Warezjoe/ansible_uni_deploy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

added again ansible-role-security

Browse Source
This commit is contained in:
git
2024-01-25 14:48:21 +01:00
parent 6dcf62acd7
commit eee0e16ae8
19 changed files with 460 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
roles/ansible-role-security/.ansible-lint Normal file
View File

@@ -0,0 +1,3 @@
skip_list:
- 'yaml'
- 'role-name'

10
roles/ansible-role-security/.yamllint Normal file
View File

@@ -0,0 +1,10 @@
---
extends: default
rules:
line-length:
max: 120
level: warning
ignore: |
.github/workflows/stale.yml

20
roles/ansible-role-security/LICENSE Normal file
View File

@@ -0,0 +1,20 @@
The MIT License (MIT)
Copyright (c) 2017 Jeff Geerling
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

126
roles/ansible-role-security/README.md Normal file
View File

@@ -0,0 +1,126 @@
# Ansible Role: Security (Basics)
[![CI](https://github.com/geerlingguy/ansible-role-security/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-security/actions?query=workflow%3ACI)
**First, a major, MAJOR caveat**: the security of your servers is YOUR responsibility. If you think simply including this role and adding a firewall makes a server secure, then you're mistaken. Read up on Linux, network, and application security, and know that no matter how much you know, you can always make every part of your stack more secure.
That being said, this role performs some basic security configuration on RedHat and Debian-based linux systems. It attempts to:
- Install software to monitor bad SSH access (fail2ban)
- Configure SSH to be more secure (disabling root login, requiring key-based authentication, and allowing a custom SSH port to be set)
- Set up automatic updates (if configured to do so)
There are a few other things you may or may not want to do (which are not included in this role) to make sure your servers are more secure, like:
- Use logwatch or a centralized logging server to analyze and monitor log files
- Securely configure user accounts and SSH keys (this role assumes you're not using password authentication or logging in as root)
- Have a well-configured firewall (check out the `geerlingguy.firewall` role on Ansible Galaxy for a flexible example)
Again: Your servers' security is *your* responsibility.
## Requirements
For obvious reasons, `sudo` must be installed if you want to manage the sudoers file with this role.
On RedHat/CentOS systems, make sure you have the EPEL repository installed (you can include the `geerlingguy.repo-epel` role to get it installed).
No special requirements for Debian/Ubuntu systems.
## Role Variables
Available variables are listed below, along with default values (see `defaults/main.yml`):
security_ssh_port: 22
The port through which you'd like SSH to be accessible. The default is port 22, but if you're operating a server on the open internet, and have no firewall blocking access to port 22, you'll quickly find that thousands of login attempts per day are not uncommon. You can change the port to a nonstandard port (e.g. 2849) if you want to avoid these thousands of automated penetration attempts.
security_ssh_password_authentication: "no"
security_ssh_permit_root_login: "no"
security_ssh_usedns: "no"
security_ssh_permit_empty_password: "no"
security_ssh_challenge_response_auth: "no"
security_ssh_gss_api_authentication: "no"
security_ssh_x11_forwarding: "no"
Security settings for SSH authentication. It's best to leave these set to `"no"`, but there are times (especially during initial server configuration or when you don't have key-based authentication in place) when one or all may be safely set to `'yes'`. **NOTE: It is _very_ important that you quote the 'yes' or 'no' values. Failure to do so may lock you out of your server.**
security_ssh_allowed_users: []
# - alice
# - bob
# - charlie
A list of users allowed to connect to the host over SSH. If no user is defined in the list, the task will be skipped.
security_ssh_allowed_groups: []
# - admins
# - devs
A list of groups allowed to connect to the host over SSH. If no group is defined in the list, the task will be skipped.
security_sshd_state: started
The state of the SSH daemon. Typically this should remain `started`.
security_ssh_restart_handler_state: restarted
The state of the `restart ssh` handler. Typically this should remain `restarted`.
security_sudoers_passwordless: []
security_sudoers_passworded: []
A list of users who should be added to the sudoers file so they can run any command as root (via `sudo`) either without a password or requiring a password for each command, respectively.
security_autoupdate_enabled: true
Whether to install/enable `yum-cron` (RedHat-based systems) or `unattended-upgrades` (Debian-based systems). System restarts will not happen automatically in any case, and automatic upgrades are no excuse for sloppy patch and package management, but automatic updates can be helpful as yet another security measure.
security_autoupdate_blacklist: []
(Debian/Ubuntu only) A listing of packages that should not be automatically updated.
security_autoupdate_reboot: false
(Debian/Ubuntu only) Whether to reboot when needed during unattended upgrades.
security_autoupdate_reboot_time: "03:00"
(Debian/Ubuntu only) The time to trigger a reboot, when needed, if `security_autoupdate_reboot` is set to `true`. In 24h "hh:mm" clock format.
security_autoupdate_mail_to: ""
security_autoupdate_mail_on_error: true
(Debian/Ubuntu only) If `security_autoupdate_mail_to` is set to an non empty value, unattended upgrades will send an e-mail to that address when some error occurs. You may either set this to a full email: `ops@example.com` or to something like `root`, which will use `/etc/aliases` to route the message. If you set `security_autoupdate_mail_on_error` to `false` you'll get an email after every package install.
security_fail2ban_enabled: true
Whether to install/enable `fail2ban`. You might not want to use fail2ban if you're already using some other service for login and intrusion detection (e.g. [ConfigServer](http://configserver.com/cp/csf.html)).
security_fail2ban_custom_configuration_template: "jail.local.j2"
The name of the template file used to generate `fail2ban`'s configuration.
## Dependencies
None.
## Example Playbook
- hosts: servers
vars_files:
- vars/main.yml
roles:
- geerlingguy.security
*Inside `vars/main.yml`*:
security_sudoers_passworded:
- johndoe
- deployacct
## License
MIT (Expat) / BSD
## Author Information
This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).

