optimized hardening-basic role; add journalctl hardening
This commit is contained in:
parent
9f3042a83d
commit
ddbbb2f427
8 changed files with 33 additions and 5 deletions
@ -19,6 +19,8 @@ Role Variables
|
|||
- **hardening_sysctl_vm_swappiness** (integer): Set the value for sysctl vm.swappiness
|
||||
- **hardening_sysctl_disable_ipv6** (boolean): Enable or disable ipv6 though sysctl
|
||||
- **hardening_modprobe_disable_list** (dict): Array of sections. Each section contains an array of string: modules, protocols and so on that can be disabled through modprobe
|
||||
- **hardening_journald_system_max_use** (string): Example 250M
|
||||
- **hardening_journald_system_max_file_size** (string): Example 50M
|
||||
|
||||
Dependencies
|
||||
------------
|
||||
@ -16,3 +16,6 @@ hardening_modprobe_disable_list:
|
|||
rare_filesystems: [cramfs,freevxfs,jffs2,hfs,hfsplus,squashfs,udf]
|
||||
rare_protocols: [dccp,sctp,rds,tipc,n-hdlc,ax25,netrom,x25,rose,decnet,econet,af_802154,ipx,appletalk,psnap,p8023,p8022,can,atm]
|
||||
vivid: [vivid]
|
||||
|
||||
hardening_journald_system_max_use: 250M
|
||||
hardening_journald_system_max_file_size: 50M
|
||||
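--- /dev/null
+++ b/roles/hardening-basic/tasks/harden_systemd.yml
@@ -0,0 +1,14 @@
+- name: Create directory tree if not exists
+ansible.builtin.file:
+path: '/etc/{{ item.path }}'
+state: directory
+mode: '{{ item.mode }}'
+with_community.general.filetree: '../templates/systemd/etc/'
+when: item.state == 'directory'
+
+- name: Create and copy hardening files
+ansible.builtin.template:
+src: '{{ item.src }}'
+dest: '/etc/{{ item.path }}'
+with_community.general.filetree: '../templates/systemd/etc/'
+when: item.state == 'file'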
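Review bot: The template task "Create and copy hardening files" sets no `mode`, `owner` or `group` on the files it writes under /etc, so their permissions fall to the remote umask or whatever already exists there, while the directory task just above already takes `mode` from the filetree item; adding `mode: '{{ item.mode }}'` under `dest:` copies file permissions from the role's template tree the same way. Nothing in this task file restarts or notifies systemd-journald either, so the `[Journal]` drop-in rendered by this commit (SystemMaxUse/SystemMaxFileSize) only takes effect after the next journald restart; a `notify: Restart systemd-journald` on the template task, with a matching handler in the role's handlers file (not in this diff), closes that gap. The rendered page does not preserve leading indentation, so the nesting of these lines is inferred from the task structure.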
@ -7,12 +7,18 @@
|
|||
ansible.builtin.template:
|
||||
src: '{{ item.src }}'
|
||||
dest: '/etc/{{ item.path }}'
|
||||
with_community.general.filetree: '../templates/etc/'
|
||||
with_community.general.filetree: '../templates/basic/etc/'
|
||||
when: item.state == 'file'
|
||||
|
||||
- name: Harden SSH Config
|
||||
when: 'hardening_sshd_enabled is true'
|
||||
block:
|
||||
- name: Create and copy hardening files
|
||||
ansible.builtin.template:
|
||||
src: '{{ item.src }}'
|
||||
dest: '/etc/{{ item.path }}'
|
||||
with_community.general.filetree: '../templates/ssh/etc/'
|
||||
when: item.state == 'file'
|
||||
|
||||
- name: Give 1700 permissions to .ssh folder
|
||||
ansible.builtin.file:
|
||||
|
@ -33,3 +39,7 @@
|
|||
ansible.builtin.systemd:
|
||||
state: restarted
|
||||
name: sshd
|
||||
|
||||
- name: Harden Service Manager (like Systemd)
|
||||
block:
|
||||
- include_tasks: "harden_{{ ansible_service_mgr }}.yml"
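Review bot: `- include_tasks: "harden_{{ ansible_service_mgr }}.yml"` resolves to a file that exists only for systemd (`harden_systemd.yml` is the only task file this commit adds), so on a host whose service-manager fact is anything else the include fails with a missing-file error and the play aborts instead of skipping; guard it with `when: ansible_service_mgr == 'systemd'` until other managers get their own task file. Since the block wraps a single task, the `block:` wrapper adds nothing and that `when` can sit on the include itself. In the first hunk, `when: 'hardening_sshd_enabled is true'` is a strict identity test: a value supplied as the string "true" or "yes" from inventory or `-e` does not satisfy it and the SSH hardening is silently skipped, whereas the removed template-level `{% if %}` guard accepted any truthy value; `when: hardening_sshd_enabled | bool` keeps the old tolerance. The enclosing task list continues outside both hunks.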
|
||||
|
@ -1,5 +1,3 @@
|
|||
{% if hardening_sshd_enabled %}
|
||||
|
||||
Protocol 2 # Protocol 1 is fundamentally broken
|
||||
StrictModes yes # Protects from misconfiguration
|
||||
|
||||
|
@ -54,5 +52,3 @@ MaxStartups 2 # Max concurrent
|
|||
TCPKeepAlive yes # Do not use TCP keep-alive
|
||||
|
||||
AcceptEnv LANG LC_* # Allow client to pass locale environment variables
|
||||
|
||||
{% endif %}
@ -0,0 +1,3 @@
|
|||
[Journal]
|
||||
SystemMaxUse={{ hardening_journald_system_max_use }}
|
||||
SystemMaxFileSize={{ hardening_journald_system_max_file_size }}
|