WoodSmellParticle/ansible-infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore!: separated galaxy deps and own collections; modified ansible script generation to use two paths for collections

Browse source 
REQUIRES REGENERATING ansible.cfg!
This commit is contained in:
NaeiKinDus 2025-02-23 00:00:00 +00:00
parent 4af69c31ce
commit 888590ed9f
Signed by: WoodSmellParticle
GPG key ID: 8E52ADFF7CA8AE56
188 changed files with 30 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

31
ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml Normal file
View file

@ -0,0 +1,31 @@
---
security_apt_force_https: true
security_apt_https_ignore_list: []
security_clamav_version: 1.4.1
security_configure_resolve_conf: false
security_firewall_enabled: true
security_firewall_filter_policy_forward: drop
security_firewall_filter_policy_input: drop
security_firewall_filter_policy_output: drop
security_firewall_mangle_drop_privatenets: true
security_firewall_mangle_drop_reservednets: true
security_firewall_mangle_policy_forward: drop
security_firewall_mangle_policy_output: accept
security_firewall_mangle_policy_postrouting: accept
security_firewall_mangle_policy_prerouting: accept
security_firewall_nat_policy_input: accept
security_firewall_nat_policy_output: accept
security_firewall_nat_policy_postrouting: accept
security_firewall_nat_policy_prerouting: accept
security_ssh_port: 22
security_sysctl_configuration: {}
security_firewall_reserved_nets_ip4:
# - 0.0.0.0/8 # if blocked, will block DHCP provisioning
# - 169.254.0.0/16 # if blocked, will block DHCP provisioning
- 192.0.2.0/24
- 192.88.99.0/24
- 198.51.100.0/24
- 203.0.113.0/24
- 224.0.0.0/4
- 233.252.0.0/24
- 240.0.0.0/4

51
ansible_collections/nullified/infrastructure/roles/security/handlers/main.yml Normal file
View file

@ -0,0 +1,51 @@
---
- name: '[firewall] restart service'
become: true
ansible.builtin.systemd_service:
name: nftables.service
enabled: true
state: restarted
- name: '[ssh] restart service'
become: true
ansible.builtin.systemd_service:
name: sshd.service
enabled: true
state: restarted
- name: '[clamav] daemon reload'
become: true
ansible.builtin.systemd_service:
daemon_reload: true
- name: '[freshclam] restart service'
become: true
ansible.builtin.systemd_service:
name: clamav-freshclam.service
enabled: true
state: restarted
- name: '[clamd] wait for signatures'
become: true
ansible.builtin.wait_for:
path: /var/lib/clamav/main.cvd
timeout: 600
state: present
- name: '[clamd] restart service'
become: true
ansible.builtin.systemd_service:
name: clamav-clamd.service
enabled: true
state: restarted
- name: '[apt] update sources'
become: true
ansible.builtin.apt:
update_cache: true
force_apt_get: true
- name: '[system] reload sysctl configuration'
become: true
ansible.builtin.command:
cmd: sysctl --system

22
ansible_collections/nullified/infrastructure/roles/security/meta/main.yml Normal file
View file

@ -0,0 +1,22 @@
---
galaxy_info:
author: Florian L.
namespace: nullified
description: Deploy security tweaks to systems
# issue_tracker_url: http://example.com/issue/tracker
license: MIT
min_ansible_version: 2.15
# https://galaxy.ansible.com/api/v1/platforms/
platforms:
- name: Debian
versions:
- bookworm
galaxy_tags:
- github
- assets
- utils
- system
dependencies: []

62
ansible_collections/nullified/infrastructure/roles/security/tasks/firewall.yml Normal file
View file

@ -0,0 +1,62 @@
---
- name: gather facts if required
ansible.builtin.setup:
gather_subset:
- distribution
- virtualization_type
- name: install and configure nftables
when: security_firewall_enabled is truthy
become: true
notify:
- 'security : [firewall] restart service'
block:
- name: install nftables
ansible.builtin.apt:
pkg:
- nftables
- name: enable nftables
ansible.builtin.systemd:
name: nftables
enabled: true
masked: false
- name: create config dir
ansible.builtin.file:
path: /etc/nftables.d
mode: '0700'
state: directory
- name: set firewall templates facts
ansible.builtin.set_fact:
security_firewall_supervisors_ip4: '{{ external_provisioner_source_ips | default(provisioner_facts.controllers_list.values()) | list | ansible.utils.ipv4 }}'
security_firewall_supervisors_ip6: '{{ external_provisioner_source_ips | default(provisioner_facts.controllers_list.values()) | list | ansible.utils.ipv6 }}'
security_firewall_dns4_servers: "{{ hostvars[inventory_hostname]['global_dns_{}_dns4'.format(global_dns_type)] | default(ansible_facts.dns.nameservers | ansible.utils.ipv4, true) }}"
security_firewall_dns6_servers: "{{ hostvars[inventory_hostname]['global_dns_{}_dns6'.format(global_dns_type)] | default(ansible_facts.dns.nameservers | ansible.utils.ipv6, true) }}"
- name: base config file
ansible.builtin.template:
src: "../templates/system/{{ ansible_facts['distribution'] | lower }}/nftables.conf.j2"
dest: /etc/nftables.conf
mode: '0700'
- name: base tables definition
ansible.builtin.template:
src: "../templates/system/nftables/{{ item }}.table.j2"
dest: "/etc/nftables.d/{{ item }}.table"
mode: '0600'
loop:
- 01-nat
- 02-mangle
- 03-filter
- name: common firewall rules
ansible.builtin.template:
src: "{{ item }}"
dest: "/etc/nftables.d/{{ (item.split('/') | last)[:-3] }}"
mode: '0600'
loop: "{{ q('fileglob', '../templates/system/nftables.d/*.j2') }}"
- name: flush handlers
ansible.builtin.meta: flush_handlers

