CIS + inital

roles/system_hardening/defaults/main.yml

@@ -0,0 +1,128 @@
+---
+# System Hardening Role - Default Variables
+
+# SSH Configuration
+ssh_port: 22
+ssh_permit_root_login: "no"
+ssh_password_authentication: "no"
+ssh_pubkey_authentication: "yes"
+ssh_challenge_response_auth: "no"
+ssh_x11_forwarding: "no"
+ssh_max_auth_tries: 3
+ssh_client_alive_interval: 300
+ssh_client_alive_count_max: 2
+ssh_allowed_users: []  # List of users allowed to SSH
+ssh_listen_address: "0.0.0.0"
+
+# Strong SSH ciphers and algorithms
+ssh_ciphers:
+  - "chacha20-poly1305@openssh.com"
+  - "aes256-gcm@openssh.com"
+  - "aes128-gcm@openssh.com"
+ssh_macs:
+  - "hmac-sha2-512-etm@openssh.com"
+  - "hmac-sha2-256-etm@openssh.com"
+ssh_kex_algorithms:
+  - "curve25519-sha256"
+  - "curve25519-sha256@libssh.org"
+  - "diffie-hellman-group-exchange-sha256"
+
+# System packages
+hardening_install_packages:
+  - ufw
+  - fail2ban
+  - unattended-upgrades
+  - apt-listchanges
+  - auditd
+  - aide
+  - rkhunter
+  - lynis
+
+hardening_remove_packages:
+  - telnet
+  - rsh-client
+  - rsh-redone-client
+
+# Automatic security updates
+unattended_upgrades_enabled: true
+unattended_upgrades_auto_reboot: false
+unattended_upgrades_auto_reboot_time: "03:00"
+
+# Fail2ban configuration
+fail2ban_enabled: true
+fail2ban_bantime: 3600
+fail2ban_findtime: 600
+fail2ban_maxretry: 5
+fail2ban_destemail: "root@localhost"
+
+# Sysctl hardening
+sysctl_config:
+  # IP Forwarding (required for VPN)
+  net.ipv4.ip_forward: 1
+  
+  # Disable IPv6 (optional, set to 0 to enable)
+  net.ipv6.conf.all.disable_ipv6: 1
+  net.ipv6.conf.default.disable_ipv6: 1
+  
+  # Protect against SYN flood attacks
+  net.ipv4.tcp_syncookies: 1
+  net.ipv4.tcp_syn_retries: 2
+  net.ipv4.tcp_synack_retries: 2
+  net.ipv4.tcp_max_syn_backlog: 4096
+  
+  # Protect against IP spoofing
+  net.ipv4.conf.all.rp_filter: 1
+  net.ipv4.conf.default.rp_filter: 1
+  
+  # Ignore ICMP redirects
+  net.ipv4.conf.all.accept_redirects: 0
+  net.ipv4.conf.default.accept_redirects: 0
+  net.ipv4.conf.all.secure_redirects: 0
+  net.ipv4.conf.default.secure_redirects: 0
+  
+  # Do not send ICMP redirects
+  net.ipv4.conf.all.send_redirects: 0
+  net.ipv4.conf.default.send_redirects: 0
+  
+  # Ignore ICMP ping requests
+  net.ipv4.icmp_echo_ignore_all: 0
+  net.ipv4.icmp_echo_ignore_broadcasts: 1
+  
+  # Ignore bogus ICMP error responses
+  net.ipv4.icmp_ignore_bogus_error_responses: 1
+  
+  # Log martian packets
+  net.ipv4.conf.all.log_martians: 1
+  net.ipv4.conf.default.log_martians: 1
+  
+  # Disable source packet routing
+  net.ipv4.conf.all.accept_source_route: 0
+  net.ipv4.conf.default.accept_source_route: 0
+  
+  # Increase system file descriptor limit
+  fs.file-max: 65535
+  
+  # Protect against time-wait assassination
+  net.ipv4.tcp_rfc1337: 1
+  
+  # Kernel hardening
+  kernel.dmesg_restrict: 1
+  kernel.kptr_restrict: 2
+  kernel.yama.ptrace_scope: 1
+
+# Auditd configuration
+auditd_enabled: true
+auditd_rules:
+  - "-w /etc/passwd -p wa -k identity"
+  - "-w /etc/group -p wa -k identity"
+  - "-w /etc/shadow -p wa -k identity"
+  - "-w /etc/sudoers -p wa -k actions"
+  - "-w /var/log/auth.log -p wa -k auth"
+  - "-w /var/log/faillog -p wa -k logins"
+  - "-w /etc/ssh/sshd_config -p wa -k sshd"
+
+# Timezone
+system_timezone: "UTC"
+
+# Hostname
+system_hostname: ""  # Leave empty to keep current hostname

roles/system_hardening/defaults/main_cis.yml

@@ -0,0 +1,19 @@
+---
+# CIS-Specific Variables for System Hardening
+
+# AppArmor (CIS 1.3.x)
+apparmor_enabled: true
+apparmor_enforce_all: true
+
+# Auditd (CIS 4.1.x)
+auditd_enabled: true
+auditd_max_log_file: 8  # MB
+
+# Network (CIS 3.x)
+disable_ipv6: true  # Set to false if IPv6 is needed
+
+# Core dumps (CIS 1.5.1)
+disable_core_dumps: true
+
+# Uncommon protocols (CIS 3.3.x)
+disable_uncommon_protocols: true