improved readability with native yaml (#530)

Ruben Jongejan 2017-05-08 22:34:24 +02:00 committed by Dan Guido
parent 97369c303a
commit 07ddb5863b
10 changed files with 164 additions and 39 deletions


@ -21,12 +21,19 @@
when: ansible_distribution == 'FreeBSD'
- name: Dnsmasq configured
template: src=dnsmasq.conf.j2 dest="{{ config_prefix|default('/') }}etc/dnsmasq.conf"
template:
src: dnsmasq.conf.j2
dest: "{{ config_prefix|default('/') }}etc/dnsmasq.conf"
notify:
- restart dnsmasq
- name: Adblock script created
template: src=adblock.sh dest=/usr/local/sbin/adblock.sh owner=root group="{{ root_group|default('root') }}" mode=0755
template:
src: adblock.sh
dest: /usr/local/sbin/adblock.sh
owner: root
group: "{{ root_group|default('root') }}"
mode: 0755
- name: Adblock script added to cron
cron:
@ -43,7 +50,10 @@
- meta: flush_handlers
- name: Dnsmasq enabled and started
service: name=dnsmasq state=started enabled=yes
service:
name: dnsmasq
state: started
enabled: yes
rescue:
- debug: var=fail_hint
tags: always
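Review bot: `mode: 0755` on the Adblock script task is now a bare YAML scalar where the old `mode=0755` shorthand passed a string; Ansible's YAML 1.1 loader reads a leading-zero literal as the octal integer 493 (still 0o755), so it works today, but if the leading zero is ever dropped or the file is read by a YAML 1.2 parser the value becomes a decimal number and the file module applies an unintended mode. Quoting keeps the value a string and is the form the Ansible docs recommend: `mode: '0755'`. The same conversion appears in every other section of this commit — the 0600 apparmor profile and 0755 service directories, the 0644 apt/ssh templates plus 0600 on /etc/shadow and 0750 on /bin/su in the hardening tasks, 0755 on /var/jail, 0640 on the iptables rules and 0755 on the strongswan service directory — and each should be quoted the same way.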


@ -1,7 +1,12 @@
---
- name: Ubuntu | Dnsmasq profile for apparmor configured
template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=0600
template:
src: usr.sbin.dnsmasq.j2
dest: /etc/apparmor.d/usr.sbin.dnsmasq
owner: root
group: root
mode: 0600
when: apparmor_enabled is defined and apparmor_enabled == true
notify:
- restart dnsmasq
@ -12,10 +17,17 @@
tags: ['apparmor']
- name: Ubuntu | Ensure that the dnsmasq service directory exist
file: path=/etc/systemd/system/dnsmasq.service.d/ state=directory mode=0755 owner=root group=root
file:
path: /etc/systemd/system/dnsmasq.service.d/
state: directory
mode: 0755
owner: root
group: root
- name: Ubuntu | Setup the cgroup limitations for the ipsec daemon
template: src=100-CustomLimitations.conf.j2 dest=/etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
template:
src: 100-CustomLimitations.conf.j2
dest: /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
notify:
- daemon-reload
- restart dnsmasq


@ -6,10 +6,20 @@
- unattended-upgrades
- name: Configure unattended-upgrades
template: src=50unattended-upgrades.j2 dest=/etc/apt/apt.conf.d/50unattended-upgrades owner=root group=root mode=0644
template:
src: 50unattended-upgrades.j2
dest: /etc/apt/apt.conf.d/50unattended-upgrades
owner: root
group: root
mode: 0644
- name: Periodic upgrades configured
template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=0644
template:
src: 10periodic.j2
dest: /etc/apt/apt.conf.d/10periodic
owner: root
group: root
mode: 0644
- name: Find directories for minimizing access
stat:
@ -24,16 +34,27 @@
- '/bin'
- name: Minimize access
file: path='{{ item.stat.path }}' mode='go-w' recurse=yes
file:
path: '{{ item.stat.path }}'
mode: 'go-w'
recurse: yes
when: item.stat.isdir
with_items: "{{ minimize_access_directories.results }}"
no_log: True
- name: Change shadow ownership to root and mode to 0600
file: dest='/etc/shadow' owner=root group=root mode=0600
file:
dest: '/etc/shadow'
owner: root
group: root
mode: 0600
- name: change su-binary to only be accessible to user and group root
file: dest='/bin/su' owner=root group=root mode=0750
file:
dest: '/bin/su'
owner: root
group: root
mode: 0750
- name: Collect Use of privileged commands
shell: >
@ -45,15 +66,30 @@
# Core dumps
- name: Restrict core dumps (with PAM)
lineinfile: dest=/etc/security/limits.conf line="* hard core 0" state=present
lineinfile:
dest: /etc/security/limits.conf
line: "* hard core 0"
state: present
- name: Restrict core dumps (with sysctl)
sysctl: name=fs.suid_dumpable value=0 ignoreerrors=yes sysctl_set=yes reload=yes state=present
sysctl:
name: fs.suid_dumpable
value: 0
ignoreerrors: yes
sysctl_set: yes
reload: yes
state: present
# Kernel fixes
- name: Disable Source Routed Packet Acceptance
sysctl: name="{{item}}" value=0 ignoreerrors=yes sysctl_set=yes reload=yes state=present
sysctl:
name: "{{item}}"
value: 0
ignoreerrors: yes
sysctl_set: yes
reload: yes
state: present
with_items:
- net.ipv4.conf.all.accept_source_route
- net.ipv4.conf.default.accept_source_route
@ -61,13 +97,25 @@
- flush routing cache
- name: Disable ICMP Redirect Acceptance
sysctl: name="{{item}}" value=0 ignoreerrors=yes sysctl_set=yes reload=yes state=present
sysctl:
name: "{{item}}"
value: 0
ignoreerrors: yes
sysctl_set: yes
reload: yes
state: present
with_items:
- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- name: Disable Secure ICMP Redirect Acceptance
sysctl: name="{{item}}" value=0 ignoreerrors=yes sysctl_set=yes reload=yes state=present
sysctl:
name: "{{item}}"
value: 0
ignoreerrors: yes
sysctl_set: yes
reload: yes
state: present
with_items:
- net.ipv4.conf.all.secure_redirects
- net.ipv4.conf.default.secure_redirects
@ -75,12 +123,24 @@
- flush routing cache
- name: Enable Bad Error Message Protection
sysctl: name=net.ipv4.icmp_ignore_bogus_error_responses value=1 ignoreerrors=yes sysctl_set=yes reload=yes state=present
sysctl:
name: net.ipv4.icmp_ignore_bogus_error_responses
value: 1
ignoreerrors: yes
sysctl_set: yes
reload: yes
state: present
notify:
- flush routing cache
- name: Enable RFC-recommended Source Route Validation
sysctl: name="{{item}}" value=1 ignoreerrors=yes sysctl_set=yes reload=yes state=present
sysctl:
name: "{{item}}"
value: 1
ignoreerrors: yes
sysctl_set: yes
reload: yes
state: present
with_items:
- net.ipv4.conf.all.rp_filter
- net.ipv4.conf.default.rp_filter
@ -88,10 +148,17 @@
- flush routing cache
- name: Do not send ICMP redirects (we are not a router)
sysctl: name=net.ipv4.conf.all.send_redirects value=0
sysctl:
name: net.ipv4.conf.all.send_redirects
value: 0
- name: SSH config
template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644
template:
src: sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: 0644
notify:
- restart ssh
rescue:
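Review bot: The converted boolean arguments `ignoreerrors: yes`, `sysctl_set: yes`, `reload: yes` and `recurse: yes` use YAML 1.1 truthy words, while the untouched context line in the same file already spells a boolean as `no_log: True`, so the file now mixes three spellings. Ansible accepts all of them, but yamllint's truthy rule flags `yes` and a YAML 1.2 parser reads it as a string; writing `ignoreerrors: true` (and likewise for the others) is unambiguous. The same `yes` form is introduced by `enabled: yes` in the dnsmasq service task, `flat: yes` in the SSH key fetch and `update_cache: yes`/`install_recommends: yes` in the strongswan apt task.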


@ -18,7 +18,12 @@
group: name=algo state=present
- name: Ensure that the jail directory exist
file: path=/var/jail/ state=directory mode=0755 owner=root group="{{ root_group|default('root') }}"
file:
path: /var/jail/
state: directory
mode: 0755
owner: root
group: "{{ root_group|default('root') }}"
- name: Ensure that the SSH users exist
user:
@ -46,12 +51,14 @@
with_items: "{{ users }}"
- name: Generate SSH fingerprints
shell: >
ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null
shell: ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null
register: ssh_fingerprints
- name: Fetch users SSH private keys
fetch: src='/var/jail/{{ item }}/.ssh/id_ecdsa' dest=configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem flat=yes
fetch:
src: '/var/jail/{{ item }}/.ssh/id_ecdsa'
dest: configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem
flat: yes
with_items: "{{ users }}"
- name: Change mode for SSH private keys
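Review bot: In the fetch task `dest: configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem` is left as a plain scalar while the `src` line directly above it is quoted; the plain form only parses because the Jinja braces are not at the start of the value, so a later edit that moves them first would make YAML read `{{` as a flow mapping. Quoting both keeps the pair consistent and safe: `dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem"`. The collapsed `shell: ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null` above is fine as a plain scalar since it contains neither `: ` nor ` #`.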


@ -15,8 +15,7 @@
- "crypto"
- name: FreeBSD / HardenedBSD | Make the kernel config
shell: >
sysctl -b kern.conftxt > /tmp/IPSEC
shell: sysctl -b kern.conftxt > /tmp/IPSEC
when: rebuild_needed is defined and rebuild_needed == true
- name: FreeBSD / HardenedBSD | Ensure the all options are enabled
@ -100,8 +99,7 @@
msg: "Something went wrong. Check the debug output above."
- name: FreeBSD / HardenedBSD | Reboot
shell: >
sleep 2 && shutdown -r now
shell: sleep 2 && shutdown -r now
args:
executable: /usr/local/bin/bash
when: rebuild_needed is defined and rebuild_needed == true
@ -110,4 +108,7 @@
ignore_errors: true
- name: FreeBSD / HardenedBSD | Enable strongswan
lineinfile: dest=/etc/rc.conf regexp=^strongswan_enable= line='strongswan_enable="YES"'
lineinfile:
dest: /etc/rc.conf
regexp: ^strongswan_enable=
line: 'strongswan_enable="YES"'


@ -32,7 +32,11 @@
register: strongswan_plugins
- name: Disable unneeded plugins
lineinfile: dest="{{ config_prefix|default('/') }}etc/strongswan.d/charon/{{ item }}.conf" regexp='.*load.*' line='load = no' state=present
lineinfile:
dest: "{{ config_prefix|default('/') }}etc/strongswan.d/charon/{{ item }}.conf"
regexp: '.*load.*'
line: 'load = no'
state: present
notify:
- restart strongswan
when: item not in strongswan_enabled_plugins and item not in strongswan_additional_plugins


@ -1,14 +1,24 @@
---
- name: Iptables configured
template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode=0640
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: root
mode: 0640
with_items:
- { src: rules.v4.j2, dest: /etc/iptables/rules.v4 }
notify:
- restart iptables
- name: Iptables configured
template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode=0640
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: root
mode: 0640
when: ipv6_support is defined and ipv6_support == true
with_items:
- { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }


@ -16,8 +16,7 @@
package: name=strongswan state=present
- name: Get StrongSwan versions
shell: >
ipsec --versioncode | grep -oE "^U([0-9]*|\.)*" | sed "s/^U\|\.//g"
shell: ipsec --versioncode | grep -oE "^U([0-9]*|\.)*" | sed "s/^U\|\.//g"
register: strongswan_version
- include: ipec_configuration.yml


@ -1,10 +1,14 @@
---
- name: Configure apt to use the Xenial release by default
template: src=01_xenial_aptconf.j2 dest=/etc/apt/apt.conf.d/01xenial
template:
src: 01_xenial_aptconf.j2
dest: /etc/apt/apt.conf.d/01xenial
- name: Configure packages preferences
template: src=01_strongswan.pref.j2 dest=/etc/apt/preferences.d/01_strongswan.pref
template:
src: 01_strongswan.pref.j2
dest: /etc/apt/preferences.d/01_strongswan.pref
- name: Configure the Ubuntu Zesty repository
apt_repository:


@ -7,7 +7,11 @@
when: ansible_distribution_version == "16.04"
- name: Ubuntu | Install strongSwan
apt: name=strongswan state=latest update_cache=yes install_recommends=yes
apt:
name: strongswan
state: latest
update_cache: yes
install_recommends: yes
- name: Ubuntu | Enforcing ipsec with apparmor
shell: aa-enforce "{{ item }}"
@ -28,10 +32,17 @@
- netfilter-persistent
- name: Ubuntu | Ensure that the strongswan service directory exist
file: path=/etc/systemd/system/strongswan.service.d/ state=directory mode=0755 owner=root group=root
file:
path: /etc/systemd/system/strongswan.service.d/
state: directory
mode: 0755
owner: root
group: root
- name: Ubuntu | Setup the cgroup limitations for the ipsec daemon
template: src=100-CustomLimitations.conf.j2 dest=/etc/systemd/system/strongswan.service.d/100-CustomLimitations.conf
template:
src: 100-CustomLimitations.conf.j2
dest: /etc/systemd/system/strongswan.service.d/100-CustomLimitations.conf
notify:
- daemon-reload
- restart strongswan