229
ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml Normal file
View file

@ -0,0 +1,229 @@
---
- name: '[setup] gather facts if not already done'
setup:
gather_subset:
- distribution
- name: '[system] setup DNS server'
block:
- name: disable resolv.conf updates from dhclient
ansible.builtin.copy:
dest: /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
content: |
#!/bin/sh
make_resolv_conf(){
:
}
owner: root
group: root
mode: '0755'
- name: update resolv.conf
ansible.builtin.template:
src: ../templates/system/debian/resolv.conf.j2
dest: /etc/resolv.conf
mode: '0644'
owner: root
group: root
become: true
when: security_configure_resolve_conf is truthy
- name: '[system] re-allow DHCP client to setup DNS resolvers'
become: true
ansible.builtin.file:
path: /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
state: absent
failed_when: false
when : security_configure_resolve_conf is falsy
- name: '[system] add sysctl tweaks'
become: true
ansible.builtin.template:
src: ../templates/system/debian/sysctld.local.conf.j2
dest: /etc/sysctl.d/local.conf
mode: '0644'
when: security_sysctl_configuration is truthy
vars:
sysctl_values: "{{ security_sysctl_configuration }}"
notify:
- 'security : [system] reload sysctl configuration'
- ansible.builtin.include_tasks:
file: firewall.yml
apply:
tags: [firewall]
tags: [firewall]
- name: '[apt] force HTTPS sources'
become: true
when: security_apt_force_https is truthy
block:
- name: '[apt] fetch apt information'
ansible.builtin.command:
cmd: find /etc/apt -maxdepth 2 -path \*sources.list -o -path \*sources.list.d\* -type f
register: apt_source_files
changed_when: false
- name: '[apt] updating sources'
ansible.builtin.replace:
path: "{{ item }}"
regexp: 'http://'
replace: 'https://'
loop: "{{ apt_source_files.stdout_lines | difference(security_apt_https_ignore_list) }}"
notify:
- 'security : [apt] update sources'
- name: '[ssh] hardening sshd'
become: true
block:
- name: '[ssh] setup sshd_config'
ansible.builtin.template:
src: ../templates/openssh-server/sshd_config.j2
dest: /etc/ssh/sshd_config
mode: '0600'
- name: '[ssh] ensure directories exist'
ansible.builtin.file:
path: /etc/ssh/sshd_config.d
state: directory
mode: '0700'
- name: '[ssh] setup sshd_config.d'
ansible.builtin.template:
src: ../templates/openssh-server/sshd_config.d/encryption.conf.j2
dest: /etc/ssh/sshd_config.d/encryption.conf
mode: '0600'
- name: '[ssh] remove low security keys'
ansible.builtin.file:
path: "/etc/ssh/{{ item }}"
state: absent
loop:
- ssh_host_ecdsa_key
- ssh_host_ecdsa_key.pub
- ssh_host_rsa_key
- ssh_host_rsa_key.pub
notify:
- 'security : [ssh] restart service'
- name: '[utils] install security and audit tools'
become: true
ansible.builtin.apt:
update_cache: true
force_apt_get: true
cache_valid_time: 3600
pkg:
- lsof # rkhunter
- rkhunter
- unhide # rkhunter
state: present
- name: '[system] configure rkhunter'
become: true
block:
- name: '[rkhunter] create include dir'
ansible.builtin.file:
path: /etc/rkhunter.d
state: directory
mode: '0750'
- name: '[rkhunter] copy configuration'
ansible.builtin.template:
src: ../templates/rkhunter/rkhunter.conf.local.j2
dest: /etc/rkhunter.conf.local
mode: '0640'
- name: '[rkhunter] setup cronjob'
ansible.builtin.cron:
name: rkhunter check
minute: 0
hour: 4
day: "*/3"
job: "/usr/bin/rkhunter -c 2>&1"
state: present
- name: get current clamav version
ansible.builtin.shell: >
dpkg -l | awk '$2=="clamav"{ print $3 }' | cut -d '-' -f 1
register: clamav_version_cmd
changed_when: false
failed_when: false
- name: '[system] clamav'
become: true
block:
- name: '[clamav] retrieve and install clamav package'
ansible.builtin.apt:
deb: https://www.clamav.net/downloads/production/clamav-{{ security_clamav_version }}.linux.x86_64.deb
state: present
when: clamav_version_cmd.get("stdout", "") != security_clamav_version
- name: '[clamav] add clamav group'
ansible.builtin.group:
name: clamav
system: true
state: present
- name: '[clamav] add clamav user'
ansible.builtin.user:
name: clamav
comment: clamav
create_home: false
expires: -1
group: clamav
shell: /bin/false
system: true
state: present
- name: '[clamav] setup directories'
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: clamav
group: clamav
mode: '0750'
loop:
- /etc/clamav
- /var/lib/clamav/quarantine
- /var/log/clamav
- name: '[clamav] copy clamd.conf'
ansible.builtin.template:
src: '../templates/clamav/clamd.conf.j2'
dest: /etc/clamav/clamd.conf
owner: clamav
group: clamav
mode: '0640'
- name: '[clamav] copy freshclam.conf'
ansible.builtin.template:
src: '../templates/clamav/freshclam.conf.j2'
dest: /etc/clamav/freshclam.conf
owner: clamav
group: clamav
mode: '0640'
- name: '[clamav] copy freshclam service file'
ansible.builtin.template:
src: '../templates/clamav/clamav-freshclam.service.j2'
dest: /usr/lib/systemd/system/clamav-freshclam.service
mode: '0644'
- name: '[clamav] copy clamd service file'
ansible.builtin.template:
src: '../templates/clamav/clamav-clamd.service.j2'
dest: /usr/lib/systemd/system/clamav-clamd.service
mode: '0644'
- name: '[clamav] setup cron job'
ansible.builtin.cron:
name: clamav full system scan
minute: 30
hour: 5
weekday: 0
job: "/usr/local/bin/clamscan --recursive --infected --exclude-dir='^/(sys|proc)' --database=/var/lib/clamav --move=/var/lib/clamav/quarantine --log=/var/log/clamav/weekly.log / 2>&1"
state: present
notify:
- 'security : [clamav] daemon reload'
- 'security : [freshclam] restart service'
- 'security : [clamd] wait for signatures'
- 'security : [clamd] restart service'
- name: '[system] hardening system'
become: true
block:
- name: '[system] login.defs'
ansible.builtin.template:
src: '../templates/system/{{ ansible_facts["distribution"] | lower }}/login.defs.j2'
dest: /etc/login.defs
mode: '0644'
- name: '[system] limits.conf'
ansible.builtin.template:
src: '../templates/system/{{ ansible_facts["distribution"] | lower }}/limits.conf.j2'
dest: /etc/security/limits.conf
mode: '0644'

