Mateusz Suski
7757020014
CI Pipeline / lint-ansible (push) Waiting to run
CI Pipeline / test-python (push) Waiting to run
CI Pipeline / validate-docker (push) Waiting to run
CI Pipeline / security-scan (push) Waiting to run
CI Pipeline / documentation (push) Waiting to run
CI Pipeline / integration-test (push) Blocked by required conditions
210 lines
5.3 KiB
YAML
210 lines
5.3 KiB
YAML
---
|
|
- name: Harden Enterprise Infrastructure Nodes
|
|
hosts: all
|
|
become: true
|
|
gather_facts: true
|
|
vars:
|
|
cis_level: 1
|
|
disable_root_login: true
|
|
secure_ssh_config: true
|
|
firewall_policy: deny
|
|
auditd_enabled: true
|
|
selinux_mode: enforcing
|
|
apparmor_enabled: true
|
|
|
|
tasks:
|
|
- name: Include CIS hardening tasks
|
|
include_tasks: tasks/cis_hardening.yml
|
|
|
|
- name: Configure SSH hardening
|
|
block:
|
|
- name: Disable root SSH login
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '^PermitRootLogin'
|
|
line: 'PermitRootLogin no'
|
|
when: disable_root_login
|
|
|
|
- name: Disable password authentication
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '^PasswordAuthentication'
|
|
line: 'PasswordAuthentication no'
|
|
|
|
- name: Set MaxAuthTries
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '^MaxAuthTries'
|
|
line: 'MaxAuthTries 3'
|
|
|
|
- name: Disable empty passwords
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '^PermitEmptyPasswords'
|
|
line: 'PermitEmptyPasswords no'
|
|
|
|
- name: Set ClientAliveInterval
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '^ClientAliveInterval'
|
|
line: 'ClientAliveInterval 300'
|
|
|
|
- name: Set ClientAliveCountMax
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '^ClientAliveCountMax'
|
|
line: 'ClientAliveCountMax 2'
|
|
|
|
notify: restart sshd
|
|
|
|
- name: Configure firewall
|
|
ufw:
|
|
state: enabled
|
|
policy: "{{ firewall_policy }}"
|
|
rules:
|
|
- rule: allow
|
|
port: '22'
|
|
proto: tcp
|
|
from: 10.0.0.0/8
|
|
- rule: allow
|
|
port: '22'
|
|
proto: tcp
|
|
from: 172.16.0.0/12
|
|
- rule: allow
|
|
port: '22'
|
|
proto: tcp
|
|
from: 192.168.0.0/16
|
|
|
|
- name: Disable unnecessary services
|
|
service:
|
|
name: "{{ item }}"
|
|
state: stopped
|
|
enabled: no
|
|
loop:
|
|
- cups
|
|
- avahi-daemon
|
|
- bluetooth
|
|
- nfs-server
|
|
- rpcbind
|
|
ignore_errors: true
|
|
|
|
- name: Remove unnecessary packages
|
|
apt:
|
|
name: "{{ item }}"
|
|
state: absent
|
|
purge: yes
|
|
loop:
|
|
- telnet
|
|
- rsh-client
|
|
- talk
|
|
- ntalk
|
|
when: ansible_os_family == "Debian"
|
|
ignore_errors: true
|
|
|
|
- name: Configure auditd
|
|
block:
|
|
- name: Install auditd
|
|
apt:
|
|
name: auditd
|
|
state: present
|
|
when: ansible_os_family == "Debian"
|
|
|
|
- name: Configure audit rules
|
|
template:
|
|
src: templates/audit.rules.j2
|
|
dest: /etc/audit/rules.d/hardening.rules
|
|
|
|
- name: Enable auditd service
|
|
service:
|
|
name: auditd
|
|
state: started
|
|
enabled: yes
|
|
when: auditd_enabled
|
|
|
|
- name: Configure AppArmor
|
|
block:
|
|
- name: Install apparmor
|
|
apt:
|
|
name: apparmor
|
|
state: present
|
|
when: ansible_os_family == "Debian"
|
|
|
|
- name: Enable apparmor service
|
|
service:
|
|
name: apparmor
|
|
state: started
|
|
enabled: yes
|
|
when: apparmor_enabled and ansible_os_family == "Debian"
|
|
|
|
- name: Configure sysctl hardening
|
|
sysctl:
|
|
name: "{{ item.key }}"
|
|
value: "{{ item.value }}"
|
|
state: present
|
|
reload: yes
|
|
loop:
|
|
- { key: 'net.ipv4.ip_forward', value: '0' }
|
|
- { key: 'net.ipv4.conf.all.send_redirects', value: '0' }
|
|
- { key: 'net.ipv4.conf.default.send_redirects', value: '0' }
|
|
- { key: 'net.ipv4.tcp_syncookies', value: '1' }
|
|
- { key: 'net.ipv4.icmp_echo_ignore_broadcasts', value: '1' }
|
|
|
|
- name: Set secure file permissions
|
|
file:
|
|
path: "{{ item }}"
|
|
mode: '0644'
|
|
owner: root
|
|
group: root
|
|
loop:
|
|
- /etc/passwd
|
|
- /etc/group
|
|
- /etc/shadow
|
|
- /etc/gshadow
|
|
|
|
- name: Lock inactive user accounts
|
|
command: usermod -L "{{ item }}"
|
|
loop: "{{ inactive_users | default([]) }}"
|
|
ignore_errors: true
|
|
|
|
- name: Configure password policies
|
|
pam_limits:
|
|
domain: '*'
|
|
limit_type: hard
|
|
limit_item: nofile
|
|
value: 1024
|
|
|
|
- name: Generate hardening report
|
|
template:
|
|
src: templates/hardening_report.j2
|
|
dest: "/var/log/hardening_report_{{ ansible_date_time.iso8601 }}.log"
|
|
|
|
handlers:
|
|
- name: restart sshd
|
|
service:
|
|
name: ssh
|
|
state: restarted
|
|
|
|
- name: restart auditd
|
|
service:
|
|
name: auditd
|
|
state: restarted
|
|
when: auditd_enabled
|
|
|
|
post_tasks:
|
|
- name: Run CIS compliance check
|
|
command: >
|
|
bash -c "
|
|
score=0
|
|
total=0
|
|
echo 'CIS Compliance Check Results:' > /tmp/cis_check.log
|
|
# Add CIS checks here
|
|
echo 'Overall Score: $score/$total' >> /tmp/cis_check.log
|
|
cat /tmp/cis_check.log
|
|
"
|
|
register: cis_check
|
|
changed_when: false
|
|
|
|
- name: Archive CIS results
|
|
copy:
|
|
content: "{{ cis_check.stdout }}"
|
|
dest: "/var/log/cis_compliance_{{ ansible_date_time.iso8601 }}.log" |