:

:

Thank you for your great repo!

Describe the bug
Using this playbook:

---
- hosts: www
  user: root
  any_errors_fatal: true
  tasks:
    - include_role:
        name: konstruktoid.hardening
      vars:
        - sshd_admin_net:
            - 1.2.3.0/24
        - ufw_outgoing_traffic:
            - 22
            - 53
            - 80
            - 123
            - 443
            - 853
            - 3128
            - 10051

To success this task, I need to manually remove/install packages. All apt commands ends with:

TASK [konstruktoid.hardening : debian family package installation] ***********************************************************
fatal: [1.2.3.4]: FAILED! => {"changed": false, "cmd": "None -y -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold install audispd-plugins -o APT::Install-Recommends=no", "msg": "[Errno 2] No such file or directory: b'None': b'None'", "rc": 2}

Not sure why apt is not found and 'None' is used.

Expected behavior
Packages should be installed/deinstalled

System (lsb_release -a or similar):
ansible client and server:

No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster

Additional context
Tried to create other playbook just to install/deinstall packages by apt and everything works.
So it must be some defaults inside your tree but I was not able to find it.

:

:

Use nobest (https://docs.ansible.com/ansible/latest/collections/ansible/builtin/dnf_module.html#parameter-nobest)

fatal: [arctic]: FAILED! => {"changed": false, "failures": [], "msg": "Depsolve Error occurred: \n Problem: cannot install both openssl-libs-1:1.1.1k-7.el8_6.x86_64 and openssl-libs-1:1.1.1k-6.el8_5.x86_64\n  - package openssl-1:1.1.1k-7.el8_6.x86_64 requires openssl-libs(x86-64) = 1:1.1.1k-7.el8_6, but none of the providers can be installed\n  - cannot install the best update candidate for package openssl-libs-1:1.1.1k-6.el8_5.x86_64\n  - cannot install the best update candidate for package openssl-1:1.1.1k-6.el8_5.x86_64", "rc": 1, "results": []}

Looking at /var/log/ufw.log, I'm seeing blocked traffic with DST=224.0.0.1

Which, looking that up: https://www.iana.org/assignments/multicast-addresses/multicast-addresses.xhtml

Is a multicast address. From what I'm reading, this is basic network functionality. However, I assume it might be abused for attacks?

Is this to be blocked at all, considering it is such basic functionality?

And if so, is there a way to not log UFW blocks on this specific subnet? Like, tell UFW to not log anything going over 224.0.0.0/24 ?

Not really a bug, I guess, though in terms of functionality and generated logs, is kind of weird to see these show up in the logs. And after a while gets annoying to have to ignore them and look for other stuff in between them.

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

Hey, this seems like a really cool script so thanks! I am wondering if I would be able to use this with a Raspberry Pi with PiHole and cloudflared installed as well. I realize this is a general question. Are there any modules included in this that might impact a PiHole setup? I notice there are DNS configurations but the PiHole needs to manage those itself.

Is it possible to add a switch to disable ipv6 it completely? seems to be a pretty common use case.

(I am not an Ansible person by any stretch of the imagination) this does not seem to account for the (not uncommon) case when one might have more than one version of a compiler (or multiple compilers) installed (even in a server context).

$ ls -l /usr/bin/cc /usr/bin/gcc /usr/bin/gcc-? /usr/bin/clang-?
lrwxrwxrwx 1 root root 20 Feb 24  2018 /usr/bin/cc -> /etc/alternatives/cc
lrwxrwxrwx 1 root root 23 Jan 31  2020 /usr/bin/clang-9 -> ../lib/llvm-9/bin/clang
lrwxrwxrwx 1 root root  5 May 20  2019 /usr/bin/gcc -> gcc-7
lrwxrwxrwx 1 root root 22 Dec  4  2019 /usr/bin/gcc-7 -> x86_64-linux-gnu-gcc-7
lrwxrwxrwx 1 root root 22 Mar 10  2020 /usr/bin/gcc-8 -> x86_64-linux-gnu-gcc-8

As far as I understand this task (or whatever it is called :) would leave gcc-8 in this example open (granted, locked-down as mitigates that). However, I suppose Clang would also need to be accounted for, as it doesn't necessarily need to use GNU as, so the current state completely misses it.

