Encryption and major changes

This commit is contained in:
2024-09-28 23:12:19 +02:00
parent 1f060541c3
commit 6248286ad2
159 changed files with 153 additions and 129 deletions
@@ -0,0 +1,21 @@
# {{ ansible_managed }}
DSHELL=/bin/false
DHOME=/home
GROUPHOMES=no
LETTERHOMES=no
SKEL=/etc/skel
FIRST_SYSTEM_UID=100
LAST_SYSTEM_UID=999
FIRST_SYSTEM_GID=100
LAST_SYSTEM_GID=999
FIRST_UID=1000
LAST_UID=29999
FIRST_GID=1000
LAST_GID=29999
USERGROUPS=yes
USERS_GID=100
DIR_MODE=0750
SETGID_HOME=no
QUOTAUSER=""
SKEL_IGNORE_REGEX="dpkg-(old|new|dist|save)"
@@ -0,0 +1,6 @@
#!/bin/sh
if grep -sqo rdrand /proc/cpuinfo; then
echo "{ \"rdrand\" : true }"
else
echo "{ \"rdrand\" : false }"
fi
@@ -0,0 +1,39 @@
#!/bin/sh
set -u
ssh_keys() {
HOST="$(hostname -s)"
TMPFILE="$(mktemp)"
I=0
{
echo "{ \"keys\": {"
find -L /etc/ssh /home/*/.ssh /root /Users/*/.ssh \( -name '*.pub' -o -name 'authorized_keys*' \) -type f 2>/dev/null |\
while read -r SSHFILE; do
grep -vE '^#|^$' "${SSHFILE}" | while read -r SSHKEY; do
KEYINFO="$(echo "${SSHKEY}" | ssh-keygen -lf -)"
KEYSTAT="$(stat -c "%Y %U %G %u %g %a" "${SSHFILE}")"
KEYFILE="\"file\" : \"${SSHFILE}\""
KEYSIZE="\"size\" : $(echo "${KEYINFO}" | awk '{print $1}')"
KEYHASH="\"hash\" : \"$(echo "${KEYINFO}" | awk '{print $2}')\""
KEYTYPE="\"type\" : \"$(echo "${KEYINFO}" | awk '{print $NF}' | tr -d '()')\""
KEYCOMMENT="\"comment\" : \"$(echo "${KEYINFO}" | awk '{$1=$2=$NF="";print}' | sed -e "s/^ *//" -e "s/ *$//")\""
FILEMODEPOCH="\"modified_epoch\" : $(echo "${KEYSTAT}" | awk '{print $1}')"
FILEMODHUMAN="\"modified_human\" : \"$(stat -c "%y" "${SSHFILE}")\""
FILEOWNERNAME="\"user_name\" : \"$(echo "${KEYSTAT}" | awk '{print $2}')\""
FILEGROUPNAME="\"group_name\" : \"$(echo "${KEYSTAT}" | awk '{print $3}')\""
FILEOWNERID="\"user_id\" : $(echo "${KEYSTAT}" | awk '{print $4}')"
FILEGROUPID="\"group_id\" : $(echo "${KEYSTAT}" | awk '{print $5}')"
FILEPERM="\"permissions\": $(echo "${KEYSTAT}" | awk '{print $6}')"
echo "\"${HOST}_${I}\": { ${KEYFILE}, ${KEYSIZE}, ${KEYHASH}, ${KEYCOMMENT}, ${KEYTYPE}, ${FILEMODEPOCH}, ${FILEMODHUMAN}, ${FILEOWNERNAME}, ${FILEGROUPNAME}, ${FILEOWNERID}, ${FILEGROUPID}, ${FILEPERM} },"
done
I=$((I + 1))
done
echo "} }"
} > "${TMPFILE}"
grep -v '^#' "${TMPFILE}" | tr '\n' ' ' | sed 's/ }, } }/ } } }/g'
rm "${TMPFILE}"
}
ssh_keys
@@ -0,0 +1,6 @@
#!/bin/sh
if command -v systemctl 1>/dev/null; then
echo "{ \"version\" : $(systemctl --version | grep '^systemd\s' | awk '{print $2}') }"
else
echo "{ \"version\" : false }"
fi
@@ -0,0 +1,352 @@
# {{ ansible_managed }}
# Remove any existing rules
-D
# Buffer Size
-b 8192
# Report errors
-c
# Failure Mode
-f {{ auditd_mode|int }}
# File and directory access
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b32 -S open -F dir=/bin -F success=0 -k access
-a always,exit -F arch=b32 -S open -F dir=/etc -F success=0 -k access
-a always,exit -F arch=b32 -S open -F dir=/home -F success=0 -k access
-a always,exit -F arch=b32 -S open -F dir=/root -F success=0 -k access
-a always,exit -F arch=b32 -S open -F dir=/sbin -F success=0 -k access
-a always,exit -F arch=b32 -S open -F dir=/srv -F success=0 -k access
-a always,exit -F arch=b32 -S open -F dir=/tmp -F success=0 -k access
-a always,exit -F arch=b32 -S open -F dir=/usr/bin -F success=0 -k access
-a always,exit -F arch=b32 -S open -F dir=/usr/sbin -F success=0 -k access
-a always,exit -F arch=b32 -S open -F dir=/var -F success=0 -k access
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -k access
-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -k access
-a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -k access
-a always,exit -F arch=b64 -S open -F dir=/root -F success=0 -k access
-a always,exit -F arch=b64 -S open -F dir=/sbin -F success=0 -k access
