Ansible playbook for Linux hardening
Ansible playbook to harden your Linux system.
(See `ansible-playbook --list-tasks --tags centos harden.yml`.) For a complete list you can run `ansible-playbook --list-tasks harden.yml`.

Logging:

- Configures `logrotate` to shred files
- See `ansible-playbook --list-tasks --tags logging harden.yml` for a full list

Accounting:

- See `ansible-playbook --list-tasks --tags accounting harden.yml` for a full list

Kernel:

- `modprobe`
- Restricts `dmesg` use by regular users
- See `ansible-playbook --list-tasks --tags kernel harden.yml` for a full list

Filesystem:

- Creates `/etc/fstab.new` (see fstab.awk)
- Permissions (see the `permissions` tag for a complete list)
- `/tmp` during boot
- SUID/SGID binaries (see `ansible-playbook --list-tasks --tags suid,sgid harden.yml` for details)

SSH:

- `sshd_config` and `ssh_config` (see `ansible-playbook --list-tasks --tags ssh harden.yml` for details)

sudo:

- Existing rules in `/etc/sudoers.d/` that match our `become: true` tasks but do not have an explicit `EXEC` tag can "break" sudo, as we define `Defaults noexec` in the main `sudoers` file. There is a "Fix NOPASSWD rules" task in sudoers.yml which tries to tackle this problem, but it's not guaranteed to work.
- Set `sudo_iolog` in vars.yml to `true` to enable I/O logging
- Set `sudo_ids` in vars.yml to `true` to enable "Intrusion Detection" as described in Sudo Mastery chapter 9 (#59)
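The `Defaults noexec` interaction above is easy to audit before running the playbook. The Python below is an added example, not code from harden.yml or its "Fix NOPASSWD rules" task: it parses sudoers-style user specifications (the common `Tag_Spec` forms only, not the full sudoers grammar) and lists the `NOPASSWD` rules that carry no explicit `EXEC` tag, i.e. the rules that would run with exec disabled once `noexec` is the default. Both sudoers texts are constructed samples; the `deploy`, `backup` and `ops` users and the command paths are assumptions for illustration.

```python
"""Find sudoers rules that would still run under 'Defaults noexec'.

Added example; not part of harden.yml. The sudoers contents below are constructed samples.
"""
import re
from dataclasses import dataclass

# Tag keywords from the sudoers(5) Tag_Spec grammar. Each has a NO* opposite.
TAG_WORDS = {"NOPASSWD", "PASSWD", "EXEC", "NOEXEC", "SETENV", "NOSETENV",
             "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
             "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW", "INTERCEPT", "NOINTERCEPT"}


@dataclass(frozen=True)
class Rule:
    line_no: int      # first line of the (possibly continued) logical line
    user: str         # user, %group, +netgroup or User_Alias
    host: str
    runas: str        # contents of the (...) part, "" when absent
    tags: frozenset   # tags in effect for this command
    command: str


def logical_lines(text):
    """Yield (line_no, content) with comments removed and backslash continuations joined."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # '#' starts a comment; #include lines are dropped too
        if not line.strip():
            continue
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:   # file ended inside a continuation
        yield start, " ".join(buf)


def noexec_default(text):
    """True when an unconditional 'Defaults noexec' flag is set, as harden.yml does in the main sudoers."""
    for _, line in logical_lines(text):
        parts = line.split(None, 1)
        if parts[0] == "Defaults" and len(parts) == 2:
            if "noexec" in (f.strip() for f in parts[1].split(",")):
                return True
    return False


def parse_rules(text):
    """Parse user specifications into one Rule per command; Defaults and alias lines are skipped."""
    rules = []
    for no, line in logical_lines(text):
        head = line.split()[0]
        if head.startswith("Defaults") or head.endswith("_Alias") or "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        who = lhs.split()
        if len(who) < 2:
            continue
        user, host = who[0], who[1]
        rhs = rhs.strip()
        runas = ""
        m = re.match(r"\(([^)]*)\)\s*(.*)", rhs)
        if m:
            runas, rhs = m.group(1), m.group(2)
        tags = set()   # a tag stays in effect for the rest of the command list
        for cmd in (c.strip() for c in rhs.split(",")):
            while True:
                m = re.match(r"([A-Z_]+):\s*(.*)", cmd)
                if not m or m.group(1) not in TAG_WORDS:
                    break
                tag = m.group(1)
                # setting a tag clears its opposite (EXEC vs NOEXEC, NOPASSWD vs PASSWD, ...)
                tags.discard(tag[2:] if tag.startswith("NO") else "NO" + tag)
                tags.add(tag)
                cmd = m.group(2)
            if cmd:
                rules.append(Rule(no, user, host, runas, frozenset(tags), cmd))
    return rules


def nopasswd_without_exec(text):
    """The rules the 'Fix NOPASSWD rules' task is concerned with: NOPASSWD but no EXEC tag."""
    return [r for r in parse_rules(text) if "NOPASSWD" in r.tags and "EXEC" not in r.tags]


# Constructed samples (not real configuration from any system).
MAIN_SUDOERS = """\
Defaults env_reset
Defaults noexec
root ALL=(ALL:ALL) ALL
"""

DROPIN = """\
# constructed /etc/sudoers.d/ drop-in
Defaults env_keep += "SSH_AUTH_SOCK"
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
backup ALL=(root) NOPASSWD: EXEC: /usr/local/bin/run-backup, /usr/bin/rsync
ops    ALL=(ALL) ALL
%wheel ALL=(ALL:ALL) NOPASSWD: /usr/bin/apt-get update, \\
       EXEC: /usr/bin/apt-get upgrade
"""

if __name__ == "__main__":
    if noexec_default(MAIN_SUDOERS):
        for r in nopasswd_without_exec(DROPIN):
            print(f"line {r.line_no}: {r.user} {r.host}=({r.runas}) {r.command}: NOPASSWD without EXEC")
```

On the constructed drop-in the checker reports the `deploy` rule and the `%wheel` `apt-get update` command; `run-backup` and `rsync` are clean because a tag stays in effect for the rest of the command list, which is also why `apt-get upgrade` (after `EXEC:`) is clean.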
Application:

- Configures `clamd` & `freshclam` by first generating fresh configurations with `clamconf`
- `tigerrc` & `tiger.ignore`
- PHP (`php.ini`) hardening
- umask `077` (see https://github.com/pyllyukko/harden.yml/wiki/umask)
- `$TMOUT` (Bash)

Accounts and passwords:

- System accounts (`SYS_UID_MAX` && !`root`): login shell `/sbin/nologin`, and `RLIMIT_NPROC` set to 0 in pam_limits for those system accounts that don't need to run any processes
- See `ansible-playbook --list-tasks --tags passwords harden.yml` to list all password related tasks
- See `ansible-playbook --list-tasks --tags accounts harden.yml` for details

Authorization:

- `securetty`
- `/etc/ftpusers`
- `at`
- See `ansible-playbook --list-tasks --tags authorization` for a full list

PAM:

- `/etc/security/namespace.conf`
- `/etc/security/access.conf` for `pam_access` (authorization) (see access.conf.j2)
- `/etc/security/pwquality.conf` if available
- `/etc/pam.d/su`
- `/etc/security/limits.conf` as follows:
  - `nproc` to 0 for system users that don't need to run any processes
- See `ansible-playbook --list-tasks --tags pam harden.yml` to list all PAM related tasks
- See `ansible-playbook --check --diff --tags pam harden.yml` to see details of the changes

Shells:

- `/etc/shells`

Slackware specific (see `ansible-playbook --list-tasks --tags slackware harden.yml` for a full list):

- `adm` readable (as in Debian)
- Restricts `cron` so that only users in the wheel group are able to create cronjobs (as described in /usr/doc/dcron-4.5/README)
- `hidepid=2` for `/proc`
- Makes `installpkg` store the MD5 checksums
- Process accounting (`acct`)
- Configures `inittab` to use `shutdown -a` (and `/etc/shutdown.allow`)
- Services (see `ansible-playbook --list-tasks --tags slackware harden.yml | grep '\bservices\b'` for a full list)
- cgroup configuration (`libcgroup`) into `/etc/cg{config,rules}.conf`
- `bootlogd`
- `CONFIG_LEGACY_PTYS` (which KSPP recommends to disable)
- `/etc/pam.d/system-auth`, which has the following changes:
  - Adds `pam_faildelay`
  - Adds `pam_faillock`
  - Adds `pam_access`
  - Removes `nullok` from `pam_unix`
  - `pam_unix` `minlen` from 6 to 14
- `/etc/pam.d/postlogin`:
  - `pam_umask`
  - `pam_cgroup`
  - `pam_namespace`
- Removes `auth include postlogin` from several files, as postlogin should (and has) only `session` module types
- Creates `/etc/pam.d/sudo`, as that seemed to be missing
- `su` (see su.new)

Debian specific:

- `SUITE` in debsecan
- `debsums`, and enables a weekly cron job
- `chkrootkit`, and enables daily checks
- Creates a bunch of pam-configs that are toggleable with `pam-auth-update`:
PAM module | Type | Description |
---|---|---|
pam_wheel [1] | auth | Require wheel group membership (su) |
pam_succeed_if | auth & account | Require UID >= 1000 && UID <= 60000 (or 0 & login) |
pam_unix [1] | auth | Remove nullok |
pam_faildelay | auth | Delay on authentication failure |
pam_ssh_agent_auth | auth | SSH agent authentication for sudo [3] |
pam_faillock | auth & account | Deter brute-force attacks |
pam_access | account | Use login ACL (/etc/security/access.conf) |
pam_time | account | /etc/security/time.conf |
pam_lastlog | account | Lock out inactive users (no login in 90 days) |
pam_namespace | session | Polyinstantiated temp directories |
pam_umask | session | Set file mode creation mask |
pam_lastlog | session | Display info about last login and update the lastlog and wtmp files [2] |
pam_pwhistory | password | Limit password reuse |

1. Not a pam-config, but a modification to existing `/etc/pam.d/` files
2. krb5 or other password auths.
3. `sshd` needs to have `AllowAgentForwarding yes`, and `sudo` needs `Defaults env_keep += "SSH_AUTH_SOCK"`
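The system-auth changes and the pam-config table above describe an end state that is worth verifying after the playbook has run. The Python below is an added example, not a template or task from harden.yml: it parses pam.d-style entries (type, control, module, arguments, including bracketed controls such as `[default=die]`) and reports which of the listed changes are not in effect. The "before" and "after" files are constructed samples that only stand in for a Slackware-style `system-auth`; the delay, retry and `minlen` values in them are assumptions for illustration.

```python
"""Check whether the listed PAM hardening changes are in effect in a pam.d-style file.

Added example; not part of harden.yml. Both configurations below are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PamEntry:
    mtype: str     # auth, account, password or session
    control: str   # required, requisite, sufficient, optional, include, substack or [...]
    module: str    # e.g. pam_unix.so
    args: tuple    # module arguments


def parse_pam(text):
    """Parse pam.d entries; comments and blank lines are dropped, a leading '-' (optional module) is ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, rest = line.lstrip("-").split(None, 1)
        if rest.startswith("["):                 # bracketed control, e.g. [default=die]
            control, rest = rest.split("]", 1)
            control += "]"
        else:
            control, rest = rest.split(None, 1)
        parts = rest.split()
        entries.append(PamEntry(mtype.lower(), control, parts[0], tuple(parts[1:])))
    return entries


def audit(text):
    """Return the listed changes that are NOT present; an empty list means all are in effect."""
    entries = parse_pam(text)

    def have(mtype, module):
        return any(e.mtype == mtype and e.module == module for e in entries)

    def args(module, mtype=None):
        return [a for e in entries if e.module == module and mtype in (None, e.mtype) for a in e.args]

    missing = []
    if not have("auth", "pam_faildelay.so"):
        missing.append("pam_faildelay in auth")
    if not (have("auth", "pam_faillock.so") and have("account", "pam_faillock.so")):
        missing.append("pam_faillock in auth and account")
    if not have("account", "pam_access.so"):
        missing.append("pam_access in account")
    if "nullok" in args("pam_unix.so"):          # nullok must be gone from every pam_unix line
        missing.append("nullok removed from pam_unix")
    minlen = [int(a[len("minlen="):]) for a in args("pam_unix.so", "password") if a.startswith("minlen=")]
    if not minlen or min(minlen) < 14:
        missing.append("pam_unix minlen 14")
    return missing


# Constructed "before": a minimal Slackware-style system-auth (sample, not a real file).
BEFORE = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok minlen=6
session     required      pam_unix.so
"""

# Constructed "after": the same file with the listed changes applied (sample values).
AFTER = """\
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_faillock.so preauth
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_access.so
account     required      pam_unix.so
password    requisite     pam_pwquality.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok minlen=14
session     required      pam_unix.so
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, "missing:", audit(text) or "nothing")
```

`audit()` returns every listed change that is absent rather than stopping at the first one, so a single run against the real file (`audit(open("/etc/pam.d/system-auth").read())`) gives the full gap list; it deliberately checks module type and arguments, not line order, since ordering rules differ per distribution.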
Usage:

- Modify `hosts` in harden.yml, or create a completely new playbook by making a copy of the harden.yml file
- Check vars.yml in case you want to tweak some of the settings
- `ansible-playbook --list-tasks harden.yml`
- `ansible-playbook harden.yml`

Notes:

- `allowed_group` group
- `noexec` is on by default, so you need to take this into account in your custom rules
- `root` sessions have a timeout, so use `screen` for those longer administrative tasks
- `loginuid` enabled in auditing in non-systemd systems (Slackware). See the longer description of this in the wiki.

Tags that you can use with `ansible-playbook --tags`:

- `pki`
- `kernel`
- `rng`
- `network`
- `firewall`
- `ipv6`
- `logging`
- `permissions`
- `fstab`
- `suid` & `sgid`
- `sysstat`
- `ssh`
- `rkhunter`
- `chkrootkit`
- `aide`
- `audit` (use `--skip-tags audit` in Slackware if you don't have audit installed)
- `debsecan`
- `debsums`
- `lynis` (to only configure Lynis you can use `--tags lynis --skip-tags packages`)
- `sudo`
- `kerberos`
- `clamav` (use `--skip-tags clamav` in Slackware if you don't have clamav installed)
- `yara`
- `apparmor`
- `cron` (also includes tasks regarding `at`)
- `php`
- `apache`
- `hsts`
- `ntp`
- `lightdm`
- `gnome`
- `tiger`
- `john`
- `banners`
- `accounting` (includes `sysstat`)
- `authorization`
- `passwords`
- `accounts`
- `pam`
- `limits`
- `cgroup` (Slackware)
- `hidepid` (Slackware)
- `shells`
- `umask`

There are also operating system tags for tasks that only apply to a specific OS.
You can speed up the hardening by skipping OSs that don't apply. E.g. if you're
hardening a Slackware system you can use `--skip-tags debian,centos`.

Other tags are just metadata for now. You can list all the tags with
`ansible-playbook --list-tags harden.yml`.

Other features:

- `lock_account.yml`: a playbook that you can use to lock user accounts. Just modify the `hosts` & `user`.
- `sudo_ids` in vars.yml: enables "Sudo Intrusion Detection" as seen in chapter 9 of Sudo Mastery
- `SHELLS` `Cmnd_Alias` (for now)

References: some of these documents are quite old, but most of the stuff still applies.