28
roles/ansible-role-security/defaults/main.yml Normal file
View File

@@ -0,0 +1,28 @@
---
security_ssh_port: 22
security_ssh_password_authentication: "no"
security_ssh_permit_root_login: "no"
security_ssh_usedns: "no"
security_ssh_permit_empty_password: "no"
security_ssh_challenge_response_auth: "no"
security_ssh_gss_api_authentication: "no"
security_ssh_x11_forwarding: "no"
security_sshd_state: started
security_ssh_restart_handler_state: restarted
security_ssh_allowed_users: []
security_ssh_allowed_groups: []
security_sudoers_passwordless: []
security_sudoers_passworded: []
security_autoupdate_enabled: true
security_autoupdate_blacklist: []
# Autoupdate mail settings used on Debian/Ubuntu only.
security_autoupdate_reboot: "false"
security_autoupdate_reboot_time: "03:00"
security_autoupdate_mail_to: ""
security_autoupdate_mail_on_error: true
security_fail2ban_enabled: true
security_fail2ban_custom_configuration_template: "jail.local.j2"

10
roles/ansible-role-security/handlers/main.yml Normal file
View File

@@ -0,0 +1,10 @@
---
- name: restart ssh
service:
name: "{{ security_sshd_name }}"
state: "{{ security_ssh_restart_handler_state }}"
- name: reload fail2ban
service:
name: fail2ban
state: reloaded

30
roles/ansible-role-security/meta/main.yml Normal file
View File

@@ -0,0 +1,30 @@
---
dependencies: []
galaxy_info:
role_name: security
author: geerlingguy
description: Security software installation and configuration.
company: "Midwestern Mac, LLC"
license: "license (BSD, MIT)"
min_ansible_version: 2.10
platforms:
- name: Fedora
versions:
- all
- name: Debian
versions:
- all
- name: Ubuntu
versions:
- all
galaxy_tags:
- system
- security
- fail2ban
- automatic
- updates
- yum
- apt
- dnf
- hardening

