wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-06-07 07:33:52 +02:00
Code Issues Projects Releases Wiki Activity

improved readability with native yaml (#530)

Browse source
This commit is contained in:
Ruben Jongejan 2017-05-08 22:34:24 +02:00 committed by Dan Guido
parent 97369c303a
commit 07ddb5863b
10 changed files with 164 additions and 39 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
roles/dns_adblocking/tasks/main.yml
View file

@ -21,12 +21,19 @@
when: ansible_distribution == 'FreeBSD' when: ansible_distribution == 'FreeBSD'
- name: Dnsmasq configured - name: Dnsmasq configured
template: src=dnsmasq.conf.j2 dest="{{ config_prefix|default('/') }}etc/dnsmasq.conf" template:
src: dnsmasq.conf.j2
dest: "{{ config_prefix|default('/') }}etc/dnsmasq.conf"
notify: notify:
- restart dnsmasq - restart dnsmasq
- name: Adblock script created - name: Adblock script created
template: src=adblock.sh dest=/usr/local/sbin/adblock.sh owner=root group="{{ root_group|default('root') }}" mode=0755 template:
src: adblock.sh
dest: /usr/local/sbin/adblock.sh
owner: root
group: "{{ root_group|default('root') }}"
mode: 0755
- name: Adblock script added to cron - name: Adblock script added to cron
cron: cron:
@ -43,7 +50,10 @@
- meta: flush_handlers - meta: flush_handlers
- name: Dnsmasq enabled and started - name: Dnsmasq enabled and started
service: name=dnsmasq state=started enabled=yes service:
name: dnsmasq
state: started
enabled: yes
rescue: rescue:
- debug: var=fail_hint - debug: var=fail_hint
tags: always tags: always

18
roles/dns_adblocking/tasks/ubuntu.yml
View file

@ -1,7 +1,12 @@
--- ---
- name: Ubuntu | Dnsmasq profile for apparmor configured - name: Ubuntu | Dnsmasq profile for apparmor configured
template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=0600 template:
src: usr.sbin.dnsmasq.j2
dest: /etc/apparmor.d/usr.sbin.dnsmasq
owner: root
group: root
mode: 0600
when: apparmor_enabled is defined and apparmor_enabled == true when: apparmor_enabled is defined and apparmor_enabled == true
notify: notify:
- restart dnsmasq - restart dnsmasq
@ -12,10 +17,17 @@
tags: ['apparmor'] tags: ['apparmor']
- name: Ubuntu | Ensure that the dnsmasq service directory exist - name: Ubuntu | Ensure that the dnsmasq service directory exist
file: path=/etc/systemd/system/dnsmasq.service.d/ state=directory mode=0755 owner=root group=root file:
path: /etc/systemd/system/dnsmasq.service.d/
state: directory
mode: 0755
owner: root
group: root
- name: Ubuntu | Setup the cgroup limitations for the ipsec daemon - name: Ubuntu | Setup the cgroup limitations for the ipsec daemon
template: src=100-CustomLimitations.conf.j2 dest=/etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf template:
src: 100-CustomLimitations.conf.j2
dest: /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
notify: notify:
- daemon-reload - daemon-reload
- restart dnsmasq - restart dnsmasq

