konstruktoid.hardening
Ansible Role for Securing Servers
This is an Ansible role created to improve the security of servers running on AlmaLinux, Debian, or Ubuntu.
It focuses on systemd and needs Ansible version 2.15 or higher.
This role works with the following operating systems:
- AlmaLinux 8
- AlmaLinux 9
- Debian 11 (Bullseye)
- Debian 12 (Bookworm)
- Ubuntu 22.04 (Jammy Jellyfish)
- Ubuntu 24.04 (Noble Numbat)
For users of AWS or Azure, hardened Ubuntu Amazon Machine Images (AMIs) and Azure virtual machine images are also available.
You can find these in the konstruktoid/hardened-images repository. These images are created using Packer, with the configuration coming from this Ansible role.
Note Please do not use this role without testing it in a safe environment first.
Note A SLSA artifact is available under the slsa action workflow for verification.
Requirements
None.
Examples
Using the Role
---
roles:
- name: konstruktoid.hardening
version: v2.1.0
src: https://github.com/konstruktoid/ansible-role-hardening.git
scm: git
Creating a Playbook
---
- name: Use the hardening role
hosts: localhost
any_errors_fatal: true
tasks:
- name: Import the hardening role
ansible.builtin.import_role:
name: konstruktoid.hardening
vars:
sshd_admin_net:
- 10.0.2.0/24
- 192.168.0.0/24
- 192.168.1.0/24
suid_sgid_permissions: false
Local Playbook with Git Checkout
---
- name: Checkout and configure konstruktoid.hardening
hosts: localhost
any_errors_fatal: true
tasks:
- name: Clone hardening repository
become: true
tags:
- always
block:
- name: Install git
ansible.builtin.package:
name: git
state: present
- name: Checkout konstruktoid.hardening
become: true
ansible.builtin.git:
repo: https://github.com/konstruktoid/ansible-role-hardening
dest: /etc/ansible/roles/konstruktoid.hardening
version: v2.1.0
- name: Remove git
ansible.builtin.package:
name: git
state: absent
- name: Include the hardening role
ansible.builtin.include_role:
name: konstruktoid.hardening
vars:
sshd_allow_groups:
- ubuntu
sshd_login_grace_time: 60
sshd_max_auth_tries: 10
sshd_use_dns: false
sshd_update_moduli: true
Note about UFW Rules
Instead of resetting ufw every time (which could disrupt network traffic), the role removes all ufw rules that do not have comment: ansible managed set.
The role also sets a default deny policy. You need to create firewall rules for any additional ports beyond what is specified in the sshd_ports and ufw_outgoing_traffic variables.
For more details, see ufw(8).
Task Execution and Structure
Refer to STRUCTURE.md for the role structure overview.
Role Testing
See TESTING.md.
Role Variables with Defaults
./defaults/main/aide.yml
manage_aide: true
aide_checksums: sha512
aide_dir_exclusions:
- /var/lib/docker
- /var/lib/lxcfs
- /var/lib/private/systemd
- /var/log/audit
- /var/log/journal
If manage_aide: true, AIDE will be installed and configured.
aide_checksums modifies the AIDE Checksums variable. It might not be present depending on the distribution.
aide_dir_exclusions lists directories to ignore in the AIDE database.
./defaults/main/auditd.yml
manage_auditd: true
auditd_apply_audit_rules: true
auditd_action_mail_acct: root
auditd_admin_space_left_action: suspend
auditd_disk_error_action: suspend
auditd_disk_full_action: suspend
auditd_enable_flag: 2
auditd_flush: incremental_async
auditd_max_log_file: 20
auditd_max_log_file_action: rotate
auditd_mode: 1
auditd_num_logs: 5
auditd_space_left: 75
auditd_space_left_action: email
grub_audit_backlog_cmdline: audit_backlog_limit=8192
grub_audit_cmdline: audit=1
If manage_auditd: true, the Linux Audit System will be configured and enabled on boot via GRUB.
When auditd_apply_audit_rules: 'yes', the role will apply the auditd rules from the template file included.
auditd_action_mail_acct should be a valid email address for alerts.
Refer to the auditd.conf(5) for more information.
