From 10a27341c4ce5be99ed980ef5248afbbe876f2e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Mon, 6 May 2024 15:10:20 +0000
Subject: [PATCH 01/12] Initial refactor for issue #96
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 src/automated-security-updates.yml | 9 -----
 src/base.yml | 6 ----
 src/harden.yml | 56 +++++++++++++++++++++++++++---
 src/ipa-initial-seeding-script.yml | 2 +-
 src/packer.pkr.hcl | 6 ----
 src/playbook.yml | 3 --
 src/requirements.yml | 12 +++----
 src/upgrade.yml | 9 -----
 8 files changed, 56 insertions(+), 47 deletions(-)
 delete mode 100644 src/automated-security-updates.yml
 delete mode 100644 src/upgrade.yml
diff --git a/src/automated-security-updates.yml b/src/automated-security-updates.yml
deleted file mode 100644
index d3a8212..0000000
--- a/src/automated-security-updates.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- name: Configure for automated security updates
- hosts: all
- become: true
- become_method: ansible.builtin.sudo
- tasks:
- - name: Set up automated security updates
- ansible.builtin.include_role:
- name: automated_security_updates
diff --git a/src/base.yml b/src/base.yml
index 70077f4..c8244c8 100644
--- a/src/base.yml
+++ b/src/base.yml
@@ -4,9 +4,6 @@ become: true become_method: ansible.builtin.sudo tasks: - - name: Install and configure automated security updates - ansible.builtin.include_role: - name: automated_security_updates - name: Install and configure login banner ansible.builtin.include_role: name: banner
@@ -19,9 +16,6 @@ - name: Install and configure htop ansible.builtin.include_role: name: htop - name: Configure JournalD to preserve logs across reboots - ansible.builtin.include_role: - name: persist_journald - name: Install and configure systemd-resolved ansible.builtin.include_role: name: systemd_resolved
diff --git a/src/harden.yml b/src/harden.yml
index 1f6b7f7..f3cac2a 100644
--- a/src/harden.yml
+++ b/src/harden.yml
@@ -15,15 +15,61 @@ - https://raw.githubusercontent.com/cisagov/ansible-role-banner/develop/files/issue - https://raw.githubusercontent.com/cisagov/ansible-role-banner/develop/files/motd - name: Harden system - # This role is forked from konstruktoid/ansible-role-hardening - # and we do not control the names of the role variables. This + # We do not control the names of the role variables. This # is the reason for the noqa comment. - ansible.builtin.include_role: # noqa var-naming[no-role-prefix] - name: harden + ansible.builtin.import_role: # noqa var-naming[no-role-prefix] + name: konstruktoid.hardening vars: - # Point the role to the correct issue and motd templates + automatic_updates: true + fallback_ntp: + - 169.254.169.123 issue_template: /tmp/issue + journald_storage: persistent + manage_timesyncd: false + manage_resolved: false + manage_ufw: false motd_template: /tmp/motd + ntp_servers: + - 169.254.169.123 + sshd_admin_net: + - "0.0.0.0/0" + system_upgrade: true + packages_blocklist: + - apport* + - autofs + - avahi* + - avahi-* + - beep + - git + - pastebinit + - popularity-contest + - prelink + - rpcbind + - rsh* + - rsync + - talk* + - telnet* + - tftp* + - tuned + - whoopsie + - xinetd + - yp-tools + - ypbind + packages_debian: + - auditd + - cracklib-runtime + - libpam-pwquality + packages_redhat: + - audit + - cracklib + - libpwquality + - python3-dnf-plugin-post-transaction-actions + packages_ubuntu: [] + pass_max_days: 365 + pass_min_days: 7 + sshd_max_sessions: 4 + suid_sgid_permissions: false + umask_value: "027" - name: Delete local copies of issue and motd files ansible.builtin.file: path: "{{ item }}"
diff --git a/src/ipa-initial-seeding-script.yml b/src/ipa-initial-seeding-script.yml
index c079c67..af9911a 100644
--- a/src/ipa-initial-seeding-script.yml
+++ b/src/ipa-initial-seeding-script.yml
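Review bot: `sshd_admin_net` is set to `0.0.0.0/0`, which — going by the variable's name and the private-range defaults the role ships with — appears to turn an allow-list of administrative source networks into every address, so whatever sshd Match restriction the role derives from it becomes a no-op. If the bastion or VPC ranges that administer these images are known, list them here; if the wildcard is deliberate, record why with a comment such as `# Intentionally unrestricted: <reason>` so it is not read as a placeholder. Separately, `fallback_ntp` and `ntp_servers` are supplied while `manage_timesyncd: false`, so it is worth confirming against the v2.0.4 defaults whether the role reads them at all in that configuration and dropping them if not. The play that wraps this task begins above the hunk.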
@@ -2,6 +2,6 @@ - name: Install create-ipa-initial-seeding-script.sh ansible.builtin.get_url: dest: /usr/local/sbin - mode: 0500 + mode: "0500" url: > https://raw.githubusercontent.com/cisagov/cool-users/master/create-ipa-initial-seeding-script.sh
diff --git a/src/packer.pkr.hcl b/src/packer.pkr.hcl
index ec31744..8ab2755 100644
--- a/src/packer.pkr.hcl
+++ b/src/packer.pkr.hcl
@@ -132,12 +132,6 @@ source "amazon-ebs" "openvpn" { build { sources = ["source.amazon-ebs.openvpn"] - provisioner "ansible" { - playbook_file = "src/upgrade.yml" - use_proxy = false - use_sftp = true - } - provisioner "ansible" { playbook_file = "src/python.yml" use_proxy = false
diff --git a/src/playbook.yml b/src/playbook.yml
index 0cd4991..3997e31 100644
--- a/src/playbook.yml
+++ b/src/playbook.yml
@@ -2,9 +2,6 @@ - name: Import base image playbook ansible.builtin.import_playbook: base.yml -- name: Import automated security updates playbook - ansible.builtin.import_playbook: automated-security-updates.yml - - name: Import UFW playbook ansible.builtin.import_playbook: ufw.yml
diff --git a/src/requirements.yml b/src/requirements.yml
index 306f7e5..3167891 100644
--- a/src/requirements.yml
+++ b/src/requirements.yml
@@ -4,8 +4,6 @@ collections: roles: - name: amazon_ssm_agent src: https://github.com/cisagov/ansible-role-amazon-ssm-agent - - name: automated_security_updates - src: https://github.com/cisagov/ansible-role-automated-security-updates - name: banner src: https://github.com/cisagov/ansible-role-banner - name: cdm_nessus_agent
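Review bot: `get_url` fetches an executable from the mutable `master` branch of cisagov/cool-users with no `checksum:`, so whatever that URL serves at build time is written into /usr/local/sbin unverified; pin the URL to a commit and add `checksum: sha256:<EXPECTED_SHA256>` (placeholder, to be taken from a reviewed copy of the script) so an upstream change fails the build instead of landing in the image. Quoting `mode: "0500"` is the right fix for the YAML octal trap and needs nothing further. The task list this belongs to starts above the hunk.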
@@ -20,16 +18,16 @@ roles: src: https://github.com/cisagov/ansible-role-crowdstrike - name: freeipa_client src: https://github.com/cisagov/ansible-role-freeipa-client - - name: harden - src: https://github.com/cisagov/ansible-role-hardening-2 + - name: konstruktoid.hardening + version: v2.0.4 + src: https://github.com/konstruktoid/ansible-role-hardening.git + scm: git - name: htop src: https://github.com/cisagov/ansible-role-htop - name: nvme src: https://github.com/cisagov/ansible-role-nvme - name: openvpn src: https://github.com/cisagov/ansible-role-openvpn - - name: persist_journald - src: https://github.com/cisagov/ansible-role-persist-journald - name: pip src: https://github.com/cisagov/ansible-role-pip - name: python
@@ -40,5 +38,3 @@ roles: src: https://github.com/cisagov/ansible-role-systemd-resolved - name: ufw src: https://github.com/cisagov/ansible-role-ufw - - name: upgrade - src: https://github.com/cisagov/ansible-role-upgrade
diff --git a/src/upgrade.yml b/src/upgrade.yml
deleted file mode 100644
index c065512..0000000
--- a/src/upgrade.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- name: Upgrade base image
- hosts: all
- become: true
- become_method: ansible.builtin.sudo
- tasks:
- - name: Upgrade all packages
- ansible.builtin.include_role:
- name: upgrade
From a1d5abb8a0c74120f738fc6e079baedb80a9f15d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Wed, 29 May 2024 23:32:20 +0200
Subject: [PATCH 02/12] Update src/requirements.yml
Co-authored-by: Shane Frasier
---
 src/requirements.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/requirements.yml b/src/requirements.yml
index 3167891..6c6c316 100644
--- a/src/requirements.yml
+++ b/src/requirements.yml
@@ -19,9 +19,8 @@ roles: - name: freeipa_client src: https://github.com/cisagov/ansible-role-freeipa-client - name: konstruktoid.hardening + src: https://github.com/konstruktoid/ansible-role-hardening version: v2.0.4 - src: https://github.com/konstruktoid/ansible-role-hardening.git - scm: git - name: htop src: https://github.com/cisagov/ansible-role-htop - name: nvme
From 169c613b318716ca29bf544ca6bb6a284fc9bf79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Wed, 29 May 2024 23:32:51 +0200
Subject: [PATCH 03/12] Update src/harden.yml
Co-authored-by: Shane Frasier
---
 src/harden.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/harden.yml b/src/harden.yml
index f3cac2a..1d11dea 100644
--- a/src/harden.yml
+++ b/src/harden.yml
@@ -33,7 +33,7 @@ - 169.254.169.123 sshd_admin_net: - "0.0.0.0/0" - system_upgrade: true + system_upgrade: false packages_blocklist: - apport* - autofs
From e9d163b372e042d79d41dea85a2a91457f340558 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Wed, 29 May 2024 23:34:04 +0200
Subject: [PATCH 04/12] Update src/harden.yml
Co-authored-by: Shane Frasier
---
 src/harden.yml | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/src/harden.yml b/src/harden.yml
index 1d11dea..53a7c73 100644
--- a/src/harden.yml
+++ b/src/harden.yml
@@ -59,11 +59,6 @@ - auditd - cracklib-runtime - libpam-pwquality - packages_redhat: - - audit - - cracklib - - libpwquality - - python3-dnf-plugin-post-transaction-actions packages_ubuntu: [] pass_max_days: 365 pass_min_days: 7
From 0b3232f02f981982ca88ebc8001ecf3064e2ed8c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Wed, 29 May 2024 23:34:19 +0200
Subject: [PATCH 05/12] Update src/harden.yml
Co-authored-by: Shane Frasier
---
 src/harden.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/harden.yml b/src/harden.yml
index 53a7c73..92f27d3 100644
--- a/src/harden.yml
+++ b/src/harden.yml
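Review bot: `system_upgrade: false` hands full package upgrades back to the separate upgrade.yml play (restored in [PATCH 10/12]), but nothing at the line says so, so a later reader of harden.yml sees a hardening role with its upgrade step switched off and no reason given. A comment such as `# Package upgrades are done by upgrade.yml, not by this role` above the line would carry the intent; `automatic_updates: false` in [PATCH 11/12] has the same gap and could point at the automated_security_updates role the same way. The vars block and the task that owns it begin above the hunk.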
@@ -64,6 +64,7 @@ pass_min_days: 7 sshd_max_sessions: 4 suid_sgid_permissions: false + # Necessary for FreeIPA umask_value: "027" - name: Delete local copies of issue and motd files ansible.builtin.file:
From 8e8d5e2bfb8e6223c90743e6b7acc8e726c32cf1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Wed, 29 May 2024 23:49:50 +0200
Subject: [PATCH 06/12] Update src/harden.yml
Co-authored-by: Shane Frasier
---
 src/harden.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/harden.yml b/src/harden.yml
index 92f27d3..9e75dfb 100644
--- a/src/harden.yml
+++ b/src/harden.yml
@@ -23,6 +23,7 @@ automatic_updates: true fallback_ntp: - 169.254.169.123 + # Use the COOL issue template issue_template: /tmp/issue journald_storage: persistent manage_timesyncd: false
From 8294bcf74ab6c6de2f61fd6602c110480d397a11 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Wed, 29 May 2024 23:50:03 +0200
Subject: [PATCH 07/12] Update src/harden.yml
Co-authored-by: Shane Frasier
---
 src/harden.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/harden.yml b/src/harden.yml
index 9e75dfb..23a9bbd 100644
--- a/src/harden.yml
+++ b/src/harden.yml
@@ -29,6 +29,7 @@ manage_timesyncd: false manage_resolved: false manage_ufw: false + # Use the COOL MOTD template motd_template: /tmp/motd ntp_servers: - 169.254.169.123
From 80196d22ff9c9a01746c56f8511d9fda1a654744 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Wed, 29 May 2024 23:51:04 +0200
Subject: [PATCH 08/12] Update src/harden.yml
Co-authored-by: Shane Frasier
---
 src/harden.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/harden.yml b/src/harden.yml
index 23a9bbd..cd8d129 100644
--- a/src/harden.yml
+++ b/src/harden.yml
@@ -22,6 +22,7 @@ vars: automatic_updates: true fallback_ntp: + # AWS-provided NTP server - 169.254.169.123 # Use the COOL issue template issue_template: /tmp/issue
From 7f112e620bba5a6338bea8426fc1bd60613d54d7 Mon Sep 17 00:00:00 2001
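Review bot: The new comment explains `umask_value`, but the adjacent `suid_sgid_permissions: false` — which switches off the role's SUID/SGID cleanup and is the more consequential of the two settings — still carries no rationale. A line such as `# Keep SUID/SGID bits untouched: <reason>` above it would stop the next reviewer from flipping it back on without knowing what breaks. The vars block continues above the hunk.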
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Wed, 29 May 2024 23:51:30 +0200
Subject: [PATCH 09/12] Update src/harden.yml
Co-authored-by: Shane Frasier
---
 src/harden.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/harden.yml b/src/harden.yml
index cd8d129..2b52802 100644
--- a/src/harden.yml
+++ b/src/harden.yml
@@ -33,6 +33,7 @@ # Use the COOL MOTD template motd_template: /tmp/motd ntp_servers: + # AWS-provided NTP server - 169.254.169.123 sshd_admin_net: - "0.0.0.0/0"
From 0b8a7f52c472b0069d5a915f0531646b2996b22b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Wed, 29 May 2024 22:02:27 +0000
Subject: [PATCH 10/12] readd src/upgrade.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 src/packer.pkr.hcl | 6 ++++++
 src/upgrade.yml | 9 +++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 src/upgrade.yml
diff --git a/src/packer.pkr.hcl b/src/packer.pkr.hcl
index 8ab2755..ec31744 100644
--- a/src/packer.pkr.hcl
+++ b/src/packer.pkr.hcl
@@ -132,6 +132,12 @@ source "amazon-ebs" "openvpn" { build { sources = ["source.amazon-ebs.openvpn"] + provisioner "ansible" { + playbook_file = "src/upgrade.yml" + use_proxy = false + use_sftp = true + } + provisioner "ansible" { playbook_file = "src/python.yml" use_proxy = false
diff --git a/src/upgrade.yml b/src/upgrade.yml
new file mode 100644
index 0000000..c065512
--- /dev/null
+++ b/src/upgrade.yml
@@ -0,0 +1,9 @@
+---
+- name: Upgrade base image
+ hosts: all
+ become: true
+ become_method: ansible.builtin.sudo
+ tasks:
+ - name: Upgrade all packages
+ ansible.builtin.include_role:
+ name: upgrade
From 7bb90e9eeac42fc5f86536ea581383f51343695c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Wed, 29 May 2024 22:05:35 +0000
Subject: [PATCH 11/12] dont configure automatic updates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 src/harden.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/harden.yml b/src/harden.yml
index 2b52802..97b10cc 100644
--- a/src/harden.yml
+++ b/src/harden.yml
@@ -20,7 +20,7 @@ ansible.builtin.import_role: # noqa var-naming[no-role-prefix] name: konstruktoid.hardening vars: - automatic_updates: true + automatic_updates: false fallback_ntp: # AWS-provided NTP server - 169.254.169.123
From e5527025860846f2298b7eef76cac23a0d8cface Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Wed, 29 May 2024 22:19:57 +0000
Subject: [PATCH 12/12] readd automated security updates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 src/automated-security-updates.yml | 9 +++++++++
 src/base.yml | 3 +++
 src/playbook.yml | 3 +++
 src/requirements.yml | 2 ++
 4 files changed, 17 insertions(+)
 create mode 100644 src/automated-security-updates.yml
diff --git a/src/automated-security-updates.yml b/src/automated-security-updates.yml
new file mode 100644
index 0000000..d3a8212
--- /dev/null
+++ b/src/automated-security-updates.yml
@@ -0,0 +1,9 @@
+---
+- name: Configure for automated security updates
+ hosts: all
+ become: true
+ become_method: ansible.builtin.sudo
+ tasks:
+ - name: Set up automated security updates
+ ansible.builtin.include_role:
+ name: automated_security_updates
diff --git a/src/base.yml b/src/base.yml
index c8244c8..4208c31 100644
--- a/src/base.yml
+++ b/src/base.yml
@@ -4,6 +4,9 @@ become: true become_method: ansible.builtin.sudo tasks: + - name: Install and configure automated security updates + ansible.builtin.include_role: + name: automated_security_updates - name: Install and configure login banner ansible.builtin.include_role: name: banner
diff --git a/src/playbook.yml b/src/playbook.yml
index 3997e31..0cd4991 100644
--- a/src/playbook.yml
+++ b/src/playbook.yml
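Review bot: With this base.yml hunk the `automated_security_updates` role is applied twice per build — once from base.yml's task list and again through the dedicated automated-security-updates.yml play that playbook.yml imports in the following hunk. Keep one; the standalone play is the clearer home, since base.yml then stays a plain "install the base tooling" play and the unattended-upgrade configuration is visible on its own in playbook.yml. If both are intentionally kept (for instance because base.yml is also run on its own), a comment at the task saying so would stop the next cleanup from removing the wrong one. The play header is outside the hunk.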
@@ -2,6 +2,9 @@ - name: Import base image playbook ansible.builtin.import_playbook: base.yml +- name: Import automated security updates playbook + ansible.builtin.import_playbook: automated-security-updates.yml + - name: Import UFW playbook ansible.builtin.import_playbook: ufw.yml
diff --git a/src/requirements.yml b/src/requirements.yml
index 6c6c316..16a0257 100644
--- a/src/requirements.yml
+++ b/src/requirements.yml
@@ -4,6 +4,8 @@ collections: roles: - name: amazon_ssm_agent src: https://github.com/cisagov/ansible-role-amazon-ssm-agent + - name: automated_security_updates + src: https://github.com/cisagov/ansible-role-automated-security-updates - name: banner src: https://github.com/cisagov/ansible-role-banner - name: cdm_nessus_agent
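Review bot: The re-added `automated_security_updates` entry carries no `version:`, so every galaxy install pulls whatever the repository's default branch holds at that moment, whereas `konstruktoid.hardening` further down this file is pinned to `v2.0.4`. Since this role ends up configuring unattended, root-level package installation on every image, pin it the same way, `version: <TAG_OR_COMMIT>`, so a change upstream has to be reviewed here before it ships. The other cisagov roles share the same unpinned pattern but are pre-existing and not changed by this hunk.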