-a always,exit -F arch=b64 -S open -F dir=/srv -F success=0 -k access
-a always,exit -F arch=b64 -S open -F dir=/tmp -F success=0 -k access
-a always,exit -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k access
-a always,exit -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k access
-a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -k access
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k access
-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=-1 -S execve -k actions
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=-1 -k actions
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=-1 -k actions
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k actions
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k actions
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=-1 -k actions
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=-1 -k actions
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=-1 -k actions
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=-1 -k actions
-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=-1 -S execve -k actions
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=-1 -k actions
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=-1 -k actions
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k actions
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k actions
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=-1 -k actions
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=-1 -k actions
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=-1 -k actions
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=-1 -k actions
# su and sudo
-w /bin/su -p x -k actions
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d -p wa -k actions
-w /usr/bin/sudo -p x -k actions
-a always,exit -S all -F dir=/home/ -F uid=0 -C auid!=obj_uid -k admin-user-home
# Apparmor configuration and tools
-w /etc/apparmor -p wa -k apparmor
-w /etc/apparmor.d -p wa -k apparmor
-w /sbin/apparmor_parser -p x -k apparmor-tools
-w /usr/sbin/aa-complain -p x -k apparmor-tools
-w /usr/sbin/aa-disable -p x -k apparmor-tools
-w /usr/sbin/aa-enforce -p x -k apparmor-tools
# Auditd configuration
-w /etc/audisp -p wa -k audispconfig
-w /etc/audit -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /var/log/audit -p rwxa -k auditlog
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools
# Cron
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.d -p wa -k cron
-w /etc/cron.daily -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.hourly -p wa -k cron
-w /etc/cron.monthly -p wa -k cron
-w /etc/cron.weekly -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/crontabs -p rwxa -k cron
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -k delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -k delete
# Docker configuration and tools
-a exit,always -F path=/var/lib/docker -F perm=war -k docker
-w /etc/default/docker -p rwxa -k docker
-w /etc/docker -p rwxa -k docker
-w /etc/sysconfig/docker -p rwxa -k docker
-w /etc/sysconfig/docker-network -p rwxa -k docker
-w /etc/sysconfig/docker-registry -p rwxa -k docker
-w /etc/sysconfig/docker-storage -p rwxa -k docker
-w /etc/systemd/system/docker-registry.service -p rwxa -k docker
-w /etc/systemd/system/docker.service -p rwxa -k docker
-w /lib/systemd/system/docker-registry.service -p rwxa -k docker
-w /lib/systemd/system/docker.service -p rwxa -k docker
-w /lib/systemd/system/docker.socket -p rwxa -k docker
-w /usr/bin/containerd -p rwxa -k docker
-w /usr/bin/containerd-shim -p rwxa -k docker
-w /usr/bin/containerd-shim-runc-v1 -p rwxa -k docker
-w /usr/bin/containerd-shim-runc-v2 -p rwxa -k docker
-w /usr/bin/ctr -p rwxa -k docker
-w /usr/bin/docker -p rwxa -k docker
