From 0c3c602b5ea907277eecaa87228d108d557559c6 Mon Sep 17 00:00:00 2001
From: Josh Lay
Date: Mon, 5 Apr 2021 00:21:25 -0500
Subject: [PATCH] hardening: add SELinux for CentOS/Fedora, firewall, and custom SSH port
---
 roles/hardening/tasks/main.yml | 55 ++++++++++++++++++++++------------
 1 file changed, 36 insertions(+), 19 deletions(-)
diff --git a/roles/hardening/tasks/main.yml b/roles/hardening/tasks/main.yml
index ee22bd3..ef53844 100644
--- a/roles/hardening/tasks/main.yml
+++ b/roles/hardening/tasks/main.yml
@@ -1,27 +1,21 @@
 ---
-#- name: Disallow root SSH access
-# lineinfile:
-# dest: /etc/ssh/sshd_config
-# regexp: "^PermitRootLogin"
-# line: "PermitRootLogin no"
-# state: present
-# notify: Restart ssh
+- name: include SELinux package tasks for EL (CentOS/RHEL)
+ include_tasks: centos-selinux.yml
+ when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat"])
-# untested on debian/ubuntu
-- name: disable services
+- name: include SELinux package tasks for Fedora (non-atomic)
+ include_tasks: fedora-selinux.yml
+ when: (ansible_distribution in ["Fedora"] and not is_atomic)
+
+# likely to break on non-RHEL/derivatives, could use improvement.
+- name: enable firewalld
 service:
- name: "{{ item }}"
- state: stopped
- enabled: no
- with_items:
- - postfix
- - rpcbind
- - rsyncd.service
- - rsyncd.socket
- ignore_errors: true
+ name: firewalld
+ state: started
+ enabled: yes
-- name: disable password auth
+- name: SSH - disable password auth
 lineinfile:
 dest: /etc/ssh/sshd_config
 regexp: "^PasswordAuthentication"
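Review bot: The Fedora include's `when` dereferences `is_atomic` without a default, so on any host where that variable is not set the condition itself errors and the play stops before the SSH hardening tasks run; `when: (ansible_distribution in ["Fedora"] and not (is_atomic | default(false)))` keeps the same intent and degrades safely. The `enable firewalld` task has no guard at all and runs on every distribution the role touches, which the preceding comment already admits; conditioning it on `ansible_os_family == "RedHat"` (or on the firewalld package being present) would make the failure mode explicit instead of a mid-play abort. Starting firewalld here opens only the default zone, which still allows the stock `ssh` service on port 22; once sshd is moved to 1181 later in this patch, port 22 stays allowed in the firewall although nothing listens there, so consider removing the `ssh` service from the zone to keep the ruleset consistent with the daemon. Minor: `enabled: yes` is a YAML 1.1 boolean; `enabled: true` is the portable spelling.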
@@ -29,4 +23,27 @@
 state: present
 notify: restart sshd
+- name: SSH - config port 1181
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^Port '
+ line: 'Port 1181'
+ insertbefore: "(^|#)AddressFamily.*"
+ validate: '/usr/sbin/sshd -t -f %s'
+ notify: restart sshd
+- name: allow custom SSH port in selinux
+ seport:
+ ports: 1181
+ proto: tcp
+ setype: ssh_port_t
+ state: present
+ when: (ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled')
+
+# also likely to break on non-RHEL/derivatives, could use improvement too.
+- name: allow custom SSH port in firewalld
+ firewalld:
+ port: 1181/tcp
+ permanent: yes
+ immediate: yes
+ state: enabled
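Review bot: The order of the three new tasks creates a lockout window: `Port 1181` is written to sshd_config (validated, with a deferred `restart sshd` handler) before the SELinux and firewalld allowances exist, and if the unguarded `allow custom SSH port in firewalld` task fails, which the comment itself says is likely off RHEL derivatives, the play aborts, handlers never run, and the next sshd restart moves the daemon to a port that neither the firewall nor the SELinux policy permits. Moving the seport and firewalld tasks ahead of the lineinfile change (or adding `meta: flush_handlers` only after both have succeeded) keeps the host reachable at every intermediate state. The port number 1181 is repeated in three tasks; a role default such as `ssh_port: 1181` referenced as `line: 'Port {{ ssh_port }}'`, `ports: "{{ ssh_port }}"` and `port: "{{ ssh_port }}/tcp"` keeps them from drifting apart. Once the handler fires, any later play in the same run needs `ansible_port: 1181` for this host or the controller itself loses access, which is worth documenting alongside the role.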