netcup-setup/ansible/hardening.yml

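---
# Playbook: apply the DevSec os_hardening role to every host in the inventory,
# with overrides for openSUSE MicroOS (treated as Tumbleweed).
#
# NOTE(review): the indentation of this file was lost in the copy this was
# reviewed from; the nesting below is reconstructed from the key names and the
# role's variable layout. Re-run `ansible-lint`/`yamllint` after applying.
- name: Apply DevSec hardening
  hosts: all
  become: true
  vars:
    sysctl_overwrite:
      # Enable IPv4 traffic forwarding. Needed for containers.
      # This loosens the role's network baseline for the whole host; keep the
      # firewall policy restricting what may actually be forwarded.
      net.ipv4.ip_forward: 1
    os_security_users_allow:
      # "change_user" is a role capability keyword (permit su), not a user name.
      # It keeps the role from rewriting /bin/su, which fails on read-only
      # filesystems.
      - "change_user"
    os_family: "Suse"
    os_release: "Tumbleweed"  # Treat MicroOS as Tumbleweed
    os_version: "{{ ansible_distribution_version }}"
    # NOTE(review): the nested os_vars block below does not follow the role's
    # flat os_* variable naming; confirm these keys are consumed by the
    # devsec.hardening version in use, otherwise they are silently ignored.
    os_vars:
      packages:
        - sudo
        - openssh
      ignore_fs_types:
        - squashfs
        - iso9660
        - vfat
      auth_pam:
        - common-password
        - common-auth
        - common-account
        - common-session
      pam_passwords:
        - password requisite pam_pwquality.so retry=3
        - password required pam_unix.so use_authtok remember=5 sha512 shadow
      securetty: [console, tty1, tty2, tty3, tty4, tty5, tty6]
      sshd:
        package: openssh
        service: sshd
        config: /etc/ssh/sshd_config
      kernel_modules_disabled:
        - cramfs
        - freevxfs
        - jffs2
        - hfs
        - hfsplus
        - squashfs
        - udf
        - vfat
    auditd_package: audit  # This is the correct package name for auditd in openSUSE
    os_env_umask: "027"  # Default umask; quoted so the leading zero is not read as octal
    # UID/GID ranges for login.defs. All ranges are plain integers so the
    # uid/gid pairs are typed consistently (the role renders them into text).
    os_auth_uid_min: 1000  # Minimum user ID for non-system users
    os_auth_uid_max: 60000  # Maximum user ID for non-system users
    os_auth_gid_min: 1000
    os_auth_gid_max: 60000
    os_auth_sys_uid_min: 100  # Minimum user ID for system users
    os_auth_sys_uid_max: 499  # Maximum user ID for system users
    os_auth_sys_gid_min: 100
    os_auth_sys_gid_max: 499
    os_auth_sub_uid_min: 100000
    os_auth_sub_uid_max: 600100000
    os_auth_sub_uid_count: 65536
    os_auth_sub_gid_min: 100000
    os_auth_sub_gid_max: 600100000
    os_auth_sub_gid_count: 65536
    os_shadow_perms:
      owner: root
      group: shadow
      mode: "0640"
    os_passwd_perms:
      owner: root
      group: root
      mode: "0644"
    # allowed values: 0, 1, 2. NOTE(review): hidepid=2 hides other users'
    # processes in /proc; verify that services on the host which inspect
    # foreign processes still work before rolling this out.
    hidepid_option: "2"
    # Ownership enforced on the standard mount points.
    os_mnt_boot_group: root
    os_mnt_boot_owner: root
    os_mnt_dev_group: root
    os_mnt_dev_owner: root
    os_mnt_dev_shm_group: root
    os_mnt_dev_shm_owner: root
    os_mnt_home_group: root
    os_mnt_home_owner: root
    os_mnt_run_group: root
    os_mnt_run_owner: root
    os_mnt_tmp_group: root
    os_mnt_tmp_owner: root
    os_mnt_var_group: root
    os_mnt_var_owner: root
    os_mnt_var_log_group: root
    os_mnt_var_log_owner: root
    os_mnt_var_log_audit_group: root
    os_mnt_var_log_audit_owner: root
    os_mnt_var_tmp_group: root
    os_mnt_var_tmp_owner: root
  roles:
    - devsec.hardening.os_hardening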