Custom harden-linux role

2025-12-25 13:46:59 +01:00 · 2018-07-31 01:47:35 +02:00 · 2018-07-31 01:47:35 +02:00 · bc0f0c4894
commit bc0f0c4894
parent 5d81de3cf9
19 changed files with 1293 additions and 37 deletions
--- a/roles/harden-linux/tasks/main.yml
+++ b/roles/harden-linux/tasks/main.yml
@ -0,0 +1,180 @@
+- name: Delete root pw file /root/.pw (if present)
+  file:
+    path: /root/.pw
+    state: absent
+
+- name: Update APT package cache
+  apt:
+    update_cache: true
+    cache_valid_time: 3600
+  tags:
+    - apt
+
+- name: Install aptitude
+  apt:
+    pkg: aptitude
+    state: present
+  tags:
+    - apt
+
+- name: Upgrade APT to the latest packages
+  apt:
+    upgrade: safe
+
+- name: Install required packages
+  apt:
+    state: present
+    pkg: "{{item}}"
+  with_items:
+    - "{{harden_linux_required_packages}}"
+  tags:
+    - ufw
+
+- name: Add deploy user
+  user:
+    name: "{{harden_linux_deploy_user}}"
+    password: "{{harden_linux_deploy_user_password}}"
+    uid: "{{harden_linux_deploy_user_uid}}"
+    shell: "{{harden_linux_deploy_user_shell}}"
+    home: "{{harden_linux_deploy_user_home}}"
+  tags:
+    - user
+
+- name: Add authorized keys for deploy user
+  authorized_key:
+    user: "{{harden_linux_deploy_user}}"
+    key: "{{item}}"
+  with_items:
+    - "{{harden_linux_deploy_user_public_keys}}"
+  when: harden_linux_deploy_user_public_keys is defined
+  tags:
+    - user
+
+- name: Add deploy user to sudoers
+  lineinfile:
+    dest: /etc/sudoers
+    regexp: "{{harden_linux_deploy_user}} ALL"
+    line: "{{harden_linux_deploy_user}} ALL=(ALL) NOPASSWD:ALL"
+    state: present
+  tags:
+    - user
+    - sudo
+
+- name: Adjust APT update intervals
+  copy:
+    src: etc/apt/apt.conf.d/10periodic
+    dest: /etc/apt/apt.conf.d/10periodic
+    owner: root
+    group: root
+    mode: 0644
+  tags:
+    - apt
+
+- name: Combine harden_linux_sshd_settings and harden_linux_sshd_settings_user (if defined)
+  set_fact:
+    harden_linux_sshd_settings: "{{harden_linux_sshd_settings | combine(harden_linux_sshd_settings_user|default({})) }}"
+  tags:
+    - ssh
+
+- name: Ensure sshd_config setting
+  lineinfile:
+    dest: "/etc/ssh/sshd_config"
+    regexp: "{{item}}"
+    line: "{{harden_linux_sshd_settings[item]}}"
+    state: "present"
+  notify: "restart ssh"
+  with_items:
+    - "{{harden_linux_sshd_settings | list}}"
+  tags:
+    - ssh
+
+- name: Combine harden_linux_sysctl_settings and harden_linux_sysctl_settings_user (if defined)
+  set_fact:
+    harden_linux_sysctl_settings: "{{harden_linux_sysctl_settings | combine(harden_linux_sysctl_settings_user|default({})) }}"
+  tags:
+    - sysctl
+
+- name: Sysctl settings
+  sysctl:
+    name: "{{item}}"
+    value: "{{harden_linux_sysctl_settings[item]}}"
+    sysctl_set: yes
+  with_items:
+    - "{{harden_linux_sysctl_settings | list}}"
+  tags:
+    - sysctl
+
+- name: Combine harden_linux_ufw_defaults and harden_linux_ufw_defaults_user (if defined)
+  set_fact:
+    harden_linux_ufw_defaults: "{{harden_linux_ufw_defaults | combine(harden_linux_ufw_defaults_user|default({})) }}"
+  tags:
+    - ufw
+
+- name: UFW - Configure defaults
+  lineinfile:
+    dest: /etc/default/ufw
+    regexp: "{{item}}"
+    line: "{{harden_linux_ufw_defaults[item]}}"
+    state: present
+  notify: "reload ufw"
+  with_items:
+    - "{{harden_linux_ufw_defaults | list}}"
+  tags:
+    - ufw
+
+- name: UFW - Apply firewall rules
+  ufw:
+    rule: "{{item.rule}}"
+    interface: "{{item.interface | default('')}}"
+    direction: "{{item.direction | default('in')}}"
+    from_ip: "{{item.from_ip | default('any')}}"
+    to_ip: "{{item.to_ip | default('any')}}"
+    from_port: "{{item.from_port | default('')}}"
+    to_port: "{{item.to_port | default('')}}"
+    protocol: "{{item.protocol | default('any')}}"
+    log: "{{item.log | default(False)}}"
+  with_items: "{{harden_linux_ufw_rules}}"
+  tags:
+    - ufw
+    - ufwrules
+
+- name: UFW - Allow configured networks to communicate
+  ufw:
+    rule: allow
+    src: "{{item}}"
+  with_items:
+    - "{{harden_linux_ufw_allow_networks}}"
+  when: harden_linux_ufw_allow_networks is defined
+  tags:
+    - ufw
+
+- name: UFW - Setup logging
+  ufw:
+    logging: "{{harden_linux_ufw_logging}}"
+  tags:
+    - ufw
+
+- name: Update Sshguard white list
+  lineinfile:
+    dest: /etc/sshguard/whitelist
+    regexp: "^{{item}}"
+    line: "{{item}}"
+    state: present
+  with_items:
+    - "{{harden_linux_sshguard_whitelist}}"
+  tags:
+    - sshguard
+
+- name: UFW - Enable firewall/iptables
+  ufw:
+    state: enabled
+  tags:
+    - ufw
+
+- name: Change root password
+  user:
+    name: "root"
+    password: "{{harden_linux_root_password}}"
+  when: harden_linux_root_password is defined
+  tags:
+    - user