739d072bfd495a4f51ad01a055121d81e952b7a3",
"sha256:e665345f9eef0c621aa0bf2f8d78cf6d21904eef16a93f020240b704a57f1334" "sha256:82f77b9bee21c1bafbf35a84905d604d5d1223801d639cf3ed140bd651c08752"
], ],
"version": "==20.1" "version": "==20.3"
}, },
"pluggy": { "pluggy": {
"hashes": [ "hashes": [
@ -625,18 +660,18 @@
}, },
"pyparsing": { "pyparsing": {
"hashes": [ "hashes": [
"sha256:4c830582a84fb022400b85429791bc551f1f4871c33f23e44f353119e92f969f", "sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1",
"sha256:c342dccb5250c08d45fd6f8b4a559613ca603b57498511740e65cd11a2e7dcec" "sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b"
], ],
"version": "==2.4.6" "version": "==2.4.7"
}, },
"pytest": { "pytest": {
"hashes": [ "hashes": [
"sha256:95d13143cc14174ca1a01ec68e84d76ba5d9d493ac02716fd9706c949a505210", "sha256:95c710d0a72d91c13fae35dce195633c929c3792f54125919847fdcdf7caa0d3",
"sha256:b78fe2881323bd44fd9bd76e5317173d4316577e7b1cddebae9136a4495ec865" "sha256:eb2b5e935f6a019317e455b6da83dd8650ac9ffd2ee73a7b657a30873d67a698"
], ],
"index": "pypi", "index": "pypi",
"version": "==5.1.2" "version": "==5.4.2"
}, },
"pytest-splinter": { "pytest-splinter": {
"hashes": [ "hashes": [
@ -647,10 +682,10 @@
}, },
"pytz": { "pytz": {
"hashes": [ "hashes": [
"sha256:1c557d7d0e871de1f5ccd5833f60fb2550652da6be2693c1e02300743d21500d", "sha256:a494d53b6d39c3c6e44c3bec237336e14305e4f29bbf800b599253057fbb79ed",
"sha256:b02c06db6cf09c12dd25137e563b31700d3b80fcc4ad23abb7a315f2789819be" "sha256:c35965d010ce31b23eeb663ed3cc8c906275d6be1a34393a1d73a41febf4a048"
], ],
"version": "==2019.3" "version": "==2020.1"
}, },
"selenium": { "selenium": {
"hashes": [ "hashes": [
@ -675,53 +710,53 @@
}, },
"sqlparse": { "sqlparse": {
"hashes": [ "hashes": [
"sha256:40afe6b8d4b1117e7dff5504d7a8ce07d9a1b15aeeade8a2d10f130a834f8177", "sha256:022fb9c87b524d1f7862b3037e541f68597a730a8843245c349fc93e1643dc4e",
"sha256:7c3dca29c022744e95b547e867cee89f4fce4373f3549ccd8797d8eb52cdb873" "sha256:e162203737712307dfe78860cc56c8da8a852ab2ee33750e33aeadf38d12c548"
], ],
"version": "==0.3.0" "version": "==0.3.1"
}, },
"toml": { "toml": {
"hashes": [ "hashes": [
"sha256:229f81c57791a41d65e399fc06bf0848bab550a9dfd5ed66df18ce5f05e73d5c", "sha256:926b612be1e5ce0634a2ca03470f95169cf16f939018233a670519cb4ac58b0f",
"sha256:235682dd292d5899d361a811df37e04a8828a5b1da3115886b73cf81ebc9100e" "sha256:bda89d5935c2eac546d648028b9901107a595863cb36bae0c73ac804a9b4ce88"
], ],
"version": "==0.10.0" "version": "==0.10.1"
}, },
"tox": { "tox": {
"hashes": [ "hashes": [
"sha256:0bc216b6a2e6afe764476b4a07edf2c1dab99ed82bb146a1130b2e828f5bff5e", "sha256:8d97bfaf70053ed3db56f57377288621f1bcc7621446d301927d18df93b1c4c3",
"sha256:c4f6b319c20ba4913dbfe71ebfd14ff95d1853c4231493608182f66e566ecfe1" "sha256:af09c19478e8fc7ce7555b3d802ddf601b82684b874812c5857f774b8aee1b67"
], ],
"index": "pypi", "index": "pypi",
"version": "==3.14.0" "version": "==3.15.0"
}, },
"urllib3": { "urllib3": {
"hashes": [ "hashes": [
"sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc", "sha256:3018294ebefce6572a474f0604c2021e33b3fd8006ecd11d62107a5d2a963527",
"sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc" "sha256:88206b0eb87e6d677d424843ac5209e3fb9d0190d0ee169599165ec25e9d9115"
], ],
"version": "==1.25.8" "version": "==1.25.9"
}, },
"virtualenv": { "virtualenv": {
"hashes": [ "hashes": [
"sha256:7e4e234e1f27755685dc54063d989756790b0682d60e304db589fa1604938013", "sha256:b4c14d4d73a0c23db267095383c4276ef60e161f94fde0427f2f21a0132dde74",
"sha256:e0099edd03c77e14a8ac9be62e45af28759984075d9409bb2c3a4edeb7420a23" "sha256:fd0e54dec8ac96c1c7c87daba85f0a59a7c37fe38748e154306ca21c73244637"
], ],
"version": "==20.0.2" "version": "==20.0.20"
}, },
"wcwidth": { "wcwidth": {
"hashes": [ "hashes": [
"sha256:8fd29383f539be45b20bd4df0dc29c20ba48654a41e661925e612311e9f3c603", "sha256:cafe2186b3c009a04067022ce1dcd79cb38d8d65ee4f4791b8888d6599d1bbe1",
"sha256:f28b3e8a6483e5d49e7f8949ac1a78314e740333ae305b4ba5defd3e74fb37a8" "sha256:ee73862862a156bf77ff92b09034fc4825dd3af9cf81bc5b360668d425f3c5f1"
], ],
"version": "==0.1.8" "version": "==0.1.9"
}, },
"zipp": { "zipp": {
"hashes": [ "hashes": [
"sha256:5c56e330306215cd3553342cfafc73dda2c60792384117893f3a83f8a1209f50", "sha256:aa36550ff0c0b7ef7fa639055d797116ee891440eac1a56f378e2d3179e0320b",
"sha256:d65287feb793213ffe11c0f31b81602be31448f38aeb8ffc2eb286c4f6f6657e" "sha256:c599e4d75c98f6798c509911d08a22e6c021d074469042177c8c86fb92eefd96"
], ],
"version": "==2.2.0" "version": "==3.1.0"
} }
} }
} }

48
README.md
View file

@ -89,58 +89,54 @@ Install or update the following roles from [Ansible Galaxy](https://docs.ansible
``` ```
ansible-galaxy install \ ansible-galaxy install \
dev-sec.nginx-hardening dev-sec.ssh-hardening dev-sec.os-hardening \ dev-sec.nginx-hardening \
geerlingguy.nodejs geerlingguy.certbot dev-sec.ssh-hardening \
dev-sec.os-hardening \
geerlingguy.nodejs
``` ```
To check that the scripts and roles are correctly installed, use this command to do a "dry run": To check that the scripts and roles are correctly installed, use this command to do a "dry run":
``` ```
ansible-playbook -s ansible/*.yaml -i ansible/inventories/production --syntax-check --list-tasks ansible-playbook ansible/*.yaml -i ansible/inventories/production --list-tasks
```
If you only want to run a certain set of actions, subset the tags which you see in the output above. For example, to only update the NGINX configuration:
```
ansible-playbook ansible/web.yaml -i ansible/inventories/production --tags "nginx_template_config"
``` ```
To do production deployments, you need to obtain SSH and vault keys from your system administrator (who has followed the Ansible guide to set up a vault..), and place these in a `.keys` folder. To deploy a site: To do production deployments, you need to obtain SSH and vault keys from your system administrator (who has followed the Ansible guide to set up a vault..), and place these in a `.keys` folder. To deploy a site:
``` ```
ansible-playbook -s ansible/<*.yaml> -i ansible/inventories/production ansible-playbook ansible/*.yaml -i ansible/inventories/production
``` ```
For an update release with a specific version, use: For an update release with a specific version (tag or branch), use (the `-v` parameter showing output of commands):
``` ```
ansible-playbook -s ansible/site.yaml -i ansible/inventories/production --tags release -e gitversion=<v*.*.*> ansible-playbook ansible/site.yaml -i ansible/inventories/production --tags release -v -e gitversion=<v*.*.*>
``` ```
We use a StackScript to deploy to Linode, the basic system set up is to have a user in the sudoers and docker group, and a few basic system packages ready. You can also use the `gitrepo` parameter to use a different fork of the source code.
For example, on Ubuntu: Once the basic system set up, i.e. you have an `ansible` user in the sudoers and docker group, you are ready to run the playbook.
``` The typical order of deployment is:
apt-get install -q -y zip git nginx python-virtualenv python-dev
```
The order of deployment is: - internet.yaml
- docker.yaml
- docker.yaml (base system)
- node.yaml - node.yaml
- site.yaml - web.yaml
- harden.yaml - wagtail.yaml
- certbot.yaml
The last line adds support for Let's Encrypt, which you can configure and enable (updating your Nginx setup) with:
```
sudo /opt/certbot/certbot-auto --nginx certonly
```
If you do **not** wish to use SSL, delete the last part of your nginx site configuration (/etc/nginx/sites-enabled/...).
### Production releases ### Production releases
For further deployment and system maintenance we have a `Makefile` which automates Docker Compose tasks. This should be converted to use [Ansible Container](http://docs.ansible.com/ansible-container/getting_started.html). In the meantime, start a release with Ansible, then complete it using `make`, i.e.: For further deployment and system maintenance we have a `Makefile` which automates Docker Compose tasks. This should be converted to use [Ansible Container](http://docs.ansible.com/ansible-container/getting_started.html). In the meantime, start a release with Ansible, then complete it using `make`, i.e.:
``` ```
ansible-playbook -s ansible/site.yaml -i ansible/inventories/production --tags release ansible-playbook -i ansible/inventories/production --tags release ansible/wagtail.yaml
ssh -i .keys/ansible.pem ansible@<server-ip> "cd <release_dir> && make release" ssh -i .keys/ansible.pem ansible@<server-ip> "cd <release_dir> && make release"
``` ```

4
ansible.cfg
View file

@ -2,3 +2,7 @@
retry_files_enabled = False retry_files_enabled = False
roles_path = ansible/roles:~/.ansible/roles roles_path = ansible/roles:~/.ansible/roles
vault_password_file = .keys/ansible.vault vault_password_file = .keys/ansible.vault
interpreter_python = /usr/bin/python3
[ssh_connection]
scp_if_ssh=True

13
ansible/certbot.yaml
View file

@ -1,13 +0,0 @@
- hosts: webservers
become: true
become_method: 'sudo'
gather_facts: yes
vars:
certbot_auto_renew_user: ansible
certbot_auto_renew_minute: 20
certbot_auto_renew_hour: 5
certbot_dir: /opt/certbot
certbot_install_from_source: yes
certbot_version: v0.14.2
roles:
- geerlingguy.certbot

4
ansible/docker.yaml
View file

@ -3,7 +3,5 @@
become_method: 'sudo' become_method: 'sudo'
gather_facts: yes gather_facts: yes
roles: roles:
- role: docker-ubuntu - role: geerlingguy.docker
docker_users: ansible docker_users: ansible
- role: docker-compose
docker_compose_version: 1.12.0

90
ansible/files/cloudflare.key Normal file
View file

@ -0,0 +1,90 @@
$ANSIBLE_VAULT;1.1;AES256
36383538613261333830346333313539383062333362643339656131393831326463623563636362
3532393137343535313062636664626632303065343739610a633164383665623566353939373432
38343937306164663238616439636331316630353764633963393233613663363330366539643535
3661636364623732620a383561316265653264613234376539666265303232383263306633646663
39343331636163623665316332326464613539376630633731643963376631333338316666343430
32393436336565333463326138393132343336313034643061313265303930323361353163353334
64626438656333336132653439383334376561333532313532633939323934623862363631373461
63333862383265336638343563373836613633303330613735363935663539303535303065376339
33306239373530353130353466353065366430666137626138666438616333623833326165656432
65666137663833343333333566333132646164633135326237616164666663303634666231643039
32373933396131343732376132336634373239343764326134303261353439393832336162643462
37353435333434633233633634383139623733376636376233393830356164363032353437663938
37393732383933323163386537346562633831353265363436393265306132303164646232326264
64313330663131653530373662376464346639643533633961313063633362643132646330366430
30316236316330633731636466323935376265633839373832663137336638346565613234363036
33616131613761626231653236616332316330633330363039343634643732306138383830623430
66323138306536613036623866326536303137666336626531313763396234613665636462333261
34653039393839333031656634346630626335353665336430373437373537373533326135663662
38656331633337613139633737393466666566303261666662626461323661636232303862386237
39643161656561356630316439396331343538346234643562636137353463373266663634323839
34356430313335306230333866366438623537633562373362316137363363396362343336386631
32633939633339613338613834316365333932356561373334356563393061303635373733323764
65633563363865633063343230316462646132623039353631386462383030303432643230616365
61633437313739373865363362373737376365646461343733326366656165363463313466326530
63613532303633663464623838363665313430323465323031343832363932626531613333376238
39333235623635363565313935306164366237366433353437626237656133343630646238633633
31656135356334356230613733346432643361333562373964303265333830643639373065383362
36313765636362313431306238636431613566363863383737636638303833353032356332623239
61363138383738333262383263326238366264313437653330323936646131623333336431333562
34613938313036353935326433386535373338623165336663353566363132353961356539373962
36653539656237306538626364343965313832323164346235313437666334353133313964656434
32663037626537636266303337373234393431303639643036613166663631663465663664643239
35376463656134616239353639356166363463306632666630666239376639336661323635313165
62623166353365643832356461616330656638363333313262323430376139306161626433633434
33653339363131313337646334373337313535366531626632636261346264326164643364653963
37366233353866313530383662313537633639643336353266653733316662303365393861646462
33346634303163663139373832623934626435323863353830336532313639343964623634393838
65666436393731336366313864633761313335383838383437383666653665346266333562633035
61333833373464663361383766326166333362383161636163326664636364383662333039386166
37323765613233663934313264303438376131336266663331616564396233666666363937366433
65663239343764616462363861633961333166636664343634613663663737363837353330636561
64666266356466623436353464663830323262396663373330346635333433663733616132643761
65326631613832353563303565613030316138666465646136323662363931633666306161626435
34356666646262343330613435383563323333386366333937653835636363353934616332343765
66386465393239653463653861353535633936636665643630366135613739336134353132373263
62613932303239666439656238393932636330386439626133383761316233643834383031653061
35386536393639376266383730323534633132633731643834306633613163383463323330393462
65343233613966343863383561366133306666316233373463663538656336666237353739376466
65663236346631333139386535333839663862386334356330373664616434363465643136343436
30346636313936376362386163616332376333376333383865646661333465306562323533633035
66353366326434363338373937333664663261343232366434656132363362343039353764653262
65373739623863663837396137386539343661326433613439336265623561373466323466356330
37326534383533663131613464633536373030346432633836636266393438316466613139663039
32373736383364363066333766333839376131633539643561303466653438616539313338663032
31666234343564343039656362633035326637306164656363393965336630623364653565343332
62393431346139356136643430643637396565393862353236373235646138313435653965613939
30653830656537303434363533383836656233663264643831643932376163343863656530666533
38326230313839326263366433363332333238336162356130353937333561323530613565623861
39653434356438623435316566323064313437353135333231373537343936326532623031393432
35653334356464623565326336636239393133623730323035363436613033346630316264316631
38383534313738393531643866366332336364623734306365323234323232396434303434633064
31636333653335353931643763626135646663356366393763636664376565333861333430636236
61303666326565396135386633316563356437313236343038363130636533396565656533663638
38656631646231623062393030656334626564356566646666613036366336633865306337613862
32356338393632636363373232373730316232353737333638636330386538613436333661613037
61373764333337343733383861303532343563613433326461316330626234386331363039306563
32613434636663313530326661333035363164636132316365323132633764306232333737356130
61393139356362336131373730303734363965316431313839646639386336313663333562623432
30636465343763663831333633643533376162336363346138616565633936343339643133653639
65633332346437376431656566626565333031323764366165356439363137616166653737343536
34326363663936333462386564343639386139613237626464623831393564616539386238643437
61363433356238343033343031646230306139646332613061666638303538636635646666666237
63343066663931616438396633376231313436313932306138376264616434353837656138666165
63353464396364663338393634343234353232326666383064396363656438396435613334623634
37666362636233656636376430636563303561356662376438663865653862326238323166656337
32666534303863356138393462626266653461623636663534323739393630393635376263333332
30306139313761393234336239326231376533353235633639363930393535616164316561613732
37666565656363393061393162636366393866376136373534393138336665343266623933643932
37343930626138633337396464373537373531326638316434353436393630633234633231356532
64396334623066323862663033666565393966636430653364343438306633363136383634313132
31366565356339386139333035366264616237303936383431653930636237383932633164616431
64663035333833616631613363316230376461623730383537643237623765326132653437356530
35323963353935363366323165343438616266353238336230666635336438666335383330636631
33356433326432363263333530616238303738666161386636633165336436613239383138336234
30376563396135303631653134313966316330383962376635313132666437313138313335333738
31383932326338393164613535656362326236616161383432623563623861643566623335313464
35363330663933613832313135356432393265616661346564396165373862363939316435386565
61356538373061323264613166633165633537616564336161313064323164663366353963643634
64613237396261356531306664663166356133663863313235306466656532376361

95
ansible/files/cloudflare.pem Normal file
View file

@ -0,0 +1,95 @@
$ANSIBLE_VAULT;1.1;AES256
66656362343039396163383261626131396164623138383235326661396334323139343433373331
6333616364656666396338313334633036343566386630390a373032303366666132376635376365
35343932313764356433383664336461373132633066626163333930356634646532653465646164
3637386264663834340a353937613135373531656134366635613430336434613062303262663136
65323866636663333034356437613039313363663733316530613033383165303539646366346333
39396532386333613738333335643738616630343932336565663762316232326662326439653537
31663764346235613737306232336630623036623538343761343834363838323134623631633730
31643434346231636337626639633830613534316663366637656630366532356134636161326462
33383364376230303863663461633639383731376264313964313963393633646265623232323635
63663361663565363738386337356166663031346533373731346463343739626262376236386464
66363432316566363433393033613630626235333834386365663666323439316433643430663636
61616236313038636165303330656466626135306431383934363564616663373761353437373165
65393237363535336466646462343230623337646266303331363733356164623135643866626365
39633663363261353432633938626161346433323636323866633534313434633935343339313763
65653565343232643037396138663162616165613766363261663235323033346362323334343466
36646538623730643364613236613038396664306461316434383533633734326565643265396637
66636465316132333131656130326133336330633365373966303936633563613931343766663331
32383366366564636665383962373764626566366233353931663833353161636661373630626532
38376632636534646562663037313435373335343335336662313132333438343264393334343132
32643732626138376662316339373330353632316131393763653030363638616239626135633131
32646534633932313764633735666237326462363065663437393462313834316432616665643932
39653764323438333239366363333038333963386535623965393430353035363363333366393737
38633362643135356433383739333131313265333964313534323634306363346334363033396566
37616463363430323730333233326134346666396361336237363730353962623337616362646436
31626364353430666437373738343566663966366162633832333931336564356130663062363431
62303161393963623262303738623739666263343939363438336361653632333635343765363536
33373136386430356438636131323434626335326335363532626231373761353839633330373164
66336337663766663333323032323166303036636532616633343863643938393663666164373237
31316430643663343637373938336133383835313331623565393534333537633339343630396634
36653963633030346365336165616430303237376262306539306339613839326566336436663134
35303730356433663763393062623863323836646235376536323838366463643531613631316663
33396161313464336639303865356166646532376563316564663231643536373464643861643063
39353362376638643031343934303937313162343438623538663238333633323036366130356438
38666463353832646666306134336136333066336636643466396530396532396632303632663738
37323330613538353236623964613466316461313135363635633034306561333662343139366231
37393764653533623533663935343537323930366639356365333132353562356537383439383839
38373233363638366531353733323239393161653065326562636562613333383264656531306539
39616166623234393539353430313439346662623335656530303264646539633466383031626633
31343965633437353432343363333234623566613533316333363235646464626237363932303135
63353034623761626433303865653732383764613939616236643665386165333633343237333261
35316330663961323734653230393038303631363463666561613862653562356131616231346461
39646462626365393163333735343733376363303635393136643935386664343930646135346162
63383834653164336137356531383237653836356333613031653037373734663939376663656437
31653865623830333663306538323264646632356533313862383334303237663033656532393733
65356531373739353864656564623739653336653666333136396161366338333865663931656362
64323135313736366330356665663966353633323239636339306566623236356237323837373266
34336135646539666438663635653939323539346438356661333638666639353434643364303131
36353433336161333562353239383239376335633263653966356333656230613134633638636338
31303032393335323037396138303939353336363361393131323036653664346339363539646563
37316238323231396233333665383630666561656631613163353763643938393462323332646562
64303730663861623834616233316331316536336564323466633664633139363232363635326439
62393536323032353033333038316166376632323936633834643337353036396532323338653466
37376532356366393437303161636537636634326230616130383936663231626131393132663933
38623639616262373930653262663232343333643039396531316466663862316164393233313663
61643030396331643535353132373538366164393231653163333934636137646531346533316637
64353136633934316434636432666339383933633366373638653261326532353733626238373365
38396236323838363261366163626664303938343436356531396437326432353230643330616266
62633639313435313637343464333633613932316634373262646565633463666532363230393536
35363738326262343264383337316539336461623461366161363031623064353962366663623831
35353061316334316137363966336565656662626339616465303661343766306332326562336432
35343465356234613839613766326231643433383963663138313262333761303537303431306361
64646538643565313838663430646634316239353739653839663966613339343633306131383431
31383563353931303365633435393031356337376166613538383065353461386166653636643034
39333330633234326438396161323864393936373563353134363838623165373064636239626533
35333730616339363063306263663631626139666537353238623933643437656534386461366366
66393038383035613030343830613061386636353962323764393762633936373935333734613361
39623461343438343162306233316233376637626232353235393537613536383038373932663362
64353133393631663662383537653039646663323838373061646531313263383339656265373039
33336134656531333264313866373363633933363238376439633639346262373464356162333462
30336535333161623837666664396331643535663130643332316561643663363339626161623333
61343761393462623335306539376633373432366362373062613732613932616336336136643037
34373833343262623262313630313536353663316665306332613237316562386332626237313063
30323934373263323539653131623133313837666134303439626561306432653437656236633139
33313464616565333238636337383363373932643939653061623363663938396633623162306662
65333031383730356661313130643165653136326532386530313338396235653032396230383437
61393335353561366562343838636231663236383733396564313536323833616335653966616330
61616236656263373663616663656365643661383031323566336536346330396366353836633137
36373762366130373233306438366566373632353065373434666132313162356239666630386137
39616133303633633739646434353738356633363130373862643838333361386632653863613136
66323837653231363466366461636563663233303432376530303361376339303861633439373135
37396631333635393936386430643934386161326234333966653338663237323564666335656430
38346661383336383538616161613865393731373666643037663364353932353861626234396562
36326563633836306563633535636232373462643466333739343064336466333061653766623161
39373762653739326130653031656566633337643337623531633761663534633139386438346132
32326161376631356131333130326636353239663336666436346530306539363961393639666231
35616435616130666563353031373362633834313031643866313538626338653435333064363366
63316335616166353836393363333662356561363737393630663362373033643364346336376236
33303961353437323739363436633762366664383939653061396266303635643437336465646461
63303165336138663838656130376162616236373261626133346263623235643833303466333835
32663534336336353532643963626130333938333530383062383061303439323339396261306532
65383939613732333434386332386663653235366531336633386236383462646535323932636231
39663837303164623864316133663039666263653537366365363462386336373535646266373363
33343430373033363430346137623030363265373561613761663763653433383163303835653431
6137653862376239353230323534353338356634306630333936

6
ansible/harden.yaml → ansible/internet.yaml
View file

@ -4,8 +4,12 @@
vars: vars:
ssh_server_ports: "{{ vault_ssh_server_ports }}" ssh_server_ports: "{{ vault_ssh_server_ports }}"
nginx_add_header: [] nginx_add_header: []
sysctl_overwrite:
# Enable IPv4 traffic forwarding.
net.ipv4.ip_forward: 1
roles: roles:
- role: dev-sec.os-hardening - role: dev-sec.os-hardening
- role: dev-sec.ssh-hardening - role: dev-sec.ssh-hardening
become: yes - role: nginxinc.nginx
- role: dev-sec.nginx-hardening - role: dev-sec.nginx-hardening
- role: jnv.unattended-upgrades

30
ansible/inventories/evolution/group_vars/webservers/vars.yaml Normal file
View file

@ -0,0 +1,30 @@
---
django_project_name: publichealth
elasticsearch_heap_size: 1g
memcached_memory_allocation_mb: 256
nginx_worker_processes: 2
nginx_worker_connections: 1024
email_admin: "{{ vault_email_admin }}"
domain: "{{ vault_domain }}"
allowed_domains: "{{ vault_allowed_domains }}"
django_email_key: "{{ vault_django_email_key }}"
django_email_domain: "{{ vault_django_email_domain }}"
django_email_from: "{{ vault_django_email_from }}"
django_secret_key: "{{ vault_django_secret_key }}"
# Default: postgres://postgres:@postgres:5432/postgres
django_postgres_url: "{{ vault_django_postgres_url }}"
# Default: http://elasticsearch:9200
django_elasticsearch_url: "{{ vault_django_elasticsearch_url }}"
# Default: redis://redis:6379
django_redis_url: "{{ vault_django_redis_url }}"

61
ansible/inventories/evolution/group_vars/webservers/vault.yaml Normal file
View file

@ -0,0 +1,61 @@
$ANSIBLE_VAULT;1.1;AES256
35333039666131666639373965613132326263343464646535653261313834646664383638333438
3066633663663765343734313962366362346232643161320a363333303363646236326536363131
61393333313261346364366238383338626434373363326437346234363031376137313334383562
6261326664363962360a353539376364346632663834653430363261633135343639326336666130
32326337656136623364633930306363376134356562663061346131333336346262643465303064
61383031366139336432633433613935333466643432306537353737353866386630336661623065
37336339336463643335623039393134333032623362656139363537633139336636356232653835
30356237343837306532616661396232363562396631653136626264666431366532353333353035
66623733636330333435303432363739306263376336336364363032383866316230303662626439
32376232366364613736326631633534386134343532303433653231363461343638366135333031
35613730373338366539326564333235393465333465363536623664613430343364323466383532
38383631376633356437623834663765623930656134613965643531653065393964373035306136
63303461633164663938363733663963386537386534313534313937633861626665346333316435
65393830383738663638623631353762643563636466336434356162336636343139633531373563
62616466323831646238626530653238346161643533643235316333646436653739383936663666
34383034343265353031356638643035383633623962616235633931643764306663646438333330
64393033653266633165613934323739316134373239613734396237353934613761316138323162
37396665303262316663643963313833353738343834616536613637623965666134316137626662
31643463393833323863646661363030373938316636663936346562623932313263653062333434
65323135613737646130633432626262373734633538633235303937663434663138303836323761
64626462633438353762636135333165383862633364313931363461643033653232623835306366
38343066623137343835326134343961323537393363363061353135366437356266306130393234
37386539343336663933626232373162613964653034306335386339616165323963666164333163
30366564323662656235653736626430613438333837653464373665613930376430336566303662
32343062643031356265313965383536653362623438363335366666353137643062303137323332
63663530363537393264643634303430616532373036623130383062353864376535656336663538
62643436343436363335366633356463643561383733353462346162356435303137636232363435
35663064623631373762633036393763303763613861343535343231633935313733643066316564
35393737376564303566343035633365353138346632383436386134646637336239363736363265
36373936333133346135386533373434396235616233343733666465313339653332393839646234
66653732343239623464643934646637313934323566663238326135623432353463323366353263
38353838306438643338383335656564313837346138636338343235613765323964393964623530
37626138643365366466633561396336383433366233383762653530653733343839363930343632
62656639306339393463396163653464386362363763313930633463643131636661616233323963
39663163353133663761656132303435326566616532666636383463343735373937643637666565
34326362626131616533646164333662303231383564616131366231323861646130353563393137
66316434363366383939643634316637393832383065316636353663353231393264373939333463
32666336383666333230363238633932323035656537666665363837343634633633316436623461
33616663303063656432346265626638316636393635636331306139383034353637393836386365
38356463316262326362663462313037393464303031373632343866633366393131306437373162
31303231623866363835656233653562313439643535633261653834316339633930376237643830
34313435336532656361346262323837643433663731663236626433343661623531626464303438
63346637306535343436386437356464353439636536393336303539616366306138656636326632
65363736656266643561343264306265333439663435343132633436653334343736386130643836
34323165306438303363346137643061343438613739653665326439653332613261386138386465
36323236633962383737636239343739386236333635333730363135383266643432633135633561
33303133323530616232653362343637653865333130313036346333363763663633616661346432
37326135376330353538333139336666653666636438383230313530366465336262666636323732
62313537306666653234656639353535616237383964353961653332373065393634316130353336
61663734383533613534323761393663333336616431616335383564323839316664316364633965
36396430316430343832643135333334323037656537323361663465633765363038333432306530
37313362393032336435386361373436336338636333623532663264383563396463363734656435
61336534323736396135653361363331383232653166663637656664646264313666343935363362
32626236653031306537623336316165343962316164633963306431323862666431663134306638
31313938643238623232313261633366613632356637386262343861393333303538386166373962
61383837336566386463303036373465363034343166316430663036316236303733303239383639
33306463306164333363366664346464363164383139363434323930653038396363613838346638
30623866326265383663326262326262356636343062626330336666623366656437306536393137
37356265633265613534333639376432633730396239663466316532663733313664346138333930
31663235643162623132

