Add and configure OS hardening role

This role was run but is commented out as rerunning it shouldn't add
much whilst also being a time hog.
Thomas Kleinendorst 2024-04-09 17:49:51 +02:00
parent 7a42119d1a
commit ce995083c6
4 changed files with 25 additions and 1 deletions

.vscode/settings.json vendored Normal file

@ -0,0 +1,3 @@
{
"ansible.python.interpreterPath": "/home/thomas/python_venv/bin/python"
}
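Review bot: `ansible.python.interpreterPath` is an absolute, user-specific path (`/home/thomas/python_venv/bin/python`), so this committed `.vscode/settings.json` only works on one machine and silently points other contributors' editors at a non-existent interpreter. Prefer keeping `.vscode/` out of the repository (add it to `.gitignore`) or, if shared editor settings are wanted, use a workspace-relative path such as `${workspaceFolder}/.venv/bin/python` and document how to create that venv.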


@ -5,7 +5,12 @@ Contains the Infrastructure as Code files which are used for provisioning my in
The files within this repository should be run on a computer with Ansible installed which is only supported on MacOS and Linux systems. For Windows it can be run within a WSL distro (see [this guide](https://code.visualstudio.com/docs/remote/wsl-tutorial) on how to set this up, make sure the repository is checked out on the WSL distribution itself). The files within this repository should be run on a computer with Ansible installed which is only supported on MacOS and Linux systems. For Windows it can be run within a WSL distro (see [this guide](https://code.visualstudio.com/docs/remote/wsl-tutorial) on how to set this up, make sure the repository is checked out on the WSL distribution itself).
### Ansible control node prerequisites ### Ansible control node prerequisites
Install Ansible ([see instructions](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html)). 1. Install Ansible ([see instructions](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html)).
2. Install Ansible Galaxy content:
```bash
ansible-galaxy install -r requirements.yml
```
### Environment prerequisites ### Environment prerequisites
The Raspberry Pi IaC code contained within this repository provisions the Raspberry Pi itself but doesn't provision all surrounding infrastructure which is presumed to be managed by hand. The following relevant configuration is assumed: The Raspberry Pi IaC code contained within this repository provisions the Raspberry Pi itself but doesn't provision all surrounding infrastructure which is presumed to be managed by hand. The following relevant configuration is assumed:
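Review bot: the new step 2 tells the reader to install the Galaxy content from `requirements.yml`, but nothing in this README says that the `devsec.hardening.os_hardening` role it pulls in is commented out in the playbook and therefore never runs on a fresh host. Add a sentence under "Ansible control node prerequisites" (or under "Environment prerequisites") stating that OS hardening must be enabled and run once explicitly, otherwise someone following these steps ends up with an unhardened Pi while believing the hardening collection is in use.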


@ -2,6 +2,16 @@
- name: Install raspberry pi - name: Install raspberry pi
become: true become: true
hosts: raspberry_pis hosts: raspberry_pis
# roles:
# These roles are disabled after they have being applied once for performance reasons, it should be safe to enable them again.
# Notice that this role changes some settings on reruns (on the "Change various sysctl-settings" task), doesn't seem problematic though.
# - devsec.hardening.os_hardening
vars:
# devsec.hardening.os_hardening vars:
os_auth_pw_max_age: 99999 # Effectively disables the setting as mentioned in the docs.
os_cron_enabled: false # Cron isn't needed for the installation.
sysctl_overwrite:
vm.mmap_rnd_bits: 16 # See the "sysctl - vm.mmap_rnd_bits" section of the docs.
tasks: tasks:
# Disable warning on updating latest packages, it should be safe enough for this system. # Disable warning on updating latest packages, it should be safe enough for this system.
- name: Update all packages to their latest version # noqa: package-latest - name: Update all packages to their latest version # noqa: package-latest
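Review bot: commenting out `# - devsec.hardening.os_hardening` removes hardening from the declared state of the host, so a rebuild from this playbook (new SD card, new Pi) produces a system without the baseline and the comment "it should be safe to enable them again" relies on someone remembering to do so. Keep the role in the `roles:` list and make it skippable instead, e.g. with `tags: [hardening]` and `--skip-tags hardening` on routine runs, or a guard such as `when: run_hardening | default(false) | bool`; that also keeps the `vars:` block (`os_auth_pw_max_age`, `os_cron_enabled`, `sysctl_overwrite`) attached to the role that consumes it rather than orphaned. Two of those overrides weaken controls the role would otherwise set, `os_auth_pw_max_age: 99999` (no password expiry) and `vm.mmap_rnd_bits: 16` (less ASLR entropy than the role's default); both may be justified on this platform, but the justification should be stated in the comment rather than only "see the docs", and the noted drift on reruns ("Change various sysctl-settings") is worth an issue so it does not get lost in a comment. Minor: "after they have being applied" should read "after they have been applied".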

requirements.yml Normal file

@ -0,0 +1,6 @@
---
collections:
# from Ansible Galaxy
# See: https://galaxy.ansible.com/ui/repo/published/devsec/hardening/
- name: devsec.hardening
version: 9.0.1
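Review bot: pinning `devsec.hardening` to the exact `version: 9.0.1` is the right call for reproducible runs, but note in a comment that bumping it later requires `ansible-galaxy install -r requirements.yml --force` (a plain rerun does not replace an already-installed collection) and that the pin needs to be reviewed when upstream ships fixes, since a stale hardening collection otherwise never gets updated.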