You might plausibly consider including Rust and Go on this list as well, "just in case".

On platforms where supported (deb-derived), using dpkg-statoverride would probably be a good thing. Don't know if RPM and friends have similar facilities.

A action failed.

:

:

:

See here:

Certain values can have more than 1 setting. Example:

net.ipv4.tcp_wmem: 4096 87380 8388608

Granted, that isn't a security/hardening related setting. So I'm just wondering if it would be ok to remove the cast, or leave it in as long as it doesn't come up for a hardening-related idea.

:

A action failed.

:

:

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: undefined. Note: this is a nested preset so please contact the preset author if you are unable to fix it yourself.

:

:

There is an detection of BIOS and if it is VMware, open-vm-tools are installed automatically.
For hosts virtualized by kvm, name of BIOS is SeaBIOS.
If BIOS is SeaBIOS or ansible_chassis_vendor is QEMU, open-vm-tools should be installed too.

    "ansible_architecture": "x86_64",
        "ansible_bios_date": "04/01/2014",
        "ansible_bios_vendor": "SeaBIOS",
        "ansible_bios_version": "rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org",
        "ansible_board_asset_tag": "NA",
        "ansible_board_name": "NA",
        "ansible_board_serial": "NA",
        "ansible_board_vendor": "NA",
        "ansible_board_version": "NA",
        "ansible_chassis_asset_tag": "NA",
        "ansible_chassis_serial": "NA",
        "ansible_chassis_vendor": "QEMU",
        "ansible_chassis_version": "pc-i440fx-5.2",

Describe the bug

TASK [konstruktoid.hardening : install python3-pexpect]

fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed to update apt cache: W:Updating from such a repository can't be done securely, and is therefore disabled by default., W:See apt-secure(8) manpage for repository creation and user configuration details., E:The repository 'http://ppa.launchpad.net/certbot/certbot/ubuntu focal Release' does not have a Release file."}

To Reproduce

---
- hosts: localhost
  any_errors_fatal: true
  tasks:
    - name: include the hardening role
      include_role:
        name: konstruktoid.hardening
      vars:
        ansible_sudo_pass: NeuroLF!
        ansible_ssh_user: positrigo
        block_blacklisted: true
        sshd_admin_net:
          - 10.0.2.0/24
          - 192.168.0.0/24
          - 192.168.1.0/24
        suid_sgid_permissions: true

ansible-playbook playbook.yml

Expected behavior
Works. Doesn't throw error.

System (lsb_release -a or similar):
Ubuntu 20.04.3 LTS

:

A action failed.

:

Describe the bug
After running this playbook: https://github.com/konstruktoid/ansible-role-hardening/blob/master/tasks/password.yml

I couldn't log in anymore after a reboot.

The login screen would flicker and give the message "that didn't work".

entering the password showed everything in cleartext.

Going to the console also fails. I can only enter the username, it hangs for a few seconds, and then says "login failed" and asks for a username again.

SSH also fails.

Be it my user or root, nothing works.

To Reproduce
Run the playbook on Popos 20.04 or Ubuntu 20.04

Expected behavior
For this not to happen.

System (lsb_release -a or similar):

$ lsb_release -a
No LSB modules are available.
Distributor ID: Pop
Description:    Pop!_OS 20.04 LTS
Release:        20.04
Codename:       focal

:

See here: https://github.com/konstruktoid/ansible-role-hardening/blob/master/tasks/path.yml

Includes /snap/bin

Snap uses squashfs to mount its programs.

Now, as part of another playbook, squashfs is blocked. See here: https://github.com/konstruktoid/ansible-role-hardening/blob/master/tasks/disablefs.yml

Where a list is blocked, list found here: https://github.com/konstruktoid/ansible-role-hardening/blob/master/defaults/main/module_blocklists.yml

It appears to not make sense that /snap/bin is included, as blocking squashfs means snap cannot run, I would think.

