Merge branch 'master' into 'master'

fail2ban: Harden service See merge request saibotk.de/infrastructure!401
2021-12-05 14:13:00 +00:00 · 2021-12-05 14:13:00 +00:00 · 7674a04a25
commit 7674a04a25
parent 8caa2909f1 25846e32f0
4 changed files with 62 additions and 2 deletions
--- a/roles/fail2ban/handlers/main.yml
+++ b/roles/fail2ban/handlers/main.yml
@ -18,7 +18,8 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

 - name: restart fail2ban service
-  service:
+  systemd:
    name: "fail2ban"
    state: "restarted"
+    daemon_reload: true
  become: true
--- a/roles/fail2ban/tasks/main.yml
+++ b/roles/fail2ban/tasks/main.yml
@ -23,6 +23,24 @@
    state: "{{ fail2ban_package_state }}"
  become: true

+- name: Create fail2ban logging directory.
+  file:
+    path: "/var/log/fail2ban"
+    state: directory
+    mode: '0700'
+    owner: 'root'
+    group: 'root'
+  become: true
+
+- name: Create fail2ban systemd drop-in directory.
+  file:
+    path: "/etc/systemd/system/fail2ban.service.d"
+    state: directory
+    mode: '0755'
+    owner: 'root'
+    group: 'root'
+  become: true
+
 - name: Deploy fail2ban jail config.
  template:
    src: "jail.local.j2"
@ -33,9 +51,33 @@
  notify: restart fail2ban service
  become: true

+- name: Deploy fail2ban config.
+  template:
+    src: "fail2ban.local.j2"
+    dest: "/etc/fail2ban/fail2ban.local"
+    mode: '0644'
+    owner: 'root'
+    group: 'root'
+  notify: restart fail2ban service
+  become: true
+
+- name: Deploy fail2ban hardening systemd drop-in.
+  template:
+    src: override.conf.j2
+    dest: /etc/systemd/system/fail2ban.service.d/override.conf
+    mode: '0644'
+    owner: 'root'
+    group: 'root'
+  notify: restart fail2ban service
+  become: true
+
+- name: Flush handlers
+  meta: flush_handlers
+
 - name: Ensure fail2ban service is enabled and started.
-  service:
+  systemd:
    name: fail2ban
    state: started
    enabled: true
+    daemon_reload: true
  become: true
--- a/roles/fail2ban/templates/fail2ban.local.j2
+++ b/roles/fail2ban/templates/fail2ban.local.j2
@ -0,0 +1,4 @@
+{{ ansible_managed | comment }}
+
+[Definition]
+logtarget = /var/log/fail2ban/fail2ban.log
--- a/roles/fail2ban/templates/override.conf.j2
+++ b/roles/fail2ban/templates/override.conf.j2
@ -0,0 +1,13 @@
+{{ ansible_managed | comment }}
+
+[Service]
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=read-only
+ProtectSystem=strict
+ReadWritePaths=-/var/run/fail2ban
+ReadWritePaths=-/var/lib/fail2ban
+ReadWritePaths=-/var/log/fail2ban
+ReadWritePaths=-/var/spool/postfix/maildrop
+ReadWritePaths=-/run/xtables.lock
+CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW