5 # Licensed under the Apache License, Version 2.0 (the "License");
6 # you may not use this file except in compliance with the License.
7 # You may obtain a copy of the License at
9 # http://www.apache.org/licenses/LICENSE-2.0
11 # Unless required by applicable law or agreed to in writing, software
12 # distributed under the License is distributed on an "AS IS" BASIS,
13 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 # See the License for the specific language governing permissions and
15 # limitations under the License.
18 # Linux password hardening
# The six pwquality tasks edit /etc/security/pwquality.conf in place; the
# module line and the replacement value of each sit on lines not shown in
# this excerpt. The regexp tolerates a leading '#' and whitespace, so a
# commented-out default is matched and rewritten instead of being left next
# to a second, active line.
21 - name: "Set Password Strength Minimum Digit Characters."
23 path: /etc/security/pwquality.conf
24 regexp: '^[#\s]*dcredit'
27 - name: "Set Password Minimum Length."
29 path: /etc/security/pwquality.conf
30 regexp: '^[#\s]*minlen'
33 - name: "Set Password Strength Minimum Uppercase Characters."
35 path: /etc/security/pwquality.conf
36 regexp: '^[#\s]*ucredit'
39 - name: "Set Password Strength Minimum Special Characters."
41 path: /etc/security/pwquality.conf
42 regexp: '^[#\s]*ocredit'
45 - name: "Set Password Strength Minimum Lowercase Characters."
47 path: /etc/security/pwquality.conf
48 regexp: '^[#\s]*lcredit'
51 - name: "Set Password Strength Minimum Different Categories."
53 path: /etc/security/pwquality.conf
54 regexp: '^[#\s]*minclass'
# The pattern is anchored to the start of the line and to the end of the
# numeric value, so only the active PASS_MIN_LEN line is rewritten.
# Presumably this mirrors the pwquality minlen task above for tools that
# do not go through PAM — keep the two values aligned (the minlen value is
# on a line outside this excerpt).
57 - name: "Set Password Minimum Length in login.defs"
60 regexp: '^PASS_MIN_LEN[\s]*[0-9]*$'
61 line: 'PASS_MIN_LEN 8'
# NOTE(review): PASS_MIN_DAYS 0 imposes no minimum password age, so a user
# can change a password several times in one sitting and cycle back to a
# previous one, which defeats any password-history control; hardening
# baselines usually expect a value of 1 or more — confirm 0 is intended.
63 - name: "Set Password Minimum Age"
66 regexp: '^PASS_MIN_DAYS[\s]*[0-9]*$'
67 line: 'PASS_MIN_DAYS 0'
# Both tasks insert a key under the '[main]' header of the yum configuration
# (the module and path lines are outside this excerpt).
# NOTE(review): no regexp is visible on either task. Without one, lineinfile
# only checks whether the exact line is already present and otherwise
# inserts after '[main]', so an existing 'localpkg_gpgcheck = 0' (or
# 'clean_requirements_on_remove = 0') would be kept and a second, conflicting
# key added; add e.g. regexp: '^[#\s]*localpkg_gpgcheck' to each task so the
# existing setting is rewritten in place — unless a regexp is set on one of
# the lines not shown here.
73 - name: "Ensure YUM Removes Previous Package Versions"
76 insertafter: '^[#\s]*\[main\]'
77 line: 'clean_requirements_on_remove = 1'
79 - name: "Ensure gpgcheck Enabled for Local Packages"
82 insertafter: '^[#\s]*\[main\]'
83 line: 'localpkg_gpgcheck = 1'
86 # Setting Ctrl-Alt-Del action
# Turns off systemd's repeated-press (burst) reaction in system.conf and
# masks the target that handles a single Ctrl-Alt-Del.
# NOTE(review): a change to /etc/systemd/system.conf is only picked up by
# the running manager after a daemon re-exec — confirm a handler does that.
# `command: systemctl mask` reports changed on every run; the `systemd`
# module with `masked: true` is the idempotent equivalent.
89 - name: "Disable Ctrl-Alt-Del Burst Action"
91 path: /etc/systemd/system.conf
92 insertafter: '^[#\s]*CtrlAltDelBurstAction'
93 line: 'CtrlAltDelBurstAction=none'
95 - name: "Disable Ctrl-Alt-Del Reboot Activation"
