configurations-ansible/roles/hardening-basic/README.md

44 lines
1.4 KiB
Markdown
Raw Permalink Normal View History

2022-11-21 15:02:03 +01:00
hardening-basic
=========
2022-11-21 15:02:03 +01:00
This role harden a target with best practises for SSH, modprobe and sysctl
Requirements
------------
2022-11-21 15:02:03 +01:00
.
Role Variables
--------------
2022-11-21 16:52:36 +01:00
- **hardening_sshd_enabled** (boolean): Enable or disable ssh hardening
- **hardening_sshd_authorized_key_file** (string): Set the relative path for sshd authorized_key_file
- **hardening_sshd_tcp_forward** (boolean): Enable or disable sshd tcp forwarding
- **hardening_sshd_legal_banner** (boolean): Enable or disable sshd legal banner (/etc/issue.net)
- **hardening_sshd_permissions_set_sticky_bit** (boolean): Enable or disable the sticky bit for sshd directory and files (root)
- **hardening_sysctl_vm_swappiness** (integer): Set the value for sysctl vm.swappiness
- **hardening_sysctl_disable_ipv6** (boolean): Enable or disable ipv6 though sysctl
- **hardening_modprobe_disable_list** (dict): Array of sections. Each section contains an array of string: modules, protocols and so on that can be disabled through modprobe
- **hardening_journald_system_max_use** (string): Example 250M
- **hardening_journald_system_max_file_size** (string): Example 50M
Dependencies
------------
2022-11-21 15:02:03 +01:00
.
Example Playbook
----------------
2022-11-21 15:02:03 +01:00
`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target" --tags hardening`
License
-------
2022-11-21 15:02:03 +01:00
GPLv3
Author Information
------------------
2022-11-21 15:02:03 +01:00
- [Claudio Maradonna](https://social.unitoo.it/claudio)