22
ansible_collections/nullified/infrastructure/roles/security/templates/clamav/clamav-clamd.service.j2 Normal file
View file

@ -0,0 +1,22 @@
[Unit]
Description=ClamAV virus scanner
Documentation=man:clamd(1) man:clamd.conf(5) https://docs.clamav.net/
ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc}
ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc}
Wants=network-online.target
After=network-online.target
[Service]
User=clamav
Group=clamav
Type=simple
ExecStart=/usr/local/sbin/clamd --foreground=true --config-file=/etc/clamav/clamd.conf
ExecReload=/bin/kill -USR2 $MAINPID
TimeoutStartSec=300
RuntimeDirectory=clamav
RuntimeDirectoryMode=0755
LogsDirectory=clamav
LogsDirectoryMode=0750
[Install]
WantedBy=multi-user.target

14
ansible_collections/nullified/infrastructure/roles/security/templates/clamav/clamav-freshclam.service.j2 Normal file
View file

@ -0,0 +1,14 @@
[Unit]
Description=ClamAV virus database updater
Documentation=man:freshclam(1) man:freshclam.conf(5) https://docs.clamav.net/
ConditionPathExists=!/etc/cron.d/clamav-freshclam
Wants=network-online.target
After=network-online.target
[Service]
ExecStart=/usr/local/bin/freshclam -d --foreground=true --config-file=/etc/clamav/freshclam.conf
LogsDirectory=clamav
LogsDirectoryMode=0750
[Install]
WantedBy=multi-user.target

298
ansible_collections/nullified/infrastructure/roles/security/templates/clamav/clamav-milter.conf.j2 Normal file
View file

