security-settings

Build Status Ansible Galaxy

ansible-security-settings

Ansible Role for enforcing security settings related to enterprise compliance on enterprise grade OS

Description

This role configures several security settings across login, password management, ssh, pam, selinux configuration and other. It is designed for enterprise compliance definitions.

Configures:

  • pam tally and faillock modules for automated account lockout on login failures
  • password history
  • password complexity
  • ssh port, rootlogin, banner, cipher, port forwarding settings
  • selinux and firewall state
  • shell timeout
  • physical sendbreak and ctrl-alt-del disabling
  • Linux auditd configuration
  • firewall status
  • Magic SysRq configuration

Password aging variables:

Name Default Value Description
os_auth_pw_max_age 60 Max days a password is valid before requiring a change
os_auth_pw_min_age 10 Min days of age a password must have before it can be changed
os_auth_pw_warn_age 7 Days before password expires that account will be warned
passhistory 6 number of passwords to remember to avoid reusage

Password complexity variables:

Name Default Value Description
pwquality_minlen 8 Minimum password length in characters
pwquality_maxrepeat 3 Maximum amount of same characters repeated in password
pwquality_lcredit -1 lowercase amount of chars that must be present in password, for 2 use '-2' and so on
pwquality_ucredit -1 uppercase amount of chars that must be present in password , for 2 use '-2' and so on
pwquality_dcredit -1 digits that must be present in password, for 2 use '-2' and so on
pwquality_ocredit -1 special chars that must be present in a password, for 2 use '-2' and so on
solaris_dictionary_minwordlength 5 Solaris minimum dictionary word length

Account inactivity and failed login variables:

Name Default Value Description
fail_deny 5 Amount of times failed passwords can be tried before locking the account
fail_unlock 0 Seconds elapsed before account is unlocked after failed logins, if set to 0 auto-unlock is disabled and passwords will remain locked
inactive_lock 0 Number of days an account can be inactive before it is locked, a value of 0 disables inactivity lockout
shell_timeout 900 desired shell timeout in seconds, set 0 to disable

System services and settings variables:

Name Default Value Description
selinux_state permissive selinux configuration value
firewall_check false Configures if the role should check firewall setup
firewall_state stopped Firewall desired status
firewall_enable 'no' Desired firewall configuration status
disable_ctrlaltdel True Whether to disable Control-Alt-Del and physical sendbreak in Solaris
solaris_disable_services false Disable unsafe solaris services
magic_sysrq 1 Value of kernel.sysrq setting in Linux, as accepted by the Linux kernel

SSH configuration variables:

Name Default Value Description
sshrootlogin 'no' allow ssh root login, keep single quotes to avoid boolean evaluation
sshportforwarding 'no' Configured options for port forwarding, values as in config file: yes, no, remote, local
sshmainport 22 main ssh port
sshextraport 0 secondary ssh port, set to 0 to disable an extra port
setloginbanner true use a login banner in ssh
sshd_solaris_restrict_ipv4 True Restrict ssh connections to ipv4 in solaris as workaround for DISPLAY issues
ssh_enforce_ciphers True Enforce strong ciphers and MACs in ssh, false to disable and allow all supported MACs and Ciphers
sha1_mac_enabled False Disable use of sha1 HMACs in ssh, theoretical attack vectors exist
md5_mac_enabled False Disable use of md5 HMACs in ssh, known vulnerabilies and attack vectors exist
truncated_mac_enabled False Disable use of md5 or sha1 truncated 96bit HMACs in ssh, shorter subsets of md5 and sha1
cbc_ciphers_enabled False Disable use of Cipher Block Chaining mode ciphers in ssh, considered vulnerable to several Padding on Oracle attacks
sweet32_ciphers_enabled False Enable use of 64bit Cipher Block Chaining mode ciphers in ssh, considered vulnerable to SWEET32 attack
rc4_ciphers_enabled False Enable use of arcfour ciphers in ssh, considered vulnerable with practical attacks in existance
nist_curves_enabled false Disable NIST KEX curve cryptography since they are weak in several aspects
logjam_sha1_enabled false Disable SHA1 KEX algorithms, vulnerable to logjam attacks

Audit configuration variables:

Name Default Value Description
auditd_configure: true Enable auditd configuration management
auditd_max_log_filesize 25 Audit max log filesize in MB
auditd_num_logs 8 Max number of audit logs to keep
security_audit_datetime_changes true auditd will track all date or time modifications
security_audit_account_modifications true auditd will track all account modifications
security_audit_network_changes true auditd will track all network config modifications
security_audit_selinux_changes true auditd will track changes to selinux configurations
security_audit_permission_changes false auditd will track all file permission changes
security_audit_fileaccess_failedattempts false auditd will track all unauthorized access attempts to files
security_audit_filesystem_mounts true auditd will track all mount/unmount of filesystems }
security_audit_deletions false auditd will track all file deletions
security_audit_sudoers true auditd will track all modification to sudoers rules
security_audit_kernel_modules false auditd will track all module operations as well as sysctl configurations
security_audit_logon true auditd will track all login/logout/sessions
security_audit_elevated_privilege_commands true auditd will track all elevated privilege commands
security_audit_all_commands false auditd will track ALL commands
security_audit_log_integrity false auditd will monitor integrity of logs and logging configuration
security_audit_configuration_immutable false auditd will make its rules immutable, a reboot will be needed to make changes
security_audit_custom_rules empty This is a multi-line variable, that if defined, should contain complete audit rules that will get added to the configuration file
About

Ansible Role for enforcing security settings related to enterprise compliance on enterprise grade OS.

Install
ansible-galaxy install scathatheworm/ansible-security-settings
GitHub repository
License
gpl-2.0
Downloads
109
Owner
IT stuff.