kmonticolo.ansible_os_hardening
os-hardening (Ansible Role)
Description
This role adds many security settings for better protection of your system. It follows the DevSec Linux Baseline.
It does the following things:
- Manages packages, allowing only those that are signed.
- Removes packages known to cause problems.
- Configures pam and its limits.
- Sets up shadow passwords.
- Configures permissions for system paths.
- Disables core dumps using soft limits.
- Limits root logins to the system console.
- Manages SUID settings.
- Sets kernel parameters using sysctl.
- Installs and configures auditd.
It does not:
- Update system packages.
- Install security patches.
Requirements
- Requires Ansible version 2.5.0 or later.
Warning
If you are using inspec to test your machines after applying this role, make sure to add the user you are connecting with to the os_ignore_users variable. Otherwise, the tests may fail. More information can be found in issue #124.
If you are using Docker or Kubernetes with Docker, you'll need to change the IPv4 IP forwarding setting like this:
```yaml
- hosts: localhost
  roles:
    - dev-sec.os-hardening
  vars:
    sysctl_overwrite:
      net.ipv4.ip_forward: 1
```
Variables
Here's a list of configurable variables with their default values:
Name | Default Value | Description |
---|---|---|
os_desktop_enable | false | Set to true if this is a desktop system. |
os_env_extra_user_paths | [] | Add extra paths to the user's PATH. |
os_env_umask | 027 | Default permissions for new files. |
os_auth_pw_max_age | 60 | Maximum age for passwords. |
os_auth_pw_min_age | 7 | Minimum age before allowing a password change. |
os_auth_retries | 5 | Max attempts before account lockout. |
os_auth_lockout_time | 600 | Lockout duration in seconds. |
os_auth_timeout | 60 | Timeout for authentication. |
os_auth_allow_homeless | false | Allow users without home directories to log in. |
os_auth_pam_passwdqc_enable | true | Enable strong password checks in PAM. |
os_auth_pam_passwdqc_options | "min=disabled,disabled,16,12,8" | Options for password checking. |
os_security_users_allow | [] | Actions allowed for users. |
os_security_kernel_enable_module_loading | true | Allow changes to kernel modules while the system is running. |
os_security_kernel_enable_core_dump | false | Enable core dumps on kernel crashes. |
os_security_suid_sgid_enforce | true | Reduce SUID/SGID bits as needed. |
os_security_suid_sgid_blacklist | [] | Paths to remove SUID/SGID bits from. |
os_security_suid_sgid_whitelist | [] | Paths to keep SUID/SGID bits unchanged. |
os_security_suid_sgid_remove_from_unknown | false | Remove SUID/SGID bits from unknown files. |
os_security_packages_clean | true | Remove problematic packages. |
ufw_manage_defaults | true | Apply all default UFW settings. |
ufw_ipt_sysctl | '' | Override sysctl values using UFW if desired. |
ufw_default_input_policy | DROP | Set the default input policy for UFW. |
ufw_default_output_policy | ACCEPT | Set the default output policy for UFW. |
ufw_default_forward_policy | DROP | Set the default forward policy for UFW. |
os_auditd_enabled | true | Set to false to skip installing auditd. |
Packages
The following packages are removed:
- xinetd
- inetd
- tftp-server
- ypserv
- telnet-server
- rsh-server
- prelink
Disabled Filesystems
The following filesystems are disabled, as they are usually unnecessary:
- "cramfs"
- "freevxfs"
- "jffs2"
- "hfs"
- "hfsplus"
- "squashfs"
- "udf"
- "vfat" (if not using UEFI)
You can prevent some filesystems from being disabled by adding them to the os_filesystem_whitelist variable.
Installation
To install this role, use ansible-galaxy:
```shell
ansible-galaxy install dev-sec.os-hardening
```
Example Playbook
Here's a simple playbook example:
```yaml
- hosts: localhost
  roles:
    - dev-sec.os-hardening
```
Changing Sysctl Variables
To change sysctl variables, you can use the sysctl_overwrite variable. For example, to enable IPv4 traffic forwarding:
```yaml
- hosts: localhost
  roles:
    - dev-sec.os-hardening
  vars:
    sysctl_overwrite:
      net.ipv4.ip_forward: 1
```
Alternatively, you can change Ansible's hash-behavior to merge, but this applies to all playbooks and is not typically recommended.
Local Testing
For local testing, it's best to use Docker. You need to install Docker first. Check the Get started page for help.
You can also use Vagrant with VirtualBox or VMware to run tests locally. Install VirtualBox and Vagrant, then see Vagrant Downloads for the right package.
For testing, you'll also need test-kitchen. Install it like this:
```shell
# Install dependencies
gem install bundler
bundle install
```
Testing with Docker
```shell
# Quick test on one machine
bundle exec kitchen test default-ubuntu-1404
# Test on all machines
bundle exec kitchen test
# For development
bundle exec kitchen create default-ubuntu-1404
bundle exec kitchen converge default-ubuntu-1404
```
Testing with VirtualBox
```shell
# Quick test on one machine
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test default-ubuntu-1404
# Test on all machines
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test
# For development
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen create default-ubuntu-1404
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen converge default-ubuntu-1404
```
For more details, refer to test-kitchen.
Contributors + Kudos
This role is mostly based on various guides, including resources from:
- Arch Linux wiki on Sysctl hardening
- NSA Guide for Secure Configuration of RHEL
- Ubuntu Security Features
- Deutsche Telekom Security Requirements (German)
Thanks to everyone involved!
Contributing
Please check the contributor guidelines.
License and Author
- Author: Sebastian Gumprich
This project is licensed under Apache License, Version 2.0. You may view the license at:
http://www.apache.org/licenses/LICENSE-2.0
Software under the license is offered "AS IS," without any warranties. Please see the license for more details.
This role provides numerous security-related configurations, providing all-round base protection.
Galaxy install command for kmonticolo.ansible_os_hardening:
```shell
ansible-galaxy install kmonticolo.ansible_os_hardening
```