Introduction
I came across devsec.hardening, an Ansible Collection for server hardening, on Reddit, so I gave it a try.
Server hardening makes the configuration of the OS and applications more robust. If you configure servers with this Ansible Collection, you may be able to satisfy things like the CIS Benchmark as well.
About devsec.hardening
This Ansible Collection is developed as part of the DevSec Hardening Framework, which also provides automation for Chef and Puppet. The targets this collection can harden are listed below; it covers not only the OS but also middleware such as SSH and Nginx.
- Linux
- SSH
- Nginx
- MySQL
- Apache (in development)
- Windows (in development)
The collection can be installed with the following command.
ansible-galaxy collection install devsec.hardening
Play
As a trial, I run it in a Vagrant environment. Put the following Vagrantfile and playbook in the same directory and you can try the same thing.
# Vagrantfile
Vagrant.configure("2") do |config|
  config.vm.box = "ubuntu/focal64"
  config.vm.provision "ansible" do |ansible|
    ansible.playbook = "playbook.yml"
  end
end
# playbook.yml
- hosts: all
  become: true
  collections:
    - devsec.hardening
  roles:
    - devsec.hardening.os_hardening
    - devsec.hardening.ssh_hardening
    - devsec.hardening.nginx_hardening
  vars:
    sysctl_overwrite:
      net.ipv4.ip_forward: 1
  pre_tasks:
    # pre_tasks run before the roles, so Nginx exists when nginx_hardening runs
    - name: Install Nginx
      package:
        name: nginx
Results
After applying it, I can see it puts in place the usual kinds of settings, such as the following.
- OS
  - auditd configuration
  - sysctl hardening
- SSH
  - sshd_config hardening
- Nginx
  - TLS hardening
  - adding headers such as CORS
It was a good lesson in which settings are worth putting in place.
It is long, but here is the Ansible log.
PLAY [all] *********************************************************************
TASK [Gathering Facts] *********************************************************
ok: [default]
TASK [Install Nginx] ***********************************************************
The following additional packages will be installed:
fontconfig-config fonts-dejavu-core libfontconfig1 libgd3 libjbig0
libjpeg-turbo8 libjpeg8 libnginx-mod-http-image-filter
libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream libtiff5
libwebp6 libxpm4 nginx-common nginx-core
Suggested packages:
libgd-tools fcgiwrap nginx-doc ssl-cert
The following NEW packages will be installed:
fontconfig-config fonts-dejavu-core libfontconfig1 libgd3 libjbig0
libjpeg-turbo8 libjpeg8 libnginx-mod-http-image-filter
libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream libtiff5
libwebp6 libxpm4 nginx nginx-common nginx-core
0 upgraded, 17 newly installed, 0 to remove and 0 not upgraded.
changed: [default]
TASK [devsec.hardening.os_hardening : Set OS family dependent variables] *******
ok: [default]
TASK [devsec.hardening.os_hardening : Set OS dependent variables] **************
TASK [devsec.hardening.os_hardening : install auditd package | package-08] *****
The following additional packages will be installed:
libauparse0
Suggested packages:
audispd-plugins
The following NEW packages will be installed:
auditd libauparse0
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
changed: [default]
TASK [devsec.hardening.os_hardening : configure auditd | package-08] ***********
--- before: /etc/audit/auditd.conf
+++ after: /Users/zyun/.ansible/tmp/ansible-local-17596sli22rgo/tmppogqkpxk/auditd.conf.j2
@@ -1,32 +1,28 @@
#
-# This file controls the configuration of the audit daemon
+# Ansible managed
#
-local_events = yes
-write_logs = yes
log_file = /var/log/audit/audit.log
-log_group = adm
log_format = RAW
-flush = INCREMENTAL_ASYNC
-freq = 50
-max_log_file = 8
+log_group = root
+priority_boost = 4
+flush = INCREMENTAL
+freq = 20
num_logs = 5
-priority_boost = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
-max_log_file_action = ROTATE
+max_log_file = 6
+max_log_file_action = keep_logs
space_left = 75
space_left_action = SYSLOG
-verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
-use_libwrap = yes
-##tcp_listen_port = 60
+##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
@@ -34,4 +30,3 @@
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
-distribute_network = no
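Review bot: `max_log_file_action = keep_logs` together with `max_log_file = 6` means rotated audit logs are never deleted (keep_logs ignores `num_logs = 5`), so /var/log/audit grows without bound; pair it with off-host log shipping or a scheduled archive job. Also note that `admin_space_left_action = SUSPEND` and `disk_full_action = SUSPEND` stop auditd writing rather than halting the system, so a full disk silently ends the audit trail; alert on the `space_left_action = SYSLOG` message at the 75 MB threshold to catch it beforehand.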
changed: [default]
TASK [devsec.hardening.os_hardening : create limits.d-directory if it does not exist | sysctl-31a, sysctl-31b] ***
ok: [default]
TASK [devsec.hardening.os_hardening : create additional limits config file -> 10.hardcore.conf | sysctl-31a, sysctl-31b] ***
changed: [default]
TASK [devsec.hardening.os_hardening : set 10.hardcore.conf perms to 0400 and root ownership] ***
--- before
+++ after
@@ -1,5 +1,5 @@
{
- "mode": "0644",
+ "mode": "0440",
"path": "/etc/security/limits.d/10.hardcore.conf",
- "state": "file"
+ "state": "touch"
}
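Review bot: the `"state": "touch"` value in the after state shows the task uses `state: touch` on the file module, which bumps the mtime and reports changed on every run unless `modification_time: preserve` and `access_time: preserve` are set, so idempotency checks on this role will be noisy. The permission tightening itself (0644 to 0440 on /etc/security/limits.d/10.hardcore.conf) is fine, since the file is only read by pam_limits as root.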
changed: [default]
TASK [devsec.hardening.os_hardening : remove 10.hardcore.conf config file] *****
skipping: [default]
TASK [devsec.hardening.os_hardening : create login.defs | os-05, os-05b] *******
--- before: /etc/login.defs
+++ after: /Users/zyun/.ansible/tmp/ansible-local-17596sli22rgo/tmpracx7jkv/login.defs.j2
@@ -1,307 +1,176 @@
#
-# /etc/login.defs - Configuration control definitions for the login package.
-#
-# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH.
-# If unspecified, some arbitrary (and possibly incorrect) value will
-# be assumed. All other items are optional - if not specified then
-# the described action or option will be inhibited.
-#
-# Comment lines (lines beginning with "#") and blank lines are ignored.
-#
-# Modified for Linux. --marekm
-
-# REQUIRED for useradd/userdel/usermod
-# Directory where mailboxes reside, _or_ name of file, relative to the
-# home directory. If you _do_ define MAIL_DIR and MAIL_FILE,
-# MAIL_DIR takes precedence.
-#
-# Essentially:
-# - MAIL_DIR defines the location of users mail spool files
-# (for mbox use) by appending the username to MAIL_DIR as defined
-# below.
-# - MAIL_FILE defines the location of the users mail spool files as the
-# fully-qualified filename obtained by prepending the user home
-# directory before $MAIL_FILE
-#
-# NOTE: This is no more used for setting up users MAIL environment variable
-# which is, starting from shadow 4.0.12-1 in Debian, entirely the
-# job of the pam_mail PAM modules
-# See default PAM configuration files provided for
-# login, su, etc.
-#
-# This is a temporary situation: setting these variables will soon
-# move to /etc/default/useradd and the variables will then be
-# no more supported
-MAIL_DIR /var/mail
-#MAIL_FILE .mail
-
-#
-# Enable logging and display of /var/log/faillog login failure info.
-# This option conflicts with the pam_tally PAM module.
-#
-FAILLOG_ENAB yes
-
-#
+# Ansible managed
+#
+
+# Configuration control definitions for the login package.
+#
+# Three items must be defined: `MAIL_DIR`, `ENV_SUPATH`, and `ENV_PATH`. If unspecified, some arbitrary (and possibly incorrect) value will be assumed. All other items are optional - if not specified then the described action or option will be inhibited.
+#
+# Comment lines (lines beginning with `#`) and blank lines are ignored.
+#
+#-- Modified for Linux. --marekm
+
+# *REQUIRED for useradd/userdel/usermod*
+#
+# Directory where mailboxes reside, _or_ name of file, relative to the home directory. If you _do_ define `MAIL_DIR` and `MAIL_FILE`, `MAIL_DIR` takes precedence.
+# Essentially:
+#
+# * `MAIL_DIR` defines the location of users mail spool files (for mbox use) by appending the username to `MAIL_DIR` as defined below.
+# * `MAIL_FILE` defines the location of the users mail spool files as the fully-qualified filename obtained by prepending the user home directory before `$MAIL_FILE`
+#
+# *NOTE*: This is no more used for setting up users MAIL environment variable which is, starting from shadow 4.0.12-1 in Debian, entirely the job of the pam_mail PAM modules.
+#
+# See default PAM configuration files provided for login, su, etc.
+# This is a temporary situation: setting these variables will soon move to `/etc/default/useradd` and the variables will then be no more supported
+MAIL_DIR /var/mail
+
+# Enable logging and display of `/var/log/faillog` login failure info. This option conflicts with the `pam_tally` PAM module.
+FAILLOG_ENAB yes
+
# Enable display of unknown usernames when login failures are recorded.
#
-# WARNING: Unknown usernames may become world readable.
-# See #290803 and #298773 for details about how this could become a security
-# concern
-LOG_UNKFAIL_ENAB no
-
-#
+# *WARNING*: Unknown usernames may become world readable. See #290803 and #298773 for details about how this could become a security concern
+LOG_UNKFAIL_ENAB no
+
# Enable logging of successful logins
-#
-LOG_OK_LOGINS no
-
-#
+LOG_OK_LOGINS yes
+
# Enable "syslog" logging of su activity - in addition to sulog file logging.
-# SYSLOG_SG_ENAB does the same for newgrp and sg.
-#
-SYSLOG_SU_ENAB yes
-SYSLOG_SG_ENAB yes
-
-#
+SYSLOG_SU_ENAB yes
+
+# Enable "syslog" logging of newgrp and sg.
+SYSLOG_SG_ENAB yes
+
# If defined, all su activity is logged to this file.
-#
-#SULOG_FILE /var/log/sulog
-
-#
-# If defined, file which maps tty line to TERM environment parameter.
-# Each line of the file is in a format something like "vt100 tty01".
-#
-#TTYTYPE_FILE /etc/ttytype
-
-#
-# If defined, login failures will be logged here in a utmp format
-# last, when invoked as lastb, will read /var/log/btmp, so...
-#
-FTMP_FILE /var/log/btmp
-
-#
-# If defined, the command name to display when running "su -". For
-# example, if this is defined as "su" then a "ps" will display the
-# command is "-su". If not defined, then "ps" would display the
-# name of the shell actually being run, e.g. something like "-sh".
-#
-SU_NAME su
-
-#
-# If defined, file which inhibits all the usual chatter during the login
-# sequence. If a full pathname, then hushed mode will be enabled if the
-# user's name or shell are found in the file. If not a full pathname, then
-# hushed mode will be enabled if the file exists in the user's home directory.
-#
-HUSHLOGIN_FILE .hushlogin
-#HUSHLOGIN_FILE /etc/hushlogins
-
-#
-# *REQUIRED* The default PATH settings, for superuser and normal users.
-#
-# (they are minimal, add the rest in the shell startup files)
-ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
-
-#
+#SULOG_FILE /var/log/sulog
+
+# If defined, file which maps tty line to `TERM` environment parameter. Each line of the file is in a format something like "vt100 tty01".
+#TTYTYPE_FILE /etc/ttytype
+
+# If defined, login failures will be logged here in a utmp format last, when invoked as lastb, will read `/var/log/btmp`, so...
+FTMP_FILE /var/log/btmp
+
+# If defined, the command name to display when running "su -". For # example, if this is defined as "su" then a "ps" will display the command is "-su". If not defined, then "ps" would display the name of the shell actually being run, e.g. something like "-sh".
+SU_NAME su
+
+# If defined, file which inhibits all the usual chatter during the login sequence. If a full pathname, then hushed mode will be enabled if the user's name or shell are found in the file. If not a full pathname, then hushed mode will be enabled if the file exists in the user's home directory.
+#HUSHLOGIN_FILE /etc/hushlogins
+HUSHLOGIN_FILE .hushlogin
+
+# *REQUIRED*: The default PATH settings, for superuser and normal users. (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:
+
# Terminal permissions
-#
-# TTYGROUP Login tty will be assigned this group ownership.
-# TTYPERM Login tty will be set to this permission.
-#
-# If you have a "write" program which is "setgid" to a special group
-# which owns the terminals, define TTYGROUP to the group number and
-# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
-# TTYPERM to either 622 or 600.
-#
-# In Debian /usr/bin/bsd-write or similar programs are setgid tty
-# However, the default and recommended value for TTYPERM is still 0600
-# to not allow anyone to write to anyone else console or terminal
-
-# Users can still allow other people to write them by issuing
-# the "mesg y" command.
-
-TTYGROUP tty
-TTYPERM 0600
-
-#
-# Login configuration initializations:
-#
-# ERASECHAR Terminal ERASE character ('\010' = backspace).
-# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
-# UMASK Default "umask" value.
-#
-# The ERASECHAR and KILLCHAR are used only on System V machines.
-#
-# UMASK is the default umask value for pam_umask and is used by
-# useradd and newusers to set the mode of the new home directories.
-# 022 is the "historical" value in Debian for UMASK
-# 027, or even 077, could be considered better for privacy
-# There is no One True Answer here : each sysadmin must make up his/her
-# mind.
-#
-# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
-# for private user groups, i. e. the uid is the same as gid, and username is
-# the same as the primary group name: for these, the user permissions will be
-# used as group permissions, e. g. 022 will become 002.
-#
-# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
-#
-ERASECHAR 0177
-KILLCHAR 025
-UMASK 022
-
-#
-# Password aging controls:
-#
-# PASS_MAX_DAYS Maximum number of days a password may be used.
-# PASS_MIN_DAYS Minimum number of days allowed between password changes.
-# PASS_WARN_AGE Number of days warning given before a password expires.
-#
-PASS_MAX_DAYS 99999
-PASS_MIN_DAYS 0
-PASS_WARN_AGE 7
-
-#
+# --------------------
+
+# Login tty will be assigned this group ownership.
+# If you have a "write" program which is "setgid" to a special group which owns the terminals, define `TTYGROUP` to the group number and `TTYPERM` to `0620`. Otherwise leave `TTYGROUP` commented out and assign `TTYPERM` to either `622` or `600`.
+TTYGROUP tty
+
+# Login tty will be set to this permission.
+# In Debian `/usr/bin/bsd-write` or similar programs are setgid tty. However, the default and recommended value for `TTYPERM` is still `0600` to not allow anyone to write to anyone else console or terminal
+# Users can still allow other people to write them by issuing the `mesg y` command.
+TTYPERM 0600
+
+# Login conf initializations
+# --------------------------
+
+# Terminal ERASE character ('\010' = backspace). Only used on System V.
+ERASECHAR 0177
+
+# Terminal KILL character ('\025' = CTRL/U). Only used on System V.
+KILLCHAR 025
+
+# The default umask value for `pam_umask` and is used by useradd and newusers to set the mode of the new home directories.
+# If `USERGROUPS_ENAB` is set to `yes`, that will modify this `UMASK` default value for private user groups, i. e. the uid is the same as gid, and username is the same as the primary group name: for these, the user permissions will be used as group permissions, e. g. `022` will become `002`.
+# Prefix these values with `0` to get octal, `0x` to get hexadecimal.
+# `022` is the "historical" value in Debian for UMASK
+# `027`, or even `077`, could be considered better for privacy.
+UMASK 027
+
+# Enable setting of the umask group bits to be the same as owner bits (examples: `022` -> `002`, `077` -> `007`) for non-root users, if the uid is the same as gid, and username is the same as the primary group name.
+# If set to yes, userdel will remove the user´s group if it contains no more members, and useradd will create by default a group with the name of the user.
+USERGROUPS_ENAB yes
+
+
+# Password aging controls
+# -----------------------
+
+# Maximum number of days a password may be used.
+PASS_MAX_DAYS 60
+
+# Minimum number of days allowed between password changes.
+PASS_MIN_DAYS 7
+
+# Number of days warning given before a password expires.
+PASS_WARN_AGE 7
+
# Min/max values for automatic uid selection in useradd
-#
-UID_MIN 1000
-UID_MAX 60000
+UID_MIN 1000
+UID_MAX 60000
# System accounts
-#SYS_UID_MIN 100
-#SYS_UID_MAX 999
-
-#
+SYS_UID_MIN 100
+SYS_UID_MAX 999
+
# Min/max values for automatic gid selection in groupadd
-#
-GID_MIN 1000
-GID_MAX 60000
+GID_MIN 1000
+GID_MAX 60000
# System accounts
-#SYS_GID_MIN 100
-#SYS_GID_MAX 999
-
-#
-# Max number of login retries if password is bad. This will most likely be
-# overriden by PAM, since the default pam_unix module has it's own built
-# in of 3 retries. However, this is a safe fallback in case you are using
-# an authentication module that does not enforce PAM_MAXTRIES.
-#
-LOGIN_RETRIES 5
-
-#
+SYS_GID_MIN 100
+SYS_GID_MAX 999
+
+# Max number of login retries if password is bad. This will most likely be overriden by PAM, since the default pam_unix module has it's own built in of 3 retries. However, this is a safe fallback in case you are using an authentication module that does not enforce PAM_MAXTRIES.
+LOGIN_RETRIES 5
+
# Max time in seconds for login
-#
-LOGIN_TIMEOUT 60
-
-#
-# Which fields may be changed by regular users using chfn - use
-# any combination of letters "frwh" (full name, room number, work
-# phone, home phone). If not defined, no changes are allowed.
+LOGIN_TIMEOUT 60
+
+# Which fields may be changed by regular users using chfn - use any combination of letters "frwh" (full name, room number, work phone, home phone). If not defined, no changes are allowed.
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
-#
-CHFN_RESTRICT rwh
-
-#
# Should login be allowed if we can't cd to the home directory?
-# Default in no.
-#
-DEFAULT_HOME yes
-
-#
+DEFAULT_HOME no
+
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
-#
-#USERDEL_CMD /usr/sbin/userdel_local
-
-#
-# Enable setting of the umask group bits to be the same as owner bits
-# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
-# the same as gid, and username is the same as the primary group name.
-#
-# If set to yes, userdel will remove the user's group if it contains no
-# more members, and useradd will create by default a group with the name
-# of the user.
-#
-USERGROUPS_ENAB yes
-
-#
-# Instead of the real user shell, the program specified by this parameter
-# will be launched, although its visible name (argv[0]) will be the shell's.
-# The program may do whatever it wants (logging, additional authentification,
-# banner, ...) before running the actual shell.
-#
-# FAKE_SHELL /bin/fakeshell
-
-#
-# If defined, either full pathname of a file containing device names or
-# a ":" delimited list of device names. Root logins will be allowed only
-# upon these devices.
-#
+#USERDEL_CMD /usr/sbin/userdel_local
+
+# Instead of the real user shell, the program specified by this parameter will be launched, although its visible name (`argv[0]`) will be the shell's. The program may do whatever it wants (logging, additional authentification, banner, ...) before running the actual shell.
+#FAKE_SHELL /bin/fakeshell
+
+# If defined, either full pathname of a file containing device names or a ":" delimited list of device names. Root logins will be allowed only upon these devices.
# This variable is used by login and su.
-#
-#CONSOLE /etc/consoles
-#CONSOLE console:tty01:tty02:tty03:tty04
-
-#
-# List of groups to add to the user's supplementary group set
-# when logging in on the console (as determined by the CONSOLE
-# setting). Default is none.
-#
-# Use with caution - it is possible for users to gain permanent
-# access to these groups, even when not logged in on the console.
-# How to do it is left as an exercise for the reader...
-#
+#CONSOLE /etc/consoles
+#CONSOLE console:tty01:tty02:tty03:tty04
+
+# List of groups to add to the user's supplementary group set when logging in on the console (as determined by the `CONSOLE` setting). Default is none.
+# Use with caution - it is possible for users to gain permanent access to these groups, even when not logged in on the console. How to do it is left as an exercise for the reader...
# This variable is used by login and su.
-#
-#CONSOLE_GROUPS floppy:audio:cdrom
-
-#
-# If set to "yes", new passwords will be encrypted using the MD5-based
-# algorithm compatible with the one used by recent releases of FreeBSD.
-# It supports passwords of unlimited length and longer salt strings.
-# Set to "no" if you need to copy encrypted passwords to other systems
-# which don't understand the new algorithm. Default is "no".
-#
-# This variable is deprecated. You should use ENCRYPT_METHOD.
-#
-#MD5_CRYPT_ENAB no
-
-#
-# If set to MD5 , MD5-based algorithm will be used for encrypting password
-# If set to SHA256, SHA256-based algorithm will be used for encrypting password
-# If set to SHA512, SHA512-based algorithm will be used for encrypting password
-# If set to DES, DES-based algorithm will be used for encrypting password (default)
+#CONSOLE_GROUPS floppy:audio:cdrom
+
+# If set to `MD5`, MD5-based algorithm will be used for encrypting password
+# If set to `SHA256`, SHA256-based algorithm will be used for encrypting password
+# If set to `SHA512`, SHA512-based algorithm will be used for encrypting password
+# If set to `DES`, DES-based algorithm will be used for encrypting password (default)
# Overrides the MD5_CRYPT_ENAB option
#
# Note: It is recommended to use a value consistent with
# the PAM modules configuration.
-#
-ENCRYPT_METHOD SHA512
-
-#
-# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.
-#
-# Define the number of SHA rounds.
-# With a lot of rounds, it is more difficult to brute forcing the password.
-# But note also that it more CPU resources will be needed to authenticate
-# users.
-#
-# If not specified, the libc will choose the default number of rounds (5000).
-# The values must be inside the 1000-999999999 range.
-# If only one of the MIN or MAX values is set, then this value will be used.
+MD5_CRYPT_ENAB no
+ENCRYPT_METHOD SHA512
+
+# Only used if `ENCRYPT_METHOD` is set to `SHA256` or `SHA512`: Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute forcing the password. But note also that it more CPU resources will be needed to authenticate users.
+# If not specified, the libc will choose the default number of rounds (5000). The values must be inside the 1000-999999999 range. If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
-#
-# SHA_CRYPT_MIN_ROUNDS 5000
-# SHA_CRYPT_MAX_ROUNDS 5000
-
-################# OBSOLETED BY PAM ##############
-# #
-# These options are now handled by PAM. Please #
-# edit the appropriate file in /etc/pam.d/ to #
-# enable the equivelants of them.
-#
-###############
-
+#SHA_CRYPT_MIN_ROUNDS 5000
+#SHA_CRYPT_MAX_ROUNDS 5000
+
+
+# Obsoleted by PAM
+# ================
+# These options are now handled by PAM. Please edit the appropriate file in `/etc/pam.d/` to enable the equivelants of them.
#MOTD_FILE
#DIALUPS_CHECK_ENAB
#LASTLOG_ENAB
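Review bot: `ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:` ends with a colon, and an empty PATH component is treated as the current working directory, so every non-root login shell that inherits this PATH would search its working directory for commands; the removed Debian value had `/usr/local/games:/usr/games` in that position, and the trailing colon should be dropped (`PATH=/usr/local/bin:/usr/bin:/bin`). Separately, `PASS_MAX_DAYS 60` and `PASS_MIN_DAYS 7` only apply to accounts created after the file changes; existing users such as `vagrant` keep their previous aging values until `chage` is run for them.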
@@ -323,19 +192,17 @@
#CHSH_AUTH
#FAIL_DELAY
-################# OBSOLETED #######################
-# #
-# These options are no more handled by shadow. #
-# #
-# Shadow utilities will display a warning if they #
-# still appear. #
-# #
-###################################################
-
-# CLOSE_SESSIONS
-# LOGIN_STRING
-# NO_PASSWORD_CONSOLE
-# QMAIL_DIR
-
-
-
+# Obsoleted
+# =========
+# These options are no more handled by shadow.
+# Shadow utilities will display a warning if they still appear.
+#CLOSE_SESSIONS
+#LOGIN_STRING
+#NO_PASSWORD_CONSOLE
+#QMAIL_DIR
+
+# If set to `yes`, new passwords will be encrypted using the MD5-based algorithm compatible with the one used by recent releases of FreeBSD. It supports passwords of unlimited length and longer salt strings.
+# Set to `no` if you need to copy encrypted passwords to other systems which don't understand the new algorithm. Default is `no`.
+# This variable is deprecated. You should use ENCRYPT_METHOD.
+#
+#MD5_CRYPT_ENAB no
changed: [default]
TASK [devsec.hardening.os_hardening : find files with write-permissions for group] ***
ok: [default] => (item=/usr/local/sbin)
ok: [default] => (item=/usr/local/bin)
ok: [default] => (item=/usr/sbin)
ok: [default] => (item=/usr/bin)
ok: [default] => (item=/sbin)
ok: [default] => (item=/bin)
TASK [devsec.hardening.os_hardening : minimize access on found files] **********
TASK [devsec.hardening.os_hardening : change shadow ownership to root and mode to 0600 | os-02] ***
ok: [default]
TASK [devsec.hardening.os_hardening : change passwd ownership to root and mode to 0644 | os-03] ***
ok: [default]
TASK [devsec.hardening.os_hardening : change su-binary to only be accessible to user and group root] ***
--- before
+++ after
@@ -1,4 +1,4 @@
{
- "mode": "04755",
+ "mode": "0750",
"path": "/bin/su"
}
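Review bot: changing /bin/su from `04755` to `0750` does more than restrict it to group root: it drops the setuid bit, so su can no longer switch users for anyone who is not already uid 0. That is the intended outcome (privilege changes go through sudo, which this task does not touch), but confirm that sudo works for the admin account before applying this outside the VM, since a host with a locked root password and no working sudo has no remaining path to root.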
changed: [default]
TASK [devsec.hardening.os_hardening : set option hidepid for proc filesystem] ***
changed: [default]
TASK [devsec.hardening.os_hardening : update pam on Debian systems] ************
ok: [default]
TASK [devsec.hardening.os_hardening : remove pam ccreds to disable password caching] ***
ok: [default]
TASK [devsec.hardening.os_hardening : remove pam_cracklib, because it does not play nice with passwdqc] ***
ok: [default]
TASK [devsec.hardening.os_hardening : install the package for strong password checking] ***
The following additional packages will be installed:
libpasswdqc0 passwdqc
The following NEW packages will be installed:
libpam-passwdqc libpasswdqc0 passwdqc
0 upgraded, 3 newly installed, 0 to remove and 3 not upgraded.
changed: [default]
TASK [devsec.hardening.os_hardening : configure passwdqc] **********************
--- before: /usr/share/pam-configs/passwdqc
+++ after: /Users/zyun/.ansible/tmp/ansible-local-17596sli22rgo/tmp4ndshk0b/pam_passwdqd.j2
@@ -1,7 +1,11 @@
+#
+# Ansible managed
+#
+
Name: passwdqc password strength enforcement
Default: yes
Priority: 1024
Conflicts: cracklib
Password-Type: Primary
Password:
- requisite pam_passwdqc.so
+ requisite pam_passwdqc.so min=disabled,disabled,16,12,8
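Review bot: `min=disabled,disabled,16,12,8` sets passwdqc's five minimum lengths by character-class count: one- and two-class passwords are rejected outright, passphrases need 16 characters, three-class passwords 12 and four-class passwords 8. This is enforced only when a password is changed through the PAM password stack, so the existing `vagrant` password is not re-evaluated; the template name `pam_passwdqd.j2` in the after path looks like a typo for passwdqc but is cosmetic.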
changed: [default]
TASK [devsec.hardening.os_hardening : remove passwdqc] *************************
skipping: [default]
TASK [devsec.hardening.os_hardening : install tally2] **************************
skipping: [default]
TASK [devsec.hardening.os_hardening : configure tally2] ************************
skipping: [default]
TASK [devsec.hardening.os_hardening : delete tally2 when retries is 0] *********
skipping: [default]
TASK [devsec.hardening.os_hardening : remove pam_cracklib, because it does not play nice with passwdqc] ***
skipping: [default]
TASK [devsec.hardening.os_hardening : install the package for strong password checking] ***
skipping: [default]
TASK [devsec.hardening.os_hardening : remove passwdqc] *************************
skipping: [default]
TASK [devsec.hardening.os_hardening : configure passwdqc and tally via central system-auth confic] ***
skipping: [default]
TASK [devsec.hardening.os_hardening : Gather package facts] ********************
ok: [default]
TASK [devsec.hardening.os_hardening : NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512] ***
skipping: [default]
TASK [devsec.hardening.os_hardening : install modprobe to disable filesystems | os-10] ***
ok: [default]
TASK [devsec.hardening.os_hardening : check if efi is installed] ***************
ok: [default]
TASK [devsec.hardening.os_hardening : remove vfat from fs-list if efi is used] ***
skipping: [default]
TASK [devsec.hardening.os_hardening : remove used filesystems from fs-list] ****
ok: [default]
TASK [devsec.hardening.os_hardening : disable unused filesystems | os-10] ******
--- before
+++ after: /Users/zyun/.ansible/tmp/ansible-local-17596sli22rgo/tmputq_jwz0/modprobe.j2
@@ -0,0 +1,15 @@
+#
+# Ansible managed
+#
+
+install cramfs /bin/true
+install freevxfs /bin/true
+install jffs2 /bin/true
+install hfs /bin/true
+install hfsplus /bin/true
+install udf /bin/true
+install vfat /bin/true
+install tipc /bin/true
+install sctp /bin/true
+install dccp /bin/true
+install rds /bin/true
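Review bot: despite the task name, only the first seven entries are filesystems; tipc, sctp, dccp and rds are network protocols, and the `install <module> /bin/true` form stops modprobe from loading any of them on demand (the usual recommendation for uncommon filesystems and protocols). vfat is only on the list because the earlier 'check if efi is installed' task found no EFI on this box; on a UEFI host the role keeps vfat, which the EFI system partition needs. `install /bin/true` does not unload a module that is already loaded, so check `lsmod` after the run; `modprobe -n -v dccp` should print the `install /bin/true` line.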
changed: [default]
TASK [devsec.hardening.os_hardening : add pinerolo_profile.sh to profile.d] ****
--- before
+++ after: /Users/zyun/.ansible/tmp/ansible-local-17596sli22rgo/tmpbgtr5nr4/profile.conf.j2
@@ -0,0 +1,6 @@
+#
+# Ansible managed
+#
+
+# Disable core dumps via soft limits for all users. Compliance to this setting is voluntary and can be modified by users up to a hard limit. This setting is a sane default.
+ulimit -S -c 0 > /dev/null 2>&1
changed: [default]
TASK [devsec.hardening.os_hardening : remove pinerolo_profile.sh from profile.d] ***
skipping: [default]
TASK [devsec.hardening.os_hardening : create securetty] ************************
--- before
+++ after: /Users/zyun/.ansible/tmp/ansible-local-17596sli22rgo/tmpfvwh097x/securetty.j2
@@ -0,0 +1,13 @@
+#
+# Ansible managed
+#
+
+# A list of TTYs, from which root can log in
+# see `man securetty` for reference
+console
+tty1
+tty2
+tty3
+tty4
+tty5
+tty6
changed: [default]
TASK [devsec.hardening.os_hardening : remove suid/sgid bit from binaries in blacklist | os-06] ***
ok: [default] => (item=/usr/bin/rcp)
ok: [default] => (item=/usr/bin/rlogin)
ok: [default] => (item=/usr/bin/rsh)
ok: [default] => (item=/usr/libexec/openssh/ssh-keysign)
--- before
+++ after
@@ -1,4 +1,4 @@
{
- "mode": "04755",
+ "mode": "0755",
"path": "/usr/lib/openssh/ssh-keysign"
}
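Review bot: dropping setuid from /usr/lib/openssh/ssh-keysign (`04755` to `0755`) disables SSH host-based authentication, which is the only purpose of ssh-keysign; that is fine unless the environment relies on `HostbasedAuthentication`, in which case this path needs to be whitelisted for the role.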
changed: [default] => (item=/usr/lib/openssh/ssh-keysign)
ok: [default] => (item=/sbin/netreport)
ok: [default] => (item=/usr/sbin/usernetctl)
ok: [default] => (item=/usr/sbin/userisdnctl)
ok: [default] => (item=/usr/sbin/pppd)
ok: [default] => (item=/usr/bin/lockfile)
ok: [default] => (item=/usr/bin/mail-lock)
ok: [default] => (item=/usr/bin/mail-unlock)
ok: [default] => (item=/usr/bin/mail-touchlock)
ok: [default] => (item=/usr/bin/dotlockfile)
ok: [default] => (item=/usr/bin/arping)
ok: [default] => (item=/usr/sbin/uuidd)
ok: [default] => (item=/usr/bin/mtr)
ok: [default] => (item=/usr/lib/evolution/camel-lock-helper-1.2)
ok: [default] => (item=/usr/lib/pt_chown)
--- before
+++ after
@@ -1,4 +1,4 @@
{
- "mode": "04755",
+ "mode": "0755",
"path": "/usr/lib/eject/dmcrypt-get-device"
}
changed: [default] => (item=/usr/lib/eject/dmcrypt-get-device)
ok: [default] => (item=/usr/lib/mc/cons.saver)
TASK [devsec.hardening.os_hardening : find binaries with suid/sgid set | os-06] ***
skipping: [default]
TASK [devsec.hardening.os_hardening : gather files from which to remove suids/sgids and remove system white-listed files | os-06] ***
skipping: [default]
TASK [devsec.hardening.os_hardening : remove suid/sgid bit from all binaries except in system and user whitelist | os-06] ***
TASK [devsec.hardening.os_hardening : protect sysctl.conf] *********************
--- before
+++ after
@@ -1,5 +1,5 @@
{
- "mode": "0644",
+ "mode": "0440",
"path": "/etc/sysctl.conf",
- "state": "file"
+ "state": "touch"
}
changed: [default]
TASK [devsec.hardening.os_hardening : set Daemon umask, do config for rhel-family | NSA 2.2.4.1] ***
skipping: [default]
TASK [devsec.hardening.os_hardening : install initramfs-tools] *****************
ok: [default]
TASK [devsec.hardening.os_hardening : rebuild initramfs with starting pack of modules, if module loading at runtime is disabled] ***
--- before: /etc/initramfs-tools/modules
+++ after: /Users/zyun/.ansible/tmp/ansible-local-17596sli22rgo/tmpyqzwoznb/modules.j2
@@ -1,11 +1,95 @@
-# List of modules that you want to include in your initramfs.
-# They will be loaded at boot time in the order below.
#
-# Syntax: module_name [args ...]
+# Ansible managed
#
-# You must run update-initramfs(8) to effect this change.
+
+# This file contains the names of kernel modules that should be loaded at boot time, one per line. Lines beginning with "#" are ignored.
#
-# Examples:
+# A list of all available kernel modules kann be found with `find /lib/modules/$(uname -r)/kernel/`
+# We will sort by folder.
+
+
+# Arch
+# ----
#
-# raid1
-# sd_mod
+# Modules for certains builds, contains support modules and some CPU-specific optimizations.
+
+# Optimize for x86_64 cryptographic features
+twofish-x86_64-3way
+twofish-x86_64
+aes-x86_64
+salsa20-x86_64
+blowfish-x86_64
+
+# Intel-specific optimizations
+ghash-clmulni-intel
+aesni-intel
+kvm-intel
+
+kvm
+
+# Crypto
+# ------
+
+# Some core modules which comprise strong cryptography.
+blowfish_common
+blowfish_generic
+ctr
+cts
+lrw
+lzo
+rmd160
+rmd256
+rmd320
+serpent
+sha512_generic
+twofish_common
+twofish_generic
+xts
+zlib
+
+
+# Drivers
+# -------
+
+# Basics
+lp
+rtc
+loop
+
+# Filesystems
+ext2
+btrfs
+
+
+# Lib
+# ---
+xz
+
+
+# Net
+# ---
+
+# All packets needed for netfilter rules (ie iptables, ebtables).
+ip_tables
+x_tables
+iptable_filter
+iptable_nat
+
+# Targets
+ipt_LOG
+ipt_REJECT
+
+# Modules
+xt_connlimit
+xt_tcpudp
+xt_recent
+xt_limit
+xt_conntrack
+nf_conntrack
+nf_conntrack_ipv4
+nf_defrag_ipv4
+xt_state
+nf_nat
+
+# Addons
+xt_pknock
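Review bot: this module list is a static template rather than something derived from what the host loads, so it should be reconciled against `lsmod` before it goes into the initramfs: `xt_pknock` comes from xtables-addons and is not in a stock Ubuntu kernel, and `nf_conntrack_ipv4` was folded into `nf_conntrack` in Linux 4.19, so both are missing on Ubuntu 20.04's 5.4 kernel. Note also that the sysctl list applied further down does not set `kernel.modules_disabled`, so runtime module loading stays on and this file only changes what is baked into the initramfs; "kann" in the comment is a typo in the template.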
changed: [default]
TASK [devsec.hardening.os_hardening : create a combined sysctl-dict if overwrites are defined] ***
ok: [default]
TASK [devsec.hardening.os_hardening : Change various sysctl-settings, look at the sysctl-vars file for documentation] ***
changed: [default] => (item={'key': 'net.ipv4.ip_forward', 'value': 1})
changed: [default] => (item={'key': 'net.ipv6.conf.all.forwarding', 'value': 0})
changed: [default] => (item={'key': 'net.ipv6.conf.all.accept_ra', 'value': 0})
changed: [default] => (item={'key': 'net.ipv6.conf.default.accept_ra', 'value': 0})
changed: [default] => (item={'key': 'net.ipv4.conf.all.rp_filter', 'value': 1})
changed: [default] => (item={'key': 'net.ipv4.conf.default.rp_filter', 'value': 1})
changed: [default] => (item={'key': 'net.ipv4.icmp_echo_ignore_broadcasts', 'value': 1})
changed: [default] => (item={'key': 'net.ipv4.icmp_ignore_bogus_error_responses', 'value': 1})
changed: [default] => (item={'key': 'net.ipv4.icmp_ratelimit', 'value': 100})
changed: [default] => (item={'key': 'net.ipv4.icmp_ratemask', 'value': 88089})
changed: [default] => (item={'key': 'net.ipv6.conf.all.disable_ipv6', 'value': 1})
changed: [default] => (item={'key': 'net.ipv4.tcp_timestamps', 'value': 0})
changed: [default] => (item={'key': 'net.ipv4.conf.all.arp_ignore', 'value': 1})
changed: [default] => (item={'key': 'net.ipv4.conf.all.arp_announce', 'value': 2})
changed: [default] => (item={'key': 'net.ipv4.tcp_rfc1337', 'value': 1})
changed: [default] => (item={'key': 'net.ipv4.conf.all.shared_media', 'value': 1})
changed: [default] => (item={'key': 'net.ipv4.conf.default.shared_media', 'value': 1})
changed: [default] => (item={'key': 'net.ipv4.conf.all.accept_source_route', 'value': 0})
changed: [default] => (item={'key': 'net.ipv4.conf.default.accept_source_route', 'value': 0})
changed: [default] => (item={'key': 'net.ipv4.conf.default.accept_redirects', 'value': 0})
changed: [default] => (item={'key': 'net.ipv4.conf.all.accept_redirects', 'value': 0})
changed: [default] => (item={'key': 'net.ipv4.conf.all.secure_redirects', 'value': 0})
changed: [default] => (item={'key': 'net.ipv4.conf.default.secure_redirects', 'value': 0})
changed: [default] => (item={'key': 'net.ipv6.conf.default.accept_redirects', 'value': 0})
changed: [default] => (item={'key': 'net.ipv6.conf.all.accept_redirects', 'value': 0})
changed: [default] => (item={'key': 'net.ipv4.conf.all.send_redirects', 'value': 0})
changed: [default] => (item={'key': 'net.ipv4.conf.default.send_redirects', 'value': 0})
changed: [default] => (item={'key': 'net.ipv4.conf.all.log_martians', 'value': 1})
changed: [default] => (item={'key': 'net.ipv4.conf.default.log_martians', 'value': 1})
changed: [default] => (item={'key': 'net.ipv6.conf.default.router_solicitations', 'value': 0})
changed: [default] => (item={'key': 'net.ipv6.conf.default.accept_ra_rtr_pref', 'value': 0})
changed: [default] => (item={'key': 'net.ipv6.conf.default.accept_ra_pinfo', 'value': 0})
changed: [default] => (item={'key': 'net.ipv6.conf.default.accept_ra_defrtr', 'value': 0})
changed: [default] => (item={'key': 'net.ipv6.conf.default.autoconf', 'value': 0})
changed: [default] => (item={'key': 'net.ipv6.conf.default.dad_transmits', 'value': 0})
changed: [default] => (item={'key': 'net.ipv6.conf.default.max_addresses', 'value': 1})
changed: [default] => (item={'key': 'kernel.sysrq', 'value': 0})
changed: [default] => (item={'key': 'fs.suid_dumpable', 'value': 0})
changed: [default] => (item={'key': 'kernel.randomize_va_space', 'value': 2})
changed: [default] => (item={'key': 'kernel.core_uses_pid', 'value': 1})
changed: [default] => (item={'key': 'kernel.yama.ptrace_scope', 'value': 1})
changed: [default] => (item={'key': 'vm.mmap_min_addr', 'value': 65536})
changed: [default] => (item={'key': 'fs.protected_hardlinks', 'value': 1})
changed: [default] => (item={'key': 'fs.protected_symlinks', 'value': 1})
changed: [default] => (item={'key': 'vm.mmap_rnd_bits', 'value': 32})
changed: [default] => (item={'key': 'vm.mmap_rnd_compat_bits', 'value': 16})
changed: [default] => (item={'key': 'kernel.kptr_restrict', 'value': 2})
changed: [default] => (item={'key': 'kernel.kexec_load_disabled', 'value': 1})
TASK [devsec.hardening.os_hardening : Change various sysctl-settings on rhel6-hosts or older, look at the sysctl-vars file for documentation] ***
skipping: [default]
TASK [devsec.hardening.os_hardening : Apply ufw defaults] **********************
--- before: /etc/default/ufw
+++ after: /Users/zyun/.ansible/tmp/ansible-local-17596sli22rgo/tmpjo6mjbdg/ufw.j2
@@ -1,10 +1,14 @@
+#
+# Ansible managed
+#
+
# /etc/default/ufw
#
# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
-IPV6=yes
+IPV6=no
# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
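Review bot: `IPV6=no` here is consistent with `net.ipv6.conf.all.disable_ipv6 = 1` in the sysctl task above, but together they cut IPv6 at the firewall and the kernel at once; if the host is reached over IPv6, override both in the role variables rather than only one. These are ufw defaults only; nothing in this run enables ufw.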
@@ -26,22 +30,19 @@
# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
-MANAGE_BUILTINS=no
+MANAGE_BUILTINS="no"
#
# IPT backend
#
-# only enable if using iptables backend
-IPT_SYSCTL=/etc/ufw/sysctl.conf
+# only enable if using iptables backend and want to overwrite /etc/sysctl.conf
+#IPT_SYSCTL=
-# Extra connection tracking modules to load. IPT_MODULES should typically be
-# empty for new installations and modules added only as needed. See
-# 'CONNECTION HELPERS' from 'man ufw-framework' for details. Complete list can
-# be found in net/netfilter/Kconfig of your kernel source. Some common modules:
+# Extra connection tracking modules to load. Complete list can be found in
+# net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
-# nf_conntrack_sane: sane support
-IPT_MODULES=""
+IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
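Review bot: `IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"` loads kernel-side protocol helpers (FTP and NetBIOS parsers) that the distro default deliberately left empty; they enlarge the kernel attack surface and only pay off on a host that serves FTP or Samba, so for a general-purpose server the empty value is the harder one. The `MANAGE_BUILTINS` change is quoting only.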
changed: [default]
TASK [devsec.hardening.os_hardening : get UID_MIN from login.defs] *************
ok: [default]
TASK [devsec.hardening.os_hardening : calculate UID_MAX from UID_MIN by substracting 1] ***
ok: [default]
TASK [devsec.hardening.os_hardening : set UID_MAX on Debian-systems if no login.defs exist] ***
skipping: [default]
TASK [devsec.hardening.os_hardening : set UID_MAX on other systems if no login.defs exist] ***
skipping: [default]
TASK [devsec.hardening.os_hardening : get all system accounts] *****************
ok: [default]
TASK [devsec.hardening.os_hardening : remove always ignored system accounts from list] ***
ok: [default]
TASK [devsec.hardening.os_hardening : change system accounts not on the user provided ignore-list] ***
ok: [default] => (item=daemon)
ok: [default] => (item=bin)
ok: [default] => (item=sys)
ok: [default] => (item=games)
ok: [default] => (item=man)
ok: [default] => (item=lp)
ok: [default] => (item=mail)
ok: [default] => (item=news)
ok: [default] => (item=uucp)
ok: [default] => (item=proxy)
ok: [default] => (item=www-data)
ok: [default] => (item=backup)
ok: [default] => (item=list)
ok: [default] => (item=irc)
ok: [default] => (item=gnats)
ok: [default] => (item=systemd-network)
ok: [default] => (item=systemd-resolve)
ok: [default] => (item=systemd-timesync)
ok: [default] => (item=messagebus)
ok: [default] => (item=syslog)
ok: [default] => (item=_apt)
changed: [default] => (item=tss)
ok: [default] => (item=uuidd)
ok: [default] => (item=tcpdump)
ok: [default] => (item=sshd)
ok: [default] => (item=landscape)
changed: [default] => (item=pollinate)
changed: [default] => (item=systemd-coredump)
changed: [default] => (item=lxd)
TASK [devsec.hardening.os_hardening : Get user accounts | os-09] ***************
ok: [default]
TASK [devsec.hardening.os_hardening : delete rhosts-files from system | os-09] ***
ok: [default] => (item=root)
ok: [default] => (item=daemon)
ok: [default] => (item=bin)
ok: [default] => (item=sys)
ok: [default] => (item=sync)
ok: [default] => (item=games)
ok: [default] => (item=man)
ok: [default] => (item=lp)
ok: [default] => (item=mail)
ok: [default] => (item=news)
ok: [default] => (item=uucp)
ok: [default] => (item=proxy)
ok: [default] => (item=www-data)
ok: [default] => (item=backup)
ok: [default] => (item=list)
ok: [default] => (item=irc)
ok: [default] => (item=gnats)
ok: [default] => (item=nobody)
ok: [default] => (item=systemd-network)
ok: [default] => (item=systemd-resolve)
ok: [default] => (item=systemd-timesync)
ok: [default] => (item=messagebus)
ok: [default] => (item=syslog)
ok: [default] => (item=_apt)
ok: [default] => (item=tss)
ok: [default] => (item=uuidd)
ok: [default] => (item=tcpdump)
ok: [default] => (item=sshd)
ok: [default] => (item=landscape)
ok: [default] => (item=pollinate)
ok: [default] => (item=vagrant)
ok: [default] => (item=systemd-coredump)
ok: [default] => (item=ubuntu)
ok: [default] => (item=lxd)
TASK [devsec.hardening.os_hardening : delete hosts.equiv from system | os-01] ***
ok: [default]
TASK [devsec.hardening.os_hardening : delete .netrc-files from system | os-09] ***
ok: [default] => (item=root)
ok: [default] => (item=daemon)
ok: [default] => (item=bin)
ok: [default] => (item=sys)
ok: [default] => (item=sync)
ok: [default] => (item=games)
ok: [default] => (item=man)
ok: [default] => (item=lp)
ok: [default] => (item=mail)
ok: [default] => (item=news)
ok: [default] => (item=uucp)
ok: [default] => (item=proxy)
ok: [default] => (item=www-data)
ok: [default] => (item=backup)
ok: [default] => (item=list)
ok: [default] => (item=irc)
ok: [default] => (item=gnats)
ok: [default] => (item=nobody)
ok: [default] => (item=systemd-network)
ok: [default] => (item=systemd-resolve)
ok: [default] => (item=systemd-timesync)
ok: [default] => (item=messagebus)
ok: [default] => (item=syslog)
ok: [default] => (item=_apt)
ok: [default] => (item=tss)
ok: [default] => (item=uuidd)
ok: [default] => (item=tcpdump)
ok: [default] => (item=sshd)
ok: [default] => (item=landscape)
ok: [default] => (item=pollinate)
ok: [default] => (item=vagrant)
ok: [default] => (item=systemd-coredump)
ok: [default] => (item=ubuntu)
ok: [default] => (item=lxd)
TASK [devsec.hardening.os_hardening : remove unused repositories] **************
skipping: [default] => (item=CentOS-Debuginfo)
skipping: [default] => (item=CentOS-Media)
skipping: [default] => (item=CentOS-Vault)
TASK [devsec.hardening.os_hardening : get yum-repository-files] ****************
skipping: [default]
TASK [devsec.hardening.os_hardening : activate gpg-check for yum-repository-files] ***
TASK [devsec.hardening.os_hardening : activate gpg-check for config files] *****
skipping: [default] => (item=/etc/yum.conf)
skipping: [default] => (item=/etc/dnf/dnf.conf)
skipping: [default] => (item=/etc/yum/pluginconf.d/rhnplugin.conf)
TASK [devsec.hardening.os_hardening : remove deprecated or insecure packages | package-01 - package-09] ***
skipping: [default]
TASK [devsec.hardening.os_hardening : remove deprecated or insecure packages | package-01 - package-09] ***
ok: [default]
TASK [devsec.hardening.os_hardening : configure selinux | selinux-01] **********
skipping: [default]
TASK [devsec.hardening.ssh_hardening : include_tasks] **************************
included: /Users/zyun/.ansible/collections/ansible_collections/devsec/hardening/roles/ssh_hardening/tasks/hardening.yml for default
TASK [devsec.hardening.ssh_hardening : set OS dependent variables] *************
ok: [default] => (item=/Users/zyun/.ansible/collections/ansible_collections/devsec/hardening/roles/ssh_hardening/vars/Debian.yml)
TASK [devsec.hardening.ssh_hardening : get openssh-version] ********************
ok: [default]
TASK [devsec.hardening.ssh_hardening : parse openssh-version] ******************
ok: [default]
TASK [devsec.hardening.ssh_hardening : set default for ssh_host_key_files if not supplied] ***
included: /Users/zyun/.ansible/collections/ansible_collections/devsec/hardening/roles/ssh_hardening/tasks/crypto_hostkeys.yml for default
TASK [devsec.hardening.ssh_hardening : set hostkeys according to openssh-version if openssh >= 5.3] ***
ok: [default]
TASK [devsec.hardening.ssh_hardening : set hostkeys according to openssh-version if openssh >= 6.0] ***
ok: [default]
TASK [devsec.hardening.ssh_hardening : set hostkeys according to openssh-version if openssh >= 6.3] ***
ok: [default]
TASK [devsec.hardening.ssh_hardening : set default for ssh_macs if not supplied] ***
included: /Users/zyun/.ansible/collections/ansible_collections/devsec/hardening/roles/ssh_hardening/tasks/crypto_macs.yml for default
TASK [devsec.hardening.ssh_hardening : set macs according to openssh-version if openssh >= 5.3] ***
ok: [default]
TASK [devsec.hardening.ssh_hardening : set macs for Enterprise Linux >= 6.5 (openssh 5.3 with backports)] ***
skipping: [default]
TASK [devsec.hardening.ssh_hardening : set macs according to openssh-version if openssh >= 5.9] ***
ok: [default]
TASK [devsec.hardening.ssh_hardening : set macs according to openssh-version if openssh >= 6.6] ***
ok: [default]
TASK [devsec.hardening.ssh_hardening : set macs according to openssh-version if openssh >= 7.6] ***
ok: [default]
TASK [devsec.hardening.ssh_hardening : set default for ssh_ciphers if not supplied] ***
included: /Users/zyun/.ansible/collections/ansible_collections/devsec/hardening/roles/ssh_hardening/tasks/crypto_ciphers.yml for default
TASK [devsec.hardening.ssh_hardening : set ciphers according to openssh-version if openssh >= 5.3] ***
ok: [default]
TASK [devsec.hardening.ssh_hardening : set ciphers according to openssh-version if openssh >= 6.6] ***
ok: [default]
TASK [devsec.hardening.ssh_hardening : set default for ssh_kex if not supplied] ***
included: /Users/zyun/.ansible/collections/ansible_collections/devsec/hardening/roles/ssh_hardening/tasks/crypto_kex.yml for default
TASK [devsec.hardening.ssh_hardening : set kex according to openssh-version if openssh >= 5.9] ***
ok: [default]
TASK [devsec.hardening.ssh_hardening : set kex according to openssh-version if openssh >= 6.6] ***
ok: [default]
TASK [devsec.hardening.ssh_hardening : set kex according to openssh-version if openssh >= 8.0] ***
ok: [default]
TASK [devsec.hardening.ssh_hardening : create revoked_keys and set permissions to root/600] ***
--- before
+++ after: /Users/zyun/.ansible/tmp/ansible-local-17596sli22rgo/tmpbgjsebxg/revoked_keys.j2
@@ -0,0 +1,4 @@
+#
+# Ansible managed
+#
+
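Review bot: the created revoked_keys file is empty apart from the header, so `RevokedKeys /etc/ssh/revoked_keys` in sshd_config has no effect until it is populated; it accepts either one public key per line or a KRL built with `ssh-keygen -k`, and the KRL is the form that scales to a fleet.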
changed: [default]
TASK [devsec.hardening.ssh_hardening : create sshd_config and set permissions to root/600] ***
--- before: /etc/ssh/sshd_config
+++ after: /Users/zyun/.ansible/tmp/ansible-local-17596sli22rgo/tmpphj31r13/opensshd.conf.j2
@@ -1,123 +1,173 @@
-# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+#
+# Ansible managed
+#
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
+# This is the ssh client system-wide configuration file.
+# See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
-# default value.
+# Basic configuration
+# ===================
-Include /etc/ssh/sshd_config.d/*.conf
+# Either disable or only allow root login via certificates.
+PermitRootLogin no
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
+# Define which port sshd should listen to. Default to `22`.
+Port 22
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
+# Address family should always be limited to the active network configuration.
+AddressFamily inet
-# Ciphers and keying
-#RekeyLimit default none
+# Define which addresses sshd should listen to. Default to `0.0.0.0`, ie make sure you put your desired address in here, since otherwise sshd will listen to everyone.
+ListenAddress 0.0.0.0
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
+# List HostKeys here.
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
-# Authentication:
+# Specifies the host key algorithms that the server offers.
+#
+# HostKeyAlgorithms
+#
-#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
+# Security configuration
+# ======================
-#PubkeyAuthentication yes
+# Set the protocol version to 2 for security reasons. Disables legacy support.
+Protocol 2
-# Expect .ssh/authorized_keys2 to be disregarded by default in future.
-#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+# Make sure sshd checks file modes and ownership before accepting logins. This prevents accidental misconfiguration.
+StrictModes yes
-#AuthorizedPrincipalsFile none
+# Logging, obsoletes QuietMode and FascistLogging
+SyslogFacility AUTH
+LogLevel VERBOSE
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
+# Cryptography
+# ------------
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
+# **Ciphers** -- If your clients don't support CTR (eg older versions), cbc will be added
+# CBC: is true if you want to connect with OpenSSL-base libraries
+# eg ruby Net::SSH::Transport::CipherFactory requires cbc-versions of the given openssh ciphers to work
+# -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
+#
-# To disable tunneled clear text passwords, change to no here!
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+
+# **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary.
+# Weak HMAC is sometimes required if older package versions are used
+# eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.
+#
+
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+
+# Alternative setting, if OpenSSH version is below v5.9
+#MACs hmac-ripemd160
+
+# **Key Exchange Algorithms** -- Make sure not to use SHA1 for kex, unless it is really necessary
+# Weak kex is sometimes required if older package versions are used
+# eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.
+# based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf
+
+KexAlgorithms sntrup4591761x25519-sha512@tinyssh.org,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+
+# Authentication
+# --------------
+
+# Secure Login directives.
+
+LoginGraceTime 30s
+MaxAuthTries 2
+MaxSessions 10
+MaxStartups 10:30:100
+
+# Enable public key authentication
+PubkeyAuthentication yes
+
+# Never use host-based authentication. It can be exploited.
+IgnoreRhosts yes
+IgnoreUserKnownHosts yes
+HostbasedAuthentication no
+
+# Enable PAM to enforce system wide rules
+UsePAM yes
+
+# Set AuthenticationMethods per default to publickey
+# AuthenticationMethods was introduced in OpenSSH 6.2 - https://www.openssh.com/txt/release-6.2
+AuthenticationMethods publickey
+
+# Disable password-based authentication, it can allow for potentially easier brute-force attacks.
PasswordAuthentication no
-#PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
+PermitEmptyPasswords no
ChallengeResponseAuthentication no
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
+# Only enable Kerberos authentication if it is configured.
+KerberosAuthentication no
+KerberosOrLocalPasswd no
+KerberosTicketCleanup yes
#KerberosGetAFSToken no
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-#GSSAPIStrictAcceptorCheck yes
-#GSSAPIKeyExchange no
+# Only enable GSSAPI authentication if it is configured.
+GSSAPIAuthentication no
+GSSAPICleanupCredentials yes
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
+# In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here. For key-based authentication this is not necessary, since all keys must be explicitely enabled.
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-X11Forwarding yes
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
+
+
+
+
+
+# Network
+# -------
+
+# Disable TCP keep alive since it is spoofable. Use ClientAlive messages instead, they use the encrypted channel
+TCPKeepAlive no
+
+# Manage `ClientAlive..` signals via interval and maximum count. This will periodically check up to a `..CountMax` number of times within `..Interval` timeframe, and abort the connection once these fail.
+ClientAliveInterval 300
+ClientAliveCountMax 3
+
+# Disable tunneling
+PermitTunnel no
+
+# Disable forwarding tcp connections.
+# no real advantage without denied shell access
+AllowTcpForwarding no
+
+# Disable agent forwarding, since local agent could be accessed through forwarded connection.
+# no real advantage without denied shell access
+AllowAgentForwarding no
+
+# Do not allow remote port forwardings to bind to non-loopback addresses.
+GatewayPorts no
+
+# Disable X11 forwarding, since local X11 display could be accessed through forwarded connection.
+X11Forwarding no
+X11UseLocalhost yes
+
+# User environment configuration
+# ==============================
+
+PermitUserEnvironment no
+
+
+# Misc. configuration
+# ===================
+
+Compression no
+
+UseDNS no
+
PrintMotd no
-#PrintLastLog yes
-#TCPKeepAlive yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-# no default banner path
-#Banner none
+PrintLastLog no
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
+Banner none
-# override default of no subsystems
-Subsystem sftp /usr/lib/openssh/sftp-server
+DebianBanner no
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
+# Reject keys that are explicitly blacklisted
+RevokedKeys /etc/ssh/revoked_keys
+
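Review bot: `AuthenticationMethods publickey`, `PasswordAuthentication no` and `PermitRootLogin no` together lock out anyone without a key for a non-root user, so confirm that key is in place before the restart handler runs (in this Vagrant box the vagrant user's key covers it; on a real host keep a console fallback ready). `MaxAuthTries 2` is the other operational trap: a client whose agent offers several keys is disconnected with "Too many authentication failures" before it reaches the right one, so pair it with `IdentitiesOnly yes` on the client side or raise the value. Two removals are easy to miss in the noise: `Include /etc/ssh/sshd_config.d/*.conf` is gone, so drop-ins no longer apply, and `Subsystem sftp` is gone, so SFTP is disabled (the role exposes a variable to re-enable it). Minor: the header comment calls this the ssh client configuration file, which is template wording, and `sntrup4591761x25519-sha512@tinyssh.org` is the OpenSSH 8.0 to 8.4 name of the post-quantum kex; the role picks it from the detected version, and 8.5 and later renamed it.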
changed: [default]
TASK [devsec.hardening.ssh_hardening : disable dynamic MOTD] *******************
changed: [default]
TASK [devsec.hardening.ssh_hardening : create ssh_config and set permissions to root/644] ***
--- before: /etc/ssh/ssh_config
+++ after: /Users/zyun/.ansible/tmp/ansible-local-17596sli22rgo/tmp1ymv_ayi/openssh.conf.j2
@@ -1,52 +1,99 @@
+#
+# Ansible managed
+#
-# This is the ssh client system-wide configuration file. See
-# ssh_config(5) for more information. This file provides defaults for
-# users, and the values can be changed in per-user configuration files
-# or on the command line.
+# This is the ssh client system-wide configuration file.
+# See ssh_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
-# Configuration data is parsed as follows:
-# 1. command line options
-# 2. user-specific file
-# 3. system-wide file
-# Any configuration value is only changed the first time it is set.
-# Thus, host-specific definitions should be at the beginning of the
-# configuration file, and defaults at the end.
-# Site-wide defaults for some commonly used options. For a comprehensive
-# list of available options, their meanings and defaults, please see the
-# ssh_config(5) man page.
+# Basic configuration
+# ===================
-Include /etc/ssh/ssh_config.d/*.conf
+# Address family should always be limited to the active network configuration.
+AddressFamily inet
+
+# Global defaults for all Hosts
Host *
-# ForwardAgent no
-# ForwardX11 no
-# ForwardX11Trusted yes
-# PasswordAuthentication yes
-# HostbasedAuthentication no
-# GSSAPIAuthentication no
-# GSSAPIDelegateCredentials no
-# GSSAPIKeyExchange no
-# GSSAPITrustDNS no
-# BatchMode no
-# CheckHostIP yes
-# AddressFamily any
-# ConnectTimeout 0
-# StrictHostKeyChecking ask
-# IdentityFile ~/.ssh/id_rsa
-# IdentityFile ~/.ssh/id_dsa
-# IdentityFile ~/.ssh/id_ecdsa
-# IdentityFile ~/.ssh/id_ed25519
-# Port 22
-# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
-# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
-# EscapeChar ~
-# Tunnel no
-# TunnelDevice any:any
-# PermitLocalCommand no
-# VisualHostKey no
-# ProxyCommand ssh -q -W %h:%p gateway.example.com
-# RekeyLimit 1G 1h
- SendEnv LANG LC_*
- HashKnownHosts yes
- GSSAPIAuthentication yes
+
+# The port at the destination should be defined
+Port 22
+
+# Identity file configuration. You may restrict available identity files. Otherwise ssh will search for a pattern and use any that matches.
+#IdentityFile ~/.ssh/identity
+#IdentityFile ~/.ssh/id_rsa
+#IdentityFile ~/.ssh/id_dsa
+
+
+# Security configuration
+# ======================
+
+# Set the protocol version to 2 for security reasons. Disables legacy support.
+Protocol 2
+
+# Make sure passphrase querying is enabled
+BatchMode no
+
+# Prevent IP spoofing by checking to host IP against the `known_hosts` file.
+CheckHostIP yes
+
+# Always ask before adding keys to the `known_hosts` file. Do not set to `yes`.
+StrictHostKeyChecking ask
+
+
+# **Ciphers** -- If your clients don't support CTR (eg older versions), cbc will be added
+# CBC: is true if you want to connect with OpenSSL-base libraries
+# eg ruby Net::SSH::Transport::CipherFactory requires cbc-versions of the given openssh ciphers to work
+# -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
+#
+
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+
+# **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary.
+# Weak HMAC is sometimes required if older package versions are used
+# eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.
+#
+
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+
+# Alternative setting, if OpenSSH version is below v5.9
+#MACs hmac-ripemd160
+
+# **Key Exchange Algorithms** -- Make sure not to use SHA1 for kex, unless it is really necessary
+# Weak kex is sometimes required if older package versions are used
+# eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case.
+# based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf
+
+KexAlgorithms sntrup4591761x25519-sha512@tinyssh.org,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+
+# Disable agent forwarding, since local agent could be accessed through forwarded connection.
+ForwardAgent no
+
+# Disable X11 forwarding, since local X11 display could be accessed through forwarded connection.
+ForwardX11 no
+
+# Never use host-based authentication. It can be exploited.
+HostbasedAuthentication no
+
+# Disable password-based authentication, it can allow for potentially easier brute-force attacks.
+PasswordAuthentication no
+
+# Only use GSSAPIAuthentication if implemented on the network.
+GSSAPIAuthentication no
+GSSAPIDelegateCredentials no
+
+# Disable tunneling
+Tunnel no
+
+# Disable local command execution.
+PermitLocalCommand no
+
+
+# Misc. configuration
+# ===================
+
+Compression no
+
+#EscapeChar ~
+#VisualHostKey yes
+
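Review bot: besides the algorithm lists, this hunk silently drops three Ubuntu defaults: `Include /etc/ssh/ssh_config.d/*.conf`, `SendEnv LANG LC_*` and `HashKnownHosts yes`. Losing `HashKnownHosts yes` is a regression, since hashed known_hosts stops whoever reads the file from learning which hosts this box talks to, so set it back through the role's variables or a drop-in (which then also needs the Include restored). `PasswordAuthentication no` on the client side means outbound ssh from this host can never fall back to a password, which is fine for a server but worth knowing before troubleshooting.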
changed: [default]
TASK [devsec.hardening.ssh_hardening : check if /etc/ssh/moduli contains weak DH parameters] ***
ok: [default]
TASK [devsec.hardening.ssh_hardening : remove all small primes] ****************
changed: [default]
TASK [devsec.hardening.ssh_hardening : include tasks to setup ca keys and principals] ***
skipping: [default]
TASK [devsec.hardening.ssh_hardening : include selinux specific tasks] *********
skipping: [default]
TASK [devsec.hardening.ssh_hardening : gather package facts] *******************
ok: [default]
TASK [devsec.hardening.ssh_hardening : disable SSH server CRYPTO_POLICY] *******
skipping: [default]
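A check worth running once the ssh_hardening role has finished, added here as an example and not code from the original post or from the devsec.hardening collection: it parses the output of `sshd -T` (the effective configuration, which is what a client actually meets, drop-ins and Match blocks included) and reports every directive that differs from the hardened sshd_config in the diff above, plus any cipher, MAC or key-exchange algorithm outside the lists the role wrote. The expected values are copied from that diff; the `SAMPLE_DEFAULT` text is a constructed stand-in for a stock Ubuntu 20.04 sshd, not a real capture, and `audit_live()` assumes `sshd` is on PATH and the script runs as root.

```python
"""Audit the effective sshd configuration after ssh_hardening has run.

Added example, not code from the devsec.hardening collection. It parses
`sshd -T` output (effective settings, one "keyword value" line each,
keywords lower-cased) and reports every directive that differs from the
hardened sshd_config above, plus any cipher, MAC or kex algorithm outside
the lists the role wrote. Auditing `sshd -T` rather than the file catches
drop-ins, Match blocks and a daemon that was never restarted.
"""
import subprocess
from typing import Dict, List, Set

# Scalar directives and the values the generated sshd_config sets.
EXPECTED_SCALARS: Dict[str, str] = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "hostbasedauthentication": "no",
    "authenticationmethods": "publickey",
    "allowtcpforwarding": "no",
    "allowagentforwarding": "no",
    "x11forwarding": "no",
    "loglevel": "VERBOSE",
    "maxauthtries": "2",
}

# Algorithm lists copied from the Ciphers, MACs and KexAlgorithms lines above.
ALLOWED_ALGOS: Dict[str, Set[str]] = {
    "ciphers": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr"},
    "macs": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
             "umac-128-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256"},
    "kexalgorithms": {"sntrup4591761x25519-sha512@tinyssh.org",
                      "curve25519-sha256@libssh.org",
                      "diffie-hellman-group-exchange-sha256"},
}


def parse_sshd_t(text: str) -> Dict[str, List[str]]:
    """Turn `sshd -T` output into {keyword: [values]}; repeated keywords such as hostkey keep every value."""
    conf: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        conf.setdefault(keyword.lower(), []).append(value.strip())
    return conf


def audit(conf: Dict[str, List[str]]) -> List[str]:
    """Return one finding per deviation from the hardened baseline."""
    findings: List[str] = []
    for keyword, want in EXPECTED_SCALARS.items():
        got = conf.get(keyword)
        if got is None:
            findings.append(f"{keyword}: not present in sshd -T output")
        elif got[0].lower() != want.lower():
            findings.append(f"{keyword}: expected {want}, got {got[0]}")
    for keyword, allowed in ALLOWED_ALGOS.items():
        if keyword not in conf:
            findings.append(f"{keyword}: not present in sshd -T output")
            continue
        for algo in conf[keyword][0].split(","):
            if algo not in allowed:
                findings.append(f"{keyword}: {algo} offered but not in the hardened list")
    return findings


def audit_live() -> List[str]:
    """Run `sshd -T` on this host (needs root) and audit the result."""
    proc = subprocess.run(["sshd", "-T"], capture_output=True, text=True, check=True)
    return audit(parse_sshd_t(proc.stdout))


# Constructed sample in `sshd -T` format resembling a stock Ubuntu 20.04
# sshd before hardening; not a real capture.
SAMPLE_DEFAULT = """\
port 22
permitrootlogin prohibit-password
passwordauthentication yes
permitemptypasswords no
hostbasedauthentication no
authenticationmethods any
allowtcpforwarding yes
allowagentforwarding yes
x11forwarding yes
loglevel INFO
maxauthtries 6
ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-cbc
macs hmac-sha2-256-etm@openssh.com,hmac-sha1
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1
hostkey /etc/ssh/ssh_host_rsa_key
"""

if __name__ == "__main__":
    for finding in audit(parse_sshd_t(SAMPLE_DEFAULT)):
        print(finding)
```

Run as `sudo python3 sshd_audit.py` after swapping the `__main__` block for `audit_live()`; an empty list means the daemon is serving exactly the baseline the role wrote, and the list of findings is what to feed back into the role's variables when an environment needs an exception (for instance a higher `MaxAuthTries` for agents that hold several keys).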
TASK [devsec.hardening.nginx_hardening : create additional configuration] ******
--- before
+++ after: /Users/zyun/.ansible/tmp/ansible-local-17596sli22rgo/tmpvs4781gq/hardening.conf.j2
@@ -0,0 +1,20 @@
+# #
+# Ansible managed
+#
+# Additional configuration for Nginx.
+
+client_header_buffer_size 1k;
+large_client_header_buffers 2 1k;
+client_body_timeout 10;
+client_header_timeout 10;
+send_timeout 10;
+limit_conn_zone $binary_remote_addr zone=default:10m;
+limit_conn default 5;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ssl_session_tickets off;
+ssl_dhparam /etc/nginx/dh2048.pem;
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header Strict-Transport-Security max-age=15768000;
+add_header Content-Security-Policy "script-src 'self'; object-src 'self'";
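Review bot: the `add_header` lines live in the http context, and nginx only inherits them into a server or location block that declares no `add_header` of its own, so a single `add_header` in a vhost silently discards all five; verify per vhost with `curl -I`. Two of the values are also dated: `X-XSS-Protection` is ignored by current browsers, and `object-src 'self'` in the CSP is looser than the usual `object-src 'none'`. `limit_conn default 5` and the 1k header buffers are tight enough to turn users behind a shared NAT or with large cookies into 503 and 400 errors, so size them to the application before production.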
changed: [default]
TASK [devsec.hardening.nginx_hardening : change configuration in main nginx.conf] ***
--- before: /etc/nginx/nginx.conf (content)
+++ after: /etc/nginx/nginx.conf (content)
@@ -9,6 +9,7 @@
}
http {
+ server_tokens off;
##
# Basic Settings
--- before: /etc/nginx/nginx.conf (file attributes)
+++ after: /etc/nginx/nginx.conf (file attributes)
@@ -1,3 +1,3 @@
{
- "mode": "0644"
+ "mode": "0640"
}
changed: [default]
TASK [devsec.hardening.nginx_hardening : change ssl_protocols in main nginx.conf] ***
--- before: /etc/nginx/nginx.conf (content)
+++ after: /etc/nginx/nginx.conf (content)
@@ -32,7 +32,7 @@
# SSL Settings
##
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+ ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
##
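Review bot: this hunk removes TLSv1.3 together with TLSv1 and TLSv1.1: the before line shows focal's nginx already offered TLSv1.3, and the after line leaves only TLSv1.2. Dropping the old versions is the point of the role, but TLSv1.3 should stay, i.e. ssl_protocols TLSv1.2 TLSv1.3;. Set it through the role variable that renders this line (nginx_ssl_protocols in the role defaults, as far as I can tell) rather than editing nginx.conf by hand, otherwise the next play run reverts it.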
changed: [default]
TASK [devsec.hardening.nginx_hardening : change ssl_prefer_server_ciphers in main nginx.conf] ***
--- before: /etc/nginx/nginx.conf (content)
+++ after: /etc/nginx/nginx.conf (content)
@@ -33,7 +33,7 @@
##
ssl_protocols TLSv1.2;
- ssl_prefer_server_ciphers on;
+ ssl_prefer_server_ciphers on;
##
# Logging Settings
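Review bot: before and after read identically (ssl_prefer_server_ciphers on; both times), so this is a whitespace-only change, most likely a tab-versus-space difference introduced by the role's line replacement; harmless, but it inflates changed=36 on the first run and is worth recognising when auditing diffs. Note also that this directive only governs TLS 1.2 suite selection and has no effect on TLS 1.3 once that is re-enabled.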
changed: [default]
TASK [devsec.hardening.nginx_hardening : change client_max_body_size in main nginx.conf] ***
--- before: /etc/nginx/nginx.conf (content)
+++ after: /etc/nginx/nginx.conf (content)
@@ -9,6 +9,7 @@
}
http {
+ client_max_body_size 1k;
server_tokens off;
##
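Review bot: client_max_body_size 1k is far too small for almost any real site: every request body over 1024 bytes, including an ordinary login form with a CSRF token or any file upload, is rejected with 413 Request Entity Too Large before it reaches the application. Raise it per deployment through the role variable for this directive (nginx_client_max_body_size in the role defaults, as far as I can tell) instead of editing nginx.conf, and confirm with a POST larger than 1 KB after the play.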
changed: [default]
TASK [devsec.hardening.nginx_hardening : change client_body_buffer_size in main nginx.conf] ***
--- before: /etc/nginx/nginx.conf (content)
+++ after: /etc/nginx/nginx.conf (content)
@@ -9,6 +9,7 @@
}
http {
+ client_body_buffer_size 1k;
client_max_body_size 1k;
server_tokens off;
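Review bot: client_body_buffer_size 1k matches the 1k client_max_body_size above, so request bodies are never spooled to disk; if the maximum is raised, raise this as well, otherwise bodies between the two sizes are written to client_body_temp_path, which matters for /tmp sizing and for what forensics can recover. Nothing wrong with the hunk on its own.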
changed: [default]
TASK [devsec.hardening.nginx_hardening : change keepalive_timeout in main nginx.conf] ***
--- before: /etc/nginx/nginx.conf (content)
+++ after: /etc/nginx/nginx.conf (content)
@@ -20,7 +20,7 @@
sendfile on;
tcp_nopush on;
tcp_nodelay on;
- keepalive_timeout 65;
+ keepalive_timeout 5 5;
types_hash_max_size 2048;
# server_tokens off;
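Review bot: keepalive_timeout 5 5 also emits a 5-second Keep-Alive response header; that bounds idle-connection exhaustion but makes browsers and HTTP/1.1 clients behind a load balancer reconnect often, so weigh it against limit_conn default 5 in the hardening fragment, which already caps per-client connections. The commented # server_tokens off; in the trailing context is Ubuntu's stock line; the active directive was inserted at the top of the http block in an earlier hunk.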
changed: [default]
TASK [devsec.hardening.nginx_hardening : remove default.conf] ******************
ok: [default] => (item=/etc/nginx/conf.d/default.conf)
--- before
+++ after
@@ -1,4 +1,4 @@
{
"path": "/etc/nginx/sites-enabled/default",
- "state": "link"
+ "state": "absent"
}
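Review bot: removing the sites-enabled/default symlink leaves this host with no server block at all, and the role ships no certificate, so none of the TLS directives applied above (ssl_protocols, ssl_ciphers, ssl_dhparam) take effect until a vhost with listen 443 ssl; and ssl_certificate/ssl_certificate_key is added. sites-available/default is untouched; re-linking it would restore Ubuntu's plaintext port-80 site, so add your own server block instead and check with nginx -T that the hardening directives are in scope for it.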
changed: [default] => (item=/etc/nginx/sites-enabled/default)
TASK [devsec.hardening.nginx_hardening : generate dh group] ********************
changed: [default]
RUNNING HANDLER [devsec.hardening.os_hardening : update-initramfs] *************
changed: [default]
RUNNING HANDLER [devsec.hardening.ssh_hardening : restart sshd] ****************
changed: [default]
RUNNING HANDLER [devsec.hardening.nginx_hardening : restart nginx] *************
changed: [default]
PLAY RECAP *********************************************************************
default : ok=82 changed=36 unreachable=0 failed=0 skipped=31 rescued=0 ignored=0
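As a follow-up check, here is an added example that is not part of the original post or the DevSec Hardening Framework: a small Python script that tokenizes nginx directives and audits the settings the nginx_hardening role applied in the diffs above. The sample configuration is constructed from those diff lines plus a hypothetical server block with its own add_header, to surface the header-inheritance pitfall; the 180-day HSTS floor and the 1 MiB body-size threshold are this script's own choices, not role or nginx defaults.

```python
import re

# One token per match: comment, quoted argument, structural character, or bare word.
_TOKEN = re.compile(r'''#[^\n]*|"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[{};]|[^\s{};"']+''')
_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def _unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'" else tok


def parse(text):
    """Return [(context, name, args)]; context is the tuple of enclosing block names."""
    out, stack, cur = [], [], []
    for tok in _TOKEN.findall(text):
        if tok.startswith("#"):
            continue
        if tok in ";{}":
            if tok == ";" and cur:
                out.append((tuple(stack), cur[0], [_unquote(a) for a in cur[1:]]))
            elif tok == "{":
                stack.append(cur[0] if cur else "?")
            elif tok == "}":
                stack.pop()
            cur = []
        else:
            cur.append(tok)
    return out


def parse_size(value):
    """nginx size syntax (digits plus optional k/m/g suffix) -> bytes."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", value)
    if not m:
        raise ValueError(f"bad nginx size: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def audit(text):
    """Return [(level, message)] findings; an empty list means every check passed."""
    d = parse(text)
    f = []

    def last(name):  # the last occurrence wins, as nginx resolves a repeated directive
        hits = [args for _, n, args in d if n == name]
        return hits[-1] if hits else None

    if last("server_tokens") != ["off"]:
        f.append(("FAIL", "server_tokens is not off: the nginx version leaks in Server headers and error pages"))
    protos = set(last("ssl_protocols") or [])
    if protos & {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}:
        f.append(("FAIL", f"deprecated ssl_protocols enabled: {sorted(protos)}"))
    if protos and "TLSv1.3" not in protos:
        f.append(("WARN", "TLSv1.3 is missing from ssl_protocols; set 'TLSv1.2 TLSv1.3'"))

    headers = {a[0].lower(): a[1] for _, n, a in d if n == "add_header" and len(a) >= 2}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        f.append(("FAIL", "Strict-Transport-Security header is not set"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < 180 * 86400:  # this script's own floor: 180 days
            f.append(("WARN", f"HSTS max-age is short: {hsts}"))
        if "includesubdomains" not in hsts.lower():
            f.append(("INFO", "HSTS lacks includeSubDomains; subdomains stay reachable over plain HTTP"))
    if "x-xss-protection" in headers:
        f.append(("INFO", "X-XSS-Protection is ignored by current browsers; rely on CSP instead"))
    csp = headers.get("content-security-policy")
    if csp is not None and "object-src 'none'" not in csp:
        f.append(("INFO", "CSP object-src is not 'none'; same-origin plugin content is still allowed"))

    body = last("client_max_body_size")
    if body and parse_size(body[0]) < 1024 * 1024:  # script's own threshold: 1 MiB
        f.append(("WARN", f"client_max_body_size {body[0]}: larger request bodies get HTTP 413, breaking uploads and many form POSTs"))

    # nginx does not merge add_header: a block with its own add_header drops all inherited ones.
    nested = sorted({"/".join(c) for c, n, _ in d if n == "add_header" and len(c) >= 2})
    if nested and any(len(c) <= 1 for c, n, _ in d if n == "add_header"):
        f.append(("WARN", f"add_header inside {nested} suppresses the http-level security headers there; repeat them in that block"))
    return f


# Constructed sample: directives from the Ansible diff above wrapped in an http block, plus a
# hypothetical server block that sets its own add_header, as most real vhosts do.
SAMPLE = """
http {
    client_max_body_size 1k;
    server_tokens off;
    ssl_protocols TLSv1.2;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security max-age=15768000;
    add_header Content-Security-Policy "script-src 'self'; object-src 'self'";
    server {
        listen 443 ssl;
        add_header Cache-Control no-store;  # hypothetical application header
    }
}
"""

if __name__ == "__main__":
    for level, msg in audit(SAMPLE):
        print(f"{level:4} {msg}")
```

Run it as-is to see the findings for the role's defaults, or pass the output of nginx -T from the hardened host to audit() (its "# configuration file" markers are plain comments and are skipped). On the sample it raises no FAIL, but the WARNs about the missing TLSv1.3 and the 1k body limit are the two role defaults most worth overriding before anything goes to production.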