add security setting

ansible/bastion_roles.yaml

@@ -0,0 +1,6 @@
+---
+- hosts: default
+  become: true
+  roles:
+    - bastion
+    - security-settings

ansible/node_roles.yaml

@@ -0,0 +1,6 @@
+---
+- hosts: default
+  become: true
+  roles:
+    - node
+    - security-settings

ansible/roles.yaml

@@ -0,0 +1,7 @@
+---
+- name: 'Provision Image'
+  hosts: default
+  become: true
+  roles:
+    - bastion
+    - security-settings

ansible/roles/bastion/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

ansible/roles/bastion/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+# defaults file for apache

ansible/roles/bastion/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for apache

ansible/roles/bastion/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

ansible/roles/bastion/tasks/main.yml

@@ -0,0 +1,3 @@
+---
+- name: echo hello
+  command: echo "Not Valid Ruby Version"

ansible/roles/bastion/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

ansible/roles/bastion/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - apache

ansible/roles/bastion/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for apache

ansible/roles/node/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

ansible/roles/node/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+# defaults file for apache

ansible/roles/node/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for apache

ansible/roles/node/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

ansible/roles/node/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+- name: echo hello
+  command: echo "Not Valid Ruby Version"
+
+- name: Update apt repo and cache on all Debian/Ubuntu boxes
+  apt: update_cache=yes cache_valid_time=3600
+
+- name: Install cifs-utils
+  apt: name=cifs-utils state=latest update_cache=yes
+
+- name: Install nfs-common
+  apt: name=nfs-common state=latest update_cache=yes

ansible/roles/node/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

ansible/roles/node/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - apache

ansible/roles/node/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for apache

ansible/roles/security-settings/defaults/main.yml

@@ -0,0 +1,29 @@
+# Password aging settings
+os_auth_pw_max_age: 90
+os_auth_pw_min_age: 10
+os_auth_pw_warn_age: 7
+passhistory: 2
+
+# Inactivity and Failed attempts lockout settings
+fail_deny: 5
+fail_unlock: 0
+inactive_lock: 0
+shell_timeout: 300
+
+# tally settings
+onerr: 'fail'
+deny: 5
+unlock_time: 300
+
+# Password complexity settings
+pwquality_minlen: 9
+pwquality_maxrepeat: 3
+pwquality_lcredit: -1
+pwquality_ucredit: -1
+pwquality_dcredit: -1
+pwquality_ocredit: -1
+
+# SSH settings
+sshrootlogin: 'no'
+sshmainport: 22
+ssh_service_name: sshd

ansible/roles/security-settings/files/login_banner

@@ -0,0 +1,20 @@
+#!/bin/sh
+printf '''
+  |-----------------------------------------------------------------|
+  | This system is for the use of authorized users only.            |
+  | Individuals using this computer system without authority, or in |
+  | excess of their authority, are subject to having all of their   |
+  | activities on this system monitored and recorded by system      |
+  | personnel.                                                      |
+  |                                                                 |
+  | In the course of monitoring individuals improperly using this   |
+  | system, or in the course of system maintenance, the activities  |
+  | of authorized users may also be monitored.                      |
+  |                                                                 |
+  | Anyone using this system expressly consents to such monitoring  |
+  | and is advised that if such monitoring reveals possible         |
+  | evidence of criminal activity, system personnel may provide the |
+  | evidence of such monitoring to law enforcement officials.       |
+  |-----------------------------------------------------------------|
+'''
+

ansible/roles/security-settings/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: restart sshd
+  service:
+    name: "{{ ssh_service_name }}"
+    state: restarted
+    enabled: true

ansible/roles/security-settings/tasks/banner.yml

@@ -0,0 +1,29 @@
+---
+- name: Create a tar.gz archive of a single file.
+  archive:
+    path: /etc/update-motd.d/*
+    dest: /etc/update-motd.d/motd.tar.gz
+    format: gz
+    force_archive: true
+
+- name: remove a motd.d files
+  file:
+    path: /etc/update-motd.d/{{ item }}
+    state: absent
+  with_items:
+    - 10-help-text
+    - 85-fwupd
+    - 90-updates-available
+    - 91-release-upgrade
+    - 95-hwe-eol
+    - 98-fsck-at-reboot
+    - 50-motd-news
+    - 88-esm-announce
+
+- name: Create login banner
+  copy:
+    src: login_banner
+    dest: /etc/update-motd.d/00-header
+    owner: root
+    group: root
+    mode: 0755