13
ansible/inventories/evolution/webservers Normal file
View file

@ -0,0 +1,13 @@
$ANSIBLE_VAULT;1.1;AES256
61393361636537666237333561613438353833396362323665653635333365313632663138393464
3235343235373336386135306436373332613033303034330a353536663964306266376662366263
63346635333630656238366566666463373536323536396566363163393932613130623366323334
3730333438326538380a623461333435376635373837346166303230383231623331363535623934
38373834393464636633353132356136383363316134356334323737303762393063326532356135
37643535386466656365663432376335666533653737323861393936353236343532663238663430
30376161616161653539633934333366383061373134313866646262613430363930303866613837
66643636393131393766653632386131613663363338376461623836613462643766376363626563
37393938326465633661663938613935653838613063613937663837323435323765326461346261
31616130336662326233623466353933343139666636313333303335306632663465666232373037
33346235663765393337656336653866393233616561613738343337653038653665356535633631
39366432343634303861

90
ansible/inventories/production/group_vars/webservers/vault.yaml
View file

@ -1,46 +1,46 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
31623061306338643731643236656264313365323238383734373466653131336263653365396337 38616339396239313536353234393866336335626538653366333364333239623262656130323965
3864346638623236343833646264393366666230396662300a623038333531393836356163623731 6434363364333433376631373064353330363830633462660a363430303939646338343931393261
38633239636431653935633763316639383562366332346531316632616666346532326239313933 30656361386363303731383364633736393864666466366430303737623034346362343963643163
6135323639373465300a343438306338653633633465363938363865333530343663383838653738 3463343437363230390a366437323666363364333632363165383865306637616133393932313834
62663439333565343565666434646438346566633933333863303361373166616339626630623930 35343935373538356264633136343535373139393862363538386465623862373130353661306564
66646162353034623439653262386130656564613962373234633234346138386132323362323839 33323036383165636666363466313237656330373866383536333561313037376234333761623139
66656533333537303165336634346666306436626236343561343336343135346665666539643232 30373962373361636363653262323464343264303561396165336130353661613937356563663232
65613166373464373035373666646533316365383931623966353939393765343062306230363963 30323432633534656532356362383663326432393533333931303463303036633730336131643165
34306538383064336137313034633764316130653536353035323030326533633431633866646463 63343131663861393535663365376163616235633539393666363339333539613961626462343731
39376234373437313334386465623837613362666337326562396364626332356463313165653661 32613062373061346262333239313837326333326235316564313361386438363363353836353736
32333266396261306565333061323138646531376639666264353366633033646366396634623863 39343234363837333239363335613931663631376263613636386134353135386332376263386465
61653030353061656666326561613736356461363032333937623362363734656466323032303661 37643035323039386330303230633965343466376336323730323066323462326565663066373534
35633635353638613632653639643232313932353232386531353737663436396531396334313837 36633336636331633664323439336163346534383939306635613031303966373761383134373165
63633333393632356166656266643165373238333237363930333132643962636263346466366130 31373137633430643932396461373466343939653337623065613961633966326263663939303562
62343731353939336330316363613238363136366436343732353762626263663736383863356365 37303061646461363939343530386364636438386163383934386564353536323335323032306234
61343361303933346239323165353365626431623938326464396438316332633563663465653337 38663934656530393962393666313833333930333333633032373435616461663433636631336665
63323862393063633965383932393930326266323237643839366231666166636265623637346264 34623434303737633865393364306335396163343263636665633535613837343632343063373631
66326662363735373638343561643239626265643630356239653536623930313564316636303130 31646464343732646136623638343166323533626331326133316339343530656237356434303264
65383661633130323138323330633161386138646564306636643835666333316535636665626464 32353438633866653030353536386238373338663533363237363731396339323533623330396636
37663531646130376564346261363064323434373864663939353835376262346130393338303833 39343333393066343637343466373662376263336638343230363936343862356465613762303431
63626539633332383930373862316237363966363566383735383162396165363662363764366530 31613164623032646637383833396362333232663735643336666364363464666662646664663331
34646135353534306237393233383764376330313234323364363834623438363537386331343934 39643635333038623439356632316433336535616466353566616163336134633037356239623534
63343464353862616339326565626134353661353134306431326666643635383165633964353936 34656162366630373835633238333261333235666131303964366366396335653861373761623237
30646437616436363539346433646463666535303530653533653062376633306332366237373434 34663161313465323736643763363533643664316537363266393337326365316336353533313436
32303964633532336430343662373731356365326366383431616631373132636136653539323037 38353639313135346431633166643535356565653865306337636533313135663433386435653132
64366334386637623436316161613535636130363162363264663033623531633932623462343331 66356264323235363063633061393966383939623564303666333831393663643437386437616638
31343232333064623063326666323038663839643439353166346366663934353565653433366362 38633232666461633734363637666264613366353762393733643062643637363933613034316334
33363432383533663263663761633762366633363563623237636636386337626338653238386533 33333538393832333231376366323862613537303662313063663637303064396431383031356662
33326632646562386134343138663937346464643733616339316162653566323865643633376537 65363462616536636530313033343962303237383337316666643330333835316663393536373036
36343636396263353037316631333933313739316135343766666432373633363166373866333632 65333366353366633062643639393961363061343237373065663839633936613737366238393934
62623734653863303566643331303462363137346233636130333830323333323863356538356139 62616463623266343838306462353931383936646364666531346266383262616635353035613639
37303231663966623034323138666664326236626439383638666664363531303433636662666561 31313266623439313732313039326533396639376431343935323636646433303561313235306363
39626265323136313037383164646636653265373832663931356237343138396638376135346636 65306631336330613666613939353664346165323065323139643133306562303138346136613938
66666536616135386666666464303539616135333064636135346430383431303037393036353435 35333331313831333232333136653664333136663533636338616235653230623431366334346462
65306131333532663038306136303930636661373764343736383364303266356330333661386635 30333236326234313935386531626539626566656165353837623463366163366238616639343336
34666539636239656637353131333330346563386334306535643230353439623762343932303361 62366165383464653665653237363234666136323365386263633437383535356436313037383964
65353163346535396563383862653963326261386531363934356266653461313437633661313035 64656535333639343235343331376565326666386366633166343331656131333664663032363836
33643766613366643065663637663733363563663633393238623633653664386630376637643464 34656261303638633363663162343166643931303332363639356533363533366261306439383339
61316135633961636337303735656365356437653730373965343933333433386132633061363064 31303636386261346562613633393239333731303164663332343763396566666437633564313631
37376337356262613136633431343461333237333063623834616165643637366362393137373339 35363338623335396333353836386137316662633539376337323866353763623863626164326439
37363430393939663734303364343064666533653363656633303966613334356363316436326438 34616334333630383337376562326330363836356338643939333232323061356566663139373533
30336236343731656566656631323737346630363538663361303734613738303462366238386563 34643131633763363430306336396163356430306566626162323332633230636264626236613961
31623135633062666566346561386438663031383232376562623533656437333665376439653932 32376261663761666363646636636136663235656234306334613734383664303832623039323161
66373134303762356238323962343339386161333038353038393936306434643739396464323532 34356238343965633466303631666130313762653533313562336432326662306136363834616237
3236 62633737656133653363386531396330656130633064343034653537306266393738

3
ansible/roles/dev-sec.nginx-hardening/meta/.galaxy_install_info
View file

@ -1 +1,2 @@
{install_date: 'Mon Dec 17 12:48:14 2018', version: 2.1.0} install_date: Fri May 15 20:29:19 2020
version: 2.1.0

34
ansible/roles/dev-sec.os-hardening/.github/workflows/changelog.yml vendored Normal file
View file

@ -0,0 +1,34 @@
name: Create Changelog
on:
pull_request:
types: [closed]
release:
types: [published]
issues:
types: [closed, edited]
jobs:
generate_changelog:
runs-on: ubuntu-latest
name: Generate changelog for master branch
steps:
- uses: actions/checkout@v1
- name: Generate changelog
uses: charmixer/auto-changelog-action@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: push
uses: github-actions-x/commit@v2.6
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
push-branch: 'master'
commit-message: 'update changelog'
force-add: 'true'
files: CHANGELOG.md
name: dev-sec CI
email: github@gumpri.ch

50
ansible/roles/dev-sec.os-hardening/.github/workflows/release.yml vendored Normal file
View file

@ -0,0 +1,50 @@
name: New release
on:
push:
branches:
- master
jobs:
generate_changelog:
runs-on: ubuntu-latest
name: create release draft
steps:
- uses: actions/checkout@v1
- name: 'Get Previous tag'
id: previoustag
uses: "WyriHaximus/github-action-get-previous-tag@master"
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- name: calculate next version
id: version
uses: patrickjahns/version-drafter-action@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Generate changelog
uses: charmixer/auto-changelog-action@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
since_tag: ${{ steps.previoustag.outputs.tag }}
future_release: ${{ steps.version.outputs.next-version }}
- name: Read CHANGELOG.md
id: package
uses: juliangruber/read-file-action@v1
with:
path: ./CHANGELOG.md
- name: Create Release draft
id: create_release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
with:
release_name: ${{ steps.version.outputs.next-version }}
tag_name: ${{ steps.version.outputs.next-version }}
body: |
${{ steps.package.outputs.content }}
draft: true

50
ansible/roles/dev-sec.os-hardening/.kitchen.vagrant.yml
View file

@ -16,47 +16,47 @@ provisioner:
require_ruby_for_busser: false require_ruby_for_busser: false
ansible_verbose: true ansible_verbose: true
roles_path: ../ansible-os-hardening/ roles_path: ../ansible-os-hardening/
playbook: default.yml playbook: tests/test.yml
http_proxy: <%= ENV['http_proxy'] || nil %> http_proxy: <%= ENV['http_proxy'] || nil %>
https_proxy: <%= ENV['https_proxy'] || nil %> https_proxy: <%= ENV['https_proxy'] || nil %>
transport: transport:
max_ssh_sessions: 5 max_ssh_sessions: 1
platforms: platforms:
- name: ubuntu14.04 - name: ubuntu-16.04
driver_config: driver_config:
box: opscode-ubuntu-14.04 box: bento/ubuntu-16.04
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box - name: ubuntu-18.04
- name: ubuntu16.04
driver_config: driver_config:
box: opscode-ubuntu-16.04 box: bento/ubuntu-18.04
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-16.04_chef-provisionerless.box - name: centos-6
- name: ubuntu18.04
driver_config: driver_config:
box: ubuntu/bionic64 box: bento/centos-6.7
- name: centos6 - name: centos-7
driver_config: driver_config:
box: bento/centos-6.9 box: bento/centos-7
- name: centos7 - name: centos-8
driver_config: driver_config:
box: bento/centos-7.3 box: bento/centos-8
- name: oracle6 - name: oracle-6
driver_config: driver_config:
box: oracle-6.5 box: bento/oracle-6
box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box - name: oracle-7
- name: oracle7
driver_config: driver_config:
box: boxcutter/ol72 box: bento/oracle-7
- name: debian7 - name: debian-9
driver_config: driver_config:
box: bento/debian-7.11 box: bento/debian-9
- name: debian8 - name: debian-10
driver_config: driver_config:
box: bento/debian-8.8 box: bento/debian-10
- name: debian9 - name: amazon
driver_config: driver_config:
box: bento/debian-9.0 box: bento/amazonlinux-2
- name: opensuse_tumbleweed
driver_config:
box: opensuse/Tumbleweed.x86_64
verifier: verifier:
name: inspec name: inspec

49
ansible/roles/dev-sec.os-hardening/.kitchen.yml
View file

@ -7,7 +7,7 @@ driver:
https_proxy: <%= ENV['https_proxy'] || nil %> https_proxy: <%= ENV['https_proxy'] || nil %>
transport: transport:
max_ssh_sessions: 5 max_ssh_sessions: 1
provisioner: provisioner:
name: ansible_playbook name: ansible_playbook
@ -17,7 +17,7 @@ provisioner:
require_ruby_for_busser: false require_ruby_for_busser: false
ansible_verbose: true ansible_verbose: true
ansible_diff: true ansible_diff: true
hosts: all
roles_path: ../ansible-os-hardening/ roles_path: ../ansible-os-hardening/
http_proxy: <%= ENV['http_proxy'] || nil %> http_proxy: <%= ENV['http_proxy'] || nil %>
https_proxy: <%= ENV['https_proxy'] || nil %> https_proxy: <%= ENV['https_proxy'] || nil %>
@ -36,6 +36,14 @@ platforms:
provision_command: provision_command:
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- systemctl enable sshd.service - systemctl enable sshd.service
- name: centos8-ansible-latest
driver:
image: rndmh3ro/docker-centos8-ansible:latest
platform: centos
run_command: /sbin/init
provision_command:
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- systemctl enable sshd.service
- name: oracle6-ansible-latest - name: oracle6-ansible-latest
driver: driver:
image: rndmh3ro/docker-oracle6-ansible:latest image: rndmh3ro/docker-oracle6-ansible:latest
@ -48,10 +56,6 @@ platforms:
provision_command: provision_command:
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- systemctl enable sshd.service - systemctl enable sshd.service
- name: ubuntu1404-ansible-latest
driver:
image: rndmh3ro/docker-ubuntu1404-ansible:latest
platform: ubuntu
- name: ubuntu1604-ansible-latest - name: ubuntu1604-ansible-latest
driver: driver:
image: rndmh3ro/docker-ubuntu1604-ansible:latest image: rndmh3ro/docker-ubuntu1604-ansible:latest
@ -66,14 +70,6 @@ platforms:
run_command: /sbin/init run_command: /sbin/init
provision_command: provision_command:
- systemctl enable ssh.service - systemctl enable ssh.service
- name: debian7-ansible-latest
driver:
image: rndmh3ro/docker-debian7-ansible:latest
platform: debian
- name: debian8-ansible-latest
driver:
image: rndmh3ro/docker-debian8-ansible:latest
platform: debian
- name: debian9-ansible-latest - name: debian9-ansible-latest
driver: driver:
image: rndmh3ro/docker-debian9-ansible:latest image: rndmh3ro/docker-debian9-ansible:latest
@ -82,6 +78,14 @@ platforms:
provision_command: provision_command:
- apt install -y systemd-sysv - apt install -y systemd-sysv
- systemctl enable ssh.service - systemctl enable ssh.service
- name: debian10-ansible-latest
driver:
image: rndmh3ro/docker-debian10-ansible:latest
platform: debian
run_command: /sbin/init
provision_command:
- apt install -y systemd-sysv
- systemctl enable ssh.service
- name: amazon-ansible-latest - name: amazon-ansible-latest
driver: driver:
image: rndmh3ro/docker-amazon-ansible:latest image: rndmh3ro/docker-amazon-ansible:latest
@ -90,6 +94,23 @@ platforms:
provision_command: provision_command:
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- systemctl enable sshd.service - systemctl enable sshd.service
- name: fedora-ansible-latest
driver:
image: rndmh3ro/docker-fedora-ansible:latest
platform: centos
run_command: /sbin/init
provision_command:
- dnf install -y python
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- systemctl enable sshd.service
- name: opensuse_tumbleweed-ansible-latest
driver:
image: rndmh3ro/docker-opensuse_tumbleweed-ansible
platform: opensuse
provision_command:
- zypper -n install python-xml rpm-python
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- systemctl enable sshd.service
verifier: verifier:
name: inspec name: inspec

37
ansible/roles/dev-sec.os-hardening/.travis.yml
View file

@ -11,6 +11,16 @@ env:
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
version: latest version: latest
- distro: centos8
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
version: latest
- distro: fedora
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
version: latest
- distro: oracle6 - distro: oracle6
version: latest version: latest
init: /sbin/init init: /sbin/init
@ -20,10 +30,6 @@ env:
# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" # run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
# version: latest # version: latest
- distro: ubuntu1404
version: latest
init: /sbin/init
- distro: ubuntu1604 - distro: ubuntu1604
version: latest version: latest
init: /lib/systemd/systemd init: /lib/systemd/systemd
@ -34,16 +40,12 @@ env:
init: /lib/systemd/systemd init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distro: debian7 - distro: debian9
version: latest version: latest
init: /sbin/init init: /lib/systemd/systemd
- distro: debian8
version: latest
init: /sbin/init
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distro: debian9 - distro: debian10
version: latest version: latest
init: /lib/systemd/systemd init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
@ -53,17 +55,28 @@ env:
version: latest version: latest
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
# - distro: opensuse_tumbleweed
# init: /usr/lib/systemd/systemd
# version: latest
# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro --volume=/run:/run:ro"
before_install: before_install:
# Pull container # Pull container
- 'docker pull rndmh3ro/docker-${distro}-ansible:${version}' - 'docker pull rndmh3ro/docker-${distro}-ansible:${version}'
script: script:
- pip install --user ansible-lint
- ansible-lint ./
- container_id=$(mktemp) - container_id=$(mktemp)
# Run container in detached state. # Run container in detached state.
- 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-os-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"' - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-os-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
# Output Ansible version from docker image
- 'docker exec "$(cat ${container_id})" ansible-playbook --version'
# Test role. # Test role.
- 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/tests/test.yml --diff --skip-tags "sysctl"' - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/tests/test.yml --diff'
# Verify role # Verify role
- 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --controls=os-01 os-02 os-03 os-04 os-05 os-05b os-06 os-07 os-09 os-10 os-11 package-01 package-02 package-03 package-05 package-06 package-08 package-09 --no-distinct-exit' - 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --controls=os-01 os-02 os-03 os-04 os-05 os-05b os-06 os-07 os-09 os-10 os-11 package-01 package-02 package-03 package-05 package-06 package-08 package-09 --no-distinct-exit'

127
ansible/roles/dev-sec.os-hardening/CHANGELOG.md
View file

@ -1,6 +1,113 @@
# Change Log # Changelog
## [Unreleased](https://github.com/dev-sec/ansible-os-hardening/tree/HEAD)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.0...HEAD)
**Implemented enhancements:**
- add changelog and release workflow [\#271](https://github.com/dev-sec/ansible-os-hardening/pull/271) ([rndmh3ro](https://github.com/rndmh3ro))
- github action for changelog generation [\#270](https://github.com/dev-sec/ansible-os-hardening/pull/270) ([rndmh3ro](https://github.com/rndmh3ro))
## [6.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.0) (2020-05-05)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.2.1...6.0.0)
**Implemented enhancements:**
- Configure audit=1 for more accurate auid auditing [\#253](https://github.com/dev-sec/ansible-os-hardening/issues/253)
- Add Debian Buster support for ansible-os-hardening [\#233](https://github.com/dev-sec/ansible-os-hardening/issues/233)
- Add CentOS 8 support for ansible-os-hardening [\#232](https://github.com/dev-sec/ansible-os-hardening/issues/232)
- Add selinux configuration [\#154](https://github.com/dev-sec/ansible-os-hardening/issues/154)
- Make useradd defaults in login.defs dependent on OS [\#266](https://github.com/dev-sec/ansible-os-hardening/pull/266) ([Aisbergg](https://github.com/Aisbergg))
- Add kernel hardening parameters from Tails and CIS Benchmark [\#263](https://github.com/dev-sec/ansible-os-hardening/pull/263) ([kravietz](https://github.com/kravietz))
- add ansible-lint [\#262](https://github.com/dev-sec/ansible-os-hardening/pull/262) ([rndmh3ro](https://github.com/rndmh3ro))
- Remove trailing space [\#261](https://github.com/dev-sec/ansible-os-hardening/pull/261) ([kravietz](https://github.com/kravietz))
- Add kernel parameter information to README [\#259](https://github.com/dev-sec/ansible-os-hardening/pull/259) ([jaredledvina](https://github.com/jaredledvina))
- Remove trailing whitespaces \(ansible-lint 201\) [\#254](https://github.com/dev-sec/ansible-os-hardening/pull/254) ([kravietz](https://github.com/kravietz))
- Standardize the var ordering [\#251](https://github.com/dev-sec/ansible-os-hardening/pull/251) ([dustinmiller1337](https://github.com/dustinmiller1337))
- Add intial support for OpenSUSE [\#250](https://github.com/dev-sec/ansible-os-hardening/pull/250) ([dustinmiller1337](https://github.com/dustinmiller1337))
- Make max\_log\_file\_action for auditd configurable [\#246](https://github.com/dev-sec/ansible-os-hardening/pull/246) ([jandd](https://github.com/jandd))
- Add exception in sysctl task [\#240](https://github.com/dev-sec/ansible-os-hardening/pull/240) ([okupriyanov](https://github.com/okupriyanov))
- Fedora - Use new auto ansible\_python\_interpreter for dnf [\#239](https://github.com/dev-sec/ansible-os-hardening/pull/239) ([jaredledvina](https://github.com/jaredledvina))
- add test support for CentOS8 [\#237](https://github.com/dev-sec/ansible-os-hardening/pull/237) ([yeoldegrove](https://github.com/yeoldegrove))
- Support configuring SELinux and default to enforcing [\#236](https://github.com/dev-sec/ansible-os-hardening/pull/236) ([jaredledvina](https://github.com/jaredledvina))
- Add test support for debian buster [\#234](https://github.com/dev-sec/ansible-os-hardening/pull/234) ([123Haynes](https://github.com/123Haynes))
- Changed local var name to a less common one [\#231](https://github.com/dev-sec/ansible-os-hardening/pull/231) ([rgarrigue](https://github.com/rgarrigue))
- Use ansible facts for vars [\#226](https://github.com/dev-sec/ansible-os-hardening/pull/226) ([joshuatalb](https://github.com/joshuatalb))
**Fixed bugs:**
- /etc/login.defs alters centos 7/8 default values [\#265](https://github.com/dev-sec/ansible-os-hardening/issues/265)
- Invalid Conditionals in user\_accounts.yml [\#255](https://github.com/dev-sec/ansible-os-hardening/issues/255)
- `auth-system` related files are created for non-RHEL systems \(e.g. Debian\) [\#247](https://github.com/dev-sec/ansible-os-hardening/issues/247)
- NSA website links are stale [\#227](https://github.com/dev-sec/ansible-os-hardening/issues/227)
- Running ansible on python3 throughs "TypeError: '\<=' not supported between instances of 'str' and 'int'" [\#223](https://github.com/dev-sec/ansible-os-hardening/issues/223)
- \[lots of\] deprecation warnings in Ansible 2.8 [\#221](https://github.com/dev-sec/ansible-os-hardening/issues/221)
- Add a "don't fail on error" switch ? [\#148](https://github.com/dev-sec/ansible-os-hardening/issues/148)
- Addressing issue \#255 [\#258](https://github.com/dev-sec/ansible-os-hardening/pull/258) ([ljkimmel](https://github.com/ljkimmel))
- Fix \#247, cleanup conditions [\#248](https://github.com/dev-sec/ansible-os-hardening/pull/248) ([fernandezcuesta](https://github.com/fernandezcuesta))
- Fix error on applying the sysctl vars on containers [\#243](https://github.com/dev-sec/ansible-os-hardening/pull/243) ([okupriyanov](https://github.com/okupriyanov))
- Update location of NSA RHEL 5 Guide [\#235](https://github.com/dev-sec/ansible-os-hardening/pull/235) ([jaredledvina](https://github.com/jaredledvina))
## [5.2.1](https://github.com/dev-sec/ansible-os-hardening/tree/5.2.1) (2019-06-09)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.2.0...5.2.1)
**Implemented enhancements:**
- Fix deprecation warnings in Ansible 2.8 [\#224](https://github.com/dev-sec/ansible-os-hardening/pull/224) ([Normo](https://github.com/Normo))
- add docs to find-task in minimize access. fix \#219 [\#220](https://github.com/dev-sec/ansible-os-hardening/pull/220) ([rndmh3ro](https://github.com/rndmh3ro))
**Fixed bugs:**
- `squash\_actions` deprecation warning [\#218](https://github.com/dev-sec/ansible-os-hardening/issues/218)
## [5.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/5.2.0) (2019-05-04)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.1.0...5.2.0)
**Implemented enhancements:**
- Speed up "minimize access on found files" task [\#208](https://github.com/dev-sec/ansible-os-hardening/issues/208)
- Fedora support? [\#163](https://github.com/dev-sec/ansible-os-hardening/issues/163)
- remove eol'd OS and add new [\#217](https://github.com/dev-sec/ansible-os-hardening/pull/217) ([rndmh3ro](https://github.com/rndmh3ro))
- Add note about docker under warning [\#214](https://github.com/dev-sec/ansible-os-hardening/pull/214) ([ChrisMcKee](https://github.com/ChrisMcKee))
- change minimize access tasks to speed them up [\#209](https://github.com/dev-sec/ansible-os-hardening/pull/209) ([rndmh3ro](https://github.com/rndmh3ro))
- Added fedora support [\#206](https://github.com/dev-sec/ansible-os-hardening/pull/206) ([jonaswre](https://github.com/jonaswre))
- Pass package list directly to apt and yum modules without using with\_items loop [\#200](https://github.com/dev-sec/ansible-os-hardening/pull/200) ([Normo](https://github.com/Normo))
**Fixed bugs:**
- login.defs.j2 template: ENV\_PATH is missing ':' before variable substitution [\#202](https://github.com/dev-sec/ansible-os-hardening/issues/202)
- 'sysctl\_rhel\_config' is undefined [\#167](https://github.com/dev-sec/ansible-os-hardening/issues/167)
- RHEL 7.4: Too many setuid bits removed [\#140](https://github.com/dev-sec/ansible-os-hardening/issues/140)
- Fix typo [\#212](https://github.com/dev-sec/ansible-os-hardening/pull/212) ([ruslo](https://github.com/ruslo))
- Update modprobe to 0644 [\#211](https://github.com/dev-sec/ansible-os-hardening/pull/211) ([joshuatalb](https://github.com/joshuatalb))
- Test Kitchen Vagrant Fixes [\#210](https://github.com/dev-sec/ansible-os-hardening/pull/210) ([joshuatalb](https://github.com/joshuatalb))
- \[readme\] Update documentation link [\#207](https://github.com/dev-sec/ansible-os-hardening/pull/207) ([pmav99](https://github.com/pmav99))
- fix ansible lint remarks [\#204](https://github.com/dev-sec/ansible-os-hardening/pull/204) ([rndmh3ro](https://github.com/rndmh3ro))
- add colon to user env paths - fix \#202 [\#203](https://github.com/dev-sec/ansible-os-hardening/pull/203) ([rndmh3ro](https://github.com/rndmh3ro))
- Fix errors produced by ansible-lint [\#159](https://github.com/dev-sec/ansible-os-hardening/pull/159) ([zbrojny120](https://github.com/zbrojny120))
## [5.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/5.1.0) (2018-10-17)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/5.0.0...5.1.0)
**Implemented enhancements:**
- add ubuntu 1804 support [\#196](https://github.com/dev-sec/ansible-os-hardening/pull/196) ([rndmh3ro](https://github.com/rndmh3ro))
- add option to disable auditd [\#192](https://github.com/dev-sec/ansible-os-hardening/pull/192) ([rndmh3ro](https://github.com/rndmh3ro))
**Fixed bugs:**
- auditd causing v5.0 to fail on unpriviledged LXC's [\#191](https://github.com/dev-sec/ansible-os-hardening/issues/191)
- Setting os\_security\_users\_allow has no effect [\#175](https://github.com/dev-sec/ansible-os-hardening/issues/175)
- add /usr/bin/su to suid\_guid whitelist [\#199](https://github.com/dev-sec/ansible-os-hardening/pull/199) ([ccolic](https://github.com/ccolic))
- ensure that permissions to su-binary are not restricted to root user and group only, if os\_security\_users\_allow contains the value change\_user [\#197](https://github.com/dev-sec/ansible-os-hardening/pull/197) ([szEvEz](https://github.com/szEvEz))
## [5.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/5.0.0) (2018-09-02) ## [5.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/5.0.0) (2018-09-02)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.3.0...5.0.0) [Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.3.0...5.0.0)
**Implemented enhancements:** **Implemented enhancements:**
@ -34,6 +141,7 @@
- change minimize access method [\#181](https://github.com/dev-sec/ansible-os-hardening/pull/181) ([rndmh3ro](https://github.com/rndmh3ro)) - change minimize access method [\#181](https://github.com/dev-sec/ansible-os-hardening/pull/181) ([rndmh3ro](https://github.com/rndmh3ro))
## [4.3.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.3.0) (2018-01-03) ## [4.3.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.3.0) (2018-01-03)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.3.1...4.3.0) [Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.3.1...4.3.0)
**Implemented enhancements:** **Implemented enhancements:**
@ -63,6 +171,7 @@
- move defaults to os-specific vars [\#157](https://github.com/dev-sec/ansible-os-hardening/pull/157) ([rndmh3ro](https://github.com/rndmh3ro)) - move defaults to os-specific vars [\#157](https://github.com/dev-sec/ansible-os-hardening/pull/157) ([rndmh3ro](https://github.com/rndmh3ro))
## [4.3.1](https://github.com/dev-sec/ansible-os-hardening/tree/4.3.1) (2017-09-13) ## [4.3.1](https://github.com/dev-sec/ansible-os-hardening/tree/4.3.1) (2017-09-13)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.2.0...4.3.1) [Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.2.0...4.3.1)
**Fixed bugs:** **Fixed bugs:**
@ -70,6 +179,7 @@
- os\_security\_kernel\_enable\_sysrq is not implemented [\#115](https://github.com/dev-sec/ansible-os-hardening/issues/115) - os\_security\_kernel\_enable\_sysrq is not implemented [\#115](https://github.com/dev-sec/ansible-os-hardening/issues/115)
## [4.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.2.0) (2017-08-08) ## [4.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.2.0) (2017-08-08)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.1.0...4.2.0) [Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.1.0...4.2.0)
**Implemented enhancements:** **Implemented enhancements:**
@ -93,6 +203,7 @@
- remove execshield sysctl-parameter on rhel7 [\#119](https://github.com/dev-sec/ansible-os-hardening/pull/119) ([rndmh3ro](https://github.com/rndmh3ro)) - remove execshield sysctl-parameter on rhel7 [\#119](https://github.com/dev-sec/ansible-os-hardening/pull/119) ([rndmh3ro](https://github.com/rndmh3ro))
## [4.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.1.0) (2017-06-27) ## [4.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.1.0) (2017-06-27)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.0.0...4.1.0) [Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/4.0.0...4.1.0)
**Fixed bugs:** **Fixed bugs:**
@ -113,6 +224,7 @@
- add more sysctl settings, allow overwriting [\#120](https://github.com/dev-sec/ansible-os-hardening/pull/120) ([rndmh3ro](https://github.com/rndmh3ro)) - add more sysctl settings, allow overwriting [\#120](https://github.com/dev-sec/ansible-os-hardening/pull/120) ([rndmh3ro](https://github.com/rndmh3ro))
## [4.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.0.0) (2017-03-14) ## [4.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.0.0) (2017-03-14)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.2.0...4.0.0) [Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.2.0...4.0.0)
**Implemented enhancements:** **Implemented enhancements:**
@ -124,7 +236,6 @@
**Fixed bugs:** **Fixed bugs:**
- The role fails when conditionally included [\#105](https://github.com/dev-sec/ansible-os-hardening/issues/105) - The role fails when conditionally included [\#105](https://github.com/dev-sec/ansible-os-hardening/issues/105)
- omit empty variables [\#106](https://github.com/dev-sec/ansible-os-hardening/pull/106) ([rndmh3ro](https://github.com/rndmh3ro))
**Closed issues:** **Closed issues:**
@ -139,6 +250,7 @@
- Dont refer to this role as "playbook" in the role description [\#104](https://github.com/dev-sec/ansible-os-hardening/pull/104) ([ypid](https://github.com/ypid)) - Dont refer to this role as "playbook" in the role description [\#104](https://github.com/dev-sec/ansible-os-hardening/pull/104) ([ypid](https://github.com/ypid))
## [3.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.2.0) (2016-10-24) ## [3.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.2.0) (2016-10-24)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.1.0...3.2.0) [Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.1.0...3.2.0)
**Fixed bugs:** **Fixed bugs:**
@ -156,9 +268,11 @@
- add rhel7 pam\_pwquality. fix \#73 [\#94](https://github.com/dev-sec/ansible-os-hardening/pull/94) ([rndmh3ro](https://github.com/rndmh3ro)) - add rhel7 pam\_pwquality. fix \#73 [\#94](https://github.com/dev-sec/ansible-os-hardening/pull/94) ([rndmh3ro](https://github.com/rndmh3ro))
## [3.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.1.0) (2016-08-03) ## [3.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.1.0) (2016-08-03)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.1...3.1.0) [Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.1...3.1.0)
## [3.1](https://github.com/dev-sec/ansible-os-hardening/tree/3.1) (2016-07-27) ## [3.1](https://github.com/dev-sec/ansible-os-hardening/tree/3.1) (2016-07-27)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.0.0...3.1) [Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/3.0.0...3.1)
**Implemented enhancements:** **Implemented enhancements:**
@ -181,7 +295,6 @@
- Permissions on /etc/shadow can lock out GUI users [\#86](https://github.com/dev-sec/ansible-os-hardening/issues/86) - Permissions on /etc/shadow can lock out GUI users [\#86](https://github.com/dev-sec/ansible-os-hardening/issues/86)
- network related sysctl rewritten by ufw in ubuntu [\#82](https://github.com/dev-sec/ansible-os-hardening/issues/82) - network related sysctl rewritten by ufw in ubuntu [\#82](https://github.com/dev-sec/ansible-os-hardening/issues/82)
- ansible \>= 2.0 complains: Using bare variables is deprecated [\#78](https://github.com/dev-sec/ansible-os-hardening/issues/78) - ansible \>= 2.0 complains: Using bare variables is deprecated [\#78](https://github.com/dev-sec/ansible-os-hardening/issues/78)
- Norm-Audit-Hardening-Audit [\#76](https://github.com/dev-sec/ansible-os-hardening/issues/76)
**Merged pull requests:** **Merged pull requests:**
@ -189,6 +302,7 @@
- Permits overriding permissions on /etc/shadow [\#89](https://github.com/dev-sec/ansible-os-hardening/pull/89) ([conorsch](https://github.com/conorsch)) - Permits overriding permissions on /etc/shadow [\#89](https://github.com/dev-sec/ansible-os-hardening/pull/89) ([conorsch](https://github.com/conorsch))
## [3.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.0.0) (2016-03-13) ## [3.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.0.0) (2016-03-13)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/2.0.0...3.0.0) [Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/2.0.0...3.0.0)
**Implemented enhancements:** **Implemented enhancements:**
@ -208,7 +322,6 @@
- Updates "tags" parameters on includes in main.yml [\#66](https://github.com/dev-sec/ansible-os-hardening/pull/66) ([conorsch](https://github.com/conorsch)) - Updates "tags" parameters on includes in main.yml [\#66](https://github.com/dev-sec/ansible-os-hardening/pull/66) ([conorsch](https://github.com/conorsch))
- Suid set def var, fix \#64 [\#63](https://github.com/dev-sec/ansible-os-hardening/pull/63) ([rndmh3ro](https://github.com/rndmh3ro)) - Suid set def var, fix \#64 [\#63](https://github.com/dev-sec/ansible-os-hardening/pull/63) ([rndmh3ro](https://github.com/rndmh3ro))
- ERROR! Include tasks should not specify tags in more than one way [\#60](https://github.com/dev-sec/ansible-os-hardening/pull/60) ([fitz123](https://github.com/fitz123))
**Closed issues:** **Closed issues:**
@ -221,6 +334,7 @@
- Release 3.0.0 [\#75](https://github.com/dev-sec/ansible-os-hardening/pull/75) ([rndmh3ro](https://github.com/rndmh3ro)) - Release 3.0.0 [\#75](https://github.com/dev-sec/ansible-os-hardening/pull/75) ([rndmh3ro](https://github.com/rndmh3ro))
## [2.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/2.0.0) (2015-11-28) ## [2.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/2.0.0) (2015-11-28)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/1.0.0...2.0.0) [Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/1.0.0...2.0.0)
**Closed issues:** **Closed issues:**
@ -239,6 +353,9 @@
- improved travis-tests to cover more cases [\#42](https://github.com/dev-sec/ansible-os-hardening/pull/42) ([rndmh3ro](https://github.com/rndmh3ro)) - improved travis-tests to cover more cases [\#42](https://github.com/dev-sec/ansible-os-hardening/pull/42) ([rndmh3ro](https://github.com/rndmh3ro))
## [1.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/1.0.0) (2015-09-01) ## [1.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/1.0.0) (2015-09-01)
[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/06d1464e95cad7ccc24734b934a158b16dfc5014...1.0.0)
**Closed issues:** **Closed issues:**
- ansible-os-hardening/tasks/minimize\_access.yml [\#38](https://github.com/dev-sec/ansible-os-hardening/issues/38) - ansible-os-hardening/tasks/minimize\_access.yml [\#38](https://github.com/dev-sec/ansible-os-hardening/issues/38)
@ -285,4 +402,4 @@
\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* \* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*

