From 0c3c602b5ea907277eecaa87228d108d557559c6 Mon Sep 17 00:00:00 2001 From: Josh Lay Date: Mon, 5 Apr 2021 00:21:25 -0500 Subject: [PATCH 01/10] hardening: add SELinux for CentOS/Fedora, firewall, and custom SSH port --- roles/hardening/tasks/main.yml | 55 ++++++++++++++++++++++------------ 1 file changed, 36 insertions(+), 19 deletions(-) diff --git a/roles/hardening/tasks/main.yml b/roles/hardening/tasks/main.yml index ee22bd3..ef53844 100644 --- a/roles/hardening/tasks/main.yml +++ b/roles/hardening/tasks/main.yml @@ -1,27 +1,21 @@ --- -#- name: Disallow root SSH access -# lineinfile: -# dest: /etc/ssh/sshd_config -# regexp: "^PermitRootLogin" -# line: "PermitRootLogin no" -# state: present -# notify: Restart ssh +- name: include SELinux package tasks for EL (CentOS/RHEL) + include_tasks: centos-selinux.yml + when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat"]) -# untested on debian/ubuntu -- name: disable services +- name: include SELinux package tasks for Fedora (non-atomic) + include_tasks: fedora-selinux.yml + when: (ansible_distribution in ["Fedora"] and not is_atomic) + +# likely to break on non-RHEL/derivatives, could use improvement. +- name: enable firewalld service: - name: "{{ item }}" - state: stopped - enabled: no - with_items: - - postfix - - rpcbind - - rsyncd.service - - rsyncd.socket - ignore_errors: true + name: firewalld + state: started + enabled: yes -- name: disable password auth +- name: SSH - disable password auth lineinfile: dest: /etc/ssh/sshd_config regexp: "^PasswordAuthentication" 
@@ -29,4 +23,27 @@ state: present notify: restart sshd +- name: SSH - config port 1181 + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^Port ' + line: 'Port 1181' + insertbefore: "(^|#)AddressFamily.*" + validate: '/usr/sbin/sshd -t -f %s' + notify: restart sshd +- name: allow custom SSH port in selinux + seport: + ports: 1181 + proto: tcp + setype: ssh_port_t + state: present + when: (ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled') + +# also likely to break on non-RHEL/derivatives, could use improvement too. +- name: allow custom SSH port in firewalld + firewalld: + port: 1181/tcp + permanent: yes + immediate: yes + state: enabled From 877cff8d0c7707b8675ca32ed4f372be28dddce9 Mon Sep 17 00:00:00 2001 From: Josh Lay Date: Mon, 5 Apr 2021 00:21:54 -0500 Subject: [PATCH 02/10] hardening: +centos/fedora task files --- roles/hardening/tasks/centos-selinux.yml | 13 +++++++++++++ roles/hardening/tasks/fedora-selinux.yml | 13 +++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 roles/hardening/tasks/centos-selinux.yml create mode 100644 roles/hardening/tasks/fedora-selinux.yml diff --git a/roles/hardening/tasks/centos-selinux.yml b/roles/hardening/tasks/centos-selinux.yml new file mode 100644 index 000000000..2b3a4e2 --- /dev/null +++ b/roles/hardening/tasks/centos-selinux.yml @@ -0,0 +1,13 @@ +--- + +- name: Install required dependency libsemanage-python + yum: + name: libsemanage-python + state: latest + when: (ansible_distribution_major_version is version('7', '=')) + +- name: Install required dependency python3-policycoreutils + dnf: + name: python3-policycoreutils + state: latest + when: (ansible_distribution_major_version is version('8', '>=')) diff --git a/roles/hardening/tasks/fedora-selinux.yml b/roles/hardening/tasks/fedora-selinux.yml new file mode 100644 index 000000000..6a91c6e --- /dev/null +++ b/roles/hardening/tasks/fedora-selinux.yml 
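Review bot: Deleting the `disable services` task removes the stopping and disabling of postfix, rpcbind and rsyncd with no replacement in this hunk, so the hardening role now leaves those services untouched; patch 05 later adds `BAD_SERVICES` in roles/hardening/defaults/main.yml, but nothing in the series consumes it. If the deletion was meant as a refactor rather than a removal, the task should come back as `loop: "{{ BAD_SERVICES }}"` over `service: name: "{{ item }}", state: stopped, enabled: false`. The new EL include also runs without the `not is_atomic` guard that the Fedora include has, which looks unintentional. Finally, `enabled: yes` on the firewalld task should be `enabled: true` (yamllint truthy).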
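Review bot: The SSH port `1181` is hard-coded three times in this hunk (the `lineinfile` line, the `seport` ports and the `firewalld` port), so changing it means editing three tasks and the SELinux and firewall entries can silently drift from sshd_config; define `ssh_port: 1181` once in the role defaults and reference it as `line: 'Port {{ ssh_port }}'`, `ports: "{{ ssh_port }}"` and `port: "{{ ssh_port }}/tcp"`. The firewalld task admits the new port but nothing removes the stock `ssh` service from the zone, so if the active zone allows it (firewalld's default public zone does) port 22 stays reachable; a `firewalld: service: ssh, state: disabled, permanent: true, immediate: true` task in a later play, after the handler has restarted sshd on the new port, would close it without risking lockout. `permanent: yes` / `immediate: yes` should also be `true`.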
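Review bot: Both dependency tasks use `state: latest`, which upgrades the package on every run and reports `changed` even when the dependency was already satisfied; for a prerequisite that only has to exist, `state: present` is the idempotent choice. The same applies to the two tasks in the new roles/hardening/tasks/fedora-selinux.yml added by this patch.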
@@ -0,0 +1,13 @@ +--- + +- name: Install required dependency python3-libsemanage + dnf: + name: python3-libsemanage + state: latest + when: (ansible_distribution_major_version is version('31', '>=')) + +- name: Install required dependency libsemanage-python + dnf: + name: libsemanage-python + state: latest + when: (ansible_distribution_major_version is version('30', '<=')) From f931d40998a0450feea50e6cf673f9fa2c3dd597 Mon Sep 17 00:00:00 2001 From: Josh Lay Date: Mon, 5 Apr 2021 00:22:20 -0500 Subject: [PATCH 03/10] install-packages: +mosh and ioping --- roles/install-packages/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/install-packages/defaults/main.yml b/roles/install-packages/defaults/main.yml index 6dd9710..3369ece 100644 --- a/roles/install-packages/defaults/main.yml +++ b/roles/install-packages/defaults/main.yml @@ -12,6 +12,7 @@ COMMON_PKGS: - rsync - lsof - firewalld + - mosh EL_PKGS: - iperf3 - nmap @@ -20,5 +21,6 @@ EL_PKGS: - psmisc # may work on deb/ubuntu also? - provides killall - wget - cockpit + - ioping DEB_PKGS: - dnsutils From ab781c6e104b6206cbc79557e91725881ecf4f1c Mon Sep 17 00:00:00 2001 From: Josh Lay Date: Mon, 5 Apr 2021 00:23:10 -0500 Subject: [PATCH 04/10] tuned: update Apt caches, custom profile on RHEL, +realtime --- roles/tuned/tasks/main.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/roles/tuned/tasks/main.yml b/roles/tuned/tasks/main.yml index 4ae643c..6428d51 100644 --- a/roles/tuned/tasks/main.yml +++ b/roles/tuned/tasks/main.yml @@ -1,5 +1,10 @@ --- +- name: update apt caches + apt: + update_cache: yes + when: (ansible_os_family in ["Debian"] ) + - name: install packages package: name: "{{ item }}" @@ -7,6 +12,7 @@ with_items: - tuned - tuned-utils + - tuned-profiles-realtime - name: start service service: 
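Review bot: `mosh` is added to `COMMON_PKGS` while patch 01 in this same series starts and enables firewalld on hardened hosts, yet no rule admits mosh's UDP port range, so a client will authenticate over SSH and then hang waiting for the UDP session. If mosh is meant to be usable through the firewall, the hardening role needs a matching `firewalld: service: mosh, permanent: true, immediate: true, state: enabled` task (firewalld ships a `mosh` service definition); if not, a short comment next to the entry saying the range is intentionally closed would save the next reader the debugging.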
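Review bot: `update_cache: yes` without `cache_valid_time` refreshes the apt index on every run, so the task reports changed each time and slows every play on Debian hosts; adding `cache_valid_time: 3600` lets it skip when the cache is recent. The `when` clause `(ansible_os_family in ["Debian"] )` has a stray space before the closing parenthesis and a one-element list where `ansible_os_family == "Debian"` says the same thing directly. `yes` should also be `true` to satisfy yamllint's truthy rule.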
@@ -22,4 +28,4 @@ - name: deploy {{ tuned_custom_profile }} based on {{ tuned_base_profile }} include: configure-custom-profile.yml - when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "Fedora" ] and not is_atomic) + when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ] and not is_atomic) From 1d0a47541c10c0058e752824260b7dc03ca0fe1f Mon Sep 17 00:00:00 2001 From: Josh Lay Date: Mon, 5 Apr 2021 00:23:43 -0500 Subject: [PATCH 05/10] hardening: defaults, bad/unwanted services --- roles/hardening/defaults/main.yml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 roles/hardening/defaults/main.yml diff --git a/roles/hardening/defaults/main.yml b/roles/hardening/defaults/main.yml new file mode 100644 index 000000000..499477d --- /dev/null +++ b/roles/hardening/defaults/main.yml @@ -0,0 +1,7 @@ +--- + +BAD_SERVICES: + - postfix + - rpcbind + - rsyncd.service + - rsyncd.socket From 52b3031fb8e458f9dafa587ceefae95580b11594 Mon Sep 17 00:00:00 2001 From: Josh Lay Date: Mon, 5 Apr 2021 00:24:23 -0500 Subject: [PATCH 06/10] zfs: add RedHat OS variation to condition --- roles/zfs/defaults/main.yml | 4 ++++ roles/zfs/tasks/main.yml | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/zfs/defaults/main.yml b/roles/zfs/defaults/main.yml index 1be7c4d..3c0c98c 100644 --- a/roles/zfs/defaults/main.yml +++ b/roles/zfs/defaults/main.yml @@ -6,6 +6,10 @@ EL_ZFS_PKGS: - kernel-devel - "@Development tools" - dkms + - libuuid-devel + - libblkid-devel + - libtirpc-devel + - openssl-devel - zfs UBUNTU_ZFS_PKGS: - zfsutils-linux diff --git a/roles/zfs/tasks/main.yml b/roles/zfs/tasks/main.yml index e975e34..0fb926c 100644 --- a/roles/zfs/tasks/main.yml +++ b/roles/zfs/tasks/main.yml 
@@ -2,7 +2,7 @@ - name: include zfs-release tasks (CentOS/RHEL/Fedora) include_tasks: zfs-release.yml - when: ('zfs-release' not in ansible_facts.packages) and (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "Fedora" ]) + when: ('zfs-release' not in ansible_facts.packages) and (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ]) - name: include zfs installation tasks (Ubuntu) include_tasks: ubuntu.yml @@ -10,7 +10,7 @@ - name: include zfs installation tasks (CentOS/RHEL/Fedora) include_tasks: el.yml - when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "Fedora" ] and not is_atomic) + when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat", "Fedora" ] and not is_atomic) - name: load zfs module modprobe: From 00000000e2b31a6e295713a1a5972aac3dd8e32a Mon Sep 17 00:00:00 2001 From: Josh Lay Date: Fri, 9 Jul 2021 20:35:14 -0500 Subject: [PATCH 07/10] bootstrap: install updates w/ dnf-automatic --- roles/bootstrap/tasks/dnf.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/bootstrap/tasks/dnf.yml b/roles/bootstrap/tasks/dnf.yml index 48fbca9..f8ecaeb 100644 --- a/roles/bootstrap/tasks/dnf.yml +++ b/roles/bootstrap/tasks/dnf.yml @@ -19,6 +19,7 @@ with_items: - { regexp: '^upgrade_type.=', line: 'upgrade_type = security' } - { regexp: '^emit_via.=', line: 'emit_via = stdio' } + - { regexp: '^apply_updates.=', line: 'apply_updates = yes' } - name: enable dnf-automatic timer systemd: From 000000084fc9ae299b211cee15fc945d8f3cae78 Mon Sep 17 00:00:00 2001 From: Josh Lay Date: Sun, 11 Jul 2021 12:50:24 -0500 Subject: [PATCH 08/10] tuned: don't look for 'tuned-profiles-realtime' pkg --- roles/tuned/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/tuned/tasks/main.yml b/roles/tuned/tasks/main.yml index 6428d51..62b1542 100644 --- a/roles/tuned/tasks/main.yml +++ b/roles/tuned/tasks/main.yml 
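Review bot: Setting `apply_updates = yes` installs security updates unattended, but dnf-automatic does not restart affected services or reboot, so a patched kernel, glibc or openssl is not in use until something else does; a comment on this line stating that expectation, or a reboot policy alongside it, would make the intent explicit (newer dnf-automatic exposes a `reboot` option — confirm it exists on the targeted releases before relying on it). The regexp `'^apply_updates.='` follows the two existing entries in matching exactly one character before `=`, so a stock `apply_updates=no` with no space would not be matched and a second key would be appended; `'^apply_updates\s*='` covers both spellings.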
@@ -12,7 +12,7 @@ with_items: - tuned - tuned-utils - - tuned-profiles-realtime +# - tuned-profiles-realtime # only on Fedora? not on centos 8 stream - name: start service service: From f1ed88a6a82b3d6c18166f63b598c2a1add88421 Mon Sep 17 00:00:00 2001 From: Josh Lay Date: Mon, 28 Feb 2022 20:36:13 -0600 Subject: [PATCH 09/10] dnf-automatic: +emit via motd, escalate privs during config --- roles/bootstrap/tasks/dnf.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/bootstrap/tasks/dnf.yml b/roles/bootstrap/tasks/dnf.yml index f8ecaeb..6db3cde 100644 --- a/roles/bootstrap/tasks/dnf.yml +++ b/roles/bootstrap/tasks/dnf.yml @@ -11,6 +11,7 @@ state: present - name: configure dnf-automatic + become: true lineinfile: path: /etc/dnf/automatic.conf state: present @@ -18,7 +19,7 @@ line: "{{ item.line }}" with_items: - { regexp: '^upgrade_type.=', line: 'upgrade_type = security' } - - { regexp: '^emit_via.=', line: 'emit_via = stdio' } + - { regexp: '^emit_via.=', line: 'emit_via = stdio,motd' } - { regexp: '^apply_updates.=', line: 'apply_updates = yes' } - name: enable dnf-automatic timer From dc0781b13b68ea5c7d3853ee89ec57b44d0c8db7 Mon Sep 17 00:00:00 2001 From: Josh Lay Date: Mon, 28 Feb 2022 20:44:45 -0600 Subject: [PATCH 10/10] fedora-upgrade: support f35, drop f31/f32 support --- roles/fedora-upgrade/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/fedora-upgrade/defaults/main.yml b/roles/fedora-upgrade/defaults/main.yml index e15753b..e57fbbd 100644 --- a/roles/fedora-upgrade/defaults/main.yml +++ b/roles/fedora-upgrade/defaults/main.yml @@ -1,4 +1,4 @@ --- -fedora_latest: 33 -fedora_minimum: 31 +fedora_latest: 35 +fedora_minimum: 33 fedora_target: "{{ fedora_latest|int }}"
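Review bot: `become: true` is added only to the `configure dnf-automatic` task, but the install task above and the `enable dnf-automatic timer` task below (both partly outside this hunk) also need root, so either the play already escalates and this line is redundant, or those tasks fail the same way and need it too; escalating at play or role level would be consistent. The `motd` emitter writes the update report to /etc/motd on each run, so any other content this repository places in motd is likely to be overwritten — worth a comment on that line if that is accepted, and confirm the targeted dnf-automatic builds ship that emitter.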