-w /usr/bin/docker-containerd -p rwxa -k docker
-w /usr/bin/docker-containerd-ctr -p rwxa -k docker
-w /usr/bin/docker-containerd-shim -p rwxa -k docker
-w /usr/bin/docker-init -p rwxa -k docker
-w /usr/bin/docker-proxy -p rwxa -k docker
-w /usr/bin/docker-runc -p rwxa -k docker
-w /usr/bin/dockerd -p rwxa -k docker
-w /usr/bin/dockerd-ce -p rwxa -k docker
-w /usr/bin/rootlesskit -p rwxa -k docker
-w /usr/bin/rootlesskit-docker-proxy -p rwxa -k docker
-w /usr/bin/runc -p rwxa -k docker
-w /usr/lib/systemd/system/docker-registry.service -p rwxa -k docker
-w /usr/lib/systemd/system/docker.service -p rwxa -k docker
-w /usr/sbin/runc -p rwxa -k docker
-w /var/run/docker.sock -p rwxa -k docker
# Group modifications
-w /etc/group -p wa -k group-modification
-w /etc/gshadow -p wa -k group-modification
-w /etc/passwd -p wa -k group-modification
-w /etc/security/opasswd -p wa -k group-modification
-w /etc/shadow -p wa -k group-modification
-w /usr/sbin/addgroup -p x -k group-modification
-w /usr/sbin/groupadd -p x -k group-modification
-w /usr/sbin/groupmod -p x -k group-modification
# Startup scripts
-w /etc/init -p wa -k init
-w /etc/init.d -p wa -k init
-w /etc/inittab -p wa -k init
# Library lookup paths
-w /etc/ld.so.conf -p wa -k libpath
-w /etc/ld.so.conf.d/ -p wa -k libpath
# Local time
-w /etc/localtime -p wa -k localtime
# Login monitoring
-w /etc/login.defs -p wa -k login
-w /etc/securetty -p wa -k login
-w /var/log/faillog -p wa -k login
-w /var/log/lastlog -p wa -k login
-w /var/log/tallylog -p wa -k login
-w /var/run/faillock -p wa -k login
# SELinux configuration
-w /etc/selinux -p wa -k mac-policy
# Postfix configuration
-w /etc/aliases -p wa -k mail
-w /etc/postfix -p wa -k mail
# Kernel module configuration and tools
-w /etc/modprobe.conf -p wa -k modprobe
-w /etc/modprobe.d -p wa -k modprobe
-w /etc/modules -p wa -k modprobe
-a always,exit -F arch=b32 -S finit_module -k modules
-a always,exit -F arch=b32 -S init_module -k modules
-a always,exit -F arch=b64 -S finit_module -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-w /bin/kmod -p x -k modules
-w /sbin/insmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /usr/bin/kmod -p x -k modules
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
# Mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -k mounts
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -k mounts
# Network configuration
-w /etc/hosts -p wa -k network-config
-w /etc/issue -p wa -k network-config
-w /etc/issue.net -p wa -k network-config
-w /etc/netplan -p wa -k network-config
-w /etc/network -p wa -k network-config
-w /etc/sysconfig/network -p wa -k network-config
# PAM configuration
-w /etc/pam.d -p wa -k pam
-w /etc/security/limits.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam
-w /etc/security/pam_env.conf -p wa -k pam
# Password modifications
-w /usr/bin/passwd -p x -k passwd-modification
# Power state
-w /sbin/halt -p x -k power
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/shutdown -p x -k power
# Use of privileged commands
-a always,exit -F path=/bin/fusermount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/bin/ntfs-3g -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/bin/ping6 -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/sbin/pam_extrausers_chkpwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/bsd-write -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/cgclassify -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/cgexec -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/dotlockfile -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/locate -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/mlocate -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/screen -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/traceroute6.iputils -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/lib/eject/dmcrypt-get-device -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/lib/policykit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/lib/snapd/snap-confine -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/lib/x86_64-linux-gnu/utempter/utempter -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/sbin/fping -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/sbin/fping6 -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/sbin/mount.cifs -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/sbin/pam_extrausers_chkpwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/sbin/pam-tmpdir-helper -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/sbin/usernetct -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
-a always,exit -F path=/usr/sbin/vlock-main -F perm=x -F auid>=1000 -F auid!=-1 -k privileged
#
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/run/utmp -p wa -k session
# Special files
-a always,exit -F arch=b32 -S mknod,mknodat -k specialfiles
-a always,exit -F arch=b64 -S mknod,mknodat -k specialfiles
# sshd configuration
-w /etc/ssh/sshd_config -p rwxa -k sshd
-w /etc/ssh/sshd_config.d/ -p rwxa -k sshd
# Kernel modification
-w /etc/sysctl.conf -p wa -k sysctl
-w {{ sysctl_conf_dir }}/zz-hardening.conf -p wa -k sysctl
# Hostname changes
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
# systemd configuration and tools
-w /etc/systemd -p wa -k systemd
-w /lib/systemd -p wa -k systemd
-w /bin/journalctl -p x -k systemd-tools
-w /bin/systemctl -p x -k systemd-tools
# Time modification
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-w /etc/timezone -p wa -k time-changezone
# /tmp directories
-w /tmp -p wxa -k tmp
-w /var/tmp -p wxa -k tmp
# User modification
-w /usr/sbin/adduser -p x -k user-modification
-w /usr/sbin/useradd -p x -k user-modification
-w /usr/sbin/usermod -p x -k user-modification
-e 2
@@ -0,0 +1,9 @@
# {{ ansible_managed }}
CRON_DAILY_RUN="yes"
CRON_DB_UPDATE=""
DB_UPDATE_EMAIL="false"
REPORT_EMAIL="root"
APT_AUTOGEN="yes"
NICE="0"
RUN_CHECK_ON_BATTERY="false"
@@ -0,0 +1,4 @@
# {{ ansible_managed }}
SHELL=/bin/false
INACTIVE=30
@@ -0,0 +1,4 @@
# {{ ansible_managed }}
sshd : ALL : ALLOW
ALL: LOCAL, 127.0.0.1
@@ -0,0 +1,3 @@
# {{ ansible_managed }}
ALL: ALL
+6
View File
@@ -0,0 +1,6 @@
By accessing this system, you consent to the following conditions:
- This system is for authorized use only.
- Any or all uses of this system and all files on this system may be monitored.
- Communications using, or data stored on, this system are not private.
@@ -0,0 +1,36 @@
# {{ ansible_managed }}
CHFN_RESTRICT rwh
DEFAULT_HOME no
ENCRYPT_METHOD SHA512
ENV_PATH PATH=/usr/local/bin:/usr/sbin:/usr/bin:/bin:/snap/bin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
ERASECHAR 0177
FAILLOG_ENAB yes
FTMP_FILE /var/log/btmp
GID_MAX 60000
GID_MIN 1000
HUSHLOGIN_FILE .hushlogin
KILLCHAR 025
LOGIN_RETRIES 5
LOGIN_TIMEOUT 60
LOG_OK_LOGINS yes
LOG_UNKFAIL_ENAB no
MAIL_DIR /var/mail
PASS_MAX_DAYS 60
PASS_MIN_DAYS 1
{% if ansible_distribution == "CentOS" %}
PASS_MIN_LEN 15
{% endif %}
PASS_WARN_AGE 7
SHA_CRYPT_MAX_ROUNDS 65536
SHA_CRYPT_MIN_ROUNDS 10000
SU_NAME su
SYSLOG_SG_ENAB yes
SYSLOG_SU_ENAB yes
TTYGROUP tty
TTYPERM 0600
UID_MAX 60000
UID_MIN 1000
UMASK {{ umask_value }}
USERGROUPS_ENAB no
@@ -0,0 +1,17 @@
# {{ ansible_managed }}
# CCE-80195-1
daily
{% if ansible_distribution == 'Ubuntu' %}
su root syslog
{% endif %}
rotate 7
create
dateext
compress
compresscmd /usr/bin/xz
uncompresscmd /usr/bin/unxz
compressext .xz
include /etc/logrotate.d
+6
View File
@@ -0,0 +1,6 @@
By accessing this system, you consent to the following conditions:
- This system is for authorized use only.
