diff --git a/src/automated-security-updates.yml b/src/automated-security-updates.yml
deleted file mode 100644
index d3a8212..0000000
--- a/src/automated-security-updates.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- name: Configure for automated security updates
- hosts: all
- become: true
- become_method: ansible.builtin.sudo
- tasks:
- - name: Set up automated security updates
- ansible.builtin.include_role:
- name: automated_security_updates
diff --git a/src/base.yml b/src/base.yml
index 70077f4..c8244c8 100644
--- a/src/base.yml
+++ b/src/base.yml
@@ -4,9 +4,6 @@
become: true
become_method: ansible.builtin.sudo
tasks:
- - name: Install and configure automated security updates
- ansible.builtin.include_role:
- name: automated_security_updates
- name: Install and configure login banner
ansible.builtin.include_role:
name: banner
@@ -19,9 +16,6 @@
- name: Install and configure htop
ansible.builtin.include_role:
name: htop
- - name: Configure JournalD to preserve logs across reboots
- ansible.builtin.include_role:
- name: persist_journald
- name: Install and configure systemd-resolved
ansible.builtin.include_role:
name: systemd_resolved
diff --git a/src/harden.yml b/src/harden.yml
index 1f6b7f7..f3cac2a 100644
--- a/src/harden.yml
+++ b/src/harden.yml
@@ -15,15 +15,61 @@
- https://raw.githubusercontent.com/cisagov/ansible-role-banner/develop/files/issue
- https://raw.githubusercontent.com/cisagov/ansible-role-banner/develop/files/motd
- name: Harden system
- # This role is forked from konstruktoid/ansible-role-hardening
- # and we do not control the names of the role variables. This
+ # We do not control the names of the role variables. This
# is the reason for the noqa comment.
- ansible.builtin.include_role: # noqa var-naming[no-role-prefix]
- name: harden
+ ansible.builtin.import_role: # noqa var-naming[no-role-prefix]
+ name: konstruktoid.hardening
vars:
- # Point the role to the correct issue and motd templates
+ automatic_updates: true
+ fallback_ntp:
+ - 169.254.169.123
issue_template: /tmp/issue
+ journald_storage: persistent
+ manage_timesyncd: false
+ manage_resolved: false
+ manage_ufw: false
motd_template: /tmp/motd
+ ntp_servers:
+ - 169.254.169.123
+ sshd_admin_net:
+ - "0.0.0.0/0"
+ system_upgrade: true
+ packages_blocklist:
+ - apport*
+ - autofs
+ - avahi*
+ - avahi-*
+ - beep
+ - git
+ - pastebinit
+ - popularity-contest
+ - prelink
+ - rpcbind
+ - rsh*
+ - rsync
+ - talk*
+ - telnet*
+ - tftp*
+ - tuned
+ - whoopsie
+ - xinetd
+ - yp-tools
+ - ypbind
+ packages_debian:
+ - auditd
+ - cracklib-runtime
+ - libpam-pwquality
+ packages_redhat:
+ - audit
+ - cracklib
+ - libpwquality
+ - python3-dnf-plugin-post-transaction-actions
+ packages_ubuntu: []
+ pass_max_days: 365
+ pass_min_days: 7
+ sshd_max_sessions: 4
+ suid_sgid_permissions: false
+ umask_value: "027"
- name: Delete local copies of issue and motd files
ansible.builtin.file:
path: "{{ item }}"
diff --git a/src/ipa-initial-seeding-script.yml b/src/ipa-initial-seeding-script.yml
index c079c67..af9911a 100644
--- a/src/ipa-initial-seeding-script.yml
+++ b/src/ipa-initial-seeding-script.yml
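Review bot: `sshd_admin_net` is set to `"0.0.0.0/0"`, which, as far as the variable name suggests, turns the role's allow-list of networks permitted SSH administrative access into no restriction at all, and the new `vars:` block gives no reason for that or for `suid_sgid_permissions: false`, which switches off the role's SUID/SGID clean-up. Each value that weakens the role's defaults should carry a comment stating the rationale, e.g. `# Any source network; reachability is limited by <network control here>` above `sshd_admin_net` and a similar line above `suid_sgid_permissions` (the bracketed reason is a placeholder to fill in). `ntp_servers` and `fallback_ntp` are set while `manage_timesyncd: false`, so those two values may not be consumed by the role in this configuration — worth confirming against the role's tasks before relying on them. The removed `# Point the role to the correct issue and motd templates` comment could be kept above `issue_template`, since that line and `motd_template` survive the change.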
@@ -2,6 +2,6 @@
- name: Install create-ipa-initial-seeding-script.sh
ansible.builtin.get_url:
dest: /usr/local/sbin
- mode: 0500
+ mode: "0500"
url: >
https://raw.githubusercontent.com/cisagov/cool-users/master/create-ipa-initial-seeding-script.sh
diff --git a/src/packer.pkr.hcl b/src/packer.pkr.hcl
index ec31744..8ab2755 100644
--- a/src/packer.pkr.hcl
+++ b/src/packer.pkr.hcl
@@ -132,12 +132,6 @@ source "amazon-ebs" "openvpn" {
build {
sources = ["source.amazon-ebs.openvpn"]
- provisioner "ansible" {
- playbook_file = "src/upgrade.yml"
- use_proxy = false
- use_sftp = true
- }
-
provisioner "ansible" {
playbook_file = "src/python.yml"
use_proxy = false
diff --git a/src/playbook.yml b/src/playbook.yml
index 0cd4991..3997e31 100644
--- a/src/playbook.yml
+++ b/src/playbook.yml
@@ -2,9 +2,6 @@
- name: Import base image playbook
ansible.builtin.import_playbook: base.yml
-- name: Import automated security updates playbook
- ansible.builtin.import_playbook: automated-security-updates.yml
-
- name: Import UFW playbook
ansible.builtin.import_playbook: ufw.yml
diff --git a/src/requirements.yml b/src/requirements.yml
index 306f7e5..3167891 100644
--- a/src/requirements.yml
+++ b/src/requirements.yml
@@ -4,8 +4,6 @@ collections:
roles:
- name: amazon_ssm_agent
src: https://github.com/cisagov/ansible-role-amazon-ssm-agent
- - name: automated_security_updates
- src: https://github.com/cisagov/ansible-role-automated-security-updates
- name: banner
src: https://github.com/cisagov/ansible-role-banner
- name: cdm_nessus_agent
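Review bot: The `get_url` task in this hunk fetches `create-ipa-initial-seeding-script.sh` from the `master` branch and installs it executable under `/usr/local/sbin` with no integrity check, so each image build takes whatever that branch holds at the time. Pinning the `url` to a specific commit and adding `checksum: sha256:<digest of the pinned file>` below `dest` would make the fetched content verifiable at build time; the digest is a placeholder to be replaced with the real value. A short comment above the task noting where the script's provenance is reviewed would also help the next reader.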
@@ -20,16 +18,16 @@ roles:
src: https://github.com/cisagov/ansible-role-crowdstrike
- name: freeipa_client
src: https://github.com/cisagov/ansible-role-freeipa-client
- - name: harden
- src: https://github.com/cisagov/ansible-role-hardening-2
+ - name: konstruktoid.hardening
+ version: v2.0.4
+ src: https://github.com/konstruktoid/ansible-role-hardening.git
+ scm: git
- name: htop
src: https://github.com/cisagov/ansible-role-htop
- name: nvme
src: https://github.com/cisagov/ansible-role-nvme
- name: openvpn
src: https://github.com/cisagov/ansible-role-openvpn
- - name: persist_journald
- src: https://github.com/cisagov/ansible-role-persist-journald
- name: pip
src: https://github.com/cisagov/ansible-role-pip
- name: python
@@ -40,5 +38,3 @@ roles:
src: https://github.com/cisagov/ansible-role-systemd-resolved
- name: ufw
src: https://github.com/cisagov/ansible-role-ufw
- - name: upgrade
- src: https://github.com/cisagov/ansible-role-upgrade
diff --git a/src/upgrade.yml b/src/upgrade.yml
deleted file mode 100644
index c065512..0000000
--- a/src/upgrade.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- name: Upgrade base image
- hosts: all
- become: true
- become_method: ansible.builtin.sudo
- tasks:
- - name: Upgrade all packages
- ansible.builtin.include_role:
- name: upgrade
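Review bot: `version: v2.0.4` pins the newly added third-party `konstruktoid.hardening` role to a git tag, and a tag can be moved after the fact; since this role is pulled straight from GitHub at build time and applies system-wide hardening, pinning `version` to the commit hash that tag currently resolves to (ansible-galaxy accepts a commit id there) gives a stable, verifiable reference, with the tag recorded in a comment such as `# v2.0.4` beside it. The surrounding cisagov roles in the same hunk carry no `version:` at all and therefore track their default branch; if that is deliberate, a comment saying so above the first such entry would make the difference in treatment intentional rather than accidental (the `roles:` list begins outside this hunk).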