diff --git a/molecule/ssh_hardening_custom_tests/converge.yml b/molecule/ssh_hardening_custom_tests/converge.yml index 81138483..1c936867 100644 --- a/molecule/ssh_hardening_custom_tests/converge.yml +++ b/molecule/ssh_hardening_custom_tests/converge.yml @@ -20,11 +20,6 @@ - path: "/etc/ssh/auth_principals/root" principals: - "root" - owner: "{{ ssh_owner }}" - group: "{{ ssh_group }}" - directoryowner: "{{ ssh_owner }}" - directorygroup: "{{ ssh_group }}" - directorymode: "0700" network_ipv6_enable: true ssh_allow_tcp_forwarding: 'yes' ssh_gateway_ports: true diff --git a/roles/mysql_hardening/README.md b/roles/mysql_hardening/README.md index b70289d7..482f2cb8 100644 --- a/roles/mysql_hardening/README.md +++ b/roles/mysql_hardening/README.md @@ -1,6 +1,6 @@ # devsec.mysql_hardening -![devsec.mysql_hardening](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.mysql_hardening/badge.svg) +![devsec.mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/workflows/devsec.mysql_hardening/badge.svg) ## Description 
@@ -12,74 +12,128 @@ It configures: - Removes anonymous users, users without a password or authentication_string and test databases - various hardening options inside MySQL +Changes of options `log_error` or `datadir` in `mysql_hardening_options` will not be checked for correct permissions. Please change/set `log_error` or `datadir` with the installation role of MySQL before running this role, or you can run this role twice. + +Further information is available at [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://www.symantec.com/connect/articles/securing-mysql-step-step) + ## Requirements -- Ansible 2.9.0 -- An existing MySQL installation +- An existing installation of MySQL or MariaDB. - python-jmespath on the ansible host -### Example playbook + +## Supported Operating Systems +| Platform | Versions | +| -------- | -------- | +| EL | 7, 8, 9 | +| Ubuntu | bionic, focal, jammy | +| Debian | bullseye, buster | +| Amazon | | +| opensuse | | -```yml -- hosts: localhost - collections: - - devsec.hardening - roles: - - mysql_hardening -``` +## Role Variables -This role expects an existing installation of MySQL or MariaDB. Changes of options `log_error` or `datadir` in `mysql_hardening_options` will not be checked for correct permissions. Please change/set `log_error` or `datadir` with the installation role of MySQL before running this role, or you can run this role twice. 
-Please ensure that the following variables are set accordingly: +* `mysql_daemon_enabled` + * Default: `true` + * Description: Whether to enable the MySQL-service so it starts on boot + * Type: bool + * Required: no +* `mysql_hardening_chroot` + * Default: `` + * Description: [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot) + * Type: str + * Required: no +* `mysql_hardening_chroot.automatic-sp-privileges` + * Default: `0` + * Description: [automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges) + * Type: int + * Required: no +* `mysql_hardening_enabled` + * Default: `true` + * Description: Whether to run the hardening + * Type: bool + * Required: no +* `mysql_hardening_options.allow-suspicious-udfs` + * Default: `0` + * Description: [allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs) + * Type: int + * Required: no +* `mysql_hardening_options.local-infile` + * Default: `0` + * Description: [local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile) + * Type: int + * Required: no +* `mysql_hardening_options.safe-user-create` + * Default: `1` + * Description: [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create) + * Type: int + * Required: no +* `mysql_hardening_options.secure-auth` + * Default: `1` + * Description: [secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth) + * Type: int + * Required: no +* `mysql_hardening_options.secure-file-priv` + * Default: `/tmp` + * Description: [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv) + * Type: str + * Required: no +* `mysql_hardening_options.skip-symbolic-links` + * Default: `1` + * Description: 
[skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links) + * Type: int + * Required: no +* `mysql_hardening_restart_mysql` + * Default: `true` + * Description: Restart mysql after running this role + * Type: bool + * Required: no +* `mysql_hardening_skip_grant_tables:` + * Default: `false` + * Description: [skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables) + * Type: bool + * Required: no +* `mysql_hardening_skip_show_database` + * Default: `1` + * Description: [skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database) + * Type: int + * Required: no +* `mysql_remove_anonymous_users` + * Default: `true` + * Description: Set to `false` to keep users without authentication + * Type: bool + * Required: no +* `mysql_remove_remote_root` + * Default: `true` + * Description: If `true`, root can only connect from localhost. Set to `false` to not remove remote root users. + * Type: bool + * Required: no +* `mysql_remove_test_database` + * Default: `true` + * Description: Set to `false` to keep the test database + * Type: bool + * Required: no +* `mysql_root_password` + * Default: `-----====>SetR00tPa$$wordH3r3!!!<====-----` + * Description: The default password. Please change or overwrite it + * Type: str + * Required: no +* `mysql_user_home` + * Default: `{{ ansible_env.HOME }}` + * Description: The path where the `.my.cnf` will be stored + * Type: str + * Required: no -- `mysql_hardening_enabled: yes` role is enabled by default and can be disabled without removing it from a playbook. You can use conditional variable, for example: `mysql_hardening_enabled: "{{ true if mysql_enabled else false }}"` -- `mysql_hardening_user: 'mysql'` The user that mysql runs as. 
-- `mysql_hardening_mysql_hardening_conf_file: '/etc/mysql/conf.d/hardening.cnf'` The path to the configuration file where the hardening will be performed -- _deprecated: `mysql_datadir: '/var/lib/mysql'` The MySQL data directory_ - - `mysql_datadir` is no longer necessary, as MySQL data directory is automatically taken from `mysql_info`. But it can still be defined and will also be checked for correct permissions. +## Dependencies -## Role Variables +None. -- `mysql_hardening_chroot` - - Default: "" - - Description: [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot) -- `mysql_hardening_options.safe-user-create` - - Default: 1 - - Description: [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create) -- `mysql_hardening_options.secure-auth` - - Default: 1 - - Description: [secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth) -- `mysql_hardening_options.skip-symbolic-links` - - Default: 1 - - Description: [skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links) -- `mysql_hardening_skip_grant_tables:` - - Default: false - - Description: [skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables) -- `mysql_hardening_skip_show_database` - - Default: 1 - - Description: [skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database) -- `mysql_hardening_options.local-infile` - - Default: 0 - - Description: [local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile) -- `mysql_hardening_options.allow-suspicious-udfs` - - Default: 0 - - Description: [allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs) -- `mysql_hardening_chroot.automatic-sp-privileges` - - Default: 0 - - 
Description: [automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges) -- `mysql_hardening_options.secure-file-priv` - - Default: /tmp - - Description: [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv) -- `mysql_allow_remote_root` - - Default: false - - Description: delete remote root users -- `mysql_remove_anonymous_users` - - Default: true - - Description: remove users without authentication -- `mysql_remove_test_database` - - Default: true - - Description: remove test database -- `mysql_hardening_restart_mysql` - - Default: true - - Description: Restart mysql after running this role +## Example Playbook + +``` +- hosts: all + roles: + - name: devsec.hardening.mysql_hardening +``` + -Further information is available at [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://www.symantec.com/connect/articles/securing-mysql-step-step) diff --git a/roles/mysql_hardening/defaults/main.yml b/roles/mysql_hardening/defaults/main.yml index c56e479c..e8d1fadf 100644 --- a/roles/mysql_hardening/defaults/main.yml +++ b/roles/mysql_hardening/defaults/main.yml @@ -6,8 +6,6 @@ mysql_daemon_enabled: true mysql_hardening_restart_mysql: true -# general configuration -mysql_hardening_mysql_hardening_conf_file: "{{ mysql_hardening_mysql_confd_dir }}/hardening.cnf" # You have to change this to your own strong enough mysql root password mysql_root_password: "-----====>SetR00tPa$$wordH3r3!!!<====-----" # There .my.cnf with mysql root credentials will be installed diff --git a/roles/mysql_hardening/meta/argument_specs.yml b/roles/mysql_hardening/meta/argument_specs.yml new file mode 100644 index 00000000..b95eaf55 --- /dev/null +++ b/roles/mysql_hardening/meta/argument_specs.yml 
@@ -0,0 +1,79 @@ +--- +argument_specs: + main: + short_description: The main entry point for the mysql hardening role. + version_added: 8.8.0 + options: + mysql_hardening_chroot: + default: '' + type: str + description: '[chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot)' + mysql_hardening_options.safe-user-create: + default: 1 + type: int + description: '[safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create)' + mysql_hardening_options.secure-auth: + default: 1 + type: int + description: '[secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth)' + mysql_hardening_options.skip-symbolic-links: + default: 1 + type: int + description: '[skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links)' + 'mysql_hardening_skip_grant_tables:': + default: false + type: bool + description: '[skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables)' + mysql_hardening_skip_show_database: + default: 1 + type: int + description: '[skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database)' + mysql_hardening_options.local-infile: + default: 0 + type: int + description: '[local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile)' + mysql_hardening_options.allow-suspicious-udfs: + default: 0 + type: int + description: '[allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs)' + mysql_hardening_chroot.automatic-sp-privileges: + default: 0 + type: int + description: '[automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges)' + mysql_hardening_options.secure-file-priv: + default: /tmp + type: str + description: 
'[secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv)' + mysql_remove_anonymous_users: + default: true + type: bool + description: Set to `false` to keep users without authentication + mysql_remove_test_database: + default: true + type: bool + description: Set to `false` to keep the test database + mysql_hardening_restart_mysql: + default: true + type: bool + description: Restart mysql after running this role + mysql_hardening_enabled: + default: true + type: bool + description: Whether to run the hardening + mysql_daemon_enabled: + default: true + type: bool + description: Whether to enable the MySQL-service so it starts on boot + mysql_root_password: + default: '-----====>SetR00tPa$$wordH3r3!!!<====-----' + type: str + description: The default password. Please change or overwrite it + mysql_user_home: + default: '{{ ansible_env.HOME }}' + type: str + description: The path where the `.my.cnf` will be stored + mysql_remove_remote_root: + default: true + type: bool + description: If `true`, root can only connect from localhost. Set to `false` + to not remove remote root users. diff --git a/roles/mysql_hardening/tasks/configure.yml b/roles/mysql_hardening/tasks/configure.yml index 54c32093..39c99620 100644 --- a/roles/mysql_hardening/tasks/configure.yml +++ b/roles/mysql_hardening/tasks/configure.yml @@ -56,7 +56,7 @@ - name: Apply hardening configuration ansible.builtin.template: src: hardening.cnf.j2 - dest: "{{ mysql_hardening_mysql_hardening_conf_file }}" + dest: "{{ mysql_hardening_mysql_confd_dir + '/hardening.cnf' }}" owner: "{{ mysql_cnf_owner }}" group: "{{ mysql_cnf_group }}" mode: "0640" diff --git a/roles/nginx_hardening/README.md b/roles/nginx_hardening/README.md index 83bed24b..8dd8a150 100644 --- a/roles/nginx_hardening/README.md +++ b/roles/nginx_hardening/README.md 
@@ -15,103 +15,132 @@ It works with the following nginx-roles, including, but not limited to: **NOTE: This role does not work with nginx 1.0.15 or older! Please use the latest version from the official nginx repositories!** -## Requirements - -- Ansible >= 2.9 + +## Supported Operating Systems +| Platform | Versions | +| -------- | -------- | +| EL | 7, 8, 9 | +| Ubuntu | bionic, focal, jammy | +| Debian | buster, bullseye | +| Amazon | | ## Role Variables -- [nginx_client_body_buffer_size][] - - Default: `1k` - - Description: Sets buffer size for reading client request body. In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file. -- nginx_remove_default_site - - Default: `true` - - Description: Disables the default site. Set to false to enable the default site in nginx. -- [nginx_client_max_body_size][] - - Default: `1k` - - Description: Sets the maximum allowed size of the client request body, specified in the “Content-Length” request header field. If the size in a request exceeds the configured value, the 41 - 3 (Request Entity Too Large) error is returned to the client. -- [nginx_keepalive_timeout][] - - Default: `5 5` - - Description: The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The op - tional second parameter sets a value in the “Keep-Alive: timeout=time” response header field. -- [nginx_server_tokens][] - - Default: `off` - - Description: Disables emitting nginx version in error messages and in the "Server" response header field. Set to on to enable the nginx version in error messages and "Server" response head - er. -- [nginx_client_header_buffer_size][] - - Default: `1k` - - Description: Sets buffer size for reading client request header. For most requests, a buffer of 1K bytes is enough. 
-- [nginx_large_client_header_buffers][] - - Default: `2 1k` - - Description: Sets the maximum number and size of buffers used for reading large client request header. -- [nginx_client_body_timeout][] - - Default: `10` - - Description: Defines a timeout for reading client request body. -- [nginx_client_header_timeout][] - - Default: `10` - - Description: Defines a timeout for reading client request header. -- [nginx_send_timeout][] - - Default: `10` - - Description: Sets a timeout for transmitting a response to the client. -- [nginx_limit_conn_zone][] - - Default: `$binary_remote_addr zone=default:10m` - - Description: Sets parameters for a shared memory zone that will keep states for various keys. -- [nginx_limit_conn][] - - Default: `default 5` - - Description: Sets the shared memory zone and the maximum allowed number of connections for a given key value. -- [nginx_add_header][] - - Default: `[ "X-Frame-Options SAMEORIGIN", "X-Content-Type-Options nosniff", "X-XSS-Protection \"1; mode=block\"", Content-Security-Policy \"script-src 'self'; object-src 'self'\" ]` - - Description: Adds the specified field to a response header provided that the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307. -- [nginx_ssl_protocols][] - - Default: `TLSv1.2` - - Description: Specifies the SSL protocol which should be used. -- [nginx_ssl_ciphers][] - - Default: _see defaults.yml_ - - Description: Specifies the TLS ciphers which should be used. -- [nginx_ssl_prefer_server_ciphers][] - - Default: `on` - - Description: Specifies that server ciphers should be preferred over client ciphers when using the TLS protocols. Set to false to disable it. -- [nginx_dh_size][] - - Default: `2048` - - Description: Specifies the length of DH parameters for EDH ciphers. 
-- [nginx_configuration_dir][] - - default: "/etc/nginx" - - Description: The main location for all nginx configuration files -- [nginx_configuration_hardening_dir][] - - default: "/etc/nginx" - - Description: The location for the nginx hardening configuration file (Could be different e.g. when used in jails) -- [nginx_owner_user][] - - default: "root" - - Description: The owner user of the nginx configuration files -- [nginx_owner_group][] - - default: "root" - - Description: The owner group of the nginx configuration files +* `nginx_add_header` + * Default: `['X-Frame-Options SAMEORIGIN', 'X-Content-Type-Options nosniff', 'X-XSS-Protection "1; mode=block"', 'Content-Security-Policy \\"script-src \'self\'; object-src \'self\'\\"']` + * Description: Adds the specified field to a response header provided that the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307. See [nginx_add_header](http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header) + * Type: str + * Required: no +* `nginx_client_body_buffer_size` + * Default: `1k` + * Description: Sets buffer size for reading client request body. In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file. See [nginx_client_body_buffer_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size) + * Type: str + * Required: no +* `nginx_client_body_timeout` + * Default: `10` + * Description: Defines a timeout for reading client request body. See [nginx_client_body_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout) + * Type: int + * Required: no +* `nginx_client_header_buffer_size` + * Default: `1k` + * Description: Sets buffer size for reading client request header. For most requests, a buffer of 1K bytes is enough. 
See [nginx_client_header_buffer_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client + * Type: str + * Required: no +* `nginx_client_header_timeout` + * Default: `10` + * Description: Defines a timeout for reading client request header. See [nginx_client_header_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout) + * Type: int + * Required: no +* `nginx_client_max_body_size` + * Default: `1k` + * Description: Sets the maximum allowed size of the client request body, specified in the "Content-Length" request header field. If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client. See [nginx_client_max_body_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) + * Type: str + * Required: no +* `nginx_configuration_dir` + * Default: `/etc/nginx` + * Description: The main location for all nginx configuration files + * Type: str + * Required: no +* `nginx_configuration_hardening_dir` + * Default: `/etc/nginx` + * Description: The location for the nginx hardening configuration file (Could be different e.g. when used in jails) + * Type: str + * Required: no +* `nginx_dh_size` + * Default: `2048` + * Description: Specifies the length of DH parameters for EDH ciphers. See [nginx_dh_size](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam) + * Type: str + * Required: no +* `nginx_keepalive_timeout` + * Default: `5 5` + * Description: The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value in the "Keep-Alive timeout=time" response header field. 
See [nginx_keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) + * Type: str + * Required: no +* `nginx_large_client_header_buffers` + * Default: `2 1k` + * Description: Sets the maximum number and size of buffers used for reading large client request header. See [nginx_large_client_header_buffers](http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers) + * Type: str + * Required: no +* `nginx_limit_conn` + * Default: `default 5` + * Description: Sets the shared memory zone and the maximum allowed number of connections for a given key value. See [nginx_limit_conn](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn) + * Type: str + * Required: no +* `nginx_limit_conn_zone` + * Default: `$binary_remote_addr zone=default:10m` + * Description: Sets parameters for a shared memory zone that will keep states for various keys. See [nginx_limit_conn_zone](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn_zone) + * Type: str + * Required: no +* `nginx_owner_group` + * Default: `root` + * Description: The owner group of the nginx configuration files + * Type: str + * Required: no +* `nginx_owner_user` + * Default: `root` + * Description: The owner user of the nginx configuration files + * Type: str + * Required: no +* `nginx_remove_default_site` + * Default: `true` + * Description: Disables the default site. Set to false to enable the default site in nginx. + * Type: bool + * Required: no +* `nginx_send_timeout` + * Default: `10` + * Description: Sets a timeout for transmitting a response to the client. See [nginx_send_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout) + * Type: int + * Required: no +* `nginx_server_tokens` + * Default: `False` + * Description: Disables emitting nginx version in error messages and in the "Server" response header field. 
Set to on to enable the nginx version in error messages and "Server" response header. See [nginx_server_tokens](http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens) + * Type: str + * Required: no +* `nginx_ssl_ciphers` + * Default: `ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256` + * Description: Specifies the TLS ciphers which should be used. See [nginx_ssl_ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) + * Type: str + * Required: no +* `nginx_ssl_prefer_server_ciphers` + * Default: `on` + * Description: Specifies that server ciphers should be preferred over client ciphers when using the TLS protocols. Set to false to disable it. See [nginx_ssl_prefer_server_ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers) + * Type: str + * Required: no +* `nginx_ssl_protocols` + * Default: `TLSv1.2` + * Description: Specifies the SSL protocol which should be used. See [nginx_ssl_protocols](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols) + * Type: str + * Required: no + +## Dependencies + +None. 
## Example Playbook ``` -- hosts: localhost - collections: - - devsec.hardening +- hosts: all roles: - - nginx_hardening + - name: devsec.hardening.nginx_hardening ``` - -[nginx_client_body_buffer_size]: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size -[nginx_client_max_body_size]: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size -[nginx_keepalive_timeout]: http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout -[nginx_server_tokens]: http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens -[nginx_more_clear_headers]: http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header -[nginx_client_header_buffer_size]: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size -[nginx_large_client_header_buffers]: http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers -[nginx_client_body_timeout]: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout -[nginx_client_header_timeout]: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout -[nginx_send_timeout]: http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout -[nginx_limit_conn_zone]: http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn_zone -[nginx_limit_conn]: http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn -[nginx_add_header]: http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header -[nginx_ssl_protocols]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols -[nginx_ssl_ciphers]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers -[nginx_ssl_prefer_server_ciphers]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers -[nginx_dh_size]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam + 
diff --git a/roles/nginx_hardening/defaults/main.yml b/roles/nginx_hardening/defaults/main.yml index 73913eb7..0b03c3ec 100644 --- a/roles/nginx_hardening/defaults/main.yml +++ b/roles/nginx_hardening/defaults/main.yml @@ -25,7 +25,6 @@ nginx_add_header: - Strict-Transport-Security max-age=15768000 - Content-Security-Policy "script-src 'self'; object-src 'self'" -nginx_set_cookie_flag: "* HttpOnly secure" nginx_ssl_prefer_server_ciphers: "on" nginx_ssl_protocols: TLSv1.2 TLSv1.3 # yamllint disable-line rule:line-length diff --git a/roles/nginx_hardening/meta/argument_specs.yml b/roles/nginx_hardening/meta/argument_specs.yml new file mode 100644 index 00000000..25e40aea --- /dev/null +++ b/roles/nginx_hardening/meta/argument_specs.yml 
@@ -0,0 +1,112 @@ +--- +argument_specs: + main: + short_description: The main entry point for the nginx hardening role. + version_added: 8.8.0 + options: + nginx_client_body_buffer_size: + default: 1k + type: str + description: Sets buffer size for reading client request body. In case the + request body is larger than the buffer, the whole body or only its part + is written to a temporary file. See [nginx_client_body_buffer_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size) + nginx_remove_default_site: + default: true + type: bool + description: Disables the default site. Set to false to enable the default + site in nginx. + nginx_client_max_body_size: + default: 1k + type: str + description: Sets the maximum allowed size of the client request body, specified + in the "Content-Length" request header field. If the size in a request exceeds + the configured value, the 413 (Request Entity Too Large) error is returned + to the client. See [nginx_client_max_body_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) + nginx_keepalive_timeout: + default: 5 5 + type: str + description: The first parameter sets a timeout during which a keep-alive + client connection will stay open on the server side. The zero value disables + keep-alive client connections. The optional second parameter sets a value + in the "Keep-Alive timeout=time" response header field. See [nginx_keepalive_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) # noqa yaml[line-length] + nginx_server_tokens: + default: false + type: str + description: Disables emitting nginx version in error messages and in the + "Server" response header field. Set to on to enable the nginx version in + error messages and "Server" response header. 
See [nginx_server_tokens](http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens) + nginx_client_header_buffer_size: + default: 1k + type: str + description: Sets buffer size for reading client request header. For most + requests, a buffer of 1K bytes is enough. See [nginx_client_header_buffer_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client + nginx_large_client_header_buffers: + default: 2 1k + type: str + description: Sets the maximum number and size of buffers used for reading + large client request header. See [nginx_large_client_header_buffers](http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers) # noqa yaml[line-length] + nginx_client_body_timeout: + default: 10 + type: int + description: Defines a timeout for reading client request body. See [nginx_client_body_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout) # noqa yaml[line-length] + nginx_client_header_timeout: + default: 10 + type: int + description: Defines a timeout for reading client request header. See [nginx_client_header_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout) # noqa yaml[line-length] + nginx_send_timeout: + default: 10 + type: int + description: Sets a timeout for transmitting a response to the client. See + [nginx_send_timeout](http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout) + nginx_limit_conn_zone: + default: $binary_remote_addr zone=default:10m + type: str + description: Sets parameters for a shared memory zone that will keep states + for various keys. See [nginx_limit_conn_zone](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn_zone) + nginx_limit_conn: + default: default 5 + type: str + description: Sets the shared memory zone and the maximum allowed number of + connections for a given key value. 
See [nginx_limit_conn](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn) + nginx_add_header: + default: [X-Frame-Options SAMEORIGIN, X-Content-Type-Options nosniff, X-XSS-Protection + "1; mode=block", Content-Security-Policy \"script-src 'self'; object-src + 'self'\"] + type: str + description: Adds the specified field to a response header provided that the + response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307. See + [nginx_add_header](http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header) + nginx_ssl_protocols: + default: TLSv1.2 + type: str + description: Specifies the SSL protocol which should be used. See [nginx_ssl_protocols](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols) # noqa yaml[line-length] + nginx_ssl_ciphers: + default: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 # noqa yaml[line-length] + type: str + description: Specifies the TLS ciphers which should be used. See [nginx_ssl_ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) + nginx_ssl_prefer_server_ciphers: + default: 'on' + type: str + description: Specifies that server ciphers should be preferred over client + ciphers when using the TLS protocols. Set to false to disable it. See [nginx_ssl_prefer_server_ciphers](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers) # noqa yaml[line-length] + nginx_dh_size: + default: 2048 + type: str + description: Specifies the length of DH parameters for EDH ciphers. 
See [nginx_dh_size](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam) # noqa yaml[line-length] + nginx_configuration_dir: + default: /etc/nginx + type: str + description: The main location for all nginx configuration files + nginx_configuration_hardening_dir: + default: /etc/nginx + type: str + description: The location for the nginx hardening configuration file (Could + be different e.g. when used in jails) + nginx_owner_user: + default: root + type: str + description: The owner user of the nginx configuration files + nginx_owner_group: + default: root + type: str + description: The owner group of the nginx configuration files diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md index 74fc71b9..4273e939 100644 --- a/roles/os_hardening/README.md +++ b/roles/os_hardening/README.md @@ -3,10 +3,6 @@ ![devsec.os_hardening](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.os_hardening/badge.svg) ![devsec.os_hardening VM](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.os_hardening%20VM/badge.svg) -## Looking for the old ansible-os-hardening role? - -This role is now part of the hardening-collection. You can find the old role in the branch `legacy`. - ## Description This role provides numerous security-related configurations, providing all-round base protection. It is intended to be compliant with the [DevSec Linux Baseline](https://github.com/dev-sec/linux-baseline). 
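Review bot: in the nginx argument_specs hunk above, the `nginx_client_header_buffer_size` description ends in a truncated link, `See [nginx_client_header_buffer_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client`, with no closing parenthesis, so the rendered docs will show a broken link; the anchor should be `#client_header_buffer_size` to match the pattern of the other entries. The `nginx_add_header` default is a YAML list (`[X-Frame-Options SAMEORIGIN, X-Content-Type-Options nosniff, ...]`) but the spec declares `type: str`; check against the role defaults and, if it is a list, declare `type: list` with `elements: str` so argument validation does not coerce user-supplied lists into a string. The `nginx_ssl_prefer_server_ciphers` description says "Set to false to disable it" while the default is `'on'`; the directive takes `on`/`off`, so the description should say `off`.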
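Review bot: the `@@ -3,10 +3,6 @@` hunk of roles/os_hardening/README.md removes the only pointer to the `legacy` branch for users of the standalone ansible-os-hardening role; if that branch still exists, consider keeping a one-line pointer under Description instead of dropping it, or record the removal in the changelog. The two badge URLs in the unchanged context lines still reference `github.com/dev-sec/ansible-os-hardening/workflows/...`; since the removed paragraph states the role is now part of the hardening collection, verify whether those badges should point at the collection repository's workflows.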
@@ -34,9 +30,892 @@ It will not: - Update system packages - Install security patches -## Requirements +We remove the following packages: -- Ansible 2.9.0 +- xinetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1) +- inetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1) +- tftp-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.5) +- ypserv ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.4) +- telnet-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.2) +- rsh-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.3) +- prelink ([open-scap](https://static.open-scap.org/ssg-guides/ssg-sl7-guide-ospp-rhel7-server.html#xccdf_org.ssgproject.content_rule_disable_prelink)) + +We disable the following filesystems, because they're most likely not used: + +- "cramfs" +- "freevxfs" +- "jffs2" +- "hfs" +- "hfsplus" +- "squashfs" +- "udf" +- "vfat" # only if uefi is not in use + +To prevent some of the filesystems from being disabled, add them to the `os_filesystem_whitelist` variable. 
+ + +## Supported Operating Systems +| Platform | Versions | +| -------- | -------- | +| EL | 7, 8, 9 | +| Ubuntu | bionic, focal, jammy | +| Debian | buster, bullseye | +| Amazon | | +| Fedora | | +| ArchLinux | | +| SmartOS | | +| opensuse | | + +## Role Variables + +* `os_apt_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring apt. + * Type: bool + * Required: no +* `os_auditd_action_mail_acct` + * Default: `root` + * Description: If `space_left_action` or `admin_space_left_action` are set to `email`, uses the address or alias to send the email using `/usr/lib/sendmail`. of events created on one system but reported/analyzed on another system. + * Type: str + * Required: no +* `os_auditd_admin_space_left` + * Default: `50` + * Description: This is a numeric value in megabytes that tells the audit daemon when to perform a configurable action because the system is running low on disk space. + * Type: int + * Required: no +* `os_auditd_admin_space_left_action` + * Default: `SUSPEND` + * Description: This parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore, syslog, rotate, email, exec, suspend, single, and halt. + * Type: str + * Required: no +* `os_auditd_disk_error_action` + * Default: `SUSPEND` + * Description: This parameter tells the system what action to take whenever there is an error detected when writing audit events to disk or rotating logs. Valid values are ignore, syslog, exec, suspend, single, and halt. + * Type: str + * Required: no +* `os_auditd_disk_full_action` + * Default: `SUSPEND` + * Description: This parameter tells the system what action to take when the system has detected that the partition to which log files are written has become full. Valid values are ignore, syslog, rotate, exec, suspend, single, and halt. 
+ * Type: str + * Required: no +* `os_auditd_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring auditd. + * Type: bool + * Required: no +* `os_auditd_flush` + * Default: `INCREMENTAL` + * Description: Valid values are none, incremental, incremental_async, data, and sync. + * Type: str + * Required: no +* `os_auditd_log_format` + * Default: `RAW` + * Description: Describes how the information should be stored on disk. There are 2 options - raw and enriched. + * Type: str + * Required: no +* `os_auditd_log_group` + * Default: `root` + * Description: specifies the group that is applied to the log file's permissions. The group name can be either numeric or spelled out. + * Type: str + * Required: no +* `os_auditd_max_log_file` + * Default: `6` + * Description: This keyword specifies the maximum file size in megabytes. When this limit is reached, it will trigger a configurable action. The value given must be numeric. + * Type: int + * Required: no +* `os_auditd_max_log_file_action` + * Default: `keep_logs` + * Description: Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`. + * Type: str + * Required: no +* `os_auditd_num_logs` + * Default: `5` + * Description: This keyword specifies the number of log files to keep if `rotate` is given as the max_log_file_action. The value given must be numeric. + * Type: int + * Required: no +* `os_auditd_space_left` + * Default: `75` + * Description: If the free space in the filesystem containing log_file drops below this value, the audit daemon takes the action specified by space_left_action. + * Type: int + * Required: no +* `os_auditd_space_left_action` + * Default: `SYSLOG` + * Description: This parameter tells the system what action to take when the system has detected that it is starting to get low on disk space. 
Valid values are ignore, syslog, rotate, email, exec, suspend, single, and halt. + * Type: str + * Required: no +* `os_auth_allow_homeless` + * Default: `false` + * Description: true if to allow users without home to login. + * Type: bool + * Required: no +* `os_auth_gid_max` + * Default: `60000` + * Description: maximum number for automatic gid selection in groupadd. + * Type: int + * Required: no +* `os_auth_gid_min` + * Default: `1000` + * Description: minimum number for automatic gid selection in groupadd. + * Type: int + * Required: no +* `os_auth_lockout_time` + * Default: `600` + * Description: time in seconds that needs to pass, if the account was locked due to too many failed authentication attempts. + * Type: int + * Required: no +* `os_auth_pam_oddjob_mkhomedir` + * Default: `false` + * Description: Enables automatic homedir e.g. in FreeIPA environments + * Type: bool + * Required: no +* `os_auth_pam_passwdqc_enable` + * Default: `true` + * Description: true if you want to use strong password checking in PAM using passwdqc. + * Type: bool + * Required: no +* `os_auth_pam_passwdqc_options` + * Default: `min=disabled,disabled,16,12,8` + * Description: set to any option line (as a string) that you want to pass to passwdqc. + * Type: str + * Required: no +* `os_auth_pam_pwquality_options` + * Default: `try_first_pass retry=3 authtok_type=` + * Description: Options to pass to the PAM module pwquality + * Type: str + * Required: no +* `os_auth_pw_max_age` + * Default: `60` + * Description: maximum password age (set to `99999` to effectively disable it). + * Type: int + * Required: no +* `os_auth_pw_min_age` + * Default: `7` + * Description: minimum password age (before allowing any other password change). + * Type: int + * Required: no +* `os_auth_pw_remember` + * Default: `5` + * Description: how many used passwords are record. 
+ * Type: int + * Required: no +* `os_auth_pw_warn_age` + * Default: `7` + * Description: number of days of warning before password expires. + * Type: int + * Required: no +* `os_auth_retries` + * Default: `5` + * Description: the maximum number of authentication attempts, before the account is locked for some time. + * Type: int + * Required: no +* `os_auth_root_ttys` + * Default: `["console", "tty1", "tty2", "tty3", "tty4", "tty5", "tty6"]` + * Description: A list of TTYs, from which root can log in, see `man securetty` for reference + * Type: list + * Required: no +* `os_auth_sub_gid_count` + * Default: `65536` + * Description: If /etc/subuid exists, the commands useradd and newusers (unless the user already have subordinate group IDs) allocate SUB_GID_COUNT unused group IDs from the range SUB_GID_MIN to SUB_GID_MAX for each new user. See also `os_auth_sub_gid_min` and `os_auth_sub_gid_max`. + * Type: int + * Required: no +* `os_auth_sub_gid_max` + * Default: `600100000` + * Description: maximum number for automatic subordinate gid selection in useradd and newusers. + * Type: int + * Required: no +* `os_auth_sub_gid_min` + * Default: `100000` + * Description: minimum number for automatic subordinate gid selection in useradd and newusers. + * Type: int + * Required: no +* `os_auth_sub_uid_count` + * Default: `65536` + * Description: If /etc/subuid exists, the commands useradd and newusers (unless the user already have subordinate user IDs) allocate SUB_UID_COUNT unused user IDs from the range SUB_UID_MIN to SUB_UID_MAX for each new user. See also `os_auth_sub_uid_min` and `os_auth_sub_uid_max`. + * Type: int + * Required: no +* `os_auth_sub_uid_max` + * Default: `600100000` + * Description: maximum number for automatic subordinate uid selection in useradd and newusers. + * Type: int + * Required: no +* `os_auth_sub_uid_min` + * Default: `100000` + * Description: minimum number for automatic subordinate uid selection in useradd and newusers. 
+ * Type: int + * Required: no +* `os_auth_timeout` + * Default: `60` + * Description: authentication timeout in seconds, so login will exit if this time passes. + * Type: int + * Required: no +* `os_auth_uid_max` + * Default: `60000` + * Description: maximum number for automatic uid selection in useradd. + * Type: int + * Required: no +* `os_auth_uid_min` + * Default: `1000` + * Description: minimum number for automatic uid selection in useradd. + * Type: int + * Required: no +* `os_chfn_restrict` + * Default: `''` + * Description: Indicate which fields are changeable by chfn. + * Type: str + * Required: no +* `os_chmod_home_folders` + * Default: `true` + * Description: Set to `false` to disable "chmod 700" of home folders for regular users + * Type: bool + * Required: no +* `os_chmod_rootuser_home_folder` + * Default: `true` + * Description: Set to `false` to disable "chmod 700" of root's home folder + * Type: bool + * Required: no +* `os_cron_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring cron. + * Type: bool + * Required: no +* `os_ctrlaltdel_disabled` + * Default: `false` + * Description: Set to true to disable ctrl-alt-delete key combination. + * Type: bool + * Required: no +* `os_desktop_enable` + * Default: `false` + * Description: true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc. + * Type: bool + * Required: no +* `os_env_extra_user_paths` + * Default: `"[]"` + * Description: add additional paths to the user's `PATH` variable (default is empty). 
+ * Type: list + * Required: no +* `os_filesystem_whitelist` + * Default: `"[]"` + * Description: A list of filesystems that should not be disabled + * Type: list + * Required: no +* `os_hardening_enabled` + * Default: `true` + * Description: Whether to run the hardening + * Type: bool + * Required: no +* `os_ignore_home_folder_users` + * Default: `"[]"` + * Description: Specify user accounts, whose home folders shouldn't be chmodded to 700 when "os_chmod_home_folders" is enabled. + * Type: list + * Required: no +* `os_ignore_users` + * Default: `["vagrant", "kitchen"]` + * Description: Specify system accounts whose login should not be disabled and password not changed + * Type: list + * Required: no +* `os_limits_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring limits. + * Type: bool + * Required: no +* `os_login_defs_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring login_defs for newly created users. + * Type: bool + * Required: no +* `os_minimize_access_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring minimize_access. + * Type: bool + * Required: no +* `os_mnt_boot_dir_mode` + * Default: `0700` + * Description: Set default perimissions for /boot + * Type: str + * Required: no +* `os_mnt_boot_dump` + * Default: `ext3 + ext4 = 1 / other = 0` + * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype. + * Type: str + * Required: no +* `os_mnt_boot_enabled` + * Default: `false` + * Description: Set to true to configure /boot mountpoint + * Type: bool + * Required: no +* `os_mnt_boot_filesystem` + * Default: `''` + * Description: Configure file system for fstab entry /boot. If empty, the current file system type will be used. 
+ * Type: str + * Required: no +* `os_mnt_boot_options` + * Default: `rw,nosuid,nodev,noexec` + * Description: Configure mount options for /boot + * Type: str + * Required: no +* `os_mnt_boot_passno` + * Default: `ext3 + ext4 = 2 / other = 0` + * Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype. + * Type: str + * Required: no +* `os_mnt_boot_src` + * Default: `''` + * Description: Set mount source for /boot + * Type: str + * Required: no +* `os_mnt_dev_dir_mode` + * Default: `0755` + * Description: Set default perimissions for /dev + * Type: str + * Required: no +* `os_mnt_dev_dump` + * Default: `0` + * Description: Configure dump for fstab entry /var/tmp. + * Type: str + * Required: no +* `os_mnt_dev_enabled` + * Default: `true` + * Description: Set to false to ignore /dev mountpoint + * Type: bool + * Required: no +* `os_mnt_dev_filesystem` + * Default: `devtmpfs` + * Description: Configure file system for fstab entry /dev + * Type: str + * Required: no +* `os_mnt_dev_options` + * Default: `rw,nosuid,noexec` + * Description: Configure mount options for /dev + * Type: str + * Required: no +* `os_mnt_dev_passno` + * Default: `0` + * Description: Configure passno for fstab entry /var/tmp. + * Type: str + * Required: no +* `os_mnt_dev_shm_dir_mode` + * Default: `1777` + * Description: Set default perimissions for /dev/shm + * Type: str + * Required: no +* `os_mnt_dev_shm_dump` + * Default: `0` + * Description: Configure dump for fstab entry /var/tmp. 
+ * Type: str + * Required: no +* `os_mnt_dev_shm_enabled` + * Default: `true` + * Description: Set to false to ignore /dev/shm mountpoint + * Type: bool + * Required: no +* `os_mnt_dev_shm_filesystem` + * Default: `tmpfs` + * Description: Configure file system for fstab entry /dev/shm + * Type: str + * Required: no +* `os_mnt_dev_shm_options` + * Default: `rw,nosuid,nodev,noexec` + * Description: Configure mount options for /dev/shm + * Type: str + * Required: no +* `os_mnt_dev_shm_passno` + * Default: `0` + * Description: Configure passno for fstab entry /var/tmp. + * Type: str + * Required: no +* `os_mnt_dev_shm_src` + * Default: `tmpfs` + * Description: Set mount source for /dev/shm + * Type: str + * Required: no +* `os_mnt_dev_src` + * Default: `devtmpfs` + * Description: Set mount source for /dev + * Type: str + * Required: no +* `os_mnt_home_dir_mode` + * Default: `0755` + * Description: Set default perimissions for /home + * Type: str + * Required: no +* `os_mnt_home_dump` + * Default: `ext3/4 = 1, others = 0` + * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype. + * Type: str + * Required: no +* `os_mnt_home_enabled` + * Default: `false` + * Description: Set to true to configure /home mountpoint + * Type: bool + * Required: no +* `os_mnt_home_filesystem` + * Default: `''` + * Description: Configure file system for fstab entry /home. If empty, the current file system type will be used. + * Type: str + * Required: no +* `os_mnt_home_options` + * Default: `rw,nosuid,nodev` + * Description: Configure mount options for /home + * Type: str + * Required: no +* `os_mnt_home_passno` + * Default: `ext3/4 = 2, others = 0` + * Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype. + * Type: str + * Required: no +* `os_mnt_home_src` + * Default: `''` + * Description: Set mount source for /home. If empty, the current file system source device will be used. 
+ * Type: str + * Required: no +* `os_mnt_run_dir_mode` + * Default: `0755` + * Description: Set default perimissions for /run + * Type: str + * Required: no +* `os_mnt_run_dump` + * Default: `0` + * Description: Configure dump for fstab entry /var/tmp. + * Type: str + * Required: no +* `os_mnt_run_enabled` + * Default: `true` + * Description: Set to false to ignore /run mountpoint + * Type: bool + * Required: no +* `os_mnt_run_filesystem` + * Default: `tmpfs` + * Description: Configure file system for fstab entry /run + * Type: str + * Required: no +* `os_mnt_run_options` + * Default: `rw,nosuid,nodev` + * Description: Configure mount options for /run + * Type: str + * Required: no +* `os_mnt_run_passno` + * Default: `0` + * Description: Configure passno for fstab entry /var/tmp. + * Type: str + * Required: no +* `os_mnt_run_src` + * Default: `tmpfs` + * Description: Set mount source for /run + * Type: str + * Required: no +* `os_mnt_tmp_dir_mode` + * Default: `1777` + * Description: Set default perimissions for /tmp + * Type: str + * Required: no +* `os_mnt_tmp_dump` + * Default: `ext3/4 = 1, others = 0` + * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype. + * Type: str + * Required: no +* `os_mnt_tmp_enabled` + * Default: `false` + * Description: Set to true to configure /tmp mountpoint + * Type: bool + * Required: no +* `os_mnt_tmp_filesystem` + * Default: `''` + * Description: Configure file system for fstab entry /tmp. If empty, the current file system type will be used. + * Type: str + * Required: no +* `os_mnt_tmp_options` + * Default: `rw,nosuid,nodev,noexec` + * Description: Configure mount options for /tmp + * Type: str + * Required: no +* `os_mnt_tmp_passno` + * Default: `ext3/4 = 2, others = 0` + * Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype. + * Type: str + * Required: no +* `os_mnt_tmp_src` + * Default: `''` + * Description: Set mount source for /tmp. 
If empty, the current file system source device will be used. + * Type: str + * Required: no +* `os_mnt_var_dir_mode` + * Default: `0755` + * Description: Set default perimissions for /var + * Type: str + * Required: no +* `os_mnt_var_dump` + * Default: `ext3/4 = 1, others = 0` + * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype. + * Type: str + * Required: no +* `os_mnt_var_enabled` + * Default: `false` + * Description: Set to true to configure /var mountpoint + * Type: bool + * Required: no +* `os_mnt_var_filesystem` + * Default: `''` + * Description: Configure file system for fstab entry /var. If empty, the current file system type will be used. + * Type: str + * Required: no +* `os_mnt_var_log_audit_dir_mode` + * Default: `0640` + * Description: Set default perimissions for /var/log/audit + * Type: str + * Required: no +* `os_mnt_var_log_audit_dump` + * Default: `ext3/4 = 1, others = 0` + * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype. + * Type: str + * Required: no +* `os_mnt_var_log_audit_enabled` + * Default: `false` + * Description: Set to true to configure /var/log/audit mountpoint + * Type: bool + * Required: no +* `os_mnt_var_log_audit_filesystem` + * Default: `''` + * Description: Configure file system for fstab entry /var/log/audit. If empty, the current file system type will be used. + * Type: str + * Required: no +* `os_mnt_var_log_audit_options` + * Default: `rw,nosuid,nodev,noexec` + * Description: Configure mount options for /var/log/audit + * Type: str + * Required: no +* `os_mnt_var_log_audit_passno` + * Default: `ext3/4 = 2, others = 0` + * Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype. + * Type: str + * Required: no +* `os_mnt_var_log_audit_src` + * Default: `''` + * Description: Set mount source for /var/log/audit. If empty, the current file system source device will be used. 
+ * Type: str + * Required: no +* `os_mnt_var_log_dir_mode` + * Default: `0755` + * Description: Set default perimissions for /var/log + * Type: str + * Required: no +* `os_mnt_var_log_dump` + * Default: `ext3/4 = 1, others = 0` + * Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype. + * Type: str + * Required: no +* `os_mnt_var_log_enabled` + * Default: `false` + * Description: Set to true to configure /var/log mountpoint + * Type: bool + * Required: no +* `os_mnt_var_log_filesystem` + * Default: `''` + * Description: Configure file system for fstab entry /var/log. If empty, the current file system type will be used. + * Type: str + * Required: no +* `os_mnt_var_log_options` + * Default: `rw,nosuid,nodev,noexec` + * Description: Configure mount options for /var/log + * Type: str + * Required: no +* `os_mnt_var_log_passno` + * Default: `ext3/4 = 2, others = 0` + * Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype. + * Type: str + * Required: no +* `os_mnt_var_log_src` + * Default: `''` + * Description: Set mount source for /var/log. If empty, the current file system source device will be used. + * Type: str + * Required: no +* `os_mnt_var_options` + * Default: `rw,nosuid,nodev` + * Description: Configure mount options for /var + * Type: str + * Required: no +* `os_mnt_var_passno` + * Default: `ext3/4 = 2, others = 0` + * Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype. + * Type: str + * Required: no +* `os_mnt_var_src` + * Default: `''` + * Description: Set mount source for /var. If empty, the current file system source device will be used. + * Type: str + * Required: no +* `os_mnt_var_tmp_dir_mode` + * Default: `1777` + * Description: Set default perimissions for /var/tmp + * Type: str + * Required: no +* `os_mnt_var_tmp_dump` + * Default: `ext3/4 = 1, others = 0` + * Description: Configure dump for fstab entry /var/tmp. 
If empty, the default depends on fstype. + * Type: str + * Required: no +* `os_mnt_var_tmp_enabled` + * Default: `false` + * Description: Set to true to configure /var/tmp mountpoint + * Type: bool + * Required: no +* `os_mnt_var_tmp_filesystem` + * Default: `''` + * Description: Configure file system for fstab entry /var/tmp. If empty, the current file system type will be used. + * Type: str + * Required: no +* `os_mnt_var_tmp_options` + * Default: `rw,nosuid,nodev,noexec` + * Description: Configure mount options for /var/tmp + * Type: str + * Required: no +* `os_mnt_var_tmp_passno` + * Default: `ext3/4 = 2, others = 0` + * Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype. + * Type: str + * Required: no +* `os_mnt_var_tmp_src` + * Default: `''` + * Description: Set mount source for /var/tmp. If empty, the current file system source device will be used. + * Type: str + * Required: no +* `os_modprobe_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring modprobe. + * Type: bool + * Required: no +* `os_netrc_enabled` + * Default: `true` + * Description: Configure filesystem for existence of .netrc file in homedir + * Type: bool + * Required: no +* `os_netrc_whitelist_user` + * Default: `"[]"` + * Description: Add list of user to allow creation of .netrc in users homedir + * Type: list + * Required: no +* `os_pam_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring pam. + * Type: bool + * Required: no +* `os_profile_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring profile. + * Type: bool + * Required: no +* `os_remove_additional_root_users` + * Default: `false` + * Description: When enabled and there are multiple users with UID=0, only "root" will be kept. Others will be deleted. 
+ * Type: bool + * Required: no +* `os_rhosts_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring rhosts. + * Type: bool + * Required: no +* `os_rootuser_pw_ageing` + * Default: `false` + * Description: Set to true to enforce password age settings for root user(s) + * Type: bool + * Required: no +* `os_securetty_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring securetty. + * Type: bool + * Required: no +* `os_security_auto_logout` + * Default: `0` + * Description: Set timeout in seconds for logout users automatically after time. Setting this to `0` disables the timeout. + * Type: int + * Required: no +* `os_security_init_prompt` + * Default: `true` + * Description: The PROMPT option provides console users the ability to interactively boot the system and select which services to start on boot. + * Type: bool + * Required: no +* `os_security_init_single` + * Default: `false` + * Description: Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. To require entry of the root password even if the system is started in single-user mode, set this to false + * Type: bool + * Required: no +* `os_security_kernel_enable_core_dump` + * Default: `false` + * Description: kernel is crashing or otherwise misbehaving and a kernel core dump is created. + * Type: bool + * Required: no +* `os_security_kernel_enable_module_loading` + * Default: `true` + * Description: true if you want to allowed to change kernel modules once the system is running (eg `modprobe`, `rmmod`). WARNING - Rebuilding initramfs is deprecated and will be removed in the next major release. 
For more information take a look at this issue + * Type: bool + * Required: no +* `os_security_packages_clean` + * Default: `true` + * Description: removes packages with known issues. See section packages. + * Type: bool + * Required: no +* `os_security_packages_list` + * Default: `["xinetd", "inetd", "ypserv", "telnet-server", "rsh-server", "prelink"]` + * Description: List of deprecated or insecure packages to remove + * Type: list + * Required: no +* `os_security_suid_sgid_blacklist` + * Default: `"[]"` + * Description: a list of paths which should have their SUID/SGID bits removed. + * Type: list + * Required: no +* `os_security_suid_sgid_enforce` + * Default: `true` + * Description: true if you want to reduce SUID/SGID bits. There is already a list of items which are searched for configured, but you can also add your own. + * Type: bool + * Required: no +* `os_security_suid_sgid_remove_from_unknown` + * Default: `false` + * Description: true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`. + * Type: bool + * Required: no +* `os_security_suid_sgid_whitelist` + * Default: `"[]"` + * Description: a list of paths which should not have their SUID/SGID bits altered. + * Type: list + * Required: no +* `os_security_users_allow` + * Default: `"[]"` + * Description: list of things, that a user is allowed to do. May contain `change_user`. + * Type: list + * Required: no +* `os_selinux_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring selinux. + * Type: bool + * Required: no +* `os_selinux_policy` + * Default: `targeted` + * Description: Set the SELinux polixy. 
+ * Type: str + * Required: no +* `os_selinux_state` + * Default: `enforcing` + * Description: Set the SELinux state, can be either disabled, permissive, or enforcing. + * Type: str + * Required: no +* `os_sha_crypt_max_rounds` + * Default: `640000` + * Description: Define the number of maximum SHA rounds. With a lot of rounds brute forcing the password is more difficult. But note also that it more CPU resources will be needed to authenticate users. The values must be inside the 1000-999999999 range. + * Type: int + * Required: no +* `os_sha_crypt_min_rounds` + * Default: `640000` + * Description: Define the number of minimum SHA rounds. With a lot of rounds brute forcing the password is more difficult. But note also that it more CPU resources will be needed to authenticate users. The values must be inside the 1000-999999999 range. + * Type: int + * Required: no +* `os_sysctl_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring sysctl. + * Type: bool + * Required: no +* `os_unused_filesystems` + * Default: `["cramfs", "freevxfs", "jffs2", "hfs", "hfsplus", "squashfs", "udf", "vfat", "dccp", "rds", "sctp", "tipc"]` + * Description: Disable this list of unused filesystems + * Type: list + * Required: no +* `os_user_accounts_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring user_accounts. + * Type: bool + * Required: no +* `os_user_pw_ageing` + * Default: `true` + * Description: Set to false to disable password age enforcement on existing users + * Type: bool + * Required: no +* `os_users_without_password_ageing` + * Default: `"[]"` + * Description: List of users, where password ageing should not be enforced even if "os_user_pw_ageing" is enabled + * Type: list + * Required: no +* `os_yum_enabled` + * Default: `true` + * Description: Set to false to disable installing and configuring yum. 
+ * Type: bool + * Required: no +* `os_yum_repo_file_whitelist` + * Default: `"[]"` + * Description: List of yum repository files under /etc/yum.repos.d/ which should not be altered. + * Type: list + * Required: no +* `proc_mnt_options` + * Default: `rw,nosuid,nodev,noexec,relatime` + * Description: Mount proc with hardenized options. Note that the hidepid option is set separately in vars/. + * Type: str + * Required: no +* `sysctl_config` + * Default: `{"fs.protected_hardlinks": 1, "fs.protected_symlinks": 1, "fs.protected_fifos": 1, "fs.protected_regular": 2, "fs.suid_dumpable": 0, "kernel.core_uses_pid": 1, "kernel.kptr_restrict": 2, "kernel.kexec_load_disabled": 1, "kernel.sysrq": 0, "kernel.randomize_va_space": 2, "kernel.yama.ptrace_scope": 1, "net.ipv4.ip_forward": 0, "net.ipv6.conf.all.forwarding": 0, "net.ipv4.conf.all.rp_filter": 1, "net.ipv4.conf.default.rp_filter": 1, "net.ipv4.icmp_echo_ignore_broadcasts": 1, "net.ipv4.icmp_ignore_bogus_error_responses": 1, "net.ipv4.icmp_ratelimit": 100, "net.ipv4.icmp_ratemask": 88089, "net.ipv4.tcp_timestamps": 0, "net.ipv4.conf.all.arp_ignore": 1, "net.ipv4.conf.all.arp_announce": 2, "net.ipv4.tcp_rfc1337": 1, "net.ipv4.tcp_syncookies": 1, "net.ipv4.conf.all.shared_media": 1, "net.ipv4.conf.default.shared_media": 1, "net.ipv4.conf.all.accept_source_route": 0, "net.ipv4.conf.default.accept_source_route": 0, "net.ipv6.conf.all.accept_source_route": 0, "net.ipv6.conf.default.accept_source_route": 0, "net.ipv4.conf.all.send_redirects": 0, "net.ipv4.conf.default.send_redirects": 0, "net.ipv4.conf.all.log_martians": 1, "net.ipv4.conf.default.log_martians": 1, "net.ipv4.conf.default.accept_redirects": 0, "net.ipv4.conf.all.accept_redirects": 0, "net.ipv4.conf.all.secure_redirects": 0, "net.ipv4.conf.default.secure_redirects": 0, "net.ipv6.conf.default.accept_redirects": 0, "net.ipv6.conf.all.accept_redirects": 0, "net.ipv6.conf.all.accept_ra": 0, "net.ipv6.conf.default.accept_ra": 0, 
"net.ipv6.conf.default.router_solicitations": 0, "net.ipv6.conf.all.router_solicitations": 0, "net.ipv6.conf.default.accept_ra_rtr_pref": 0, "net.ipv6.conf.default.accept_ra_pinfo": 0, "net.ipv6.conf.default.accept_ra_defrtr": 0, "net.ipv6.conf.default.autoconf": 0, "net.ipv6.conf.all.autoconf": 0, "net.ipv6.conf.default.dad_transmits": 0, "net.ipv6.conf.default.max_addresses": 1, "vm.mmap_min_addr": 65536, "vm.mmap_rnd_bits": 32, "vm.mmap_rnd_compat_bits": 16}` + * Description: various sysctl-settings + * Type: dict + * Required: no +* `sysctl_overwrite` + * Default: `"{}"` + * Description: To overwrite options in the `sysctl_config`-dict, overwrite them here. + * Type: dict + * Required: no +* `ufw_default_application_policy` + * Default: `SKIP` + * Description: The default application policy is skip, which means that the update --add-new command will do nothing + * Type: str + * Required: no +* `ufw_default_forward_policy` + * Default: `DROP` + * Description: set default forward policy of ufw to `DROP`. + * Type: str + * Required: no +* `ufw_default_input_policy` + * Default: `DROP` + * Description: set default input policy of ufw to `DROP`. + * Type: str + * Required: no +* `ufw_default_output_policy` + * Default: `ACCEPT` + * Description: set default output policy of ufw to `ACCEPT`. + * Type: str + * Required: no +* `ufw_enable_ipv6` + * Default: `true` + * Description: Set to `true` to apply rules to support IPv6 (no means only IPv6 on loopback accepted). + * Type: bool + * Required: no +* `ufw_ipt_modules` + * Default: `nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns` + * Description: Define which netfilter modules to load + * Type: str + * Required: no +* `ufw_ipt_sysctl` + * Default: `''` + * Description: by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example `/etc/ufw/sysctl.conf`. 
+ * Type: str + * Required: no +* `ufw_manage_builtins` + * Default: `no` + * Description: If this variable is set to 'yes', on stop and reload the built-in chains are flushed. If it is set to 'no', on stop and reload the ufw secondary chains are removed and the ufw primary chains are flushed + * Type: str + * Required: no +* `ufw_manage_defaults` + * Default: `true` + * Description: true means apply all settings with `ufw_` prefix. + * Type: bool + * Required: no + +## Dependencies + +None. + +## Example Playbook + +``` +- hosts: all + roles: + - name: devsec.hardening.os_hardening +``` + ## Known Limitations 
@@ -83,531 +962,13 @@ We are setting this sysctl to a default of `32`, some systems only support small vm.mmap_rnd_bits: 16 ``` -### Testing with inspec +## Testing with inspec If you're using inspec to test your machines after applying this role, please make sure to add the connecting user to the `os_ignore_users`-variable. Otherwise inspec will fail. For more information, see [issue #124](https://github.com/dev-sec/ansible-os-hardening/issues/124). We know that this is the case on Raspberry Pi. -## Variables - -- `os_desktop_enable` - - Default: `false` - - Description: true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc. -- `os_env_extra_user_paths` - - Default: `[]` - - Description: add additional paths to the user's `PATH` variable (default is empty). -- `os_env_umask` - - Default: `027` or `077` depending on the platform. - - Description: set default permissions for new files to `750` or `700`. -- `os_auth_pw_max_age` - - Default: `60` - - Description: maximum password age (set to `99999` to effectively disable it). -- `os_auth_pw_min_age` - - Default: `7` - - Description: minimum password age (before allowing any other password change). -- `os_auth_pw_warn_age` - - Default: `7` - - Description: number of days of warning before password expires. -- `os_auth_pw_remember` - - Default: `5` - - Description: how many used passwords are record. -- `os_auth_retries` - - Default: `5` - - Description: the maximum number of authentication attempts, before the account is locked for some time. -- `os_auth_lockout_time` - - Default: `600` - - Description: time in seconds that needs to pass, if the account was locked due to too many failed authentication attempts. -- `os_auth_timeout` - - Default: `60` - - Description: authentication timeout in seconds, so login will exit if this time passes. -- `os_auth_allow_homeless` - - Default: `false` - - Description: true if to allow users without home to login. 
-- `os_auth_pam_passwdqc_enable` - - Default: `true` - - Description: true if you want to use strong password checking in PAM using passwdqc. -- `os_auth_pam_passwdqc_options` - - Default: `min=disabled,disabled,16,12,8` - - Description: set to any option line (as a string) that you want to pass to passwdqc. -- `os_auth_pam_sssd_enable` - - Default: `false` (on RHEL8/CentOS8/Fedora `true`) - - Description: activate PAM auth support for sssd -- `os_auth_pam_oddjob_mkhomedir` - - Default: `false` - - Description: Enables automatic homedir e.g. in FreeIPA environments -- `os_security_users_allow` - - Default: `[]` - - Description: list of things, that a user is allowed to do. May contain `change_user`. -- `os_security_kernel_enable_module_loading` - - Default: `true` - - Description: true if you want to allowed to change kernel modules once the system is running (eg `modprobe`, `rmmod`). - - WARNING: Rebuilding initramfs is deprecated and will be removed in the next major release. For more information take a look at this issue: -- `os_security_kernel_enable_core_dump` - - Default: `false` - - Description: kernel is crashing or otherwise misbehaving and a kernel core dump is created. -- `os_security_suid_sgid_enforce` - - Default: `true` - - Description: true if you want to reduce SUID/SGID bits. There is already a list of items which are searched for configured, but you can also add your own. -- `os_security_suid_sgid_blacklist` - - Default: `[]` - - Description: a list of paths which should have their SUID/SGID bits removed. -- `os_security_suid_sgid_whitelist` - - Default: `[]` - - Description: a list of paths which should not have their SUID/SGID bits altered. -- `os_security_suid_sgid_remove_from_unknown` - - Default: `false` - - Description: true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. 
This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`. -- `os_auth_uid_min` - - Default: `1000` - - Description: minimum number for automatic uid selection in useradd. -- `os_auth_uid_max` - - Default: `60000` - - Description: maximum number for automatic uid selection in useradd. -- `os_auth_gid_min` - - Default: `1000` - - Description: minimum number for automatic gid selection in groupadd. -- `os_auth_gid_max` - - Default: `60000` - - Description: maximum number for automatic gid selection in groupadd. -- `os_auth_sub_uid_count` - - Default: `65536` - - Description: If /etc/subuid exists, the commands useradd and newusers (unless the user already have subordinate user IDs) allocate SUB_UID_COUNT unused user IDs from the range SUB_UID_MIN to SUB_UID_MAX for each new user. See also `os_auth_sub_uid_min` and `os_auth_sub_uid_max`. -- `os_auth_sub_uid_min`. - - Default: `100000` - - Description: minimum number for automatic subordinate uid selection in useradd and newusers. -- `os_auth_sub_uid_max` - - Default: `600100000` - - Description: maximum number for automatic subordinate uid selection in useradd and newusers. -- `os_auth_sub_gid_count` - - Default: `65536` - - Description: If /etc/subuid exists, the commands useradd and newusers (unless the user already have subordinate group IDs) allocate SUB_GID_COUNT unused group IDs from the range SUB_GID_MIN to SUB_GID_MAX for each new user. See also `os_auth_sub_gid_min` and `os_auth_sub_gid_max`. -- `os_auth_sub_gid_min` - - Default: `100000` - - Description: minimum number for automatic subordinate gid selection in useradd and newusers. -- `os_auth_sub_gid_max` - - Default: `600100000` - - Description: maximum number for automatic subordinate gid selection in useradd and newusers. 
-- `os_security_packages_clean` - - Default: `true` - - Description: removes packages with known issues. See section packages. -- `os_selinux_state` - - Default: `enforcing` - - Description: Set the SELinux state, can be either disabled, permissive, or enforcing. -- `os_selinux_policy` - - Default: `targeted` - - Description: Set the SELinux polixy. -- `ufw_manage_defaults` - - Default: `true` - - Description: true means apply all settings with `ufw_` prefix. -- `ufw_ipt_sysctl` - - Default: `''` - - Description: by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example `/etc/ufw/sysctl.conf`. -- `ufw_default_input_policy` - - Default: `DROP` - - Description: set default input policy of ufw to `DROP`. -- `ufw_default_output_policy` - - Default: `ACCEPT` - - Description: set default output policy of ufw to `ACCEPT`. -- `ufw_default_forward_policy` - - Default: `DROP` - - Description: set default forward policy of ufw to `DROP`. -- `ufw_enable_ipv6` - - Default: `true` - - Description: Set to `true` to apply rules to support IPv6 (no means only IPv6 on loopback accepted). -- `os_auditd_enabled` - - Default: `true` - - Description: Set to false to disable installing and configuring auditd. -- `os_auditd_template` - - Default: `etc/audit/auditd.conf.j2` - - Description: Template file to use for auditd.conf. By overwriting this value, a custom auditd.conf template can be provided. Put a `templates` directory next to your playbook with a custom template in it (e.q. `myauditd.conf.j2`) and set this variable to your template. -- `os_auditd_max_log_file_action` - - Default: `keep_logs` - - Description: Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`. 
-- `os_auditd_max_log_file` - - Default: `6` - - Description: This keyword specifies the maximum file size in megabytes. When this limit is reached, it will trigger a configurable action. The value given must be numeric. -- `os_auditd_num_logs` - - Default: `5` - - Description: This keyword specifies the number of log files to keep if `rotate` is given as the max_log_file_action. The value given must be numeric. -- `hidepid_option` - - Default: `2` (on RHEL/CentOS7 `0`, see known limitations) - - Description: `0`: This is the default setting and gives you the default behaviour. `1`: With this option an normal user would not see other processes but their own about ps, top etc, but he is still able to see process IDs in /proc. `2`: Users are only able too see their own processes (like with hidepid=1), but also the other process IDs are hidden for them in /proc. -- `proc_mnt_options` - - Default: `rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}` - - Description: Mount proc with hardenized options, including `hidepid` with variable value. -- `os_ignore_users` - - Default: `['vagrant', 'kitchen']` - - Description: Specify system accounts whose login should not be disabled and password not changed -- `os_chmod_home_folders` - - Default: `true` - - Description: Set to `false` to disable "chmod 700" of home folders for regular users -- `os_ignore_home_folder_users` - - Default: `[]` - - Description: Specify user accounts, whose home folders shouldn't be chmodded to 700 when "os_chmod_home_folders" is enabled. -- `os_chmod_rootuser_home_folder` - - Default: `true` - - Description: Set to `false` to disable "chmod 700" of root's home folder -- `os_rootuser_pw_ageing` - - Default: `false` - - Description: Set to true to enforce password age settings for root user(s) -- `os_remove_additional_root_users` - - Default: `false` - - Description: When enabled and there are multiple users with UID=0, only "root" will be kept. Others will be deleted. 
-- `os_user_pw_ageing` - - Default: `true` - - Description: Set to false to disable password age enforcement on existing users -- `os_users_without_password_ageing` - - Default: `[]` - - Description: List of users, where password ageing should not be enforced even if "os_user_pw_ageing" is enabled -- `os_cron_enabled` - - Default: `true` - - Description: Set to false to disable installing and configuring cron. -- `os_ctrlaltdel_disabled` - - Default: `false` - - Description: Set to true to disable ctrl-alt-delete key combination. -- `os_limits_enabled` - - Default: `true` - - Description: Set to false to disable installing and configuring limits. -- `os_login_defs_enabled` - - Default: `true` - - Description: Set to false to disable installing and configuring login_defs for newly created users. -- `os_minimize_access_enabled` - - Default: `true` - - Description: Set to false to disable installing and configuring minimize_access. -- `os_pam_enabled` - - Default: `true` - - Description: Set to false to disable installing and configuring pam. -- `os_modprobe_enabled` - - Default: `true` - - Description: Set to false to disable installing and configuring modprobe. -- `os_profile_enabled` - - Default: `true` - - Description: Set to false to disable installing and configuring profile. -- `os_security_auto_logout` - - Default: `0` - - Description: Set timeout in seconds for logout users automatically after time. Setting this to `0` disables the timeout. -- `os_securetty_enabled` - - Default: `true` - - Description: Set to false to disable installing and configuring securetty. -- `os_sysctl_enabled` - - Default: `true` - - Description: Set to false to disable installing and configuring sysctl. -- `os_user_accounts_enabled` - - Default: `true` - - Description: Set to false to disable installing and configuring user_accounts. -- `os_rhosts_enabled` - - Default: `true` - - Description: Set to false to disable installing and configuring rhosts. 
-- `os_yum_enabled` - - Default: `true` - - Description: Set to false to disable installing and configuring yum. -- `os_yum_repo_file_whitelist` - - Default: `[]` - - Description: List of yum repository files under /etc/yum.repos.d/ which should not be altered. -- `os_apt_enabled` - - Default: `true` - - Description: Set to false to disable installing and configuring apt. -- `os_selinux_enabled` - - Default: `true` - - Description: Set to false to disable installing and configuring selinux. -- `os_sha_crypt_min_rounds` - - Default: `640000` - - Description: Define the number of minimum SHA rounds. With a lot of rounds brute forcing the password is more difficult. But note also that it more CPU resources will be needed to authenticate users. The values must be inside the 1000-999999999 range. -- `os_sha_crypt_max_rounds` - - Default: `640000` - - Description: Define the number of maximum SHA rounds. With a lot of rounds brute forcing the password is more difficult. But note also that it more CPU resources will be needed to authenticate users. The values must be inside the 1000-999999999 range. -- `os_auditd_enabled` - - Default: `true` - - Description: Set to false to disable installing and configuring `auditd`. -- `os_auditd_flush` - - Default: `INCREMENTAL` - - Description: Valid values are none, incremental, incremental_async, data, and sync. -- `os_auditd_freq` - - Default: `20` - - Description: Specify number of records to write before issuing an explicit flush to disk command. This value is only valid when the flush keyword is set to incremental or incremental_async. -- `os_auditd_max_log_file` - - Default: 6 - - Description: This keyword specifies the maximum file size in megabytes. When this limit is reached, it will trigger a configurable action. -- `os_auditd_max_log_file_action` - - Default: `keep_logs` - - Description: This parameter tells the system what action to take when the system has detected that the max file size limit has been reached. 
Valid values are ignore, syslog, suspend, rotate and keep_logs. -- `os_auditd_write_logs` - - Default: `true` - - Description: Set to false in order to disable writing logs to disk. -- `os_auditd_log_file` - - Default: `/var/log/audit/audit.log` - - Description: Specify the full path name to the log file where audit records will be stored. It must be a regular file. -- `os_auditd_log_format` - - Default: `RAW` - - Description: The log format describes how the information should be stored on disk. There are 2 options: raw and enriched. If set to `RAW`, the audit records will be stored in a format exactly as the kernel sends it. The `ENRICHED` option will resolve all uid, gid, syscall, architecture, and socket address information before writing the event to disk. This aids in making sense of events created on one system but reported/analyzed on another system. -- `os_auditd_admin_space_left` - - Default: 50 - - Description: This is a numeric value in megabytes that tells the audit daemon when to perform a configurable action because the system is running low on disk space. -- `os_auditd_space_left` - - Default: 75 - - Description: If the free space in the filesystem containing log_file drops below this value, the audit daemon takes the action specified by space_left_action. -- `os_auditd_space_left_action` - - Default: SYSLOG - - Description: This parameter tells the system what action to take when the system has detected that it is starting to get low on disk space. -- `os_auditd_action_mail_acct` - - Default: root - - Description: If `space_left_action` or `admin_space_left_action` are set to `email`, uses the address or alias to send the email using `/usr/lib/sendmail`. If the address or alias is not local, requires email properly configured on the machine and network. 
-- `os_mnt_boot_dir_mode` - - Default: `0700` - - Description: Set default perimissions for /boot -- `os_mnt_boot_enabled` - - Default: `false` - - Description: Set to true to configure /boot mountpoint -- `os_mnt_boot_src` - - Default: `''` - - Description: Set mount source for /boot -- `os_mnt_boot_options` - - Default: `rw,nosuid,nodev,noexec` - - Description: Configure mount options for /boot -- `os_mnt_boot_filesystem` - - Default: `""` - - Description: Configure file system for fstab entry /boot. If empty, the current file system type will be used. -- `os_mnt_boot_dump` - - Default: ext3 + ext4 `1` / other `0` - - Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype. -- `os_mnt_boot_passno` - - Default: ext3 + ext4 `2` / other `0` - - Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype. -- `os_mnt_dev_dir_mode` - - Default: `0755` - - Description: Set default perimissions for /dev -- `os_mnt_dev_enabled` - - Default: `true` - - Description: Set to false to ignore /dev mountpoint -- `os_mnt_dev_src` - - Default: `devtmpfs` - - Description: Set mount source for /dev -- `os_mnt_dev_options` - - Default: `'rw,nosuid,noexec'` - - Description: Configure mount options for /dev -- `os_mnt_dev_filesystem` - - Default: `devtmpfs` - - Description: Configure file system for fstab entry /dev -- `os_mnt_dev_dump` - - Default: `0` - - Description: Configure dump for fstab entry /var/tmp. -- `os_mnt_dev_passno` - - Default: `0` - - Description: Configure passno for fstab entry /var/tmp. 
-- `os_mnt_dev_shm_dir_mode` - - Default: `1777` - - Description: Set default perimissions for /dev/shm -- `os_mnt_dev_shm_enabled` - - Default: `true` - - Description: Set to false to ignore /dev/shm mountpoint -- `os_mnt_dev_shm_src` - - Default: `tmpfs` - - Description: Set mount source for /dev/shm -- `os_mnt_dev_shm_options` - - Default: `rw,nosuid,nodev,noexec` - - Description: Configure mount options for /dev/shm -- `os_mnt_dev_shm_filesystem` - - Default: `tmpfs` - - Description: Configure file system for fstab entry /dev/shm -- `os_mnt_dev_shm_dump` - - Default: `0` - - Description: Configure dump for fstab entry /var/tmp. -- `os_mnt_dev_shm_passno` - - Default: `0` - - Description: Configure passno for fstab entry /var/tmp. -- `os_mnt_home_dir_mode` - - Default: `0755` - - Description: Set default perimissions for /home -- `os_mnt_home_enabled` - - Default: `false` - - Description: Set to true to configure /home mountpoint -- `os_mnt_home_src` - - Default: `""` - - Description: Set mount source for /home. If empty, the current file system source device will be used. -- `os_mnt_home_options` - - Default: `rw,nosuid,nodev` - - Description: Configure mount options for /home -- `os_mnt_home_filesystem` - - Default: `""` - - Description: Configure file system for fstab entry /home. If empty, the current file system type will be used. -- `os_mnt_home_dump` - - Default: ext3 + ext4 `1` / other `0` - - Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype. -- `os_mnt_home_passno` - - Default: ext3 + ext4 `2` / other `0` - - Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype. 
-- `os_mnt_run_dir_mode` - - Default: `0755` - - Description: Set default perimissions for /run -- `os_mnt_run_enabled` - - Default: `true` - - Description: Set to false to ignore /run mountpoint -- `os_mnt_run_src` - - Default: `tmpfs` - - Description: Set mount source for /run -- `os_mnt_run_options` - - Default: `rw,nosuid,nodev` - - Description: Configure mount options for /run -- `os_mnt_run_filesystem` - - Default: `tmpfs` - - Description: Configure file system for fstab entry /run -- `os_mnt_run_dump` - - Default: `0` - - Description: Configure dump for fstab entry /var/tmp. -- `os_mnt_run_passno` - - Default: `0` - - Description: Configure passno for fstab entry /var/tmp. -- `os_mnt_tmp_dir_mode` - - Default: `1777` - - Description: Set default perimissions for /tmp -- `os_mnt_tmp_enabled` - - Default: `false` - - Description: Set to true to configure /tmp mountpoint -- `os_mnt_tmp_src` - - Default: `""` - - Description: Set mount source for /tmp. If empty, the current file system source device will be used. -- `os_mnt_tmp_options` - - Default: `rw,nosuid,nodev,noexec` - - Description: Configure mount options for /tmp -- `os_mnt_tmp_filesystem` - - Default: `""` - - Description: Configure file system for fstab entry /tmp. If empty, the current file system type will be used. -- `os_mnt_tmp_dump` - - Default: ext3 + ext4 `1` / other `0` - - Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype. -- `os_mnt_tmp_passno` - - Default: ext3 + ext4 `2` / other `0` - - Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype. -- `os_mnt_var_dir_mode` - - Default: `0755` - - Description: Set default perimissions for /var -- `os_mnt_var_enabled` - - Default: `false` - - Description: Set to true to configure /var mountpoint -- `os_mnt_var_src` - - Default: `""` - - Description: Set mount source for /var. If empty, the current file system source device will be used. 
-- `os_mnt_var_options` - - Default: `rw,nosuid,nodev` - - Description: Configure mount options for /var -- `os_mnt_var_filesystem` - - Default: `""` - - Description: Configure file system for fstab entry /var. If empty, the current file system type will be used. -- `os_mnt_var_dump` - - Default: ext3 + ext4 `1` / other `0` - - Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype. -- `os_mnt_var_passno` - - Default: ext3 + ext4 `2` / other `0` - - Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype. -- `os_mnt_var_log_dir_mode` - - Default: `0755` - - Description: Set default perimissions for /var/log -- `os_mnt_var_log_enabled` - - Default: `false` - - Description: Set to true to configure /var/log mountpoint -- `os_mnt_var_log_src` - - Default: `""` - - Description: Set mount source for /var/log. If empty, the current file system source device will be used. -- `os_mnt_var_log_options` - - Default: `rw,nosuid,nodev,noexec` - - Description: Configure mount options for /var/log -- `os_mnt_var_log_filesystem` - - Default: `""` - - Description: Configure file system for fstab entry /var/log. If empty, the current file system type will be used. -- `os_mnt_var_log_dump` - - Default: ext3 + ext4 `1` / other `0` - - Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype. -- `os_mnt_var_log_passno` - - Default: ext3 + ext4 `2` / other `0` - - Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype. -- `os_mnt_var_log_audit_dir_mode` - - Default: `0640` - - Description: Set default perimissions for /var/log/audit -- `os_mnt_var_log_audit_enabled` - - Default: `false` - - Description: Set to true to configure /var/log/audit mountpoint -- `os_mnt_var_log_audit_src` - - Default: `""` - - Description: Set mount source for /var/log/audit. If empty, the current file system source device will be used. 
-- `os_mnt_var_log_audit_options` - - Default: `rw,nosuid,nodev,noexec` - - Description: Configure mount options for /var/log/audit -- `os_mnt_var_log_audit_filesystem` - - Default: `""` - - Description: Configure file system for fstab entry /var/log/audit. If empty, the current file system type will be used. -- `os_mnt_var_log_audit_dump` - - Default: ext3 + ext4 `1` / other `0` - - Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype. -- `os_mnt_var_log_audit_passno` - - Default: ext3 + ext4 `2` / other `0` - - Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype. -- `os_mnt_var_tmp_dir_mode` - - Default: `1777` - - Description: Set default perimissions for /var/tmp -- `os_mnt_var_tmp_enabled` - - Default: `false` - - Description: Set to true to configure /var/tmp mountpoint -- `os_mnt_var_tmp_src` - - Default: `""` - - Description: Set mount source for /var/tmp. If empty, the current file system source device will be used. -- `os_mnt_var_tmp_options` - - Default: `rw,nosuid,nodev,noexec` - - Description: Configure mount options for /var/tmp -- `os_mnt_var_tmp_filesystem` - - Default: `""` - - Description: Configure file system for fstab entry /var/tmp. If empty, the current file system type will be used. -- `os_mnt_var_tmp_dump` - - Default: ext3 + ext4 `1` / other `0` - - Description: Configure dump for fstab entry /var/tmp. If empty, the default depends on fstype. -- `os_mnt_var_tmp_passno` - - Default: ext3 + ext4 `2` / other `0` - - Description: Configure passno for fstab entry /var/tmp. If empty, the default depends on fstype. 
-- `os_netrc_enabled` - - Default: `True` - - Description: Configure filesystem for existence of .netrc file in homedir -- `os_netrc_whitelist_user` - - Default: `` - - Description: Add list of user to allow creation of .netrc in users homedir - -## Packages - -We remove the following packages: - -- xinetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1) -- inetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1) -- tftp-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.5) -- ypserv ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.4) -- telnet-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.2) -- rsh-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.3) -- prelink ([open-scap](https://static.open-scap.org/ssg-guides/ssg-sl7-guide-ospp-rhel7-server.html#xccdf_org.ssgproject.content_rule_disable_prelink)) - -## Disabled filesystems - -We disable the following filesystems, because they're most likely not used: - -- "cramfs" -- "freevxfs" -- "jffs2" -- "hfs" -- "hfsplus" -- "squashfs" -- "udf" -- "vfat" # only if uefi is not in use - -To prevent some of the filesystems from being disabled, add them to the `os_filesystem_whitelist` variable. 
- -## Example Playbook - -```yaml -- hosts: localhost - collections: - - devsec.hardening - roles: - - os_hardening -``` - ## Changing sysctl variables If you want to override sysctl-variables, you can use the `sysctl_overwrite` variable (in older versions you had to override the whole `sysctl_dict`). diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml index 20392185..1ce0ac86 100644 --- a/roles/os_hardening/defaults/main.yml +++ b/roles/os_hardening/defaults/main.yml @@ -306,7 +306,7 @@ sysctl_config: # Do not delete the following line or otherwise the playbook will fail # at task 'create a combined sysctl-dict if overwrites are defined' -sysctl_overwrite: +sysctl_overwrite: {} # Disable unused filesystems os_unused_filesystems: - cramfs @@ -356,7 +356,7 @@ os_selinux_state: enforcing os_selinux_policy: targeted # Mount options for proc in /etc/fstab. -proc_mnt_options: rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }} +proc_mnt_options: rw,nosuid,nodev,noexec,relatime # Set to false to disable installing and configuring cron. os_cron_enabled: true diff --git a/roles/os_hardening/meta/argument_specs.yml b/roles/os_hardening/meta/argument_specs.yml new file mode 100644 index 00000000..5ca59a77 --- /dev/null +++ b/roles/os_hardening/meta/argument_specs.yml 
@@ -0,0 +1,844 @@ +--- +argument_specs: + main: + short_description: The main entry point for the os hardening role. + version_added: 8.8.0 + options: + os_desktop_enable: + default: false + type: bool + description: true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc. + os_env_extra_user_paths: + default: '[]' + type: list + description: add additional paths to the user's `PATH` variable (default is + empty). + os_auth_pw_max_age: + default: 60 + type: int + description: maximum password age (set to `99999` to effectively disable it). + os_auth_pw_min_age: + default: 7 + type: int + description: minimum password age (before allowing any other password change). + os_auth_pw_warn_age: + default: 7 + type: int + description: number of days of warning before password expires. + os_auth_pw_remember: + default: 5 + type: int + description: how many used passwords are record. + os_auth_retries: + default: 5 + type: int + description: the maximum number of authentication attempts, before the account + is locked for some time. + os_auth_lockout_time: + default: 600 + type: int + description: time in seconds that needs to pass, if the account was locked + due to too many failed authentication attempts. + os_auth_timeout: + default: 60 + type: int + description: authentication timeout in seconds, so login will exit if this + time passes. + os_auth_allow_homeless: + default: false + type: bool + description: true if to allow users without home to login. + os_auth_pam_passwdqc_enable: + default: true + type: bool + description: true if you want to use strong password checking in PAM using + passwdqc. + os_auth_pam_passwdqc_options: + default: min=disabled,disabled,16,12,8 + type: str + description: set to any option line (as a string) that you want to pass to + passwdqc. + os_auth_pam_oddjob_mkhomedir: + default: false + type: bool + description: Enables automatic homedir e.g. 
in FreeIPA environments + os_auth_pam_pwquality_options: + default: try_first_pass retry=3 authtok_type= + type: str + description: Options to pass to the PAM module pwquality + os_security_users_allow: + default: '[]' + type: list + description: list of things, that a user is allowed to do. May contain `change_user`. + os_security_kernel_enable_module_loading: + default: true + type: bool + description: true if you want to allowed to change kernel modules once the + system is running (eg `modprobe`, `rmmod`). WARNING - Rebuilding initramfs + is deprecated and will be removed in the next major release. For more information + take a look at this issue + os_security_kernel_enable_core_dump: + default: false + type: bool + description: kernel is crashing or otherwise misbehaving and a kernel core + dump is created. + os_security_suid_sgid_enforce: + default: true + type: bool + description: true if you want to reduce SUID/SGID bits. There is already a + list of items which are searched for configured, but you can also add your + own. + os_security_suid_sgid_blacklist: + default: '[]' + type: list + description: a list of paths which should have their SUID/SGID bits removed. + os_security_suid_sgid_whitelist: + default: '[]' + type: list + description: a list of paths which should not have their SUID/SGID bits altered. + os_security_suid_sgid_remove_from_unknown: + default: false + type: bool + description: true if you want to remove SUID/SGID bits from any file, that + is not explicitly configured in a `blacklist`. This will make every Ansible-run + search through the mounted filesystems looking for SUID/SGID bits that are + not configured in the default and user blacklist. If it finds an SUID/SGID + bit, it will be removed, unless this file is in your `whitelist`. + os_auth_uid_min: + default: 1000 + type: int + description: minimum number for automatic uid selection in useradd. 
+ os_auth_uid_max: + default: 60000 + type: int + description: maximum number for automatic uid selection in useradd. + os_auth_gid_min: + default: 1000 + type: int + description: minimum number for automatic gid selection in groupadd. + os_auth_gid_max: + default: 60000 + type: int + description: maximum number for automatic gid selection in groupadd. + os_auth_sub_uid_count: + default: 65536 + type: int + description: If /etc/subuid exists, the commands useradd and newusers (unless + the user already have subordinate user IDs) allocate SUB_UID_COUNT unused + user IDs from the range SUB_UID_MIN to SUB_UID_MAX for each new user. See + also `os_auth_sub_uid_min` and `os_auth_sub_uid_max`. + os_auth_sub_uid_min: + default: 100000 + type: int + description: minimum number for automatic subordinate uid selection in useradd + and newusers. + os_auth_sub_uid_max: + default: 600100000 + type: int + description: maximum number for automatic subordinate uid selection in useradd + and newusers. + os_auth_sub_gid_count: + default: 65536 + type: int + description: If /etc/subuid exists, the commands useradd and newusers (unless + the user already have subordinate group IDs) allocate SUB_GID_COUNT unused + group IDs from the range SUB_GID_MIN to SUB_GID_MAX for each new user. See + also `os_auth_sub_gid_min` and `os_auth_sub_gid_max`. + os_auth_sub_gid_min: + default: 100000 + type: int + description: minimum number for automatic subordinate gid selection in useradd + and newusers. + os_auth_sub_gid_max: + default: 600100000 + type: int + description: maximum number for automatic subordinate gid selection in useradd + and newusers. + os_security_packages_clean: + default: true + type: bool + description: removes packages with known issues. See section packages. + os_selinux_state: + default: enforcing + type: str + description: Set the SELinux state, can be either disabled, permissive, or + enforcing. 
+ os_selinux_policy: + default: targeted + type: str + description: Set the SELinux polixy. + ufw_manage_defaults: + default: true + type: bool + description: true means apply all settings with `ufw_` prefix. + ufw_ipt_sysctl: + default: "''" + type: str + description: by default it disables IPT_SYSCTL in /etc/default/ufw. If you + want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl + dictionary, for example `/etc/ufw/sysctl.conf`. + ufw_default_input_policy: + default: DROP + type: str + description: set default input policy of ufw to `DROP`. + ufw_default_output_policy: + default: ACCEPT + type: str + description: set default output policy of ufw to `ACCEPT`. + ufw_default_forward_policy: + default: DROP + type: str + description: set default forward policy of ufw to `DROP`. + ufw_enable_ipv6: + default: true + type: bool + description: Set to `true` to apply rules to support IPv6 (no means only IPv6 + on loopback accepted). + os_auditd_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring auditd. + os_auditd_log_format: + default: RAW + type: str + description: Describes how the information should be stored on disk. There + are 2 options - raw and enriched. + os_auditd_max_log_file_action: + default: keep_logs + type: str + description: Defines the behaviour of auditd when its log file is filled up. + Possible other values are described in the auditd.conf man page. The most + common alternative to the default may be `rotate`. + os_auditd_max_log_file: + default: 6 + type: int + description: This keyword specifies the maximum file size in megabytes. When + this limit is reached, it will trigger a configurable action. The value + given must be numeric. + os_auditd_num_logs: + default: 5 + type: int + description: This keyword specifies the number of log files to keep if `rotate` + is given as the max_log_file_action. The value given must be numeric. 
+ os_auditd_flush: + default: INCREMENTAL + type: str + description: Valid values are none, incremental, incremental_async, data, + and sync. + os_auditd_admin_space_left: + default: 50 + type: int + description: This is a numeric value in megabytes that tells the audit daemon + when to perform a configurable action because the system is running low + on disk space. + os_auditd_admin_space_left_action: + default: SUSPEND + type: str + description: This parameter tells the system what action to take when the + system has detected that it is low on disk space. Valid values are ignore, + syslog, rotate, email, exec, suspend, single, and halt. + os_auditd_space_left: + default: 75 + type: int + description: If the free space in the filesystem containing log_file drops + below this value, the audit daemon takes the action specified by space_left_action. + os_auditd_space_left_action: + default: SYSLOG + type: str + description: This parameter tells the system what action to take when the + system has detected that it is starting to get low on disk space. Valid + values are ignore, syslog, rotate, email, exec, suspend, single, and halt. + os_auditd_action_mail_acct: + default: root + type: str + description: If `space_left_action` or `admin_space_left_action` are set to + `email`, uses the address or alias to send the email using `/usr/lib/sendmail`. + of events created on one system but reported/analyzed on another system. + os_auditd_disk_error_action: + default: SUSPEND + type: str + description: This parameter tells the system what action to take whenever + there is an error detected when writing audit events to disk or rotating + logs. Valid values are ignore, syslog, exec, suspend, single, and halt. + os_auditd_disk_full_action: + default: SUSPEND + type: str + description: This parameter tells the system what action to take when the + system has detected that the partition to which log files are written has + become full. 
Valid values are ignore, syslog, rotate, exec, suspend, single, + and halt. + os_auditd_log_group: + default: root + type: str + description: specifies the group that is applied to the log file's permissions. + The group name can be either numeric or spelled out. + proc_mnt_options: + default: rw,nosuid,nodev,noexec,relatime + type: str + description: Mount proc with hardenized options. Note that the hidepid option + is set separately in vars/. + os_ignore_users: + default: [vagrant, kitchen] + type: list + description: Specify system accounts whose login should not be disabled and + password not changed + os_chmod_home_folders: + default: true + type: bool + description: Set to `false` to disable "chmod 700" of home folders for regular + users + os_ignore_home_folder_users: + default: '[]' + type: list + description: Specify user accounts, whose home folders shouldn't be chmodded + to 700 when "os_chmod_home_folders" is enabled. + os_chmod_rootuser_home_folder: + default: true + type: bool + description: Set to `false` to disable "chmod 700" of root's home folder + os_rootuser_pw_ageing: + default: false + type: bool + description: Set to true to enforce password age settings for root user(s) + os_remove_additional_root_users: + default: false + type: bool + description: When enabled and there are multiple users with UID=0, only "root" + will be kept. Others will be deleted. + os_user_pw_ageing: + default: true + type: bool + description: Set to false to disable password age enforcement on existing + users + os_users_without_password_ageing: + default: '[]' + type: list + description: List of users, where password ageing should not be enforced even + if "os_user_pw_ageing" is enabled + os_cron_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring cron. + os_ctrlaltdel_disabled: + default: false + type: bool + description: Set to true to disable ctrl-alt-delete key combination. 
+ os_limits_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring limits. + os_login_defs_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring login_defs + for newly created users. + os_minimize_access_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring minimize_access. + os_pam_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring pam. + os_modprobe_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring modprobe. + os_profile_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring profile. + os_security_auto_logout: + default: 0 + type: int + description: Set timeout in seconds for logout users automatically after time. + Setting this to `0` disables the timeout. + os_securetty_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring securetty. + os_sysctl_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring sysctl. + os_user_accounts_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring user_accounts. + os_rhosts_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring rhosts. + os_yum_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring yum. + os_yum_repo_file_whitelist: + default: '[]' + type: list + description: List of yum repository files under /etc/yum.repos.d/ which should + not be altered. + os_apt_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring apt. 
+ os_selinux_enabled: + default: true + type: bool + description: Set to false to disable installing and configuring selinux. + os_sha_crypt_min_rounds: + default: 640000 + type: int + description: Define the number of minimum SHA rounds. With a lot of rounds + brute forcing the password is more difficult. But note also that it more + CPU resources will be needed to authenticate users. The values must be inside + the 1000-999999999 range. + os_sha_crypt_max_rounds: + default: 640000 + type: int + description: Define the number of maximum SHA rounds. With a lot of rounds + brute forcing the password is more difficult. But note also that it more + CPU resources will be needed to authenticate users. The values must be inside + the 1000-999999999 range. + os_mnt_boot_dir_mode: + default: '0700' + type: str + description: Set default perimissions for /boot + os_mnt_boot_enabled: + default: false + type: bool + description: Set to true to configure /boot mountpoint + os_mnt_boot_src: + default: "''" + type: str + description: Set mount source for /boot + os_mnt_boot_options: + default: rw,nosuid,nodev,noexec + description: Configure mount options for /boot + os_mnt_boot_filesystem: + default: "''" + type: str + description: Configure file system for fstab entry /boot. If empty, the current + file system type will be used. + os_mnt_boot_dump: + default: ext3 + ext4 = 1 / other = 0 + type: str + description: Configure dump for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_boot_passno: + default: ext3 + ext4 = 2 / other = 0 + type: str + description: Configure passno for fstab entry /var/tmp. If empty, the default + depends on fstype. 
+ os_mnt_dev_dir_mode: + default: '0755' + type: str + description: Set default perimissions for /dev + os_mnt_dev_enabled: + default: true + type: bool + description: Set to false to ignore /dev mountpoint + os_mnt_dev_src: + default: devtmpfs + type: str + description: Set mount source for /dev + os_mnt_dev_options: + default: rw,nosuid,noexec + type: str + description: Configure mount options for /dev + os_mnt_dev_filesystem: + default: devtmpfs + type: str + description: Configure file system for fstab entry /dev + os_mnt_dev_dump: + default: 0 + type: str + description: Configure dump for fstab entry /var/tmp. + os_mnt_dev_passno: + default: 0 + type: str + description: Configure passno for fstab entry /var/tmp. + os_mnt_dev_shm_dir_mode: + default: '1777' + type: str + description: Set default perimissions for /dev/shm + os_mnt_dev_shm_enabled: + default: true + type: bool + description: Set to false to ignore /dev/shm mountpoint + os_mnt_dev_shm_src: + default: tmpfs + type: str + description: Set mount source for /dev/shm + os_mnt_dev_shm_options: + default: rw,nosuid,nodev,noexec + type: str + description: Configure mount options for /dev/shm + os_mnt_dev_shm_filesystem: + default: tmpfs + type: str + description: Configure file system for fstab entry /dev/shm + os_mnt_dev_shm_dump: + default: 0 + type: str + description: Configure dump for fstab entry /var/tmp. + os_mnt_dev_shm_passno: + default: 0 + type: str + description: Configure passno for fstab entry /var/tmp. + os_mnt_home_dir_mode: + default: '0755' + type: str + description: Set default perimissions for /home + os_mnt_home_enabled: + default: false + type: bool + description: Set to true to configure /home mountpoint + os_mnt_home_src: + default: "''" + type: str + description: Set mount source for /home. If empty, the current file system + source device will be used. 
+ os_mnt_home_options: + default: rw,nosuid,nodev + type: str + description: Configure mount options for /home + os_mnt_home_filesystem: + default: "''" + type: str + description: Configure file system for fstab entry /home. If empty, the current + file system type will be used. + os_mnt_home_dump: + default: ext3/4 = 1, others = 0 + type: str + description: Configure dump for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_home_passno: + default: ext3/4 = 2, others = 0 + type: str + description: Configure passno for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_run_dir_mode: + default: '0755' + type: str + description: Set default perimissions for /run + os_mnt_run_enabled: + default: true + type: bool + description: Set to false to ignore /run mountpoint + os_mnt_run_src: + default: tmpfs + type: str + description: Set mount source for /run + os_mnt_run_options: + default: rw,nosuid,nodev + type: str + description: Configure mount options for /run + os_mnt_run_filesystem: + default: tmpfs + type: str + description: Configure file system for fstab entry /run + os_mnt_run_dump: + default: 0 + type: str + description: Configure dump for fstab entry /var/tmp. + os_mnt_run_passno: + default: 0 + type: str + description: Configure passno for fstab entry /var/tmp. + os_mnt_tmp_dir_mode: + default: '1777' + type: str + description: Set default perimissions for /tmp + os_mnt_tmp_enabled: + default: false + type: bool + description: Set to true to configure /tmp mountpoint + os_mnt_tmp_src: + default: "''" + type: str + description: Set mount source for /tmp. If empty, the current file system + source device will be used. + os_mnt_tmp_options: + default: rw,nosuid,nodev,noexec + type: str + description: Configure mount options for /tmp + os_mnt_tmp_filesystem: + default: "''" + type: str + description: Configure file system for fstab entry /tmp. If empty, the current + file system type will be used. 
+ os_mnt_tmp_dump: + default: ext3/4 = 1, others = 0 + type: str + description: Configure dump for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_tmp_passno: + default: ext3/4 = 2, others = 0 + type: str + description: Configure passno for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_var_dir_mode: + default: '0755' + type: str + description: Set default perimissions for /var + os_mnt_var_enabled: + default: false + type: bool + description: Set to true to configure /var mountpoint + os_mnt_var_src: + default: "''" + type: str + description: Set mount source for /var. If empty, the current file system + source device will be used. + os_mnt_var_options: + default: rw,nosuid,nodev + type: str + description: Configure mount options for /var + os_mnt_var_filesystem: + default: "''" + type: str + description: Configure file system for fstab entry /var. If empty, the current + file system type will be used. + os_mnt_var_dump: + default: ext3/4 = 1, others = 0 + type: str + description: Configure dump for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_var_passno: + default: ext3/4 = 2, others = 0 + type: str + description: Configure passno for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_var_log_dir_mode: + default: '0755' + type: str + description: Set default perimissions for /var/log + os_mnt_var_log_enabled: + default: false + type: bool + description: Set to true to configure /var/log mountpoint + os_mnt_var_log_src: + default: "''" + type: str + description: Set mount source for /var/log. If empty, the current file system + source device will be used. + os_mnt_var_log_options: + default: rw,nosuid,nodev,noexec + type: str + description: Configure mount options for /var/log + os_mnt_var_log_filesystem: + default: "''" + type: str + description: Configure file system for fstab entry /var/log. If empty, the + current file system type will be used. 
+ os_mnt_var_log_dump: + default: ext3/4 = 1, others = 0 + type: str + description: Configure dump for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_var_log_passno: + default: ext3/4 = 2, others = 0 + type: str + description: Configure passno for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_var_log_audit_dir_mode: + default: '0640' + type: str + description: Set default perimissions for /var/log/audit + os_mnt_var_log_audit_enabled: + default: false + type: bool + description: Set to true to configure /var/log/audit mountpoint + os_mnt_var_log_audit_src: + default: "''" + type: str + description: Set mount source for /var/log/audit. If empty, the current file + system source device will be used. + os_mnt_var_log_audit_options: + default: rw,nosuid,nodev,noexec + type: str + description: Configure mount options for /var/log/audit + os_mnt_var_log_audit_filesystem: + default: "''" + type: str + description: Configure file system for fstab entry /var/log/audit. If empty, + the current file system type will be used. + os_mnt_var_log_audit_dump: + default: ext3/4 = 1, others = 0 + type: str + description: Configure dump for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_var_log_audit_passno: + default: ext3/4 = 2, others = 0 + type: str + description: Configure passno for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_var_tmp_dir_mode: + default: '1777' + type: str + description: Set default perimissions for /var/tmp + os_mnt_var_tmp_enabled: + default: false + type: bool + description: Set to true to configure /var/tmp mountpoint + os_mnt_var_tmp_src: + default: "''" + type: str + description: Set mount source for /var/tmp. If empty, the current file system + source device will be used. 
+ os_mnt_var_tmp_options: + default: rw,nosuid,nodev,noexec + type: str + description: Configure mount options for /var/tmp + os_mnt_var_tmp_filesystem: + default: "''" + type: str + description: Configure file system for fstab entry /var/tmp. If empty, the + current file system type will be used. + os_mnt_var_tmp_dump: + default: ext3/4 = 1, others = 0 + type: str + description: Configure dump for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_mnt_var_tmp_passno: + default: ext3/4 = 2, others = 0 + type: str + description: Configure passno for fstab entry /var/tmp. If empty, the default + depends on fstype. + os_netrc_enabled: + default: true + type: bool + description: Configure filesystem for existence of .netrc file in homedir + os_netrc_whitelist_user: + default: '[]' + type: list + description: Add list of user to allow creation of .netrc in users homedir + sysctl_overwrite: + default: '{}' + type: dict + description: To overwrite options in the `sysctl_config`-dict, overwrite them + here. 
+ sysctl_config: + type: dict + description: various sysctl-settings + default: + fs.protected_hardlinks: 1 + fs.protected_symlinks: 1 + fs.protected_fifos: 1 + fs.protected_regular: 2 + fs.suid_dumpable: 0 + kernel.core_uses_pid: 1 + kernel.kptr_restrict: 2 + kernel.kexec_load_disabled: 1 + kernel.sysrq: 0 + kernel.randomize_va_space: 2 + kernel.yama.ptrace_scope: 1 + net.ipv4.ip_forward: 0 + net.ipv6.conf.all.forwarding: 0 + net.ipv4.conf.all.rp_filter: 1 + net.ipv4.conf.default.rp_filter: 1 + net.ipv4.icmp_echo_ignore_broadcasts: 1 + net.ipv4.icmp_ignore_bogus_error_responses: 1 + net.ipv4.icmp_ratelimit: 100 + net.ipv4.icmp_ratemask: 88089 + net.ipv4.tcp_timestamps: 0 + net.ipv4.conf.all.arp_ignore: 1 + net.ipv4.conf.all.arp_announce: 2 + net.ipv4.tcp_rfc1337: 1 + net.ipv4.tcp_syncookies: 1 + net.ipv4.conf.all.shared_media: 1 + net.ipv4.conf.default.shared_media: 1 + net.ipv4.conf.all.accept_source_route: 0 + net.ipv4.conf.default.accept_source_route: 0 + net.ipv6.conf.all.accept_source_route: 0 + net.ipv6.conf.default.accept_source_route: 0 + net.ipv4.conf.all.send_redirects: 0 + net.ipv4.conf.default.send_redirects: 0 + net.ipv4.conf.all.log_martians: 1 + net.ipv4.conf.default.log_martians: 1 + net.ipv4.conf.default.accept_redirects: 0 + net.ipv4.conf.all.accept_redirects: 0 + net.ipv4.conf.all.secure_redirects: 0 + net.ipv4.conf.default.secure_redirects: 0 + net.ipv6.conf.default.accept_redirects: 0 + net.ipv6.conf.all.accept_redirects: 0 + net.ipv6.conf.all.accept_ra: 0 + net.ipv6.conf.default.accept_ra: 0 + net.ipv6.conf.default.router_solicitations: 0 + net.ipv6.conf.all.router_solicitations: 0 + net.ipv6.conf.default.accept_ra_rtr_pref: 0 + net.ipv6.conf.default.accept_ra_pinfo: 0 + net.ipv6.conf.default.accept_ra_defrtr: 0 + net.ipv6.conf.default.autoconf: 0 + net.ipv6.conf.all.autoconf: 0 + net.ipv6.conf.default.dad_transmits: 0 + net.ipv6.conf.default.max_addresses: 1 + vm.mmap_min_addr: 65536 + vm.mmap_rnd_bits: 32 + vm.mmap_rnd_compat_bits: 16 + 
os_unused_filesystems: + default: + - cramfs + - freevxfs + - jffs2 + - hfs + - hfsplus + - squashfs + - udf + - vfat + - dccp + - rds + - sctp + - tipc + type: list + description: Disable this list of unused filesystems + os_filesystem_whitelist: + default: '[]' + type: list + description: A list of filesystems that should not be disabled + os_hardening_enabled: + default: true + type: bool + description: Whether to run the hardening + os_auth_root_ttys: + default: [console, tty1, tty2, tty3, tty4, tty5, tty6] + type: list + description: A list of TTYs, from which root can log in, see `man securetty` + for reference + os_chfn_restrict: + default: "''" + type: str + description: Indicate which fields are changeable by chfn. + os_security_init_prompt: + default: true + type: bool + description: The PROMPT option provides console users the ability to interactively + boot the system and select which services to start on boot. + os_security_init_single: + default: false + type: bool + description: Single-user mode is intended as a system recovery method, providing + a single user root access to the system by providing a boot option at startup. + By default, no authentication is performed if single-user mode is selected. 
+ To require entry of the root password even if the system is started in single-user + mode, set this to false + os_security_packages_list: + default: [xinetd, inetd, ypserv, telnet-server, rsh-server, prelink] + type: list + description: List of deprecated or insecure packages to remove + ufw_default_application_policy: + default: SKIP + type: str + description: The default application policy is skip, which means that the + update --add-new command will do nothing + ufw_ipt_modules: + default: nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns + type: str + description: Define which netfilter modules to load + ufw_manage_builtins: + default: 'no' + type: str + description: If this variable is set to 'yes', on stop and reload the built-in + chains are flushed. If it is set to 'no', on stop and reload the ufw secondary + chains are removed and the ufw primary chains are flushed diff --git a/roles/os_hardening/tasks/minimize_access.yml b/roles/os_hardening/tasks/minimize_access.yml index da99781b..a7083865 100644 --- a/roles/os_hardening/tasks/minimize_access.yml +++ b/roles/os_hardening/tasks/minimize_access.yml 
@@ -73,12 +73,23 @@ mode: "0750" when: '"change_user" not in os_security_users_allow' +# we have to define this combined variable here, because when defining it +# in the defaults like this: +# proc_mnt_options: rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }} +# the role argument validator complains about the missing hidepid_option-variable. +# If we define the hidepid_option-variable in the defaults, we cannot +# overwrite it anymore in the vars (for some reason). + +- name: Define proc_mnt_options including hidepid_option + ansible.builtin.set_fact: + _proc_mnt_options: "{{ proc_mnt_options }},hidepid={{ hidepid_option }}" + - name: Set option hidepid for proc filesystem ansible.posix.mount: path: /proc src: proc fstype: proc - opts: "{{ proc_mnt_options }}" + opts: "{{ _proc_mnt_options }}" state: mounted - name: Generate list of current available mounted filesystems on the system diff --git a/roles/ssh_hardening/README.md b/roles/ssh_hardening/README.md index cb131229..c088f09d 100644 --- a/roles/ssh_hardening/README.md +++ b/roles/ssh_hardening/README.md @@ -1,6 +1,6 @@ # dev-sec.ssh_hardening -![devsec.ssh_hardening](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.ssh_hardening/badge.svg) +![devsec.ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/workflows/devsec.ssh_hardening/badge.svg) ## Description 
@@ -8,250 +8,430 @@ This role provides secure ssh-client and ssh-server configurations. It is intend Warning: This role disables root-login on the target server! Please make sure you have another user with su or sudo permissions that can login into the server. -## Requirements + +## Supported Operating Systems +| Platform | Versions | +| -------- | -------- | +| EL | 7, 8, 9 | +| Ubuntu | bionic, focal, jammy | +| Debian | buster, bullseye | +| Amazon | | +| Fedora | | +| ArchLinux | | +| SmartOS | | +| FreeBSD | 12.2 | +| OpenBSD | 7.0 | -- Ansible >= 2.9 -- root-privileges on the target system +## Role Variables -As this role requires root-privileges, we added `become: true` to all tasks. So please make sure you run the role as root or as a user with become-privileges. +* `network_ipv6_enable` + * Default: `true` + * Description: `false` if IPv6 is not needed. `ssh_listen_to` must also be set to listen to IPv6 addresses (for example `[::]`). + * Type: bool + * Required: no +* `sftp_chroot` + * Default: `true` + * Description: Set to `false` to disable chroot for sftp. + * Type: bool + * Required: no +* `sftp_chroot_dir` + * Default: `/home/%u` + * Description: change default stp chroot location + * Type: str + * Required: no +* `sftp_enabled` + * Default: `true` + * Description: Set to `false` to disable sftp configuration. + * Type: bool + * Required: no +* `sftp_umask` + * Default: `0027` + * Description: Specifies the umask for sftp. + * Type: str + * Required: no +* `ssh_allow_agent_forwarding` + * Default: `false` + * Description: Set to `false` to disable Agent Forwarding. Set to `true` to allow Agent Forwarding. + * Type: bool + * Required: no +* `ssh_allow_groups` + * Default: `` + * Description: if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. 
+ * Type: str + * Required: no +* `ssh_allow_tcp_forwarding` + * Default: `no` + * Description: Set to `'no'` or `false` to disable TCP Forwarding. Set to `'yes'` or`True` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `'yes'`, `'no'`, `'all'`, `'local'`or`'remote'`. + * Type: str + * Required: no +* `ssh_allow_users` + * Default: `` + * Description: if specified, login is allowed only for user names that match one of the patterns. + * Type: str + * Required: no +* `ssh_authorized_keys_file` + * Default: `` + * Description: change default file that contains the public keys that can be used for user authentication + * Type: str + * Required: no +* `ssh_authorized_principals` + * Default: `` + * Description: list of hashes containing file paths and authorized principals, see `default_cstom.yml` for all options. Only used if `ssh_authorized_principals_file` is set + * Type: list + * Required: no +* `ssh_authorized_principals_file` + * Default: `` + * Description: specifies the file containing principals that are allowed. Only used if `ssh_trusted_user_ca_keys_file` is set. + * Type: str + * Required: no +* `ssh_banner` + * Default: `false` + * Description: Set to `true` to print a banner on login. + * Type: bool + * Required: no +* `ssh_banner_path` + * Default: `/etc/sshd/banner.txt` + * Description: path to the SSH banner file. + * Type: str + * Required: no +* `ssh_challengeresponseauthentication` + * Default: `false` + * Description: Specifies whether challenge-response authentication is allowed (e.g. via PAM). + * Type: bool + * Required: no +* `ssh_ciphers` + * Default: `` + * Description: Change this list to overwrite ciphers. Defaults found in `defaults/main.yml` + * Type: list + * Required: no +* `ssh_client_alive_count` + * Default: `3` + * Description: Defines the number of acceptable unanswered client alive messages before disconnecting clients. 
+ * Type: str + * Required: no +* `ssh_client_alive_interval` + * Default: `600` + * Description: specifies an interval for sending keepalive messages. + * Type: str + * Required: no +* `ssh_client_compression` + * Default: `false` + * Description: Specifies whether the client requests compression. + * Type: bool + * Required: no +* `ssh_client_config_file` + * Default: `/etc/ssh/ssh_config` + * Description: path of the ssh client configuration file, e.g. `/etc/ssh/ssh_config.d/custom.conf`. + * Type: str + * Required: no +* `ssh_client_hardening` + * Default: `true` + * Description: `false` to stop harden the client. + * Type: bool + * Required: no +* `ssh_client_host_key_algorithms` + * Default: `` + * Description: Specifies the host key algorithms that the client wants to use in order of preference. If empty the default list will be used. Otherwise overrides the setting with specified list of algorithms. Check `man ssh_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version! + * Type: list + * Required: no +* `ssh_client_password_login` + * Default: `false` + * Description: Set to `true` to allow password-based authentication with the ssh client. + * Type: bool + * Required: no +* `ssh_client_port` + * Default: `22` + * Description: Specifies the port number to connect on the remote host. + * Type: str + * Required: no +* `ssh_client_roaming` + * Default: `false` + * Description: enable experimental client roaming. + * Type: bool + * Required: no +* `ssh_compression` + * Default: `false` + * Description: Specifies whether server-side compression is enabled after the user has authenticated successfully. + * Type: bool + * Required: no +* `ssh_custom_options` + * Default: `[]` + * Description: Custom lines for SSH client configuration. 
+ * Type: str + * Required: no +* `ssh_custom_selinux_dir` + * Default: `/etc/selinux/local-policies` + * Description: directory where to store the ssh_password policy + * Type: str + * Required: no +* `ssh_deny_groups` + * Default: `` + * Description: if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns. + * Type: str + * Required: no +* `ssh_deny_users` + * Default: `` + * Description: if specified, login is disallowed for user names that match one of the patterns. + * Type: str + * Required: no +* `ssh_gateway_ports` + * Default: `false` + * Description: Set to `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to. + * Type: bool + * Required: no +* `ssh_gssapi_delegation` + * Default: `false` + * Description: Set to `true` to enable GSSAPI credential forwarding. + * Type: bool + * Required: no +* `ssh_gssapi_support` + * Default: `false` + * Description: Set to `true` to enable GSSAPI authentication (both client and server). + * Type: bool + * Required: no +* `ssh_hardening_enabled` + * Default: `true` + * Description: Whether to run the hardening + * Type: bool + * Required: no +* `ssh_host_certificates` + * Default: `` + * Description: Host certificates to look for when starting sshd + * Type: list + * Required: no +* `ssh_host_key_algorithms` + * Default: `` + * Description: Host key algorithms that the server offers. If empty the default list will be used. Otherwise overrides the setting with specified list of algorithms. Check `man sshd_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version + * Type: list + * Required: no +* `ssh_host_key_files` + * Default: `` + * Description: Host keys for sshd. 
If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version. + * Type: list + * Required: no +* `ssh_host_rsa_key_size` + * Default: `4096` + * Description: Specifies the number of bits in the private host RSA key to create. + * Type: str + * Required: no +* `ssh_kerberos_support` + * Default: `true` + * Description: Set to `true` if SSH has Kerberos support. + * Type: bool + * Required: no +* `ssh_kex` + * Default: `` + * Description: Change this list to overwrite kexs. Defaults found in `defaults/main.yml` + * Type: list + * Required: no +* `ssh_listen_to` + * Default: `["0.0.0.0"]` + * Description: one or more ip addresses, to which ssh-server should listen to. Default is all IPv4 addresses, but should be configured to specific addresses for security reasons + * Type: list + * Required: no +* `ssh_login_grace_time` + * Default: `30s` + * Description: specifies the time allowed for successful authentication to the SSH server. + * Type: str + * Required: no +* `ssh_macs` + * Default: `` + * Description: Change this list to overwrite macs. Defaults found in `defaults/main.yml` + * Type: list + * Required: no +* `ssh_max_auth_retries` + * Default: `2` + * Description: Specifies the maximum number of authentication attempts permitted per connection. + * Type: str + * Required: no +* `ssh_max_sessions` + * Default: `10` + * Description: Specifies the maximum number of open sessions permitted from a given connection. + * Type: str + * Required: no +* `ssh_max_startups` + * Default: `10:30:60` + * Description: Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. + * Type: str + * Required: no +* `ssh_pam_support` + * Default: `true` + * Description: Set to `true` if SSH has PAM support. + * Type: bool + * Required: no +* `ssh_permit_root_login` + * Default: `no` + * Description: Disable root-login. 
Set to `'without-password'` or `'yes'` to enable root-login - The quotes are required! + * Type: str + * Required: no +* `ssh_permit_tunnel` + * Default: `false` + * Description: `true` if SSH Port Tunneling is required. + * Type: bool + * Required: no +* `ssh_print_debian_banner` + * Default: `false` + * Description: Set to `true` to print debian specific banner. + * Type: bool + * Required: no +* `ssh_print_last_log` + * Default: `false` + * Description: Set to `false` to disable display of last login information. + * Type: bool + * Required: no +* `ssh_print_motd` + * Default: `false` + * Description: Set to `false` to disable printing of the MOTD. + * Type: bool + * Required: no +* `ssh_print_pam_motd` + * Default: `false` + * Description: Set to `false` to disable printing of the MOTD via pam (Debian and Ubuntu). + * Type: bool + * Required: no +* `ssh_ps59` + * Default: `sandbox` + * Description: Specifies whether sshd separates privileges by creating an unprivileged child process to deal with incoming network traffic. + * Type: str + * Required: no +* `ssh_remote_hosts` + * Default: `` + * Description: one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml` + * Type: list + * Required: no +* `ssh_server_accept_env_vars` + * Default: `` + * Description: Specifies what environment variables sent by the client will be copied into the session's environment, multiple environment variables may be separated by whitespace. + * Type: str + * Required: no +* `ssh_server_config_file` + * Default: `/etc/ssh/sshd_config` + * Description: path of the ssh server configuration file, e.g. `/etc/ssh/sshd_config.d/custom.conf`. + * Type: str + * Required: no +* `ssh_server_enabled` + * Default: `true` + * Description: Set to `false` to disable the opensshd server. + * Type: bool + * Required: no +* `ssh_server_hardening` + * Default: `true` + * Description: `false` to stop harden the server. 
+ * Type: bool + * Required: no +* `ssh_server_match_address` + * Default: `` + * Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. + * Type: str + * Required: no +* `ssh_server_match_group` + * Default: `` + * Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. + * Type: str + * Required: no +* `ssh_server_match_local_port` + * Default: `` + * Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. + * Type: str + * Required: no +* `ssh_server_match_user` + * Default: `` + * Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. + * Type: str + * Required: no +* `ssh_server_password_login` + * Default: `false` + * Description: Set to `true` to allow password-based authentication to the ssh server. You probably also need to change `sshd_authenticationmethods` to include `password` if you set `ssh_server_password_login`: `true`. + * Type: bool + * Required: no +* `ssh_server_permit_environment_vars` + * Default: `no` + * Description: `yes` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. 
With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global 'yes' or 'no' settings. + * Type: str + * Required: no +* `ssh_server_ports` + * Default: `["22"]` + * Description: ports on which ssh-server should listen. + * Type: list + * Required: no +* `ssh_server_revoked_keys` + * Default: `` + * Description: a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys. + * Type: list + * Required: no +* `ssh_trusted_user_ca_keys` + * Default: `` + * Description: set the trusted certificate authorities public keys used to sign user certificates. Only used if `ssh_trusted_user_ca_keys_file` is set. + * Type: list + * Required: no +* `ssh_trusted_user_ca_keys_file` + * Default: `` + * Description: specifies the file containing trusted certificate authorities public keys used to sign user certificates. + * Type: str + * Required: no +* `ssh_use_dns` + * Default: `false` + * Description: Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. + * Type: bool + * Required: no +* `ssh_use_pam` + * Default: `true` + * Description: Set to `false` to disable pam authentication. + * Type: bool + * Required: no +* `ssh_x11_forwarding` + * Default: `false` + * Description: Set to `false` to disable X11 Forwarding. Set to `true` to allow X11 Forwarding. + * Type: bool + * Required: no +* `sshd_authenticationmethods` + * Default: `publickey` + * Description: Specifies the authentication methods that must be successfully completed for a user to be granted access. Make sure to set all required variables for your selected authentication method. Defaults found in `defaults/main.yml` + * Type: str + * Required: no +* `sshd_custom_options` + * Default: `` + * Description: Custom lines for SSH daemon configuration. 
+ * Type: list + * Required: no +* `sshd_log_level` + * Default: `VERBOSE` + * Description: the verbosity level that is used when logging messages from sshd. + * Type: str + * Required: no +* `sshd_moduli_file` + * Default: `/etc/ssh/moduli` + * Description: path to the SSH moduli file. + * Type: str + * Required: no +* `sshd_moduli_minimum` + * Default: `2048` + * Description: remove Diffie-Hellman parameters smaller than the defined size to mitigate logjam. + * Type: str + * Required: no +* `sshd_strict_modes` + * Default: `true` + * Description: Check file modes and ownership of the user's files and home directory before accepting login. + * Type: bool + * Required: no +* `sshd_syslog_facility` + * Default: `AUTH` + * Description: The facility code that is used when logging messages from sshd. + * Type: str + * Required: no -## Role Variables +## Dependencies -- `network_ipv6_enable` - - Default: `true` - - Description: false if IPv6 is not needed. `ssh_listen_to` must also be set to listen to IPv6 addresses (for example `[::]`). -- `ssh_client_config_file` - - Default: `'/etc/ssh/ssh_config'` - - Description: path of the ssh client configuration file, e.g. `/etc/ssh/ssh_config.d/custom.conf`. -- `ssh_server_config_file` - - Default: `'/etc/ssh/sshd_config'` - - Description: path of the ssh server configuration file, e.g. `/etc/ssh/sshd_config.d/custom.conf`. -- `ssh_server_ports` - - Default: `['22']` - - Description: ports on which ssh-server should listen. -- `ssh_client_port` - - Default: `'22'` - - Description: Specifies the port number to connect on the remote host. -- `ssh_listen_to` - - Default: `['0.0.0.0']` - - Description: one or more ip addresses, to which ssh-server should listen to. Default is all IPv4 addresses, but should be configured to specific addresses for security reasons! -- `ssh_host_key_files` - - Default: `[]` - - Description: Host keys for sshd. 
If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version. -- `ssh_host_rsa_key_size` - - Default: `4096` - - Description: Specifies the number of bits in the private host RSA key to create. -- `ssh_host_key_algorithms` - - Default: `[]` - - Description: Host key algorithms that the server offers. If empty the default list will be used. Otherwise overrides the setting with specified list of algorithms. Check `man sshd_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version! -- `ssh_client_host_key_algorithms` - - Default: `[]` - - Description: Specifies the host key algorithms that the client wants to use in order of preference. If empty the default list will be used. Otherwise overrides the setting with specified list of algorithms. Check `man ssh_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version!. -- `ssh_client_alive_interval` - - Default: `600` - - Description: specifies an interval for sending keepalive messages. -- `ssh_client_alive_count` - - Default: `3` - - Description: Defines the number of acceptable unanswered client alive messages before disconnecting clients. -- `ssh_permit_tunnel` - - Default: `false` - - Description: true if SSH Port Tunneling is required. -- `ssh_remote_hosts` - - Default: `[]` - - Description: one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`. -- `ssh_permit_root_login` - - Default: `no` - - Description: Disable root-login. Set to `'without-password'` or `'yes'` to enable root-login - The quotes are required! -- `ssh_allow_tcp_forwarding` - - Default: `no` - - Description: `'no'` or `False` to disable TCP Forwarding. Set to `'yes'` or `True` to allow TCP Forwarding. 
If you are using OpenSSH >= 6.2 version, you can specify `'yes'`, `'no'`, `'all'`, `'local'`or`'remote'`. -- `ssh_gateway_ports` - - Default: `false` - - Description: `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to. -- `ssh_allow_agent_forwarding` - - Default: `false` - - Description: false to disable Agent Forwarding. Set to true to allow Agent Forwarding. -- `ssh_x11_forwarding` - - Default: `false` - - Description: false to disable X11 Forwarding. Set to true to allow X11 Forwarding. -- `ssh_pam_support` - - Default: `true` - - Description: true if SSH has PAM support. -- `ssh_use_pam` - - Default: `true` - - Description: false to disable pam authentication. -- `ssh_gssapi_support` - - Default: `false` - - Description: Set to true to enable GSSAPI authentication (both client and server). -- `ssh_gssapi_delegation` - - Default: `false` - - Description: Set to true to enable GSSAPI credential forwarding. -- `ssh_kerberos_support` - - Default: `true` - - Description: true if SSH has Kerberos support. -- `ssh_deny_users` - - Default: `''` - - Description: if specified, login is disallowed for user names that match one of the patterns. -- `ssh_allow_users` - - Default: `''` - - Description: if specified, login is allowed only for user names that match one of the patterns. -- `ssh_deny_groups` - - Default: `''` - - Description: if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns. -- `ssh_allow_groups` - - Default: `''` - - Description: if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. -- `ssh_authorized_keys_file` - - Default: `''` - - Description: change default file that contains the public keys that can be used for user authentication. 
-- `ssh_trusted_user_ca_keys_file` - - Default: `''` - - Description: specifies the file containing trusted certificate authorities public keys used to sign user certificates. -- `ssh_trusted_user_ca_keys` - - Default: `[]` - - Description: set the trusted certificate authorities public keys used to sign user certificates. Only used if `ssh_trusted_user_ca_keys_file` is set. -- `ssh_authorized_principals_file` - - Default: `''` - - Description: specifies the file containing principals that are allowed. Only used if `ssh_trusted_user_ca_keys_file` is set. -- `ssh_authorized_principals` - - Default: `[]` - - Description: list of hashes containing file paths and authorized principals, see `default_custom.yml` for all options. Only used if `ssh_authorized_principals_file` is set. -- `ssh_print_motd` - - Default: `false` - - Description: false to disable printing of the MOTD. -- `ssh_print_pam_motd` - - Default: `false` - - Description: false to disable printing of the MOTD via pam (Debian and Ubuntu). -- `ssh_print_last_log` - - Default: `false` - - Description: false to disable display of last login information. -- `sftp_enabled` - - Default: `true` - - Description: false to disable sftp configuration. -- `sftp_umask` - - Default: `'0027'` - - Description: Specifies the umask for sftp. -- `sftp_chroot` - - Default: `true` - - Description: false to disable chroot for sftp. -- `sftp_chroot_dir` - - Default: `/home/%u` - - Description: change default sftp chroot location. -- `ssh_client_roaming` - - Default: `false` - - Description: enable experimental client roaming. -- `sshd_moduli_file` - - Default: `'/etc/ssh/moduli'` - - Description: path to the SSH moduli file. -- `sshd_moduli_minimum` - - Default: `2048` - - Description: remove Diffie-Hellman parameters smaller than the defined size to mitigate logjam. -- `ssh_challengeresponseauthentication` - - Default: `false` - - Description: Specifies whether challenge-response authentication is allowed (e.g. via PAM). 
-- `ssh_client_password_login` - - Default: `false` - - Description: `true` to allow password-based authentication with the ssh client. -- `ssh_server_password_login` - - Default: `false` - - Description: `true` to allow password-based authentication to the ssh server. You probably also need to change `sshd_authenticationmethods` to include `password` if you set `ssh_server_password_login`: `true`. -- `ssh_banner` - - Default: `false` - - Description: `true` to print a banner on login. -- `ssh_banner_path` - - Default: `'/etc/sshd/banner.txt'` - - Description: path to the SSH banner file. -- `ssh_client_hardening` - - Default: `true` - - Description: `false` to stop harden the client. -- `ssh_client_compression` - - Default: `false` - - Description: Specifies whether the client requests compression. -- `ssh_compression` - - Default: `false` - - Description: Specifies whether server-side compression is enabled after the user has authenticated successfully. -- `ssh_login_grace_time` - - Default: `30s` - - Description: specifies the time allowed for successful authentication to the SSH server. -- `ssh_max_auth_retries` - - Default: `2` - - Description: Specifies the maximum number of authentication attempts permitted per connection. -- `ssh_max_sessions` - - Default: `10` - - Description: Specifies the maximum number of open sessions permitted from a given connection. -- `ssh_print_debian_banner` - - Default: `false` - - Description: `true` to print debian specific banner. -- `ssh_server_enabled` - - Default: `true` - - Description: `false` to disable the opensshd server. -- `ssh_server_hardening` - - Default: `true` - - Description: `false` to stop harden the server. -- `ssh_server_match_address` - - Default: `''` - - Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. 
-- `ssh_server_match_group` - - Default: `''` - - Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. -- `ssh_server_match_user` - - Default: `''` - - Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. -- `ssh_server_match_local_port` - - Default: `''` - - Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. -- `ssh_server_permit_environment_vars` - - Default: `no` - - Description: `yes` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global "yes" or "no" settings. -- `ssh_server_accept_env_vars` - - Default: `''` - - Description: Specifies what environment variables sent by the client will be copied into the session's environment, multiple environment variables may be separated by whitespace. -- `ssh_use_dns` - - Default: `false` - - Description: Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. -- `ssh_server_revoked_keys` - - Default: `[]` - - Description: a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys. 
-- `ssh_max_startups` - - Default: `'10:30:60'` - - Description: Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. -- `ssh_macs` - - Default: `[]` - - Description: Change this list to overwrite macs. Defaults found in `defaults/main.yml`. -- `ssh_kex` - - Default: `[]` - - Description: Change this list to overwrite kexs. Defaults found in `defaults/main.yml`. -- `ssh_ciphers` - - Default: `[]` - - Description: Change this list to overwrite ciphers. Defaults found in `defaults/main.yml`. -- `ssh_custom_options` - - Default: `[]` - - Description: Custom lines for SSH client configuration. -- `sshd_custom_options` - - Default: `[]` - - Description: Custom lines for SSH daemon configuration. -- `sshd_syslog_facility` - - Default: `'AUTH'` - - Description: The facility code that is used when logging messages from sshd. -- `sshd_log_level` - - Default: `'VERBOSE'` - - Description: the verbosity level that is used when logging messages from sshd. -- `sshd_strict_modes` - - Default: `true` - - Description: Check file modes and ownership of the user's files and home directory before accepting login. -- `sshd_authenticationmethods` - - Default: `publickey` - - Description: Specifies the authentication methods that must be successfully completed for a user to be granted access. Make sure to set all required variables for your selected authentication method. Defaults found in `defaults/main.yml`. +None. ## Example Playbook -```yml -- hosts: localhost - collections: - - devsec.hardening +``` +- hosts: all roles: - - ssh_hardening + - name: devsec.hardening.ssh_hardening ``` + ## Configuring settings not listed in role-variables diff --git a/roles/ssh_hardening/meta/argument_specs.yml b/roles/ssh_hardening/meta/argument_specs.yml new file mode 100644 index 00000000..5879bd3a --- /dev/null +++ b/roles/ssh_hardening/meta/argument_specs.yml 
@@ -0,0 +1,354 @@ +--- +argument_specs: + main: + short_description: The main entry point for the ssh hardening role. + version_added: 8.8.0 + options: + network_ipv6_enable: + default: true + type: bool + description: '`false` if IPv6 is not needed. `ssh_listen_to` must also be + set to listen to IPv6 addresses (for example `[::]`).' + ssh_client_config_file: + default: /etc/ssh/ssh_config + description: path of the ssh client configuration file, e.g. `/etc/ssh/ssh_config.d/custom.conf`. + ssh_server_config_file: + default: /etc/ssh/sshd_config + description: path of the ssh server configuration file, e.g. `/etc/ssh/sshd_config.d/custom.conf`. + ssh_server_ports: + default: ['22'] + type: list + description: ports on which ssh-server should listen. + ssh_client_port: + default: '22' + description: Specifies the port number to connect on the remote host. + ssh_listen_to: + default: [0.0.0.0] + type: list + description: one or more ip addresses, to which ssh-server should listen to. + Default is all IPv4 addresses, but should be configured to specific addresses + for security reasons + ssh_host_key_files: + default: [] + type: list + description: Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', + '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the + installed sshd version. + ssh_host_rsa_key_size: + default: 4096 + description: Specifies the number of bits in the private host RSA key to create. + ssh_host_key_algorithms: + default: [] + type: list + description: Host key algorithms that the server offers. If empty the default + list will be used. Otherwise overrides the setting with specified list of + algorithms. 
Check `man sshd_config`, `ssh -Q HostKeyAlgorithms` or other + sources for supported algorithms - make sure you check the correct version + ssh_client_host_key_algorithms: + default: [] + type: list + description: Specifies the host key algorithms that the client wants to use + in order of preference. If empty the default list will be used. Otherwise + overrides the setting with specified list of algorithms. Check `man ssh_config`, + `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make + sure you check the correct version! + ssh_client_alive_interval: + default: 600 + description: specifies an interval for sending keepalive messages. + ssh_client_alive_count: + default: 3 + description: Defines the number of acceptable unanswered client alive messages + before disconnecting clients. + ssh_permit_tunnel: + default: false + type: bool + description: '`true` if SSH Port Tunneling is required.' + ssh_remote_hosts: + default: [] + type: list + description: one or more hosts and their custom options for the ssh-client. + Default is empty. See examples in `defaults/main.yml` + ssh_permit_root_login: + default: 'no' + description: Disable root-login. Set to `'without-password'` or `'yes'` to + enable root-login - The quotes are required! + ssh_allow_tcp_forwarding: + default: 'no' + description: Set to `'no'` or `false` to disable TCP Forwarding. Set to `'yes'` + or`True` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, + you can specify `'yes'`, `'no'`, `'all'`, `'local'`or`'remote'`. + ssh_gateway_ports: + default: false + type: bool + description: Set to `false` to disable binding forwarded ports to non-loopback + addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` + to allow the client to specify which address to bind to. + ssh_allow_agent_forwarding: + default: false + type: bool + description: Set to `false` to disable Agent Forwarding. Set to `true` to + allow Agent Forwarding. 
+ ssh_x11_forwarding: + default: false + type: bool + description: Set to `false` to disable X11 Forwarding. Set to `true` to allow + X11 Forwarding. + ssh_pam_support: + default: true + type: bool + description: Set to `true` if SSH has PAM support. + ssh_use_pam: + default: true + type: bool + description: Set to `false` to disable pam authentication. + ssh_gssapi_support: + default: false + type: bool + description: Set to `true` to enable GSSAPI authentication (both client and + server). + ssh_gssapi_delegation: + default: false + type: bool + description: Set to `true` to enable GSSAPI credential forwarding. + ssh_kerberos_support: + default: true + type: bool + description: Set to `true` if SSH has Kerberos support. + ssh_deny_users: + default: '' + description: if specified, login is disallowed for user names that match one + of the patterns. + ssh_allow_users: + default: '' + description: if specified, login is allowed only for user names that match + one of the patterns. + ssh_deny_groups: + default: '' + description: if specified, login is disallowed for users whose primary group + or supplementary group list matches one of the patterns. + ssh_allow_groups: + default: '' + description: if specified, login is allowed only for users whose primary group + or supplementary group list matches one of the patterns. + ssh_authorized_keys_file: + default: '' + description: change default file that contains the public keys that can be + used for user authentication + ssh_trusted_user_ca_keys_file: + default: '' + description: specifies the file containing trusted certificate authorities + public keys used to sign user certificates. + ssh_trusted_user_ca_keys: + default: [] + type: list + description: set the trusted certificate authorities public keys used to sign + user certificates. Only used if `ssh_trusted_user_ca_keys_file` is set. + ssh_authorized_principals_file: + default: '' + description: specifies the file containing principals that are allowed. 
Only + used if `ssh_trusted_user_ca_keys_file` is set. + ssh_authorized_principals: + default: [] + type: list + description: list of hashes containing file paths and authorized principals, + see `default_cstom.yml` for all options. Only used if `ssh_authorized_principals_file` + is set + ssh_print_motd: + default: false + type: bool + description: Set to `false` to disable printing of the MOTD. + ssh_print_pam_motd: + default: false + type: bool + description: Set to `false` to disable printing of the MOTD via pam (Debian + and Ubuntu). + ssh_print_last_log: + default: false + type: bool + description: Set to `false` to disable display of last login information. + sftp_enabled: + default: true + type: bool + description: Set to `false` to disable sftp configuration. + sftp_umask: + default: '0027' + description: Specifies the umask for sftp. + sftp_chroot: + default: true + type: bool + description: Set to `false` to disable chroot for sftp. + sftp_chroot_dir: + default: /home/%u + description: change default stp chroot location + ssh_client_roaming: + default: false + type: bool + description: enable experimental client roaming. + sshd_moduli_file: + default: /etc/ssh/moduli + description: path to the SSH moduli file. + sshd_moduli_minimum: + default: 2048 + description: remove Diffie-Hellman parameters smaller than the defined size + to mitigate logjam. + ssh_challengeresponseauthentication: + default: false + type: bool + description: Specifies whether challenge-response authentication is allowed + (e.g. via PAM). + ssh_client_password_login: + default: false + type: bool + description: Set to `true` to allow password-based authentication with the + ssh client. + ssh_server_password_login: + default: false + type: bool + description: 'Set to `true` to allow password-based authentication to the + ssh server. You probably also need to change `sshd_authenticationmethods` + to include `password` if you set `ssh_server_password_login`: `true`.' 
+ ssh_banner: + default: false + type: bool + description: Set to `true` to print a banner on login. + ssh_banner_path: + default: /etc/sshd/banner.txt + description: path to the SSH banner file. + ssh_client_hardening: + default: true + type: bool + description: '`false` to stop harden the client.' + ssh_client_compression: + default: false + type: bool + description: Specifies whether the client requests compression. + ssh_compression: + default: false + type: bool + description: Specifies whether server-side compression is enabled after the + user has authenticated successfully. + ssh_login_grace_time: + default: 30s + description: specifies the time allowed for successful authentication to the + SSH server. + ssh_max_auth_retries: + default: 2 + description: Specifies the maximum number of authentication attempts permitted + per connection. + ssh_max_sessions: + default: 10 + description: Specifies the maximum number of open sessions permitted from + a given connection. + ssh_print_debian_banner: + default: false + type: bool + description: Set to `true` to print debian specific banner. + ssh_server_enabled: + default: true + type: bool + description: Set to `false` to disable the opensshd server. + ssh_server_hardening: + default: true + type: bool + description: '`false` to stop harden the server.' + ssh_server_match_address: + default: '' + description: Introduces a conditional block. If all of the criteria on the + Match line are satisfied, the keywords on the following lines override those + set in the global section of the config file, until either another Match + line or the end of the file. + ssh_server_match_group: + default: '' + description: Introduces a conditional block. If all of the criteria on the + Match line are satisfied, the keywords on the following lines override those + set in the global section of the config file, until either another Match + line or the end of the file. 
+ ssh_server_match_user: + default: '' + description: Introduces a conditional block. If all of the criteria on the + Match line are satisfied, the keywords on the following lines override those + set in the global section of the config file, until either another Match + line or the end of the file. + ssh_server_match_local_port: + default: '' + description: Introduces a conditional block. If all of the criteria on the + Match line are satisfied, the keywords on the following lines override those + set in the global section of the config file, until either another Match + line or the end of the file. + ssh_server_permit_environment_vars: + default: 'no' + description: "`yes` to specify that ~/.ssh/environment and environment= options\ + \ in ~/.ssh/authorized_keys are processed by sshd. With openssh version\ + \ 7.8 it is possible to specify a whitelist of environment variable names\ + \ in addition to global 'yes' or 'no' settings." + ssh_server_accept_env_vars: + default: '' + description: Specifies what environment variables sent by the client will + be copied into the session's environment, multiple environment variables + may be separated by whitespace. + ssh_use_dns: + default: false + type: bool + description: Specifies whether sshd should look up the remote host name, and + to check that the resolved host name for the remote IP address maps back + to the very same IP address. + ssh_server_revoked_keys: + default: [] + type: list + description: a list of revoked public keys that the ssh server will always + reject, useful to revoke known weak or compromised keys. + ssh_max_startups: + default: 10:30:60 + description: Specifies the maximum number of concurrent unauthenticated connections + to the SSH daemon. + ssh_macs: + default: [] + type: list + description: Change this list to overwrite macs. Defaults found in `defaults/main.yml` + ssh_kex: + default: [] + type: list + description: Change this list to overwrite kexs. 
Defaults found in `defaults/main.yml` + ssh_ciphers: + default: [] + type: list + description: Change this list to overwrite ciphers. Defaults found in `defaults/main.yml` + ssh_custom_options: + default: [] + description: Custom lines for SSH client configuration. + sshd_custom_options: + default: [] + type: list + description: Custom lines for SSH daemon configuration. + sshd_syslog_facility: + default: AUTH + description: The facility code that is used when logging messages from sshd. + type: str + sshd_log_level: + default: VERBOSE + description: the verbosity level that is used when logging messages from sshd. + sshd_strict_modes: + default: true + type: bool + description: Check file modes and ownership of the user's files and home directory + before accepting login. + sshd_authenticationmethods: + default: publickey + description: Specifies the authentication methods that must be successfully + completed for a user to be granted access. Make sure to set all required + variables for your selected authentication method. Defaults found in `defaults/main.yml` + ssh_custom_selinux_dir: + default: /etc/selinux/local-policies + description: directory where to store the ssh_password policy + ssh_hardening_enabled: + default: true + type: bool + description: Whether to run the hardening + ssh_host_certificates: + default: [] + type: list + description: Host certificates to look for when starting sshd + ssh_ps59: + default: sandbox + description: Specifies whether sshd separates privileges by creating an unprivileged + child process to deal with incoming network traffic.
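Review bot: The descriptions of `ssh_print_motd`, `ssh_print_pam_motd` and `ssh_print_last_log` contradict their defaults: each says "Set to `false` to disable ..." while `default: false` is already the disabled state, so a reader cannot tell whether the role enables these features unless told otherwise. Reword them the way `ssh_banner` and `ssh_print_debian_banner` are worded, e.g. `description: Set to `true` to print the MOTD on login.`, so the description states what flipping the default does.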
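Review bot: The four `ssh_server_match_*` entries carry an identical description copied from the `Match` keyword in sshd_config(5) and never say what the variable itself holds, i.e. what shape the value must have (the address, group, user or port criterion plus the directives to apply under it) or how it is rendered into the `Match` block; since their `default: ''` suggests a string while the description implies structured content, state the expected format and set `type:` accordingly. In the same pass fix the two typos in this spec: `default_cstom.yml` under `ssh_authorized_principals` and `change default stp chroot location` under `sftp_chroot_dir`.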
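Review bot: Several arguments are missing a `type:` even though neighbouring entries of the same kind have one (`ssh_custom_options` lacks `type: list` while `sshd_custom_options` declares it; `sftp_umask`, `sshd_moduli_minimum`, `ssh_login_grace_time`, `ssh_max_auth_retries`, `ssh_max_sessions`, `sshd_log_level`, `ssh_ps59` and `ssh_max_startups` declare none), which weakens the validation this spec exists to provide. Also quote the `ssh_max_startups` default (`default: '10:30:60'`) and give it `type: str`: PyYAML's YAML 1.1 resolver reads colon-separated digit groups such as `10:30:50` as a base-60 integer, so an unquoted value of this form can silently turn into a number before it reaches the template.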
