88 lines
2.1 KiB
YAML
88 lines
2.1 KiB
YAML
---
|
|
- name: Configure sysctl
|
|
template:
|
|
src: sysctl.d/local.conf.j2
|
|
dest: /etc/sysctl.d/local.conf
|
|
mode: 0644
|
|
|
|
# Use this command to list setuid or setgid executables
|
|
# find / -type f -perm /6000 -ls 2>/dev/null
|
|
- name: Desactivate setuid/setgid on unused binaries
|
|
file:
|
|
path: "{{ item }}"
|
|
mode: u-s,g-s
|
|
loop:
|
|
- /usr/lib/openssh/sshkeysign # Not used
|
|
- /usr/bin/gpasswd # No group auth
|
|
- /usr/bin/passwd # Only root should change passwd
|
|
- /usr/bin/expiry # With re2o
|
|
- /usr/bin/newgrp # No group auth
|
|
- /usr/bin/chage # With re2o
|
|
- /usr/bin/chsh # With re2o
|
|
- /usr/bin/chfn # With re2o
|
|
- /bin/mount # Only root should mount
|
|
- /bin/umount # Only root should umount
|
|
ignore_errors: true # Sometimes file won't exist
|
|
|
|
# Only SSH keys to log on root
|
|
- name: Prohibit root SSH with password
|
|
lineinfile:
|
|
dest: /etc/ssh/sshd_config
|
|
regexp: '^{{ item.0 }}'
|
|
insertafter: '^#{{ item.0 }}'
|
|
line: '{{ item.0 }} {{ item.1 }}'
|
|
loop:
|
|
- ["PermitRootLogin", "prohibit-password"]
|
|
- ["AllowAgentForwarding", "no"]
|
|
- ["X11Forwarding", "no"]
|
|
- ["TCPKeepAlive", "yes"]
|
|
notify: Restart sshd service
|
|
|
|
# See banned client with `fail2ban-client status sshd`
|
|
- name: Install fail2ban
|
|
apt:
|
|
name: fail2ban
|
|
state: present
|
|
register: apt_result
|
|
retries: 3
|
|
until: apt_result is succeeded
|
|
|
|
- name: Configure fail2ban
|
|
ini_file:
|
|
path: /etc/fail2ban/jail.d/local.conf
|
|
section: "{{ item.section }}"
|
|
option: "{{ item.option }}"
|
|
value: "{{ item.value }}"
|
|
state: present
|
|
mode: 0644
|
|
notify: Restart fail2ban service
|
|
loop:
|
|
- section: sshd
|
|
option: ignoreip
|
|
value: 10.128.0.254 # Whitelist bastion
|
|
|
|
- section: sshd
|
|
option: enabled
|
|
value: "true"
|
|
|
|
- section: sshd
|
|
option: bantime
|
|
value: 600
|
|
|
|
- section: sshd
|
|
option: findtime
|
|
value: 600
|
|
|
|
- section: sshd
|
|
option: maxretry
|
|
value: 5
|
|
|
|
# See altered packages and configurations with `debsums -ca`
|
|
- name: Install debsums
|
|
apt:
|
|
name: debsums
|
|
state: present
|
|
register: apt_result
|
|
retries: 3
|
|
until: apt_result is succeeded
|