From 7e92fe1be9e0208e6f07cda5785092f1bfa16afa Mon Sep 17 00:00:00 2001 From: Aravinth Manivannan Date: Thu, 20 Jul 2023 13:43:44 +0530 Subject: [PATCH] feat: linux and ssh baseline hardening --- Makefile | 2 +- ansible/harden.yml | 29 +++++++++++++++++++++++++++++ 2 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 ansible/harden.yml diff --git a/Makefile b/Makefile index 73d7ad3..af37fad 100644 --- a/Makefile +++ b/Makefile @@ -9,6 +9,7 @@ endef define configure_base ansible-playbook -i ./ansible/inventory/hosts.ini -f 10 ./ansible/playbook.yml + ansible-playbook -i ./ansible/inventory/hosts.ini -f 10 ./ansible/harden.yml endef define configure_loadbalance @@ -104,6 +105,5 @@ test.loadbalance: ## Test loadbalancer installation test.libreddit: ## Test libreddit installation $(call test_libreddit) - help: ## Prints help for targets with comments @cat $(MAKEFILE_LIST) | grep -E '^[a-zA-Z_-].+:.*?## .*$$' | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' diff --git a/ansible/harden.yml b/ansible/harden.yml new file mode 100644 index 0000000..18994c9 --- /dev/null +++ b/ansible/harden.yml @@ -0,0 +1,29 @@ +# SPDX-FileCopyrightText: 2023 Aravinth Manivannan +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +--- +- name: Baseline security compliance + hosts: all + remote_user: atm + become: true + pre_tasks: + - name: Ensure all VMs are reachable + ansible.builtin.ping: + collections: + - devsec.hardening + roles: + - devsec.hardening.os_hardening + - ssh_hardening + vars: + - ssh_allow_tcp_forwarding: no + - ssh_allow_agent_forwarding: false + - ssh_x11_forwarding: false + - ssh_server_password_login: false + - os_filesystem_whitelist: vfat + - sysctl_overwrite: + - net.ipv6.conf.default.autoconf: 0 + - net.ipv6.conf.all.autoconf: 0 + - net.ipv6.conf.all.router_solicitations: 0 + - fs.protected_symlinks: 1 + - fs.protected_hardlinks: 1
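Review bot: The added `harden.yml` line in `configure_base` gives the operator no way to rehearse a play that, per the new playbook, disables SSH password login on `hosts: all` with 10 forks — if a single host lacks the operator's authorized key, the whole fleet is locked out in one run and the Makefile offers no dry-run or canary path. The line also repeats the inventory path and fork count of the line above it verbatim. Consider hoisting the shared prefix, e.g. `ANSIBLE_PLAYBOOK := ansible-playbook -i ./ansible/inventory/hosts.ini -f 10`, and threading an optional `$(LIMIT)`/`--check --diff` through it so `make` can target one host first; where `configure_base` is called from is outside this hunk.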
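Review bot: `sysctl_overwrite` is written as a list of one-key mappings, but the devsec `os_hardening` role (from memory of its defaults — verify against the installed version) merges it into its sysctl settings with `combine`, which needs a mapping, so that task is likely to error out or the five keys to be silently dropped; `os_filesystem_whitelist` is likewise documented as a list, so the bare string `vfat` probably whitelists nothing. Play-level `vars` as a list of dicts is accepted but flagged by ansible-lint; write the whole block as mappings, as in the fence below. For consistency, reference `devsec.hardening.ssh_hardening` by FQCN like the role above it (the `collections:` keyword is only a legacy search path) and use `false` rather than `no` in `ssh_allow_tcp_forwarding`. Security caveat worth a comment in the play: with `hosts: all` and `ssh_server_password_login: false`, any host where user `atm` has no authorized key is locked out after this run, and the `ping` pre-task only proves the current session works, not that key auth does — e.g. `# Password login is disabled below: confirm atm's key is deployed on every host first`.
```yaml
  roles:
    - devsec.hardening.os_hardening
    - devsec.hardening.ssh_hardening
  vars:
    ssh_allow_tcp_forwarding: false
    ssh_allow_agent_forwarding: false
    ssh_x11_forwarding: false
    ssh_server_password_login: false
    os_filesystem_whitelist:
      - vfat
    sysctl_overwrite:
      net.ipv6.conf.default.autoconf: 0
      net.ipv6.conf.all.autoconf: 0
      net.ipv6.conf.all.router_solicitations: 0
      fs.protected_symlinks: 1
      fs.protected_hardlinks: 1
```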