feat: harden OS and SSH daemon
This commit is contained in:
parent
b5bfbd8a2d
commit
a6c596a83d
GPG key ID:
F8F50389936984FF
1 changed files with 32 additions and 0 deletions
32
dolibarr/ansible/harden.yml
Normal file
32
dolibarr/ansible/harden.yml
Normal file
|
|
@ -0,0 +1,32 @@
|
|||
# SPDX-FileCopyrightText: 2023 Aravinth Manivannan <realaravinth@batsense.net>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
---
|
||||
- name: Baseline security compliance
|
||||
hosts: all
|
||||
remote_user: debian
|
||||
become: true
|
||||
pre_tasks:
|
||||
- name: Ensure all VMs are reachable
|
||||
ansible.builtin.ping:
|
||||
collections:
|
||||
- devsec.hardening
|
||||
roles:
|
||||
- devsec.hardening.os_hardening
|
||||
- ssh_hardening
|
||||
vars:
|
||||
- ssh_allow_tcp_forwarding: no
|
||||
- ssh_allow_agent_forwarding: false
|
||||
- ssh_x11_forwarding: false
|
||||
- ssh_server_password_login: false
|
||||
- os_filesystem_whitelist: vfat
|
||||
- sysctl_overwrite:
|
||||
- net.ipv6.conf.default.autoconf: 0
|
||||
- net.ipv6.conf.all.autoconf: 0
|
||||
- net.ipv6.conf.all.router_solicitations: 0
|
||||
- net.bridge.bridge-nf-call-iptables: 1
|
||||
- net.bridge.bridge-nf-call-ip6tables: 1
|
||||
- net.ipv4.ip_forward: 1
|
||||
- fs.protected_symlinks: 1
|
||||
- fs.protected_hardlinks: 1
|
||||
Loading…
Reference in a new issue