96 command: systemctl mask ctrl-alt-del.target
99 # Configure kernel modules
# Writes /etc/modprobe.d/<module>.conf with an install override so modprobe
# runs /bin/true instead of loading the module. The loop items and the module
# line are outside this excerpt. The dest=/line= key=value form is legacy
# Ansible style; block YAML (dest:, line:) is the convention.
# NOTE(review): /bin/true makes a manual `modprobe` look successful; some
# baselines use /bin/false so the refusal is visible, and add a
# `blacklist <module>` line as well — confirm against the baseline followed.
102 - name: "kernel module setting"
105 dest="/etc/modprobe.d/{{item}}.conf"
107 line="install {{item}} /bin/true"
122 # Disable interactive boot
# Strips systemd.confirm_spawn=<truthy value> from the two GRUB command-line
# variables so the boot cannot be driven interactively. The line value uses
# \1 and \3 back-references, which only take effect when `backrefs: true` is
# set on the task (that line is outside this excerpt); with backrefs, a file
# that does not match is left untouched, which is the intended no-op.
# NOTE(review): edits to /etc/default/grub reach the boot loader only once
# grub2-mkconfig runs; the later 'generate grub config' task is conditional
# on a GRUB password being set, so on hosts without one this change may
# never be written to /boot/grub2/grub.cfg — verify and add a handler.
125 - name: Verify that Interactive Boot is Disabled GRUB_CMDLINE_LINUX Setting
127 path: /etc/default/grub
129 regexp: '^GRUB_CMDLINE_LINUX=(.*)systemd\.confirm_spawn=(1|yes|true|on)\s*(.*)$'
130 line: 'GRUB_CMDLINE_LINUX=\1\3'
132 - name: Verify that Interactive Boot is Disabled GRUB_CMDLINE_LINUX_DEFAULT Setting
134 path: /etc/default/grub
136 regexp: '^GRUB_CMDLINE_LINUX_DEFAULT=(.*)systemd\.confirm_spawn=(1|yes|true|on)\s*(.*)$'
137 line: 'GRUB_CMDLINE_LINUX_DEFAULT=\1\3'
140 # Set file permissions
# Restricts /boot/grub2/grub.cfg to its owner; the module, mode and any
# further loop items are outside this excerpt. The generated grub.cfg may
# carry the password_pbkdf2 entry written by the boot-loader section below,
# so it should not be world-readable.
# NOTE(review): the task name reads "Set set the ..."; drop the doubled word.
143 - name: "Set set the 600 file permissions"
149 - /boot/grub2/grub.cfg
154 # Disable direct root login
# Empties /etc/securetty; with pam_securetty in the login stack an empty
# file denies root on every console tty. SSH is governed separately by
# sshd's PermitRootLogin, which is not configured here.
# NOTE(review): `shell: echo >` rewrites the file and reports changed on
# every run; `copy` with `content: ""` is the declarative equivalent.
# NOTE(review): the nologin shell and the password lock below (bodies
# outside this excerpt) also break `su -` and `sudo -i`, which exec root's
# shell — confirm a sudo-capable administrative account exists on the host
# before this section runs, otherwise recovery needs rescue-mode access.
157 - name: "Direct root Logins Not Allowed"
158 shell: echo > /etc/securetty
160 - name: Change 'root' shell to nologin
165 - name: Lock 'root' password
# IPv6 is switched off only when the host has no default IPv6 address
# (ansible_default_ipv6 is empty); otherwise the stack stays up and the
# RA / redirect / source-route / forwarding knobs below are hardened instead.
# NOTE(review): only net.ipv6.conf.all.disable_ipv6 is visible here; the
# `default` key is what newly created interfaces inherit — presumably set
# on a line outside this excerpt, verify. The udp6/tcp6 task bodies are
# not shown either.
174 - name: Disable ipv6 support if the ipv6 is not needed
175 when: ansible_default_ipv6|length == 0
177 name: net.ipv6.conf.all.disable_ipv6
182 - name: Disable Support for udp6
183 when: ansible_default_ipv6|length == 0
189 - name: Disable Support for tcp6
190 when: ansible_default_ipv6|length == 0
# Loop items are small flow mappings with integer values; the sysctl
# module receives them through "{{ item.value }}" as strings, which it
# accepts.
196 - name: Disable automatic ipv6 configuration
197 when: ansible_default_ipv6|length > 0
199 name: "{{ item.name }}"
200 value: "{{ item.value }}"
