-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy pathfreebsd.yml
107 lines (107 loc) · 3.69 KB
/
freebsd.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
---
# Minor FreeBSD hardening
- hosts: freebsd
vars_files:
- vars.yml
tasks:
- name: Minimal FreeBSD hardening
block:
- name: Harden sysctl settings
sysctl:
name: "{{ item.key }}"
value: "{{ item.value }}"
state: present
with_dict:
kern.coredump: 0
kern.securelevel: 1
security.bsd.see_other_uids: 0
security.bsd.see_other_gids: 0
security.bsd.unprivileged_read_msgbuf: 0
#kern.racct.enable: 1
- name: Enable firewall
ansible.builtin.blockinfile:
path: /etc/rc.conf
block: |
firewall_enable="YES"
firewall_type="open"
# https://www.freebsd.org/doc/handbook/audit-config.html
- name: Enable & start auditing
ansible.builtin.service:
name: auditd
enabled: true
state: started
- name: Create audit log rotation
ansible.builtin.cron:
name: "audit log rotation"
hour: "*/12"
minute: "0"
job: /usr/sbin/audit -n 1>/dev/null
# https://www.freebsd.org/doc/handbook/consoles.html#consoles-singleuser
- name: Ask for password in single User Mode
ansible.builtin.replace:
path: /etc/ttys
regexp: '^(console\s+.+\s+)secure$'
replace: '\g<1>insecure'
validate: '/usr/bin/grep "^console.\+insecure$" %s'
- name: Set uucp user's shell to nologin
ansible.builtin.user:
name: uucp
shell: /usr/sbin/nologin
- name: Remove the user 'toor'
ansible.builtin.user:
name: toor
state: absent
remove: yes
# https://www.freebsd.org/doc/handbook/security-pkg.html
- name: Stat /etc/periodic.conf
ansible.builtin.stat:
path: /etc/periodic.conf
register: stat_result
- name: Run pkg audit daily
ansible.builtin.replace:
path: /etc/periodic.conf
regexp: '^(daily_status_security_pkgaudit_enable)="[A-Z]+"$'
replace: '\g<1>="YES"'
validate: '/usr/bin/grep "^daily_status_security_pkgaudit_enable=\"YES\"$" %s'
# https://www.freebsd.org/doc/handbook/security-accounting.html#idp56794616
- name: Enable process accounting
block:
- name: Create process accounting file
ansible.builtin.copy:
content: ""
dest: /var/account/acct
force: false
group: wheel
owner: root
mode: 0600
- name: Start process accounting
ansible.builtin.command: accton /var/account/acct
- name: Enable accounting
ansible.builtin.service:
name: accounting
enabled: true
- name: Get kern.ident sysctl value
ansible.builtin.command: sysctl -n kern.ident
register: kern_ident
- name: Add rrdcached to allowed_services
ansible.builtin.set_fact:
allowed_services: "{{ allowed_services + [ \"rrdcached\" ] }}"
when: kern_ident.stdout == "FREENAS64"
- name: 'TCP wrappers: create /etc/hosts.allow'
ansible.builtin.template:
src: "{{ playbook_dir }}/templates/hosts.allow-{{ ansible_system }}.j2"
dest: /etc/hosts.allow
- name: chmod /root
ansible.builtin.file:
path: /root
mode: '0700'
- name: Set default umask to 077
tags: umask
ansible.builtin.replace:
path: /etc/login.conf
regexp: '^(\s+:umask=)022:\\$'
replace: '\g<1>077:\\'
- name: Update the login.conf database
ansible.builtin.command: cap_mkdb
become: true
when: ansible_distribution == "FreeBSD"