44
roles/ansible-role-security/molecule/default/converge.yml Normal file
View File

@@ -0,0 +1,44 @@
---
- name: Converge
hosts: all
become: true
pre_tasks:
- name: Update apt cache.
package:
update_cache: true
cache_valid_time: 600
when: ansible_os_family == 'Debian'
- name: Ensure build dependencies are installed (RedHat).
package:
name:
- openssh-server
- openssh-clients
state: present
when: ansible_os_family == 'RedHat'
- name: Ensure build dependencies are installed (Fedora).
package:
name: procps
state: present
when: ansible_distribution == 'Fedora'
- name: Ensure build dependencies are installed (Debian).
package:
name:
- openssh-server
- openssh-client
state: present
when: ansible_os_family == 'Debian'
- name: Ensure auth.log file is present.
copy:
dest: /var/log/auth.log
content: ""
force: false
mode: 0644
when: ansible_distribution == 'Debian'
roles:
- role: geerlingguy.security

21
roles/ansible-role-security/molecule/default/molecule.yml Normal file
View File

@@ -0,0 +1,21 @@
---
role_name_check: 1
dependency:
name: galaxy
options:
ignore-errors: true
driver:
name: docker
platforms:
- name: instance
image: "geerlingguy/docker-${MOLECULE_DISTRO:-rockylinux8}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-""}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
cgroupns_mode: host
privileged: true
pre_build_image: true
provisioner:
name: ansible
playbooks:
converge: ${MOLECULE_PLAYBOOK:-converge.yml}

16
roles/ansible-role-security/tasks/autoupdate-Debian.yml Normal file
View File

@@ -0,0 +1,16 @@
---
- name: Install unattended upgrades package.
package:
name: unattended-upgrades
state: present
- name: Copy unattended-upgrades configuration files in place.
template:
src: "{{ item }}.j2"
dest: "/etc/apt/apt.conf.d/{{ item }}"
owner: root
group: root
mode: 0644
with_items:
- 10periodic
- 50unattended-upgrades

35
roles/ansible-role-security/tasks/autoupdate-RedHat.yml Normal file
View File

@@ -0,0 +1,35 @@
---
- name: Set correct automatic update utility vars (RHEL >= 8).
set_fact:
update_utility: dnf-automatic
update_service: dnf-automatic-install.timer
update_conf_path: /etc/dnf/automatic.conf
when: ansible_distribution_major_version | int >= 8
- name: Set correct automatic update utility vars (RHEL <= 7).
set_fact:
update_utility: yum-cron
update_service: yum-cron
update_conf_path: /etc/yum/yum-cron.conf
when: ansible_distribution_major_version | int <= 7
- name: Install automatic update utility.
package:
name: '{{ update_utility }}'
state: present
- name: Ensure automatic update utility is running and enabled on boot.
service:
name: '{{ update_service }}'
state: started
enabled: true
- name: Configure autoupdates.
lineinfile:
dest: '{{ update_conf_path }}'
regexp: '^apply_updates = .+'
line: 'apply_updates = yes'
mode: 0644
when:
- security_autoupdate_enabled
- ansible_distribution_major_version | int in [7, 8]

29
roles/ansible-role-security/tasks/fail2ban.yml Normal file
View File

@@ -0,0 +1,29 @@
---
- name: Install fail2ban (RedHat).
package:
name: fail2ban
state: present
enablerepo: epel
when: ansible_os_family == 'RedHat'
- name: Install fail2ban (Debian).
package:
name: fail2ban
state: present
when: ansible_os_family == 'Debian'
- name: Copy fail2ban custom configuration file into place.
template:
src: "{{ security_fail2ban_custom_configuration_template }}"
dest: /etc/fail2ban/jail.local
owner: root
group: root
mode: 0644
notify:
- reload fail2ban
- name: Ensure fail2ban is running and enabled on boot.
service:
name: fail2ban
state: started
enabled: true

