Polish infrastructure portfolio projects

enterprise-infra-simulator/playbooks/hardening.yml

@@ -0,0 +1,210 @@
+---
+- name: Harden Enterprise Infrastructure Nodes
+  hosts: all
+  become: true
+  gather_facts: true
+  vars:
+    cis_level: 1
+    disable_root_login: true
+    secure_ssh_config: true
+    firewall_policy: deny
+    auditd_enabled: true
+    selinux_mode: enforcing
+    apparmor_enabled: true
+
+  tasks:
+    - name: Include CIS hardening tasks
+      include_tasks: tasks/cis_hardening.yml
+
+    - name: Configure SSH hardening
+      block:
+        - name: Disable root SSH login
+          lineinfile:
+            path: /etc/ssh/sshd_config
+            regexp: '^PermitRootLogin'
+            line: 'PermitRootLogin no'
+          when: disable_root_login
+
+        - name: Disable password authentication
+          lineinfile:
+            path: /etc/ssh/sshd_config
+            regexp: '^PasswordAuthentication'
+            line: 'PasswordAuthentication no'
+
+        - name: Set MaxAuthTries
+          lineinfile:
+            path: /etc/ssh/sshd_config
+            regexp: '^MaxAuthTries'
+            line: 'MaxAuthTries 3'
+
+        - name: Disable empty passwords
+          lineinfile:
+            path: /etc/ssh/sshd_config
+            regexp: '^PermitEmptyPasswords'
+            line: 'PermitEmptyPasswords no'
+
+        - name: Set ClientAliveInterval
+          lineinfile:
+            path: /etc/ssh/sshd_config
+            regexp: '^ClientAliveInterval'
+            line: 'ClientAliveInterval 300'
+
+        - name: Set ClientAliveCountMax
+          lineinfile:
+            path: /etc/ssh/sshd_config
+            regexp: '^ClientAliveCountMax'
+            line: 'ClientAliveCountMax 2'
+
+      notify: restart sshd
+
+    - name: Configure firewall
+      ufw:
+        state: enabled
+        policy: "{{ firewall_policy }}"
+        rules:
+          - rule: allow
+            port: '22'
+            proto: tcp
+            from: 10.0.0.0/8
+          - rule: allow
+            port: '22'
+            proto: tcp
+            from: 172.16.0.0/12
+          - rule: allow
+            port: '22'
+            proto: tcp
+            from: 192.168.0.0/16
+
+    - name: Disable unnecessary services
+      service:
+        name: "{{ item }}"
+        state: stopped
+        enabled: no
+      loop:
+        - cups
+        - avahi-daemon
+        - bluetooth
+        - nfs-server
+        - rpcbind
+      ignore_errors: true
+
+    - name: Remove unnecessary packages
+      apt:
+        name: "{{ item }}"
+        state: absent
+        purge: yes
+      loop:
+        - telnet
+        - rsh-client
+        - talk
+        - ntalk
+      when: ansible_os_family == "Debian"
+      ignore_errors: true
+
+    - name: Configure auditd
+      block:
+        - name: Install auditd
+          apt:
+            name: auditd
+            state: present
+          when: ansible_os_family == "Debian"
+
+        - name: Configure audit rules
+          template:
+            src: templates/audit.rules.j2
+            dest: /etc/audit/rules.d/hardening.rules
+
+        - name: Enable auditd service
+          service:
+            name: auditd
+            state: started
+            enabled: yes
+      when: auditd_enabled
+
+    - name: Configure AppArmor
+      block:
+        - name: Install apparmor
+          apt:
+            name: apparmor
+            state: present
+          when: ansible_os_family == "Debian"
+
+        - name: Enable apparmor service
+          service:
+            name: apparmor
+            state: started
+            enabled: yes
+      when: apparmor_enabled and ansible_os_family == "Debian"
+
+    - name: Configure sysctl hardening
+      sysctl:
+        name: "{{ item.key }}"
+        value: "{{ item.value }}"
+        state: present
+        reload: yes
+      loop:
+        - { key: 'net.ipv4.ip_forward', value: '0' }
+        - { key: 'net.ipv4.conf.all.send_redirects', value: '0' }
+        - { key: 'net.ipv4.conf.default.send_redirects', value: '0' }
+        - { key: 'net.ipv4.tcp_syncookies', value: '1' }
+        - { key: 'net.ipv4.icmp_echo_ignore_broadcasts', value: '1' }
+
+    - name: Set secure file permissions
+      file:
+        path: "{{ item }}"
+        mode: '0644'
+        owner: root
+        group: root
+      loop:
+        - /etc/passwd
+        - /etc/group
+        - /etc/shadow
+        - /etc/gshadow
+
+    - name: Lock inactive user accounts
+      command: usermod -L "{{ item }}"
+      loop: "{{ inactive_users | default([]) }}"
+      ignore_errors: true
+
+    - name: Configure password policies
+      pam_limits:
+        domain: '*'
+        limit_type: hard
+        limit_item: nofile
+        value: 1024
+
+    - name: Generate hardening report
+      template:
+        src: templates/hardening_report.j2
+        dest: "/var/log/hardening_report_{{ ansible_date_time.iso8601 }}.log"
+
+  handlers:
+    - name: restart sshd
+      service:
+        name: ssh
+        state: restarted
+
+    - name: restart auditd
+      service:
+        name: auditd
+        state: restarted
+      when: auditd_enabled
+
+  post_tasks:
+    - name: Run CIS compliance check
+      command: >
+        bash -c "
+        score=0
+        total=0
+        echo 'CIS Compliance Check Results:' > /tmp/cis_check.log
+        # Add CIS checks here
+        echo 'Overall Score: $score/$total' >> /tmp/cis_check.log
+        cat /tmp/cis_check.log
+        "
+      register: cis_check
+      changed_when: false
+
+    - name: Archive CIS results
+      copy:
+        content: "{{ cis_check.stdout }}"
+        dest: "/var/log/cis_compliance_{{ ansible_date_time.iso8601 }}.log"