Ansible playbook to harden your Linux system.
- Debian (Bookworm)
- Kali
- Raspberry Pi OS
- Slackware (>= 15.0)
- Limited hardening for CentOS 7 (see CentOS specific tasks with
ansible-playbook --list-tasks --tags centos harden.yml
)
- Bastille is obsolete
- Not a member of CIS, so no downloading of the ready made scripts
- For learning
- For minimizing the effort needed to tweak fresh installations
- Also for consistency
For a complete list you can run ansible-playbook --list-tasks harden.yml
.
- Enables TCP wrappers
- Some people consider TCP wrappers as obsolete and unnecessary, because nowadays firewall(s) take care of this kind of network level access. I disagree, because TCP wrappers still provide an additional layer of control in a case where the firewall(s) might fail for any number of reasons (usually misconfiguration). TCP wrappers also work as an network level ACL for the programs that utilize it and is a "native" control for those programs.
- IP stack hardening via sysctl settings
- For the complete list, see network.conf.new
- Creates a basic firewall
- Configure log retention time to be 6 months
- Configures
logrotate
toshred
files- NOTE: Read the fine print in SHRED(1): "CAUTION: shred assumes the file system and hardware overwrite data in place. Although this is common, many platforms operate otherwise."
- Run
ansible-playbook --list-tasks --tags logging harden.yml
for a full list
- Enables system accounting (sysstat)
- Sets it's log retention to 99999 days (the logs are really small, so it doesn't eat up disk space)
- Enables process accounting
- Run
ansible-playbook --list-tasks --tags accounting harden.yml
for a full list
- Disables the use of certain kernel modules via
modprobe
- Disable Firewire
- sysctl settings hardening
- Enables SAK and disables the other magic SysRq stuff
- Restricts the use of
dmesg
by regular users - Enable YAMA
- For the complete list, see sysctl.conf.new
- Run
ansible-playbook --list-tasks --tags kernel harden.yml
for a full list
- Hardens mount options (creates
/etc/fstab.new
) (see fstab.awk) - Sets strict permissions to users home directories
- Limits permissions to various configuration files and directories that might contain sensitive content (see
permissions
tag for a complete list) - Clean up
/tmp
during boot - Removes SUID and/or SGID bits from various binaries (see
ansible-playbook --list-tasks --tags suid,sgid harden.yml
for details)
- Configures basic auditing based on stig.rules if audit is installed (see audit.yml)
- Configures
sshd_config
andssh_config
(seeansible-playbook --list-tasks --tags ssh harden.yml
for details) - Configures sudo (see sudoers.j2)
- WARNING: If there are rules in
/etc/sudoers.d/
that match ourbecome: true
tasks that do not have explicitEXEC
, it can "break"sudo
as we defineDefaults noexec
in the mainsudoers
file. There is a "Fix NOPASSWD rules" task insudoers.yml
which tries to tackle this problem, but it's not guaranteed to work. - You can set the
sudo_iolog
invars.yml
totrue
to enable I/O logging - You can set the
sudo_ids
invars.yml
totrue
to enable "Intrusion Detection" as described in Sudo Mastery chapter 9 (#59)
- WARNING: If there are rules in
- ClamAV configuration (see clamav.yml)
- Configures
clamd
&freshclam
by first generating fresh configurations with clamconf - Configured ClamAV to unarchive with password "infected" (see Passwords for archive files & ClamAV and ZIP File Decryption)
- Downloads YARA rules from Neo23x0, GCTI, Elastic, YaraRules Project, JPCERT/CC, Malpedia, Citizen Lab, GoDaddy, Didier Stevens & Open-Source-YARA-rules for ClamAV to use
- Configures
- rkhunter configuration (see rkhunter.yml)
- Tiger: Configures
tigerrc
&tiger.ignore
- Lynis configuration (see lynis.yml)
- Configures AIDE (see aide.yml)
- Display managers:
- Disables user lists in GDM3 & LightDM
- Disables guest sessions and VNC in LightDM
- Minor Apache HTTP server hardening
- Minor PHP (
php.ini
) hardening
- Sets default umask to a more stricter
077
(see https://github.com/pyllyukko/harden.yml/wiki/umask) - Sets console session timeout via
$TMOUT
(Bash) - Properly locks down system accounts (0 -
SYS_UID_MAX
&& !root
)- Lock the user's password
- Sets shell to
/sbin/nologin
- Expire the account
- Set
RLIMIT_NPROC
to0
in pam_limits for those system accounts that don't need to run any processes
- Configures the default password inactivity period
- Run
ansible-playbook --list-tasks --tags passwords harden.yml
to list all password related tasks
- Run
- Makes minor modifications to existing accounts. See
ansible-playbook --list-tasks --tags accounts harden.yml
for details.
