diff --git a/.github/workflows/ansible-apply.yaml b/.github/workflows/ansible-apply.yaml index 5180edf..b6aa6d7 100644 --- a/.github/workflows/ansible-apply.yaml +++ b/.github/workflows/ansible-apply.yaml @@ -80,6 +80,7 @@ jobs: SSH_AUTH_SOCK: /tmp/ssh_agent.sock run: | cd ansible + sectool exec ansible-playbook -u $ANSIBLE_USER playbook_login.yml sectool exec ansible-playbook -u $ANSIBLE_USER playbook_cis.yml --skip-tags roles::cis::suid sectool exec ansible-playbook -u $ANSIBLE_USER playbook_encryption.yml sectool exec ansible-playbook -u $ANSIBLE_USER playbook_microk8s.yml diff --git a/Readme.MD b/Readme.MD index 9c4d7c9..d752397 100644 --- a/Readme.MD +++ b/Readme.MD @@ -3,20 +3,3 @@ This is part of A13Labs project, any unauthorized copy is no allowed. If you got access to this code DELETE immediately. We have been warned. -# Download SecTool - -Download SecTool from https://github.com/a13labs/sectool/releases - -# Install Apps - -``` -export VAULT_MASTER_PASSWORD= - -# get the kubernetes configuration file -ssh provision@ -i ssh-keys/ansible/id_rsa microk8s config > ~/.kube/config - -# deploy the applications -cd terraform/k8s_apps -sectool exec terraform init -sectool exec terraform apply -``` diff --git a/ansible/apply.sh b/ansible/apply.sh index 5732a7a..3c41787 100755 --- a/ansible/apply.sh +++ b/ansible/apply.sh @@ -16,6 +16,11 @@ function help { exit 1 } +if [ -z $ANSIBLE_USER ]; then + echo "ANSIBLE_USER environment variable not set" + exit 1 +fi + # parse arguments while [ "$1" != "" ]; do case $1 in @@ -47,5 +52,4 @@ else fi # execute ansible-playbook -sectool exec ansible-playbook -i inventory/hosts $DRY_RUN $PLAYBOOK - +sectool exec ansible-playbook -u $ANSIBLE_USER $DRY_RUN $PLAYBOOK diff --git a/ansible/files/keys/ansible_user.pub b/ansible/files/keys/ansible_user.pub new file mode 120000 index 0000000..c113a91 --- /dev/null +++ b/ansible/files/keys/ansible_user.pub @@ -0,0 +1 @@ +../../../ssh-keys/ansible/id_ecdsa.pub \ No newline at end of file diff --git a/ansible/host_vars/contabo01.a13labs.pt.yaml b/ansible/host_vars/contabo01.a13labs.pt.yml similarity index 87% rename from ansible/host_vars/contabo01.a13labs.pt.yaml rename to ansible/host_vars/contabo01.a13labs.pt.yml index 41c6882..8d8d84e 100644 --- a/ansible/host_vars/contabo01.a13labs.pt.yaml +++ b/ansible/host_vars/contabo01.a13labs.pt.yml @@ -1,17 +1,15 @@ -# Hostname and other host settings hostname: contabo01.a13labs.pt - -# SSH Connection and security -sshd_port: 22 -ssh_allowed_networks: - - "0.0.0.0/0" -sshd_admin_net: "0.0.0.0/0" -sshd_allow_groups: "provision git users" -sshd_permit_root_login: "no" -sshd_password_authentication: "no" -sshd_allow_tcp_forwarding: "yes" ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}" + +# Users login_users: + - username: "{{ ansible_user }}" + comment: "Managed by Ansible" + sudoer: true + sudoer_root_only: true + sudoer_no_password: true + pubkey: "{{ lookup('file', 'keys/ansible_user.pub') }}" + password_disabled: true - username: operator comment: "Managed by Ansible" sudoer: true @@ -19,6 +17,18 @@ login_users: - username: git comment: "Managed by Ansible" shell: "/usr/local/bin/gitea-shell" + password_disabled: true + password_expiration: false + +# SSH Connection and security +sshd_port: 22 +ssh_allowed_networks: + - "0.0.0.0/0" +sshd_admin_net: "0.0.0.0/0" +sshd_allow_groups: "{{ ansible_user }} git users" +sshd_permit_root_login: "no" +sshd_password_authentication: "no" +sshd_allow_tcp_forwarding: "yes" # Due to an issue