1
ansible/roles/dev-sec.os-hardening/Gemfile
View file

@ -11,6 +11,7 @@ group :integration do
gem 'kitchen-sync' gem 'kitchen-sync'
gem 'kitchen-transport-rsync' gem 'kitchen-transport-rsync'
gem 'kitchen-docker' gem 'kitchen-docker'
gem 'inspec', '~> 3'
end end
group :tools do group :tools do

47
ansible/roles/dev-sec.os-hardening/README.md
View file

@ -35,6 +35,20 @@ It will not:
If you're using inspec to test your machines after applying this role, please make sure to add the connecting user to the `os_ignore_users`-variable. If you're using inspec to test your machines after applying this role, please make sure to add the connecting user to the `os_ignore_users`-variable.
Otherwise inspec will fail. For more information, see [issue #124](https://github.com/dev-sec/ansible-os-hardening/issues/124). Otherwise inspec will fail. For more information, see [issue #124](https://github.com/dev-sec/ansible-os-hardening/issues/124).
If you're using Docker / Kubernetes+Docker you'll need to override the ipv4 ip forward sysctl setting.
```yaml
- hosts: localhost
roles:
- dev-sec.os-hardening
vars:
sysctl_overwrite:
# Enable IPv4 traffic forwarding.
net.ipv4.ip_forward: 1
```
## Variables ## Variables
| Name | Default Value | Description | | Name | Default Value | Description |
@ -57,24 +71,27 @@ Otherwise inspec will fail. For more information, see [issue #124](https://githu
| `os_security_suid_sgid_blacklist`| [] | a list of paths which should have their SUID/SGID bits removed| | `os_security_suid_sgid_blacklist`| [] | a list of paths which should have their SUID/SGID bits removed|
| `os_security_suid_sgid_whitelist`| [] | a list of paths which should not have their SUID/SGID bits altered| | `os_security_suid_sgid_whitelist`| [] | a list of paths which should not have their SUID/SGID bits altered|
| `os_security_suid_sgid_remove_from_unknown`| false | true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.| | `os_security_suid_sgid_remove_from_unknown`| false | true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.|
| `os_security_packages_clean'`| true | removes packages with known issues. See section packages.| | `os_security_packages_clean`| true | removes packages with known issues. See section packages.|
| `os_selinux_state` | enforcing | Set the SELinux state, can be either disabled, permissive, or enforcing. |
| `os_selinux_policy` | targeted | Set the SELinux polixy. |
| `ufw_manage_defaults` | true | true means apply all settings with `ufw_` prefix| | `ufw_manage_defaults` | true | true means apply all settings with `ufw_` prefix|
| `ufw_ipt_sysctl` | '' | by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example `/etc/ufw/sysctl.conf` | `ufw_ipt_sysctl` | '' | by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example `/etc/ufw/sysctl.conf`
| `ufw_default_input_policy` | DROP | set default input policy of ufw to `DROP` | | `ufw_default_input_policy` | DROP | set default input policy of ufw to `DROP` |
| `ufw_default_output_policy` | ACCEPT | set default output policy of ufw to `ACCEPT` | | `ufw_default_output_policy` | ACCEPT | set default output policy of ufw to `ACCEPT` |
| `ufw_default_forward_policy` | DROP | set default forward policy of ufw to `DROP` | | `ufw_default_forward_policy` | DROP | set default forward policy of ufw to `DROP` |
| `os_auditd_enabled` | true | Set to false to disable installing and configuring auditd. | | `os_auditd_enabled` | true | Set to false to disable installing and configuring auditd. |
| `os_auditd_max_log_file_action` | `keep_logs` | Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`. |
## Packages ## Packages
We remove the following packages: We remove the following packages:
* xinetd ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.1) * xinetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1)
* inetd ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.1) * inetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1)
* tftp-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.5) * tftp-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.5)
* ypserv ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.4) * ypserv ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.4)
* telnet-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.2) * telnet-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.2)
* rsh-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.3) * rsh-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.3)
* prelink ([open-scap](https://static.open-scap.org/ssg-guides/ssg-sl7-guide-ospp-rhel7-server.html#xccdf_org.ssgproject.content_rule_disable_prelink)) * prelink ([open-scap](https://static.open-scap.org/ssg-guides/ssg-sl7-guide-ospp-rhel7-server.html#xccdf_org.ssgproject.content_rule_disable_prelink))
## Disabled filesystems ## Disabled filesystems
@ -92,6 +109,14 @@ We disable the following filesystems, because they're most likely not used:
To prevent some of the filesystems from being disabled, add them to the `os_filesystem_whitelist` variable. To prevent some of the filesystems from being disabled, add them to the `os_filesystem_whitelist` variable.
## Installation
Install the role with ansible-galaxy:
```
ansible-galaxy install dev-sec.os-hardening
```
## Example Playbook ## Example Playbook
```yaml ```yaml
@ -115,7 +140,13 @@ So for example if you want to change the IPv4 traffic forwarding variable to `1`
net.ipv4.ip_forward: 1 net.ipv4.ip_forward: 1
``` ```
Alternatively you can change Ansible's [hash-behaviour](https://docs.ansible.com/ansible/intro_configuration.html#hash-behaviour) to `merge`, then you only have to overwrite the single hash you need to. But please be aware that changing the hash-behaviour changes it for all your playbooks and is not recommended by Ansible. Alternatively you can change Ansible's [hash-behaviour](https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-hash-behaviour) to `merge`, then you only have to overwrite the single hash you need to. But please be aware that changing the hash-behaviour changes it for all your playbooks and is not recommended by Ansible.
## Improving Kernel Audit logging
By default, any process that starts before the `auditd` daemon will have an AUID of `4294967295`. To improve this and provide more accurate logging, it's recommended to add the kernel boot parameter `audit=1` to you configuration. Without doing this, you will find that your `auditd` logs fail to properly audit all processes.
For more information, please see this [upstream documentation](https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html) and your system's boot loader documentation for how to configure additional kernel parameters.
## Local Testing ## Local Testing

74
ansible/roles/dev-sec.os-hardening/default.yml
View file

@ -1,74 +0,0 @@
---
- name: wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing
hosts: localhost
roles:
- ansible-os-hardening
pre_tasks:
- name: Run the equivalent of "apt-get update" as a separate step
apt:
update_cache: yes
when: ansible_os_family == 'Debian'
- name: Install firefox to get Xorg
package:
name: firefox
state: present
vars:
os_security_users_allow: change_user
os_security_kernel_enable_core_dump: false
os_security_suid_sgid_remove_from_unknown: true
os_auth_pam_passwdqc_enable: false
os_desktop_enable: true
os_env_extra_user_paths: ['/home']
os_auth_allow_homeless: true
os_security_suid_sgid_blacklist: ['/bin/umount']
os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
os_filesystem_whitelist: ['vfat']
sysctl_config:
net.ipv4.ip_forward: 0
net.ipv6.conf.all.forwarding: 0
net.ipv6.conf.all.accept_ra: 0
net.ipv6.conf.default.accept_ra: 0
net.ipv4.conf.all.rp_filter: 1
net.ipv4.conf.default.rp_filter: 1
net.ipv4.icmp_echo_ignore_broadcasts: 1
net.ipv4.icmp_ignore_bogus_error_responses: 1
net.ipv4.icmp_ratelimit: 100
net.ipv4.icmp_ratemask: 88089
net.ipv6.conf.all.disable_ipv6: 1
net.ipv4.conf.all.arp_ignore: 1
net.ipv4.conf.all.arp_announce: 2
net.ipv4.conf.all.shared_media: 1
net.ipv4.conf.default.shared_media: 1
net.ipv4.conf.all.accept_source_route: 0
net.ipv4.conf.default.accept_source_route: 0
net.ipv4.conf.default.accept_redirects: 0
net.ipv4.conf.all.accept_redirects: 0
net.ipv4.conf.all.secure_redirects: 0
net.ipv4.conf.default.secure_redirects: 0
net.ipv6.conf.default.accept_redirects: 0
net.ipv6.conf.all.accept_redirects: 0
net.ipv4.conf.all.send_redirects: 0
net.ipv4.conf.default.send_redirects: 0
net.ipv4.conf.all.log_martians: 1
net.ipv6.conf.default.router_solicitations: 0
net.ipv6.conf.default.accept_ra_rtr_pref: 0
net.ipv6.conf.default.accept_ra_pinfo: 0
net.ipv6.conf.default.accept_ra_defrtr: 0
net.ipv6.conf.default.autoconf: 0
net.ipv6.conf.default.dad_transmits: 0
net.ipv6.conf.default.max_addresses: 1
kernel.sysrq: 0
fs.suid_dumpable: 0
kernel.randomize_va_space: 2
- name: wrapper playbook for kitchen testing "ansible-os-hardening"
hosts: localhost
pre_tasks:
- name: Run the equivalent of "apt-get update" as a separate step
apt:
update_cache: yes
when: ansible_os_family == 'Debian'
roles:
- ansible-os-hardening

52
ansible/roles/dev-sec.os-hardening/defaults/main.yml
View file

@ -27,7 +27,7 @@ os_security_suid_sgid_remove_from_unknown: false
# remove packages with known issues # remove packages with known issues
os_security_packages_clean: true os_security_packages_clean: true
os_security_packages_list: ['xinetd','inetd','ypserv','telnet-server','rsh-server', 'prelink'] os_security_packages_list: ['xinetd', 'inetd', 'ypserv', 'telnet-server', 'rsh-server', 'prelink']
# Allow interactive startup (rhel, centos) # Allow interactive startup (rhel, centos)
os_security_init_prompt: true os_security_init_prompt: true
@ -175,17 +175,6 @@ sysctl_config:
kernel.core_uses_pid: 1 kernel.core_uses_pid: 1
# When an attacker is trying to exploit the local kernel, it is often
# helpful to be able to examine where in memory the kernel, modules,
# and data structures live. As such, kernel addresses should be treated
# as sensitive information.
#
# Many files and interfaces contain these addresses (e.g. /proc/kallsyms,
# /proc/modules, etc), and this setting can censor the addresses. A value
# of "0" allows all users to see the kernel addresses. A value of "1"
# limits visibility to the root user, and "2" blocks even the root user.
kernel.kptr_restrict: 1
# The PTRACE system is used for debugging. With it, a single user process # The PTRACE system is used for debugging. With it, a single user process
# can attach to any other dumpable process owned by the same user. In the # can attach to any other dumpable process owned by the same user. In the
# case of malicious software, it is possible to use PTRACE to access # case of malicious software, it is possible to use PTRACE to access
@ -226,6 +215,33 @@ sysctl_config:
fs.protected_hardlinks: 1 fs.protected_hardlinks: 1
fs.protected_symlinks: 1 fs.protected_symlinks: 1
# These settings are set to the maximum supported value in order to
# improve ASLR effectiveness for mmap, at the cost of increased
# address-space fragmentation. | Tail-1
vm.mmap_rnd_bits: 32
vm.mmap_rnd_compat_bits: 16
# When an attacker is trying to exploit the local kernel, it is often
# helpful to be able to examine where in memory the kernel, modules,
# and data structures live. As such, kernel addresses should be treated
# as sensitive information.
#
# Many files and interfaces contain these addresses (e.g. /proc/kallsyms,
# /proc/modules, etc), and this setting can censor the addresses. A value
# of "0" allows all users to see the kernel addresses. A value of "1"
# limits visibility to the root user, and "2" blocks even the root user.
#
# Some off-the-shelf malware exploit kernel addresses exposed
# via /proc/kallsyms so by not making these addresses easily available
# we increase the cost of such attack some what; now such malware has
# to check which kernel Tails is running and then fetch the corresponding
# kernel address map from some external source. This is not hard,
# but certainly not all malware has such functionality. | Tails-2
kernel.kptr_restrict: 2
# kexec is dangerous: it enables replacement of the running kernel. | Tails-3
kernel.kexec_load_disabled: 1
# Do not delete the following line or otherwise the playbook will fail # Do not delete the following line or otherwise the playbook will fail
# at task 'create a combined sysctl-dict if overwrites are defined' # at task 'create a combined sysctl-dict if overwrites are defined'
sysctl_overwrite: sysctl_overwrite:
@ -240,6 +256,12 @@ os_unused_filesystems:
- "squashfs" - "squashfs"
- "udf" - "udf"
- "vfat" - "vfat"
# Obsolete network protocols that should be disabled
# per CIS Oracle Linux 6 Benchmark (2016)
- "tipc" # CIS 3.5.4
- "sctp" # CIS 3.5.2
- "dccp" # CIS 3.5.1
- "rds" # CIS 3.5.3
# whitelist for used filesystems # whitelist for used filesystems
os_filesystem_whitelist: [] os_filesystem_whitelist: []
@ -250,3 +272,9 @@ os_hardening_enabled: true
# Set to false to disable installing and configuring auditd. # Set to false to disable installing and configuring auditd.
os_auditd_enabled: true os_auditd_enabled: true
os_auditd_max_log_file_action: keep_logs
# Set the SELinux state, can be either disabled, permissive, or enforcing.
os_selinux_state: enforcing
# Set the SELinux polixy.
os_selinux_policy: targeted

3
ansible/roles/dev-sec.os-hardening/handlers/main.yml Normal file
View file

@ -0,0 +1,3 @@
---
- name: update-initramfs
command: 'update-initramfs -u'

3
ansible/roles/dev-sec.os-hardening/meta/.galaxy_install_info
View file

@ -1 +1,2 @@
{install_date: 'Mon Dec 17 12:48:33 2018', version: 5.1.0} install_date: Fri May 15 20:29:23 2020
version: 6.0.1

11
ansible/roles/dev-sec.os-hardening/meta/main.yml
View file

@ -1,7 +1,7 @@
--- ---
galaxy_info: galaxy_info:
author: "Sebastian Gumprich" author: "Sebastian Gumprich"
description: 'This Ansible role provides numerous security-related configurations, providing all-round base protection.' description: 'This role provides numerous security-related configurations, providing all-round base protection.'
company: Hardening Framework Team company: Hardening Framework Team
license: Apache License 2.0 license: Apache License 2.0
min_ansible_version: '2.5' min_ansible_version: '2.5'
@ -10,17 +10,18 @@ galaxy_info:
versions: versions:
- 6 - 6
- 7 - 7
- 8
- name: Ubuntu - name: Ubuntu
versions: versions:
- precise
- trusty
- xenial - xenial
- bionic - bionic
- name: Debian - name: Debian
versions: versions:
- wheezy - stretch
- jessie - buster
- name: Amazon - name: Amazon
- name: Fedora
- name: openSUSE
galaxy_tags: galaxy_tags:
- system - system
- security - security

6
ansible/roles/dev-sec.os-hardening/tasks/apt.yml
View file

@ -1,8 +1,6 @@
--- ---
- name: remove deprecated or insecure packages | package-01 - package-09 - name: remove deprecated or insecure packages | package-01 - package-09
apt: apt:
name: '{{ item }}' name: '{{ os_security_packages_list }}'
state: 'absent' state: 'absent'
with_items: when: os_security_packages_clean | bool
- '{{ os_security_packages_list }}'
when: 'os_security_packages_clean'

12
ansible/roles/dev-sec.os-hardening/tasks/find_files.yml
View file

@ -1,12 +0,0 @@
- name: find directories for minimizing access
find:
paths: '{{ outer_item }}'
recurse: yes
register: minimize_access_directories
- name: minimize access on found files
file:
path: '{{ item.path }}'
mode: 'go-w'
state: file
with_items: '{{ minimize_access_directories.files }}'

21
ansible/roles/dev-sec.os-hardening/tasks/hardening.yml
View file

@ -1,21 +1,21 @@
--- ---
- name: Set OS family dependent variables - name: Set OS family dependent variables
include_vars: '{{ ansible_os_family }}.yml' include_vars: '{{ ansible_facts.os_family }}.yml'
tags: always tags: always
- name: Set OS dependent variables - name: Set OS dependent variables
include_vars: '{{ item }}' include_vars: '{{ item }}'
with_first_found: with_first_found:
- files: - files:
- '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml' - '{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_major_version }}.yml'
- '{{ ansible_distribution }}.yml' - '{{ ansible_facts.distribution }}.yml'
- '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml' - '{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml'
skip: true skip: true
tags: always tags: always
- import_tasks: auditd.yml - import_tasks: auditd.yml
tags: auditd tags: auditd
when: os_auditd_enabled when: os_auditd_enabled | bool
- import_tasks: limits.yml - import_tasks: limits.yml
tags: limits tags: limits
@ -39,7 +39,7 @@
tags: securetty tags: securetty
- import_tasks: suid_sgid.yml - import_tasks: suid_sgid.yml
when: os_security_suid_sgid_enforce when: os_security_suid_sgid_enforce | bool
tags: suid_sgid tags: suid_sgid
- import_tasks: sysctl.yml - import_tasks: sysctl.yml
@ -52,9 +52,14 @@
tags: rhosts tags: rhosts
- import_tasks: yum.yml - import_tasks: yum.yml
when: ansible_os_family == 'RedHat' when: ansible_facts.os_family == 'RedHat'
tags: yum tags: yum
- import_tasks: apt.yml - import_tasks: apt.yml
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' when: ansible_facts.distribution == 'Debian' or ansible_facts.distribution == 'Ubuntu'
tags: apt tags: apt
- import_tasks: selinux.yml
tags: selinux
when:
- ansible_facts.selinux.status == 'enabled'

10
ansible/roles/dev-sec.os-hardening/tasks/limits.yml
View file

@ -9,14 +9,14 @@
mode: '0755' mode: '0755'
state: 'directory' state: 'directory'
- name: create aditional limits config file -> 10.hardcore.conf | sysctl-31a, sysctl-31b - name: create additional limits config file -> 10.hardcore.conf | sysctl-31a, sysctl-31b
pam_limits: pam_limits:
dest: '/etc/security/limits.d/10.hardcore.conf' dest: '/etc/security/limits.d/10.hardcore.conf'
domain: '*' domain: '*'
limit_type: hard limit_type: hard
limit_item: core limit_item: core
value: 0 value: '0'
comment: Prevent core dumps for all users. These are usually only needed by developers and may contain sensitive information comment: Prevent core dumps for all users. These are usually not needed and may contain sensitive information
- name: set 10.hardcore.conf perms to 0400 and root ownership - name: set 10.hardcore.conf perms to 0400 and root ownership
file: file:
@ -25,10 +25,10 @@
group: 'root' group: 'root'
mode: '0440' mode: '0440'
when: 'not os_security_kernel_enable_core_dump' when: not os_security_kernel_enable_core_dump | bool
- name: remove 10.hardcore.conf config file - name: remove 10.hardcore.conf config file
file: file:
path: /etc/security/limits.d/10.hardcore.conf path: /etc/security/limits.d/10.hardcore.conf
state: absent state: absent
when: 'os_security_kernel_enable_core_dump' when: os_security_kernel_enable_core_dump | bool

1
ansible/roles/dev-sec.os-hardening/tasks/login_defs.yml
View file

@ -6,4 +6,3 @@
owner: 'root' owner: 'root'
group: 'root' group: 'root'
mode: '0444' mode: '0444'

4
ansible/roles/dev-sec.os-hardening/tasks/main.yml
View file

@ -1,4 +1,4 @@
--- ---
- include_tasks: hardening.yml - import_tasks: hardening.yml
when: os_hardening_enabled when: os_hardening_enabled | bool

27
ansible/roles/dev-sec.os-hardening/tasks/minimize_access.yml
View file

@ -1,16 +1,31 @@
--- ---
# Using a two-pass approach for checking directories in order to support symlinks. # If the find-task throws an error on /usr/bin/X11 like "File system loop detected"
- include_tasks: find_files.yml # the other files inside /usr/bin (and all other directories) are
loop_control: # still getting found and the permissions minimized in the next task.
loop_var: outer_item # This is also the reason why there's ignore_errors: true on the task.
loop: # also see: https://github.com/dev-sec/ansible-os-hardening/issues/219
- name: find files with write-permissions for group
shell: "find -L {{ item }} -perm /go+w -type f" # noqa 305
with_flattened:
- '/usr/local/sbin' - '/usr/local/sbin'
- '/usr/local/bin' - '/usr/local/bin'
- '/usr/sbin' - '/usr/sbin'
- '/usr/bin' - '/usr/bin'
- '/sbin' - '/sbin'
- '/bin' - '/bin'
- '{{ os_env_extra_user_paths }}' - "{{ os_env_extra_user_paths }}" # noqa 104
register: minimize_access_directories
ignore_errors: true
changed_when: false
- name: minimize access on found files
file:
path: '{{ item.1 }}'
mode: 'go-w'
state: file
with_subelements:
- "{{ minimize_access_directories.results }}"
- stdout_lines
- name: change shadow ownership to root and mode to 0600 | os-02 - name: change shadow ownership to root and mode to 0600 | os-02
file: file:

5
ansible/roles/dev-sec.os-hardening/tasks/modprobe.yml
View file

@ -1,7 +1,7 @@
--- ---
- name: install modprobe to disable filesystems | os-10 - name: install modprobe to disable filesystems | os-10
package: package:
name: '{{modprobe_package}}' name: '{{ modprobe_package }}'
state: 'present' state: 'present'
- name: check if efi is installed - name: check if efi is installed
@ -20,5 +20,4 @@
dest: '/etc/modprobe.d/dev-sec.conf' dest: '/etc/modprobe.d/dev-sec.conf'
owner: 'root' owner: 'root'
group: 'root' group: 'root'
mode: '0640' mode: '0644'

