Commits · 84cbfa3455ae8f3953327182d5d8bbbbc2c5728c · Arch Linux / infrastructure

Sep 24, 2023

hardening: reject authentication with empty passwd · 6b5a5eea

SSH defaults to disallowing empty passwords but Dovecot has no similar
safeguard (at least not one enabled by default). Remove "nullok" from
/etc/pam.d/system-auth to implement the desired behavior system-wide.

Verified

6b5a5eea

Mar 26, 2023

ansible-lint: address no-changed-when fatal errors · 4ae73a93

Evangelos Foutras authored 2 years ago

Add "noqa no-changed-when" tags to handlers using the command module.
Perhaps it is wrong of ansible-lint to flag these, since handlers are
not the best place to have conditional execution.

Verified

4ae73a93

Aug 29, 2022
- Capitalize the handler name in handler invocations · 578b7819
  Evangelos Foutras authored 2 years ago
  
  Fixes: 26f289b7 ("Capitalize the first letter of all task names")
  Verified
  
  578b7819
Aug 23, 2022

Capitalize the first letter of all task names · 26f289b7

Evangelos Foutras authored 2 years ago

ansible-lint 6.5.0 complains about:

  name: All names should start with an
        uppercase letter. (name[casing])

Verified

26f289b7

Jun 08, 2022

Remove the three dashes from all YAML documents · a9e0790f

Evangelos Foutras authored 2 years ago

These are used to signal the start of the document in a stream of many
documents. As Ansible only supports one YAML document per file this is
unnecessary. About a third of our YAML documents already lacked these.

Verified

a9e0790f

Feb 14, 2022

hardening: use default ptrace scope on buildservers · f6cbd3f8

Evangelos Foutras authored 3 years ago

Making 'kernel.yama.ptrace_scope' more strict by setting it to '2'
causes failures in elfutils' test suite. While tentatively helpful
on other servers, it seems kind of unnecessary for a build server.

Fixes: #424 (to be reopened though, if more restrictions are found)

f6cbd3f8

Sep 15, 2020

kernel: further default sysctl hardening · b2ba1877

Levente Polyak authored 4 years ago

- unprivileged bpf: we do not need this on our infra, we can assume
  bpf() calls will happen with CAP_SYS_ADMIN if required.

- unprivileged userns: we do not need this on our infra for none of
  our services or similar. Reduce attack surface by a huge margin
  including most recent CVE-2020-14386.

- kptr restrict: we already check for CAP_SYSLOG and real ids but we
  really do not require any specific kernel pointers to be logged.
  Settings this to 2 instead to blank out all kernel pointers to
  protect against info leak.

- kexec: disable kexec as we do never want to kexec our running servers
  into something else. Settings this sysctl disables kexec even if its
  compiled into the kernel.

- bpf jit harden: harden BPF JIT compiler to mitigate JIT spraying for
  the sacrifices off a bit performance for all users including
  privileged.

Verified

b2ba1877

Aug 27, 2020
- fix E208 'File permissions not mentioned' · 63887d3b
  Frederik Schwan authored 4 years ago and Sven-Hendrik Haase committed 4 years ago
  
  63887d3b
Feb 13, 2020

roles/hardening: Change the lockdown file creation to run only at boot · eb64ecaf

Giancarlo Razzolini authored 5 years ago

Since after enabling lockdown you cannot change the file anymore until reboot,
change the tmpfile setting to use ! and run only at boot time. This makes
systemd-tmpfiles --create command to not fail, since it cannot write to the lockdown
file.

Verified

eb64ecaf

Dec 22, 2019
- hardening: set lockdown to integrity · 2c753804
  Jelle van der Waa authored 5 years ago
  
  2c753804
May 07, 2019

roles: add a hardening role for sysctl hardening options · 0e344d4b

Jelle van der Waa authored 5 years ago

Add sysctl hardening options which disallow perf/viewing kernel symbols
and dmesg for non-admin users as they contain valuable information for
attackers.

0e344d4b

Admin message