@ -0,0 +1,298 @@
##
## Example config file for clamav-milter
##
# Comment or remove the line below.
Example
##
## Main options
##
# Define the interface through which we communicate with sendmail
# This option is mandatory! Possible formats are:
# [[unix|local]:]/path/to/file - to specify a unix domain socket
# inet:port@[hostname|ip-address] - to specify an ipv4 socket
# inet6:port@[hostname|ip-address] - to specify an ipv6 socket
#
# Default: no default
#MilterSocket /run/clamav/clamav-milter.sock
#MilterSocket /tmp/clamav-milter.sock
#MilterSocket inet:7357
# Define the group ownership for the (unix) milter socket.
# Default: disabled (the primary group of the user running clamd)
#MilterSocketGroup virusgroup
# Sets the permissions on the (unix) milter socket to the specified mode.
# Default: disabled (obey umask)
#MilterSocketMode 660
# Remove stale socket after unclean shutdown.
#
# Default: yes
#FixStaleSocket yes
# Run as another user (clamav-milter must be started by root for this option
# to work)
#
# Default: unset (don't drop privileges)
#User clamav
# Waiting for data from clamd will timeout after this time (seconds).
# Value of 0 disables the timeout.
#
# Default: 120
#ReadTimeout 300
# Don't fork into background.
#
# Default: no
#Foreground yes
# Chroot to the specified directory.
# Chrooting is performed just after reading the config file and before
# dropping privileges.
#
# Default: unset (don't chroot)
#Chroot /newroot
# This option allows you to save a process identifier of the listening
# daemon.
# This file will be owned by root, as long as clamav-milter was started by
# root. It is recommended that the directory where this file is stored is
# also owned by root to keep other users from tampering with it.
#
# Default: disabled
#PidFile /run/clamav/clamav-milter.pid
# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#
#TemporaryDirectory /var/tmp
##
## Clamd options
##
# Define the clamd socket to connect to for scanning.
# This option is mandatory! Syntax:
# ClamdSocket unix:path
# ClamdSocket tcp:host:port
# The first syntax specifies a local unix socket (needs an absolute path) e.g.:
# ClamdSocket unix:/run/clamav/clamd.sock
# The second syntax specifies a tcp local or remote tcp socket: the
# host can be a hostname or an ip address; the ":port" field is only required
# for IPv6 addresses, otherwise it defaults to 3310, e.g.:
# ClamdSocket tcp:192.168.0.1
#
# This option can be repeated several times with different sockets or even
# with the same socket: clamd servers will be selected in a round-robin
# fashion.
#
# Default: no default
#ClamdSocket tcp:scanner.mydomain:7357
#ClamdSocket unix:/run/clamav/clamd.sock
##
## Exclusions
##
# Messages originating from these hosts/networks will not be scanned
# This option takes a host(name)/mask pair in CIRD notation and can be
# repeated several times. If "/mask" is omitted, a host is assumed.
# To specify a locally originated, non-smtp, email use the keyword "local"
#
# Default: unset (scan everything regardless of the origin)
#LocalNet local
#LocalNet 192.168.0.0/24
#LocalNet 1111:2222:3333::/48
# This option specifies a file which contains a list of basic POSIX regular
# expressions. Addresses (sent to or from - see below) matching these regexes
# will not be scanned. Optionally each line can start with the string "From:"
# or "To:" (note: no whitespace after the colon) indicating if it is,
# respectively, the sender or recipient that is to be allowed.
# If the field is missing, "To:" is assumed.
# Lines starting with #, : or ! are ignored.
#
# Default unset (no exclusion applied)
#AllowList /etc/allowed_addresses
# Messages from authenticated SMTP users matching this extended POSIX
# regular expression (egrep-like) will not be scanned.
# As an alternative, a file containing a plain (not regex) list of names (one
# per line) can be specified using the prefix "file:".
# e.g. SkipAuthenticated file:/etc/good_guys
#
# Note: this is the AUTH login name!
#
# Default: unset (no allowing based on SMTP auth)
#SkipAuthenticated ^(tom|dick|henry)$
# Messages larger than this value won't be scanned.
# Make sure this value is lower or equal than StreamMaxLength in clamd.conf
#
# Default: 25M
#MaxFileSize 10M
##
## Actions
##
# The following group of options controls the delivery process under
# different circumstances.
# The following actions are available:
# - Accept
# The message is accepted for delivery
# - Reject
# Immediately refuse delivery (a 5xx error is returned to the peer)
# - Defer
# Return a temporary failure message (4xx) to the peer
# - Blackhole (not available for OnFail)
# Like Accept but the message is sent to oblivion
# - Quarantine (not available for OnFail)
# Like Accept but message is quarantined instead of being delivered
#
# NOTE: In Sendmail the quarantine queue can be examined via mailq -qQ
# For Postfix this causes the message to be placed on hold
#
# Action to be performed on clean messages (mostly useful for testing)
# Default: Accept
#OnClean Accept
# Action to be performed on infected messages
# Default: Quarantine
#OnInfected Quarantine
# Action to be performed on error conditions (this includes failure to
# allocate data structures, no scanners available, network timeouts,
# unknown scanner replies and the like)
# Default: Defer
#OnFail Defer
# This option allows to set a specific rejection reason for infected messages
# and it's therefore only useful together with "OnInfected Reject"
# The string "%v", if present, will be replaced with the virus name.
# Default: MTA specific
#RejectMsg
# If this option is set to "Replace" (or "Yes"), an "X-Virus-Scanned" and an
# "X-Virus-Status" headers will be attached to each processed message, possibly
# replacing existing headers.
# If it is set to Add, the X-Virus headers are added possibly on top of the
# existing ones.
# Note that while "Replace" can potentially break DKIM signatures, "Add" may
# confuse procmail and similar filters.
# Default: no
#AddHeader Replace
# When AddHeader is in use, this option allows to arbitrary set the reported
# hostname. This may be desirable in order to avoid leaking internal names.
# If unset the real machine name is used.
# Default: disabled
#ReportHostname my.mail.server.name
# Execute a command (possibly searching PATH) when an infected message is
# found.
# The following parameters are passed to the invoked program in this order:
# virus name, queue id, sender, destination, subject, message id, message date.
# Note #1: this requires MTA macroes to be available (see LogInfected below)
# Note #2: the process is invoked in the context of clamav-milter
# Note #3: clamav-milter will wait for the process to exit. Be quick or fork to
# avoid unnecessary delays in email delivery
# Default: disabled
#VirusAction /usr/local/bin/my_infected_message_handler
##
## Logging options
##
# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
#
# Default: disabled
#LogFile /tmp/clamav-milter.log
# By default the log file is locked for writing - the lock protects against
# running clamav-milter multiple times.
# This option disables log file locking.
#
# Default: no
#LogFileUnlock yes
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
# rotation (the LogRotate option) will always be enabled.
#
# Default: 1M
#LogFileMaxSize 2M
# Log time with each message.
#
# Default: no
#LogTime yes
# Use system logger (can work together with LogFile).
#
# Default: no
#LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
#
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable verbose logging.
#
# Default: no
#LogVerbose yes
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
# This option allows to tune what is logged when a message is infected.
# Possible values are Off (the default - nothing is logged),
# Basic (minimal info logged), Full (verbose info logged)
# Note:
# For this to work properly in sendmail, make sure the msg_id, mail_addr,
# rcpt_addr and i macroes are available in eom. In other words add a line like:
# Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i
# to your .cf file. Alternatively use the macro:
# define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')
# Postfix should be working fine with the default settings.
#
# Default: disabled
#LogInfected Basic
# This option allows to tune what is logged when no threat is found in
# a scanned message.
# See LogInfected for possible values and caveats.
# Useful in debugging but drastically increases the log size.
# Default: disabled
#LogClean Basic
# This option affects the behaviour of LogInfected, LogClean and VirusAction
# when a message with multiple recipients is scanned:
# If SupportMultipleRecipients is off (the default)
# then one single log entry is generated for the message and, in case the
# message is determined to be malicious, the command indicated by VirusAction
# is executed just once. In both cases only the last recipient is reported.
# If SupportMultipleRecipients is on:
# then one line is logged for each recipient and the command indicated
# by VirusAction is also executed once for each recipient.
#
# Note: although it's probably a good idea to enable this option, the default
# value
# is currently set to off for legacy reasons.
# Default: no
#SupportMultipleRecipients yes

