
ansible-role-server-harden's People

Contributors

andrewvaughan


ansible-role-server-harden's Issues

Add the Deploy user

Add the deploy user with full sudo access.

Variables

The following are the available variables for configuration of this feature, along with their defaults:

vars:
    server_harden:
        users:
            deploy:
                sudo     : true
                password : true
                ssh_keys:
                    - PUB...KEY1
                    - PUB...KEY2

If users is set to false, user configuration will be skipped.

As many users as needed can be created with the users block. By default, only the deploy user will be created, and the script will prompt for that user's password.

The sudo option will give the user full sudo access. Partial sudo is not currently supported.

  • true to auto-generate a password for the user
  • false for no password (not recommended)
  • A String value to set the password from the script (e.g., from a vault)
  • Omitted to prompt the user for a password (default)

ssh_keys can either be a string or an array. Note that if you don't set any SSH keys and password-login is disabled for SSH, a warning will be thrown, but configuration will continue.
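The key handling this issue describes (one key as a string, or several, plus the "no keys and password login disabled" warning), as an added shell example that is not part of the ansible-role-server-harden role. The home directory, the accepted key types and the sample keys are assumptions; the keys in the demo are constructed and not usable.

```shell
#!/usr/bin/env bash
# Added example, not the role's own code: install a user's authorized keys
# from one string or several, validating each key, and mirror the issue's
# "no keys and no password login" warning.
set -eu

# is_valid_pubkey KEY: "<type> <base64>[ comment]" for the common OpenSSH key types.
is_valid_pubkey() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_authorized_keys HOME_DIR [KEY...]
# Each argument may hold one key or several newline-separated keys (the
# issue's "string or array"). Malformed and duplicate keys are dropped, the
# file is written authoritatively with 0700/0600 modes, and the number of
# installed keys is printed.
install_authorized_keys() {
    home=$1; shift
    dir="$home/.ssh"; keyfile="$dir/authorized_keys"
    mkdir -p "$dir"
    chmod 700 "$dir"
    tmp=$(mktemp)
    for arg in "$@"; do printf '%s\n' "$arg"; done |
        while IFS= read -r key; do
            [ -z "$key" ] && continue
            if is_valid_pubkey "$key"; then
                printf '%s\n' "$key"
            else
                echo "skipping malformed key starting '${key%% *}'" >&2
            fi
        done |
        awk '!seen[$0]++' > "$tmp"      # de-duplicate, keeping first occurrence
    ( umask 077; cat "$tmp" > "$keyfile" )
    chmod 600 "$keyfile"
    rm -f "$tmp"
    grep -c . "$keyfile" || true
}

# check_login_path KEYFILE PASSWORD_AUTH
# Prints "ok" or "warning"; warns (without failing) when no keys are
# installed and SSH password login is off, exactly the case the issue flags.
check_login_path() {
    keyfile=$1; password_auth=$2
    n=0
    [ -f "$keyfile" ] && n=$(grep -c . "$keyfile" || true)
    if [ "$n" -eq 0 ] && [ "$password_auth" = "false" ]; then
        echo "WARNING: no SSH keys installed and password login disabled; this user cannot log in over SSH" >&2
        echo warning
    else
        echo ok
    fi
}

# Demo with constructed, non-functional sample keys in a temporary home.
demo_home=$(mktemp -d)
install_authorized_keys "$demo_home" \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotRealAAAAAAAA deploy@ci' \
    'this is not a key'
check_login_path "$demo_home/.ssh/authorized_keys" false
rm -rf "$demo_home"
```

The file is overwritten rather than appended to, so the role's variable is the single source of truth for which keys are valid; a key removed from `ssh_keys` disappears from the server on the next run.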

Lock down SSH

This should be done last, as it prevents the root user from accessing via Ansible. Ensure documentation provides an example of how to switch to a non-root user mid-playbook.

Set the following two lines in the /etc/ssh/sshd_config file:

PermitRootLogin no
PasswordAuthentication no

Then restart the SSH service with service ssh restart

Variables

The following are the available variables for configuration of this feature, along with their defaults:

vars:
    server_harden:
        ssh:
            root_login    : false
            password_auth : false

If ssh is set to false, configuration is skipped.
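The two sshd_config edits and the restart above, as an added shell example that is not part of the ansible-role-server-harden role. The function rewrites a directive in place whether it is present, commented out or missing, keeps it out of any Match block (a directive placed after a Match line applies only to that block), and refuses to restart the service if sshd -t rejects the result, since a broken config on a remote host leaves no way back in. The file path, the `service ssh` name from the issue and the demo config are assumptions; the demo runs against a constructed temporary file.

```shell
#!/usr/bin/env bash
# Added example, not the role's own code: set sshd directives idempotently
# and only restart sshd once the resulting file validates.
set -eu

# set_sshd_directive FILE KEY VALUE
# Rewrites the first global "KEY ..." line (commented out or not) to "KEY VALUE".
# If none exists, the directive is inserted before the first "Match" block,
# since anything placed after a Match line would apply only to that block.
set_sshd_directive() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        {
            raw = $0
            sub(/^[ \t]+/, "", raw)
            is_comment = (substr(raw, 1, 1) == "#")
            sub(/^#[ \t]*/, "", raw)
            split(raw, f, /[ \t]+/)
            if (!is_comment && f[1] == "Match") {
                if (!done) { print k " " v; done = 1 }
                in_match = 1
            }
            if (!done && !in_match && f[1] == k) { print k " " v; done = 1; next }
            print
        }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # overwrite in place so ownership and mode are preserved
    rm -f "$tmp"
}

# get_sshd_directive FILE KEY: print the effective global value (first
# uncommented match before any Match block), or nothing if unset.
get_sshd_directive() {
    awk -v k="$2" '
        {
            raw = $0
            sub(/^[ \t]+/, "", raw)
            if (substr(raw, 1, 1) == "#") next
            split(raw, f, /[ \t]+/)
            if (f[1] == "Match") exit
            if (f[1] == k) { print f[2]; exit }
        }
    ' "$1"
}

# lock_down_ssh [FILE]: the two settings from the issue.
lock_down_ssh() {
    file=${1:-/etc/ssh/sshd_config}
    set_sshd_directive "$file" PermitRootLogin no
    set_sshd_directive "$file" PasswordAuthentication no
}

# restart_ssh_if_valid [FILE]: never restart on a config sshd rejects.
restart_ssh_if_valid() {
    file=${1:-/etc/ssh/sshd_config}
    if ! sshd -t -f "$file"; then
        echo "sshd rejected $file; leaving the running service untouched" >&2
        return 1
    fi
    service ssh restart
}

# Demo on a constructed sample (not a real host's sshd_config).
demo=$(mktemp)
printf '#PermitRootLogin prohibit-password\nPasswordAuthentication yes\nMatch User git\n    PasswordAuthentication yes\n' > "$demo"
lock_down_ssh "$demo"
cat "$demo"
rm -f "$demo"
```

Run lock_down_ssh from the existing root session, then restart_ssh_if_valid, and keep that session open until a fresh login as the non-root user succeeds.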

Install and configure fail2ban

No configuration required (for now). May add some capabilities at a later time.

Variables

The following are the available variables for configuration of this feature, along with their defaults:

vars:
    server_harden:
        fail2ban: true

fail2ban can be set to false to skip installation.

Enable the Firewall

Configure UFW to allow ports 22, 80, and 443 by default.

Call ufw enable when complete.

Variables

The following are the available variables for configuration of this feature, along with their defaults:

vars:
    firewall:
        - 22
        - 80
        - 443

firewall can be set to false to skip firewall configuration.

Firewall takes an array of ports to open on the server. A warning should be shown if port 22 is not included, but configuration should continue.
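The port-list handling described in this issue, as an added shell example that is not part of the ansible-role-server-harden role: the port list is validated and de-duplicated, a missing port 22 produces a warning but not a failure, and the resulting ufw commands are printed in the order they have to run (default policy, allows, then enable) so they can be reviewed before being applied. The port numbers in the demo and the `/tcp` qualifier are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the role's own code: turn the issue's `firewall` port
# list into an ordered, validated set of ufw commands.
set -eu

# ufw_plan PORT...  -> prints the commands in the order they must run.
# Warns on stderr but continues if 22 is missing, as the issue specifies;
# returns 2 on a value that is not a port number in 1-65535.
ufw_plan() {
    has_ssh=0
    seen=" "
    allows=""
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 2 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 2
        fi
        case $seen in *" $p "*) continue ;; esac   # de-duplicate
        seen="$seen$p "
        [ "$p" -eq 22 ] && has_ssh=1
        allows="${allows}ufw allow ${p}/tcp
"
    done
    if [ "$has_ssh" -eq 0 ]; then
        echo "WARNING: port 22 is not in the firewall list; enabling ufw may cut off SSH access" >&2
    fi
    # Default-deny first, allows next, enable last: the SSH rule must exist
    # before the firewall comes up.
    printf '%s\n' "ufw default deny incoming" "ufw default allow outgoing"
    printf '%s' "$allows"
    # --force skips the interactive "may disrupt existing ssh connections"
    # prompt, which would otherwise hang an unattended run.
    printf '%s\n' "ufw --force enable"
}

# apply_ufw_plan PORT...: run the plan (needs root). Fails before touching
# anything if the port list is invalid.
apply_ufw_plan() {
    plan=$(ufw_plan "$@") || return $?
    printf '%s\n' "$plan" | sh -e
}

# Demo with the issue's default port list.
ufw_plan 22 80 443
```

Printing the plan separately from applying it is what makes the port-22 warning useful: an operator (or a playbook in check mode) sees the warning next to the exact `ufw --force enable` line that would lock them out.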

Enable Unattended Upgrades

Install with apt-get install unattended-upgrades

Update /etc/apt/apt.conf.d/10periodic to:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

Variables

The following are the available variables for configuration of this feature, along with their defaults:

vars:
    unattended_upgrades: true

unattended_upgrades can be set to false to skip setting up Unattended Upgrades.

Enable LogWatch

Install LogWatch with apt-get install logwatch

If a mail option is provided, edit /etc/cron.daily/00logwatch (e.g., with vim) to add this line:

/usr/sbin/logwatch --output mail --mailto [email protected] --detail high

Variables

The following are the available variables for configuration of this feature, along with their defaults:

vars:
    logwatch:
        email: # (undefined)

If email is set (and valid), the line will be added to logwatch to send emails.

Add README

Emphasize that these hardening techniques are specific to my needs, and that they may not work for everyone. The changes (link) should be reviewed thoroughly before use. That said, all options can be turned on or off in the configuration (link).

Add warning prompt to beginning

Warn the user that this role is intended for untouched, just-provisioned servers, and that some of the changes may produce undesired effects if they are not fully understood. Provide a link to the README section that explains all changes that are made.

Make the user press "Y" in a [yN] prompt to continue, by default.

Variables

The following are the available variables for configuration of this feature, along with their defaults:

vars:
    server_harden:
        warning:
            prompt  : true
            message : >
                WARNING!  The server-harden role is intended to be used to secure servers.
                It has the potential to cause irreparable harm to the target system,
                including access lockout and data loss.  It is vital that you understand
                the full context of this role before continuing execution.

Additionally, warning can be set to false to skip the warning entirely.

Run aptitude updates

Run the following:

  • apt-get update -y
  • apt-get update -y
  • apt-get autoremove

Variables

The following are the available variables for configuration of this feature, along with their defaults:

vars:
    server_harden:
        package_update: true

Setting package_update to false will skip this step.

Change the user's root password

Provide an option to enter the server's root password.

Variables

The following are the available variables for configuration of this feature, along with their defaults:

vars:
    server_harden:
        root:
            password: # (undefined)
            ssh_keys: false

If root is set to false, root user configuration will be skipped.

password can be set to the following:

  • true to auto-generate a root password for the user
  • false to skip setting the root password
  • A String value to set the root password from the script (e.g., from a vault)
  • Omitted to prompt the user for a password (default)

ssh_keys can be one of the following:

  • false to remove all SSH keys (default)
  • A String to set a single authorized key
  • An array to set multiple SSH keys

Note that if you set SSH keys, but root login is disabled for SSH, a warning will be thrown, but configuration will continue.
