From a08be12b41dcdeba2877f959a6a7dcb5ebda2f6c Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Mon, 11 Mar 2019 14:52:03 +0100
Subject: [PATCH] Security policies based on ANSSI recommandations

---
 base.yml | 1 +
 roles/basesecurity/tasks/main.yml | 25 +++++++++++++++++++
 .../templates/sysctl.d/local.conf.j2 | 17 +++++++++++++
 3 files changed, 43 insertions(+)
 create mode 100644 roles/basesecurity/tasks/main.yml
 create mode 100644 roles/basesecurity/templates/sysctl.d/local.conf.j2

diff --git a/base.yml b/base.yml
index 90e258b..e10f9d7 100644
--- a/base.yml
+++ b/base.yml
@@ -3,3 +3,4 @@
 - hosts: all
   roles:
     - baseconfig
+    - basesecurity
diff --git a/roles/basesecurity/tasks/main.yml b/roles/basesecurity/tasks/main.yml
new file mode 100644
index 0000000..6b0f596
--- /dev/null
+++ b/roles/basesecurity/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+- name: Configure sysctl
+  template:
+    src: 'sysctl.d/local.conf.j2'
+    dest: '/etc/sysctl.d/local.conf'
+    mode: 0644
+
+# Use this command to list setuid or setgid executables
+# find / -type f -perm /6000 -ls 2>/dev/null
+- name: Desactivate setuid/setgid on unused binaries
+  file:
+    path: "{{ item }}"
+    mode: u-s,g-s
+  loop:
+    - /usr/lib/openssh/sshkeysign # Not used
+    - /usr/bin/gpasswd # No group auth
+    - /usr/bin/passwd # Only root should change passwd
+    - /usr/bin/expiry # With re2o
+    - /usr/bin/newgrp # No group auth
+    - /usr/bin/chage # With re2o
+    - /usr/bin/chsh # With re2o
+    - /usr/bin/chfn # With re2o
+    - /bin/mount # Only root should mount
+    - /bin/umount # Only root should umount
+  ignore_errors: yes # Sometimes file won't exist
diff --git a/roles/basesecurity/templates/sysctl.d/local.conf.j2 b/roles/basesecurity/templates/sysctl.d/local.conf.j2
new file mode 100644
index 0000000..86ef034
--- /dev/null
+++ b/roles/basesecurity/templates/sysctl.d/local.conf.j2
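Review bot: The `Configure sysctl` task only writes /etc/sysctl.d/local.conf; nothing in this diffstat reloads it, so the hardening takes effect only after the next reboot. Add `notify: Reload sysctl` to that task with a handler that runs `sysctl --system` (or use the `sysctl` module with `sysctl_file` and `reload: yes`), bearing in mind that the file sets `kernel.modules_disabled = 1`, so a reload on the running host blocks module loading for every later task in the play. In the `Desactivate setuid/setgid` task, `ignore_errors: yes` lets the run continue past any failure of the `file` module, not just a missing path, so a mistyped path or a permission problem leaves the bit in place with only a red line in the log; a `stat` loop and `when: item.stat.exists` on the registered result covers exactly the "file won't exist" case the comment describes. On Debian-derived hosts these bits are restored whenever the owning package is upgraded, so the change persists only if recorded with `dpkg-statoverride`. The bare `yes` and the unquoted `mode: 0644` are also the yamllint truthy/octal traps; write `ignore_errors: true` and `mode: "0644"`.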
@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+# See https://www.ssi.gouv.fr/uploads/2016/01/linux_configuration-fr-v1.2.pdf
+
+# Disable core dump of setuid executables
+# So an user can't read privileged information in memory
+fs.suid_dumpable = 0
+
+# Obfuscate kernel memory addresses
+kernel.kptr_restrict = 1
+
+# Restrict dmesg access
+# This can leak specific harware failures to exploit
+kernel.dmesg_restrict = 1
+
+# Do not load kernel modules after boot
+# Some modules have security issues and are used in exploits
+kernel.modules_disabled = 1
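Review bot: `kernel.modules_disabled = 1` is a one-way switch, and on systemd hosts a file in /etc/sysctl.d is applied by systemd-sysctl early in boot, so anything that loads a module on demand afterwards (netfilter rules, filesystems, fuse, later-probed hardware) fails at that point rather than at boot. Confirm the module set each target host needs and declare it in /etc/modules-load.d/ first, or keep this line commented until that is verified; the comment above it should say so, e.g. `# One-way: modules needed later must be listed in /etc/modules-load.d/ before enabling`. The comment on `kernel.kptr_restrict = 1` says "obfuscate", but the setting prints `%pK` addresses as zeros only to readers without CAP_SYSLOG while root still sees them; stating that makes the residual exposure clear. Minor: "harware" -> "hardware" in the dmesg comment.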