Init

Author: sysadt

group_vars/variables.yml

@@ -0,0 +1,11 @@
+sshpub_location: SSH_PUBKEY_HERE #the full path to your SSH public key ( e.g. /Users/username/.ssh/id_ed25519.pub )
+root_pw: "PASSWORD_HERE" #root password that should be set
+user_name: USERNAME_HERE #username for the created user
+user_pw: "PASSWORD_HERE" #password for the new user
+ssh_port: 55899 #port number for ssh
+mail_to: [email protected] #the mail address where mails should be sent to
+mail_from: [email protected] #the mail address where mails are sent from 
+mail_smtp_server: smtp.example.com #mail server, e.g. smtp.gmail.com
+mail_pw: PASSWORD_HERE #password for the mail_from mail address
+mail_port: 587 #the port where mails are sent to the mail server, e.g. 587
+

hosts.yml

@@ -0,0 +1,2 @@
+[debian-server]
+SERVER-IPADDRESS-HERE

main-playbook.yml

@@ -0,0 +1,17 @@
+    - name: Main-Playbook
+      hosts: debian-server
+      remote_user: "{{ user_name }}"
+      gather_facts: yes
+      vars_files: ./group_vars/variables.yml
+
+      roles:
+        - packages
+        - ssh
+        - password-quality
+        - unattended-upgrades
+        - firewall
+        - mail
+        - clamav
+        - rkhunter
+        - auditd
+        - lynis

requirements-playbook.yml

@@ -0,0 +1,7 @@
+    - name: Requirements-Playbook
+      hosts: debian-server
+      remote_user: root
+      vars_files: ./group_vars/variables.yml
+
+      roles:
+        - requirements

roles/auditd/tasks/main.yml

@@ -0,0 +1,8 @@
+
+    - name: remove default auditd rules and download best practice rules
+      become: true
+      shell: |
+        rm /etc/audit/rules.d/audit.rules
+        wget -P /etc/audit/rules.d/ https://raw.githubusercontent.com/Neo23x0/auditd/master/audit.rules
+        service auditd restart
+

roles/clamav/tasks/main.yml

@@ -0,0 +1,16 @@
+
+    - name: set cron MAILTO
+      become: true
+      cronvar:
+        user: root
+        name: MAILTO
+        value: "{{ mail_to }}"
+
+    - name: add crontab to run clamav daily at 3 AM
+      become: true
+      cron:
+        name: clamav daily run
+        minute: "0"
+        hour: "3"
+        job: "/usr/bin/clamscan -ri --exclude-dir=\"^/sys\" --no-summary /"
+        user: root

roles/firewall/handlers/main.yml

@@ -0,0 +1,17 @@
+    - name: restart ufw service
+      become: yes
+      service: 
+        name: ufw
+        state: restarted
+
+    - name: restart psad service
+      become: yes
+      service: 
+        name: psad
+        state: restarted
+
+    - name: restart fail2ban service
+      become: yes
+      service: 
+        name: fail2ban
+        state: restarted

