Ansible Hardening Role



  • In case anyone wants it. Haven't tested it on anything other than RHEL/CentOS/Fedora.

    https://gitlab.com/hooksie1/ansible-hardening.git



  • @stacksofplates Why allow ssh in the drop zone? Is this blocking it?

    - name: open SSH for drop zone
      firewalld:
        zone: drop
        service: "{{ item }}"
        permanent: true
        state: enabled
        immediate: true
      with_items: "{{ firewalld_services }}"
      notify: set default zone
      tags:
       - firewalld
       - hardening
    


  • @romo said in Ansible Hardening Role:

    @stacksofplates Why allow ssh in the drop zone? Is this blocking it?

    - name: open SSH for drop zone
      firewalld:
        zone: drop
        service: "{{ item }}"
        permanent: true
        state: enabled
        immediate: true
      with_items: "{{ firewalld_services }}"
      notify: set default zone
      tags:
       - firewalld
       - hardening
    

    It sets the default zone to drop in the handler.

    So from what I remember, drop used to drop everything no matter if it was allowed or not. But a test I did recently showed it allowed it through. This rule is based off of SCAP so you could also just change it to public instead of drop.



  • @stacksofplates Currently reading Jang's RHCSA book, it says drop zone defaults to allowing outgoing connections and dropping incoming.

    So this playbook is just allowing ssh outgoing and dropping all ssh incoming, right?



  • @romo said in Ansible Hardening Role:

    @stacksofplates Currently reading Jang's RHCSA book, it says drop zone defaults to allowing outgoing connections and dropping incoming.

    So this playbook is just allowing ssh outgoing and dropping all ssh incoming, right?

    That's what I was saying. I used to drop all incoming no matter what but it seems to allow incoming now? I'll have to play around with it again. The only reason it's set to drop is because the SCAP check wanted that. I'll verify when I get home that it's acting differently now.



  • Ya, so there must have been a change at some point. Setting the zone to drop and then adding services allows those services through. Firewalld site shows what your book says is correct and what (I'm 99% sure) I saw when I initially started with the SCAP stuff last year:

    [screenshot: drop-site.png]

    However, here are the actual results:

    [screenshot: drop.png]

    [screenshot: nmap.png]
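  • The thread's conclusion is that a zone whose target is DROP still accepts any service or port explicitly listed in it, so "default zone = drop" is only as tight as the zone file contents. The script below is an added example, not part of the original thread or of the ansible-hardening role: it parses a firewalld zone definition (the format firewalld writes to /etc/firewalld/zones/<zone>.xml), lists every entry that will be turned into an ACCEPT rule ahead of the zone target, and flags anything not in an expected allow-list. The sample XML is constructed to resemble the drop zone after ssh and an extra port have been added; the file contents are assumed, the firewall-cmd commands in the comments are real.

    ```python
    """Audit a firewalld zone definition for inbound entries it will still accept.

    Added example (not the thread's or the role's code). Sample content is
    constructed; on a real host point audit_file() at /etc/firewalld/zones/drop.xml.
    """
    import xml.etree.ElementTree as ET
    from pathlib import Path

    # Constructed sample of the drop zone after:
    #   firewall-cmd --permanent --zone=drop --add-service=ssh
    #   firewall-cmd --permanent --zone=drop --add-port=8080/tcp
    # target="DROP" is the zone's fallback; listed services/ports are accepted first.
    SAMPLE_DROP_ZONE = """<?xml version="1.0" encoding="utf-8"?>
    <zone target="DROP">
      <short>Drop</short>
      <description>Unsolicited incoming network packets are dropped.</description>
      <service name="ssh"/>
      <port port="8080" protocol="tcp"/>
    </zone>
    """

    # Constructed sample of a zone with no explicit target (firewalld treats the
    # missing attribute as "default", i.e. reject, not drop).
    SAMPLE_PUBLIC_ZONE = """<?xml version="1.0" encoding="utf-8"?>
    <zone>
      <short>Public</short>
      <service name="ssh"/>
      <service name="dhcpv6-client"/>
    </zone>
    """


    def parse_zone(xml_text):
        """Return the zone target plus the services and ports it explicitly opens."""
        root = ET.fromstring(xml_text)
        if root.tag != "zone":
            raise ValueError(f"expected a <zone> document, got <{root.tag}>")
        return {
            "target": root.get("target", "default"),
            "services": sorted(s.get("name") for s in root.findall("service")),
            "ports": sorted(
                f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port")
            ),
        }


    def accepted_inbound(zone):
        """Entries firewalld accepts regardless of the zone target.

        This is the behaviour observed in the thread: the DROP target only applies
        to traffic that matched nothing listed in the zone.
        """
        return zone["services"] + zone["ports"]


    def audit_zone(zone, expected=frozenset({"ssh"})):
        """Findings for a zone meant to be 'drop everything except `expected`'."""
        findings = []
        if zone["target"] != "DROP":
            findings.append(f"zone target is {zone['target']!r}, not DROP")
        for entry in accepted_inbound(zone):
            if entry not in expected:
                findings.append(f"unexpected inbound allow: {entry}")
        return findings


    def audit_file(path, expected=frozenset({"ssh"})):
        """Audit a real zone file, e.g. /etc/firewalld/zones/drop.xml."""
        return audit_zone(parse_zone(Path(path).read_text()), expected)


    if __name__ == "__main__":
        zone = parse_zone(SAMPLE_DROP_ZONE)
        print("target:", zone["target"])
        print("accepted inbound:", accepted_inbound(zone))
        for finding in audit_zone(zone):
            print("FINDING:", finding)
    ```

    Run against the live file after the role's handler has set the default zone, the output tells you exactly which inbound entries survive the DROP target, which is the list the nmap screenshot in the thread is really showing.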