diff options
| -rw-r--r-- | ansible.cfg | 36 | ||||
| -rw-r--r-- | roles/common/files/etc/logcheck/ignore.d.server/common.local | 4 | ||||
| -rw-r--r-- | roles/common/files/etc/logcheck/violations.ignore.d/logcheck-sudo | 7 | ||||
| -rw-r--r-- | roles/common/tasks/logging.yml | 1 | ||||
| -rw-r--r-- | roles/common/tasks/rkhunter.yml | 2 | ||||
| -rw-r--r-- | roles/common/tasks/sysctl.yml | 2 |
6 files changed, 38 insertions, 14 deletions
diff --git a/ansible.cfg b/ansible.cfg index 6afc1ef..82de41a 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -11,88 +11,100 @@ # location of ansible library, eliminates need to specify --module-path library = ./lib/:/usr/share/ansible/ # default module name used in /usr/bin/ansible when -m is not specified module_name = command # home directory where temp files are stored on remote systems. Should # almost always contain $HOME or be a directory writeable by all users remote_tmp = $HOME/.ansible/tmp # the default pattern for ansible-playbooks ("hosts:") pattern = * # the default number of forks (parallelism) to be used. Usually you # can crank this up. -forks=5 +forks = 5 # the timeout used by various connection types. Usually this corresponds # to an SSH timeout -timeout=10 +timeout = 10 # when using --poll or "poll:" in an ansible playbook, and not specifying # an explicit poll interval, use this interval -poll_interval=15 +poll_interval = 15 # when specifying --sudo to /usr/bin/ansible or "sudo:" in a playbook, # and not specifying "--sudo-user" or "sudo_user" respectively, sudo # to this user account -sudo=True -#sudo_user=root +sudo = True +#sudo_user = root + +# what flags to pass to sudo +sudo_flags = -H LC_ALL=C # the following forces ansible to always ask for the sudo password (instead of having # to add -K to the commandline). Or you can use the environment variable (ANSIBLE_ASK_SUDO_PASS) -ask_sudo_pass=True +ask_sudo_pass = True # the following forces ansible to always ask for the ssh-password (-k) # can also be set by the environment variable ANSIBLE_ASK_PASS -#ask_pass=True +#ask_pass = True # connection to use when -c <connection_type> is not specified -transport=ssh +transport = ssh # remote SSH port to be used when --port or "port:" or an equivalent inventory # variable is not specified. -remote_port=22 +remote_port = 22 # if set, always run /usr/bin/ansible commands as this user, and assume this value # if "user:" is not set in a playbook. If not set, use the current Unix user # as the default -#remote_user=root +#remote_user = root + +# if set, always use this private key file for authentication, same as if passing +# --private-key to ansible or ansible-playbook + +#private_key_file=/path/to/file # format of string $ansible_managed available within Jinja2 templates, replacing # {file}, {host} and {uid} with template filename, host and owner respectively. # The resulting string is passed through strftime(3) so it may contain any # time-formatting specifiers. # # Example: ansible_managed = DONT TOUCH {file}: call {uid} at {host} for changes ansible_managed = Ansible Managed: modified on %Y-%m-%d %H:%M:%S by {uid}@{host} # additional plugin paths for non-core plugins action_plugins = /usr/share/ansible_plugins/action_plugins callback_plugins = /usr/share/ansible_plugins/callback_plugins connection_plugins = /usr/share/ansible_plugins/connection_plugins lookup_plugins = /usr/share/ansible_plugins/lookup_plugins vars_plugins = /usr/share/ansible_plugins/vars_plugins -legacy_playbook_variables = no - [ssh_connection] +# if uncommented, sets the ansible ssh arguments to the following. Leaving off ControlPersist +# will result in poor performance, so use transport=paramiko on older platforms rather than +# removing it + ssh_args = -F ../virtualenv/.ssh/config -o ControlMaster=auto -o ControlPersist=60s -o ControlPath=/tmp/ansible-ssh-%h-%p-%r + +pipelining = True diff --git a/roles/common/files/etc/logcheck/ignore.d.server/common.local b/roles/common/files/etc/logcheck/ignore.d.server/common.local index 22fe621..331edeb 100644 --- a/roles/common/files/etc/logcheck/ignore.d.server/common.local +++ b/roles/common/files/etc/logcheck/ignore.d.server/common.local @@ -1,6 +1,8 @@ # Ansible Managed # Do NOT edit this file directly! # +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: subsystem request for sftp by user [^[:space:]]+$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/master\[[[:digit:]]+\]: reload -- version +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ (; ENV=([_a-zA-Z]+=\S* )+)?; COMMAND=(/(usr|etc|bin|sbin)/|sudoedit ) # Ansible logs everything into syslog -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-[a-z]+: Invoked +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-([a-z]+|<stdin>): Invoked with diff --git a/roles/common/files/etc/logcheck/violations.ignore.d/logcheck-sudo b/roles/common/files/etc/logcheck/violations.ignore.d/logcheck-sudo new file mode 100644 index 0000000..e474019 --- /dev/null +++ b/roles/common/files/etc/logcheck/violations.ignore.d/logcheck-sudo @@ -0,0 +1,7 @@ +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo: pam_krb5\(sudo:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]-]+@[.A-Z]+$ +# ignore sudo with custom ENV +#^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ (; ENV=([_a-zA-Z]+=\S* )+)?; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : \(command continued\).*$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session closed for user [[:alnum:]-]+$ diff --git a/roles/common/tasks/logging.yml b/roles/common/tasks/logging.yml index 06f06b0..d25a75e 100644 --- a/roles/common/tasks/logging.yml +++ b/roles/common/tasks/logging.yml @@ -3,37 +3,38 @@ with_items: - rsyslog - syslog-summary - logcheck - logcheck-database - logrotate - name: Start rsyslog service: name=rsyslog state=started tags: - syslog - name: Configure logcheck copy: src=etc/logcheck/{{ item }} dest=/etc/logcheck/{{ item }} owner=root group=logcheck mode=0640 with_items: - logcheck.conf - ignore.d.server/common.local + - violations.ignore.d/logcheck-sudo - name: Minimal logging policy (1) lineinfile: dest=/etc/logrotate.d/rsyslog regexp="^/var/log/mail.(log|info)$" state=absent - name: Minimal logging policy (2) copy: src=etc/logrotate.d/fripost-mail dest=/etc/logrotate.d/fripost-mail owner=root group=root mode=0644 tags: - logrotate # TODO: We also have specialized per-role logcheck rulesets, per-role # logrotate configuration (/etc/logrotate.d), and per-role rsyslog # configuration (/etc/rsyslog.d). diff --git a/roles/common/tasks/rkhunter.yml b/roles/common/tasks/rkhunter.yml index f6a4d71..78eec90 100644 --- a/roles/common/tasks/rkhunter.yml +++ b/roles/common/tasks/rkhunter.yml @@ -1,24 +1,26 @@ - name: Install rkhunter apt: pkg={{ item }} with_items: - rkhunter - curl - iproute - lsof - unhide - unhide.rb +# To test the configuration: +# ansible all -m command -a '/usr/bin/rkhunter -c --nomow --rwo' - name: Configure rkhunter copy: src=etc/{{ item }} dest=/etc/{{ item }} owner=root group=root mode=0644 with_items: - rkhunter.conf - default/rkhunter notify: # This might not always be necessary, but it's not like we would # change the config every day... - Update rkhunter's data file - meta: flush_handlers diff --git a/roles/common/tasks/sysctl.yml b/roles/common/tasks/sysctl.yml index 9adeece..6ac7feb 100644 --- a/roles/common/tasks/sysctl.yml +++ b/roles/common/tasks/sysctl.yml @@ -1,21 +1,21 @@ -- sysctl: name={{ item.name }} value={{ item.value }} +- sysctl: name={{ item.name }} "value={{ item.value }}" sysctl_set=yes with_items: - { name: 'kernel.domainname', value: '{{ ansible_domain }}' } # Networking. See # https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt # Enable Spoof protection (reverse-path filter). Turn on Source # Address Verification in all interfaces to prevent some spoofing # attacks. - { name: 'net.ipv4.conf.default.rp_filter', value: 1 } - { name: 'net.ipv4.conf.all.rp_filter', value: 1 } # Enable TCP/IP SYN cookies to avoid TCP SYN flood attacks. We # rate-limit not only the default ICMP types 3, 4, 11 and 12 # (0x1818), but also types 0 and 8. See icmp(7). - { name: 'net.ipv4.tcp_syncookies', value: 1 } - { name: 'net.ipv4.icmp_ratemask', value: 6425 } - { name: 'net.ipv4.icmp_ratelimit', value: 1000 } # Disable paquet forwarding between interfaces (we are not a router). |