From 1b9dcf16cfbf45ff5f50cd83509245d1527f9fd0 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 26 Jul 2016 12:28:52 +0200 Subject: [PATCH] first commit --- .gitignore | 13 ++++ .kitchen.vagrant.yml | 65 ++++++++++++++++++ .kitchen.yml | 65 ++++++++++++++++++ .travis.yml | 22 +++++++ CHANGELOG.md | 109 ++++++++++++++++++++++++++++++ CONTRIBUTING.md | 85 ++++++++++++++++++++++++ Gemfile | 35 ++++++++++ README.md | 128 ++++++++++++++++++++++++++++++++++++ Rakefile | 11 ++++ Thorfile | 10 +++ default.yml | 6 ++ defaults/main.yml | 26 ++++++++ handlers/main.yml | 2 + meta/main.yml | 27 ++++++++ requirements.yml | 1 + spec/travis.yml | 3 + tasks/main.yml | 31 +++++++++ templates/hardening.conf.j2 | 17 +++++ vars/Debian.yml | 3 + vars/Oracle Linux.yml | 3 + vars/RedHat.yml | 3 + vars/main.yml | 0 22 files changed, 665 insertions(+) create mode 100644 .gitignore create mode 100644 .kitchen.vagrant.yml create mode 100644 .kitchen.yml create mode 100644 .travis.yml create mode 100644 CHANGELOG.md create mode 100644 CONTRIBUTING.md create mode 100644 Gemfile create mode 100644 README.md create mode 100644 Rakefile create mode 100644 Thorfile create mode 100644 default.yml create mode 100644 defaults/main.yml create mode 100644 handlers/main.yml create mode 100644 meta/main.yml create mode 100644 requirements.yml create mode 100644 spec/travis.yml create mode 100644 tasks/main.yml create mode 100644 templates/hardening.conf.j2 create mode 100644 vars/Debian.yml create mode 100644 vars/Oracle Linux.yml create mode 100644 vars/RedHat.yml create mode 100644 vars/main.yml diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..fbe87e0 --- /dev/null +++ b/.gitignore @@ -0,0 +1,13 @@ +README.pdf +README.html +shared_test_repo/ +test/integration +.kitchen +coverage +Vagrantfile.erb + +Gemfile.lock +Berksfile.lock + +ansible.cfg +hosts diff --git a/.kitchen.vagrant.yml b/.kitchen.vagrant.yml new file mode 100644 index 0000000..470133d --- /dev/null 
+++ b/.kitchen.vagrant.yml 
@@ -0,0 +1,65 @@ +--- +driver: + name: vagrant + +provisioner: + name: ansible_playbook + test_repo_uri: https://github.com/hardening-io/tests-ssh-hardening.git + hosts: all + require_ansible_repo: false + require_ansible_omnibus: true + require_chef_for_busser: false + require_ruby_for_busser: false + ansible_verbose: true + roles_path: ../ansible-ssh-hardening/ + playbook: default.yml + +platforms: +- name: ubuntu-12.04 + driver_config: + box: opscode-ubuntu-12.04 + box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box +- name: ubuntu-14.04 + driver_config: + box: opscode-ubuntu-14.04 + box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box +- name: centos-6.4 + driver_config: + box: opscode-centos-6.4 + box_url: https://opscode-vm.s3.amazonaws.com/vagrant/opscode_centos-6.4_provisionerless.box +- name: centos-6.5 + driver_config: + box: opscode-centos-6.5 + box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box +- name: oracle-6.4 + driver_config: + box: oracle-6.4 + box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel64-64.box +- name: oracle-6.5 + driver_config: + box: oracle-6.5 + box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box +- name: debian-6 + driver_config: + box: debian-6 + box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-6.0.10_chef-provisionerless.box +- name: debian-7 + driver_config: + box: debian-7 + box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-7.8_chef-provisionerless.box +- name: debian-8 + driver_config: + box: debian-8 + box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box + +verifier: + name: inspec + sudo: true + inspec_tests: + - 
https://github.com/dev-sec/tests-ssh-hardening + +suites: +- name: ssh-ansible_1.9 + provisioner: + ansible_version: 1.9.4 +- name: ssh-ansible_latest diff --git a/.kitchen.yml b/.kitchen.yml new file mode 100644 index 0000000..3f3628a --- /dev/null +++ b/.kitchen.yml @@ -0,0 +1,65 @@ +--- +driver: + name: docker + +transport: + max_ssh_sessions: 5 + +provisioner: + name: ansible_playbook + hosts: all + require_ansible_repo: false + require_ansible_omnibus: true + require_chef_for_busser: false + require_ruby_for_busser: false + requirements_path: requirements.yml + ansible_verbose: true + ansible_diff: true + roles_path: ../ansible-nginx-hardening/ + playbook: default.yml + +verifier: + name: inspec + sudo: true + inspec_tests: + - https://github.com/dev-sec/tests-nginx-hardening + +platforms: +- name: ubuntu-12.04 + driver: + image: ubuntu:12.04 +- name: ubuntu-14.04 + driver: + image: ubuntu:14.04 +- name: ubuntu-16.04 + driver: + image: ubuntu:16.04 +- name: centos-6.6 + driver: + image: centos:6.6 +- name: centos-6.7 + driver: + image: centos:6.7 +- name: centos-7 + driver: + image: centos:7 + privileged: true + run_command: /usr/sbin/init +- name: debian-7 + driver: + image: debian:7 +- name: debian-8 + driver: + image: debian:8 + +verifier: + name: inspec + sudo: true + inspec_tests: + - https://github.com/dev-sec/tests-nginx-hardening + +suites: +- name: nginx-ansible_1.9 + provisioner: + ansible_version: 1.9.4 +- name: nginx-ansible_latest diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 0000000..8570889 --- /dev/null +++ b/.travis.yml 
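Review bot: `.kitchen.vagrant.yml` still targets the ssh-hardening role and its test suite — `roles_path: ../ansible-ssh-hardening/`, `test_repo_uri: https://github.com/hardening-io/tests-ssh-hardening.git`, `inspec_tests` pointing at `tests-ssh-hardening`, and suites named `ssh-ansible_1.9`/`ssh-ansible_latest` — while `.kitchen.yml` in the same commit uses `../ansible-nginx-hardening/` and `tests-nginx-hardening`. The README's `KITCHEN_YAML=".kitchen.vagrant.yml"` instructions would therefore converge the wrong role (or fail to find it) and verify the wrong controls, so the Vagrant path currently gives no assurance about this role. Align the values with `.kitchen.yml` (`roles_path: ../ansible-nginx-hardening/`, `- https://github.com/dev-sec/tests-nginx-hardening`) and rename the suites to `nginx-ansible_1.9` and `nginx-ansible_latest`. `test_repo_uri` has no counterpart in `.kitchen.yml`; either drop it or point it at the nginx tests as well.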
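Review bot: `verifier:` is defined twice in `.kitchen.yml` — once between `provisioner:` and `platforms:` and again after `platforms:`, with identical content. Duplicate mapping keys are invalid under the YAML 1.2 spec and most parsers silently keep the last occurrence, so the first block is dead today and would silently mask a change if the two ever diverge; yamllint's `key-duplicates` rule reports exactly this. Remove one of the two blocks.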
@@ -0,0 +1,22 @@
+---
+notifications:
+ webhooks: https://galaxy.ansible.com/api/v1/notifications/
+language: python
+python: "2.7"
+
+env:
+ - ANSIBLE_VERSION=latest
+ - ANSIBLE_VERSION=1.9.4
+
+before_install:
+ - sudo apt-get update -qq
+ - sudo apt-get install -qq python-apt python-pycurl
+install:
+ - if [ "$ANSIBLE_VERSION" = "latest" ]; then pip install ansible; else pip install ansible==$ANSIBLE_VERSION; fi
+ - echo -e 'localhost ansible_connection=local' > spec/inventory
+ - echo -e '[defaults]\nroles_path = ../\nhostfile = ./spec/inventory' > ansible.cfg
+
+script:
+ - ansible-playbook --syntax-check spec/travis.yml
+ - ansible-playbook --sudo -v --diff spec/travis.yml
+ - ansible-playbook --sudo -v --diff spec/travis.yml --extra-vars "network_ipv6_enable=true ssh_allow_root_with_key=true ssh_client_password_login=true ssh_client_cbc_required=true ssh_server_weak_hmac=true ssh_client_weak_kex=true sftp_enabled=true"
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..01121f1
--- /dev/null
+++ b/CHANGELOG.md
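Review bot: The third `script` entry passes `--extra-vars` for variables this role does not define (`network_ipv6_enable`, `ssh_allow_root_with_key`, `ssh_client_password_login`, `ssh_client_cbc_required`, `ssh_server_weak_hmac`, `ssh_client_weak_kex`, `sftp_enabled`); they are the ssh-hardening role's switches, so the run is a duplicate of the second one and exercises none of the nginx toggles. Replace them with this role's own variables, e.g. `--extra-vars "nginx_remove_default_site=false nginx_server_tokens=on"`, so the non-default branch of `tasks/main.yml` (the `when: nginx_remove_default_site` task) is actually covered. `spec/travis.yml` applies only `ansible-nginx-hardening` and nothing in `before_install`/`install` installs nginx, so unless the Travis image ships it the `file: path="/etc/nginx"` and `lineinfile: dest="/etc/nginx/nginx.conf"` tasks will fail on a bare worker; add the `geerlingguy.nginx` role as `default.yml` does, or install nginx in `before_install`. `--sudo` is deprecated in favour of `--become` from Ansible 1.9 on, which both tested versions support.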
@@ -0,0 +1,109 @@ +# Change Log + +## [3.0.0](https://github.com/hardening-io/ansible-ssh-hardening/tree/HEAD) + +[Full Changelog](https://github.com/hardening-io/ansible-ssh-hardening/compare/2.0.0...HEAD) + +**Implemented enhancements:** + +- Added sftp\_enabled, sftp\_chroot\_dir, and ssh\_client\_roaming from the … [\#57](https://github.com/hardening-io/ansible-ssh-hardening/pull/57) ([shirokatze](https://github.com/shirokatze)) +- add test support for ansible 1.9 and 2.0 [\#56](https://github.com/hardening-io/ansible-ssh-hardening/pull/56) ([rndmh3ro](https://github.com/rndmh3ro)) +- update platforms in meta-file [\#52](https://github.com/hardening-io/ansible-ssh-hardening/pull/52) ([rndmh3ro](https://github.com/rndmh3ro)) +- add webhook for ansible galaxy [\#51](https://github.com/hardening-io/ansible-ssh-hardening/pull/51) ([rndmh3ro](https://github.com/rndmh3ro)) +- Disable experimental client roaming. [\#49](https://github.com/hardening-io/ansible-ssh-hardening/pull/49) ([rndmh3ro](https://github.com/rndmh3ro)) +- use inspec as test framework [\#48](https://github.com/hardening-io/ansible-ssh-hardening/pull/48) ([chris-rock](https://github.com/chris-rock)) +- Change categories to tags for upcoming ansible 2.0 [\#47](https://github.com/hardening-io/ansible-ssh-hardening/pull/47) ([rndmh3ro](https://github.com/rndmh3ro)) +- add changelog generator [\#46](https://github.com/hardening-io/ansible-ssh-hardening/pull/46) ([chris-rock](https://github.com/chris-rock)) + +**Closed issues:** + +- Fail at TASK \[remove selinux-policy when Pam is used...\] when ssh\_use\_pam: true [\#54](https://github.com/hardening-io/ansible-ssh-hardening/issues/54) +- Install from ansible galaxy missing files \(tasks\) [\#50](https://github.com/hardening-io/ansible-ssh-hardening/issues/50) +- should generate new ssh host key files [\#45](https://github.com/hardening-io/ansible-ssh-hardening/issues/45) + +## [2.0.0](https://github.com/hardening-io/ansible-ssh-hardening/tree/2.0.0) 
(2015-11-28) +[Full Changelog](https://github.com/hardening-io/ansible-ssh-hardening/compare/1.2.1...2.0.0) + +**Closed issues:** + +- Fix directory structure. [\#43](https://github.com/hardening-io/ansible-ssh-hardening/issues/43) + +**Merged pull requests:** + +- New dir layout. Fix \#43 [\#44](https://github.com/hardening-io/ansible-ssh-hardening/pull/44) ([rndmh3ro](https://github.com/rndmh3ro)) +- Add var to travis job [\#42](https://github.com/hardening-io/ansible-ssh-hardening/pull/42) ([rndmh3ro](https://github.com/rndmh3ro)) +- sftp\_enable option [\#41](https://github.com/hardening-io/ansible-ssh-hardening/pull/41) ([fitz123](https://github.com/fitz123)) + +## [1.2.1](https://github.com/hardening-io/ansible-ssh-hardening/tree/1.2.1) (2015-10-16) +[Full Changelog](https://github.com/hardening-io/ansible-ssh-hardening/compare/1.2.0...1.2.1) + +**Merged pull requests:** + +- Allow whitelisted groups on ssh [\#40](https://github.com/hardening-io/ansible-ssh-hardening/pull/40) ([fheinle](https://github.com/fheinle)) + +## [1.2.0](https://github.com/hardening-io/ansible-ssh-hardening/tree/1.2.0) (2015-09-28) +[Full Changelog](https://github.com/hardening-io/ansible-ssh-hardening/compare/1.1.0...1.2.0) + +**Merged pull requests:** + +- bugfix. Now option true for PrintLastLog is available again [\#39](https://github.com/hardening-io/ansible-ssh-hardening/pull/39) ([fitz123](https://github.com/fitz123)) +- Add more travis-tests [\#38](https://github.com/hardening-io/ansible-ssh-hardening/pull/38) ([rndmh3ro](https://github.com/rndmh3ro)) +- Support for selinux and pam. 
fix \#23 [\#35](https://github.com/hardening-io/ansible-ssh-hardening/pull/35) ([rndmh3ro](https://github.com/rndmh3ro)) + +## [1.1.0](https://github.com/hardening-io/ansible-ssh-hardening/tree/1.1.0) (2015-09-01) +[Full Changelog](https://github.com/hardening-io/ansible-ssh-hardening/compare/1.0.0...1.1.0) + +**Closed issues:** + +- ssh\_ports - individual client/server config [\#33](https://github.com/hardening-io/ansible-ssh-hardening/issues/33) +- UsePAM should probably default to yes on Red Hat Linux 7 [\#23](https://github.com/hardening-io/ansible-ssh-hardening/issues/23) + +**Merged pull requests:** + +- Change variable for hmac from server to client [\#37](https://github.com/hardening-io/ansible-ssh-hardening/pull/37) ([rndmh3ro](https://github.com/rndmh3ro)) +- Update kitchen-ansible, remove separate debian install [\#36](https://github.com/hardening-io/ansible-ssh-hardening/pull/36) ([rndmh3ro](https://github.com/rndmh3ro)) +- Separate ssh client and server ports. Fix \#33 [\#34](https://github.com/hardening-io/ansible-ssh-hardening/pull/34) ([rndmh3ro](https://github.com/rndmh3ro)) +- update common kitchen.yml platforms \(ansible\), kitchen\_debian.yml platforms \(ansible\) [\#32](https://github.com/hardening-io/ansible-ssh-hardening/pull/32) ([chris-rock](https://github.com/chris-rock)) +- Make MaxAuthTries configurable [\#31](https://github.com/hardening-io/ansible-ssh-hardening/pull/31) ([rndmh3ro](https://github.com/rndmh3ro)) +- Change oneliner if-statements to be more readable [\#30](https://github.com/hardening-io/ansible-ssh-hardening/pull/30) ([rndmh3ro](https://github.com/rndmh3ro)) +- Make ssh client password login configurable. [\#29](https://github.com/hardening-io/ansible-ssh-hardening/pull/29) ([ypid](https://github.com/ypid)) +- Fix join-filter, jinja-cases, intendation [\#27](https://github.com/hardening-io/ansible-ssh-hardening/pull/27) ([rndmh3ro](https://github.com/rndmh3ro)) +- Short role review. 
Fixed role when ssh\_client\_weak\_kex == true. [\#26](https://github.com/hardening-io/ansible-ssh-hardening/pull/26) ([ypid](https://github.com/ypid)) +- Make it configurable to only harden ssh client/server or both \(default\). [\#25](https://github.com/hardening-io/ansible-ssh-hardening/pull/25) ([ypid](https://github.com/ypid)) +- Separate system-vars from editable vars [\#24](https://github.com/hardening-io/ansible-ssh-hardening/pull/24) ([rndmh3ro](https://github.com/rndmh3ro)) +- Add correct CONTRIB-file [\#22](https://github.com/hardening-io/ansible-ssh-hardening/pull/22) ([rndmh3ro](https://github.com/rndmh3ro)) +- Add Ansible Galaxy badge [\#21](https://github.com/hardening-io/ansible-ssh-hardening/pull/21) ([rndmh3ro](https://github.com/rndmh3ro)) +- fix configuration of playbook path [\#20](https://github.com/hardening-io/ansible-ssh-hardening/pull/20) ([chris-rock](https://github.com/chris-rock)) +- Debian install script [\#19](https://github.com/hardening-io/ansible-ssh-hardening/pull/19) ([rndmh3ro](https://github.com/rndmh3ro)) + +## [1.0.0](https://github.com/hardening-io/ansible-ssh-hardening/tree/1.0.0) (2015-04-30) +**Implemented enhancements:** + +- Update variable-documentation [\#12](https://github.com/hardening-io/ansible-ssh-hardening/pull/12) ([rndmh3ro](https://github.com/rndmh3ro)) + +**Closed issues:** + +- add travis test for ubuntu 12.04 [\#7](https://github.com/hardening-io/ansible-ssh-hardening/issues/7) +- Use handler for sshd restart [\#6](https://github.com/hardening-io/ansible-ssh-hardening/issues/6) +- Running test-kitchen fails [\#2](https://github.com/hardening-io/ansible-ssh-hardening/issues/2) + +**Merged pull requests:** + +- add self as author [\#18](https://github.com/hardening-io/ansible-ssh-hardening/pull/18) ([chris-rock](https://github.com/chris-rock)) +- add badges [\#17](https://github.com/hardening-io/ansible-ssh-hardening/pull/17) ([chris-rock](https://github.com/chris-rock)) +- fix meta.yml 
[\#16](https://github.com/hardening-io/ansible-ssh-hardening/pull/16) ([chris-rock](https://github.com/chris-rock)) +- add more information to changelog [\#15](https://github.com/hardening-io/ansible-ssh-hardening/pull/15) ([chris-rock](https://github.com/chris-rock)) +- Add meta-information for Ansible Galaxy [\#14](https://github.com/hardening-io/ansible-ssh-hardening/pull/14) ([rndmh3ro](https://github.com/rndmh3ro)) +- Update CHANGELOG.md [\#13](https://github.com/hardening-io/ansible-ssh-hardening/pull/13) ([rndmh3ro](https://github.com/rndmh3ro)) +- Add handler to restart ssh only if necessary. Fix \#6 [\#11](https://github.com/hardening-io/ansible-ssh-hardening/pull/11) ([rndmh3ro](https://github.com/rndmh3ro)) +- add more descriptions [\#10](https://github.com/hardening-io/ansible-ssh-hardening/pull/10) ([chris-rock](https://github.com/chris-rock)) +- add travis config for ansible [\#9](https://github.com/hardening-io/ansible-ssh-hardening/pull/9) ([chris-rock](https://github.com/chris-rock)) +- update .kitchen.yml to find playbook role in tests [\#8](https://github.com/hardening-io/ansible-ssh-hardening/pull/8) ([chris-rock](https://github.com/chris-rock)) +- Oracle support [\#5](https://github.com/hardening-io/ansible-ssh-hardening/pull/5) ([rndmh3ro](https://github.com/rndmh3ro)) +- Remove custom Vagrantfile-reference. Fix \#2 [\#4](https://github.com/hardening-io/ansible-ssh-hardening/pull/4) ([rndmh3ro](https://github.com/rndmh3ro)) +- Remove custom Vagrantfile-reference. Fix \#2 [\#3](https://github.com/hardening-io/ansible-ssh-hardening/pull/3) ([rndmh3ro](https://github.com/rndmh3ro)) +- Fix missing gem [\#1](https://github.com/hardening-io/ansible-ssh-hardening/pull/1) ([chris-rock](https://github.com/chris-rock)) + + + +\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..783c10f 
--- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,85 @@ +# Contributor Guideline + +This document provides an overview of how you can participate in improving this project or extending it. We are grateful for all your help: bug reports and fixes, code contributions, documentation or ideas. Feel free to join, we appreciate your support!! + +## Communication + +### GitHub repositories + +Much of the issues, goals and ideas are tracked in the respective projects in GitHub. Please use this channel to report bugs and post ideas. + +## git and GitHub + +In order to contribute code please: + +1. Fork the project on GitHub +2. Clone the project +3. Add changes (and tests) +4. Commit and push +5. Create a merge-request + +To have your code merged, see the expectations listed below. + +You can find a well-written guide [here](https://help.github.com/articles/fork-a-repo). + +Please follow common commit best-practices. Be explicit, have a short summary, a well-written description and references. This is especially important for the merge-request. + +Some great guidelines can be found [here](https://wiki.openstack.org/wiki/GitCommitMessages) and [here](http://robots.thoughtbot.com/5-useful-tips-for-a-better-commit-message). + + +## Expectations + +### Don't reinvent the wheel + +This hardening project doesn't intend to reinvent the configuration stack for services. Aim to use official configuration projects first and provide hardening as a layer on top. The goal is remove the need for a user to configure all aspects of services and maintain security configuration. This way, the user can still configure a service using the interface provided by the official project. + +* For Chef refer to the official [opscode community cookbooks](http://community.opscode.com/cookbooks). +* For Puppet head to the [Puppet Forge](https://forge.puppetlabs.com/) and take a node of the Puppet supported modules. 
+* For Ansible check the [Ansible Module Index](http://docs.ansible.com/list_of_all_modules.html) + +These projects are generally hosted on GitHub as well. + +In some cases, we in fact create the full rollout stack, but this is generally the exception ([os-hardening](https://github.com/TelekomLabs/chef-os-hardening), [nginx-hardening](https://github.com/TelekomLabs/chef-nginx-hardening)). + + +### Be explicit + +* Please avoid using nonsensical property and variable names. +* Use self-describing attribute names for user configuration. +* In case of failures, communicate what happened and why a failure occurs to the user. Make it easy to track the code or action that produced the error. Try to catch and handle errors if possible to provide improved failure messages. + + +### Add tests + +The security review of this project is done using integration tests. + +Whenever you add a new security configuration, please start by writing a test that checks for this configuration. For example: If you want to set a new attribute in a configuration file, write a test that expects the value to be set first. Then implement your change. + +You may add a new feature request by creating a test for whatever value you need. + +All tests will be reviewed internally for their validity and overall project direction. + + +### Document your code + +As code is more often read than written, please provide documentation in all projects. + +Adhere to the respective guidelines for documentation: + +* Chef generally documents code based explicit readme files. 
For code documentation please use [yard-chef](https://github.com/rightscale/yard-chef) +* [Puppet module documentation](http://docs.puppetlabs.com/puppet/latest/reference/modules_documentation.html) + + +### Follow coding styles + +We generally include test for coding guidelines: + +* Chef follows [Foodcritic](http://acrmp.github.io/foodcritic/) +* Puppet is checked with [puppet-lint](http://puppet-lint.com/checks/) +* Ansible is checked by running the playbook with the syntax-check option, e.g. `ansible-playbook foo.yml --syntax-check` + +Remember: Code is generally read much more often than written. + +### Use Markdown + +Wherever possible, please refrain from any other formats and stick to simple markdown. diff --git a/Gemfile b/Gemfile new file mode 100644 index 0000000..71eede2 --- /dev/null +++ b/Gemfile @@ -0,0 +1,35 @@ +# encoding: utf-8 + +source 'https://rubygems.org' + +group :test do + gem 'rake' + gem 'foodcritic', '~> 4.0' + gem 'thor-foodcritic' + gem 'coveralls', require: false +end + +group :development do + gem 'guard' + gem 'guard-rspec' + gem 'guard-kitchen' +end + +group :integration do + gem 'test-kitchen', '~> 1.0' + gem 'kitchen-ansible' + gem 'kitchen-vagrant' + gem 'kitchen-inspec' + gem 'kitchen-sharedtests', '~> 0.2.0' + gem 'kitchen-sync' + gem 'kitchen-transport-rsync' + gem 'kitchen-docker' +end + +group :openstack do + gem 'kitchen-openstack' +end + +group :tools do + gem 'github_changelog_generator', '~> 1' +end diff --git a/README.md b/README.md new file mode 100644 index 0000000..019bab7 --- /dev/null +++ b/README.md 
@@ -0,0 +1,128 @@ +# nginx-hardening (Ansible Role) + +[![Build Status](http://img.shields.io/travis/dev-sec/ansible-nginx-hardening.svg)][1] +[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][2] +[![Ansible Galaxy](https://img.shields.io/badge/galaxy-nginx--hardening-660198.svg)][3] + +## Description + +This role provides secure nginx configuration. + +## Requirements + +* Ansible + +## Role Variables + +| Name | Default Value | Description | +| -------------- | ------------- | -----------------------------------| +| [nginx_client_body_buffer_size][] | `1k` | Sets buffer size for reading client request body. In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file. | +| nginx_remove_default_site | `true` | Disables the default site. Set to false to enable the default site in nginx. | +| [nginx_client_max_body_size][] | `1k` | Sets the maximum allowed size of the client request body, specified in the “Content-Length” request header field. If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client. | +| [nginx_keepalive_timeout][] | `5 5` | The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value in the “Keep-Alive: timeout=time” response header field. | +| [nginx_server_tokens][] | `off` | Disables emitting nginx version in error messages and in the "Server" response header field. Set to on to enable the nginx version in error messages and "Server" response header. 
| +| [nginx_more_clear_headers][] | `[ "Server", "X-Powered-By" ]` | | +| [nginx_client_header_buffer_size][] | `1k` | | +| [nginx_large_client_header_buffers][] | `2 1k` | | +| [nginx_client_body_timeout][] | `10` | | +| [nginx_client_header_timeout][] | `10` | | +| [nginx_send_timeout][] | `10` | | +| [nginx_limit_conn_zone][] | `$binary_remote_addr zone=default:10m` | | +| [nginx_limit_conn][] | `default 5` | | +| [nginx_add_header][] | `[ "X-Frame-Options SAMEORIGIN", "X-Content-Type-Options nosniff", "X-XSS-Protection \"1; mode=block\"" ]` | | +| [nginx_ssl_protocols][] | `TLSv1 TLSv1.1 TLSv1.2` | Specifies the SSL protocol which should be used. | +| [nginx_ssl_ciphers][] | `ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA` | Specifies the TLS ciphers which should be used. | +| [nginx_ssl_prefer_server_ciphers][] | `on` | Specifies that server ciphers should be preferred over client ciphers when using the TLS protocols. Set to false to disable it. | +| [nginx_dh-size][] | `2048` | Specifies the length of DH parameters for EDH ciphers. | + +## Example Playbook + + - hosts: localhost + roles: + - dev-sec.nginx-hardening + +## Local Testing + +The preferred way of locally testing the role is to use Docker. You will have to install Docker on your system. 
See [Get started](https://docs.docker.com/) for a Docker package suitable to for your system. + +You can also use vagrant and Virtualbox or VMWare to run tests locally. You will have to install Virtualbox and Vagrant on your system. See [Vagrant Downloads](http://downloads.vagrantup.com/) for a vagrant package suitable for your system. For all our tests we use `test-kitchen`. If you are not familiar with `test-kitchen` please have a look at [their guide](http://kitchen.ci/docs/getting-started). + +Next install test-kitchen: + +```bash +# Install dependencies +gem install bundler +bundle install +``` + +### Testing with Docker + +``` +# fast test on one machine +bundle exec kitchen test default-ubuntu-1204 + +# test on all machines +bundle exec kitchen test + +# for development +bundle exec kitchen create default-ubuntu-1204 +bundle exec kitchen converge default-ubuntu-1204 +``` + +### Testing with Virtualbox + +``` +# fast test on one machine +KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test default-ubuntu-1204 + +# test on all machines +KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test + +# for development +KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen create default-ubuntu-1204 +KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen converge default-ubuntu-1204 +``` + +For more information see [test-kitchen](http://kitchen.ci/docs/getting-started) + +## Contributing + +See [contributor guideline](CONTRIBUTING.md). + +## License and Author + +* Author:: Sebastian Gumprich + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+See the License for the specific language governing permissions and +limitations under the License. + +[1]: http://travis-ci.org/dev-sec/ansible-nginx-hardening +[2]: https://gitter.im/dev-sec/general +[3]: https://galaxy.ansible.com/dev-sec/nginx-hardening/ + +[nginx_client_body_buffer_size]: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size +[nginx_client_max_body_size]: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size +[nginx_keepalive_timeout]: http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout +[nginx_server_tokens]: http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens +[nginx_more_clear_headers]: http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header +[nginx_client_header_buffer_size]: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size +[nginx_large_client_header_buffers]: http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers +[nginx_client_body_timeout]: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout +[nginx_client_header_timeout]: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout +[nginx_send_timeout]: http://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout +[nginx_limit_conn_zone]: http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn_zone +[nginx_limit_conn]: http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn +[nginx_add_header]: http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header +[nginx_ssl_protocols]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols +[nginx_ssl_ciphers]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers +[nginx_ssl_prefer_server_ciphers]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers +[nginx_dh-size]: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam 
\ No newline at end of file diff --git a/Rakefile b/Rakefile new file mode 100644 index 0000000..02c5821 --- /dev/null +++ b/Rakefile @@ -0,0 +1,11 @@ +#!/usr/bin/env rake +# encoding: utf-8 + +# Automatically generate a changelog for this project. Only loaded if +# the necessary gem is installed. +begin + require 'github_changelog_generator/task' + GitHubChangelogGenerator::RakeTask.new :changelog +rescue LoadError + puts '>>>>> GitHub Changelog Generator not loaded, omitting tasks' +end diff --git a/Thorfile b/Thorfile new file mode 100644 index 0000000..15b092f --- /dev/null +++ b/Thorfile @@ -0,0 +1,10 @@ +# encoding: utf-8 + +require 'bundler' +require 'bundler/setup' +require 'thor/foodcritic' + +require 'kitchen_sharedtests' +require 'kitchen/sharedtests_thor_tasks' + +Kitchen::SharedtestsThorTasks.new diff --git a/default.yml b/default.yml new file mode 100644 index 0000000..8020c5f --- /dev/null +++ b/default.yml @@ -0,0 +1,6 @@ +--- +- name: wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings + hosts: localhost + roles: + - geerlingguy.nginx + - ansible-nginx-hardening diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..c20051c --- /dev/null +++ b/defaults/main.yml 
@@ -0,0 +1,26 @@
+---
+nginx_client_body_buffer_size: '1k'
+nginx_remove_default_site: true
+nginx_client_max_body_size: '1k'
+nginx_keepalive_timeout: '5 5'
+nginx_server_tokens: 'off'
+nginx_more_clear_headers: [ "Server", "X-Powered-By" ]
+nginx_client_header_buffer_size: "1k"
+nginx_large_client_header_buffers: "2 1k"
+nginx_client_body_timeout: "10"
+nginx_client_header_timeout: "10"
+nginx_send_timeout: "10"
+nginx_limit_conn_zone: "$binary_remote_addr zone=default:10m"
+nginx_limit_conn: "default 5"
+nginx_add_header: [
+ # vvoid clickjacking
+ "X-Frame-Options SAMEORIGIN",
+ # disable content-type sniffing
+ "X-Content-Type-Options nosniff",
+ # XSS filter
+ "X-XSS-Protection \"1; mode=block\"" ]
+
+nginx_ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2"
+nginx_ssl_ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
+nginx_ssl_prefer_server_ciphers: "on"
+nginx_dh_size: "2048"
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..e2dd289
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: reload nginx
+ service: name={{ nginx_service_name }} state=reloaded
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..a6beea0
--- /dev/null
+++ b/meta/main.yml
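Review bot: `nginx_more_clear_headers` is declared here (and listed in the README) but nothing in `tasks/main.yml` or `templates/hardening.conf.j2` reads it, so the `Server` and `X-Powered-By` headers are not actually removed — `server_tokens off` only hides the version, the `Server` header is still sent. Either render it in the template (`more_clear_headers` needs the third-party headers-more module, which would then be a new requirement to document) or drop the variable until it is implemented. In `nginx_ssl_ciphers` the list explicitly keeps `DES-CBC3-SHA` and the broad `AES:CAMELLIA` groups; for a hardening default, 3DES should probably be excluded (`!3DES`), and a comment should record why `TLSv1 TLSv1.1` stay in `nginx_ssl_protocols`, so users know what compatibility they are paying for. The comment `# vvoid clickjacking` should read `# avoid clickjacking`.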
@@ -0,0 +1,27 @@ +--- +galaxy_info: + author: "Sebastian Gumprich" + description: 'This Ansible role provides secure nginx configurations. http://dev-sec.io/' + company: Hardening Framework Team + license: Apache License 2.0 + min_ansible_version: '1.9' + platforms: + - name: EL + versions: + - 6 + - 7 + - name: Ubuntu + versions: + - precise + - trusty + - xenial + - name: Debian + versions: + - wheezy + - jessie + galaxy_tags: + - system + - security + - hardening + - nginx +dependencies: [] diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 0000000..86981f9 --- /dev/null +++ b/requirements.yml @@ -0,0 +1 @@ +- src: geerlingguy.nginx diff --git a/spec/travis.yml b/spec/travis.yml new file mode 100644 index 0000000..690ee1a --- /dev/null +++ b/spec/travis.yml @@ -0,0 +1,3 @@ +- hosts: localhost + roles: + - ansible-nginx-hardening diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..01085b2 --- /dev/null +++ b/tasks/main.yml 
@@ -0,0 +1,31 @@
+---
+- name: add the OS specific variables
+ include_vars: "{{ ansible_os_family }}.yml"
+
+- name: config should not be worldwide read- or writeable
+ file: path="/etc/nginx" mode="o-rw" owner="root" group="root" recurse=yes
+
+- name: create additional configuration
+ template: src="hardening.conf.j2" dest="{{nginx_config_conf_dir}}/90.hardening.conf" owner="root" group="root"
+ notify: reload nginx
+
+- name: change configuration in main nginx.conf
+ lineinfile: dest="/etc/nginx/nginx.conf" regexp="^\s+server_tokens" line="server_tokens {{nginx_server_tokens}};" insertafter="http {"
+ notify: reload nginx
+
+- name: change client_max_body_size in main nginx.conf
+ lineinfile: dest="/etc/nginx/nginx.conf" regexp="^\s+client_max_body_size" line="client_max_body_size {{nginx_client_max_body_size}};" insertafter="http {"
+ notify: reload nginx
+
+- name: change client_body_buffer_size in main nginx.conf
+ lineinfile: dest="/etc/nginx/nginx.conf" regexp="^\s+client_body_buffer_size" line="client_body_buffer_size {{nginx_client_body_buffer_size}};" insertafter="http {"
+ notify: reload nginx
+
+- name: change keepalive_timeout in main nginx.conf
+ lineinfile: dest="/etc/nginx/nginx.conf" regexp="^\s+keepalive_timeout" line="keepalive_timeout {{nginx_keepalive_timeout}};" insertafter="http {"
+ notify: reload nginx
+
+- name: remove default.conf
+ file: path="{{nginx_default_conf}}" state=absent
+ when: nginx_remove_default_site
+ notify: reload nginx
diff --git a/templates/hardening.conf.j2 b/templates/hardening.conf.j2
new file mode 100644
index 0000000..81eae1a
--- /dev/null
+++ b/templates/hardening.conf.j2
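Review bot: None of the tasks that edit /etc/nginx/nginx.conf or drop the new 90.hardening.conf check the configuration before `notify: reload nginx`, so a bad render only surfaces when the handler runs and the play fails at the reload rather than at the edit; the four `lineinfile` tasks should carry `validate: 'nginx -t -c %s'`, and because a conf.d fragment cannot be validated in isolation, a `command: nginx -t` task with `changed_when: false` should follow the template task so the error is caught before the handlers fire. The `regexp="^\s+server_tokens"` pattern (and its three siblings) requires leading whitespace and matches any indented occurrence, so it would presumably miss a column-0 directive and could rewrite a `server_tokens` line that sits inside a `server` block rather than the `http` one; either anchor the edit to the `http` block or state in a comment that nginx.conf is expected to be the distribution default. As a point of style, the module arguments are written as `key=value` strings; native block YAML (`file:` with `path:`, `mode:`, `owner:` on their own lines) is the Ansible convention and avoids the quoting fragility in values like `insertafter="http {"`.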
@@ -0,0 +1,17 @@
+# {{ansible_managed}}
+# Additional configuration for Nginx.
+
+client_header_buffer_size {{nginx_client_header_buffer_size}};
+large_client_header_buffers {{nginx_large_client_header_buffers}};
+client_body_timeout {{nginx_client_body_timeout}};
+client_header_timeout {{nginx_client_header_timeout}};
+send_timeout {{nginx_send_timeout}};
+limit_conn_zone {{nginx_limit_conn_zone}};
+limit_conn {{nginx_limit_conn}};
+ssl_protocols {{nginx_ssl_protocols}};
+ssl_ciphers {{nginx_ssl_ciphers}};
+ssl_dhparam {{nginx_dh_size}};
+ssl_prefer_server_ciphers {{nginx_ssl_prefer_server_ciphers}};
+{% for header in nginx_add_header %}
+add_header {{header}};
+{% endfor %}
diff --git a/vars/Debian.yml b/vars/Debian.yml
new file mode 100644
index 0000000..2a05d53
--- /dev/null
+++ b/vars/Debian.yml
@@ -0,0 +1,3 @@
+nginx_config_conf_dir: '/etc/nginx/conf.d'
+nginx_default_conf: '/etc/nginx/sites-enabled/default'
+nginx_service_name: 'nginx'
diff --git a/vars/Oracle Linux.yml b/vars/Oracle Linux.yml
new file mode 100644
index 0000000..a0fe693
--- /dev/null
+++ b/vars/Oracle Linux.yml
@@ -0,0 +1,3 @@
+nginx_config_conf_dir: '/etc/nginx/conf.d'
+nginx_default_conf: '/etc/nginx/conf.d/default.conf'
+nginx_service_name: 'nginx'
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
new file mode 100644
index 0000000..a0fe693
--- /dev/null
+++ b/vars/RedHat.yml
@@ -0,0 +1,3 @@
+nginx_config_conf_dir: '/etc/nginx/conf.d'
+nginx_default_conf: '/etc/nginx/conf.d/default.conf'
+nginx_service_name: 'nginx'
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..e69de29
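Review bot: `ssl_dhparam {{nginx_dh_size}};` renders as `ssl_dhparam 2048;` with the default from defaults/main.yml, but `ssl_dhparam` takes the path of a PEM file, so as far as I can tell `nginx -t` will fail on any host that has a TLS-enabled server block (unless a file literally named `2048` exists under the nginx prefix) and the `reload nginx` handler errors out; the line should become `ssl_dhparam {{ nginx_dh_file }};` with a new path variable in defaults, backed by a task that runs `openssl dhparam -out <path> {{ nginx_dh_size }}` guarded by `creates:` so the slow generation happens once. The `add_header` lines emitted by the loop sit at `http` level, and nginx only inherits them into a `server` or `location` block that declares no `add_header` of its own, so a vhost that adds a single header silently loses all of these; a comment above the loop such as `# add_header is not inherited by server/location blocks that set their own add_header - repeat these there` would spare users that surprise. The same header comment should say that the `ssl_*` directives are defaults which any `ssl_protocols`/`ssl_ciphers` in a server block overrides, since the role cannot enforce them there.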