./defaults/main/automatic_updates.yml
automatic_updates:
enabled: true
reboot: false
If automatic_updates is enabled, it will install and configure dnf-automatic or unattended-upgrades based on the distribution.
If reboot is set to true, the system will restart if necessary.
./defaults/main/compilers.yml
manage_compilers: true
compilers:
- as
- cargo
- cc
- cc-[0-9]*
- clang-[0-9]*
- gcc
- gcc-[0-9]*
- go
- make
- rustc
If manage_compilers: true, the listed compilers will be restricted to the root user.
./defaults/main/crypto_policies.yml
set_crypto_policy: true
crypto_policy: DEFAULT:NO-SHA1
Set and use cryptographic policies if /etc/crypto-policies/config exists and set_crypto_policy: true.
./defaults/main/disablewireless.yml
disable_wireless: false
If true, all wireless interfaces will be turned off.
./defaults/main/dns.yml
manage_resolved: true
dns:
- 1.1.1.2
- 9.9.9.9
fallback_dns:
- 1.0.0.2
- 149.112.112.112
dnssec: allow-downgrade
dns_over_tls: opportunistic
If manage_resolved: true, configure systemd-resolved.
Choose DNS servers and fallback addresses for system use.
./defaults/main/ipv6.yml
disable_ipv6: false
sysctl_net_ipv6_conf_accept_ra_rtr_pref: 0
ipv6_disable_sysctl_settings:
net.ipv6.conf.all.disable_ipv6: 1
net.ipv6.conf.default.disable_ipv6: 1
ipv6_sysctl_settings:
net.ipv6.conf.all.accept_ra: 0
net.ipv6.conf.all.accept_redirects: 0
net.ipv6.conf.all.accept_source_route: 0
net.ipv6.conf.all.forwarding: 0
net.ipv6.conf.all.use_tempaddr: 2
net.ipv6.conf.default.accept_ra: 0
net.ipv6.conf.default.accept_ra_defrtr: 0
net.ipv6.conf.default.accept_ra_pinfo: 0
net.ipv6.conf.default.accept_ra_rtr_pref: 0
net.ipv6.conf.default.accept_redirects: 0
net.ipv6.conf.default.accept_source_route: 0
net.ipv6.conf.default.autoconf: 0
net.ipv6.conf.default.dad_transmits: 0
net.ipv6.conf.default.max_addresses: 1
net.ipv6.conf.default.router_solicitations: 0
net.ipv6.conf.default.use_tempaddr: 2
If disable_ipv6: true, then IPv6 will be turned off and the relevant settings will be adjusted.
./defaults/main/journal.yml
rsyslog_filecreatemode: "0640"
journald_compress: true
journald_forwardtosyslog: false
journald_storage: persistent
Sets the configuration for rsyslog and journald.
./defaults/main/kernel.yml
allow_virtual_system_calls: true
enable_page_poisoning: true
kernel_lockdown: false
page_table_isolation: true
slub_debugger_poisoning: false
Sets various kernel security features.
./defaults/main/limits.yml
limit_nofile_hard: 1024
limit_nofile_soft: 512
limit_nproc_hard: 1024
limit_nproc_soft: 512
Defines the limits for open files and processes.
./defaults/main/misc.yml
reboot_ubuntu: false
redhat_signing_keys:
- 567E347AD0044ADE55BA8A5F199E2F91FD431D51
- 47DB287789B21722B6D95DDE5326810137017186
epel7_signing_keys:
- 91E97D7C4A5E96F17F3E888F6A2FAEA2352C64E5
epel8_signing_keys:
- 94E279EB8D8F25B21810ADF121EA45AB2F86D6A1
epel9_signing_keys:
- FF8AD1344597106ECE813B918A3872BF3228467C
If reboot_ubuntu: true, the Ubuntu node will reboot if necessary. This section also specifies signing keys.
