hardening-basic
This role hardens a target with best practices for SSH, modprobe and sysctl.
Requirements
.
Role Variables
- hardening_sshd_enabled (boolean): Enable or disable SSH hardening
- hardening_sshd_authorized_key_file (string): Set the relative path for sshd authorized_key_file
- hardening_sshd_tcp_forward (boolean): Enable or disable sshd TCP forwarding
- hardening_sshd_legal_banner (boolean): Enable or disable the sshd legal banner (/etc/issue.net)
- hardening_sshd_permissions_set_sticky_bit (boolean): Enable or disable the sticky bit for the sshd directory and files (root)
- hardening_sysctl_vm_swappiness (integer): Set the value for sysctl vm.swappiness
- hardening_sysctl_disable_ipv6 (boolean): Enable or disable IPv6 through sysctl
- hardening_modprobe_disable_list (dict): Dictionary of sections. Each section contains an array of strings (modules, protocols and so on) to be disabled through modprobe
- hardening_journald_system_max_use (string): Value for journald system max use, for example 250M
- hardening_journald_system_max_file_size (string): Value for journald system max file size, for example 50M
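A variables file setting every option listed above, as an added example that is not taken from the role's own defaults. The file path, all values, and the section keys under hardening_modprobe_disable_list are constructed, and the meaning of each boolean is assumed from the variable descriptions.

```yaml
# Hypothetical file: group_vars/your_target.yml
# All values are constructed for illustration; they are not the role's defaults.

# sshd
hardening_sshd_enabled: true
hardening_sshd_authorized_key_file: ".ssh/authorized_keys"  # relative path, per the description
hardening_sshd_tcp_forward: false        # assumed: false turns TCP forwarding off
hardening_sshd_legal_banner: true        # banner file named on the page: /etc/issue.net
hardening_sshd_permissions_set_sticky_bit: true

# sysctl
hardening_sysctl_vm_swappiness: 10
hardening_sysctl_disable_ipv6: true      # assumed: true disables IPv6

# modprobe: a dict of sections, each holding a list of names to disable.
# Section keys are constructed; the entries are existing Linux kernel modules.
hardening_modprobe_disable_list:
  filesystems:
    - cramfs
    - freevxfs
    - jffs2
    - hfs
    - hfsplus
    - udf
  protocols:
    - dccp
    - sctp
    - rds
    - tipc

# journald (example sizes from the variable list)
hardening_journald_system_max_use: "250M"
hardening_journald_system_max_file_size: "50M"
```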
Dependencies
.
Example Playbook
ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target" --tags hardening
License
GPLv3