Code Review
/
ta
/
infra-ansible.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
review
|
tree
raw
|
inline
| side by side
More security compliance modifications
[ta/infra-ansible.git]
/
roles
/
ops-hardening
/
tasks
/
main.yaml
diff --git
a/roles/ops-hardening/tasks/main.yaml
b/roles/ops-hardening/tasks/main.yaml
index
7aab166
..
1ce68f2
100644
(file)
--- a/
roles/ops-hardening/tasks/main.yaml
+++ b/
roles/ops-hardening/tasks/main.yaml
@@
-78,6
+78,12
@@
regexp: '^SHA_CRYPT_MIN_ROUNDS[\s]*[0-9]*$'
line: 'SHA_CRYPT_MIN_ROUNDS 5000'
regexp: '^SHA_CRYPT_MIN_ROUNDS[\s]*[0-9]*$'
line: 'SHA_CRYPT_MIN_ROUNDS 5000'
+- name: "Set maximum number of password hash rounds"
+ lineinfile:
+ path: /etc/login.defs
+ regexp: '^SHA_CRYPT_MAX_ROUNDS[\s]*[0-9]*$'
+ line: 'SHA_CRYPT_MAX_ROUNDS 10000'
+
#
# Linux Failed password attempts
#
#
# Linux Failed password attempts
#
@@
-312,6
+318,8
@@
- { name: 'kernel.randomize_va_space', value: 2 }
- { name: 'kernel.core_pattern', value: '/var/core/core'}
- { name: 'kernel.kptr_restrict', value: 2 }
- { name: 'kernel.randomize_va_space', value: 2 }
- { name: 'kernel.core_pattern', value: '/var/core/core'}
- { name: 'kernel.kptr_restrict', value: 2 }
+ - { name: 'kernel.sysrq', value: 0 }
+ - { name: 'kernel.yama.ptrace_scope', value: 3 }
#
# Configure core dump
#
# Configure core dump
@@
-330,6
+338,13
@@
line: 'Storage=none'
#
line: 'Storage=none'
#
+# Confingure kernel dump
+- name: "Disable kernel dump service"
+ shell: systemctl stop kdump.service
+
+- name: "Disable kernel dump service"
+ shell: systemctl disable kdump.service
+
# Configure syslog
#
- name: "Stop rsyslog Service"
# Configure syslog
#
- name: "Stop rsyslog Service"
@@
-456,7
+471,7
@@
#
# tighten USB permissions
#
# tighten USB permissions
-#
+#
- name: Set USBGuard RestoreControllerDeviceState to false
lineinfile:
path: /etc/usbguard/usbguard-daemon.conf
- name: Set USBGuard RestoreControllerDeviceState to false
lineinfile:
path: /etc/usbguard/usbguard-daemon.conf
@@
-490,9
+505,9
@@
- Name: Ban suspect USB devices
blockinfile:
- Name: Ban suspect USB devices
blockinfile:
- # this isn't the optimal way to do this, i know, but i don't
+ # this isn't the optimal way to do this, i know, but i don't
# want to create a whole new template tree just to add this.
# want to create a whole new template tree just to add this.
- path:
/etc/usbguard/rules.conf
+ path: /etc/usbguard/rules.conf
create: yes
owner: root
group: root
create: yes
owner: root
group: root
@@
-509,9
+524,9
@@
# enabled:
# xHCI controller/hub
allow with-interface equals { 09:00:00 }
# enabled:
# xHCI controller/hub
allow with-interface equals { 09:00:00 }
- # mass media — sites may want to consider restricting
+ # mass media — sites may want to consider restricting
# this to 08:06:50 to just get the virtual CDROM and ban
# this to 08:06:50 to just get the virtual CDROM and ban
- # other USB media
+ # other USB media
allow with-interface equals { 08:*:* }
# ethernet
allow with-interface equals { 02:02:ff }
allow with-interface equals { 08:*:* }
# ethernet
allow with-interface equals { 02:02:ff }