From 2e3d5e916b9c1862a0c4f6eefaef22ba1613cb5b Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Thu, 3 Oct 2024 19:38:55 +0200
Subject: [PATCH 1/3] Remove unused files and variables

Signed-off-by: Martin Schurz
---
 molecule/os_hardening/converge.yml | 1 -
 roles/os_hardening/defaults/main.yml | 1 -
 roles/os_hardening/meta/argument_specs.yml | 4 -
 .../templates/etc/initramfs-tools/modules.j2 | 113 ------------------
 4 files changed, 119 deletions(-)
 delete mode 100644 roles/os_hardening/templates/etc/initramfs-tools/modules.j2

diff --git a/molecule/os_hardening/converge.yml b/molecule/os_hardening/converge.yml
index 7bd8462f6..d8f1f02d5 100644
--- a/molecule/os_hardening/converge.yml
+++ b/molecule/os_hardening/converge.yml
@@ -20,7 +20,6 @@
 os_security_suid_sgid_remove_from_unknown: true
 os_auth_pam_passwdqc_enable: false
 os_auth_lockout_time: 15
- os_desktop_enable: true
 os_env_extra_user_paths: [/home]
 os_auth_allow_homeless: true
 os_security_suid_sgid_blacklist: [/bin/umount]
diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
index 448047608..b9549f675 100644
--- a/roles/os_hardening/defaults/main.yml
+++ b/roles/os_hardening/defaults/main.yml
@@ -1,5 +1,4 @@
 ---
-os_desktop_enable: false
 os_env_user_paths: [/usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin, /sbin, /bin]
 os_env_extra_user_paths: []
 os_auth_pw_max_age: 60
diff --git a/roles/os_hardening/meta/argument_specs.yml b/roles/os_hardening/meta/argument_specs.yml
index b23aa06c4..cedb27542 100644
--- a/roles/os_hardening/meta/argument_specs.yml
+++ b/roles/os_hardening/meta/argument_specs.yml
@@ -4,10 +4,6 @@ argument_specs:
 short_description: The main entry point for the os hardening role.
 version_added: 8.8.0
 options:
- os_desktop_enable:
- default: false
- type: bool
- description: true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc.
 os_env_user_paths:
 default: [/usr/local/sbin, /usr/local/bin, /usr/sbin, /usr/bin, /sbin, /bin]
 type: list
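Review bot: The removal of the `os_desktop_enable` option from argument_specs.yml (and the matching lines in converge.yml and defaults/main.yml in this patch) drops a documented public role variable without a deprecation note, and role argument validation only checks declared options as far as I can tell, so playbooks that still set it will keep running with the value silently ignored. The removal itself looks correct, since the deleted initramfs-tools/modules.j2 template appears to have been the variable's only consumer and the commit describes it as unused. I would add a changelog entry such as `os_desktop_enable has been removed; it was only read by the unused initramfs-tools/modules.j2 template and had no effect on hardened hosts` so users who set it learn it is now a no-op.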
diff --git a/roles/os_hardening/templates/etc/initramfs-tools/modules.j2 b/roles/os_hardening/templates/etc/initramfs-tools/modules.j2
deleted file mode 100644
index 765ce2b4c..000000000
--- a/roles/os_hardening/templates/etc/initramfs-tools/modules.j2
+++ /dev/null
@@ -1,113 +0,0 @@
-{{ ansible_managed | comment }}
-# Generated by Ansible role {{ ansible_role_name }}
-
-# This file contains the names of kernel modules that should be loaded at boot time, one per line. Lines beginning with "#" are ignored.
-#
-# A list of all available kernel modules kann be found with `find /lib/modules/$(uname -r)/kernel/`
-# We will sort by folder.
-
-
-# Arch
-# ----
-#
-# Modules for certains builds, contains support modules and some CPU-specific optimizations.
-
-{% if ansible_facts.architecture == 'x86_64' %}
-# Optimize for x86_64 cryptographic features
-twofish-x86_64-3way
-twofish-x86_64
-aes-x86_64
-salsa20-x86_64
-blowfish-x86_64
-{% endif %}
-
-{% if 'AuthenticAMD' in ansible_facts.processor %}
-# AMD-specific optimizations
-kvm-amd
-{% else %}
-# Intel-specific optimizations
-ghash-clmulni-intel
-aesni-intel
-kvm-intel
-{% endif %}
-
-kvm
-
-# Crypto
-# ------
-
-# Some core modules which comprise strong cryptography.
-blowfish_common
-blowfish_generic
-ctr
-cts
-lrw
-lzo
-rmd160
-rmd256
-rmd320
-serpent
-sha512_generic
-twofish_common
-twofish_generic
-xts
-zlib
-
-
-# Drivers
-# -------
-
-# Basics
-lp
-rtc
-loop
-
-# Filesystems
-ext2
-btrfs
-
-{% if os_desktop_enable %}
-# Desktop
-psmouse
-snd
-snd_ac97_codec
-snd_intel8x0
-snd_page_alloc
-snd_pcm
-snd_timer
-soundcore
-usbhid
-{% endif %}
-
-# Lib
-# ---
-xz
-
-
-# Net
-# ---
-
-# All packets needed for netfilter rules (ie iptables, ebtables).
-ip_tables
-x_tables
-iptable_filter
-iptable_nat
-
-# Targets
-ipt_LOG
-ipt_REJECT
-
-# Modules
-xt_connlimit
-xt_tcpudp
-xt_recent
-xt_limit
-xt_conntrack
-nf_conntrack
-nf_conntrack_ipv4
-nf_defrag_ipv4
-xt_state
-nf_nat
-
-# Addons
-xt_pknock
From 4c87d293cea224f43c737eb10a642354b6aa90e0 Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Thu, 3 Oct 2024 23:01:18 +0200
Subject: [PATCH 2/3] Disable testing of audit in docker

Signed-off-by: Martin Schurz
---
 molecule/os_hardening/converge.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/molecule/os_hardening/converge.yml b/molecule/os_hardening/converge.yml
index d8f1f02d5..0af4a9fdb 100644
--- a/molecule/os_hardening/converge.yml
+++ b/molecule/os_hardening/converge.yml
@@ -16,7 +16,7 @@
 vars:
 os_security_users_allow: change_user
 os_security_kernel_enable_core_dump: false
- os_auditd_num_logs: 10
+ os_auditd_enabled: false
 os_security_suid_sgid_remove_from_unknown: true
 os_auth_pam_passwdqc_enable: false
 os_auth_lockout_time: 15
From 2b495bf6b9f43505dd50e27fe1d3e692ab5ec198 Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Thu, 3 Oct 2024 23:16:01 +0200
Subject: [PATCH 3/3] Disable testing of audit in docker

Signed-off-by: Martin Schurz
---
 molecule/os_hardening/verify.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml
index d6d58658d..5717e6048 100644
--- a/molecule/os_hardening/verify.yml
+++ b/molecule/os_hardening/verify.yml
@@ -67,12 +67,14 @@
 http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
 https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
 no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+ vars:
+ os_auditd_enabled: false
+ os_env_umask: "027 #override"
 tasks:
 # test if variable can be overridden
 - name: Workaround for https://github.com/ansible/ansible/issues/66304
 ansible.builtin.set_fact:
 ansible_virtualization_type: docker
- os_env_umask: "027 #override"
 - name: Include os_hardening role
 ansible.builtin.include_role:
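Review bot: The auditd part of the role loses all test coverage with the new `os_auditd_enabled: false` line in the converge.yml hunk of PATCH 2/3: it replaces the `os_auditd_num_logs: 10` override that was exercised before, and because it lives in the play-level vars it presumably switches the auditd tasks off for every driver the scenario runs on, not only in docker as the commit title says. If this scenario is ever run against a non-container driver, deriving the value from the gathered virtualization type would keep that coverage there. Either way the reason is only in the commit title today and belongs next to the line, e.g. `os_auditd_enabled: false  # auditd cannot be configured inside the docker test container`. The verify.yml hunk in PATCH 3/3 sets the same value and could carry the same comment; that hunk continues past the end of this excerpt.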