./defaults/main/module_blocklists.yml
fs_modules_blocklist:
- cramfs
- freevxfs
- hfs
- hfsplus
- jffs2
- squashfs
- udf
misc_modules_blocklist:
- bluetooth
- bnep
- btusb
- can
- cpia2
- firewire-core
- floppy
- ksmbd
- n_hdlc
- net-pf-31
- pcspkr
- soundcore
- thunderbolt
- usb-midi
- usb-storage
- uvcvideo
- v4l2_common
net_modules_blocklist:
- atm
- dccp
- sctp
- rds
- tipc
These are kernel modules that will be blacklisted and disabled.
Note Disabling the
usb-storagemodule will disable all USB storage devices. If such devices are needed, configure USBGuard or a similar tool.
./defaults/main/mount.yml
hide_pid: 2
process_group: root
Sets access modes for /proc/<pid>/.
./defaults/main/ntp.yml
manage_timesyncd: true
fallback_ntp:
- ntp.netnod.se
- ntp.ubuntu.com
ntp:
- 2.pool.ntp.org
- time.nist.gov
If manage_timesyncd: true, then configure systemd's time synchronization.
./defaults/main/packagemgmt.yml
apt_hardening_options:
- Acquire::AllowDowngradeToInsecureRepositories "false";
- Acquire::AllowInsecureRepositories "false";
- Acquire::http::AllowRedirect "false";
- APT::Get::AllowUnauthenticated "false";
- APT::Get::AutomaticRemove "true";
- APT::Install-Recommends "false";
- APT::Install-Suggests "false";
- APT::Periodic::AutocleanInterval "7";
- APT::Sandbox::Seccomp "1";
- Unattended-Upgrade::Remove-Unused-Dependencies "true";
- Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Configures APT settings for security.
./defaults/main/packages.yml
system_upgrade: true
packages_blocklist:
- apport*
- autofs
- avahi*
- avahi-*
- beep
- git
- pastebinit
- popularity-contest
- prelink
- rpcbind
- rsh*
- rsync
- talk*
- telnet*
- tftp*
- tuned
- whoopsie
- xinetd
- yp-tools
- ypbind
packages_debian:
- acct
- apparmor-profiles
- apparmor-utils
- apt-show-versions
- audispd-plugins
- auditd
- cracklib-runtime
- debsums
- gnupg2
- haveged
- libpam-apparmor
- libpam-cap
- libpam-modules
- libpam-pwquality
- libpam-tmpdir
- lsb-release
- needrestart
- openssh-server
- postfix
- rsyslog
- sysstat
- systemd-journal-remote
- tcpd
- vlock
- wamerican
packages_redhat:
- audispd-plugins
- audit
- cracklib
- gnupg2
- haveged
- libpwquality
- openssh-server
- needrestart
- postfix
- psacct
- python3-dnf-plugin-post-transaction-actions
- rsyslog
- rsyslog-gnutls
- systemd-journal-remote
- vlock
- words
packages_ubuntu:
- fwupd
- secureboot-db
- snapd
If system_upgrade: true, an upgrade will be performed as needed with corresponding packages to remove based on the distribution.
./defaults/main/password.yml
manage_faillock: true
faillock:
admin_group: []
audit: true
deny: 5
dir: /var/run/faillock
even_deny_root: true
fail_interval: 900
local_users_only: true
no_log_info: false
nodelay: true
root_unlock_time: 600
silent: false
unlock_time: 600
login_defs:
login_retries: 5
login_timeout: 60
pass_max_days: 60
pass_min_days: 1
pass_warn_age: 7
password_remember: 5
pwquality:
dcredit: -1
dictcheck: 1
dictpath: ""
difok: 8
enforce_for_root: true
enforcing: 1
gecoscheck: 1
lcredit: -1
local_users_only: true
maxclassrepeat: 4
maxrepeat: 3
minclass: 4
minlen: 15
ocredit: -1
retry: 3
ucredit: -1
usercheck: 1
usersubstr: 3
This configures user account locking and password complexity requirements.
./defaults/main/rkhunter.yml
manage_rkhunter: true
rkhunter_allow_ssh_prot_v1: false
rkhunter_allow_ssh_root_user: false
rkhunter_mirrors_mode: "0"
rkhunter_update_mirrors: true
rkhunter_web_cmd: curl -fsSL
If manage_rkhunter: true, the rkhunter utility will be configured.