57
ansible/roles/dev-sec.os-hardening/tasks/pam.yml
View file

@ -1,7 +1,7 @@
--- ---
- name: update pam on Debian systems - name: update pam on Debian systems
command: 'pam-auth-update --package' command: 'pam-auth-update --package'
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' when: ansible_facts.distribution in ['Debian', 'Ubuntu']
changed_when: False changed_when: False
environment: environment:
DEBIAN_FRONTEND: noninteractive DEBIAN_FRONTEND: noninteractive
@ -19,14 +19,18 @@
apt: apt:
name: '{{ os_packages_pam_cracklib }}' name: '{{ os_packages_pam_cracklib }}'
state: 'absent' state: 'absent'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- os_auth_pam_passwdqc_enable
- name: install the package for strong password checking - name: install the package for strong password checking
apt: apt:
name: '{{ os_packages_pam_passwdqc }}' name: '{{ os_packages_pam_passwdqc }}'
state: 'present' state: 'present'
update_cache: 'yes' update_cache: 'yes'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- os_auth_pam_passwdqc_enable
- name: configure passwdqc - name: configure passwdqc
template: template:
@ -35,19 +39,26 @@
mode: '0644' mode: '0644'
owner: 'root' owner: 'root'
group: 'root' group: 'root'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- os_auth_pam_passwdqc_enable
- name: remove passwdqc - name: remove passwdqc
apt: apt:
name: '{{ os_packages_pam_passwdqc }}' name: '{{ os_packages_pam_passwdqc }}'
state: 'absent' state: 'absent'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- not os_auth_pam_passwdqc_enable
- name: install tally2 - name: install tally2
apt: apt:
name: 'libpam-modules' name: 'libpam-modules'
state: 'present' state: 'present'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0 when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- not os_auth_pam_passwdqc_enable
- os_auth_retries > 0
- name: configure tally2 - name: configure tally2
template: template:
@ -56,31 +67,47 @@
mode: '0644' mode: '0644'
owner: 'root' owner: 'root'
group: 'root' group: 'root'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0 when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- not os_auth_pam_passwdqc_enable
- os_auth_retries > 0
- name: delete tally2 when retries is 0 - name: delete tally2 when retries is 0
file: file:
path: '{{ tally2_path }}' path: '{{ tally2_path }}'
state: 'absent' state: 'absent'
when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries == 0 when:
- ansible_facts.distribution in ['Debian', 'Ubuntu']
- not os_auth_pam_passwdqc_enable
- os_auth_retries == 0
- name: remove pam_cracklib, because it does not play nice with passwdqc - name: remove pam_cracklib, because it does not play nice with passwdqc
yum: yum:
name: '{{ os_packages_pam_cracklib }}' name: '{{ os_packages_pam_cracklib }}'
state: 'absent' state: 'absent'
when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable when:
- ansible_facts.os_family == 'RedHat'
- ansible_facts.distribution_major_version|int is version('7', '<')
- ansible_facts.distribution != 'Amazon'
- os_auth_pam_passwdqc_enable
- name: install the package for strong password checking - name: install the package for strong password checking
yum: yum:
name: '{{ os_packages_pam_passwdqc }}' name: '{{ os_packages_pam_passwdqc }}'
state: 'present' state: 'present'
when: (ansible_os_family == 'RedHat' and ansible_distribution_version < '7' and not ansible_distribution == 'Amazon') and os_auth_pam_passwdqc_enable when:
- ansible_facts.os_family == 'RedHat'
- ansible_facts.distribution_major_version|int is version('7', '<')
- ansible_facts.distribution != 'Amazon'
- os_auth_pam_passwdqc_enable
- name: remove passwdqc - name: remove passwdqc
yum: yum:
name: '{{ os_packages_pam_passwdqc }}' name: '{{ os_packages_pam_passwdqc }}'
state: 'absent' state: 'absent'
when: ansible_os_family == 'RedHat' and not os_auth_pam_passwdqc_enable when:
- ansible_facts.os_family == 'RedHat'
- not os_auth_pam_passwdqc_enable
- name: configure passwdqc and tally via central system-auth confic - name: configure passwdqc and tally via central system-auth confic
template: template:
@ -89,11 +116,17 @@
mode: '0640' mode: '0640'
owner: 'root' owner: 'root'
group: 'root' group: 'root'
when: ansible_facts.os_family == 'RedHat'
- name: Gather package facts
package_facts:
manager: auto
- name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512 - name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
template: template:
src: 'etc/rhel_libuser.conf.j2' src: 'etc/libuser.conf.j2'
dest: '/etc/libuser.conf' dest: '/etc/libuser.conf'
mode: '0640' mode: '0640'
owner: 'root' owner: 'root'
group: 'root' group: 'root'
when: "'libuser' in ansible_facts.packages"

4
ansible/roles/dev-sec.os-hardening/tasks/profile.yml
View file

@ -6,10 +6,10 @@
owner: 'root' owner: 'root'
group: 'root' group: 'root'
mode: '0750' mode: '0750'
when: not os_security_kernel_enable_core_dump when: not os_security_kernel_enable_core_dump | bool
- name: remove pinerolo_profile.sh from profile.d - name: remove pinerolo_profile.sh from profile.d
file: file:
path: /etc/profile.d/pinerolo_profile.sh path: /etc/profile.d/pinerolo_profile.sh
state: absent state: absent
when: os_security_kernel_enable_core_dump when: os_security_kernel_enable_core_dump | bool

6
ansible/roles/dev-sec.os-hardening/tasks/rhosts.yml
View file

@ -3,13 +3,13 @@
command: "awk -F: '{print $1}' /etc/passwd" command: "awk -F: '{print $1}' /etc/passwd"
changed_when: False changed_when: False
check_mode: False check_mode: False
register: users register: users_accounts
- name: delete rhosts-files from system | os-09 - name: delete rhosts-files from system | os-09
file: file:
dest: '~{{ item }}/.rhosts' dest: '~{{ item }}/.rhosts'
state: 'absent' state: 'absent'
with_flattened: '{{ users.stdout_lines | default([]) }}' with_flattened: '{{ users_accounts.stdout_lines | default([]) }}'
- name: delete hosts.equiv from system | os-01 - name: delete hosts.equiv from system | os-01
file: file:
@ -20,4 +20,4 @@
file: file:
dest: '~{{ item }}/.netrc' dest: '~{{ item }}/.netrc'
state: 'absent' state: 'absent'
with_flattened: '{{ users.stdout_lines | default([]) }}' with_flattened: '{{ users_accounts.stdout_lines | default([]) }}'

5
ansible/roles/dev-sec.os-hardening/tasks/selinux.yml Normal file
View file

@ -0,0 +1,5 @@
---
- name: configure selinux | selinux-01
selinux:
policy: "{{ os_selinux_policy }}"
state: "{{ os_selinux_state }}"

6
ansible/roles/dev-sec.os-hardening/tasks/suid_sgid.yml
View file

@ -13,13 +13,13 @@
- name: find binaries with suid/sgid set | os-06 - name: find binaries with suid/sgid set | os-06
shell: find / -xdev \( -perm -4000 -o -perm -2000 \) -type f ! -path '/proc/*' -print 2>/dev/null shell: find / -xdev \( -perm -4000 -o -perm -2000 \) -type f ! -path '/proc/*' -print 2>/dev/null
register: sbit_binaries register: sbit_binaries
when: os_security_suid_sgid_remove_from_unknown when: os_security_suid_sgid_remove_from_unknown | bool
changed_when: False changed_when: False
- name: gather files from which to remove suids/sgids and remove system white-listed files | os-06 - name: gather files from which to remove suids/sgids and remove system white-listed files | os-06
set_fact: set_fact:
suid: '{{ sbit_binaries.stdout_lines | difference(os_security_suid_sgid_system_whitelist) }}' suid: '{{ sbit_binaries.stdout_lines | difference(os_security_suid_sgid_system_whitelist) }}'
when: os_security_suid_sgid_remove_from_unknown when: os_security_suid_sgid_remove_from_unknown | bool
- name: remove suid/sgid bit from all binaries except in system and user whitelist | os-06 - name: remove suid/sgid bit from all binaries except in system and user whitelist | os-06
file: file:
@ -29,4 +29,4 @@
follow: 'yes' follow: 'yes'
with_flattened: with_flattened:
- '{{ suid | default([]) | difference(os_security_suid_sgid_whitelist) }}' - '{{ suid | default([]) | difference(os_security_suid_sgid_whitelist) }}'
when: os_security_suid_sgid_remove_from_unknown when: os_security_suid_sgid_remove_from_unknown | bool

62
ansible/roles/dev-sec.os-hardening/tasks/sysctl.yml
View file

@ -13,14 +13,15 @@
owner: 'root' owner: 'root'
group: 'root' group: 'root'
mode: '0544' mode: '0544'
when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS' or ansible_distribution == 'Amazon' when: ansible_facts.distribution == 'RedHat' or ansible_facts.distribution == 'Fedora' or
ansible_facts.distribution == 'CentOS' or ansible_facts.distribution == 'Amazon'
- name: install initramfs-tools - name: install initramfs-tools
apt: apt:
name: 'initramfs-tools' name: 'initramfs-tools'
state: 'present' state: 'present'
update_cache: true update_cache: true
when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading when: ansible_facts.os_family == 'Debian' and os_security_kernel_enable_module_loading
- name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled - name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled
template: template:
@ -29,41 +30,44 @@
owner: 'root' owner: 'root'
group: 'root' group: 'root'
mode: '0440' mode: '0440'
when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading notify:
- update-initramfs
when: ansible_facts.os_family == 'Debian' and os_security_kernel_enable_module_loading
register: initramfs register: initramfs
- name: update-initramfs - name: change sysctls
command: 'update-initramfs -u' block:
when: initramfs.changed - name: create a combined sysctl-dict if overwrites are defined
set_fact:
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
when: sysctl_overwrite | default()
- name: create a combined sysctl-dict if overwrites are defined - name: Change various sysctl-settings, look at the sysctl-vars file for documentation
set_fact: sysctl:
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}' name: '{{ item.key }}'
when: sysctl_overwrite | default() value: '{{ item.value }}'
sysctl_set: yes
state: present
reload: yes
ignoreerrors: yes
with_dict: '{{ sysctl_config }}'
- name: Change various sysctl-settings, look at the sysctl-vars file for documentation - name: Change various sysctl-settings on rhel6-hosts or older, look at the sysctl-vars file for documentation
sysctl: sysctl:
name: '{{ item.key }}' name: '{{ item.key }}'
value: '{{ item.value }}' value: '{{ item.value }}'
sysctl_set: yes state: present
state: present reload: yes
reload: yes ignoreerrors: yes
ignoreerrors: yes with_dict: '{{ sysctl_rhel_config }}'
with_dict: '{{ sysctl_config }}' when: ((ansible_facts.distribution == 'RedHat' or ansible_facts.distribution == 'Fedora' or ansible_facts.distribution == 'CentOS') and
ansible_distribution_version|int is version('7', '<')) or ansible_facts.distribution == 'Amazon'
- name: Change various sysctl-settings on rhel6-hosts or older, look at the sysctl-vars file for documentation when: ansible_virtualization_type not in ['docker', 'openvz', 'lxc']
sysctl:
name: '{{ item.key }}'
value: '{{ item.value }}'
state: present
reload: yes
ignoreerrors: yes
with_dict: '{{ sysctl_rhel_config }}'
when: ((ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS') and ansible_distribution_major_version < '7') or ansible_distribution == 'Amazon'
- name: Apply ufw defaults - name: Apply ufw defaults
template: template:
src: 'etc/default/ufw.j2' src: 'etc/default/ufw.j2'
dest: '/etc/default/ufw' dest: '/etc/default/ufw'
when: ufw_manage_defaults and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') when: ufw_manage_defaults and (ansible_facts.distribution == 'Debian' or ansible_facts.distribution == 'Ubuntu')
tags: ufw tags: ufw

8
ansible/roles/dev-sec.os-hardening/tasks/user_accounts.yml
View file

@ -10,17 +10,19 @@
- name: calculate UID_MAX from UID_MIN by substracting 1 - name: calculate UID_MAX from UID_MIN by substracting 1
set_fact: set_fact:
uid_max: '{{ uid_min.stdout | int - 1 }}' uid_max: '{{ uid_min.stdout | int - 1 }}'
when: uid_min is defined when: uid_min.stdout|int > 0
- name: set UID_MAX on Debian-systems if no login.defs exist - name: set UID_MAX on Debian-systems if no login.defs exist
set_fact: set_fact:
uid_max: '999' uid_max: '999'
when: ansible_os_family == 'Debian' and not uid_min when:
- ansible_facts.os_family == 'Debian'
- uid_max is not defined
- name: set UID_MAX on other systems if no login.defs exist - name: set UID_MAX on other systems if no login.defs exist
set_fact: set_fact:
uid_max: '499' uid_max: '499'
when: not uid_min when: uid_max is not defined
- name: get all system accounts - name: get all system accounts
command: awk -F'':'' '{ if ( $3 <= {{ uid_max|quote }} ) print $1}' /etc/passwd command: awk -F'':'' '{ if ( $3 <= {{ uid_max|quote }} ) print $1}' /etc/passwd

32
ansible/roles/dev-sec.os-hardening/tasks/yum.yml
View file

@ -7,41 +7,35 @@
- 'CentOS-Debuginfo' - 'CentOS-Debuginfo'
- 'CentOS-Media' - 'CentOS-Media'
- 'CentOS-Vault' - 'CentOS-Vault'
when: os_security_packages_clean when: os_security_packages_clean | bool
- name: get yum-repository-files - name: get yum-repository-files
shell: 'find /etc/yum.repos.d/ -type f -name *.repo' shell: 'find /etc/yum.repos.d/ -type f -name *.repo'
changed_when: False changed_when: False
register: yum_repos register: yum_repos
- name: check if rhnplugin.conf exists
stat:
path: '/etc/yum/pluginconf.d/rhnplugin.conf'
register: rhnplugin_file
# for the 'default([])' see here: # for the 'default([])' see here:
# https://github.com/dev-sec/ansible-os-hardening/issues/99 and # https://github.com/dev-sec/ansible-os-hardening/issues/99 and
# https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause # https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause
- name: activate gpg-check for yum-repos #
# failed_when is needed because by default replace module will fail if the file doesn't exists.
# status.rc is only defined if an error accrued and only error code (rc) 257 will be ignored.
# All other errors will still be raised.
- name: activate gpg-check for config files
replace: replace:
dest: '{{ item }}' dest: '{{ item }}'
regexp: '^\s*gpgcheck: 0' regexp: '^\s*gpgcheck: 0'
replace: 'gpgcheck: 1' replace: 'gpgcheck: 1'
register: status
failed_when: status.rc is defined and status.rc != 257
with_flattened: with_flattened:
- '/etc/yum.conf' - '/etc/yum.conf'
- '{{ yum_repos.stdout_lines| default([]) }}' - '/etc/dnf/dnf.conf'
- '{{ yum_repos.stdout_lines| default([]) }}' # noqa 104
- name: activate gpg-check for yum rhn if it exists - '/etc/yum/pluginconf.d/rhnplugin.conf'
replace:
dest: '/etc/yum/pluginconf.d/rhnplugin.conf'
regexp: '^\s*gpgcheck: 0'
replace: 'gpgcheck: 1'
when: rhnplugin_file.stat.exists
- name: remove deprecated or insecure packages | package-01 - package-09 - name: remove deprecated or insecure packages | package-01 - package-09
yum: yum:
name: '{{ item }}' name: '{{ os_security_packages_list }}'
state: 'absent' state: 'absent'
with_items: when: os_security_packages_clean | bool
- '{{ os_security_packages_list }}'
when: os_security_packages_clean

4
ansible/roles/dev-sec.os-hardening/templates/etc/audit/auditd.conf.j2
View file

@ -1,3 +1,5 @@
{{ ansible_managed | comment }}
log_file = /var/log/audit/audit.log log_file = /var/log/audit/audit.log
log_format = RAW log_format = RAW
log_group = root log_group = root
@ -10,7 +12,7 @@ dispatcher = /sbin/audispd
name_format = NONE name_format = NONE
##name = mydomain ##name = mydomain
max_log_file = 6 max_log_file = 6
max_log_file_action = keep_logs max_log_file_action = {{ os_auditd_max_log_file_action }}
space_left = 75 space_left = 75
space_left_action = SYSLOG space_left_action = SYSLOG
action_mail_acct = root action_mail_acct = root

3
ansible/roles/dev-sec.os-hardening/templates/etc/default/ufw.j2
View file

@ -1,4 +1,5 @@
# {{ ansible_managed | comment }} {{ ansible_managed | comment }}
# /etc/default/ufw # /etc/default/ufw
# #

7
ansible/roles/dev-sec.os-hardening/templates/etc/initramfs-tools/modules.j2
View file

@ -1,4 +1,5 @@
# {{ ansible_managed | comment }} {{ ansible_managed | comment }}
# This file contains the names of kernel modules that should be loaded at boot time, one per line. Lines beginning with "#" are ignored. # This file contains the names of kernel modules that should be loaded at boot time, one per line. Lines beginning with "#" are ignored.
# #
# A list of all available kernel modules kann be found with `find /lib/modules/$(uname -r)/kernel/` # A list of all available kernel modules kann be found with `find /lib/modules/$(uname -r)/kernel/`
@ -10,7 +11,7 @@
# #
# Modules for certains builds, contains support modules and some CPU-specific optimizations. # Modules for certains builds, contains support modules and some CPU-specific optimizations.
{% if ansible_architecture == 'x86_64' %} {% if ansible_facts.architecture == 'x86_64' %}
# Optimize for x86_64 cryptographic features # Optimize for x86_64 cryptographic features
twofish-x86_64-3way twofish-x86_64-3way
twofish-x86_64 twofish-x86_64
@ -19,7 +20,7 @@ salsa20-x86_64
blowfish-x86_64 blowfish-x86_64
{% endif %} {% endif %}
{% if 'amd' in ansible_processor %} {% if 'amd' in ansible_facts.processor %}
# AMD-specific optimizations # AMD-specific optimizations
kvm-amd kvm-amd
{% else %} {% else %}

4
ansible/roles/dev-sec.os-hardening/templates/etc/rhel_libuser.conf.j2 → ansible/roles/dev-sec.os-hardening/templates/etc/libuser.conf.j2
View file

@ -1,6 +1,6 @@
# See libuser.conf(5) for more information. {{ ansible_managed | comment }}
# {{ ansible_managed | comment }} # See libuser.conf(5) for more information.
# Do not modify the default module list if you care about unattended calls # Do not modify the default module list if you care about unattended calls
# to programs (i.e., scripts) working! # to programs (i.e., scripts) working!

101
ansible/roles/dev-sec.os-hardening/templates/etc/login.defs.j2
View file

@ -1,4 +1,5 @@
# {{ ansible_managed | comment }} {{ ansible_managed | comment }}
# Configuration control definitions for the login package. # Configuration control definitions for the login package.
# #
# Three items must be defined: `MAIL_DIR`, `ENV_SUPATH`, and `ENV_PATH`. If unspecified, some arbitrary (and possibly incorrect) value will be assumed. All other items are optional - if not specified then the described action or option will be inhibited. # Three items must be defined: `MAIL_DIR`, `ENV_SUPATH`, and `ENV_PATH`. If unspecified, some arbitrary (and possibly incorrect) value will be assumed. All other items are optional - if not specified then the described action or option will be inhibited.
@ -7,6 +8,7 @@
# #
#-- Modified for Linux. --marekm #-- Modified for Linux. --marekm
{% if os_useradd_mail_dir is defined %}
# *REQUIRED for useradd/userdel/usermod* # *REQUIRED for useradd/userdel/usermod*
# #
# Directory where mailboxes reside, _or_ name of file, relative to the home directory. If you _do_ define `MAIL_DIR` and `MAIL_FILE`, `MAIL_DIR` takes precedence. # Directory where mailboxes reside, _or_ name of file, relative to the home directory. If you _do_ define `MAIL_DIR` and `MAIL_FILE`, `MAIL_DIR` takes precedence.
@ -19,136 +21,141 @@
# #
# See default PAM configuration files provided for login, su, etc. # See default PAM configuration files provided for login, su, etc.
# This is a temporary situation: setting these variables will soon move to `/etc/default/useradd` and the variables will then be no more supported # This is a temporary situation: setting these variables will soon move to `/etc/default/useradd` and the variables will then be no more supported
MAIL_DIR /var/mail MAIL_DIR {{ os_useradd_mail_dir }}
#MAIL_FILE .mail {% endif %}
{% if os_useradd_create_home is defined %}
# If useradd should create home directories for users by default
CREATE_HOME {{ 'yes' if os_useradd_create_home else 'no' }}
{% endif %}
# Enable logging and display of `/var/log/faillog` login failure info. This option conflicts with the `pam_tally` PAM module. # Enable logging and display of `/var/log/faillog` login failure info. This option conflicts with the `pam_tally` PAM module.
FAILLOG_ENAB yes FAILLOG_ENAB yes
# Enable display of unknown usernames when login failures are recorded. # Enable display of unknown usernames when login failures are recorded.
# #
# *WARNING*: Unknown usernames may become world readable. See #290803 and #298773 for details about how this could become a security concern # *WARNING*: Unknown usernames may become world readable. See #290803 and #298773 for details about how this could become a security concern
LOG_UNKFAIL_ENAB no LOG_UNKFAIL_ENAB no
# Enable logging of successful logins # Enable logging of successful logins
LOG_OK_LOGINS yes LOG_OK_LOGINS yes
# Enable "syslog" logging of su activity - in addition to sulog file logging. # Enable "syslog" logging of su activity - in addition to sulog file logging.
SYSLOG_SU_ENAB yes SYSLOG_SU_ENAB yes
# Enable "syslog" logging of newgrp and sg. # Enable "syslog" logging of newgrp and sg.
SYSLOG_SG_ENAB yes SYSLOG_SG_ENAB yes
# If defined, all su activity is logged to this file. # If defined, all su activity is logged to this file.
#SULOG_FILE /var/log/sulog #SULOG_FILE /var/log/sulog
# If defined, file which maps tty line to `TERM` environment parameter. Each line of the file is in a format something like "vt100 tty01". # If defined, file which maps tty line to `TERM` environment parameter. Each line of the file is in a format something like "vt100 tty01".
#TTYTYPE_FILE /etc/ttytype #TTYTYPE_FILE /etc/ttytype
# If defined, login failures will be logged here in a utmp format last, when invoked as lastb, will read `/var/log/btmp`, so... # If defined, login failures will be logged here in a utmp format last, when invoked as lastb, will read `/var/log/btmp`, so...
FTMP_FILE /var/log/btmp FTMP_FILE /var/log/btmp
# If defined, the command name to display when running "su -". For # example, if this is defined as "su" then a "ps" will display the command is "-su". If not defined, then "ps" would display the name of the shell actually being run, e.g. something like "-sh". # If defined, the command name to display when running "su -". For # example, if this is defined as "su" then a "ps" will display the command is "-su". If not defined, then "ps" would display the name of the shell actually being run, e.g. something like "-sh".
SU_NAME su SU_NAME su
# If defined, file which inhibits all the usual chatter during the login sequence. If a full pathname, then hushed mode will be enabled if the user's name or shell are found in the file. If not a full pathname, then hushed mode will be enabled if the file exists in the user's home directory. # If defined, file which inhibits all the usual chatter during the login sequence. If a full pathname, then hushed mode will be enabled if the user's name or shell are found in the file. If not a full pathname, then hushed mode will be enabled if the file exists in the user's home directory.
#HUSHLOGIN_FILE /etc/hushlogins #HUSHLOGIN_FILE /etc/hushlogins
HUSHLOGIN_FILE .hushlogin HUSHLOGIN_FILE .hushlogin
# *REQUIRED*: The default PATH settings, for superuser and normal users. (they are minimal, add the rest in the shell startup files) # *REQUIRED*: The default PATH settings, for superuser and normal users. (they are minimal, add the rest in the shell startup files)
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin{{ os_env_extra_user_paths| join (':') }} ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:{{ os_env_extra_user_paths | join (':') }}
# Terminal permissions # Terminal permissions
# -------------------- # --------------------
# Login tty will be assigned this group ownership. # Login tty will be assigned this group ownership.
# If you have a "write" program which is "setgid" to a special group which owns the terminals, define `TTYGROUP` to the group number and `TTYPERM` to `0620`. Otherwise leave `TTYGROUP` commented out and assign `TTYPERM` to either `622` or `600`. # If you have a "write" program which is "setgid" to a special group which owns the terminals, define `TTYGROUP` to the group number and `TTYPERM` to `0620`. Otherwise leave `TTYGROUP` commented out and assign `TTYPERM` to either `622` or `600`.
TTYGROUP tty TTYGROUP tty
# Login tty will be set to this permission. # Login tty will be set to this permission.
# In Debian `/usr/bin/bsd-write` or similar programs are setgid tty. However, the default and recommended value for `TTYPERM` is still `0600` to not allow anyone to write to anyone else console or terminal # In Debian `/usr/bin/bsd-write` or similar programs are setgid tty. However, the default and recommended value for `TTYPERM` is still `0600` to not allow anyone to write to anyone else console or terminal
# Users can still allow other people to write them by issuing the `mesg y` command. # Users can still allow other people to write them by issuing the `mesg y` command.
TTYPERM 0600 TTYPERM 0600
# Login conf initializations # Login conf initializations
# -------------------------- # --------------------------
# Terminal ERASE character ('\010' = backspace). Only used on System V. # Terminal ERASE character ('\010' = backspace). Only used on System V.
ERASECHAR 0177 ERASECHAR 0177
# Terminal KILL character ('\025' = CTRL/U). Only used on System V. # Terminal KILL character ('\025' = CTRL/U). Only used on System V.
KILLCHAR 025 KILLCHAR 025
# The default umask value for `pam_umask` and is used by useradd and newusers to set the mode of the new home directories. # The default umask value for `pam_umask` and is used by useradd and newusers to set the mode of the new home directories.
# If `USERGROUPS_ENAB` is set to `yes`, that will modify this `UMASK` default value for private user groups, i. e. the uid is the same as gid, and username is the same as the primary group name: for these, the user permissions will be used as group permissions, e. g. `022` will become `002`. # If `USERGROUPS_ENAB` is set to `yes`, that will modify this `UMASK` default value for private user groups, i. e. the uid is the same as gid, and username is the same as the primary group name: for these, the user permissions will be used as group permissions, e. g. `022` will become `002`.
# Prefix these values with `0` to get octal, `0x` to get hexadecimal. # Prefix these values with `0` to get octal, `0x` to get hexadecimal.
# `022` is the "historical" value in Debian for UMASK # `022` is the "historical" value in Debian for UMASK
# `027`, or even `077`, could be considered better for privacy. # `027`, or even `077`, could be considered better for privacy.
UMASK {{ os_env_umask }} UMASK {{ os_env_umask }}
# Enable setting of the umask group bits to be the same as owner bits (examples: `022` -> `002`, `077` -> `007`) for non-root users, if the uid is the same as gid, and username is the same as the primary group name. # Enable setting of the umask group bits to be the same as owner bits (examples: `022` -> `002`, `077` -> `007`) for non-root users, if the uid is the same as gid, and username is the same as the primary group name.
# If set to yes, userdel will remove the user´s group if it contains no more members, and useradd will create by default a group with the name of the user. # If set to yes, userdel will remove the user´s group if it contains no more members, and useradd will create by default a group with the name of the user.
USERGROUPS_ENAB yes USERGROUPS_ENAB yes
# Password aging controls # Password aging controls
# ----------------------- # -----------------------
# Maximum number of days a password may be used. # Maximum number of days a password may be used.
PASS_MAX_DAYS {{ os_auth_pw_max_age }} PASS_MAX_DAYS {{ os_auth_pw_max_age }}
# Minimum number of days allowed between password changes. # Minimum number of days allowed between password changes.
PASS_MIN_DAYS {{ os_auth_pw_min_age }} PASS_MIN_DAYS {{ os_auth_pw_min_age }}
# Number of days warning given before a password expires. # Number of days warning given before a password expires.
PASS_WARN_AGE 7 PASS_WARN_AGE 7
# Min/max values for automatic uid selection in useradd # Min/max values for automatic uid selection in useradd
UID_MIN {{ os_auth_uid_min }} UID_MIN {{ os_auth_uid_min }}
UID_MAX 60000 UID_MAX 60000
# System accounts # System accounts
SYS_UID_MIN {{ os_auth_sys_uid_min }} SYS_UID_MIN {{ os_auth_sys_uid_min }}
SYS_UID_MAX {{ os_auth_sys_uid_max }} SYS_UID_MAX {{ os_auth_sys_uid_max }}
# Min/max values for automatic gid selection in groupadd # Min/max values for automatic gid selection in groupadd
GID_MIN {{ os_auth_gid_min }} GID_MIN {{ os_auth_gid_min }}
GID_MAX 60000 GID_MAX 60000
# System accounts # System accounts
SYS_GID_MIN {{ os_auth_sys_gid_min }} SYS_GID_MIN {{ os_auth_sys_gid_min }}
SYS_GID_MAX {{ os_auth_sys_gid_max }} SYS_GID_MAX {{ os_auth_sys_gid_max }}
# Max number of login retries if password is bad. This will most likely be overriden by PAM, since the default pam_unix module has it's own built in of 3 retries. However, this is a safe fallback in case you are using an authentication module that does not enforce PAM_MAXTRIES. # Max number of login retries if password is bad. This will most likely be overriden by PAM, since the default pam_unix module has it's own built in of 3 retries. However, this is a safe fallback in case you are using an authentication module that does not enforce PAM_MAXTRIES.
LOGIN_RETRIES {{ os_auth_retries }} LOGIN_RETRIES {{ os_auth_retries }}
# Max time in seconds for login # Max time in seconds for login
LOGIN_TIMEOUT {{ os_auth_timeout }} LOGIN_TIMEOUT {{ os_auth_timeout }}
# Which fields may be changed by regular users using chfn - use any combination of letters "frwh" (full name, room number, work phone, home phone). If not defined, no changes are allowed. # Which fields may be changed by regular users using chfn - use any combination of letters "frwh" (full name, room number, work phone, home phone). If not defined, no changes are allowed.
# For backward compatibility, "yes" = "rwh" and "no" = "frwh". # For backward compatibility, "yes" = "rwh" and "no" = "frwh".
{% if os_chfn_restrict %} {% if os_chfn_restrict %}
CHFN_RESTRICT {{ os_chfn_restrict }} CHFN_RESTRICT {{ os_chfn_restrict }}
{% endif %} {% endif %}
# Should login be allowed if we can't cd to the home directory? # Should login be allowed if we can't cd to the home directory?
DEFAULT_HOME {{ 'yes' if os_auth_allow_homeless else 'no' }} DEFAULT_HOME {{ 'yes' if os_auth_allow_homeless else 'no' }}
# If defined, this command is run when removing a user. # If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by # It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument). # the user to be removed (passed as the first argument).
#USERDEL_CMD /usr/sbin/userdel_local #USERDEL_CMD /usr/sbin/userdel_local
# Instead of the real user shell, the program specified by this parameter will be launched, although its visible name (`argv[0]`) will be the shell's. The program may do whatever it wants (logging, additional authentification, banner, ...) before running the actual shell. # Instead of the real user shell, the program specified by this parameter will be launched, although its visible name (`argv[0]`) will be the shell's. The program may do whatever it wants (logging, additional authentification, banner, ...) before running the actual shell.
#FAKE_SHELL /bin/fakeshell #FAKE_SHELL /bin/fakeshell
# If defined, either full pathname of a file containing device names or a ":" delimited list of device names. Root logins will be allowed only upon these devices. # If defined, either full pathname of a file containing device names or a ":" delimited list of device names. Root logins will be allowed only upon these devices.
# This variable is used by login and su. # This variable is used by login and su.
#CONSOLE /etc/consoles #CONSOLE /etc/consoles
#CONSOLE console:tty01:tty02:tty03:tty04 #CONSOLE console:tty01:tty02:tty03:tty04
# List of groups to add to the user's supplementary group set when logging in on the console (as determined by the `CONSOLE` setting). Default is none. # List of groups to add to the user's supplementary group set when logging in on the console (as determined by the `CONSOLE` setting). Default is none.
# Use with caution - it is possible for users to gain permanent access to these groups, even when not logged in on the console. How to do it is left as an exercise for the reader... # Use with caution - it is possible for users to gain permanent access to these groups, even when not logged in on the console. How to do it is left as an exercise for the reader...
# This variable is used by login and su. # This variable is used by login and su.
#CONSOLE_GROUPS floppy:audio:cdrom #CONSOLE_GROUPS floppy:audio:cdrom
# If set to `MD5`, MD5-based algorithm will be used for encrypting password # If set to `MD5`, MD5-based algorithm will be used for encrypting password
# If set to `SHA256`, SHA256-based algorithm will be used for encrypting password # If set to `SHA256`, SHA256-based algorithm will be used for encrypting password
@ -158,15 +165,15 @@ DEFAULT_HOME {{ 'yes' if os_auth_allow_homeless else 'no' }}
# #
# Note: It is recommended to use a value consistent with # Note: It is recommended to use a value consistent with
# the PAM modules configuration. # the PAM modules configuration.
MD5_CRYPT_ENAB no MD5_CRYPT_ENAB no
ENCRYPT_METHOD SHA512 ENCRYPT_METHOD SHA512
# Only used if `ENCRYPT_METHOD` is set to `SHA256` or `SHA512`: Define the number of SHA rounds. # Only used if `ENCRYPT_METHOD` is set to `SHA256` or `SHA512`: Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute forcing the password. But note also that it more CPU resources will be needed to authenticate users. # With a lot of rounds, it is more difficult to brute forcing the password. But note also that it more CPU resources will be needed to authenticate users.
# If not specified, the libc will choose the default number of rounds (5000). The values must be inside the 1000-999999999 range. If only one of the MIN or MAX values is set, then this value will be used. # If not specified, the libc will choose the default number of rounds (5000). The values must be inside the 1000-999999999 range. If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used. # If MIN > MAX, the highest value will be used.
#SHA_CRYPT_MIN_ROUNDS 5000 #SHA_CRYPT_MIN_ROUNDS 5000
#SHA_CRYPT_MAX_ROUNDS 5000 #SHA_CRYPT_MAX_ROUNDS 5000
# Obsoleted by PAM # Obsoleted by PAM
@ -207,5 +214,3 @@ ENCRYPT_METHOD SHA512
# This variable is deprecated. You should use ENCRYPT_METHOD. # This variable is deprecated. You should use ENCRYPT_METHOD.
# #
#MD5_CRYPT_ENAB no #MD5_CRYPT_ENAB no