21
roles/ansible-role-security/tasks/main.yml Normal file
View File

@@ -0,0 +1,21 @@
---
- name: Include OS-specific variables.
include_vars: "{{ ansible_os_family }}.yml"
# Fail2Ban
- include_tasks: fail2ban.yml
when: security_fail2ban_enabled | bool
# SSH
- include_tasks: ssh.yml
# Autoupdate
- include_tasks: autoupdate-RedHat.yml
when:
- ansible_os_family == 'RedHat'
- security_autoupdate_enabled | bool
- include_tasks: autoupdate-Debian.yml
when:
- ansible_os_family == 'Debian'
- security_autoupdate_enabled | bool

33
roles/ansible-role-security/tasks/ssh.yml Normal file
View File

@@ -0,0 +1,33 @@
---
- name: Ensure SSH daemon is running.
service:
name: "{{ security_sshd_name }}"
state: "{{ security_sshd_state }}"
- name: Update SSH configuration to be more secure.
lineinfile:
dest: "{{ security_ssh_config_path }}"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
state: present
validate: 'sshd -T -f %s'
mode: 0644
with_items:
- regexp: "^PasswordAuthentication"
line: "PasswordAuthentication {{ security_ssh_password_authentication }}"
- regexp: "^PermitRootLogin"
line: "PermitRootLogin {{ security_ssh_permit_root_login }}"
- regexp: "^Port"
line: "Port {{ security_ssh_port }}"
- regexp: "^UseDNS"
line: "UseDNS {{ security_ssh_usedns }}"
- regexp: "^PermitEmptyPasswords"
line: "PermitEmptyPasswords {{ security_ssh_permit_empty_password }}"
- regexp: "^ChallengeResponseAuthentication"
line: "ChallengeResponseAuthentication {{ security_ssh_challenge_response_auth }}"
- regexp: "^GSSAPIAuthentication"
line: "GSSAPIAuthentication {{ security_ssh_gss_api_authentication }}"
- regexp: "^X11Forwarding"
line: "X11Forwarding {{ security_ssh_x11_forwarding }}"
notify: restart ssh

4
roles/ansible-role-security/templates/10periodic.j2 Normal file
View File

@@ -0,0 +1,4 @@
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

20
roles/ansible-role-security/templates/50unattended-upgrades.j2 Normal file
View File

@@ -0,0 +1,20 @@
Unattended-Upgrade::Automatic-Reboot "{{ security_autoupdate_reboot }}";
Unattended-Upgrade::Automatic-Reboot-Time "{{ security_autoupdate_reboot_time }}";
{% if security_autoupdate_mail_to %}
Unattended-Upgrade::Mail "{{ security_autoupdate_mail_to }}";
{% if security_autoupdate_mail_on_error %}
Unattended-Upgrade::MailOnlyOnError "true";
{% endif %}
{% endif %}
Unattended-Upgrade::Allowed-Origins {
"${distro_id} ${distro_codename}-security";
// "${distro_id} ${distro_codename}-updates";
};
Unattended-Upgrade::Package-Blacklist{
{% for package in security_autoupdate_blacklist %}
"{{package}}";
{% endfor %}
}

4
roles/ansible-role-security/templates/jail.local.j2 Normal file
View File

@@ -0,0 +1,4 @@
[sshd]
enabled = true
port = {{ security_ssh_port }}
filter = sshd

3
roles/ansible-role-security/vars/Debian.yml Normal file
View File

@@ -0,0 +1,3 @@
---
security_ssh_config_path: /etc/ssh/sshd_config
security_sshd_name: ssh

3
roles/ansible-role-security/vars/RedHat.yml Normal file
View File

@@ -0,0 +1,3 @@
---
security_ssh_config_path: /etc/ssh/sshd_config
security_sshd_name: sshd