250
ansible_collections/nullified/infrastructure/roles/security/templates/clamav/clamd.conf.j2 Normal file
View file

@ -0,0 +1,250 @@
LogFile /var/log/clamav/clamd.log
LogFileUnlock no
LogFileMaxSize 2M
LogTime yes
LogClean no
LogSyslog no
LogFacility LOG_LOCAL6
LogVerbose no
LogRotate no
PreludeEnable no
PreludeAnalyzerName ClamAV
ExtendedDetectionInfo yes
TemporaryDirectory /tmp
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly no
#FailIfCvdOlderThan 7
User clamav
# Default: disabled (must be specified by a user)
LocalSocket /var/run/clamav/clamd.sock
#LocalSocket /tmp/clamd.sock
# Default: disabled (the primary group of the user running clamd)
LocalSocketGroup clamav
# Default: disabled (socket is world accessible)
#LocalSocketMode 660
#FixStaleSocket yes
# Default: no
#TCPSocket 3310
# Default: no
#TCPAddr localhost
# Default: 200
#MaxConnectionQueueLength 30
# Default: 100M
#StreamMaxLength 25M
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000
# Default: 10
#MaxThreads 20
# Default: 120
#ReadTimeout 300
CommandReadTimeout 30
# Default: 500
#SendBufTimeout 200
# Maximum number of queued items (including those being processed by
# MaxThreads threads).
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out of file
# descriptors, the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual
# max is 1024).
#
# Default: 100
#MaxQueue 200
# Default: 30
#IdleTimeout 60
# Default: scan all
ExcludePath ^/proc/
ExcludePath ^/sys/
MaxDirectoryRecursion 20
# Default: no
#FollowDirectorySymlinks yes
# Default: no
#FollowFileSymlinks yes
CrossFilesystems yes
SelfCheck 600
# Default: yes
#ConcurrentDatabaseReload no
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v in %f"
#ExitOnOOM yes
# Default: no
#Foreground yes
# Default: no
#Debug yes
# Default: no
#LeaveTemporaryFiles yes
# Default: no
#GenerateMetadataJson yes
# Default: yes
#AllowAllMatchScan no
DetectPUA yes
# Default: Load all categories (if DetectPUA is activated)
ExcludePUA Tool
ForceToDisk no
# Default: no
#DisableCache yes
#CacheSize 65536
HeuristicAlerts yes
# Default: no
#HeuristicScanPrecedence yes
##
## Heuristic Alerts
##
# Default: no
#AlertBrokenExecutables yes
# Default: no
#AlertBrokenMedia yes
# Default: no
#AlertEncrypted yes
# Default: no
#AlertEncryptedArchive yes
# Default: no
#AlertEncryptedDoc yes
# Default: no
AlertOLE2Macros yes
# Default: no
#AlertPhishingSSLMismatch yes
# Default: no
#AlertPhishingCloak yes
# Default: no
#AlertPartitionIntersection yes
##
## Executable files
##
# Default: yes
ScanPE yes
# Default: no
#DisableCertCheck yes
# Default: yes
ScanELF yes
##
## Documents
##
ScanOLE2 yes
ScanPDF yes
ScanSWF yes
ScanXMLDOCS yes
ScanHWP3 yes
##
## Mail files
##
ScanMail yes
# Default: no
#ScanPartialMessages yes
PhishingSignatures yes
PhishingScanURLs yes
##
## Data Loss Prevention (DLP)
##
# Default: No
#StructuredDataDetection yes
# Default: 3
StructuredMinCreditCardCount 5
# Default: no
#StructuredCCOnly yes
# Default: 3
StructuredMinSSNCount 5
StructuredSSNFormatNormal yes
StructuredSSNFormatStripped yes
##
## HTML
##
ScanHTML yes
##
## Archives
##
ScanArchive yes
##
## Limits
##
# Default: 120000
#MaxScanTime 300000
# Default: 400M
MaxScanSize 500M
# Default: 100M
MaxFileSize 400M
# Default: 17
#MaxRecursion 10
# Default: 10000
#MaxFiles 15000
# Default: 40M
MaxEmbeddedPE 80M
# Default: 40M
#MaxHTMLNormalize 100M
# Default: 8M
#MaxHTMLNoTags 16M
# Default: 20M
#MaxScriptNormalize 50M
# Default: 1M
#MaxZipTypeRcg 1M
# Default: 50
#MaxPartitions 128
# Default: 100
#MaxIconsPE 200
# Default: 16
#MaxRecHWP3 16
# Default: 100000
#PCREMatchLimit 20000
# Default: 2000
#PCRERecMatchLimit 10000
# Default: 100M
#PCREMaxFileSize 400M
# Default: no
AlertExceedsMax yes
##
## On-access Scan Settings
##
# Default: 5M
#OnAccessMaxFileSize 10M
# Default: 5
#OnAccessMaxThreads 10
# Default: 5000 (5 seconds)
# OnAccessCurlTimeout 10000
# Default: no
#OnAccessDisableDDD yes
# Default: disabled
#OnAccessIncludePath /home
#OnAccessIncludePath /students
# Default: disabled
#OnAccessExcludePath /home/user
# Default: no
OnAccessPrevention yes
# Default: no
#OnAccessDenyOnError yes
# Default: no
#OnAccessExtraScanning yes
# Default: disabled
#OnAccessMountPath /
#OnAccessMountPath /home/user
# Default: no
#OnAccessExcludeRootUID no
# Default: disabled
#OnAccessExcludeUID -1
# Default: disabled
OnAccessExcludeUname clamav
# Default: 0
#OnAccessRetryAttempts 3
##
## Bytecode
##
Bytecode yes
BytecodeSecurity TrustSigned
BytecodeUnsigned no
# Default: 10000
# BytecodeTimeout 1000

