hardening: add SELinux for CentOS/Fedora, firewall, and custom SSH port

This commit is contained in:
Josh Lay 2021-04-05 00:21:25 -05:00
parent c9bfb20e2a
commit 0c3c602b5e


@ -1,27 +1,21 @@
--- ---
#- name: Disallow root SSH access
# lineinfile:
# dest: /etc/ssh/sshd_config
# regexp: "^PermitRootLogin"
# line: "PermitRootLogin no"
# state: present
# notify: Restart ssh
- name: include SELinux package tasks for EL (CentOS/RHEL)
include_tasks: centos-selinux.yml
when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat"])
# untested on debian/ubuntu - name: include SELinux package tasks for Fedora (non-atomic)
- name: disable services include_tasks: fedora-selinux.yml
when: (ansible_distribution in ["Fedora"] and not is_atomic)
# likely to break on non-RHEL/derivatives, could use improvement.
- name: enable firewalld
service: service:
name: "{{ item }}" name: firewalld
state: stopped state: started
enabled: no enabled: yes
with_items:
- postfix
- rpcbind
- rsyncd.service
- rsyncd.socket
ignore_errors: true
- name: disable password auth - name: SSH - disable password auth
lineinfile: lineinfile:
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: "^PasswordAuthentication" regexp: "^PasswordAuthentication"
@ -29,4 +23,27 @@
state: present state: present
notify: restart sshd notify: restart sshd
- name: SSH - config port 1181
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^Port '
line: 'Port 1181'
insertbefore: "(^|#)AddressFamily.*"
validate: '/usr/sbin/sshd -t -f %s'
notify: restart sshd
- name: allow custom SSH port in selinux
seport:
ports: 1181
proto: tcp
setype: ssh_port_t
state: present
when: (ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled')
# also likely to break on non-RHEL/derivatives, could use improvement too.
- name: allow custom SSH port in firewalld
firewalld:
port: 1181/tcp
permanent: yes
immediate: yes
state: enabled
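Review bot: The custom port 1181 is hard-coded three times (the sshd `line: 'Port 1181'`, the seport `ports: 1181`, and the firewalld `port: 1181/tcp`), and any drift between them leaves sshd listening on a port that SELinux or firewalld still blocks once the `restart sshd` handler fires, locking the host out. Move it to a single variable and reference it as `line: "Port {{ ssh_port }}"`, `ports: "{{ ssh_port }}"` and `port: "{{ ssh_port }}/tcp"`. The `validate: '/usr/sbin/sshd -t -f %s'` guard on the port task is absent from the `PasswordAuthentication` lineinfile above it (that task starts in the previous hunk), so a bad edit there is only caught by the restart itself. The firewalld task also has no `when` guard, unlike the seport task, so it fails outright on hosts without firewalld, which the comment on the preceding line already acknowledges; a guard such as `when: ansible_os_family == "RedHat"` would match the SELinux include conditions, and the `yes` values in this hunk should be written as `true` to avoid YAML 1.1/1.2 truthy ambiguity.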