JGoutin / ansible_home

A collection of Ansible roles for home free software self-hosting.
https://galaxy.ansible.com/jgoutin/home
GNU General Public License v3.0

common: Remove/Replace dev-sec hardening roles #25

Closed JGoutin closed 2 years ago

JGoutin commented 3 years ago

Replace dev-sec roles because:

These roles are great on Ubuntu and CentOS, but something more specific to Fedora is required.

So the idea is to progressively integrate some of the security changes directly in the "common"/"mysql"/"nginx" roles. Most of the changes should be optional and reversible.

Status:

JGoutin commented 3 years ago

To disable devsec SSH hardening role changes, run the following (can be run from SSH without issue):

```sh
sudo dnf erase openssh-server openssh-clients -y
sudo dnf install openssh-server openssh-clients -y
sudo rm /etc/sysconfig/sshd.rpmsave /etc/ssh/sshd_config.rpmsave /etc/pam.d/sshd.rpmsave /etc/ssh/revoked_keys /etc/ssh/ssh_config.rpmsave /etc/ssh/moduli.rpmsave
sudo systemctl restart sshd
```

:warning: This should be done before upgrading to Fedora 34, because this hardening role may break sshd and make connection impossible after the update.

Then re-apply the "common" role.
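A post-revert check for the procedure in the comment above, as an added example that is not part of the issue or of the project's roles. It lists which of the removed files are still present and flags any `RevokedKeys` directive that points at a file that no longer exists, since sshd refuses public-key authentication for every user when a configured `RevokedKeys` file is unreadable. The function names and the optional `ROOT` prefix argument are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the issue. ROOT is an optional path prefix (assumption)
# so the checks can be run against a copied or test tree instead of "/".

# Files the procedure removes (paths taken from the comment above).
LEFTOVERS="/etc/sysconfig/sshd.rpmsave /etc/ssh/sshd_config.rpmsave
/etc/pam.d/sshd.rpmsave /etc/ssh/revoked_keys /etc/ssh/ssh_config.rpmsave
/etc/ssh/moduli.rpmsave"

# Print every listed file that still exists under ROOT.
list_leftovers() {
    root="${1:-}"
    for f in $LEFTOVERS; do
        [ -e "$root$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Print RevokedKeys targets named in sshd_config (or its drop-ins) that are
# not readable under ROOT. Handles "Keyword value" and "Keyword=value".
missing_revoked_keys() {
    root="${1:-}"
    for cfg in "$root/etc/ssh/sshd_config" "$root"/etc/ssh/sshd_config.d/*.conf; do
        [ -r "$cfg" ] || continue
        awk '{
            if ($1 ~ /=/ || $2 ~ /^=/) sub(/=/, " ")
            gsub(/"/, "")
            if (tolower($1) == "revokedkeys" && $2 != "" && tolower($2) != "none")
                print $2
        }' "$cfg" | while IFS= read -r path; do
            [ -r "$root$path" ] || printf '%s\n' "$path"
        done
    done
    return 0
}

# Return 0 only when nothing is left over and no RevokedKeys target is missing.
check_revert() {
    root="${1:-}"
    left=$(list_leftovers "$root")
    missing=$(missing_revoked_keys "$root")
    [ -z "$left" ] || printf 'still present: %s\n' $left
    [ -z "$missing" ] || printf 'RevokedKeys file missing: %s\n' $missing
    [ -z "$left" ] && [ -z "$missing" ]
}
```

Call `check_revert` with no argument on the host itself, before `systemctl restart sshd`; `sshd -t` additionally validates the configuration syntax.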

JGoutin commented 2 years ago

Removed dev-sec roles for 2.0.0 milestone, with partial Fedora-specific security hardening implemented.