23
ansible_collections/nullified/infrastructure/roles/security/templates/clamav/freshclam.conf.j2 Normal file
View file

@ -0,0 +1,23 @@
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net

4
ansible_collections/nullified/infrastructure/roles/security/templates/openssh-server/sshd_config.d/encryption.conf.j2 Normal file
View file

@ -0,0 +1,4 @@
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com

24
ansible_collections/nullified/infrastructure/roles/security/templates/openssh-server/sshd_config.j2 Normal file
View file

@ -0,0 +1,24 @@
AcceptEnv LANG LC_*
AddressFamily any
AllowAgentForwarding no
ChallengeResponseAuthentication no
ClientAliveCountMax 2
ClientAliveInterval 300
HostKey /etc/ssh/ssh_host_ed25519_key
IgnoreRhosts yes
LogLevel INFO
MaxAuthTries 3
MaxSessions 5
PermitEmptyPasswords no
PermitRootLogin no
PrintMotd yes
Protocol 2
PubkeyAuthentication yes
Port 22
TCPKeepAlive no
UseDNS no
UsePAM yes
X11Forwarding no
Subsystem sftp /usr/lib/openssh/sftp-server
Include /etc/ssh/sshd_config.d/*.conf

76
ansible_collections/nullified/infrastructure/roles/security/templates/rkhunter/rkhunter.conf.local.j2 Normal file
View file

@ -0,0 +1,76 @@
# No end-of-line comments;
# No quotes around path names;
# To unset previous configuration, set it to "" (empty) beforehand;
# Some options allow multiple definitions, leads to a concatenation;
ROTATE_MIRRORS=1
UPDATE_MIRRORS=1
MIRRORS_MODE=0
MAIL-ON-WARNING=naeikindus@pounce.tech
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
TMPDIR=/var/lib/rkhunter/tmp
DBDIR=/var/lib/rkhunter/db
SCRIPTDIR=/usr/share/rkhunter/scripts
BINDIR=/bin /usr/bin /sbin /usr/sbin
BINDIR=+/usr/local/bin +/usr/local/sbin
UPDATE_LANG="en"
LOGFILE=/var/log/rkhunter.log
APPEND_LOG=0
COPY_LOG_ON_ERROR=0
USE_SYSLOG=authpriv.warning
AUTO_X_DETECT=0
ALLOW_SSH_ROOT_USER=no
ALLOW_SSH_PROT_V1=0
ENABLE_TESTS=ALL
DISABLE_TESTS=NONE
HASH_CMD=SHA256
PKGMGR=NONE
USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf
USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf.local
EXISTWHITELIST=""
ATTRWHITELIST=""
WRITEWHITELIST=""
SCRIPTWHITELIST=/usr/bin/egrep
SCRIPTWHITELIST=/usr/bin/lwp-request
SCRIPTWHITELIST=/usr/bin/fgrep
SCRIPTWHITELIST=/usr/bin/which
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/which.debianutils
SCRIPTWHITELIST=/usr/sbin/adduser
IMMUTABLE_SET=0
SKIP_INODE_CHECK=0
ALLOWPROMISCIF=""
SCAN_MODE_DEV=THOROUGH
ALLOWDEVFILE=""
ALLOW_SYSLOG_REMOTE_LOGGING=0
### Needs update to add user-controller dirs like upload and user generated content dirs from webserver
SUSPSCAN_DIRS=/tmp /var/tmp
SUSPSCAN_TEMP=/dev/shm
SUSPSCAN_MAXSIZE=1024000
SUSPSCAN_THRESH=200
SUSPSCAN_WHITELIST=""
# Examples:
#
# PORT_WHITELIST=TCP:2001 UDP:32011
# PORT_PATH_WHITELIST=/usr/sbin/squid
# PORT_PATH_WHITELIST=/usr/sbin/squid:TCP:3801
PORT_WHITELIST=""
PORT_PATH_WHITELIST=""
WARN_ON_OS_CHANGE=1
USE_LOCKING=1
LOCK_TIMEOUT=300
SCANROOTKITMODE=""
SHOW_SUMMARY_WARNINGS_NUMBER=1
GLOBSTAR=0
INSTALLDIR=/usr

