fix cis support for all distros

This commit is contained in:
Sandwich 2024-04-17 14:09:32 +02:00
parent 4b98ec1434
commit 6dd31cc95f
3 changed files with 21 additions and 13 deletions

View File

@ -1,6 +1,7 @@
almalinux: almalinux:
- bind-utils - bind-utils
- cloud-init - cloud-init
- dbus-daemon
- dhcp-client - dhcp-client
- efibootmgr - efibootmgr
- glibc-langpack-de - glibc-langpack-de
@ -13,6 +14,7 @@ almalinux:
- nfs-utils - nfs-utils
- nfsv4-client-utils - nfsv4-client-utils
- open-vm-tools - open-vm-tools
- ppp
- shim - shim
- telnet - telnet
- vim - vim
@ -30,6 +32,7 @@ archlinux:
- fish - fish
- grub - grub
- htop - htop
- libpwquality
- linux - linux
- logrotate - logrotate
- lrzsz - lrzsz
@ -41,6 +44,7 @@ archlinux:
- nfs-utils - nfs-utils
- openssh - openssh
- open-vm-tools - open-vm-tools
- ppp
- prometheus-node-exporter - prometheus-node-exporter
- python-psycopg2 - python-psycopg2
- qemu-guest-agent - qemu-guest-agent
@ -140,18 +144,22 @@ fedora:
- bind-utils - bind-utils
- btrfs-progs - btrfs-progs
- cloud-init - cloud-init
- cronie
- dhcp-client - dhcp-client
- efibootmgr - efibootmgr
- glibc-langpack-de - glibc-langpack-de
- glibc-langpack-en - glibc-langpack-en
- grub2 - grub2
- grub2-efi - grub2-efi
- logrotate
- lrzsz - lrzsz
- lvm2 - lvm2
- nc - nc
- nfs-utils - nfs-utils
- nfsv4-client-utils - nfsv4-client-utils
- open-vm-tools - open-vm-tools
- polkit
- ppp
- shim - shim
- telnet - telnet
- vim-default-editor - vim-default-editor
@ -189,6 +197,7 @@ rhel9:
rocky: rocky:
- bind-utils - bind-utils
- cloud-init - cloud-init
- dbus-daemon
- dhcp-client - dhcp-client
- efibootmgr - efibootmgr
- glibc-langpack-de - glibc-langpack-de
@ -201,6 +210,7 @@ rocky:
- nfs-utils - nfs-utils
- nfsv4-client-utils - nfsv4-client-utils
- open-vm-tools - open-vm-tools
- ppp
- shim - shim
- telnet - telnet
- util-linux-core - util-linux-core

