Security policies based on ANSSI recommandations

base.yml

@@ -3,3 +3,4 @@
 - hosts: all
   roles:
    - baseconfig
+   - basesecurity

roles/basesecurity/tasks/main.yml

@@ -0,0 +1,25 @@
+---
+- name: Configure sysctl
+  template:
+    src: 'sysctl.d/local.conf.j2'
+    dest: '/etc/sysctl.d/local.conf'
+    mode: 0644
+
+# Use this command to list setuid or setgid executables
+# find / -type f -perm /6000 -ls 2>/dev/null
+- name: Desactivate setuid/setgid on unused binaries
+  file:
+    path: "{{ item }}"
+    mode: u-s,g-s
+  loop:
+    - /usr/lib/openssh/sshkeysign  # Not used
+    - /usr/bin/gpasswd  # No group auth
+    - /usr/bin/passwd  # Only root should change passwd
+    - /usr/bin/expiry  # With re2o
+    - /usr/bin/newgrp  # No group auth
+    - /usr/bin/chage  # With re2o
+    - /usr/bin/chsh  # With re2o
+    - /usr/bin/chfn  # With re2o
+    - /bin/mount  # Only root should mount
+    - /bin/umount  # Only root should umount
+  ignore_errors: yes  # Sometimes file won't exist

roles/basesecurity/templates/sysctl.d/local.conf.j2

@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+# See https://www.ssi.gouv.fr/uploads/2016/01/linux_configuration-fr-v1.2.pdf
+
+# Disable core dump of setuid executables
+# So an user can't read privileged information in memory
+fs.suid_dumpable = 0
+
+# Obfuscate kernel memory addresses
+kernel.kptr_restrict = 1
+
+# Restrict dmesg access
+# This can leak specific harware failures to exploit
+kernel.dmesg_restrict = 1
+
+# Do not load kernel modules after boot
+# Some modules have security issues and are used in exploits
+kernel.modules_disabled = 1