So I'd suggest removing it.

I'd like to use a custom ClientAliveInterval in the sshd_config. I'm using commands that might take up to 10m to complete, and the current default configuration (5m) disconnects the session in the middle.

:

Describe the bug
In Debian 11.0.0 users can no longer login to the console, switch user with su or perform elivated commands with sudo after play name: common-auth in tasks/password.yml is run. The user can sudo if named in sudoers, but not if the group is named only. Login via SSH still functions correctly.

To Reproduce
Run role on Debian 11.0.0 or just play name: common-auth in tasks/password.yml then attempt to perform su from any non-root user to any other user, or perform any sudo command as a user in the sudo group with %sudo in /etc/sudoers.

Expected behavior
Console login, su and sudo function as normal.

Additional context
Fresh install on bare metal. This result is guaranteed every time.

It would be nice to have an option to set group which has access to /proc for seeing other processes (like for zabbix agent)

More info here:
https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/

I had to manually add gid=zabbix to fstab entry. But this would probably need some variable which would be better.

Describe the bug
Registering of variable is missing tag so if we run playbook only with tag sshd, it fails that variable sshd_config_d_exists does not exists

To Reproduce

ansible-playbook -t sshd ./hardenize.yml

Expected behavior
sshconfig.yml needs to add tags:

- name: check if sshd_config.d exits
  stat:
    path: /etc/ssh/sshd_config.d
  register: sshd_config_d_exists
  tags:
    - sshd
    - sshd_config

Describe the bug
After hardenize, pam complains about missing library:
Apr 28 17:11:19 fcpa-fc-cz saslauthd[737]: PAM unable to dlopen(pam_cap.so): /lib/security/pam_cap.so: cannot open shared object file: No such file or directory

Seems that pam_cap is referenced in hardening template common-auth.j2 but it is not installed as mandatory package

Expected behavior
add libpam-cap to required debian packages

Hallo.

I have checked hardened VM instance of the RHEL/CentOS8 by OSCAP security scanner with the CIS Red Hat Enterprise Linux 8 Benchmark policy.

I have got many notices related to the auditd config. They are caused in many cases only by improper line check (for example it expects auid=unset instead of the auid=-1)

I have changed the hardening.rules.j2 to remove these problems. But I can ask you if you use some simmilar checks. Maybe my fix will repair Centos/Rhel 8 but can brings Centos 7 or other OS to the trouble....

So can be better to make decision if you can include these changes to the role. When the answer i yes, then please specify if you can do that globally or can you provide different file versions for different OS families and OS versions.

Looking forward to your answer

Best Regards, Zdenek

Thanks @konstruktoid for this great repo!
I am new to security on linux systems. This doesnt seem to be a bug but my lack of knowledge/understanding. Can you help me what am i missing here?

Describe the bug
When running the hardening role, many hardening tasks complete well but after finishing 'common-auth' task... I get 'incorrect sudo password' while running next task 'common-account' and all subsequent tasks fail.

To Reproduce
Both master and hosts node are running Ubuntu 20.04.2 LTS on oracle vm virtual box for testing. have created user named ubuntu with sudo privileges on both machines and also part of sudo group. Calling your hardening role from playbook with command:
ansible-playbook playbook_harden.yaml -kK

Playbook_harden.yaml code:

- hosts: dbserver2
  become: true
  roles:
    - konstruktoid.hardening

Expected behavior
Should be able to run all hardening tasks

System (lsb_release -a or similar):
Ubuntu 20.04.2 LTS

Additional context
some logs:

TASK [konstruktoid.hardening : check if ssh_config.d exits] ********************
ok: [dbserver2]

TASK [konstruktoid.hardening : configure ssh client] ***************************
changed: [dbserver2]

TASK [konstruktoid.hardening : common-password] ********************************
changed: [dbserver2]

TASK [konstruktoid.hardening : common-auth] ************************************
changed: [dbserver2]

TASK [konstruktoid.hardening : common-account] *********************************
fatal: [dbserver2]: FAILED! => {"msg": "Incorrect sudo password"}

RUNNING HANDLER [konstruktoid.hardening : restart sysctl] **********************

Thanks very much for your hard work on this repo, I just recently switched to linux in general. I plan to run a Lubuntu VPS which doesn't interact with the outside world but allows an admin to remote desktop in.