- Any or all uses of this system and all files on this system may be monitored.
- Communications using, or data stored on, this system are not private.
@@ -0,0 +1,10 @@
# {{ ansible_managed }}
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
{% if faillock.matched >= 1 %}
account required pam_faillock.so
{% else %}
account required pam_tally2.so
{% endif %}
@@ -0,0 +1,14 @@
# {{ ansible_managed }}
{% if faillock.matched >= 1 %}
auth required pam_faillock.so preauth
auth [success=1 default=ignore] pam_unix.so
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
{% else %}
auth [success=1 default=ignore] pam_unix.so
auth required pam_tally2.so onerr=fail audit silent deny=3 unlock_time=900
{% endif %}
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
@@ -0,0 +1,11 @@
# {{ ansible_managed }}
password requisite pam_pwquality.so retry=3
{% if ansible_os_family == 'Debian' %}
password required pam_pwhistory.so use_authtok remember=5
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 rounds=65536
{% else %}
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 rounds=65536 remember=5
{% endif %}
password requisite pam_deny.so
password required pam_permit.so
@@ -0,0 +1,33 @@
# {{ ansible_managed }}
auth optional pam_faildelay.so delay=4000000
{% if (ansible_distribution_major_version < '11' and ansible_distribution == "Debian") or ansible_distribution == "Ubuntu" %}
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
{% endif %}
auth requisite pam_nologin.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_group.so
session required pam_limits.so
session optional pam_lastlog.so showfailed
session optional pam_mail.so standard
session optional pam_keyinit.so force revoke
@include common-account
@include common-session
@include common-password
@@ -0,0 +1,8 @@
#!/bin/bash
# {{ ansible_managed }}
if [[ $EUID -eq 0 ]]; then
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
else
export PATH=/usr/local/bin:/usr/sbin:/usr/bin:/bin:/snap/bin
fi
@@ -0,0 +1,6 @@
# {{ ansible_managed }}
* hard maxlogins 10
* hard core 0
* soft nproc {{ limit_nproc_soft }}
* hard nproc {{ limit_nproc_hard }}
@@ -0,0 +1,13 @@
# {{ ansible_managed }}
{% if ssh_config_d.stat.exists and ssh_config_d.stat.isdir %}
Include /etc/ssh/ssh_config.d/*.conf
{% endif %}
Host *
Ciphers {{ sshd_ciphers }}
GSSAPIAuthentication {{ sshd_gssapi_authentication }}
HashKnownHosts yes
HostKeyAlgorithms {{ sshd_host_key_algorithms }}
KexAlgorithms {{ sshd_kex_algorithms }}
MACs {{ sshd_macs }}
RekeyLimit {{ sshd_rekey_limit }}
@@ -0,0 +1,41 @@
# {{ ansible_managed }}
AcceptEnv {{ sshd_accept_env }}
AllowAgentForwarding {{ sshd_allow_agent_forwarding }}
AllowGroups {{ sshd_allow_groups }}
AllowTcpForwarding {{ sshd_allow_tcp_forwarding }}
AuthenticationMethods {{ sshd_authentication_methods }}
Banner {{ sshd_banner }}
ChallengeResponseAuthentication {{ sshd_challenge_response_authentication }}
Ciphers {{ sshd_ciphers }}
ClientAliveCountMax {{ sshd_client_alive_count_max|int }}
ClientAliveInterval {{ sshd_client_alive_interval|int }}
