ansible/roles/basesecurity/tasks/main.yml
Hadrien Patte 737ca7b996
Feat: add state
Signed-off-by: Hadrien Patte <hadrien.patte@protonmail.com>
2019-03-23 20:05:42 +01:00

86 lines
2.1 KiB
YAML

---
- name: Configure sysctl
template:
src: sysctl.d/local.conf.j2
dest: /etc/sysctl.d/local.conf
mode: 0644
# Use this command to list setuid or setgid executables
# find / -type f -perm /6000 -ls 2>/dev/null
- name: Desactivate setuid/setgid on unused binaries
file:
path: "{{ item }}"
mode: u-s,g-s
loop:
- /usr/lib/openssh/sshkeysign # Not used
- /usr/bin/gpasswd # No group auth
- /usr/bin/passwd # Only root should change passwd
- /usr/bin/expiry # With re2o
- /usr/bin/newgrp # No group auth
- /usr/bin/chage # With re2o
- /usr/bin/chsh # With re2o
- /usr/bin/chfn # With re2o
- /bin/mount # Only root should mount
- /bin/umount # Only root should umount
ignore_errors: true # Sometimes file won't exist
# Only SSH keys to log on root
- name: Prohibit root SSH with password
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^{{ item.0 }}'
insertafter: '^#{{ item.0 }}'
line: '{{ item.0 }} {{ item.1 }}'
loop:
- ["PermitRootLogin", "prohibit-password"]
- ["AllowAgentForwarding", "no"]
- ["X11Forwarding", "no"]
- ["TCPKeepAlive", "no"]
notify: Restart sshd service
# See banned client with `fail2ban-client status sshd`
- name: Install fail2ban
apt:
name: fail2ban
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Configure fail2ban
ini_file:
path: /etc/fail2ban/jail.d/local.conf
section: "{{ item.section }}"
option: "{{ item.option }}"
value: "{{ item.value }}"
state: present
notify: Restart fail2ban service
loop:
- section: DEFAULT
option: ignoreip
value: 10.128.0.254 # Whitelist bastion
- section: sshd
option: enabled
value: "true"
- section: sshd
option: bantime
value: 600
- section: sshd
option: findtime
value: 600
- section: sshd
option: maxretry
value: 5
# See altered packages and configurations with `debsums -ca`
- name: Install debsums
apt:
name: debsums
state: present
register: apt_result
retries: 3
until: apt_result is succeeded