* rename role harden-linux to harden_linux to follow Ansible Galaxy requirements
* README.md: add information about Molecule test
* rename molecule/kvm to molecule/default
* remove support for Ubuntu 18.04 (reached EOL)
* defaults/main.yml: fix link
* molecule/default/molecule.yml: rename host test-harden-linux-ubuntu1804-openntpd to test-harden-linux-ubuntu2204-openntpd
* molecule/default/molecule.yml: adjust verifier
* molecule/default/molecule.yml: rename test-harden-linux-ubuntu1804-openntpd to test-harden-linux-ubuntu2204-openntpd
* molecule/default/molecule.yml: rename scenario kvm to default
* molecule/default/molecule.yml: move memory and cpus properties to hosts
* molecule/default/molecule.yml: use generic/ubuntu2204 VM image instead of alvistack/ubuntu-22.04
* molecule/default/molecule.yml: remove role_name_check (no longer needed)
* tasks/ufw.yml: use community.general.ufw module instead of ansible.builtin.ufw (recommended by ansible-lint)
* tasks/sshguard.yml: formatting
* tasks/sshguard-archlinux.yml: fix mode value
* tasks/setup-ubuntu.yml: fix mode value
* remove tasks/sshguard-ubuntu-18.yml
* .ansible-lint: remove role-name / add name[template]
* tasks/setup-archlinux.yml: use community.general.pacman module instead of ansible.builtin.pacman (as recommended by ansible-lint)
* tasks/ntp_systemd-timesyncd.yml: improve the task key order
* tasks/main.yml: use ansible.posix.sysctl module instead of ansible.builtin.sysctl (as recommended by ansible-lint)
* handlers/main.yml: use community.general.ufw module instead of ansible.builtin.ufw (as recommended by ansible-lint)
* tasks/deployuser.yml: use ansible.posix.authorized_key module instead of ansible.builtin.authorized_key (as recommended by ansible-lint)
* update README
* remove vars/ubuntu-18.yml
* molecule/default/molecule.yml: put hosts into groups / move harden_linux_root_password for all hosts to only specific hosts
* Molecule: add verify step
* update CHANGELOG
* update CHANGELOG
Showing 22 changed files with 195 additions and 68 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,3 @@ | ||
--- | ||
skip_list: | ||
- 'role-name' | ||
- 'name[template]' |
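Review bot: swapping `role-name` for `name[template]` in `skip_list` silences the template-in-task-name rule for the whole repository rather than for the tasks that actually trigger it, so future violations will go unnoticed; prefer fixing the offending task names or marking only those tasks with `# noqa: name[template]`. Dropping `role-name` itself is consistent with the rename to `harden_linux` described in the commit message.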
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,6 @@ | ||
--- | ||
- name: Reload ufw | ||
ansible.builtin.ufw: | ||
community.general.ufw: | ||
state: reloaded | ||
|
||
- name: Restart ssh | ||
|
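Review bot: changing the `Reload ufw` handler to `community.general.ufw` introduces a dependency on the community.general collection; make sure it is declared in a collections requirements file that Molecule installs and that the README lists it, otherwise the handler fails with an unresolved module on hosts that only have the ansible-core builtins. The same check applies to the other module swaps in this commit (`community.general.pacman`, `ansible.posix.sysctl`, `ansible.posix.authorized_key`).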
File renamed without changes.
File renamed without changes.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
--- | ||
- name: Ensure sshd_config setting | ||
ansible.builtin.lineinfile: | ||
path: /etc/ssh/sshd_config | ||
regexp: '{{ harden_linux__sshd_config_setting }}' | ||
line: "PasswordAuthentication yes" | ||
register: harden_linux__sshd_config_setting_status | ||
|
||
- name: Ensure sshd_config setting and value is present | ||
ansible.builtin.assert: | ||
that: | ||
- harden_linux__sshd_config_setting_status is not changed |
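Review bot: this include never uses the loop item it is handed: `regexp: '{{ harden_linux__sshd_config_setting }}'` templates the whole dict2items entry rather than `harden_linux__sshd_config_setting.value.regex`, and `line` is hard-coded to `PasswordAuthentication yes` instead of `harden_linux__sshd_config_setting.value.value`, so the `X11Forwarding no` entry declared in the verify vars is never actually checked. Also add `check_mode: true` to the `lineinfile` task; as written it rewrites `/etc/ssh/sshd_config` on the instance under test, whereas in check mode `changed` reports only whether a change would be made, which is the signal the `is not changed` assert is meant to test.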
@@ -0,0 +1,86 @@ | ||
--- | ||
- name: Verify sshguard | ||
hosts: all | ||
tasks: | ||
- name: Get sshguard status | ||
ansible.builtin.systemd: | ||
service: sshguard | ||
state: started | ||
register: sshguard__status | ||
|
||
- name: Ensure sshguard is started | ||
ansible.builtin.assert: | ||
that: | ||
- sshguard__status.state == "started" | ||
|
||
- name: Verify systemd-timesyncd | ||
hosts: timesyncd | ||
tasks: | ||
- name: Get systemd-timesyncd status | ||
ansible.builtin.systemd: | ||
service: systemd-timesyncd | ||
state: started | ||
register: timesyncd__status | ||
|
||
- name: Ensure systemd-timesyncd is started | ||
ansible.builtin.assert: | ||
that: | ||
- timesyncd__status.state == "started" | ||
|
||
- name: Verify openntpd | ||
hosts: openntpd | ||
tasks: | ||
- name: Get openntpd status | ||
ansible.builtin.systemd: | ||
service: openntpd | ||
state: started | ||
register: openntpd__status | ||
|
||
- name: Ensure openntpd is started | ||
ansible.builtin.assert: | ||
that: | ||
- openntpd__status.state == "started" | ||
|
||
- name: Verify UFW | ||
hosts: all | ||
tasks: | ||
- name: Execute ufw status to capture output | ||
ansible.builtin.command: | ||
cmd: /usr/sbin/ufw status | ||
register: harden_linux__ufw_status | ||
changed_when: false | ||
|
||
- name: Ensure ufw status output contains correct output | ||
ansible.builtin.assert: | ||
that: | ||
- "'{{ harden_linux__ufw_status_output }}' in harden_linux__ufw_status.stdout" | ||
loop: | ||
- "22/tcp ALLOW Anywhere" | ||
- "80/tcp ALLOW Anywhere" | ||
- "443/tcp ALLOW Anywhere" | ||
- "Anywhere ALLOW 10.0.0.0/8" | ||
- "Anywhere ALLOW 172.16.0.0/12" | ||
- "Anywhere ALLOW 192.168.0.0/16" | ||
- "22/tcp (v6) ALLOW Anywhere (v6)" | ||
- "80/tcp (v6) ALLOW Anywhere (v6)" | ||
- "443/tcp (v6) ALLOW Anywhere (v6)" | ||
loop_control: | ||
loop_var: harden_linux__ufw_status_output | ||
|
||
- name: Verify sshd_config settings | ||
hosts: all | ||
vars: | ||
harden_linux__sshd_settings: | ||
password_authentication: | ||
regex: '^PasswordAuthentication' | ||
value: 'PasswordAuthentication yes' | ||
x11forwarding: | ||
regex: '^X11Forwarding' | ||
value: 'X11Forwarding no' | ||
tasks: | ||
- name: Check sshd_config settings | ||
ansible.builtin.include_tasks: | ||
file: tasks/sshd_config_settings.yml | ||
loop: "{{ harden_linux__sshd_settings | dict2items }}" | ||
loop_control: | ||
loop_var: harden_linux__sshd_config_setting |
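Review bot: the three `Get ... status` tasks call `ansible.builtin.systemd` with `state: started`, which starts the unit if it is stopped, so the following `state == "started"` asserts can never fail and the verify step does not catch a service the role failed to enable; read the state instead of enforcing it, e.g. `ansible.builtin.service_facts` followed by an assert on `ansible_facts.services['sshguard.service'].state == 'running'`, or add `check_mode: true` and assert `is not changed`. In the UFW play, check that the single-space strings in the loop (`22/tcp ALLOW Anywhere`) really occur in `stdout`: `ufw status` pads its columns with multiple spaces, so the output likely needs normalising with `regex_replace('\s+', ' ')` before the membership test, and the condition is cleaner as a plain expression, `harden_linux__ufw_status_output in harden_linux__ufw_status.stdout`, rather than a Jinja template inside `that:`.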