From 91cd5480b5a1ca1103d5e239af3d331477c41c2c Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Tue, 21 Nov 2017 22:28:39 +0100 Subject: initial commit as copy from helsinki ansible repo --- roles/base/defaults/main.yaml | 7 +++++ roles/base/tasks/main.yaml | 59 +++++++++++++++++++++++++++++++++++++++++++ roles/base/vars/main.yaml | 45 +++++++++++++++++++++++++++++++++ 3 files changed, 111 insertions(+) create mode 100644 roles/base/defaults/main.yaml create mode 100644 roles/base/tasks/main.yaml create mode 100644 roles/base/vars/main.yaml (limited to 'roles/base') diff --git a/roles/base/defaults/main.yaml b/roles/base/defaults/main.yaml new file mode 100644 index 00000000..282c4fd7 --- /dev/null +++ b/roles/base/defaults/main.yaml @@ -0,0 +1,7 @@ +--- +sysctl_config_user: {} + +modules_blacklist: + net: [dccp, sctp, rds, tipc] + fs: [cramfs, freevxfs, hfs, hfsplus, jffs2] + misc: [bluetooth, firewire-core, n_hdlc, net-pf-31, soundcore, thunderbolt, usb-midi] diff --git a/roles/base/tasks/main.yaml b/roles/base/tasks/main.yaml new file mode 100644 index 00000000..91349e50 --- /dev/null +++ b/roles/base/tasks/main.yaml @@ -0,0 +1,59 @@ +--- +- name: apt - Install base system tools + apt: name={{ item }} state=present + with_items: + - htop + - dstat + - lsof + - gawk + - psmisc + - less + - debian-goodies + - screen + - mtr-tiny + - tcpdump + - unp + - sudo + - haveged + - dbus + - libpam-systemd + - aptitude + - ca-certificates + - file + +- name: Remove startup message from screen + lineinfile: + regexp: "^startup_message" + line: "startup_message off" + dest: /etc/screenrc + mode: 0644 + tags: + - screen + +- name: Ensure /root is not world accessible + file: + path: /root + mode: 0700 + owner: root + group: root + state: directory + +- name: disable net/fs/misc kernel modules + lineinfile: + dest: /etc/modprobe.d/disablemod.conf + line: "install {{ item }} /bin/true" + create: yes + owner: root + group: root + mode: 0644 + with_items: "{{ modules_blacklist.net | union(modules_blacklist.fs) | union(modules_blacklist.misc) }}" + +- name: Change various sysctl-settings, look at the sysctl-vars file for documentation + sysctl: + name: '{{ item.key }}' + value: '{{ item.value }}' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + with_dict: '{{ sysctl_config | combine(sysctl_config_user) }}' diff --git a/roles/base/vars/main.yaml b/roles/base/vars/main.yaml new file mode 100644 index 00000000..557a4a7c --- /dev/null +++ b/roles/base/vars/main.yaml @@ -0,0 +1,45 @@ +# SYSTEM CONFIGURATION +# ==================== +# These are not meant to be modified by the user + +# +# To adjust these settings use sysctl_config_user dict +# +sysctl_config: + + # Enable RFC-recommended source validation feature. + net.ipv4.conf.all.rp_filter: 1 + net.ipv4.conf.default.rp_filter: 1 + + # Log packets with impossible addresses to kernel log? yes + net.ipv4.conf.all.log_martians: 1 + net.ipv4.conf.default.log_martians: 1 + + # Reduce the surface on SMURF attacks. + # Make sure to ignore ECHO broadcasts, which are only required in broad network analysis. + net.ipv4.icmp_echo_ignore_broadcasts: 1 + + # There is no reason to accept bogus error responses from ICMP, so ignore them instead. + net.ipv4.icmp_ignore_bogus_error_responses: 1 + + # Limit the amount of traffic the system uses for ICMP. + net.ipv4.icmp_ratelimit: 1000 + + # Send redirects, if router, but this is just server + net.ipv4.conf.all.send_redirects: 0 + net.ipv4.conf.default.send_redirects: 0 + net.ipv4.conf.all.accept_redirects: 0 + net.ipv4.conf.default.accept_redirects: 0 + net.ipv6.conf.all.accept_redirects: 0 + net.ipv6.conf.default.accept_redirects: 0 + net.ipv4.conf.all.secure_redirects: 0 + net.ipv4.conf.default.secure_redirects: 0 + + net.ipv4.conf.all.accept_source_route: 0 + net.ipv4.conf.default.accept_source_route: 0 + + # Protect against wrapping sequence numbers at gigabit speeds + net.ipv4.tcp_timestamps: 0 + + # Prevent against the common 'syn flood attack' + net.ipv4.tcp_syncookies: 1 -- cgit v1.2.3