Harden your Linux server using Ansible
Ways to harden your Linux server with Ansible
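---
# Baseline hardening play for RHEL-family hosts (dnf, firewalld, SELinux,
# auditd). The firewalld/selinux/sysctl modules come from the ansible.posix
# collection. Every task needs root, so privilege escalation is requested at
# play level; it is a no-op when the connection user is already root.
- name: Linux Server hardening
  hosts: all_servers
  become: true
  gather_facts: true

  tasks:
    - name: Ensure firewall package is installed
      ansible.builtin.dnf:
        name: firewalld
        state: present

    - name: Ensure firewall service is up and running
      ansible.builtin.service:
        name: firewalld
        state: started
        enabled: true

    # "state: disabled" removes the firewalld allow rule for the named
    # service in the default zone; it does not stop the daemon behind it.
    # NOTE(review): dropping dhcpv6-client breaks hosts that obtain their
    # IPv6 address via DHCPv6 — confirm against the target network.
    - name: Block non-required services
      ansible.posix.firewalld:
        service: "{{ item }}"
        state: disabled
        permanent: true
        immediate: true
      loop:
        - cockpit
        - dhcpv6-client

    # Keep management access open so the firewall change cannot lock the
    # Ansible controller out of the host.
    - name: Enable required services
      ansible.posix.firewalld:
        service: ssh
        state: enabled
        permanent: true
        immediate: true

    - name: Ensure SELinux is enabled and enforcing
      ansible.posix.selinux:
        policy: targeted
        state: enforcing
      register: selinux_status

    # Switching from disabled to enforcing only takes effect after a reboot;
    # the module reports that in reboot_required, which drives the handler.
    # changed_when is a plain Jinja expression: wrapping it in "{{ }}" is a
    # templated conditional, which ansible-core warns about (and newer
    # releases reject).
    - name: Verify if reboot needed
      ansible.builtin.debug:
        msg: "Reboot needed: {{ selinux_status.reboot_required }}"
      changed_when: selinux_status.reboot_required | bool
      notify: reboot_host

    # Each sysctl task writes its own drop-in under /etc/sysctl.d so the
    # settings persist across reboots; sysctl_set applies them immediately.
    - name: Harden kernel parameters
      ansible.posix.sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        sysctl_set: true
        state: present
        reload: true
        sysctl_file: /etc/sysctl.d/90-kernel.conf
      loop:
        - name: kernel.randomize_va_space  # full ASLR (stack, mmap base, brk)
          value: 2
        - name: kernel.dmesg_restrict  # kernel log readable by privileged users only
          value: 1
        - name: kernel.perf_event_paranoid  # no perf events for unprivileged users
          value: 2

    - name: Harden network parameters
      ansible.posix.sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        sysctl_set: true
        state: present
        reload: true
        sysctl_file: /etc/sysctl.d/90-net.conf
      loop:
        - name: net.ipv4.tcp_syncookies  # resilience against SYN floods
          value: 1
        - name: net.ipv4.conf.default.log_martians  # log packets with impossible source addresses
          value: 1
        - name: net.ipv4.conf.all.log_martians
          value: 1
        - name: net.ipv4.conf.all.accept_source_route  # reject source-routed packets (v4 and v6)
          value: 0
        - name: net.ipv4.conf.default.accept_source_route
          value: 0
        - name: net.ipv6.conf.all.accept_source_route
          value: 0
        - name: net.ipv6.conf.default.accept_source_route
          value: 0

    # Only needed on hosts that are not routers, container hosts or VPN
    # endpoints; those rely on forwarding and must be excluded.
    - name: Disable ip forwarding
      ansible.posix.sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        sysctl_set: true
        state: present
        reload: true
        sysctl_file: /etc/sysctl.d/90-ip.conf
      loop:
        - name: net.ipv4.ip_forward
          value: 0
        - name: net.ipv6.conf.all.forwarding
          value: 0

    # NOTE(review): icmp_echo_ignore_all drops every echo request, which also
    # blinds ping-based monitoring and some load-balancer health checks;
    # icmp_echo_ignore_broadcasts alone covers the broadcast-amplification
    # case. Confirm the monitoring impact before rolling this out.
    - name: Disable ICMP echo and redirects
      ansible.posix.sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        sysctl_set: true
        state: present
        reload: true
        sysctl_file: /etc/sysctl.d/90-icmp.conf
      loop:
        - name: net.ipv4.icmp_echo_ignore_broadcasts
          value: 1
        - name: net.ipv4.icmp_echo_ignore_all
          value: 1
        - name: net.ipv4.conf.default.accept_redirects  # do not let ICMP redirects rewrite routes
          value: 0
        - name: net.ipv4.conf.all.accept_redirects
          value: 0
        - name: net.ipv6.conf.all.accept_redirects
          value: 0
        - name: net.ipv6.conf.default.accept_redirects
          value: 0
        - name: net.ipv4.conf.default.send_redirects  # a non-router should never emit redirects
          value: 0
        - name: net.ipv4.conf.all.send_redirects
          value: 0

    - name: Ensure audit package is installed
      ansible.builtin.dnf:
        name: audit
        state: present

    - name: Ensure auditd service is up and running
      ansible.builtin.service:
        name: auditd
        state: started
        enabled: true

    # Rules under /etc/audit/rules.d are compiled into the active ruleset
    # when auditd starts, so the reboot handler is what applies them;
    # running `augenrules --load` in a handler would achieve the same
    # without a reboot. The mode is quoted on purpose: an unquoted 0600 is
    # parsed as the integer 384 and yields a different permission set.
    - name: Add a basic audit config
      ansible.builtin.copy:
        src: audit.rules
        dest: /etc/audit/rules.d/audit.rules
        owner: root
        group: root
        mode: "0600"
      notify: reboot_host

  handlers:
    # Triggered by the SELinux check and the audit rules task; waits up to
    # reboot_timeout seconds for the host to come back.
    - name: reboot_host
      ansible.builtin.reboot:
        reboot_timeout: 360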