regexp: '^PASS_MIN_DAYS[\s]*[0-9]*$'
line: 'PASS_MIN_DAYS 0'
+- name: "Set password hash to SHA512"
+ lineinfile:
+ path: /etc/login.defs
+ regexp: '^ENCRYPT_METHOD[\s]*[a-z0-9]*$'
+ line: 'ENCRYPT_METHOD SHA512'
+
+- name: "Set minimum number of password hash rounds"
+ lineinfile:
+ path: /etc/login.defs
+ regexp: '^SHA_CRYPT_MIN_ROUNDS[\s]*[0-9]*$'
+ line: 'SHA_CRYPT_MIN_ROUNDS 10000'
+
+- name: "Set maximum number of password hash rounds"
+ lineinfile:
+ path: /etc/login.defs
+ regexp: '^SHA_CRYPT_MAX_ROUNDS[\s]*[0-9]*$'
+ line: 'SHA_CRYPT_MAX_ROUNDS 10000'
+
#
# Linux Failed password attempts
#
+- name: "Ensure authconfig is properly configured"
+ command: authconfig --updateall
+ with_items:
+ - /etc/pam.d/system-auth-ac
+ - /etc/pam.d/password-auth-ac
+ when: not (item|exists and item|is_file)
+ tags:
+ - REC-443
- name: "Set Deny for failed password attempts 1"
lineinfile:
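Review bot: The regexp on the "Set password hash to SHA512" task, `'^ENCRYPT_METHOD[\s]*[a-z0-9]*$'`, uses a lowercase character class while the value written is `SHA512`, so an existing `ENCRYPT_METHOD SHA512` (or `MD5`) line is never matched and lineinfile appends a second `ENCRYPT_METHOD` line to /etc/login.defs instead of replacing the first; use `regexp: '^ENCRYPT_METHOD\s'` (or `'^ENCRYPT_METHOD\s+\S+\s*$'`) so the task is idempotent and the effective value is unambiguous. The authconfig task's `when: not (item|exists and item|is_file)` applies Jinja tests as filters, which Ansible 2.9 and later reject; write it as `when: not (item is exists and item is file)`. As written it also runs `authconfig --updateall` once per missing file; a single stat over both paths followed by one guarded run would be cleaner. login.defs only governs the shadow utilities — the PAM stack that `passwd` goes through is what authconfig regenerates — so it is worth confirming the resulting system-auth `pam_unix.so` line carries `sha512` (and, if rounds matter, `rounds=10000`) so the two settings agree.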
# Set file permissions
#
-- name: "Set set the 600 file permissions"
- file:
- path: "{{item}}"
- state: touch
- mode: 600
+- name: "Check files exist to determine the proper location of grub.cfg on UEFI systems"
+ stat: path={{item}}
with_items:
+ - /boot/efi/EFI/centos/grub.cfg
- /boot/grub2/grub.cfg
- /var/log/boot.log
- /var/log/cron
+ register: file_stat
+
+- name: "Set the 600 file permissions"
+ file:
+ path: "{{item.item}}"
+ state: touch
+ mode: "600"
+ with_items: "{{ file_stat.results }}"
+ when:
+ - item.stat.exists == true
+
+- name: Limit access to the assembler binary
+ file:
+ path: "/usr/bin/as"
+ state: file
+ mode: "0700"
+ owner: root
+ group: root
#
# Disable direct root login
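Review bot: The "Set the 600 file permissions" task keeps `state: touch` even though the preceding stat already filtered the list to files that exist, so every run bumps atime/mtime and reports changed; `state: file` applies the mode without touching timestamps. `item.stat.exists == true` can simply be `when: item.stat.exists`. The "Limit access to the assembler binary" task uses `state: file` on `/usr/bin/as`, which aborts the play on hosts where binutils is not installed; stat-guard it the same way as the list above rather than assuming the binary is present. /boot/efi is normally a vfat mount whose permissions come from the mount's fmask, so the chmod of the EFI grub.cfg is likely to be rejected or have no effect — verify on a UEFI host before relying on it.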
state: absent
regexp: '^tcp6.*'
-- name: Disable automatic ipv6 configuration
- when: ansible_default_ipv6|length > 0
+- name: Disable automatic ipv6 configuration and routing
sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
reload: yes
with_items:
- { name: 'net.ipv6.conf.all.accept_source_route', value: 0 }
+ - { name: 'net.ipv6.conf.default.accept_source_route', value: 0 }
- { name: 'net.ipv6.conf.all.accept_ra', value: 0 }
- { name: 'net.ipv6.conf.default.accept_ra', value: 0 }
- { name: 'net.ipv6.conf.all.accept_redirects', value: 0 }
- { name: 'net.ipv6.conf.default.accept_redirects', value: 0 }
- - { name: 'net.ipv6.conf.default.accept_source_route', value: 0 }
- { name: 'net.ipv6.conf.all.forwarding', value: 0 }
+ - { name: 'net.ipv6.conf.default.forwarding', value: 0 }
#
# Configure kernel parameters
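Review bot: With the `ansible_default_ipv6|length > 0` guard gone, the task now runs on hosts that booted with `ipv6.disable=1`, where /proc/sys/net/ipv6 does not exist and the sysctl module fails the play rather than skipping. If such hosts are in scope, either add `ignoreerrors: yes` to the task or use a guard that only skips when IPv6 is actually off, e.g. `when: ansible_all_ipv6_addresses | length > 0` (a link-local address is present whenever the stack is enabled, which the old default-route check did not capture). A short comment above the list noting that `all.*` covers interfaces that already exist and `default.*` covers ones created later would explain why every key appears twice.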
- { name: 'kernel.core_uses_pid', value: 1 }
- { name: 'kernel.randomize_va_space', value: 2 }
- { name: 'kernel.core_pattern', value: '/var/core/core'}
+ - { name: 'kernel.kptr_restrict', value: 2 }
+ - { name: 'kernel.sysrq', value: 0 }
+ - { name: 'kernel.yama.ptrace_scope', value: 3 }
#
# Configure core dump
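Review bot: `kernel.yama.ptrace_scope` only exists on kernels built with the Yama LSM; the CentOS 7 hosts this playbook appears to target (it looks for `/boot/efi/EFI/centos/grub.cfg`) do not ship Yama as far as I know, so the sysctl module will fail on the missing key and abort the play — stat `/proc/sys/kernel/yama/ptrace_scope` and apply that item only when present, or set `ignoreerrors: yes` on the task. Value 3 is also a one-way switch: the Yama documentation states it cannot be lowered again without a reboot, and it blocks even `CAP_SYS_PTRACE` holders, so `gdb`/`strace` attach and process-level crash collection stop working for operators; value 2 still blocks unprivileged ptrace while leaving admin attach possible. `kernel.sysrq = 0` disables the magic-SysRq crash/reboot path, which is consistent with this commit's kdump change but worth stating in a comment, e.g. `# sysrq 0: no console-triggered crash/reboot; kdump is disabled below`.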
line: 'Storage=none'
#
+# Confingure kernel dump
+- name: "Disable kernel dump service"
+ shell: systemctl stop kdump.service
+
+- name: "Disable kernel dump service"
+ shell: systemctl disable kdump.service
+
# Configure syslog
#
- name: "Stop rsyslog Service"
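Review bot: Both kdump tasks shell out to systemctl, so they report changed on every run and fail outright on hosts where kdump is not installed (stop/disable of a missing unit exits non-zero); they also share the task name "Disable kernel dump service" and the heading is misspelled "Confingure". The `systemd` module does both steps idempotently in one task, and a `service_facts` guard keeps it from failing where the unit is absent. The comment should also say why this is a hardening step: kdump writes a raw copy of kernel memory (which can hold keys and credentials) to /var/crash.
```yaml
# Configure kernel dump: kdump writes kernel memory to /var/crash, which can
# expose in-memory secrets, so stop and disable it.
- name: "Gather service facts"
  service_facts:

- name: "Stop and disable kernel dump service"
  systemd:
    name: kdump.service
    state: stopped
    enabled: false
  when: "'kdump.service' in ansible_facts.services"
```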
#define users
password_pbkdf2 root "{{ grub2_pass }}"
+- name: check whether grub-efi exists
+ stat:
+ path: /boot/efi/EFI/centos/grub.cfg
+ register: grub_efi_file_stat
+
- name: generate grub config
when: grub2_pass is defined and grub2_pass != 'Empty'
command: /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
+- name: generate grub-efi config
+ command: /usr/sbin/grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg
+ when:
+ - grub2_pass is defined and grub2_pass != 'Empty'
+ - grub_efi_file_stat.stat.exists == true
+
#
#Setting the noexec option to the /dev/shm mount dir
#
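Review bot: The EFI path `/boot/efi/EFI/centos/grub.cfg` is now hard-coded in two places (here and in the file-permission stat earlier in this commit) and is CentOS-specific; RHEL installs use `/boot/efi/EFI/redhat/`. Hoist it into a variable such as `grub_efi_cfg: "/boot/efi/EFI/{{ ansible_distribution | lower }}/grub.cfg"` and reference it from both tasks so they cannot drift. `grub_efi_file_stat.stat.exists == true` can be written as `grub_efi_file_stat.stat.exists`. The BIOS `grub2-mkconfig -o /boot/grub2/grub.cfg` task still runs unconditionally on UEFI hosts; if /boot/grub2 is absent on a pure UEFI install that command fails, so consider making the two tasks mutually exclusive on the stat result (`when: not grub_efi_file_stat.stat.exists` on the BIOS one).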
state: absent
#
+# tighten USB permissions
+#
+- name: Set USBGuard RestoreControllerDeviceState to false
+ lineinfile:
+ path: /etc/usbguard/usbguard-daemon.conf
+ regexp: '^[#\s]*RestoreControllerDeviceState\s*=\s*[a-z\-]*\s*$'
+ line: 'RestoreControllerDeviceState=false'
+
+- name: Set USBGuard ImplicitPolicyTarget to block
+ lineinfile:
+ path: /etc/usbguard/usbguard-daemon.conf
+ regexp: '^[#\s]*ImplicitPolicyTarget\s*=\s*[a-z\-]*\s*$'
+ line: 'ImplicitPolicyTarget=block'
+
+- name: Apply USBGuard policy in all cases
+ lineinfile:
+ path: /etc/usbguard/usbguard-daemon.conf
+ regexp: "^[#\\s]*{{ item }}\\s*=\\s*[a-z\\-]*\\s*$"
+ line: "{{ item }}=apply-policy"
+ with_items:
+ - PresentControllerPolicy
+ - PresentDevicePolicy
+ - InsertedDevicePolicy
+
+- name: Limit USBGuard IPC to root
+ lineinfile:
+ path: /etc/usbguard/usbguard-daemon.conf
+ regexp: "^[#\\s]*IPCAllowed{{item}}\\s*="
+ line: "IPCAllowed{{item}}=root"
+ with_items:
+ - Users
+ - Groups
+
+- Name: Ban suspect USB devices
+ blockinfile:
+ # this isn't the optimal way to do this, i know, but i don't
+ # want to create a whole new template tree just to add this.
+ path: /etc/usbguard/rules.conf
+ create: yes
+ owner: root
+ group: root
+ mode: 0700
+ insertbefore: BOF
+ # rules.conf doesn't seem to allow comments
+ marker: ''
+ block: |
+ # the akraino REC is targeted at server installs; as such
+ # we're liberal about allowing standard devices on the
+ # assumption we will be deployed in a relatively secure
+ # environment. The values below were chosen based on the
+ # devices that appear on a nokia OE19 with the virtual console
+ # enabled:
+ # xHCI controller/hub
+ allow with-interface equals { 09:00:00 }
+ # mass media — sites may want to consider restricting
+ # this to 08:06:50 to just get the virtual CDROM and ban
+ # other USB media
+ allow with-interface equals { 08:*:* }
+ # ethernet
+ allow with-interface equals { 02:02:ff }
+ # keyboard/mouse
+ allow with-interface one-of { 03:00:01 03:01:01 }
+ # per usbguard-rules.conf manpage: ban keyboard devices
+ # that expose other, suspicious, interfaces
+ reject with-interface all-of { 08:*:* 03:00:* }
+ reject with-interface all-of { 08:*:* 03:01:* }
+ reject with-interface all-of { 08:*:* e0:*:* }
+ reject with-interface all-of { 08:*:* 02:*:* }
+
# Setting file permissions
#
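Review bot: The last task is keyed `Name:` with a capital N, which Ansible does not accept as a task attribute, so the play errors before any USB rule is written; it should be `- name: Ban suspect USB devices`. Inside the block the four `reject with-interface all-of` rules come after `allow with-interface one-of { 03:00:01 03:01:01 }`; if I read usbguard's first-match evaluation correctly, a composite keyboard+storage device (the BadUSB case those rejects exist for) already satisfies the `one-of` keyboard rule and is allowed, so the rejects should be the first lines of the block. `marker: ''` gives blockinfile an empty begin/end marker, so on a second run it cannot recognise its own block and may treat blank lines as markers; the comment says rules.conf rejects comments yet the block is full of `#` lines, so either comments are fine and a normal `marker: "# {mark} ANSIBLE MANAGED REC RULES"` works, or they are not and the comment lines must be dropped — check with `usbguard list-rules` after a run. `mode: 0700` on a rules file would be clearer as `mode: "0600"`, and no handler restarting usbguard after these five config edits is visible here, so the new policy may not take effect until a reboot.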