ansible/roles/security-settings/tasks/login_defs.yml

@@ -0,0 +1,48 @@
+---
+- name: Set pass max days
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^PASS_MAX_DAYS.*$'
+    line: "PASS_MAX_DAYS\t{{os_auth_pw_max_age}}"
+    backrefs: yes
+
+- name: Set pass min days
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^PASS_MIN_DAYS.*$'
+    line: "PASS_MIN_DAYS\t{{os_auth_pw_min_age}}"
+    backrefs: yes
+
+- name: Set pass min length
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^PASS_MIN_LEN.*$'
+    line: "PASS_MIN_LEN\t{{pwquality_minlen}}"
+    backrefs: yes
+
+- name: Set pass warn days
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^PASS_WARN_AGE.*$'
+    line: "PASS_WARN_AGE\t{{os_auth_pw_warn_age}}"
+    backrefs: yes
+
+- name: Set password encryption to SHA512
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^ENCRYPT_METHOD\s.*$'
+    line: "ENCRYPT_METHOD\tSHA512"
+    backrefs: yes
+
+- name: Disable MD5 crypt explicitly
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^MD5_CRYPT_ENAB.*$'
+    line: "MD5_CRYPT_ENAB NO"
+    backrefs: yes

ansible/roles/security-settings/tasks/main.yml

@@ -0,0 +1,15 @@
+---
+- include: login_defs.yml
+  tags: login_defs
+
+- include: pam.yml
+  tags: pam
+
+- include: sshd_config.yml
+  tags: sshd_config
+
+- include: profile.yml
+  tags: profile
+
+- include: banner.yml
+  tags: banner

ansible/roles/security-settings/tasks/pam.yml

@@ -0,0 +1,50 @@
+---
+- name: Add pam_tally2.so 
+  template:
+    src: common-auth.j2
+    dest: /etc/pam.d/common-auth
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Create pwquality.conf password complexity configuration
+  block:
+    - apt:
+        name: libpam-pwquality
+        state: present
+        install_recommends: false
+    - template:
+        src: pwquality.conf.j2
+        dest: /etc/security/pwquality.conf
+        owner: root
+        group: root
+        mode: 0644
+
+- name: Add pam_tally2.so
+  block:
+    - lineinfile:
+        dest: /etc/pam.d/common-account
+        regexp: '^account\srequisite'
+        line: "account requisite pam_deny.so"
+
+    - lineinfile:
+        dest: /etc/pam.d/common-account
+        regexp: '^account\srequired'
+        line: "account required pam_tally2.so"
+
+- name: password reuse is limited
+  lineinfile:
+    dest: /etc/pam.d/common-password
+    line: "password required pam_pwhistory.so remember=5"
+
+- name: password hashing algorithm is SHA-512
+  lineinfile:
+    dest: /etc/pam.d/common-password
+    regexp: '^password\s+\[success'
+    line: "password [success=1 default=ignore] pam_unix.so sha512"
+
+- name: Shadow Password Suite Parameters
+  lineinfile:
+    dest: /etc/pam.d/common-password
+    regexp: '^password\s+\[success'
+    line: "password [success=1 default=ignore] pam_unix.so sha512"

ansible/roles/security-settings/tasks/profile.yml

@@ -0,0 +1,24 @@
+---
+- name: Set session timeout
+  lineinfile:
+    dest: /etc/profile
+    regexp: '^TMOUT=.*'
+    insertbefore: '^readonly TMOUT'
+    line: 'TMOUT={{shell_timeout}}'
+    state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
+
+- name: Set TMOUT readonly
+  lineinfile:
+    dest: /etc/profile
+    regexp: '^readonly TMOUT'
+    insertafter: 'TMOUT={{shell_timeout}}'
+    line: 'readonly TMOUT'
+    state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
+
+- name: Set export TMOUT
+  lineinfile:
+    dest: /etc/profile
+    regexp: '^export TMOUT.*'
+    insertafter: 'readonly TMOUT'
+    line: 'export TMOUT'
+    state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"

