Initial refactor for issue cisagov#96

Signed-off-by: Thomas Sjögren <[email protected]>

src/base.yml

@@ -4,9 +4,6 @@
   become: true
   become_method: ansible.builtin.sudo
   tasks:
-    - name: Install and configure automated security updates
-      ansible.builtin.include_role:
-        name: automated_security_updates
     - name: Install and configure login banner
       ansible.builtin.include_role:
         name: banner
@@ -19,9 +16,6 @@
     - name: Install and configure htop
       ansible.builtin.include_role:
         name: htop
-    - name: Configure JournalD to preserve logs across reboots
-      ansible.builtin.include_role:
-        name: persist_journald
     - name: Install and configure systemd-resolved
       ansible.builtin.include_role:
         name: systemd_resolved

src/harden.yml

@@ -15,15 +15,61 @@
         - https://raw.githubusercontent.com/cisagov/ansible-role-banner/develop/files/issue
         - https://raw.githubusercontent.com/cisagov/ansible-role-banner/develop/files/motd
     - name: Harden system
-      # This role is forked from konstruktoid/ansible-role-hardening
-      # and we do not control the names of the role variables.  This
+      # We do not control the names of the role variables.  This
       # is the reason for the noqa comment.
-      ansible.builtin.include_role:  # noqa var-naming[no-role-prefix]
-        name: harden
+      ansible.builtin.import_role:  # noqa var-naming[no-role-prefix]
+        name: konstruktoid.hardening
       vars:
-        # Point the role to the correct issue and motd templates
+        automatic_updates: true
+        fallback_ntp:
+          - 169.254.169.123
         issue_template: /tmp/issue
+        journald_storage: persistent
+        manage_timesyncd: false
+        manage_resolved: false
+        manage_ufw: false
         motd_template: /tmp/motd
+        ntp_servers:
+          - 169.254.169.123
+        sshd_admin_net:
+          - "0.0.0.0/0"
+        system_upgrade: true
+        packages_blocklist:
+          - apport*
+          - autofs
+          - avahi*
+          - avahi-*
+          - beep
+          - git
+          - pastebinit
+          - popularity-contest
+          - prelink
+          - rpcbind
+          - rsh*
+          - rsync
+          - talk*
+          - telnet*
+          - tftp*
+          - tuned
+          - whoopsie
+          - xinetd
+          - yp-tools
+          - ypbind
+        packages_debian:
+          - auditd
+          - cracklib-runtime
+          - libpam-pwquality
+        packages_redhat:
+          - audit
+          - cracklib
+          - libpwquality
+          - python3-dnf-plugin-post-transaction-actions
+        packages_ubuntu: []
+        pass_max_days: 365
+        pass_min_days: 7
+        sshd_max_sessions: 4
+        suid_sgid_permissions: false
+        umask_value: "027"
     - name: Delete local copies of issue and motd files
       ansible.builtin.file:
         path: "{{ item }}"

src/ipa-initial-seeding-script.yml

@@ -2,6 +2,6 @@
 - name: Install create-ipa-initial-seeding-script.sh
   ansible.builtin.get_url:
     dest: /usr/local/sbin
-    mode: 0500
+    mode: "0500"
     url: >
       https://raw.githubusercontent.com/cisagov/cool-users/master/create-ipa-initial-seeding-script.sh

src/packer.pkr.hcl

@@ -132,12 +132,6 @@ source "amazon-ebs" "openvpn" {
 build {
   sources = ["source.amazon-ebs.openvpn"]
 
-  provisioner "ansible" {
-    playbook_file = "src/upgrade.yml"
-    use_proxy     = false
-    use_sftp      = true
-  }
-
   provisioner "ansible" {
     playbook_file = "src/python.yml"
     use_proxy     = false

src/playbook.yml

@@ -2,9 +2,6 @@
 - name: Import base image playbook
   ansible.builtin.import_playbook: base.yml
 
-- name: Import automated security updates playbook
-  ansible.builtin.import_playbook: automated-security-updates.yml
-
 - name: Import UFW playbook
   ansible.builtin.import_playbook: ufw.yml
 

src/requirements.yml

@@ -4,8 +4,6 @@ collections:
 roles:
   - name: amazon_ssm_agent
     src: https://github.com/cisagov/ansible-role-amazon-ssm-agent
-  - name: automated_security_updates
-    src: https://github.com/cisagov/ansible-role-automated-security-updates
   - name: banner
     src: https://github.com/cisagov/ansible-role-banner
   - name: cdm_nessus_agent
@@ -20,16 +18,16 @@ roles:
     src: https://github.com/cisagov/ansible-role-crowdstrike
   - name: freeipa_client
     src: https://github.com/cisagov/ansible-role-freeipa-client
-  - name: harden
-    src: https://github.com/cisagov/ansible-role-hardening-2
+  - name: konstruktoid.hardening
+    version: v2.0.4
+    src: https://github.com/konstruktoid/ansible-role-hardening.git
+    scm: git
   - name: htop
     src: https://github.com/cisagov/ansible-role-htop
   - name: nvme
     src: https://github.com/cisagov/ansible-role-nvme
   - name: openvpn
     src: https://github.com/cisagov/ansible-role-openvpn
-  - name: persist_journald
-    src: https://github.com/cisagov/ansible-role-persist-journald
   - name: pip
     src: https://github.com/cisagov/ansible-role-pip
   - name: python
@@ -40,5 +38,3 @@ roles:
     src: https://github.com/cisagov/ansible-role-systemd-resolved
   - name: ufw
     src: https://github.com/cisagov/ansible-role-ufw
-  - name: upgrade
-    src: https://github.com/cisagov/ansible-role-upgrade