-rw-r--r--ansible.cfg97
-rw-r--r--roles/common/tasks/main.yml2
-rw-r--r--roles/common/tasks/sysctl.yml52
-rw-r--r--site.yml6
4 files changed, 157 insertions, 0 deletions
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..c7343c6
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,97 @@
+# config file for ansible -- http://ansible.github.com
+# nearly all parameters can be overridden in ansible-playbook or with command line flags
+# ansible will read ~/.ansible.cfg or /etc/ansible/ansible.cfg, whichever it finds first
+
+[defaults]
+
+# location of inventory file, eliminates need to specify -i
+
+#hostfile = ./stage_vms
+
+# location of ansible library, eliminates need to specify --module-path
+
+library = /usr/share/ansible
+
+# default module name used in /usr/bin/ansible when -m is not specified
+
+module_name = command
+
+# home directory where temp files are stored on remote systems. Should
+# almost always contain $HOME or be a directory writeable by all users
+
+remote_tmp = $HOME/.ansible/tmp
+
+# the default pattern for ansible-playbooks ("hosts:")
+
+pattern = *
+
+# the default number of forks (parallelism) to be used. Usually you
+# can crank this up.
+
+forks=5
+
+# the timeout used by various connection types. Usually this corresponds
+# to an SSH timeout
+
+timeout=10
+
+# when using --poll or "poll:" in an ansible playbook, and not specifying
+# an explicit poll interval, use this interval
+
+poll_interval=15
+
+# when specifying --sudo to /usr/bin/ansible or "sudo:" in a playbook,
+# and not specifying "--sudo-user" or "sudo_user" respectively, sudo
+# to this user account
+
+#sudo_user=root
+
+# the following forces ansible to always ask for the sudo password (instead of having
+# to add -K to the commandline). Or you can use the environment variable (ANSIBLE_ASK_SUDO_PASS)
+
+ask_sudo_pass=True
+
+# the following forces ansible to always ask for the ssh-password (-k)
+# can also be set by the environment variable ANSIBLE_ASK_PASS
+
+#ask_pass=True
+
+# connection to use when -c <connection_type> is not specified
+
+transport=ssh
+
+# remote SSH port to be used when --port or "port:" or an equivalent inventory
+# variable is not specified.
+
+remote_port=22
+
+# if set, always run /usr/bin/ansible commands as this user, and assume this value
+# if "user:" is not set in a playbook. If not set, use the current Unix user
+# as the default
+
+#remote_user=root
+
+# format of string $ansible_managed available within Jinja2 templates, replacing
+# {file}, {host} and {uid} with template filename, host and owner respectively.
+# The resulting string is passed through strftime(3) so it may contain any
+# time-formatting specifiers.
+#
+# Example: ansible_managed = DONT TOUCH {file}: call {uid} at {host} for changes
+ansible_managed = Ansible Managed: modified on %Y-%m-%d %H:%M:%S by {uid}@{host}
+
+# additional plugin paths for non-core plugins
+
+action_plugins = /usr/share/ansible_plugins/action_plugins
+callback_plugins = /usr/share/ansible_plugins/callback_plugins
+connection_plugins = /usr/share/ansible_plugins/connection_plugins
+lookup_plugins = /usr/share/ansible_plugins/lookup_plugins
+vars_plugins = /usr/share/ansible_plugins/vars_plugins
+
+legacy_playbook_variables = no
+
+[ssh_connection]
+
+ssh_args = -F ../virtualenv/.ssh/config
+ -o ControlMaster=auto
+ -o ControlPersist=60s
+ -o ControlPath=/tmp/ansible-ssh-%h-%p-%r
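Review bot: The ControlMaster socket on the last continuation line is placed in the shared `/tmp` under a predictable name, so any local user on the controller can observe or pre-occupy `/tmp/ansible-ssh-<host>-<port>-<user>` before the master connection is opened; a per-user directory is safer, e.g. `-o ControlPath=~/.ssh/ansible-ssh-%h-%p-%r` (ssh expands `~` in ControlPath itself; the directory must already exist). The `-F ../virtualenv/.ssh/config` on the `ssh_args` line is resolved against the working directory of the ansible invocation rather than the location of this file, so ssh will presumably fail to open its config when the playbook is run from another directory — an absolute path, or a comment stating the required working directory, would make the dependency explicit. The header comment names only `~/.ansible.cfg` and `/etc/ansible/ansible.cfg`, but a file committed at the project root is picked up as `./ansible.cfg`, which the comment could state so readers know why it takes effect.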
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
new file mode 100644
index 0000000..acc9611
--- /dev/null
+++ b/roles/common/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+- include: sysctl.yml tags=sysctl
diff --git a/roles/common/tasks/sysctl.yml b/roles/common/tasks/sysctl.yml
new file mode 100644
index 0000000..4f52d3e
--- /dev/null
+++ b/roles/common/tasks/sysctl.yml
@@ -0,0 +1,52 @@
+- sysctl: name={{ item.name }} value={{ item.value }}
+ with_items:
+ - { name: 'kernel.domainname', value: '{{ ansible_domain }}' }
+
+ # Networking. See
+ # https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
+
+ # Enable Spoof protection (reverse-path filter). Turn on Source
+ # Address Verification in all interfaces to prevent some spoofing
+ # attacks.
+ - { name: 'net.ipv4.conf.default.rp_filter', value: 1 }
+ - { name: 'net.ipv4.conf.all.rp_filter', value: 1 }
+
+ # Enable TCP/IP SYN cookies to avoid TCP SYN flood attacks. We
+ # rate-limit not only the default ICMP types 3, 4, 11 and 12
+ # (0x1818), but also types 0 and 8. See icmp(7).
+ - { name: 'net.ipv4.tcp_syncookies', value: 1 }
+ - { name: 'net.ipv4.icmp_ratemask', value: 6425 }
+ - { name: 'net.ipv4.icmp_ratelimit', value: 1000 }
+
+ # Disable paquet forwarding between interfaces (we are not a router).
+ - { name: 'net.ipv4.ip_forward', value: 0 }
+ - { name: 'net.ipv6.conf.all.forwarding', value: 0 }
+
+ # Enable IPv6 Privacy Extensions.
+ - { name: 'net.ipv6.conf.default.use_tempaddr', value: 2 }
+ - { name: 'net.ipv6.conf.all.use_tempaddr', value: 2 }
+ - { name: 'net.ipv6.conf.all.autoconf', value: 0 }
+
+ # Do not accept ICMP redirects (prevent MITM attacks).
+ - { name: 'net.ipv4.conf.all.accept_redirects', value: 0 }
+ - { name: 'net.ipv6.conf.all.accept_redirects', value: 0 }
+
+ # Do not send ICMP redirects (we are not a router).
+ - { name: 'net.ipv4.conf.default.send_redirects', value: 0 }
+ - { name: 'net.ipv4.conf.all.send_redirects', value: 0 }
+
+ # Do not accept IP source route packets (we are not a router).
+ - { name: 'net.ipv4.conf.all.accept_source_route', value: 0 }
+ - { name: 'net.ipv6.conf.all.accept_source_route', value: 0 }
+
+ # Log Martian Packets.
+ - { name: 'net.ipv4.conf.all.log_martians', value: 1 }
+
+ # Ignore ICMP broadcasts.
+ - { name: 'net.ipv4.icmp_echo_ignore_broadcasts', value: 1 }
+
+ # Ignore bogus ICMP errors.
+ - { name: 'net.ipv4.icmp_ignore_bogus_error_responses', value: 1 }
+
+ # Enable connection tracking flow accounting.
+ - { name: 'net.netfilter.nf_conntrack_acct', value: 1 }
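Review bot: `accept_redirects` is cleared only on `conf.all` (the two items under "Do not accept ICMP redirects"), but with forwarding disabled — as this file sets — the kernel accepts IPv4 redirects on an interface if either `conf/all` or the per-interface value is TRUE, and for both families interfaces created later take their per-interface value from `conf/default`, so the hardening does not cover new interfaces; add `- { name: 'net.ipv4.conf.default.accept_redirects', value: 0 }` and `- { name: 'net.ipv6.conf.default.accept_redirects', value: 0 }` beside the existing pair, as the file already does for `rp_filter` and `send_redirects`. The two `use_tempaddr = 2` items appear moot next to `net.ipv6.conf.all.autoconf = 0`, since temporary addresses are only generated for SLAAC-configured prefixes — confirm which of the two is intended. `net.netfilter.nf_conntrack_acct` exists only once the nf_conntrack module is loaded, so the last item will presumably fail the play on a host that has not loaded it yet. The task carries no `name:` and the file lacks the `---` document marker its sibling files use, and `paquet` in the forwarding comment should read `packet`.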
diff --git a/site.yml b/site.yml
new file mode 100644
index 0000000..52da197
--- /dev/null
+++ b/site.yml
@@ -0,0 +1,6 @@
+---
+# ansible-playbook -i stage_vms site.yml -t rkhunter
+- name: all
+ hosts: all
+ roles:
+ - common
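Review bot: The example invocation in the comment on line 2 passes `-t rkhunter`, but the only tag defined in this commit is `sysctl` (roles/common/tasks/main.yml), so as written the example selects no tasks; `-t sysctl` would match the committed role, or the comment should say the tag belongs to a role not yet added. The `name: all` play label only repeats `hosts: all`; a descriptive name such as `name: Apply common baseline to all hosts` reads better in play output.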