204 - { name: 'net.ipv6.conf.all.accept_source_route', value: 0 }
205 - { name: 'net.ipv6.conf.all.accept_ra', value: 0 }
206 - { name: 'net.ipv6.conf.default.accept_ra', value: 0 }
207 - { name: 'net.ipv6.conf.all.accept_redirects', value: 0 }
208 - { name: 'net.ipv6.conf.default.accept_redirects', value: 0 }
209 - { name: 'net.ipv6.conf.default.accept_source_route', value: 0 }
210 - { name: 'net.ipv6.conf.all.forwarding', value: 0 }
213 # Configure kernel parameters
# Applies the usual IPv4 and kernel hardening sysctls through the sysctl
# module (the module line and any sysctl_set / reload options are outside
# this excerpt).
# NOTE(review): asymmetry with the IPv6 list above —
# net.ipv4.conf.{all,default}.accept_source_route is not set here.
# kernel.core_pattern points dumps at /var/core/core while the core-dump
# section below disables dumps for users and systemd; the pattern only
# matters if a dump is still produced, and /var/core must exist for it to
# be written there.
216 - name: Configure the kernel parameters
218 name: "{{ item.name }}"
219 value: "{{ item.value }}"
223 - { name: 'net.ipv4.conf.default.send_redirects', value: 0 }
224 - { name: 'net.ipv4.conf.all.send_redirects', value: 0 }
225 - { name: 'net.ipv4.ip_forward', value: 0 }
226 - { name: 'net.ipv4.conf.all.accept_redirects', value: 0 }
227 - { name: 'net.ipv4.conf.all.secure_redirects', value: 0 }
228 - { name: 'net.ipv4.conf.all.log_martians', value: 1 }
229 - { name: 'net.ipv4.conf.default.log_martians', value: 1 }
230 - { name: 'net.ipv4.conf.default.accept_redirects', value: 0 }
231 - { name: 'net.ipv4.conf.default.secure_redirects', value: 0 }
232 - { name: 'net.ipv4.icmp_echo_ignore_broadcasts', value: 1 }
233 - { name: 'net.ipv4.icmp_ignore_bogus_error_responses', value: 1 }
234 - { name: 'net.ipv4.tcp_syncookies', value: 1 }
235 - { name: 'fs.suid_dumpable', value: 0 }
236 - { name: 'kernel.dmesg_restrict', value: 1 }
237 - { name: 'kernel.core_uses_pid', value: 1 }
238 - { name: 'kernel.randomize_va_space', value: 2 }
239 - { name: 'kernel.core_pattern', value: '/var/core/core'}
242 # Configure core dump
# '* hard core 0' is inserted ahead of the first non-comment entry of
# limits.conf; the leading '*' must stay quoted (unquoted it is a YAML alias
# sigil). If no such entry exists, lineinfile appends at end of file, which
# limits.conf still honours. A hard limit cannot be raised by the user.
# The line inserted after [Coredump] in coredump.conf is outside this
# excerpt (presumably Storage=none — verify).
245 - name: "Disable core dump for all user"
247 path: /etc/security/limits.conf
248 insertbefore: '^[a-z].*'
249 line: '* hard core 0'
251 - name: "Configure systemd not to store core dumps"
253 path: /etc/systemd/coredump.conf
254 insertafter: '^\[Coredump\]'
# NOTE(review): stopping and disabling rsyslog removes persistent syslog
# unless journald persistent storage or remote forwarding is configured —
# confirm where logs land afterwards, since detection and incident review
# depend on that audit trail. `shell: systemctl ...` is not idempotent; the
# `systemd` module with state: stopped / enabled: false is the equivalent.
260 - name: "Stop rsyslog Service"
261 shell: systemctl stop rsyslog.service
263 - name: "Disable rsyslog Service"
264 shell: systemctl disable rsyslog.service
# Adds /var/log/boot.log to the syslog logrotate stanza, before the line
# ending in 'cron'. The unquoted path is safe: it starts with '/'.
266 - name: "Ensure the /var/log/boot.log Rotated by logrotate"
268 path: /etc/logrotate.d/syslog
269 insertbefore: 'cron$'
270 line: /var/log/boot.log
# NOTE(review): `regexp: '{{ item.old }}'` is an unanchored regex, so
# 'umask 002' also matches a line such as 'umask 0022' and rewrites it to
# 'umask 027'; anchoring the patterns (e.g. '^\s*umask 002\s*$') avoids the
# surprise. The path of the profile file is outside this excerpt.
272 - name: "Set the umasks by profile file"
275 regexp: '{{ item.old }}'
276 line: '{{ item.new }}'