I spent a few weeks reading linux books and learning about various hardening techniques and mainly UFW. Then I discovered ansible and found this repo, I was very intrigued to see if a script can perform a '1 click' hardening of the entire system.

I did get a few errors running your script but most of the results seemed to go ok. I rebooted the system and it seems to be fine although I had some concerns, avahi is gone but what about bluetooth service? does a server really need bluetooth lol? seems like a security nightmare to me, but then again I have very little experience in security in general.

My other concern was that I ran Lynis and there was a huge amount of UNSAFE, WARNING and so on. My OCD is really triggering me and thinking I should have a 100% Lynis score but the hardening index is only 87.

Please can you let me know is your script enough to make a server secure on a VPS? I am just so paranoid about these things.

Thanks

Describe the bug
When hardening, aide tries to build db:
aideinit --force --yes
but it takes too much time. And it could be done in background.

Expected behavior
Ability to run
aideinit --force --yes -b
so it will be build on background and hardening will continue

I have been working with your Ansible project and it has been a great tool. I wanted to provide a suggestion for the tasks/24_aide.yml. (This is based on testing I am doing on a clean install of Ubuntu 16.04.5) You install the aidecheck.service that references the use of /usr/bin/aide.wrapper to run. Looking at that wrapper script, it points to a specific configuration at /var/lib/aide/aide.conf.default. In the "initialize aide" task in 24_aide.yml, you initialize the db using the regular aide command. In the instance I am testing with, aide by itself does not have a configuration associated with it. You may want to change the shell line of that task to instead be:

shell: aide.wrapper --init -B 'database_out=file:/var/lib/aide/aide.db.gz'

Output of aide -v showing no configuration (last line):

Aide 0.16a2-19-g16ed855

Compiled with the following options:

WITH_MMAP
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_MHASH
WITH_AUDIT
CONFIG_FILE = "/dev/null"

Describe the bug
Unable to login remotely after applying the role on a Debian Bullseye (Debian 11) from in the Vultr instance server type library.

It seems that the pam module tally2 has been deprecated and needs to be replaces with faillock module. At least that's what the Redhat team is doing: dev-sec/ansible-collection-hardening#377

To Reproduce
Apply the role and try to log in using ssh.

In the file /var/log/auth.log the following entries can be found:

Oct 30 09:58:08 poc-cis sshd[2012]: Connection from xyz.xyz.xyz.xyz port 51416 on zyx.zyx.zyx.zyx port 22 rdomain ""
Oct 30 09:58:08 poc-cis sshd[2012]: PAM unable to dlopen(pam_tally2.so): /lib/security/pam_tally2.so: cannot open shared object file: No such file or directory
Oct 30 09:58:08 poc-cis sshd[2012]: PAM adding faulty module: pam_tally2.so

Expected behavior
Successful login using ssh.

System (lsb_release -a or similar):
$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 11 (bullseye)
Release: 11
Codename: bullseye

Additional context
I'm using packer to create the image, but I believe it's not relevant for this bug.

Describe the bug
A section in the readme says

Setting block_blacklisted: true will actually block, or disable, any blacklisted kernel modules. The reasoning behind this is that a blacklisted module can still be loaded manually with modprobe module_name. Using install module_name /bin/true prevents this.

It won't actually block or disable loading of modules. It will block modprobe, that's true enough, but there's still insmod, which will not even bat an eye on modprobe's configuration. While insmod may get a tad bit tedious with modules that have dependencies, it's still perfectly possible to load any module with it. A casual reader, or perhaps someone less familiar with Linux, might misconstrue the statement as "module disabled for good", whereas in reality it's more like "automatic loading of module" is disabled for good (even if the "automatic loading" is somewhat of the manual persuasion - I'm sure you get what I'm saying).