./defaults/main/sshd.yml
manage_ssh: true
sshd_accept_env: LANG LC_*
sshd_admin_net:
- 192.168.0.0/24
- 192.168.1.0/24
sshd_allow_agent_forwarding: false
sshd_allow_groups:
- sudo
sshd_allow_tcp_forwarding: false
sshd_allow_users:
- "{{ ansible_user | default(lookup('ansible.builtin.env', 'USER')) }}"
sshd_authentication_methods: any
sshd_authorized_principals_file: /etc/ssh/auth_principals/%u
sshd_banner: /etc/issue.net
sshd_ca_signature_algorithms:
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
- ssh-ed25519
- rsa-sha2-256
- rsa-sha2-512
- ssh-rsa
sshd_kbd_interactive_authentication: false
sshd_ciphers:
- [email protected]
- [email protected]
- aes256-ctr
sshd_client_alive_count_max: 1
sshd_client_alive_interval: 200
sshd_compression: false
sshd_config_d_force_clear: false
sshd_config_force_replace: false
sshd_debian_banner: false
sshd_deny_groups: []
sshd_deny_users: []
sshd_gssapi_authentication: false
sshd_host_key_algorithms:
- [email protected]
- [email protected]
- ssh-ed25519
- ssh-rsa
- [email protected]
- [email protected]
- [email protected]
- ecdsa-sha2-nistp521
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp256
sshd_host_keys_files: []
sshd_host_keys_group: root
sshd_host_keys_mode: "0600"
sshd_host_keys_owner: root
sshd_hostbased_authentication: false
sshd_ignore_rhosts: true
sshd_ignore_user_known_hosts: true
sshd_kerberos_authentication: false
sshd_kex_algorithms:
- [email protected]
- ecdh-sha2-nistp521
- ecdh-sha2-nistp384
- ecdh-sha2-nistp256
- diffie-hellman-group-exchange-sha256
sshd_listen:
- 0.0.0.0
sshd_log_level: VERBOSE
sshd_login_grace_time: 20
sshd_macs:
- [email protected]
- [email protected]
- hmac-sha2-512
- hmac-sha2-256
sshd_max_auth_tries: 3
sshd_max_sessions: 3
sshd_max_startups: 10:30:60
sshd_password_authentication: false
sshd_permit_empty_passwords: false
sshd_permit_root_login: false
sshd_ports:
- 22
sshd_print_last_log: true
sshd_print_motd: false
sshd_print_pam_motd: false
sshd_rekey_limit: 512M 1h
sshd_required_ecdsa_size: 521
sshd_required_rsa_size: 4096
sshd_sftp_enabled: true
sshd_sftp_only_chroot: true
sshd_sftp_only_chroot_dir: "%h"
sshd_sftp_only_group: ""
sshd_sftp_subsystem: internal-sftp -f LOCAL6 -l INFO
sshd_strict_modes: true
sshd_syslog_facility: AUTH
sshd_tcp_keep_alive: false
sshd_trusted_user_ca_keys_file: /etc/ssh/trusted-user-ca-keys.pem
sshd_update_moduli: false
sshd_use_dns: false
sshd_use_pam: true
sshd_use_privilege_separation: sandbox
sshd_x11_forwarding: false
If manage_ssh: true, the configuration for SSH will be updated.
Note The cryptographic settings will be updated, if applicable.
Only the networks defined in sshd_admin_net can connect through sshd_ports. Make sure that rules are set for other services as needed.
./defaults/main/suid_sgid_blocklist.yml
suid_sgid_permissions: true
suid_sgid_blocklist:
- 7z
- aa-exec
- ab
- agetty
- alpine
- ansible-playbook
- ansible-test
- aoss
- apt
- apt-get
[...]
When suid_sgid_permissions: true, it will remove any SUID/SGID permissions for the listed programs.
./defaults/main/sysctl.yml
manage_sysctl: true
sysctl_conf_dir: "{{ '/usr/lib/sysctl.d' if usr_lib_sysctl_d_dir else '/etc/sysctl.d' }}"
ipv4_sysctl_settings:
net.ipv4.conf.all.accept_redirects: 0
net.ipv4.conf.all.log_martians: 1
net.ipv4.ip_forward: 0
If manage_sysctl: true, this will update the system's sysctl configurations.