increase the number of max auth tries sshd_max_auth_tries: 10 diff --git a/ansible/inventory/hosts b/ansible/inventory/hosts index 452af68..3624061 100644 --- a/ansible/inventory/hosts +++ b/ansible/inventory/hosts @@ -1,21 +1,12 @@ [all] contabo01.a13labs.pt -[a13labs] -contabo01.a13labs.pt - -[vms] -contabo01.a13labs.pt - [linux] contabo01.a13labs.pt [ubuntu] contabo01.a13labs.pt -[contabo] -contabo01.a13labs.pt - [gitea] contabo01.a13labs.pt diff --git a/ansible/playbook_cis.yml b/ansible/playbook_cis.yml index f10119e..55557bb 100644 --- a/ansible/playbook_cis.yml +++ b/ansible/playbook_cis.yml @@ -1,17 +1,9 @@ --- - name: CIS Hardening - hosts: contabo + hosts: linux gather_facts: true roles: - - role: "bootstrap" - tags: - - roles - - roles::bootstrap - - role: "login" - tags: - - roles - - roles::users - role: "cis" tags: - roles diff --git a/ansible/playbook_encryption.yml b/ansible/playbook_encryption.yml index 7cdbcae..3395cdd 100644 --- a/ansible/playbook_encryption.yml +++ b/ansible/playbook_encryption.yml @@ -1,6 +1,6 @@ --- - name: Setup encrypted volume for a13labs - hosts: contabo + hosts: linux become: true vars: disk_image_path: /a13labs.img diff --git a/ansible/playbook_login.yml b/ansible/playbook_login.yml new file mode 100644 index 0000000..87f91b7 --- /dev/null +++ b/ansible/playbook_login.yml @@ -0,0 +1,10 @@ +--- +- name: Login setup + hosts: linux + gather_facts: true + + roles: + - role: "login" + tags: + - roles + - roles::users diff --git a/ansible/roles/cis/tasks/main.yml b/ansible/roles/cis/tasks/main.yml index c22deba..cb821bb 100644 --- a/ansible/roles/cis/tasks/main.yml +++ b/ansible/roles/cis/tasks/main.yml @@ -86,7 +86,7 @@ - name: Configure login.defs ansible.builtin.include_tasks: logindefs.yml tags: - - roles::cis::logindefs + - roles::cis::logindefs - name: Set limits ansible.builtin.include_tasks: limits.yml @@ -224,4 +224,4 @@ - name: Miscellaneous tasks after all handlers ansible.builtin.include_tasks: post.yml tags: - - always \ No newline at end of file + - always diff --git a/ansible/roles/login/tasks/main.yml b/ansible/roles/login/tasks/main.yml index 23de699..4ad7513 100644 --- a/ansible/roles/login/tasks/main.yml +++ b/ansible/roles/login/tasks/main.yml @@ -13,6 +13,18 @@ shell: "{{ item.shell if item.shell is defined else '/bin/bash' }}" loop: "{{ login_users }}" +- name: Disable password expiration + command: chage -M -1 "{{ item.username }}" + become: yes + when: item.password_expiration is defined and not item.password_expiration + loop: "{{ login_users }}" + +- name: Disable password login + command: passwd -d "{{ item.username }}" + become: yes + when: item.password_disabled is defined and item.password_disabled + loop: "{{ login_users }}" + - name: "Add SSH Authorized key" become: true ansible.posix.authorized_key: @@ -27,9 +39,21 @@ ansible.builtin.copy: dest: "/etc/sudoers.d/{{ item.username }}" content: | - {{ item.username }} ALL=(ALL) ALL + {{ item.username }} ALL=({{ 'root' if item.sudoer_root_only is defined and item.sudoer_root_only else 'ALL' }}) {{ 'NOPASSWD:' if item.sudoer_no_password is defined and item.sudoer_no_password else '' }}ALL owner: root group: root mode: "0600" when: item.sudoer is defined and item.sudoer loop: "{{ login_users }}" + +- name: Disable user history + become: true + ansible.builtin.copy: + dest: "/etc/profile.d/disable_history.sh" + content: | + #!/bin/bash + readonly PROMPT_COMMAND='history -a' + readonly HISTFILE=/dev/null + owner: root + group: root + mode: "0755"