diff --git a/.travis.yml b/.travis.yml
index 09221113f..2bcaaeb88 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -59,10 +59,10 @@ script:
 - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-os-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
 # Test role.
- - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/default.yml --skip-tags "sysctl"'
+ - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/default.yml --diff --skip-tags "sysctl"'
 # Verify role
- - 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --controls=os-01 os-02 os-03 os-04 os-05 os-06 os-07 os-09 os-10 package-01 package-02 package-03 package-04 package-05 package-06 package-09'
+ - 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --controls=os-01 os-02 os-03 os-04 os-05 os-06 os-07 os-09 package-01 package-02 package-03 package-04 package-05 package-06 package-09'
 notifications:
 webhooks: https://galaxy.ansible.com/api/v1/notifications/
diff --git a/tasks/auditd.yml b/tasks/auditd.yml
new file mode 100644
index 000000000..2ff1ed2c5
--- /dev/null
+++ b/tasks/auditd.yml
@@ -0,0 +1,14 @@
+---
+- name: install auditd package | package-08
+ package:
+ name: '{{ auditd_package }}'
+ state: 'present'
+
+- name: configure auditd | package-08
+ template:
+ src: 'etc/audit/auditd.conf.j2'
+ dest: '/etc/audit/auditd.conf'
+ owner: 'root'
+ group: 'root'
+ mode: '0640'
diff --git a/tasks/limits.yml b/tasks/limits.yml
index b04787376..fb1a733c3 100644
--- a/tasks/limits.yml
+++ b/tasks/limits.yml
@@ -8,7 +8,7 @@
 group: 'root'
 mode: '0755'
 state: 'directory'
-
+
 - name: create aditional limits config file -> 10.hardcore.conf | sysctl-31a, sysctl-31b
 pam_limits:
 dest: '/etc/security/limits.d/10.hardcore.conf'
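Review bot: The new inspec line drops `os-10` from `--controls=` while the same commit re-points the task labelled `os-10` (`disable unused filesystems` in tasks/modprobe.yml) at a new template path, so CI no longer verifies the outcome of a task this commit touches. If `os-10` cannot pass in the Docker test containers, that reason belongs next to the line, e.g. `# os-10 (modprobe) not verified in containers: <reason>`; otherwise it should stay in the list. Conversely `package-08`, the control the new tasks in tasks/auditd.yml are labelled with, is not added to the list, so the new auditd work is not verified in CI either.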
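Review bot: The `configure auditd` task writes `/etc/audit/auditd.conf` but has no `notify`, and nothing in this file starts or enables the auditd service, so on a host where auditd is already running the new configuration is not picked up until something else restarts it, and on a fresh install the daemon may never be enabled. Add `notify: restart auditd` to the template task (with a matching handler in the role's handlers, which this diff does not show) and a `service` task that starts and enables auditd, as sketched below. `auditd_package` is defined in this commit only for vars/Debian.yml and vars/RedHat.yml; if the role ships vars for any other OS family, the `package` task will fail there on an undefined variable, so a default or a guard is worth considering.
```yaml
- name: configure auditd | package-08
  template:
    # … unchanged: src, dest, owner, group, mode …
  notify: restart auditd

- name: ensure auditd is enabled and running | package-08
  service:
    name: 'auditd'
    state: 'started'
    enabled: true
```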
@@ -17,14 +17,14 @@
 limit_item: core
 value: 0
 comment: Prevent core dumps for all users. These are usually only needed by developers and may contain sensitive information
-
+
 - name: set 10.hardcore.conf perms to 0400 and root ownership
 file:
 path: /etc/security/limits.d/10.hardcore.conf
 owner: 'root'
 group: 'root'
 mode: '0440'
-
+
 when: 'not os_security_kernel_enable_core_dump'
 - name: remove 10.hardcore.conf config file
@@ -32,4 +32,11 @@
 path: /etc/security/limits.d/10.hardcore.conf
 state: absent
+- name: create sane limits.conf | sysctl-31a, sysctl-31b
+ template:
+ src: 'etc/security/limits.d/limits.conf.j2'
+ dest: '/etc/security/limits.d/10.hardcore.conf'
+ owner: 'root'
+ group: 'root'
+ mode: '0440'
 when: 'os_security_kernel_enable_core_dump'
diff --git a/tasks/login_defs.yml b/tasks/login_defs.yml
index 02421a585..165e61553 100644
--- a/tasks/login_defs.yml
+++ b/tasks/login_defs.yml
@@ -1,7 +1,7 @@
 ---
 - name: create login.defs | os-05, os-05b
 template:
- src: 'login.defs.j2'
+ src: 'etc/login.defs.j2'
 dest: '/etc/login.defs'
 owner: 'root'
 group: 'root'
diff --git a/tasks/main.yml b/tasks/main.yml
index 8979725f1..01149804f 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -13,13 +13,16 @@
 skip: true
 tags: always
+- import_tasks: auditd.yml
+ tags: auditd
+
 - import_tasks: limits.yml
 tags: limits
 - import_tasks: login_defs.yml
 tags: login_defs
-- include_tasks: minimize_access.yml
+- import_tasks: minimize_access.yml
 tags: minimize_access
 - import_tasks: pam.yml
diff --git a/tasks/modprobe.yml b/tasks/modprobe.yml
index 0017e3f68..66aa95037 100644
--- a/tasks/modprobe.yml
+++ b/tasks/modprobe.yml
@@ -6,7 +6,7 @@
 - name: disable unused filesystems | os-10
 template:
- src: 'modprobe.j2'
+ src: 'etc/modprobe.d/modprobe.j2'
 dest: '/etc/modprobe.d/dev-sec.conf'
 owner: 'root'
 group: 'root'
diff --git a/tasks/pam.yml b/tasks/pam.yml
index ce95ea3e1..012a4de48 100644
--- a/tasks/pam.yml
+++ b/tasks/pam.yml
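Review bot: In the third tasks/limits.yml hunk the seven added lines sit between `state: absent` and the existing `when: 'os_security_kernel_enable_core_dump'`, so as the hunk reads that `when` now guards the new `create sane limits.conf` task and the `remove 10.hardcore.conf config file` task above it runs unconditionally. That inverts the intent: with core dumps disabled the file is deleted on every run and never re-created, and with core dumps enabled the template writes `* hard core 0` and blocks them. The remove task needs its guard back, `when: 'os_security_kernel_enable_core_dump'`, and the new template task should run under `when: 'not os_security_kernel_enable_core_dump'`. Both the `pam_limits` task in the first hunk and the new template target the same `/etc/security/limits.d/10.hardcore.conf`; if both can run, they will rewrite each other's content on every play, so one of them should go.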
@@ -33,7 +33,7 @@
 - name: configure passwdqc
 template:
- src: 'pam_passwdqc.j2'
+ src: 'usr/share/pam-configs/pam_passwdqd.j2'
 dest: '{{ passwdqc_path }}'
 mode: '0640'
 owner: 'root'
@@ -54,7 +54,7 @@
 - name: configure tally2
 template:
- src: 'pam_tally2.j2'
+ src: 'usr/share/pam-configs/pam_tally2.j2'
 dest: '{{ tally2_path }}'
 mode: '0640'
 owner: 'root'
@@ -87,7 +87,7 @@
 - name: configure passwdqc and tally via central system-auth confic
 template:
- src: 'rhel_system_auth.j2'
+ src: 'etc/pam.d/rhel_system_auth.j2'
 dest: '/etc/pam.d/system-auth-ac'
 mode: '0640'
 owner: 'root'
@@ -95,7 +95,7 @@
 - name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
 template:
- src: 'rhel_libuser.conf.j2'
+ src: 'etc/rhel_libuser.conf.j2'
 dest: '/etc/libuser.conf'
 mode: '0640'
 owner: 'root'
diff --git a/tasks/profile.yml b/tasks/profile.yml
index 5d3cacf7e..6245474e3 100644
--- a/tasks/profile.yml
+++ b/tasks/profile.yml
@@ -1,7 +1,7 @@
 ---
 - name: add pinerolo_profile.sh to profile.d
 template:
- src: 'profile.conf.j2'
+ src: 'etc/profile.d/profile.conf.j2'
 dest: '/etc/profile.d/pinerolo_profile.sh'
 owner: 'root'
 group: 'root'
diff --git a/tasks/securetty.yml b/tasks/securetty.yml
index 9f922e2f8..1743a1962 100644
--- a/tasks/securetty.yml
+++ b/tasks/securetty.yml
@@ -1,7 +1,7 @@
 ---
 - name: create securetty
 template:
- src: 'securetty.j2'
+ src: 'etc/securetty.j2'
 dest: '/etc/securetty'
 owner: 'root'
 group: 'root'
diff --git a/tasks/sysctl.yml b/tasks/sysctl.yml
index b2ada1633..5ff971995 100644
--- a/tasks/sysctl.yml
+++ b/tasks/sysctl.yml
@@ -8,7 +8,7 @@
 - name: set Daemon umask, do config for rhel-family | NSA 2.2.4.1
 template:
- src: 'rhel_sysconfig_init.j2'
+ src: 'etc/sysconfig/rhel_sysconfig_init.j2'
 dest: '/etc/sysconfig/init'
 owner: 'root'
 group: 'root'
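Review bot: The new path in the first tasks/pam.yml hunk, `usr/share/pam-configs/pam_passwdqd.j2`, misspells the module name: the task is `configure passwdqc`, its destination is `{{ passwdqc_path }}`, and the old file was `pam_passwdqc.j2`. The rename in this commit carries the same typo (`templates/usr/share/pam-configs/pam_passwdqd.j2`), so the reference resolves today, but the file is hard to find by name and invites a later "fix" of one side that breaks the other. Rename the template to `templates/usr/share/pam-configs/pam_passwdqc.j2` and change the line to `src: 'usr/share/pam-configs/pam_passwdqc.j2'`. The other three hunks in this file are plain path moves.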
@@ -24,7 +24,7 @@
 - name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled
 template:
- src: 'modules.j2'
+ src: 'etc/initramfs-tools/modules.j2'
 dest: '/etc/initramfs-tools/modules'
 owner: 'root'
 group: 'root'
@@ -63,7 +63,7 @@
 - name: Apply ufw defaults
 template:
- src: 'ufw.j2'
+ src: 'etc/default/ufw.j2'
 dest: '/etc/default/ufw'
 when: ufw_manage_defaults and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')
 tags: ufw
diff --git a/templates/etc/audit/auditd.conf.j2 b/templates/etc/audit/auditd.conf.j2
new file mode 100644
index 000000000..4f3040f70
--- /dev/null
+++ b/templates/etc/audit/auditd.conf.j2
@@ -0,0 +1,28 @@
+log_file = /var/log/audit/audit.log
+log_format = RAW
+log_group = root
+priority_boost = 4
+flush = INCREMENTAL
+freq = 20
+num_logs = 5
+disp_qos = lossy
+dispatcher = /sbin/audispd
+name_format = NONE
+##name = mydomain
+max_log_file = 6
+max_log_file_action = keep_logs
+space_left = 75
+space_left_action = SYSLOG
+action_mail_acct = root
+admin_space_left = 50
+admin_space_left_action = SUSPEND
+disk_full_action = SUSPEND
+disk_error_action = SUSPEND
+##tcp_listen_port =
+tcp_listen_queue = 5
+tcp_max_per_addr = 1
+##tcp_client_ports = 1024-65535
+tcp_client_max_idle = 0
+enable_krb5 = no
+krb5_principal = auditd
+##krb5_key_file = /etc/audit/audit.key
diff --git a/templates/ufw.j2 b/templates/etc/default/ufw.j2
similarity index 100%
rename from templates/ufw.j2
rename to templates/etc/default/ufw.j2
diff --git a/templates/modules.j2 b/templates/etc/initramfs-tools/modules.j2
similarity index 100%
rename from templates/modules.j2
rename to templates/etc/initramfs-tools/modules.j2
diff --git a/templates/login.defs.j2 b/templates/etc/login.defs.j2
similarity index 100%
rename from templates/login.defs.j2
rename to templates/etc/login.defs.j2
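Review bot: The new templates/etc/audit/auditd.conf.j2 contains no Jinja expression at all, not even the `{{ ansible_managed | comment }}` header the new limits.conf.j2 in this commit uses, so every auditd setting is hard-coded and a user of the role cannot change `max_log_file`, `num_logs` or the disk-full behaviour without forking the file. The chosen actions deserve a second look for a hardening role: `admin_space_left_action = SUSPEND` and `disk_full_action = SUSPEND` stop auditing silently once space runs out, and with `space_left_action = SYSLOG` the `action_mail_acct = root` line is never used, because that address is only consulted by the `EMAIL` action. Consider exposing at least the space/disk actions and the log sizing as role variables with these values as defaults (names to be chosen, for example under an `os_auditd_` prefix), and adding a `# {{ ansible_managed | comment }}` first line so a locally edited file is recognisable. If the values are meant to stay fixed, `copy:` with a static file states that more honestly than `template:`.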
diff --git a/templates/modprobe.j2 b/templates/etc/modprobe.d/modprobe.j2
similarity index 100%
rename from templates/modprobe.j2
rename to templates/etc/modprobe.d/modprobe.j2
diff --git a/templates/rhel_system_auth.j2 b/templates/etc/pam.d/rhel_system_auth.j2
similarity index 100%
rename from templates/rhel_system_auth.j2
rename to templates/etc/pam.d/rhel_system_auth.j2
diff --git a/templates/profile.conf.j2 b/templates/etc/profile.d/profile.conf.j2
similarity index 100%
rename from templates/profile.conf.j2
rename to templates/etc/profile.d/profile.conf.j2
diff --git a/templates/rhel_libuser.conf.j2 b/templates/etc/rhel_libuser.conf.j2
similarity index 100%
rename from templates/rhel_libuser.conf.j2
rename to templates/etc/rhel_libuser.conf.j2
diff --git a/templates/securetty.j2 b/templates/etc/securetty.j2
similarity index 100%
rename from templates/securetty.j2
rename to templates/etc/securetty.j2
diff --git a/templates/etc/security/limits.d/limits.conf.j2 b/templates/etc/security/limits.d/limits.conf.j2
new file mode 100644
index 000000000..2a55592db
--- /dev/null
+++ b/templates/etc/security/limits.d/limits.conf.j2
@@ -0,0 +1,3 @@
+# {{ ansible_managed | comment }}
+# Prevent core dumps for all users. These are usually only needed by developers and may contain sensitive information.
+* hard core 0
diff --git a/templates/rhel_sysconfig_init.j2 b/templates/etc/sysconfig/rhel_sysconfig_init.j2
similarity index 100%
rename from templates/rhel_sysconfig_init.j2
rename to templates/etc/sysconfig/rhel_sysconfig_init.j2
diff --git a/templates/pam_passwdqc.j2 b/templates/usr/share/pam-configs/pam_passwdqd.j2
similarity index 100%
rename from templates/pam_passwdqc.j2
rename to templates/usr/share/pam-configs/pam_passwdqd.j2
diff --git a/templates/pam_tally2.j2 b/templates/usr/share/pam-configs/pam_tally2.j2
similarity index 100%
rename from templates/pam_tally2.j2
rename to templates/usr/share/pam-configs/pam_tally2.j2
diff --git a/vars/Debian.yml b/vars/Debian.yml index 32863c764..be2847094 100644 --- a/vars/Debian.yml +++ b/vars/Debian.yml @@ -5,6 +5,7 @@ passwdqc_path: '/usr/share/pam-configs/passwdqc' tally2_path: '/usr/share/pam-configs/tally2' os_nologin_shell_path: '/usr/sbin/nologin' +auditd_package: 'auditd' modprobe_package: 'kmod' # Different distros use different standards for /etc/shadow perms, e.g. diff --git a/vars/RedHat.yml b/vars/RedHat.yml index ad851c17c..9624cc222 100644 --- a/vars/RedHat.yml +++ b/vars/RedHat.yml @@ -1,6 +1,7 @@ --- modprobe_package: 'module-init-tools' +auditd_package: 'audit' os_packages_pam_ccreds: 'pam_ccreds' os_packages_pam_passwdqc: 'pam_passwdqc'