View File

@ -65,7 +65,7 @@
# - { regexp: '^PASS_MIN_DAYS.*', replace: 'PASS_MIN_DAYS 7' } # - { regexp: '^PASS_MIN_DAYS.*', replace: 'PASS_MIN_DAYS 7' }
# - { regexp: '^UMASK.*', replace: 'UMASK 027' } # - { regexp: '^UMASK.*', replace: 'UMASK 027' }
- name: Create allow files - name: Ensure files exist
file: file:
path: "{{ item }}" path: "{{ item }}"
state: touch state: touch
@ -73,6 +73,8 @@
loop: loop:
- /mnt/etc/at.allow - /mnt/etc/at.allow
- /mnt/etc/cron.allow - /mnt/etc/cron.allow
- /mnt/etc/hosts.allow
- /mnt/etc/hosts.deny
- name: Add Security related lines into config files - name: Add Security related lines into config files
lineinfile: lineinfile:
@ -85,14 +87,14 @@
- { path: '/mnt/etc/security/pwquality.conf', content: 'ucredit = -1' } - { path: '/mnt/etc/security/pwquality.conf', content: 'ucredit = -1' }
- { path: '/mnt/etc/security/pwquality.conf', content: 'ocredit = -1' } - { path: '/mnt/etc/security/pwquality.conf', content: 'ocredit = -1' }
- { path: '/mnt/etc/security/pwquality.conf', content: 'lcredit = -1' } - { path: '/mnt/etc/security/pwquality.conf', content: 'lcredit = -1' }
- { path: '/mnt/etc/bash.bashrc', content: 'umask 077' } - { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rocky"] else "bash.bashrc" }}', content: 'umask 077' }
- { path: '/mnt/etc/bash.bashrc', content: 'export TMOUT=3000' } - { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rocky"] else "bash.bashrc" }}', content: 'export TMOUT=3000' }
- { path: '/mnt/etc/systemd/journald.conf', content: 'Storage=persistent' } - { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: 'Storage=persistent' }
- { path: '/mnt/etc/sudoers', content: 'Defaults logfile="/var/log/sudo.log"' } - { path: '/mnt/etc/sudoers', content: 'Defaults logfile="/var/log/sudo.log"' }
- { path: '/mnt/etc/pam.d/su', content: 'auth required pam_wheel.so' } - { path: '/mnt/etc/pam.d/su', content: 'auth required pam_wheel.so' }
- { path: '/mnt/etc/pam.d/common-auth', content: 'auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900' } - { path: '/mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}', content: 'auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900' }
- { path: '/mnt/etc/pam.d/common-account', content: 'account required pam_faillock.so' } - { path: '/mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}', content: 'account required pam_faillock.so' }
- { path: '/mnt/etc/pam.d/common-password', content: 'password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5' } - { path: '/mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}', content: 'password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5' }
- { path: '/mnt/etc/hosts.deny', content: 'ALL: ALL' } - { path: '/mnt/etc/hosts.deny', content: 'ALL: ALL' }
- { path: '/mnt/etc/hosts.allow', content: 'sshd: ALL' } - { path: '/mnt/etc/hosts.allow', content: 'sshd: ALL' }
@ -112,12 +114,8 @@
- { path: '/mnt/etc/crontab', mode: '0600' } - { path: '/mnt/etc/crontab', mode: '0600' }
- { path: '/mnt/etc/logrotate.conf', mode: '0644' } - { path: '/mnt/etc/logrotate.conf', mode: '0644' }
- { path: '/mnt/usr/sbin/pppd', mode: '754' } - { path: '/mnt/usr/sbin/pppd', mode: '754' }
- { path: '/mnt/usr/lib/dbus-1.0/dbus-daemon-launch-helper', mode: '754' } - { path: '/mnt/usr/bin/{{ "fusermount3" if os in ["archlinux", "debian12", "fedora"] else "fusermount" }}', mode: '755' }
- { path: '/mnt/usr/libexec/polkit-agent-helper-1', mode: '755' }
- { path: '/mnt/usr/bin/{{ "fusermount" if os == "debian11" else "fusermount3" }}', mode: '755' }
- { path: '/mnt/usr/bin/{{ "write.ul" if os == "debian11" else "write" }}', mode: '755' } - { path: '/mnt/usr/bin/{{ "write.ul" if os == "debian11" else "write" }}', mode: '755' }
- { path: '/mnt/usr/lib/x86_64-linux-gnu/utempter/utempter', mode: '755' }
- { path: '/mnt/home/svcansible', mode: '750' }
- name: Adjust SSHD config - name: Adjust SSHD config
lineinfile: lineinfile:

View File

@ -97,7 +97,6 @@
command: arch-chroot /mnt {% if os | lower == "archlinux" %}/usr/sbin/mkinitcpio -P{% elif os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts", "archlinux"] %}/usr/bin/dracut --regenerate-all --force{% else %}echo "Skipping initramfs regeneration"{% endif %} command: arch-chroot /mnt {% if os | lower == "archlinux" %}/usr/sbin/mkinitcpio -P{% elif os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts", "archlinux"] %}/usr/bin/dracut --regenerate-all --force{% else %}echo "Skipping initramfs regeneration"{% endif %}
- name: Extra Configuration - name: Extra Configuration
when: os | lower != "archlinux"
block: block:
- name: Append lines to vimrc - name: Append lines to vimrc
ignore_errors: true ignore_errors: true
@ -113,6 +112,7 @@
- "set mouse=a" - "set mouse=a"
- name: Copy FirstRun Script - name: Copy FirstRun Script
when: os | lower != "archlinux"
template: template:
src: firstrun.sh.j2 src: firstrun.sh.j2
dest: /mnt/root/firstrun.sh dest: /mnt/root/firstrun.sh