feat: harden OS and SSH daemon
parent
b5bfbd8a2d
commit
a6c596a83d
1 changed files with 32 additions and 0 deletions
32
dolibarr/ansible/harden.yml
Normal file
32
dolibarr/ansible/harden.yml
Normal file
@ -0,0 +1,32 @@
# SPDX-FileCopyrightText: 2023 Aravinth Manivannan <realaravinth@batsense.net>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Baseline security compliance
hosts: all
remote_user: debian
become: true
pre_tasks:
- name: Ensure all VMs are reachable
ansible.builtin.ping:
collections:
- devsec.hardening
roles:
- devsec.hardening.os_hardening
- ssh_hardening
vars:
- ssh_allow_tcp_forwarding: no
- ssh_allow_agent_forwarding: false
- ssh_x11_forwarding: false
- ssh_server_password_login: false
- os_filesystem_whitelist: vfat
- sysctl_overwrite:
- net.ipv6.conf.default.autoconf: 0
- net.ipv6.conf.all.autoconf: 0
- net.ipv6.conf.all.router_solicitations: 0
- net.bridge.bridge-nf-call-iptables: 1
- net.bridge.bridge-nf-call-ip6tables: 1
- net.ipv4.ip_forward: 1
- fs.protected_symlinks: 1
- fs.protected_hardlinks: 1
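Review bot: `sysctl_overwrite` is written as a sequence of single-key mappings (`- net.ipv6.conf.default.autoconf: 0` and the lines that follow), and `vars:` itself is a list, whereas the devsec os_hardening role, as far as I recall, treats `sysctl_overwrite` as a dictionary that it merges into its built-in sysctl defaults — a list would either break that merge or leave every one of these kernel settings unapplied, which silently defeats the hardening this commit intends; the same doubt applies to `os_filesystem_whitelist: vfat`, whose role default I believe is a list, so it is worth confirming against the role's defaults. Separately, `ssh_allow_tcp_forwarding: no` uses a YAML 1.1 truthy while the neighbouring keys use `false`, and the role list names one role fully qualified (`devsec.hardening.os_hardening`) but the other bare (`ssh_hardening`); write `false` and `devsec.hardening.ssh_hardening` for consistency. Since `net.ipv4.ip_forward: 1` and the two `bridge-nf-call` keys deliberately relax the role's forwarding defaults, a one-line comment stating why (e.g. container networking on the host) would keep a later reader from "fixing" it back. Suggested shape for the vars block, with the sysctl entries converted to a mapping:
```yaml
  vars:
    ssh_allow_tcp_forwarding: false
    ssh_allow_agent_forwarding: false
    ssh_x11_forwarding: false
    ssh_server_password_login: false
    # role default for this key is a list — TODO confirm against devsec.hardening defaults
    os_filesystem_whitelist:
      - vfat
    # a mapping, not a list of single-key mappings, so the role can merge it into its defaults
    sysctl_overwrite:
      net.ipv6.conf.default.autoconf: 0
      net.ipv6.conf.all.autoconf: 0
      net.ipv6.conf.all.router_solicitations: 0
      # forwarding/bridge netfilter re-enabled on purpose — TODO state the reason here
      net.bridge.bridge-nf-call-iptables: 1
      net.bridge.bridge-nf-call-ip6tables: 1
      net.ipv4.ip_forward: 1
      fs.protected_symlinks: 1
      fs.protected_hardlinks: 1
```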