2
ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/limits.conf.j2 Normal file
View file

@ -0,0 +1,2 @@
* soft core 0
* hard core 0

40
ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/login.defs.j2 Normal file
View file

@ -0,0 +1,40 @@
# Based on Debian 12 manual
CHFN_RESTRICT rwh
DEFAULT_HOME yes
ENCRYPT_METHOD YESCRYPT
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ERASECHAR 0177
FAILLOG_ENAB yes
FTMP_FILE /var/log/btmp
GID_MAX 60000
GID_MIN 1000
HOME_MODE 0700
HUSHLOGIN_FILE .hushlogin
KILLCHAR 025
LOGIN_RETRIES 3
LOGIN_TIMEOUT 60
LOG_OK_LOGINS yes
LOG_UNKFAIL_ENAB no
MAIL_DIR /var/mail
NONEXISTENT /nonexistent
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
PREVENT_NO_AUTH yes
SUB_GID_COUNT 65536
SUB_GID_MAX 600100000
SUB_GID_MIN 100000
SUB_UID_COUNT 65536
SUB_UID_MAX 600100000
SUB_UID_MIN 100000
SU_NAME su
SYSLOG_SG_ENAB yes
SYSLOG_SU_ENAB yes
TTYGROUP tty
TTYPERM 0600
UID_MAX 60000
UID_MIN 1000
UMASK 027
USERGROUPS_ENAB yes
YESCRYPT_COST_FACTOR 10

36
ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2 Normal file
View file

@ -0,0 +1,36 @@
#!/usr/sbin/nft -f
flush ruleset
define ansible_controllers_ip4 = {
{{ security_firewall_supervisors_ip4 | join(", ") | wordwrap(40, wrapstring="\n ", break_long_words=False) }}
}
{% if security_firewall_supervisors_ip6 %}
define ansible_controllers_ip6 = {
{{ security_firewall_supervisors_ip6 | join(", ") | wordwrap(40, wrapstring="\n ", break_long_words=False) }}
}
{% endif %}
{% if security_firewall_dns4_servers -%}
define dns_servers = {
{{ security_firewall_dns4_servers | join(", ") | wordwrap(40, wrapstring="\n\t", break_long_words=False) }}
}
{% endif -%}
{% if security_firewall_dns6_servers -%}
define dns_servers6 = {
{{ security_firewall_dns6_servers | join(", ") | wordwrap(40, wrapstring="\n\t", break_long_words=False) }}
}
{% endif -%}
define private_nets = {
10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12,
192.0.0.0/24, 192.168.0.0/16, 198.18.0.0/15
}
define reserved_nets = {
{{ security_firewall_reserved_nets_ip4 | join(", ") | wordwrap(40, wrapstring="\n\t", break_long_words=False) }}
}
define ssh_localport = {{ security_ssh_port }}
include "/etc/nftables.d/01-nat.table"
include "/etc/nftables.d/02-mangle.table"
include "/etc/nftables.d/03-filter.table"
include "/etc/nftables.d/*.nft"

12
ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/resolv.conf.j2 Normal file
View file

@ -0,0 +1,12 @@
{% set dns4_servers = hostvars[inventory_hostname]["global_dns_{}_dns4".format(global_dns_type)] | default([]) %}
{% set dns6_servers = hostvars[inventory_hostname]["global_dns_{}_dns6".format(global_dns_type)] | default([]) %}
{% if dns4_servers is defined and dns4_servers | length > 0 -%}
{% for server in dns4_servers -%}
nameserver {{ server }}
{% endfor %}
{% endif %}
{% if global_ip_dualstack | default(false) and dns6_servers is defined and dns6_servers | length > 0 -%}
{% for server in dns6_servers -%}
nameserver {{ server }}
{% endfor %}
{% endif %}

3
ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/sysctld.local.conf.j2 Normal file
View file

@ -0,0 +1,3 @@
{% for item in security_sysctl_configuration.keys() -%}
{{ item }} = {{ security_sysctl_configuration[item] }}
{% endfor %}

5
ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables.d/egress_http.nft.j2 Normal file
View file

@ -0,0 +1,5 @@
table inet filter {
chain output {
meta nfproto { ipv4, ipv6 } tcp dport { http, https } accept
}
}

14
ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables.d/egress_icmp.nft.j2 Normal file
View file

@ -0,0 +1,14 @@
table inet filter {
chain output {
icmp type {
echo-reply, destination-unreachable, source-quench, redirect, echo-request,
time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request,
info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation
} accept
icmpv6 type {
destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query,
mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit,
nd-neighbor-advert, parameter-problem, mld2-listener-report
} accept
}
}

