optimized hardening-basic role; add journalctl hardening

roles/hardening-basic/README.md

@@ -19,6 +19,8 @@ Role Variables
 - **hardening_sysctl_vm_swappiness** (integer): Set the value for sysctl vm.swappiness 
 - **hardening_sysctl_disable_ipv6** (boolean): Enable or disable ipv6 though sysctl
 - **hardening_modprobe_disable_list** (dict): Array of sections. Each section contains an array of string: modules, protocols and so on that can be disabled through modprobe
+- **hardening_journald_system_max_use** (string): Example 250M
+- **hardening_journald_system_max_file_size** (string): Example 50M
 
 Dependencies
 ------------

roles/hardening-basic/defaults/main.yml

@@ -16,3 +16,6 @@ hardening_modprobe_disable_list:
   rare_filesystems: [cramfs,freevxfs,jffs2,hfs,hfsplus,squashfs,udf]
   rare_protocols: [dccp,sctp,rds,tipc,n-hdlc,ax25,netrom,x25,rose,decnet,econet,af_802154,ipx,appletalk,psnap,p8023,p8022,can,atm]
   vivid: [vivid]
+
+hardening_journald_system_max_use: 250M
+hardening_journald_system_max_file_size: 50M

roles/hardening-basic/tasks/harden_systemd.yml

@@ -0,0 +1,14 @@
+- name: Create directory tree if not exists
+  ansible.builtin.file:
+    path: '/etc/{{ item.path }}'
+    state: directory
+    mode: '{{ item.mode }}'
+  with_community.general.filetree: '../templates/systemd/etc/'
+  when: item.state == 'directory'
+
+- name: Create and copy hardening files
+  ansible.builtin.template:
+    src: '{{ item.src }}'
+    dest: '/etc/{{ item.path }}'
+  with_community.general.filetree: '../templates/systemd/etc/'
+  when: item.state == 'file'

roles/hardening-basic/tasks/main.yml

@@ -7,12 +7,18 @@
       ansible.builtin.template:
         src: '{{ item.src }}'
         dest: '/etc/{{ item.path }}'
-      with_community.general.filetree: '../templates/etc/'
+      with_community.general.filetree: '../templates/basic/etc/'
       when: item.state == 'file'
 
     - name: Harden SSH Config
       when: 'hardening_sshd_enabled is true'
       block:
+        - name: Create and copy hardening files
+          ansible.builtin.template:
+            src: '{{ item.src }}'
+            dest: '/etc/{{ item.path }}'
+          with_community.general.filetree: '../templates/ssh/etc/'
+          when: item.state == 'file'
 
         - name: Give 1700 permissions to .ssh folder
           ansible.builtin.file:
@@ -33,3 +39,7 @@
           ansible.builtin.systemd:
             state: restarted
             name: sshd
+
+    - name: Harden Service Manager (like Systemd)
+      block:
+        - include_tasks: "harden_{{ ansible_service_mgr }}.yml"

roles/hardening-basic/templates/ssh/etc/ssh/sshd_config.d/99-hardening.conf

@@ -1,5 +1,3 @@
-{% if hardening_sshd_enabled %}
-
 Protocol 2                                                      # Protocol 1 is fundamentally broken
 StrictModes yes                                                 # Protects from misconfiguration
 
@@ -54,5 +52,3 @@ MaxStartups 2                                                   # Max concurrent
 TCPKeepAlive yes                                                # Do not use TCP keep-alive
 
 AcceptEnv LANG LC_*                                             # Allow client to pass locale environment variables
-
-{% endif %}

roles/hardening-basic/templates/systemd/etc/systemd/journald.conf.d/size.conf

@@ -0,0 +1,3 @@
+[Journal]
+SystemMaxUse={{ hardening_journald_system_max_use }}
+SystemMaxFileSize={{ hardening_journald_system_max_file_size }}