damianlewis/ansible-role-security

Ansible Role: Security

Role for installing software and configuring security settings.

Requirements

None.

Role Variables

Available variables are listed below, along with their default values.

security_ssh_allow_agent_forwarding: no
security_ssh_allow_tcp_forwarding: no
security_ssh_challenge_response_authentication: no
security_ssh_client_alive_count: 3
security_ssh_client_alive_interval: 300
security_ssh_gss_api_authentication: no
security_ssh_max_auth_retries: 2
security_ssh_max_sessions: 10
security_ssh_password_authentication: no
security_ssh_permit_empty_password: no
security_ssh_permit_root_login: no
security_ssh_port: 22
security_ssh_print_motd: no
security_ssh_protocol: 2
security_ssh_tcp_keep_alive: no
security_ssh_use_dns: no
security_ssh_use_pam: yes
security_ssh_x11_forwarding: no

Security settings for SSH.

  • security_ssh_allow_agent_forwarding:boolean - Specifies whether ssh-agent forwarding is permitted.
  • security_ssh_allow_tcp_forwarding:boolean - Specifies whether TCP forwarding is permitted.
  • security_ssh_challenge_response_authentication:boolean - Specifies whether challenge-response authentication is allowed.
  • security_ssh_client_alive_count:int - Sets the number of client alive messages that may be sent before the client is disconnected.
  • security_ssh_client_alive_interval:int - Sets a timeout interval in seconds after which, if no activity has been detected from the client, a message requesting a response from the client will be sent. Set to '0' to disable this feature.
  • security_ssh_gss_api_authentication:boolean - Specifies whether user authentication based on GSSAPI is allowed.
  • security_ssh_max_auth_retries:int - Specifies the maximum number of authentication attempts permitted per connection.
  • security_ssh_max_sessions:int - Specifies the maximum number of open sessions permitted per network connection.
  • security_ssh_password_authentication:boolean - Specifies whether password authentication is allowed. When SSH keys are being used, password authentication can be disabled.
  • security_ssh_permit_empty_password:boolean - Specifies whether users without a password can log in.
  • security_ssh_permit_root_login:boolean - Specifies whether the root user can log in.
  • security_ssh_port:int - The port on which SSH should listen. To avoid misconfiguration, choose a port from the dynamic/private port range: 49152-65535.
  • security_ssh_print_motd:boolean - Specifies whether the MOTD message should be printed when a user logs in interactively.
  • security_ssh_protocol:int - Specifies the protocol version to use. The possible values are '1' and '2'.
  • security_ssh_tcp_keep_alive:boolean - Specifies whether the system should send TCP keepalive messages.
  • security_ssh_use_dns:boolean - Specifies whether sshd should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address.
  • security_ssh_use_pam:boolean - Specifies whether the Pluggable Authentication Module interface is enabled.
  • security_ssh_x11_forwarding:boolean - Specifies whether X11 forwarding is permitted.
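
To confirm that the SSH settings above actually reached the target's sshd_config, here is an added Python check (example code, not part of the role). It maps each role variable to its sshd_config keyword (an assumed mapping, since the README documents the variables but not the role's template), parses the global section of a config file or of `sshd -T` output, and reports every setting that deviates from the role's values. The sample configuration is constructed for this example.

```python
"""Check a rendered sshd_config against the role's SSH variables (added example)."""
import re

# Role variable -> (sshd_config keyword, README default). The keyword mapping is an
# assumption: the README lists the variables, not the role's sshd_config template.
SSH_SETTINGS = {
    "security_ssh_allow_agent_forwarding": ("AllowAgentForwarding", False),
    "security_ssh_allow_tcp_forwarding": ("AllowTcpForwarding", False),
    "security_ssh_challenge_response_authentication": ("ChallengeResponseAuthentication", False),
    "security_ssh_client_alive_count": ("ClientAliveCountMax", 3),
    "security_ssh_client_alive_interval": ("ClientAliveInterval", 300),
    "security_ssh_gss_api_authentication": ("GSSAPIAuthentication", False),
    "security_ssh_max_auth_retries": ("MaxAuthTries", 2),
    "security_ssh_max_sessions": ("MaxSessions", 10),
    "security_ssh_password_authentication": ("PasswordAuthentication", False),
    "security_ssh_permit_empty_password": ("PermitEmptyPasswords", False),
    "security_ssh_permit_root_login": ("PermitRootLogin", False),
    "security_ssh_port": ("Port", 22),
    "security_ssh_print_motd": ("PrintMotd", False),
    "security_ssh_protocol": ("Protocol", 2),
    "security_ssh_tcp_keep_alive": ("TCPKeepAlive", False),
    "security_ssh_use_dns": ("UseDNS", False),
    "security_ssh_use_pam": ("UsePAM", True),
    "security_ssh_x11_forwarding": ("X11Forwarding", False),
}


def expected_value(value):
    """Render a role variable the way it appears in sshd_config (yes/no for booleans)."""
    if isinstance(value, bool):
        return "yes" if value else "no"
    return str(value)


def parse_sshd_config(text):
    """Parse the global section of an sshd_config file or of `sshd -T` output.

    Returns {keyword.lower(): value}. Only the first occurrence of a keyword is
    kept, because that is the one sshd honours; parsing stops at the first
    `Match` line, since everything after it applies conditionally.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Keyword and value are separated by whitespace or by a single "=".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break
        settings.setdefault(keyword, value)
    return settings


def check_sshd_config(text, overrides=None):
    """Return [(keyword, expected, actual)] for every setting that deviates.

    `overrides` holds role variables set in a playbook; `actual` is None when
    the keyword is missing, in which case sshd falls back to its compiled-in
    default, which is not necessarily the hardened value.
    """
    values = {var: default for var, (_, default) in SSH_SETTINGS.items()}
    values.update(overrides or {})
    actual = parse_sshd_config(text)
    mismatches = []
    for var, (keyword, _) in SSH_SETTINGS.items():
        want = expected_value(values[var])
        got = actual.get(keyword.lower())
        if got is None or got.lower() != want.lower():
            mismatches.append((keyword, want, got))
    return mismatches


# Constructed sample: the role defaults, except PasswordAuthentication, which
# has been switched on, plus a Match block that must not mask the global value.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2
AllowAgentForwarding no
AllowTcpForwarding no
ChallengeResponseAuthentication no
ClientAliveCountMax 3
ClientAliveInterval 300
GSSAPIAuthentication no
MaxAuthTries 2
MaxSessions 10
# deviates from the role default
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin no
PrintMotd no
TCPKeepAlive no
UseDNS no
UsePAM yes
X11Forwarding no
Match User deploy
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for keyword, want, got in check_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"{keyword}: expected {want}, found {got}")
```

On a real host, pass the contents of /etc/ssh/sshd_config, or better the output of `sshd -T` run as root, which prints the effective values (lowercase keywords) after included files and defaults have been applied. A keyword reported as None means the file relies on sshd's compiled-in default; making it explicit is the safer choice.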

security_apt_periodic_update_package_list: 1
security_apt_periodic_download_upgradable_packages: 1
security_apt_periodic_autoclean: 7
security_apt_periodic_unattended_upgrades: 1

The APT::Periodic configuration settings.

  • security_apt_periodic_update_package_list:integer - Update the apt package cache every security_apt_periodic_update_package_list days.
  • security_apt_periodic_download_upgradable_packages:integer - Download packages that can be upgraded every security_apt_periodic_download_upgradable_packages days.
  • security_apt_periodic_autoclean:integer - Remove redundant packages using apt's 'autoclean' every security_apt_periodic_autoclean days.
  • security_apt_periodic_unattended_upgrades:integer - Install the available upgrades every security_apt_periodic_unattended_upgrades days.

security_unattended_upgrades_enabled: yes
security_unattended_upgrades_blacklist: []
security_unattended_upgrades_remove_unused_dependencies: no
security_unattended_upgrades_mail_to: ''
security_unattended_upgrades_mail_on_error: no
security_unattended_upgrades_reboot: no
security_unattended_upgrades_reboot_time: '02:00'

The unattended-upgrades configuration settings.

  • security_unattended_upgrades_enabled:boolean - Specifies whether unattended-upgrades should be installed.
  • security_unattended_upgrades_blacklist:list - A list of packages that will not be automatically upgraded.
  • security_unattended_upgrades_remove_unused_dependencies:boolean - Specifies whether new unused dependencies should be removed after an upgrade (equivalent to apt-get autoremove).
  • security_unattended_upgrades_mail_to:string - Send email to this address to report problems or package upgrades. If empty, no email is sent.
  • security_unattended_upgrades_mail_on_error:boolean - Specifies whether emails should only be sent on errors. Default is to always send an email if security_unattended_upgrades_mail_to is set.
  • security_unattended_upgrades_reboot:boolean - Specifies whether an automatic reboot should be performed after packages are upgraded.
  • security_unattended_upgrades_reboot_time:string - If automatic reboot is enabled and needed, reboot at the specified time. Use the value 'now' to reboot immediately after upgrades.
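
The APT::Periodic group and the unattended-upgrades group above correspond to two files under /etc/apt/apt.conf.d. As an added example that is not the role's own template, the Python below renders those settings from the role's variables (the option names are the real apt and unattended-upgrades keys; how the role itself maps its variables onto them is an assumption), then parses the rendered apt.conf syntax back so the result can be checked. Its sample input is constructed from the README's example playbook: vim and libc6 blacklisted and a reboot time of 'now', with automatic reboot switched on so that the time is emitted.

```python
"""Render and parse the APT::Periodic and unattended-upgrades settings (added example)."""
import re

# README defaults for the two variable groups.
APT_VARS = {
    "security_apt_periodic_update_package_list": 1,
    "security_apt_periodic_download_upgradable_packages": 1,
    "security_apt_periodic_autoclean": 7,
    "security_apt_periodic_unattended_upgrades": 1,
    "security_unattended_upgrades_blacklist": [],
    "security_unattended_upgrades_remove_unused_dependencies": False,
    "security_unattended_upgrades_mail_to": "",
    "security_unattended_upgrades_mail_on_error": False,
    "security_unattended_upgrades_reboot": False,
    "security_unattended_upgrades_reboot_time": "02:00",
}

# Role variable -> APT::Periodic option (assumed mapping; the option names are apt's own).
PERIODIC_KEYS = [
    ("security_apt_periodic_update_package_list", "APT::Periodic::Update-Package-Lists"),
    ("security_apt_periodic_download_upgradable_packages", "APT::Periodic::Download-Upgradeable-Packages"),
    ("security_apt_periodic_autoclean", "APT::Periodic::AutocleanInterval"),
    ("security_apt_periodic_unattended_upgrades", "APT::Periodic::Unattended-Upgrade"),
]


def apt_bool(value):
    """apt.conf spells booleans as "true"/"false"."""
    return "true" if value else "false"


def render_auto_upgrades(v=APT_VARS):
    """Content for /etc/apt/apt.conf.d/20auto-upgrades."""
    return "".join(f'{key} "{v[var]}";\n' for var, key in PERIODIC_KEYS)


def render_unattended_upgrades(v=APT_VARS):
    """Fragment for /etc/apt/apt.conf.d/50unattended-upgrades derived from the role variables."""
    lines = ["Unattended-Upgrade::Package-Blacklist {"]
    lines += [f'    "{pkg}";' for pkg in v["security_unattended_upgrades_blacklist"]]
    lines.append("};")
    lines.append('Unattended-Upgrade::Remove-Unused-Dependencies '
                 f'"{apt_bool(v["security_unattended_upgrades_remove_unused_dependencies"])}";')
    if v["security_unattended_upgrades_mail_to"]:  # empty address: no mail options at all
        lines.append(f'Unattended-Upgrade::Mail "{v["security_unattended_upgrades_mail_to"]}";')
        lines.append('Unattended-Upgrade::MailOnlyOnError '
                     f'"{apt_bool(v["security_unattended_upgrades_mail_on_error"])}";')
    lines.append(f'Unattended-Upgrade::Automatic-Reboot "{apt_bool(v["security_unattended_upgrades_reboot"])}";')
    if v["security_unattended_upgrades_reboot"]:  # the time only matters when reboots are enabled
        lines.append(f'Unattended-Upgrade::Automatic-Reboot-Time "{v["security_unattended_upgrades_reboot_time"]}";')
    return "\n".join(lines) + "\n"


def parse_apt_conf(text):
    """Parse the apt.conf subset rendered above: 'Key "v";' scalars and 'Key { "a"; "b"; };' lists.

    Returns {key: str | list[str]}. Comments are not handled, which is enough
    for checking files this example produced.
    """
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s"{};]+', text)
    result, i = {}, 0
    while i < len(tokens):
        key = tokens[i]
        if i + 1 < len(tokens) and tokens[i + 1] == "{":
            items, i = [], i + 2
            while tokens[i] != "}":
                if tokens[i] != ";":
                    items.append(tokens[i].strip('"'))
                i += 1
            result[key] = items
            i += 2  # skip the closing "}" and its ";"
        else:
            result[key] = tokens[i + 1].strip('"')
            i += 3  # key, value, ";"
    return result


# Constructed from the README's example playbook, with automatic reboot enabled.
PLAYBOOK_VARS = dict(
    APT_VARS,
    security_apt_periodic_autoclean=21,
    security_unattended_upgrades_blacklist=["vim", "libc6"],
    security_unattended_upgrades_reboot=True,
    security_unattended_upgrades_reboot_time="now",
)

if __name__ == "__main__":
    print(render_auto_upgrades(PLAYBOOK_VARS))
    print(render_unattended_upgrades(PLAYBOOK_VARS))
```

The rendering keeps the README's semantics for the two conditional options: no Mail or MailOnlyOnError entry is written when security_unattended_upgrades_mail_to is empty, and Automatic-Reboot-Time is only written when security_unattended_upgrades_reboot is enabled. On a host, `apt-config dump` shows the values apt actually merged from all files in /etc/apt/apt.conf.d, which is the authoritative place to compare against.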

security_fail2ban_enabled: yes

Fail2ban settings.

  • security_fail2ban_enabled:boolean - Specifies whether Fail2ban should be installed.

Dependencies

None.

Example Playbook

- hosts: server
  become: yes

  vars:
    security_ssh_permit_root_login: yes
    security_ssh_password_authentication: yes
    security_apt_periodic_autoclean: 21
    security_unattended_upgrades_blacklist:
    - vim
    - libc6
    security_unattended_upgrades_reboot_time: 'now'

  tasks:
  - import_role:
      name: damianlewis.security

License

MIT

Author

Damian Lewis
