Diffstat (limited to 'attackbox/tasks')
-rw-r--r--attackbox/tasks/apt_packages.yaml5
-rw-r--r--attackbox/tasks/chrome_install.yaml24
-rw-r--r--attackbox/tasks/generate_readme.yaml7
-rw-r--r--attackbox/tasks/github_repos.yaml15
-rw-r--r--attackbox/tasks/go_tools.yaml6
-rw-r--r--attackbox/tasks/golang_install.yaml39
-rw-r--r--attackbox/tasks/harden.yaml122
7 files changed, 218 insertions, 0 deletions
diff --git a/attackbox/tasks/apt_packages.yaml b/attackbox/tasks/apt_packages.yaml
new file mode 100644
index 0000000..4ed8331
--- /dev/null
+++ b/attackbox/tasks/apt_packages.yaml
@@ -0,0 +1,5 @@
+- name: install apt packages
+ apt:
+ name: "{{ apt_packages }}"
+ state: present
+ update_cache: yes
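Review bot: `update_cache: yes` on the last line relies on YAML 1.1 boolean parsing; Ansible accepts it, but yamllint's truthy rule and YAML 1.2 parsers read `yes` as a string, so write `update_cache: true`. Pairing it with `cache_valid_time: 3600` also stops the role from re-fetching the package index on every run.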
diff --git a/attackbox/tasks/chrome_install.yaml b/attackbox/tasks/chrome_install.yaml
new file mode 100644
index 0000000..4b9bf4f
--- /dev/null
+++ b/attackbox/tasks/chrome_install.yaml
@@ -0,0 +1,24 @@
+- name: remove old google signing key
+ file:
+ path: /etc/apt/trusted.gpg.d/google-signing-key.gpg
+ state: absent
+
+- name: download and install google signing key
+ shell: |
+ curl -sSL https://dl.google.com/linux/linux_signing_key.pub | gpg --dearmor -o /etc/apt/trusted.gpg.d/google-signing-key.gpg
+
+- name: add google chrome repo
+ copy:
+ dest: /etc/apt/sources.list.d/google-chrome.list
+ content: |
+ deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/google-signing-key.gpg] https://dl.google.com/linux/chrome/deb stable main
+
+- name: update apt cache
+ apt:
+ update_cache: yes
+
+- name: install google chrome
+ apt:
+ name: google-chrome-stable
+ state: present
+
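Review bot: The key is written into `/etc/apt/trusted.gpg.d/` (line 40), where apt treats it as a trust anchor for every configured repository, so the `signed-by=` restriction in the sources entry at line 46 is ineffective; keep the key under `/etc/apt/keyrings/` instead so it can only authenticate the Chrome repo. The `shell` pipeline also has no `pipefail` and no `creates:`, so a failed `curl` leaves an empty keyring file, and the remove/re-download pair reports changed and re-trusts whatever the download returns on every run. Fetching the key with `get_url` makes the task idempotent and gives a place to pin `checksum:` once the key's digest has been confirmed out of band (the digest itself is not something I can verify from here).

```yaml
- name: ensure apt keyring directory exists
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    mode: '0755'

- name: download google signing key
  ansible.builtin.get_url:
    url: https://dl.google.com/linux/linux_signing_key.pub
    dest: /etc/apt/keyrings/google-linux.asc
    mode: '0644'
    # checksum: "sha256:<digest confirmed out of band>"

- name: add google chrome repo
  copy:
    dest: /etc/apt/sources.list.d/google-chrome.list
    content: |
      deb [arch=amd64 signed-by=/etc/apt/keyrings/google-linux.asc] https://dl.google.com/linux/chrome/deb stable main

# … unchanged: update apt cache, install google chrome …
```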
diff --git a/attackbox/tasks/generate_readme.yaml b/attackbox/tasks/generate_readme.yaml
new file mode 100644
index 0000000..691d08b
--- /dev/null
+++ b/attackbox/tasks/generate_readme.yaml
@@ -0,0 +1,7 @@
+- name: generate ~/README.txt on the target server
+ ansible.builtin.template:
+ src: templates/readme.txt.j2
+ dest: "{{ ansible_env.HOME }}/README.txt"
+ owner: "{{ ansible_user | default('root') }}"
+ group: "{{ ansible_user | default('root') }}"
+ mode: '0644'
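Review bot: The destination is derived from `ansible_env.HOME` while ownership comes from `ansible_user`; if this role runs with `become: true` (the play is not visible here), facts are gathered as root, so the file lands in `/root` but is chowned to the login user, which is probably not intended. Deriving both from the same source avoids the drift, e.g. `dest: "/home/{{ ansible_user }}/README.txt"` when the login user is the target, or dropping `owner`/`group` so the file simply belongs to the account that wrote it.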
diff --git a/attackbox/tasks/github_repos.yaml b/attackbox/tasks/github_repos.yaml
new file mode 100644
index 0000000..042ea6c
--- /dev/null
+++ b/attackbox/tasks/github_repos.yaml
@@ -0,0 +1,15 @@
+- name: ensure /opt/tools exists
+ ansible.builtin.file:
+ path: /opt/tools
+ state: directory
+ owner: root
+ group: root
+ mode: '0755'
+
+- name: clone github repos into /opt/tools
+ ansible.builtin.git:
+ repo: "{{ item }}"
+ dest: "/opt/tools/{{ item | basename | regex_replace('\\.git$', '') }}"
+ update: yes
+ force: yes
+ loop: "{{ github_repos }}"
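Review bot: The clone at lines 85-90 has no `version:`, so every run pulls the default-branch HEAD of each repository, and with `update: yes` plus `force: yes` a compromised or force-pushed upstream silently replaces the tool on the next run. Pin each entry to a tag or commit and pass it through, e.g. make `github_repos` a list of `{repo, version}` mappings and set `repo: "{{ item.repo }}"` and `version: "{{ item.version }}"` (with `dest` using `item.repo | basename` likewise), so the box is reproducible and an upstream change is a deliberate edit here. If some tools must track a branch, `version` can still hold the branch name; the point is that the choice is explicit in the inventory rather than implicit.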
diff --git a/attackbox/tasks/go_tools.yaml b/attackbox/tasks/go_tools.yaml
new file mode 100644
index 0000000..18c0346
--- /dev/null
+++ b/attackbox/tasks/go_tools.yaml
@@ -0,0 +1,6 @@
+- name: install go tools
+ ansible.builtin.command:
+ cmd: "/usr/local/go/bin/go install -trimpath -v {{ item }}"
+ environment:
+ GOBIN: /usr/local/bin
+ loop: "{{ go_tools }}"
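Review bot: Each `go install` at line 99 is re-run and reported as changed on every play, and whether the result is reproducible depends entirely on the `go_tools` values, which are not visible here: `go install` in this mode requires an `@version` suffix, and `@latest` re-resolves to the newest tag each run. Pin entries to a tag (`…/cmd/tool@v1.2.3`) so the box builds the same binaries every time; the go command's default checksum-database check still verifies the module contents. A `creates:` on the expected binary would make the task idempotent where the tool names are known; failing that, `changed_when: false` removes the permanent "changed" status that hides real changes in the recap.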
diff --git a/attackbox/tasks/golang_install.yaml b/attackbox/tasks/golang_install.yaml
new file mode 100644
index 0000000..df9c266
--- /dev/null
+++ b/attackbox/tasks/golang_install.yaml
@@ -0,0 +1,39 @@
+- name: check if golang is installed
+ stat:
+ path: /usr/local/go/bin/go
+ register: golang_installed
+
+- name: download and extract golang
+ when: not golang_installed.stat.exists
+ block:
+ - name: get latest golang version
+ shell: |
+ curl -sSL https://golang.org/dl/ | awk -F '"' '/dl\/.*linux-amd64.*tar.gz/{print $(NF-1)}' | awk -F '/' '{print $3}' | head -1
+ register: latest_golang
+ changed_when: false
+
+ - name: download golang
+ get_url:
+ url: "https://golang.org/dl/{{ latest_golang.stdout }}"
+ dest: /tmp/golang.tar.gz
+
+ - name: extract golang to /usr/local
+ unarchive:
+ src: /tmp/golang.tar.gz
+ dest: /usr/local
+ remote_src: yes
+
+ - name: remove tarball
+ file:
+ path: /tmp/golang.tar.gz
+ state: absent
+
+ - name: add golang to PATH
+ lineinfile:
+ path: "{{ ansible_env.HOME }}/.bashrc"
+ line: "{{ item }}"
+ create: yes
+ loop:
+ - "GOPATH={{ ansible_env.HOME }}/go"
+ - "PATH=$PATH:/usr/local/go/bin:{{ ansible_env.HOME }}/go:{{ ansible_env.HOME }}/go/bin"
+
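Review bot: The tarball downloaded at lines 124-126 is not integrity-checked (`get_url` has no `checksum:`), and the version it fetches comes from scraping HTML at line 119 with a pipeline that has no `pipefail`, so a failed `curl` yields an empty `latest_golang.stdout` and `get_url` saves the index page as `golang.tar.gz`. Go publishes a JSON release feed with a sha256 per file; reading it with `uri` gives both the filename and the digest to pass to `checksum:`, so a truncated or tampered archive is rejected before `unarchive` writes it into `/usr/local`. This still trusts TLS to go.dev for both values, so for a real pin set a fixed `golang_version` variable rather than taking the newest release. Separately, the `.bashrc` lines at 145-146 assign `GOPATH` without `export`, so the go toolchain never sees it; `export GOPATH=…` and `export PATH=…` are what is wanted, and the `{{ ansible_env.HOME }}/go` entry on PATH looks like it was meant to be `go/bin` only.

```yaml
  - name: get latest golang release metadata
    ansible.builtin.uri:
      url: https://go.dev/dl/?mode=json
      return_content: true
    register: go_releases

  - name: pick the linux-amd64 archive of the newest stable release
    ansible.builtin.set_fact:
      go_file: "{{ go_releases.json[0].files | selectattr('os', 'equalto', 'linux') | selectattr('arch', 'equalto', 'amd64') | selectattr('kind', 'equalto', 'archive') | first }}"

  - name: download golang
    get_url:
      url: "https://go.dev/dl/{{ go_file.filename }}"
      dest: /tmp/golang.tar.gz
      checksum: "sha256:{{ go_file.sha256 }}"

  # … unchanged: extract golang to /usr/local, remove tarball …

  - name: add golang to PATH
    lineinfile:
      path: "{{ ansible_env.HOME }}/.bashrc"
      line: "{{ item }}"
      create: true
    loop:
      - "export GOPATH={{ ansible_env.HOME }}/go"
      - "export PATH=$PATH:/usr/local/go/bin:{{ ansible_env.HOME }}/go/bin"
```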
diff --git a/attackbox/tasks/harden.yaml b/attackbox/tasks/harden.yaml
new file mode 100644
index 0000000..ad55699
--- /dev/null
+++ b/attackbox/tasks/harden.yaml
@@ -0,0 +1,122 @@
+- name: fail if system is not debian/ubuntu
+ ansible.builtin.assert:
+ that: "'debian' in ansible_facts.os_family.lower() or 'ubuntu' in ansible_facts.distribution.lower()"
+ fail_msg: "this playbook supports only debian-based systems"
+
+- name: remove snap and snapd
+ apt:
+ name:
+ - snap
+ - snapd
+ state: absent
+ purge: true
+
+- name: clean apt cache
+ apt:
+ autoclean: yes
+
+- name: clear /etc/issue and /etc/motd
+ copy:
+ content: ""
+ dest: "{{ item }}"
+ loop:
+ - /etc/issue
+ - /etc/motd
+
+- name: enforce root-only cron/at
+ file:
+ path: "{{ item }}"
+ state: touch
+ owner: root
+ group: root
+ mode: '0600'
+ loop:
+ - /etc/cron.allow
+ - /etc/at.allow
+
+- name: remove deny files for cron and at
+ file:
+ path: "{{ item }}"
+ state: absent
+ loop:
+ - /etc/cron.deny
+ - /etc/at.deny
+
+- name: backup sshd_config
+ copy:
+ src: /etc/ssh/sshd_config
+ dest: "/etc/ssh/sshd_config.bak_{{ ansible_date_time.iso8601_basic }}"
+ remote_src: yes
+
+- name: harden sshd_config
+ copy:
+ dest: /etc/ssh/sshd_config
+ content: |
+ Port 22
+ Banner /etc/issue
+ UsePAM yes
+ Protocol 2
+ Subsystem sftp /usr/libexec/openssh/sftp-server
+ LogLevel quiet
+ PrintMotd no
+ AcceptEnv LANG LC_*
+ MaxSessions 5
+ StrictModes yes
+ Compression no
+ MaxAuthTries 3
+ IgnoreRhosts yes
+ PrintLastLog yes
+ AddressFamily inet
+ X11Forwarding no
+ PermitRootLogin yes
+ AllowTcpForwarding no
+ ClientAliveInterval 1200
+ AllowAgentForwarding no
+ PermitEmptyPasswords no
+ ClientAliveCountMax 0
+ GSSAPIAuthentication no
+ KerberosAuthentication no
+ IgnoreUserKnownHosts yes
+ PermitUserEnvironment no
+ ChallengeResponseAuthentication no
+ MACs hmac-sha2-512,hmac-sha2-256
+ Ciphers aes128-ctr,aes192-ctr,aes256-ctr
+
+- name: regenerate SSH host keys
+ shell: |
+ rm -f /etc/ssh/ssh_host_*key*
+ ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
+ ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
+ args:
+ creates: /etc/ssh/ssh_host_ed25519_key
+
+- name: enable unattended-upgrades
+ shell: dpkg-reconfigure --priority=low unattended-upgrades
+ args:
+ creates: /etc/apt/apt.conf.d/50unattended-upgrades
+
+- name: enable unattended-upgrades service
+ systemd:
+ name: unattended-upgrades
+ enabled: true
+ state: started
+
+- name: disable ipv6 in grub
+ lineinfile:
+ path: /etc/default/grub
+ regexp: '^GRUB_CMDLINE_LINUX='
+ line: 'GRUB_CMDLINE_LINUX="ipv6.disable=1"'
+ notify: update grub
+
+- name: allow ssh port and enable ufw
+ ufw:
+ rule: allow
+ port: 22
+ proto: tcp
+
+- name: enable ufw
+ ufw:
+ state: enabled
+ policy: deny
+
+
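Review bot: The sshd config written at lines 204-236 sets `PermitRootLogin yes` and never sets `PasswordAuthentication no`, so password logins as root stay enabled in a task named "harden", and `LogLevel quiet` suppresses the authentication logging any later investigation would rely on. The file is also written without `validate:` and nothing restarts sshd, so a typo locks the next session out only after a reboot, and a correct change is not applied until then either (the `notify` target would be a handler defined outside this file, as `update grub` at line 262 already is; the unit is `ssh` on Debian/Ubuntu). The host-key task at lines 238-244 is a no-op on a stock Debian/Ubuntu install because `creates: /etc/ssh/ssh_host_ed25519_key` already exists before the `rm -f` runs; drop `creates:` and gate it on a variable or a `stat` result if regeneration is really wanted. Worth checking as well: `Subsystem sftp /usr/libexec/openssh/sftp-server` is the RHEL path while Debian 12/Ubuntu 22.04 ship `/usr/lib/openssh/sftp-server`, `ClientAliveCountMax 0` disables the keep-alive disconnect entirely on current OpenSSH rather than making it strict, and `line: 'GRUB_CMDLINE_LINUX="ipv6.disable=1"'` at line 261 replaces any existing kernel parameters instead of appending to them.

```yaml
- name: harden sshd_config
  copy:
    dest: /etc/ssh/sshd_config
    validate: '/usr/sbin/sshd -t -f %s'
    content: |
      # … unchanged: Port, Banner, UsePAM, Protocol, Subsystem …
      LogLevel INFO
      # … unchanged …
      PermitRootLogin prohibit-password
      PasswordAuthentication no
      # … unchanged: remaining directives …
  notify: restart ssh
```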