From ddfb1fbdce6b3050e818483a081e186ccdf917ed Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Tue, 25 Jul 2023 14:09:59 +0200
Subject: [PATCH 01/17] add role argument spec for os, ssh, mysql
Signed-off-by: Sebastian Gumprich
---
 roles/mysql_hardening/README.md | 183 ++-
 roles/mysql_hardening/meta/argument_specs.yml | 82 +
 roles/os_hardening/README.md | 1344 ++++++++++-------
 roles/os_hardening/defaults/main.yml | 2 +-
 roles/os_hardening/meta/argument_specs.yml | 847 +++++++++++
 roles/os_hardening/tasks/minimize_access.yml | 13 +-
 roles/ssh_hardening/README.md | 661 +++++---
 roles/ssh_hardening/meta/argument_specs.yml | 351 +++++
 8 files changed, 2670 insertions(+), 813 deletions(-)
 create mode 100644 roles/mysql_hardening/meta/argument_specs.yml
 create mode 100644 roles/os_hardening/meta/argument_specs.yml
 create mode 100644 roles/ssh_hardening/meta/argument_specs.yml
diff --git a/roles/mysql_hardening/README.md b/roles/mysql_hardening/README.md
index b70289d7e..f4bf9c919 100644
--- a/roles/mysql_hardening/README.md
+++ b/roles/mysql_hardening/README.md
@@ -1,6 +1,6 @@
 # devsec.mysql_hardening
-![devsec.mysql_hardening](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.mysql_hardening/badge.svg)
+![devsec.mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/workflows/devsec.mysql_hardening/badge.svg)
 ## Description
@@ -12,74 +12,133 @@ It configures: - Removes anonymous users, users without a password or authentication_string and test databases - various hardening options inside MySQL +Changes of options `log_error` or `datadir` in `mysql_hardening_options` will not be checked for correct permissions. Please change/set `log_error` or `datadir` with the installation role of MySQL before running this role, or you can run this role twice. + +Further information is available at [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://www.symantec.com/connect/articles/securing-mysql-step-step) + ## Requirements -- Ansible 2.9.0 -- An existing MySQL installation +- An existing installation of MySQL or MariaDB. - python-jmespath on the ansible host -### Example playbook + +## Supported Operating Systems +| Platform | Versions | +| -------- | -------- | +| EL | 7, 8, 9 | +| Ubuntu | bionic, focal, jammy | +| Debian | bullseye, buster | +| Amazon | | +| opensuse | | -```yml -- hosts: localhost - collections: - - devsec.hardening - roles: - - mysql_hardening -``` +## Role Variables -This role expects an existing installation of MySQL or MariaDB. Changes of options `log_error` or `datadir` in `mysql_hardening_options` will not be checked for correct permissions. Please change/set `log_error` or `datadir` with the installation role of MySQL before running this role, or you can run this role twice. 
-Please ensure that the following variables are set accordingly: +* `mysql_hardening_chroot` + * Default: `` + * Description: [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot) + * Type: str + * Required: no +* `mysql_hardening_options.safe-user-create` + * Default: `1` + * Description: [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create) + * Type: int + * Required: no +* `mysql_hardening_options.secure-auth` + * Default: `1` + * Description: [secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth) + * Type: int + * Required: no +* `mysql_hardening_options.skip-symbolic-links` + * Default: `1` + * Description: [skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links) + * Type: int + * Required: no +* `mysql_hardening_skip_grant_tables:` + * Default: `false` + * Description: [skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables) + * Type: bool + * Required: no +* `mysql_hardening_skip_show_database` + * Default: `1` + * Description: [skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database) + * Type: int + * Required: no +* `mysql_hardening_options.local-infile` + * Default: `0` + * Description: [local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile) + * Type: int + * Required: no +* `mysql_hardening_options.allow-suspicious-udfs` + * Default: `0` + * Description: [allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs) + * Type: int + * Required: no +* `mysql_hardening_chroot.automatic-sp-privileges` + * Default: `0` + * Description: 
[automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges) + * Type: int + * Required: no +* `mysql_hardening_options.secure-file-priv` + * Default: `/tmp` + * Description: [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv) + * Type: str + * Required: no +* `mysql_remove_anonymous_users` + * Default: `true` + * Description: remove users without authentication + * Type: bool + * Required: no +* `mysql_remove_test_database` + * Default: `true` + * Description: remove test database + * Type: bool + * Required: no +* `mysql_hardening_restart_mysql` + * Default: `true` + * Description: Restart mysql after running this role + * Type: bool + * Required: no +* `mysql_hardening_enabled` + * Default: `true` + * Description: Wether to run the hardening + * Type: bool + * Required: no +* `mysql_daemon_enabled` + * Default: `true` + * Description: Wether to run the hardening + * Type: bool + * Required: no +* `mysql_hardening_mysql_hardening_conf_file` + * Default: `{{ mysql_hardening_mysql_confd_dir }}/hardening.cnf` + * Description: The path to the configuration file for hardening-related options + * Type: str + * Required: no +* `mysql_root_password` + * Default: `-----====>SetR00tPa$$wordH3r3!!!<====-----` + * Description: The default password. Please change or overwrite it + * Type: str + * Required: no +* `mysql_user_home` + * Default: `{{ ansible_env.HOME }}` + * Description: The path where the `.my.cnf` will be stored + * Type: str + * Required: no +* `mysql_remove_remote_root` + * Default: `true` + * Description: Set to false to not remove remote root users. If true, root can only connect from localhost + * Type: bool + * Required: no -- `mysql_hardening_enabled: yes` role is enabled by default and can be disabled without removing it from a playbook. 
You can use conditional variable, for example: `mysql_hardening_enabled: "{{ true if mysql_enabled else false }}"` -- `mysql_hardening_user: 'mysql'` The user that mysql runs as. -- `mysql_hardening_mysql_hardening_conf_file: '/etc/mysql/conf.d/hardening.cnf'` The path to the configuration file where the hardening will be performed -- _deprecated: `mysql_datadir: '/var/lib/mysql'` The MySQL data directory_ - - `mysql_datadir` is no longer necessary, as MySQL data directory is automatically taken from `mysql_info`. But it can still be defined and will also be checked for correct permissions. +## Dependencies -## Role Variables +None. -- `mysql_hardening_chroot` - - Default: "" - - Description: [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot) -- `mysql_hardening_options.safe-user-create` - - Default: 1 - - Description: [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create) -- `mysql_hardening_options.secure-auth` - - Default: 1 - - Description: [secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth) -- `mysql_hardening_options.skip-symbolic-links` - - Default: 1 - - Description: [skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links) -- `mysql_hardening_skip_grant_tables:` - - Default: false - - Description: [skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables) -- `mysql_hardening_skip_show_database` - - Default: 1 - - Description: [skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database) -- `mysql_hardening_options.local-infile` - - Default: 0 - - Description: [local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile) -- `mysql_hardening_options.allow-suspicious-udfs` - - Default: 0 - - Description: 
[allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs) -- `mysql_hardening_chroot.automatic-sp-privileges` - - Default: 0 - - Description: [automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges) -- `mysql_hardening_options.secure-file-priv` - - Default: /tmp - - Description: [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv) -- `mysql_allow_remote_root` - - Default: false - - Description: delete remote root users -- `mysql_remove_anonymous_users` - - Default: true - - Description: remove users without authentication -- `mysql_remove_test_database` - - Default: true - - Description: remove test database -- `mysql_hardening_restart_mysql` - - Default: true - - Description: Restart mysql after running this role +## Example Playbook + +``` +- hosts: all + roles: + - name: devsec.hardening.mysql_hardening +``` + -Further information is available at [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://www.symantec.com/connect/articles/securing-mysql-step-step) diff --git a/roles/mysql_hardening/meta/argument_specs.yml b/roles/mysql_hardening/meta/argument_specs.yml new file mode 100644 index 000000000..8fa2355da --- /dev/null +++ b/roles/mysql_hardening/meta/argument_specs.yml 
@@ -0,0 +1,82 @@
+---
+argument_specs:
+ main:
+ short_description: The main entry point for the mysql hardening role.
+ version_added: 8.8.0
+ options:
+ mysql_hardening_chroot:
+ default: ""
+ type: "str"
+ description: "[chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot)"
+ mysql_hardening_options.safe-user-create:
+ default: 1
+ type: int
+ description: "[safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create)"
+ mysql_hardening_options.secure-auth:
+ default: 1
+ type: int
+ description: "[secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth)"
+ mysql_hardening_options.skip-symbolic-links:
+ default: 1
+ type: int
+ description: "[skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links)"
+ mysql_hardening_skip_grant_tables::
+ default: false
+ type: bool
+ description: "[skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables)"
+ mysql_hardening_skip_show_database:
+ default: 1
+ type: int
+ description: "[skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database)"
+ mysql_hardening_options.local-infile:
+ default: 0
+ type: int
+ description: "[local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile)"
+ mysql_hardening_options.allow-suspicious-udfs:
+ default: 0
+ type: int
+ description: "[allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs)"
+ mysql_hardening_chroot.automatic-sp-privileges:
+ default: 0
+ type: int
+ description: "[automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges)"
+ mysql_hardening_options.secure-file-priv:
+ default: /tmp
+ type: str
+ description: "[secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv)"
+ mysql_remove_anonymous_users:
+ default: true
+ type: bool
+ description: remove users without authentication
+ mysql_remove_test_database:
+ default: true
+ type: bool
+ description: remove test database
+ mysql_hardening_restart_mysql:
+ default: true
+ type: bool
+ description: Restart mysql after running this role
+ mysql_hardening_enabled:
+ default: true
+ type: bool
+ description: Wether to run the hardening
+ mysql_daemon_enabled:
+ default: true
+ type: bool
+ description: "Wether to run the hardening"
+ mysql_hardening_mysql_hardening_conf_file:
+ default: "{{ mysql_hardening_mysql_confd_dir }}/hardening.cnf"
+ type: str
+ description: "The path to the configuration file for hardening-related options"
+ mysql_root_password:
+ default: "-----====>SetR00tPa$$wordH3r3!!!<====-----"
+ type: str
+ description: "The default password. Please change or overwrite it"
+ mysql_user_home:
+ default: "{{ ansible_env.HOME }}"
+ type: str
+ description: "The path where the `.my.cnf` will be stored"
+ mysql_remove_remote_root:
+ default: true
+ type: bool
+ description: "Set to false to not remove remote root users. If true, root can only connect from localhost"
diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md
index 6844eb1db..75b98a03e 100644
--- a/roles/os_hardening/README.md
+++ b/roles/os_hardening/README.md
@@ -3,10 +3,6 @@ ![devsec.os_hardening](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.os_hardening/badge.svg) ![devsec.os_hardening VM](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.os_hardening%20VM/badge.svg) -## Looking for the old ansible-os-hardening role? - -This role is now part of the hardening-collection. You can find the old role in the branch `legacy`. - ## Description This role provides numerous security-related configurations, providing all-round base protection. It is intended to be compliant with the [DevSec Linux Baseline](https://github.com/dev-sec/linux-baseline). 
@@ -34,9 +30,837 @@ It will not: - Update system packages - Install security patches -## Requirements +We remove the following packages: -- Ansible 2.9.0 +- xinetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1) +- inetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1) +- tftp-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.5) +- ypserv ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.4) +- telnet-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.2) +- rsh-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.3) +- prelink ([open-scap](https://static.open-scap.org/ssg-guides/ssg-sl7-guide-ospp-rhel7-server.html#xccdf_org.ssgproject.content_rule_disable_prelink)) + +We disable the following filesystems, because they're most likely not used: + +- "cramfs" +- "freevxfs" +- "jffs2" +- "hfs" +- "hfsplus" +- "squashfs" +- "udf" +- "vfat" # only if uefi is not in use + +To prevent some of the filesystems from being disabled, add them to the `os_filesystem_whitelist` variable. 
+ + +## Supported Operating Systems +| Platform | Versions | +| -------- | -------- | +| EL | 7, 8, 9 | +| Ubuntu | bionic, focal, jammy | +| Debian | buster, bullseye | +| Amazon | | +| Fedora | | +| ArchLinux | | +| SmartOS | | +| opensuse | | + +## Role Variables + +* `os_desktop_enable` + * Default: `false` + * Description: true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc. + * Type: bool + * Required: no +* `os_env_extra_user_paths` + * Default: `"[]"` + * Description: add additional paths to the user's `PATH` variable (default is empty). + * Type: list + * Required: no +* `os_auth_pw_max_age` + * Default: `60` + * Description: maximum password age (set to `99999` to effectively disable it). + * Type: int + * Required: no +* `os_auth_pw_min_age` + * Default: `7` + * Description: minimum password age (before allowing any other password change). + * Type: int + * Required: no +* `os_auth_pw_warn_age` + * Default: `7` + * Description: number of days of warning before password expires. + * Type: int + * Required: no +* `os_auth_pw_remember` + * Default: `5` + * Description: how many used passwords are record. + * Type: int + * Required: no +* `os_auth_retries` + * Default: `5` + * Description: the maximum number of authentication attempts, before the account is locked for some time. + * Type: int + * Required: no +* `os_auth_lockout_time` + * Default: `600` + * Description: time in seconds that needs to pass, if the account was locked due to too many failed authentication attempts. + * Type: int + * Required: no +* `os_auth_timeout` + * Default: `60` + * Description: authentication timeout in seconds, so login will exit if this time passes. + * Type: int + * Required: no +* `os_auth_allow_homeless` + * Default: `false` + * Description: true if to allow users without home to login. + * Type: bool + * Required: no +* `os_auth_pam_passwdqc_enable` + * Default: `true` + * Description: true if you want to use strong password checking in PAM using passwdqc. 
+ * Type: bool + * Required: no +* `os_auth_pam_passwdqc_options` + * Default: `min=disabled,disabled,16,12,8` + * Description: set to any option line (as a string) that you want to pass to passwdqc. + * Type: str + * Required: no +* `os_auth_pam_oddjob_mkhomedir` + * Default: `false` + * Description: Enables automatic homedir e.g. in FreeIPA environments + * Type: bool + * Required: no +* `os_security_users_allow` + * Default: `"[]"` + * Description: list of things, that a user is allowed to do. May contain `change_user`. + * Type: list + * Required: no +* `os_security_kernel_enable_module_loading` + * Default: `true` + * Description: true if you want to allowed to change kernel modules once the system is running (eg `modprobe`, `rmmod`). WARNING - Rebuilding initramfs is deprecated and will be removed in the next major release. For more information take a look at this issue + * Type: bool + * Required: no +* `os_security_kernel_enable_core_dump` + * Default: `false` + * Description: kernel is crashing or otherwise misbehaving and a kernel core dump is created. + * Type: bool + * Required: no +* `os_security_suid_sgid_enforce` + * Default: `true` + * Description: true if you want to reduce SUID/SGID bits. There is already a list of items which are searched for configured, but you can also add your own. + * Type: bool + * Required: no +* `os_security_suid_sgid_blacklist` + * Default: `"[]"` + * Description: a list of paths which should have their SUID/SGID bits removed. + * Type: list + * Required: no +* `os_security_suid_sgid_whitelist` + * Default: `"[]"` + * Description: a list of paths which should not have their SUID/SGID bits altered. + * Type: list + * Required: no +* `os_security_suid_sgid_remove_from_unknown` + * Default: `false` + * Description: true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. 
This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`. + * Type: bool + * Required: no +* `os_auth_uid_min` + * Default: `1000` + * Description: minimum number for automatic uid selection in useradd. + * Type: int + * Required: no +* `os_auth_uid_max` + * Default: `60000` + * Description: maximum number for automatic uid selection in useradd. + * Type: int + * Required: no +* `os_auth_gid_min` + * Default: `1000` + * Description: minimum number for automatic gid selection in groupadd. + * Type: int + * Required: no +* `os_auth_gid_max` + * Default: `60000` + * Description: maximum number for automatic gid selection in groupadd. + * Type: int + * Required: no +* `os_auth_sub_uid_count` + * Default: `65536` + * Description: If /etc/subuid exists, the commands useradd and newusers (unless the user already have subordinate user IDs) allocate SUB_UID_COUNT unused user IDs from the range SUB_UID_MIN to SUB_UID_MAX for each new user. See also `os_auth_sub_uid_min` and `os_auth_sub_uid_max`. + * Type: int + * Required: no +* `os_auth_sub_uid_min` + * Default: `100000` + * Description: minimum number for automatic subordinate uid selection in useradd and newusers. + * Type: int + * Required: no +* `os_auth_sub_uid_max` + * Default: `600100000` + * Description: maximum number for automatic subordinate uid selection in useradd and newusers. + * Type: int + * Required: no +* `os_auth_sub_gid_count` + * Default: `65536` + * Description: If /etc/subuid exists, the commands useradd and newusers (unless the user already have subordinate group IDs) allocate SUB_GID_COUNT unused group IDs from the range SUB_GID_MIN to SUB_GID_MAX for each new user. See also `os_auth_sub_gid_min` and `os_auth_sub_gid_max`. 
+ * Type: int + * Required: no +* `os_auth_sub_gid_min` + * Default: `100000` + * Description: minimum number for automatic subordinate gid selection in useradd and newusers. + * Type: int + * Required: no +* `os_auth_sub_gid_max` + * Default: `600100000` + * Description: maximum number for automatic subordinate gid selection in useradd and newusers. + * Type: int + * Required: no +* `os_security_packages_clean` + * Default: `true` + * Description: removes packages with known issues. See section packages. + * Type: bool + * Required: no +* `os_selinux_state` + * Default: `enforcing` + * Description: Set the SELinux state, can be either disabled, permissive, or enforcing. + * Type: str + * Required: no +* `os_selinux_policy` + * Default: `targeted` + * Description: Set the SELinux polixy. + * Type: str + * Required: no +* `ufw_manage_defaults` + * Default: `true` + * Description: true means apply all settings with `ufw_` prefix. + * Type: bool + * Required: no +* `ufw_ipt_sysctl` + * Default: `''` + * Description: by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example `/etc/ufw/sysctl.conf`. + * Type: str + * Required: no +* `ufw_default_input_policy` + * Default: `DROP` + * Description: set default input policy of ufw to `DROP`. + * Type: str + * Required: no +* `ufw_default_output_policy` + * Default: `ACCEPT` + * Description: set default output policy of ufw to `ACCEPT`. + * Type: str + * Required: no +* `ufw_default_forward_policy` + * Default: `DROP` + * Description: set default forward policy of ufw to `DROP`. + * Type: str + * Required: no +* `ufw_enable_ipv6` + * Default: `true` + * Description: Set to `true` to apply rules to support IPv6 (no means only IPv6 on loopback accepted). + * Type: bool + * Required: no +* `os_auditd_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring auditd. 
+ * Type: bool + * Required: no +* `os_auditd_max_log_file_action` + * Default: `keep_logs` + * Description: Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`. + * Type: str + * Required: no +* `os_auditd_max_log_file` + * Default: `6` + * Description: This keyword specifies the maximum file size in megabytes. When this limit is reached, it will trigger a configurable action. The value given must be numeric. + * Type: int + * Required: no +* `os_auditd_num_logs` + * Default: `5` + * Description: This keyword specifies the number of log files to keep if `rotate` is given as the max_log_file_action. The value given must be numeric. + * Type: int + * Required: no +* `os_auditd_flush` + * Default: `INCREMENTAL` + * Description: Valid values are none, incremental, incremental_async, data, and sync. + * Type: str + * Required: no +* `os_auditd_admin_space_left` + * Default: `50` + * Description: This is a numeric value in megabytes that tells the audit daemon when to perform a configurable action because the system is running low on disk space. + * Type: int + * Required: no +* `os_auditd_space_left` + * Default: `75` + * Description: If the free space in the filesystem containing log_file drops below this value, the audit daemon takes the action specified by space_left_action. + * Type: int + * Required: no +* `os_auditd_space_left_action` + * Default: `SYSLOG` + * Description: This parameter tells the system what action to take when the system has detected that it is starting to get low on disk space. Valid values are ignore, syslog, rotate, email, exec, suspend, single, and halt. + * Type: str + * Required: no +* `os_auditd_action_mail_acct` + * Default: `root` + * Description: If `space_left_action` or `admin_space_left_action` are set to `email`, uses the address or alias to send the email using `/usr/lib/sendmail`. 
of events created on one system but reported/analyzed on another system. + * Type: str + * Required: no +* `os_auditd_disk_error_action` + * Default: `SUSPEND` + * Description: This parameter tells the system what action to take whenever there is an error detected when writing audit events to disk or rotating logs. Valid values are ignore, syslog, exec, suspend, single, and halt. + * Type: str + * Required: no +* `os_auditd_disk_full_action` + * Default: `SUSPEND` + * Description: This parameter tells the system what action to take when the system has detected that the partition to which log files are written has become full. Valid values are ignore, syslog, rotate, exec, suspend, single, and halt. + * Type: str + * Required: no +* `os_auditd_log_group` + * Default: `root` + * Description: specifies the group that is applied to the log file's permissions. The group name can be either numeric or spelled out. + * Type: str + * Required: no +* `proc_mnt_options` + * Default: `rw,nosuid,nodev,noexec,relatime,hidepid=` + * Description: Mount proc with hardenized options, including `hidepid` with variable value. + * Type: str + * Required: no +* `os_ignore_users` + * Default: `["vagrant", "kitchen"]` + * Description: Specify system accounts whose login should not be disabled and password not changed + * Type: list + * Required: no +* `os_chmod_home_folders` + * Default: `true` + * Description: Set to `false` to disable "chmod 700" of home folders for regular users + * Type: bool + * Required: no +* `os_ignore_home_folder_users` + * Default: `"[]"` + * Description: Specify user accounts, whose home folders shouldn't be chmodded to 700 when "os_chmod_home_folders" is enabled. 
+ * Type: list + * Required: no +* `os_chmod_rootuser_home_folder` + * Default: `true` + * Description: Set to `false` to disable "chmod 700" of root's home folder + * Type: bool + * Required: no +* `os_rootuser_pw_ageing` + * Default: `false` + * Description: Set to true to enforce password age settings for root user(s) + * Type: bool + * Required: no +* `os_remove_additional_root_users` + * Default: `false` + * Description: When enabled and there are multiple users with UID=0, only "root" will be kept. Others will be deleted. + * Type: bool + * Required: no +* `os_user_pw_ageing` + * Default: `true` + * Description: Set to false to disable password age enforcement on existing users + * Type: bool + * Required: no +* `os_users_without_password_ageing` + * Default: `"[]"` + * Description: List of users, where password ageing should not be enforced even if "os_user_pw_ageing" is enabled + * Type: list + * Required: no +* `os_cron_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring cron. + * Type: bool + * Required: no +* `os_ctrlaltdel_disabled` + * Default: `false` + * Description: Set to true to disable ctrl-alt-delete key combination. + * Type: bool + * Required: no +* `os_limits_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring limits. + * Type: bool + * Required: no +* `os_login_defs_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring login_defs for newly created users. + * Type: bool + * Required: no +* `os_minimize_access_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring minimize_access. + * Type: bool + * Required: no +* `os_pam_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring pam. 
+ * Type: bool + * Required: no +* `os_modprobe_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring modprobe. + * Type: bool + * Required: no +* `os_profile_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring profile. + * Type: bool + * Required: no +* `os_security_auto_logout` + * Default: `0` + * Description: Set timeout in seconds for logout users automatically after time. Setting this to `0` disables the timeout. + * Type: int + * Required: no +* `os_securetty_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring securetty. + * Type: bool + * Required: no +* `os_sysctl_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring sysctl. + * Type: bool + * Required: no +* `os_user_accounts_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring user_accounts. + * Type: bool + * Required: no +* `os_rhosts_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring rhosts. + * Type: bool + * Required: no +* `os_yum_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring yum. + * Type: bool + * Required: no +* `os_yum_repo_file_whitelist` + * Default: `"[]"` + * Description: List of yum repository files under /etc/yum.repos.d/ which should not be altered. + * Type: list + * Required: no +* `os_apt_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring apt. + * Type: bool + * Required: no +* `os_selinux_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring selinux. + * Type: bool + * Required: no +* `os_sha_crypt_min_rounds` + * Default: `640000` + * Description: Define the number of minimum SHA rounds. With a lot of rounds brute forcing the password is more difficult. 
But note also that it more CPU resources will be needed to authenticate users. The values must be inside the 1000-999999999 range. + * Type: int + * Required: no +* `os_sha_crypt_max_rounds` + * Default: `640000` + * Description: Define the number of maximum SHA rounds. With a lot of rounds brute forcing the password is more difficult. But note also that it more CPU resources will be needed to authenticate users. The values must be inside the 1000-999999999 range. + * Type: int + * Required: no +* `os_mnt_boot_dir_mode` + * Default: `0700` + * Description: Set default perimissions for /boot + * Type: str + * Required: no +* `os_mnt_boot_enabled` + * Default: `false` + * Description: Set to true to configure /boot mountpoint + * Type: bool + * Required: no +* `os_mnt_boot_src` + * Default: `''` + * Description: Set mount source for /boot + * Type: str + * Required: no +* `os_mnt_boot_options` + * Default: `rw,nosuid,nodev,noexec` + * Description: Configure mount options for /boot + * Type: str + * Required: no +* `os_mnt_boot_filesystem` + * Default: `''` + * Description: Configure file system for fstab entry /boot. If empty, the current file system type will be used. + * Type: str + * Required: no +* `os_mnt_boot_dump` + * Default: `ext3 + ext4 = 1 / other = 0` + * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype. + * Type: str + * Required: no +* `os_mnt_boot_passno` + * Default: `ext3 + ext4 = 2 / other = 0` + * Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype. 
+ * Type: str
+ * Required: no
+* `os_mnt_dev_dir_mode`
+ * Default: `0755`
+ * Description: Set default perimissions for /dev
+ * Type: str
+ * Required: no
+* `os_mnt_dev_enabled`
+ * Default: `true`
+ * Description: Set to false to ignore /dev mountpoint
+ * Type: bool
+ * Required: no
+* `os_mnt_dev_src`
+ * Default: `devtmpfs`
+ * Description: Set mount source for /dev
+ * Type: str
+ * Required: no
+* `os_mnt_dev_options`
+ * Default: `rw,nosuid,noexec`
+ * Description: Configure mount options for /dev
+ * Type: str
+ * Required: no
+* `os_mnt_dev_filesystem`
+ * Default: `devtmpfs`
+ * Description: Configure file system for fstab entry /dev
+ * Type: str
+ * Required: no
+* `os_mnt_dev_dump`
+ * Default: `0`
+ * Description: Configure dump for fstab entry /var/tmp.
+ * Type: str
+ * Required: no
+* `os_mnt_dev_passno`
+ * Default: `0`
+ * Description: Configure passno for fstab entry /var/tmp.
+ * Type: str
+ * Required: no
+* `os_mnt_dev_shm_dir_mode`
+ * Default: `1777`
+ * Description: Set default perimissions for /dev/shm
+ * Type: str
+ * Required: no
+* `os_mnt_dev_shm_enabled`
+ * Default: `true`
+ * Description: Set to false to ignore /dev/shm mountpoint
+ * Type: bool
+ * Required: no
+* `os_mnt_dev_shm_src`
+ * Default: `tmpfs`
+ * Description: Set mount source for /dev/shm
+ * Type: str
+ * Required: no
+* `os_mnt_dev_shm_options`
+ * Default: `rw,nosuid,nodev,noexec`
+ * Description: Configure mount options for /dev/shm
+ * Type: str
+ * Required: no
+* `os_mnt_dev_shm_filesystem`
+ * Default: `tmpfs`
+ * Description: Configure file system for fstab entry /dev/shm
+ * Type: str
+ * Required: no
+* `os_mnt_dev_shm_dump`
+ * Default: `0`
+ * Description: Configure dump for fstab entry /var/tmp.
+ * Type: str
+ * Required: no
+* `os_mnt_dev_shm_passno`
+ * Default: `0`
+ * Description: Configure passno for fstab entry /var/tmp.
+ * Type: str
+ * Required: no
+* `os_mnt_home_dir_mode`
+ * Default: `0755`
+ * Description: Set default perimissions for /home
+ * Type: str
+ * Required: no
+* `os_mnt_home_enabled`
+ * Default: `false`
+ * Description: Set to true to configure /home mountpoint
+ * Type: bool
+ * Required: no
+* `os_mnt_home_src`
+ * Default: `''`
+ * Description: Set mount source for /home. If empty, the current file system source device will be used.
+ * Type: str
+ * Required: no
+* `os_mnt_home_options`
+ * Default: `rw,nosuid,nodev`
+ * Description: Configure mount options for /home
+ * Type: str
+ * Required: no
+* `os_mnt_home_filesystem`
+ * Default: `''`
+ * Description: Configure file system for fstab entry /home. If empty, the current file system type will be used.
+ * Type: str
+ * Required: no
+* `os_mnt_home_dump`
+ * Default: `ext3/4 = 1, others = 0`
+ * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype.
+ * Type: str
+ * Required: no
+* `os_mnt_home_passno`
+ * Default: `ext3/4 = 2, others = 0`
+ * Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype.
+ * Type: str
+ * Required: no
+* `os_mnt_run_dir_mode`
+ * Default: `0755`
+ * Description: Set default perimissions for /run
+ * Type: str
+ * Required: no
+* `os_mnt_run_enabled`
+ * Default: `true`
+ * Description: Set to false to ignore /run mountpoint
+ * Type: bool
+ * Required: no
+* `os_mnt_run_src`
+ * Default: `tmpfs`
+ * Description: Set mount source for /run
+ * Type: str
+ * Required: no
+* `os_mnt_run_options`
+ * Default: `rw,nosuid,nodev`
+ * Description: Configure mount options for /run
+ * Type: str
+ * Required: no
+* `os_mnt_run_filesystem`
+ * Default: `tmpfs`
+ * Description: Configure file system for fstab entry /run
+ * Type: str
+ * Required: no
+* `os_mnt_run_dump`
+ * Default: `0`
+ * Description: Configure dump for fstab entry /var/tmp.
+ * Type: str
+ * Required: no
+* `os_mnt_run_passno`
+ * Default: `0`
+ * Description: Configure passno for fstab entry /var/tmp.
+ * Type: str
+ * Required: no
+* `os_mnt_tmp_dir_mode`
+ * Default: `1777`
+ * Description: Set default perimissions for /tmp
+ * Type: str
+ * Required: no
+* `os_mnt_tmp_enabled`
+ * Default: `false`
+ * Description: Set to true to configure /tmp mountpoint
+ * Type: bool
+ * Required: no
+* `os_mnt_tmp_src`
+ * Default: `''`
+ * Description: Set mount source for /tmp. If empty, the current file system source device will be used.
+ * Type: str
+ * Required: no
+* `os_mnt_tmp_options`
+ * Default: `rw,nosuid,nodev,noexec`
+ * Description: Configure mount options for /tmp
+ * Type: str
+ * Required: no
+* `os_mnt_tmp_filesystem`
+ * Default: `''`
+ * Description: Configure file system for fstab entry /tmp. If empty, the current file system type will be used.
+ * Type: str
+ * Required: no
+* `os_mnt_tmp_dump`
+ * Default: `ext3/4 = 1, others = 0`
+ * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype.
+ * Type: str
+ * Required: no
+* `os_mnt_tmp_passno`
+ * Default: `ext3/4 = 2, others = 0`
+ * Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype.
+ * Type: str
+ * Required: no
+* `os_mnt_var_dir_mode`
+ * Default: `0755`
+ * Description: Set default perimissions for /var
+ * Type: str
+ * Required: no
+* `os_mnt_var_enabled`
+ * Default: `false`
+ * Description: Set to true to configure /var mountpoint
+ * Type: bool
+ * Required: no
+* `os_mnt_var_src`
+ * Default: `''`
+ * Description: Set mount source for /var. If empty, the current file system source device will be used.
+ * Type: str
+ * Required: no
+* `os_mnt_var_options`
+ * Default: `rw,nosuid,nodev`
+ * Description: Configure mount options for /var
+ * Type: str
+ * Required: no
+* `os_mnt_var_filesystem`
+ * Default: `''`
+ * Description: Configure file system for fstab entry /var. If empty, the current file system type will be used.
+ * Type: str
+ * Required: no
+* `os_mnt_var_dump`
+ * Default: `ext3/4 = 1, others = 0`
+ * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype.
+ * Type: str
+ * Required: no
+* `os_mnt_var_passno`
+ * Default: `ext3/4 = 2, others = 0`
+ * Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype.
+ * Type: str
+ * Required: no
+* `os_mnt_var_log_dir_mode`
+ * Default: `0755`
+ * Description: Set default perimissions for /var/log
+ * Type: str
+ * Required: no
+* `os_mnt_var_log_enabled`
+ * Default: `false`
+ * Description: Set to true to configure /var/log mountpoint
+ * Type: bool
+ * Required: no
+* `os_mnt_var_log_src`
+ * Default: `''`
+ * Description: Set mount source for /var/log. If empty, the current file system source device will be used.
+ * Type: str
+ * Required: no
+* `os_mnt_var_log_options`
+ * Default: `rw,nosuid,nodev,noexec`
+ * Description: Configure mount options for /var/log
+ * Type: str
+ * Required: no
+* `os_mnt_var_log_filesystem`
+ * Default: `''`
+ * Description: Configure file system for fstab entry /var/log. If empty, the current file system type will be used.
+ * Type: str
+ * Required: no
+* `os_mnt_var_log_dump`
+ * Default: `ext3/4 = 1, others = 0`
+ * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype.
+ * Type: str
+ * Required: no
+* `os_mnt_var_log_passno`
+ * Default: `ext3/4 = 2, others = 0`
+ * Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype.
+ * Type: str
+ * Required: no
+* `os_mnt_var_log_audit_dir_mode`
+ * Default: `0640`
+ * Description: Set default perimissions for /var/log/audit
+ * Type: str
+ * Required: no
+* `os_mnt_var_log_audit_enabled`
+ * Default: `false`
+ * Description: Set to true to configure /var/log/audit mountpoint
+ * Type: bool
+ * Required: no
+* `os_mnt_var_log_audit_src`
+ * Default: `''`
+ * Description: Set mount source for /var/log/audit. If empty, the current file system source device will be used.
+ * Type: str
+ * Required: no
+* `os_mnt_var_log_audit_options`
+ * Default: `rw,nosuid,nodev,noexec`
+ * Description: Configure mount options for /var/log/audit
+ * Type: str
+ * Required: no
+* `os_mnt_var_log_audit_filesystem`
+ * Default: `''`
+ * Description: Configure file system for fstab entry /var/log/audit. If empty, the current file system type will be used.
+ * Type: str
+ * Required: no
+* `os_mnt_var_log_audit_dump`
+ * Default: `ext3/4 = 1, others = 0`
+ * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype.
+ * Type: str
+ * Required: no
+* `os_mnt_var_log_audit_passno`
+ * Default: `ext3/4 = 2, others = 0`
+ * Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype.
+ * Type: str
+ * Required: no
+* `os_mnt_var_tmp_dir_mode`
+ * Default: `1777`
+ * Description: Set default perimissions for /var/tmp
+ * Type: str
+ * Required: no
+* `os_mnt_var_tmp_enabled`
+ * Default: `false`
+ * Description: Set to true to configure /var/tmp mountpoint
+ * Type: bool
+ * Required: no
+* `os_mnt_var_tmp_src`
+ * Default: `''`
+ * Description: Set mount source for /var/tmp. If empty, the current file system source device will be used.
+ * Type: str
+ * Required: no
+* `os_mnt_var_tmp_options`
+ * Default: `rw,nosuid,nodev,noexec`
+ * Description: Configure mount options for /var/tmp
+ * Type: str
+ * Required: no
+* `os_mnt_var_tmp_filesystem`
+ * Default: `''`
+ * Description: Configure file system for fstab entry /var/tmp. If empty, the current file system type will be used.
+ * Type: str
+ * Required: no
+* `os_mnt_var_tmp_dump`
+ * Default: `ext3/4 = 1, others = 0`
+ * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype.
+ * Type: str
+ * Required: no
+* `os_mnt_var_tmp_passno`
+ * Default: `ext3/4 = 2, others = 0`
+ * Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype.
+ * Type: str
+ * Required: no
+* `os_netrc_enabled`
+ * Default: `true`
+ * Description: Configure filesystem for existence of .netrc file in homedir
+ * Type: bool
+ * Required: no
+* `os_netrc_whitelist_user`
+ * Default: `"[]"`
+ * Description: Add list of user to allow creation of .netrc in users homedir
+ * Type: list
+ * Required: no
+* `sysctl_overwrite`
+ * Default: `"{}"`
+ * Description: To overwrite options in the `sysctl_config`-dict, overwrite them here.
+ * Type: dict + * Required: no +* `sysctl_config` + * Default: `{"fs.protected_hardlinks": 1, "fs.protected_symlinks": 1, "fs.protected_fifos": 1, "fs.protected_regular": 2, "fs.suid_dumpable": 0, "kernel.core_uses_pid": 1, "kernel.kptr_restrict": 2, "kernel.kexec_load_disabled": 1, "kernel.sysrq": 0, "kernel.randomize_va_space": 2, "kernel.yama.ptrace_scope": 1, "net.ipv4.ip_forward": 0, "net.ipv6.conf.all.forwarding": 0, "net.ipv4.conf.all.rp_filter": 1, "net.ipv4.conf.default.rp_filter": 1, "net.ipv4.icmp_echo_ignore_broadcasts": 1, "net.ipv4.icmp_ignore_bogus_error_responses": 1, "net.ipv4.icmp_ratelimit": 100, "net.ipv4.icmp_ratemask": 88089, "net.ipv4.tcp_timestamps": 0, "net.ipv4.conf.all.arp_ignore": 1, "net.ipv4.conf.all.arp_announce": 2, "net.ipv4.tcp_rfc1337": 1, "net.ipv4.tcp_syncookies": 1, "net.ipv4.conf.all.shared_media": 1, "net.ipv4.conf.default.shared_media": 1, "net.ipv4.conf.all.accept_source_route": 0, "net.ipv4.conf.default.accept_source_route": 0, "net.ipv6.conf.all.accept_source_route": 0, "net.ipv6.conf.default.accept_source_route": 0, "net.ipv4.conf.all.send_redirects": 0, "net.ipv4.conf.default.send_redirects": 0, "net.ipv4.conf.all.log_martians": 1, "net.ipv4.conf.default.log_martians": 1, "net.ipv4.conf.default.accept_redirects": 0, "net.ipv4.conf.all.accept_redirects": 0, "net.ipv4.conf.all.secure_redirects": 0, "net.ipv4.conf.default.secure_redirects": 0, "net.ipv6.conf.default.accept_redirects": 0, "net.ipv6.conf.all.accept_redirects": 0, "net.ipv6.conf.all.accept_ra": 0, "net.ipv6.conf.default.accept_ra": 0, "net.ipv6.conf.default.router_solicitations": 0, "net.ipv6.conf.all.router_solicitations": 0, "net.ipv6.conf.default.accept_ra_rtr_pref": 0, "net.ipv6.conf.default.accept_ra_pinfo": 0, "net.ipv6.conf.default.accept_ra_defrtr": 0, "net.ipv6.conf.default.autoconf": 0, "net.ipv6.conf.all.autoconf": 0, "net.ipv6.conf.default.dad_transmits": 0, "net.ipv6.conf.default.max_addresses": 1, "vm.mmap_min_addr": 65536, "vm.mmap_rnd_bits": 
32, "vm.mmap_rnd_compat_bits": 16}` + * Description: various sysctl-settings + * Type: dict + * Required: no +* `os_unused_filesystems` + * Default: `["cramfs", "freevxfs", "jffs2", "hfs", "hfsplus", "squashfs", "udf", "vfat", "dccp", "rds", "sctp", "tipc"]` + * Description: Disable this list of unused filesystems + * Type: list + * Required: no +* `os_filesystem_whitelist` + * Default: `"[]"` + * Description: A list of filesystems that should not be disabled + * Type: list + * Required: no +* `os_hardening_enabled` + * Default: `true` + * Description: Wether to run the hardening + * Type: bool + * Required: no + +## Dependencies + +None. + +## Example Playbook + +``` +- hosts: all + roles: + - name: devsec.hardening.os_hardening +``` + ## Known Limitations 
@@ -83,519 +907,13 @@ We are setting this sysctl to a default of `32`, some systems only support small vm.mmap_rnd_bits: 16 ``` -### Testing with inspec +## Testing with inspec If you're using inspec to test your machines after applying this role, please make sure to add the connecting user to the `os_ignore_users`-variable. Otherwise inspec will fail. For more information, see [issue #124](https://github.com/dev-sec/ansible-os-hardening/issues/124). We know that this is the case on Raspberry Pi. -## Variables - -- `os_desktop_enable` - - Default: `false` - - Description: true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc. -- `os_env_extra_user_paths` - - Default: `[]` - - Description: add additional paths to the user's `PATH` variable (default is empty). -- `os_env_umask` - - Default: `027` or `077` depending on the platform. - - Description: set default permissions for new files to `750` or `700`. -- `os_auth_pw_max_age` - - Default: `60` - - Description: maximum password age (set to `99999` to effectively disable it). -- `os_auth_pw_min_age` - - Default: `7` - - Description: minimum password age (before allowing any other password change). -- `os_auth_pw_warn_age` - - Default: `7` - - Description: number of days of warning before password expires. -- `os_auth_pw_remember` - - Default: `5` - - Description: how many used passwords are record. -- `os_auth_retries` - - Default: `5` - - Description: the maximum number of authentication attempts, before the account is locked for some time. -- `os_auth_lockout_time` - - Default: `600` - - Description: time in seconds that needs to pass, if the account was locked due to too many failed authentication attempts. -- `os_auth_timeout` - - Default: `60` - - Description: authentication timeout in seconds, so login will exit if this time passes. -- `os_auth_allow_homeless` - - Default: `false` - - Description: true if to allow users without home to login. 
-- `os_auth_pam_passwdqc_enable`
- - Default: `true`
- - Description: true if you want to use strong password checking in PAM using passwdqc.
-- `os_auth_pam_passwdqc_options`
- - Default: `min=disabled,disabled,16,12,8`
- - Description: set to any option line (as a string) that you want to pass to passwdqc.
-- `os_auth_pam_sssd_enable`
- - Default: `false` (on RHEL8/CentOS8/Fedora `true`)
- - Description: activate PAM auth support for sssd
-- `os_auth_pam_oddjob_mkhomedir`
- - Default: `false`
- - Description: Enables automatic homedir e.g. in FreeIPA environments
-- `os_security_users_allow`
- - Default: `[]`
- - Description: list of things, that a user is allowed to do. May contain `change_user`.
-- `os_security_kernel_enable_module_loading`
- - Default: `true`
- - Description: true if you want to allowed to change kernel modules once the system is running (eg `modprobe`, `rmmod`).
- - WARNING: Rebuilding initramfs is deprecated and will be removed in the next major release. For more information take a look at this issue:
-- `os_security_kernel_enable_core_dump`
- - Default: `false`
- - Description: kernel is crashing or otherwise misbehaving and a kernel core dump is created.
-- `os_security_suid_sgid_enforce`
- - Default: `true`
- - Description: true if you want to reduce SUID/SGID bits. There is already a list of items which are searched for configured, but you can also add your own.
-- `os_security_suid_sgid_blacklist`
- - Default: `[]`
- - Description: a list of paths which should have their SUID/SGID bits removed.
-- `os_security_suid_sgid_whitelist`
- - Default: `[]`
- - Description: a list of paths which should not have their SUID/SGID bits altered.
-- `os_security_suid_sgid_remove_from_unknown`
- - Default: `false`
- - Description: true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.
-- `os_auth_uid_min`
- - Default: `1000`
- - Description: minimum number for automatic uid selection in useradd.
-- `os_auth_uid_max`
- - Default: `60000`
- - Description: maximum number for automatic uid selection in useradd.
-- `os_auth_gid_min`
- - Default: `1000`
- - Description: minimum number for automatic gid selection in groupadd.
-- `os_auth_gid_max`
- - Default: `60000`
- - Description: maximum number for automatic gid selection in groupadd.
-- `os_auth_sub_uid_count`
- - Default: `65536`
- - Description: If /etc/subuid exists, the commands useradd and newusers (unless the user already have subordinate user IDs) allocate SUB_UID_COUNT unused user IDs from the range SUB_UID_MIN to SUB_UID_MAX for each new user. See also `os_auth_sub_uid_min` and `os_auth_sub_uid_max`.
-- `os_auth_sub_uid_min`.
- - Default: `100000`
- - Description: minimum number for automatic subordinate uid selection in useradd and newusers.
-- `os_auth_sub_uid_max`
- - Default: `600100000`
- - Description: maximum number for automatic subordinate uid selection in useradd and newusers.
-- `os_auth_sub_gid_count`
- - Default: `65536`
- - Description: If /etc/subuid exists, the commands useradd and newusers (unless the user already have subordinate group IDs) allocate SUB_GID_COUNT unused group IDs from the range SUB_GID_MIN to SUB_GID_MAX for each new user. See also `os_auth_sub_gid_min` and `os_auth_sub_gid_max`.
-- `os_auth_sub_gid_min`
- - Default: `100000`
- - Description: minimum number for automatic subordinate gid selection in useradd and newusers.
-- `os_auth_sub_gid_max`
- - Default: `600100000`
- - Description: maximum number for automatic subordinate gid selection in useradd and newusers.
-- `os_security_packages_clean`
- - Default: `true`
- - Description: removes packages with known issues. See section packages.
-- `os_selinux_state`
- - Default: `enforcing`
- - Description: Set the SELinux state, can be either disabled, permissive, or enforcing.
-- `os_selinux_policy`
- - Default: `targeted`
- - Description: Set the SELinux polixy.
-- `ufw_manage_defaults`
- - Default: `true`
- - Description: true means apply all settings with `ufw_` prefix.
-- `ufw_ipt_sysctl`
- - Default: `''`
- - Description: by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example `/etc/ufw/sysctl.conf`.
-- `ufw_default_input_policy`
- - Default: `DROP`
- - Description: set default input policy of ufw to `DROP`.
-- `ufw_default_output_policy`
- - Default: `ACCEPT`
- - Description: set default output policy of ufw to `ACCEPT`.
-- `ufw_default_forward_policy`
- - Default: `DROP`
- - Description: set default forward policy of ufw to `DROP`.
-- `ufw_enable_ipv6`
- - Default: `true`
- - Description: Set to `true` to apply rules to support IPv6 (no means only IPv6 on loopback accepted).
-- `os_auditd_enabled`
- - Default: `true`
- - Description: Set to false to disable installing and configuring auditd.
-- `os_auditd_max_log_file_action`
- - Default: `keep_logs`
- - Description: Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`.
-- `os_auditd_max_log_file`
- - Default: `6`
- - Description: This keyword specifies the maximum file size in megabytes. When this limit is reached, it will trigger a configurable action. The value given must be numeric.
-- `os_auditd_num_logs`
- - Default: `5`
- - Description: This keyword specifies the number of log files to keep if `rotate` is given as the max_log_file_action. The value given must be numeric.
-- `hidepid_option`
- - Default: `2` (on RHEL/CentOS7 `0`, see known limitations)
- - Description: `0`: This is the default setting and gives you the default behaviour. `1`: With this option an normal user would not see other processes but their own about ps, top etc, but he is still able to see process IDs in /proc. `2`: Users are only able too see their own processes (like with hidepid=1), but also the other process IDs are hidden for them in /proc.
-- `proc_mnt_options`
- - Default: `rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}`
- - Description: Mount proc with hardenized options, including `hidepid` with variable value.
-- `os_ignore_users`
- - Default: `['vagrant', 'kitchen']`
- - Description: Specify system accounts whose login should not be disabled and password not changed
-- `os_chmod_home_folders`
- - Default: `true`
- - Description: Set to `false` to disable "chmod 700" of home folders for regular users
-- `os_ignore_home_folder_users`
- - Default: `[]`
- - Description: Specify user accounts, whose home folders shouldn't be chmodded to 700 when "os_chmod_home_folders" is enabled.
-- `os_chmod_rootuser_home_folder`
- - Default: `true`
- - Description: Set to `false` to disable "chmod 700" of root's home folder
-- `os_rootuser_pw_ageing`
- - Default: `false`
- - Description: Set to true to enforce password age settings for root user(s)
-- `os_remove_additional_root_users`
- - Default: `false`
- - Description: When enabled and there are multiple users with UID=0, only "root" will be kept. Others will be deleted.
-- `os_user_pw_ageing`
- - Default: `true`
- - Description: Set to false to disable password age enforcement on existing users
-- `os_users_without_password_ageing`
- - Default: `[]`
- - Description: List of users, where password ageing should not be enforced even if "os_user_pw_ageing" is enabled
-- `os_cron_enabled`
- - Default: `true`
- - Description: Set to false to disable installing and configuring cron.
-- `os_ctrlaltdel_disabled`
- - Default: `false`
- - Description: Set to true to disable ctrl-alt-delete key combination.
-- `os_limits_enabled`
- - Default: `true`
- - Description: Set to false to disable installing and configuring limits.
-- `os_login_defs_enabled`
- - Default: `true`
- - Description: Set to false to disable installing and configuring login_defs for newly created users.
-- `os_minimize_access_enabled`
- - Default: `true`
- - Description: Set to false to disable installing and configuring minimize_access.
-- `os_pam_enabled`
- - Default: `true`
- - Description: Set to false to disable installing and configuring pam.
-- `os_modprobe_enabled`
- - Default: `true`
- - Description: Set to false to disable installing and configuring modprobe.
-- `os_profile_enabled`
- - Default: `true`
- - Description: Set to false to disable installing and configuring profile.
-- `os_security_auto_logout`
- - Default: `0`
- - Description: Set timeout in seconds for logout users automatically after time. Setting this to `0` disables the timeout.
-- `os_securetty_enabled`
- - Default: `true`
- - Description: Set to false to disable installing and configuring securetty.
-- `os_sysctl_enabled`
- - Default: `true`
- - Description: Set to false to disable installing and configuring sysctl.
-- `os_user_accounts_enabled`
- - Default: `true`
- - Description: Set to false to disable installing and configuring user_accounts.
-- `os_rhosts_enabled`
- - Default: `true`
- - Description: Set to false to disable installing and configuring rhosts.
-- `os_yum_enabled`
- - Default: `true`
- - Description: Set to false to disable installing and configuring yum.
-- `os_yum_repo_file_whitelist`
- - Default: `[]`
- - Description: List of yum repository files under /etc/yum.repos.d/ which should not be altered.
-- `os_apt_enabled`
- - Default: `true`
- - Description: Set to false to disable installing and configuring apt.
-- `os_selinux_enabled`
- - Default: `true`
- - Description: Set to false to disable installing and configuring selinux.
-- `os_sha_crypt_min_rounds`
- - Default: `640000`
- - Description: Define the number of minimum SHA rounds. With a lot of rounds brute forcing the password is more difficult. But note also that it more CPU resources will be needed to authenticate users. The values must be inside the 1000-999999999 range.
-- `os_sha_crypt_max_rounds`
- - Default: `640000`
- - Description: Define the number of maximum SHA rounds. With a lot of rounds brute forcing the password is more difficult. But note also that it more CPU resources will be needed to authenticate users. The values must be inside the 1000-999999999 range.
-- `os_auditd_enabled`
- - Default: `true`
- - Description: Set to false to disable installing and configuring `auditd`.
-- `os_auditd_flush`
- - Default: `INCREMENTAL`
- - Description: Valid values are none, incremental, incremental_async, data, and sync.
-- `os_auditd_max_log_file`
- - Default: 6
- - Description: This keyword specifies the maximum file size in megabytes. When this limit is reached, it will trigger a configurable action.
-- `os_auditd_max_log_file_action`
- - Default: `keep_logs`
- - Description: This parameter tells the system what action to take when the system has detected that the max file size limit has been reached. Valid values are ignore, syslog, suspend, rotate and keep_logs.
-- `os_auditd_admin_space_left`
- - Default: 50
- - Description: This is a numeric value in megabytes that tells the audit daemon when to perform a configurable action because the system is running low on disk space.
-- `os_auditd_space_left`
- - Default: 75
- - Description: If the free space in the filesystem containing log_file drops below this value, the audit daemon takes the action specified by space_left_action.
-- `os_auditd_space_left_action`
- - Default: SYSLOG
- - Description: This parameter tells the system what action to take when the system has detected that it is starting to get low on disk space.
-- `os_auditd_action_mail_acct`
- - Default: root
- - Description: If `space_left_action` or `admin_space_left_action` are set to `email`, uses the address or alias to send the email using `/usr/lib/sendmail`. If the address or alias is not local, requires email properly configured on the machine and network.
-- `os_auditd_log_format`
- - Default: `RAW`
- - Description: The log format describes how the information should be stored on disk. There are 2 options: raw and enriched. If set to `RAW`, the audit records will be stored in a format exactly as the kernel sends it. The `ENRICHED` option will resolve all uid, gid, syscall, architecture, and socket address information before writing the event to disk. This aids in making sense of events created on one system but reported/analyzed on another system.
-- `os_mnt_boot_dir_mode`
- - Default: `0700`
- - Description: Set default perimissions for /boot
-- `os_mnt_boot_enabled`
- - Default: `false`
- - Description: Set to true to configure /boot mountpoint
-- `os_mnt_boot_src`
- - Default: `''`
- - Description: Set mount source for /boot
-- `os_mnt_boot_options`
- - Default: `rw,nosuid,nodev,noexec`
- - Description: Configure mount options for /boot
-- `os_mnt_boot_filesystem`
- - Default: `""`
- - Description: Configure file system for fstab entry /boot. If empty, the current file system type will be used.
-- `os_mnt_boot_dump`
- - Default: ext3 + ext4 `1` / other `0`
- - Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype.
-- `os_mnt_boot_passno`
- - Default: ext3 + ext4 `2` / other `0`
- - Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype.
-- `os_mnt_dev_dir_mode`
- - Default: `0755`
- - Description: Set default perimissions for /dev
-- `os_mnt_dev_enabled`
- - Default: `true`
- - Description: Set to false to ignore /dev mountpoint
-- `os_mnt_dev_src`
- - Default: `devtmpfs`
- - Description: Set mount source for /dev
-- `os_mnt_dev_options`
- - Default: `'rw,nosuid,noexec'`
- - Description: Configure mount options for /dev
-- `os_mnt_dev_filesystem`
- - Default: `devtmpfs`
- - Description: Configure file system for fstab entry /dev
-- `os_mnt_dev_dump`
- - Default: `0`
- - Description: Configure dump for fstab entry /var/tmp.
-- `os_mnt_dev_passno`
- - Default: `0`
- - Description: Configure passno for fstab entry /var/tmp.
-- `os_mnt_dev_shm_dir_mode`
- - Default: `1777`
- - Description: Set default perimissions for /dev/shm
-- `os_mnt_dev_shm_enabled`
- - Default: `true`
- - Description: Set to false to ignore /dev/shm mountpoint
-- `os_mnt_dev_shm_src`
- - Default: `tmpfs`
- - Description: Set mount source for /dev/shm
-- `os_mnt_dev_shm_options`
- - Default: `rw,nosuid,nodev,noexec`
- - Description: Configure mount options for /dev/shm
-- `os_mnt_dev_shm_filesystem`
- - Default: `tmpfs`
- - Description: Configure file system for fstab entry /dev/shm
-- `os_mnt_dev_shm_dump`
- - Default: `0`
- - Description: Configure dump for fstab entry /var/tmp.
-- `os_mnt_dev_shm_passno`
- - Default: `0`
- - Description: Configure passno for fstab entry /var/tmp.
-- `os_mnt_home_dir_mode`
- - Default: `0755`
- - Description: Set default perimissions for /home
-- `os_mnt_home_enabled`
- - Default: `false`
- - Description: Set to true to configure /home mountpoint
-- `os_mnt_home_src`
- - Default: `""`
- - Description: Set mount source for /home. If empty, the current file system source device will be used.
-- `os_mnt_home_options`
- - Default: `rw,nosuid,nodev`
- - Description: Configure mount options for /home
-- `os_mnt_home_filesystem`
- - Default: `""`
- - Description: Configure file system for fstab entry /home. If empty, the current file system type will be used.
-- `os_mnt_home_dump`
- - Default: ext3 + ext4 `1` / other `0`
- - Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype.
-- `os_mnt_home_passno`
- - Default: ext3 + ext4 `2` / other `0`
- - Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype.
-- `os_mnt_run_dir_mode`
- - Default: `0755`
- - Description: Set default perimissions for /run
-- `os_mnt_run_enabled`
- - Default: `true`
- - Description: Set to false to ignore /run mountpoint
-- `os_mnt_run_src`
- - Default: `tmpfs`
- - Description: Set mount source for /run
-- `os_mnt_run_options`
- - Default: `rw,nosuid,nodev`
- - Description: Configure mount options for /run
-- `os_mnt_run_filesystem`
- - Default: `tmpfs`
- - Description: Configure file system for fstab entry /run
-- `os_mnt_run_dump`
- - Default: `0`
- - Description: Configure dump for fstab entry /var/tmp.
-- `os_mnt_run_passno`
- - Default: `0`
- - Description: Configure passno for fstab entry /var/tmp.
-- `os_mnt_tmp_dir_mode`
- - Default: `1777`
- - Description: Set default perimissions for /tmp
-- `os_mnt_tmp_enabled`
- - Default: `false`
- - Description: Set to true to configure /tmp mountpoint
-- `os_mnt_tmp_src`
- - Default: `""`
- - Description: Set mount source for /tmp. If empty, the current file system source device will be used.
-- `os_mnt_tmp_options`
- - Default: `rw,nosuid,nodev,noexec`
- - Description: Configure mount options for /tmp
-- `os_mnt_tmp_filesystem`
- - Default: `""`
- - Description: Configure file system for fstab entry /tmp. If empty, the current file system type will be used.
-- `os_mnt_tmp_dump` - - Default: ext3 + ext4 `1` / other `0` - - Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype. -- `os_mnt_tmp_passno` - - Default: ext3 + ext4 `2` / other `0` - - Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype. -- `os_mnt_var_dir_mode` - - Default: `0755` - - Description: Set default perimissions for /var -- `os_mnt_var_enabled` - - Default: `false` - - Description: Set to true to configure /var mountpoint -- `os_mnt_var_src` - - Default: `""` - - Description: Set mount source for /var. If empty, the current file system source device will be used. -- `os_mnt_var_options` - - Default: `rw,nosuid,nodev` - - Description: Configure mount options for /var -- `os_mnt_var_filesystem` - - Default: `""` - - Description: Configure file system for fstab entry /var. If empty, the current file system type will be used. -- `os_mnt_var_dump` - - Default: ext3 + ext4 `1` / other `0` - - Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype. -- `os_mnt_var_passno` - - Default: ext3 + ext4 `2` / other `0` - - Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype. -- `os_mnt_var_log_dir_mode` - - Default: `0755` - - Description: Set default perimissions for /var/log -- `os_mnt_var_log_enabled` - - Default: `false` - - Description: Set to true to configure /var/log mountpoint -- `os_mnt_var_log_src` - - Default: `""` - - Description: Set mount source for /var/log. If empty, the current file system source device will be used. -- `os_mnt_var_log_options` - - Default: `rw,nosuid,nodev,noexec` - - Description: Configure mount options for /var/log -- `os_mnt_var_log_filesystem` - - Default: `""` - - Description: Configure file system for fstab entry /var/log. If empty, the current file system type will be used. 
-- `os_mnt_var_log_dump` - - Default: ext3 + ext4 `1` / other `0` - - Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype. -- `os_mnt_var_log_passno` - - Default: ext3 + ext4 `2` / other `0` - - Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype. -- `os_mnt_var_log_audit_dir_mode` - - Default: `0640` - - Description: Set default perimissions for /var/log/audit -- `os_mnt_var_log_audit_enabled` - - Default: `false` - - Description: Set to true to configure /var/log/audit mountpoint -- `os_mnt_var_log_audit_src` - - Default: `""` - - Description: Set mount source for /var/log/audit. If empty, the current file system source device will be used. -- `os_mnt_var_log_audit_options` - - Default: `rw,nosuid,nodev,noexec` - - Description: Configure mount options for /var/log/audit -- `os_mnt_var_log_audit_filesystem` - - Default: `""` - - Description: Configure file system for fstab entry /var/log/audit. If empty, the current file system type will be used. -- `os_mnt_var_log_audit_dump` - - Default: ext3 + ext4 `1` / other `0` - - Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype. -- `os_mnt_var_log_audit_passno` - - Default: ext3 + ext4 `2` / other `0` - - Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype. -- `os_mnt_var_tmp_dir_mode` - - Default: `1777` - - Description: Set default perimissions for /var/tmp -- `os_mnt_var_tmp_enabled` - - Default: `false` - - Description: Set to true to configure /var/tmp mountpoint -- `os_mnt_var_tmp_src` - - Default: `""` - - Description: Set mount source for /var/tmp. If empty, the current file system source device will be used. -- `os_mnt_var_tmp_options` - - Default: `rw,nosuid,nodev,noexec` - - Description: Configure mount options for /var/tmp -- `os_mnt_var_tmp_filesystem` - - Default: `""` - - Description: Configure file system for fstab entry /var/tmp. 
If empty, the current file system type will be used. -- `os_mnt_var_tmp_dump` - - Default: ext3 + ext4 `1` / other `0` - - Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype. -- `os_mnt_var_tmp_passno` - - Default: ext3 + ext4 `2` / other `0` - - Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype. -- `os_netrc_enabled` - - Default: `True` - - Description: Configure filesystem for existence of .netrc file in homedir -- `os_netrc_whitelist_user` - - Default: `` - - Description: Add list of user to allow creation of .netrc in users homedir - -## Packages - -We remove the following packages: - -- xinetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1) -- inetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1) -- tftp-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.5) -- ypserv ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.4) -- telnet-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.2) -- rsh-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.3) -- prelink ([open-scap](https://static.open-scap.org/ssg-guides/ssg-sl7-guide-ospp-rhel7-server.html#xccdf_org.ssgproject.content_rule_disable_prelink)) - -## Disabled filesystems - 
-We disable the following filesystems, because they're most likely not used: - -- "cramfs" -- "freevxfs" -- "jffs2" -- "hfs" -- "hfsplus" -- "squashfs" -- "udf" -- "vfat" # only if uefi is not in use - -To prevent some of the filesystems from being disabled, add them to the `os_filesystem_whitelist` variable. - -## Example Playbook - -```yaml -- hosts: localhost - collections: - - devsec.hardening - roles: - - os_hardening -``` - ## Changing sysctl variables If you want to override sysctl-variables, you can use the `sysctl_overwrite` variable (in older versions you had to override the whole `sysctl_dict`). diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml index 77de4bffe..8948a8959 100644 --- a/roles/os_hardening/defaults/main.yml +++ b/roles/os_hardening/defaults/main.yml @@ -352,7 +352,7 @@ os_selinux_state: enforcing os_selinux_policy: targeted # Mount options for proc in /etc/fstab. -proc_mnt_options: rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }} +proc_mnt_options: rw,nosuid,nodev,noexec,relatime # Set to false to disable installing and configuring cron. os_cron_enabled: true diff --git a/roles/os_hardening/meta/argument_specs.yml b/roles/os_hardening/meta/argument_specs.yml new file mode 100644 index 000000000..d45227257 --- /dev/null +++ b/roles/os_hardening/meta/argument_specs.yml 
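Review bot: Dropping `hidepid=` from the `proc_mnt_options` default silently changes the meaning of any existing user override of that variable: a value copied from the old default line (`rw,nosuid,nodev,noexec,relatime,hidepid=2`) will now get a second `hidepid=` appended by the set_fact in minimize_access.yml, and nothing in the role checks for the duplicated option. The comment above the line should state the new contract, e.g. `# Mount options for proc in /etc/fstab. hidepid= is appended from hidepid_option at task time; do not add it here.` Because the change is invisible to users who override the variable, it is also worth an upgrade note in the changelog.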
@@ -0,0 +1,847 @@ +--- +argument_specs: + main: + short_description: The main entry point for the os hardening role. + version_added: 8.8.0 + options: + os_desktop_enable: + default: false + type: bool + description: true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc. + os_env_extra_user_paths: + default: '[]' + type: list + description: add additional paths to the user's `PATH` variable (default is + empty). + os_auth_pw_max_age: + default: 60 + type: int + description: maximum password age (set to `99999` to effectively disable it). + os_auth_pw_min_age: + default: 7 + type: int + description: minimum password age (before allowing any other password change). + os_auth_pw_warn_age: + default: 7 + type: int + description: number of days of warning before password expires. + os_auth_pw_remember: + default: 5 + type: int + description: how many used passwords are record. + os_auth_retries: + default: 5 + type: int + description: the maximum number of authentication attempts, before the account + is locked for some time. + os_auth_lockout_time: + default: 600 + type: int + description: time in seconds that needs to pass, if the account was locked + due to too many failed authentication attempts. + os_auth_timeout: + default: 60 + type: int + description: authentication timeout in seconds, so login will exit if this + time passes. + os_auth_allow_homeless: + default: false + type: bool + description: true if to allow users without home to login. + os_auth_pam_passwdqc_enable: + default: true + type: bool + description: true if you want to use strong password checking in PAM using + passwdqc. + os_auth_pam_passwdqc_options: + default: min=disabled,disabled,16,12,8 + type: str + description: set to any option line (as a string) that you want to pass to + passwdqc. + os_auth_pam_oddjob_mkhomedir: + default: false + type: bool + description: Enables automatic homedir e.g. 
in FreeIPA environments + os_auth_pam_pwquality_options: + default: try_first_pass retry=3 authtok_type= + type: str + description: Options to pass to the PAM module pwquality + os_security_users_allow: + default: '[]' + type: list + description: list of things, that a user is allowed to do. May contain `change_user`. + os_security_kernel_enable_module_loading: + default: true + type: bool + description: true if you want to allowed to change kernel modules once the + system is running (eg `modprobe`, `rmmod`). WARNING - Rebuilding initramfs + is deprecated and will be removed in the next major release. For more information + take a look at this issue + os_security_kernel_enable_core_dump: + default: false + type: bool + description: kernel is crashing or otherwise misbehaving and a kernel core + dump is created. + os_security_suid_sgid_enforce: + default: true + type: bool + description: true if you want to reduce SUID/SGID bits. There is already a + list of items which are searched for configured, but you can also add your + own. + os_security_suid_sgid_blacklist: + default: '[]' + type: list + description: a list of paths which should have their SUID/SGID bits removed. + os_security_suid_sgid_whitelist: + default: '[]' + type: list + description: a list of paths which should not have their SUID/SGID bits altered. + os_security_suid_sgid_remove_from_unknown: + default: false + type: bool + description: true if you want to remove SUID/SGID bits from any file, that + is not explicitly configured in a `blacklist`. This will make every Ansible-run + search through the mounted filesystems looking for SUID/SGID bits that are + not configured in the default and user blacklist. If it finds an SUID/SGID + bit, it will be removed, unless this file is in your `whitelist`. + os_auth_uid_min: + default: 1000 + type: int + description: minimum number for automatic uid selection in useradd. 
+ os_auth_uid_max: + default: 60000 + type: int + description: maximum number for automatic uid selection in useradd. + os_auth_gid_min: + default: 1000 + type: int + description: minimum number for automatic gid selection in groupadd. + os_auth_gid_max: + default: 60000 + type: int + description: maximum number for automatic gid selection in groupadd. + os_auth_sub_uid_count: + default: 65536 + type: int + description: If /etc/subuid exists, the commands useradd and newusers (unless + the user already have subordinate user IDs) allocate SUB_UID_COUNT unused + user IDs from the range SUB_UID_MIN to SUB_UID_MAX for each new user. See + also `os_auth_sub_uid_min` and `os_auth_sub_uid_max`. + os_auth_sub_uid_min: + default: 100000 + type: int + description: minimum number for automatic subordinate uid selection in useradd + and newusers. + os_auth_sub_uid_max: + default: 600100000 + type: int + description: maximum number for automatic subordinate uid selection in useradd + and newusers. + os_auth_sub_gid_count: + default: 65536 + type: int + description: If /etc/subuid exists, the commands useradd and newusers (unless + the user already have subordinate group IDs) allocate SUB_GID_COUNT unused + group IDs from the range SUB_GID_MIN to SUB_GID_MAX for each new user. See + also `os_auth_sub_gid_min` and `os_auth_sub_gid_max`. + os_auth_sub_gid_min: + default: 100000 + type: int + description: minimum number for automatic subordinate gid selection in useradd + and newusers. + os_auth_sub_gid_max: + default: 600100000 + type: int + description: maximum number for automatic subordinate gid selection in useradd + and newusers. + os_security_packages_clean: + default: true + type: bool + description: removes packages with known issues. See section packages. + os_selinux_state: + default: enforcing + type: str + description: Set the SELinux state, can be either disabled, permissive, or + enforcing. 
+ os_selinux_policy: + default: targeted + type: str + description: Set the SELinux polixy. + ufw_manage_defaults: + default: true + type: bool + description: true means apply all settings with `ufw_` prefix. + ufw_ipt_sysctl: + default: "''" + type: str + description: by default it disables IPT_SYSCTL in /etc/default/ufw. If you + want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl + dictionary, for example `/etc/ufw/sysctl.conf`. + ufw_default_input_policy: + default: DROP + type: str + description: set default input policy of ufw to `DROP`. + ufw_default_output_policy: + default: ACCEPT + type: str + description: set default output policy of ufw to `ACCEPT`. + ufw_default_forward_policy: + default: DROP + type: str + description: set default forward policy of ufw to `DROP`. + ufw_enable_ipv6: + default: true + type: bool + description: Set to `true` to apply rules to support IPv6 (no means only IPv6 + on loopback accepted). + os_auditd_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring auditd. + os_auditd_log_format: + default: RAW + type: str + description: Describes how the information should be stored on disk. There + are 2 options - raw and enriched. + os_auditd_max_log_file_action: + default: keep_logs + type: str + description: Defines the behaviour of auditd when its log file is filled up. + Possible other values are described in the auditd.conf man page. The most + common alternative to the default may be `rotate`. + os_auditd_max_log_file: + default: 6 + type: int + description: This keyword specifies the maximum file size in megabytes. When + this limit is reached, it will trigger a configurable action. The value + given must be numeric. + os_auditd_num_logs: + default: 5 + type: int + description: This keyword specifies the number of log files to keep if `rotate` + is given as the max_log_file_action. The value given must be numeric. 
+ os_auditd_flush: + default: INCREMENTAL + type: str + description: Valid values are none, incremental, incremental_async, data, + and sync. + os_auditd_admin_space_left: + default: 50 + type: int + description: This is a numeric value in megabytes that tells the audit daemon + when to perform a configurable action because the system is running low + on disk space. + os_auditd_admin_space_left_action: + default: SUSPEND + type: str + description: This parameter tells the system what action to take when the + system has detected that it is low on disk space. Valid values are ignore, + syslog, rotate, email, exec, suspend, single, and halt. + os_auditd_space_left: + default: 75 + type: int + description: If the free space in the filesystem containing log_file drops + below this value, the audit daemon takes the action specified by space_left_action. + os_auditd_space_left_action: + default: SYSLOG + type: str + description: This parameter tells the system what action to take when the + system has detected that it is starting to get low on disk space. Valid + values are ignore, syslog, rotate, email, exec, suspend, single, and halt. + os_auditd_action_mail_acct: + default: root + type: str + description: If `space_left_action` or `admin_space_left_action` are set to + `email`, uses the address or alias to send the email using `/usr/lib/sendmail`. + of events created on one system but reported/analyzed on another system. + os_auditd_disk_error_action: + default: SUSPEND + type: str + description: This parameter tells the system what action to take whenever + there is an error detected when writing audit events to disk or rotating + logs. Valid values are ignore, syslog, exec, suspend, single, and halt. + os_auditd_disk_full_action: + default: SUSPEND + type: str + description: This parameter tells the system what action to take when the + system has detected that the partition to which log files are written has + become full. 
Valid values are ignore, syslog, rotate, exec, suspend, single, + and halt. + os_auditd_log_group: + default: root + type: str + description: specifies the group that is applied to the log file's permissions. + The group name can be either numeric or spelled out. + proc_mnt_options: + default: rw,nosuid,nodev,noexec,relatime + type: str + description: Mount proc with hardenized options. Note that the hidepid option + is set separatly in vars/. + os_ignore_users: + default: [vagrant, kitchen] + type: list + description: Specify system accounts whose login should not be disabled and + password not changed + os_chmod_home_folders: + default: true + type: bool + description: Set to `false` to disable "chmod 700" of home folders for regular + users + os_ignore_home_folder_users: + default: '[]' + type: list + description: Specify user accounts, whose home folders shouldn't be chmodded + to 700 when "os_chmod_home_folders" is enabled. + os_chmod_rootuser_home_folder: + default: true + type: bool + description: Set to `false` to disable "chmod 700" of root's home folder + os_rootuser_pw_ageing: + default: false + type: bool + description: Set to true to enforce password age settings for root user(s) + os_remove_additional_root_users: + default: false + type: bool + description: When enabled and there are multiple users with UID=0, only "root" + will be kept. Others will be deleted. + os_user_pw_ageing: + default: true + type: bool + description: Set to false to disable password age enforcement on existing + users + os_users_without_password_ageing: + default: '[]' + type: list + description: List of users, where password ageing should not be enforced even + if "os_user_pw_ageing" is enabled + os_cron_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring cron. + os_ctrlaltdel_disabled: + default: false + type: bool + description: Set to true to disable ctrl-alt-delete key combination. 
+ os_limits_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring limits. + os_login_defs_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring login_defs + for newly created users. + os_minimize_access_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring minimize_access. + os_pam_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring pam. + os_modprobe_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring modprobe. + os_profile_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring profile. + os_security_auto_logout: + default: 0 + type: int + description: Set timeout in seconds for logout users automatically after time. + Setting this to `0` disables the timeout. + os_securetty_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring securetty. + os_sysctl_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring sysctl. + os_user_accounts_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring user_accounts. + os_rhosts_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring rhosts. + os_yum_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring yum. + os_yum_repo_file_whitelist: + default: '[]' + type: list + description: List of yum repository files under /etc/yum.repos.d/ which should + not be altered. + os_apt_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring apt. 
+ os_selinux_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring selinux. + os_sha_crypt_min_rounds: + default: 640000 + type: int + description: Define the number of minimum SHA rounds. With a lot of rounds + brute forcing the password is more difficult. But note also that it more + CPU resources will be needed to authenticate users. The values must be inside + the 1000-999999999 range. + os_sha_crypt_max_rounds: + default: 640000 + type: int + description: Define the number of maximum SHA rounds. With a lot of rounds + brute forcing the password is more difficult. But note also that it more + CPU resources will be needed to authenticate users. The values must be inside + the 1000-999999999 range. + os_mnt_boot_dir_mode: + default: '0700' + type: str + description: Set default perimissions for /boot + os_mnt_boot_enabled: + default: false + type: bool + description: Set to true to configure /boot mountpoint + os_mnt_boot_src: + default: "''" + type: str + description: Set mount source for /boot + os_mnt_boot_options: + default: rw,nosuid,nodev,noexec + description: Configure mount options for /boot + os_mnt_boot_filesystem: + default: "''" + type: str + description: Configure file system for fstab entry /boot. If empty, the current + file system type will be used. + os_mnt_boot_dump: + default: ext3 + ext4 = 1 / other = 0 + type: str + description: Configure dump for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_boot_passno: + default: ext3 + ext4 = 2 / other = 0 + type: str + description: Configure passno for fstab entry /var/tmp. If empty, the default + depends on fstype. 
+ os_mnt_dev_dir_mode: + default: '0755' + type: str + description: Set default perimissions for /dev + os_mnt_dev_enabled: + default: true + type: bool + description: Set to false to ignore /dev mountpoint + os_mnt_dev_src: + default: devtmpfs + type: str + description: Set mount source for /dev + os_mnt_dev_options: + default: rw,nosuid,noexec + type: str + description: Configure mount options for /dev + os_mnt_dev_filesystem: + default: devtmpfs + type: str + description: Configure file system for fstab entry /dev + os_mnt_dev_dump: + default: 0 + type: str + description: Configure dump for fstab entry /var/tmp. + os_mnt_dev_passno: + default: 0 + type: str + description: Configure passno for fstab entry /var/tmp. + os_mnt_dev_shm_dir_mode: + default: '1777' + type: str + description: Set default perimissions for /dev/shm + os_mnt_dev_shm_enabled: + default: true + type: bool + description: Set to false to ignore /dev/shm mountpoint + os_mnt_dev_shm_src: + default: tmpfs + type: str + description: Set mount source for /dev/shm + os_mnt_dev_shm_options: + default: rw,nosuid,nodev,noexec + type: str + description: Configure mount options for /dev/shm + os_mnt_dev_shm_filesystem: + default: tmpfs + type: str + description: Configure file system for fstab entry /dev/shm + os_mnt_dev_shm_dump: + default: 0 + type: str + description: Configure dump for fstab entry /var/tmp. + os_mnt_dev_shm_passno: + default: 0 + type: str + description: Configure passno for fstab entry /var/tmp. + os_mnt_home_dir_mode: + default: '0755' + type: str + description: Set default perimissions for /home + os_mnt_home_enabled: + default: false + type: bool + description: Set to true to configure /home mountpoint + os_mnt_home_src: + default: "''" + type: str + description: Set mount source for /home. If empty, the current file system + source device will be used. 
+ os_mnt_home_options: + default: rw,nosuid,nodev + type: str + description: Configure mount options for /home + os_mnt_home_filesystem: + default: "''" + type: str + description: Configure file system for fstab entry /home. If empty, the current + file system type will be used. + os_mnt_home_dump: + default: ext3/4 = 1, others = 0 + type: str + description: Configure dump for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_home_passno: + default: ext3/4 = 2, others = 0 + type: str + description: Configure passno for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_run_dir_mode: + default: '0755' + type: str + description: Set default perimissions for /run + os_mnt_run_enabled: + default: true + type: bool + description: Set to false to ignore /run mountpoint + os_mnt_run_src: + default: tmpfs + type: str + description: Set mount source for /run + os_mnt_run_options: + default: rw,nosuid,nodev + type: str + description: Configure mount options for /run + os_mnt_run_filesystem: + default: tmpfs + type: str + description: Configure file system for fstab entry /run + os_mnt_run_dump: + default: 0 + type: str + description: Configure dump for fstab entry /var/tmp. + os_mnt_run_passno: + default: 0 + type: str + description: Configure passno for fstab entry /var/tmp. + os_mnt_tmp_dir_mode: + default: '1777' + type: str + description: Set default perimissions for /tmp + os_mnt_tmp_enabled: + default: false + type: bool + description: Set to true to configure /tmp mountpoint + os_mnt_tmp_src: + default: "''" + type: str + description: Set mount source for /tmp. If empty, the current file system + source device will be used. + os_mnt_tmp_options: + default: rw,nosuid,nodev,noexec + type: str + description: Configure mount options for /tmp + os_mnt_tmp_filesystem: + default: "''" + type: str + description: Configure file system for fstab entry /tmp. If empty, the current + file system type will be used. 
+ os_mnt_tmp_dump: + default: ext3/4 = 1, others = 0 + type: str + description: Configure dump for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_tmp_passno: + default: ext3/4 = 2, others = 0 + type: str + description: Configure passno for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_var_dir_mode: + default: '0755' + type: str + description: Set default perimissions for /var + os_mnt_var_enabled: + default: false + type: bool + description: Set to true to configure /var mountpoint + os_mnt_var_src: + default: "''" + type: str + description: Set mount source for /var. If empty, the current file system + source device will be used. + os_mnt_var_options: + default: rw,nosuid,nodev + type: str + description: Configure mount options for /var + os_mnt_var_filesystem: + default: "''" + type: str + description: Configure file system for fstab entry /var. If empty, the current + file system type will be used. + os_mnt_var_dump: + default: ext3/4 = 1, others = 0 + type: str + description: Configure dump for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_var_passno: + default: ext3/4 = 2, others = 0 + type: str + description: Configure passno for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_var_log_dir_mode: + default: '0755' + type: str + description: Set default perimissions for /var/log + os_mnt_var_log_enabled: + default: false + type: bool + description: Set to true to configure /var/log mountpoint + os_mnt_var_log_src: + default: "''" + type: str + description: Set mount source for /var/log. If empty, the current file system + source device will be used. + os_mnt_var_log_options: + default: rw,nosuid,nodev,noexec + type: str + description: Configure mount options for /var/log + os_mnt_var_log_filesystem: + default: "''" + type: str + description: Configure file system for fstab entry /var/log. If empty, the + current file system type will be used. 
+ os_mnt_var_log_dump: + default: ext3/4 = 1, others = 0 + type: str + description: Configure dump for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_var_log_passno: + default: ext3/4 = 2, others = 0 + type: str + description: Configure passno for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_var_log_audit_dir_mode: + default: '0640' + type: str + description: Set default perimissions for /var/log/audit + os_mnt_var_log_audit_enabled: + default: false + type: bool + description: Set to true to configure /var/log/audit mountpoint + os_mnt_var_log_audit_src: + default: "''" + type: str + description: Set mount source for /var/log/audit. If empty, the current file + system source device will be used. + os_mnt_var_log_audit_options: + default: rw,nosuid,nodev,noexec + type: str + description: Configure mount options for /var/log/audit + os_mnt_var_log_audit_filesystem: + default: "''" + type: str + description: Configure file system for fstab entry /var/log/audit. If empty, + the current file system type will be used. + os_mnt_var_log_audit_dump: + default: ext3/4 = 1, others = 0 + type: str + description: Configure dump for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_var_log_audit_passno: + default: ext3/4 = 2, others = 0 + type: str + description: Configure passno for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_var_tmp_dir_mode: + default: '1777' + type: str + description: Set default perimissions for /var/tmp + os_mnt_var_tmp_enabled: + default: false + type: bool + description: Set to true to configure /var/tmp mountpoint + os_mnt_var_tmp_src: + default: "''" + type: str + description: Set mount source for /var/tmp. If empty, the current file system + source device will be used. 
+ os_mnt_var_tmp_options: + default: rw,nosuid,nodev,noexec + type: str + description: Configure mount options for /var/tmp + os_mnt_var_tmp_filesystem: + default: "''" + type: str + description: Configure file system for fstab entry /var/tmp. If empty, the + current file system type will be used. + os_mnt_var_tmp_dump: + default: ext3/4 = 1, others = 0 + type: str + description: Configure dump for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_var_tmp_passno: + default: ext3/4 = 2, others = 0 + type: str + description: Configure passno for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_netrc_enabled: + default: true + type: bool + description: Configure filesystem for existence of .netrc file in homedir + os_netrc_whitelist_user: + default: '[]' + type: list + description: Add list of user to allow creation of .netrc in users homedir + sysctl_overwrite: + default: '{}' + type: dict + description: To overwrite options in the `sysctl_config`-dict, overwrite them + here. 
+ sysctl_config: + type: dict + description: various sysctl-settings + default: + fs.protected_hardlinks: 1 + fs.protected_symlinks: 1 + fs.protected_fifos: 1 + fs.protected_regular: 2 + fs.suid_dumpable: 0 + kernel.core_uses_pid: 1 + kernel.kptr_restrict: 2 + kernel.kexec_load_disabled: 1 + kernel.sysrq: 0 + kernel.randomize_va_space: 2 + kernel.yama.ptrace_scope: 1 + net.ipv4.ip_forward: 0 + net.ipv6.conf.all.forwarding: 0 + net.ipv4.conf.all.rp_filter: 1 + net.ipv4.conf.default.rp_filter: 1 + net.ipv4.icmp_echo_ignore_broadcasts: 1 + net.ipv4.icmp_ignore_bogus_error_responses: 1 + net.ipv4.icmp_ratelimit: 100 + net.ipv4.icmp_ratemask: 88089 + net.ipv4.tcp_timestamps: 0 + net.ipv4.conf.all.arp_ignore: 1 + net.ipv4.conf.all.arp_announce: 2 + net.ipv4.tcp_rfc1337: 1 + net.ipv4.tcp_syncookies: 1 + net.ipv4.conf.all.shared_media: 1 + net.ipv4.conf.default.shared_media: 1 + net.ipv4.conf.all.accept_source_route: 0 + net.ipv4.conf.default.accept_source_route: 0 + net.ipv6.conf.all.accept_source_route: 0 + net.ipv6.conf.default.accept_source_route: 0 + net.ipv4.conf.all.send_redirects: 0 + net.ipv4.conf.default.send_redirects: 0 + net.ipv4.conf.all.log_martians: 1 + net.ipv4.conf.default.log_martians: 1 + net.ipv4.conf.default.accept_redirects: 0 + net.ipv4.conf.all.accept_redirects: 0 + net.ipv4.conf.all.secure_redirects: 0 + net.ipv4.conf.default.secure_redirects: 0 + net.ipv6.conf.default.accept_redirects: 0 + net.ipv6.conf.all.accept_redirects: 0 + net.ipv6.conf.all.accept_ra: 0 + net.ipv6.conf.default.accept_ra: 0 + net.ipv6.conf.default.router_solicitations: 0 + net.ipv6.conf.all.router_solicitations: 0 + net.ipv6.conf.default.accept_ra_rtr_pref: 0 + net.ipv6.conf.default.accept_ra_pinfo: 0 + net.ipv6.conf.default.accept_ra_defrtr: 0 + net.ipv6.conf.default.autoconf: 0 + net.ipv6.conf.all.autoconf: 0 + net.ipv6.conf.default.dad_transmits: 0 + net.ipv6.conf.default.max_addresses: 1 + vm.mmap_min_addr: 65536 + vm.mmap_rnd_bits: 32 + vm.mmap_rnd_compat_bits: 16 + 
os_unused_filesystems: + default: + - cramfs + - freevxfs + - jffs2 + - hfs + - hfsplus + - squashfs + - udf + - vfat + - dccp + - rds + - sctp + - tipc + type: list + description: Disable this list of unused filesystems + os_filesystem_whitelist: + default: '[]' + type: list + description: A list of filesystems that should not be disabled + os_hardening_enabled: + default: true + type: bool + description: Wether to run the hardening + os_auth_root_ttys: + default: [console, tty1, tty2, tty3, tty4, tty5, tty6] + type: list + description: A list of TTYs, from which root can log in, see `man securetty` + for reference + os_chfn_restrict: + default: "''" + type: str + description: Indicate which fields are changeable by chfn. + os_security_init_prompt: + default: true + type: bool + description: The PROMPT option provides console users the ability to interactively + boot the system and select which services to start on boot. + os_security_init_single: + default: false + type: bool + description: Single-user mode is intended as a system recovery method, providing + a single user root access to the system by providing a boot option at startup. + By default, no authentication is performed if single-user mode is selected. 
+ To require entry of the root password even if the system is started in single-user + mode, set this to false + os_security_packages_list: + default: [xinetd, inetd, ypserv, telnet-server, rsh-server, prelink] + type: list + description: List of deprecated or insecure packages to remove + ufw_default_application_policy: + default: SKIP + type: str + description: The default application policy is skip, which means that the + update --add-new command will do nothing + ufw_ipt_modules: + default: nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns + type: str + description: Define which netfilter modules to load + ufw_manage_builtins: + default: 'no' + type: str + description: If this variable is set to 'yes', on stop and reload the built-in + chains are flushed. If it is set to 'no', on stop and reload the ufw secondary + chains are removed and the ufw primary chains are flushed + hidepid_option: + default: "" + type: str diff --git a/roles/os_hardening/tasks/minimize_access.yml b/roles/os_hardening/tasks/minimize_access.yml index da99781b6..a7083865a 100644 --- a/roles/os_hardening/tasks/minimize_access.yml +++ b/roles/os_hardening/tasks/minimize_access.yml 
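Review bot: `os_mnt_boot_options` is the only `*_options` entry in the spec without a `type: str`, so the /boot mount-option string is the one the validator will not type-check; add `type: str` there like its siblings. Several defaults are written as quoted strings where the variable is a collection or an empty string — `default: '[]'` with `type: list`, `default: '{}'` with `type: dict`, `default: "''"` with `type: str` — which documents the literal text `'[]'`/`''` and, should the spec default ever be applied, would most likely be coerced to a one-element list rather than an empty one; use `[]`, `{}` and `""`. The `os_auditd_action_mail_acct` description ends with a stray fragment (`of events created on one system but reported/analyzed on another system.`) that belongs to a different option, every `os_mnt_*_dump`/`*_passno` description says `/var/tmp` regardless of the mount point, and `polixy`/`perimissions` are typos; these were carried over from the README, but the spec is now the source of truth for generated docs. `hidepid_option` is declared with `default: ""` and no description even though minimize_access.yml appends it to the proc mount options; document that it is set per OS in vars/, which values are valid, and that an empty value yields an invalid `hidepid=`.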
@@ -73,12 +73,23 @@
 mode: "0750"
 when: '"change_user" not in os_security_users_allow'
+# we have to define this combined variable here, because when defining it
+# in the defaults like this:
+# proc_mnt_options: rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}
+# the role argument validator complains about the missing hidepid_option-variable.
+# If we define the hidepid_option-variable in the defaults, we cannot
+# overwrite it anymore in the vars (for some reason).
+
+- name: Define proc_mnt_options including hidepid_option
+ ansible.builtin.set_fact:
+ _proc_mnt_options: "{{ proc_mnt_options }},hidepid={{ hidepid_option }}"
+
 - name: Set option hidepid for proc filesystem
 ansible.posix.mount:
 path: /proc
 src: proc
 fstype: proc
- opts: "{{ proc_mnt_options }}"
+ opts: "{{ _proc_mnt_options }}"
 state: mounted
 - name: Generate list of current available mounted filesystems on the system
diff --git a/roles/ssh_hardening/README.md b/roles/ssh_hardening/README.md
index cb1312295..2154d69a9 100644
--- a/roles/ssh_hardening/README.md
+++ b/roles/ssh_hardening/README.md
@@ -1,6 +1,6 @@
 # dev-sec.ssh_hardening
-![devsec.ssh_hardening](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.ssh_hardening/badge.svg)
+![devsec.ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/workflows/devsec.ssh_hardening/badge.svg)
 ## Description
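Review bot: The new `_proc_mnt_options` fact appends `,hidepid={{ hidepid_option }}` unconditionally, while the argument spec added in this same commit declares `hidepid_option` with `default: ""`; on a host where no vars file overrides it, the mount task then receives `...,hidepid=` with an empty value, which I would expect the kernel to reject (failing the play) rather than to treat as "no hidepid". Guarding the suffix keeps the option string valid in that case: `_proc_mnt_options: "{{ proc_mnt_options }}{{ (',hidepid=' ~ hidepid_option) if hidepid_option | length > 0 else '' }}"`. The explanatory comment only says why the value cannot live in defaults; it would help to also state where the real per-platform value is expected to come from, e.g. `# hidepid_option is expected to be supplied by the role's vars files; the spec default "" only satisfies the argument validator` (adjust to wherever it is actually set). The `when:` at the top of the hunk belongs to the previous task, whose start is outside the hunk.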
@@ -8,250 +8,431 @@ This role provides secure ssh-client and ssh-server configurations. It is intend Warning: This role disables root-login on the target server! Please make sure you have another user with su or sudo permissions that can login into the server. -## Requirements + +## Supported Operating Systems -- Ansible >= 2.9 -- root-privileges on the target system - -As this role requires root-privileges, we added `become: true` to all tasks. So please make sure you run the role as root or as a user with become-privileges. +| Platform | Versions | +| -------- | -------- | +| EL | 7, 8, 9 | +| Ubuntu | bionic, focal, jammy | +| Debian | buster, bullseye | +| Amazon | | +| Fedora | | +| ArchLinux | | +| SmartOS | | +| FreeBSD | 12.2 | +| OpenBSD | 7.0 | ## Role Variables -- `network_ipv6_enable` - - Default: `true` - - Description: false if IPv6 is not needed. `ssh_listen_to` must also be set to listen to IPv6 addresses (for example `[::]`). -- `ssh_client_config_file` - - Default: `'/etc/ssh/ssh_config'` - - Description: path of the ssh client configuration file, e.g. `/etc/ssh/ssh_config.d/custom.conf`. -- `ssh_server_config_file` - - Default: `'/etc/ssh/sshd_config'` - - Description: path of the ssh server configuration file, e.g. `/etc/ssh/sshd_config.d/custom.conf`. -- `ssh_server_ports` - - Default: `['22']` - - Description: ports on which ssh-server should listen. -- `ssh_client_port` - - Default: `'22'` - - Description: Specifies the port number to connect on the remote host. -- `ssh_listen_to` - - Default: `['0.0.0.0']` - - Description: one or more ip addresses, to which ssh-server should listen to. Default is all IPv4 addresses, but should be configured to specific addresses for security reasons! -- `ssh_host_key_files` - - Default: `[]` - - Description: Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version. 
-- `ssh_host_rsa_key_size` - - Default: `4096` - - Description: Specifies the number of bits in the private host RSA key to create. -- `ssh_host_key_algorithms` - - Default: `[]` - - Description: Host key algorithms that the server offers. If empty the default list will be used. Otherwise overrides the setting with specified list of algorithms. Check `man sshd_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version! -- `ssh_client_host_key_algorithms` - - Default: `[]` - - Description: Specifies the host key algorithms that the client wants to use in order of preference. If empty the default list will be used. Otherwise overrides the setting with specified list of algorithms. Check `man ssh_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version!. -- `ssh_client_alive_interval` - - Default: `600` - - Description: specifies an interval for sending keepalive messages. -- `ssh_client_alive_count` - - Default: `3` - - Description: Defines the number of acceptable unanswered client alive messages before disconnecting clients. -- `ssh_permit_tunnel` - - Default: `false` - - Description: true if SSH Port Tunneling is required. -- `ssh_remote_hosts` - - Default: `[]` - - Description: one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`. -- `ssh_permit_root_login` - - Default: `no` - - Description: Disable root-login. Set to `'without-password'` or `'yes'` to enable root-login - The quotes are required! -- `ssh_allow_tcp_forwarding` - - Default: `no` - - Description: `'no'` or `False` to disable TCP Forwarding. Set to `'yes'` or `True` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `'yes'`, `'no'`, `'all'`, `'local'`or`'remote'`. 
-- `ssh_gateway_ports` - - Default: `false` - - Description: `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to. -- `ssh_allow_agent_forwarding` - - Default: `false` - - Description: false to disable Agent Forwarding. Set to true to allow Agent Forwarding. -- `ssh_x11_forwarding` - - Default: `false` - - Description: false to disable X11 Forwarding. Set to true to allow X11 Forwarding. -- `ssh_pam_support` - - Default: `true` - - Description: true if SSH has PAM support. -- `ssh_use_pam` - - Default: `true` - - Description: false to disable pam authentication. -- `ssh_gssapi_support` - - Default: `false` - - Description: Set to true to enable GSSAPI authentication (both client and server). -- `ssh_gssapi_delegation` - - Default: `false` - - Description: Set to true to enable GSSAPI credential forwarding. -- `ssh_kerberos_support` - - Default: `true` - - Description: true if SSH has Kerberos support. -- `ssh_deny_users` - - Default: `''` - - Description: if specified, login is disallowed for user names that match one of the patterns. -- `ssh_allow_users` - - Default: `''` - - Description: if specified, login is allowed only for user names that match one of the patterns. -- `ssh_deny_groups` - - Default: `''` - - Description: if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns. -- `ssh_allow_groups` - - Default: `''` - - Description: if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. -- `ssh_authorized_keys_file` - - Default: `''` - - Description: change default file that contains the public keys that can be used for user authentication. 
-- `ssh_trusted_user_ca_keys_file` - - Default: `''` - - Description: specifies the file containing trusted certificate authorities public keys used to sign user certificates. -- `ssh_trusted_user_ca_keys` - - Default: `[]` - - Description: set the trusted certificate authorities public keys used to sign user certificates. Only used if `ssh_trusted_user_ca_keys_file` is set. -- `ssh_authorized_principals_file` - - Default: `''` - - Description: specifies the file containing principals that are allowed. Only used if `ssh_trusted_user_ca_keys_file` is set. -- `ssh_authorized_principals` - - Default: `[]` - - Description: list of hashes containing file paths and authorized principals, see `default_custom.yml` for all options. Only used if `ssh_authorized_principals_file` is set. -- `ssh_print_motd` - - Default: `false` - - Description: false to disable printing of the MOTD. -- `ssh_print_pam_motd` - - Default: `false` - - Description: false to disable printing of the MOTD via pam (Debian and Ubuntu). -- `ssh_print_last_log` - - Default: `false` - - Description: false to disable display of last login information. -- `sftp_enabled` - - Default: `true` - - Description: false to disable sftp configuration. -- `sftp_umask` - - Default: `'0027'` - - Description: Specifies the umask for sftp. -- `sftp_chroot` - - Default: `true` - - Description: false to disable chroot for sftp. -- `sftp_chroot_dir` - - Default: `/home/%u` - - Description: change default sftp chroot location. -- `ssh_client_roaming` - - Default: `false` - - Description: enable experimental client roaming. -- `sshd_moduli_file` - - Default: `'/etc/ssh/moduli'` - - Description: path to the SSH moduli file. -- `sshd_moduli_minimum` - - Default: `2048` - - Description: remove Diffie-Hellman parameters smaller than the defined size to mitigate logjam. -- `ssh_challengeresponseauthentication` - - Default: `false` - - Description: Specifies whether challenge-response authentication is allowed (e.g. via PAM). 
-- `ssh_client_password_login` - - Default: `false` - - Description: `true` to allow password-based authentication with the ssh client. -- `ssh_server_password_login` - - Default: `false` - - Description: `true` to allow password-based authentication to the ssh server. You probably also need to change `sshd_authenticationmethods` to include `password` if you set `ssh_server_password_login`: `true`. -- `ssh_banner` - - Default: `false` - - Description: `true` to print a banner on login. -- `ssh_banner_path` - - Default: `'/etc/sshd/banner.txt'` - - Description: path to the SSH banner file. -- `ssh_client_hardening` - - Default: `true` - - Description: `false` to stop harden the client. -- `ssh_client_compression` - - Default: `false` - - Description: Specifies whether the client requests compression. -- `ssh_compression` - - Default: `false` - - Description: Specifies whether server-side compression is enabled after the user has authenticated successfully. -- `ssh_login_grace_time` - - Default: `30s` - - Description: specifies the time allowed for successful authentication to the SSH server. -- `ssh_max_auth_retries` - - Default: `2` - - Description: Specifies the maximum number of authentication attempts permitted per connection. -- `ssh_max_sessions` - - Default: `10` - - Description: Specifies the maximum number of open sessions permitted from a given connection. -- `ssh_print_debian_banner` - - Default: `false` - - Description: `true` to print debian specific banner. -- `ssh_server_enabled` - - Default: `true` - - Description: `false` to disable the opensshd server. -- `ssh_server_hardening` - - Default: `true` - - Description: `false` to stop harden the server. -- `ssh_server_match_address` - - Default: `''` - - Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. 
-- `ssh_server_match_group` - - Default: `''` - - Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. -- `ssh_server_match_user` - - Default: `''` - - Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. -- `ssh_server_match_local_port` - - Default: `''` - - Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. -- `ssh_server_permit_environment_vars` - - Default: `no` - - Description: `yes` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global "yes" or "no" settings. -- `ssh_server_accept_env_vars` - - Default: `''` - - Description: Specifies what environment variables sent by the client will be copied into the session's environment, multiple environment variables may be separated by whitespace. -- `ssh_use_dns` - - Default: `false` - - Description: Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. -- `ssh_server_revoked_keys` - - Default: `[]` - - Description: a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys. 
-- `ssh_max_startups` - - Default: `'10:30:60'` - - Description: Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. -- `ssh_macs` - - Default: `[]` - - Description: Change this list to overwrite macs. Defaults found in `defaults/main.yml`. -- `ssh_kex` - - Default: `[]` - - Description: Change this list to overwrite kexs. Defaults found in `defaults/main.yml`. -- `ssh_ciphers` - - Default: `[]` - - Description: Change this list to overwrite ciphers. Defaults found in `defaults/main.yml`. -- `ssh_custom_options` - - Default: `[]` - - Description: Custom lines for SSH client configuration. -- `sshd_custom_options` - - Default: `[]` - - Description: Custom lines for SSH daemon configuration. -- `sshd_syslog_facility` - - Default: `'AUTH'` - - Description: The facility code that is used when logging messages from sshd. -- `sshd_log_level` - - Default: `'VERBOSE'` - - Description: the verbosity level that is used when logging messages from sshd. -- `sshd_strict_modes` - - Default: `true` - - Description: Check file modes and ownership of the user's files and home directory before accepting login. -- `sshd_authenticationmethods` - - Default: `publickey` - - Description: Specifies the authentication methods that must be successfully completed for a user to be granted access. Make sure to set all required variables for your selected authentication method. Defaults found in `defaults/main.yml`. +* `network_ipv6_enable` + * Default: `true` + * Description: false if IPv6 is not needed. `ssh_listen_to` must also be set to listen to IPv6 addresses (for example `[::]`). + * Type: bool + * Required: no +* `ssh_client_config_file` + * Default: `/etc/ssh/ssh_config` + * Description: path of the ssh client configuration file, e.g. `/etc/ssh/ssh_config.d/custom.conf`. + * Type: str + * Required: no +* `ssh_server_config_file` + * Default: `/etc/ssh/sshd_config` + * Description: path of the ssh server configuration file, e.g. 
`/etc/ssh/sshd_config.d/custom.conf`. + * Type: str + * Required: no +* `ssh_server_ports` + * Default: `["22"]` + * Description: ports on which ssh-server should listen. + * Type: list + * Required: no +* `ssh_client_port` + * Default: `22` + * Description: Specifies the port number to connect on the remote host. + * Type: str + * Required: no +* `ssh_listen_to` + * Default: `["0.0.0.0"]` + * Description: one or more ip addresses, to which ssh-server should listen to. Default i all IPv4 addresses, but should be configured to specific addresses for security reasons + * Type: list + * Required: no +* `ssh_host_key_files` + * Default: `` + * Description: Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version. + * Type: list + * Required: no +* `ssh_host_rsa_key_size` + * Default: `4096` + * Description: Specifies the number of bits in the private host RSA key to create. + * Type: str + * Required: no +* `ssh_host_key_algorithms` + * Default: `` + * Description: Host key algorithms that the server offers. If empty the default lst will be used. Otherwise overrides the setting with specified list of algorithms. Check `man sshd_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version + * Type: list + * Required: no +* `ssh_client_host_key_algorithms` + * Default: `` + * Description: Specifies the host key algorithms that the client wants to use in order of preference. If empty the default lst will be used. Otherwise overrides the setting with specified list of algorithms. Check `man ssh_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version! + * Type: list + * Required: no +* `ssh_client_alive_interval` + * Default: `600` + * Description: specifies an interval for sending keepalive messages. 
+ * Type: str + * Required: no +* `ssh_client_alive_count` + * Default: `3` + * Description: Defines the number of acceptable unanswered client alive messages before disconnecting clients. + * Type: str + * Required: no +* `ssh_permit_tunnel` + * Default: `false` + * Description: true if SSH Port Tunneling is required. + * Type: bool + * Required: no +* `ssh_remote_hosts` + * Default: `` + * Description: one or more hosts and their custom options for the ssh-client. Default i empty. See examples in `defaults/ain.yml` + * Type: list + * Required: no +* `ssh_permit_root_login` + * Default: `no` + * Description: Disable root-login. Set to `'without-password'` or `'yes'` to enable root-login - The quotes are required! + * Type: str + * Required: no +* `ssh_allow_tcp_forwarding` + * Default: `no` + * Description: 'no' or `False` to disable TCP Forwarding. Set to `'yes'` or `True` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `'yes'`, `'no'`, `'all'`, `'local'`or`'remote'`. + * Type: str + * Required: no +* `ssh_gateway_ports` + * Default: `false` + * Description: `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to. + * Type: bool + * Required: no +* `ssh_allow_agent_forwarding` + * Default: `false` + * Description: false to disable Agent Forwarding. Set to true to allow Agent Forwarding. + * Type: bool + * Required: no +* `ssh_x11_forwarding` + * Default: `false` + * Description: false to disable X11 Forwarding. Set to true to allow X11 Forwarding. + * Type: bool + * Required: no +* `ssh_pam_support` + * Default: `true` + * Description: true if SSH has PAM support. + * Type: bool + * Required: no +* `ssh_use_pam` + * Default: `true` + * Description: false to disable pam authentication. 
+ * Type: bool + * Required: no +* `ssh_gssapi_support` + * Default: `false` + * Description: Set to true to enable GSSAPI authentication (both client and server). + * Type: bool + * Required: no +* `ssh_gssapi_delegation` + * Default: `false` + * Description: Set to true to enable GSSAPI credential forwarding. + * Type: bool + * Required: no +* `ssh_kerberos_support` + * Default: `true` + * Description: true if SSH has Kerberos support. + * Type: bool + * Required: no +* `ssh_deny_users` + * Default: `` + * Description: if specified, login is disallowed for user names that match one of the patterns. + * Type: str + * Required: no +* `ssh_allow_users` + * Default: `` + * Description: if specified, login is allowed only for user names that match one of the patterns. + * Type: str + * Required: no +* `ssh_deny_groups` + * Default: `` + * Description: if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns. + * Type: str + * Required: no +* `ssh_allow_groups` + * Default: `` + * Description: if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. + * Type: str + * Required: no +* `ssh_authorized_keys_file` + * Default: `` + * Description: change default fle that contains the public keys that can be used for user authentication + * Type: str + * Required: no +* `ssh_trusted_user_ca_keys_file` + * Default: `` + * Description: specifies the file containing trusted certificate authorities public keys used to sign user certificates. + * Type: str + * Required: no +* `ssh_trusted_user_ca_keys` + * Default: `` + * Description: set the trusted certificate authorities public keys used to sign user certificates. Only used if `ssh_trusted_user_ca_keys_file` is set. + * Type: list + * Required: no +* `ssh_authorized_principals_file` + * Default: `` + * Description: specifies the file containing principals that are allowed. 
Only used if `ssh_trusted_user_ca_keys_file` is set. + * Type: str + * Required: no +* `ssh_authorized_principals` + * Default: `` + * Description: list of hashes containing file paths and authorized principals, see `default_cstom.yml` for all options. Only used if `ssh_authorized_principals_file` is set + * Type: list + * Required: no +* `ssh_print_motd` + * Default: `false` + * Description: false to disable printing of the MOTD. + * Type: bool + * Required: no +* `ssh_print_pam_motd` + * Default: `false` + * Description: false to disable printing of the MOTD via pam (Debian and Ubuntu). + * Type: bool + * Required: no +* `ssh_print_last_log` + * Default: `false` + * Description: false to disable display of last login information. + * Type: bool + * Required: no +* `sftp_enabled` + * Default: `true` + * Description: false to disable sftp configuration. + * Type: bool + * Required: no +* `sftp_umask` + * Default: `0027` + * Description: Specifies the umask for sftp. + * Type: str + * Required: no +* `sftp_chroot` + * Default: `true` + * Description: false to disable chroot for sftp. + * Type: bool + * Required: no +* `sftp_chroot_dir` + * Default: `/home/%u` + * Description: change default stp chroot location + * Type: str + * Required: no +* `ssh_client_roaming` + * Default: `false` + * Description: enable experimental client roaming. + * Type: bool + * Required: no +* `sshd_moduli_file` + * Default: `/etc/ssh/moduli` + * Description: path to the SSH moduli file. + * Type: str + * Required: no +* `sshd_moduli_minimum` + * Default: `2048` + * Description: remove Diffie-Hellman parameters smaller than the defined size to mitigate logjam. + * Type: str + * Required: no +* `ssh_challengeresponseauthentication` + * Default: `false` + * Description: Specifies whether challenge-response authentication is allowed (e.g. via PAM). 
+ * Type: bool + * Required: no +* `ssh_client_password_login` + * Default: `false` + * Description: `true` to allow password-based authentication with the ssh client. + * Type: bool + * Required: no +* `ssh_server_password_login` + * Default: `false` + * Description: `true` to allow password-based authentication to the ssh server. You probably also need to change `sshd_authenticationmethods` to include `password` if you set `ssh_server_password_login`: `true`. + * Type: bool + * Required: no +* `ssh_banner` + * Default: `false` + * Description: `true` to print a banner on login. + * Type: bool + * Required: no +* `ssh_banner_path` + * Default: `/etc/sshd/banner.txt` + * Description: path to the SSH banner file. + * Type: str + * Required: no +* `ssh_client_hardening` + * Default: `true` + * Description: `false` to stop harden the client. + * Type: bool + * Required: no +* `ssh_client_compression` + * Default: `false` + * Description: Specifies whether the client requests compression. + * Type: bool + * Required: no +* `ssh_compression` + * Default: `false` + * Description: Specifies whether server-side compression is enabled after the user has authenticated successfully. + * Type: bool + * Required: no +* `ssh_login_grace_time` + * Default: `30s` + * Description: specifies the time allowed for successful authentication to the SSH server. + * Type: str + * Required: no +* `ssh_max_auth_retries` + * Default: `2` + * Description: Specifies the maximum number of authentication attempts permitted per connection. + * Type: str + * Required: no +* `ssh_max_sessions` + * Default: `10` + * Description: Specifies the maximum number of open sessions permitted from a given connection. + * Type: str + * Required: no +* `ssh_print_debian_banner` + * Default: `false` + * Description: `true` to print debian specific banner. + * Type: bool + * Required: no +* `ssh_server_enabled` + * Default: `true` + * Description: `false` to disable the opensshd server. 
+ * Type: bool + * Required: no +* `ssh_server_hardening` + * Default: `true` + * Description: `false` to stop harden the server. + * Type: bool + * Required: no +* `ssh_server_match_address` + * Default: `` + * Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. + * Type: str + * Required: no +* `ssh_server_match_group` + * Default: `` + * Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. + * Type: str + * Required: no +* `ssh_server_match_user` + * Default: `` + * Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. + * Type: str + * Required: no +* `ssh_server_match_local_port` + * Default: `` + * Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. + * Type: str + * Required: no +* `ssh_server_permit_environment_vars` + * Default: `no` + * Description: `yes` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global 'yes' or 'no' settings. 
+ * Type: str + * Required: no +* `ssh_server_accept_env_vars` + * Default: `` + * Description: Specifies what environment variables sent by the client will be copied into the session's environment, multiple environment variables may be separated by whitespace. + * Type: str + * Required: no +* `ssh_use_dns` + * Default: `false` + * Description: Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. + * Type: bool + * Required: no +* `ssh_server_revoked_keys` + * Default: `` + * Description: a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys. + * Type: list + * Required: no +* `ssh_max_startups` + * Default: `10:30:60` + * Description: Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. + * Type: str + * Required: no +* `ssh_macs` + * Default: `` + * Description: Change this list to overwrite macs. Defaults found in `defaults/main.yml` + * Type: list + * Required: no +* `ssh_kex` + * Default: `` + * Description: Change this list to overwrite kexs. Defaults found in `defaults/main.yml` + * Type: list + * Required: no +* `ssh_ciphers` + * Default: `` + * Description: Change this list to overwrite ciphers. Defaults found in `defaults/main.yml` + * Type: list + * Required: no +* `ssh_custom_options` + * Default: `[]` + * Description: Custom lines for SSH client configuration. + * Type: str + * Required: no +* `sshd_custom_options` + * Default: `` + * Description: Custom lines for SSH daemon configuration. + * Type: list + * Required: no +* `sshd_syslog_facility` + * Default: `AUTH` + * Description: The facility code that is used when logging messages from sshd. + * Type: str + * Required: no +* `sshd_log_level` + * Default: `VERBOSE` + * Description: the verbosity level that is used when logging messages from sshd. 
+ * Type: str + * Required: no +* `sshd_strict_modes` + * Default: `true` + * Description: Check file modes and ownership of the user's files and home directory before accepting login. + * Type: bool + * Required: no +* `sshd_authenticationmethods` + * Default: `publickey` + * Description: Specifies the authentication methods that must be successfully completed for a user to be granted access. Make sure to set all required variables for your selected authentication method. Defaults found in `defaults/main.yml` + * Type: str + * Required: no +* `ssh_custom_selinux_dir` + * Default: `/etc/selinux/local-policies` + * Description: directory where to store the ssh_password policy + * Type: str + * Required: no +* `ssh_hardening_enabled` + * Default: `true` + * Description: Wether to run the hardening or not + * Type: bool + * Required: no +* `ssh_host_certificates` + * Default: `` + * Description: Host certificates to look for when starting sshd + * Type: list + * Required: no +* `ssh_ps59` + * Default: `sandbox` + * Description: Specifies whether sshd separates privileges by creating an unprivileged child process to deal with incoming network traffic. + * Type: str + * Required: no + +## Dependencies + +None. ## Example Playbook -```yml -- hosts: localhost - collections: - - devsec.hardening +``` +- hosts: all roles: - - ssh_hardening + - name: devsec.hardening.ssh_hardening ``` + ## Configuring settings not listed in role-variables 
@@ -281,3 +462,11 @@ If you use this role to disable SFTP (`sftp_enabled: false`) you will get errors
 This role uses the default port 22 or the port configured in the inventory to connect to the server. If the default `ssh` port is changed via `ssh_server_ports`, once the ssh server is restarted, it will still try to connect using the previous port. In order to run this role again on the same server the inventory will have to be updated to use the new ssh port.
 If idempotency is important, please consider using role [`ssh-hardening-fallback`](https://github.com/nununo/ansible-ssh-hardening-fallback), which is a wrapper around this role that falls back to port 22 if the configured port is unreachable.
+
+
+## License
+Apache License 2.0
+
+## Author and Project Information
+Sebastian Gumprich @ Hardening Framework Team
+
diff --git a/roles/ssh_hardening/meta/argument_specs.yml b/roles/ssh_hardening/meta/argument_specs.yml
new file mode 100644
index 000000000..57c04ccce
--- /dev/null
+++ b/roles/ssh_hardening/meta/argument_specs.yml
@@ -0,0 +1,351 @@ +--- +argument_specs: + main: + short_description: The main entry point for the ssh hardening role. + version_added: 8.8.0 + options: + network_ipv6_enable: + default: true + type: bool + description: false if IPv6 is not needed. `ssh_listen_to` must also be set + to listen to IPv6 addresses (for example `[::]`). + ssh_client_config_file: + default: /etc/ssh/ssh_config + description: path of the ssh client configuration file, e.g. `/etc/ssh/ssh_config.d/custom.conf`. + ssh_server_config_file: + default: /etc/ssh/sshd_config + description: path of the ssh server configuration file, e.g. `/etc/ssh/sshd_config.d/custom.conf`. + ssh_server_ports: + default: ['22'] + type: list + description: ports on which ssh-server should listen. + ssh_client_port: + default: '22' + description: Specifies the port number to connect on the remote host. + ssh_listen_to: + default: [0.0.0.0] + type: list + description: one or more ip addresses, to which ssh-server should listen to. + Default i all IPv4 addresses, but should be configured to specific addresses + for security reasons + ssh_host_key_files: + default: [] + type: list + description: Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', + '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the + installed sshd version. + ssh_host_rsa_key_size: + default: 4096 + description: Specifies the number of bits in the private host RSA key to create. + ssh_host_key_algorithms: + default: [] + type: list + description: Host key algorithms that the server offers. If empty the default + lst will be used. Otherwise overrides the setting with specified list of + algorithms. 
Check `man sshd_config`, `ssh -Q HostKeyAlgorithms` or other + sources for supported algorithms - make sure you check the correct version + ssh_client_host_key_algorithms: + default: [] + type: list + description: Specifies the host key algorithms that the client wants to use + in order of preference. If empty the default lst will be used. Otherwise + overrides the setting with specified list of algorithms. Check `man ssh_config`, + `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make + sure you check the correct version! + ssh_client_alive_interval: + default: 600 + description: specifies an interval for sending keepalive messages. + ssh_client_alive_count: + default: 3 + description: Defines the number of acceptable unanswered client alive messages + before disconnecting clients. + ssh_permit_tunnel: + default: false + type: bool + description: true if SSH Port Tunneling is required. + ssh_remote_hosts: + default: [] + type: list + description: one or more hosts and their custom options for the ssh-client. + Default i empty. See examples in `defaults/ain.yml` + ssh_permit_root_login: + default: 'no' + description: Disable root-login. Set to `'without-password'` or `'yes'` to + enable root-login - The quotes are required! + ssh_allow_tcp_forwarding: + default: 'no' + description: "'no' or `False` to disable TCP Forwarding. Set to `'yes'` or\ + \ `True` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version,\ + \ you can specify `'yes'`, `'no'`, `'all'`, `'local'`or`'remote'`." + ssh_gateway_ports: + default: false + type: bool + description: '`false` to disable binding forwarded ports to non-loopback addresses. + Set to `true` to force binding on wildcard address. Set to `clientspecified` + to allow the client to specify which address to bind to.' + ssh_allow_agent_forwarding: + default: false + type: bool + description: false to disable Agent Forwarding. Set to true to allow Agent + Forwarding. 
+ ssh_x11_forwarding: + default: false + type: bool + description: false to disable X11 Forwarding. Set to true to allow X11 Forwarding. + ssh_pam_support: + default: true + type: bool + description: true if SSH has PAM support. + ssh_use_pam: + default: true + type: bool + description: false to disable pam authentication. + ssh_gssapi_support: + default: false + type: bool + description: Set to true to enable GSSAPI authentication (both client and + server). + ssh_gssapi_delegation: + default: false + type: bool + description: Set to true to enable GSSAPI credential forwarding. + ssh_kerberos_support: + default: true + type: bool + description: true if SSH has Kerberos support. + ssh_deny_users: + default: '' + description: if specified, login is disallowed for user names that match one + of the patterns. + ssh_allow_users: + default: '' + description: if specified, login is allowed only for user names that match + one of the patterns. + ssh_deny_groups: + default: '' + description: if specified, login is disallowed for users whose primary group + or supplementary group list matches one of the patterns. + ssh_allow_groups: + default: '' + description: if specified, login is allowed only for users whose primary group + or supplementary group list matches one of the patterns. + ssh_authorized_keys_file: + default: '' + description: change default fle that contains the public keys that can be + used for user authentication + ssh_trusted_user_ca_keys_file: + default: '' + description: specifies the file containing trusted certificate authorities + public keys used to sign user certificates. + ssh_trusted_user_ca_keys: + default: [] + type: list + description: set the trusted certificate authorities public keys used to sign + user certificates. Only used if `ssh_trusted_user_ca_keys_file` is set. + ssh_authorized_principals_file: + default: '' + description: specifies the file containing principals that are allowed. 
Only + used if `ssh_trusted_user_ca_keys_file` is set. + ssh_authorized_principals: + default: [] + type: list + description: list of hashes containing file paths and authorized principals, + see `default_cstom.yml` for all options. Only used if `ssh_authorized_principals_file` + is set + ssh_print_motd: + default: false + type: bool + description: false to disable printing of the MOTD. + ssh_print_pam_motd: + default: false + type: bool + description: false to disable printing of the MOTD via pam (Debian and Ubuntu). + ssh_print_last_log: + default: false + type: bool + description: false to disable display of last login information. + sftp_enabled: + default: true + type: bool + description: false to disable sftp configuration. + sftp_umask: + default: '0027' + description: Specifies the umask for sftp. + sftp_chroot: + default: true + type: bool + description: false to disable chroot for sftp. + sftp_chroot_dir: + default: /home/%u + description: change default stp chroot location + ssh_client_roaming: + default: false + type: bool + description: enable experimental client roaming. + sshd_moduli_file: + default: /etc/ssh/moduli + description: path to the SSH moduli file. + sshd_moduli_minimum: + default: 2048 + description: remove Diffie-Hellman parameters smaller than the defined size + to mitigate logjam. + ssh_challengeresponseauthentication: + default: false + type: bool + description: Specifies whether challenge-response authentication is allowed + (e.g. via PAM). + ssh_client_password_login: + default: false + type: bool + description: '`true` to allow password-based authentication with the ssh client.' + ssh_server_password_login: + default: false + type: bool + description: '`true` to allow password-based authentication to the ssh server. + You probably also need to change `sshd_authenticationmethods` to include + `password` if you set `ssh_server_password_login`: `true`.' 
+ ssh_banner: + default: false + type: bool + description: '`true` to print a banner on login.' + ssh_banner_path: + default: /etc/sshd/banner.txt + description: path to the SSH banner file. + ssh_client_hardening: + default: true + type: bool + description: '`false` to stop harden the client.' + ssh_client_compression: + default: false + type: bool + description: Specifies whether the client requests compression. + ssh_compression: + default: false + type: bool + description: Specifies whether server-side compression is enabled after the + user has authenticated successfully. + ssh_login_grace_time: + default: 30s + description: specifies the time allowed for successful authentication to the + SSH server. + ssh_max_auth_retries: + default: 2 + description: Specifies the maximum number of authentication attempts permitted + per connection. + ssh_max_sessions: + default: 10 + description: Specifies the maximum number of open sessions permitted from + a given connection. + ssh_print_debian_banner: + default: false + type: bool + description: '`true` to print debian specific banner.' + ssh_server_enabled: + default: true + type: bool + description: '`false` to disable the opensshd server.' + ssh_server_hardening: + default: true + type: bool + description: '`false` to stop harden the server.' + ssh_server_match_address: + default: '' + description: Introduces a conditional block. If all of the criteria on the + Match line are satisfied, the keywords on the following lines override those + set in the global section of the config file, until either another Match + line or the end of the file. + ssh_server_match_group: + default: '' + description: Introduces a conditional block. If all of the criteria on the + Match line are satisfied, the keywords on the following lines override those + set in the global section of the config file, until either another Match + line or the end of the file. 
+ ssh_server_match_user: + default: '' + description: Introduces a conditional block. If all of the criteria on the + Match line are satisfied, the keywords on the following lines override those + set in the global section of the config file, until either another Match + line or the end of the file. + ssh_server_match_local_port: + default: '' + description: Introduces a conditional block. If all of the criteria on the + Match line are satisfied, the keywords on the following lines override those + set in the global section of the config file, until either another Match + line or the end of the file. + ssh_server_permit_environment_vars: + default: 'no' + description: "`yes` to specify that ~/.ssh/environment and environment= options\ + \ in ~/.ssh/authorized_keys are processed by sshd. With openssh version\ + \ 7.8 it is possible to specify a whitelist of environment variable names\ + \ in addition to global 'yes' or 'no' settings." + ssh_server_accept_env_vars: + default: '' + description: Specifies what environment variables sent by the client will + be copied into the session's environment, multiple environment variables + may be separated by whitespace. + ssh_use_dns: + default: false + type: bool + description: Specifies whether sshd should look up the remote host name, and + to check that the resolved host name for the remote IP address maps back + to the very same IP address. + ssh_server_revoked_keys: + default: [] + type: list + description: a list of revoked public keys that the ssh server will always + reject, useful to revoke known weak or compromised keys. + ssh_max_startups: + default: 10:30:60 + description: Specifies the maximum number of concurrent unauthenticated connections + to the SSH daemon. + ssh_macs: + default: [] + type: list + description: Change this list to overwrite macs. Defaults found in `defaults/main.yml` + ssh_kex: + default: [] + type: list + description: Change this list to overwrite kexs. 
Defaults found in `defaults/main.yml` + ssh_ciphers: + default: [] + type: list + description: Change this list to overwrite ciphers. Defaults found in `defaults/main.yml` + ssh_custom_options: + default: [] + description: Custom lines for SSH client configuration. + sshd_custom_options: + default: [] + type: list + description: Custom lines for SSH daemon configuration. + sshd_syslog_facility: + default: AUTH + description: The facility code that is used when logging messages from sshd. + type: str + sshd_log_level: + default: VERBOSE + description: the verbosity level that is used when logging messages from sshd. + sshd_strict_modes: + default: true + type: bool + description: Check file modes and ownership of the user's files and home directory + before accepting login. + sshd_authenticationmethods: + default: publickey + description: Specifies the authentication methods that must be successfully + completed for a user to be granted access. Make sure to set all required + variables for your selected authentication method. Defaults found in `defaults/main.yml` + ssh_custom_selinux_dir: + default: /etc/selinux/local-policies + description: directory where to store the ssh_password policy + ssh_hardening_enabled: + default: true + type: bool + description: Wether to run the hardening + ssh_host_certificates: + default: [] + type: list + description: Host certificates to look for when starting sshd + ssh_ps59: + default: sandbox + description: Specifies whether sshd separates privileges by creating an unprivileged + child process to deal with incoming network traffic. From 4cb29752bc9cb2985582a1acb3e69bd9d9bd7370 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 25 Jul 2023 14:09:59 +0200 Subject: [PATCH 02/17] add role argument spec for os, ssh, mysql 
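Review bot: `ssh_gateway_ports` is declared `type: bool` while its own description says `clientspecified` is a valid value; argument-spec validation will reject that string even though `sshd_config` accepts `GatewayPorts clientspecified`, so either drop the `type` line (str) or remove `clientspecified` from the description. Several options carry a non-string default but no `type`, which in an Ansible argument spec means `str`: `ssh_host_rsa_key_size`, `ssh_client_alive_interval`, `ssh_client_alive_count`, `ssh_max_auth_retries`, `ssh_max_sessions` and `sshd_moduli_minimum` should get `type: int`, and `ssh_custom_options` (default `[]`) should get `type: list` like `sshd_custom_options` right below it. `ssh_max_startups: default: 10:30:60` is an unquoted colon-separated scalar; write `default: '10:30:60'` so no YAML 1.1 parser can retype it and it stays the string sshd expects. The descriptions also keep typos that the spelling commit later in this series does not touch: `Default i all IPv4`, `default lst`, `defaults/ain.yml`, `default_cstom.yml`, `stp chroot`.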
Signed-off-by: Sebastian Gumprich --- roles/nginx_hardening/defaults/main.yml | 1 - roles/nginx_hardening/meta/argument_specs.yml | 90 +++++++++++++++++++ roles/os_hardening/defaults/main.yml | 2 +- 3 files changed, 91 insertions(+), 2 deletions(-) create mode 100644 roles/nginx_hardening/meta/argument_specs.yml diff --git a/roles/nginx_hardening/defaults/main.yml b/roles/nginx_hardening/defaults/main.yml index 73913eb73..0b03c3ec3 100644 --- a/roles/nginx_hardening/defaults/main.yml +++ b/roles/nginx_hardening/defaults/main.yml @@ -25,7 +25,6 @@ nginx_add_header: - Strict-Transport-Security max-age=15768000 - Content-Security-Policy "script-src 'self'; object-src 'self'" -nginx_set_cookie_flag: "* HttpOnly secure" nginx_ssl_prefer_server_ciphers: "on" nginx_ssl_protocols: TLSv1.2 TLSv1.3 # yamllint disable-line rule:line-length diff --git a/roles/nginx_hardening/meta/argument_specs.yml b/roles/nginx_hardening/meta/argument_specs.yml new file mode 100644 index 000000000..8b1bfac03 --- /dev/null +++ b/roles/nginx_hardening/meta/argument_specs.yml 
@@ -0,0 +1,90 @@ +--- +argument_specs: + main: + short_description: The main entry point for the nginx hardening role. + version_added: 8.8.0 + options: + nginx_client_body_buffer_size: + default: 1k + type: str + description: Sets buffer size for reading client request body. In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file. + nginx_remove_default_site: + default: true + type: bool + description: Disables the default site. Set to false to enable the default site in nginx. + nginx_client_max_body_size: + default: 1k + type: str + description: Sets the maximum allowed size of the client request body, specified in the "Content-Length" request header field. If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client. + nginx_keepalive_timeout: + default: 5 5 + type: str + description: The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value in the "Keep-Alive timeout=time" response header field. + nginx_server_tokens: + default: off + type: str + description: Disables emitting nginx version in error messages and in the "Server" response header field. Set to on to enable the nginx version in error messages and "Server" response header. + nginx_client_header_buffer_size: + default: 1k + type: str + description: Sets buffer size for reading client request header. For most requests, a buffer of 1K bytes is enough. + nginx_large_client_header_buffers: + default: 2 1k + type: str + description: Sets the maximum number and size of buffers used for reading large client request header. + nginx_client_body_timeout: + default: 10 + type: int + description: Defines a timeout for reading client request body. 
+ nginx_client_header_timeout: + default: 10 + type: int + description: Defines a timeout for reading client request header. + nginx_send_timeout: + default: 10 + type: int + description: Sets a timeout for transmitting a response to the client. + nginx_limit_conn_zone: + default: $binary_remote_addr zone=default:10m + type: str + description: Sets parameters for a shared memory zone that will keep states for various keys. + nginx_limit_conn: + default: default 5 + type: str + description: Sets the shared memory zone and the maximum allowed number of connections for a given key value. + nginx_add_header: + default: [ "X-Frame-Options SAMEORIGIN", "X-Content-Type-Options nosniff", "X-XSS-Protection \"1; mode=block\"", Content-Security-Policy \"script-src 'self'; object-src 'self'\" ] + type: str + description: Adds the specified field to a response header provided that the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307. + nginx_ssl_protocols: + default: TLSv1.2 + type: str + description: Specifies the SSL protocol which should be used. + nginx_ssl_ciphers: + default: _see defaults.yml_ + type: str + description: Specifies the TLS ciphers which should be used. + nginx_ssl_prefer_server_ciphers: + default: on + type: str + description: Specifies that server ciphers should be preferred over client ciphers when using the TLS protocols. Set to false to disable it. + nginx_dh_size: + default: 2048 + type: str + description: Specifies the length of DH parameters for EDH ciphers. + nginx_configuration_dir: + default: /etc/nginx + type: str + description: The main location for all nginx configuration files + nginx_configuration_hardening_dir: + default: /etc/nginx + type: str + description: The location for the nginx hardening configuration file (Could be different e.g. 
when used in jails) + nginx_owner_user: + default: root + type: str + description: The owner user of the nginx configuration files + nginx_owner_group: + default: root + type: str + description: The owner group of the nginx configuration files diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml index 40c3c7b57..1ce0ac86d 100644 --- a/roles/os_hardening/defaults/main.yml +++ b/roles/os_hardening/defaults/main.yml @@ -306,7 +306,7 @@ sysctl_config: # Do not delete the following line or otherwise the playbook will fail # at task 'create a combined sysctl-dict if overwrites are defined' -sysctl_overwrite: +sysctl_overwrite: {} # Disable unused filesystems os_unused_filesystems: - cramfs From a8fb04942a660b9ffeb86becdda18e2c432dd187 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Mon, 31 Jul 2023 14:10:10 +0200 Subject: [PATCH 03/17] remove variable in variable as it cannot be used in argument spec Signed-off-by: Sebastian Gumprich --- roles/mysql_hardening/README.md | 5 ----- roles/mysql_hardening/defaults/main.yml | 2 -- roles/mysql_hardening/meta/argument_specs.yml | 4 ---- roles/mysql_hardening/tasks/configure.yml | 2 +- roles/mysql_hardening/vars/Debian.yml | 1 - 5 files changed, 1 insertion(+), 13 deletions(-) diff --git a/roles/mysql_hardening/README.md b/roles/mysql_hardening/README.md index f4bf9c919..515af200a 100644 --- a/roles/mysql_hardening/README.md +++ b/roles/mysql_hardening/README.md 
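Review bot: `nginx_add_header` is declared `type: str` but its default is a list, and the last element `Content-Security-Policy \"script-src 'self'; object-src 'self'\"` is an unquoted flow scalar, so the backslashes become part of the value instead of escaping the quotes; declare it `type: list` with `elements: str` and write the default as a block sequence matching defaults/main.yml, which also carries a `Strict-Transport-Security` entry this default omits. `nginx_server_tokens: default: off` and `nginx_ssl_prefer_server_ciphers: default: on` are unquoted YAML 1.1 booleans: Ansible's loader reads them as `false`/`true` and the `str` type will most likely turn them into `'False'`/`'True'`, which nginx does not accept, so quote them (`'off'`, `'on'`) the way defaults/main.yml already quotes `"on"`. `nginx_ssl_protocols: default: TLSv1.2` disagrees with `TLSv1.2 TLSv1.3` in defaults/main.yml; the spec should document the real default rather than a different one. `nginx_dh_size: default: 2048` with `type: str` likewise wants quoting to avoid the int-to-string conversion warning.
```yaml
      nginx_add_header:
        default:
          - X-Frame-Options SAMEORIGIN
          - X-Content-Type-Options nosniff
          - X-XSS-Protection "1; mode=block"
          - Strict-Transport-Security max-age=15768000
          - Content-Security-Policy "script-src 'self'; object-src 'self'"
        type: list
        elements: str
        # … unchanged: description …
```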
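Review bot: The comment above `sysctl_overwrite: {}` still only says not to delete the line; since a bare `sysctl_overwrite:` is `null` and that is what broke the 'create a combined sysctl-dict if overwrites are defined' task, the comment should also state that the value must stay a mapping, e.g. `# Keep this a mapping (it may be empty): a bare 'sysctl_overwrite:' is null and breaks the 'create a combined sysctl-dict' task`. If the os_hardening argument spec added in PATCH 01 of this series lists this variable, it should declare `type: dict` with `default: {}` so validation reports a null before the task does.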
@@ -108,11 +108,6 @@ Further information is available at [Deutsche Telekom (German)](http://www.telek * Description: Wether to run the hardening * Type: bool * Required: no -* `mysql_hardening_mysql_hardening_conf_file` - * Default: `{{ mysql_hardening_mysql_confd_dir }}/hardening.cnf` - * Description: The path to the configuration file for hardening-related options - * Type: str - * Required: no * `mysql_root_password` * Default: `-----====>SetR00tPa$$wordH3r3!!!<====-----` * Description: The default password. Please change or overwrite it diff --git a/roles/mysql_hardening/defaults/main.yml b/roles/mysql_hardening/defaults/main.yml index c56e479cf..e8d1fadff 100644 --- a/roles/mysql_hardening/defaults/main.yml +++ b/roles/mysql_hardening/defaults/main.yml @@ -6,8 +6,6 @@ mysql_daemon_enabled: true mysql_hardening_restart_mysql: true -# general configuration -mysql_hardening_mysql_hardening_conf_file: "{{ mysql_hardening_mysql_confd_dir }}/hardening.cnf" # You have to change this to your own strong enough mysql root password mysql_root_password: "-----====>SetR00tPa$$wordH3r3!!!<====-----" # There .my.cnf with mysql root credentials will be installed diff --git a/roles/mysql_hardening/meta/argument_specs.yml b/roles/mysql_hardening/meta/argument_specs.yml index 8fa2355da..ec849315f 100644 --- a/roles/mysql_hardening/meta/argument_specs.yml +++ b/roles/mysql_hardening/meta/argument_specs.yml @@ -64,10 +64,6 @@ argument_specs: default: true type: bool description: "Wether to run the hardening" - mysql_hardening_mysql_hardening_conf_file: - default: "{{ mysql_hardening_mysql_confd_dir }}/hardening.cnf" - type: str - description: "The path to the configuration file for hardening-related options" mysql_root_password: default: "-----====>SetR00tPa$$wordH3r3!!!<====-----" type: str diff --git a/roles/mysql_hardening/tasks/configure.yml b/roles/mysql_hardening/tasks/configure.yml index 54c32093b..14f5bdf45 100644 --- a/roles/mysql_hardening/tasks/configure.yml 
+++ b/roles/mysql_hardening/tasks/configure.yml @@ -56,7 +56,7 @@ - name: Apply hardening configuration ansible.builtin.template: src: hardening.cnf.j2 - dest: "{{ mysql_hardening_mysql_hardening_conf_file }}" + dest: "{{ mysql_hardening_mysql_confd_dir + /hardening.cnf }}" owner: "{{ mysql_cnf_owner }}" group: "{{ mysql_cnf_group }}" mode: "0640" diff --git a/roles/mysql_hardening/vars/Debian.yml b/roles/mysql_hardening/vars/Debian.yml index 20cbaf6bc..18a1ca02f 100644 --- a/roles/mysql_hardening/vars/Debian.yml +++ b/roles/mysql_hardening/vars/Debian.yml @@ -2,7 +2,6 @@ mysql_daemon: mariadb mysql_hardening_mysql_conf_file: /etc/mysql/my.cnf -mysql_hardening_mysql_confd_dir: /etc/mysql/conf.d mysql_hardening_group: adm From ce7598708700b154f2cff60abfc81003f237c124 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Mon, 31 Jul 2023 14:28:22 +0200 Subject: [PATCH 04/17] fix wrong syntax --- roles/mysql_hardening/tasks/configure.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mysql_hardening/tasks/configure.yml b/roles/mysql_hardening/tasks/configure.yml index 14f5bdf45..39c99620b 100644 --- a/roles/mysql_hardening/tasks/configure.yml +++ b/roles/mysql_hardening/tasks/configure.yml @@ -56,7 +56,7 @@ - name: Apply hardening configuration ansible.builtin.template: src: hardening.cnf.j2 - dest: "{{ mysql_hardening_mysql_confd_dir + /hardening.cnf }}" + dest: "{{ mysql_hardening_mysql_confd_dir + '/hardening.cnf' }}" owner: "{{ mysql_cnf_owner }}" group: "{{ mysql_cnf_group }}" mode: "0640" From 7cdfd7ec1a31a55682c214cc0de2642956bc6b03 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Mon, 31 Jul 2023 14:29:30 +0200 Subject: [PATCH 05/17] fix spelling errors 
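Review bot: The new `dest` makes this task depend directly on `mysql_hardening_mysql_confd_dir`, but the same commit deletes that variable from `vars/Debian.yml`; unless it is also defined in defaults or another vars file, the template task fails with an undefined variable on Debian-family hosts, so the Debian definition should stay (or move to `defaults/main.yml`, where the argument spec can document it). The expression `{{ mysql_hardening_mysql_confd_dir + /hardening.cnf }}` is also not valid Jinja because the path literal is unquoted; PATCH 04 corrects it to `'/hardening.cnf'`, and the plain form `dest: "{{ mysql_hardening_mysql_confd_dir }}/hardening.cnf"` would avoid the concatenation altogether.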
Signed-off-by: Sebastian Gumprich --- roles/mysql_hardening/README.md | 4 ++-- roles/mysql_hardening/meta/argument_specs.yml | 4 ++-- roles/os_hardening/README.md | 2 +- roles/os_hardening/meta/argument_specs.yml | 4 ++-- roles/ssh_hardening/README.md | 5 ++--- roles/ssh_hardening/meta/argument_specs.yml | 4 ++-- 6 files changed, 11 insertions(+), 12 deletions(-) diff --git a/roles/mysql_hardening/README.md b/roles/mysql_hardening/README.md index 515af200a..1dafa5dee 100644 --- a/roles/mysql_hardening/README.md +++ b/roles/mysql_hardening/README.md @@ -100,12 +100,12 @@ Further information is available at [Deutsche Telekom (German)](http://www.telek * Required: no * `mysql_hardening_enabled` * Default: `true` - * Description: Wether to run the hardening + * Description: Whether to run the hardening * Type: bool * Required: no * `mysql_daemon_enabled` * Default: `true` - * Description: Wether to run the hardening + * Description: Whether to run the hardening * Type: bool * Required: no * `mysql_root_password` diff --git a/roles/mysql_hardening/meta/argument_specs.yml b/roles/mysql_hardening/meta/argument_specs.yml index ec849315f..596806e31 100644 --- a/roles/mysql_hardening/meta/argument_specs.yml +++ b/roles/mysql_hardening/meta/argument_specs.yml @@ -59,11 +59,11 @@ argument_specs: mysql_hardening_enabled: default: true type: bool - description: Wether to run the hardening + description: Whether to run the hardening mysql_daemon_enabled: default: true type: bool - description: "Wether to run the hardening" + description: "Whether to run the hardening" mysql_root_password: default: "-----====>SetR00tPa$$wordH3r3!!!<====-----" type: str diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md index 75b98a03e..da3326c77 100644 --- a/roles/os_hardening/README.md +++ b/roles/os_hardening/README.md 
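Review bot: `mysql_daemon_enabled` keeps the description `Whether to run the hardening`, copied from `mysql_hardening_enabled` directly above it, so after the spelling fix the two options still document the same thing and a user cannot tell them apart; the README hunk in this commit repeats the duplicate. Replace it with a description of what the variable actually gates in `tasks/` (not visible here) and give the README entry the same text.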
@@ -845,7 +845,7 @@ To prevent some of the filesystems from being disabled, add them to the `os_file * Required: no * `os_hardening_enabled` * Default: `true` - * Description: Wether to run the hardening + * Description: Whether to run the hardening * Type: bool * Required: no diff --git a/roles/os_hardening/meta/argument_specs.yml b/roles/os_hardening/meta/argument_specs.yml index d45227257..7c680e561 100644 --- a/roles/os_hardening/meta/argument_specs.yml +++ b/roles/os_hardening/meta/argument_specs.yml @@ -276,7 +276,7 @@ argument_specs: default: rw,nosuid,nodev,noexec,relatime type: str description: Mount proc with hardenized options. Note that the hidepid option - is set separatly in vars/. + is set separately in vars/. os_ignore_users: default: [vagrant, kitchen] type: list @@ -800,7 +800,7 @@ argument_specs: os_hardening_enabled: default: true type: bool - description: Wether to run the hardening + description: Whether to run the hardening os_auth_root_ttys: default: [console, tty1, tty2, tty3, tty4, tty5, tty6] type: list diff --git a/roles/ssh_hardening/README.md b/roles/ssh_hardening/README.md index 2154d69a9..0573bb29c 100644 --- a/roles/ssh_hardening/README.md +++ b/roles/ssh_hardening/README.md @@ -10,7 +10,6 @@ Warning: This role disables root-login on the target server! Please make sure yo ## Supported Operating Systems - | Platform | Versions | | -------- | -------- | | EL | 7, 8, 9 | @@ -167,7 +166,7 @@ Warning: This role disables root-login on the target server! Please make sure yo * Required: no * `ssh_authorized_keys_file` * Default: `` - * Description: change default fle that contains the public keys that can be used for user authentication + * Description: change default file that contains the public keys that can be used for user authentication * Type: str * Required: no * `ssh_trusted_user_ca_keys_file` 
@@ -407,7 +406,7 @@ Warning: This role disables root-login on the target server! Please make sure yo * Required: no * `ssh_hardening_enabled` * Default: `true` - * Description: Wether to run the hardening or not + * Description: Whether to run the hardening * Type: bool * Required: no * `ssh_host_certificates` diff --git a/roles/ssh_hardening/meta/argument_specs.yml b/roles/ssh_hardening/meta/argument_specs.yml index 57c04ccce..ca4136b8a 100644 --- a/roles/ssh_hardening/meta/argument_specs.yml +++ b/roles/ssh_hardening/meta/argument_specs.yml @@ -131,7 +131,7 @@ argument_specs: or supplementary group list matches one of the patterns. ssh_authorized_keys_file: default: '' - description: change default fle that contains the public keys that can be + description: change default file that contains the public keys that can be used for user authentication ssh_trusted_user_ca_keys_file: default: '' @@ -340,7 +340,7 @@ argument_specs: ssh_hardening_enabled: default: true type: bool - description: Wether to run the hardening + description: Whether to run the hardening ssh_host_certificates: default: [] type: list From 76431ddbdb818c4b60f2edb9d066780c67f41a96 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Mon, 31 Jul 2023 14:32:04 +0200 Subject: [PATCH 06/17] cannot use vars before arg-spec validation Signed-off-by: Sebastian Gumprich --- molecule/ssh_hardening_custom_tests/converge.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/molecule/ssh_hardening_custom_tests/converge.yml b/molecule/ssh_hardening_custom_tests/converge.yml index 811384837..f40ea4e70 100644 --- a/molecule/ssh_hardening_custom_tests/converge.yml +++ b/molecule/ssh_hardening_custom_tests/converge.yml @@ -20,10 +20,6 @@ - path: "/etc/ssh/auth_principals/root" principals: - "root" - owner: "{{ ssh_owner }}" - group: "{{ ssh_group }}" - directoryowner: "{{ ssh_owner }}" - directorygroup: "{{ ssh_group }}" directorymode: "0700" network_ipv6_enable: true ssh_allow_tcp_forwarding: 'yes' 
From 00cb7c43f4ac8c79a5d9513a23b471a9993b175b Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Mon, 31 Jul 2023 14:41:29 +0200 Subject: [PATCH 07/17] yamllint the arg-spec Signed-off-by: Sebastian Gumprich --- roles/mysql_hardening/meta/argument_specs.yml | 39 ++++++++------- roles/nginx_hardening/meta/argument_specs.yml | 50 +++++++++++++------ roles/os_hardening/meta/argument_specs.yml | 2 +- 3 files changed, 56 insertions(+), 35 deletions(-) diff --git a/roles/mysql_hardening/meta/argument_specs.yml b/roles/mysql_hardening/meta/argument_specs.yml index 596806e31..aeede8d12 100644 --- a/roles/mysql_hardening/meta/argument_specs.yml +++ b/roles/mysql_hardening/meta/argument_specs.yml 
@@ -5,45 +5,45 @@ argument_specs: version_added: 8.8.0 options: mysql_hardening_chroot: - default: "" - type: "str" - description: "[chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot)" + default: '' + type: str + description: '[chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot)' mysql_hardening_options.safe-user-create: default: 1 type: int - description: "[safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create)" + description: '[safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create)' mysql_hardening_options.secure-auth: default: 1 type: int - description: "[secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth)" + description: '[secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth)' mysql_hardening_options.skip-symbolic-links: default: 1 type: int - description: "[skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links)" - mysql_hardening_skip_grant_tables:: + description: '[skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links)' + 'mysql_hardening_skip_grant_tables:': default: false type: bool - description: "[skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables)" + description: '[skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables)' mysql_hardening_skip_show_database: default: 1 type: int - description: "[skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database)" + description: '[skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database)' 
mysql_hardening_options.local-infile: default: 0 type: int - description: "[local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile)" + description: '[local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile)' mysql_hardening_options.allow-suspicious-udfs: default: 0 type: int - description: "[allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs)" + description: '[allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs)' mysql_hardening_chroot.automatic-sp-privileges: default: 0 type: int - description: "[automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges)" + description: '[automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges)' mysql_hardening_options.secure-file-priv: default: /tmp type: str - description: "[secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv)" + description: '[secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv)' mysql_remove_anonymous_users: default: true type: bool 
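Review bot: The key `'mysql_hardening_skip_grant_tables:':` quotes the stray colon into the option name, so the spec now documents a variable literally called `mysql_hardening_skip_grant_tables:` that no playbook can set and validation will never match; the yamllint fix should remove the colon (`mysql_hardening_skip_grant_tables:`) rather than quote it. Option names such as `mysql_hardening_options.safe-user-create` are not role variables either — role argument specs validate top-level variables — so these presumably belong as sub-`options` of a `mysql_hardening_options` entry with `type: dict`; as written, validation never inspects the dict's contents. `mysql_hardening_chroot.automatic-sp-privileges` looks like the `mysql_hardening_chroot` prefix was pasted where `mysql_hardening_options.` was intended; confirm against `defaults/main.yml`.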
@@ -63,16 +63,17 @@ argument_specs:
 mysql_daemon_enabled:
 default: true
 type: bool
- description: "Whether to run the hardening"
+ description: Whether to run the hardening
 mysql_root_password:
- default: "-----====>SetR00tPa$$wordH3r3!!!<====-----"
+ default: '-----====>SetR00tPa$$wordH3r3!!!<====-----'
 type: str
- description: "The default password. Please change or overwrite it"
+ description: The default password. Please change or overwrite it
 mysql_user_home:
- default: "{{ ansible_env.HOME }}"
+ default: '{{ ansible_env.HOME }}'
 type: str
- description: "The path where the `.my.cnf` will be stored"
+ description: The path where the `.my.cnf` will be stored
 mysql_remove_remote_root:
 default: true
 type: bool
- description: "Set to false to not remove remote root users. If true, root can only connect from localhost"
+ description: Set to false to not remove remote root users. If true, root can
+ only connect from localhost
diff --git a/roles/nginx_hardening/meta/argument_specs.yml b/roles/nginx_hardening/meta/argument_specs.yml
index 8b1bfac03..8c3224b84 100644
--- a/roles/nginx_hardening/meta/argument_specs.yml
+++ b/roles/nginx_hardening/meta/argument_specs.yml
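Review bot: `mysql_root_password` carries a placeholder secret as its `default` and nothing in the spec marks the option as sensitive; role argument specs accept `no_log: true` per option, and adding it under `mysql_root_password` is the documented way to keep whatever value is actually supplied out of argument-validation output. The description `The default password. Please change or overwrite it` would also be more useful if it said what the role does when the placeholder is left in place, since that is the case an operator most needs to know about.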
@@ -7,31 +7,44 @@ argument_specs:
 nginx_client_body_buffer_size:
 default: 1k
 type: str
- description: Sets buffer size for reading client request body. In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file.
+ description: Sets buffer size for reading client request body. In case the
+ request body is larger than the buffer, the whole body or only its part
+ is written to a temporary file.
 nginx_remove_default_site:
 default: true
 type: bool
- description: Disables the default site. Set to false to enable the default site in nginx.
+ description: Disables the default site. Set to false to enable the default
+ site in nginx.
 nginx_client_max_body_size:
 default: 1k
 type: str
- description: Sets the maximum allowed size of the client request body, specified in the "Content-Length" request header field. If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client.
+ description: Sets the maximum allowed size of the client request body, specified
+ in the "Content-Length" request header field. If the size in a request exceeds
+ the configured value, the 413 (Request Entity Too Large) error is returned
+ to the client.
 nginx_keepalive_timeout:
 default: 5 5
 type: str
- description: The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value in the "Keep-Alive timeout=time" response header field.
+ description: The first parameter sets a timeout during which a keep-alive
+ client connection will stay open on the server side. The zero value disables
+ keep-alive client connections. The optional second parameter sets a value
+ in the "Keep-Alive timeout=time" response header field.
 nginx_server_tokens:
- default: off
+ default: false
 type: str
- description: Disables emitting nginx version in error messages and in the "Server" response header field. Set to on to enable the nginx version in error messages and "Server" response header.
+ description: Disables emitting nginx version in error messages and in the
+ "Server" response header field. Set to on to enable the nginx version in
+ error messages and "Server" response header.
 nginx_client_header_buffer_size:
 default: 1k
 type: str
- description: Sets buffer size for reading client request header. For most requests, a buffer of 1K bytes is enough.
+ description: Sets buffer size for reading client request header. For most
+ requests, a buffer of 1K bytes is enough.
 nginx_large_client_header_buffers:
 default: 2 1k
 type: str
- description: Sets the maximum number and size of buffers used for reading large client request header.
+ description: Sets the maximum number and size of buffers used for reading
+ large client request header.
 nginx_client_body_timeout:
 default: 10
 type: int
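Review bot: `nginx_server_tokens` now documents `default: false` for an option typed `str` whose own description speaks of `on`/`off`; nginx's `server_tokens` directive takes `on|off`, so the documented default is no longer a value the directive accepts, and the README generated later in this series renders it as `False`. The unquoted `off` the commit replaced was the YAML 1.1 boolean trap, but the fix is quoting rather than a boolean: `default: "off"`, the same treatment `nginx_ssl_prefer_server_ciphers` receives further down in the series.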
@@ -47,15 +60,20 @@ argument_specs:
 nginx_limit_conn_zone:
 default: $binary_remote_addr zone=default:10m
 type: str
- description: Sets parameters for a shared memory zone that will keep states for various keys.
+ description: Sets parameters for a shared memory zone that will keep states
+ for various keys.
 nginx_limit_conn:
 default: default 5
 type: str
- description: Sets the shared memory zone and the maximum allowed number of connections for a given key value.
+ description: Sets the shared memory zone and the maximum allowed number of
+ connections for a given key value.
 nginx_add_header:
- default: [ "X-Frame-Options SAMEORIGIN", "X-Content-Type-Options nosniff", "X-XSS-Protection \"1; mode=block\"", Content-Security-Policy \"script-src 'self'; object-src 'self'\" ]
+ default: [X-Frame-Options SAMEORIGIN, X-Content-Type-Options nosniff, X-XSS-Protection
+ "1; mode=block", Content-Security-Policy \"script-src 'self'; object-src
+ 'self'\"]
 type: str
- description: Adds the specified field to a response header provided that the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307.
+ description: Adds the specified field to a response header provided that the
+ response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307.
 nginx_ssl_protocols:
 default: TLSv1.2
 type: str
@@ -65,9 +83,10 @@ argument_specs:
 type: str
 description: Specifies the TLS ciphers which should be used.
 nginx_ssl_prefer_server_ciphers:
- default: on
+ default: true
 type: str
- description: Specifies that server ciphers should be preferred over client ciphers when using the TLS protocols. Set to false to disable it.
+ description: Specifies that server ciphers should be preferred over client
+ ciphers when using the TLS protocols. Set to false to disable it.
 nginx_dh_size:
 default: 2048
 type: str
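Review bot: `nginx_add_header` keeps `type: str` while its new default is a YAML flow sequence of four header lines, so the spec contradicts its own default; if the role consumes a list, `type: list` with `elements: str` is the declaration that matches it, and I would expect validating a list against `str` to at best stringify the value with a warning. The fourth entry, `Content-Security-Policy \"script-src 'self'; object-src 'self'\"`, is a plain scalar as before, so its backslashes are literal characters of the value (the README generated later in this series shows them as `\\"`); if the header value is meant to be `"script-src 'self'; object-src 'self'"`, the entry needs single quotes with `''` for the inner apostrophes, e.g. `'Content-Security-Policy "script-src ''self''; object-src ''self''"'`. Writing the default as a block sequence, one `- ` item per line, would also avoid wrapping a flow list across three lines.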
@@ -79,7 +98,8 @@ argument_specs: nginx_configuration_hardening_dir: default: /etc/nginx type: str - description: The location for the nginx hardening configuration file (Could be different e.g. when used in jails) + description: The location for the nginx hardening configuration file (Could + be different e.g. when used in jails) nginx_owner_user: default: root type: str diff --git a/roles/os_hardening/meta/argument_specs.yml b/roles/os_hardening/meta/argument_specs.yml index 7c680e561..bffe526ae 100644 --- a/roles/os_hardening/meta/argument_specs.yml +++ b/roles/os_hardening/meta/argument_specs.yml @@ -843,5 +843,5 @@ argument_specs: chains are flushed. If it is set to 'no', on stop and reload the ufw secondary chains are removed and the ufw primary chains are flushed hidepid_option: - default: "" + default: '' type: str From a927c776423c7a89b611da190b3e45111827df6a Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Mon, 31 Jul 2023 14:43:23 +0200 Subject: [PATCH 08/17] add back variable Signed-off-by: Sebastian Gumprich --- roles/mysql_hardening/vars/Debian.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/mysql_hardening/vars/Debian.yml b/roles/mysql_hardening/vars/Debian.yml index 18a1ca02f..40214b2e4 100644 --- a/roles/mysql_hardening/vars/Debian.yml +++ b/roles/mysql_hardening/vars/Debian.yml @@ -2,6 +2,8 @@ mysql_daemon: mariadb mysql_hardening_mysql_conf_file: /etc/mysql/my.cnf +mysql_hardening_mysql_confd_dir: /etc/mysql/conf.d + mysql_hardening_group: adm From 6dbc14d65be97165d663e36fd0d08b21206d08aa Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Wed, 2 Aug 2023 13:01:45 +0200 Subject: [PATCH 09/17] remove redundant setting in tests --- molecule/ssh_hardening_custom_tests/converge.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/molecule/ssh_hardening_custom_tests/converge.yml b/molecule/ssh_hardening_custom_tests/converge.yml index f40ea4e70..1c9368671 100644 --- a/molecule/ssh_hardening_custom_tests/converge.yml 
+++ b/molecule/ssh_hardening_custom_tests/converge.yml
@@ -20,7 +20,6 @@
 - path: "/etc/ssh/auth_principals/root"
 principals:
 - "root"
- directorymode: "0700"
 network_ipv6_enable: true
 ssh_allow_tcp_forwarding: 'yes'
 ssh_gateway_ports: true
From 224be1739b0be64e90964a6b4f7064fbf6f2932b Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Wed, 2 Aug 2023 13:02:17 +0200
Subject: [PATCH 10/17] fix descriptions in mysql hardening to betterreflect what they do
Signed-off-by: Sebastian Gumprich
---
 roles/mysql_hardening/meta/argument_specs.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/roles/mysql_hardening/meta/argument_specs.yml b/roles/mysql_hardening/meta/argument_specs.yml
index aeede8d12..9af568fe2 100644
--- a/roles/mysql_hardening/meta/argument_specs.yml
+++ b/roles/mysql_hardening/meta/argument_specs.yml
@@ -63,7 +63,7 @@ argument_specs:
 mysql_daemon_enabled:
 default: true
 type: bool
- description: Whether to run the hardening
+ description: Whether to enable the MySQL-service so it starts on boot
 mysql_root_password:
 default: '-----====>SetR00tPa$$wordH3r3!!!<====-----'
 type: str
@@ -75,5 +75,4 @@ argument_specs:
 mysql_remove_remote_root:
 default: true
 type: bool
- description: Set to false to not remove remote root users. If true, root can
- only connect from localhost
+ description: If `true`, root can only connect from localhost. Set to `false` to not remove remote root users.
From 8fecb67ca696e9618e8f15946e679bd0f15afd53 Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Wed, 2 Aug 2023 13:02:39 +0200
Subject: [PATCH 11/17] remove duplicate empty line
Signed-off-by: Sebastian Gumprich
---
 roles/mysql_hardening/vars/Debian.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/roles/mysql_hardening/vars/Debian.yml b/roles/mysql_hardening/vars/Debian.yml
index 40214b2e4..20cbaf6bc 100644
--- a/roles/mysql_hardening/vars/Debian.yml
+++ b/roles/mysql_hardening/vars/Debian.yml
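Review bot: Removing `directorymode: "0700"` from the `/etc/ssh/auth_principals/root` entry leaves this scenario depending on the role's default mode for the principals directory; the commit message calls the setting redundant, which presumably means the default is already `0700`, but the converge no longer states that expectation, so a later change to the default would pass this scenario unnoticed. If the custom-tests scenario has a verify step, asserting the mode of `/etc/ssh/auth_principals` there keeps the check without the duplicated setting. The list entry being edited starts above the hunk.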
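Review bot: The replacement `description:` for `mysql_remove_remote_root` is a single line of roughly 130 characters, whereas every other description in this file, including the two lines it replaces, is wrapped near 80 columns; breaking the new text after `localhost.` onto a continuation line reads the same and keeps a line-length linter quiet. The `mysql_daemon_enabled` description in the first hunk fits as written.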
@@ -4,7 +4,6 @@ mysql_daemon: mariadb mysql_hardening_mysql_conf_file: /etc/mysql/my.cnf mysql_hardening_mysql_confd_dir: /etc/mysql/conf.d - mysql_hardening_group: adm mysql_cnf_owner: root # owner of /etc/mysql/*.cnf files From da25e68614dd2c7f2af3a3aac570e3fadb7ba316 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Wed, 2 Aug 2023 13:02:58 +0200 Subject: [PATCH 12/17] set correct defaults on to ssl options Signed-off-by: Sebastian Gumprich --- roles/nginx_hardening/meta/argument_specs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/nginx_hardening/meta/argument_specs.yml b/roles/nginx_hardening/meta/argument_specs.yml index 8c3224b84..c0cae30fb 100644 --- a/roles/nginx_hardening/meta/argument_specs.yml +++ b/roles/nginx_hardening/meta/argument_specs.yml @@ -79,11 +79,11 @@ argument_specs: type: str description: Specifies the SSL protocol which should be used. nginx_ssl_ciphers: - default: _see defaults.yml_ + default: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 type: str description: Specifies the TLS ciphers which should be used. nginx_ssl_prefer_server_ciphers: - default: true + default: "on" type: str description: Specifies that server ciphers should be preferred over client ciphers when using the TLS protocols. Set to false to disable it. From 1e326cd1839c74d14185be7144834f2ee89238e1 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Wed, 2 Aug 2023 13:03:20 +0200 Subject: [PATCH 13/17] remove left-over hidepid argument spec Signed-off-by: Sebastian Gumprich --- roles/os_hardening/meta/argument_specs.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/roles/os_hardening/meta/argument_specs.yml b/roles/os_hardening/meta/argument_specs.yml index bffe526ae..5ca59a775 100644 
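Review bot: The new `nginx_ssl_ciphers` default is a hand-made copy of the cipher string from the role's defaults file, and nothing ties the two together; a comment above it such as `# keep in sync with the nginx_ssl_ciphers default in defaults/main.yml` would at least make the duplication visible to whoever next edits either file. The ~300-character value cannot be folded without changing it (a `>-` scalar inserts spaces between lines), so the long line is acceptable here; a double-quoted scalar with `\`-escaped line breaks is the only YAML form that wraps it byte-for-byte. As an aside on content rather than on this change, the last four suites (`ECDHE-*-AES256-SHA384`, `ECDHE-*-AES128-SHA256`) are CBC-mode; whether the defaults should still offer them is a question for the defaults file, not for this spec.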
--- a/roles/os_hardening/meta/argument_specs.yml +++ b/roles/os_hardening/meta/argument_specs.yml @@ -842,6 +842,3 @@ argument_specs: description: If this variable is set to 'yes', on stop and reload the built-in chains are flushed. If it is set to 'no', on stop and reload the ufw secondary chains are removed and the ufw primary chains are flushed - hidepid_option: - default: '' - type: str From 90a41305215b5a27524204aa741376243a0478dc Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Wed, 2 Aug 2023 13:41:35 +0200 Subject: [PATCH 14/17] remove license and author infos, this lives in the collection readme Signed-off-by: Sebastian Gumprich --- roles/ssh_hardening/README.md | 8 -------- roles/ssh_hardening/meta/argument_specs.yml | 10 +++++----- 2 files changed, 5 insertions(+), 13 deletions(-) diff --git a/roles/ssh_hardening/README.md b/roles/ssh_hardening/README.md index 0573bb29c..9b2fb5388 100644 --- a/roles/ssh_hardening/README.md +++ b/roles/ssh_hardening/README.md @@ -461,11 +461,3 @@ If you use this role to disable SFTP (`sftp_enabled: false`) you will get errors This role uses the default port 22 or the port configured in the inventory to connect to the server. If the default `ssh` port is changed via `ssh_server_ports`, once the ssh server is restarted, it will still try to connect using the previous port. In order to run this role again on the same server the inventory will have to be updated to use the new ssh port. If idempotency is important, please consider using role [`ssh-hardening-fallback`](https://github.com/nununo/ansible-ssh-hardening-fallback), which is a wrapper around this role that falls back to port 22 if the configured port is unreachable. - - -## License -Apache License 2.0 - -## Author and Project Information -Sebastian Gumprich @ Hardening Framework Team - diff --git a/roles/ssh_hardening/meta/argument_specs.yml b/roles/ssh_hardening/meta/argument_specs.yml index ca4136b8a..eb611f251 100644 
--- a/roles/ssh_hardening/meta/argument_specs.yml +++ b/roles/ssh_hardening/meta/argument_specs.yml @@ -7,8 +7,8 @@ argument_specs: network_ipv6_enable: default: true type: bool - description: false if IPv6 is not needed. `ssh_listen_to` must also be set - to listen to IPv6 addresses (for example `[::]`). + description: '`false` if IPv6 is not needed. `ssh_listen_to` must also be + set to listen to IPv6 addresses (for example `[::]`).' ssh_client_config_file: default: /etc/ssh/ssh_config description: path of the ssh client configuration file, e.g. `/etc/ssh/ssh_config.d/custom.conf`. @@ -26,7 +26,7 @@ argument_specs: default: [0.0.0.0] type: list description: one or more ip addresses, to which ssh-server should listen to. - Default i all IPv4 addresses, but should be configured to specific addresses + Default is all IPv4 addresses, but should be configured to specific addresses for security reasons ssh_host_key_files: default: [] @@ -41,14 +41,14 @@ argument_specs: default: [] type: list description: Host key algorithms that the server offers. If empty the default - lst will be used. Otherwise overrides the setting with specified list of + list will be used. Otherwise overrides the setting with specified list of algorithms. Check `man sshd_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version ssh_client_host_key_algorithms: default: [] type: list description: Specifies the host key algorithms that the client wants to use - in order of preference. If empty the default lst will be used. Otherwise + in order of preference. If empty the default list will be used. Otherwise overrides the setting with specified list of algorithms. Check `man ssh_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version! From 2cf3f9fc2d9def65fec699e6826a798522b66ec2 Mon Sep 17 00:00:00 2001 
From: Sebastian Gumprich Date: Wed, 2 Aug 2023 13:45:02 +0200 Subject: [PATCH 15/17] fix styling Signed-off-by: Sebastian Gumprich --- roles/ssh_hardening/meta/argument_specs.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/ssh_hardening/meta/argument_specs.yml b/roles/ssh_hardening/meta/argument_specs.yml index eb611f251..959808d26 100644 --- a/roles/ssh_hardening/meta/argument_specs.yml +++ b/roles/ssh_hardening/meta/argument_specs.yml @@ -62,21 +62,21 @@ argument_specs: ssh_permit_tunnel: default: false type: bool - description: true if SSH Port Tunneling is required. + description: '`true` if SSH Port Tunneling is required.' ssh_remote_hosts: default: [] type: list description: one or more hosts and their custom options for the ssh-client. - Default i empty. See examples in `defaults/ain.yml` + Default is empty. See examples in `defaults/main.yml` ssh_permit_root_login: default: 'no' description: Disable root-login. Set to `'without-password'` or `'yes'` to enable root-login - The quotes are required! ssh_allow_tcp_forwarding: default: 'no' - description: "'no' or `False` to disable TCP Forwarding. Set to `'yes'` or\ - \ `True` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version,\ - \ you can specify `'yes'`, `'no'`, `'all'`, `'local'`or`'remote'`." + description: Set to `'no'` or `False` to disable TCP Forwarding. Set to `'yes'` + or`True` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, + you can specify `'yes'`, `'no'`, `'all'`, `'local'`or`'remote'`. ssh_gateway_ports: default: false type: bool From f26d67ac0e5129248e8685f6f870bf4cdedb7f29 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Thu, 3 Aug 2023 17:22:07 +0200 Subject: [PATCH 16/17] update some descriptions and sort them in the readme 
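Review bot: The rewritten `ssh_allow_tcp_forwarding` description drops the space between `or` and `True` on its second line, and keeps the pre-existing missing spaces between `'local'`, `or` and `'remote'` on the third; both runs should be separated by single spaces. The description also mixes the YAML string forms `'no'`/`'yes'` with the Python-style `False`/`True`; since the option declares no `type`, naming the accepted boolean forms as lowercase `false`/`true` would match how booleans are written elsewhere in this file, for example `ssh_permit_tunnel` and `ssh_gateway_ports` in the same hunk.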
Signed-off-by: Sebastian Gumprich --- roles/mysql_hardening/README.md | 80 +- roles/mysql_hardening/meta/argument_specs.yml | 4 +- roles/nginx_hardening/README.md | 211 ++-- roles/nginx_hardening/meta/argument_specs.yml | 36 +- roles/os_hardening/README.md | 927 ++++++++++-------- roles/ssh_hardening/README.md | 442 ++++----- roles/ssh_hardening/meta/argument_specs.yml | 40 +- 7 files changed, 913 insertions(+), 827 deletions(-) diff --git a/roles/mysql_hardening/README.md b/roles/mysql_hardening/README.md index 1dafa5dee..482f2cb8e 100644 --- a/roles/mysql_hardening/README.md +++ b/roles/mysql_hardening/README.md 
@@ -33,11 +33,36 @@ Further information is available at [Deutsche Telekom (German)](http://www.telek ## Role Variables +* `mysql_daemon_enabled` + * Default: `true` + * Description: Whether to enable the MySQL-service so it starts on boot + * Type: bool + * Required: no * `mysql_hardening_chroot` * Default: `` * Description: [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot) * Type: str * Required: no +* `mysql_hardening_chroot.automatic-sp-privileges` + * Default: `0` + * Description: [automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges) + * Type: int + * Required: no +* `mysql_hardening_enabled` + * Default: `true` + * Description: Whether to run the hardening + * Type: bool + * Required: no +* `mysql_hardening_options.allow-suspicious-udfs` + * Default: `0` + * Description: [allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs) + * Type: int + * Required: no +* `mysql_hardening_options.local-infile` + * Default: `0` + * Description: [local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile) + * Type: int + * Required: no * `mysql_hardening_options.safe-user-create` * Default: `1` * Description: [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create) 
@@ -48,11 +73,21 @@ Further information is available at [Deutsche Telekom (German)](http://www.telek * Description: [secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth) * Type: int * Required: no +* `mysql_hardening_options.secure-file-priv` + * Default: `/tmp` + * Description: [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv) + * Type: str + * Required: no * `mysql_hardening_options.skip-symbolic-links` * Default: `1` * Description: [skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links) * Type: int * Required: no +* `mysql_hardening_restart_mysql` + * Default: `true` + * Description: Restart mysql after running this role + * Type: bool + * Required: no * `mysql_hardening_skip_grant_tables:` * Default: `false` * Description: [skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables) 
@@ -63,49 +98,19 @@ Further information is available at [Deutsche Telekom (German)](http://www.telek * Description: [skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database) * Type: int * Required: no -* `mysql_hardening_options.local-infile` - * Default: `0` - * Description: [local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile) - * Type: int - * Required: no -* `mysql_hardening_options.allow-suspicious-udfs` - * Default: `0` - * Description: [allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs) - * Type: int - * Required: no -* `mysql_hardening_chroot.automatic-sp-privileges` - * Default: `0` - * Description: [automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges) - * Type: int - * Required: no -* `mysql_hardening_options.secure-file-priv` - * Default: `/tmp` - * Description: [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv) - * Type: str - * Required: no * `mysql_remove_anonymous_users` * Default: `true` - * Description: remove users without authentication - * Type: bool - * Required: no -* `mysql_remove_test_database` - * Default: `true` - * Description: remove test database + * Description: Set to `false` to keep users without authentication * Type: bool * Required: no -* `mysql_hardening_restart_mysql` - * Default: `true` - * Description: Restart mysql after running this role - * Type: bool - * Required: no -* `mysql_hardening_enabled` +* `mysql_remove_remote_root` * Default: `true` - * Description: Whether to run the hardening + * Description: If `true`, root can only connect from localhost. Set to `false` to not remove remote root users. 
* Type: bool * Required: no -* `mysql_daemon_enabled` +* `mysql_remove_test_database` * Default: `true` - * Description: Whether to run the hardening + * Description: Set to `false` to keep the test database * Type: bool * Required: no * `mysql_root_password` @@ -118,11 +123,6 @@ Further information is available at [Deutsche Telekom (German)](http://www.telek * Description: The path where the `.my.cnf` will be stored * Type: str * Required: no -* `mysql_remove_remote_root` - * Default: `true` - * Description: Set to false to not remove remote root users. If true, root can only connect from localhost - * Type: bool - * Required: no ## Dependencies diff --git a/roles/mysql_hardening/meta/argument_specs.yml b/roles/mysql_hardening/meta/argument_specs.yml index 9af568fe2..716d36c9e 100644 --- a/roles/mysql_hardening/meta/argument_specs.yml +++ b/roles/mysql_hardening/meta/argument_specs.yml @@ -47,11 +47,11 @@ argument_specs: mysql_remove_anonymous_users: default: true type: bool - description: remove users without authentication + description: Set to `false` to keep users without authentication mysql_remove_test_database: default: true type: bool - description: remove test database + description: Set to `false` to keep the test database mysql_hardening_restart_mysql: default: true type: bool diff --git a/roles/nginx_hardening/README.md b/roles/nginx_hardening/README.md index 83bed24bd..8dd8a1502 100644 --- a/roles/nginx_hardening/README.md +++ b/roles/nginx_hardening/README.md 
@@ -15,103 +15,132 @@ It works with the following nginx-roles, including, but not limited to: **NOTE: This role does not work with nginx 1.0.15 or older! Please use the latest version from the official nginx repositories!** -## Requirements - -- Ansible >= 2.9 + +## Supported Operating Systems +| Platform | Versions | +| -------- | -------- | +| EL | 7, 8, 9 | +| Ubuntu | bionic, focal, jammy | +| Debian | buster, bullseye | +| Amazon | | ## Role Variables -- [nginx_client_body_buffer_size][] - - Default: `1k` - - Description: Sets buffer size for reading client request body. In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file. -- nginx_remove_default_site - - Default: `true` - - Description: Disables the default site. Set to false to enable the default site in nginx. -- [nginx_client_max_body_size][] - - Default: `1k` - - Description: Sets the maximum allowed size of the client request body, specified in the “Content-Length” request header field. If the size in a request exceeds the configured value, the 41 - 3 (Request Entity Too Large) error is returned to the client. -- [nginx_keepalive_timeout][] - - Default: `5 5` - - Description: The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The op - tional second parameter sets a value in the “Keep-Alive: timeout=time” response header field. -- [nginx_server_tokens][] - - Default: `off` - - Description: Disables emitting nginx version in error messages and in the "Server" response header field. Set to on to enable the nginx version in error messages and "Server" response head - er. -- [nginx_client_header_buffer_size][] - - Default: `1k` - - Description: Sets buffer size for reading client request header. For most requests, a buffer of 1K bytes is enough. 
-- [nginx_large_client_header_buffers][] - - Default: `2 1k` - - Description: Sets the maximum number and size of buffers used for reading large client request header. -- [nginx_client_body_timeout][] - - Default: `10` - - Description: Defines a timeout for reading client request body. -- [nginx_client_header_timeout][] - - Default: `10` - - Description: Defines a timeout for reading client request header. -- [nginx_send_timeout][] - - Default: `10` - - Description: Sets a timeout for transmitting a response to the client. -- [nginx_limit_conn_zone][] - - Default: `$binary_remote_addr zone=default:10m` - - Description: Sets parameters for a shared memory zone that will keep states for various keys. -- [nginx_limit_conn][] - - Default: `default 5` - - Description: Sets the shared memory zone and the maximum allowed number of connections for a given key value. -- [nginx_add_header][] - - Default: `[ "X-Frame-Options SAMEORIGIN", "X-Content-Type-Options nosniff", "X-XSS-Protection \"1; mode=block\"", Content-Security-Policy \"script-src 'self'; object-src 'self'\" ]` - - Description: Adds the specified field to a response header provided that the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307. -- [nginx_ssl_protocols][] - - Default: `TLSv1.2` - - Description: Specifies the SSL protocol which should be used. -- [nginx_ssl_ciphers][] - - Default: _see defaults.yml_ - - Description: Specifies the TLS ciphers which should be used. -- [nginx_ssl_prefer_server_ciphers][] - - Default: `on` - - Description: Specifies that server ciphers should be preferred over client ciphers when using the TLS protocols. Set to false to disable it. -- [nginx_dh_size][] - - Default: `2048` - - Description: Specifies the length of DH parameters for EDH ciphers. 
-- [nginx_configuration_dir][] - - default: "/etc/nginx" - - Description: The main location for all nginx configuration files -- [nginx_configuration_hardening_dir][] - - default: "/etc/nginx" - - Description: The location for the nginx hardening configuration file (Could be different e.g. when used in jails) -- [nginx_owner_user][] - - default: "root" - - Description: The owner user of the nginx configuration files -- [nginx_owner_group][] - - default: "root" - - Description: The owner group of the nginx configuration files +* `nginx_add_header` + * Default: `['X-Frame-Options SAMEORIGIN', 'X-Content-Type-Options nosniff', 'X-XSS-Protection "1; mode=block"', 'Content-Security-Policy \\"script-src \'self\'; object-src \'self\'\\"']` + * Description: Adds the specified field to a response header provided that the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307. See [nginx_add_header](http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header) + * Type: str + * Required: no +* `nginx_client_body_buffer_size` + * Default: `1k` + * Description: Sets buffer size for reading client request body. In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file. See [nginx_client_body_buffer_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size) + * Type: str + * Required: no +* `nginx_client_body_timeout` + * Default: `10` + * Description: Defines a timeout for reading client request body. See [nginx_client_body_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout) + * Type: int + * Required: no +* `nginx_client_header_buffer_size` + * Default: `1k` + * Description: Sets buffer size for reading client request header. For most requests, a buffer of 1K bytes is enough. 
See [nginx_client_header_buffer_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client + * Type: str + * Required: no +* `nginx_client_header_timeout` + * Default: `10` + * Description: Defines a timeout for reading client request header. See [nginx_client_header_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout) + * Type: int + * Required: no +* `nginx_client_max_body_size` + * Default: `1k` + * Description: Sets the maximum allowed size of the client request body, specified in the "Content-Length" request header field. If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client. See [nginx_client_max_body_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) + * Type: str + * Required: no +* `nginx_configuration_dir` + * Default: `/etc/nginx` + * Description: The main location for all nginx configuration files + * Type: str + * Required: no +* `nginx_configuration_hardening_dir` + * Default: `/etc/nginx` + * Description: The location for the nginx hardening configuration file (Could be different e.g. when used in jails) + * Type: str + * Required: no +* `nginx_dh_size` + * Default: `2048` + * Description: Specifies the length of DH parameters for EDH ciphers. See [nginx_dh_size](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam) + * Type: str + * Required: no +* `nginx_keepalive_timeout` + * Default: `5 5` + * Description: The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value in the "Keep-Alive timeout=time" response header field. 
See [nginx_keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) + * Type: str + * Required: no +* `nginx_large_client_header_buffers` + * Default: `2 1k` + * Description: Sets the maximum number and size of buffers used for reading large client request header. See [nginx_large_client_header_buffers](http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers) + * Type: str + * Required: no +* `nginx_limit_conn` + * Default: `default 5` + * Description: Sets the shared memory zone and the maximum allowed number of connections for a given key value. See [nginx_limit_conn](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn) + * Type: str + * Required: no +* `nginx_limit_conn_zone` + * Default: `$binary_remote_addr zone=default:10m` + * Description: Sets parameters for a shared memory zone that will keep states for various keys. See [nginx_limit_conn_zone](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn_zone) + * Type: str + * Required: no +* `nginx_owner_group` + * Default: `root` + * Description: The owner group of the nginx configuration files + * Type: str + * Required: no +* `nginx_owner_user` + * Default: `root` + * Description: The owner user of the nginx configuration files + * Type: str + * Required: no +* `nginx_remove_default_site` + * Default: `true` + * Description: Disables the default site. Set to false to enable the default site in nginx. + * Type: bool + * Required: no +* `nginx_send_timeout` + * Default: `10` + * Description: Sets a timeout for transmitting a response to the client. See [nginx_send_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout) + * Type: int + * Required: no +* `nginx_server_tokens` + * Default: `False` + * Description: Disables emitting nginx version in error messages and in the "Server" response header field. 
Set to on to enable the nginx version in error messages and "Server" response header. See [nginx_server_tokens](http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens) + * Type: str + * Required: no +* `nginx_ssl_ciphers` + * Default: `ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256` + * Description: Specifies the TLS ciphers which should be used. See [nginx_ssl_ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) + * Type: str + * Required: no +* `nginx_ssl_prefer_server_ciphers` + * Default: `on` + * Description: Specifies that server ciphers should be preferred over client ciphers when using the TLS protocols. Set to false to disable it. See [nginx_ssl_prefer_server_ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers) + * Type: str + * Required: no +* `nginx_ssl_protocols` + * Default: `TLSv1.2` + * Description: Specifies the SSL protocol which should be used. See [nginx_ssl_protocols](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols) + * Type: str + * Required: no + +## Dependencies + +None. 
## Example Playbook ``` -- hosts: localhost - collections: - - devsec.hardening +- hosts: all roles: - - nginx_hardening + - name: devsec.hardening.nginx_hardening ``` - -[nginx_client_body_buffer_size]: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size -[nginx_client_max_body_size]: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size -[nginx_keepalive_timeout]: http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout -[nginx_server_tokens]: http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens -[nginx_more_clear_headers]: http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header -[nginx_client_header_buffer_size]: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size -[nginx_large_client_header_buffers]: http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers -[nginx_client_body_timeout]: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout -[nginx_client_header_timeout]: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout -[nginx_send_timeout]: http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout -[nginx_limit_conn_zone]: http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn_zone -[nginx_limit_conn]: http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn -[nginx_add_header]: http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header -[nginx_ssl_protocols]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols -[nginx_ssl_ciphers]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers -[nginx_ssl_prefer_server_ciphers]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers -[nginx_dh_size]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam + 
diff --git a/roles/nginx_hardening/meta/argument_specs.yml b/roles/nginx_hardening/meta/argument_specs.yml index c0cae30fb..4293471b0 100644 --- a/roles/nginx_hardening/meta/argument_specs.yml +++ b/roles/nginx_hardening/meta/argument_specs.yml @@ -9,7 +9,7 @@ argument_specs: type: str description: Sets buffer size for reading client request body. In case the request body is larger than the buffer, the whole body or only its part - is written to a temporary file. + is written to a temporary file. See [nginx_client_body_buffer_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size) nginx_remove_default_site: default: true type: bool 
@@ -21,76 +21,78 @@ argument_specs: description: Sets the maximum allowed size of the client request body, specified in the "Content-Length" request header field. If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned - to the client. + to the client. See [nginx_client_max_body_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) nginx_keepalive_timeout: default: 5 5 type: str description: The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value - in the "Keep-Alive timeout=time" response header field. + in the "Keep-Alive timeout=time" response header field. See [nginx_keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) nginx_server_tokens: default: false type: str description: Disables emitting nginx version in error messages and in the "Server" response header field. Set to on to enable the nginx version in - error messages and "Server" response header. + error messages and "Server" response header. See [nginx_server_tokens](http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens) nginx_client_header_buffer_size: default: 1k type: str description: Sets buffer size for reading client request header. For most - requests, a buffer of 1K bytes is enough. + requests, a buffer of 1K bytes is enough. See [nginx_client_header_buffer_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client nginx_large_client_header_buffers: default: 2 1k type: str description: Sets the maximum number and size of buffers used for reading - large client request header. + large client request header. 
See [nginx_large_client_header_buffers](http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers) nginx_client_body_timeout: default: 10 type: int - description: Defines a timeout for reading client request body. + description: Defines a timeout for reading client request body. See [nginx_client_body_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout) nginx_client_header_timeout: default: 10 type: int - description: Defines a timeout for reading client request header. + description: Defines a timeout for reading client request header. See [nginx_client_header_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout) nginx_send_timeout: default: 10 type: int - description: Sets a timeout for transmitting a response to the client. + description: Sets a timeout for transmitting a response to the client. See + [nginx_send_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout) nginx_limit_conn_zone: default: $binary_remote_addr zone=default:10m type: str description: Sets parameters for a shared memory zone that will keep states - for various keys. + for various keys. See [nginx_limit_conn_zone](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn_zone) nginx_limit_conn: default: default 5 type: str description: Sets the shared memory zone and the maximum allowed number of - connections for a given key value. + connections for a given key value. See [nginx_limit_conn](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn) nginx_add_header: default: [X-Frame-Options SAMEORIGIN, X-Content-Type-Options nosniff, X-XSS-Protection "1; mode=block", Content-Security-Policy \"script-src 'self'; object-src 'self'\"] type: str description: Adds the specified field to a response header provided that the - response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307. 
+ response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307. See + [nginx_add_header](http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header) nginx_ssl_protocols: default: TLSv1.2 type: str - description: Specifies the SSL protocol which should be used. + description: Specifies the SSL protocol which should be used. See [nginx_ssl_protocols](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols) nginx_ssl_ciphers: default: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 type: str - description: Specifies the TLS ciphers which should be used. + description: Specifies the TLS ciphers which should be used. See [nginx_ssl_ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) nginx_ssl_prefer_server_ciphers: - default: "on" + default: 'on' type: str description: Specifies that server ciphers should be preferred over client - ciphers when using the TLS protocols. Set to false to disable it. + ciphers when using the TLS protocols. Set to false to disable it. See [nginx_ssl_prefer_server_ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers) nginx_dh_size: default: 2048 type: str - description: Specifies the length of DH parameters for EDH ciphers. + description: Specifies the length of DH parameters for EDH ciphers. See [nginx_dh_size](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam) nginx_configuration_dir: default: /etc/nginx type: str diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md index da3326c77..4273e939d 100644 --- a/roles/os_hardening/README.md +++ b/roles/os_hardening/README.md 
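Review bot: The link appended to the `nginx_client_header_buffer_size` description in this hunk is truncated — the URL stops at `#client` and the closing `)` is missing, so the rendered docs get an unterminated markdown link pointing at a non-existent anchor. The complete target is visible in the old README's link-reference list, so the continuation line should read `requests, a buffer of 1K bytes is enough. See [nginx_client_header_buffer_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size)`. The nginx_hardening README in this same patch carries the identical truncation, which suggests it was generated from this spec and should be regenerated once the spec is fixed. As a secondary point, `nginx_server_tokens` keeps `default: false` under `type: str` (context lines here, rendered as `False` in the README); declaring the default as a quoted string or switching the type to `bool` would remove that mismatch, though I cannot see the template to confirm which form the role's task expects. The enclosing `argument_specs:` mapping begins before this hunk and continues past its end.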
@@ -68,39 +68,94 @@ To prevent some of the filesystems from being disabled, add them to the `os_file ## Role Variables -* `os_desktop_enable` - * Default: `false` - * Description: true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc. +* `os_apt_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring apt. * Type: bool * Required: no -* `os_env_extra_user_paths` - * Default: `"[]"` - * Description: add additional paths to the user's `PATH` variable (default is empty). - * Type: list +* `os_auditd_action_mail_acct` + * Default: `root` + * Description: If `space_left_action` or `admin_space_left_action` are set to `email`, uses the address or alias to send the email using `/usr/lib/sendmail`. of events created on one system but reported/analyzed on another system. + * Type: str * Required: no -* `os_auth_pw_max_age` - * Default: `60` - * Description: maximum password age (set to `99999` to effectively disable it). +* `os_auditd_admin_space_left` + * Default: `50` + * Description: This is a numeric value in megabytes that tells the audit daemon when to perform a configurable action because the system is running low on disk space. * Type: int * Required: no -* `os_auth_pw_min_age` - * Default: `7` - * Description: minimum password age (before allowing any other password change). - * Type: int +* `os_auditd_admin_space_left_action` + * Default: `SUSPEND` + * Description: This parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore, syslog, rotate, email, exec, suspend, single, and halt. + * Type: str * Required: no -* `os_auth_pw_warn_age` - * Default: `7` - * Description: number of days of warning before password expires. +* `os_auditd_disk_error_action` + * Default: `SUSPEND` + * Description: This parameter tells the system what action to take whenever there is an error detected when writing audit events to disk or rotating logs. 
Valid values are ignore, syslog, exec, suspend, single, and halt. + * Type: str + * Required: no +* `os_auditd_disk_full_action` + * Default: `SUSPEND` + * Description: This parameter tells the system what action to take when the system has detected that the partition to which log files are written has become full. Valid values are ignore, syslog, rotate, exec, suspend, single, and halt. + * Type: str + * Required: no +* `os_auditd_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring auditd. + * Type: bool + * Required: no +* `os_auditd_flush` + * Default: `INCREMENTAL` + * Description: Valid values are none, incremental, incremental_async, data, and sync. + * Type: str + * Required: no +* `os_auditd_log_format` + * Default: `RAW` + * Description: Describes how the information should be stored on disk. There are 2 options - raw and enriched. + * Type: str + * Required: no +* `os_auditd_log_group` + * Default: `root` + * Description: specifies the group that is applied to the log file's permissions. The group name can be either numeric or spelled out. + * Type: str + * Required: no +* `os_auditd_max_log_file` + * Default: `6` + * Description: This keyword specifies the maximum file size in megabytes. When this limit is reached, it will trigger a configurable action. The value given must be numeric. * Type: int * Required: no -* `os_auth_pw_remember` +* `os_auditd_max_log_file_action` + * Default: `keep_logs` + * Description: Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`. + * Type: str + * Required: no +* `os_auditd_num_logs` * Default: `5` - * Description: how many used passwords are record. + * Description: This keyword specifies the number of log files to keep if `rotate` is given as the max_log_file_action. The value given must be numeric. 
* Type: int * Required: no -* `os_auth_retries` - * Default: `5` - * Description: the maximum number of authentication attempts, before the account is locked for some time. +* `os_auditd_space_left` + * Default: `75` + * Description: If the free space in the filesystem containing log_file drops below this value, the audit daemon takes the action specified by space_left_action. + * Type: int + * Required: no +* `os_auditd_space_left_action` + * Default: `SYSLOG` + * Description: This parameter tells the system what action to take when the system has detected that it is starting to get low on disk space. Valid values are ignore, syslog, rotate, email, exec, suspend, single, and halt. + * Type: str + * Required: no +* `os_auth_allow_homeless` + * Default: `false` + * Description: true if to allow users without home to login. + * Type: bool + * Required: no +* `os_auth_gid_max` + * Default: `60000` + * Description: maximum number for automatic gid selection in groupadd. + * Type: int + * Required: no +* `os_auth_gid_min` + * Default: `1000` + * Description: minimum number for automatic gid selection in groupadd. * Type: int * Required: no * `os_auth_lockout_time` @@ -108,14 +163,9 @@ To prevent some of the filesystems from being disabled, add them to the `os_file * Description: time in seconds that needs to pass, if the account was locked due to too many failed authentication attempts. * Type: int * Required: no -* `os_auth_timeout` - * Default: `60` - * Description: authentication timeout in seconds, so login will exit if this time passes. - * Type: int - * Required: no -* `os_auth_allow_homeless` +* `os_auth_pam_oddjob_mkhomedir` * Default: `false` - * Description: true if to allow users without home to login. + * Description: Enables automatic homedir e.g. in FreeIPA environments * Type: bool * Required: no * `os_auth_pam_passwdqc_enable` 
@@ -128,64 +178,54 @@ To prevent some of the filesystems from being disabled, add them to the `os_file * Description: set to any option line (as a string) that you want to pass to passwdqc. * Type: str * Required: no -* `os_auth_pam_oddjob_mkhomedir` - * Default: `false` - * Description: Enables automatic homedir e.g. in FreeIPA environments - * Type: bool +* `os_auth_pam_pwquality_options` + * Default: `try_first_pass retry=3 authtok_type=` + * Description: Options to pass to the PAM module pwquality + * Type: str * Required: no -* `os_security_users_allow` - * Default: `"[]"` - * Description: list of things, that a user is allowed to do. May contain `change_user`. - * Type: list +* `os_auth_pw_max_age` + * Default: `60` + * Description: maximum password age (set to `99999` to effectively disable it). + * Type: int * Required: no -* `os_security_kernel_enable_module_loading` - * Default: `true` - * Description: true if you want to allowed to change kernel modules once the system is running (eg `modprobe`, `rmmod`). WARNING - Rebuilding initramfs is deprecated and will be removed in the next major release. For more information take a look at this issue - * Type: bool +* `os_auth_pw_min_age` + * Default: `7` + * Description: minimum password age (before allowing any other password change). + * Type: int * Required: no -* `os_security_kernel_enable_core_dump` - * Default: `false` - * Description: kernel is crashing or otherwise misbehaving and a kernel core dump is created. - * Type: bool +* `os_auth_pw_remember` + * Default: `5` + * Description: how many used passwords are record. + * Type: int * Required: no -* `os_security_suid_sgid_enforce` - * Default: `true` - * Description: true if you want to reduce SUID/SGID bits. There is already a list of items which are searched for configured, but you can also add your own. - * Type: bool +* `os_auth_pw_warn_age` + * Default: `7` + * Description: number of days of warning before password expires. 
+ * Type: int * Required: no -* `os_security_suid_sgid_blacklist` - * Default: `"[]"` - * Description: a list of paths which should have their SUID/SGID bits removed. - * Type: list +* `os_auth_retries` + * Default: `5` + * Description: the maximum number of authentication attempts, before the account is locked for some time. + * Type: int * Required: no -* `os_security_suid_sgid_whitelist` - * Default: `"[]"` - * Description: a list of paths which should not have their SUID/SGID bits altered. +* `os_auth_root_ttys` + * Default: `["console", "tty1", "tty2", "tty3", "tty4", "tty5", "tty6"]` + * Description: A list of TTYs, from which root can log in, see `man securetty` for reference * Type: list * Required: no -* `os_security_suid_sgid_remove_from_unknown` - * Default: `false` - * Description: true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`. - * Type: bool - * Required: no -* `os_auth_uid_min` - * Default: `1000` - * Description: minimum number for automatic uid selection in useradd. - * Type: int - * Required: no -* `os_auth_uid_max` - * Default: `60000` - * Description: maximum number for automatic uid selection in useradd. +* `os_auth_sub_gid_count` + * Default: `65536` + * Description: If /etc/subuid exists, the commands useradd and newusers (unless the user already have subordinate group IDs) allocate SUB_GID_COUNT unused group IDs from the range SUB_GID_MIN to SUB_GID_MAX for each new user. See also `os_auth_sub_gid_min` and `os_auth_sub_gid_max`. * Type: int * Required: no -* `os_auth_gid_min` - * Default: `1000` - * Description: minimum number for automatic gid selection in groupadd. 
+* `os_auth_sub_gid_max` + * Default: `600100000` + * Description: maximum number for automatic subordinate gid selection in useradd and newusers. * Type: int * Required: no -* `os_auth_gid_max` - * Default: `60000` - * Description: maximum number for automatic gid selection in groupadd. +* `os_auth_sub_gid_min` + * Default: `100000` + * Description: minimum number for automatic subordinate gid selection in useradd and newusers. * Type: int * Required: no * `os_auth_sub_uid_count` 
@@ -193,149 +233,74 @@ To prevent some of the filesystems from being disabled, add them to the `os_file * Description: If /etc/subuid exists, the commands useradd and newusers (unless the user already have subordinate user IDs) allocate SUB_UID_COUNT unused user IDs from the range SUB_UID_MIN to SUB_UID_MAX for each new user. See also `os_auth_sub_uid_min` and `os_auth_sub_uid_max`. * Type: int * Required: no -* `os_auth_sub_uid_min` - * Default: `100000` - * Description: minimum number for automatic subordinate uid selection in useradd and newusers. - * Type: int - * Required: no * `os_auth_sub_uid_max` * Default: `600100000` * Description: maximum number for automatic subordinate uid selection in useradd and newusers. * Type: int * Required: no -* `os_auth_sub_gid_count` - * Default: `65536` - * Description: If /etc/subuid exists, the commands useradd and newusers (unless the user already have subordinate group IDs) allocate SUB_GID_COUNT unused group IDs from the range SUB_GID_MIN to SUB_GID_MAX for each new user. See also `os_auth_sub_gid_min` and `os_auth_sub_gid_max`. - * Type: int - * Required: no -* `os_auth_sub_gid_min` +* `os_auth_sub_uid_min` * Default: `100000` - * Description: minimum number for automatic subordinate gid selection in useradd and newusers. + * Description: minimum number for automatic subordinate uid selection in useradd and newusers. * Type: int * Required: no -* `os_auth_sub_gid_max` - * Default: `600100000` - * Description: maximum number for automatic subordinate gid selection in useradd and newusers. +* `os_auth_timeout` + * Default: `60` + * Description: authentication timeout in seconds, so login will exit if this time passes. * Type: int * Required: no -* `os_security_packages_clean` - * Default: `true` - * Description: removes packages with known issues. See section packages. - * Type: bool +* `os_auth_uid_max` + * Default: `60000` + * Description: maximum number for automatic uid selection in useradd. 
+ * Type: int * Required: no -* `os_selinux_state` - * Default: `enforcing` - * Description: Set the SELinux state, can be either disabled, permissive, or enforcing. - * Type: str +* `os_auth_uid_min` + * Default: `1000` + * Description: minimum number for automatic uid selection in useradd. + * Type: int * Required: no -* `os_selinux_policy` - * Default: `targeted` - * Description: Set the SELinux polixy. +* `os_chfn_restrict` + * Default: `''` + * Description: Indicate which fields are changeable by chfn. * Type: str * Required: no -* `ufw_manage_defaults` +* `os_chmod_home_folders` * Default: `true` - * Description: true means apply all settings with `ufw_` prefix. + * Description: Set to `false` to disable "chmod 700" of home folders for regular users * Type: bool * Required: no -* `ufw_ipt_sysctl` - * Default: `''` - * Description: by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example `/etc/ufw/sysctl.conf`. - * Type: str - * Required: no -* `ufw_default_input_policy` - * Default: `DROP` - * Description: set default input policy of ufw to `DROP`. - * Type: str - * Required: no -* `ufw_default_output_policy` - * Default: `ACCEPT` - * Description: set default output policy of ufw to `ACCEPT`. - * Type: str - * Required: no -* `ufw_default_forward_policy` - * Default: `DROP` - * Description: set default forward policy of ufw to `DROP`. - * Type: str - * Required: no -* `ufw_enable_ipv6` +* `os_chmod_rootuser_home_folder` * Default: `true` - * Description: Set to `true` to apply rules to support IPv6 (no means only IPv6 on loopback accepted). + * Description: Set to `false` to disable "chmod 700" of root's home folder * Type: bool * Required: no -* `os_auditd_enabled` +* `os_cron_enabled` * Default: `true` - * Description: Set to false to disable installing and configuring auditd. + * Description: Set to false to disable installing and configuring cron. 
* Type: bool * Required: no -* `os_auditd_max_log_file_action` - * Default: `keep_logs` - * Description: Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`. - * Type: str - * Required: no -* `os_auditd_max_log_file` - * Default: `6` - * Description: This keyword specifies the maximum file size in megabytes. When this limit is reached, it will trigger a configurable action. The value given must be numeric. - * Type: int - * Required: no -* `os_auditd_num_logs` - * Default: `5` - * Description: This keyword specifies the number of log files to keep if `rotate` is given as the max_log_file_action. The value given must be numeric. - * Type: int - * Required: no -* `os_auditd_flush` - * Default: `INCREMENTAL` - * Description: Valid values are none, incremental, incremental_async, data, and sync. - * Type: str - * Required: no -* `os_auditd_admin_space_left` - * Default: `50` - * Description: This is a numeric value in megabytes that tells the audit daemon when to perform a configurable action because the system is running low on disk space. - * Type: int - * Required: no -* `os_auditd_space_left` - * Default: `75` - * Description: If the free space in the filesystem containing log_file drops below this value, the audit daemon takes the action specified by space_left_action. - * Type: int - * Required: no -* `os_auditd_space_left_action` - * Default: `SYSLOG` - * Description: This parameter tells the system what action to take when the system has detected that it is starting to get low on disk space. Valid values are ignore, syslog, rotate, email, exec, suspend, single, and halt. - * Type: str - * Required: no -* `os_auditd_action_mail_acct` - * Default: `root` - * Description: If `space_left_action` or `admin_space_left_action` are set to `email`, uses the address or alias to send the email using `/usr/lib/sendmail`. 
of events created on one system but reported/analyzed on another system. - * Type: str - * Required: no -* `os_auditd_disk_error_action` - * Default: `SUSPEND` - * Description: This parameter tells the system what action to take whenever there is an error detected when writing audit events to disk or rotating logs. Valid values are ignore, syslog, exec, suspend, single, and halt. - * Type: str - * Required: no -* `os_auditd_disk_full_action` - * Default: `SUSPEND` - * Description: This parameter tells the system what action to take when the system has detected that the partition to which log files are written has become full. Valid values are ignore, syslog, rotate, exec, suspend, single, and halt. - * Type: str +* `os_ctrlaltdel_disabled` + * Default: `false` + * Description: Set to true to disable ctrl-alt-delete key combination. + * Type: bool * Required: no -* `os_auditd_log_group` - * Default: `root` - * Description: specifies the group that is applied to the log file's permissions. The group name can be either numeric or spelled out. - * Type: str +* `os_desktop_enable` + * Default: `false` + * Description: true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc. + * Type: bool * Required: no -* `proc_mnt_options` - * Default: `rw,nosuid,nodev,noexec,relatime,hidepid=` - * Description: Mount proc with hardenized options, including `hidepid` with variable value. - * Type: str +* `os_env_extra_user_paths` + * Default: `"[]"` + * Description: add additional paths to the user's `PATH` variable (default is empty). 
+ * Type: list * Required: no -* `os_ignore_users` - * Default: `["vagrant", "kitchen"]` - * Description: Specify system accounts whose login should not be disabled and password not changed +* `os_filesystem_whitelist` + * Default: `"[]"` + * Description: A list of filesystems that should not be disabled * Type: list * Required: no -* `os_chmod_home_folders` +* `os_hardening_enabled` * Default: `true` - * Description: Set to `false` to disable "chmod 700" of home folders for regular users + * Description: Whether to run the hardening * Type: bool * Required: no * `os_ignore_home_folder_users` 
@@ -343,41 +308,11 @@ To prevent some of the filesystems from being disabled, add them to the `os_file * Description: Specify user accounts, whose home folders shouldn't be chmodded to 700 when "os_chmod_home_folders" is enabled. * Type: list * Required: no -* `os_chmod_rootuser_home_folder` - * Default: `true` - * Description: Set to `false` to disable "chmod 700" of root's home folder - * Type: bool - * Required: no -* `os_rootuser_pw_ageing` - * Default: `false` - * Description: Set to true to enforce password age settings for root user(s) - * Type: bool - * Required: no -* `os_remove_additional_root_users` - * Default: `false` - * Description: When enabled and there are multiple users with UID=0, only "root" will be kept. Others will be deleted. - * Type: bool - * Required: no -* `os_user_pw_ageing` - * Default: `true` - * Description: Set to false to disable password age enforcement on existing users - * Type: bool - * Required: no -* `os_users_without_password_ageing` - * Default: `"[]"` - * Description: List of users, where password ageing should not be enforced even if "os_user_pw_ageing" is enabled +* `os_ignore_users` + * Default: `["vagrant", "kitchen"]` + * Description: Specify system accounts whose login should not be disabled and password not changed * Type: list * Required: no -* `os_cron_enabled` - * Default: `true` - * Description: Set to false to disable installing and configuring cron. - * Type: bool - * Required: no -* `os_ctrlaltdel_disabled` - * Default: `false` - * Description: Set to true to disable ctrl-alt-delete key combination. - * Type: bool - * Required: no * `os_limits_enabled` * Default: `true` * Description: Set to false to disable installing and configuring limits. 
@@ -393,89 +328,24 @@ To prevent some of the filesystems from being disabled, add them to the `os_file * Description: Set to false to disable installing and configuring minimize_access. * Type: bool * Required: no -* `os_pam_enabled` - * Default: `true` - * Description: Set to false to disable installing and configuring pam. - * Type: bool - * Required: no -* `os_modprobe_enabled` - * Default: `true` - * Description: Set to false to disable installing and configuring modprobe. - * Type: bool - * Required: no -* `os_profile_enabled` - * Default: `true` - * Description: Set to false to disable installing and configuring profile. - * Type: bool - * Required: no -* `os_security_auto_logout` - * Default: `0` - * Description: Set timeout in seconds for logout users automatically after time. Setting this to `0` disables the timeout. - * Type: int - * Required: no -* `os_securetty_enabled` - * Default: `true` - * Description: Set to false to disable installing and configuring securetty. - * Type: bool - * Required: no -* `os_sysctl_enabled` - * Default: `true` - * Description: Set to false to disable installing and configuring sysctl. - * Type: bool - * Required: no -* `os_user_accounts_enabled` - * Default: `true` - * Description: Set to false to disable installing and configuring user_accounts. - * Type: bool - * Required: no -* `os_rhosts_enabled` - * Default: `true` - * Description: Set to false to disable installing and configuring rhosts. - * Type: bool - * Required: no -* `os_yum_enabled` - * Default: `true` - * Description: Set to false to disable installing and configuring yum. - * Type: bool - * Required: no -* `os_yum_repo_file_whitelist` - * Default: `"[]"` - * Description: List of yum repository files under /etc/yum.repos.d/ which should not be altered. - * Type: list - * Required: no -* `os_apt_enabled` - * Default: `true` - * Description: Set to false to disable installing and configuring apt. 
- * Type: bool - * Required: no -* `os_selinux_enabled` - * Default: `true` - * Description: Set to false to disable installing and configuring selinux. - * Type: bool - * Required: no -* `os_sha_crypt_min_rounds` - * Default: `640000` - * Description: Define the number of minimum SHA rounds. With a lot of rounds brute forcing the password is more difficult. But note also that it more CPU resources will be needed to authenticate users. The values must be inside the 1000-999999999 range. - * Type: int - * Required: no -* `os_sha_crypt_max_rounds` - * Default: `640000` - * Description: Define the number of maximum SHA rounds. With a lot of rounds brute forcing the password is more difficult. But note also that it more CPU resources will be needed to authenticate users. The values must be inside the 1000-999999999 range. - * Type: int - * Required: no * `os_mnt_boot_dir_mode` * Default: `0700` * Description: Set default perimissions for /boot * Type: str * Required: no +* `os_mnt_boot_dump` + * Default: `ext3 + ext4 = 1 / other = 0` + * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype. + * Type: str + * Required: no * `os_mnt_boot_enabled` * Default: `false` * Description: Set to true to configure /boot mountpoint * Type: bool * Required: no -* `os_mnt_boot_src` +* `os_mnt_boot_filesystem` * Default: `''` - * Description: Set mount source for /boot + * Description: Configure file system for fstab entry /boot. If empty, the current file system type will be used. * Type: str * Required: no * `os_mnt_boot_options` 
@@ -483,34 +353,34 @@ To prevent some of the filesystems from being disabled, add them to the `os_file
 * Description: Configure mount options for /boot
 * Type: str
 * Required: no
-* `os_mnt_boot_filesystem`
- * Default: `''`
- * Description: Configure file system for fstab entry /boot. If empty, the current file system type will be used.
- * Type: str
- * Required: no
-* `os_mnt_boot_dump`
- * Default: `ext3 + ext4 = 1 / other = 0`
- * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype.
- * Type: str
- * Required: no
 * `os_mnt_boot_passno`
 * Default: `ext3 + ext4 = 2 / other = 0`
 * Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype.
 * Type: str
 * Required: no
+* `os_mnt_boot_src`
+ * Default: `''`
+ * Description: Set mount source for /boot
+ * Type: str
+ * Required: no
 * `os_mnt_dev_dir_mode`
 * Default: `0755`
 * Description: Set default perimissions for /dev
 * Type: str
 * Required: no
+* `os_mnt_dev_dump`
+ * Default: `0`
+ * Description: Configure dump for fstab entry /var/tmp.
+ * Type: str
+ * Required: no
 * `os_mnt_dev_enabled`
 * Default: `true`
 * Description: Set to false to ignore /dev mountpoint
 * Type: bool
 * Required: no
-* `os_mnt_dev_src`
+* `os_mnt_dev_filesystem`
 * Default: `devtmpfs`
- * Description: Set mount source for /dev
+ * Description: Configure file system for fstab entry /dev
 * Type: str
 * Required: no
 * `os_mnt_dev_options`
@@ -518,16 +388,6 @@ To prevent some of the filesystems from being disabled, add them to the `os_file
 * Description: Configure mount options for /dev
 * Type: str
 * Required: no
-* `os_mnt_dev_filesystem`
- * Default: `devtmpfs`
- * Description: Configure file system for fstab entry /dev
- * Type: str
- * Required: no
-* `os_mnt_dev_dump`
- * Default: `0`
- * Description: Configure dump for fstab entry /var/tmp.
- * Type: str
- * Required: no
 * `os_mnt_dev_passno`
 * Default: `0`
 * Description: Configure passno for fstab entry /var/tmp.
@@ -538,14 +398,19 @@ To prevent some of the filesystems from being disabled, add them to the `os_file
 * Description: Set default perimissions for /dev/shm
 * Type: str
 * Required: no
+* `os_mnt_dev_shm_dump`
+ * Default: `0`
+ * Description: Configure dump for fstab entry /var/tmp.
+ * Type: str
+ * Required: no
 * `os_mnt_dev_shm_enabled`
 * Default: `true`
 * Description: Set to false to ignore /dev/shm mountpoint
 * Type: bool
 * Required: no
-* `os_mnt_dev_shm_src`
+* `os_mnt_dev_shm_filesystem`
 * Default: `tmpfs`
- * Description: Set mount source for /dev/shm
+ * Description: Configure file system for fstab entry /dev/shm
 * Type: str
 * Required: no
 * `os_mnt_dev_shm_options`
@@ -553,19 +418,19 @@ To prevent some of the filesystems from being disabled, add them to the `os_file
 * Description: Configure mount options for /dev/shm
 * Type: str
 * Required: no
-* `os_mnt_dev_shm_filesystem`
- * Default: `tmpfs`
- * Description: Configure file system for fstab entry /dev/shm
+* `os_mnt_dev_shm_passno`
+ * Default: `0`
+ * Description: Configure passno for fstab entry /var/tmp.
 * Type: str
 * Required: no
-* `os_mnt_dev_shm_dump`
- * Default: `0`
- * Description: Configure dump for fstab entry /var/tmp.
+* `os_mnt_dev_shm_src`
+ * Default: `tmpfs`
+ * Description: Set mount source for /dev/shm
 * Type: str
 * Required: no
-* `os_mnt_dev_shm_passno`
- * Default: `0`
- * Description: Configure passno for fstab entry /var/tmp.
+* `os_mnt_dev_src`
+ * Default: `devtmpfs`
+ * Description: Set mount source for /dev
 * Type: str
 * Required: no
 * `os_mnt_home_dir_mode`
@@ -573,14 +438,19 @@ To prevent some of the filesystems from being disabled, add them to the `os_file
 * Description: Set default perimissions for /home
 * Type: str
 * Required: no
+* `os_mnt_home_dump`
+ * Default: `ext3/4 = 1, others = 0`
+ * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype.
+ * Type: str
+ * Required: no
 * `os_mnt_home_enabled`
 * Default: `false`
 * Description: Set to true to configure /home mountpoint
 * Type: bool
 * Required: no
-* `os_mnt_home_src`
+* `os_mnt_home_filesystem`
 * Default: `''`
- * Description: Set mount source for /home. If empty, the current file system source device will be used.
+ * Description: Configure file system for fstab entry /home. If empty, the current file system type will be used.
 * Type: str
 * Required: no
 * `os_mnt_home_options`
@@ -588,34 +458,34 @@ To prevent some of the filesystems from being disabled, add them to the `os_file
 * Description: Configure mount options for /home
 * Type: str
 * Required: no
-* `os_mnt_home_filesystem`
- * Default: `''`
- * Description: Configure file system for fstab entry /home. If empty, the current file system type will be used.
- * Type: str
- * Required: no
-* `os_mnt_home_dump`
- * Default: `ext3/4 = 1, others = 0`
- * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype.
- * Type: str
- * Required: no
 * `os_mnt_home_passno`
 * Default: `ext3/4 = 2, others = 0`
 * Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype.
 * Type: str
 * Required: no
+* `os_mnt_home_src`
+ * Default: `''`
+ * Description: Set mount source for /home. If empty, the current file system source device will be used.
+ * Type: str
+ * Required: no
 * `os_mnt_run_dir_mode`
 * Default: `0755`
 * Description: Set default perimissions for /run
 * Type: str
 * Required: no
+* `os_mnt_run_dump`
+ * Default: `0`
+ * Description: Configure dump for fstab entry /var/tmp.
+ * Type: str
+ * Required: no
 * `os_mnt_run_enabled`
 * Default: `true`
 * Description: Set to false to ignore /run mountpoint
 * Type: bool
 * Required: no
-* `os_mnt_run_src`
+* `os_mnt_run_filesystem`
 * Default: `tmpfs`
- * Description: Set mount source for /run
+ * Description: Configure file system for fstab entry /run
 * Type: str
 * Required: no
 * `os_mnt_run_options`
@@ -623,34 +493,34 @@ To prevent some of the filesystems from being disabled, add them to the `os_file
 * Description: Configure mount options for /run
 * Type: str
 * Required: no
-* `os_mnt_run_filesystem`
- * Default: `tmpfs`
- * Description: Configure file system for fstab entry /run
- * Type: str
- * Required: no
-* `os_mnt_run_dump`
- * Default: `0`
- * Description: Configure dump for fstab entry /var/tmp.
- * Type: str
- * Required: no
 * `os_mnt_run_passno`
 * Default: `0`
 * Description: Configure passno for fstab entry /var/tmp.
 * Type: str
 * Required: no
+* `os_mnt_run_src`
+ * Default: `tmpfs`
+ * Description: Set mount source for /run
+ * Type: str
+ * Required: no
 * `os_mnt_tmp_dir_mode`
 * Default: `1777`
 * Description: Set default perimissions for /tmp
 * Type: str
 * Required: no
+* `os_mnt_tmp_dump`
+ * Default: `ext3/4 = 1, others = 0`
+ * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype.
+ * Type: str
+ * Required: no
 * `os_mnt_tmp_enabled`
 * Default: `false`
 * Description: Set to true to configure /tmp mountpoint
 * Type: bool
 * Required: no
-* `os_mnt_tmp_src`
+* `os_mnt_tmp_filesystem`
 * Default: `''`
- * Description: Set mount source for /tmp. If empty, the current file system source device will be used.
+ * Description: Configure file system for fstab entry /tmp. If empty, the current file system type will be used.
 * Type: str
 * Required: no
 * `os_mnt_tmp_options`
@@ -658,69 +528,89 @@ To prevent some of the filesystems from being disabled, add them to the `os_file
 * Description: Configure mount options for /tmp
 * Type: str
 * Required: no
-* `os_mnt_tmp_filesystem`
- * Default: `''`
- * Description: Configure file system for fstab entry /tmp. If empty, the current file system type will be used.
- * Type: str
- * Required: no
-* `os_mnt_tmp_dump`
- * Default: `ext3/4 = 1, others = 0`
- * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype.
- * Type: str
- * Required: no
 * `os_mnt_tmp_passno`
 * Default: `ext3/4 = 2, others = 0`
 * Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype.
 * Type: str
 * Required: no
+* `os_mnt_tmp_src`
+ * Default: `''`
+ * Description: Set mount source for /tmp. If empty, the current file system source device will be used.
+ * Type: str
+ * Required: no
 * `os_mnt_var_dir_mode`
 * Default: `0755`
 * Description: Set default perimissions for /var
 * Type: str
 * Required: no
+* `os_mnt_var_dump`
+ * Default: `ext3/4 = 1, others = 0`
+ * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype.
+ * Type: str
+ * Required: no
 * `os_mnt_var_enabled`
 * Default: `false`
 * Description: Set to true to configure /var mountpoint
 * Type: bool
 * Required: no
-* `os_mnt_var_src`
+* `os_mnt_var_filesystem`
 * Default: `''`
- * Description: Set mount source for /var. If empty, the current file system source device will be used.
+ * Description: Configure file system for fstab entry /var. If empty, the current file system type will be used.
 * Type: str
 * Required: no
-* `os_mnt_var_options`
- * Default: `rw,nosuid,nodev`
- * Description: Configure mount options for /var
+* `os_mnt_var_log_audit_dir_mode`
+ * Default: `0640`
+ * Description: Set default perimissions for /var/log/audit
 * Type: str
 * Required: no
-* `os_mnt_var_filesystem`
+* `os_mnt_var_log_audit_dump`
+ * Default: `ext3/4 = 1, others = 0`
+ * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype.
+ * Type: str
+ * Required: no
+* `os_mnt_var_log_audit_enabled`
+ * Default: `false`
+ * Description: Set to true to configure /var/log/audit mountpoint
+ * Type: bool
+ * Required: no
+* `os_mnt_var_log_audit_filesystem`
 * Default: `''`
- * Description: Configure file system for fstab entry /var. If empty, the current file system type will be used.
+ * Description: Configure file system for fstab entry /var/log/audit. If empty, the current file system type will be used.
 * Type: str
 * Required: no
-* `os_mnt_var_dump`
- * Default: `ext3/4 = 1, others = 0`
- * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype.
+* `os_mnt_var_log_audit_options`
+ * Default: `rw,nosuid,nodev,noexec`
+ * Description: Configure mount options for /var/log/audit
 * Type: str
 * Required: no
-* `os_mnt_var_passno`
+* `os_mnt_var_log_audit_passno`
 * Default: `ext3/4 = 2, others = 0`
 * Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype.
 * Type: str
 * Required: no
+* `os_mnt_var_log_audit_src`
+ * Default: `''`
+ * Description: Set mount source for /var/log/audit. If empty, the current file system source device will be used.
+ * Type: str
+ * Required: no
 * `os_mnt_var_log_dir_mode`
 * Default: `0755`
 * Description: Set default perimissions for /var/log
 * Type: str
 * Required: no
+* `os_mnt_var_log_dump`
+ * Default: `ext3/4 = 1, others = 0`
+ * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype.
+ * Type: str
+ * Required: no
 * `os_mnt_var_log_enabled`
 * Default: `false`
 * Description: Set to true to configure /var/log mountpoint
 * Type: bool
 * Required: no
-* `os_mnt_var_log_src`
+* `os_mnt_var_log_filesystem`
 * Default: `''`
- * Description: Set mount source for /var/log. If empty, the current file system source device will be used.
+ * Description: Configure file system for fstab entry /var/log. If empty, the current file system type will be used.
 * Type: str
 * Required: no
 * `os_mnt_var_log_options`
@@ -728,69 +618,49 @@ To prevent some of the filesystems from being disabled, add them to the `os_file
 * Description: Configure mount options for /var/log
 * Type: str
 * Required: no
-* `os_mnt_var_log_filesystem`
- * Default: `''`
- * Description: Configure file system for fstab entry /var/log. If empty, the current file system type will be used.
- * Type: str
- * Required: no
-* `os_mnt_var_log_dump`
- * Default: `ext3/4 = 1, others = 0`
- * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype.
- * Type: str
- * Required: no
 * `os_mnt_var_log_passno`
 * Default: `ext3/4 = 2, others = 0`
 * Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype.
 * Type: str
 * Required: no
-* `os_mnt_var_log_audit_dir_mode`
- * Default: `0640`
- * Description: Set default perimissions for /var/log/audit
- * Type: str
- * Required: no
-* `os_mnt_var_log_audit_enabled`
- * Default: `false`
- * Description: Set to true to configure /var/log/audit mountpoint
- * Type: bool
- * Required: no
-* `os_mnt_var_log_audit_src`
- * Default: `''`
- * Description: Set mount source for /var/log/audit. If empty, the current file system source device will be used.
- * Type: str
- * Required: no
-* `os_mnt_var_log_audit_options`
- * Default: `rw,nosuid,nodev,noexec`
- * Description: Configure mount options for /var/log/audit
- * Type: str
- * Required: no
-* `os_mnt_var_log_audit_filesystem`
+* `os_mnt_var_log_src`
 * Default: `''`
- * Description: Configure file system for fstab entry /var/log/audit. If empty, the current file system type will be used.
+ * Description: Set mount source for /var/log. If empty, the current file system source device will be used.
 * Type: str
 * Required: no
-* `os_mnt_var_log_audit_dump`
- * Default: `ext3/4 = 1, others = 0`
- * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype.
+* `os_mnt_var_options`
+ * Default: `rw,nosuid,nodev`
+ * Description: Configure mount options for /var
 * Type: str
 * Required: no
-* `os_mnt_var_log_audit_passno`
+* `os_mnt_var_passno`
 * Default: `ext3/4 = 2, others = 0`
 * Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype.
 * Type: str
 * Required: no
+* `os_mnt_var_src`
+ * Default: `''`
+ * Description: Set mount source for /var. If empty, the current file system source device will be used.
+ * Type: str
+ * Required: no
 * `os_mnt_var_tmp_dir_mode`
 * Default: `1777`
 * Description: Set default perimissions for /var/tmp
 * Type: str
 * Required: no
+* `os_mnt_var_tmp_dump`
+ * Default: `ext3/4 = 1, others = 0`
+ * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype.
+ * Type: str
+ * Required: no
 * `os_mnt_var_tmp_enabled`
 * Default: `false`
 * Description: Set to true to configure /var/tmp mountpoint
 * Type: bool
 * Required: no
-* `os_mnt_var_tmp_src`
+* `os_mnt_var_tmp_filesystem`
 * Default: `''`
- * Description: Set mount source for /var/tmp. If empty, the current file system source device will be used.
+ * Description: Configure file system for fstab entry /var/tmp. If empty, the current file system type will be used.
 * Type: str
 * Required: no
 * `os_mnt_var_tmp_options`
@@ -798,21 +668,21 @@ To prevent some of the filesystems from being disabled, add them to the `os_file
 * Description: Configure mount options for /var/tmp
 * Type: str
 * Required: no
-* `os_mnt_var_tmp_filesystem`
- * Default: `''`
- * Description: Configure file system for fstab entry /var/tmp. If empty, the current file system type will be used.
- * Type: str
- * Required: no
-* `os_mnt_var_tmp_dump`
- * Default: `ext3/4 = 1, others = 0`
- * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype.
- * Type: str
- * Required: no
 * `os_mnt_var_tmp_passno`
 * Default: `ext3/4 = 2, others = 0`
 * Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype.
 * Type: str
 * Required: no
+* `os_mnt_var_tmp_src`
+ * Default: `''`
+ * Description: Set mount source for /var/tmp. If empty, the current file system source device will be used.
+ * Type: str
+ * Required: no
+* `os_modprobe_enabled`
+ * Default: `true`
+ * Description: Set to false to disable installing and configuring modprobe.
+ * Type: bool
+ * Required: no
 * `os_netrc_enabled`
 * Default: `true`
 * Description: Configure filesystem for existence of .netrc file in homedir
@@ -823,29 +693,214 @@ To prevent some of the filesystems from being disabled, add them to the `os_file
 * Description: Add list of user to allow creation of .netrc in users homedir
 * Type: list
 * Required: no
-* `sysctl_overwrite`
- * Default: `"{}"`
- * Description: To overwrite options in the `sysctl_config`-dict, overwrite them here.
- * Type: dict
+* `os_pam_enabled`
+ * Default: `true`
+ * Description: Set to false to disable installing and configuring pam.
+ * Type: bool
 * Required: no
-* `sysctl_config`
- * Default: `{"fs.protected_hardlinks": 1, "fs.protected_symlinks": 1, "fs.protected_fifos": 1, "fs.protected_regular": 2, "fs.suid_dumpable": 0, "kernel.core_uses_pid": 1, "kernel.kptr_restrict": 2, "kernel.kexec_load_disabled": 1, "kernel.sysrq": 0, "kernel.randomize_va_space": 2, "kernel.yama.ptrace_scope": 1, "net.ipv4.ip_forward": 0, "net.ipv6.conf.all.forwarding": 0, "net.ipv4.conf.all.rp_filter": 1, "net.ipv4.conf.default.rp_filter": 1, "net.ipv4.icmp_echo_ignore_broadcasts": 1, "net.ipv4.icmp_ignore_bogus_error_responses": 1, "net.ipv4.icmp_ratelimit": 100, "net.ipv4.icmp_ratemask": 88089, "net.ipv4.tcp_timestamps": 0, "net.ipv4.conf.all.arp_ignore": 1, "net.ipv4.conf.all.arp_announce": 2, "net.ipv4.tcp_rfc1337": 1, "net.ipv4.tcp_syncookies": 1, "net.ipv4.conf.all.shared_media": 1, "net.ipv4.conf.default.shared_media": 1, "net.ipv4.conf.all.accept_source_route": 0, "net.ipv4.conf.default.accept_source_route": 0, "net.ipv6.conf.all.accept_source_route": 0, "net.ipv6.conf.default.accept_source_route": 0, "net.ipv4.conf.all.send_redirects": 0, "net.ipv4.conf.default.send_redirects": 0, "net.ipv4.conf.all.log_martians": 1, "net.ipv4.conf.default.log_martians": 1, "net.ipv4.conf.default.accept_redirects": 0, "net.ipv4.conf.all.accept_redirects": 0, "net.ipv4.conf.all.secure_redirects": 0, "net.ipv4.conf.default.secure_redirects": 0, "net.ipv6.conf.default.accept_redirects": 0, "net.ipv6.conf.all.accept_redirects": 0, "net.ipv6.conf.all.accept_ra": 0,
"net.ipv6.conf.default.accept_ra": 0, "net.ipv6.conf.default.router_solicitations": 0, "net.ipv6.conf.all.router_solicitations": 0, "net.ipv6.conf.default.accept_ra_rtr_pref": 0, "net.ipv6.conf.default.accept_ra_pinfo": 0, "net.ipv6.conf.default.accept_ra_defrtr": 0, "net.ipv6.conf.default.autoconf": 0, "net.ipv6.conf.all.autoconf": 0, "net.ipv6.conf.default.dad_transmits": 0, "net.ipv6.conf.default.max_addresses": 1, "vm.mmap_min_addr": 65536, "vm.mmap_rnd_bits": 32, "vm.mmap_rnd_compat_bits": 16}`
- * Description: various sysctl-settings
- * Type: dict
+* `os_profile_enabled`
+ * Default: `true`
+ * Description: Set to false to disable installing and configuring profile.
+ * Type: bool
+ * Required: no
+* `os_remove_additional_root_users`
+ * Default: `false`
+ * Description: When enabled and there are multiple users with UID=0, only "root" will be kept. Others will be deleted.
+ * Type: bool
+ * Required: no
+* `os_rhosts_enabled`
+ * Default: `true`
+ * Description: Set to false to disable installing and configuring rhosts.
+ * Type: bool
+ * Required: no
+* `os_rootuser_pw_ageing`
+ * Default: `false`
+ * Description: Set to true to enforce password age settings for root user(s)
+ * Type: bool
+ * Required: no
+* `os_securetty_enabled`
+ * Default: `true`
+ * Description: Set to false to disable installing and configuring securetty.
+ * Type: bool
+ * Required: no
+* `os_security_auto_logout`
+ * Default: `0`
+ * Description: Set timeout in seconds for logout users automatically after time. Setting this to `0` disables the timeout.
+ * Type: int
+ * Required: no
+* `os_security_init_prompt`
+ * Default: `true`
+ * Description: The PROMPT option provides console users the ability to interactively boot the system and select which services to start on boot.
+ * Type: bool
+ * Required: no
+* `os_security_init_single`
+ * Default: `false`
+ * Description: Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. To require entry of the root password even if the system is started in single-user mode, set this to false
+ * Type: bool
+ * Required: no
+* `os_security_kernel_enable_core_dump`
+ * Default: `false`
+ * Description: kernel is crashing or otherwise misbehaving and a kernel core dump is created.
+ * Type: bool
+ * Required: no
+* `os_security_kernel_enable_module_loading`
+ * Default: `true`
+ * Description: true if you want to allowed to change kernel modules once the system is running (eg `modprobe`, `rmmod`). WARNING - Rebuilding initramfs is deprecated and will be removed in the next major release. For more information take a look at this issue
+ * Type: bool
+ * Required: no
+* `os_security_packages_clean`
+ * Default: `true`
+ * Description: removes packages with known issues. See section packages.
+ * Type: bool
+ * Required: no
+* `os_security_packages_list`
+ * Default: `["xinetd", "inetd", "ypserv", "telnet-server", "rsh-server", "prelink"]`
+ * Description: List of deprecated or insecure packages to remove
+ * Type: list
+ * Required: no
+* `os_security_suid_sgid_blacklist`
+ * Default: `"[]"`
+ * Description: a list of paths which should have their SUID/SGID bits removed.
+ * Type: list
+ * Required: no
+* `os_security_suid_sgid_enforce`
+ * Default: `true`
+ * Description: true if you want to reduce SUID/SGID bits. There is already a list of items which are searched for configured, but you can also add your own.
+ * Type: bool
+ * Required: no
+* `os_security_suid_sgid_remove_from_unknown`
+ * Default: `false`
+ * Description: true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`.
This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.
+ * Type: bool
+ * Required: no
+* `os_security_suid_sgid_whitelist`
+ * Default: `"[]"`
+ * Description: a list of paths which should not have their SUID/SGID bits altered.
+ * Type: list
+ * Required: no
+* `os_security_users_allow`
+ * Default: `"[]"`
+ * Description: list of things, that a user is allowed to do. May contain `change_user`.
+ * Type: list
+ * Required: no
+* `os_selinux_enabled`
+ * Default: `true`
+ * Description: Set to false to disable installing and configuring selinux.
+ * Type: bool
+ * Required: no
+* `os_selinux_policy`
+ * Default: `targeted`
+ * Description: Set the SELinux polixy.
+ * Type: str
+ * Required: no
+* `os_selinux_state`
+ * Default: `enforcing`
+ * Description: Set the SELinux state, can be either disabled, permissive, or enforcing.
+ * Type: str
+ * Required: no
+* `os_sha_crypt_max_rounds`
+ * Default: `640000`
+ * Description: Define the number of maximum SHA rounds. With a lot of rounds brute forcing the password is more difficult. But note also that it more CPU resources will be needed to authenticate users. The values must be inside the 1000-999999999 range.
+ * Type: int
+ * Required: no
+* `os_sha_crypt_min_rounds`
+ * Default: `640000`
+ * Description: Define the number of minimum SHA rounds. With a lot of rounds brute forcing the password is more difficult. But note also that it more CPU resources will be needed to authenticate users. The values must be inside the 1000-999999999 range.
+ * Type: int
+ * Required: no
+* `os_sysctl_enabled`
+ * Default: `true`
+ * Description: Set to false to disable installing and configuring sysctl.
+ * Type: bool
 * Required: no
 * `os_unused_filesystems`
 * Default: `["cramfs", "freevxfs", "jffs2", "hfs", "hfsplus", "squashfs", "udf", "vfat", "dccp", "rds", "sctp", "tipc"]`
 * Description: Disable this list of unused filesystems
 * Type: list
 * Required: no
-* `os_filesystem_whitelist`
+* `os_user_accounts_enabled`
+ * Default: `true`
+ * Description: Set to false to disable installing and configuring user_accounts.
+ * Type: bool
+ * Required: no
+* `os_user_pw_ageing`
+ * Default: `true`
+ * Description: Set to false to disable password age enforcement on existing users
+ * Type: bool
+ * Required: no
+* `os_users_without_password_ageing`
 * Default: `"[]"`
- * Description: A list of filesystems that should not be disabled
+ * Description: List of users, where password ageing should not be enforced even if "os_user_pw_ageing" is enabled
 * Type: list
 * Required: no
-* `os_hardening_enabled`
+* `os_yum_enabled`
 * Default: `true`
- * Description: Whether to run the hardening
+ * Description: Set to false to disable installing and configuring yum.
+ * Type: bool
+ * Required: no
+* `os_yum_repo_file_whitelist`
+ * Default: `"[]"`
+ * Description: List of yum repository files under /etc/yum.repos.d/ which should not be altered.
+ * Type: list
+ * Required: no
+* `proc_mnt_options`
+ * Default: `rw,nosuid,nodev,noexec,relatime`
+ * Description: Mount proc with hardenized options. Note that the hidepid option is set separately in vars/.
+ * Type: str
+ * Required: no
+* `sysctl_config`
+ * Default: `{"fs.protected_hardlinks": 1, "fs.protected_symlinks": 1, "fs.protected_fifos": 1, "fs.protected_regular": 2, "fs.suid_dumpable": 0, "kernel.core_uses_pid": 1, "kernel.kptr_restrict": 2, "kernel.kexec_load_disabled": 1, "kernel.sysrq": 0, "kernel.randomize_va_space": 2, "kernel.yama.ptrace_scope": 1, "net.ipv4.ip_forward": 0, "net.ipv6.conf.all.forwarding": 0, "net.ipv4.conf.all.rp_filter": 1, "net.ipv4.conf.default.rp_filter": 1, "net.ipv4.icmp_echo_ignore_broadcasts": 1, "net.ipv4.icmp_ignore_bogus_error_responses": 1, "net.ipv4.icmp_ratelimit": 100, "net.ipv4.icmp_ratemask": 88089, "net.ipv4.tcp_timestamps": 0, "net.ipv4.conf.all.arp_ignore": 1, "net.ipv4.conf.all.arp_announce": 2, "net.ipv4.tcp_rfc1337": 1, "net.ipv4.tcp_syncookies": 1, "net.ipv4.conf.all.shared_media": 1, "net.ipv4.conf.default.shared_media": 1, "net.ipv4.conf.all.accept_source_route": 0, "net.ipv4.conf.default.accept_source_route": 0, "net.ipv6.conf.all.accept_source_route": 0, "net.ipv6.conf.default.accept_source_route": 0, "net.ipv4.conf.all.send_redirects": 0, "net.ipv4.conf.default.send_redirects": 0, "net.ipv4.conf.all.log_martians": 1, "net.ipv4.conf.default.log_martians": 1, "net.ipv4.conf.default.accept_redirects": 0, "net.ipv4.conf.all.accept_redirects": 0, "net.ipv4.conf.all.secure_redirects": 0, "net.ipv4.conf.default.secure_redirects": 0, "net.ipv6.conf.default.accept_redirects": 0, "net.ipv6.conf.all.accept_redirects": 0, "net.ipv6.conf.all.accept_ra": 0, "net.ipv6.conf.default.accept_ra": 0, "net.ipv6.conf.default.router_solicitations": 0, "net.ipv6.conf.all.router_solicitations": 0, "net.ipv6.conf.default.accept_ra_rtr_pref": 0, "net.ipv6.conf.default.accept_ra_pinfo": 0, "net.ipv6.conf.default.accept_ra_defrtr": 0, "net.ipv6.conf.default.autoconf": 0, "net.ipv6.conf.all.autoconf": 0, "net.ipv6.conf.default.dad_transmits": 0, "net.ipv6.conf.default.max_addresses": 1, "vm.mmap_min_addr": 65536, "vm.mmap_rnd_bits":
32, "vm.mmap_rnd_compat_bits": 16}`
+ * Description: various sysctl-settings
+ * Type: dict
+ * Required: no
+* `sysctl_overwrite`
+ * Default: `"{}"`
+ * Description: To overwrite options in the `sysctl_config`-dict, overwrite them here.
+ * Type: dict
+ * Required: no
+* `ufw_default_application_policy`
+ * Default: `SKIP`
+ * Description: The default application policy is skip, which means that the update --add-new command will do nothing
+ * Type: str
+ * Required: no
+* `ufw_default_forward_policy`
+ * Default: `DROP`
+ * Description: set default forward policy of ufw to `DROP`.
+ * Type: str
+ * Required: no
+* `ufw_default_input_policy`
+ * Default: `DROP`
+ * Description: set default input policy of ufw to `DROP`.
+ * Type: str
+ * Required: no
+* `ufw_default_output_policy`
+ * Default: `ACCEPT`
+ * Description: set default output policy of ufw to `ACCEPT`.
+ * Type: str
+ * Required: no
+* `ufw_enable_ipv6`
+ * Default: `true`
+ * Description: Set to `true` to apply rules to support IPv6 (no means only IPv6 on loopback accepted).
+ * Type: bool
+ * Required: no
+* `ufw_ipt_modules`
+ * Default: `nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns`
+ * Description: Define which netfilter modules to load
+ * Type: str
+ * Required: no
+* `ufw_ipt_sysctl`
+ * Default: `''`
+ * Description: by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example `/etc/ufw/sysctl.conf`.
+ * Type: str
+ * Required: no
+* `ufw_manage_builtins`
+ * Default: `no`
+ * Description: If this variable is set to 'yes', on stop and reload the built-in chains are flushed. If it is set to 'no', on stop and reload the ufw secondary chains are removed and the ufw primary chains are flushed
+ * Type: str
+ * Required: no
+* `ufw_manage_defaults`
+ * Default: `true`
+ * Description: true means apply all settings with `ufw_` prefix.
 * Type: bool
 * Required: no
diff --git a/roles/ssh_hardening/README.md b/roles/ssh_hardening/README.md
index 9b2fb5388..c088f09d7 100644
--- a/roles/ssh_hardening/README.md
+++ b/roles/ssh_hardening/README.md
@@ -26,132 +26,142 @@ Warning: This role disables root-login on the target server! Please make sure yo * `network_ipv6_enable` * Default: `true` - * Description: false if IPv6 is not needed. `ssh_listen_to` must also be set to listen to IPv6 addresses (for example `[::]`). + * Description: `false` if IPv6 is not needed. `ssh_listen_to` must also be set to listen to IPv6 addresses (for example `[::]`). * Type: bool * Required: no -* `ssh_client_config_file` - * Default: `/etc/ssh/ssh_config` - * Description: path of the ssh client configuration file, e.g. `/etc/ssh/ssh_config.d/custom.conf`. - * Type: str +* `sftp_chroot` + * Default: `true` + * Description: Set to `false` to disable chroot for sftp. + * Type: bool * Required: no -* `ssh_server_config_file` - * Default: `/etc/ssh/sshd_config` - * Description: path of the ssh server configuration file, e.g. `/etc/ssh/sshd_config.d/custom.conf`. +* `sftp_chroot_dir` + * Default: `/home/%u` + * Description: change default stp chroot location * Type: str * Required: no -* `ssh_server_ports` - * Default: `["22"]` - * Description: ports on which ssh-server should listen. - * Type: list +* `sftp_enabled` + * Default: `true` + * Description: Set to `false` to disable sftp configuration. + * Type: bool * Required: no -* `ssh_client_port` - * Default: `22` - * Description: Specifies the port number to connect on the remote host. +* `sftp_umask` + * Default: `0027` + * Description: Specifies the umask for sftp. * Type: str * Required: no -* `ssh_listen_to` - * Default: `["0.0.0.0"]` - * Description: one or more ip addresses, to which ssh-server should listen to. Default i all IPv4 addresses, but should be configured to specific addresses for security reasons - * Type: list +* `ssh_allow_agent_forwarding` + * Default: `false` + * Description: Set to `false` to disable Agent Forwarding. Set to `true` to allow Agent Forwarding. 
+ * Type: bool * Required: no -* `ssh_host_key_files` +* `ssh_allow_groups` * Default: `` - * Description: Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version. - * Type: list + * Description: if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. + * Type: str * Required: no -* `ssh_host_rsa_key_size` - * Default: `4096` - * Description: Specifies the number of bits in the private host RSA key to create. +* `ssh_allow_tcp_forwarding` + * Default: `no` + * Description: Set to `'no'` or `false` to disable TCP Forwarding. Set to `'yes'` or`True` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `'yes'`, `'no'`, `'all'`, `'local'`or`'remote'`. * Type: str * Required: no -* `ssh_host_key_algorithms` +* `ssh_allow_users` * Default: `` - * Description: Host key algorithms that the server offers. If empty the default lst will be used. Otherwise overrides the setting with specified list of algorithms. Check `man sshd_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version - * Type: list + * Description: if specified, login is allowed only for user names that match one of the patterns. + * Type: str * Required: no -* `ssh_client_host_key_algorithms` +* `ssh_authorized_keys_file` * Default: `` - * Description: Specifies the host key algorithms that the client wants to use in order of preference. If empty the default lst will be used. Otherwise overrides the setting with specified list of algorithms. Check `man ssh_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version! 
+ * Description: change default file that contains the public keys that can be used for user authentication + * Type: str + * Required: no +* `ssh_authorized_principals` + * Default: `` + * Description: list of hashes containing file paths and authorized principals, see `default_cstom.yml` for all options. Only used if `ssh_authorized_principals_file` is set * Type: list * Required: no -* `ssh_client_alive_interval` - * Default: `600` - * Description: specifies an interval for sending keepalive messages. +* `ssh_authorized_principals_file` + * Default: `` + * Description: specifies the file containing principals that are allowed. Only used if `ssh_trusted_user_ca_keys_file` is set. * Type: str * Required: no -* `ssh_client_alive_count` - * Default: `3` - * Description: Defines the number of acceptable unanswered client alive messages before disconnecting clients. +* `ssh_banner` + * Default: `false` + * Description: Set to `true` to print a banner on login. + * Type: bool + * Required: no +* `ssh_banner_path` + * Default: `/etc/sshd/banner.txt` + * Description: path to the SSH banner file. * Type: str * Required: no -* `ssh_permit_tunnel` +* `ssh_challengeresponseauthentication` * Default: `false` - * Description: true if SSH Port Tunneling is required. + * Description: Specifies whether challenge-response authentication is allowed (e.g. via PAM). * Type: bool * Required: no -* `ssh_remote_hosts` +* `ssh_ciphers` * Default: `` - * Description: one or more hosts and their custom options for the ssh-client. Default i empty. See examples in `defaults/ain.yml` + * Description: Change this list to overwrite ciphers. Defaults found in `defaults/main.yml` * Type: list * Required: no -* `ssh_permit_root_login` - * Default: `no` - * Description: Disable root-login. Set to `'without-password'` or `'yes'` to enable root-login - The quotes are required! 
+* `ssh_client_alive_count` + * Default: `3` + * Description: Defines the number of acceptable unanswered client alive messages before disconnecting clients. * Type: str * Required: no -* `ssh_allow_tcp_forwarding` - * Default: `no` - * Description: 'no' or `False` to disable TCP Forwarding. Set to `'yes'` or `True` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `'yes'`, `'no'`, `'all'`, `'local'`or`'remote'`. +* `ssh_client_alive_interval` + * Default: `600` + * Description: specifies an interval for sending keepalive messages. * Type: str * Required: no -* `ssh_gateway_ports` - * Default: `false` - * Description: `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to. - * Type: bool - * Required: no -* `ssh_allow_agent_forwarding` +* `ssh_client_compression` * Default: `false` - * Description: false to disable Agent Forwarding. Set to true to allow Agent Forwarding. + * Description: Specifies whether the client requests compression. * Type: bool * Required: no -* `ssh_x11_forwarding` - * Default: `false` - * Description: false to disable X11 Forwarding. Set to true to allow X11 Forwarding. - * Type: bool +* `ssh_client_config_file` + * Default: `/etc/ssh/ssh_config` + * Description: path of the ssh client configuration file, e.g. `/etc/ssh/ssh_config.d/custom.conf`. + * Type: str * Required: no -* `ssh_pam_support` +* `ssh_client_hardening` * Default: `true` - * Description: true if SSH has PAM support. + * Description: `false` to stop harden the client. * Type: bool * Required: no -* `ssh_use_pam` - * Default: `true` - * Description: false to disable pam authentication. - * Type: bool +* `ssh_client_host_key_algorithms` + * Default: `` + * Description: Specifies the host key algorithms that the client wants to use in order of preference. If empty the default list will be used. 
Otherwise overrides the setting with specified list of algorithms. Check `man ssh_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version! + * Type: list * Required: no -* `ssh_gssapi_support` +* `ssh_client_password_login` * Default: `false` - * Description: Set to true to enable GSSAPI authentication (both client and server). + * Description: Set to `true` to allow password-based authentication with the ssh client. * Type: bool * Required: no -* `ssh_gssapi_delegation` +* `ssh_client_port` + * Default: `22` + * Description: Specifies the port number to connect on the remote host. + * Type: str + * Required: no +* `ssh_client_roaming` * Default: `false` - * Description: Set to true to enable GSSAPI credential forwarding. + * Description: enable experimental client roaming. * Type: bool * Required: no -* `ssh_kerberos_support` - * Default: `true` - * Description: true if SSH has Kerberos support. +* `ssh_compression` + * Default: `false` + * Description: Specifies whether server-side compression is enabled after the user has authenticated successfully. * Type: bool * Required: no -* `ssh_deny_users` - * Default: `` - * Description: if specified, login is disallowed for user names that match one of the patterns. +* `ssh_custom_options` + * Default: `[]` + * Description: Custom lines for SSH client configuration. * Type: str * Required: no -* `ssh_allow_users` - * Default: `` - * Description: if specified, login is allowed only for user names that match one of the patterns. +* `ssh_custom_selinux_dir` + * Default: `/etc/selinux/local-policies` + * Description: directory where to store the ssh_password policy * Type: str * Required: no * `ssh_deny_groups` 
@@ -159,149 +169,149 @@ Warning: This role disables root-login on the target server! Please make sure yo * Description: if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns. * Type: str * Required: no -* `ssh_allow_groups` - * Default: `` - * Description: if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. - * Type: str - * Required: no -* `ssh_authorized_keys_file` - * Default: `` - * Description: change default file that contains the public keys that can be used for user authentication - * Type: str - * Required: no -* `ssh_trusted_user_ca_keys_file` - * Default: `` - * Description: specifies the file containing trusted certificate authorities public keys used to sign user certificates. - * Type: str - * Required: no -* `ssh_trusted_user_ca_keys` - * Default: `` - * Description: set the trusted certificate authorities public keys used to sign user certificates. Only used if `ssh_trusted_user_ca_keys_file` is set. - * Type: list - * Required: no -* `ssh_authorized_principals_file` +* `ssh_deny_users` * Default: `` - * Description: specifies the file containing principals that are allowed. Only used if `ssh_trusted_user_ca_keys_file` is set. + * Description: if specified, login is disallowed for user names that match one of the patterns. * Type: str * Required: no -* `ssh_authorized_principals` - * Default: `` - * Description: list of hashes containing file paths and authorized principals, see `default_cstom.yml` for all options. Only used if `ssh_authorized_principals_file` is set - * Type: list - * Required: no -* `ssh_print_motd` +* `ssh_gateway_ports` * Default: `false` - * Description: false to disable printing of the MOTD. + * Description: Set to `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. 
Set to `clientspecified` to allow the client to specify which address to bind to. * Type: bool * Required: no -* `ssh_print_pam_motd` +* `ssh_gssapi_delegation` * Default: `false` - * Description: false to disable printing of the MOTD via pam (Debian and Ubuntu). + * Description: Set to `true` to enable GSSAPI credential forwarding. * Type: bool * Required: no -* `ssh_print_last_log` +* `ssh_gssapi_support` * Default: `false` - * Description: false to disable display of last login information. + * Description: Set to `true` to enable GSSAPI authentication (both client and server). * Type: bool * Required: no -* `sftp_enabled` +* `ssh_hardening_enabled` * Default: `true` - * Description: false to disable sftp configuration. + * Description: Whether to run the hardening * Type: bool * Required: no -* `sftp_umask` - * Default: `0027` - * Description: Specifies the umask for sftp. +* `ssh_host_certificates` + * Default: `` + * Description: Host certificates to look for when starting sshd + * Type: list + * Required: no +* `ssh_host_key_algorithms` + * Default: `` + * Description: Host key algorithms that the server offers. If empty the default list will be used. Otherwise overrides the setting with specified list of algorithms. Check `man sshd_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version + * Type: list + * Required: no +* `ssh_host_key_files` + * Default: `` + * Description: Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version. + * Type: list + * Required: no +* `ssh_host_rsa_key_size` + * Default: `4096` + * Description: Specifies the number of bits in the private host RSA key to create. * Type: str * Required: no -* `sftp_chroot` +* `ssh_kerberos_support` * Default: `true` - * Description: false to disable chroot for sftp. 
+ * Description: Set to `true` if SSH has Kerberos support. * Type: bool * Required: no -* `sftp_chroot_dir` - * Default: `/home/%u` - * Description: change default stp chroot location +* `ssh_kex` + * Default: `` + * Description: Change this list to overwrite kexs. Defaults found in `defaults/main.yml` + * Type: list + * Required: no +* `ssh_listen_to` + * Default: `["0.0.0.0"]` + * Description: one or more ip addresses, to which ssh-server should listen to. Default is all IPv4 addresses, but should be configured to specific addresses for security reasons + * Type: list + * Required: no +* `ssh_login_grace_time` + * Default: `30s` + * Description: specifies the time allowed for successful authentication to the SSH server. * Type: str * Required: no -* `ssh_client_roaming` - * Default: `false` - * Description: enable experimental client roaming. - * Type: bool +* `ssh_macs` + * Default: `` + * Description: Change this list to overwrite macs. Defaults found in `defaults/main.yml` + * Type: list * Required: no -* `sshd_moduli_file` - * Default: `/etc/ssh/moduli` - * Description: path to the SSH moduli file. +* `ssh_max_auth_retries` + * Default: `2` + * Description: Specifies the maximum number of authentication attempts permitted per connection. * Type: str * Required: no -* `sshd_moduli_minimum` - * Default: `2048` - * Description: remove Diffie-Hellman parameters smaller than the defined size to mitigate logjam. +* `ssh_max_sessions` + * Default: `10` + * Description: Specifies the maximum number of open sessions permitted from a given connection. * Type: str * Required: no -* `ssh_challengeresponseauthentication` - * Default: `false` - * Description: Specifies whether challenge-response authentication is allowed (e.g. via PAM). - * Type: bool +* `ssh_max_startups` + * Default: `10:30:60` + * Description: Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. 
+ * Type: str * Required: no -* `ssh_client_password_login` - * Default: `false` - * Description: `true` to allow password-based authentication with the ssh client. +* `ssh_pam_support` + * Default: `true` + * Description: Set to `true` if SSH has PAM support. * Type: bool * Required: no -* `ssh_server_password_login` +* `ssh_permit_root_login` + * Default: `no` + * Description: Disable root-login. Set to `'without-password'` or `'yes'` to enable root-login - The quotes are required! + * Type: str + * Required: no +* `ssh_permit_tunnel` * Default: `false` - * Description: `true` to allow password-based authentication to the ssh server. You probably also need to change `sshd_authenticationmethods` to include `password` if you set `ssh_server_password_login`: `true`. + * Description: `true` if SSH Port Tunneling is required. * Type: bool * Required: no -* `ssh_banner` +* `ssh_print_debian_banner` * Default: `false` - * Description: `true` to print a banner on login. + * Description: Set to `true` to print debian specific banner. * Type: bool * Required: no -* `ssh_banner_path` - * Default: `/etc/sshd/banner.txt` - * Description: path to the SSH banner file. - * Type: str - * Required: no -* `ssh_client_hardening` - * Default: `true` - * Description: `false` to stop harden the client. +* `ssh_print_last_log` + * Default: `false` + * Description: Set to `false` to disable display of last login information. * Type: bool * Required: no -* `ssh_client_compression` +* `ssh_print_motd` * Default: `false` - * Description: Specifies whether the client requests compression. + * Description: Set to `false` to disable printing of the MOTD. * Type: bool * Required: no -* `ssh_compression` +* `ssh_print_pam_motd` * Default: `false` - * Description: Specifies whether server-side compression is enabled after the user has authenticated successfully. + * Description: Set to `false` to disable printing of the MOTD via pam (Debian and Ubuntu). 
* Type: bool * Required: no -* `ssh_login_grace_time` - * Default: `30s` - * Description: specifies the time allowed for successful authentication to the SSH server. +* `ssh_ps59` + * Default: `sandbox` + * Description: Specifies whether sshd separates privileges by creating an unprivileged child process to deal with incoming network traffic. * Type: str * Required: no -* `ssh_max_auth_retries` - * Default: `2` - * Description: Specifies the maximum number of authentication attempts permitted per connection. - * Type: str +* `ssh_remote_hosts` + * Default: `` + * Description: one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml` + * Type: list * Required: no -* `ssh_max_sessions` - * Default: `10` - * Description: Specifies the maximum number of open sessions permitted from a given connection. +* `ssh_server_accept_env_vars` + * Default: `` + * Description: Specifies what environment variables sent by the client will be copied into the session's environment, multiple environment variables may be separated by whitespace. * Type: str * Required: no -* `ssh_print_debian_banner` - * Default: `false` - * Description: `true` to print debian specific banner. - * Type: bool +* `ssh_server_config_file` + * Default: `/etc/ssh/sshd_config` + * Description: path of the ssh server configuration file, e.g. `/etc/ssh/sshd_config.d/custom.conf`. + * Type: str * Required: no * `ssh_server_enabled` * Default: `true` - * Description: `false` to disable the opensshd server. + * Description: Set to `false` to disable the opensshd server. * Type: bool * Required: no * `ssh_server_hardening` 
@@ -319,59 +329,64 @@ Warning: This role disables root-login on the target server! Please make sure yo * Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. * Type: str * Required: no -* `ssh_server_match_user` +* `ssh_server_match_local_port` * Default: `` * Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. * Type: str * Required: no -* `ssh_server_match_local_port` +* `ssh_server_match_user` * Default: `` * Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. * Type: str * Required: no +* `ssh_server_password_login` + * Default: `false` + * Description: Set to `true` to allow password-based authentication to the ssh server. You probably also need to change `sshd_authenticationmethods` to include `password` if you set `ssh_server_password_login`: `true`. + * Type: bool + * Required: no * `ssh_server_permit_environment_vars` * Default: `no` * Description: `yes` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global 'yes' or 'no' settings. * Type: str * Required: no -* `ssh_server_accept_env_vars` - * Default: `` - * Description: Specifies what environment variables sent by the client will be copied into the session's environment, multiple environment variables may be separated by whitespace. 
- * Type: str - * Required: no -* `ssh_use_dns` - * Default: `false` - * Description: Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. - * Type: bool +* `ssh_server_ports` + * Default: `["22"]` + * Description: ports on which ssh-server should listen. + * Type: list * Required: no * `ssh_server_revoked_keys` * Default: `` * Description: a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys. * Type: list * Required: no -* `ssh_max_startups` - * Default: `10:30:60` - * Description: Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. - * Type: str - * Required: no -* `ssh_macs` +* `ssh_trusted_user_ca_keys` * Default: `` - * Description: Change this list to overwrite macs. Defaults found in `defaults/main.yml` + * Description: set the trusted certificate authorities public keys used to sign user certificates. Only used if `ssh_trusted_user_ca_keys_file` is set. * Type: list * Required: no -* `ssh_kex` +* `ssh_trusted_user_ca_keys_file` * Default: `` - * Description: Change this list to overwrite kexs. Defaults found in `defaults/main.yml` - * Type: list + * Description: specifies the file containing trusted certificate authorities public keys used to sign user certificates. + * Type: str * Required: no -* `ssh_ciphers` - * Default: `` - * Description: Change this list to overwrite ciphers. Defaults found in `defaults/main.yml` - * Type: list +* `ssh_use_dns` + * Default: `false` + * Description: Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. + * Type: bool * Required: no -* `ssh_custom_options` - * Default: `[]` - * Description: Custom lines for SSH client configuration. 
+* `ssh_use_pam` + * Default: `true` + * Description: Set to `false` to disable pam authentication. + * Type: bool + * Required: no +* `ssh_x11_forwarding` + * Default: `false` + * Description: Set to `false` to disable X11 Forwarding. Set to `true` to allow X11 Forwarding. + * Type: bool + * Required: no +* `sshd_authenticationmethods` + * Default: `publickey` + * Description: Specifies the authentication methods that must be successfully completed for a user to be granted access. Make sure to set all required variables for your selected authentication method. Defaults found in `defaults/main.yml` * Type: str * Required: no * `sshd_custom_options` 
@@ -379,44 +394,29 @@ Warning: This role disables root-login on the target server! Please make sure yo * Description: Custom lines for SSH daemon configuration. * Type: list * Required: no -* `sshd_syslog_facility` - * Default: `AUTH` - * Description: The facility code that is used when logging messages from sshd. - * Type: str - * Required: no * `sshd_log_level` * Default: `VERBOSE` * Description: the verbosity level that is used when logging messages from sshd. * Type: str * Required: no -* `sshd_strict_modes` - * Default: `true` - * Description: Check file modes and ownership of the user's files and home directory before accepting login. - * Type: bool - * Required: no -* `sshd_authenticationmethods` - * Default: `publickey` - * Description: Specifies the authentication methods that must be successfully completed for a user to be granted access. Make sure to set all required variables for your selected authentication method. Defaults found in `defaults/main.yml` +* `sshd_moduli_file` + * Default: `/etc/ssh/moduli` + * Description: path to the SSH moduli file. * Type: str * Required: no -* `ssh_custom_selinux_dir` - * Default: `/etc/selinux/local-policies` - * Description: directory where to store the ssh_password policy +* `sshd_moduli_minimum` + * Default: `2048` + * Description: remove Diffie-Hellman parameters smaller than the defined size to mitigate logjam. * Type: str * Required: no -* `ssh_hardening_enabled` +* `sshd_strict_modes` * Default: `true` - * Description: Whether to run the hardening + * Description: Check file modes and ownership of the user's files and home directory before accepting login. * Type: bool * Required: no -* `ssh_host_certificates` - * Default: `` - * Description: Host certificates to look for when starting sshd - * Type: list - * Required: no -* `ssh_ps59` - * Default: `sandbox` - * Description: Specifies whether sshd separates privileges by creating an unprivileged child process to deal with incoming network traffic. 
+* `sshd_syslog_facility` + * Default: `AUTH` + * Description: The facility code that is used when logging messages from sshd. * Type: str * Required: no diff --git a/roles/ssh_hardening/meta/argument_specs.yml b/roles/ssh_hardening/meta/argument_specs.yml index 959808d26..cf0665339 100644 --- a/roles/ssh_hardening/meta/argument_specs.yml +++ b/roles/ssh_hardening/meta/argument_specs.yml 
@@ -74,45 +74,45 @@ argument_specs: enable root-login - The quotes are required! ssh_allow_tcp_forwarding: default: 'no' - description: Set to `'no'` or `False` to disable TCP Forwarding. Set to `'yes'` + description: Set to `'no'` or `false` to disable TCP Forwarding. Set to `'yes'` or`True` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `'yes'`, `'no'`, `'all'`, `'local'`or`'remote'`. ssh_gateway_ports: default: false type: bool - description: '`false` to disable binding forwarded ports to non-loopback addresses. + description: Set to `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` - to allow the client to specify which address to bind to.' + to allow the client to specify which address to bind to. ssh_allow_agent_forwarding: default: false type: bool - description: false to disable Agent Forwarding. Set to true to allow Agent + description: Set to `false` to disable Agent Forwarding. Set to `true` to allow Agent Forwarding. ssh_x11_forwarding: default: false type: bool - description: false to disable X11 Forwarding. Set to true to allow X11 Forwarding. + description: Set to `false` to disable X11 Forwarding. Set to `true` to allow X11 Forwarding. ssh_pam_support: default: true type: bool - description: true if SSH has PAM support. + description: Set to `true` if SSH has PAM support. ssh_use_pam: default: true type: bool - description: false to disable pam authentication. + description: Set to `false` to disable pam authentication. ssh_gssapi_support: default: false type: bool - description: Set to true to enable GSSAPI authentication (both client and + description: Set to `true` to enable GSSAPI authentication (both client and server). ssh_gssapi_delegation: default: false type: bool - description: Set to true to enable GSSAPI credential forwarding. + description: Set to `true` to enable GSSAPI credential forwarding. 
ssh_kerberos_support: default: true type: bool - description: true if SSH has Kerberos support. + description: Set to `true` if SSH has Kerberos support. ssh_deny_users: default: '' description: if specified, login is disallowed for user names that match one @@ -155,26 +155,26 @@ argument_specs: ssh_print_motd: default: false type: bool - description: false to disable printing of the MOTD. + description: Set to `false` to disable printing of the MOTD. ssh_print_pam_motd: default: false type: bool - description: false to disable printing of the MOTD via pam (Debian and Ubuntu). + description: Set to `false` to disable printing of the MOTD via pam (Debian and Ubuntu). ssh_print_last_log: default: false type: bool - description: false to disable display of last login information. + description: Set to `false` to disable display of last login information. sftp_enabled: default: true type: bool - description: false to disable sftp configuration. + description: Set to `false` to disable sftp configuration. sftp_umask: default: '0027' description: Specifies the umask for sftp. sftp_chroot: default: true type: bool - description: false to disable chroot for sftp. + description: Set to `false` to disable chroot for sftp. sftp_chroot_dir: default: /home/%u description: change default stp chroot location 
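Review bot: The reworded `ssh_gateway_ports` entry in this hunk still tells users to set `clientspecified`, yet it keeps `type: bool`, so argument-spec validation will reject that value before the role ever sees it and the third sentence of the description documents an option nobody can actually use. Either declare it the way `ssh_allow_tcp_forwarding` is declared a few lines above — a string with a quoted default, i.e. `type: str` and `choices: ['yes', 'no', 'clientspecified']` (the default would then have to become `'no'`, which is a compatibility change worth stating in the commit) — or drop the `clientspecified` sentence and keep the boolean. The `ssh_allow_tcp_forwarding` description touched in the same hunk now mixes YAML `false` with Python-style `True` in one sentence; the casing should be made consistent (`'no'`/`false` and `'yes'`/`true`). Whether the sshd template emits `clientspecified` for this variable is outside the hunk, so confirm against the template before picking the fix.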
@@ -197,17 +197,17 @@ argument_specs: ssh_client_password_login: default: false type: bool - description: '`true` to allow password-based authentication with the ssh client.' + description: Set to `true` to allow password-based authentication with the ssh client. ssh_server_password_login: default: false type: bool - description: '`true` to allow password-based authentication to the ssh server. + description: 'Set to `true` to allow password-based authentication to the ssh server. You probably also need to change `sshd_authenticationmethods` to include `password` if you set `ssh_server_password_login`: `true`.' ssh_banner: default: false type: bool - description: '`true` to print a banner on login.' + description: 'Set to `true` to print a banner on login.' ssh_banner_path: default: /etc/sshd/banner.txt description: path to the SSH banner file. @@ -239,11 +239,11 @@ argument_specs: ssh_print_debian_banner: default: false type: bool - description: '`true` to print debian specific banner.' + description: Set to `true` to print debian specific banner. ssh_server_enabled: default: true type: bool - description: '`false` to disable the opensshd server.' + description: Set to `false` to disable the opensshd server. ssh_server_hardening: default: true type: bool From b76618cc749a0c9e1cd70369131f2d2b676893aa Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Fri, 4 Aug 2023 09:09:44 +0200 Subject: [PATCH 17/17] some more linting Signed-off-by: Sebastian Gumprich --- roles/mysql_hardening/meta/argument_specs.yml | 3 ++- roles/nginx_hardening/meta/argument_specs.yml | 16 ++++++------ roles/ssh_hardening/meta/argument_specs.yml | 25 +++++++++++-------- 3 files changed, 24 insertions(+), 20 deletions(-) diff --git a/roles/mysql_hardening/meta/argument_specs.yml b/roles/mysql_hardening/meta/argument_specs.yml index 716d36c9e..b95eaf557 100644 --- a/roles/mysql_hardening/meta/argument_specs.yml +++ b/roles/mysql_hardening/meta/argument_specs.yml 
@@ -75,4 +75,5 @@ argument_specs: mysql_remove_remote_root: default: true type: bool - description: If `true`, root can only connect from localhost. Set to `false` to not remove remote root users. + description: If `true`, root can only connect from localhost. Set to `false` + to not remove remote root users. diff --git a/roles/nginx_hardening/meta/argument_specs.yml b/roles/nginx_hardening/meta/argument_specs.yml index 4293471b0..25e40aeab 100644 --- a/roles/nginx_hardening/meta/argument_specs.yml +++ b/roles/nginx_hardening/meta/argument_specs.yml @@ -28,7 +28,7 @@ argument_specs: description: The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value - in the "Keep-Alive timeout=time" response header field. See [nginx_keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) + in the "Keep-Alive timeout=time" response header field. See [nginx_keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) # noqa yaml[line-length] nginx_server_tokens: default: false type: str 
@@ -44,15 +44,15 @@ argument_specs:
 default: 2 1k
 type: str
 description: Sets the maximum number and size of buffers used for reading
- large client request header. See [nginx_large_client_header_buffers](http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers)
+ large client request header. See [nginx_large_client_header_buffers](http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers) # noqa yaml[line-length]
 nginx_client_body_timeout:
 default: 10
 type: int
- description: Defines a timeout for reading client request body. See [nginx_client_body_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout)
+ description: Defines a timeout for reading client request body. See [nginx_client_body_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout) # noqa yaml[line-length]
 nginx_client_header_timeout:
 default: 10
 type: int
- description: Defines a timeout for reading client request header. See [nginx_client_header_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout)
+ description: Defines a timeout for reading client request header. See [nginx_client_header_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout) # noqa yaml[line-length]
 nginx_send_timeout:
 default: 10
 type: int
@@ -79,20 +79,20 @@ argument_specs:
 nginx_ssl_protocols:
 default: TLSv1.2
 type: str
- description: Specifies the SSL protocol which should be used. See [nginx_ssl_protocols](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols)
+ description: Specifies the SSL protocol which should be used. See [nginx_ssl_protocols](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols) # noqa yaml[line-length]
 nginx_ssl_ciphers:
- default: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+ default: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 # noqa yaml[line-length]
 type: str
 description: Specifies the TLS ciphers which should be used. See [nginx_ssl_ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers)
 nginx_ssl_prefer_server_ciphers:
 default: 'on'
 type: str
 description: Specifies that server ciphers should be preferred over client
- ciphers when using the TLS protocols. Set to false to disable it. See [nginx_ssl_prefer_server_ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers)
+ ciphers when using the TLS protocols. Set to false to disable it. See [nginx_ssl_prefer_server_ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers) # noqa yaml[line-length]
 nginx_dh_size:
 default: 2048
 type: str
- description: Specifies the length of DH parameters for EDH ciphers.
See [nginx_dh_size](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam)
+ description: Specifies the length of DH parameters for EDH ciphers. See [nginx_dh_size](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam) # noqa yaml[line-length]
 nginx_configuration_dir:
 default: /etc/nginx
 type: str
diff --git a/roles/ssh_hardening/meta/argument_specs.yml b/roles/ssh_hardening/meta/argument_specs.yml
index cf0665339..5879bd3a5 100644
--- a/roles/ssh_hardening/meta/argument_specs.yml
+++ b/roles/ssh_hardening/meta/argument_specs.yml
@@ -80,18 +80,19 @@ argument_specs:
 ssh_gateway_ports:
 default: false
 type: bool
- description: Set to `false` to disable binding forwarded ports to non-loopback addresses.
- Set to `true` to force binding on wildcard address. Set to `clientspecified`
+ description: Set to `false` to disable binding forwarded ports to non-loopback
+ addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified`
 to allow the client to specify which address to bind to.
 ssh_allow_agent_forwarding:
 default: false
 type: bool
- description: Set to `false` to disable Agent Forwarding. Set to `true` to allow Agent
- Forwarding.
+ description: Set to `false` to disable Agent Forwarding. Set to `true` to
+ allow Agent Forwarding.
 ssh_x11_forwarding:
 default: false
 type: bool
- description: Set to `false` to disable X11 Forwarding. Set to `true` to allow X11 Forwarding.
+ description: Set to `false` to disable X11 Forwarding. Set to `true` to allow
+ X11 Forwarding.
 ssh_pam_support:
 default: true
 type: bool
@@ -159,7 +160,8 @@ argument_specs:
 ssh_print_pam_motd:
 default: false
 type: bool
- description: Set to `false` to disable printing of the MOTD via pam (Debian and Ubuntu).
+ description: Set to `false` to disable printing of the MOTD via pam (Debian
+ and Ubuntu).
 ssh_print_last_log:
 default: false
 type: bool
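Review bot: `ssh_gateway_ports` is declared `type: bool`, yet the reflowed description in the `@@ -80,18 +80,19 @@` hunk still tells users to set it to `clientspecified`, a string that argument-spec validation will reject as not a boolean (unless the role turns validation off, which this hunk does not show). The documented values and the declared type need to agree: either drop the `clientspecified` sentence from the description, or declare the option as `type: str` with the three documented values as `choices`, after checking how the role's tasks render the value into sshd's `GatewayPorts`. The other two options touched in this hunk, ssh_allow_agent_forwarding and ssh_x11_forwarding, only document true/false and are consistent with their `type: bool`.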
@@ -197,17 +199,18 @@ argument_specs:
 ssh_client_password_login:
 default: false
 type: bool
- description: Set to `true` to allow password-based authentication with the ssh client.
+ description: Set to `true` to allow password-based authentication with the
+ ssh client.
 ssh_server_password_login:
 default: false
 type: bool
- description: 'Set to `true` to allow password-based authentication to the ssh server.
- You probably also need to change `sshd_authenticationmethods` to include
- `password` if you set `ssh_server_password_login`: `true`.'
+ description: 'Set to `true` to allow password-based authentication to the
+ ssh server. You probably also need to change `sshd_authenticationmethods`
+ to include `password` if you set `ssh_server_password_login`: `true`.'
 ssh_banner:
 default: false
 type: bool
- description: 'Set to `true` to print a banner on login.'
+ description: Set to `true` to print a banner on login.
 ssh_banner_path:
 default: /etc/sshd/banner.txt
 description: path to the SSH banner file.