- Create a strict
securetty
- Creates
/etc/ftpusers
- Restricts the use of cron and
at
- Run
ansible-playbook --list-tasks --tags authorization
for a full list
- Configures
/etc/security/namespace.conf
- Configures
/etc/security/access.conf
forpam_access
(authorization) (see access.conf.j2) - Configures
/etc/security/pwquality.conf
if available - Require pam_wheel in
/etc/pam.d/su
- Creates a secure /etc/pam.d/other
- See also A strong /etc/pam.d/other
- Configures
/etc/security/limits.conf
as follows:- Disable core dumps
- Sets maximum amount of processes (or threads, see setrlimit(2))
- Sets
nproc
to 0 for system users that don't need to run any processes
- Run
ansible-playbook --list-tasks --tags pam harden.yml
to list all PAM related tasks - You can also run
ansible-playbook --check --diff --tags pam harden.yml
to see details of the changes
- Creates legal banners (see banners.yml)
- Reduce the amount of trusted CAs (see ca-certificates.conf.new)
- Restricts the number of available shells (
/etc/shells
)
- Run
ansible-playbook --list-tasks --tags slackware harden.yml
for a full list - Make Xorg rootless
- Makes default log files group
adm
readable (as in Debian) - Restricts the use of
cron
so that only users in the wheel group are able to create cronjobs (as described in /usr/doc/dcron-4.5/README) - Mount /proc with
hidepid=2
- Make
installpkg
store the MD5 checksums - Enable process accounting (
acct
) - Does some housekeeping regarding group memberships (see login_defs-slackware.yml)
- Configures
inittab
to useshutdown -a
(and/etc/shutdown.allow
) - Reconfigured bunch of services (run
ansible-playbook --list-tasks --tags slackware harden.yml | grep '\bservices\b'
for a full list) - Configures cgroups (v1, because of too old
libcgroup
) into/etc/cg{config,rules}.conf
- Enables
bootlogd
- NOTE: Requires
CONFIG_LEGACY_PTYS
(which KSPP recommends to disable)
- NOTE: Requires
- Creates a custom
/etc/pam.d/system-auth
, which has the following changes:- Use
pam_faildelay
- Use
pam_faillock
- Use
pam_access
- Removes
nullok
frompam_unix
- Sets crypt rounds for
pam_unix
- Change password
minlen
from 6 to 14
- Use
- The following PAM modules are added to
/etc/pam.d/postlogin
:pam_umask
pam_cgroup
pam_keyinit
- Add
pam_namespace
to/etc/pam.d/{login,sddm,sshd,xdm}
- Removes
auth include postlogin
from several files, aspostlogin
should (and has) onlysession
module types - Creates
/etc/pam.d/sudo
, as that seemed to be missing - Disallows the use of
su
(see su.new) - Block
/etc/pam.d/remote
(see /etc/pam.d/remote)
- Disables unnecessary systemd services
- Enables AppArmor
- Configure
SUITE
indebsecan
- Install
debsums
and enable weekly cron job - Installs a bunch of security related packages (see debian_packages.yml)
- Configures
chkrootkit
and enables daily checks - Configures APT not to install suggested packages
Creates bunch of pam-config
s that are toggleable with pam-auth-update
:
PAM module | Type | Description |
---|---|---|
pam_wheel1 | auth | Require wheel group membership (su ) |
pam_succeed_if | auth & account | Require UID >= 1000 && UID <= 60000 (or 0 & login ) |
pam_unix1 | auth | Remove nullok |
pam_faildelay | auth | Delay on authentication failure |
pam_ssh_agent_auth | auth | SSH agent authentication for sudo3 |
pam_faillock |
auth & account | Deter brute-force attacks |
pam_access | account | Use login ACL (/etc/security/access.conf ) |
pam_time | account | /etc/security/time.conf |
pam_lastlog | account | Lock out inactive users (no login in 90 days) |
pam_namespace | session | Polyinstantiated temp directories |
pam_umask | session | Set file mode creation mask |
pam_lastlog | session | Display info about last login and update the lastlog and wtmp files2 |
pam_pwhistory | password | Limit password reuse |
- Not a
pam-config
, but a modification to existing/etc/pam.d/
files - For all login methods and not just the console login
- Disabled by default and requires libpam-ssh-agent-auth package. Needs to have higher priority than
