Stage/ansible_playbooks
4
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Convert setup_iptables to ansible role + Fix usertwist group don't exist error + Hardened Systemd unit #5

Closed
Mateo wants to merge 10 commits from dev into main
pull from: dev
merge into: Stage:main
Conversation 5 Commits 10 Files Changed 7 +115 -19
Mateo commented 2024-07-30 12:07:40 +00:00
Member
Copy Link

Goal : Improve service security

  • Hardened systemd unit
  • Changed usertwist service to use his own user ("usertwist")
Goal : Improve service security - Hardened systemd unit - Changed usertwist service to use his own user ("usertwist")
Mateo added 1 commit 2024-07-30 12:07:40 +00:00
Convert setup_iptables to ansible role + Fix usertwist group don't exist error 5ebad367b4
Mateo added 1 commit 2024-07-30 12:45:53 +00:00
Hardened systemd unit (4.8 score) 2082ccb5b5
Mateo changed title from Convert setup_iptables to ansible role + Fix usertwist group don't exist error to Convert setup_iptables to ansible role + Fix usertwist group don't exist error + Hardened Systemd unit 2024-07-30 12:47:58 +00:00
Mateo added 1 commit 2024-07-30 12:51:10 +00:00
Bootstrap get dev branch instead of main 82151639ab
Mateo added 1 commit 2024-07-30 12:54:54 +00:00
Merge pull request 'Usertwist update' (#6) from main into dev deabcf2f69 
Reviewed-on: #6
papey commented 2024-07-31 15:43:57 +00:00
Member
Copy Link

Please provide some details in the PR description (context, changes etc..)

Please provide some details in the PR description (context, changes etc..)
papey requested changes 2024-07-31 15:50:37 +00:00
papey left a comment
Member
Copy Link

Start looking good, one required change regarding iptables because I think that you current setup does survive a reboot.

Start looking good, one required change regarding iptables because I think that you current setup does survive a reboot.
files/usertwist.service
@@ -8,0 +14,4 @@
ProtectKernelModules=yes
ProtectControlGroups=yes
PrivateDevices=yes
RestrictSUIDSGID=true
papey commented 2024-07-31 15:46:58 +00:00
Member
Copy Link

What about ProtectHome ?

What about `ProtectHome` ?
Mateo marked this conversation as resolved
tasks/roles/setup_iptables/README.md Outdated
@@ -0,0 +1,38 @@
Role Name
papey commented 2024-07-31 15:47:42 +00:00
Member
Copy Link

This looks a bit generic !

This looks a bit generic !
👍 1
Mateo marked this conversation as resolved
tasks/roles/setup_iptables/tasks/main.yml
@@ -0,0 +1,17 @@
---
papey commented 2024-07-31 15:49:49 +00:00
Member
Copy Link

Required change : i'm pretty sure this iptables config does not survive a reboot. Can you check ? What should you do to ensure this config is applied at boot time ?

**Required change** : i'm pretty sure this iptables config does not survive a reboot. Can you check ? What should you do to ensure this config is applied at boot time ?
Mateo marked this conversation as resolved
Corwin requested changes 2024-08-01 12:49:25 +00:00
Corwin left a comment
Owner
Copy Link

See comment : I would like the user to not being able to login ! Thanks

See comment : I would like the user to not being able to login ! Thanks
tasks/install_caddy.yml
@@ -32,3 +35,4 @@
- name: Create the usertwist user
ansible.builtin.user:
name: usertwist
Corwin commented 2024-08-01 12:46:19 +00:00
Owner
Copy Link

Is this user able to login ?
If so please use No Login https://man7.org/linux/man-pages/man8/nologin.8.html

Is this user able to login ? If so please use No Login https://man7.org/linux/man-pages/man8/nologin.8.html
Mateo marked this conversation as resolved
Mateo added 1 commit 2024-08-02 07:27:56 +00:00
Hardened usertwist service + Saved iptables rules daa4a1c745
Mateo added 1 commit 2024-08-02 07:31:54 +00:00
Fixed error on iptables_state package d41bfb5aad
Mateo added 1 commit 2024-08-02 07:45:23 +00:00
Added iptables folder 95d216ccd5
Mateo added 1 commit 2024-08-02 07:59:39 +00:00
Fixed persistence (maybe...) 61705dd02f
Mateo added 1 commit 2024-08-02 08:10:48 +00:00
Removed login from usertwist 9ad7e73946
Mateo added 1 commit 2024-08-02 08:38:44 +00:00
Iptables persistence finally working ee8242d842
Corwin reviewed 2024-08-02 09:20:41 +00:00
tasks/roles/setup_iptables/meta/main.yml
@@ -0,0 +14,4 @@
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
Corwin commented 2024-08-02 09:20:41 +00:00
Owner
Copy Link

Which license should we pick ?

Which license should we pick ?
Mateo marked this conversation as resolved
Corwin commented 2024-08-02 09:29:16 +00:00
Owner
Copy Link

Closing for splitting tickets/PR

Closing for splitting tickets/PR
Corwin closed this pull request 2024-08-02 09:29:16 +00:00

Pull request closed

Please reopen this pull request to perform a merge.
Sign in to join this conversation.
Reviewers
No Reviewers
papey
Corwin
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
Administrator Corwin Mateo papey
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Stage/ansible_playbooks#5
No description provided.
Delete Branch "dev"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?