Ansible
/
BasicServerHardening
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
BasicServerHardening/tasks/main.yml

416 lines
9.5 KiB
YAML
Raw Permalink Blame History

---
# plays for setting up basic security hardening
#
# Setup /etc/issue
#
- name: Setup /etc/issue
template:
src: "issue"
dest: "/etc/issue"
when: BasicHardeningEnable and BasicHardeningEnableIssue
#
# Setup /etc/issue.net
#
- name: Setup /etc/issue.net
template:
src: "issue"
dest: "/etc/issue.net"
when: BasicHardeningEnable and BasicHardeningEnableIssue
#
# Disable ssh root login
#
- name: Disable SSH Root Login
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^PermitRootLogin'
line: "PermitRootLogin no"
state: present
backup: yes
when: BasicHardeningEnable and BasicHardeningEnableSSH and BasicHardeningDisableSSHRootLogin
notify:
- restart ssh
#
# set maximum number of concurrent ssh client sessions
#
- name: SSH Update ClientAliveCountMax
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^ClientAliveCountMax'
line: "ClientAliveCountMax {{BasicHardeningSSHClientAliveCountMax}}"
state: present
backup: yes
when: BasicHardeningEnable and BasicHardeningEnableSSH
notify:
- restart ssh
- name: SSH Update MaxSessions
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^MaxSessions'
line: "MaxSessions {{BasicHardeningSSHClientAliveCountMax}}"
state: present
backup: yes
when: BasicHardeningEnable and BasicHardeningEnableSSH
notify:
- restart ssh
#
# setup SSH compression
#
- name: SSH Update Compression
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^Compression'
line: "Compression delayed"
state: present
backup: yes
when: BasicHardeningEnable and BasicHardeningEnableSSH
notify:
- restart ssh
#
# setup ssh max auth tries
#
- name: SSH Update MaxAuthTries
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^MaxAuthTries'
line: "MaxAuthTries {{BasicHardeningSSHMaxAuthRetries}}"
state: present
backup: yes
when: BasicHardeningEnable and BasicHardeningEnableSSH
notify:
- restart ssh
- name: SSH Update TCPKeepAlive
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^TCPKeepAlive'
line: "TCPKeepAlive No"
state: present
backup: yes
when: BasicHardeningEnable and BasicHardeningEnableSSH and ansible_facts.distribution_release != "stretch"
notify:
- restart ssh
- name: SSH Update X11Forwarding
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^X11Forwarding'
line: "X11Forwarding No"
state: present
backup: yes
when: BasicHardeningEnable and BasicHardeningEnableSSH and ansible_facts.distribution_release != "stretch"
notify:
- restart ssh
- name: SSH enable Banner
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^Banner'
line: "Banner /etc/issue.net"
state: present
backup: yes
when: BasicHardeningEnable and BasicHardeningEnableSSH and BasicHardeningEnableIssue
notify:
- restart ssh
#
# setup umask in login.defs
#
- name: Set default login.defs umask to 027
lineinfile:
dest: /etc/login.defs
regexp: '^UMASK'
line: "UMASK {{BasicHardeningUmask}}"
state: present
backup: yes
when: BasicHardeningEnable
#
# setup minimum password age in login.defs
#
- name: Set minimum password age in login.defs
lineinfile:
dest: /etc/login.defs
regexp: '^PASS_MIN_DAYS'
line: "PASS_MIN_DAYS {{BasicHardeningMinPasswordAge}}"
state: present
backup: yes
when: BasicHardeningEnable
#
# setup maximum password age in login.defs
#
- name: Set maximum password age in login.defs
lineinfile:
dest: /etc/login.defs
regexp: '^PASS_MAX_DAYS'
line: "PASS_MAX_DAYS {{BasicHardeningMaxPasswordAge}}"
state: present
backup: yes
when: BasicHardeningEnable
#
# setup some security related kernel parameters
#
- name: Enable spoof protection
sysctl:
name: net.ipv4.conf.default.rp_filter
value: '1'
state: present
when: BasicHardeningEnable
- name: Enable spoof protection 2
sysctl:
name: net.ipv4.conf.all.rp_filter
value: '1'
state: present
when: BasicHardeningEnable
- name: Enable syn cookies
sysctl:
name: net.ipv4.tcp_syncookies
value: '1'
state: present
when: BasicHardeningEnable
- name: Disable IPv4 ICMP Redirects
sysctl:
name: net.ipv4.conf.all.accept_redirects
value: '0'
state: present
when: BasicHardeningEnable
- name: Disable IPv6 ICMP Redirects
sysctl:
name: net.ipv6.conf.all.accept_redirects
value: '0'
state: present
when: BasicHardeningEnable
- name: Disable Sending IPv4 ICMP Redirects
