From f09dd80cb562569eb0eb5ffa212d019d4204eb38 Mon Sep 17 00:00:00 2001 From: Pawel Krawczyk <616047+kravietz@users.noreply.github.com> Date: Tue, 18 Feb 2020 14:43:14 +0000 Subject: [PATCH 1/3] Remove trailing space MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ansible-lint marks my build red due to this `¯\_(ツ)_/¯` Signed-off-by: Pawel Krawczyk --- tasks/user_accounts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/user_accounts.yml b/tasks/user_accounts.yml index 974fe2805..f7d7cd6e1 100644 --- a/tasks/user_accounts.yml +++ b/tasks/user_accounts.yml @@ -10,7 +10,7 @@ - name: calculate UID_MAX from UID_MIN by substracting 1 set_fact: uid_max: '{{ uid_min.stdout | int - 1 }}' - when: uid_min.stdout|int > 0 + when: uid_min.stdout|int > 0 - name: set UID_MAX on Debian-systems if no login.defs exist set_fact: From 924f1e87701aa7f0a0ab34895cbbec50977e53fa Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 18 Feb 2020 17:51:34 +0100 Subject: [PATCH 2/3] add ansible-lint (#262) * Update .travis.yml Signed-off-by: Pawel Krawczyk --- .travis.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.travis.yml b/.travis.yml index ef46038ce..ed74614a3 100644 --- a/.travis.yml +++ b/.travis.yml @@ -65,6 +65,9 @@ before_install: - 'docker pull rndmh3ro/docker-${distro}-ansible:${version}' script: + - pip install --user ansible-lint + - ansible-lint ./ + - container_id=$(mktemp) # Run container in detached state. - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-os-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"' From ac9710ae4c06209c9a94847ed3e5d7bd02f63101 Mon Sep 17 00:00:00 2001 From: Pawel Krawczyk Date: Fri, 28 Feb 2020 22:30:03 +0000 Subject: [PATCH 3/3] Add kernel hardening parameters from Tails and CIS Benchmark 
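Review bot: The new `- pip install --user ansible-lint` line in the `script:` block installs whatever ansible-lint release is current at build time, so a new release with stricter default rules turns this build red without any change to the role, and an unpinned install is also an unverified dependency pulled into the CI supply chain on every run. Pin it and bump deliberately, e.g. `- pip install --user ansible-lint==<PINNED_VERSION>`, ideally next to the other versions this matrix already fixes. A `--user` install places the `ansible-lint` entry point in the user-local bin directory; whether that directory is on PATH in this job is not visible from the hunk, so the following `- ansible-lint ./` line is worth checking against a fresh build log rather than assumed to resolve. Running the lint as its own fast job, before the docker matrix entries, would also keep a lint failure from burning a full container run.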
Signed-off-by: Pawel Krawczyk --- defaults/main.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 68e578811..ead22d5cd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -226,6 +226,23 @@ sysctl_config: fs.protected_hardlinks: 1 fs.protected_symlinks: 1 + # These settings are set to the maximum supported value in order to + # improve ASLR effectiveness for mmap, at the cost of increased + # address-space fragmentation. | Tail-1 + vm.mmap_rnd_bits: 32 + vm.mmap_rnd_compat_bits: 16 + + # Some off-the-shelf malware exploit kernel addresses exposed + # via /proc/kallsyms so by not making these addresses easily available + # we increase the cost of such attack some what; now such malware has + # to check which kernel Tails is running and then fetch the corresponding + # kernel address map from some external source. This is not hard, + # but certainly not all malware has such functionality. | Tails-2 + kernel.kptr_restrict: 2 + + # kexec is dangerous: it enables replacement of the running kernel. | Tails-3 + kernel.kexec_load_disabled: 1 + # Do not delete the following line or otherwise the playbook will fail # at task 'create a combined sysctl-dict if overwrites are defined' sysctl_overwrite: @@ -240,6 +257,12 @@ os_unused_filesystems: - "squashfs" - "udf" - "vfat" + # Obsolete network protocols that should be disabled + # per CIS Oracle Linux 6 Benchmark (2016) + - "tipc" # CIS 3.5.4 + - "sctp" # CIS 3.5.2 + - "dccp" # CIS 3.5.1 + - "rds" # CIS 3.5.3 # whitelist for used filesystems os_filesystem_whitelist: []
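Review bot: `kernel.kexec_load_disabled: 1` is a one-way switch that the kernel refuses to clear until reboot, and kdump loads its crash kernel through the kexec path, so on hosts that rely on crash dumps this default silently breaks them unless the crash kernel is loaded before the sysctl is applied; the added comment should say so, e.g. `# one-way: cannot be cleared without a reboot; load any kdump crash kernel before this is applied`. The values `vm.mmap_rnd_bits: 32` and `vm.mmap_rnd_compat_bits: 16` are the x86_64 maxima, but the permitted range is architecture- and page-size-dependent and the kernel rejects an out-of-range write, so if the role applies `sysctl_config` with a task that fails on a rejected value, other architectures and kernels that predate these knobs will fail the play rather than degrade gracefully — the comment's "maximum supported value" should name the architecture it was measured on. The comment text was carried over verbatim from the Tails configuration ("which kernel Tails is running", and the `| Tail-1` tag that presumably should read `Tails-1`); rewording it for this role avoids confusing readers about which system is being hardened.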
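Review bot: `tipc`, `sctp`, `dccp` and `rds` are kernel network-protocol modules, not filesystems, yet they are appended to `os_unused_filesystems` as a role default, so every existing consumer of this role starts disabling them on the next run. SCTP in particular still carries real traffic on some hosts (telecom signalling stacks and some cluster or container networking setups), so a silent default change here can break a workload that worked before the upgrade; I would rather expose them through their own variable, e.g. `os_unused_network_protocols: []`, fed into the same blacklisting mechanism, or at minimum state in the new comment that `os_filesystem_whitelist` is the opt-out if that list really applies to these entries — whether it does is not visible from this hunk. The per-entry `# CIS 3.5.x` tags are a helpful touch; the header comment could also name the CIS control for the "modprobe install /bin/true" mechanism it expects, so a reader can check what the role actually does for these modules.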