X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;f=roles%2Fops-hardening%2Ftasks%2Fmain.yaml;h=fdf6512a635c7e7edc89e29d4acbfe54e8515ce9;hb=refs%2Fheads%2Fmaster;hp=7aab1664d789723a8fda7578b100c26e75a0d17a;hpb=407c56bb4dab1eac542f37c5b0b25cb63133b2f0;p=ta%2Finfra-ansible.git
diff --git a/roles/ops-hardening/tasks/main.yaml b/roles/ops-hardening/tasks/main.yaml
index 7aab166..fdf6512 100644
--- a/roles/ops-hardening/tasks/main.yaml
+++ b/roles/ops-hardening/tasks/main.yaml
@@ -76,7 +76,13 @@
 lineinfile:
 path: /etc/login.defs
 regexp: '^SHA_CRYPT_MIN_ROUNDS[\s]*[0-9]*$'
- line: 'SHA_CRYPT_MIN_ROUNDS 5000'
+ line: 'SHA_CRYPT_MIN_ROUNDS 10000'
+
+- name: "Set maximum number of password hash rounds"
+ lineinfile:
+ path: /etc/login.defs
+ regexp: '^SHA_CRYPT_MAX_ROUNDS[\s]*[0-9]*$'
+ line: 'SHA_CRYPT_MAX_ROUNDS 10000'
 
 #
 # Linux Failed password attempts
@@ -224,6 +230,14 @@
 when:
 - item.stat.exists == true
 
+- name: Limit access to the assembler binary
+ file:
+ path: "/usr/bin/as"
+ state: file
+ mode: "0700"
+ owner: root
+ group: root
+
 #
 # Disable direct root login
 #
@@ -267,8 +281,7 @@
 state: absent
 regexp: '^tcp6.*'
 
-- name: Disable automatic ipv6 configuration
- when: ansible_default_ipv6|length > 0
+- name: Disable automatic ipv6 configuration and routing
 sysctl:
 name: "{{ item.name }}"
 value: "{{ item.value }}"
@@ -276,12 +289,13 @@
 reload: yes
 with_items:
 - { name: 'net.ipv6.conf.all.accept_source_route', value: 0 }
+ - { name: 'net.ipv6.conf.default.accept_source_route', value: 0 }
 - { name: 'net.ipv6.conf.all.accept_ra', value: 0 }
 - { name: 'net.ipv6.conf.default.accept_ra', value: 0 }
 - { name: 'net.ipv6.conf.all.accept_redirects', value: 0 }
 - { name: 'net.ipv6.conf.default.accept_redirects', value: 0 }
- - { name: 'net.ipv6.conf.default.accept_source_route', value: 0 }
 - { name: 'net.ipv6.conf.all.forwarding', value: 0 }
+ - { name: 'net.ipv6.conf.default.forwarding', value: 0 }
 
 #
 # Configure kernel parameters
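Review bot: Raising `SHA_CRYPT_MIN_ROUNDS` and pinning `SHA_CRYPT_MAX_ROUNDS` to the same 10000 in /etc/login.defs only affects hashes created at the next password change; accounts hashed under the previous 5000-round setting keep that cost until their password is reset, so the role should either force an expiry or document that the stronger cost applies to new passwords only. Whether pam_unix honours these login.defs values depends on the PAM version in use; where it does not, `password ... pam_unix.so sha512 rounds=10000` is also needed for the setting to reach `passwd`. Neither `ENCRYPT_METHOD SHA512` nor a PAM change is visible in this hunk, so confirm both are set elsewhere in the role. A comment above the task such as `# Applies to new hashes only; existing passwords keep their old round count until changed` would make the limitation explicit to operators.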
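Review bot: The new `Limit access to the assembler binary` task uses `state: file`, which makes the `file` module fail when `/usr/bin/as` is absent, so the play aborts on hosts without binutils instead of skipping the control. The task directly above guards its paths with a registered `stat` result (`item.stat.exists == true`), and this one should do the same — register a `stat` of `/usr/bin/as` and condition on it, or fold the path into that existing loop. Package-managed permissions are also restored when binutils is upgraded, so this control drifts unless the role is re-run after updates; a comment saying so would help whoever audits it.

```yaml
- name: Check whether the assembler binary is installed
  stat:
    path: /usr/bin/as
  register: as_binary

- name: Limit access to the assembler binary
  when: as_binary.stat.exists
  file:
    # … unchanged: path / state / mode / owner / group …
```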
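Review bot: Dropping `when: ansible_default_ipv6|length > 0` means the sysctl task now also runs on hosts whose IPv6 stack is disabled (`ipv6.disable=1` or the module not loaded), where `/proc/sys/net/ipv6/` does not exist and the `sysctl` module fails on the first key rather than skipping. The removed guard was the wrong test — having no default IPv6 route does not mean there is no IPv6 stack — so the fix is to key the task on the presence of `/proc/sys/net/ipv6`, not to drop the guard entirely; `ignoreerrors: yes` would also mask genuinely misspelled keys, so a `stat` is preferable. The task body continues past this hunk (its `with_items` list is in the following hunk).

```yaml
- name: Check whether the IPv6 stack is present
  stat:
    path: /proc/sys/net/ipv6
  register: ipv6_procfs

- name: Disable automatic ipv6 configuration and routing
  when: ipv6_procfs.stat.exists
  sysctl:
    # … unchanged: name / value / reload / with_items …
```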
@@ -312,6 +326,8 @@
 - { name: 'kernel.randomize_va_space', value: 2 }
 - { name: 'kernel.core_pattern', value: '/var/core/core'}
 - { name: 'kernel.kptr_restrict', value: 2 }
+ - { name: 'kernel.sysrq', value: 0 }
+ - { name: 'kernel.yama.ptrace_scope', value: 3 }
 
 #
 # Configure core dump
@@ -330,6 +346,13 @@
 line: 'Storage=none'
 
 #
+# Confingure kernel dump
+- name: "Disable kernel dump service"
+ shell: systemctl stop kdump.service
+
+- name: "Disable kernel dump service"
+ shell: systemctl disable kdump.service
+
 # Configure syslog
 #
 - name: "Stop rsyslog Service"
@@ -456,7 +479,7 @@
 
 #
 # tighten USB permissions
-# 
+#
 - name: Set USBGuard RestoreControllerDeviceState to false
 lineinfile:
 path: /etc/usbguard/usbguard-daemon.conf
@@ -490,9 +513,9 @@
 
 - Name: Ban suspect USB devices
 blockinfile:
- # this isn't the optimal way to do this, i know, but i don't 
+ # this isn't the optimal way to do this, i know, but i don't
 # want to create a whole new template tree just to add this.
- path: /etc/usbguard/rules.conf 
+ path: /etc/usbguard/rules.conf
 create: yes
 owner: root
 group: root
@@ -509,9 +532,9 @@
 # enabled:
 # xHCI controller/hub
 allow with-interface equals { 09:00:00 }
- # mass media — sites may want to consider restricting 
+ # mass media — sites may want to consider restricting
 # this to 08:06:50 to just get the virtual CDROM and ban
- # other USB media 
+ # other USB media
 allow with-interface equals { 08:*:* }
 # ethernet
 allow with-interface equals { 02:02:ff }
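Review bot: `kernel.yama.ptrace_scope` only exists when the kernel was built with the Yama LSM; on kernels without it (RHEL/CentOS 7 ships none, if that is the target here) the `sysctl` module fails on the missing key and the remainder of the role does not run, so this entry needs `ignoreerrors: yes` on the task or a guard on `/proc/sys/kernel/yama`. Value `3` is also documented by Yama as unchangeable until reboot and as refusing every `PTRACE_ATTACH` and `PTRACE_TRACEME`, which blocks `strace`, `gdb` and crash-analysis tooling even for root; if that is intended, record it — `# 3 = no ptrace at all, sticky until reboot; use 1 on hosts that must stay debuggable` — otherwise `1` (descendants only) is the usual hardening level. `kernel.sysrq = 0` likewise removes the emergency sync/remount/reboot keys from the console; sites that depend on them tend to set a bitmask such as `176` (sync, remount read-only, reboot) instead of disabling SysRq outright.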
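Review bot: Both new kdump tasks use `shell: systemctl ...`, which is not idempotent (reports changed on every run) and, since `systemctl stop` and `systemctl disable` exit non-zero when the unit is not installed, aborts the whole play on hosts without kexec-tools; the `systemd` module stops and disables in one task and reports change correctly. The module also errors when the unit is absent, so gather `service_facts` first and condition on `'kdump.service' in ansible_facts.services`, or relax `failed_when` to the not-found message. The two tasks additionally share the name `Disable kernel dump service`, and the block is inserted between the lone `#` and `# Configure syslog`, which breaks that header; give the block its own header above the existing `#` and fix the typo `Confingure`.

```yaml
#
# Configure kernel dump
#
- name: "Gather service facts"
  service_facts:

- name: "Stop and disable kernel dump service"
  systemd:
    name: kdump.service
    state: stopped
    enabled: no
  when: "'kdump.service' in ansible_facts.services"

#
# Configure syslog
# … unchanged: rsyslog tasks …
```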
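Review bot: The context line `- Name: Ban suspect USB devices` carries a capitalised `Name` key; Ansible task keywords are case-sensitive, so `Name` is not taken as the task name but as a second action next to `blockinfile`, which the parser rejects as conflicting action statements and the play never starts. If this is the real file content and not an artefact of the capture, it should read `- name: Ban suspect USB devices`; the whitespace cleanup in this hunk touches the lines immediately below it and is the natural place to fix it. The `blockinfile` task continues past the end of this hunk.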