dev-sec / ansible-collection-hardening

This Ansible collection provides battle tested hardening for Linux, SSH, nginx, MySQL

Home Page: http://dev-sec.io/

License: Apache License 2.0

Languages: Jinja 100.00%
Topics: ansible, sysctl, protection, hardening, role, playbook, linux, os-hardening, collection, mysql-hardening

ansible-collection-hardening's Introduction

Ansible Collection - devsec.hardening

CI workflows: devsec.os_hardening, devsec.os_hardening VM, devsec.ssh_hardening, devsec.ssh_hardening BSD, devsec.ssh_hardening with custom tests, devsec.nginx_hardening, devsec.mysql_hardening

Description

This collection provides battle tested hardening for:

  • Linux operating systems:
    • CentOS 7/8/9
    • Rocky Linux 8/9
    • Debian 10/11/12
    • Ubuntu 18.04/20.04/22.04
    • Amazon Linux (some roles supported)
    • Arch Linux (some roles supported)
    • Fedora 37/38 (some roles supported)
    • Suse Tumbleweed (some roles supported)
  • MySQL
    • MariaDB >= 5.5.65, >= 10.1.45, >= 10.3.17
    • MySQL >= 5.7.31, >= 8.0.3
  • Nginx 1.0.16 or later
  • OpenSSH 5.3 and later

The hardening is intended to be compliant with the InSpec DevSec Baselines.

Looking for the old roles?

The roles are now part of the hardening collection. We have kept the old releases of the os-hardening role in this repository, so you can find them by exploring older tags. The last release of the standalone role was 6.2.0.

The other roles live in separate, archived repositories.

Minimum required Ansible-version

  • Ansible >= 2.9.10

Included content

In progress, not working:

Installation

Install the collection via ansible-galaxy:

ansible-galaxy collection install devsec.hardening

Using this collection

Please refer to the examples in the READMEs of the individual roles.

See Ansible Using collections for more details.

Contributing to this collection

See the contributor guideline.

Release notes

See the changelog.

Roadmap

Todos:

More information

General information:

Licensing

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

ansible-collection-hardening's People

Contributors

aisbergg, aqw, arlimus, atomic111, chris-rock, conorsch, danielkubat, dependabot[bot], djesionek, donestefan, fazlearefin, fitz123, jaredledvina, jbenden, jbronn, jcheroske, jonwrede, joubbi, kravietz, lazzurs, lbayerlein, martinbydefault, matthiaslohr, mpraeger, renovate[bot], rndmh3ro, schurzi, szevez, ypid, zbrojny120


ansible-collection-hardening's Issues

Role configuration. vars/main.yml?

Hi

It seems that it is not intended/easy to change the configuration of the role via inventory variables for example or do I miss something?

What do you think about moving vars/main.yml to defaults/main.yml?

network related sysctl rewritten by ufw in ubuntu

So, there's a thing.
By default in ubuntu if you enable(or reload) ufw (or reboot the system), you have applied all sort of different sysctl values from /etc/ufw/sysctl.conf over standard /etc/sysctl.conf
This behavior can be disabled by commenting out IPT_SYSCTL=/etc/ufw/sysctl.conf line in /etc/default/ufw

I'm going to add a replace task in sysctl.yml to comment out this line. Are there any ideas to deal with it another way? Or objections to using the replace module?

Or maybe reasons don't do it at all?
I think it's a security issue which prevents applying a lot of important sysctl values, so as for me, it's clearly the framework's job to deal with it.
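The override the issue describes is easy to audit and to neutralise without touching the role. The following Python is an added example, not code from the dev-sec collection or the issue author: it reports which keys in /etc/ufw/sysctl.conf would silently replace values from /etc/sysctl.conf, and it comments out the IPT_SYSCTL= line in /etc/default/ufw idempotently (the same edit the issue proposes for the role's replace task). All three file contents below are constructed samples, not copied from a real host.

```python
"""Report and disable ufw's sysctl override (Ubuntu).

Added example; not code from the dev-sec collection or the issue author.
It works on the three files the issue names: /etc/sysctl.conf,
/etc/ufw/sysctl.conf and /etc/default/ufw. All file contents below are
constructed samples, not copied from a real host.
"""
import re


def parse_sysctl(text):
    """Return {key: value} from sysctl.conf-style text, ignoring comments.

    Ubuntu's /etc/ufw/sysctl.conf writes keys with slashes
    (net/ipv4/ip_forward); they are normalised to dotted form so the two
    files can be compared.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.replace("/", ".")] = value
    return settings


def ufw_overrides(ufw_sysctl_text, sysctl_text):
    """Keys whose value in /etc/ufw/sysctl.conf differs from /etc/sysctl.conf.

    These are the settings `ufw enable`/`ufw reload` (or a reboot) will
    flip back. Returns {key: (sysctl_value, ufw_value)}.
    """
    ufw = parse_sysctl(ufw_sysctl_text)
    base = parse_sysctl(sysctl_text)
    return {
        key: (base[key], ufw[key])
        for key in sorted(ufw)
        if key in base and ufw[key] != base[key]
    }


_IPT_SYSCTL_LINE = re.compile(r"^(\s*)IPT_SYSCTL\s*=", re.MULTILINE)


def disable_ufw_sysctl(default_ufw_text):
    """Comment out IPT_SYSCTL=... in /etc/default/ufw text.

    Idempotent: lines that are already commented do not match the pattern,
    so running this twice (or from Ansible's `replace` module) is a no-op.
    """
    return _IPT_SYSCTL_LINE.sub(r"\1#IPT_SYSCTL=", default_ufw_text)


# --- constructed samples ---------------------------------------------------
SAMPLE_SYSCTL_CONF = """\
# /etc/sysctl.conf as written by a hardening role (constructed sample)
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
kernel.sysrq = 0
"""

SAMPLE_UFW_SYSCTL = """\
# /etc/ufw/sysctl.conf (constructed sample in Ubuntu's slash syntax)
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/log_martians=0
net/ipv4/ip_forward=1
"""

SAMPLE_DEFAULT_UFW = """\
IPV6=yes
DEFAULT_INPUT_POLICY="DROP"
IPT_SYSCTL=/etc/ufw/sysctl.conf
"""

if __name__ == "__main__":
    report = ufw_overrides(SAMPLE_UFW_SYSCTL, SAMPLE_SYSCTL_CONF)
    for key, (wanted, ufw_value) in report.items():
        print("ufw would reset %s from %s to %s" % (key, wanted, ufw_value))
    print(disable_ufw_sysctl(SAMPLE_DEFAULT_UFW), end="")
```

On a real host, read the three files and pass their contents in; a non-empty result from ufw_overrides() means the hardened sysctl values are not what is actually in effect after the next `ufw reload`.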

Warning about "include" for tasks for ansible-playbook 2.4.0 (devel f0a5854e39)

Ansible gives the following message about this playbook:
[DEPRECATION WARNING]: The use of 'include' for tasks has been deprecated. Use 'import_tasks' for static inclusions or 'include_tasks' for dynamic inclusions. This feature will be removed in a future release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
This PR makes the necessary changes, using 'import_tasks' where necessary for static inclusions.

ansible hardening fails on ubuntu 16.04 with msg": "ERROR! 'sysctl_rhel_config' is undefined

Hi, when running the hardening against ubuntu 16.04 I get the below error, seems to think it is rhel ?

    c360-ubuntu: fatal: [127.0.0.1]: FAILED! =>
    c360-ubuntu:
    c360-ubuntu: {
    c360-ubuntu:    "_host": "127.0.0.1",
    c360-ubuntu:    "_result": {
    c360-ubuntu:       "failed": true,
    c360-ubuntu:       "msg": "ERROR! 'sysctl_rhel_config' is undefined"
    c360-ubuntu:    },
    c360-ubuntu:    "_task": "TASK: ansible-os-hardening : Change various sysctl-settings on rhel6-hosts or older, look at the sysctl-vars file for documentation"
    c360-ubuntu: }
    c360-ubuntu: 
    c360-ubuntu: fatal: [127.0.0.1]: FAILED! => {"failed": true, "msg": "ERROR! 'sysctl_rhel_config' is undefined"}
    c360-ubuntu:
    c360-ubuntu: RUNNING HANDLER [nginx : restart nginx] ****************************************
    c360-ubuntu:
    c360-ubuntu: RUNNING HANDLER [nginx : reload nginx] *****************************************
    c360-ubuntu:
    c360-ubuntu: RUNNING HANDLER [php5 : restart php-fpm] ***************************************
    c360-ubuntu:
    c360-ubuntu: RUNNING HANDLER [codedeploy : start codedeploy-agent] **************************
    c360-ubuntu:
    c360-ubuntu: RUNNING HANDLER [postfix : restart postfix] ************************************
    c360-ubuntu:
    c360-ubuntu: PLAY RECAP *********************************************************************
    c360-ubuntu: 127.0.0.1                  : ok=76   changed=44   unreachable=0    failed=1
    c360-ubuntu:
==> c360-ubuntu: Terminating the source AWS instance...
==> c360-ubuntu: Cleaning up any extra volumes...
==> c360-ubuntu: No volumes to clean up, skipping
==> c360-ubuntu: Deleting temporary security group...
==> c360-ubuntu: Deleting temporary keypair...
Build 'c360-ubuntu' errored: Error executing Ansible: Non-zero exit status: 2

"irc" user always changed after reboot

Task: change system accounts not on the user provided ignore-list
always changes something for the "irc" user after reboot

~$ cat /etc/*rel*
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.3 LTS"
NAME="Ubuntu"
VERSION="14.04.3 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.3 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

with apt: update_cache=yes upgrade=dist

Can't find the reason.

Hardening fails on Centos 7.1 at task 'minimize access'

Hardening fails on a brand new Centos 7.1 box:

failed: [idp-centos] => (item=/sbin) => {"failed": true, "item": "/sbin", "msg": "src and dest are required for creating links"}
failed: [idp-centos] => (item=/bin) => {"failed": true, "item": "/bin", "msg": "src and dest are required for creating links"}

Can anyone reproduce the issue?

Fix directory structure.

Currently when installed from Ansible Galaxy or via git submodules this role can not be used like other roles. To use this role, one has to extend the roles_path to something like roles_path = /home/user/.ansible/roles:/home/user/.ansible/roles/hardening.os-hardening/roles/ansible-os-hardening/ for the role to be found. Also the name in the README is inconvenient. Ansible has a naming convention and it is expected that the role is called hardening.os-hardening not ansible-os-hardening. Also note that role dependencies would probably not work with this layout.

This:

$ tree hardening.os-hardening
hardening.os-hardening
├── CHANGELOG.md
├── CONTRIBUTING.md
├── Gemfile
├── meta
│   └── main.yml
├── README.md
├── roles
│   └── ansible-os-hardening
│       ├── defaults
│       │   └── main.yml
│       ├── tasks
│       │   ├── limits.yml
│       │   ├── login_defs.yml
│       │   ├── main.yml
│       │   ├── minimize_access.yml
│       │   ├── pam.yml
│       │   ├── profile.yml
│       │   ├── rhosts.yml
│       │   ├── securetty.yml
│       │   ├── suid_sgid.yml
│       │   ├── sysctl.yml
│       │   ├── user_accounts.yml
│       │   └── yum.yml
│       ├── templates
│       │   ├── limits.conf.j2
│       │   ├── login.defs.j2
│       │   ├── modules.j2
│       │   ├── pam_passwdqd.j2
│       │   ├── pam_tally2.j2
│       │   ├── profile.conf.j2
│       │   ├── rhel_libuser.conf.j2
│       │   ├── rhel_sysconfig_init.j2
│       │   ├── rhel_system_auth.j2
│       │   └── securetty.j2
│       └── vars
│           ├── Debian.yml
│           ├── main.yml
│           ├── Oracle Linux.yml
│           ├── RedHat.yml
│           └── sysctl.yml
├── spec
│   └── travis.yml
├── Thorfile
└── TODO.md

8 directories, 36 files

Should look something like this:

$ tree hardening.os-hardening
hardening.os-hardening
├── CHANGELOG.md
├── CONTRIBUTING.md
├── defaults
│   └── main.yml
├── Gemfile
├── meta
│   └── main.yml
├── README.md
├── spec
│   └── travis.yml
├── tasks
│   ├── limits.yml
│   ├── login_defs.yml
│   ├── main.yml
│   ├── minimize_access.yml
│   ├── pam.yml
│   ├── profile.yml
│   ├── rhosts.yml
│   ├── securetty.yml
│   ├── suid_sgid.yml
│   ├── sysctl.yml
│   ├── user_accounts.yml
│   └── yum.yml
├── templates
│   ├── limits.conf.j2
│   ├── login.defs.j2
│   ├── modules.j2
│   ├── pam_passwdqd.j2
│   ├── pam_tally2.j2
│   ├── profile.conf.j2
│   ├── rhel_libuser.conf.j2
│   ├── rhel_sysconfig_init.j2
│   ├── rhel_system_auth.j2
│   └── securetty.j2
├── Thorfile
├── TODO.md
└── vars
    ├── Debian.yml
    ├── main.yml
    ├── Oracle Linux.yml
    ├── RedHat.yml
    └── sysctl.yml

6 directories, 36 files

Deprecation warning always_run

always_run is deprecated. Use check_mode = no instead..

TASK [ansible-os-hardening :Get user accounts | DTAG SEC Req 3.21-4 ] ***************
[DEPRECATION WARNING]: always_run is deprecated. Use check_mode = no instead..
This feature will be removed in version 2.4. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.

Fedora support?

Looking over the code I see parts indicating that there was some work to introduce fedora as a supported distro or it was even supported in the past. However when I ran this role against fedora 27 server edition, it failed due to some compatibility issues (like using yum module which needs python2-yum packages which are unavailable on fedora). Are you planning on adding support for this distro?

The role fails when conditionally included

Hi,

I need to use your role only on specific environments so I'm using a when instruction in my role statement in my playbook like below to choose whether or not I want to deploy security rules :

roles: 
    - { role: security, when: deploy_security_rules }

Then in the task file of my "security" role I use the statements below to include your role

- name: OS Security related configurations
  include_role:
    name: dev-sec.os-hardening

The problem occurs when I don't want to deploy security rules, i.e when deploy_security_rules = false

Here is the output I obtain during failure :

TASK [dev-sec.os-hardening : get all system accounts] **************************
[DEPRECATION WARNING]: always_run is deprecated. Use check_mode = no instead..

This feature will be removed in version 2.4. Deprecation warnings can be 
disabled by setting deprecation_warnings=False in ansible.cfg.
skipping: [vagrant-debian8.6] => {"changed": false, "skip_reason": "Conditional check failed", "skipped": true}

TASK [dev-sec.os-hardening : remove always ignored system accounts from list] **
skipping: [vagrant-debian8.6] => {"changed": false, "skip_reason": "Conditional check failed", "skipped": true}

TASK [dev-sec.os-hardening : change system accounts not on the user provided ignore-list] ***
fatal: [vagrant-debian8.6]: FAILED! => {"failed": true, "msg": "'sys_accs_cond' is undefined"}

Any idea why the role is failing ?

playbook makes OS undetectable

I launched an AWS Linux AMI, ami-275ffe31, which is their ECS-optimized image. Inspec detects it as a AWS box. But then when I run this playbook, Inspec can no longer detect the OS. When I run Inspec detect after running this playbook, I get:

== Operating System Details

Name:      
Family:    unknown
Release:   
Arch:      This account is currently not available.

Is this expected behavior? Or has anyone else seen similar behavior? I basically can't use Inspec anymore after running this playbook.

Permissions on /etc/shadow can lock out GUI users

The role restricts /etc/shadow to root:root 0400. That's fine for servers, but on desktops it causes GUI lockscreen logins to fail:

$ grep chpwd /var/log/auth.log
unix_chkpwd[21667]: password check failed for user (conor)

The problem is that the screenlocker can no longer read /etc/shadow as the normal user. The setgid on /sbin/unix_chkpwd (2755 root:shadow) doesn't work with 0400 perms on /etc/shadow. Both Debian and Ubuntu expect /etc/shadow to be 0640 root:shadow. One workaround would be to adjust unix_chkpwd to setuid root, but that's a step backward from a hardening perspective.

For simplicity's sake, we can use the os_desktop_enable boolean to skip updating permissions on /etc/shadow when true. Then the role will continue to work as expected in headless environments (likely 95% of the use case for this role), and also be trivially reusable on interactive workstations.

Another more complicated option is to provide custom logic that enforces root:shadow 0640 under Debian-like systems. I haven't tested Fedora and similar yet, so I don't know whether they will need a similar setup.

Sysctl reloading

See this discussion.
@ypid, can you please provide context on what solution you would like to see to make the sysctl-tasks clearer?

Strongly recommend against disabling vfat by default

This should include a huge warning ⚠️ with it. It stopped my system from booting because my EFI partition at /boot/efi is vfat. I later noticed the recommended whitelist in default.yml but many people will apply this role to their systems not expecting things to break so badly.
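The failure mode above (a blacklisted filesystem module that the host actually needs to boot) is cheap to rule out before the role runs. The following Python is an added example, not code from the os_hardening role or the issue author: it takes the list of filesystems a role would blacklist and removes any that are mounted now or that /etc/fstab will mount at boot, so vfat on an EFI System Partition (and squashfs on an Ubuntu host with snaps) never reach /etc/modprobe.d. CANDIDATE_FILESYSTEMS is an assumed list for illustration, not read from the role's defaults, and the /proc/mounts and /etc/fstab contents are constructed samples.

```python
"""Preflight check before blacklisting "unused" filesystem modules.

Added example; not code from the os_hardening role or the issue author.
A host that boots from an EFI System Partition needs vfat, and Ubuntu
hosts with snaps need squashfs, so this checks what is mounted now and
what /etc/fstab will mount at boot before a module name is blacklisted.
CANDIDATE_FILESYSTEMS is an assumed list for illustration, not read from
the role's defaults; the /proc/mounts and /etc/fstab contents are
constructed samples.
"""

# Assumed list of modules a hardening role might blacklist (illustration only).
CANDIDATE_FILESYSTEMS = [
    "cramfs", "freevxfs", "jffs2", "hfs", "hfsplus", "squashfs", "udf", "vfat",
]


def mounted_fstypes(proc_mounts_text):
    """Filesystem types currently mounted: field 3 of each /proc/mounts line."""
    types = set()
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            types.add(fields[2])
    return types


def fstab_fstypes(fstab_text):
    """Filesystem types /etc/fstab will mount; comments and blank lines skipped."""
    types = set()
    for line in fstab_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            types.add(fields[2])
    return types


def unsafe_to_blacklist(candidates, proc_mounts_text, fstab_text=""):
    """Candidates that are in use (mounted now, or listed in fstab), sorted."""
    in_use = mounted_fstypes(proc_mounts_text) | fstab_fstypes(fstab_text)
    return sorted(fs for fs in candidates if fs in in_use)


def safe_blacklist(candidates, proc_mounts_text, fstab_text=""):
    """The candidate list with in-use filesystems removed, order preserved."""
    blocked = set(unsafe_to_blacklist(candidates, proc_mounts_text, fstab_text))
    return [fs for fs in candidates if fs not in blocked]


# --- constructed samples ---------------------------------------------------
SAMPLE_PROC_MOUNTS = """\
/dev/nvme0n1p2 / ext4 rw,relatime 0 0
/dev/nvme0n1p1 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077 0 0
/dev/loop0 /snap/core/1234 squashfs ro,nodev,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""

SAMPLE_FSTAB = """\
# /etc/fstab (constructed sample)
UUID=1111-2222  /boot/efi   vfat  umask=0077          0  1
UUID=aaaa-bbbb  /           ext4  errors=remount-ro   0  1
/dev/sr0        /media/dvd  udf   noauto,user         0  0
"""

if __name__ == "__main__":
    # On a real host: open("/proc/mounts").read() and open("/etc/fstab").read()
    print("do NOT blacklist:",
          unsafe_to_blacklist(CANDIDATE_FILESYSTEMS, SAMPLE_PROC_MOUNTS, SAMPLE_FSTAB))
    print("safe to blacklist:",
          safe_blacklist(CANDIDATE_FILESYSTEMS, SAMPLE_PROC_MOUNTS, SAMPLE_FSTAB))
```

The fstab check matters because a filesystem that is only mounted on demand (the `noauto` udf entry in the sample) is invisible in /proc/mounts at preflight time but still breaks once the module is blacklisted; the result of safe_blacklist() is what should be handed to the role's filesystem list for that host.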

ansible-os-hardening/tasks/minimize_access.yml

mode = 0750 is missing for :

  • name: MINIMIZE ACCESS - Change su-binary to only be accessible to user and group root
    file: dest='/bin/su' owner=root group=root mode
    when: access.security_users_allow|default(None) != None

Centos 7.1 fails at [Change various sysctl-settings on rhel-hosts...]

TASK [ansible-os-hardening : Change various sysctl-settings on rhel-hosts, look at the sysctl-vars file for documentation] ***
task path: /home/felis/ansible/roles/ansible-os-hardening/tasks/sysctl.yml:28
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your playbooks so that the environment value uses the full variable syntax ('{{sysctl_rhel_config}}'). This feature will be 
removed in a future release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
failed: [localhost] => (item={'value': 1, 'key': u'kernel.exec-shield'}) => {"failed": true, "item": {"key": "kernel.exec-shield", "value": 1}, "msg": "setting kernel.exec-shield failed: sysctl: cannot stat /proc/sys/kernel/exec-shield: No such file or directory\n"}

Some searching suggests that RHEL 7 has disallowed modification to exec-shield and is enabled by default.

System completely unresponsive after role execution

The role/playbook executes without any sign of error.

The system was even responsive for a few minutes after execution. Some minutes later the active SSH connection interrupted (timeout). After that the system seemed to be unable to process any incoming requests. SSH connection attempts, ping requests and also HTTP requests to Node.JS apps behind a nginx seem to load but run into timeouts.

When restarting the server it may be that the system is responsive again but this works only for some minutes. It then quickly becomes unresponsive again.

Any ideas what is happening in this case?
Do you need any additional information?

Add a "don't fail on error" switch ?

Hello

I just added this role as a deps for my role, ended up removing it since it's breaking my playbook, especially my "molecule test". Logs are below.

   TASK [dev-sec.os-hardening : change su-binary to only be accessible to user and group root] ***
    fatal: [molecule-docker-gitlab-amazonlinux-2017.03]: FAILED! => {"changed": false, "failed": true, "msg": "file (/bin/su) is absent, cannot continue", "path": "/bin/su", "state": "absent"}
    fatal: [molecule-docker-gitlab-amazonlinux-2017.09]: FAILED! => {"changed": false, "failed": true, "msg": "file (/bin/su) is absent, cannot continue", "path": "/bin/su", "state": "absent"}
    changed: [molecule-docker-gitlab-centos-7]
   TASK [dev-sec.os-hardening : change su-binary to only be accessible to user and group root] ***
    fatal: [molecule-docker-gitlab-amazonlinux-2017.03]: FAILED! => {"changed": false, "failed": true, "msg": "file (/bin/su) is absent, cannot continue", "path": "/bin/su", "state": "absent"}
    fatal: [molecule-docker-gitlab-amazonlinux-2017.09]: FAILED! => {"changed": false, "failed": true, "msg": "file (/bin/su) is absent, cannot continue", "path": "/bin/su", "state": "absent"}
    changed: [molecule-docker-gitlab-centos-7]

As for me, I wish those lineinfile / ownership / mod checks could be ignored if files are missing, hence no security trouble there.

Change system accounts not on the user provided ignore-list items are not JSON serializable

Hi,

On some systems, I'm getting the error below. For now I'm not seeing why this could happen.

$ (ansible host) ansible --version
ansible 2.3.0.0
  python version = 3.5.2+ (default, Sep 22 2016, 12:18:14) [GCC 6.2.0 20160927]
$ (ansible host) lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.10
Release:	16.10
Codename:	yakkety
$ (provision host) lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.2 LTS
Release:	16.04
Codename:	xenial
TASK [os-hardening : remove always ignored system accounts from list] ***********************************************************************************************************************************************************************
task path: /root/ops/ansible/roles/os-hardening/tasks/user_accounts.yml:27
 [WARNING]: Failure using method (v2_runner_on_ok) in callback plugin (<ansible.plugins.callback.default.CallbackModule object at 0x7fe967f75898>): {'_apt', 'messagebus', 'dnsmasq', 'systemd-bus-proxy', 'systemd-timesync', 'mail',
'daemon', 'www-data', 'systemd-network', 'man', 'syslog', 'backup', 'uuidd', 'irc', 'proxy', 'systemd-resolve', 'ntp', 'uucp', 'lp', 'list', 'sys', 'gnats', 'pollinate', 'bin', 'news', 'lxd', 'games', 'sshd'} is not JSON serializable


TASK [os-hardening : change system accounts not on the user provided ignore-list] ***********************************************************************************************************************************************************
task path: /root/ops/ansible/roles/os-hardening/tasks/user_accounts.yml:32
The full traceback is:
Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/ansible/executor/task_executor.py", line 97, in run
    item_results = self._run_loop(items)
  File "/usr/local/lib/python3.5/dist-packages/ansible/executor/task_executor.py", line 290, in _run_loop
    res = self._execute(variables=task_vars)
  File "/usr/local/lib/python3.5/dist-packages/ansible/executor/task_executor.py", line 521, in _execute
    result = self._handler.run(task_vars=variables)
  File "/usr/local/lib/python3.5/dist-packages/ansible/plugins/action/normal.py", line 45, in run
    results = merge_hash(results, self._execute_module(tmp=tmp, task_vars=task_vars, wrap_async=wrap_async))
  File "/usr/local/lib/python3.5/dist-packages/ansible/plugins/action/__init__.py", line 635, in _execute_module
    (module_style, shebang, module_data, module_path) = self._configure_module(module_name=module_name, module_args=module_args, task_vars=task_vars)
  File "/usr/local/lib/python3.5/dist-packages/ansible/plugins/action/__init__.py", line 160, in _configure_module
    task_vars=task_vars, module_compression=self._play_context.module_compression)
  File "/usr/local/lib/python3.5/dist-packages/ansible/executor/module_common.py", line 796, in modify_module
    (b_module_data, module_style, shebang) = _find_module_utils(module_name, b_module_data, module_path, module_args, task_vars, module_compression)
  File "/usr/local/lib/python3.5/dist-packages/ansible/executor/module_common.py", line 629, in _find_module_utils
    python_repred_params = repr(json.dumps(params))
  File "/usr/lib/python3.5/json/__init__.py", line 230, in dumps
    return _default_encoder.encode(obj)
  File "/usr/lib/python3.5/json/encoder.py", line 198, in encode
    chunks = self.iterencode(o, _one_shot=True)
  File "/usr/lib/python3.5/json/encoder.py", line 256, in iterencode
    return _iterencode(o, 0)
  File "/usr/lib/python3.5/json/encoder.py", line 179, in default
    raise TypeError(repr(o) + " is not JSON serializable")
TypeError: {'_apt', 'messagebus', 'dnsmasq', 'systemd-bus-proxy', 'systemd-timesync', 'mail', 'daemon', 'www-data', 'systemd-network', 'man', 'syslog', 'backup', 'uuidd', 'irc', 'proxy', 'systemd-resolve', 'ntp', 'uucp', 'lp', 'list', 'sys', 'gnats', 'pollinate', 'bin', 'news', 'lxd', 'games', 'sshd'} is not JSON serializable

fatal: [clap-instance-rh6g]: FAILED! => {
    "failed": true,
    "msg": "Unexpected failure during module execution.",
    "stdout": ""
}
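The traceback above shows json.dumps() being handed a Python set of account names: Ansible serialises every module's arguments as JSON before shipping them to the target, and the json module has no encoder for set. The reporter is on Python 3.5, where the `difference` filter of that Ansible generation returns a set (on Python 2 it returned a list), which is why the same task works elsewhere. The following Python is an added example, not code from the role or the issue author: it reproduces the list-building logic of the task with set arithmetic and shows that the fix is to hand the module a list (in Jinja2, appending `| list` to the filter chain). The account names are constructed samples.

```python
"""Why the user_accounts task dies with "is not JSON serializable".

Added example; not code from the role or the issue author. Ansible
serialises module arguments with json.dumps(), which rejects Python sets;
a set-returning Jinja2 filter (`difference` on Python 3 in this Ansible
generation) in the task that builds the account list therefore breaks the
next task. The fix is to convert the result to a list. Account names below
are constructed samples.
"""
import json


def json_arg_error(value):
    """The TypeError message json.dumps raises for value, or None if it encodes."""
    try:
        json.dumps(value)
    except TypeError as exc:
        return str(exc)
    return None


def accounts_to_change(system_accounts, always_ignored, user_ignored):
    """System accounts minus both ignore lists, as a JSON-safe sorted list.

    Set arithmetic is the natural way to express the task's logic; the
    sorted() call is what turns the result back into something Ansible can
    serialise (the Jinja2 equivalent is appending `| list`).
    """
    return sorted(set(system_accounts) - set(always_ignored) - set(user_ignored))


# --- constructed samples ---------------------------------------------------
SAMPLE_SYSTEM_ACCOUNTS = [
    "root", "daemon", "bin", "sys", "irc", "www-data", "sshd", "vagrant", "sync",
]
SAMPLE_ALWAYS_IGNORED = ["root", "sync", "shutdown", "halt"]
SAMPLE_USER_IGNORED = ["vagrant"]

if __name__ == "__main__":
    broken = set(SAMPLE_SYSTEM_ACCOUNTS) - set(SAMPLE_ALWAYS_IGNORED)
    print("set  ->", json_arg_error(broken))          # the TypeError from the issue
    print("list ->", json_arg_error(sorted(broken)))  # None: encodes fine
    print(accounts_to_change(SAMPLE_SYSTEM_ACCOUNTS, SAMPLE_ALWAYS_IGNORED, SAMPLE_USER_IGNORED))
```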

The task sysctl fails when /etc/initramfs-tools is not present

Hi,

When I tried to run the playbook on a Debian Jessie 8.2 (Scaleway image : https://github.com/scaleway/image-debian), the task sysctl failed with the following message :

TASK [dev-sec.os-hardening : rebuild initramfs with starting pack of modules, if module loading at runtime is disabled] ***
fatal: [app0]: FAILED! => {"changed": true, "failed": true, "msg": "Destination directory /etc/initramfs-tools does not exist"}

I suppose that a simple fix would be adding a task ensuring that the directory is present :

- name: Create initramfs-tools directory
  file: path=/etc/initramfs-tools state=directory mode=0755

But I wonder why I have this issue as I don't have it with this Vagrant box https://atlas.hashicorp.com/bento/boxes/debian-8.2

Could not find gem 'ruby (>= 2.1.0)'

If I try to bundle install, I get the following error:

Could not find gem 'ruby (>= 2.1.0)', which is required by gem 'foodcritic (~> 4.0)', in any of the sources.

Im able to install foodcritic manually. Is there a problem in the dependency YAML?

ubuntu xenial warning during activate gpg-check for yum-repos

ubuntu 16.04
ansible 2.1.2
dev-sec.os-hardening 3.1

Result:

TASK [dev-sec.os-hardening : activate gpg-check for yum-repos] *****************
[DEPRECATION WARNING]: Skipping task due to undefined Error, in the future this will be a fatal error.: 'dict object'
has no attribute 'stdout_lines'.
This feature will be removed in a future release. Deprecation warnings can be disabled
by setting deprecation_warnings=False in ansible.cfg.

CentOS 7 selinux dependencies

Hello,
When running this role on a CentOS 7 I get the following errors:

TASK [dev-sec.ssh-hardening : check and compile policy] ************************
fatal: [192.168.77.10]: FAILED! => {"changed": true, "cmd": "checkmodule -M -m -o /etc/selinux/local-policies/ssh_password.mod /etc/selinux/local-policies/ssh_password", "delta": "0:00:00.002428", "end": "2016-10-10 11:48:41.962335", "failed": true, "rc": 127, "start": "2016-10-10 11:48:41.959907", "stderr": "/bin/sh: checkmodule: command not found", "stdout": "", "stdout_lines": [], "warnings": []}

Then I've installed the checkpolicy package and had this error:

TASK [dev-sec.ssh-hardening : create selinux policy module package] ************
fatal: [192.168.77.10]: FAILED! => {"changed": true, "cmd": "semodule_package -o /etc/selinux/local-policies/ssh_password.pp -m /etc/selinux/local-policies/ssh_password.mod", "delta": "0:00:00.002294", "end": "2016-10-10 11:50:04.572800", "failed": true, "rc": 127, "start": "2016-10-10 11:50:04.570506", "stderr": "/bin/sh: semodule_package: command not found", "stdout": "", "stdout_lines": [], "warnings": []}

Resolved by installing policycoreutils-python package.
Then the role applied correctly.

Should the ansible role manage its dependencies?
Romain

Custom sysctl

Hi there!

Is there any way to override some sysctl values? You're using vars/, which has the highest precedence.
I'm not sure how to make the vars act as defaults, not mandatory, so they can be changed in host/group vars.

Error running on RHEL 7 due to syntax issues

I've been trying to use this project to start securing some RHEL 7 images, and getting errors largely due to bracket/operator precedence mistakes in https://github.com/dev-sec/ansible-os-hardening/blob/master/tasks/pam.yml#L49-L55. (The install of pam_passwdqc intended for RHEL6 still fires on RHEL7.)

I'm developing a PR to echo my local fixes, and am planning to switch to testing for the more generic ansible_os_family == 'RedHat' rather than just fixing the brackets. Largely posting this issue in case anyone has strong thoughts to the contrary...

I also can't find any 'pam_pwfamily' package to install on RHEL 7, despite #94 suggesting it is. I've confirmed with RHEL Support that libpwquality is installed by default, and would assume the related distros follow suit.

@rndmh3ro - is there anything I've not thought of in the above?

Norm-Audit-Hardening-Audit

This project lacks a normative specification that can be used as a benchmark in an audit. If it would use CIS or DISA then we can use oscap to verify hardening deviations. Now the sysop did something without a standard to comply to.

ansible 2.0 | "remove suid/sgid" task fails

TASK [ansible-os-hardening : remove suid/sgid bit from all binaries except in system and user whitelist] ***
fatal: [testbuild]: FAILED! => {"failed": true, "msg": "ERROR! 'suid' is undefined"}

Ubuntu 14.04.3 LTS

rhel_system_auth.j2 is still using pam_passwdqc.so for CentOS 7

Sep 25 13:04:18 VH07 sudoedit[19076]: PAM unable to dlopen(/usr/lib64/security/pam_passwdqc.so): /usr/lib64/security/pam_passwdqc.so: cannot open shared object file: No such file or directory
Sep 25 13:04:18 VH07 sudoedit[19076]: PAM adding faulty module: /usr/lib64/security/pam_passwdqc.so

The /templates/rhel_system_auth.j2 is still referring to pam_passwdqc , which is no longer available in CentOS >7. This breaks some things like passwd.

Currently I'm setting os_auth_pam_passwdqc_enable to false.
A more permanent solution could be using password required pam_pwquality.so retry=3 and creating /etc/security/pwquality.conf as suggested in the
RHEL 7 Security Guide

This issue will probably apply on other *-os-hardening, although I can't verify this.

ansible >= 2.0 complains: Using bare variables is deprecated

TASK [os-hardening : delete rhosts-files from system | DTAG SEC Req 3.21-4 dest=~{{ item }}/.rhosts, state=absent] ***
task path: /Users/me/dev/roles.galaxy/os-hardening/tasks/rhosts.yml:7
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your
playbooks so that the environment value uses the full variable syntax
('{{users.stdout_lines}}').
This feature will be removed in a future release.
Deprecation warnings can be disabled by setting deprecation_warnings=False in
ansible.cfg.

usually, the variables need to be enclosed ({{ }}) to be safe. regards

bug in ufw.j2 template

Bug with Ubuntu 16.04+
With single quotes in /etc/default/ufw you encounter an error when using the ufw command.
F.ex.
srv1 # ufw status
ERROR: Missing policy for 'input'

Please change default POLICY values to be included into double quotes, not the single ones.
F.ex. change
DEFAULT_INPUT_POLICY='{{ ufw_default_input_policy }}'
to
DEFAULT_INPUT_POLICY="{{ ufw_default_input_policy }}"

pam auth update error

Updating PAM results in an error:


TASK: [ansible-os-hardening | update pam] ************************************* 

changed: [localhost]

TASK: [ansible-os-hardening | debug var=output] ******************************* 

ok: [localhost] => {
    "var": {
        "output": {
            "changed": true, 
            "cmd": [
                "pam-auth-update", 
                "--package"
            ], 
            "delta": "0:00:00.106277", 
            "end": "2015-10-18 18:33:24.083934", 
            "invocation": {
                "module_args": "pam-auth-update --package", 
                "module_complex_args": {}, 
                "module_name": "command"
            }, 
            "rc": 0, 
            "start": "2015-10-18 18:33:23.977657", 
            "stderr": "Use of uninitialized value in join or string at /usr/sbin/pam-auth-update line 111, <STDIN> line 4.", 
            "stdout": "", 
            "stdout_lines": [], 
            "warnings": []
        }
    }
}

RHEL 7.4: Too many setuid bits removed

When running against RHEL 7.4 beta, these files have their setuid bits removed:

  • /usr/bin/su
  • /usr/sbin/netreport
  • /usr/libexec/openssh/ssh-keysign

This definitely breaks su. I don't know about the other files and if they should have setuid, but I suspect so.

I'll open a PR to add these files to the whitelist for RHEL 7.

As a workaround, add the files to the os_security_suid_sgid_whitelist var.

EDIT: I can't actually figure out how to apply the workaround - neither putting it into a group var nor in the playbook vars works... - I also don't know why it's acting as if os_security_suid_sgid_remove_from_unknown is set to true.

I am running ansible 2.3.1.0, installed the role by doing git clone https://github.com/dev-sec/ansible-os-hardening.git dev-sec.os-hardening in /etc/ansible/roles, and this is my playbook:

- hosts: '*'
  roles:
    - dev-sec.os-hardening
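Before letting the suid/sgid task loose on a new distribution release, it is worth seeing exactly which binaries it would touch. The following Python is an added example, not the role's own code: it replays the effect of the two variables the issue names (os_security_suid_sgid_whitelist and os_security_suid_sgid_remove_from_unknown) over a captured `find` listing, so the su/netreport/ssh-keysign problem above shows up as a planned chmod instead of a broken su. FIND_OUTPUT is a constructed sample of `find / -xdev -type f -perm /6000 -printf '%m %u %g %p\n'`; the `blacklist` parameter (paths always stripped) is an assumption added for completeness and is not taken from the page.

```python
r"""Dry run of the suid/sgid removal task against `find` output.

Added example; not the role's own code. The issue above reports su,
netreport and ssh-keysign losing their setuid bit on RHEL 7.4 and names
the variables os_security_suid_sgid_whitelist and
os_security_suid_sgid_remove_from_unknown. This reproduces their effect on
a captured file list so the result can be inspected before the role runs:

    find / -xdev -type f -perm /6000 -printf '%m %u %g %p\n'

FIND_OUTPUT below is a constructed sample of that command's output. The
`blacklist` parameter (paths always stripped) is an assumption added for
completeness and is not taken from the page.
"""

SETUID = 0o4000
SETGID = 0o2000
SPECIAL = SETUID | SETGID


def parse_find_output(text):
    """Yield (mode, user, group, path) from the -printf format above."""
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4:
            yield int(parts[0], 8), parts[1], parts[2], parts[3]


def plan_suid_removal(find_text, whitelist=(), blacklist=(), remove_from_unknown=False):
    """Return {path: new_mode} for every file whose suid/sgid bits would be cleared.

    Precedence: a blacklisted path is always stripped, a whitelisted path is
    always kept, and any other path is stripped only when remove_from_unknown
    is true (the default here, as in the issue, is false).
    """
    keep, strip = set(whitelist), set(blacklist)
    plan = {}
    for mode, _user, _group, path in parse_find_output(find_text):
        if not mode & SPECIAL:
            continue
        if path in strip or (path not in keep and remove_from_unknown):
            plan[path] = format(mode & ~SPECIAL, "04o")
    return plan


# --- constructed sample of `find` output -----------------------------------
FIND_OUTPUT = """\
4755 root root /usr/bin/su
4755 root root /usr/sbin/netreport
4711 root root /usr/libexec/openssh/ssh-keysign
4755 root root /usr/bin/passwd
2755 root tty /usr/bin/write
4755 root root /usr/bin/rcp
"""

# The three binaries the issue lists for RHEL 7 (constructed whitelist).
RHEL7_WHITELIST = [
    "/usr/bin/su",
    "/usr/sbin/netreport",
    "/usr/libexec/openssh/ssh-keysign",
]

if __name__ == "__main__":
    plan = plan_suid_removal(FIND_OUTPUT, RHEL7_WHITELIST, remove_from_unknown=True)
    for path, mode in sorted(plan.items()):
        print("would chmod %s %s" % (mode, path))
```

Run the find command on the target, feed its output to plan_suid_removal() with the whitelist you intend to set, and compare the plan against what the distribution ships with setuid (rpm -V or dpkg --verify will flag the same files afterwards); anything in the plan that you did not expect belongs in os_security_suid_sgid_whitelist before the role runs.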

Enhancement: Pin python dependencies for development and testing

In order to test reliably, I recommend pinning your Python pip dependencies. virtualenv is recommended for this practice.

#create a .venv directory in the current directory
virtualenv --python $(type -P python2.7) .venv
#activate the virtual environment
source .venv/bin/activate
#all python pip changes only happen in the virtualenv .venv directory
#upgrade the version of pip
pip install -U pip
pip install ansible
pip freeze > requirements.txt

See also:

This method makes for more reliable and transparent testing/development.

Why is rsync removed?

Commit 0bba152 changes the package removal list from hardcoded to based on the os_security_packages_list variable and at the same time adds rsync to the default list.

What is the rationale for removing the rsync package? Was this an oversight? It is not listed in the Readme packages section either...
