diff --git a/src/base.yml b/src/base.yml
index 70077f4..4208c31 100644
--- a/src/base.yml
+++ b/src/base.yml
@@ -19,9 +19,6 @@
     - name: Install and configure htop
       ansible.builtin.include_role:
         name: htop
-    - name: Configure JournalD to preserve logs across reboots
-      ansible.builtin.include_role:
-        name: persist_journald
     - name: Install and configure systemd-resolved
       ansible.builtin.include_role:
         name: systemd_resolved
diff --git a/src/harden.yml b/src/harden.yml
index 1f6b7f7..97b10cc 100644
--- a/src/harden.yml
+++ b/src/harden.yml
@@ -15,15 +15,61 @@
         - https://raw.githubusercontent.com/cisagov/ansible-role-banner/develop/files/issue
         - https://raw.githubusercontent.com/cisagov/ansible-role-banner/develop/files/motd
     - name: Harden system
-      # This role is forked from konstruktoid/ansible-role-hardening
-      # and we do not control the names of the role variables. This
+      # We do not control the names of the role variables. This
       # is the reason for the noqa comment.
-      ansible.builtin.include_role: # noqa var-naming[no-role-prefix]
-        name: harden
+      ansible.builtin.import_role: # noqa var-naming[no-role-prefix]
+        name: konstruktoid.hardening
       vars:
-        # Point the role to the correct issue and motd templates
+        automatic_updates: false
+        fallback_ntp:
+          # AWS-provided NTP server
+          - 169.254.169.123
+        # Use the COOL issue template
         issue_template: /tmp/issue
+        journald_storage: persistent
+        manage_timesyncd: false
+        manage_resolved: false
+        manage_ufw: false
+        # Use the COOL MOTD template
         motd_template: /tmp/motd
+        ntp_servers:
+          # AWS-provided NTP server
+          - 169.254.169.123
+        sshd_admin_net:
+          - "0.0.0.0/0"
+        system_upgrade: false
+        packages_blocklist:
+          - apport*
+          - autofs
+          - avahi*
+          - avahi-*
+          - beep
+          - git
+          - pastebinit
+          - popularity-contest
+          - prelink
+          - rpcbind
+          - rsh*
+          - rsync
+          - talk*
+          - telnet*
+          - tftp*
+          - tuned
+          - whoopsie
+          - xinetd
+          - yp-tools
+          - ypbind
+        packages_debian:
+          - auditd
+          - cracklib-runtime
+          - libpam-pwquality
+        packages_ubuntu: []
+        pass_max_days: 365
+        pass_min_days: 7
+        sshd_max_sessions: 4
+        suid_sgid_permissions: false
+        # Necessary for FreeIPA
+        umask_value: "027"
     - name: Delete local copies of issue and motd files
       ansible.builtin.file:
         path: "{{ item }}"
diff --git a/src/ipa-initial-seeding-script.yml b/src/ipa-initial-seeding-script.yml
index c079c67..af9911a 100644
--- a/src/ipa-initial-seeding-script.yml
+++ b/src/ipa-initial-seeding-script.yml
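Review bot: `sshd_admin_net: ["0.0.0.0/0"]` hands the role every IPv4 address as its "admin network", which presumably neutralises whatever source-address restriction konstruktoid.hardening derives from that variable in sshd_config, and nothing in the hunk says why that is acceptable for this image; a one-line justification such as `# TODO(review): document why the sshd admin network is unrestricted here` (or the actual reason, e.g. that access is restricted outside sshd) belongs directly above it. The same applies to `suid_sgid_permissions: false`, which switches off the role's SUID/SGID cleanup without the kind of why-comment that `umask_value` has. With `manage_timesyncd: false`, the `fallback_ntp` and `ntp_servers` entries look unused by the role — if they are kept for a different consumer, say so, otherwise they are dead configuration that a reader will assume is in effect.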
@@ -2,6 +2,6 @@
 - name: Install create-ipa-initial-seeding-script.sh
   ansible.builtin.get_url:
     dest: /usr/local/sbin
-    mode: 0500
+    mode: "0500"
     url: >
       https://raw.githubusercontent.com/cisagov/cool-users/master/create-ipa-initial-seeding-script.sh
diff --git a/src/requirements.yml b/src/requirements.yml
index 306f7e5..16a0257 100644
--- a/src/requirements.yml
+++ b/src/requirements.yml
@@ -20,16 +20,15 @@ roles:
     src: https://github.com/cisagov/ansible-role-crowdstrike
   - name: freeipa_client
     src: https://github.com/cisagov/ansible-role-freeipa-client
-  - name: harden
-    src: https://github.com/cisagov/ansible-role-hardening-2
+  - name: konstruktoid.hardening
+    src: https://github.com/konstruktoid/ansible-role-hardening
+    version: v2.0.4
   - name: htop
     src: https://github.com/cisagov/ansible-role-htop
   - name: nvme
     src: https://github.com/cisagov/ansible-role-nvme
   - name: openvpn
     src: https://github.com/cisagov/ansible-role-openvpn
-  - name: persist_journald
-    src: https://github.com/cisagov/ansible-role-persist-journald
   - name: pip
     src: https://github.com/cisagov/ansible-role-pip
   - name: python
@@ -40,5 +39,3 @@ roles:
     src: https://github.com/cisagov/ansible-role-systemd-resolved
   - name: ufw
     src: https://github.com/cisagov/ansible-role-ufw
-  - name: upgrade
-    src: https://github.com/cisagov/ansible-role-upgrade
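Review bot: The `get_url` task whose `mode` is being quoted still fetches the script from the `master` ref of cisagov/cool-users with no `checksum:`, so whatever that branch serves at build time is installed into /usr/local/sbin unverified; pinning a tag or commit in `url:` and adding `checksum: "sha256:<digest placeholder>"` would make the download reproducible and tamper-evident. The quoting change itself is right — an unquoted `0500` is read by YAML 1.1 loaders as the octal integer 320, not the string the module expects. The task is wholly inside the hunk, so both the `url` line and the new `checksum` line would sit in this block.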
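Review bot: `konstruktoid.hardening` becomes the only role in this section pinned with `version:`; every neighbouring entry in the hunk (freeipa_client, htop, nvme, openvpn, pip, python) and the ufw / systemd-resolved entries in the `@@ -40,5 +39,3 @@` hunk still resolve to their repository's default branch, so a push to any of those repositories flows into the next image build unreviewed. Adding `version:` lines (tag or commit) to the remaining roles would give the whole file the reproducibility this one entry now has. Separately, dropping `upgrade` here while harden.yml sets `system_upgrade: false` and `automatic_updates: false` seems to leave no role in this list applying package upgrades during the build — worth confirming that is intended and, if so, noting in the commit where upgrades now happen.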