4
ansible/roles/dev-sec.os-hardening/templates/etc/pam.d/rhel_system_auth.j2
View file

@ -1,4 +1,4 @@
# {{ ansible_managed | comment }} {{ ansible_managed | comment }}
#%PAM-1.0 #%PAM-1.0
{% if os_auth_retries > 0 %} {% if os_auth_retries > 0 %}
@ -18,7 +18,7 @@ account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so account required pam_permit.so
{% if (os_auth_pam_passwdqc_enable|bool) %} {% if (os_auth_pam_passwdqc_enable|bool) %}
{%- if ((ansible_os_family == 'RedHat' and ansible_distribution_version >= '7') or ansible_distribution == 'Amazon') %} {%- if ((ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_version|int is version('7', '>=')) or ansible_facts.distribution == 'Amazon') %}
password required pam_pwquality.so {{ os_auth_pam_pwquality_options }} password required pam_pwquality.so {{ os_auth_pam_pwquality_options }}
{%- else %} {%- else %}
password requisite pam_passwdqc.so {{ os_auth_pam_passwdqc_options }} password requisite pam_passwdqc.so {{ os_auth_pam_passwdqc_options }}

2
ansible/roles/dev-sec.os-hardening/templates/etc/profile.d/profile.conf.j2
View file

@ -1,4 +1,4 @@
# {{ ansible_managed | comment }} {{ ansible_managed | comment }}
# Disable core dumps via soft limits for all users. Compliance to this setting is voluntary and can be modified by users up to a hard limit. This setting is a sane default. # Disable core dumps via soft limits for all users. Compliance to this setting is voluntary and can be modified by users up to a hard limit. This setting is a sane default.
ulimit -S -c 0 > /dev/null 2>&1 ulimit -S -c 0 > /dev/null 2>&1

3
ansible/roles/dev-sec.os-hardening/templates/etc/securetty.j2
View file

@ -1,5 +1,4 @@
# {{ ansible_managed | comment }} {{ ansible_managed | comment }}
# A list of TTYs, from which root can log in # A list of TTYs, from which root can log in
# see `man securetty` for reference # see `man securetty` for reference

2
ansible/roles/dev-sec.os-hardening/templates/etc/sysconfig/rhel_sysconfig_init.j2
View file

@ -1,4 +1,4 @@
# {{ ansible_managed | comment }} {{ ansible_managed | comment }}
# color => new RH6.0 bootup # color => new RH6.0 bootup
# verbose => old-style bootup # verbose => old-style bootup

2
ansible/roles/dev-sec.os-hardening/templates/usr/share/pam-configs/pam_passwdqd.j2
View file

@ -1,3 +1,5 @@
{{ ansible_managed | comment }}
Name: passwdqc password strength enforcement Name: passwdqc password strength enforcement
Default: yes Default: yes
Priority: 1024 Priority: 1024

2
ansible/roles/dev-sec.os-hardening/templates/usr/share/pam-configs/pam_tally2.j2
View file

@ -1,3 +1,5 @@
{{ ansible_managed | comment }}
Name: tally2 lockout after failed attempts enforcement Name: tally2 lockout after failed attempts enforcement
Default: yes Default: yes
Priority: 1024 Priority: 1024

29
ansible/roles/dev-sec.os-hardening/tests/test.yml
View file

@ -4,10 +4,22 @@
roles: roles:
- ansible-os-hardening - ansible-os-hardening
pre_tasks: pre_tasks:
- name: set ansible_python_interpreter to "/usr/bin/python3" on fedora
set_fact:
ansible_python_interpreter: "/usr/bin/python3"
when: ansible_facts.distribution == 'Fedora'
- name: Run the equivalent of "apt-get update" as a separate step - name: Run the equivalent of "apt-get update" as a separate step
apt: apt:
update_cache: yes update_cache: yes
when: ansible_os_family == 'Debian' when: ansible_facts.os_family == 'Debian'
- name: install required tools on fedora
dnf:
name:
- python
- findutils
- procps-ng
when: ansible_facts.distribution == 'Fedora'
- name: create recursing symlink to test minimize access - name: create recursing symlink to test minimize access
shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz" shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
vars: vars:
@ -20,7 +32,7 @@
os_auth_allow_homeless: true os_auth_allow_homeless: true
os_security_suid_sgid_blacklist: ['/bin/umount'] os_security_suid_sgid_blacklist: ['/bin/umount']
os_security_suid_sgid_whitelist: ['/usr/bin/rlogin'] os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
os_filesystem_whitelist: ['vfat'] os_filesystem_whitelist: []
sysctl_config: sysctl_config:
net.ipv4.ip_forward: 0 net.ipv4.ip_forward: 0
net.ipv6.conf.all.forwarding: 0 net.ipv6.conf.all.forwarding: 0
@ -52,23 +64,26 @@
net.ipv6.conf.default.accept_ra_rtr_pref: 0 net.ipv6.conf.default.accept_ra_rtr_pref: 0
net.ipv6.conf.default.accept_ra_pinfo: 0 net.ipv6.conf.default.accept_ra_pinfo: 0
net.ipv6.conf.default.accept_ra_defrtr: 0 net.ipv6.conf.default.accept_ra_defrtr: 0
net.ipv6.conf.default.autoconf: 0 net.ipv6.conf.default.conf: 0
net.ipv6.conf.default.dad_transmits: 0 net.ipv6.conf.default.dad_transmits: 0
net.ipv6.conf.default.max_addresses: 1 net.ipv6.conf.default.max_addresses: 1
kernel.sysrq: 0 kernel.sysrq: 0
fs.suid_dumpable: 0 fs.suid_dumpable: 0
kernel.randomize_va_space: 2 kernel.randomize_va_space: 2
- name: wrapper playbook for kitchen testing "ansible-os-hardening" - name: wrapper playbook for kitchen testing "ansible-os-hardening"
hosts: localhost hosts: localhost
vars: vars:
- os_auditd_enabled: false os_auditd_enabled: false
pre_tasks: pre_tasks:
- name: set ansible_python_interpreter to "/usr/bin/python3" on fedora
set_fact:
ansible_python_interpreter: "/usr/bin/python3"
when: ansible_facts.distribution == 'Fedora'
- name: Run the equivalent of "apt-get update" as a separate step - name: Run the equivalent of "apt-get update" as a separate step
apt: apt:
update_cache: yes update_cache: yes
when: ansible_os_family == 'Debian' when: ansible_facts.os_family == 'Debian'
roles: roles:
- ansible-os-hardening - ansible-os-hardening

2
ansible/roles/dev-sec.os-hardening/vars/Amazon.yml
View file

@ -1,6 +1,6 @@
--- ---
# system accounts that do not get their login disabled and pasword changed # system accounts that do not get their login disabled and pasword changed
os_always_ignore_users: ['root','sync','shutdown','halt', 'ec2-user'] os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt', 'ec2-user']
sysctl_rhel_config: sysctl_rhel_config:
# ExecShield protection against buffer overflows # ExecShield protection against buffer overflows

16
ansible/roles/dev-sec.os-hardening/vars/Debian.yml
View file

@ -1,13 +1,10 @@
---
os_packages_pam_ccreds: 'libpam-ccreds' os_packages_pam_ccreds: 'libpam-ccreds'
os_packages_pam_passwdqc: 'libpam-passwdqc' os_packages_pam_passwdqc: 'libpam-passwdqc'
os_packages_pam_cracklib: 'libpam-cracklib' os_packages_pam_cracklib: 'libpam-cracklib'
passwdqc_path: '/usr/share/pam-configs/passwdqc'
tally2_path: '/usr/share/pam-configs/tally2'
os_nologin_shell_path: '/usr/sbin/nologin' os_nologin_shell_path: '/usr/sbin/nologin'
auditd_package: 'auditd'
modprobe_package: 'kmod'
# Different distros use different standards for /etc/shadow perms, e.g. # Different distros use different standards for /etc/shadow perms, e.g.
# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640. # RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
# You must provide key/value pairs for owner, group, and mode if overriding. # You must provide key/value pairs for owner, group, and mode if overriding.
@ -29,3 +26,12 @@ os_auth_sys_uid_min: 100
os_auth_sys_uid_max: 999 os_auth_sys_uid_max: 999
os_auth_sys_gid_min: 100 os_auth_sys_gid_min: 100
os_auth_sys_gid_max: 999 os_auth_sys_gid_max: 999
# defaults for useradd
os_useradd_mail_dir: /var/mail
modprobe_package: 'kmod'
auditd_package: 'auditd'
tally2_path: '/usr/share/pam-configs/tally2'
passwdqc_path: '/usr/share/pam-configs/passwdqc'

31
ansible/roles/dev-sec.os-hardening/vars/Fedora.yml Normal file
View file

@ -0,0 +1,31 @@
---
os_packages_pam_ccreds: 'pam_ccreds'
os_packages_pam_passwdqc: 'pam_passwdqc'
os_packages_pam_cracklib: 'pam_cracklib'
os_nologin_shell_path: '/sbin/nologin'
# Different distros use different standards for /etc/shadow perms, e.g.
# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
# You must provide key/value pairs for owner, group, and mode if overriding.
os_shadow_perms:
owner: root
group: root
mode: '0000'
os_passwd_perms:
owner: root
group: root
mode: '0644'
os_env_umask: '027'
os_auth_uid_min: 1000
os_auth_gid_min: 1000
os_auth_sys_uid_min: 201
os_auth_sys_uid_max: 999
os_auth_sys_gid_min: 201
os_auth_sys_gid_max: 999
modprobe_package: 'module-init-tools'
auditd_package: 'audit'

8
ansible/roles/dev-sec.os-hardening/vars/Oracle Linux.yml
View file

@ -1,6 +1,8 @@
os_packages_pam_ccreds: 'pam_ccreds' ---
os_packages_pam_passwdqc: 'pam_passwdqc'
os_packages_pam_cracklib: 'pam_cracklib' os_packages_pam_ccreds: 'pam_ccreds'
os_packages_pam_passwdqc: 'pam_passwdqc'
os_packages_pam_cracklib: 'pam_cracklib'
os_nologin_shell_path: '/sbin/nologin' os_nologin_shell_path: '/sbin/nologin'
# Different distros use different standards for /etc/shadow perms, e.g. # Different distros use different standards for /etc/shadow perms, e.g.

10
ansible/roles/dev-sec.os-hardening/vars/RedHat.yml
View file

@ -1,8 +1,5 @@
--- ---
modprobe_package: 'module-init-tools'
auditd_package: 'audit'
os_packages_pam_ccreds: 'pam_ccreds' os_packages_pam_ccreds: 'pam_ccreds'
os_packages_pam_passwdqc: 'pam_passwdqc' os_packages_pam_passwdqc: 'pam_passwdqc'
os_packages_pam_cracklib: 'pam_cracklib' os_packages_pam_cracklib: 'pam_cracklib'
@ -29,3 +26,10 @@ os_auth_sys_uid_min: 201
os_auth_sys_uid_max: 999 os_auth_sys_uid_max: 999
os_auth_sys_gid_min: 201 os_auth_sys_gid_min: 201
os_auth_sys_gid_max: 999 os_auth_sys_gid_max: 999
# defaults for useradd
os_useradd_mail_dir: /var/spool/mail
os_useradd_create_home: true
modprobe_package: 'module-init-tools'
auditd_package: 'audit'

34
ansible/roles/dev-sec.os-hardening/vars/Suse.yml Normal file
View file

@ -0,0 +1,34 @@
---
os_packages_pam_ccreds: 'pam_ccreds'
os_packages_pam_passwdqc: 'pam_passwdqc'
os_packages_pam_cracklib: 'cracklib'
os_nologin_shell_path: '/sbin/nologin'
# Different distros use different standards for /etc/shadow perms, e.g.
# RHEL derivatives use root:root 0000, whereas Debian-based use root:shadow 0640.
# You must provide key/value pairs for owner, group, and mode if overriding.
os_shadow_perms:
owner: root
group: root
mode: '0600'
os_passwd_perms:
owner: root
group: root
mode: '0644'
os_env_umask: '027'
os_auth_uid_min: 1000
os_auth_gid_min: 1000
os_auth_sys_uid_min: 100
os_auth_sys_uid_max: 499
os_auth_sys_gid_min: 100
os_auth_sys_gid_max: 499
# defaults for useradd
os_useradd_create_home: false
modprobe_package: 'kmod-compat'
auditd_package: 'audit'

2
ansible/roles/dev-sec.os-hardening/vars/main.yml
View file

@ -108,4 +108,4 @@ os_security_suid_sgid_system_whitelist:
- '/usr/lib/libvte-2.90-9/gnome-pty-helper' # gnome - '/usr/lib/libvte-2.90-9/gnome-pty-helper' # gnome
# system accounts that do not get their login disabled and pasword changed # system accounts that do not get their login disabled and pasword changed
os_always_ignore_users: ['root','sync','shutdown','halt'] os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt']

40
ansible/roles/dev-sec.ssh-hardening/.github/ISSUE_TEMPLATE/bug_report.md vendored Normal file
View file

@ -0,0 +1,40 @@
---
name: Bug report
about: Create a report to help us improve
---
**Describe the bug**
A clear and concise description of what the bug is.
**Expected behavior**
A clear and concise description of what you expected to happen.
**Actual behavior**
<!--- Paste verbatim command output between quotes -->
```paste below
```
**Example Playbook**
<!--- Paste an example playbook that can be used to reproduce the problem between quotes -->
```paste below
```
**OS / Environment**
<!--- Provide all relevant information below, e.g. target OS versions, network device firmware, etc. -->
**Ansible Version**
<!--- Paste verbatim output from "ansible --version" between quotes -->
```paste below
```
**Role Version**
<!--- Paste version of the role between quotes -->
```paste below
```
**Additional context**
Add any other context about the problem here.

17
ansible/roles/dev-sec.ssh-hardening/.github/ISSUE_TEMPLATE/feature_request.md vendored Normal file
View file

@ -0,0 +1,17 @@
---
name: Feature request
about: Suggest an idea for this project
---
**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Additional context**
Add any other context or screenshots about the feature request here.

34
ansible/roles/dev-sec.ssh-hardening/.github/workflows/changelog.yml vendored Normal file
View file

@ -0,0 +1,34 @@
name: Create Changelog
on:
pull_request:
types: [closed]
release:
types: [published]
issues:
types: [closed, edited]
jobs:
generate_changelog:
runs-on: ubuntu-latest
name: Generate changelog for master branch
steps:
- uses: actions/checkout@v1
- name: Generate changelog
uses: charmixer/auto-changelog-action@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: push
uses: github-actions-x/commit@v2.6
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
push-branch: 'master'
commit-message: 'update changelog'
force-add: 'true'
files: CHANGELOG.md
name: dev-sec CI
email: github@gumpri.ch

51
ansible/roles/dev-sec.ssh-hardening/.github/workflows/release.yml vendored Normal file
View file

@ -0,0 +1,51 @@
name: New release
on:
push:
branches:
- master
jobs:
generate_changelog:
runs-on: ubuntu-latest
name: create release draft
steps:
- uses: actions/checkout@v1
- name: 'Get Previous tag'
id: previoustag
uses: "WyriHaximus/github-action-get-previous-tag@master"
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- name: calculate next version
id: version
uses: patrickjahns/version-drafter-action@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Generate changelog
uses: charmixer/auto-changelog-action@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
since_tag: ${{ steps.previoustag.outputs.tag }}
# wait for https://github.com/CharMixer/auto-changelog-action/pull/3
#future_release: ${{ steps.version.outputs.next-version }}
- name: Read CHANGELOG.md
id: package
uses: juliangruber/read-file-action@v1
with:
path: ./CHANGELOG.md
- name: Create Release draft
id: create_release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
with:
release_name: ${{ steps.version.outputs.next-version }}
tag_name: ${{ steps.version.outputs.next-version }}
body: |
${{ steps.package.outputs.content }}
draft: true

2
ansible/roles/dev-sec.ssh-hardening/.kitchen.aws.yml
View file

@ -17,7 +17,7 @@ provisioner:
require_ansible_omnibus: true require_ansible_omnibus: true
ansible_verbose: true ansible_verbose: true
ansible_diff: true ansible_diff: true
hosts: all
roles_path: ../ansible-ssh-hardening/ roles_path: ../ansible-ssh-hardening/
http_proxy: <%= ENV['http_proxy'] || nil %> http_proxy: <%= ENV['http_proxy'] || nil %>
https_proxy: <%= ENV['https_proxy'] || nil %> https_proxy: <%= ENV['https_proxy'] || nil %>

54
ansible/roles/dev-sec.ssh-hardening/.kitchen.vagrant.yml
View file

@ -20,56 +20,34 @@ provisioner:
http_proxy: <%= ENV['http_proxy'] || nil %> http_proxy: <%= ENV['http_proxy'] || nil %>
https_proxy: <%= ENV['https_proxy'] || nil %> https_proxy: <%= ENV['https_proxy'] || nil %>
transport:
max_ssh_sessions: 5
platforms: platforms:
- name: ubuntu-12.04
driver_config:
box: opscode-ubuntu-12.04
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box
- name: ubuntu-14.04
driver_config:
box: opscode-ubuntu-14.04
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box
- name: ubuntu-16.04 - name: ubuntu-16.04
driver_config: driver_config:
box: opscode-ubuntu-16.04 box: bento/ubuntu-16.04
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-16.04_chef-provisionerless.box - name: ubuntu-18.04
- name: centos-6.4
- name: centos-7.2
driver_config: driver_config:
box: opscode-centos-7.2 box: bento/ubuntu-18.04
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-7.2_chef-provisionerless.box - name: centos-6
- name: centos-6.5
driver_config: driver_config:
box: opscode-centos-6.5 box: bento/centos-6
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box
- name: centos-6.8
driver_config:
box: bento/centos-6.8
- name: centos-7 - name: centos-7
driver_config: driver_config:
box: bento/centos-7.2 box: bento/centos-7
- name: oracle-6.4 - name: oracle-6
driver_config: driver_config:
box: oracle-6.4 box: bento/oracle-6
box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel64-64.box
- name: oracle-6.5
driver_config:
box: oracle-6.5
box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box
- name: oracle-7 - name: oracle-7
driver_config: driver_config:
box: boxcutter/ol72 box: bento/oracle-7
- name: debian-7 - name: debian-9
driver_config: driver_config:
box: debian-7 box: bento/debian-9
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-7.8_chef-provisionerless.box - name: debian-10
- name: debian-8
driver_config: driver_config:
box: debian-8 box: bento/debian-10
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box - name: amazon
driver_config:
box: bento/amazonlinux-2
verifier: verifier:
name: inspec name: inspec

41
ansible/roles/dev-sec.ssh-hardening/.kitchen.yml
View file

@ -6,9 +6,6 @@ driver:
http_proxy: <%= ENV['http_proxy'] || nil %> http_proxy: <%= ENV['http_proxy'] || nil %>
https_proxy: <%= ENV['https_proxy'] || nil %> https_proxy: <%= ENV['https_proxy'] || nil %>
transport:
max_ssh_sessions: 5
provisioner: provisioner:
name: ansible_playbook name: ansible_playbook
hosts: all hosts: all
@ -17,12 +14,12 @@ provisioner:
require_ruby_for_busser: false require_ruby_for_busser: false
ansible_verbose: true ansible_verbose: true
ansible_diff: true ansible_diff: true
hosts: all
roles_path: ../ansible-ssh-hardening/ roles_path: ../ansible-ssh-hardening/
http_proxy: <%= ENV['http_proxy'] || nil %> http_proxy: <%= ENV['http_proxy'] || nil %>
https_proxy: <%= ENV['https_proxy'] || nil %> https_proxy: <%= ENV['https_proxy'] || nil %>
playbook: tests/default.yml playbook: tests/default.yml
ansible_diff: true
ansible_extra_flags: ansible_extra_flags:
- "--skip-tags=sysctl" - "--skip-tags=sysctl"
@ -51,10 +48,6 @@ platforms:
provision_command: provision_command:
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- systemctl enable sshd.service - systemctl enable sshd.service
- name: ubuntu1404-ansible-latest
driver:
image: rndmh3ro/docker-ubuntu1404-ansible:latest
platform: ubuntu
- name: ubuntu1604-ansible-latest - name: ubuntu1604-ansible-latest
driver: driver:
image: rndmh3ro/docker-ubuntu1604-ansible:latest image: rndmh3ro/docker-ubuntu1604-ansible:latest
@ -62,14 +55,13 @@ platforms:
run_command: /sbin/init run_command: /sbin/init
provision_command: provision_command:
- systemctl enable ssh.service - systemctl enable ssh.service
- name: debian7-ansible-latest - name: ubuntu1804-ansible-latest
driver: driver:
image: rndmh3ro/docker-debian7-ansible:latest image: rndmh3ro/docker-ubuntu1804-ansible:latest
platform: debian platform: ubuntu
- name: debian8-ansible-latest run_command: /sbin/init
driver: provision_command:
image: rndmh3ro/docker-debian8-ansible:latest - systemctl enable ssh.service
platform: debian
- name: debian9-ansible-latest - name: debian9-ansible-latest
driver: driver:
image: rndmh3ro/docker-debian9-ansible:latest image: rndmh3ro/docker-debian9-ansible:latest
@ -78,6 +70,14 @@ platforms:
provision_command: provision_command:
- apt install -y systemd-sysv - apt install -y systemd-sysv
- systemctl enable ssh.service - systemctl enable ssh.service
- name: debian10-ansible-latest
driver:
image: rndmh3ro/docker-debian10-ansible
platform: debian
run_command: /sbin/init
provision_command:
- apt install -y systemd-sysv
- systemctl enable ssh.service
- name: amazon-ansible-latest - name: amazon-ansible-latest
driver: driver:
image: rndmh3ro/docker-amazon-ansible:latest image: rndmh3ro/docker-amazon-ansible:latest
@ -86,6 +86,15 @@ platforms:
provision_command: provision_command:
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- systemctl enable sshd.service - systemctl enable sshd.service
- name: fedora-ansible-latest
driver:
image: rndmh3ro/docker-fedora-ansible:latest
platform: centos
run_command: /sbin/init
provision_command:
- dnf install -y python
- sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
- systemctl enable sshd.service
verifier: verifier:
name: inspec name: inspec

33
ansible/roles/dev-sec.ssh-hardening/.travis.yml
View file

@ -25,17 +25,9 @@ env:
init: /lib/systemd/systemd init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distro: ubuntu1404 - distro: ubuntu1804
version: latest version: latest
init: /sbin/init init: /lib/systemd/systemd
- distro: debian7
version: latest
init: /sbin/init
- distro: debian8
version: latest
init: /sbin/init
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distro: debian9 - distro: debian9
@ -43,29 +35,42 @@ env:
init: /lib/systemd/systemd init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distro: debian10
version: latest
init: /lib/systemd/systemd
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distro: amazon - distro: amazon
init: /lib/systemd/systemd init: /lib/systemd/systemd
version: latest version: latest
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
- distro: fedora
init: /lib/systemd/systemd
version: latest
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
before_install: before_install:
# Pull container # Pull container
- 'docker pull rndmh3ro/docker-${distro}-ansible:${version}' - 'docker pull rndmh3ro/docker-${distro}-ansible:${version}'
script: script:
- pip install --user ansible-lint
- ansible-lint ./
- container_id=$(mktemp) - container_id=$(mktemp)
# Run container in detached state. # Run container in detached state.
- 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-ssh-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"' - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-ssh-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
# Test role. # Test role.
- 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default_custom.yml' - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default_custom.yml --diff'
- 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default.yml' - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default.yml --diff'
# Verify role # Verify role
# remove the UseLogin-check, see here for reasons: https://github.com/dev-sec/ansible-ssh-hardening/pull/141 # remove the UseLogin-check, see here for reasons: https://github.com/dev-sec/ansible-ssh-hardening/pull/141
- 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=sshd-01 sshd-02 sshd-03 sshd-04 sshd-05 sshd-06 sshd-07 sshd-08 sshd-09 sshd-10 sshd-11 sshd-12 sshd-13 sshd-14 sshd-16 sshd-17 sshd-18 sshd-19 sshd-20 sshd-21 sshd-22 sshd-23 sshd-24 sshd-25 sshd-26 sshd-27 sshd-28 sshd-29 sshd-30 sshd-31 sshd-32 sshd-33 sshd-34 sshd-35 sshd-36 sshd-37 sshd-38 sshd-39 sshd-40 sshd-41 sshd-42 sshd-43 sshd-44 sshd-45 sshd-46 sshd-47 sshd-48 --no-distinct-exit' - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=sshd-01 sshd-02 sshd-03 sshd-04 sshd-05 sshd-06 sshd-07 sshd-08 sshd-09 sshd-10 sshd-11 sshd-12 sshd-13 sshd-14 sshd-15 sshd-16 sshd-17 sshd-18 sshd-19 sshd-20 sshd-21 sshd-22 sshd-23 sshd-24 sshd-25 sshd-26 sshd-27 sshd-28 sshd-29 sshd-30 sshd-31 sshd-32 sshd-33 sshd-34 sshd-35 sshd-36 sshd-37 sshd-38 sshd-39 sshd-40 sshd-41 sshd-42 sshd-43 sshd-44 sshd-45 sshd-46 sshd-47 sshd-48 --no-distinct-exit'
# remove UseRoaming and RhostsRSAAuthentication because these options are deprecated - ssh-14, ssh-15, ssh-21 # remove UseRoaming and RhostsRSAAuthentication because these options are deprecated - ssh-14, ssh-15, ssh-21
- 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=ssh-01 ssh-02 ssh-03 ssh-04 ssh-05 ssh-06 ssh-07 ssh-08 ssh-09 ssh-10 ssh-11 ssh-12 ssh-13 ssh-16 ssh-17 ssh-18 ssh-19 ssh-20 --no-distinct-exit' - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=ssh-01 ssh-02 ssh-03 ssh-04 ssh-05 ssh-06 ssh-07 ssh-08 ssh-09 ssh-10 ssh-11 ssh-12 ssh-13 ssh-14 ssh-15 ssh-16 ssh-17 ssh-18 ssh-19 ssh-20 --no-distinct-exit'
notifications: notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/ webhooks: https://galaxy.ansible.com/api/v1/notifications/

