diff options
| -rw-r--r-- | ansible.cfg | 97 | ||||
| -rw-r--r-- | roles/common/tasks/main.yml | 2 | ||||
| -rw-r--r-- | roles/common/tasks/sysctl.yml | 52 | ||||
| -rw-r--r-- | site.yml | 6 |
4 files changed, 157 insertions, 0 deletions
diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 0000000..c7343c6 --- /dev/null +++ b/ansible.cfg @@ -0,0 +1,97 @@ +# config file for ansible -- http://ansible.github.com +# nearly all parameters can be overridden in ansible-playbook or with command line flags +# ansible will read ~/.ansible.cfg or /etc/ansible/ansible.cfg, whichever it finds first + +[defaults] + +# location of inventory file, eliminates need to specify -i + +#hostfile = ./stage_vms + +# location of ansible library, eliminates need to specify --module-path + +library = /usr/share/ansible + +# default module name used in /usr/bin/ansible when -m is not specified + +module_name = command + +# home directory where temp files are stored on remote systems. Should +# almost always contain $HOME or be a directory writeable by all users + +remote_tmp = $HOME/.ansible/tmp + +# the default pattern for ansible-playbooks ("hosts:") + +pattern = * + +# the default number of forks (parallelism) to be used. Usually you +# can crank this up. + +forks=5 + +# the timeout used by various connection types. Usually this corresponds +# to an SSH timeout + +timeout=10 + +# when using --poll or "poll:" in an ansible playbook, and not specifying +# an explicit poll interval, use this interval + +poll_interval=15 + +# when specifying --sudo to /usr/bin/ansible or "sudo:" in a playbook, +# and not specifying "--sudo-user" or "sudo_user" respectively, sudo +# to this user account + +#sudo_user=root + +# the following forces ansible to always ask for the sudo password (instead of having +# to add -K to the commandline). Or you can use the environment variable (ANSIBLE_ASK_SUDO_PASS) + +ask_sudo_pass=True + +# the following forces ansible to always ask for the ssh-password (-k) +# can also be set by the environment variable ANSIBLE_ASK_PASS + +#ask_pass=True + +# connection to use when -c <connection_type> is not specified + +transport=ssh + +# remote SSH port to be used when --port or "port:" or an equivalent inventory +# variable is not specified. + +remote_port=22 + +# if set, always run /usr/bin/ansible commands as this user, and assume this value +# if "user:" is not set in a playbook. If not set, use the current Unix user +# as the default + +#remote_user=root + +# format of string $ansible_managed available within Jinja2 templates, replacing +# {file}, {host} and {uid} with template filename, host and owner respectively. +# The resulting string is passed through strftime(3) so it may contain any +# time-formatting specifiers. +# +# Example: ansible_managed = DONT TOUCH {file}: call {uid} at {host} for changes +ansible_managed = Ansible Managed: modified on %Y-%m-%d %H:%M:%S by {uid}@{host} + +# additional plugin paths for non-core plugins + +action_plugins = /usr/share/ansible_plugins/action_plugins +callback_plugins = /usr/share/ansible_plugins/callback_plugins +connection_plugins = /usr/share/ansible_plugins/connection_plugins +lookup_plugins = /usr/share/ansible_plugins/lookup_plugins +vars_plugins = /usr/share/ansible_plugins/vars_plugins + +legacy_playbook_variables = no + +[ssh_connection] + +ssh_args = -F ../virtualenv/.ssh/config + -o ControlMaster=auto + -o ControlPersist=60s + -o ControlPath=/tmp/ansible-ssh-%h-%p-%r diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml new file mode 100644 index 0000000..acc9611 --- /dev/null +++ b/roles/common/tasks/main.yml @@ -0,0 +1,2 @@ +--- +- include: sysctl.yml tags=sysctl diff --git a/roles/common/tasks/sysctl.yml b/roles/common/tasks/sysctl.yml new file mode 100644 index 0000000..4f52d3e --- /dev/null +++ b/roles/common/tasks/sysctl.yml @@ -0,0 +1,52 @@ +- sysctl: name={{ item.name }} value={{ item.value }} + with_items: + - { name: 'kernel.domainname', value: '{{ ansible_domain }}' } + + # Networking. See + # https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt + + # Enable Spoof protection (reverse-path filter). Turn on Source + # Address Verification in all interfaces to prevent some spoofing + # attacks. + - { name: 'net.ipv4.conf.default.rp_filter', value: 1 } + - { name: 'net.ipv4.conf.all.rp_filter', value: 1 } + + # Enable TCP/IP SYN cookies to avoid TCP SYN flood attacks. We + # rate-limit not only the default ICMP types 3, 4, 11 and 12 + # (0x1818), but also types 0 and 8. See icmp(7). + - { name: 'net.ipv4.tcp_syncookies', value: 1 } + - { name: 'net.ipv4.icmp_ratemask', value: 6425 } + - { name: 'net.ipv4.icmp_ratelimit', value: 1000 } + + # Disable paquet forwarding between interfaces (we are not a router). + - { name: 'net.ipv4.ip_forward', value: 0 } + - { name: 'net.ipv6.conf.all.forwarding', value: 0 } + + # Enable IPv6 Privacy Extensions. + - { name: 'net.ipv6.conf.default.use_tempaddr', value: 2 } + - { name: 'net.ipv6.conf.all.use_tempaddr', value: 2 } + - { name: 'net.ipv6.conf.all.autoconf', value: 0 } + + # Do not accept ICMP redirects (prevent MITM attacks). + - { name: 'net.ipv4.conf.all.accept_redirects', value: 0 } + - { name: 'net.ipv6.conf.all.accept_redirects', value: 0 } + + # Do not send ICMP redirects (we are not a router). + - { name: 'net.ipv4.conf.default.send_redirects', value: 0 } + - { name: 'net.ipv4.conf.all.send_redirects', value: 0 } + + # Do not accept IP source route packets (we are not a router). + - { name: 'net.ipv4.conf.all.accept_source_route', value: 0 } + - { name: 'net.ipv6.conf.all.accept_source_route', value: 0 } + + # Log Martian Packets. + - { name: 'net.ipv4.conf.all.log_martians', value: 1 } + + # Ignore ICMP broadcasts. + - { name: 'net.ipv4.icmp_echo_ignore_broadcasts', value: 1 } + + # Ignore bogus ICMP errors. + - { name: 'net.ipv4.icmp_ignore_bogus_error_responses', value: 1 } + + # Enable connection tracking flow accounting. + - { name: 'net.netfilter.nf_conntrack_acct', value: 1 } diff --git a/site.yml b/site.yml new file mode 100644 index 0000000..52da197 --- /dev/null +++ b/site.yml @@ -0,0 +1,6 @@ +--- +# ansible-playbook -i stage_vms site.yml -t rkhunter +- name: all + hosts: all + roles: + - common |