95
roles/security/tasks/main.yml
View file

@ -6,10 +6,20 @@
- unattended-upgrades - unattended-upgrades
- name: Configure unattended-upgrades - name: Configure unattended-upgrades
template: src=50unattended-upgrades.j2 dest=/etc/apt/apt.conf.d/50unattended-upgrades owner=root group=root mode=0644 template:
src: 50unattended-upgrades.j2
dest: /etc/apt/apt.conf.d/50unattended-upgrades
owner: root
group: root
mode: 0644
- name: Periodic upgrades configured - name: Periodic upgrades configured
template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=0644 template:
src: 10periodic.j2
dest: /etc/apt/apt.conf.d/10periodic
owner: root
group: root
mode: 0644
- name: Find directories for minimizing access - name: Find directories for minimizing access
stat: stat:
@ -24,16 +34,27 @@
- '/bin' - '/bin'
- name: Minimize access - name: Minimize access
file: path='{{ item.stat.path }}' mode='go-w' recurse=yes file:
path: '{{ item.stat.path }}'
mode: 'go-w'
recurse: yes
when: item.stat.isdir when: item.stat.isdir
with_items: "{{ minimize_access_directories.results }}" with_items: "{{ minimize_access_directories.results }}"
no_log: True no_log: True
- name: Change shadow ownership to root and mode to 0600 - name: Change shadow ownership to root and mode to 0600
file: dest='/etc/shadow' owner=root group=root mode=0600 file:
dest: '/etc/shadow'
owner: root
group: root
mode: 0600
- name: change su-binary to only be accessible to user and group root - name: change su-binary to only be accessible to user and group root
file: dest='/bin/su' owner=root group=root mode=0750 file:
dest: '/bin/su'
owner: root
group: root
mode: 0750
- name: Collect Use of privileged commands - name: Collect Use of privileged commands
shell: > shell: >
@ -45,15 +66,30 @@
# Core dumps # Core dumps
- name: Restrict core dumps (with PAM) - name: Restrict core dumps (with PAM)
lineinfile: dest=/etc/security/limits.conf line="* hard core 0" state=present lineinfile:
dest: /etc/security/limits.conf
line: "* hard core 0"
state: present
- name: Restrict core dumps (with sysctl) - name: Restrict core dumps (with sysctl)
sysctl: name=fs.suid_dumpable value=0 ignoreerrors=yes sysctl_set=yes reload=yes state=present sysctl:
name: fs.suid_dumpable
value: 0
ignoreerrors: yes
sysctl_set: yes
reload: yes
state: present
# Kernel fixes # Kernel fixes
- name: Disable Source Routed Packet Acceptance - name: Disable Source Routed Packet Acceptance
sysctl: name="{{item}}" value=0 ignoreerrors=yes sysctl_set=yes reload=yes state=present sysctl:
name: "{{item}}"
value: 0
ignoreerrors: yes
sysctl_set: yes
reload: yes
state: present
with_items: with_items:
- net.ipv4.conf.all.accept_source_route - net.ipv4.conf.all.accept_source_route
- net.ipv4.conf.default.accept_source_route - net.ipv4.conf.default.accept_source_route
@ -61,13 +97,25 @@
- flush routing cache - flush routing cache
- name: Disable ICMP Redirect Acceptance - name: Disable ICMP Redirect Acceptance
sysctl: name="{{item}}" value=0 ignoreerrors=yes sysctl_set=yes reload=yes state=present sysctl:
name: "{{item}}"
value: 0
ignoreerrors: yes
sysctl_set: yes
reload: yes
state: present
with_items: with_items:
- net.ipv4.conf.all.accept_redirects - net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects - net.ipv4.conf.default.accept_redirects
- name: Disable Secure ICMP Redirect Acceptance - name: Disable Secure ICMP Redirect Acceptance
sysctl: name="{{item}}" value=0 ignoreerrors=yes sysctl_set=yes reload=yes state=present sysctl:
name: "{{item}}"
value: 0
ignoreerrors: yes
sysctl_set: yes
reload: yes
state: present
with_items: with_items:
- net.ipv4.conf.all.secure_redirects - net.ipv4.conf.all.secure_redirects
- net.ipv4.conf.default.secure_redirects - net.ipv4.conf.default.secure_redirects
@ -75,12 +123,24 @@
- flush routing cache - flush routing cache
- name: Enable Bad Error Message Protection - name: Enable Bad Error Message Protection
sysctl: name=net.ipv4.icmp_ignore_bogus_error_responses value=1 ignoreerrors=yes sysctl_set=yes reload=yes state=present sysctl:
name: net.ipv4.icmp_ignore_bogus_error_responses
value: 1
ignoreerrors: yes
sysctl_set: yes
reload: yes
state: present
notify: notify:
- flush routing cache - flush routing cache
- name: Enable RFC-recommended Source Route Validation - name: Enable RFC-recommended Source Route Validation
sysctl: name="{{item}}" value=1 ignoreerrors=yes sysctl_set=yes reload=yes state=present sysctl:
name: "{{item}}"
value: 1
ignoreerrors: yes
sysctl_set: yes
reload: yes
state: present
with_items: with_items:
- net.ipv4.conf.all.rp_filter - net.ipv4.conf.all.rp_filter
- net.ipv4.conf.default.rp_filter - net.ipv4.conf.default.rp_filter
@ -88,10 +148,17 @@
- flush routing cache - flush routing cache
- name: Do not send ICMP redirects (we are not a router) - name: Do not send ICMP redirects (we are not a router)
sysctl: name=net.ipv4.conf.all.send_redirects value=0 sysctl:
name: net.ipv4.conf.all.send_redirects
value: 0
- name: SSH config - name: SSH config
template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644 template:
src: sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: 0644
notify: notify:
- restart ssh - restart ssh
rescue: rescue:

