authorJoshua Lusk <luskjh@gmail.com>2026-05-25 20:34:22 -0400
committerJoshua Lusk <luskjh@gmail.com>2026-05-25 20:34:22 -0400
commit45170150ba1a79d37d150b0020523911440b776f (patch)
treef3cbe149fcc4a4f930b9d8ce8f96c5930c13a7e4
parent283697c3b1a1283ea3621498189df4774c92f804 (diff)
add seurity playbook
-rw-r--r--Makefile4
-rw-r--r--README.md7
-rw-r--r--playbooks/files/apt/auto-upgrades4
-rw-r--r--playbooks/files/apt/unattended-upgrades11
-rw-r--r--playbooks/files/sshd_config129
-rw-r--r--playbooks/security.yaml55
6 files changed, 207 insertions, 3 deletions
diff --git a/Makefile b/Makefile
index 9efcbaf..f79af57 100644
--- a/Makefile
+++ b/Makefile
@@ -29,3 +29,7 @@ ping:
.PHONY: users
users:
$(BIN)/ansible-playbook -e @vault.yaml -e "ansible_user=$(or $(ANSIBLE_USER),ansible)" playbooks/users.yaml
+
+.PHONY: security
+security:
+ $(BIN)/ansible-playbook -e @vault.yaml playbooks/security.yaml
diff --git a/README.md b/README.md
index 007440e..98df690 100644
--- a/README.md
+++ b/README.md
@@ -30,9 +30,10 @@ _Listed in alphabetical order._
_Listed in applicable order._
-| Target | Description |
-| ----------------------- | ----------- |
-| `users`<sup>*</sup> | Add users |
+| Target | Description |
+| ----------------------- | ------------------ |
+| `users`<sup>*</sup> | Add users |
+| `security` | Security hardening |
### <sup>*</sup>Pre-bootstraped targets
diff --git a/playbooks/files/apt/auto-upgrades b/playbooks/files/apt/auto-upgrades
new file mode 100644
index 0000000..5d37e9f
--- /dev/null
+++ b/playbooks/files/apt/auto-upgrades
@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";
diff --git a/playbooks/files/apt/unattended-upgrades b/playbooks/files/apt/unattended-upgrades
new file mode 100644
index 0000000..3c45606
--- /dev/null
+++ b/playbooks/files/apt/unattended-upgrades
@@ -0,0 +1,11 @@
+Unattended-Upgrade::Allowed-Origins {
+ "${distro_id}:${distro_codename}";
+ "${distro_id}:${distro_codename}-security";
+ "${distro_id}ESMApps:${distro_codename}-apps-security";
+ "${distro_id}ESM:${distro_codename}-infra-security";
+};
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+Unattended-Upgrade::MinimalSteps "true";
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+Unattended-Upgrade::Automatic-Reboot "false";
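Review bot: `Unattended-Upgrade::Automatic-Reboot "false"` on the last line means kernel and libc security updates are installed but stay inactive until someone reboots the host, and nothing in this file surfaces that a reboot is pending. Either state the trade-off with a comment above the directive, e.g. `// Reboots stay manual: a pending reboot is signalled by /var/run/reboot-required`, or set `Unattended-Upgrade::Automatic-Reboot "true"` together with `Unattended-Upgrade::Automatic-Reboot-Time` at a quiet hour. The two ESM origins in the Allowed-Origins block are Ubuntu-specific and appear to be inert on other Debian-derived targets, which is worth a one-line comment if the playbook is ever pointed at a non-Ubuntu host.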
diff --git a/playbooks/files/sshd_config b/playbooks/files/sshd_config
new file mode 100644
index 0000000..c8da404
--- /dev/null
+++ b/playbooks/files/sshd_config
@@ -0,0 +1,129 @@
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+# When systemd socket activation is used (the default), the socket
+# configuration must be re-generated after changing Port, AddressFamily, or
+# ListenAddress.
+#
+# For changes to take effect, run:
+#
+# systemctl daemon-reload
+# systemctl restart ssh.socket
+#
+# Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no # <- overwritten
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+PermitRootLogin no # <- overwritten
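Review bot: The hardening directives `PasswordAuthentication no` and `PermitRootLogin no` sit below `Include /etc/ssh/sshd_config.d/*.conf`, and sshd takes the first value it obtains for each keyword, so any drop-in in that directory that sets these keywords wins over this file; Ubuntu cloud images commonly ship such a drop-in that re-enables password authentication, which would silently undo the change. Move the three overridden directives, `PasswordAuthentication no`, `KbdInteractiveAuthentication no` and `PermitRootLogin no`, above the Include line, or have the playbook also manage the contents of /etc/ssh/sshd_config.d/. `X11Forwarding yes` is left at the distribution default; a hardened host with no display use would set it to `no`. The trailing `# <- overwritten` markers are accepted by current sshd but read like directive arguments; a full-line comment above each directive, e.g. `# Hardening: overrides the shipped default of yes`, is the conventional form in this file.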
diff --git a/playbooks/security.yaml b/playbooks/security.yaml
new file mode 100644
index 0000000..14c3550
--- /dev/null
+++ b/playbooks/security.yaml
@@ -0,0 +1,55 @@
+- name: Security hardening
+ hosts: hollyhock
+ become: true
+ tasks:
+ - name: Configure ssh
+ ansible.builtin.copy:
+ src: sshd_config
+ dest: /etc/ssh/sshd_config
+ mode: "0644"
+ backup: true
+ notify: Restart ssh
+
+ - name: Deny all incoming traffic by default
+ community.general.ufw:
+ default: deny
+ direction: incoming
+
+ - name: Allow all outgoing traffic by default
+ community.general.ufw:
+ default: allow
+ direction: outgoing
+
+ - name: Allow ssh traffic through firewall
+ community.general.ufw:
+ rule: allow
+ port: 22
+ proto: tcp
+
+ - name: Enable ufw
+ community.general.ufw:
+ state: enabled
+
+ - name: Install unattended upgrades
+ ansible.builtin.apt:
+ name: unattended-upgrades
+ state: present
+ update_cache: true
+
+ - name: Configure unattended-upgrades
+ ansible.builtin.copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: "0644"
+ backup: true
+ loop:
+ - src: apt/unattended-upgrades
+ dest: /etc/apt/apt.conf.d/50unattended-upgrades
+ - src: apt/auto-upgrades
+ dest: /etc/apt/apt.conf.d/20auto-upgrades
+
+ handlers:
+ - name: Restart ssh
+ ansible.builtin.systemd:
+ name: ssh
+ state: restarted
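Review bot: The `Configure ssh` task copies sshd_config with no `validate`, so a syntax error in the file is only discovered when the `Restart ssh` handler fails at the end of the play, by which point sshd may be down on the only management path to the host. Add `validate: /usr/sbin/sshd -t -f %s` to that copy task so the new file is rejected before it replaces /etc/ssh/sshd_config. The firewall task opens port 22 with `rule: allow`; `rule: limit` is the ufw built-in that rate-limits repeated connection attempts and fits a key-only ssh service equally well. The play hard-codes `hosts: hollyhock`, so the target cannot be changed from the command line the way `ANSIBLE_USER` can for the users target; confirm that is intended.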