    Ansible Hardening Role

    IT Discussion
    ansible security hardening linux automation
stacksofplates

      In case anyone wants it. Haven't tested it on anything other than RHEL/CentOS/Fedora.

      https://gitlab.com/hooksie1/ansible-hardening.git

Romo

        @stacksofplates Why allow ssh in the drop zone? Is this blocking it?

```yaml
- name: open SSH for drop zone
  firewalld:
    zone: drop
    service: "{{ item }}"
    permanent: true
    state: enabled
    immediate: true
  with_items: "{{ firewalld_services }}"
  notify: set default zone
  tags:
   - firewalld
   - hardening
```
stacksofplates @Romo

          @romo said in Ansible Hardening Role:

          @stacksofplates Why allow ssh in the drop zone? Is this blocking it?

```yaml
- name: open SSH for drop zone
  firewalld:
    zone: drop
    service: "{{ item }}"
    permanent: true
    state: enabled
    immediate: true
  with_items: "{{ firewalld_services }}"
  notify: set default zone
  tags:
   - firewalld
   - hardening
```

          It sets the default zone to drop in the handler.

          So from what I remember, drop used to drop everything no matter if it was allowed or not. But a test I did recently showed it allowed it through. This rule is based off of SCAP so you could also just change it to public instead of drop.

Romo @stacksofplates

@stacksofplates Currently reading Jang's RHCSA book; it says the drop zone defaults to allowing outgoing connections and dropping incoming ones.

            So this playbook is just allowing ssh outgoing and dropping all ssh incoming, right?

stacksofplates @Romo

              @romo said in Ansible Hardening Role:

@stacksofplates Currently reading Jang's RHCSA book; it says the drop zone defaults to allowing outgoing connections and dropping incoming ones.

              So this playbook is just allowing ssh outgoing and dropping all ssh incoming, right?

              That's what I was saying. I used to drop all incoming no matter what but it seems to allow incoming now? I'll have to play around with it again. The only reason it's set to drop is because the SCAP check wanted that. I'll verify when I get home that it's acting differently now.

stacksofplates

Ya, so there must have been a change at some point. Setting the zone to drop and then adding services allows those services through. The firewalld site shows what your book says is correct, and what (I'm 99% sure) I saw when I initially started with the SCAP stuff last year:

[screenshot: drop-site.png, the firewalld documentation for the drop zone]

                However, here are the actual results:

[screenshot: drop.png, the configured drop zone with ssh listed as an allowed service]

[screenshot: nmap.png, an nmap scan showing the ssh port reachable]

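As an added example (not code from the hooksie1 role or from anyone in this thread), a playbook that applies the same pattern discussed above, a default zone of drop with a list of allowed services, and then reads back what firewalld actually admits, so the zone behaviour is verified on the host rather than assumed from documentation. The `hardening_zone` variable, the `command`-based handler and the `assert` task are my assumptions about how the role could be written, not the role's own tasks.

```yaml
# Added example: apply a hardening zone and verify its effective rules.
# Assumption: firewalld is installed and running on the target hosts.
---
- hosts: all
  become: true
  vars:
    hardening_zone: drop          # the SCAP-style choice; "public" also works
    firewalld_services:           # the only services the zone should admit
      - ssh
  tasks:
    - name: allow only the listed services in the hardening zone
      firewalld:
        zone: "{{ hardening_zone }}"
        service: "{{ item }}"
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ firewalld_services }}"
      notify: set default zone

    - name: run the handler now so the default zone is set before verifying
      meta: flush_handlers

    - name: read back the default zone
      command: firewall-cmd --get-default-zone
      register: default_zone
      changed_when: false

    - name: read back the services the hardening zone admits
      command: firewall-cmd --zone={{ hardening_zone }} --list-services
      register: zone_services
      changed_when: false

    # The zone's allowed services are honoured even when the zone is "drop",
    # so this check fails if anything beyond the intended list is reachable.
    - name: fail if the effective rules differ from the intended ones
      assert:
        that:
          - default_zone.stdout == hardening_zone
          - zone_services.stdout.split() | sort == firewalld_services | sort
        fail_msg: "zone {{ hardening_zone }} admits {{ zone_services.stdout }}, expected {{ firewalld_services }}"

  handlers:
    - name: set default zone
      command: firewall-cmd --set-default-zone={{ hardening_zone }}
```

A port scan from another host, as in the screenshots above, remains the independent confirmation that the read-back configuration matches what is actually reachable.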