path: root/attackbox/tasks/harden.yaml
- name: fail if system is not debian/ubuntu
  # Guard for everything that follows: the later tasks use apt, ufw and
  # Debian-specific paths. Ubuntu normally reports os_family "Debian", so the
  # first test usually covers both; the distribution test is the fallback.
  ansible.builtin.assert:
    that:
      - "'debian' in ansible_facts.os_family.lower() or 'ubuntu' in ansible_facts.distribution.lower()"
    fail_msg: "this playbook supports only debian-based systems"

- name: remove snap and snapd
  # Purge snapd so the box does not carry a second, self-updating package
  # channel; both package names from the original list are removed.
  # NOTE(review): nothing here prevents apt from pulling snapd back in as a
  # dependency later; a dpkg hold is not applied in this file.
  ansible.builtin.apt:
    state: absent
    purge: true
    name:
      - snap
      - snapd

- name: clean apt cache
  # Equivalent of `apt-get autoclean`: drop cached .deb files for packages that
  # are no longer downloadable.
  ansible.builtin.apt:
    autoclean: true

- name: clear /etc/issue and /etc/motd
  # Blank the pre-login and post-login banners so no OS/version hint is shown.
  # /etc/issue is also the `Banner` target in the sshd_config written later in
  # this file, so the SSH pre-auth banner becomes empty as well.
  ansible.builtin.copy:
    dest: "{{ item }}"
    content: ""
  loop:
    - /etc/issue
    - /etc/motd

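- name: enforce root-only cron/at
  # An existing but empty /etc/cron.allow and /etc/at.allow restricts crontab
  # and at to the superuser (who is not subject to the allow list on Debian's
  # cron/at). Mode 0600 keeps the list itself unreadable to other users.
  # state=touch bumps atime/mtime on every run, which makes the task report
  # "changed" forever; preserving both timestamps keeps the task idempotent
  # while still creating the file when it is missing.
  ansible.builtin.file:
    path: "{{ item }}"
    state: touch
    owner: root
    group: root
    mode: '0600'
    access_time: preserve
    modification_time: preserve
  loop:
    - /etc/cron.allow
    - /etc/at.allow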

- name: remove deny files for cron and at
  # With an allow list in place the deny lists are redundant; dropping them
  # avoids an ambiguous allow+deny configuration.
  ansible.builtin.file:
    state: absent
    path: "{{ item }}"
  loop:
    - /etc/cron.deny
    - /etc/at.deny

- name: backup sshd_config
  # Keep a timestamped copy of the daemon config on the host before it is
  # replaced by the next task.
  # NOTE(review): the destination name contains the run timestamp, so every
  # play adds another backup file; `backup: true` on the copy task that
  # rewrites sshd_config would be the idempotent alternative.
  ansible.builtin.copy:
    remote_src: true
    src: /etc/ssh/sshd_config
    dest: "/etc/ssh/sshd_config.bak_{{ ansible_date_time.iso8601_basic }}"

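- name: harden sshd_config
  # Replace the whole daemon config with a fixed policy. `validate` runs
  # `sshd -t` against the temporary copy before it is moved into place, so a
  # syntax error cannot leave the host without a startable sshd; 0600 keeps
  # the policy readable by root only.
  # NOTE(review): sshd only applies this after a reload/restart; no handler
  # for that is notified in this file.
  # NOTE(review): `PermitRootLogin yes` with PasswordAuthentication left at
  # its default (yes) permits password logins as root, and `LogLevel quiet`
  # suppresses the auth logging that detection relies on. Both are kept as-is
  # because they may be intentional for this box; `PermitRootLogin
  # prohibit-password`, `PasswordAuthentication no` and `LogLevel VERBOSE`
  # are the usual hardening values.
  # NOTE(review): the sftp-server path below is the RHEL-family location;
  # Debian/Ubuntu usually ship /usr/lib/openssh/sftp-server, and
  # `Subsystem sftp internal-sftp` avoids the path dependency — confirm on
  # the target.
  # NOTE(review): on OpenSSH 8.2+ `ClientAliveCountMax 0` disables idle
  # termination instead of enforcing it — confirm the intended behaviour.
  ansible.builtin.copy:
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: '0600'
    validate: '/usr/sbin/sshd -t -f %s'
    content: |
      Port 22
      Banner /etc/issue
      UsePAM yes
      Protocol 2
      Subsystem sftp /usr/libexec/openssh/sftp-server
      LogLevel quiet
      PrintMotd no
      AcceptEnv LANG LC_*
      MaxSessions 5
      StrictModes yes
      Compression no
      MaxAuthTries 3
      IgnoreRhosts yes
      PrintLastLog yes
      AddressFamily inet
      X11Forwarding no
      PermitRootLogin yes
      AllowTcpForwarding no
      ClientAliveInterval 1200
      AllowAgentForwarding no
      PermitEmptyPasswords no
      ClientAliveCountMax 0
      GSSAPIAuthentication no
      KerberosAuthentication no
      IgnoreUserKnownHosts yes
      PermitUserEnvironment no
      ChallengeResponseAuthentication no
      MACs hmac-sha2-512,hmac-sha2-256
      Ciphers aes128-ctr,aes192-ctr,aes256-ctr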

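- name: regenerate SSH host keys
  # One-shot key rotation (e.g. for hosts built from a shared image). On a
  # stock Debian/Ubuntu install /etc/ssh/ssh_host_ed25519_key already exists
  # (openssh-server generates it on install), so `creates:` on that path is
  # satisfied immediately and the keys were never regenerated. A marker file
  # written only after both ssh-keygen calls succeed is used instead;
  # `set -e` makes a failed keygen abort before the marker is written.
  # The marker path is a reviewer-chosen placeholder — adjust to the
  # project's convention.
  # NOTE(review): the first run after this change rotates keys on hosts that
  # already had them; clients will see a changed host key fingerprint.
  # NOTE(review): sshd serves the new keys only after a restart; no handler
  # for that is notified in this file.
  ansible.builtin.shell: |
    set -e
    rm -f /etc/ssh/ssh_host_*key*
    ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
    ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
    touch /etc/ssh/.host_keys_regenerated
  args:
    creates: /etc/ssh/.host_keys_regenerated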

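- name: enable unattended-upgrades
  # `dpkg-reconfigure unattended-upgrades` writes /etc/apt/apt.conf.d/20auto-upgrades;
  # 50unattended-upgrades is a conffile shipped by the package itself, so a
  # `creates:` on it is satisfied as soon as the package is installed and the
  # reconfigure step never ran. Writing 20auto-upgrades directly is the
  # idempotent equivalent and does not depend on debconf having a tty.
  # Assumes the unattended-upgrades package is already installed (not done in
  # this file) — the next task's systemd call would fail otherwise.
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    owner: root
    group: root
    mode: '0644'
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";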

- name: enable unattended-upgrades service
  # Make sure the service is running now and comes back at boot.
  ansible.builtin.systemd:
    name: unattended-upgrades
    state: started
    enabled: true

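- name: disable ipv6 in grub
  # Append ipv6.disable=1 to the existing GRUB_CMDLINE_LINUX value instead of
  # overwriting the whole line, so kernel parameters already present (serial
  # console, cgroup settings, ...) survive. The negative lookahead makes the
  # edit idempotent: a line that already carries the parameter does not match
  # and is left untouched.
  # Assumes /etc/default/grub already has a GRUB_CMDLINE_LINUX="..." line
  # (stock Debian/Ubuntu do); with backrefs the module inserts nothing when
  # the line is absent — TODO confirm for custom images.
  # Takes effect only after the `update grub` handler and a reboot.
  ansible.builtin.lineinfile:
    path: /etc/default/grub
    regexp: '^GRUB_CMDLINE_LINUX="(?!.*ipv6\.disable=1)(.*)"$'
    line: 'GRUB_CMDLINE_LINUX="\1 ipv6.disable=1"'
    backrefs: true
  notify: update grub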

- name: allow ssh port and enable ufw
  # Add the SSH allow rule before the firewall is switched on (next task) so a
  # remote session is not cut off by the default-deny policy.
  # The port repeats the `Port 22` from the sshd_config content above; keep
  # the two in sync.
  ufw:
    rule: allow
    proto: tcp
    port: '22'

- name: enable ufw
  # Turn the firewall on with a default-deny policy; only rules added before
  # this point (SSH) are allowed through.
  # NOTE(review): ufw logging is not enabled here; `logging: 'on'` would
  # record blocked connections for later review.
  ufw:
    policy: deny
    state: enabled