Initial commit

Signed-off-by: Alan Orth <alan.orth@gmail.com>

roles/common/files/cron-apt/3-download

@@ -0,0 +1,2 @@
+autoclean -y
+upgrade -y -o APT::Get::Show-Upgraded=true

roles/common/files/cron-apt/config

@@ -0,0 +1,6 @@
+# Configuration for cron-apt. For further information about the possible
+# configuration settings see the README file.
+
+MAILTO="a.orth@cgiar.org"
+MAILON="error"
+OPTIONS="-o quiet=1 -o Dir::Etc::SourceList=/etc/apt/security.sources.list -o Dir::Etc::SourceParts=\"/dev/null\""

roles/common/files/cron-apt/security.sources.list

@@ -0,0 +1 @@
+deb http://security.ubuntu.com/ubuntu precise-security main universe

roles/common/handlers/main.yml

@@ -0,0 +1,14 @@
+---
+# file: roles/common/handlers/main.yml
+
+- name: restart iptables
+  service: name=iptables state=restarted
+
+- name: restart iptables-persistent
+  service: name=iptables-persistent state=restarted
+
+- name: restart sshd
+  service: name={{ sshd_service_name }} state=restarted
+
+- name: reload sysctl
+  command: sysctl -p /etc/sysctl.conf

roles/common/tasks/iptables_Debian.yml

@@ -0,0 +1,10 @@
+---
+- name: Install iptables-persistent
+  apt: pkg=iptables-persistent update_cache=yes
+  tags: firewall
+
+- name: Copy /etc/iptables/rules.v4
+  template: src=iptables.j2 dest=/etc/iptables/rules.v4 owner=root mode=0600
+  notify:
+    - restart iptables-persistent
+  tags: firewall

roles/common/tasks/main.yml

@@ -0,0 +1,38 @@
+---
+# not needed on OpenStack images...
+#- name: Set hostname
+#  hostname: name={{ inventory_hostname }}
+#  tags: hostname
+#
+#- name: Add hostname to /etc/hosts
+#  lineinfile: dest=/etc/hosts insertafter=^127.0.0.1 line='127.0.1.1       {{ inventory_hostname }}'
+#  tags: hostname
+
+- include: packages_Ubuntu.yml
+  when: "ansible_distribution == 'Ubuntu'"
+  tags: packages
+
+- include: iptables_Debian.yml
+  when: ansible_os_family == 'Debian'
+
+- name: Reconfigure /etc/ssh/sshd_config
+  template: src=sshd_config_{{ansible_distribution}}-{{ansible_distribution_version}}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
+  notify:
+  - restart sshd
+  tags: sshd
+
+- name: Reconfigure /etc/sysctl.conf
+  template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644
+  notify:
+  - reload sysctl
+  tags: sysctl
+
+- name: Reconfigure /etc/rc.local
+  when: "ansible_distribution == 'CentOS'"
+  template: src=rc.local_{{ ansible_distribution }}.j2 dest=/etc/rc.d/rc.local owner=root group=root mode=0755
+
+- name: Reconfigure /etc/rc.local
+  when: "ansible_distribution == 'Debian'"
+  template: src=rc.local_{{ ansible_distribution }}.j2 dest=/etc/rc.local owner=root group=root mode=0755
+
+# vim: set sw=2 ts=2:

roles/common/tasks/packages_Ubuntu.yml

@@ -0,0 +1,50 @@
+---
+- name: Configure apt mirror
+  template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
+
+- name: Add GPG key for Extras repo
+  apt_key: id=0x3E5C1192 url=http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x16126D3A3E5C1192 state=present
+
+- name: Upgrade base OS
+  apt: upgrade=dist update_cache=yes
+
+- name: Install base packages
+  apt: pkg={{ item }}
+  with_items:
+    - ntp
+    - git
+    - tmux
+    - iotop
+    - htop
+    - strace
+    - s3cmd
+    - cron-apt
+    - safe-rm
+    - debian-goodies
+    - mosh
+    - python-pycurl # for ansible's apt_repository
+    - sysv-rc-conf
+    - lzop
+    - vim
+
+- name: Security hardening (CIS Benchmark 1.0)
+  apt: pkg={{ item }} state=absent purge=yes
+  with_items:
+    - whoopsie # CIS 4.1
+    - apport   # CIS 4.1
+
+- name: Remove annoying packages
+  apt: pkg={{ item }} state=absent purge=yes
+  with_items:
+    - command-not-found
+    - command-not-found-data
+    - python3-commandnotfound
+
+- name: Configure cron-apt (config)
+  copy: src=cron-apt/config dest=/etc/cron-apt/config mode=0644 owner=root group=root
+
+- name: Configure cron-apt (config)
+  copy: src=cron-apt/3-download dest=/etc/cron-apt/action.d/3-download mode=0644 owner=root group=root
+
+- name: Configure cron-apt (security)
+  copy: src=cron-apt/security.sources.list dest=/etc/apt/security.sources.list mode=0644 owner=root group=root

