
ccdc_c3t's Introduction

C3T NECCDL REGIONALS SCRIPTS

This directory contains scripts related to NECCDL 2023 regionals.

Requirements

  • Python
  • Ansible

Configuration

  1. Edit the inventory.yml file to include the hostname of the hosts you want to configure. You can add additional hosts by adding a new entry under the appropriate hosts in the inventory.yml file. Make sure all hosts added to the inventory are added to your .ssh/config file.

The syntax for the ~/.ssh/config file is as follows:

Host <hostname (must match inventory.yml)>
    HostName <ip address>
    User <username>
    IdentityFile <path to private key (e.g. ~/.ssh/practice_key)>
  2. Edit inventory.yaml and the files in playbooks/ and playbooks/files to include the correct information. This is important because some of the playbooks could break the systems or scoring checks if the information is incorrect!

    • Check fail2ban jail.local and make sure ignoreip is set to the correct subnets for the scoring checker and the LAN.
    • Check firewall.yml and make sure the correct ports are selected for any services running on docker swarm.
    • Make sure the hosts are under the correct group in inventory.yaml to prevent misconfiguration.
  3. To run an individual playbook, run the following command:

ansible-playbook -i inventory.yaml <playbook name>
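
A pre-flight check for the ignoreip step above, as an added example that is not part of the C3T repository: it reads a jail.local, merges the ignoreip entries, and reports required subnets that are not exempted as well as entries that exempt more than the required subnets. The sample file, the REQUIRED subnets and the function names are assumptions constructed for illustration.

```python
import configparser
import ipaddress
import re

# Constructed sample; every subnet below is a placeholder, not the team's real addressing.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
           10.0.10.0/25, 10.0.10.128/25
maxretry = 3

[sshd]
enabled = true
"""
REQUIRED = ["10.0.10.0/24", "172.16.50.0/24"]  # assumed LAN and scoring-checker subnets


def ignored_networks(jail_text, jail="sshd"):
    """Return (networks, hostnames) from ignoreip; jails inherit [DEFAULT]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(jail_text)
    section = jail if cp.has_section(jail) else "DEFAULT"
    raw = cp.get(section, "ignoreip", fallback="")
    nets, names = [], []
    for token in filter(None, re.split(r"[\s,]+", raw)):
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            names.append(token)  # DNS names cannot be checked offline
    return nets, names


def audit_ignoreip(jail_text, required, jail="sshd"):
    """Return (missing, too_broad) for the jail's ignoreip setting."""
    nets, _ = ignored_networks(jail_text, jail)
    want = [ipaddress.ip_network(r) for r in required]
    merged = []
    for version in (4, 6):  # collapse_addresses rejects mixed IP versions
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    def inside(a, b):
        return a.version == b.version and a.subnet_of(b)
    missing = [str(w) for w in want if not any(inside(w, m) for m in merged)]
    too_broad = [str(m) for m in merged
                 if not m.is_loopback and not any(inside(m, w) for w in want)]
    return missing, too_broad


if __name__ == "__main__":
    print(audit_ignoreip(SAMPLE_JAIL_LOCAL, REQUIRED))
```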

Playbooks

  • packages.yml
    • Installs some QoL packages on the hosts.
    • Updates the hosts using apt or yum.
  • ssh.yml
    • Configures SSH on the hosts to disallow root login.
    • Installs the C3T backup key on the hosts.
    • Installs the C3T custom banner on the hosts.
    • Locks the authorized_keys file on the hosts with chattr +i.
  • mac.yml
    • Enables SELinux on RHEL hosts.
    • Enables AppArmor on Ubuntu hosts.
  • fail2ban.yml
    • Installs fail2ban on the hosts.
    • Configures fail2ban on the hosts to ban hosts that fail to log in 3 times.
  • sudo.yml
    • Changes default sudo timeout to 30s
    • Removes root password
    • Adds immutable flag to sudoers file
    • Sets passwordless sudo for the ansible user
    • Sets password for ansible user and root and removes passwords from all other users
    • Marks /etc/shadow as immutable, preventing password changes
  • audit.yml
    • Runs an audit script and fetches the results to playbooks/fetch
  • network.yml
    • Configures the hosts to use the C3T DNS servers specified in the inventory.yaml
  • honeypot.yml
    • Installs and configures the honeypot on the hosts.
  • firewall.yml
    • Installs ufw on all hosts.
    • Disables firewalld on RHEL hosts.
    • Configures ufw on all hosts to allow SSH.
    • Enables group-based firewall rules on all hosts. Relies on the group names in inventory.yaml.
  • os_hardening.yml
    • Runs scripts to harden the hosts from github.com/dev-sec/ansible-os-hardening

Suggested run order

  1. audit.yml
  2. network.yml
  3. os_hardening.yml
  4. packages.yml
  5. ssh.yml
  6. mac.yml
  7. fail2ban.yml
  8. sudo.yml
  9. honeypot.yml
  10. firewall.yml

ccdc_c3t's People

Contributors

razelighter777, uncapitated, kdeary, micahweiss25, aoreocookie, mattg16, brendandegryse-92
