optimized hardening-basic role; add journalctl hardening

This commit is contained in:
Claudio Maradonna 2022-11-22 11:42:08 +01:00
parent 9f3042a83d
commit ddbbb2f427
Signed by untrusted user who does not match committer: claudiomaradonna
GPG key ID: 0CBA58694C5680D9
8 changed files with 33 additions and 5 deletions


@ -19,6 +19,8 @@ Role Variables
- **hardening_sysctl_vm_swappiness** (integer): Set the value for sysctl vm.swappiness - **hardening_sysctl_vm_swappiness** (integer): Set the value for sysctl vm.swappiness
- **hardening_sysctl_disable_ipv6** (boolean): Enable or disable ipv6 though sysctl - **hardening_sysctl_disable_ipv6** (boolean): Enable or disable ipv6 though sysctl
- **hardening_modprobe_disable_list** (dict): Array of sections. Each section contains an array of string: modules, protocols and so on that can be disabled through modprobe - **hardening_modprobe_disable_list** (dict): Array of sections. Each section contains an array of string: modules, protocols and so on that can be disabled through modprobe
- **hardening_journald_system_max_use** (string): Example 250M
- **hardening_journald_system_max_file_size** (string): Example 50M
Dependencies Dependencies
------------ ------------


@ -16,3 +16,6 @@ hardening_modprobe_disable_list:
rare_filesystems: [cramfs,freevxfs,jffs2,hfs,hfsplus,squashfs,udf] rare_filesystems: [cramfs,freevxfs,jffs2,hfs,hfsplus,squashfs,udf]
rare_protocols: [dccp,sctp,rds,tipc,n-hdlc,ax25,netrom,x25,rose,decnet,econet,af_802154,ipx,appletalk,psnap,p8023,p8022,can,atm] rare_protocols: [dccp,sctp,rds,tipc,n-hdlc,ax25,netrom,x25,rose,decnet,econet,af_802154,ipx,appletalk,psnap,p8023,p8022,can,atm]
vivid: [vivid] vivid: [vivid]
hardening_journald_system_max_use: 250M
hardening_journald_system_max_file_size: 50M


@ -0,0 +1,14 @@
- name: Create directory tree if not exists
ansible.builtin.file:
path: '/etc/{{ item.path }}'
state: directory
mode: '{{ item.mode }}'
with_community.general.filetree: '../templates/systemd/etc/'
when: item.state == 'directory'
- name: Create and copy hardening files
ansible.builtin.template:
src: '{{ item.src }}'
dest: '/etc/{{ item.path }}'
with_community.general.filetree: '../templates/systemd/etc/'
when: item.state == 'file'
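Review bot: Nothing in this new task file restarts or reloads systemd-journald after the template task on the second stanza writes the config, so the new SystemMaxUse/SystemMaxFileSize caps only take effect at the next reboot — in contrast to sshd, which main.yml restarts after its config is templated. The template task also sets no `owner`/`group`/`mode` while the directory task does, so the rendered file takes whatever the remote umask produces; pin it to `mode: '0644'` and root ownership. Register the template result and restart journald only when something changed, as below (or notify a handler if the role has a handlers file, which is not visible here).
```yaml
# … unchanged: directory creation task …
- name: Create and copy hardening files
  ansible.builtin.template:
    src: '{{ item.src }}'
    dest: '/etc/{{ item.path }}'
    owner: root
    group: root
    mode: '0644'
  with_community.general.filetree: '../templates/systemd/etc/'
  when: item.state == 'file'
  register: journald_conf
- name: Restart journald so the new size caps apply
  ansible.builtin.systemd:
    name: systemd-journald
    state: restarted
  when: journald_conf.changed
```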


@ -7,12 +7,18 @@
ansible.builtin.template: ansible.builtin.template:
src: '{{ item.src }}' src: '{{ item.src }}'
dest: '/etc/{{ item.path }}' dest: '/etc/{{ item.path }}'
with_community.general.filetree: '../templates/etc/' with_community.general.filetree: '../templates/basic/etc/'
when: item.state == 'file' when: item.state == 'file'
- name: Harden SSH Config - name: Harden SSH Config
when: 'hardening_sshd_enabled is true' when: 'hardening_sshd_enabled is true'
block: block:
- name: Create and copy hardening files
ansible.builtin.template:
src: '{{ item.src }}'
dest: '/etc/{{ item.path }}'
with_community.general.filetree: '../templates/ssh/etc/'
when: item.state == 'file'
- name: Give 1700 permissions to .ssh folder - name: Give 1700 permissions to .ssh folder
ansible.builtin.file: ansible.builtin.file:
@ -33,3 +39,7 @@
ansible.builtin.systemd: ansible.builtin.systemd:
state: restarted state: restarted
name: sshd name: sshd
- name: Harden Service Manager (like Systemd)
block:
- include_tasks: "harden_{{ ansible_service_mgr }}.yml"
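Review bot: The include on the last line aborts the play on any host whose service manager is not systemd, because this commit adds only harden_systemd.yml and `include_tasks` raises a missing-file error when `harden_{{ ansible_service_mgr }}.yml` does not exist (the fact resolves to values such as `sysvinit`, `openrc` or `service` on other init systems). Guard it on the one implementation that exists and drop the single-task `block:` wrapper: `- name: Harden Service Manager (like Systemd)` / `  ansible.builtin.include_tasks: "harden_{{ ansible_service_mgr }}.yml"` / `  when: ansible_service_mgr == 'systemd'`. This also restores the FQCN form (`ansible.builtin.include_tasks`) that the rest of the file uses for its modules. The SSH template task added in the first hunk likewise sets no `mode`; sshd_config is conventionally root-owned 0600, worth pinning in the same way.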


@ -1,5 +1,3 @@
{% if hardening_sshd_enabled %}
Protocol 2 # Protocol 1 is fundamentally broken Protocol 2 # Protocol 1 is fundamentally broken
StrictModes yes # Protects from misconfiguration StrictModes yes # Protects from misconfiguration
@ -54,5 +52,3 @@ MaxStartups 2 # Max concurrent
TCPKeepAlive yes # Do not use TCP keep-alive TCPKeepAlive yes # Do not use TCP keep-alive
AcceptEnv LANG LC_* # Allow client to pass locale environment variables AcceptEnv LANG LC_* # Allow client to pass locale environment variables
{% endif %}


@ -0,0 +1,3 @@
[Journal]
SystemMaxUse={{ hardening_journald_system_max_use }}
SystemMaxFileSize={{ hardening_journald_system_max_file_size }}
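Review bot: The two keys in this template only cap journal disk usage; they do not harden logging and, at the 250M default, they shorten the window of evidence available during incident response — on a chatty host that can be a few hours of logs before rotation discards them. If retention for forensics is part of the role's intent, pair the caps with `Storage=persistent` so the journal lives under /var/log/journal and survives a reboot rather than staying in /run, and either document that forwarding (`ForwardToSyslog=` or a remote collector) is out of scope or expose it as a variable. The destination path is not visible in this diff; add a one-line header comment such as `# Rendered by the hardening role; drop-in under /etc/systemd/journald.conf.d/` — if this file instead replaces /etc/systemd/journald.conf outright, it silently drops every other distro default in that file.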