This role initializes a new host by performing some common configuration tasks. It is compatible with both dnf and rpm-ostree based Fedora, and is suitable for servers as well as for workstations or laptops.
Configure:

- Install an SSH authorized key.
- Set the admin user password.
- Configure DNS servers with DNSSEC and DNS over TLS support.
- Configure NTP servers with NTS support.
- Set the GRUB timeout.
- Set a GRUB password.
- Configure DNF proxy, weak dependencies and parallel downloads.
- Enable DNF automatic updates (with automatic restart).
- Set up NFS and CIFS/SMB shares.
- Set up root user mail redirection with SMTP relay on an external server.
- Install custom CA certificates.
This role also aims to improve system security by providing many security-related optional and default features. The goal is mainly to reduce the attack surface and to protect against common classes of security vulnerabilities.

Non-exhaustive list of changes:

- SELinux enforced.
- SSH hardening:
  - Hardened sshd configuration.
  - SSH access restricted to trusted sources using the firewall.
  - Fail2ban SSH jail.
- Optional Linux kernel hardening, including:
  - Protection against common memory safety issues like use-after-free.
  - Prevention of various kernel vulnerability classes, like DMA attacks.
  - Network hardening against various attacks (man in the middle, denial of service, ...).
  - Deactivation of uncommon or vulnerable kernel modules.
  - Protection of, or restricted access to, sensitive kernel data (core dumps, dmesg, ...).
- Optional Linux kernel lockdown mode.
- Optional CPU vulnerability mitigation configuration.
- Optional installation of the Netdata agent (as a standalone cloud-connected node, or as a thin child node streaming to a parent).

The most intrusive security options are optional and can be disabled by re-running the role with different options.

Hardening options in this role are tuned for Fedora. Options that are not relevant on Fedora, or that Fedora already enables by default, are not included. The role is limited to security options that can be achieved using configuration files and packages from the Fedora repositories.
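Once the role has run, it is worth verifying on the host that the controls listed above actually took effect rather than trusting the play's "ok" status. The check play below is an added example and is not part of the role. It assumes the role was applied with `common_ssh_authorized_key` set (so sshd password authentication is disabled), `common_dns_over_tls: "yes"`, `common_nts: true` and `common_kernel_lockdown: integrity`; the `expected_*` variables mirror those choices and must be adjusted to the values used on the host. It reads live state with standard tools (`sshd -T`, `getenforce`, `/sys/kernel/security/lockdown`, `resolvectl status`, `chronyc -N authdata`); the `+DNSOverTLS` token it looks for is an assumption about the status output format of current systemd versions.

```yaml
---
# Post-hardening check play (added example, not shipped with the role).
- hosts: all
  become: true
  gather_facts: false
  vars:
    expected_lockdown: integrity   # mirrors common_kernel_lockdown
    expect_dns_over_tls: true      # mirrors common_dns_over_tls: "yes"
    expect_nts: true               # mirrors common_nts
  tasks:
    - name: Dump the effective sshd configuration
      ansible.builtin.command: sshd -T
      register: sshd_t
      changed_when: false

    - name: Read the SELinux mode
      ansible.builtin.command: getenforce
      register: selinux
      changed_when: false

    - name: Read the kernel lockdown state (active mode is shown in brackets)
      ansible.builtin.command: cat /sys/kernel/security/lockdown
      register: lockdown
      changed_when: false

    - name: Read the global systemd-resolved settings
      ansible.builtin.command: resolvectl status
      register: resolved
      changed_when: false

    - name: Read the NTS state of the chrony sources
      ansible.builtin.command: chronyc -N authdata
      register: authdata
      changed_when: false
      when: expect_nts

    - name: Check that firewalld and fail2ban are running
      ansible.builtin.command: systemctl is-active firewalld fail2ban
      register: services
      changed_when: false
      failed_when: false

    - name: Assert that the hardening controls are in effect
      ansible.builtin.assert:
        that:
          # sshd -T prints normalized, lowercase keywords
          - "'passwordauthentication no' in sshd_t.stdout_lines"
          - "selinux.stdout == 'Enforcing'"
          # the file reads e.g. "none [integrity] confidentiality"
          - "('[' ~ expected_lockdown ~ ']') in lockdown.stdout"
          # strict DNS over TLS shows as "+DNSOverTLS" in the Protocols line
          # (assumed output format of current systemd versions)
          - "not expect_dns_over_tls or '+DNSOverTLS' in resolved.stdout"
          # chronyc -N authdata lists NTS in the Mode column of authenticated sources
          - "not expect_nts or 'NTS' in authdata.stdout"
          - "services.stdout_lines == ['active', 'active']"
        fail_msg: "A hardening control is not in effect on {{ inventory_hostname }}"
```

Run it right after the role play (or as a second play in the same playbook) so a host whose hardening silently did not apply, for example because the play stopped before a handler ran, fails loudly instead of being reported as configured.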
Name | Default Value | Description
---|---|---
`common_admin_password` | | If specified, set this password for the current remote user. Must be a hashed password; it can be generated with `mkpasswd --method=yescrypt`.
`common_allow_bluetooth` | `false` | If `true`, allow Bluetooth. Only applies when `common_os_hardening` is `true`.
`common_allow_thunderbolt` | `false` | If `false`, disable Thunderbolt and FireWire.
`common_allow_usb` | `true` | If `false`, disable USB.
`common_ca_certificates` | | If specified, CA certificates to install in the system CA trust store. Must be a list of local paths to PEM or DER formatted certificates.
`common_cpu_vulnerabilities_mitigation` | `auto` | Configure the kernel CPU vulnerability mitigations. Possible values are `auto` to enable all mitigations (default kernel behavior), `off` to disable all mitigations (best performance, weakest security) and `auto,nosmt` to enable all mitigations and disable SMT if required (best security, lowest performance).
`common_dnf_automatic_on_shutdown` | `false` | If `true`, trigger DNF automatic updates on system shutdown instead of using a timer. Ignored on rpm-ostree based systems.
`common_dnf_automatic_restart` | `true` | If `true`, restart the host when required after DNF automatic updates. Disabled if `common_dnf_automatic_on_shutdown` is `true`. Ignored on rpm-ostree based systems.
`common_dnf_automatic_upgrade_type` | `default` | The type of updates installed by DNF automatic. Possible values are `default` (all available updates) or `security` (security updates only, may improve stability). Ignored on rpm-ostree based systems.
`common_dnf_fastestmirror` | `false` | If `true`, a metric is used to find the fastest available mirror. Mirror lists are often dynamically generated by the server to provide the best download speeds, and enabling fastestmirror overrides this. Ignored on rpm-ostree based systems.
`common_dnf_install_weak_deps` | `false` | If `true`, configure DNF to install weak dependencies. Ignored on rpm-ostree based systems.
`common_dnf_keepcache` | `false` | If `true`, configure DNF to keep the package cache. Ignored on rpm-ostree based systems.
`common_dnf_proxy` | | URL of a proxy server to connect through. The expected format is `<scheme>://<ip-or-hostname>[:port]`. If you configured another host with the squid role, you may set this to `http://<squid-host-ip-or-hostname>:<squid-port>`. Ignored on rpm-ostree based systems.
`common_dnf_proxy_auth_method` | | If the proxy requires authentication, the authentication method to use. Ignored on rpm-ostree based systems.
`common_dnf_proxy_password` | | If the proxy requires authentication, the password to use. Ignored on rpm-ostree based systems.
`common_dnf_proxy_username` | | If the proxy requires authentication, the username to use. Ignored on rpm-ostree based systems.
`common_dnf_sslcacert` | | If specified, file containing the certificate authorities used to verify SSL certificates; if not specified, the system defaults are used. Can be used to specify the proxy certificate when used with `common_dnf_proxy`. Ignored on rpm-ostree based systems.
`common_dns_over_tls` | `opportunistic` | Enable DNS over TLS. `"yes"` is recommended if the DNS servers support DNS over TLS: in `opportunistic` mode the server certificate is not validated and an attacker on the path can downgrade resolution to unencrypted DNS. `"no"` enforces classical unencrypted DNS.
`common_dns_servers` | | Space-separated list of DNS servers to use; if not set, the default value (generally provided by the DHCP server) is used. If `common_dns_over_tls` is set to `"yes"`, it is recommended to write servers as `address#server_name` so that the server certificate can be validated.
`common_dns_servers_fallback` | `"1.1.1.1 9.9.9.9 1.0.0.1 149.112.112.112 2606:4700:4700::1111 2620:fe::fe 2606:4700:4700::1001 2620:fe::9"` | Space-separated list of fallback DNS servers to use. The default uses Cloudflare and Quad9 DNS servers (Google is replaced for privacy reasons).
`common_dnssec` | | If `"yes"`, enforce DNSSEC validation locally, else use the default configuration. The DNS servers must support DNSSEC.
`common_domain` | | Domain/FQDN of the current machine.
`common_fail2ban_action` | `%(action_mwl)s` | Fail2ban default action. By default, ban the offending address and send a mail with detailed logs to root.
`common_fs_cache` | `false` | If `true`, configure cachefilesd to cache network file systems. To use it with NFS or SMB mounts, set this value to `true` and add `fsc` to the mount options.
`common_grub_auto_hide` | `false` | If `true`, configure GRUB to auto-hide.
`common_grub_cmdline_linux_default` | | Space-separated list of extra Linux kernel options passed on boot using `GRUB_CMDLINE_LINUX_DEFAULT`.
`common_grub_hidden_timeout` | `0` | GRUB hidden timeout to set.
`common_grub_password` | | If specified, ensure the GRUB password is set to this value.
`common_grub_save_default` | `false` | If `true`, configure GRUB to use the last used entry as default.
`common_grub_timeout` | `1` | GRUB timeout to set.
`common_guest_qemu` | `false` | If `true`, install the QEMU guest agent.
`common_hostname` | | If specified, set the hostname.
`common_journal_disk_max_size` | | If specified, set the systemd journal maximum disk usage (`SystemMaxUse`).
`common_journal_memory_max_size` | | If specified, set the systemd journal maximum memory usage (`RuntimeMaxUse`).
`common_kernel_lockdown` | | If specified, enable kernel lockdown. Possible values are `integrity` to protect the kernel from modification, and `confidentiality` to protect the kernel from modification and additionally prevent extraction of confidential information from it.
`common_login_password_min_length` | `12` | Minimal password length.
`common_mail_smtp_host` | | SMTP server host.
`common_mail_smtp_inet_interfaces` | `127.0.0.1` | Interfaces on which SMTP requests are accepted. By default, localhost only. Only if `common_mail_smtp_host` is specified.
`common_mail_smtp_password` | | Password of the `common_mail_smtp_user` user on the SMTP server. Only if `common_mail_smtp_host` is specified.
`common_mail_smtp_port` | `465` | SMTP server port to use, can be `25` (SMTP), `465` (SMTPS) or `587` (SMTP submission). Only if `common_mail_smtp_host` is specified.
`common_mail_smtp_user` | | User to authenticate as on the SMTP server; if specified, enables SMTP authentication. Only if `common_mail_smtp_host` is specified.
`common_mail_smtp_tls` | `TLS` | Security mode to use. Possible values are `TLS` (for SMTPS) or `STARTTLS` (for SMTP/SMTP submission).
`common_mail_smtp_send_to` | | If specified, redirect all root mails to the specified email address.
`common_netdata_claim_rooms` | | If specified, claim the Netdata node in the specified room. `common_netdata_claim_token` is required. The value is the room UUID in Netdata cloud.
`common_netdata_claim_token` | | If specified, claim the Netdata node in the cloud using the specified token. The value is the token from Netdata cloud. `common_netdata_claim_rooms` is required.
`common_netdata_cloud_only` | `false` | If `true`, the Netdata dashboard is only reachable from Netdata cloud. `common_netdata_claim_token` is required.
`common_netdata_enable` | `false` | If `true`, install the Netdata agent.
`common_netdata_stream_api_key` | | If specified, configure Netdata streaming using the specified API key. `common_netdata_stream_destination` is required.
`common_netdata_stream_destination` | | If specified, configure Netdata streaming to the specified parent destination. If configured, and `common_netdata_claim_token` is not configured, the agent is set up as a thin agent that only streams to the parent. `common_netdata_stream_api_key` is required.
`common_nfs_mount` | | If specified, mount the specified NFS shares. Must be a list of mappings (one per share to mount) with keys: `path` (mount point path), `src` (share to mount), `opts` (optional, mount options, see fstab(5)), `owner` (optional, user owning the mount), `group` (optional, group owning the mount), `mode` (optional, permission mode), `state` (optional, `present` to only add it to `/etc/fstab` without mounting it now).
`common_ntp_server` | | If specified, configure Chrony to use the specified NTP server.
`common_nts` | `false` | If `true`, configure Chrony to enable NTS (Network Time Security). The server specified by `common_ntp_server` must support NTS.
`common_os_hardening` | `true` | If `true`, apply the OS hardening baseline.
`common_os_hardening_disable_kernel_module_loading` | `false` | If `true`, disable kernel module loading. Only applies when `common_os_hardening` is `true`.
`common_os_hardening_disable_user_namespaces` | `false` | If `true`, disable user namespaces. Only applies when `common_os_hardening` is `true`. User namespaces are required by containers (Docker, Podman, ...) and by the `PrivateUsers=` systemd sandboxing feature; leave this option at `false` to use them.
`common_os_hardening_interactive_timeout` | `600` | Timeout for interactive sessions before logout. Only applies when `common_os_hardening` is `true`.
`common_os_hardening_fips` | `false` | If `true`, configure the cryptographic policies to use FIPS. WARNING: keep an SSH shell open while applying this setting, because it can break new SSH connections.
`common_os_hardening_kernel_ia32_emulation` | `false` | If `false`, reduce the attack surface by disabling x86 32-bit emulation on x86-64. Only applies when `common_os_hardening` is `true`.
`common_os_hardening_localpkg_gpgcheck` | `true` | If `true`, require local packages to be signed before they can be installed. This interferes with akmods and should be disabled if using it.
`common_random_mac` | `false` | If `true`, enable the use of random MAC addresses.
`common_random_mac_wifi` | `random` | Random MAC address mode when using Wi-Fi: `random` to always generate a random MAC address, `stable` to generate one random MAC address per network. When using `random`, it is still possible to configure a specific network to `stable` using `nmcli c modify UUID 802-11-wireless.cloned-mac-address stable` (with `UUID` the value from `nmcli c \| grep wifi`).
`common_random_mac_ethernet` | `stable` | Random MAC address mode when using Ethernet: `random` to always generate a random MAC address, `stable` to generate one random MAC address per network, or `permanent` to use the real interface MAC address.
`common_smb_mount` | | If specified, mount the specified CIFS/SMB shares. The value format is identical to `common_nfs_mount`.
`common_ssh_authorized_key` | | If specified, add the specified SSH public key to `~/.ssh/authorized_keys`. If `common_ssh_hardening` is `true`, this also disables password authentication. (A key can be generated using `ssh-keygen -t ed25519`.)
`common_ssh_hardening` | `true` | If `true`, apply a hardened configuration to the SSH server.
`common_trusted_firewalld_source` | | If specified, configure Firewalld to authorize SSH access only from the specified list of sources in CIDR notation (for example `["192.168.1.10/32", "192.168.1.0/24", "2001:db8:1234:5678::/64"]`).
Example of remotely configuring a server:

```yaml
---
- hosts: all
  become: true
  force_handlers: true  # See known issues
  collections:
    - jgoutin.home
  roles:
    - common
  vars:
    common_ssh_authorized_key: ssh-ed25519 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    common_ntp_server: 192.168.1.1
    common_trusted_firewalld_source: 192.168.1.10/32
```

Example of locally configuring a laptop:

```yaml
---
- hosts: localhost
  become: true
  force_handlers: true  # See known issues
  collections:
    - jgoutin.home
  roles:
    - common
  vars:
    # Ensure laptop devices are allowed
    common_allow_bluetooth: true
    common_allow_thunderbolt: true
    # Use random MAC addresses
    common_random_mac: true
```
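The two examples above only touch a few variables. The following playbook is an added example, not one of the role's own, that combines the security-relevant variables from the table for an exposed server: strict DNS over TLS with certificate validation (`address#server_name` form) plus local DNSSEC validation, NTS-authenticated time, kernel lockdown, CPU mitigations with SMT disabled when needed, a GRUB password, security-only unattended updates, root mail (including Fail2ban reports) relayed over SMTPS, and a read-only NFS mount using the cachefilesd `fsc` option. Every address, host name, share path and the `vault_*` variables are assumed values to replace; the NTS server name is an assumption about a public NTS-capable service.

```yaml
---
# Hardened server example (added, not part of the role's README).
- hosts: servers
  become: true
  force_handlers: true  # See known issues
  collections:
    - jgoutin.home
  roles:
    - common
  vars:
    # Key-based SSH only: with common_ssh_hardening (default true) setting a
    # key also disables sshd password authentication.
    common_ssh_authorized_key: ssh-ed25519 AAAA...replace-with-your-public-key
    # Hashed password for the remote admin user, generated with
    # "mkpasswd --method=yescrypt" and stored in Ansible Vault (assumed var).
    common_admin_password: "{{ vault_admin_password_hash }}"
    # SSH reachable only from the admin workstation and the management prefix
    # (assumed addresses).
    common_trusted_firewalld_source:
      - 192.168.1.10/32
      - 2001:db8:1234:5678::/64
    # Strict DNS: enforced DNS over TLS with certificate validation and
    # local DNSSEC validation. Quoted so YAML does not turn "yes" into true.
    common_dns_over_tls: "yes"
    common_dnssec: "yes"
    common_dns_servers: "1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net"
    # Authenticated time via NTS (assumed NTS-capable server name).
    common_ntp_server: time.cloudflare.com
    common_nts: true
    # Kernel: lockdown in integrity mode; keep all CPU mitigations and drop
    # SMT if a mitigation needs it; no 32-bit compat layer.
    common_kernel_lockdown: integrity
    common_cpu_vulnerabilities_mitigation: "auto,nosmt"
    common_os_hardening_kernel_ia32_emulation: false
    # Bootloader menu protected from edits (assumed vault variable).
    common_grub_password: "{{ vault_grub_password }}"
    # Unattended security updates; common_dnf_automatic_restart (default
    # true) reboots the host when an update requires it.
    common_dnf_automatic_upgrade_type: security
    # Root mail, including the Fail2ban ban reports produced by the default
    # %(action_mwl)s action, relayed through an external SMTPS server
    # (assumed host, user and addresses).
    common_mail_smtp_host: smtp.example.com
    common_mail_smtp_port: 465
    common_mail_smtp_tls: TLS
    common_mail_smtp_user: relay@example.com
    common_mail_smtp_password: "{{ vault_smtp_password }}"
    common_mail_smtp_send_to: ops@example.com
    # Read-only NFS mount with local caching: common_fs_cache enables
    # cachefilesd and "fsc" in the mount options opts it in (assumed share).
    common_fs_cache: true
    common_nfs_mount:
      - path: /srv/backups
        src: 192.168.1.20:/export/backups
        opts: "ro,fsc,sec=sys"
        owner: root
        group: root
        mode: "0750"
```

Run it with `--ask-become-pass` (or a vault-provided become password) and keep the existing session open during the first run, since the admin password and the firewall restriction both change how the next connection is authenticated. `common_os_hardening_fips` is deliberately left at its default here because of the SSH caveat documented in the table.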
Some modules and sub-roles of this role require installing some packages on the host to work. Since these packages are not required once the Ansible play is done, this role provides handlers to clean them up.

In case of failure during the Ansible play, handlers are not run and the packages are not cleaned up. To avoid this issue and ensure the cleanup is performed, add `force_handlers: true` to the playbook.
When using the `common_admin_password` variable, the playbook may fail on the first step that follows "Ensure current user password is set" with the message "Incorrect sudo password". This happens because Ansible keeps using the become password supplied at the start of the run, which no longer matches once the role has changed the user's password. In this case, simply re-run the playbook and enter the new password when asked by Ansible (BECOME password).

If this failure is an issue in a complex playbook, do not use this variable to set the password.
Uninstalling Netdata is not supported yet by the role, but can be done using the following commands:

```shell
curl https://get.netdata.cloud/kickstart.sh > /tmp/netdata-kickstart.sh && sh /tmp/netdata-kickstart.sh --uninstall --non-interactive
rm -rf /var/log/netdata/ /var/lib/netdata/ /etc/netdata/ /var/cache/netdata/
```