15
roles/ssh_tunneling/tasks/main.yml
View file

@ -18,7 +18,12 @@
group: name=algo state=present group: name=algo state=present
- name: Ensure that the jail directory exist - name: Ensure that the jail directory exist
file: path=/var/jail/ state=directory mode=0755 owner=root group="{{ root_group|default('root') }}" file:
path: /var/jail/
state: directory
mode: 0755
owner: root
group: "{{ root_group|default('root') }}"
- name: Ensure that the SSH users exist - name: Ensure that the SSH users exist
user: user:
@ -46,12 +51,14 @@
with_items: "{{ users }}" with_items: "{{ users }}"
- name: Generate SSH fingerprints - name: Generate SSH fingerprints
shell: > shell: ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null
ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null
register: ssh_fingerprints register: ssh_fingerprints
- name: Fetch users SSH private keys - name: Fetch users SSH private keys
fetch: src='/var/jail/{{ item }}/.ssh/id_ecdsa' dest=configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem flat=yes fetch:
src: '/var/jail/{{ item }}/.ssh/id_ecdsa'
dest: configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem
flat: yes
with_items: "{{ users }}" with_items: "{{ users }}"
- name: Change mode for SSH private keys - name: Change mode for SSH private keys

11
roles/vpn/tasks/freebsd.yml
View file

@ -15,8 +15,7 @@
- "crypto" - "crypto"
- name: FreeBSD / HardenedBSD | Make the kernel config - name: FreeBSD / HardenedBSD | Make the kernel config
shell: > shell: sysctl -b kern.conftxt > /tmp/IPSEC
sysctl -b kern.conftxt > /tmp/IPSEC
when: rebuild_needed is defined and rebuild_needed == true when: rebuild_needed is defined and rebuild_needed == true
- name: FreeBSD / HardenedBSD | Ensure the all options are enabled - name: FreeBSD / HardenedBSD | Ensure the all options are enabled
@ -100,8 +99,7 @@
msg: "Something went wrong. Check the debug output above." msg: "Something went wrong. Check the debug output above."
- name: FreeBSD / HardenedBSD | Reboot - name: FreeBSD / HardenedBSD | Reboot
shell: > shell: sleep 2 && shutdown -r now
sleep 2 && shutdown -r now
args: args:
executable: /usr/local/bin/bash executable: /usr/local/bin/bash
when: rebuild_needed is defined and rebuild_needed == true when: rebuild_needed is defined and rebuild_needed == true
@ -110,4 +108,7 @@
ignore_errors: true ignore_errors: true
- name: FreeBSD / HardenedBSD | Enable strongswan - name: FreeBSD / HardenedBSD | Enable strongswan
lineinfile: dest=/etc/rc.conf regexp=^strongswan_enable= line='strongswan_enable="YES"' lineinfile:
dest: /etc/rc.conf
regexp: ^strongswan_enable=
line: 'strongswan_enable="YES"'

6
roles/vpn/tasks/ipec_configuration.yml
View file

@ -32,7 +32,11 @@
register: strongswan_plugins register: strongswan_plugins
- name: Disable unneeded plugins - name: Disable unneeded plugins
lineinfile: dest="{{ config_prefix|default('/') }}etc/strongswan.d/charon/{{ item }}.conf" regexp='.*load.*' line='load = no' state=present lineinfile:
dest: "{{ config_prefix|default('/') }}etc/strongswan.d/charon/{{ item }}.conf"
regexp: '.*load.*'
line: 'load = no'
state: present
notify: notify:
- restart strongswan - restart strongswan
when: item not in strongswan_enabled_plugins and item not in strongswan_additional_plugins when: item not in strongswan_enabled_plugins and item not in strongswan_additional_plugins

