scathatheworm.security-settings
ansible-security-settings
Ansible role for applying security settings that meet enterprise compliance requirements on enterprise-grade operating systems (Linux and Solaris).
Overview
This role configures login and password policy, PAM, SSH, SELinux, the firewall service, kernel settings and the Linux audit daemon, with the aim of meeting enterprise compliance standards.
Configurations Include:
- PAM modules for automatic account lockout after repeated failed login attempts.
- Password history (reuse prevention) and password aging.
- Password complexity requirements.
- SSH settings: listening ports, root login, login banner, cipher/MAC/KEX algorithm lists, and port forwarding.
- SELinux mode and firewall service state.
- Idle shell timeout.
- Disabling physical send-break and Ctrl-Alt-Del.
- Linux audit daemon (auditd) configuration and rules.
- Magic SysRq (kernel.sysrq) setting.
Password Aging Settings:
Name | Default Value | Description |
---|---|---|
os_auth_pw_max_age | 60 | Maximum number of days a password stays valid before it must be changed. |
os_auth_pw_min_age | 10 | Minimum number of days a password must be kept before the user may change it again; this stops users cycling straight back to an old password. |
os_auth_pw_warn_age | 7 | Number of days before expiry at which the user is warned. |
passhistory | 6 | Number of previous passwords remembered; a new password that matches any of them is rejected. |
Password Complexity Requirements:
Name | Default Value | Description |
---|---|---|
pwquality_minlen | 8 | Minimum password length. |
pwquality_maxrepeat | 3 | Maximum number of identical consecutive characters allowed. |
pwquality_lcredit | -1 | Lowercase-letter credit (pam_pwquality semantics): a negative value -N requires at least N lowercase characters, so -1 means at least one. |
pwquality_ucredit | -1 | Uppercase-letter credit; -1 requires at least one uppercase character. |
pwquality_dcredit | -1 | Digit credit; -1 requires at least one digit. |
pwquality_ocredit | -1 | Special-character credit; -1 requires at least one non-alphanumeric character. |
solaris_dictionary_minwordlength | 5 | Minimum word length used for dictionary checks on Solaris. |
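The credit values in the table above are easy to misread (a negative number is a hard minimum, a positive number is a length discount). The following is an added example, not code from the role: it re-implements the relevant pam_pwquality checks in Python with the role's default values so that candidate passwords can be tried against the policy. The function names and the DEFAULTS dictionary are this example's own; the role itself only writes these values into the pwquality configuration.

```python
"""pam_pwquality-style checks using this role's default values.

Added example (not the role's code). Re-implements minlen, maxrepeat and the
four credit settings so the semantics of the defaults can be exercised.
Positive credits are approximated: the real module also nudges minlen by one
when credits are enabled, which is not modelled here.
"""
from itertools import groupby
from typing import Dict, List

# Role defaults taken from the table above (keys are the role's variable names).
DEFAULTS: Dict[str, int] = {
    "pwquality_minlen": 8,
    "pwquality_maxrepeat": 3,
    "pwquality_lcredit": -1,
    "pwquality_ucredit": -1,
    "pwquality_dcredit": -1,
    "pwquality_ocredit": -1,
}


def _class_counts(pw: str) -> Dict[str, int]:
    """Count characters per class, keyed by the matching *credit option name."""
    return {
        "lcredit": sum(c.islower() for c in pw),
        "ucredit": sum(c.isupper() for c in pw),
        "dcredit": sum(c.isdigit() for c in pw),
        "ocredit": sum(not c.isalnum() for c in pw),
    }


def longest_run(pw: str) -> int:
    """Length of the longest run of the same consecutive character (case-sensitive)."""
    return max((len(list(g)) for _, g in groupby(pw)), default=0)


def check_password(pw: str, cfg: Dict[str, int] = DEFAULTS) -> List[str]:
    """Return the list of violated rules; an empty list means the password is accepted.

    Credit semantics follow pam_pwquality: a negative value -N is a hard
    requirement of at least N characters of that class; a positive value
    shortens the effective minimum length by one per character of the class,
    up to the credit value.
    """
    problems: List[str] = []
    effective_len = len(pw)
    for cls, n in _class_counts(pw).items():
        credit = cfg[f"pwquality_{cls}"]
        if credit < 0:
            if n < -credit:
                problems.append(f"{cls}: need at least {-credit}, have {n}")
        else:
            effective_len += min(n, credit)
    minlen = cfg["pwquality_minlen"]
    if effective_len < minlen:
        problems.append(f"minlen: effective length {effective_len} < {minlen}")
    maxrepeat = cfg["pwquality_maxrepeat"]
    run = longest_run(pw)
    if maxrepeat > 0 and run > maxrepeat:
        problems.append(f"maxrepeat: {run} identical consecutive characters > {maxrepeat}")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ("Tr0ub4dor&3", "password", "Aaaaa1!b", "Ab1!"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Running it shows that `password` fails three class requirements while meeting the length, that a run of four identical letters trips maxrepeat even in an otherwise compliant password, and that a positive credit (for example `pwquality_lcredit: 2`) lets a six-character password pass `minlen: 8`, which is why the role ships negative values.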
Account Inactivity and Failed Login Settings:
Name | Default Value | Description |
---|---|---|
fail_deny | 5 | Number of failed login attempts before the account is locked. |
fail_unlock | 0 | Seconds after which a locked account is unlocked automatically. With 0 the lock does not expire and an administrator has to clear it (the pam_faillock/pam_tally2 convention; check the role's PAM template for the module it uses). |
inactive_lock | 0 | Days an account may be inactive before it is locked. |
shell_timeout | 900 | Idle shell timeout in seconds; set to 0 to disable. |
System Services and Settings:
Name | Default Value | Description |
---|---|---|
selinux_state | permissive | SELinux mode (enforcing, permissive or disabled). Note that the default only logs policy violations; set enforcing to block them. |
firewall_check | false | Whether the role checks and manages the firewall service at all. |
firewall_state | stopped | Desired firewall service state. |
firewall_enable | 'no' | Whether the firewall service is enabled at boot. Keep the quotes: an unquoted no is parsed by YAML as the boolean False. |
disable_ctrlaltdel | True | Disable the Ctrl-Alt-Del reboot target and physical send-break handling. |
solaris_disable_services | false | Disable unsafe services on Solaris. |
magic_sysrq | 1 | Value written to kernel.sysrq on Linux: 1 enables every SysRq function, 0 disables them, other values are a bitmask selecting individual functions. |
SSH Configuration Settings:
Name | Default Value | Description |
---|---|---|
sshrootlogin | 'no' | Whether root may log in over SSH. Keep the single quotes as they are: Ansible's YAML parser turns an unquoted no into the boolean False, which would be templated into sshd_config as "False" instead of no. |
sshportforwarding | 'no' | Whether port forwarding is permitted; keep the quotes for the same reason. |
sshmainport | 22 | Main SSH listening port. |
sshextraport | 0 | Additional SSH listening port; set to 0 to disable. |
setloginbanner | true | Show a login banner before SSH authentication. |
sshd_solaris_restrict_ipv4 | True | Restrict sshd to IPv4 on Solaris. |
ssh_enforce_ciphers | True | Enforce explicit cipher, MAC and key-exchange algorithm lists in sshd. The *_enabled flags below control which weak algorithm families are re-admitted; with all of them False only modern algorithms remain. |
sha1_mac_enabled | False | Allow HMAC-SHA1 MACs; False removes them. |
md5_mac_enabled | False | Allow HMAC-MD5 MACs; False removes them. |
truncated_mac_enabled | False | Allow truncated (-96) MACs; False removes them. |
cbc_ciphers_enabled | False | Allow CBC-mode ciphers; False removes them. |
sweet32_ciphers_enabled | False | Allow 64-bit-block CBC ciphers (3DES, Blowfish, CAST128), which are exposed to the SWEET32 attack; False removes them. |
rc4_ciphers_enabled | False | Allow RC4 (arcfour) ciphers, which are broken; False removes them. |
nist_curves_enabled | false | Allow ECDH key exchange over the NIST curves (ecdh-sha2-nistp*), which the role treats as weak; false removes them. |
logjam_sha1_enabled | false | Allow SHA-1 based Diffie-Hellman key-exchange algorithms, including the 1024-bit group targeted by Logjam; false removes them. |
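The role's sshd template is not shown on this page, so it is not obvious which algorithm names each `*_enabled` flag removes. The following is an added example, not the role's own code: it composes `Ciphers`, `MACs` and `KexAlgorithms` lines from the flags in the table above. The candidate lists are OpenSSH's built-in algorithm names and the filtering rules are this example's reading of the table (an algorithm is kept only if every weak property it has is explicitly enabled); both are assumptions, not the role's actual lists.

```python
"""Compose sshd algorithm lines from this role's *_enabled flags.

Added example, not the role's template. Candidate lists are OpenSSH algorithm
names (assumption: the role's own candidate lists are not on the page). With
the role's defaults (every flag False) only modern algorithms survive;
flipping a flag to True shows exactly which names it re-admits.
"""
from typing import Dict, List

CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
    "aes256-ctr", "aes192-ctr", "aes128-ctr",
    "aes256-cbc", "aes192-cbc", "aes128-cbc",
    "3des-cbc", "blowfish-cbc", "cast128-cbc",
    "arcfour256", "arcfour128", "arcfour",
]
MACS = [
    "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
    "umac-128-etm@openssh.com",
    "hmac-sha2-512", "hmac-sha2-256", "umac-128@openssh.com",
    "hmac-sha1-etm@openssh.com", "hmac-sha1", "hmac-sha1-96",
    "umac-64-etm@openssh.com", "umac-64@openssh.com",
    "hmac-md5-etm@openssh.com", "hmac-md5", "hmac-md5-96",
]
KEX = [
    "curve25519-sha256", "curve25519-sha256@libssh.org",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
    "diffie-hellman-group14-sha256",
    "ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1",
]

# Role defaults from the table above (variable names are the role's).
DEFAULT_FLAGS: Dict[str, bool] = {
    "sha1_mac_enabled": False, "md5_mac_enabled": False,
    "truncated_mac_enabled": False, "cbc_ciphers_enabled": False,
    "sweet32_ciphers_enabled": False, "rc4_ciphers_enabled": False,
    "nist_curves_enabled": False, "logjam_sha1_enabled": False,
}

SWEET32 = {"3des-cbc", "blowfish-cbc", "cast128-cbc"}  # 64-bit block ciphers


def cipher_allowed(name: str, f: Dict[str, bool]) -> bool:
    """3des-cbc has two weak properties (64-bit block and CBC) and needs both flags."""
    ok = True
    if name in SWEET32:
        ok = ok and f["sweet32_ciphers_enabled"]
    if name.startswith("arcfour"):
        ok = ok and f["rc4_ciphers_enabled"]
    if name.endswith("-cbc"):
        ok = ok and f["cbc_ciphers_enabled"]
    return ok


def mac_allowed(name: str, f: Dict[str, bool]) -> bool:
    """Truncated MACs are the -96 variants and umac-64; hmac-sha1-96 needs two flags."""
    ok = True
    if "sha1" in name:
        ok = ok and f["sha1_mac_enabled"]
    if "md5" in name:
        ok = ok and f["md5_mac_enabled"]
    if name.endswith("-96") or name.startswith("umac-64"):
        ok = ok and f["truncated_mac_enabled"]
    return ok


def kex_allowed(name: str, f: Dict[str, bool]) -> bool:
    ok = True
    if name.startswith("ecdh-sha2-nistp"):
        ok = ok and f["nist_curves_enabled"]
    if name.endswith("-sha1"):
        ok = ok and f["logjam_sha1_enabled"]
    return ok


def policy(flags: Dict[str, bool] = DEFAULT_FLAGS) -> Dict[str, List[str]]:
    """Filtered algorithm lists, in preference order, for the given flags."""
    return {
        "ciphers": [c for c in CIPHERS if cipher_allowed(c, flags)],
        "macs": [m for m in MACS if mac_allowed(m, flags)],
        "kex": [k for k in KEX if kex_allowed(k, flags)],
    }


def sshd_fragment(flags: Dict[str, bool] = DEFAULT_FLAGS) -> str:
    """sshd_config lines as the role's template might emit them (format assumed)."""
    p = policy(flags)
    return "\n".join([
        "Ciphers " + ",".join(p["ciphers"]),
        "MACs " + ",".join(p["macs"]),
        "KexAlgorithms " + ",".join(p["kex"]),
    ])


if __name__ == "__main__":
    print(sshd_fragment())
    print("--- with cbc_ciphers_enabled: True ---")
    print(sshd_fragment({**DEFAULT_FLAGS, "cbc_ciphers_enabled": True}))
```

With the defaults the output keeps six ciphers (ChaCha20-Poly1305, AES-GCM and AES-CTR), six MACs (the SHA-2 and UMAC-128 variants) and six key exchanges (Curve25519 and the SHA-2 Diffie-Hellman groups). Enabling only `cbc_ciphers_enabled` brings back the AES-CBC ciphers but not 3DES, because that name is also governed by `sweet32_ciphers_enabled`; whatever list you settle on, confirm it against `sshd -T` on the target after the role runs.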
Audit Configuration Settings:
Name | Default Value | Description |
---|---|---|
auditd_configure | true | Enable management of the auditd configuration by this role. |
auditd_max_log_filesize | 25 | Maximum size of a single audit log file in MB. |
auditd_num_logs | 8 | Number of rotated audit log files to keep. |
security_audit_datetime_changes | true | Audit changes to the system date and time. |
security_audit_account_modifications | true | Audit changes to user and group accounts. |
security_audit_network_changes | true | Audit changes to the network configuration. |
security_audit_selinux_changes | true | Audit changes to SELinux settings. |
security_audit_permission_changes | false | Audit changes to file permissions and ownership. |
security_audit_fileaccess_failedattempts | false | Audit failed (unauthorized) file access attempts. |
security_audit_filesystem_mounts | true | Audit file system mounts and unmounts. |
security_audit_deletions | false | Audit file deletions and renames. |
security_audit_sudoers | true | Audit changes to the sudoers rules. |
security_audit_kernel_modules | false | Audit kernel module loading/unloading and sysctl changes. |
security_audit_logon | true | Audit all login and logout sessions. |
security_audit_elevated_privilege_commands | true | Audit commands run with elevated privileges. |
security_audit_all_commands | false | Audit every command executed (high volume; size auditd_max_log_filesize and auditd_num_logs accordingly). |
security_audit_log_integrity | false | Audit access to the audit logs and audit configuration themselves. |
security_audit_configuration_immutable | false | Lock the audit rule set so it cannot be changed at runtime; any later rule change, including one pushed by this role, requires a reboot to take effect. |
security_audit_custom_rules | empty | Additional audit rules to append to the generated configuration. |
Project information
Ansible role for enforcing security settings related to enterprise compliance on enterprise-grade operating systems.
Install
ansible-galaxy install scathatheworm.security-settings
License
gpl-2.0
Downloads
118
Owner
IT stuff.