base und sysupgrade role, some hardening

This commit is contained in:
Martin Wohlert 2021-06-13 00:15:16 +02:00
parent f00a20491a
commit 708dd41417
12 changed files with 183 additions and 19 deletions

host_vars/docker2 Normal file

@ -0,0 +1,8 @@
mgmt:
ip: 192.168.122.32
mask: 255.255.255.0
gw: 192.168.122.1
dns:
- 192.168.122.1
- 8.8.8.8
ansible_host: "{{ mgmt.ip }}"

hosts

@ -3,6 +3,7 @@ localhost ansible_connection=local
[docker_nodes] [docker_nodes]
docker1 docker1
docker2
[gitlab] [gitlab]

play-10-base.yml Normal file

@ -0,0 +1,6 @@
---
- hosts: docker_nodes
gather_facts: false
become: true
roles:
- linux_base
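Review bot: `gather_facts: false` on this play, yet the base role's hardening.yml added in this commit writes `127.0.0.1 {{ ansible_hostname }}` to /etc/hosts, and `ansible_hostname` is undefined without gathered (or cached) facts; if `linux_base` is that role, the task fails. Drop the key or set `gather_facts: true`. The role name `linux_base` also differs from `linux/base` used by the second playbook in this commit; unless both paths exist under roles/, one of the two plays will not resolve its role. A `name:` on the play would make the run output easier to follow.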


@ -0,0 +1,6 @@
---
- hosts: "{{ target }}"
become: true
roles:
- linux/upgrade
- linux/base


@ -0,0 +1,10 @@
##############################################################################
# #
# This is a private server. #
# #
# Unauthorized access to this system is prohibited ! #
# #
# This system is actively monitored and all connections may be logged. #
# By accessing this system, you consent to this monitoring. #
# #
##############################################################################


@ -0,0 +1,30 @@
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.suid_dumpable = 0
kernel.core_uses_pid = 1
kernel.ctrl-alt-del = 0
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
kernel.randomize_va_space = 2
kernel.sysrq = 0
kernel.yama.ptrace_scope = 1 2 3
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 0 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_source_route = 0
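Review bot: `kernel.yama.ptrace_scope = 1 2 3` and `net.ipv4.tcp_timestamps = 0 1` each give several values where sysctl accepts exactly one, so both lines are rejected when the file is applied; they read like options left in the file rather than settings — pick one each, e.g. `kernel.yama.ptrace_scope = 1` and `net.ipv4.tcp_timestamps = 1`. `net.ipv4.conf.all.mc_forwarding` is read-only in the kernel and will also log an error on every apply. `net.ipv4.conf.all.forwarding = 0` lands on the `docker_nodes` group: Docker turns IP forwarding on for bridged container traffic when the daemon starts, and re-applying this file through the new `restart sysctl` handler afterwards switches it back off, which I would expect to break container egress — leave forwarding to the daemon on those hosts, or set it to 1 there explicitly.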


@ -0,0 +1,9 @@
- name: restart sshd
service:
name: sshd
state: restarted
- name: restart sysctl
service:
name: systemd-sysctl
state: restarted
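Review bot: The `restart sshd` handler assumes the unit is named `sshd`; on Debian-family hosts it is `ssh`, so if those are ever in scope (the new upgrade role already branches on `ansible_os_family == "RedHat"`, which suggests more than one family) the handler fails right after the sshd_config edits. Branch on `ansible_os_family` or put the unit name in a variable. Consider `state: reloaded` as well: sshd re-reads its configuration on reload without dropping the listener, which is sufficient for the config-only changes this commit makes.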


@ -0,0 +1,32 @@
---
- name: disabling core dump
lineinfile:
path: /etc/security/limits.conf
line: "* hard core 0"
- name: default umask
lineinfile:
path: /etc/login.defs
line: UMASK 027
regexp: ^UMASK.*
- name: put myself to /etc/hosts
lineinfile:
path: /etc/hosts
line: "127.0.0.1 {{ ansible_hostname }}"
- name: SSH config
lineinfile:
path: /etc/ssh/sshd_config
line: "{{ item.conf }}"
regexp: "{{ item.regexp }}"
notify: restart sshd
loop:
- { conf: "Compression no", regexp: \#?Compression.* }
- { conf: "MaxAuthTries 3", regexp: \#?MaxAuthTries.* }
- name: sysctl
copy:
dest: /etc/sysctl.d/50-hardening.conf
src: files/sysctl-50-hardening.conf
notify: restart sysctl
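Review bot: The `SSH config` task edits /etc/ssh/sshd_config without `validate`, so a typo in either loop item leaves sshd unable to restart when the handler fires; add `validate: /usr/sbin/sshd -t -f %s` to it (and to the Banner task in main.yml). When the regexp matches nothing, `lineinfile` appends at the end of the file, which is inside a trailing `Match` block if the distro ships one, and on distros whose sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf` an earlier drop-in value wins because sshd uses the first value of a keyword. Writing a drop-in with `copy` to `/etc/ssh/sshd_config.d/<name>.conf` (placeholder name) avoids both problems. The `/etc/hosts` task needs `ansible_hostname`, which is not available when the calling play sets `gather_facts: false` as play-10-base.yml does.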


@ -0,0 +1,44 @@
---
# base config
- name: basic tools
package:
state: present
name: htop
# cloud-init
- name: stop cloud-init
service:
name: cloud-init
state: stopped
- name: disable cloud-init
service:
name: cloud-init
enabled: false
# legal
- name: copy SSH disclaimer
copy:
src: files/issue.net
dest: /etc/issue.net
mode: u=rw,g=r,o=r
owner: root
group: root
notify: restart sshd
- name: set SSH Banner
lineinfile:
path: /etc/ssh/sshd_config
line: Banner /etc/issue.net
regexp: \#?Banner.*
state: present
notify: restart sshd
- name: link local banner to SSH banner
file:
src: /etc/issue.net
path: /etc/issue
state: hard
force: yes
- include_tasks: hardening.yml
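Review bot: `link local banner to SSH banner` makes /etc/issue a hard link to /etc/issue.net, but Ansible's `copy` replaces its target atomically (temporary file, then rename), so after the next banner change /etc/issue still points at the old inode and the two files silently diverge; `state: link` (a symlink) keeps them in step. `force: yes` should be the canonical `force: true`. The cloud-init tasks stop and disable only `cloud-init.service`, while cloud-init runs through several units (cloud-init-local, cloud-config, cloud-final); the supported switch-off is creating `/etc/cloud/cloud-init.disabled`, e.g. a `file:` task with `state: touch`, which covers all of them.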


@ -0,0 +1,14 @@
---
- name: system upgrade
package:
name: "*"
state: latest
- name: autoremove
dnf:
autoremove: true
when: ansible_os_family == "RedHat"
- name: fstrim
shell:
cmd: fstrim -va
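Review bot: The `fstrim` task uses `shell` for a command that needs no shell features and always reports changed; `command: fstrim -va` with `changed_when: false` keeps the run idempotent in its output and avoids the shell entirely. `autoremove` is guarded to RedHat-family hosts only, so Debian-family hosts never get the equivalent `apt: autoremove: true`; add one if they are in scope. Nothing checks whether the `state: latest` upgrade pulled in a kernel that needs a reboot, so a patched kernel may stay inactive indefinitely — a `needs-restarting`/`/var/run/reboot-required` check with a `reboot:` task would close that gap.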


@ -77,23 +77,29 @@
# CLOUD-INIT CLEANUP # CLOUD-INIT CLEANUP
- name: shutdown VM # FEDORA-34: after rebooting the ssh login via key does not work anymore. weird.
delegate_to: "{{ virt.host }}" # name: shutdown VM
virt: # delegate_to: "{{ virt.host }}"
name: "{{ inventory_hostname }}" # virt:
state: shutdown # name: "{{ inventory_hostname }}"
# state: shutdown
- name: wait for shutdown # name: wait for shutdown
delegate_to: "{{ virt.host }}" # delegate_to: "{{ virt.host }}"
virt: # virt:
name: "{{ inventory_hostname }}" # name: "{{ inventory_hostname }}"
command: status # command: status
register: vmstate # register: vmstate
retries: 11 # retries: 11
delay: 10 # delay: 10
until: vmstate.status == "shutdown" # until: vmstate.status == "shutdown"
- name: detach CI from vm - name: detach CI from vm (live)
delegate_to: "{{ virt.host }}"
shell:
cmd: virsh change-media "{{ inventory_hostname }}" sda --eject
- name: detach CI from vm (config)
delegate_to: "{{ virt.host }}" delegate_to: "{{ virt.host }}"
shell: shell:
cmd: virsh change-media "{{ inventory_hostname }}" sda --eject --config cmd: virsh change-media "{{ inventory_hostname }}" sda --eject --config
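Review bot: The new `detach CI from vm (live)` task has no error handling: on a re-run, when the media is already ejected or the VM is not running, I would expect `virsh change-media --eject` to exit non-zero and abort the play here, so it needs `register` plus a `failed_when` that tolerates the benign case, or `ignore_errors: true` if that is intended. Both virsh tasks use `shell` although no shell syntax is involved; `command:` does the same job with explicit argument boundaries, which matters because `inventory_hostname` is interpolated into the command line. The disabled shutdown/wait tasks are kept as comments; the FEDORA-34 note explains why, so a short TODO naming the condition for re-enabling them would help the next reader. The tasks list this hunk belongs to starts before line 77 of the file.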


@ -10,7 +10,5 @@ users:
sudo: ['ALL=(ALL) NOPASSWD:ALL'] sudo: ['ALL=(ALL) NOPASSWD:ALL']
groups: sudo groups: sudo
shell: /bin/bash shell: /bin/bash
lock_passwd: false
runcmd: hased_passwd: $6$Cn$5aLlLb270IIO2zBMWL1/qOMiWeXABYIdYYRF7cSMXEisUUgEHxCq81sJyF9LNBxKbBv5XyJ9OWwWrt/o6qus./
- eject /dev/sr0
- systemctl disable cloud-init
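Review bot: The new user key is spelled `hased_passwd`; cloud-init's key is `hashed_passwd`, so as written the value is most likely ignored and the user is created without the intended password. More importantly, the value is a SHA-512 crypt hash of a `NOPASSWD:ALL` sudo user's password committed to the repository, where anyone with read access can attack it offline; keep it out of VCS, e.g. `hashed_passwd: "{{ vault_user_password_hash }}"` with the hash in an ansible-vault file, and rotate the password behind the hash that is already in history. The enclosing `users:` entry starts before this hunk, and the hunk's line counts suggest one line (possibly blank) is not visible here.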