ansible/roles/security-settings/tasks/sshd_config.yml

@@ -0,0 +1,23 @@
+---
+- name: Configure ssh root login to {{sshrootlogin}}
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(#)?PermitRootLogin.*'
+    line: 'PermitRootLogin {{sshrootlogin}}'
+    insertbefore: '^Match.*'
+    state: present
+    owner: root
+    group: root
+    mode: 0640
+  notify: restart sshd
+
+- name: SSH Listen on Main Port
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    insertbefore: '^#*AddressFamily'
+    line: 'Port {{sshmainport}}'
+    state: present
+    owner: root
+    group: root
+    mode: 0640
+  notify: restart sshd

ansible/roles/security-settings/templates/common-auth.j2

@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+auth	required			pam_tally2.so onerr={{onerr}} even_deny_root deny={{deny}} unlock_time={{unlock_time}}
+
+# here are the per-package modules (the "Primary" block)
+auth    [success=1 default=ignore]      pam_unix.so nullok
+# here's the fallback if no module succeeds
+auth    requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+auth    required                        pam_permit.so
+# since the modules above will each just jump around
+# and here are more per-package modules (the "Additional" block)
+auth    optional                        pam_cap.so
+# end of pam-auth-update config

ansible/roles/security-settings/templates/pwquality.conf.j2

@@ -0,0 +1,50 @@
+# Configuration for systemwide password quality limits
+# Defaults:
+#
+# Number of characters in the new password that must not be present in the
+# old password.
+# difok = 5
+#
+# Minimum acceptable size for the new password (plus one if
+# credits are not disabled which is the default). (See pam_cracklib manual.)
+# Cannot be set to lower value than 6.
+minlen = {{pwquality_minlen}}
+#
+# The maximum credit for having digits in the new password. If less than 0
+# it is the minimum number of digits in the new password.
+dcredit = {{pwquality_dcredit}}
+#
+# The maximum credit for having uppercase characters in the new password.
+# If less than 0 it is the minimum number of uppercase characters in the new
+# password.
+ucredit = {{pwquality_ucredit}}
+#
+# The maximum credit for having lowercase characters in the new password.
+# If less than 0 it is the minimum number of lowercase characters in the new
+# password.
+lcredit = {{pwquality_lcredit}}
+#
+# The maximum credit for having other characters in the new password.
+# If less than 0 it is the minimum number of other characters in the new
+# password.
+ocredit = {{pwquality_ocredit}}
+#
+# The minimum number of required classes of characters for the new
+# password (digits, uppercase, lowercase, others).
+# minclass = 0
+#
+# The maximum number of allowed consecutive same characters in the new password.
+# The check is disabled if the value is 0.
+maxrepeat = {{pwquality_maxrepeat}}
+#
+# The maximum number of allowed consecutive characters of the same class in the
+# new password.
+# The check is disabled if the value is 0.
+# maxclassrepeat = 0
+#
+# Whether to check for the words from the passwd entry GECOS string of the user.
+# The check is enabled if the value is not 0.
+# gecoscheck = 0
+#
+# Path to the cracklib dictionaries. Default is to use the cracklib default.
+# dictpath =

ansible/test.yaml

@@ -0,0 +1,30 @@
+---
+- name: Set session timeout
+  hosts: all
+  tasks:
+  - lineinfile:
+      dest: /etc/profile
+      regexp: '^TMOUT=.*'
+      insertbefore: '^readonly TMOUT'
+      line: 'TMOUT={{shell_timeout}}'
+      state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
+
+- name: Set TMOUT readonly
+  hosts: all
+  tasks:
+  - lineinfile:
+      dest: /etc/profile
+      regexp: '^readonly TMOUT'
+      insertafter: 'TMOUT={{shell_timeout}}'
+      line: 'readonly TMOUT'
+      state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
+
+- name: Set export TMOUT
+  hosts: all
+  tasks:
+  - lineinfile:
+      dest: /etc/profile
+      regexp: '^export TMOUT.*'
+      insertafter: 'readonly TMOUT'
+      line: 'export TMOUT'
+      state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"