fix(cis): remove deprecated sshd options and update hardening values
@@ -5,6 +5,7 @@
|
|||||||
regexp: "^(\\s*)umask\\s+\\d+"
|
regexp: "^(\\s*)umask\\s+\\d+"
|
||||||
line: "umask 027"
|
line: "umask 027"
|
||||||
|
|
||||||
|
# Non-RHEL/non-Debian distros: loop evaluates to [] (intentional skip)
|
||||||
- name: Prevent Login to Accounts With Empty Password
|
- name: Prevent Login to Accounts With Empty Password
|
||||||
ansible.builtin.replace:
|
ansible.builtin.replace:
|
||||||
dest: "{{ item }}"
|
dest: "{{ item }}"
|
||||||
|
|||||||
@@ -9,4 +9,4 @@
|
|||||||
ansible.builtin.command: >
|
ansible.builtin.command: >
|
||||||
{{ chroot_command }} systemctl mask {{ 'nftables' if system_cfg.features.firewall.toolkit == 'iptables' else 'iptables' }} bluetooth rpcbind
|
{{ chroot_command }} systemctl mask {{ 'nftables' if system_cfg.features.firewall.toolkit == 'iptables' else 'iptables' }} bluetooth rpcbind
|
||||||
register: cis_mask_services_result
|
register: cis_mask_services_result
|
||||||
changed_when: cis_mask_services_result.rc == 0
|
changed_when: "'Created symlink' in cis_mask_services_result.stderr"
|
||||||
|
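Review bot: Masking `rpcbind` only covers `rpcbind.service`; `rpcbind.socket` is left unmasked and can still socket-activate the daemon on port 111, so the CIS remediation lists both units — change the unit list to `bluetooth rpcbind.socket rpcbind.service`. The new `changed_when` keys on the English string `Created symlink` in stderr, which is more accurate than `rc == 0` but will silently report "ok" when the task runs under a non-English locale or a systemd build that phrases the message differently; prefixing the command with `LC_ALL=C` (or setting `environment: { LC_ALL: C }` on the task) removes that dependency. Note also that `systemctl mask` without `--now` leaves an already-running unit running until the next boot; that is fine inside the install chroot this task appears to target, but worth stating in a comment so the task is not reused on live hosts.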
|||||||
@@ -10,6 +10,7 @@
|
|||||||
install hfs /bin/false
|
install hfs /bin/false
|
||||||
install hfsplus /bin/false
|
install hfsplus /bin/false
|
||||||
install cramfs /bin/false
|
install cramfs /bin/false
|
||||||
|
# Note: disabling squashfs breaks snap (Ubuntu). Remove for snap-dependent hosts.
|
||||||
install squashfs /bin/false
|
install squashfs /bin/false
|
||||||
install udf /bin/false
|
install udf /bin/false
|
||||||
install usb-storage /bin/false
|
install usb-storage /bin/false
|
||||||
|
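Review bot: The `install <mod> /bin/false` lines stop `modprobe` from loading a module on demand, but they do not unload one that is already loaded and they are not what CIS audits for — the benchmark's remediation for each filesystem module also expects a `blacklist <mod>` line (e.g. `blacklist cramfs`, `blacklist usb-storage`) so the module is refused even when requested by alias or by the initramfs. I cannot see the surrounding content of this file above line 10, so if the `blacklist` entries live elsewhere in the file this is already covered; otherwise adding them alongside each `install` line closes the gap. The new squashfs comment is helpful; the same caveat applies to `usb-storage` on hosts provisioned from USB media, and a parallel comment (`# Note: usb-storage blocks all USB mass storage, including install/recovery media`) would save the next operator a surprise.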
|||||||
@@ -11,7 +11,7 @@
|
|||||||
- { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 }
|
- { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 }
|
||||||
- { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 }
|
- { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 }
|
||||||
- { path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: umask 077 }
|
- { path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: umask 077 }
|
||||||
- { path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: export TMOUT=3000 }
|
- { path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: export TMOUT=900 }
|
||||||
- { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent }
|
- { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent }
|
||||||
- { path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log" }
|
- { path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log" }
|
||||||
- { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so }
|
- { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so }
|
||||||
|
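Review bot: `export TMOUT=900` alone does not meet the control it is meant to satisfy: any user can `unset TMOUT` or set it to 0 in their shell, so CIS requires the variable to be read-only as well — change the content to `TMOUT=900; readonly TMOUT; export TMOUT` (a single line keeps the module's idempotency check working). The `pam_wheel.so` entry for `su` is written without `use_uid` or an explicit `group=`, which means every member of `wheel` can `su`; if the intent is the CIS "empty sugroup" control, the line should be `auth required pam_wheel.so use_uid group=sugroup` with that group created and empty. I cannot see which module consumes these `path`/`content` pairs (the task starts above the hunk), but if it is `lineinfile` writing `/mnt/etc/sudoers` directly, a `validate: '/usr/sbin/visudo -cf %s'` argument would prevent a malformed `Defaults` line from locking out sudo.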
|||||||
@@ -21,7 +21,7 @@
|
|||||||
- { option: GSSAPIAuthentication, value: "no" }
|
- { option: GSSAPIAuthentication, value: "no" }
|
||||||
- { option: AllowAgentForwarding, value: "no" }
|
- { option: AllowAgentForwarding, value: "no" }
|
||||||
- { option: AllowTcpForwarding, value: "no" }
|
- { option: AllowTcpForwarding, value: "no" }
|
||||||
- { option: ChallengeResponseAuthentication, value: "no" }
|
- { option: KbdInteractiveAuthentication, value: "no" }
|
||||||
- { option: GatewayPorts, value: "no" }
|
- { option: GatewayPorts, value: "no" }
|
||||||
- { option: X11Forwarding, value: "no" }
|
- { option: X11Forwarding, value: "no" }
|
||||||
- { option: PermitUserEnvironment, value: "no" }
|
- { option: PermitUserEnvironment, value: "no" }
|
||||||
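Review bot: The switch to `KbdInteractiveAuthentication` is correct for OpenSSH ≥ 8.7, but because sshd takes the first value it sees for an option, these per-option edits are only effective if they land before any `Include /etc/ssh/sshd_config.d/*.conf` line — on Ubuntu 22.04+ and Fedora the stock `sshd_config` includes that directory at the top, and cloud-init/distro drop-ins there (e.g. `PasswordAuthentication yes`) will win over values appended further down. I cannot see the module or `insertbefore`/`insertafter` used for these options (the task starts above the hunk); if it appends, consider writing the whole option list to `/etc/ssh/sshd_config.d/00-cis.conf` or inserting before the `Include`. Related and visible in the next hunk of this file: the `KexAlgorithms` line starts with `mlkem768x25519-sha256`, which only OpenSSH 9.9+ recognises, and an unknown algorithm name makes sshd fail to start on older releases (RHEL 9, Ubuntu 22.04/24.04), so either gate that entry on the detected OpenSSH version or run `sshd -t` as a validation step before restarting.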
@@ -36,7 +36,6 @@
|
|||||||
marker: "# {mark} CIS SSH HARDENING"
|
marker: "# {mark} CIS SSH HARDENING"
|
||||||
block: |-
|
block: |-
|
||||||
## CIS Specific
|
## CIS Specific
|
||||||
Protocol 2
|
|
||||||
### Ciphers and keying ###
|
### Ciphers and keying ###
|
||||||
RekeyLimit 512M 6h
|
RekeyLimit 512M 6h
|
||||||
KexAlgorithms mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
|
KexAlgorithms mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
|
||||||
|
|||||||
@@ -5,9 +5,12 @@
|
|||||||
mode: "0644"
|
mode: "0644"
|
||||||
content: |
|
content: |
|
||||||
## CIS Sysctl configurations
|
## CIS Sysctl configurations
|
||||||
|
fs.suid_dumpable=0
|
||||||
|
kernel.dmesg_restrict=1
|
||||||
kernel.yama.ptrace_scope=1
|
kernel.yama.ptrace_scope=1
|
||||||
kernel.randomize_va_space=2
|
kernel.randomize_va_space=2
|
||||||
# Network
|
# Network
|
||||||
|
# Disable forwarding; override in inventory for routers/containers
|
||||||
net.ipv4.ip_forward=0
|
net.ipv4.ip_forward=0
|
||||||
net.ipv4.tcp_syncookies=1
|
net.ipv4.tcp_syncookies=1
|
||||||
net.ipv4.icmp_echo_ignore_broadcasts=1
|
net.ipv4.icmp_echo_ignore_broadcasts=1
|
||||||
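Review bot: `fs.suid_dumpable=0` is commonly undone at boot by systemd-coredump, whose shipped `/usr/lib/sysctl.d/50-coredump.conf` sets `fs.suid_dumpable=2`; sysctl.d files are applied in lexical order across `/usr/lib`, `/run` and `/etc`, so this file only wins if its name sorts after `50-coredump.conf` (e.g. `60-cis.conf`). The destination path is above the hunk so I cannot confirm the name — if it sorts earlier, rename it or additionally set `Storage=none` / `ProcessSizeMax=0` in `/etc/systemd/coredump.conf`, which is what CIS's own remediation does. The new "override in inventory" comment on `net.ipv4.ip_forward` is misleading as written, since the value is a literal inside the `content: |` block and there is no variable to override; either template it (`net.ipv4.ip_forward={{ cis_ip_forward | default(0) }}`) or reword the comment to say the role must be edited for router/container hosts.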
@@ -24,6 +27,7 @@
|
|||||||
net.ipv4.conf.default.send_redirects=0
|
net.ipv4.conf.default.send_redirects=0
|
||||||
net.ipv4.conf.default.accept_redirects=0
|
net.ipv4.conf.default.accept_redirects=0
|
||||||
net.ipv6.conf.all.accept_redirects=0
|
net.ipv6.conf.all.accept_redirects=0
|
||||||
|
# Disable IPv6; override in inventory if IPv6 is needed
|
||||||
net.ipv6.conf.all.disable_ipv6=1
|
net.ipv6.conf.all.disable_ipv6=1
|
||||||
net.ipv6.conf.default.accept_redirects=0
|
net.ipv6.conf.default.accept_redirects=0
|
||||||
net.ipv6.conf.default.disable_ipv6=1
|
net.ipv6.conf.default.disable_ipv6=1
|
||||||
|
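Review bot: The comment "override in inventory if IPv6 is needed" does not match the code: `net.ipv6.conf.all.disable_ipv6=1` and `net.ipv6.conf.default.disable_ipv6=1` are hard-coded literals inside the block scalar, so an inventory variable has nothing to override. Template both lines, e.g. `net.ipv6.conf.all.disable_ipv6={{ cis_disable_ipv6 | default(1) }}` and the same for `default`, so the comment becomes true and dual-stack hosts can opt out without forking the role. Disabling IPv6 this way also makes services that bind `::` (sshd `ListenAddress ::`, postfix `inet_protocols = all`) log errors or fail to start, which is worth noting in the comment since the failure only shows up on reboot.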
|||||||