278 - { old: 'umask 002', new: umask 027 }
279 - { old: 'umask 022', new: umask 077 }
# NOTE(review): `insertafter: 'DEFAULT'` is a regex matched anywhere on a
# line, so the text can land after a comment or option that merely mentions
# DEFAULT instead of after the '[DEFAULT]' section header; use
# '^\[DEFAULT\]'. Both tasks also hand lineinfile a multi-line value: its
# already-present check compares the value against single file lines, so it
# never matches and the text is inserted again on every run (unless a regexp
# on a line outside this excerpt prevents it). The ini_file module, or
# blockinfile, expresses these two settings idempotently.
# insecure_debug = false keeps authentication-failure detail out of HTTP
# responses; max_request_body_size bounds request bodies for the sizelimit
# middleware.
285 - name: Set the max_request_body_size in the keystone.conf
287 path: /etc/keystone/keystone.conf
288 insertafter: 'DEFAULT'
289 line: "# enforced by optional sizelimit middleware (keystone.middleware:RequestBodySizeLimiter)\nmax_request_body_size = 114688\n"
291 - name: Set the insecure_debug in the keystone.conf
293 path: /etc/keystone/keystone.conf
294 insertafter: 'DEFAULT'
295 line: "# If set to true, then the server will return information in HTTP responses\n# that may allow an unauthenticated or authenticated user to get more\n# information than normal, such as additional details about why authentication\n# failed. This may be useful for debugging but is insecure. (boolean value)\ninsecure_debug = false\n"
298 # Setting bootloader password
# NOTE(review): password_pbkdf2 expects the grub.pbkdf2.sha512.… hash
# produced by grub2-mkpasswd-pbkdf2; if host_os.grub2_password holds a
# clear-text password it is written as-is into 40_custom and grub.cfg —
# confirm the variable carries the hash. Add `no_log: true` to the set_fact
# and the file-writing task so the value is not echoed in play output.
# 'Empty' as the default sentinel also means a genuine value 'Empty' would
# be skipped; default('') with a length check is less ambiguous.
300 - name: set host os variable
301 when: host_os is defined
303 grub2_pass: "{{ host_os.grub2_password | default('Empty') }}"
# Setting superusers makes GRUB require the password for menu edits;
# whether normal boot entries also prompt depends on the distro's 10_linux
# marking them --unrestricted — test on a disposable host before rollout.
# The module and content lines around these two are outside this excerpt.
305 - name: protect grub with root password
306 when: grub2_pass is defined and grub2_pass != 'Empty'
308 dest: /etc/grub.d/40_custom
313 set superusers="root"
315 password_pbkdf2 root "{{ grub2_pass }}"
# Regenerates grub.cfg so the 40_custom entry takes effect; only runs when
# a password was configured (see the interactive-boot section above, whose
# /etc/default/grub edits also depend on this regeneration).
317 - name: generate grub config
318 when: grub2_pass is defined and grub2_pass != 'Empty'
319 command: /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
322 # Setting the noexec option on the /dev/shm mount point
# Three read-only shell probes (device, current options, fstype) feed the
# mount task below. Each only inspects state, so `changed_when: false`
# belongs on them; note that `grep` exits 1 — failing the play — when
# /dev/shm is not mounted. Decide whether that is the desired outcome.
325 - name: get back device associated to mountpoint
326 shell: mount | grep ' /dev/shm ' |cut -d ' ' -f 1
327 register: device_name
330 - name: get back device previous mount option
331 shell: mount | grep ' /dev/shm ' | sed -re 's:.*\((.*)\):\1:'
332 register: device_cur_mountoption
335 - name: get back device fstype
336 shell: mount | grep ' /dev/shm ' | cut -d ' ' -f 5
337 register: device_fstype
# NOTE(review): the options come from `mount` output (the live set, which
# may include kernel-added flags), not from fstab, so ",noexec" is appended
# to whatever is currently active; on the next run the active set likely
# already contains noexec and a different opts string is written again, so
# the task is probably not idempotent. A fixed opts string such as
# "defaults,nosuid,nodev,noexec" (the usual /dev/shm hardening set) avoids
# the probes entirely. The path/state lines are outside this excerpt.
340 - name: Ensure permission noexec are set on /dev/shm
343 src: "{{device_name.stdout}}"
344 opts: "{{device_cur_mountoption.stdout}},noexec"
346 fstype: "{{device_fstype.stdout}}"
349 # Disable NFS service
# Disables the NFS-related services and then removes nfs-utils; the service
# list, module lines and package state are outside this excerpt.
352 - name: disable NFS related services
366 - name: remove nfs-utils package
372 # Setting file permissions
375 #- name: "Remove the other-user write permission from the system directories"
376 # command: find / -xdev \( -perm -0002 -a ! -perm -1000 \) -type d -exec chmod o-w {} \;
378 #- name: "Remove the other user write permission from the system files"
379 # command: find / -xdev -perm -0002 -type f -exec chmod o-w {} \;
381 #- name: "Remove the SUID/SGID bits from unauthorized system executables"
382 # command: sudo chmod -s $(sudo find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | grep -v sudo)