274
ansible/roles/dev-sec.ssh-hardening/CHANGELOG.md
View file

@ -1,6 +1,217 @@
# Change Log # Changelog
## [Unreleased](https://github.com/dev-sec/ansible-ssh-hardening/tree/HEAD)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/8.0.0...HEAD)
**Implemented enhancements:**
- add changelog and release workflow [\#282](https://github.com/dev-sec/ansible-ssh-hardening/pull/282) ([rndmh3ro](https://github.com/rndmh3ro))
- fix: Ansible part of Fedora build [\#281](https://github.com/dev-sec/ansible-ssh-hardening/pull/281) ([kostasns](https://github.com/kostasns))
- Add changelog action [\#280](https://github.com/dev-sec/ansible-ssh-hardening/pull/280) ([rndmh3ro](https://github.com/rndmh3ro))
- fix: Amazon linux build [\#279](https://github.com/dev-sec/ansible-ssh-hardening/pull/279) ([kostasns](https://github.com/kostasns))
- feat: Allow to set custom list of HostKeyAlgorithms [\#278](https://github.com/dev-sec/ansible-ssh-hardening/pull/278) ([kostasns](https://github.com/kostasns))
- fix\(ansible\_facts\): replace few remaining facts from 'ansible\_' to using 'ansible\_facts' dictionary [\#277](https://github.com/dev-sec/ansible-ssh-hardening/pull/277) ([kostasns](https://github.com/kostasns))
## [8.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/8.0.0) (2020-04-21)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/7.0.0...8.0.0)
**Implemented enhancements:**
- Remove dependency on bash [\#265](https://github.com/dev-sec/ansible-ssh-hardening/issues/265)
- Possibility to use other value than yes/no for AllowTCPforwarding [\#255](https://github.com/dev-sec/ansible-ssh-hardening/issues/255)
- Add support for Debian Buster in ansible-ssh-hardening [\#248](https://github.com/dev-sec/ansible-ssh-hardening/issues/248)
- Some options not configurable via the role [\#239](https://github.com/dev-sec/ansible-ssh-hardening/issues/239)
- PermitUserEnvironment should not be conflated with AcceptEnv [\#232](https://github.com/dev-sec/ansible-ssh-hardening/issues/232)
- Disable also dynamic MOTD via PAM if enabled - refs \#271 [\#273](https://github.com/dev-sec/ansible-ssh-hardening/pull/273) ([ancoron](https://github.com/ancoron))
- Use sha2 HMACs on RHEL 6 / CentOS 6. [\#270](https://github.com/dev-sec/ansible-ssh-hardening/pull/270) ([foonix](https://github.com/foonix))
- Removing 2fa [\#269](https://github.com/dev-sec/ansible-ssh-hardening/pull/269) ([dennisse](https://github.com/dennisse))
- Renaming Ansible variables discovered from systems [\#268](https://github.com/dev-sec/ansible-ssh-hardening/pull/268) ([PovilasGT](https://github.com/PovilasGT))
- Do not use bash to get ssh version [\#266](https://github.com/dev-sec/ansible-ssh-hardening/pull/266) ([kljensen](https://github.com/kljensen))
- Add 'all', 'local', 'yes', 'no' options support for AllowTcpForwarding variable [\#257](https://github.com/dev-sec/ansible-ssh-hardening/pull/257) ([brnck](https://github.com/brnck))
- Support KEX for OpenSSH 8.0+ & quantum resistant KEX [\#254](https://github.com/dev-sec/ansible-ssh-hardening/pull/254) ([lunarthegrey](https://github.com/lunarthegrey))
- SFTP: set default umask to 0027 [\#252](https://github.com/dev-sec/ansible-ssh-hardening/pull/252) ([Slamdunk](https://github.com/Slamdunk))
- Separate PermitUserEnviroment from AcceptEnv [\#251](https://github.com/dev-sec/ansible-ssh-hardening/pull/251) ([szEvEz](https://github.com/szEvEz))
- Feature: Debian 10 \(Buster\) support [\#249](https://github.com/dev-sec/ansible-ssh-hardening/pull/249) ([jaredledvina](https://github.com/jaredledvina))
- fix broken packages, extend README with furhter development instructions [\#246](https://github.com/dev-sec/ansible-ssh-hardening/pull/246) ([szEvEz](https://github.com/szEvEz))
- refactor authenticationmethod settings, allow user to set authenticat… [\#245](https://github.com/dev-sec/ansible-ssh-hardening/pull/245) ([szEvEz](https://github.com/szEvEz))
- RHEL/OL/CentOS 8 support [\#242](https://github.com/dev-sec/ansible-ssh-hardening/pull/242) ([Furragen](https://github.com/Furragen))
- Added ssh\_syslog\_facility, ssh\_log\_level and ssh\_strict\_modes parameters [\#240](https://github.com/dev-sec/ansible-ssh-hardening/pull/240) ([bschonec](https://github.com/bschonec))
**Fixed bugs:**
- HostKey comment "\# Req 20" breaks key based auth [\#262](https://github.com/dev-sec/ansible-ssh-hardening/issues/262)
- SSH fails to start/connect if custom server ports is set on CentOS 7.6 [\#212](https://github.com/dev-sec/ansible-ssh-hardening/issues/212)
- Google 2fa authentication problem [\#170](https://github.com/dev-sec/ansible-ssh-hardening/issues/170)
- vars: remove empty main.yml file [\#274](https://github.com/dev-sec/ansible-ssh-hardening/pull/274) ([paulfantom](https://github.com/paulfantom))
- Only manage moduli when hardening server [\#267](https://github.com/dev-sec/ansible-ssh-hardening/pull/267) ([jbronn](https://github.com/jbronn))
- Remove comment from sshd config HostKey param [\#263](https://github.com/dev-sec/ansible-ssh-hardening/pull/263) ([abtreece](https://github.com/abtreece))
## [7.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/7.0.0) (2019-09-15)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.2.0...7.0.0)
**Implemented enhancements:**
- Add new option ssh\_server\_match\_address [\#230](https://github.com/dev-sec/ansible-ssh-hardening/issues/230)
- set UsePAM to yes by default [\#233](https://github.com/dev-sec/ansible-ssh-hardening/pull/233) ([rndmh3ro](https://github.com/rndmh3ro))
**Fixed bugs:**
- Unable to connect after applying the role \(Ubuntu 18.04, AWS EC2\) [\#229](https://github.com/dev-sec/ansible-ssh-hardening/issues/229)
**Closed issues:**
- Can't connect to new instance created from hardened image [\#189](https://github.com/dev-sec/ansible-ssh-hardening/issues/189)
**Merged pull requests:**
- changed string comparison to version comparison [\#234](https://github.com/dev-sec/ansible-ssh-hardening/pull/234) ([gobind-singh](https://github.com/gobind-singh))
## [6.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.2.0) (2019-08-05)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.1.3...6.2.0)
**Implemented enhancements:**
- added support for `ssh\_server\_match\_address` \(\#230\) [\#231](https://github.com/dev-sec/ansible-ssh-hardening/pull/231) ([MatthiasLohr](https://github.com/MatthiasLohr))
## [6.1.3](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.1.3) (2019-06-09)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.1.2...6.1.3)
**Implemented enhancements:**
- Fix squash\_actions deprecation in test playbooks [\#228](https://github.com/dev-sec/ansible-ssh-hardening/pull/228) ([Normo](https://github.com/Normo))
- Fix deprecation warnings in Ansible 2.8 [\#227](https://github.com/dev-sec/ansible-ssh-hardening/pull/227) ([Normo](https://github.com/Normo))
**Fixed bugs:**
- deprecation warnings in Ansible 2.8 [\#226](https://github.com/dev-sec/ansible-ssh-hardening/issues/226)
## [6.1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.1.2) (2019-05-17)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.1.1...6.1.2)
**Fixed bugs:**
- sshd\_custom\_options used in ssh\_config generation [\#224](https://github.com/dev-sec/ansible-ssh-hardening/issues/224)
**Merged pull requests:**
- use correct variable ssh\_custom\_options in ssh\_config template [\#225](https://github.com/dev-sec/ansible-ssh-hardening/pull/225) ([rndmh3ro](https://github.com/rndmh3ro))
## [6.1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.1.1) (2019-05-07)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.1.0...6.1.1)
**Fixed bugs:**
- Missing indent for `ChrootDirectory` in `Match Group sftponly` [\#221](https://github.com/dev-sec/ansible-ssh-hardening/issues/221)
**Merged pull requests:**
- fix indentation for matches [\#222](https://github.com/dev-sec/ansible-ssh-hardening/pull/222) ([rndmh3ro](https://github.com/rndmh3ro))
## [6.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.1.0) (2019-05-04)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/6.0.0...6.1.0)
**Implemented enhancements:**
- PermitRootLogin yes [\#190](https://github.com/dev-sec/ansible-ssh-hardening/issues/190)
- Match Group' in configuration but 'user' not in connection test specification [\#188](https://github.com/dev-sec/ansible-ssh-hardening/issues/188)
- Allow custom values [\#175](https://github.com/dev-sec/ansible-ssh-hardening/issues/175)
- use selinux fact to check if selinux is used [\#220](https://github.com/dev-sec/ansible-ssh-hardening/pull/220) ([rndmh3ro](https://github.com/rndmh3ro))
- Remove eol os and add fedora [\#218](https://github.com/dev-sec/ansible-ssh-hardening/pull/218) ([rndmh3ro](https://github.com/rndmh3ro))
- document and move custom variables [\#217](https://github.com/dev-sec/ansible-ssh-hardening/pull/217) ([rndmh3ro](https://github.com/rndmh3ro))
- fix: allow other ssh ports using selinux [\#214](https://github.com/dev-sec/ansible-ssh-hardening/pull/214) ([guilieb](https://github.com/guilieb))
- Make ansible-lint happy [\#204](https://github.com/dev-sec/ansible-ssh-hardening/pull/204) ([alexclear](https://github.com/alexclear))
- Fix ssh and sshd config files to satisfy inspec reqs on all Testkitchen setups [\#203](https://github.com/dev-sec/ansible-ssh-hardening/pull/203) ([alexclear](https://github.com/alexclear))
- enable ssh 7.7p1 support [\#202](https://github.com/dev-sec/ansible-ssh-hardening/pull/202) ([rndmh3ro](https://github.com/rndmh3ro))
- Removed DEPRECATION WARNING for apt, using list instead of with\_items [\#201](https://github.com/dev-sec/ansible-ssh-hardening/pull/201) ([jonaswre](https://github.com/jonaswre))
**Fixed bugs:**
- Using more than one rule in a Group or User Match block? [\#207](https://github.com/dev-sec/ansible-ssh-hardening/issues/207)
- fix multiple match rules not working \#207 [\#208](https://github.com/dev-sec/ansible-ssh-hardening/pull/208) ([rndmh3ro](https://github.com/rndmh3ro))
## [6.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.0.0) (2018-11-18)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/5.0.0...6.0.0)
**Implemented enhancements:**
- Ubuntu 18.04 support [\#182](https://github.com/dev-sec/ansible-ssh-hardening/issues/182)
- Update opensshd.conf.js [\#196](https://github.com/dev-sec/ansible-ssh-hardening/pull/196) ([ikr0m](https://github.com/ikr0m))
**Fixed bugs:**
- GSSAPI support broken. Can't be enabled. [\#192](https://github.com/dev-sec/ansible-ssh-hardening/issues/192)
- Unsupported option "rhostsrsaauthentication" "rsaauthentication" [\#184](https://github.com/dev-sec/ansible-ssh-hardening/issues/184)
- Weak kex are controlled by wrong variable ? [\#174](https://github.com/dev-sec/ansible-ssh-hardening/issues/174)
- Can't connect to server by SSH after applying this role [\#115](https://github.com/dev-sec/ansible-ssh-hardening/issues/115)
**Closed issues:**
- Support StreamLocalBindUnlink [\#197](https://github.com/dev-sec/ansible-ssh-hardening/issues/197)
- Add molecule testing [\#183](https://github.com/dev-sec/ansible-ssh-hardening/issues/183)
**Merged pull requests:**
- Support for custom configuration [\#199](https://github.com/dev-sec/ansible-ssh-hardening/pull/199) ([MatthiasLohr](https://github.com/MatthiasLohr))
- parameterize PermitRootLogin [\#195](https://github.com/dev-sec/ansible-ssh-hardening/pull/195) ([rndmh3ro](https://github.com/rndmh3ro))
- set 'GSSAPIAuthentication yes' if variable 'ssh\_gssapi\_support' is set to 'true' [\#194](https://github.com/dev-sec/ansible-ssh-hardening/pull/194) ([szEvEz](https://github.com/szEvEz))
- Use ansible version compare module [\#187](https://github.com/dev-sec/ansible-ssh-hardening/pull/187) ([BentoumiTech](https://github.com/BentoumiTech))
- add ubuntu 18.04 support [\#186](https://github.com/dev-sec/ansible-ssh-hardening/pull/186) ([rndmh3ro](https://github.com/rndmh3ro))
## [5.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/5.0.0) (2018-09-16)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.4.0...5.0.0)
**Implemented enhancements:**
- Fixing the broken Ansible dependency mechanism [\#176](https://github.com/dev-sec/ansible-ssh-hardening/issues/176)
- Include new baseline-tests [\#161](https://github.com/dev-sec/ansible-ssh-hardening/issues/161)
- GlobalKnownHostsFile missing from ssh\_config [\#155](https://github.com/dev-sec/ansible-ssh-hardening/issues/155)
- Options not compatible with OpenSSH server 7.6 [\#151](https://github.com/dev-sec/ansible-ssh-hardening/issues/151)
- Kitchen travis [\#180](https://github.com/dev-sec/ansible-ssh-hardening/pull/180) ([rndmh3ro](https://github.com/rndmh3ro))
- update config of kex, macs, ciphers [\#179](https://github.com/dev-sec/ansible-ssh-hardening/pull/179) ([rndmh3ro](https://github.com/rndmh3ro))
- add debian 9 and a comment [\#178](https://github.com/dev-sec/ansible-ssh-hardening/pull/178) ([rndmh3ro](https://github.com/rndmh3ro))
- Dependency flag [\#177](https://github.com/dev-sec/ansible-ssh-hardening/pull/177) ([jcheroske](https://github.com/jcheroske))
- Travis [\#173](https://github.com/dev-sec/ansible-ssh-hardening/pull/173) ([rndmh3ro](https://github.com/rndmh3ro))
- OpenBSD Support [\#171](https://github.com/dev-sec/ansible-ssh-hardening/pull/171) ([jbronn](https://github.com/jbronn))
- Implement disabling chroot for sftp [\#166](https://github.com/dev-sec/ansible-ssh-hardening/pull/166) ([towo](https://github.com/towo))
- New tests [\#163](https://github.com/dev-sec/ansible-ssh-hardening/pull/163) ([rndmh3ro](https://github.com/rndmh3ro))
- yaml-lint update, refactor tasks [\#162](https://github.com/dev-sec/ansible-ssh-hardening/pull/162) ([rndmh3ro](https://github.com/rndmh3ro))
- Handle a few deprecated OpenSSH options [\#160](https://github.com/dev-sec/ansible-ssh-hardening/pull/160) ([ageis](https://github.com/ageis))
- Added support for TrustedUserCAKeys and AuthorizedPrincipalsFile. [\#157](https://github.com/dev-sec/ansible-ssh-hardening/pull/157) ([gdelafond](https://github.com/gdelafond))
- Adds sshd config for keyboard-interactive pam device [\#156](https://github.com/dev-sec/ansible-ssh-hardening/pull/156) ([rcII](https://github.com/rcII))
- Use package state 'present' since 'installed' is deprecated [\#154](https://github.com/dev-sec/ansible-ssh-hardening/pull/154) ([Normo](https://github.com/Normo))
- conform to current dev-sec/ssh-baseline [\#150](https://github.com/dev-sec/ansible-ssh-hardening/pull/150) ([alval5280](https://github.com/alval5280))
- new parameter: ssh\_max\_startups [\#149](https://github.com/dev-sec/ansible-ssh-hardening/pull/149) ([aeschbacher](https://github.com/aeschbacher))
- Update syntax to 2.4 [\#148](https://github.com/dev-sec/ansible-ssh-hardening/pull/148) ([thomasjpfan](https://github.com/thomasjpfan))
- Amazonlinux-Testing [\#147](https://github.com/dev-sec/ansible-ssh-hardening/pull/147) ([rndmh3ro](https://github.com/rndmh3ro))
- Fixed trailing whitespace [\#146](https://github.com/dev-sec/ansible-ssh-hardening/pull/146) ([zbrojny120](https://github.com/zbrojny120))
- Add support for Amazon Linux [\#145](https://github.com/dev-sec/ansible-ssh-hardening/pull/145) ([woneill](https://github.com/woneill))
**Fixed bugs:**
- ssh\_server\_weak\_kex variable is not used any where [\#167](https://github.com/dev-sec/ansible-ssh-hardening/issues/167)
- opensshd.conf.j2 template type error [\#159](https://github.com/dev-sec/ansible-ssh-hardening/issues/159)
- line 56: Bad SSH2 mac spec [\#135](https://github.com/dev-sec/ansible-ssh-hardening/issues/135)
**Closed issues:**
- Travis & Debian 9 "Stretch" [\#158](https://github.com/dev-sec/ansible-ssh-hardening/issues/158)
**Merged pull requests:**
- remove oracle7 from travis tests for the time being [\#181](https://github.com/dev-sec/ansible-ssh-hardening/pull/181) ([rndmh3ro](https://github.com/rndmh3ro))
## [4.4.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.4.0) (2017-12-29) ## [4.4.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.4.0) (2017-12-29)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.3.1...4.4.0) [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.3.1...4.4.0)
**Implemented enhancements:** **Implemented enhancements:**
@ -10,12 +221,11 @@
- allow configuration of GatewayPorts [\#136](https://github.com/dev-sec/ansible-ssh-hardening/pull/136) ([pwyliu](https://github.com/pwyliu)) - allow configuration of GatewayPorts [\#136](https://github.com/dev-sec/ansible-ssh-hardening/pull/136) ([pwyliu](https://github.com/pwyliu))
- Added support for AuthorizedKeysFile config setting [\#132](https://github.com/dev-sec/ansible-ssh-hardening/pull/132) ([hyrsky](https://github.com/hyrsky)) - Added support for AuthorizedKeysFile config setting [\#132](https://github.com/dev-sec/ansible-ssh-hardening/pull/132) ([hyrsky](https://github.com/hyrsky))
- corrected comments explaining the task's behaviour [\#131](https://github.com/dev-sec/ansible-ssh-hardening/pull/131) ([martinbydefault](https://github.com/martinbydefault)) - corrected comments explaining the task's behaviour [\#131](https://github.com/dev-sec/ansible-ssh-hardening/pull/131) ([martinbydefault](https://github.com/martinbydefault))
- Add Two-Factor Authentication [\#123](https://github.com/dev-sec/ansible-ssh-hardening/pull/123) ([lazzurs](https://github.com/lazzurs)) - Feature/2fa auth [\#123](https://github.com/dev-sec/ansible-ssh-hardening/pull/123) ([lazzurs](https://github.com/lazzurs))
**Fixed bugs:** **Fixed bugs:**
- ssh\_use\_dns used twice in defaults/main.yml [\#129](https://github.com/dev-sec/ansible-ssh-hardening/issues/129) - ssh\_use\_dns used twice in defaults/main.yml [\#129](https://github.com/dev-sec/ansible-ssh-hardening/issues/129)
- line 56: Bad SSH2 mac spec [\#135](https://github.com/dev-sec/ansible-ssh-hardening/issues/135)
**Closed issues:** **Closed issues:**
@ -31,6 +241,7 @@
- force /bin/sh when getting openssh-version [\#134](https://github.com/dev-sec/ansible-ssh-hardening/pull/134) ([gtz42](https://github.com/gtz42)) - force /bin/sh when getting openssh-version [\#134](https://github.com/dev-sec/ansible-ssh-hardening/pull/134) ([gtz42](https://github.com/gtz42))
## [4.3.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.3.1) (2017-08-14) ## [4.3.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.3.1) (2017-08-14)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.3.0...4.3.1) [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.3.0...4.3.1)
**Implemented enhancements:** **Implemented enhancements:**
@ -46,7 +257,8 @@
- role creates duplicate parameter/values after run [\#124](https://github.com/dev-sec/ansible-ssh-hardening/issues/124) - role creates duplicate parameter/values after run [\#124](https://github.com/dev-sec/ansible-ssh-hardening/issues/124)
## [4.3.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.3.0) (2017-08-03) ## [4.3.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.3.0) (2017-08-03)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.3...4.3.0)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.2.0...4.3.0)
**Implemented enhancements:** **Implemented enhancements:**
@ -58,11 +270,13 @@
- Don't overwrite ssh\_host\_key\_files if set manually [\#125](https://github.com/dev-sec/ansible-ssh-hardening/pull/125) ([oakey-b1](https://github.com/oakey-b1)) - Don't overwrite ssh\_host\_key\_files if set manually [\#125](https://github.com/dev-sec/ansible-ssh-hardening/pull/125) ([oakey-b1](https://github.com/oakey-b1))
- Add comment filter to {{ansible\_managed}} string [\#121](https://github.com/dev-sec/ansible-ssh-hardening/pull/121) ([fazlearefin](https://github.com/fazlearefin)) - Add comment filter to {{ansible\_managed}} string [\#121](https://github.com/dev-sec/ansible-ssh-hardening/pull/121) ([fazlearefin](https://github.com/fazlearefin))
## [4.1.3](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.3) (2017-06-30)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.2.0...4.1.3)
## [4.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.2.0) (2017-06-30) ## [4.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.2.0) (2017-06-30)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.2...4.2.0)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.3...4.2.0)
## [4.1.3](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.3) (2017-06-30)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.2...4.1.3)
**Implemented enhancements:** **Implemented enhancements:**
@ -78,6 +292,7 @@
- Do not use shell when not needed + Lint whitespaces [\#118](https://github.com/dev-sec/ansible-ssh-hardening/pull/118) ([krhubert](https://github.com/krhubert)) - Do not use shell when not needed + Lint whitespaces [\#118](https://github.com/dev-sec/ansible-ssh-hardening/pull/118) ([krhubert](https://github.com/krhubert))
## [4.1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.2) (2017-05-31) ## [4.1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.2) (2017-05-31)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.1...4.1.2) [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.1...4.1.2)
**Implemented enhancements:** **Implemented enhancements:**
@ -93,17 +308,15 @@
- Update readme to include baselines [\#110](https://github.com/dev-sec/ansible-ssh-hardening/issues/110) - Update readme to include baselines [\#110](https://github.com/dev-sec/ansible-ssh-hardening/issues/110)
## [4.1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.1) (2017-05-18) ## [4.1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.1) (2017-05-18)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.0...4.1.1) [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.1.0...4.1.1)
**Implemented enhancements:** **Implemented enhancements:**
- fix validation error [\#113](https://github.com/dev-sec/ansible-ssh-hardening/pull/113) ([pwyliu](https://github.com/pwyliu)) - fix validation error [\#113](https://github.com/dev-sec/ansible-ssh-hardening/pull/113) ([pwyliu](https://github.com/pwyliu))
**Fixed bugs:**
- fix validation error [\#113](https://github.com/dev-sec/ansible-ssh-hardening/pull/113) ([pwyliu](https://github.com/pwyliu))
## [4.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.0) (2017-05-09) ## [4.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.1.0) (2017-05-09)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.0.0...4.1.0) [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/4.0.0...4.1.0)
**Implemented enhancements:** **Implemented enhancements:**
@ -123,6 +336,7 @@
- Adds option to enable password based authentication on the server [\#107](https://github.com/dev-sec/ansible-ssh-hardening/pull/107) ([colin-nolan](https://github.com/colin-nolan)) - Adds option to enable password based authentication on the server [\#107](https://github.com/dev-sec/ansible-ssh-hardening/pull/107) ([colin-nolan](https://github.com/colin-nolan))
## [4.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.0.0) (2017-04-22) ## [4.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.0.0) (2017-04-22)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.2.0...4.0.0) [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.2.0...4.0.0)
**Implemented enhancements:** **Implemented enhancements:**
@ -145,8 +359,6 @@
**Fixed bugs:** **Fixed bugs:**
- SELinux-specific task still runs on SELinux-disabled systems [\#74](https://github.com/dev-sec/ansible-ssh-hardening/issues/74) - SELinux-specific task still runs on SELinux-disabled systems [\#74](https://github.com/dev-sec/ansible-ssh-hardening/issues/74)
- List only one Port in ssh config [\#84](https://github.com/dev-sec/ansible-ssh-hardening/pull/84) ([fullyint](https://github.com/fullyint))
- Fix ssh config to handle custom options per Host [\#83](https://github.com/dev-sec/ansible-ssh-hardening/pull/83) ([fullyint](https://github.com/fullyint))
**Closed issues:** **Closed issues:**
@ -159,6 +371,7 @@
- Fix ssh\_server\_ports and ssh\_client\_ports documentation bug [\#80](https://github.com/dev-sec/ansible-ssh-hardening/pull/80) ([kivilahtio](https://github.com/kivilahtio)) - Fix ssh\_server\_ports and ssh\_client\_ports documentation bug [\#80](https://github.com/dev-sec/ansible-ssh-hardening/pull/80) ([kivilahtio](https://github.com/kivilahtio))
## [3.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.2.0) (2016-10-24) ## [3.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.2.0) (2016-10-24)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.1.0...3.2.0) [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.1.0...3.2.0)
**Implemented enhancements:** **Implemented enhancements:**
@ -173,11 +386,8 @@
- Selinux issue [\#75](https://github.com/dev-sec/ansible-ssh-hardening/issues/75) - Selinux issue [\#75](https://github.com/dev-sec/ansible-ssh-hardening/issues/75)
- Running the tests locally [\#61](https://github.com/dev-sec/ansible-ssh-hardening/issues/61) - Running the tests locally [\#61](https://github.com/dev-sec/ansible-ssh-hardening/issues/61)
**Closed issues:**
- Applied-Crypto-Hardening project and new cyphers. [\#28](https://github.com/dev-sec/ansible-ssh-hardening/issues/28)
## [3.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.1.0) (2016-08-03) ## [3.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.1.0) (2016-08-03)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.1...3.1.0) [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.1...3.1.0)
**Implemented enhancements:** **Implemented enhancements:**
@ -185,6 +395,7 @@
- use new ciphers, kex, macs and privilege separation for redhat family 7 or later [\#72](https://github.com/dev-sec/ansible-ssh-hardening/issues/72) - use new ciphers, kex, macs and privilege separation for redhat family 7 or later [\#72](https://github.com/dev-sec/ansible-ssh-hardening/issues/72)
## [3.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.1) (2016-08-03) ## [3.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.1) (2016-08-03)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.0.0...3.1) [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.0.0...3.1)
**Implemented enhancements:** **Implemented enhancements:**
@ -212,11 +423,12 @@
- Add SCP/SFTP to FAQ [\#58](https://github.com/dev-sec/ansible-ssh-hardening/pull/58) ([rndmh3ro](https://github.com/rndmh3ro)) - Add SCP/SFTP to FAQ [\#58](https://github.com/dev-sec/ansible-ssh-hardening/pull/58) ([rndmh3ro](https://github.com/rndmh3ro))
## [3.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.0.0) (2016-03-13) ## [3.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.0.0) (2016-03-13)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/2.0.0...3.0.0) [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/2.0.0...3.0.0)
**Implemented enhancements:** **Implemented enhancements:**
- Added sftp\_enabled, sftp\_chroot\_dir, and ssh\_client\_roaming from the … [\#57](https://github.com/dev-sec/ansible-ssh-hardening/pull/57) ([shirokatze](https://github.com/shirokatze)) - Added sftp\_enabled, sftp\_chroot\_dir, and ssh\_client\_roaming from the … [\#57](https://github.com/dev-sec/ansible-ssh-hardening/pull/57) ([ghost](https://github.com/ghost))
- add test support for ansible 1.9 and 2.0 [\#56](https://github.com/dev-sec/ansible-ssh-hardening/pull/56) ([rndmh3ro](https://github.com/rndmh3ro)) - add test support for ansible 1.9 and 2.0 [\#56](https://github.com/dev-sec/ansible-ssh-hardening/pull/56) ([rndmh3ro](https://github.com/rndmh3ro))
- update platforms in meta-file [\#52](https://github.com/dev-sec/ansible-ssh-hardening/pull/52) ([rndmh3ro](https://github.com/rndmh3ro)) - update platforms in meta-file [\#52](https://github.com/dev-sec/ansible-ssh-hardening/pull/52) ([rndmh3ro](https://github.com/rndmh3ro))
- add webhook for ansible galaxy [\#51](https://github.com/dev-sec/ansible-ssh-hardening/pull/51) ([rndmh3ro](https://github.com/rndmh3ro)) - add webhook for ansible galaxy [\#51](https://github.com/dev-sec/ansible-ssh-hardening/pull/51) ([rndmh3ro](https://github.com/rndmh3ro))
@ -235,6 +447,7 @@
- New release 3.0.0 [\#59](https://github.com/dev-sec/ansible-ssh-hardening/pull/59) ([rndmh3ro](https://github.com/rndmh3ro)) - New release 3.0.0 [\#59](https://github.com/dev-sec/ansible-ssh-hardening/pull/59) ([rndmh3ro](https://github.com/rndmh3ro))
## [2.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/2.0.0) (2015-11-28) ## [2.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/2.0.0) (2015-11-28)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2.1...2.0.0) [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2.1...2.0.0)
**Closed issues:** **Closed issues:**
@ -248,6 +461,7 @@
- sftp\_enable option [\#41](https://github.com/dev-sec/ansible-ssh-hardening/pull/41) ([fitz123](https://github.com/fitz123)) - sftp\_enable option [\#41](https://github.com/dev-sec/ansible-ssh-hardening/pull/41) ([fitz123](https://github.com/fitz123))
## [1.2.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2.1) (2015-10-16) ## [1.2.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2.1) (2015-10-16)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2...1.2.1) [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2...1.2.1)
**Merged pull requests:** **Merged pull requests:**
@ -255,10 +469,12 @@
- Allow whitelisted groups on ssh [\#40](https://github.com/dev-sec/ansible-ssh-hardening/pull/40) ([fheinle](https://github.com/fheinle)) - Allow whitelisted groups on ssh [\#40](https://github.com/dev-sec/ansible-ssh-hardening/pull/40) ([fheinle](https://github.com/fheinle))
## [1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2) (2015-09-28) ## [1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2) (2015-09-28)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2.0...1.2) [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2.0...1.2)
## [1.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2.0) (2015-09-28) ## [1.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2.0) (2015-09-28)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1...1.2.0)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1.0...1.2.0)
**Merged pull requests:** **Merged pull requests:**
@ -266,16 +482,20 @@
- Add more travis-tests [\#38](https://github.com/dev-sec/ansible-ssh-hardening/pull/38) ([rndmh3ro](https://github.com/rndmh3ro)) - Add more travis-tests [\#38](https://github.com/dev-sec/ansible-ssh-hardening/pull/38) ([rndmh3ro](https://github.com/rndmh3ro))
- Support for selinux and pam. fix \#23 [\#35](https://github.com/dev-sec/ansible-ssh-hardening/pull/35) ([rndmh3ro](https://github.com/rndmh3ro)) - Support for selinux and pam. fix \#23 [\#35](https://github.com/dev-sec/ansible-ssh-hardening/pull/35) ([rndmh3ro](https://github.com/rndmh3ro))
## [1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.1) (2015-09-01)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1.0...1.1)
## [1.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.1.0) (2015-09-01) ## [1.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.1.0) (2015-09-01)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.0.0...1.1.0)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1...1.1.0)
## [1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.1) (2015-09-01)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.0.0...1.1)
**Closed issues:** **Closed issues:**
- ssh\_ports - individual client/server config [\#33](https://github.com/dev-sec/ansible-ssh-hardening/issues/33) - ssh\_ports - individual client/server config [\#33](https://github.com/dev-sec/ansible-ssh-hardening/issues/33)
- Applied-Crypto-Hardening project and new cyphers. [\#28](https://github.com/dev-sec/ansible-ssh-hardening/issues/28)
- UsePAM should probably default to yes on Red Hat Linux 7 [\#23](https://github.com/dev-sec/ansible-ssh-hardening/issues/23) - UsePAM should probably default to yes on Red Hat Linux 7 [\#23](https://github.com/dev-sec/ansible-ssh-hardening/issues/23)
- Running test-kitchen fails [\#2](https://github.com/dev-sec/ansible-ssh-hardening/issues/2)
**Merged pull requests:** **Merged pull requests:**
@ -296,6 +516,9 @@
- Debian install script [\#19](https://github.com/dev-sec/ansible-ssh-hardening/pull/19) ([rndmh3ro](https://github.com/rndmh3ro)) - Debian install script [\#19](https://github.com/dev-sec/ansible-ssh-hardening/pull/19) ([rndmh3ro](https://github.com/rndmh3ro))
## [1.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.0.0) (2015-04-30) ## [1.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.0.0) (2015-04-30)
[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/a9591764206b79a4ed324bb8576151ebac0127b1...1.0.0)
**Implemented enhancements:** **Implemented enhancements:**
- Update variable-documentation [\#12](https://github.com/dev-sec/ansible-ssh-hardening/pull/12) ([rndmh3ro](https://github.com/rndmh3ro)) - Update variable-documentation [\#12](https://github.com/dev-sec/ansible-ssh-hardening/pull/12) ([rndmh3ro](https://github.com/rndmh3ro))
@ -304,7 +527,6 @@
- add travis test for ubuntu 12.04 [\#7](https://github.com/dev-sec/ansible-ssh-hardening/issues/7) - add travis test for ubuntu 12.04 [\#7](https://github.com/dev-sec/ansible-ssh-hardening/issues/7)
- Use handler for sshd restart [\#6](https://github.com/dev-sec/ansible-ssh-hardening/issues/6) - Use handler for sshd restart [\#6](https://github.com/dev-sec/ansible-ssh-hardening/issues/6)
- Running test-kitchen fails [\#2](https://github.com/dev-sec/ansible-ssh-hardening/issues/2)
**Merged pull requests:** **Merged pull requests:**
@ -325,4 +547,4 @@
\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* \* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*