roles/common/templates/iptables.j2

@@ -0,0 +1,20 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -s 0.0.0.0/0 -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -s 0.0.0.0/0 -j ACCEPT
+
+{% if extra_iptables_rules is defined %}
+{% for rule in extra_iptables_rules %}
+-A INPUT -p {{ rule.protocol }} -m state --state NEW -m {{ rule.protocol }} --dport {{ rule.port }} -s {{ ghetto_ipsets[rule.acl].src }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT

roles/common/templates/rc.local_Ubuntu.j2

@@ -0,0 +1,19 @@
+#!/bin/sh -e
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+#
+# In order to enable or disable this script just change the execution
+# bits.
+#
+# By default this script does nothing.
+
+# VMs should use deadline IO sched
+{% for device in ansible_devices %}
+echo deadline > /sys/block/{{ device }}/queue/scheduler
+{% endfor %}
+
+exit 0

roles/common/templates/sources.list.j2

@@ -0,0 +1,16 @@
+#############################################################
+################### OFFICIAL UBUNTU REPOS ###################
+#############################################################
+
+###### Ubuntu Main Repos
+deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }} main restricted universe multiverse
+
+###### Ubuntu Update Repos
+deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }}-security main restricted universe multiverse
+deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }}-updates main restricted universe multiverse
+
+###### Ubuntu Partner Repo
+deb http://archive.canonical.com/ubuntu {{ ansible_distribution_release }} partner
+
+###### Ubuntu Extras Repo
+deb http://extras.ubuntu.com/ubuntu {{ ansible_distribution_release }} main

roles/common/templates/sshd_config_Ubuntu-14.04.j2

@@ -0,0 +1,98 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin without-password
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile	%h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+GSSAPIAuthentication no
+GSSAPICleanupCredentials yes
+
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+# bettercrypto.org - June, 2014
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
+
+{% if ssh_allowed_users is defined and ssh_allowed_users %}
+# Is there a list of allowed users?
+# Is it populated? (An empty list is 'None', which evaluates as False in Python)
+AllowUsers {{ ssh_allowed_users }}
+{% endif %}

roles/common/templates/sysctl_Ubuntu.j2

@@ -0,0 +1,98 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additional system variables
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+#net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+#  Enabling this option disables Stateless Address Autoconfiguration
+#  based on Router Advertisements for this host
+#net.ipv6.conf.all.forwarding=1
+
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#
+
+# CIS Benchmark Adjustments
+# See: https://github.com/alanorth/securekickstarts
+kernel.randomize_va_space = 2 
+net.ipv4.ip_forward = 0 
+net.ipv4.conf.all.send_redirects = 0 
+net.ipv4.conf.default.send_redirects = 0 
+net.ipv4.conf.all.accept_source_route = 0 
+net.ipv4.conf.default.accept_source_route = 0 
+net.ipv4.conf.all.accept_redirects = 0 
+net.ipv4.conf.default.accept_redirects = 0 
+net.ipv4.conf.all.secure_redirects = 0 
+net.ipv4.conf.default.secure_redirects = 0 
+net.ipv4.conf.all.log_martians = 1 
+net.ipv4.conf.default.log_martians = 1 
+net.ipv4.icmp_echo_ignore_broadcasts = 1 
+net.ipv4.icmp_ignore_bogus_error_responses = 1 
+net.ipv4.conf.all.rp_filter = 1 
+net.ipv4.conf.default.rp_filter = 1 
+net.ipv4.tcp_syncookies = 1
+
+# TCP stuff
+# See: http://fasterdata.es.net/host-tuning/linux/
+# increase TCP max buffer size settable using setsockopt()
+net.core.rmem_max = 16777216 
+net.core.wmem_max = 16777216 
+# increase Linux autotuning TCP buffer limit 
+net.ipv4.tcp_rmem = 4096 87380 16777216
+net.ipv4.tcp_wmem = 4096 65536 16777216
+# increase the length of the processor input queue
+net.core.netdev_max_backlog = 30000
+{# Linode kernels don't have htcp, and kernels after 2.6.32 don't have buggy cubic #}
+{% if "linode" not in ansible_kernel and ansible_kernel < "2.6.33" %}
+# recommended default congestion control is htcp 
+net.ipv4.tcp_congestion_control=htcp
+{% endif %}
+# recommended for hosts with jumbo frames enabled
+#net.ipv4.tcp_mtu_probing=1