sysctl:
name: net.ipv4.conf.all.send_redirects
value: '0'
state: present
when: BasicHardeningEnable
- name: Enable ALSR
sysctl:
name: kernel.randomize_va_space
value: '2'
state: present
when: BasicHardeningEnable
#
# Install and enable fail2ban
#
- name: Install fail2ban
package:
name: fail2ban
state: latest
when: BasicHardeningEnable and BasicHardeningInstallFail2Ban
- name: Start/Enable the fail2ban service
service:
name: fail2ban
state: started
enabled: yes
when: BasicHardeningEnable and BasicHardeningInstallFail2Ban
#
# Install and enable rkhunter
#
- name: Install rkhunter
apt:
name: rkhunter
state: latest
when: BasicHardeningEnable and BasicHardeningInstallRkhunter
- name: Configure rkhunter for daily runs
lineinfile:
dest: /etc/default/rkhunter
regexp: '^CRON_DAILY_RUN='
line: 'CRON_DAILY_RUN="yes"'
state: present
backup: yes
when: BasicHardeningEnable and BasicHardeningInstallRkhunter
- name: Enable rkhunter for weekly updates
lineinfile:
dest: /etc/default/rkhunter
regexp: '^CRON_DB_UPDATE='
line: 'CRON_DB_UPDATE="yes"'
state: present
backup: yes
when: BasicHardeningEnable and BasicHardeningInstallRkhunter
- name: Enable rkhunter automatic database updates
lineinfile:
dest: /etc/default/rkhunter
regexp: '^APT_AUTOGEN='
line: 'APT_AUTOGEN="yes"'
state: present
backup: yes
when: BasicHardeningEnable and BasicHardeningInstallRkhunter
#
# Install per user tmp dirs
#
- name: Install libpam-tmpdir
package:
name: libpam-tmpdir
state: latest
when: BasicHardeningEnable
#
# install debsums for verifying package integrity
#
- name: Install debsums
package:
name: debsums
state: latest
when: BasicHardeningEnable
#
# Install the debsecan tool
#
- name: Install debsecan
package:
name: debsecan
state: latest
when: BasicHardeningEnable
#
# Install the lynis tool
#
- name: Add lynis Debian Repository GPG Key
ansible.builtin.apt_key:
url: https://packages.cisofy.com/keys/cisofy-software-public.key
state: present
when: BasicHardeningEnable and BasicHardeningInstallLynis
- name: Add Debian Lynis Repository
ansible.builtin.apt_repository:
repo: deb https://packages.cisofy.com/community/lynis/deb/ stable main
state: present
when: BasicHardeningEnable and BasicHardeningInstallLynis
- name: Install lynis
package:
name: lynis
state: latest
when: BasicHardeningEnable and BasicHardeningInstallLynis
#
# Install and enable usbguard
#
- name: Install usbguard
package:
name: usbguard
state: latest
when: BasicHardeningEnable and BasicHardeningInstallUSBGuard
#
# Disable core dumps as we are not checking them anyway
#
- name: Disable Core Dumps 1
pam_limits:
domain: "*"
limit_item: "core"
limit_type: "hard"
value: "0"
when: BasicHardeningEnable
- name: Disable Core Dumps 2
pam_limits:
domain: "*"
limit_item: "core"
limit_type: "soft"
value: "0"
when: BasicHardeningEnable
- name: Prevent setuid programs to core dump
sysctl:
name: fs.suid_dumpable
value: '0'
state: present
when: BasicHardeningEnable
- name: Deactivate kernel core dumps
sysctl:
name: kernel.core_pattern
value: '|/bin/false'
state: present
when: BasicHardeningEnable
- name: Setup maxlogins
pam_limits:
domain: "*"
limit_item: "maxlogins"
limit_type: "hard"
value: "4"
when: BasicHardeningEnable
- name: Setup nproc
pam_limits:
domain: "*"
limit_item: "nproc"
limit_type: "hard"
value: "1024"
when: BasicHardeningEnable
- name: Disallow opening files in world writeable sticky directories
sysctl:
name: fs.protected_regular
value: '2'
state: present
when: BasicHardeningEnable
- name: Disallow opening fifos in world writeable sticky directories
sysctl:
name: fs.protected_fifos
value: '1'
state: present
when: BasicHardeningEnable
- name: Protect hardlinks
sysctl:
name: fs.protected_hardlinks
value: '1'
state: present
when: BasicHardeningEnable
- name: Protect symlinks
sysctl:
name: fs.protected_symlinks
value: '1'
state: present
when: BasicHardeningEnable
- name: Disallow bpf loading for normal users
sysctl:
name: kernel.unprivileged_bpf_disabled
value: '1'
state: present
when: BasicHardeningEnable and ansible_kernel is version_compare('5.8','>=')
- name: harden den bpf jit compilter
sysctl:
name: net.core.bpf_jit_harden
value: '2'
state: present
when: BasicHardeningEnable and ansible_kernel is version_compare('5.8','>=')
Reference in New Issue View Git Blame Copy Permalink