krb5
or other password auths.sshd
needs to haveAllowAgentForwarding yes
- You need to configure
sudo
withDefaults env_keep += "SSH_AUTH_SOCK"
- Edit the
harden.yml
and modifyhosts
or create a completely new playbook by making a copy of theharden.yml
file- You can comment out the "task sets" that you don't need
- Check
vars.yml
in case you want to tweak some of the settings - You can check all the tasks before running the playbook by running
ansible-playbook --list-tasks harden.yml
- Harden your system by running
ansible-playbook harden.yml
- Make sure regular users that should be able to login are members of the
allowed_group
group - Sudo hardening:
noexec
is on by default, so you need to take this into account in your custom rules- Interactive shells to
root
have timeout, so usescreen
for those longer administrative tasks
- Rebooting the system after running this is highly recommended
- The AIDE DB creation is made asynchronously and without polling, so let that finish before rebooting
- You might want to get additional (unofficial) rules for ClamAV with clamav-unofficial-sigs (although see #425). At least the following rulesets are freely available:
- Sanesecurity
- Porcupine ("The following databases are distributed by Sanesecurity, but produced by Porcupine Signatures")
- bofhland ("The following databases are distributed by Sanesecurity, but produced by bofhland")
- Linux Malware Detect
- InterServer
- URLhaus
- Sanesecurity
- WARNING: There is a hazard with immutable
loginuid
enabled in auditing in non-systemd systems (Slackware). See longer description of this in the wiki. - Review
/etc/fstab.new
manually and deploy applicable changes to/etc/fstab
Tags that you can use with ansible-playbook --tags
:
pki
kernel
rng
network
firewall
ipv6
logging
- Filesystem related:
permissions
fstab
suid
&sgid
- Specific software:
sysstat
ssh
rkhunter
chkrootkit
aide
audit
(use--skip-tags audit
in Slackware if you don't have audit installed)debsecan
debsums
lynis
(to only configure Lynis you can use--tags lynis --skip-tags packages
)sudo
kerberos
clamav
(use--skip-tags clamav
in Slackware if you don't have clamav installed)yara
apparmor
cron
(also includes tasks regardingat
)php
apache
hsts
ntp
lightdm
gnome
tiger
john
banners
- AAA:
accounting
(includessysstat
)authorization
passwords
accounts
pam
limits
cgroup
(Slackware)hidepid
(Slackware)shells
umask
There are also operating system tags for tasks that only apply to specific OS.
You can speed up the hardening by skipping OSs that don't apply. E.g. if you're
hardening a Slackware system you can use --skip-tags debian,centos
.
Other tags are just metadata for now. You can list all the tags with
ansible-playbook --list-tags harden.yml
.
- There is a
lock_account.yml
playbook that you can use to lock user accounts. Just modify thehosts
&user
. - Limited hardening for FreeBSD (see freebsd.yml)
- Experimental feature: If you enable
sudo_ids
invars.yml
, it enables "Sudo Intrusion Detection" as seen in chapter 9 of Sudo Mastery- Only for
SHELLS
Cmnd_Alias
for now
- Only for
- You can run
make pamcheck
to see how the hardening modifies your PAM configurations in Slackware
Some of these documents are quite old, but most of the stuff still applies.
- Slackware System Hardening by Jeffrey Denton
- Center for Internet Security:
- SlackDocs: Security HOWTOs
- Alien's Wiki: Security issues
- SlackWiki: Basic Security Fixes
- Wikipedia: Fork bomb Prevention
- Linux Standard Base Core Specification 4.1
- Filesystem Hierarchy Standard 2.3
- https://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx
- PAM Mastery book by Michael W Lucas
- The Linux-PAM System Administrators' Guide
- Sudo Mastery, 2nd Edition
- Linux Firewalls
- Secure Secure Shell
- Securing Debian Manual
- ArchWiki: limits.conf
- Effectiveness of Linux Rootkit Detection Tools
- How to keep a detailed audit trail of what’s being done on your Linux systems