optimized hardening-basic role; add journalctl hardening
This commit is contained in:
parent
9f3042a83d
commit
ddbbb2f427
8 changed files with 33 additions and 5 deletions
|
@ -19,6 +19,8 @@ Role Variables
|
||||||
- **hardening_sysctl_vm_swappiness** (integer): Set the value for sysctl vm.swappiness
|
- **hardening_sysctl_vm_swappiness** (integer): Set the value for sysctl vm.swappiness
|
||||||
- **hardening_sysctl_disable_ipv6** (boolean): Enable or disable ipv6 though sysctl
|
- **hardening_sysctl_disable_ipv6** (boolean): Enable or disable ipv6 though sysctl
|
||||||
- **hardening_modprobe_disable_list** (dict): Array of sections. Each section contains an array of string: modules, protocols and so on that can be disabled through modprobe
|
- **hardening_modprobe_disable_list** (dict): Array of sections. Each section contains an array of string: modules, protocols and so on that can be disabled through modprobe
|
||||||
|
- **hardening_journald_system_max_use** (string): Example 250M
|
||||||
|
- **hardening_journald_system_max_file_size** (string): Example 50M
|
||||||
|
|
||||||
Dependencies
|
Dependencies
|
||||||
------------
|
------------
|
||||||
|
|
|
@ -16,3 +16,6 @@ hardening_modprobe_disable_list:
|
||||||
rare_filesystems: [cramfs,freevxfs,jffs2,hfs,hfsplus,squashfs,udf]
|
rare_filesystems: [cramfs,freevxfs,jffs2,hfs,hfsplus,squashfs,udf]
|
||||||
rare_protocols: [dccp,sctp,rds,tipc,n-hdlc,ax25,netrom,x25,rose,decnet,econet,af_802154,ipx,appletalk,psnap,p8023,p8022,can,atm]
|
rare_protocols: [dccp,sctp,rds,tipc,n-hdlc,ax25,netrom,x25,rose,decnet,econet,af_802154,ipx,appletalk,psnap,p8023,p8022,can,atm]
|
||||||
vivid: [vivid]
|
vivid: [vivid]
|
||||||
|
|
||||||
|
hardening_journald_system_max_use: 250M
|
||||||
|
hardening_journald_system_max_file_size: 50M
|
||||||
|
|
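Review bot: The two new journald defaults are rendered verbatim into the journald template by the new systemd task file with no check on their shape, so a value such as `250MB` or `250 M` is not a size journald understands; as far as I recall it then logs a warning and keeps its built-in default, and the hardening silently does not apply. A guard in the task file such as `ansible.builtin.assert: { that: hardening_journald_system_max_use is match('^[0-9]+[KMGTPE]?$') }` (and the same for `hardening_journald_system_max_file_size`) would fail the play instead. Quoting the defaults as `'250M'` / `'50M'` would also match the `(string)` type the README declares for them and keep them from being retyped by tooling.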
14
roles/hardening-basic/tasks/harden_systemd.yml
Normal file
14
roles/hardening-basic/tasks/harden_systemd.yml
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
- name: Create directory tree if not exists
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: '/etc/{{ item.path }}'
|
||||||
|
state: directory
|
||||||
|
mode: '{{ item.mode }}'
|
||||||
|
with_community.general.filetree: '../templates/systemd/etc/'
|
||||||
|
when: item.state == 'directory'
|
||||||
|
|
||||||
|
- name: Create and copy hardening files
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: '{{ item.src }}'
|
||||||
|
dest: '/etc/{{ item.path }}'
|
||||||
|
with_community.general.filetree: '../templates/systemd/etc/'
|
||||||
|
when: item.state == 'file'
|
|
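Review bot: Both new tasks in harden_systemd.yml leave file ownership and permissions to chance: the directory task copies `mode: '{{ item.mode }}'` from the controller's checkout (git does not track directory modes, so this is whatever umask the checkout happened to get), and the template task sets no `owner`/`group`/`mode` at all, so the journald configuration under /etc is created with the connection user's umask. Pinning `owner: root`, `group: root` and an explicit `mode` is the usual shape for files written into /etc, and the same applies to the new "Create and copy hardening files" task added in the SSH block of tasks/main.yml. The template task also has no `notify`, so the new journald limits do not take effect until the next reboot; a `notify: Restart journald` with a matching handler (not part of this commit, hedged) would apply them on change. The task name "Create and copy hardening files" is now used three times across the role, which makes play output hard to attribute; naming this one "Create and copy systemd hardening files" helps.
```yaml
- name: Create directory tree if not exists
  ansible.builtin.file:
    path: '/etc/{{ item.path }}'
    state: directory
    owner: root
    group: root
    mode: '0755'
  # … unchanged: filetree loop and when …

- name: Create and copy systemd hardening files
  ansible.builtin.template:
    src: '{{ item.src }}'
    dest: '/etc/{{ item.path }}'
    owner: root
    group: root
    mode: '0644'
  with_community.general.filetree: '../templates/systemd/etc/'
  when: item.state == 'file'
  notify: Restart journald
```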
@ -7,12 +7,18 @@
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: '{{ item.src }}'
|
src: '{{ item.src }}'
|
||||||
dest: '/etc/{{ item.path }}'
|
dest: '/etc/{{ item.path }}'
|
||||||
with_community.general.filetree: '../templates/etc/'
|
with_community.general.filetree: '../templates/basic/etc/'
|
||||||
when: item.state == 'file'
|
when: item.state == 'file'
|
||||||
|
|
||||||
- name: Harden SSH Config
|
- name: Harden SSH Config
|
||||||
when: 'hardening_sshd_enabled is true'
|
when: 'hardening_sshd_enabled is true'
|
||||||
block:
|
block:
|
||||||
|
- name: Create and copy hardening files
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: '{{ item.src }}'
|
||||||
|
dest: '/etc/{{ item.path }}'
|
||||||
|
with_community.general.filetree: '../templates/ssh/etc/'
|
||||||
|
when: item.state == 'file'
|
||||||
|
|
||||||
- name: Give 1700 permissions to .ssh folder
|
- name: Give 1700 permissions to .ssh folder
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
|
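Review bot: The new "Create and copy hardening files" task in the SSH block writes the rendered sshd configuration and the later "restarted" handler task in this file restarts sshd on it, but nothing validates the rendered config first, so a template or variable mistake takes sshd down and locks the operator out of the host. `ansible.builtin.template` supports `validate: '/usr/sbin/sshd -t -f %s'`, which checks the temporary file before it is moved into place; since the filetree loop may carry more than sshd_config (I cannot see the tree's contents here), the validate line may need to be restricted to the sshd_config item, e.g. `validate: "{{ (item.path is search('sshd_config')) | ternary('/usr/sbin/sshd -t -f %s', omit) }}"`. As with the systemd task file, the new task also sets no `owner`/`group`/`mode` for the files it writes under /etc/ssh.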
@ -33,3 +39,7 @@
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
state: restarted
|
state: restarted
|
||||||
name: sshd
|
name: sshd
|
||||||
|
|
||||||
|
- name: Harden Service Manager (like Systemd)
|
||||||
|
block:
|
||||||
|
- include_tasks: "harden_{{ ansible_service_mgr }}.yml"
|
||||||
|
|
|
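Review bot: The new "Harden Service Manager" block includes `harden_{{ ansible_service_mgr }}.yml` unconditionally, and the only task file this commit adds is harden_systemd.yml, so on any host whose service manager fact is something else (openrc, sysvinit, and so on) the include fails the play. Guarding the include also pins the file name to a known value instead of whatever the gathered fact contains, and the single-task block and the short-form `include_tasks` (the rest of the file uses `ansible.builtin.` FQCNs) can be collapsed into one task: `- name: Harden Service Manager (like Systemd)` / `ansible.builtin.include_tasks: "harden_{{ ansible_service_mgr }}.yml"` / `when: ansible_service_mgr == 'systemd'`. Unlike the SSH part of the role, there is also no `hardening_journald_enabled`-style toggle, so the journald limits are applied to every host the role runs on.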
@ -1,5 +1,3 @@
|
||||||
{% if hardening_sshd_enabled %}
|
|
||||||
|
|
||||||
Protocol 2 # Protocol 1 is fundamentally broken
|
Protocol 2 # Protocol 1 is fundamentally broken
|
||||||
StrictModes yes # Protects from misconfiguration
|
StrictModes yes # Protects from misconfiguration
|
||||||
|
|
||||||
|
@ -54,5 +52,3 @@ MaxStartups 2 # Max concurrent
|
||||||
TCPKeepAlive yes # Do not use TCP keep-alive
|
TCPKeepAlive yes # Do not use TCP keep-alive
|
||||||
|
|
||||||
AcceptEnv LANG LC_* # Allow client to pass locale environment variables
|
AcceptEnv LANG LC_* # Allow client to pass locale environment variables
|
||||||
|
|
||||||
{% endif %}
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
[Journal]
|
||||||
|
SystemMaxUse={{ hardening_journald_system_max_use }}
|
||||||
|
SystemMaxFileSize={{ hardening_journald_system_max_file_size }}
|
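Review bot: The new journald template sets only `SystemMaxUse` and `SystemMaxFileSize`; both apply to the persistent journal, and with journald's default `Storage=auto` the journal is persistent only when /var/log/journal already exists, so on hosts without that directory these limits do nothing and log data is lost at reboot, which defeats the purpose of hardening log retention. Consider adding `Storage=persistent` to the template (or creating /var/log/journal in the directory task) and a comment such as `# SystemMaxUse bounds disk usage but also bounds retention of security-relevant logs; size it for the expected retention window`. The destination path of this file is not visible on this page; if it lands at /etc/systemd/journald.conf it replaces the distribution file outright, whereas a drop-in under /etc/systemd/journald.conf.d/ keeps the vendor defaults and only overrides these keys.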