Merge branch 'basesecurity' into 'master'

Security policies based on ANSSI recommandations

See merge request aurore/ansible!19
This commit is contained in:
Alexandre IOOSS 2019-03-11 14:52:56 +01:00
commit 4dfdc74bd8
3 changed files with 43 additions and 0 deletions

View file

@ -3,3 +3,4 @@
- hosts: all
roles:
- baseconfig
- basesecurity

View file

@ -0,0 +1,25 @@
---
- name: Configure sysctl
template:
src: 'sysctl.d/local.conf.j2'
dest: '/etc/sysctl.d/local.conf'
mode: 0644
# Use this command to list setuid or setgid executables
# find / -type f -perm /6000 -ls 2>/dev/null
- name: Desactivate setuid/setgid on unused binaries
file:
path: "{{ item }}"
mode: u-s,g-s
loop:
- /usr/lib/openssh/sshkeysign # Not used
- /usr/bin/gpasswd # No group auth
- /usr/bin/passwd # Only root should change passwd
- /usr/bin/expiry # With re2o
- /usr/bin/newgrp # No group auth
- /usr/bin/chage # With re2o
- /usr/bin/chsh # With re2o
- /usr/bin/chfn # With re2o
- /bin/mount # Only root should mount
- /bin/umount # Only root should umount
ignore_errors: yes # Sometimes file won't exist

View file

@ -0,0 +1,17 @@
# {{ ansible_managed }}
# See https://www.ssi.gouv.fr/uploads/2016/01/linux_configuration-fr-v1.2.pdf
# Disable core dump of setuid executables
# So an user can't read privileged information in memory
fs.suid_dumpable = 0
# Obfuscate kernel memory addresses
kernel.kptr_restrict = 1
# Restrict dmesg access
# This can leak specific harware failures to exploit
kernel.dmesg_restrict = 1
# Do not load kernel modules after boot
# Some modules have security issues and are used in exploits
kernel.modules_disabled = 1