thechip911.hardening

Hardening - Ansible Role

This is an Ansible role designed to harden AlmaLinux, Debian, or Ubuntu servers. This is the systemd edition.

Requirements: Ansible version 2.12 or higher.

You can find it on Ansible Galaxy.

Supported versions include:

Important: Always test this role in a non-production environment before using it.

Important: There is a SLSA artifact included for verification under the slsa action workflow.

Dependencies

This role has no dependencies.

Examples

Playbook

---
- hosts: localhost
  any_errors_fatal: true
  tasks:
    - name: Include the hardening role
      ansible.builtin.include_role:
        name: thechip911.hardening
      vars:
        block_blacklisted: true
        sshd_admin_net:
          - 10.0.0.0/16
        suid_sgid_permissions: false
...

ansible-pull with git checkout

---
- hosts: localhost
  any_errors_fatal: true
  tasks:
    - name: Install git
      become: true
      ansible.builtin.package:
        name: git
        state: present

    - name: Checkout thechip911.hardening
      become: true
      ansible.builtin.git:
        repo: 'https://github.com/thechip911/ansible-role-hardening'
        dest: /etc/ansible/roles/thechip911.hardening
        version: master

    - name: Include the hardening role
      ansible.builtin.include_role:
        name: thechip911.hardening
      vars:
        block_blacklisted: true
        sshd_admin_net:
          - 10.0.2.0/16
        suid_sgid_permissions: false
...

Note on UFW Firewall Rules

This role avoids resetting ufw on every run to prevent network disruption. Instead, it removes every ufw rule whose comment does not include "ansible managed".

It sets default deny policies, meaning you must create firewall rules for any ports other than those specified in sshd_port and ufw_outgoing_traffic.
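Because the role prunes any rule without the "ansible managed" comment, it is worth listing the rules that would be deleted before the first run. The preflight check below is an added example, not part of the role: it parses the output of `ufw show added` and reports rules lacking that comment. The sample output is constructed, and substring matching on the comment is an assumption about how the role checks it.

```python
"""Preflight: which existing ufw rules would the hardening role remove?

Per the README, the role deletes every ufw rule whose comment does not
include 'ansible managed'. Added example, not code from the role.
"""
import re
import subprocess
from typing import List, Optional, Tuple

ANSIBLE_COMMENT = "ansible managed"

# Constructed sample of `ufw show added` output (not captured from a real host).
SAMPLE_OUTPUT = """Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp comment 'ansible managed'
ufw allow from 10.0.0.0/16 to any port 22 proto tcp comment 'ansible managed'
ufw allow 443/tcp
ufw allow from 192.0.2.10 to any port 5432 proto tcp comment 'postgres replication'
ufw limit 8080/tcp comment 'ansible managed rate limit'
"""

# Trailing "comment '...'" at the end of a rule line.
_COMMENT_RE = re.compile(r"\bcomment\s+'([^']*)'\s*$")


def parse_rules(output: str) -> List[Tuple[str, Optional[str]]]:
    """Return (rule, comment) pairs for every 'ufw ...' line; comment is None if absent."""
    rules = []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("ufw "):
            continue  # header or blank line
        m = _COMMENT_RE.search(line)
        comment = m.group(1) if m else None
        rule = line[: m.start()].rstrip() if m else line
        rules.append((rule, comment))
    return rules


def unmanaged_rules(output: str) -> List[str]:
    """Rules the role would delete: no comment, or a comment without 'ansible managed'."""
    return [rule for rule, comment in parse_rules(output)
            if comment is None or ANSIBLE_COMMENT not in comment]


def live_unmanaged_rules() -> List[str]:
    """Run `ufw show added` on this host (requires root) and return the rules at risk."""
    out = subprocess.run(["ufw", "show", "added"], capture_output=True,
                         text=True, check=True).stdout
    return unmanaged_rules(out)


if __name__ == "__main__":
    for rule in unmanaged_rules(SAMPLE_OUTPUT):
        print("would be removed:", rule)
```

Any rule reported here must be re-added with the "ansible managed" comment (or via the role's variables) before the role runs, or it will be gone after the first play.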

Task Execution and Structure

For details on role structure, refer to STRUCTURE.md.

Role Testing

Refer to TESTING.md.

Role Variables with Defaults

./defaults/main/auditd.yml

auditd_apply_audit_rules: true
auditd_action_mail_acct: root
auditd_admin_space_left_action: suspend
auditd_disk_error_action: suspend
auditd_disk_full_action: suspend
auditd_max_log_file: 8
auditd_max_log_file_action: keep_logs
auditd_mode: 1
auditd_num_logs: 5
auditd_space_left: 75
auditd_space_left_action: email
grub_audit_backlog_cmdline: audit_backlog_limit=8192
grub_audit_cmdline: audit=1

grub_audit_cmdline and grub_audit_backlog_cmdline enable auditd at boot by adding the settings to the Grub kernel command line.

When auditd_apply_audit_rules: 'yes', the role will apply the auditd rules defined in the template file.

Ensure auditd_action_mail_acct contains a valid email address for notifications about low disk space.

./defaults/main/compilers.yml

compilers:
  - as
  - cargo
  - cc
  - cc-[0-9]*
  - clang-[0-9]*
  - gcc
  - gcc-[0-9]*
  - go
  - make
  - rustc

A list of compilers restricted to the root user.

./defaults/main/disablewireless.yml

disable_wireless: false

Set to true to disable all wireless interfaces.

./defaults/main/dns.yml

dns: 127.0.0.1 1.1.1.1
fallback_dns: 9.9.9.9 1.0.0.1
dnssec: allow-downgrade
dns_over_tls: opportunistic

Set the DNS servers to use. dnssec controls DNSSEC validation (allow-downgrade validates where the upstream supports it), and dns_over_tls: opportunistic encrypts connections if the DNS server supports it.

./defaults/main/ipv6.yml

disable_ipv6: false
ipv6_disable_sysctl_settings:
  net.ipv6.conf.all.disable_ipv6: 1
  net.ipv6.conf.default.disable_ipv6: 1

Set disable_ipv6: true to disable IPv6.

./defaults/main/limits.yml

limit_nofile_hard: 1024
limit_nofile_soft: 512
limit_nproc_hard: 1024
limit_nproc_soft: 512

Defines maximum open files and processes.

./defaults/main/misc.yml

install_aide: true
reboot_ubuntu: false
...

install_aide: true means AIDE will be installed and configured.

./defaults/main/module_blocklists.yml

block_blacklisted: false
fs_modules_blocklist:
  - cramfs
  ...

Blocked kernel modules. Setting block_blacklisted: true stops any blacklisted kernel modules from loading.

./defaults/main/mount.yml

hide_pid: 2
process_group: root

Control the access mode for /proc/<pid>/ (hide_pid) and the group that keeps full visibility (process_group).

./defaults/main/ntp.yml

fallback_ntp: 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org
ntp: 0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org

Defines NTP server addresses.

./defaults/main/packages.yml

system_upgrade: true
packages_blocklist:
  - apport*
  ...

Set system_upgrade: 'yes' to run necessary system updates.

./defaults/main/password.yml

crypto_policy: FIPS
...

Set cryptographic policies and password quality requirements.

./defaults/main/sshd.yml

sshd_accept_env: LANG LC_*
...

Configures SSH settings and access controls.

./defaults/main/suid_sgid_blocklist.yml

suid_sgid_permissions: true
suid_sgid_blocklist:
  - ansible-playbook
  ...

When suid_sgid_permissions: true, the SUID/SGID bits are removed from the listed commands.

./defaults/main/sysctl.yml

sysctl_dev_tty_ldisc_autoload: 0
...

Configure system settings using sysctl.

./defaults/main/ufw.yml

ufw_enable: true
ufw_outgoing_traffic:
  - 22
  ...

Set ufw_enable: true to install and configure UFW firewall rules.

./defaults/main/users.yml

delete_users:
  - games
  ...

Specifies users to be removed from the system.

Contributing

We welcome contributions of any size. If you notice any issues, feel free to submit them or improve the code. You can also support the project through sponsorship.

License

Apache License Version 2.0

Author Information

https://github.com/thechip911

Project information

AlmaLinux, Debian and Ubuntu hardening. systemd edition.

Install
ansible-galaxy install thechip911.hardening
License
apache-2.0