This directory contains scripts related to NECCDL 2023 regionals.
- Python
- Ansible
- Edit the `inventory.yml` file to include the hostname of the hosts you want to configure. You can add additional hosts by adding a new entry under the appropriate `hosts` in the `inventory.yml` file. Make sure all hosts added to the inventory are added to your .ssh/config file.
The syntax for the ~/.ssh/config file is as follows:
```
Host <hostname (must match inventory.yml)>
    HostName <ip address>
    User <username>
    IdentityFile <path to private key (e.g. ~/.ssh/practice_key)>
```
- Edit the files in inventory.yaml, playbooks/ and playbooks/files to include the correct information. This is important because some of the playbooks could break the systems or scoring checks if the information is incorrect!
  - Check fail2ban jail.local and make sure ignoreip is set to the correct subnets for the scoring checker and LAN!
  - Check firewall.yml and make sure the correct ports are selected for any services running on Docker Swarm.
  - Make sure the hosts are under the correct group in inventory.yaml to prevent misconfiguration.
- To run an individual playbook, run the following command:
```
ansible-playbook -i inventory.yaml <playbook name>
```
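The ignoreip check from the steps above can be automated before fail2ban.yml is run. The following is an added example, not code from this repository: the sample jail.local, the subnets in `REQUIRED`, and the function names are constructed placeholders to be replaced with your own values.

```python
import configparser
import ipaddress

# Constructed sample jail.local; subnets are placeholders, not competition values.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 10.0.0.0/24 192.168.1.0/24

[sshd]
enabled = true

[nginx-http-auth]
enabled = true
ignoreip = 127.0.0.1/8 192.168.1.0/24
"""
# Hypothetical subnets that must never be banned (scoring checker and LAN).
REQUIRED = {"scoring": "10.0.0.0/24", "lan": "192.168.1.0/24"}


def parse_ignoreip(value):
    """Return the networks in an ignoreip value; DNS names are skipped."""
    nets = []
    for token in value.replace(",", " ").split():
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            pass  # hostname entry, cannot be checked offline
    return nets


def uncovered_subnets(jail_local_text, required=REQUIRED):
    """Map each jail to the required subnets its effective ignoreip misses.

    get() falls back to [DEFAULT], so a per-jail override is what gets checked.
    """
    cp = configparser.ConfigParser(interpolation=None)  # keep %(...)s literal
    cp.read_string(jail_local_text)
    problems = {}
    for jail in cp.sections() or [cp.default_section]:
        allowed = parse_ignoreip(cp.get(jail, "ignoreip", fallback=""))
        missing = []
        for name, cidr in required.items():
            want = ipaddress.ip_network(cidr)
            if not any(n.version == want.version and want.subnet_of(n) for n in allowed):
                missing.append(name)
        if missing:
            problems[jail] = missing
    return problems


if __name__ == "__main__":
    for jail, missing in uncovered_subnets(SAMPLE_JAIL_LOCAL).items():
        print(f"[{jail}] ignoreip does not cover: {', '.join(missing)}")
```

In the constructed sample, the `[nginx-http-auth]` jail overrides ignoreip and drops the scoring subnet, which is the kind of mistake that would get the scoring checker banned.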
- packages.yml
  - Installs some QoL packages on the hosts.
  - Updates the hosts using apt or yum.
- ssh.yml
  - Configures SSH on the hosts to disallow root login.
  - Installs the C3T backup key on the hosts.
  - Installs the C3T custom banner on the hosts.
  - Locks the authorized_keys file on the hosts with chattr +i.
- mac.yml
  - Enables SELinux on RHEL hosts.
  - Enables AppArmor on Ubuntu hosts.
- fail2ban.yml
  - Installs fail2ban on the hosts.
  - Configures fail2ban on the hosts to ban hosts that fail to login 3 times.
- sudo.yml
  - Changes default sudo timeout to 30s
  - Removes root password
  - Adds immutable flag to sudoers file
  - Sets passwordless sudo for the ansible user
  - Sets password for ansible user and root and removes passwords from all other users
  - Marks /etc/shadow as immutable, preventing password changes
- audit.yml
  - Runs an audit script and fetches the results to playbooks/fetch
- network.yml
  - Configures the hosts to use the C3T DNS servers specified in the inventory.yaml
- honeypot.yml
  - Installs and configures the honeypot on the hosts.
- firewall.yml
  - Installs ufw on all hosts.
  - Disables firewalld on RHEL hosts.
  - Configures ufw on all hosts to allow SSH.
  - Enables group-based firewall rules on all hosts. Relies on the group names in inventory.yaml.
- os_hardening.yml
  - Runs scripts to harden the hosts from github.com/dev-sec/ansible-os-hardening
- audit.yml
- network.yml
- os_hardening.yml
- packages.yml
- ssh.yml
- mac.yml
- fail2ban.yml
- sudo.yml
- honeypot.yml
- firewall.yml