security role and SSH fixes #77
parent
8c5f80bf8f
commit
00e4bcc1ec
14 changed files with 64 additions and 12 deletions
|
@ -70,6 +70,11 @@
|
||||||
default: "y"
|
default: "y"
|
||||||
private: no
|
private: no
|
||||||
|
|
||||||
|
- name: "security_enabled"
|
||||||
|
prompt: "Do you want to enable the security role? (y/n):\n"
|
||||||
|
default: "y"
|
||||||
|
private: no
|
||||||
|
|
||||||
- name: "easyrsa_p12_export_password"
|
- name: "easyrsa_p12_export_password"
|
||||||
prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
|
prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
|
||||||
default: "vpnpw"
|
default: "vpnpw"
|
||||||
|
@ -130,7 +135,7 @@
|
||||||
|
|
||||||
roles:
|
roles:
|
||||||
- common
|
- common
|
||||||
- security
|
- { role: security, when: security_enabled is defined and security_enabled == "y" }
|
||||||
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
|
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
|
||||||
- { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "y" }
|
- { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "y" }
|
||||||
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
|
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
|
||||||
|
|
7
ec2.yml
7
ec2.yml
|
@ -76,6 +76,11 @@
|
||||||
default: "y"
|
default: "y"
|
||||||
private: no
|
private: no
|
||||||
|
|
||||||
|
- name: "security_enabled"
|
||||||
|
prompt: "Do you want to enable the security role? (y/n):\n"
|
||||||
|
default: "y"
|
||||||
|
private: no
|
||||||
|
|
||||||
- name: "easyrsa_p12_export_password"
|
- name: "easyrsa_p12_export_password"
|
||||||
prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
|
prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
|
||||||
default: "vpnpw"
|
default: "vpnpw"
|
||||||
|
@ -99,7 +104,7 @@
|
||||||
|
|
||||||
roles:
|
roles:
|
||||||
- common
|
- common
|
||||||
- security
|
- { role: security, when: security_enabled is defined and security_enabled == "y" }
|
||||||
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
|
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
|
||||||
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
|
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
|
||||||
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
|
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
|
||||||
|
|
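Review bot: The new `security_enabled` prompt at `@ -76,6 +76,11` accepts any text, but the roles entry at `@ -99,7 +104,7` only includes the role on the exact string "y", so an answer of "Y", "yes" or "y " silently skips the hardening role with no error, which is the worst failure mode for a security toggle. Normalise the answer where it is tested, `- { role: security, when: security_enabled is defined and security_enabled | trim | lower == "y" }`, or add a task that fails on anything other than y/n right after the prompts. The same prompt and roles edit is repeated in the preceding unnamed playbook at `@ -70,6 +70,11`, in gce.yml at `@ -74,6 +74,11` and in the playbook at `@ -35,6 +35,11` / `@ -75,7 +81,7`; change them together. The added `private: no` is a YAML 1.1 boolean and reads as `false` only by accident of the loader; write `private: false`.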
7
gce.yml
7
gce.yml
|
@ -74,6 +74,11 @@
|
||||||
default: "y"
|
default: "y"
|
||||||
private: no
|
private: no
|
||||||
|
|
||||||
|
- name: "security_enabled"
|
||||||
|
prompt: "Do you want to enable the security role? (y/n):\n"
|
||||||
|
default: "y"
|
||||||
|
private: no
|
||||||
|
|
||||||
- name: "easyrsa_p12_export_password"
|
- name: "easyrsa_p12_export_password"
|
||||||
prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
|
prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
|
||||||
default: "vpnpw"
|
default: "vpnpw"
|
||||||
|
@ -97,7 +102,7 @@
|
||||||
|
|
||||||
roles:
|
roles:
|
||||||
- common
|
- common
|
||||||
- security
|
- { role: security, when: security_enabled is defined and security_enabled == "y" }
|
||||||
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
|
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
|
||||||
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
|
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
|
||||||
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
|
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
|
||||||
|
|
|
@ -35,6 +35,11 @@
|
||||||
default: "y"
|
default: "y"
|
||||||
private: no
|
private: no
|
||||||
|
|
||||||
|
- name: "security_enabled"
|
||||||
|
prompt: "Do you want to enable the security role? (y/n):\n"
|
||||||
|
default: "y"
|
||||||
|
private: no
|
||||||
|
|
||||||
- name: "easyrsa_p12_export_password"
|
- name: "easyrsa_p12_export_password"
|
||||||
prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
|
prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
|
||||||
default: "vpnpw"
|
default: "vpnpw"
|
||||||
|
@ -54,6 +59,7 @@
|
||||||
dns_enabled: "{{ dns_enabled }}"
|
dns_enabled: "{{ dns_enabled }}"
|
||||||
proxy_enabled: "{{ proxy_enabled }}"
|
proxy_enabled: "{{ proxy_enabled }}"
|
||||||
ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
|
ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
|
||||||
|
security_enabled: "{{ security_enabled }}"
|
||||||
auditd_enabled: " {{ auditd_enabled }}"
|
auditd_enabled: " {{ auditd_enabled }}"
|
||||||
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
|
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
|
||||||
IP_subject: "{{ IP_subject }}"
|
IP_subject: "{{ IP_subject }}"
|
||||||
|
@ -75,7 +81,7 @@
|
||||||
|
|
||||||
roles:
|
roles:
|
||||||
- common
|
- common
|
||||||
- security
|
- { role: security, when: security_enabled is defined and security_enabled == "y" }
|
||||||
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
|
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
|
||||||
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
|
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
|
||||||
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
|
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
|
||||||
|
|
|
@ -34,6 +34,7 @@
|
||||||
dns_enabled: "{{ dns_enabled }}"
|
dns_enabled: "{{ dns_enabled }}"
|
||||||
proxy_enabled: "{{ proxy_enabled }}"
|
proxy_enabled: "{{ proxy_enabled }}"
|
||||||
ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
|
ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
|
||||||
|
security_enabled: "{{ security_enabled }}"
|
||||||
auditd_enabled: " {{ auditd_enabled }}"
|
auditd_enabled: " {{ auditd_enabled }}"
|
||||||
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
|
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
|
||||||
cloud_provider: digitalocean
|
cloud_provider: digitalocean
|
||||||
|
|
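Review bot: The `security_enabled` pass-through added at `@ -34,6 +34,7` is placed between `ssh_tunneling_enabled` and `auditd_enabled`, while the gce block at `@ -24,6 +24,7` inserts it after `auditd_enabled`; keeping one order across this block, `@ -72,6 +72,7` and gce keeps the shared variable list diffable. While these blocks are being touched, the neighbouring `auditd_enabled: " {{ auditd_enabled }}"` carries a leading space inside the quotes, which an exact `== "y"` comparison like the one gating the new security role can never match; if the logging role is gated the same way, auditd is presumably never enabled, worth confirming and fixing in the same pass as `auditd_enabled: "{{ auditd_enabled }}"`.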
|
@ -72,6 +72,7 @@
|
||||||
dns_enabled: "{{ dns_enabled }}"
|
dns_enabled: "{{ dns_enabled }}"
|
||||||
proxy_enabled: "{{ proxy_enabled }}"
|
proxy_enabled: "{{ proxy_enabled }}"
|
||||||
ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
|
ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
|
||||||
|
security_enabled: "{{ security_enabled }}"
|
||||||
auditd_enabled: " {{ auditd_enabled }}"
|
auditd_enabled: " {{ auditd_enabled }}"
|
||||||
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
|
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
|
||||||
cloud_provider: ec2
|
cloud_provider: ec2
|
||||||
|
|
|
@ -24,6 +24,7 @@
|
||||||
proxy_enabled: "{{ proxy_enabled }}"
|
proxy_enabled: "{{ proxy_enabled }}"
|
||||||
ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
|
ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
|
||||||
auditd_enabled: " {{ auditd_enabled }}"
|
auditd_enabled: " {{ auditd_enabled }}"
|
||||||
|
security_enabled: "{{ security_enabled }}"
|
||||||
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
|
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
|
||||||
cloud_provider: gce
|
cloud_provider: gce
|
||||||
ipv6_support: no
|
ipv6_support: no
|
||||||
|
|
|
@ -1,9 +1,6 @@
|
||||||
- name: restart rsyslog
|
- name: restart rsyslog
|
||||||
service: name=rsyslog state=restarted
|
service: name=rsyslog state=restarted
|
||||||
|
|
||||||
- name: restart ssh
|
|
||||||
service: name=ssh state=restarted
|
|
||||||
|
|
||||||
- name: flush routing cache
|
- name: flush routing cache
|
||||||
shell: echo 1 > /proc/sys/net/ipv4/route/flush
|
shell: echo 1 > /proc/sys/net/ipv4/route/flush
|
||||||
|
|
||||||
|
|
|
@ -30,11 +30,6 @@
|
||||||
when: reboot_required is defined and reboot_required.stdout == 'required'
|
when: reboot_required is defined and reboot_required.stdout == 'required'
|
||||||
become: false
|
become: false
|
||||||
|
|
||||||
- name: SSH config
|
|
||||||
template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644
|
|
||||||
notify:
|
|
||||||
- restart ssh
|
|
||||||
|
|
||||||
- name: Disable MOTD on login and SSHD
|
- name: Disable MOTD on login and SSHD
|
||||||
replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"
|
replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"
|
||||||
with_items:
|
with_items:
|
||||||
|
|
|
@ -1,6 +1,9 @@
|
||||||
- name: restart rsyslog
|
- name: restart rsyslog
|
||||||
service: name=rsyslog state=restarted
|
service: name=rsyslog state=restarted
|
||||||
|
|
||||||
|
- name: restart ssh
|
||||||
|
service: name=ssh state=restarted
|
||||||
|
|
||||||
- name: restart iptables
|
- name: restart iptables
|
||||||
service: name=netfilter-persistent state=restarted
|
service: name=netfilter-persistent state=restarted
|
||||||
|
|
||||||
|
|
|
@ -100,3 +100,8 @@
|
||||||
- { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }
|
- { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }
|
||||||
notify:
|
notify:
|
||||||
- restart iptables
|
- restart iptables
|
||||||
|
|
||||||
|
- name: SSH config
|
||||||
|
template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644
|
||||||
|
notify:
|
||||||
|
- restart ssh
|
||||||
|
|
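Review bot: The `SSH config` task added at `@ -100,3 +100,8` rewrites `/etc/ssh/sshd_config` and then restarts ssh without validating the rendered file, so a template error locks the operator out of the host; pass the rendered file through sshd's checker first, `template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644 validate='/usr/sbin/sshd -t -f %s'`. Because this is a whole-file template while the ssh_tunneling role (hunk `@ -1,5 +1,19`) appends a `Match Group algo` stanza to the same file with blockinfile, whichever task runs last decides the final content; the role order in the playbooks should guarantee the template is rendered before the block is added, or the template should carry the block itself. The enclosing task list starts outside the hunk.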
|
@ -1,5 +1,19 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- name: Ensure that the sshd_config file has desired options
|
||||||
|
blockinfile:
|
||||||
|
dest: /etc/ssh/sshd_config
|
||||||
|
marker: '# ANSIBLE_MANAGED_ssh_tunneling_role'
|
||||||
|
block: |
|
||||||
|
Match Group algo
|
||||||
|
AllowTcpForwarding remote
|
||||||
|
AllowAgentForwarding no
|
||||||
|
AllowStreamLocalForwarding no
|
||||||
|
PermitTunnel no
|
||||||
|
X11Forwarding no
|
||||||
|
notify:
|
||||||
|
- restart ssh
|
||||||
|
|
||||||
- name: Ensure that the algo group exist
|
- name: Ensure that the algo group exist
|
||||||
group: name=algo state=present
|
group: name=algo state=present
|
||||||
|
|
||||||
|
|
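Review bot: The blockinfile `marker` at `@ -1,5 +1,19` has no `{mark}` placeholder, so the begin and end markers are the identical line; in my experience the module then cannot find a proper block on the next run and re-inserts it, leaving duplicated `Match Group algo` stanzas in sshd_config, so use `marker: '# {mark} ANSIBLE_MANAGED_ssh_tunneling_role'`. The task also notifies `restart ssh`, but this commit removes that handler from the common role (`@ -1,9 +1,6`) and re-adds it in what appears to be the security role (`@ -1,6 +1,9`), which the playbooks now include only when `security_enabled == "y"`; when the security role is skipped, Ansible has no `restart ssh` handler for this notify and the play fails, and even a success would restart sshd with a modified config. Give this role its own `restart ssh` handler, or keep the handler in common. The `Match Group algo` block should be confirmed to land at the end of the file, since any option after a `Match` line applies only to that match.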
|
@ -20,6 +20,20 @@
|
||||||
- strongswan
|
- strongswan
|
||||||
- netfilter-persistent
|
- netfilter-persistent
|
||||||
|
|
||||||
|
- name: Configure iptables so IPSec traffic can traverse the tunnel
|
||||||
|
iptables: table=nat chain=POSTROUTING source="{{ vpn_network }}" jump=MASQUERADE
|
||||||
|
when: (security_enabled is not defined) or
|
||||||
|
(security_enabled is defined and security_enabled != "y")
|
||||||
|
notify:
|
||||||
|
- save iptables
|
||||||
|
|
||||||
|
- name: Configure ip6tables so IPSec traffic can traverse the tunnel
|
||||||
|
iptables: ip_version=ipv6 table=nat chain=POSTROUTING source="{{ vpn_network_ipv6 }}" jump=MASQUERADE
|
||||||
|
when: (security_enabled is not defined) or
|
||||||
|
(security_enabled is defined and security_enabled != "y")
|
||||||
|
notify:
|
||||||
|
- save iptables
|
||||||
|
|
||||||
- name: Ensure that the strongswan group exist
|
- name: Ensure that the strongswan group exist
|
||||||
group: name=strongswan state=present
|
group: name=strongswan state=present
|
||||||
|
|
||||||
|
|
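Review bot: The `when:` on both new tasks at `@ -20,6 +20,20` is written as a two-line plain scalar, which YAML folds into one expression only because the continuation happens to be indented more than the key; the second half `(security_enabled is defined and ...)` is also redundant after the `is not defined` test. Collapse each to one line, `when: security_enabled is not defined or security_enabled != "y"`, or wrap the two tasks in a `block:` carrying that single condition so the duplicated expression cannot drift. Because the `!= "y"` test is the complement of the exact-match gate used in the playbooks, any input other than a lower-case "y" lands the host in this MASQUERADE path with the security role's rules absent; normalising the prompt answer in the playbooks keeps the two sides consistent. The handler `save iptables` is not visible in this change; confirm it exists in this role.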