1
ansible/roles/dev-sec.ssh-hardening/Gemfile
View file

@ -11,6 +11,7 @@ group :integration do
gem 'kitchen-sync' gem 'kitchen-sync'
gem 'kitchen-transport-rsync' gem 'kitchen-transport-rsync'
gem 'kitchen-docker' gem 'kitchen-docker'
gem 'inspec', '~> 3'
end end
group :tools do group :tools do

57
ansible/roles/dev-sec.ssh-hardening/README.md
View file

@ -12,7 +12,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
## Requirements ## Requirements
* Ansible > 2.4 * Ansible > 2.5
## Role Variables ## Role Variables
| Name | Default Value | Description | | Name | Default Value | Description |
@ -22,17 +22,18 @@ Warning: This role disables root-login on the target server! Please make sure yo
|`ssh_client_port` | '22' |port to which ssh-client should connect| |`ssh_client_port` | '22' |port to which ssh-client should connect|
|`ssh_listen_to` | ['0.0.0.0'] |one or more ip addresses, to which ssh-server should listen to. Default is all adresseses, but should be configured to specific addresses for security reasons!| |`ssh_listen_to` | ['0.0.0.0'] |one or more ip addresses, to which ssh-server should listen to. Default is all adresseses, but should be configured to specific addresses for security reasons!|
|`ssh_host_key_files` | [] |Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version| |`ssh_host_key_files` | [] |Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version|
|`ssh_host_key_algorithms` | [] | Host key algorithms that the server offers. If empty the [default list](https://man.openbsd.org/sshd_config#HostKeyAlgorithms) will be used, otherwise overrides the setting with specified list of algorithms|
|`ssh_client_alive_interval` | 600 | specifies an interval for sending keepalive messages | |`ssh_client_alive_interval` | 600 | specifies an interval for sending keepalive messages |
|`ssh_client_alive_count` | 3 | defines how often keep-alive messages are sent | |`ssh_client_alive_count` | 3 | defines how often keep-alive messages are sent |
|`ssh_permit_tunnel` | false | true if SSH Port Tunneling is required | |`ssh_permit_tunnel` | false | true if SSH Port Tunneling is required |
|`ssh_remote_hosts` | [] | one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`.| |`ssh_remote_hosts` | [] | one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`.|
|`ssh_allow_root_with_key` | false | false to disable root login altogether. Set to true to allow root to login via key-based mechanism.| |`ssh_permit_root_login` | no | Disable root-login. Set to `without-password` or `yes` to enable root-login |
|`ssh_allow_tcp_forwarding` | false | false to disable TCP Forwarding. Set to true to allow TCP Forwarding.| |`ssh_allow_tcp_forwarding` | no | `no` to disable TCP Forwarding. Set to `yes` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `yes`, `no`, `all` or `local`|
|`ssh_gateway_ports` | `false` | `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to.| |`ssh_gateway_ports` | `false` | `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to.|
|`ssh_allow_agent_forwarding` | false | false to disable Agent Forwarding. Set to true to allow Agent Forwarding.| |`ssh_allow_agent_forwarding` | false | false to disable Agent Forwarding. Set to true to allow Agent Forwarding.|
|`ssh_pam_support` | true | true if SSH has PAM support.| |`ssh_pam_support` | true | true if SSH has PAM support.|
|`ssh_use_pam` | false | false to disable pam authentication.| |`ssh_use_pam` | true | false to disable pam authentication.|
|`ssh_gssapi_support` | true | true if SSH has GSSAPI support.| |`ssh_gssapi_support` | false | true if SSH has GSSAPI support.|
|`ssh_kerberos_support` | true | true if SSH has Kerberos support.| |`ssh_kerberos_support` | true | true if SSH has Kerberos support.|
|`ssh_deny_users` | '' | if specified, login is disallowed for user names that match one of the patterns.| |`ssh_deny_users` | '' | if specified, login is disallowed for user names that match one of the patterns.|
|`ssh_allow_users` | '' | if specified, login is allowed only for user names that match one of the patterns.| |`ssh_allow_users` | '' | if specified, login is allowed only for user names that match one of the patterns.|
@ -46,6 +47,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
|`ssh_print_motd` | false | false to disable printing of the MOTD| |`ssh_print_motd` | false | false to disable printing of the MOTD|
|`ssh_print_last_log` | false | false to disable display of last login information| |`ssh_print_last_log` | false | false to disable display of last login information|
|`sftp_enabled` | false | true to enable sftp configuration| |`sftp_enabled` | false | true to enable sftp configuration|
|`sftp_umask` | 0027 | Specifies the umask for sftp|
|`sftp_chroot` | true | false to disable chroot for sftp| |`sftp_chroot` | true | false to disable chroot for sftp|
|`sftp_chroot_dir` | /home/%u | change default sftp chroot location| |`sftp_chroot_dir` | /home/%u | change default sftp chroot location|
|`ssh_client_roaming` | false | enable experimental client roaming| |`ssh_client_roaming` | false | enable experimental client roaming|
@ -54,8 +56,6 @@ Warning: This role disables root-login on the target server! Please make sure yo
|`ssh_challengeresponseauthentication` | false | Specifies whether challenge-response authentication is allowed (e.g. via PAM) | |`ssh_challengeresponseauthentication` | false | Specifies whether challenge-response authentication is allowed (e.g. via PAM) |
|`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client | |`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client |
|`ssh_server_password_login` | false | `true` to allow password-based authentication with the ssh server | |`ssh_server_password_login` | false | `true` to allow password-based authentication with the ssh server |
|`ssh_google_auth` | false | `true` to enable google authenticator based TOTP 2FA |
|`ssh_pam_device` | false | `true` to enable public key auth with pam device 2FA |
|`ssh_banner` | `false` | `true` to print a banner on login | |`ssh_banner` | `false` | `true` to print a banner on login |
|`ssh_client_hardening` | `true` | `false` to stop harden the client | |`ssh_client_hardening` | `true` | `false` to stop harden the client |
|`ssh_client_port` | `'22'` | Specifies the port number to connect on the remote host. | |`ssh_client_port` | `'22'` | Specifies the port number to connect on the remote host. |
@ -64,15 +64,40 @@ Warning: This role disables root-login on the target server! Please make sure yo
|`ssh_print_debian_banner` | `false` | `true` to print debian specific banner | |`ssh_print_debian_banner` | `false` | `true` to print debian specific banner |
|`ssh_server_enabled` | `true` | `false` to disable the opensshd server | |`ssh_server_enabled` | `true` | `false` to disable the opensshd server |
|`ssh_server_hardening` | `true` | `false` to stop harden the server | |`ssh_server_hardening` | `true` | `false` to stop harden the server |
|`ssh_server_match_address` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
|`ssh_server_match_group` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. | |`ssh_server_match_group` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
|`ssh_server_match_user` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. | |`ssh_server_match_user` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
|`ssh_server_permit_environment_vars` | `false` | `true` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd | |`ssh_server_permit_environment_vars` | `no` | `yes` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global "yes" or "no" settings |
|`ssh_server_accept_env_vars`| '' | Specifies what environment variables sent by the client will be copied into the session's enviroment, multiple environment variables may be separated by whitespace |
|`ssh_use_dns` | `false` | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. | |`ssh_use_dns` | `false` | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. |
|`ssh_server_revoked_keys` | [] | a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys.| |`ssh_server_revoked_keys` | [] | a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys.|
|`ssh_max_startups` | '10:30:100' | Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.| |`ssh_max_startups` | '10:30:100' | Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.|
|`ssh_macs` | [] | Change this list to overwrite macs. Defaults found in `defaults/main.yml` | |`ssh_macs` | [] | Change this list to overwrite macs. Defaults found in `defaults/main.yml` |
|`ssh_kex` | [] | Change this list to overwrite kexs. Defaults found in `defaults/main.yml` | |`ssh_kex` | [] | Change this list to overwrite kexs. Defaults found in `defaults/main.yml` |
|`ssh_ciphers` | [] | Change this list to overwrite ciphers. Defaults found in `defaults/main.yml` | |`ssh_ciphers` | [] | Change this list to overwrite ciphers. Defaults found in `defaults/main.yml` |
|`ssh_custom_options` | [] | Custom lines for SSH client configuration |
|`sshd_custom_options` | [] | Custom lines for SSH daemon configuration |
|`sshd_syslog_facility` | 'AUTH' | The facility code that is used when logging messages from sshd |
|`sshd_log_level` | 'VERBOSE' | the verbosity level that is used when logging messages from sshd |
|`sshd_strict_modes` | 'yes' | Check file modes and ownership of the user's files and home directory before accepting login |
|`sshd_authenticationmethods` | `publickey` | Specifies the authentication methods that must be successfully completed for a user to be granted access. Make sure to set all required variables for your selected authentication method. Defaults found in `defaults/main.yml`
## Configuring settings not listed in role-variables
If you want to configure ssh options that are not listed above, you can use `ssh_custom_options` (for `/etc/ssh/ssh_config`) or `sshd_custom_options` (for `/etc/ssh/sshd_config`) to set them. These options will be set on the **beginning** of the file so you can override options further down in the file.
Example playbook:
```
- hosts: localhost
roles:
- dev-sec.ssh-hardening
vars:
ssh_custom_options:
- "Include /etc/ssh/ssh_config.d/*"
sshd_custom_options:
- "AcceptEnv LANG"
```
## Example Playbook ## Example Playbook
@ -97,27 +122,31 @@ bundle install
### Testing with Docker ### Testing with Docker
``` ```
# fast test on one machine # fast test on one machine
bundle exec kitchen test default-ubuntu-1204 bundle exec kitchen test ssh-ubuntu1804-ansible-latest
# test on all machines # test on all machines
bundle exec kitchen test bundle exec kitchen test
# for development # for development
bundle exec kitchen create default-ubuntu-1204 bundle exec kitchen create ssh-ubuntu1804-ansible-latest
bundle exec kitchen converge default-ubuntu-1204 bundle exec kitchen converge ssh-ubuntu1804-ansible-latest
bundle exec kitchen verify ssh-ubuntu1804-ansible-latest
# cleanup
bundle exec kitchen destroy ssh-ubuntu1804-ansible-latest
``` ```
### Testing with Virtualbox ### Testing with Virtualbox
``` ```
# fast test on one machine # fast test on one machine
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test default-ubuntu-1204 KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test ssh-ubuntu-1804
# test on all machines # test on all machines
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test
# for development # for development
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen create default-ubuntu-1204 KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen create ssh-ubuntu-1804
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen converge default-ubuntu-1204 KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen converge ssh-ubuntu-1804
``` ```
For more information see [test-kitchen](http://kitchen.ci/docs/getting-started) For more information see [test-kitchen](http://kitchen.ci/docs/getting-started)

52
ansible/roles/dev-sec.ssh-hardening/defaults/main.yml
View file

@ -30,6 +30,9 @@ ssh_listen_to: ['0.0.0.0'] # sshd
# Host keys to look for when starting sshd. # Host keys to look for when starting sshd.
ssh_host_key_files: [] # sshd ssh_host_key_files: [] # sshd
# Specifies the host key algorithms that the server offers
ssh_host_key_algorithms: [] # sshd
# Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. # Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
ssh_max_auth_retries: 2 ssh_max_auth_retries: 2
@ -48,11 +51,11 @@ ssh_permit_tunnel: false
# options: ['StrictHostKeyChecking no'] # options: ['StrictHostKeyChecking no']
ssh_remote_hosts: [] ssh_remote_hosts: []
# false to disable root login altogether. Set to true to allow root to login via key-based mechanism. # Set this to "without-password" or "yes" to allow root to login
ssh_allow_root_with_key: false # sshd ssh_permit_root_login: 'no' # sshd
# false to disable TCP Forwarding. Set to true to allow TCP Forwarding. # false to disable TCP Forwarding. Set to true to allow TCP Forwarding.
ssh_allow_tcp_forwarding: false # sshd ssh_allow_tcp_forwarding: 'no' # sshd
# false to disable binding forwarded ports to non-loopback addresses. Set to true to force binding on wildcard address. # false to disable binding forwarded ports to non-loopback addresses. Set to true to force binding on wildcard address.
# Set to 'clientspecified' to allow the client to specify which address to bind to. # Set to 'clientspecified' to allow the client to specify which address to bind to.
@ -65,16 +68,13 @@ ssh_allow_agent_forwarding: false # sshd
ssh_pam_support: true ssh_pam_support: true
# false to disable pam authentication. # false to disable pam authentication.
ssh_use_pam: false # sshd ssh_use_pam: true # sshd
# false to disable google 2fa authentication # specify AuthenticationMethods
ssh_google_auth: false # sshd sshd_authenticationmethods: 'publickey'
# false to disable pam device 2FA input
ssh_pam_device: false # sshd
# true if SSH support GSSAPI # true if SSH support GSSAPI
ssh_gssapi_support: true ssh_gssapi_support: false
# true if SSH support Kerberos # true if SSH support Kerberos
ssh_kerberos_support: true ssh_kerberos_support: true
@ -139,6 +139,9 @@ sftp_enabled: false
# false to disable sftp chroot # false to disable sftp chroot
sftp_chroot: true sftp_chroot: true
# sftp default umask
sftp_umask: 0027
# change default sftp chroot location # change default sftp chroot location
sftp_chroot_dir: /home/%u sftp_chroot_dir: /home/%u
@ -151,7 +154,11 @@ ssh_server_match_user: false # sshd
# list of hashes (containing group and rules) to generate Match Group blocks for. # list of hashes (containing group and rules) to generate Match Group blocks for.
ssh_server_match_group: false # sshd ssh_server_match_group: false # sshd
ssh_server_permit_environment_vars: false # list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for.
ssh_server_match_address: false # sshd
ssh_server_permit_environment_vars: 'no'
ssh_server_accept_env_vars : ''
# maximum number of concurrent unauthenticated connections to the SSH daemon # maximum number of concurrent unauthenticated connections to the SSH daemon
ssh_max_startups: '10:30:100' # sshd ssh_max_startups: '10:30:100' # sshd
@ -167,6 +174,10 @@ ssh_macs_53_default:
- hmac-ripemd160 - hmac-ripemd160
- hmac-sha1 - hmac-sha1
ssh_macs_53_el_6_5_default:
- hmac-sha2-512
- hmac-sha2-256
ssh_macs_59_default: ssh_macs_59_default:
- hmac-sha2-512 - hmac-sha2-512
- hmac-sha2-256 - hmac-sha2-256
@ -205,6 +216,11 @@ ssh_kex_59_default:
ssh_kex_66_default: ssh_kex_66_default:
- curve25519-sha256@libssh.org - curve25519-sha256@libssh.org
- diffie-hellman-group-exchange-sha256 - diffie-hellman-group-exchange-sha256
ssh_kex_80_default:
- sntrup4591761x25519-sha512@tinyssh.org
- curve25519-sha256@libssh.org
- diffie-hellman-group-exchange-sha256
# directory where to store ssh_password policy # directory where to store ssh_password policy
ssh_custom_selinux_dir: '/etc/selinux/local-policies' ssh_custom_selinux_dir: '/etc/selinux/local-policies'
@ -220,4 +236,16 @@ ssh_server_revoked_keys: []
# Set to false to turn the role into a no-op. Useful when using # Set to false to turn the role into a no-op. Useful when using
# the Ansible role dependency mechanism. # the Ansible role dependency mechanism.
ssh_hardening_enabled: true ssh_hardening_enabled: true
# Custom options for SSH client configuration file
ssh_custom_options: []
# Custom options for SSH daemon configuration file
sshd_custom_options: []
# Logging
sshd_syslog_facility: 'AUTH'
sshd_log_level: 'VERBOSE'
sshd_strict_modes: yes

3
ansible/roles/dev-sec.ssh-hardening/meta/.galaxy_install_info
View file

@ -1 +1,2 @@
{install_date: 'Mon Dec 17 12:48:22 2018', version: 5.0.0} install_date: Fri May 15 20:29:21 2020
version: 8.1.0

10
ansible/roles/dev-sec.ssh-hardening/meta/main.yml
View file

@ -4,7 +4,7 @@ galaxy_info:
description: 'This Ansible role provides numerous security-related ssh configurations, providing all-round base protection.' description: 'This Ansible role provides numerous security-related ssh configurations, providing all-round base protection.'
company: Hardening Framework Team company: Hardening Framework Team
license: Apache License 2.0 license: Apache License 2.0
min_ansible_version: '2.4' min_ansible_version: '2.5'
platforms: platforms:
- name: EL - name: EL
versions: versions:
@ -12,14 +12,14 @@ galaxy_info:
- 7 - 7
- name: Ubuntu - name: Ubuntu
versions: versions:
- precise
- trusty
- xenial - xenial
- bionic
- name: Debian - name: Debian
versions: versions:
- wheezy - stretch
- jessie - buster
- name: Amazon - name: Amazon
- name: Fedora
galaxy_tags: galaxy_tags:
- system - system
- security - security

36
ansible/roles/dev-sec.ssh-hardening/tasks/2fa.yml
View file

@ -1,36 +0,0 @@
---
# Install the 2FA packages and setup the config in PAM and SSH
- name: Install google authenticator PAM module
apt:
name: 'libpam-google-authenticator'
state: present
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
- name: Install google authenticator PAM module
yum:
name: 'google-authenticator'
state: present
when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
- name: Add google auth module to PAM
pamd:
name: 'sshd'
type: 'auth'
control: 'required'
module_path: 'pam_google_authenticator.so'
- name: Remove password auth from PAM
pamd:
name: 'sshd'
type: 'auth'
control: 'substack'
module_path: 'password-auth'
state: absent
when: ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux' or ansible_distribution == 'Amazon'
- name: Remove password auth from PAM
replace:
dest: '/etc/pam.d/sshd'
regexp: '^@include common-auth'
replace: '#@include common-auth'
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'

36
ansible/roles/dev-sec.ssh-hardening/tasks/crypto.yml
View file

@ -3,61 +3,73 @@
- name: set hostkeys according to openssh-version - name: set hostkeys according to openssh-version
set_fact: set_fact:
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
when: sshd_version.stdout >= '6.3' and not ssh_host_key_files when: sshd_version is version('6.3', '>=') and not ssh_host_key_files
- name: set hostkeys according to openssh-version - name: set hostkeys according to openssh-version
set_fact: set_fact:
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key'] ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key']
when: sshd_version.stdout >= '6.0' and not ssh_host_key_files when: sshd_version is version('6.0', '>=') and not ssh_host_key_files
- name: set hostkeys according to openssh-version - name: set hostkeys according to openssh-version
set_fact: set_fact:
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key'] ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key']
when: sshd_version.stdout >= '5.3' and not ssh_host_key_files when: sshd_version is version('5.3', '>=') and not ssh_host_key_files
### ###
- name: set macs according to openssh-version if openssh >= 7.6 - name: set macs according to openssh-version if openssh >= 7.6
set_fact: set_fact:
ssh_macs: '{{ ssh_macs_76_default }}' ssh_macs: '{{ ssh_macs_76_default }}'
when: sshd_version.stdout >= '7.6' and not ssh_macs when: sshd_version is version('7.6', '>=') and not ssh_macs
- name: set macs according to openssh-version if openssh >= 6.6 - name: set macs according to openssh-version if openssh >= 6.6
set_fact: set_fact:
ssh_macs: '{{ ssh_macs_66_default }}' ssh_macs: '{{ ssh_macs_66_default }}'
when: sshd_version.stdout >= '6.6' and not ssh_macs when: sshd_version is version('6.6', '>=') and not ssh_macs
- name: set macs according to openssh-version - name: set macs according to openssh-version
set_fact: set_fact:
ssh_macs: '{{ ssh_macs_59_default }}' ssh_macs: '{{ ssh_macs_59_default }}'
when: sshd_version.stdout >= '5.9' and not ssh_macs when: sshd_version is version('5.9', '>=') and not ssh_macs
- name: set macs for Enterprise Linux >= 6.5 (openssh 5.3 with backports)
set_fact:
ssh_macs: '{{ ssh_macs_53_el_6_5_default }}'
when:
- ansible_facts.distribution in ['CentOS', 'OracleLinux', 'RedHat']
- ansible_facts.distribution_version is version('6.5', '>=')
- not ssh_macs
- name: set macs according to openssh-version - name: set macs according to openssh-version
set_fact: set_fact:
ssh_macs: '{{ ssh_macs_53_default }}' ssh_macs: '{{ ssh_macs_53_default }}'
when: sshd_version.stdout >= '5.3' and not ssh_macs when: sshd_version is version('5.3', '>=') and not ssh_macs
### ###
- name: set ciphers according to openssh-version if openssh >= 6.6 - name: set ciphers according to openssh-version if openssh >= 6.6
set_fact: set_fact:
ssh_ciphers: '{{ ssh_ciphers_66_default }}' ssh_ciphers: '{{ ssh_ciphers_66_default }}'
when: sshd_version.stdout >= '6.6' and not ssh_ciphers when: sshd_version is version('6.6', '>=') and not ssh_ciphers
- name: set ciphers according to openssh-version - name: set ciphers according to openssh-version
set_fact: set_fact:
ssh_ciphers: '{{ ssh_ciphers_53_default }}' ssh_ciphers: '{{ ssh_ciphers_53_default }}'
when: sshd_version.stdout >= '5.3' and not ssh_ciphers when: sshd_version is version('5.3', '>=') and not ssh_ciphers
### ###
- name: set kex according to openssh-version if openssh >= 8.0
set_fact:
ssh_kex: '{{ ssh_kex_80_default }}'
when: sshd_version is version('8.0', '>=') and not ssh_kex
- name: set kex according to openssh-version if openssh >= 6.6 - name: set kex according to openssh-version if openssh >= 6.6
set_fact: set_fact:
ssh_kex: '{{ ssh_kex_66_default }}' ssh_kex: '{{ ssh_kex_66_default }}'
when: sshd_version.stdout >= '6.6' and not ssh_kex when: sshd_version is version('6.6', '>=') and not ssh_kex
- name: set kex according to openssh-version - name: set kex according to openssh-version
set_fact: set_fact:
ssh_kex: '{{ ssh_kex_59_default }}' ssh_kex: '{{ ssh_kex_59_default }}'
when: sshd_version.stdout >= '5.9' and not ssh_kex when: sshd_version is version('5.9', '>=') and not ssh_kex

61
ansible/roles/dev-sec.ssh-hardening/tasks/hardening.yml
View file

@ -2,19 +2,21 @@
- name: Set OS dependent variables - name: Set OS dependent variables
include_vars: '{{ item }}' include_vars: '{{ item }}'
with_first_found: with_first_found:
- '{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml' - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
- '{{ ansible_distribution }}.yml' - '{{ ansible_facts.distribution }}.yml'
- '{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml' - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
- '{{ ansible_os_family }}.yml' - '{{ ansible_facts.os_family }}.yml'
- name: get openssh-version - name: get openssh-version
shell: ssh -V 2>&1 | sed -r 's/.*_([0-9]*\.[0-9]).*/\1/g' command: ssh -V
args: register: sshd_version_raw
executable: /bin/sh
changed_when: false changed_when: false
register: sshd_version
check_mode: no check_mode: no
- name: parse openssh-version
set_fact:
sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]*.[0-9]).*', '\\1') }}"
- name: include tasks to create crypo-vars - name: include tasks to create crypo-vars
include_tasks: crypto.yml include_tasks: crypto.yml
@ -26,7 +28,7 @@
owner: '{{ ssh_owner }}' owner: '{{ ssh_owner }}'
group: '{{ ssh_group }}' group: '{{ ssh_group }}'
notify: restart sshd notify: restart sshd
when: ssh_server_hardening when: ssh_server_hardening | bool
- name: create sshd_config and set permissions to root/600 - name: create sshd_config and set permissions to root/600
template: template:
@ -35,9 +37,21 @@
mode: '0600' mode: '0600'
owner: '{{ ssh_owner }}' owner: '{{ ssh_owner }}'
group: '{{ ssh_group }}' group: '{{ ssh_group }}'
validate: '/usr/sbin/sshd -T -f %s' validate: '/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -f %s'
notify: restart sshd notify: restart sshd
when: ssh_server_hardening when: ssh_server_hardening | bool
- name: disable dynamic MOTD
pamd:
name: sshd
type: session
control: optional
module_path: pam_motd.so
state: absent
when:
- ssh_server_hardening | bool
- ssh_pam_support | bool
- not (ssh_print_motd | bool)
- name: create ssh_config and set permissions to root/644 - name: create ssh_config and set permissions to root/644
template: template:
@ -46,38 +60,27 @@
mode: '0644' mode: '0644'
owner: '{{ ssh_owner }}' owner: '{{ ssh_owner }}'
group: '{{ ssh_group }}' group: '{{ ssh_group }}'
when: ssh_client_hardening when: ssh_client_hardening | bool
- name: Check if {{ sshd_moduli_file }} contains weak DH parameters - name: Check if {{ sshd_moduli_file }} contains weak DH parameters
shell: awk '$5 < {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }} shell: awk '$5 < {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }}
register: sshd_register_moduli register: sshd_register_moduli
changed_when: false changed_when: false
check_mode: no check_mode: no
when: ssh_server_hardening | bool
- name: remove all small primes - name: remove all small primes
shell: awk '$5 >= {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }} > {{ sshd_moduli_file }}.new ; shell: awk '$5 >= {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }} > {{ sshd_moduli_file }}.new ;
[ -r {{ sshd_moduli_file }}.new -a -s {{ sshd_moduli_file }}.new ] && mv {{ sshd_moduli_file }}.new {{ sshd_moduli_file }} || true [ -r {{ sshd_moduli_file }}.new -a -s {{ sshd_moduli_file }}.new ] && mv {{ sshd_moduli_file }}.new {{ sshd_moduli_file }} || true
notify: restart sshd notify: restart sshd
when: sshd_register_moduli.stdout when:
- ssh_server_hardening | bool
- sshd_register_moduli.stdout
- name: include tasks to setup ca keys and principals - name: include tasks to setup ca keys and principals
include_tasks: ca_keys_and_principals.yml include_tasks: ca_keys_and_principals.yml
when: ssh_trusted_user_ca_keys_file != '' when: ssh_trusted_user_ca_keys_file | length > 0
- name: include tasks to setup 2FA
include_tasks: 2fa.yml
when:
- ssh_use_pam
- ssh_challengeresponseauthentication
- ssh_google_auth
- name: test to see if selinux is installed and running
command: getenforce
register: sestatus
failed_when: false
changed_when: false
check_mode: no
- name: include selinux specific tasks - name: include selinux specific tasks
include_tasks: selinux.yml include_tasks: selinux.yml
when: sestatus.rc == 0 when: ansible_facts.selinux and ansible_facts.selinux.status == "enabled"