The only way to really disable modules (that I know of, anyway) is kernel.modules_disabled. It however is global and irreversible (without a reboot).

An alternative method might be truly deleting the offending modules from the file system and using dpkg --path-exclude (/etc/dpkg/dpkg.cfg.d/ droplets) where available - I'm assuming other package managers must have similar facilities.

Describe the bug

efff947 introduces CtrlAltDelBurstAction=none in /etc/systemd/system.conf

https://manpages.debian.org/bullseye/systemd/systemd-system.conf.5.en.html says:

CtrlAltDelBurstAction=
Defines what action will be performed if user presses Ctrl-Alt-Delete more than 7 times in 2s. Can be set to "reboot-force", "poweroff-force", "reboot-immediate", "poweroff-immediate" or disabled with "none". Defaults to "reboot-force".

I would like to know possible security implications of leaving this to the default value (reboot-force). As far as I can see, this only opens up to this possible attack:

• a malicious user with keyboard access can reboot the machine and cause a denial of service

Correct? Or are there other reasons to set this option to none ?

Hi,

I traced back the addition of net_modules_blocklist to 6000ef9. From this commit I cannot tell why these particular modules (dccp, sctp, rds, tipc) were disabled.

What is the reason for disabling these modules? Is it a generic "disable what you don't need" task (in which case it might be better to leave the default list empty, as the modules could be in use on some systems)? Or is there a specific problem/security risk related to dccp/sctp/rds/tipc modules?

Thanks for this interesting role, I am learning from it and mixing it with https://github.com/dev-sec/ansible-collection-hardening/ and https://github.com/nodiscc/xsrv/tree/master/roles/common

How do you use this on an existing server? Do I clone the repo and run runPlaybook.sh? Why is vagrant required?

Describe the bug
Hi!
Hardening fails on:

 amazon-ebs: TASK [konstruktoid.hardening : set grub config permissions] ********************�[0m
�[0;32m    amazon-ebs: fatal: [default]: FAILED! => {"msg": "The conditional check 'item.mode|int > 0400' failed. The error was: template error while templating string: expected token 'end of statement block', got 'integer'. String: {% if item.mode|int > 0400 %} True {% else %} False {% endif %}\n\nThe error appears to be in '/root/.ansible/roles/konstruktoid.hardening/tasks/post.yml': line 15, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: set grub config permissions\n  ^ here\n"}�[0m

On a server:

stat -c "%a %n" /boot/grub/grub.cfg
444 /boot/grub/grub.cfg

stat -c "%a %n" /boot/grub/grubenv
644 /boot/grub/grubenv

ls /boot/grub/
default           fonts/            gfxblacklist.txt  grub.cfg          grubenv           i386-pc/          locale/           menu.lst          menu.lst~         unicode.pf2

To Reproduce
Running the playbook v1.3.2 on an AWS ubuntu EC2 instance

Expected behavior
Ansible finds the grub config files and set them to 400

System (lsb_release -a or similar):

Distributor ID: Ubuntu
Release:        20.04
Codename:       focal

Additional context

Is there anything we can do to override this in settings?

THANKS! :)

Question about PAM hardening

Hallo.

I have a problem on CentOS 8.3 with new user login.

I have created new user after role is applied, but user is not able to login on the console

Due this I have started analyze the PAM modifications provided by the role

At first, i have found that role copied

• common-auth
• common-password
• common-account

files on all platforms, but seems that on RedHat family these files are not used (included) by other pam config files. Then are really necessary to be copied here?

Why on RHEL family the sugroup is defined? Is here idea to use it as a wheel replacement or something else?

Thank you for your answers.

ZP

Hey @konstruktoid,

What is the usual release cycle that you try to follow for ansible-galaxy? I've faced the issue described here #100 and saw that you solved the issue in a recent commit.

Unfortunately, this is not released yet and I wanted to know if I'd better organize my code to use git clone or can I use ansible-galaxy, hopping for a release soon?

Thanks!