14
roles/vpn/tasks/iptables.yml
View file

@ -1,14 +1,24 @@
--- ---
- name: Iptables configured - name: Iptables configured
template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode=0640 template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: root
mode: 0640
with_items: with_items:
- { src: rules.v4.j2, dest: /etc/iptables/rules.v4 } - { src: rules.v4.j2, dest: /etc/iptables/rules.v4 }
notify: notify:
- restart iptables - restart iptables
- name: Iptables configured - name: Iptables configured
template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode=0640 template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: root
mode: 0640
when: ipv6_support is defined and ipv6_support == true when: ipv6_support is defined and ipv6_support == true
with_items: with_items:
- { src: rules.v6.j2, dest: /etc/iptables/rules.v6 } - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }

3
roles/vpn/tasks/main.yml
View file

@ -16,8 +16,7 @@
package: name=strongswan state=present package: name=strongswan state=present
- name: Get StrongSwan versions - name: Get StrongSwan versions
shell: > shell: ipsec --versioncode | grep -oE "^U([0-9]*|\.)*" | sed "s/^U\|\.//g"
ipsec --versioncode | grep -oE "^U([0-9]*|\.)*" | sed "s/^U\|\.//g"
register: strongswan_version register: strongswan_version
- include: ipec_configuration.yml - include: ipec_configuration.yml

8
roles/vpn/tasks/ubuntu-hacks.yml
View file

@ -1,10 +1,14 @@
--- ---
- name: Configure apt to use the Xenial release by default - name: Configure apt to use the Xenial release by default
template: src=01_xenial_aptconf.j2 dest=/etc/apt/apt.conf.d/01xenial template:
src: 01_xenial_aptconf.j2
dest: /etc/apt/apt.conf.d/01xenial
- name: Configure packages preferences - name: Configure packages preferences
template: src=01_strongswan.pref.j2 dest=/etc/apt/preferences.d/01_strongswan.pref template:
src: 01_strongswan.pref.j2
dest: /etc/apt/preferences.d/01_strongswan.pref
- name: Configure the Ubuntu Zesty repository - name: Configure the Ubuntu Zesty repository
apt_repository: apt_repository:

17
roles/vpn/tasks/ubuntu.yml
View file

@ -7,7 +7,11 @@
when: ansible_distribution_version == "16.04" when: ansible_distribution_version == "16.04"
- name: Ubuntu | Install strongSwan - name: Ubuntu | Install strongSwan
apt: name=strongswan state=latest update_cache=yes install_recommends=yes apt:
name: strongswan
state: latest
update_cache: yes
install_recommends: yes
- name: Ubuntu | Enforcing ipsec with apparmor - name: Ubuntu | Enforcing ipsec with apparmor
shell: aa-enforce "{{ item }}" shell: aa-enforce "{{ item }}"
@ -28,10 +32,17 @@
- netfilter-persistent - netfilter-persistent
- name: Ubuntu | Ensure that the strongswan service directory exist - name: Ubuntu | Ensure that the strongswan service directory exist
file: path=/etc/systemd/system/strongswan.service.d/ state=directory mode=0755 owner=root group=root file:
path: /etc/systemd/system/strongswan.service.d/
state: directory
mode: 0755
owner: root
group: root
- name: Ubuntu | Setup the cgroup limitations for the ipsec daemon - name: Ubuntu | Setup the cgroup limitations for the ipsec daemon
template: src=100-CustomLimitations.conf.j2 dest=/etc/systemd/system/strongswan.service.d/100-CustomLimitations.conf template:
src: 100-CustomLimitations.conf.j2
dest: /etc/systemd/system/strongswan.service.d/100-CustomLimitations.conf
notify: notify:
- daemon-reload - daemon-reload
- restart strongswan - restart strongswan