2
ansible/roles/dev-sec.ssh-hardening/tasks/main.yml
View file

@ -1,4 +1,4 @@
--- ---
- include_tasks: hardening.yml - include_tasks: hardening.yml
when: ssh_hardening_enabled when: ssh_hardening_enabled | bool

37
ansible/roles/dev-sec.ssh-hardening/tasks/selinux.yml
View file

@ -1,24 +1,22 @@
--- ---
- name: install selinux dependencies when selinux is installed on RHEL or Oracle Linux - name: install selinux dependencies when selinux is installed
package: package:
name: '{{ item }}' name: '{{ ssh_selinux_packages }}'
state: present state: present
with_items:
- 'policycoreutils-python'
- 'checkpolicy'
when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
- name: install selinux dependencies when selinux is installed on Debian or Ubuntu - name: "authorize {{ ssh_server_ports }} ports for selinux"
apt: seport:
name: '{{ item }}' ports: '{{ item }}'
proto: tcp
setype: ssh_port_t
state: present state: present
with_items: with_items:
- 'policycoreutils' - "{{ ssh_server_ports }}"
- 'checkpolicy'
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
- name: check if ssh_password module is already installed - name: check if ssh_password module is already installed
shell: 'semodule -l | grep ssh_password' shell: 'set -o pipefail && semodule -l | grep ssh_password'
args:
executable: /bin/bash
register: ssh_password_module register: ssh_password_module
failed_when: false failed_when: false
changed_when: false changed_when: false
@ -41,17 +39,18 @@
dest: '{{ ssh_custom_selinux_dir }}' dest: '{{ ssh_custom_selinux_dir }}'
- name: check and compile policy - name: check and compile policy
shell: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password command: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password
- name: create selinux policy module package - name: create selinux policy module package
shell: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp -m {{ ssh_custom_selinux_dir }}/ssh_password.mod command: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp -m {{ ssh_custom_selinux_dir }}/ssh_password.mod
- name: install selinux policy - name: install selinux policy
shell: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp command: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp
when: not ssh_use_pam and sestatus.stdout != 'Disabled' and ssh_password_module.stdout.find('ssh_password') != 0 when: not ssh_use_pam | bool and ssh_password_module.stdout.find('ssh_password') != 0
# The following tasks only get executed when selinux is installed, UsePam is 'yes' and the ssh_password module is installed. # The following tasks only get executed when selinux is installed, UsePam is 'yes' and the ssh_password module is installed.
- name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk (http://danwalsh.livejournal.com/12333.html) # See http://danwalsh.livejournal.com/12333.html for more info
- name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk
command: semodule -r ssh_password command: semodule -r ssh_password
when: ssh_use_pam and ssh_password_module.stdout.find('ssh_password') == 0 when: ssh_use_pam | bool and ssh_password_module.stdout.find('ssh_password') == 0

14
ansible/roles/dev-sec.ssh-hardening/templates/openssh.conf.j2
View file

@ -2,7 +2,15 @@
# This is the ssh client system-wide configuration file. # This is the ssh client system-wide configuration file.
# See ssh_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen. # See ssh_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
#
{% if ssh_custom_options -%}
# Custom configuration that overwrites default configuration
# ==========================================================
{% for line in ssh_custom_options %}
{{ line }}
{% endfor %}
{% endif %}
# Basic configuration # Basic configuration
# =================== # ===================
@ -82,7 +90,7 @@ ForwardX11 no
# Never use host-based authentication. It can be exploited. # Never use host-based authentication. It can be exploited.
HostbasedAuthentication no HostbasedAuthentication no
{% if sshd_version.stdout | float < 7.4 -%} {% if sshd_version is version('7.6', '<') %}
RhostsRSAAuthentication no RhostsRSAAuthentication no
# Enable RSA authentication via identity files. # Enable RSA authentication via identity files.
RSAAuthentication yes RSAAuthentication yes
@ -111,7 +119,7 @@ Compression yes
#EscapeChar ~ #EscapeChar ~
#VisualHostKey yes #VisualHostKey yes
{% if sshd_version.stdout | float <= 7.1 -%} {% if sshd_version is version('7.1', '<=') %}
# Disable experimental client roaming. This is known to cause potential issues with secrets being disclosed to malicious servers and defaults to being disabled. # Disable experimental client roaming. This is known to cause potential issues with secrets being disclosed to malicious servers and defaults to being disabled.
UseRoaming {{ 'yes' if ssh_client_roaming else 'no' }} UseRoaming {{ 'yes' if ssh_client_roaming else 'no' }}
{% endif %} {% endif %}

119
ansible/roles/dev-sec.ssh-hardening/templates/opensshd.conf.j2
View file

@ -3,11 +3,19 @@
# This is the ssh client system-wide configuration file. # This is the ssh client system-wide configuration file.
# See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen. # See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
{% if sshd_custom_options -%}
# Custom configuration that overwrites default configuration
# ==========================================================
{% for line in sshd_custom_options -%}
{{ line }}
{% endfor %}
{% endif %}
# Basic configuration # Basic configuration
# =================== # ===================
# Either disable or only allowssh root login via certificates. # Either disable or only allow root login via certificates.
PermitRootLogin {{ 'without-password' if (ssh_allow_root_with_key|bool) else 'no' }} PermitRootLogin {{ ssh_permit_root_login }}
# Define which port sshd should listen to. Default to `22`. # Define which port sshd should listen to. Default to `22`.
{% for port in ssh_server_ports -%} {% for port in ssh_server_ports -%}
@ -24,9 +32,14 @@ ListenAddress {{address}}
# List HostKeys here. # List HostKeys here.
{% for key in ssh_host_key_files -%} {% for key in ssh_host_key_files -%}
HostKey {{key}} # Req 20 HostKey {{key}}
{% endfor %} {% endfor %}
# Specifies the host key algorithms that the server offers.
{% if sshd_version is version('5.8', '>=') %}
{{ "HostKeyAlgorithms "+ssh_host_key_algorithms| join(',') if ssh_host_key_algorithms else "HostKeyAlgorithms"|comment }}
{% endif %}
# Security configuration # Security configuration
# ====================== # ======================
@ -34,11 +47,11 @@ HostKey {{key}} # Req 20
Protocol 2 Protocol 2
# Make sure sshd checks file modes and ownership before accepting logins. This prevents accidental misconfiguration. # Make sure sshd checks file modes and ownership before accepting logins. This prevents accidental misconfiguration.
StrictModes yes StrictModes {{ 'yes' if (sshd_strict_modes|bool) else 'no' }}
# Logging, obsoletes QuietMode and FascistLogging # Logging, obsoletes QuietMode and FascistLogging
SyslogFacility AUTH SyslogFacility {{ sshd_syslog_facility }}
LogLevel VERBOSE LogLevel {{ sshd_log_level }}
# Cryptography # Cryptography
# ------------ # ------------
@ -75,8 +88,11 @@ LogLevel VERBOSE
# -------------- # --------------
# Secure Login directives. # Secure Login directives.
{% if sshd_version.stdout | float < 7.5 -%} {% if sshd_version is version('7.4', '<') %}
UsePrivilegeSeparation {% if (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') or (ansible_os_family in ['Oracle Linux', 'RedHat'] and ansible_distribution_major_version <= '6') -%}{{ssh_ps53}}{% else %}{{ssh_ps59}}{% endif %} UseLogin no
{% endif %}
{% if sshd_version is version('7.5', '<') %}
UsePrivilegeSeparation {% if (ansible_facts.distribution == 'Debian' and ansible_facts.distribution_major_version <= '6') or (ansible_facts.os_family in ['Oracle Linux', 'RedHat'] and ansible_facts.distribution_major_version <= '6' and not ansible_facts.distribution == 'Amazon') -%}{{ssh_ps53}}{% else %}{{ssh_ps59}}{% endif %}
{% endif %} {% endif %}
LoginGraceTime 30s LoginGraceTime 30s
@ -96,14 +112,11 @@ HostbasedAuthentication no
{% if ssh_pam_support -%} {% if ssh_pam_support -%}
UsePAM {{ 'yes' if (ssh_use_pam|bool) else 'no' }} UsePAM {{ 'yes' if (ssh_use_pam|bool) else 'no' }}
{% endif %} {% endif %}
{% if ssh_google_auth %}
# Force public key auth then ask for google auth code
AuthenticationMethods publickey,keyboard-interactive
{% endif %}
# Force public key auth then ask for pam device input # Set AuthenticationMethods per default to publickey
{% if ssh_pam_device %} # AuthenticationMethods was introduced in OpenSSH 6.2 - https://www.openssh.com/txt/release-6.2
AuthenticationMethods publickey,keyboard-interactive:pam {% if sshd_version is version('6.2', '>=') %}
AuthenticationMethods {{ sshd_authenticationmethods }}
{% endif %} {% endif %}
# Disable password-based authentication, it can allow for potentially easier brute-force attacks. # Disable password-based authentication, it can allow for potentially easier brute-force attacks.
@ -119,11 +132,9 @@ KerberosTicketCleanup yes
#KerberosGetAFSToken no #KerberosGetAFSToken no
{% endif %} {% endif %}
{% if ssh_gssapi_support -%}
# Only enable GSSAPI authentication if it is configured. # Only enable GSSAPI authentication if it is configured.
GSSAPIAuthentication no GSSAPIAuthentication {{ 'yes' if ssh_gssapi_support else 'no' }}
GSSAPICleanupCredentials yes GSSAPICleanupCredentials yes
{% endif %}
# In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here. For key-based authentication this is not necessary, since all keys must be explicitely enabled. # In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here. For key-based authentication this is not necessary, since all keys must be explicitely enabled.
{% if ssh_deny_users -%} {% if ssh_deny_users -%}
@ -142,15 +153,15 @@ DenyGroups {{ssh_deny_groups}}
AllowGroups {{ssh_allow_groups}} AllowGroups {{ssh_allow_groups}}
{% endif %} {% endif %}
{% if ssh_authorized_keys_file %} {% if ssh_authorized_keys_file -%}
AuthorizedKeysFile {{ ssh_authorized_keys_file }} AuthorizedKeysFile {{ ssh_authorized_keys_file }}
{% endif %} {% endif %}
{% if ssh_trusted_user_ca_keys_file %} {% if ssh_trusted_user_ca_keys_file -%}
TrustedUserCAKeys {{ ssh_trusted_user_ca_keys_file }} TrustedUserCAKeys {{ ssh_trusted_user_ca_keys_file }}
{% if ssh_authorized_principals_file %} {% if ssh_authorized_principals_file -%}
AuthorizedPrincipalsFile {{ ssh_authorized_principals_file }} AuthorizedPrincipalsFile {{ ssh_authorized_principals_file }}
{% endif %} {% endif %}
{% endif %} {% endif %}
# Network # Network
@ -168,19 +179,23 @@ PermitTunnel {{ 'yes' if (ssh_permit_tunnel|bool) else 'no' }}
# Disable forwarding tcp connections. # Disable forwarding tcp connections.
# no real advantage without denied shell access # no real advantage without denied shell access
AllowTcpForwarding {{ 'yes' if (ssh_allow_tcp_forwarding|bool) else 'no' }} {% if sshd_version is version('6.2', '>=') %}
AllowTcpForwarding {{ ssh_allow_tcp_forwarding if (ssh_allow_tcp_forwarding in ('yes', 'no', 'local', 'all')) else 'no' }}
{% else %}
AllowTcpForwarding {{ ssh_allow_tcp_forwarding if (ssh_allow_tcp_forwarding in ('yes', 'no')) else 'no' }}
{% endif %}
# Disable agent formwarding, since local agent could be accessed through forwarded connection. # Disable agent forwarding, since local agent could be accessed through forwarded connection.
# no real advantage without denied shell access # no real advantage without denied shell access
AllowAgentForwarding {{ 'yes' if (ssh_allow_agent_forwarding|bool) else 'no' }} AllowAgentForwarding {{ 'yes' if (ssh_allow_agent_forwarding|bool) else 'no' }}
{% if ssh_gateway_ports|bool %} {% if ssh_gateway_ports|bool -%}
# Port forwardings are forced to bind to the wildcard address # Port forwardings are forced to bind to the wildcard address
GatewayPorts yes GatewayPorts yes
{% elif ssh_gateway_ports == 'clientspecified' %} {% elif ssh_gateway_ports == 'clientspecified' -%}
# Clients allowed to specify which address to bind port forwardings to # Clients allowed to specify which address to bind port forwardings to
GatewayPorts clientspecified GatewayPorts clientspecified
{% else %} {% else -%}
# Do not allow remote port forwardings to bind to non-loopback addresses. # Do not allow remote port forwardings to bind to non-loopback addresses.
GatewayPorts no GatewayPorts no
{% endif %} {% endif %}
@ -192,13 +207,10 @@ X11UseLocalhost yes
# User environment configuration # User environment configuration
# ============================== # ==============================
{% if ssh_server_permit_environment_vars %} PermitUserEnvironment {{ ssh_server_permit_environment_vars }}
PermitUserEnvironment yes
{% for item in ssh_server_permit_environment_vars %} {% if ssh_server_accept_env_vars -%}
AcceptEnv {{ item }} AcceptEnv {{ ssh_server_accept_env_vars }}
{% endfor %}
{% else %}
PermitUserEnvironment no
{% endif %} {% endif %}
# Misc. configuration # Misc. configuration
@ -210,31 +222,31 @@ UseDNS {{ 'yes' if (ssh_use_dns|bool) else 'no' }}
PrintMotd {{ 'yes' if (ssh_print_motd|bool) else 'no' }} PrintMotd {{ 'yes' if (ssh_print_motd|bool) else 'no' }}
{% if ansible_os_family != 'FreeBSD' %} {% if ansible_facts.os_family != 'FreeBSD' %}
PrintLastLog {{ 'yes' if (ssh_print_last_log|bool) else 'no' }} PrintLastLog {{ 'yes' if (ssh_print_last_log|bool) else 'no' }}
{% endif %} {% endif %}
Banner {{ '/etc/ssh/banner.txt' if (ssh_banner|bool) else 'none' }} Banner {{ '/etc/ssh/banner.txt' if (ssh_banner|bool) else 'none' }}
{% if ansible_os_family == 'Debian' %} {% if ansible_facts.os_family == 'Debian' -%}
DebianBanner {{ 'yes' if (ssh_print_debian_banner|bool) else 'no' }} DebianBanner {{ 'yes' if (ssh_print_debian_banner|bool) else 'no' }}
{% endif %} {% endif %}
# Reject keys that are explicitly blacklisted # Reject keys that are explicitly blacklisted
RevokedKeys /etc/ssh/revoked_keys RevokedKeys /etc/ssh/revoked_keys
{% if sftp_enabled %} {% if sftp_enabled -%}
# SFTP matching configuration # SFTP matching configuration
# =========================== # ===========================
# Configuration, in case SFTP is used # Configuration, in case SFTP is used
# override default of no subsystems # override default of no subsystems
# Subsystem sftp /opt/app/openssh5/libexec/sftp-server # Subsystem sftp /opt/app/openssh5/libexec/sftp-server
Subsystem sftp internal-sftp -l INFO -f LOCAL6 Subsystem sftp internal-sftp -l INFO -f LOCAL6 -u {{ sftp_umask }}
# These lines must appear at the *end* of sshd_config # These lines must appear at the *end* of sshd_config
Match Group sftponly Match Group sftponly
ForceCommand internal-sftp -l INFO -f LOCAL6 ForceCommand internal-sftp -l INFO -f LOCAL6 -u {{ sftp_umask }}
{% if sftp_chroot %} {% if sftp_chroot %}
ChrootDirectory {{ sftp_chroot_dir }} ChrootDirectory {{ sftp_chroot_dir }}
{% endif %} {% endif %}
@ -245,23 +257,38 @@ Match Group sftponly
X11Forwarding no X11Forwarding no
{% endif %} {% endif %}
{% if ssh_server_match_group %} {% if ssh_server_match_address -%}
# Address matching configuration
# ============================
{% for item in ssh_server_match_address -%}
Match Address {{ item.address }}
{% for rule in item.rules %}
{{ rule | indent(4) }}
{% endfor %}
{% endfor %}
{% endif %}
{% if ssh_server_match_group -%}
# Group matching configuration # Group matching configuration
# ============================ # ============================
{% for item in ssh_server_match_group %} {% for item in ssh_server_match_group -%}
Match Group {{ item.group }} Match Group {{ item.group }}
{{ item.rules | indent(4) }} {% for rule in item.rules %}
{{ rule | indent(4) }}
{% endfor %}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if ssh_server_match_user -%}
{% if ssh_server_match_user %}
# User matching configuration # User matching configuration
# =========================== # ===========================
{% for item in ssh_server_match_user %} {% for item in ssh_server_match_user -%}
Match User {{ item.user }} Match User {{ item.user }}
{{ item.rules | indent(4) }} {% for rule in item.rules %}
{{ rule | indent(4) }}
{% endfor %}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

28
ansible/roles/dev-sec.ssh-hardening/tests/default.yml
View file

@ -2,20 +2,30 @@
- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings - name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
hosts: localhost hosts: localhost
pre_tasks: pre_tasks:
- package: name="{{item}}" state=present - name: use python3
with_items: set_fact:
- "openssh-clients" ansible_python_interpreter: /usr/bin/python3
- "openssh-server" when: ansible_facts.distribution == 'Fedora'
- package: name="{{ packages }}" state=present
vars:
packages:
- openssh-clients
- openssh-server
- libselinux-python
ignore_errors: true ignore_errors: true
- apt: name="{{item}}" state=present update_cache=true - apt: name="{{packages}}" state=present update_cache=true
with_items: vars:
- "openssh-client" packages:
- "openssh-server" - "openssh-client"
- "openssh-server"
ignore_errors: true ignore_errors: true
- file: path="/var/run/sshd" state=directory - file: path="/var/run/sshd" state=directory
- name: create ssh host keys - name: create ssh host keys
command: "ssh-keygen -A" command: "ssh-keygen -A"
when: not ((ansible_os_family in ['Oracle Linux', 'RedHat']) and ansible_distribution_major_version < '7') when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
ansible_facts.distribution == "Fedora" or
ansible_facts.distribution == "Amazon"
roles: roles:
- ansible-ssh-hardening - ansible-ssh-hardening

59
ansible/roles/dev-sec.ssh-hardening/tests/default_custom.yml
View file

@ -2,30 +2,40 @@
- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with custom settings - name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with custom settings
hosts: localhost hosts: localhost
pre_tasks: pre_tasks:
- package: name="{{item}}" state=present - name: use python3
with_items: set_fact:
- "openssh-clients" ansible_python_interpreter: /usr/bin/python3
- "openssh-server" when: ansible_facts.distribution == 'Fedora'
- package: name="{{ packages }}" state=present
vars:
packages:
- openssh-clients
- openssh-server
- libselinux-python
ignore_errors: true ignore_errors: true
- apt: name="{{item}}" state=present update_cache=true - apt: name="{{packages}}" state=present update_cache=true
with_items: vars:
- "openssh-client" packages:
- "openssh-server" - "openssh-client"
- "openssh-server"
ignore_errors: true ignore_errors: true
- file: path="/var/run/sshd" state=directory - file: path="/var/run/sshd" state=directory
- name: create ssh host keys - name: create ssh host keys
command: "ssh-keygen -A" command: "ssh-keygen -A"
when: not ((ansible_os_family in ['Oracle Linux', 'RedHat']) and ansible_distribution_major_version < '7') when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
ansible_facts.distribution == "Fedora" or
ansible_facts.distribution == "Amazon"
roles: roles:
- ansible-ssh-hardening - ansible-ssh-hardening
vars: vars:
network_ipv6_enable: true network_ipv6_enable: true
ssh_allow_root_with_key: true ssh_allow_tcp_forwarding: 'yes'
ssh_allow_tcp_forwarding: true
ssh_gateway_ports: true ssh_gateway_ports: true
ssh_allow_agent_forwarding: true ssh_allow_agent_forwarding: true
ssh_server_permit_environment_vars: ['PWD','HTTP_PROXY'] ssh_server_permit_environment_vars: 'yes'
ssh_server_accept_env_vars: 'PWD HTTP_PROXY'
ssh_client_alive_interval: 100 ssh_client_alive_interval: 100
ssh_client_alive_count: 10 ssh_client_alive_count: 10
ssh_client_password_login: true ssh_client_password_login: true
@ -37,6 +47,7 @@
ssh_deny_groups: 'foo bar' ssh_deny_groups: 'foo bar'
ssh_authorized_keys_file: '/etc/ssh/authorized_keys/%u' ssh_authorized_keys_file: '/etc/ssh/authorized_keys/%u'
ssh_max_auth_retries: 10 ssh_max_auth_retries: 10
ssh_permit_root_login: "without-password"
ssh_permit_tunnel: true ssh_permit_tunnel: true
ssh_print_motd: true ssh_print_motd: true
ssh_print_last_log: true ssh_print_last_log: true
@ -45,12 +56,21 @@
sftp_enabled: true sftp_enabled: true
sftp_chroot: true sftp_chroot: true
#ssh_server_enabled: false #ssh_server_enabled: false
ssh_server_match_address:
- address: '192.168.1.1/24'
rules:
- 'AllowTcpForwarding yes'
- 'AllowAgentForwarding no'
ssh_server_match_group: ssh_server_match_group:
- group: 'root' - group: 'root'
rules: 'AllowTcpForwarding yes' rules:
- 'AllowTcpForwarding yes'
- 'AllowAgentForwarding no'
ssh_server_match_user: ssh_server_match_user:
- user: 'root' - user: 'root'
rules: 'AllowTcpForwarding yes' rules:
- 'AllowTcpForwarding yes'
- 'AllowAgentForwarding no'
ssh_remote_hosts: ssh_remote_hosts:
- names: ['example.com', 'example2.com'] - names: ['example.com', 'example2.com']
options: ['Port 2222', 'ForwardAgent yes'] options: ['Port 2222', 'ForwardAgent yes']
@ -63,8 +83,13 @@
ssh_trusted_user_ca_keys: ssh_trusted_user_ca_keys:
- '# ssh-rsa ...' - '# ssh-rsa ...'
ssh_authorized_principals_file: '/etc/ssh/auth_principals/%u' ssh_authorized_principals_file: '/etc/ssh/auth_principals/%u'
ssh_authorized_principals : ssh_authorized_principals:
- { path: '/etc/ssh/auth_principals/root', principals: [ 'root' ], owner: "{{ ssh_owner }}", group: "{{ ssh_group }}", directoryowner: "{{ ssh_owner }}", directorygroup: "{{ ssh_group}}" } - { path: '/etc/ssh/auth_principals/root', principals: [ 'root' ], owner: "{{ ssh_owner }}", group: "{{ ssh_group }}", directoryowner: "{{ ssh_owner }}", directorygroup: "{{ ssh_group}}" }
ssh_host_key_algorithms:
- ssh-ed25519
- rsa-sha2-512
- rsa-sha2-256
- ssh-rsa
ssh_macs: ssh_macs:
- hmac-sha2-512 - hmac-sha2-512
- hmac-sha2-256 - hmac-sha2-256
@ -76,3 +101,7 @@
ssh_kex: ssh_kex:
- diffie-hellman-group-exchange-sha256 - diffie-hellman-group-exchange-sha256
- diffie-hellman-group-exchange-sha1 - diffie-hellman-group-exchange-sha1
ssh_custom_options:
- "Include /etc/ssh/ssh_config.d/*"
sshd_custom_options:
- "AcceptEnv LANG"

3
ansible/roles/dev-sec.ssh-hardening/vars/Debian.yml
View file

@ -1,3 +1,6 @@
sshd_service_name: ssh sshd_service_name: ssh
ssh_owner: root ssh_owner: root
ssh_group: root ssh_group: root
ssh_selinux_packages:
- policycoreutils-python
- checkpolicy

6
ansible/roles/dev-sec.ssh-hardening/vars/Fedora.yml Normal file
View file

@ -0,0 +1,6 @@
sshd_service_name: sshd
ssh_owner: root
ssh_group: root
ssh_selinux_packages:
- python3-policycoreutils
- checkpolicy

3
ansible/roles/dev-sec.ssh-hardening/vars/Oracle Linux.yml
View file

@ -1,3 +1,6 @@
sshd_service_name: sshd sshd_service_name: sshd
ssh_owner: root ssh_owner: root
ssh_group: root ssh_group: root
ssh_selinux_packages:
- policycoreutils-python
- checkpolicy

3
ansible/roles/dev-sec.ssh-hardening/vars/RedHat.yml
View file

@ -1,3 +1,6 @@
sshd_service_name: sshd sshd_service_name: sshd
ssh_owner: root ssh_owner: root
ssh_group: root ssh_group: root
ssh_selinux_packages:
- policycoreutils-python
- checkpolicy

6
ansible/roles/dev-sec.ssh-hardening/vars/RedHat_8.yml Normal file
View file

@ -0,0 +1,6 @@
sshd_service_name: sshd
ssh_owner: root
ssh_group: root
ssh_selinux_packages:
- python3-policycoreutils
- checkpolicy

5
ansible/roles/docker-compose/.gitignore vendored
View file

@ -1,5 +0,0 @@
*.retry
.vagrant
tests/_roles
!tests/_roles/.gitkeep
.DS_Store

24
ansible/roles/docker-compose/.travis.yml
View file

@ -1,24 +0,0 @@
---
language: python
python: "2.7"
sudo: required
dist: trusty
addons:
apt:
sources:
- sourceline: ppa:ansible/ansible
packages:
- ansible
before_install: cd tests
install:
- ansible-galaxy install -r roles.yml
script:
- ansible-playbook -i localhost test.yml
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

21
ansible/roles/docker-compose/LICENSE
View file

@ -1,21 +0,0 @@
MIT License
Copyright (c) 2016 Suzuki Shunsuke
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

39
ansible/roles/docker-compose/README.md
View file

@ -1,39 +0,0 @@
docker-compose
===============
[![Build Status](https://travis-ci.org/suzuki-shunsuke/ansible-docker-compose.svg?branch=master)](https://travis-ci.org/suzuki-shunsuke/ansible-docker-compose)
Install Docker Compose.
https://galaxy.ansible.com/suzuki-shunsuke/docker-compose/
Requirements
------------
* Docker Engine
Role Variables
--------------
* docker_compose_path: the path where docker-compose is installed. The default is /usr/local/bin
* docker_compose_mode: the permission of the docker-compose. The default is 0755
* docker_compose_version: docker-compose version. The default is `1.11.2`
Dependencies
------------
Nothing.
Example Playbook
----------------
```yaml
- hosts: servers
roles:
- role: suzuki-shunsuke.docker-compose
```
License
-------
MIT

5
ansible/roles/docker-compose/defaults/main.yml
View file

@ -1,5 +0,0 @@
---
# defaults file for docker-compose
docker_compose_path: /usr/local/bin
docker_compose_mode: 0755
docker_compose_version: 1.11.2

1
ansible/roles/docker-compose/meta/.galaxy_install_info
View file

@ -1 +0,0 @@
{install_date: 'Mon Apr 24 12:06:46 2017', version: 1.2.0}

15
ansible/roles/docker-compose/meta/main.yml
View file

@ -1,15 +0,0 @@
galaxy_info:
author: Suzuki Shunsuke
description: Install Docker Compose
license: MIT
min_ansible_version: 1.2
github_branch: master
platforms:
- name: GenericUnix
versions:
- all
galaxy_tags:
- docker
- docker compose
dependencies: []

7
ansible/roles/docker-compose/tasks/main.yml
View file

@ -1,7 +0,0 @@
---
# tasks file for docker-compose
- name: Install docker-compose
get_url:
url: https://github.com/docker/compose/releases/download/{{docker_compose_version}}/docker-compose-{{ansible_system}}-{{ansible_architecture}}
dest: "{{'{}/docker-compose'.format(docker_compose_path)}}"
mode: "{{docker_compose_mode}}"

12
ansible/roles/docker-compose/tests/Vagrantfile vendored
View file

@ -1,12 +0,0 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure(2) do |config|
config.vm.box = "bento/ubuntu-16.04"
config.vm.provider "virtualbox" do |vb|
vb.memory = "2048"
end
config.vm.provision "ansible" do |ansible|
ansible.playbook = "./test.yml"
end
end

Some files were not shown because too many files have changed in this diff Show more