Compression {{ sshd_compression }}
GSSAPIAuthentication {{ sshd_gssapi_authentication }}
HostbasedAuthentication {{ sshd_hostbased_authentication }}
HostKeyAlgorithms {{ sshd_host_key_algorithms }}
IgnoreUserKnownHosts {{ sshd_ignore_user_known_hosts }}
KerberosAuthentication {{ sshd_kerberos_authentication }}
KexAlgorithms {{ sshd_kex_algorithms }}
LoginGraceTime {{ sshd_login_grace_time|int }}
LogLevel {{ sshd_log_level }}
Macs {{ sshd_macs }}
MaxAuthTries {{ sshd_max_auth_tries|int }}
MaxSessions {{ sshd_max_sessions|int }}
MaxStartups {{ sshd_max_startups }}
PasswordAuthentication {{ sshd_password_authentication }}
PermitEmptyPasswords {{ sshd_permit_empty_passwords }}
PermitRootLogin {{ sshd_permit_root_login }}
PermitUserEnvironment {{ sshd_permit_user_environment }}
Port {{ sshd_port|int }}
PrintLastLog {{ sshd_print_last_log }}
PrintMotd {{ sshd_print_motd }}
RekeyLimit {{ sshd_rekey_limit }}
{% if ssh_installed_version is version('9.1', '>') %}
RequiredRSASize {{ sshd_required_rsa_size }}
{% endif %}
StrictModes {{ sshd_strict_modes }}
Subsystem {{ sshd_subsystem }}
TCPKeepAlive {{ sshd_tcp_keep_alive }}
UseDNS {{ sshd_use_dns }}
UsePAM {{ sshd_use_pam }}
X11Forwarding {{ sshd_x11_forwarding }}
@@ -0,0 +1,5 @@
# {{ ansible_managed }}
[Coredump]
Storage=none
ProcessSizeMax=0
@@ -0,0 +1,6 @@
# {{ ansible_managed }}
[Journal]
Storage=persistent
ForwardToSyslog=yes
Compress=yes
@@ -0,0 +1,8 @@
# {{ ansible_managed }}
[Login]
KillUserProcesses=1
KillExcludeUsers=root
IdleAction=lock
IdleActionSec=15min
RemoveIPC=yes
@@ -0,0 +1,9 @@
# {{ ansible_managed }}
[Resolve]
DNS={{ dns }}
FallbackDNS={{ fallback_dns }}
DNSSEC={{ dnssec }}
{% if ansible_local.systemd.version|int >= 239 %}
DNSOverTLS={{ dns_over_tls }}
{% endif %}
@@ -0,0 +1,9 @@
# {{ ansible_managed }}
[Manager]
DumpCore=no
CrashShell=no
CtrlAltDelBurstAction=none
DefaultLimitCORE=0
DefaultLimitNOFILE={{ limit_nofile_hard }}
DefaultLimitNPROC={{ limit_nproc_hard }}
@@ -0,0 +1,8 @@
# {{ ansible_managed }}
[Time]
NTP={{ ntp }}
FallbackNTP={{ fallback_ntp }}
{% if ansible_local.systemd.version|int >= 236 %}
RootDistanceMaxSec=1
{% endif %}
@@ -0,0 +1,17 @@
[Unit]
Description=Temporary Directory /tmp
Documentation=man:file-hierarchy(7)
ConditionPathIsSymbolicLink=!/tmp
DefaultDependencies=no
Conflicts=umount.target
Before=local-fs.target umount.target
After=swap.target
[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,nodev,noexec,nosuid
[Install]
WantedBy=multi-user.target
@@ -0,0 +1,6 @@
# {{ ansible_managed }}
[Manager]
DefaultLimitCORE=0
DefaultLimitNOFILE={{ limit_nofile_hard }}
DefaultLimitNPROC={{ limit_nproc_hard }}
@@ -0,0 +1,13 @@
[Unit]
Description=Aide Check
[Service]
Type=simple
{% if ansible_os_family == 'Debian' %}
ExecStart=/usr/bin/aide --check --config /etc/aide/aide.conf
{% else %}
ExecStart=/usr/sbin/aide --check
{% endif %}
[Install]
WantedBy=multi-user.target
@@ -0,0 +1,9 @@
[Unit]
Description=Aide check every day at midnight
[Timer]
OnCalendar=*-*-* 00:00:00
Unit=aidecheck.service
[Install]
WantedBy=multi-user.target