configurations-ansible/roles/hardening-basic
Claudio Maradonna 4ddb7d334a
add some debug messages; cleanup of some blocks; update some README with missing useful information
2023-01-13 18:01:41 +01:00
defaults optimized hardening-basic role; add journalctl hardening 2022-11-22 11:42:08 +01:00
handlers init repo with: iptables, pihole, snort, yggdrasil, basic hardening, os-updates 2022-11-18 18:33:37 +01:00
meta init repo with: iptables, pihole, snort, yggdrasil, basic hardening, os-updates 2022-11-18 18:33:37 +01:00
tasks add some debug messages; cleanup of some blocks; update some README with missing useful information 2023-01-13 18:01:41 +01:00
templates optimized hardening-basic role; add journalctl hardening 2022-11-22 11:42:08 +01:00
tests init repo with: iptables, pihole, snort, yggdrasil, basic hardening, os-updates 2022-11-18 18:33:37 +01:00
vars init repo with: iptables, pihole, snort, yggdrasil, basic hardening, os-updates 2022-11-18 18:33:37 +01:00
.travis.yml init repo with: iptables, pihole, snort, yggdrasil, basic hardening, os-updates 2022-11-18 18:33:37 +01:00
README.md optimized hardening-basic role; add journalctl hardening 2022-11-22 11:42:08 +01:00

README.md

hardening-basic

This role hardens a target with best practices for SSH, modprobe and sysctl.

Requirements

.

Role Variables

  • hardening_sshd_enabled (boolean): Enable or disable SSH hardening
  • hardening_sshd_authorized_key_file (string): Set the relative path for sshd authorized_key_file
  • hardening_sshd_tcp_forward (boolean): Enable or disable sshd TCP forwarding
  • hardening_sshd_legal_banner (boolean): Enable or disable sshd legal banner (/etc/issue.net)
  • hardening_sshd_permissions_set_sticky_bit (boolean): Enable or disable the sticky bit for sshd directory and files (root)
  • hardening_sysctl_vm_swappiness (integer): Set the value for sysctl vm.swappiness
  • hardening_sysctl_disable_ipv6 (boolean): Enable or disable IPv6 through sysctl
  • hardening_modprobe_disable_list (dict): Array of sections. Each section contains an array of strings: modules, protocols and so on that can be disabled through modprobe
  • hardening_journald_system_max_use (string): Example 250M
  • hardening_journald_system_max_file_size (string): Example 50M

Dependencies

.

Example Playbook

ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target" --tags hardening
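A playbook that the command above could drive, shown as an added example and not the repository's own handbook.yml. The variable names come from the list above; every value, the section names inside hardening_modprobe_disable_list, the listed kernel modules, and the use of the target extra-var in hosts are assumptions made for illustration.

```yaml
# Added illustration; not the repository's handbook.yml.
# "target" is the extra-var passed on the command line (assumed usage).
- name: Apply basic hardening
  hosts: "{{ target }}"
  become: true
  roles:
    - role: hardening-basic
      tags: [hardening]
      vars:
        hardening_sshd_enabled: true
        # Relative path, as the variable description states (value assumed).
        hardening_sshd_authorized_key_file: ".ssh/authorized_keys"
        # Keep forwarding enabled on hosts used as SSH jump hosts.
        hardening_sshd_tcp_forward: false
        hardening_sshd_legal_banner: true
        hardening_sshd_permissions_set_sticky_bit: true
        hardening_sysctl_vm_swappiness: 10
        # Leave false on hosts whose services depend on IPv6.
        hardening_sysctl_disable_ipv6: false
        # dict of sections, each a list of strings.
        # Section names and module names below are assumed examples.
        hardening_modprobe_disable_list:
          filesystems:
            - cramfs
            - freevxfs
            - hfs
          protocols:
            - dccp
            - sctp
            - rds
            - tipc
        # Sizes in the format shown by the README examples.
        hardening_journald_system_max_use: "250M"
        hardening_journald_system_max_file_size: "50M"
```

Running the command with `--check --diff` first previews the changes without applying them, provided the role's tasks support check mode.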

License

GPLv3

Author Information