From f6155571048693570cd07bbc9e4ef80c17ef4c66 Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Mon, 19 Feb 2018 19:03:17 +0300
Subject: [PATCH] Remove the security role

---
 .travis.yml | 2 +-
 algo | 6 -
 deploy.yml | 1 -
 roles/security/handlers/main.yml | 5 -
 roles/security/meta/main.yml | 4 -
 roles/security/tasks/main.yml | 161 ------------------
 roles/security/templates/10periodic.j2 | 4 -
 .../templates/50unattended-upgrades.j2 | 59 -------
 roles/security/templates/sshd_config.j2 | 51 ------
 9 files changed, 1 insertion(+), 292 deletions(-)
 delete mode 100644 roles/security/handlers/main.yml
 delete mode 100644 roles/security/meta/main.yml
 delete mode 100644 roles/security/tasks/main.yml
 delete mode 100644 roles/security/templates/10periodic.j2
 delete mode 100644 roles/security/templates/50unattended-upgrades.j2
 delete mode 100644 roles/security/templates/sshd_config.j2

diff --git a/.travis.yml b/.travis.yml
index c751a6eb..ae0adc43 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -52,7 +52,7 @@ script:
 # - shellcheck algo
 # - ansible-lint deploy.yml users.yml deploy_client.yml
 - ansible-playbook deploy.yml --syntax-check
- - ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,security,tests -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y"
+ - ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,tests -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y"
 after_script:
 - ./tests/update-users.sh
diff --git a/algo b/algo
index 38bbc9dd..dca852c3 100755
--- a/algo
+++ b/algo
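Review bot: The run on the added line still carries the `tests` tag but no longer the `security` tag, so any check under `tests/` that asserted the hardening the deleted role applied (the sshd_config options or the unattended-upgrades install) would now fail or become vacuous; that directory is outside this patch and should be checked. If none of its checks depended on the role, the line is fine as written.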
@@ -48,12 +48,6 @@ Do you want each user to have their own account for SSH tunneling?
 ssh_tunneling_enabled=${ssh_tunneling_enabled:-n}
 if [[ "$ssh_tunneling_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" ssh_tunneling"; fi
-read -p "
-Do you want to apply operating system security enhancements on the server? (warning: replaces your sshd_config)
-[y/N]: " -r security_enabled
-security_enabled=${security_enabled:-n}
-if [[ "$security_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" security"; fi
-
 read -p "
 Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
 [y/N]: " -r Win10_Enabled
diff --git a/deploy.yml b/deploy.yml
index fa38b336..fa5212ec 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -63,7 +63,6 @@
 tags: always
 roles:
- - { role: security, tags: [ 'security' ] }
 - { role: dns_adblocking, tags: ['dns', 'adblock' ] }
 - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ] }
 - { role: vpn, tags: [ 'vpn' ] }
diff --git a/roles/security/handlers/main.yml b/roles/security/handlers/main.yml
deleted file mode 100644
index ab98db63..00000000
--- a/roles/security/handlers/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- name: restart ssh
- service: name="{{ ssh_service_name|default('ssh') }}" state=restarted
-
-- name: flush routing cache
- shell: echo 1 > /proc/sys/net/ipv4/route/flush
diff --git a/roles/security/meta/main.yml b/roles/security/meta/main.yml
deleted file mode 100644
index e985f927..00000000
--- a/roles/security/meta/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-
-dependencies:
- - { role: common, tags: common }
diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml
deleted file mode 100644
index 2f279122..00000000
--- a/roles/security/tasks/main.yml
+++ /dev/null
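Review bot: The `common` role has no remaining entry point visible in this patch: the deleted `roles/security/meta/main.yml` pulled it in via `dependencies: - { role: common, tags: common }`, and the `roles:` list in the deploy.yml hunk does not name it, so unless `dns_adblocking`, `ssh_tunneling` or `vpn` declare the same dependency in their own meta files (outside this patch) the play would no longer run `common`. If none of them does, list it explicitly, e.g. `- { role: common, tags: [ 'common' ] }` ahead of the `dns_adblocking` entry. The commit message also does not say whether the unattended-upgrades, sysctl and `/etc/ssh/sshd_config` hardening the deleted tasks applied is being dropped or relocated; one sentence stating that would help anyone tracing why a server deployed after this change carries a stock sshd configuration. The enclosing play begins before the deploy.yml hunk.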
@@ -1,161 +0,0 @@
----
-- block:
- - name: Install tools
- apt: name="{{ item }}" state=latest
- with_items:
- - unattended-upgrades
-
- - name: Configure unattended-upgrades
- template:
- src: 50unattended-upgrades.j2
- dest: /etc/apt/apt.conf.d/50unattended-upgrades
- owner: root
- group: root
- mode: 0644
-
- - name: Periodic upgrades configured
- template:
- src: 10periodic.j2
- dest: /etc/apt/apt.conf.d/10periodic
- owner: root
- group: root
- mode: 0644
-
- - name: Find directories for minimizing access
- stat:
- path: "{{ item }}"
- register: minimize_access_directories
- with_items:
- - '/usr/local/sbin'
- - '/usr/local/bin'
- - '/usr/sbin'
- - '/usr/bin'
- - '/sbin'
- - '/bin'
-
- - name: Minimize access
- file:
- path: '{{ item.stat.path }}'
- mode: 'go-w'
- recurse: yes
- when: item.stat.isdir
- with_items: "{{ minimize_access_directories.results }}"
- no_log: True
-
- - name: Change shadow ownership to root and mode to 0600
- file:
- dest: '/etc/shadow'
- owner: root
- group: root
- mode: 0600
-
- - name: change su-binary to only be accessible to user and group root
- file:
- dest: '/bin/su'
- owner: root
- group: root
- mode: 0750
-
- # Core dumps
-
- - name: Restrict core dumps (with PAM)
- lineinfile:
- dest: /etc/security/limits.conf
- line: "* hard core 0"
- state: present
-
- - name: Restrict core dumps (with sysctl)
- sysctl:
- name: fs.suid_dumpable
- value: 0
- ignoreerrors: yes
- sysctl_set: yes
- reload: yes
- state: present
-
- # Kernel fixes
-
- - name: Disable Source Routed Packet Acceptance
- sysctl:
- name: "{{item}}"
- value: 0
- ignoreerrors: yes
- sysctl_set: yes
- reload: yes
- state: present
- with_items:
- - net.ipv4.conf.all.accept_source_route
- - net.ipv4.conf.default.accept_source_route
- notify:
- - flush routing cache
-
- - name: Disable ICMP Redirect Acceptance
- sysctl:
- name: "{{item}}"
- value: 0
- ignoreerrors: yes
- sysctl_set: yes
- reload: yes
- state: present
- with_items:
- - net.ipv4.conf.all.accept_redirects
- - net.ipv4.conf.default.accept_redirects
-
- - name: Disable Secure ICMP Redirect Acceptance
- sysctl:
- name: "{{item}}"
- value: 0
- ignoreerrors: yes
- sysctl_set: yes
- reload: yes
- state: present
- with_items:
- - net.ipv4.conf.all.secure_redirects
- - net.ipv4.conf.default.secure_redirects
- notify:
- - flush routing cache
-
- - name: Enable Bad Error Message Protection
- sysctl:
- name: net.ipv4.icmp_ignore_bogus_error_responses
- value: 1
- ignoreerrors: yes
- sysctl_set: yes
- reload: yes
- state: present
- notify:
- - flush routing cache
-
- - name: Enable RFC-recommended Source Route Validation
- sysctl:
- name: "{{item}}"
- value: 1
- ignoreerrors: yes
- sysctl_set: yes
- reload: yes
- state: present
- with_items:
- - net.ipv4.conf.all.rp_filter
- - net.ipv4.conf.default.rp_filter
- notify:
- - flush routing cache
-
- - name: Do not send ICMP redirects (we are not a router)
- sysctl:
- name: net.ipv4.conf.all.send_redirects
- value: 0
-
- - name: SSH config
- template:
- src: sshd_config.j2
- dest: /etc/ssh/sshd_config
- owner: root
- group: root
- mode: 0644
- notify:
- - restart ssh
- rescue:
- - debug: var=fail_hint
- tags: always
- - fail:
- tags: always
diff --git a/roles/security/templates/10periodic.j2 b/roles/security/templates/10periodic.j2
deleted file mode 100644
index 75870203..00000000
--- a/roles/security/templates/10periodic.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-APT::Periodic::Update-Package-Lists "1";
-APT::Periodic::Download-Upgradeable-Packages "1";
-APT::Periodic::AutocleanInterval "7";
-APT::Periodic::Unattended-Upgrade "1";
\ No newline at end of file
diff --git a/roles/security/templates/50unattended-upgrades.j2 b/roles/security/templates/50unattended-upgrades.j2
deleted file mode 100644
index 5f8fb159..00000000
--- a/roles/security/templates/50unattended-upgrades.j2
+++ /dev/null
@@ -1,59 +0,0 @@
-// Automatically upgrade packages from these (origin:archive) pairs
-Unattended-Upgrade::Allowed-Origins {
- "${distro_id}:${distro_codename}-security";
- "${distro_id}:${distro_codename}-updates";
-// "${distro_id}:${distro_codename}-proposed";
-// "${distro_id}:${distro_codename}-backports";
-};
-
-// List of packages to not update (regexp are supported)
-Unattended-Upgrade::Package-Blacklist {
-// "vim";
-// "libc6";
-// "libc6-dev";
-// "libc6-i686";
-};
-
-// This option allows you to control if on a unclean dpkg exit
-// unattended-upgrades will automatically run
-// dpkg --force-confold --configure -a
-// The default is true, to ensure updates keep getting installed
-//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
-
-// Split the upgrade into the smallest possible chunks so that
-// they can be interrupted with SIGUSR1. This makes the upgrade
-// a bit slower but it has the benefit that shutdown while a upgrade
-// is running is possible (with a small delay)
-//Unattended-Upgrade::MinimalSteps "true";
-
-// Install all unattended-upgrades when the machine is shuting down
-// instead of doing it in the background while the machine is running
-// This will (obviously) make shutdown slower
-//Unattended-Upgrade::InstallOnShutdown "true";
-
-// Send email to this address for problems or packages upgrades
-// If empty or unset then no email is sent, make sure that you
-// have a working mail setup on your system. A package that provides
-// 'mailx' must be installed. E.g. "user@example.com"
-//Unattended-Upgrade::Mail "root";
-
-// Set this value to "true" to get emails only on errors. Default
-// is to always send a mail if Unattended-Upgrade::Mail is set
-//Unattended-Upgrade::MailOnlyOnError "true";
-
-// Do automatic removal of new unused dependencies after the upgrade
-// (equivalent to apt-get autoremove)
-//Unattended-Upgrade::Remove-Unused-Dependencies "false";
-
-// Automatically reboot *WITHOUT CONFIRMATION*
-// if the file /var/run/reboot-required is found after the upgrade
-//Unattended-Upgrade::Automatic-Reboot "false";
-
-// If automatic reboot is enabled and needed, reboot at the specific
-// time instead of immediately
-// Default: "now"
-//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
-
-// Use apt bandwidth limit feature, this example limits the download
-// speed to 70kb/sec
-//Acquire::http::Dl-Limit "70";
diff --git a/roles/security/templates/sshd_config.j2 b/roles/security/templates/sshd_config.j2
deleted file mode 100644
index 4bdb2601..00000000
--- a/roles/security/templates/sshd_config.j2
+++ /dev/null
@@ -1,51 +0,0 @@
-Port 22
-# ListenAddress ::
-# ListenAddress 0.0.0.0
-Protocol 2
-
-# LogLevel VERBOSE logs user's key fingerprint on login.
-# Needed to have a clear audit log of which keys were used to log in.
-SyslogFacility AUTH
-LogLevel VERBOSE
-
-# Use kernel sandbox mechanisms where possible
-# Systrace on OpenBSD, Seccomp on Linux, seatbelt on macOS X (Darwin), rlimit elsewhere.
-UsePrivilegeSeparation sandbox
-
-# Handy for keeping network connections alive
-TCPKeepAlive yes
-ClientAliveInterval 120
-
-# Authentication
-UsePAM yes
-PermitRootLogin without-password
-StrictModes yes
-PubkeyAuthentication yes
-AcceptEnv LANG LC_*
-
-# Turn off a lot of features
-IgnoreRhosts yes
-HostbasedAuthentication no
-PermitEmptyPasswords no
-ChallengeResponseAuthentication no
-PasswordAuthentication no
-UseDNS no
-
-# Do not enable sftp
-# If you DO enable it, use this line to log which files sftp users read/write
-# Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
-
-# This makes ansible faster
-PrintMotd no
-PrintLastLog yes
-
-# Use only modern host keys
-HostKey /etc/ssh/ssh_host_ed25519_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-
-# Use only modern ciphers
-KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256
-Ciphers chacha20-poly1305@openssh.com,aes128-gcm@openssh.com
-MACs hmac-sha2-256-etm@openssh.com
-HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp256
-# PubkeyAcceptedKeyTypes accept anything