Done Lab 6

ansible/roles/hardening/tasks/main.yml

@@ -0,0 +1,47 @@
+---
+# tasks file for hardening
+
+- name: Improve kernel security (hardening)
+  ansible.posix.sysctl:
+          name: "{{  item.key }}"
+          value: "{{ item.value }}"
+          state: present
+          reload: yes
+  loop:
+          - { key: 'net.ipv4.conf.all.accept_redirects', value: '0' }
+          - { key: 'net.ipv4.conf.all.send_redirects', value: '0' }
+          - { key: 'net.ipv4.conf.all.accept_source_route', value: '0' }
+          - { key: 'net.ipv4.conf.all.rp_filter', value: '1' } # Prevent IP Spoofing
+          - { key: 'net.ipv4.icmp_echo_ignore_broadcasts', value: '1' } # Prevent smurf attacks
+
+
+- name: Hardening SSH configuration
+  lineinfile:
+          path: /etc/ssh/sshd_config
+          regexp: "{{ item.regexp }}"
+          line: "{{ item.line }}"
+          state: present
+  loop:
+          - { regexp: '^PermitRootLogin', line: 'PermitRootLogin no' } # Prevent login as root
+          - { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication yes' }
+          - { regexp: '^MaxAuthTries', line: 'MaxAuthTries 3' } # Auto kick out after three times failed login
+          - { regexp: '^ClientAliveInterval', line: 'ClientAliveInterval 300' } # Auto logout after 5 minutes
+  notify: Restart SSH
+
+- name: Add issue banner
+  copy:
+          content: |
+                  *******************************************************
+                  * WARNING: AUTHORIZED ACCESS ONLY.                    *
+                  * All activities are monitored and logged.            *
+                  * If you are not authorized, disconnect NOW!          *
+                  *******************************************************
+          dest: /etc/issue.net
+
+- name: Enable banner in SSH
+  lineinfile:
+          path: /etc/ssh/sshd_config
+          regexp: '^#?Banner'
+          line: 'Banner /etc/issue.net'
+          state: present
+  notify: Restart SSH