harden.yml

Ansible playbook to harden your Linux system.

Supported distros

• Debian (Bullseye)
  • Kali
  • Raspbian
• Slackware (>= 15.0)

Why I made this

• Bastille is obsolete
• Not a member of CIS, so no downloading of the ready made scripts
• For learning
• For minimizing the effort needed to tweak fresh installations
  • Also for consistency

What does it do?

For a complete list you can run ansible-playbook --list-tasks harden.yml.

Network

• Enables TCP wrappers
• IP stack hardening via sysctl settings
• Creates a basic firewall

Logging

• Configure log retention time to be 6 months
• Run ansible-playbook --list-tasks --tags logging harden.yml for a full list

Accounting

• Enables system accounting (sysstat)
  • Sets it's log retention to 99999 days (the logs are really small, so it doesn't eat up disk space)
• Enables process accounting

Kernel

• Disables the use of certain kernel modules via modprobe
  • Disable Firewire
• sysctl settings hardening
  • Enables SAK and disables the other magic SysRq stuff
  • Restricts the use of dmesg by regular users
  • Enable YAMA
  • For the complete list, see sysctl.conf.new

Filesystem

• Hardens mount options (creates /etc/fstab.new)
• Sets strict permissions to users home directories
• Limits permissions to various configuration files and directories that might contain sensitive content (see permissions tag for a complete list)
• Clean up /tmp during boot

Application specific

• Configures basic auditing based on stig.rules if audit is installed
• Configures sshd_config and ssh_config
• Configures sudo
• ClamAV configuration
• rkhunter configuration
• Lynis configuration
• Display managers:
  • Disables user lists in GDM3 & LightDM
  • Disables guest sessions and VNC in LightDM

User accounts / authentication / authorization

• Create a strict securetty
• Sets default umask to a more stricter 077
• Sets console session timeout via $TMOUT (Bash)
• Creates /etc/ftpusers
• Restricts the use of cron and at
• Properly locks down system accounts (0 - SYS_UID_MAX && !root)
  • Lock the user's password
  • Sets shell to /sbin/nologin
  • Expire the account
• Configures the default password inactivity period
  • Run ansible-playbook --list-tasks --tags passwords harden.yml to list all password related tasks

PAM

• Configures /etc/security/namespace.conf
• Configures /etc/security/access.conf
• Configures /etc/security/pwquality.conf if available
• Require pam_wheel in /etc/pam.d/su
• Creates a secure /etc/pam.d/other
• Run ansible-playbook --list-tasks --tags pam harden.yml to list all PAM related tasks

Miscellaneous

• Creates legal banners
• Disable core dumps in /etc/security/limits.conf
• Reduce the amount of trusted CAs

Slackware specific

Run ansible-playbook --list-tasks --tags slackware harden.yml for a list.

Debian specific

• Configure AIDE
• Disables unnecessary systemd services
• Enables AppArmor
• Configure SUITE in debsecan
• Installs a bunch of security related packages
• Configures chkrootkit and enables daily checks

Creates bunch of pam-configs that are toggleable with pam-auth-update:

PAM module	Type	Description
pam_wheel1	auth	Require wheel group membership (su)
pam_succeed_if	auth & account	Require UID >= 1000 && UID <= 60000 (or 0 & login)
pam_unix1	auth	Remove nullok
pam_faildelay	auth	Delay on authentication failure
pam_faillock	auth & account	Deter brute-force attacks
pam_access	account	Use login ACL (/etc/security/access.conf)
pam_time	account	/etc/security/time.conf
pam_lastlog	account	Lock out inactive users (no login in 90 days)
pam_namespace	session	Polyinstantiated temp directories
pam_umask	session	Set file mode creation mask
pam_lastlog	session	Display info about last login and update the lastlog and wtmp files2
pam_pwhistory	password	Limit password reuse

1. Not a pam-config, but a modification to existing /etc/pam.d/ files
2. For all login methods and not just the console login

LXC tests

• In order to build Debian container in Slackware you need debootstrap
• It doesn't work the other way around, so it's not currently possible to build the Slackware container in Debian because it lacks Slackware's pkgtools

In order to run the LXC tests (lxc.yml), you need to configure SSH as described in this post:

Host 10.0.3.*
        StrictHostKeyChecking no
        UserKnownHostsFile=/dev/null

Tags

Tags that you can use with ansible-playbook --tags:

• pki
• kernel
• rng
• Specific software:
  • sysstat
  • ssh
  • rkhunter
  • aide
• passwords
• pam?

Other tags are just metadata for now.

References

Hardening guides

Some of these documents are quite old, but most of the stuff still applies.

• CIS Slackware Linux 10.2 Benchmark v1.1.0
• Slackware System Hardening by Jeffrey Denton
• CIS Debian Linux Benchmark
• CIS CentOS Linux 7 Benchmark
• SlackDocs: Security HOWTOs
• Alien's Wiki: Security issues
• SlackWiki: Basic Security Fixes
• Wikipedia: Fork bomb Prevention

Other docs

• Linux Standard Base Core Specification 4.1
  • Chapter 21. Users & Groups
• Filesystem Hierarchy Standard 2.3
• https://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx
• PAM Mastery book by Michael W Lucas
• The Linux-PAM System Administrators' Guide
• Sudo Mastery, 2nd Edition
• Linux Firewalls
• Secure Secure Shell
• Securing Debian Manual