./defaults/main/templates.yml
adduser_conf_template: etc/adduser.conf.j2
common_account_template: etc/pam.d/common-account.j2
common_auth_template: etc/pam.d/common-auth.j2
common_password_template: etc/pam.d/common-password.j2
coredump_conf_template: etc/systemd/coredump.conf.j2
faillock_conf_template: etc/security/faillock.conf.j2
hardening_rules_template: etc/audit/rules.d/hardening.rules.j2
hosts_allow_template: etc/hosts.allow.j2
hosts_deny_template: etc/hosts.deny.j2
initpath_sh_template: etc/profile.d/initpath.sh.j2
issue_template: etc/issue.j2
journald_conf_template: etc/systemd/journald.conf.j2
limits_conf_template: etc/security/limits.conf.j2
login_defs_template: etc/login.defs.j2
logind_conf_template: etc/systemd/logind.conf.j2
logrotate_conf_template: etc/logrotate.conf.j2
motd_template: etc/motd.j2
pwquality_conf_template: etc/security/pwquality.conf.j2
resolved_conf_template: etc/systemd/resolved.conf.j2
rkhunter_template: etc/default/rkhunter.j2
ssh_config_template: etc/ssh/ssh_config.j2
sshd_config_template: etc/ssh/sshd_config.j2
sysctl_ipv6_config_template: etc/sysctl/sysctl.ipv6.conf.j2
sysctl_main_config_template: etc/sysctl/sysctl.main.conf.j2
system_conf_template: etc/systemd/system.conf.j2
timesyncd_conf_template: etc/systemd/timesyncd.conf.j2
tmp_mount_template: etc/systemd/tmp.mount.j2
user_conf_template: etc/systemd/user.conf.j2
useradd_template: etc/default/useradd.j2
Paths for the role's templates that can be overridden.
./defaults/main/ufw.yml
manage_ufw: true
ufw_outgoing_traffic:
- 22
- 53
- 80
- 123
- 443
- 853
ufw_rate_limit: false
If manage_ufw: true, ufw will be installed and configured with the specified rules. Set to false if you want to configure a firewall manually.
./defaults/main/umask.yml
session_timeout: 900
umask_value: "077"
Sets the session timeout and umask value for security settings.
./defaults/main/usbguard.yml
manage_usbguard: true
usbguard_configuration_file: /etc/usbguard/usbguard-daemon.conf
usbguard_rulefile: /etc/usbguard/rules.conf
usbguard_auditbackend: LinuxAudit
usbguard_auditfilepath: /var/log/usbguard/usbguard-audit.log
usbguard_authorizeddefault: none
usbguard_devicemanagerbackend: uevent
usbguard_deviceruleswithport: false
usbguard_hidepii: false
usbguard_implicitpolicytarget: block
usbguard_inserteddevicepolicy: apply-policy
usbguard_ipcaccesscontrolfiles: /etc/usbguard/IPCAccessControl.d/
usbguard_ipcallowedgroups:
- plugdev
- root
- wheel
usbguard_ipcallowedusers:
- root
usbguard_presentcontrollerpolicy: keep
usbguard_presentdevicepolicy: apply-policy
usbguard_restorecontrollerdevicestate: false
If manage_usbguard: true, USBGuard will be installed and configured.
./defaults/main/users.yml
delete_users:
- games
- gnats
- irc
- list
- news
- sync
- uucp
Users that will be removed from the system.
Further Reading
- Comparing DISA STIG and CIS Benchmark values
- Center for Internet Security Linux Benchmarks
- Common Configuration Enumeration
- DISA Security Technical Implementation Guides
- SCAP Security Guides
- Systemd Security Configurations
Contributing
Want to help out? We welcome contributions, big or small. If you notice anything odd, submit an issue, improve the code through a pull request, or consider sponsoring this project.
License
Apache License Version 2.0
Author Information
AlmaLinux, Debian and Ubuntu hardening. systemd edition.
ansible-galaxy install konstruktoid.hardening