Use Ansible

[pyllyukko]

• Create variable for the users group (login.access etc.)
• Include tasks that are applicable for the distro in question so the output isn't that cluttered
• [x] ansible-lint
• Should we use roles?
• Avoid using ignore_errors: yes
• Use tags
  • packages
  • pam
  • filesystem and/or permissions
  • configuration (maybe also include service state changes?)
  • crypto and/or pki
  • network and/or firewall
  • authentication, authorization & accounting
  • services
  • Some tags will be generic (like services) but others could be used to limit the amount of hardening (e.g. pam or pki)
  • service/software specific (e.g. aide, ssh, lynis, chkrootkit, rkhunter, audit, sysstat, ssh, debsecan, debsums & clamav)
  • kernel
  • passwords? (include faillock etc.?)
  • logging
  • cron?
  • accounts (user management)
  • banners
  • [ ] TODO: How to handle OS specific tags (e.g. slackware & debian)? Do we tag every task that applies to that particular OS or tag only the tasks that apply only to that OS? E.g.: Should the user run ansible-playbook --tags slackware or ansible-playbook --skip-tags centos,debian? Or have a separate common/generic that applies to all (e.g. ansible-playbook --tags common,slackware)?
  • What else?
• [x] TODO: Rename sysstat.yml to accounting.yml as it contains process accounting also (or maybe services-accounting.yml?)
• Use handlers
  • sysctl
  • rkhunter --propupd
  • update-ca-certificates
  • AIDE
  • pam-auth-update
• Use files/ & templates/ instead of newconfs/
• Rename project from harden.sh to harden.yml :D

Easy (or important) ones

• [x] modprobe.d
• [x] Install security related Debian packages
• [x] Install Lynis? (Debian)
• [ ] auditd
  • /etc/default/grub
• [x] Disable core dumps
• [x] sysstat
  • /etc/default/sysstat
• [ ] PAM
  • useradd -D -f (see f53a7fe468bf5f428661ec96ae363df6193711fe)
  • Use pamd
• [x] fstab
• [x] CA certs
• [ ] Banners
  • GDM
  • LightDM -> seems to be difficult or requires a custom theme
  • SDDM
• [x] /etc/ftpusers
• [ ] /etc/shells
• [x] Process accounting

Not easy, but I'll list this here anyway:

• [ ] Slackware: install all the necessary security tools from custom repo with slackpkg+

Services / app specific

• [x] SSH
• [x] ssh_config also
  • FingerprintHash
• [ ] AppArmor
• [ ] PHP
• [ ] NTP

Network

• [x] Firewall
• [x] inetd?
• [ ] IPv6
  • GRUB
• [x] TCP wrappers

Not-so-easy ones

TODO: list here the stuff we will want to do with scripts and not .yml

• [ ] Apache

Modifying configuration files

• ini_file
• assemble
• template
  • Needs distro specific templates for at least some configs
  • Maybe the greatest benefit when we utilize variables
• replace
  • Problematic, because if the regexp doesn't match Ansible just says "ok: [localhost] => {"changed": false, "msg": ""}"
  • ansible: lineinfile for several lines?
• [x] Consider replace vs. lineinfile

https://stackoverflow.com/questions/44922281/which-module-to-use-to-edit-files-ansible/44923355#44923355:

• The lineinfile - module is the best option, if you just want to add, replace or remove one line.
• The replace - module is best, if you want to add, replace or delete several lines.
• The blockinfile - module can add several lines, surrounded by markers.

Pros

• Easily applied against remote hosts
• when: ansible_distribution == "Slackware"
• You actually have to name all the performed tasks 😃

[pyllyukko]

b55b9d7b15833f03e48772b5f0d6dfbd867329e1