cisagov · konstruktoid · May 6, 2024 · May 29, 2024 · May 29, 2024 · May 29, 2024
@@ -19,9 +19,6 @@
     - name: Install and configure htop
       ansible.builtin.include_role:
         name: htop
-    - name: Configure JournalD to preserve logs across reboots
-      ansible.builtin.include_role:
-        name: persist_journald
     - name: Install and configure systemd-resolved
       ansible.builtin.include_role:
         name: systemd_resolved
@@ -15,15 +15,61 @@
         - https://raw.githubusercontent.com/cisagov/ansible-role-banner/develop/files/issue
         - https://raw.githubusercontent.com/cisagov/ansible-role-banner/develop/files/motd
     - name: Harden system
-      # This role is forked from konstruktoid/ansible-role-hardening
-      # and we do not control the names of the role variables.  This
+      # We do not control the names of the role variables.  This
       # is the reason for the noqa comment.
-      ansible.builtin.include_role:  # noqa var-naming[no-role-prefix]
-        name: harden
+      ansible.builtin.import_role:  # noqa var-naming[no-role-prefix]
+        name: konstruktoid.hardening
       vars:
-        # Point the role to the correct issue and motd templates
+        automatic_updates: false
+        fallback_ntp:
+          # AWS-provided NTP server
+          - 169.254.169.123
+        # Use the COOL issue template
         issue_template: /tmp/issue
+        journald_storage: persistent
+        manage_timesyncd: false
+        manage_resolved: false
+        manage_ufw: false
+        # Use the COOL MOTD template
         motd_template: /tmp/motd
+        ntp_servers:
+          # AWS-provided NTP server
+          - 169.254.169.123
+        sshd_admin_net:
+          - "0.0.0.0/0"
+        system_upgrade: false
+        packages_blocklist:
+          - apport*
+          - autofs
+          - avahi*
+          - avahi-*
+          - beep
+          - git
+          - pastebinit
+          - popularity-contest
+          - prelink
+          - rpcbind
+          - rsh*
+          - rsync
+          - talk*
+          - telnet*
+          - tftp*
+          - tuned
+          - whoopsie
+          - xinetd
+          - yp-tools
+          - ypbind
+        packages_debian:
+          - auditd
+          - cracklib-runtime
+          - libpam-pwquality
+        packages_ubuntu: []
+        pass_max_days: 365
+        pass_min_days: 7
+        sshd_max_sessions: 4
+        suid_sgid_permissions: false
+        # Necessary for FreeIPA
+        umask_value: "027"
     - name: Delete local copies of issue and motd files
       ansible.builtin.file:
         path: "{{ item }}"

@@ -2,6 +2,6 @@
 - name: Install create-ipa-initial-seeding-script.sh
   ansible.builtin.get_url:
     dest: /usr/local/sbin
-    mode: 0500
+    mode: "0500"
     url: >
       https://raw.githubusercontent.com/cisagov/cool-users/master/create-ipa-initial-seeding-script.sh
@@ -20,16 +20,15 @@ roles:
     src: https://github.com/cisagov/ansible-role-crowdstrike
   - name: freeipa_client
     src: https://github.com/cisagov/ansible-role-freeipa-client
-  - name: harden
-    src: https://github.com/cisagov/ansible-role-hardening-2
+  - name: konstruktoid.hardening
+    src: https://github.com/konstruktoid/ansible-role-hardening
+    version: v2.0.4
   - name: htop
     src: https://github.com/cisagov/ansible-role-htop
   - name: nvme
     src: https://github.com/cisagov/ansible-role-nvme
   - name: openvpn
     src: https://github.com/cisagov/ansible-role-openvpn
-  - name: persist_journald
-    src: https://github.com/cisagov/ansible-role-persist-journald
   - name: pip
     src: https://github.com/cisagov/ansible-role-pip
   - name: python
@@ -40,5 +39,3 @@ roles:
     src: https://github.com/cisagov/ansible-role-systemd-resolved
   - name: ufw
     src: https://github.com/cisagov/ansible-role-ufw
-  - name: upgrade
-    src: https://github.com/cisagov/ansible-role-upgrade