wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-04-27 19:49:24 +02:00
Code Issues Projects Releases Wiki Activity

fix

Browse source
This commit is contained in:
Jack Ivanov 2016-08-25 22:20:53 +03:00
commit cf08c5ff61
14 changed files with 178 additions and 183 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
digitalocean.yml
View file

@ -1,3 +1,4 @@
# vim:ft=ansible:
- name: Configure the server and install required software - name: Configure the server and install required software
hosts: localhost hosts: localhost
@ -50,27 +51,27 @@
private: no private: no
- name: "dns_enabled" - name: "dns_enabled"
prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n" prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "proxy_enabled" - name: "proxy_enabled"
prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n" prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "auditd_enabled" - name: "auditd_enabled"
prompt: "Do you want to use auditd ? (Y or N):\n" prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "ssh_tunneling_enabled" - name: "ssh_tunneling_enabled"
prompt: "Do you want to use SSH tunneling ? (Y or N):\n" prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "easyrsa_p12_export_password" - name: "easyrsa_p12_export_password"
prompt: "Enter the password for p12 certificates:\n" prompt: "Enter a password for p12 certificates:\n"
default: "vpn" default: "vpn"
private: yes private: yes
@ -131,10 +132,10 @@
- common - common
- security - security
- vpn - vpn
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" } - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
- { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "Y" } - { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" } - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
handlers: handlers:
- name: reload eth0 - name: reload eth0

27
ec2.yml
View file

@ -21,7 +21,6 @@
"11": "sa-east-1" "11": "sa-east-1"
vars_prompt: vars_prompt:
- name: "aws_access_key" - name: "aws_access_key"
prompt: "Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n" prompt: "Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n"
private: yes private: yes
@ -58,27 +57,27 @@
private: no private: no
- name: "dns_enabled" - name: "dns_enabled"
prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n" prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "proxy_enabled" - name: "proxy_enabled"
prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n" prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "auditd_enabled" - name: "auditd_enabled"
prompt: "Do you want to use auditd ? (Y or N):\n" prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "ssh_tunneling_enabled" - name: "ssh_tunneling_enabled"
prompt: "Do you want to use SSH tunneling ? (Y or N):\n" prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "easyrsa_p12_export_password" - name: "easyrsa_p12_export_password"
prompt: "Enter the password for p12 certificates:\n" prompt: "Enter a password for p12 certificates:\n"
default: "vpn" default: "vpn"
private: yes private: yes
@ -102,7 +101,7 @@
- common - common
- security - security
- vpn - vpn
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" } - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" } - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" } - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }

27
gce.yml
View file

@ -1,3 +1,4 @@
# vim:ft=ansible:
- name: Configure the server and install required software - name: Configure the server and install required software
hosts: localhost hosts: localhost
gather_facts: false gather_facts: false
@ -54,27 +55,27 @@
private: no private: no
- name: "dns_enabled" - name: "dns_enabled"
prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n" prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "proxy_enabled" - name: "proxy_enabled"
prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n" prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "auditd_enabled" - name: "auditd_enabled"
prompt: "Do you want to use auditd ? (Y or N):\n" prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "ssh_tunneling_enabled" - name: "ssh_tunneling_enabled"
prompt: "Do you want to use SSH tunneling ? (Y or N):\n" prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "easyrsa_p12_export_password" - name: "easyrsa_p12_export_password"
prompt: "Enter the password for p12 certificates:\n" prompt: "Enter a password for p12 certificates:\n"
default: "vpn" default: "vpn"
private: yes private: yes
@ -98,7 +99,7 @@
- common - common
- security - security
- vpn - vpn
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" } - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" } - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" } - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }

31
non-cloud.yml
View file

@ -1,9 +1,10 @@
# vim:ft=ansible:
- hosts: localhost - hosts: localhost
gather_facts: False gather_facts: False
vars_files: vars_files:
- config.cfg - config.cfg
vars_prompt:
vars_prompt:
- name: "server_ip" - name: "server_ip"
prompt: "Enter IP address of your server: (use localhost for local installation)\n" prompt: "Enter IP address of your server: (use localhost for local installation)\n"
default: localhost default: localhost
@ -15,32 +16,32 @@
private: no private: no
- name: "dns_enabled" - name: "dns_enabled"
prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n" prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "proxy_enabled" - name: "proxy_enabled"
prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n" prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "auditd_enabled" - name: "auditd_enabled"
prompt: "Do you want to use auditd ? (Y or N):\n" prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "ssh_tunneling_enabled" - name: "ssh_tunneling_enabled"
prompt: "Do you want to use SSH tunneling ? (Y or N):\n" prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
default: "Y" default: "y"
private: no private: no
- name: "easyrsa_p12_export_password" - name: "easyrsa_p12_export_password"
prompt: "Enter the password for p12 certificates:\n" prompt: "Enter a password for p12 certificates:\n"
default: "vpn" default: "vpn"
private: yes private: yes
- name: "IP_subject" - name: "IP_subject"
prompt: "Enter public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n" prompt: "Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n"
private: no private: no
tasks: tasks:
@ -76,7 +77,7 @@
- common - common
- security - security
- vpn - vpn
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" } - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" } - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" } - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }

13
roles/common/templates/sshd_config.j2
View file

@ -24,7 +24,6 @@ PubkeyAuthentication yes
AcceptEnv LANG LC_* AcceptEnv LANG LC_*
# Turn off a lot of features # Turn off a lot of features
AllowAgentForwarding no
IgnoreRhosts yes IgnoreRhosts yes
RhostsRSAAuthentication no RhostsRSAAuthentication no
RSAAuthentication no RSAAuthentication no
@ -33,7 +32,6 @@ PermitEmptyPasswords no
ChallengeResponseAuthentication no ChallengeResponseAuthentication no
PasswordAuthentication no PasswordAuthentication no
UseDNS no UseDNS no
X11Forwarding no
# Do not enable sftp # Do not enable sftp
# If you DO enable it, use this line to log which files sftp users read/write # If you DO enable it, use this line to log which files sftp users read/write
@ -51,21 +49,16 @@ HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256 KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
###
# TODO: I haven't seen anyone review these yet # TODO: I haven't seen anyone review these yet
# HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519 # HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
# TODO: I haven't seen anyone review these yet # TODO: I haven't seen anyone review these yet
# PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519 # PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
# TODO: I think we want to enable tunnels but disable stream local fowarding?
# PermitTunnel yes
# AllowStreamLocalForwarding no
{% if ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" %} {% if ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" %}
Match Group algo Match Group algo
AllowTcpForwarding remote AllowTcpForwarding remote
AllowAgentForwarding no
AllowStreamLocalForwarding no AllowStreamLocalForwarding no
PermitTunnel no
X11Forwarding no
{% endif %} {% endif %}

2
roles/dns_adblocking/tasks/main.yml
View file

@ -10,7 +10,7 @@
- restart dnsmasq - restart dnsmasq
- name: The dnsmasq directory created - name: The dnsmasq directory created
file: dest=/var/lib/dnsmasq state=directory mode=755 owner=dnsmasq group=nogroup file: dest=/var/lib/dnsmasq state=directory mode=0755 owner=dnsmasq group=nogroup
- name: Enforce the dnsmasq AppArmor policy - name: Enforce the dnsmasq AppArmor policy
shell: aa-enforce usr.sbin.dnsmasq shell: aa-enforce usr.sbin.dnsmasq