-
-
Notifications
You must be signed in to change notification settings - Fork 112
/
genREADME.sh
223 lines (169 loc) · 6.25 KB
/
genREADME.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
#!/bin/sh
if [ -z "${ANSIBLE_V}" ]; then
ANSIBLE_V="$(grep min_ansible_version meta/main.yml | awk '{print $NF}' | tr -d '\"')"
fi
{
echo "# Ansible Role for Server Hardening
This is an [Ansible](https://www.ansible.com/) role designed to enhance the
security of servers running on AlmaLinux, Debian, or Ubuntu.
It's [systemd](https://freedesktop.org/wiki/Software/systemd/) focused
and requires Ansible version 2.15 or higher.
The role supports the following operating systems:
- [AlmaLinux 9](https://wiki.almalinux.org/release-notes/#almalinux-9)
- [Debian 11 (Bullseye)](https://www.debian.org/releases/bullseye/)
- [Debian 12 (Bookworm)](https://www.debian.org/releases/bookworm/)
- [Ubuntu 22.04 (Jammy Jellyfish)](https://releases.ubuntu.com/jammy/)
- [Ubuntu 24.04 (Noble Numbat)](https://releases.ubuntu.com/noble/)
For those using AWS or Azure, there are also hardened Ubuntu Amazon
Machine Images (AMIs) and Azure virtual machine images available.
These are available in the [konstruktoid/hardened-images](https://github.com/konstruktoid/hardened-images)
repository. These images are built using [Packer](https://www.packer.io/) and
this Ansible role is used for configuration.
> **Note**
> Do not use this role without first testing in a non-operational environment.
> **Note**
> There is a [SLSA](https://slsa.dev/) artifact present under the
> [slsa action workflow](https://github.com/konstruktoid/ansible-role-hardening/actions/workflows/slsa.yml)
> for verification.
## Dependencies
None.
## Examples
### Requirements
\`\`\`yaml
---
roles:
- name: konstruktoid.hardening
version: v2.2.0
src: https://github.com/konstruktoid/ansible-role-hardening.git
scm: git
\`\`\`
### Playbook
\`\`\`yaml
---
- name: Import and use the hardening role
hosts: localhost
any_errors_fatal: true
tasks:
- name: Import the hardening role
ansible.builtin.import_role:
name: konstruktoid.hardening
vars:
sshd_admin_net:
- 10.0.2.0/24
- 192.168.0.0/24
- 192.168.1.0/24
suid_sgid_permissions: false
\`\`\`
### Local playbook using git checkout
\`\`\`yaml
---
- name: Checkout and configure konstruktoid.hardening
hosts: localhost
any_errors_fatal: true
tasks:
- name: Clone hardening repository
become: true
tags:
- always
block:
- name: Install git
ansible.builtin.package:
name: git
state: present
- name: Checkout konstruktoid.hardening
become: true
ansible.builtin.git:
repo: https://github.com/konstruktoid/ansible-role-hardening
dest: /etc/ansible/roles/konstruktoid.hardening
version: v2.2.0
- name: Remove git
ansible.builtin.package:
name: git
state: absent
- name: Include the hardening role
ansible.builtin.include_role:
name: konstruktoid.hardening
vars:
sshd_allow_groups:
- ubuntu
sshd_login_grace_time: 60
sshd_max_auth_tries: 10
sshd_use_dns: false
sshd_update_moduli: true
\`\`\`
## Note regarding UFW firewall rules
Instead of resetting \`ufw\` every run and by doing so causing network traffic
disruption, the role deletes every \`ufw\` rule without
\`comment: ansible managed\` task parameter and value.
The role also sets default deny policies, which means that firewall rules
needs to be created for any additional ports except those specified in
the \`sshd_ports\` and \`ufw_outgoing_traffic\` variables.
See [ufw(8)](https://manpages.ubuntu.com/manpages/noble/en/man8/ufw.8.html)
for more information.
## Task Execution and Structure
See [STRUCTURE.md](STRUCTURE.md) for tree of the role structure.
## Role testing
See [TESTING.md](TESTING.md).
"
echo '## Role Variables with defaults'
for variables in $(find ./defaults -type f | sort); do
echo; echo "### $variables"
echo
echo '```yaml'
grep -vE '^#|---|\.\.\.' "$variables"
echo '```'
done
echo
echo "## Recommended Reading
[Comparing the DISA STIG and CIS Benchmark values](https://github.com/konstruktoid/publications/blob/master/ubuntu_comparing_guides_benchmarks.md)
[Center for Internet Security Linux Benchmarks](https://www.cisecurity.org/cis-benchmarks/)
[Common Configuration Enumeration](https://nvd.nist.gov/cce/index.cfm)
[DISA Security Technical Implementation Guides](https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux)
[SCAP Security Guides](https://complianceascode.github.io/content-pages/guides/index.html)
[Security focused systemd configuration](https://github.com/konstruktoid/hardening/blob/master/systemd.adoc)
## Contributing
Do you want to contribute? Great! Contributions are always welcome,
no matter how large or small. If you found something odd, feel free to submit a
issue, improve the code by creating a pull request, or by
[sponsoring this project](https://github.com/sponsors/konstruktoid).
## License
Apache License Version 2.0
## Author Information
[https://github.com/konstruktoid](https://github.com/konstruktoid \"github.com/konstruktoid\")"
} > ./README.md
{
echo "# Testing
Before running any test:
- ensure [Vagrant](https://www.vagrantup.com/),
[VirtualBox](https://www.virtualbox.org/) and/or
[Docker](https://www.docker.com/) is installed.
- ensure all Python [requirements](./requirements-dev.txt) are installed.
- ensure that the role is installed as \`konstruktoid.hardening\`
## Distribution boxes used by Molecule and Vagrant
"
echo '```console'
git grep -E 'box:|box =|image:' Vagrantfile molecule/ | awk '{print $NF}' |\
tr -d '"' | sort | uniq
echo '```'
echo
echo "If the [runTests.sh](runTests.sh) script is executed as \`runTests.sh vagrant\`,
[Vagrant](https://www.vagrantup.com/ \"Vagrant\") will configure hosts and run the
\`konstruktoid.hardening\` role, it will then run
[Lynis](https://github.com/CISOfy/lynis/ \"Lynis\") and \`bats\` tests from the
[konstruktoid/hardening](https://github.com/konstruktoid/hardening \"konstruktoid/hardening\")
repository if the host is using [Ubuntu](https://ubuntu.com/ \"Ubuntu\")."
echo
echo "### tox environments
"
echo '```console'
tox -l
echo '```'
} > ./TESTING.md
rm ./*.log ./*.html ./*.list
{
echo "# Structure
"
echo '```sh'
tree .
echo '```'
} > ./STRUCTURE.md