diff --git a/.github_changelog_generator b/.github_changelog_generator new file mode 100644 index 0000000..312d7f8 --- /dev/null +++ b/.github_changelog_generator @@ -0,0 +1 @@ +unreleased=false diff --git a/.kitchen.yml b/.kitchen.yml index 524f716..b9a268d 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -21,7 +21,7 @@ provisioner: roles_path: ../ansible-nginx-hardening/ http_proxy: <%= ENV['http_proxy'] || nil %> https_proxy: <%= ENV['https_proxy'] || nil %> - playbook: default.yml + playbook: tests/test.yml requirements_path: requirements.yml platforms: @@ -33,6 +33,10 @@ platforms: driver: image: rndmh3ro/docker-centos7-ansible:latest platform: centos + run_command: /sbin/init + provision_command: + - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - systemctl enable sshd.service - name: oracle6-ansible-latest driver: image: rndmh3ro/docker-oracle6-ansible:latest @@ -40,11 +44,11 @@ platforms: - name: oracle7-ansible-latest driver: image: rndmh3ro/docker-oracle7-ansible:latest + run_command: /sbin/init platform: centos -- name: ubuntu1204-ansible-latest - driver: - image: rndmh3ro/docker-ubuntu1204-ansible:latest - platform: ubuntu + provision_command: + - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - systemctl enable sshd.service - name: ubuntu1404-ansible-latest driver: image: rndmh3ro/docker-ubuntu1404-ansible:latest @@ -53,6 +57,9 @@ platforms: driver: image: rndmh3ro/docker-ubuntu1604-ansible:latest platform: ubuntu + run_command: /sbin/init + provision_command: + - systemctl enable ssh.service - name: debian7-ansible-latest driver: image: rndmh3ro/docker-debian7-ansible:latest 
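Review bot: The centos7 platform's new `provision_command` rewrites `/etc/ssh/sshd_config` to `UsePAM no` and enables sshd with no comment saying why, and the same two lines are then repeated verbatim for oracle7 and (in the next hunk) amazon, so the weakening is easy to copy into a non-test image. Presumably it exists only so kitchen's ssh transport can log in under `/sbin/init` inside docker; if so, say it once above the first occurrence, e.g. `# test container only: disable PAM so kitchen's ssh login works under docker`. The `sed` is also a silent no-op when the pattern is absent from the image, so a following `- grep -q '^UsePAM no' /etc/ssh/sshd_config` would make a broken provision step fail at build time instead of surfacing later as a kitchen login timeout.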
@@ -65,6 +72,18 @@ platforms: driver: image: rndmh3ro/docker-debian9-ansible:latest platform: debian + run_command: /sbin/init + provision_command: + - apt install -y systemd-sysv + - systemctl enable ssh.service +- name: amazon-ansible-latest + driver: + image: rndmh3ro/docker-amazon-ansible:latest + platform: centos + run_command: /sbin/init + provision_command: + - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - systemctl enable sshd.service verifier: name: inspec diff --git a/.travis.yml b/.travis.yml index eec25ca..f88b304 100644 --- a/.travis.yml +++ b/.travis.yml @@ -7,7 +7,7 @@ env: init: /sbin/init - distro: centos7 - init: /usr/lib/systemd/systemd + init: /lib/systemd/systemd run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" version: latest @@ -29,20 +29,25 @@ env: version: latest init: /sbin/init -# - distro: debian7 -# version: latest -# init: /sbin/init + - distro: debian7 + version: latest + init: /sbin/init - distro: debian8 version: latest - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" init: /sbin/init + run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - distro: debian9 version: latest init: /lib/systemd/systemd run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" + - distro: amazon + init: /lib/systemd/systemd + version: latest + run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" + before_install: # Pull container - 'docker pull rndmh3ro/docker-${distro}-ansible:${version}' 
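Review bot: The debian9 `provision_command` runs `apt install -y systemd-sysv` without refreshing the package lists first, so on an image whose cache is stale or stripped the step fails at build time, and `apt` itself warns that its CLI is not stable for scripted use. Prefer `- apt-get update && apt-get install -y --no-install-recommends systemd-sysv`, assuming the driver renders each entry as a Dockerfile `RUN` step (this is kitchen-docker syntax, though the Gemfile hunk adds `kitchen-dokken`, which configures provisioning differently). The new amazon entry reuses `platform: centos` and the same `UsePAM` sed as the EL platforms, which is fine for the verifier but deserves a one-line comment so it is not read as a typo.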
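Review bot: The new `amazon` entry and the re-enabled `debian7` pull `rndmh3ro/docker-${distro}-ansible:${version}` with `version: latest` and then run it `--privileged` with `/sys/fs/cgroup` mounted, so CI executes whatever the registry currently serves under a floating tag inside a privileged container. That matches the pre-existing entries, but for the lines being added consider pinning `version:` to a fixed image tag so an upstream re-tag cannot silently change what runs in CI. `--privileged` is what systemd-in-docker needs; a comment next to `run_opts` saying so would make clear it is a test-harness requirement and not something to reuse elsewhere.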
@@ -56,7 +61,7 @@ script: - 'docker exec "$(cat ${container_id})" ansible-galaxy install -r /etc/ansible/roles/ansible-nginx-hardening/requirements.yml -p /etc/ansible/roles/' # Test role. - - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-nginx-hardening/default.yml -vv' + - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-nginx-hardening/tests/test.yml -vv' # Verify role - 'inspec exec https://github.com/dev-sec/nginx-baseline/ -t docker://$(cat ${container_id})' diff --git a/Gemfile b/Gemfile index c11b3bf..4791b15 100644 --- a/Gemfile +++ b/Gemfile @@ -16,3 +16,7 @@ end group :tools do gem 'github_changelog_generator', '~> 1' end + +gem 'kitchen-dokken' + +gem 'rb-readline' diff --git a/default.yml b/default.yml deleted file mode 100644 index 8020c5f..0000000 --- a/default.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings - hosts: localhost - roles: - - geerlingguy.nginx - - ansible-nginx-hardening diff --git a/defaults/main.yml b/defaults/main.yml index 2a84b97..434d9f7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
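Review bot: `gem 'kitchen-dokken'` and `gem 'rb-readline'` are added at the top level of the Gemfile with no version constraint, while the neighbouring `github_changelog_generator` is both pinned (`'~> 1'`) and scoped to a group. Unpinned gems resolve to whatever is newest at `bundle install` time, so CI can break or pick up a bad release with no change in this repository; add a pessimistic constraint matching the version you tested and move both into a group, e.g. `group :test do` / `  gem 'kitchen-dokken', '~> <tested version>'` / `end`, with `rb-readline` alongside. A committed `Gemfile.lock` would mitigate the drift, but none appears in this diff.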
@@ -17,10 +17,15 @@ nginx_add_header: [ # disable content-type sniffing "X-Content-Type-Options nosniff", # XSS filter -"X-XSS-Protection \"1; mode=block\"" ] +"X-XSS-Protection \"1; mode=block\"", +"Strict-Transport-Security max-age=15768000", +"Content-Security-Policy \"script-src 'self'; object-src 'self'\"" ] -nginx_ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2" -nginx_ssl_ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" +nginx_set_cookie_flag: "* HttpOnly secure" nginx_ssl_prefer_server_ciphers: "on" +nginx_ssl_protocols: "TLSv1.2" +nginx_ssl_ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" +nginx_ssl_prefer_server_ciphers: "on" +nginx_ssl_session_tickets: "off" nginx_dh_param: "{{nginx_root_dir}}/dh{{nginx_dh_size}}.pem" nginx_dh_size: "2048" diff --git a/requirements.yml b/requirements.yml index 86981f9..edf88b0 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1 +1 @@ -- src: geerlingguy.nginx +- src: nginxinc.nginx diff --git a/spec/travis.yml b/spec/travis.yml deleted file mode 100644 index bb64498..0000000 --- a/spec/travis.yml +++ /dev/null 
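Review bot: `nginx_ssl_prefer_server_ciphers: "on"` is now defined twice in this hunk — the original line is kept as context and a second copy is added after the new `nginx_ssl_ciphers` — which yamllint rejects as a duplicate key and most YAML loaders resolve silently last-wins; drop the added copy. The new `Content-Security-Policy "script-src 'self'; object-src 'self'"` default has no `default-src` fallback and, because it sits in `nginx_add_header` which the template emits for every server, will block inline and third-party scripts on any site the role is applied to — consider shipping it commented out or as a documented opt-in rather than a default. `Strict-Transport-Security max-age=15768000` likewise becomes global; note that nginx inherits `add_header` from the parent context only when the child defines none of its own, so a vhost with a single `add_header` of its own silently loses all of these. `nginx_ssl_protocols: "TLSv1.2"` dropping TLSv1/1.1 is good; if the target nginx and OpenSSL support it, `"TLSv1.2 TLSv1.3"` would be the forward-compatible value.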
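Review bot: The dependency is switched from `geerlingguy.nginx` to `nginxinc.nginx` but `- src: nginxinc.nginx` still carries no `version:` key, so the `ansible-galaxy install -r requirements.yml` step in the travis script fetches whatever the role's newest release is on every CI run. Add a `version:` pin so the test matrix is reproducible and an upstream release cannot silently change the nginx layout the hardening tasks depend on. Also confirm that `nginx_config_conf_dir` and `nginx_default_conf` in the role's vars still match the paths the nginxinc role writes — the two upstream roles do not necessarily lay out `/etc/nginx` the same way, and the vars file is outside this diff.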
@@ -1,4 +0,0 @@ -- hosts: localhost - roles: - - geerlingguy.nginx - - ansible-nginx-hardening diff --git a/tasks/main.yml b/tasks/main.yml index bd821c0..bd3848a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -3,14 +3,27 @@ include_vars: "{{ ansible_os_family }}.yml" - name: config should not be worldwide read- or writeable - file: path="/etc/nginx" mode="o-rw" owner="root" group="root" recurse=yes + file: + path: "/etc/nginx" + mode: "o-rw" + owner: "root" + group: "root" + recurse: yes - name: create additional configuration - template: src="hardening.conf.j2" dest="{{nginx_config_conf_dir}}/90.hardening.conf" owner="root" group="root" + template: + src: "hardening.conf.j2" + dest: "{{ nginx_config_conf_dir }}/90.hardening.conf" + owner: "root" + group: "root" notify: reload nginx - name: change configuration in main nginx.conf - lineinfile: dest="/etc/nginx/nginx.conf" regexp="^\s*server_tokens" line="server_tokens {{nginx_server_tokens}};" insertafter="http {" + lineinfile: + dest: "/etc/nginx/nginx.conf" + regexp: "^\\s*server_tokens" + line: "server_tokens {{ nginx_server_tokens }};" + insertafter: "http {" notify: reload nginx - name: change ssl_protocols in main nginx.conf 
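Review bot: The `create additional configuration` template task sets `owner` and `group` but no `mode`, so on a fresh host `90.hardening.conf` is created under the default umask (typically world-readable) even though the preceding `file` task strips `o-rw` from `/etc/nginx` recursively — the tasks run in that order, so the new file stays world-readable until the next play. Add `mode: "0640"` (or whatever the role treats as baseline) to the template task so it matches the intent stated in the first task's name. Minor: `recurse: yes` would be `recurse: true` under yamllint's truthy rule now that the module args are in block form. The hunk's final task, `change ssl_protocols in main nginx.conf`, continues outside the hunk.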
@@ -22,22 +35,36 @@ notify: reload nginx - name: change client_max_body_size in main nginx.conf - lineinfile: dest="/etc/nginx/nginx.conf" regexp="^\s*client_max_body_size" line="client_max_body_size {{nginx_client_max_body_size}};" insertafter="http {" + lineinfile: + dest: "/etc/nginx/nginx.conf" + regexp: "^\\s*client_max_body_size" + line: "client_max_body_size {{ nginx_client_max_body_size }};" + insertafter: "http {" notify: reload nginx - name: change client_body_buffer_size in main nginx.conf - lineinfile: dest="/etc/nginx/nginx.conf" regexp="^\s*client_body_buffer_size" line="client_body_buffer_size {{nginx_client_body_buffer_size}};" insertafter="http {" + lineinfile: + dest: "/etc/nginx/nginx.conf" + regexp: "^\\s*client_body_buffer_size" + line: "client_body_buffer_size {{ nginx_client_body_buffer_size }};" + insertafter: "http {" notify: reload nginx - name: change keepalive_timeout in main nginx.conf - lineinfile: dest="/etc/nginx/nginx.conf" regexp="^\s*keepalive_timeout" line="keepalive_timeout {{nginx_keepalive_timeout}};" insertafter="http {" + lineinfile: + dest: "/etc/nginx/nginx.conf" + regexp: "^\\s*keepalive_timeout" + line: "keepalive_timeout {{ nginx_keepalive_timeout }};" + insertafter: "http {" notify: reload nginx - name: remove default.conf - file: path="{{nginx_default_conf}}" state=absent + file: + path: "{{ nginx_default_conf }}" + state: absent when: nginx_remove_default_site notify: reload nginx - name: generate dh group - command: openssl dhparam -out {{nginx_dh_param}} {{nginx_dh_size}} creates={{nginx_dh_param}} + command: openssl dhparam -out {{ nginx_dh_param }} {{ nginx_dh_size }} creates={{ nginx_dh_param }} notify: reload nginx diff --git a/templates/hardening.conf.j2 b/templates/hardening.conf.j2 index eb5a9cd..1e250cb 100644 --- a/templates/hardening.conf.j2 +++ b/templates/hardening.conf.j2 
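Review bot: The `generate dh group` task is the only one in this hunk still using key=value args — `creates={{ nginx_dh_param }}` remains embedded in the `command` string while every other task was converted to block YAML. Move it to the module's `args` so it is parsed as a module option rather than relying on the free-form splitter: `command: openssl dhparam -out {{ nginx_dh_param }} {{ nginx_dh_size }}`, `args:`, `  creates: "{{ nginx_dh_param }}"`. Note that the `remove default.conf` task notifies `reload nginx` but the generated `nginx_dh_param` file gets no explicit `owner`/`mode`; DH parameters are not secret, but a follow-up `file` task pinning root ownership would keep it consistent with the `/etc/nginx` permissions task above.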
@@ -8,7 +8,10 @@ client_header_timeout {{nginx_client_header_timeout}}; send_timeout {{nginx_send_timeout}}; limit_conn_zone {{nginx_limit_conn_zone}}; limit_conn {{nginx_limit_conn}}; -ssl_ciphers {{nginx_ssl_ciphers}}; +set_cookie_flag {{nginx_set_cookie_flag}}; +ssl_ciphers '{{nginx_ssl_ciphers}}'; +ssl_prefer_server_ciphers {{nginx_ssl_prefer_server_ciphers}}; +ssl_session_tickets {{nginx_ssl_session_tickets}}; ssl_dhparam {{nginx_dh_param}}; {% for header in nginx_add_header %} add_header {{header}}; diff --git a/tests/test.yml b/tests/test.yml new file mode 100644 index 0000000..8f43b19 --- /dev/null +++ b/tests/test.yml @@ -0,0 +1,15 @@ +--- +- name: wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings + hosts: localhost + pre_tasks: + - package: name="{{item}}" state=installed + with_items: + - "systemd" + ignore_errors: true + - apt: name="{{item}}" state=installed update_cache=true + with_items: + - "systemd" + ignore_errors: true + roles: + - nginxinc.nginx + - ansible-nginx-hardening
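Review bot: `set_cookie_flag {{nginx_set_cookie_flag}};` is emitted unconditionally, but `set_cookie_flag` is not a stock nginx directive — it is provided by the third-party `nginx_cookie_flag_module` — so on a build without that module `nginx -t` fails with an unknown-directive error and the `reload nginx` handler leaves the service running its old configuration. Guard the line, e.g. `{% if nginx_set_cookie_flag %}set_cookie_flag {{nginx_set_cookie_flag}};{% endif %}`, and either default `nginx_set_cookie_flag` to an empty value or document the module requirement next to the default in `defaults/main.yml`. Separately, `ssl_prefer_server_ciphers` is now written here at http level; if a lineinfile task also writes it into `nginx.conf` (the variable predates this commit, which suggests it is consumed somewhere outside this hunk) nginx will reject the duplicate directive, so verify with `nginx -t` on a host that already carried the old configuration.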
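Review bot: The two `pre_tasks` in the new test playbook use `state=installed`, a deprecated alias for `present`, and mask failures with `ignore_errors: true` on both the generic `package` call and the Debian-specific `apt` call, so a genuinely broken package install is hidden and the play continues into the role with a misleading later failure. Replace the pair with one `package` task and a `when: ansible_os_family == "Debian"` guard on the `apt` task with `update_cache: true`, dropping `ignore_errors`, so the real error surfaces in kitchen; the key=value `name="{{item}}" state=installed` form is also the style the rest of this commit moves away from. `with_items` over a single-element list can simply be `name: systemd`.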