diff options
Diffstat (limited to 'old/sliver-c2/tasks/harden.yaml')
| -rw-r--r-- | old/sliver-c2/tasks/harden.yaml | 144 |
1 files changed, 0 insertions, 144 deletions
diff --git a/old/sliver-c2/tasks/harden.yaml b/old/sliver-c2/tasks/harden.yaml deleted file mode 100644 index ec09ea2..0000000 --- a/old/sliver-c2/tasks/harden.yaml +++ /dev/null @@ -1,144 +0,0 @@ -- name: fail if system is not debian/ubuntu - ansible.builtin.assert: - that: "'debian' in ansible_facts.os_family.lower() or 'ubuntu' in ansible_facts.distribution.lower()" - fail_msg: "this playbook supports only debian-based systems" - -- name: remove snap and snapd - apt: - name: - - snap - - snapd - state: absent - purge: true - -- name: clean apt cache - apt: - autoclean: true - -- name: clear /etc/issue and /etc/motd - copy: - content: "" - dest: "{{ item }}" - loop: - - /etc/issue - - /etc/motd - -- name: check if /etc/update-motd.d directory exists - stat: - path: /etc/update-motd.d - register: motd_dir - -- name: find files in /etc/update-motd.d - find: - paths: /etc/update-motd.d - file_type: file - register: motd_files - when: motd_dir.stat.exists - -- name: remove execute permissions from all files in /etc/update-motd.d - file: - path: "{{ item.path }}" - mode: u-x,g-x,o-x - loop: "{{ motd_files.files }}" - when: motd_dir.stat.exists - -- name: enforce root-only cron/at - file: - path: "{{ item }}" - state: touch - owner: root - group: root - mode: '0600' - loop: - - /etc/cron.allow - - /etc/at.allow - -- name: remove deny files for cron and at - file: - path: "{{ item }}" - state: absent - loop: - - /etc/cron.deny - - /etc/at.deny - -- name: backup sshd_config - copy: - src: /etc/ssh/sshd_config - dest: "/etc/ssh/sshd_config.bak_{{ ansible_date_time.iso8601_basic }}" - remote_src: yes - -- name: harden sshd_config - copy: - dest: /etc/ssh/sshd_config - content: | - Port 22 - Banner /etc/issue - UsePAM yes - Protocol 2 - Subsystem sftp /usr/lib/openssh/sftp-server - LogLevel verbose - PrintMotd no - AcceptEnv LANG LC_* - MaxSessions 5 - StrictModes yes - Compression no - MaxAuthTries 3 - IgnoreRhosts yes - PrintLastLog yes - AddressFamily inet - X11Forwarding no - PermitRootLogin yes - AllowTcpForwarding no - ClientAliveInterval 1200 - AllowAgentForwarding no - PermitEmptyPasswords no - ClientAliveCountMax 0 - GSSAPIAuthentication no - KerberosAuthentication no - IgnoreUserKnownHosts yes - PermitUserEnvironment no - ChallengeResponseAuthentication no - MACs hmac-sha2-512,hmac-sha2-256 - Ciphers aes128-ctr,aes192-ctr,aes256-ctr - -- name: regenerate SSH host keys - shell: | - rm -f /etc/ssh/ssh_host_*key* - ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" - ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" - args: - creates: /etc/ssh/ssh_host_ed25519_key - notify: restart ssh - -- name: enable unattended-upgrades - shell: dpkg-reconfigure --priority=low unattended-upgrades - args: - creates: /etc/apt/apt.conf.d/50unattended-upgrades - notify: restart unattended-upgrades - -- name: disable ipv6 in grub - lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="ipv6.disable=1"' - notify: update grub - -- name: allow ssh port and enable ufw - ufw: - rule: allow - port: 22 - proto: tcp - notify: - - reload ufw - - restart ufw - -- name: deploy custom fail2ban jail.local - template: - src: templates/jail.local.j2 - dest: /etc/fail2ban/jail.local - owner: root - group: root - mode: '0644' - notify: - - restart fail2ban - - reload fail2ban |