roles/firewall/tasks/main.yml

@@ -0,0 +1,127 @@
+
+    - name: default config for ufw
+      become: true
+      ufw:
+        state: enabled
+        logging: on
+      notify: restart ufw service
+
+    - name: ufw - default deny in
+      become: true
+      ufw:
+        policy: deny
+        direction: incoming
+      notify: restart ufw service
+
+    - name: ufw - default deny out
+      become: true
+      ufw:
+        policy: deny
+        direction: outgoing
+      notify: restart ufw service
+
+    - name: ufw - configure ssh rule
+      become: true
+      ufw:
+        rule: limit
+        direction: in
+        to_port: "{{ ssh_port }}"
+      notify: restart ufw service
+
+    - name: ufw - allow outgoing ports
+      become: true
+      ufw: 
+        rule: allow
+        direction: out
+        to_port: "{{ item }}"
+      with_items:
+        - "53"
+        - "123"
+        - "80"
+        - "443"
+        - "{{ mail_port }}" #outgoing mail port
+      notify: restart ufw service
+
+    - name: configure psad
+      become: true
+      lineinfile:
+        dest: /etc/psad/psad.conf
+        regexp: "{{ item.regexp }}"
+        line: "{{ item.line }}"
+      loop:
+        - { regexp: '^EMAIL_ADDRESSES', line: 'EMAIL_ADDRESSES {{ mail_to }};' }
+        - { regexp: '^EXPECT_TCP_OPTIONS', line: 'EXPECT_TCP_OPTIONS Y;'}
+        - { regexp: '^ENABLE_PSADWATCHD', line: 'ENABLE_PSADWATCHD Y;'}
+        - { regexp: '^ENABLE_AUTO_IDS ', line: 'ENABLE_AUTO_IDS Y;'}
+        - { regexp: '^ENABLE_AUTO_IDS_EMAILS', line: 'ENABLE_AUTO_IDS_EMAILS Y;'}
+        - { regexp: '^AUTO_IDS_DANGER_LEVEL', line: 'AUTO_IDS_DANGER_LEVEL 3;'}
+        - { regexp: '^HOSTNAME', line: 'HOSTNAME {{ ansible_hostname }};'}
+      notify: restart psad service
+
+    - name: add logging to ufw before.rules
+      become: true
+      blockinfile:
+        dest: /etc/ufw/before.rules
+        insertbefore: "COMMIT"
+        marker: "# {mark} ANSIBLE MANAGED BLOCK"
+        block: |
+          # log all traffic so psad can analyze
+          -A INPUT -j LOG --log-tcp-options --log-prefix "[IPTABLES] "
+          -A FORWARD -j LOG --log-tcp-options --log-prefix "[IPTABLES] "
+      notify: restart ufw service
+
+    - name: add logging to ufw before6.rules
+      become: true
+      blockinfile:
+        dest: /etc/ufw/before6.rules
+        insertbefore: "COMMIT"
+        marker: "# {mark} ANSIBLE MANAGED BLOCK"
+        block: |
+          # log all traffic so psad can analyze
+          -A INPUT -j LOG --log-tcp-options --log-prefix "[IPTABLES] "
+          -A FORWARD -j LOG --log-tcp-options --log-prefix "[IPTABLES] "
+      notify: restart ufw service
+
+    - name: update psad signatures
+      become: true
+      shell: |
+        psad --sig-update
+
+    - name: configure fail2ban
+      become: true
+      blockinfile:
+        path: /etc/fail2ban/jail.local
+        block: |
+          [DEFAULT]
+          # the IP address range we want to ignore
+          ignoreip = 127.0.0.1/8 
+
+          # who to send e-mail to
+          destemail = {{ mail_to }}
+
+          # who is the email from
+          sender = {{ mail_from }}
+
+          # since we're using exim4 to send emails
+          mta = mail
+
+          # get email alerts
+          action = %(action_mwl)s
+        create: true
+      notify: restart fail2ban service
+
+    - name: fail2ban - configure ssh jail 
+      become: true
+      blockinfile:
+        path: /etc/fail2ban/jail.d/ssh.local
+        block: |
+          [sshd]
+          enabled = true
+          banaction = ufw
+          port = {{ ssh_port }}
+          filter = sshd
+          logpath = %(sshd_log)s
+          maxretry = 5
+        create: true
+      notify: restart fail2ban service
+

roles/lynis/tasks/main.yml

@@ -0,0 +1,24 @@
+    - name: prepare lynis installation
+      become: true
+      shell: |
+        wget -O - https://packages.cisofy.com/keys/cisofy-software-public.key | sudo apt-key add -
+        echo "deb https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
+
+    - name: update and upgrade
+      become: true
+      apt:
+        update_cache: yes
+        upgrade: yes
+
+    - name: install lynis
+      become: true
+      apt:
+        name: lynis
+        state: present
+
+    - name: update and run first lynis audit
+      become: true
+      shell: |
+        lynis update info
+        lynis audit system | ansi2html -l > /tmp/lynis-report.html 
+        echo "First Lynis report see attachment" | mail -A /tmp/lynis-report.html -s "Lynis report" {{ mail_to }}

roles/mail/tasks/main.yml

@@ -0,0 +1,51 @@
+
+    - name: configure mail settings
+      become: true
+      blockinfile:
+        path: /etc/msmtprc
+        block: |
+          defaults
+          port {{ mail_port }}
+          tls on
+          tls_trust_file /etc/ssl/certs/ca-certificates.crt
+          account {{ mail_from }}
+          host {{ mail_smtp_server }}
+          set_from_header on
+          from {{ mail_from }}
+          auth on
+          user {{ mail_from }}
+          password {{ mail_pw }}
+          account default: {{ mail_from }}
+          aliases /etc/aliases
+          logfile /var/log/msmtp
+        create: true
+
+    - name: chmod mail config file
+      become: true
+      file:
+        path: /etc/msmtprc
+        group: msmtp
+        mode: '640'
+
+    - name: configure mail settings pt. 2
+      become: true
+      lineinfile:
+        dest: /etc/aliases
+        regexp: "{{ item.regexp }}"
+        line: "{{ item.line }}"
+        create: true
+      loop:
+        - { regexp: '^root:', line: 'root: {{ mail_to }}' }
+        - { regexp: '^default:', line: 'default: {{ mail_to }}' }
+
+    - name: configure mail settings pt. 3
+      become: true
+      lineinfile:
+        path: /etc/mail.rc
+        regexp: '^set sendmail'
+        line: 'set sendmail="/usr/bin/msmtp -t"'
+        create: yes
+
+    - name: send a testmail
+      become: true
+      shell: echo "Testmail content" | mail -s "Testmail subject" {{ mail_to }}