14
ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables.d/ingress_icmp.nft.j2 Normal file
View file

@ -0,0 +1,14 @@
table inet filter {
chain input {
icmp type {
echo-reply, destination-unreachable, source-quench, redirect, echo-request,
time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request,
info-reply, address-mask-request, address-mask-reply, router-advertisement, router-solicitation
} accept
icmpv6 type {
destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query,
mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit,
nd-neighbor-advert, parameter-problem, mld2-listener-report
} accept
}
}

18
ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/01-nat.table.j2 Normal file
View file

@ -0,0 +1,18 @@
# Setup
table inet nat {
chain prerouting {
type nat hook prerouting priority -100; policy {{ security_firewall_nat_policy_prerouting }};
}
chain input {
type nat hook input priority 100; policy {{ security_firewall_nat_policy_input }};
}
chain output {
type nat hook output priority -100; policy {{ security_firewall_nat_policy_output }};
}
chain postrouting {
type nat hook postrouting priority 100; policy {{ security_firewall_nat_policy_postrouting }};
}
}

59
ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2 Normal file
View file

@ -0,0 +1,59 @@
# Setup
table inet mangle {
chain prerouting {
type filter hook prerouting priority -150; policy {{ security_firewall_mangle_policy_prerouting }};
ip protocol icmp accept
ip frag-off & 0x1fff != 0 counter drop
ct state invalid counter drop
tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
tcp flags & (fin|syn) == fin|syn counter drop
tcp flags & (syn|rst) == syn|rst counter drop
tcp flags & (fin|rst) == fin|rst counter drop
tcp flags & (fin|ack) == fin counter drop
tcp flags & (ack|urg) == urg counter drop
tcp flags & (fin|ack) == fin counter drop
tcp flags & (psh|ack) == psh counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|psh|urg counter drop
tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|ack|urg counter drop
{% if security_firewall_supervisors_ip6 -%}
ip6 saddr $ansible_controllers_ip6 tcp dport $ssh_localport accept
ip6 daddr $ansible_controllers_ip6 tcp sport $ssh_localport accept
{% endif -%}
ip saddr $ansible_controllers_ip4 tcp dport $ssh_localport accept
ip daddr $ansible_controllers_ip4 tcp sport $ssh_localport accept
{% if security_firewall_mangle_drop_privatenets -%}
ip saddr $private_nets counter drop
{% endif -%}
{% if security_firewall_mangle_drop_reservednets -%}
ip saddr $reserved_nets counter drop
{% endif -%}
iifname != "lo" ip saddr 127.0.0.0/8 counter drop
}
chain output {
type route hook output priority -150; policy {{ security_firewall_mangle_policy_output }};
}
chain forward {
type filter hook forward priority -150; policy {{ security_firewall_mangle_policy_forward }};
}
chain postrouting {
type filter hook postrouting priority -150; policy {{ security_firewall_mangle_policy_postrouting }};
{% if security_firewall_supervisors_ip6 -%}
ip6 saddr $ansible_controllers_ip6 tcp dport $ssh_localport accept
ip6 daddr $ansible_controllers_ip6 tcp sport $ssh_localport accept
{% endif -%}
ip saddr $ansible_controllers_ip4 tcp dport $ssh_localport accept
ip daddr $ansible_controllers_ip4 tcp sport $ssh_localport accept
}
}

39
ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/03-filter.table.j2 Normal file
View file

@ -0,0 +1,39 @@
# Setup
table inet filter {
chain input {
type filter hook input priority 0; policy {{ security_firewall_filter_policy_input }};
{% if security_firewall_supervisors_ip6 -%}
ip6 saddr $ansible_controllers_ip6 tcp dport $ssh_localport accept
{% endif -%}
ip saddr $ansible_controllers_ip4 tcp dport $ssh_localport accept
iifname "lo" counter accept
ct state related,established counter accept
tcp dport $ssh_localport limit rate 10/hour burst 5 packets counter accept
}
chain output {
type filter hook output priority 0; policy {{ security_firewall_filter_policy_output }};
{% if security_firewall_supervisors_ip6 -%}
ip6 daddr $ansible_controllers_ip6 tcp sport $ssh_localport accept
{% endif -%}
ip daddr $ansible_controllers_ip4 tcp sport $ssh_localport accept
oifname "lo" counter accept
ct state related,established counter accept
tcp sport $ssh_localport counter accept
# Allow DNS queries using UDP, DoT and DoH
{% if security_firewall_dns4_servers -%}
ip daddr $dns_servers meta l4proto { tcp, udp } th dport { 53, 443, 953 } accept
{%- endif +%}
{% if security_firewall_dns6_servers -%}
ip6 daddr $dns_servers6 meta l4proto { tcp, udp } th dport { 53, 443, 953 } accept
{%- endif +%}
}
chain forward {
type filter hook forward priority 0; policy {{ security_firewall_filter_policy_forward }};
}
}

2
ansible_collections/nullified/infrastructure/roles/security/tests/inventory Normal file
View file

@ -0,0 +1,2 @@
localhost

1
ansible_collections/nullified/infrastructure/roles/security/vars/main.yml Normal file
View file

@ -0,0 +1 @@
---