From d822f8544deb7b53d49f88f87112099a617bde36 Mon Sep 17 00:00:00 2001
From: histalek
Date: Sun, 5 Dec 2021 14:22:51 +0100
Subject: [PATCH] fail2ban: Harden service

This hardens the fail2ban service by giving it only the capabilities and read/write access it needs. This is done in accordance to the Arch Wiki article [1] where further information about the needed capabilities and read/write paths can be found.

[1] https://wiki.archlinux.org/title/Fail2ban#Service_hardening
---
 roles/fail2ban/tasks/main.yml | 38 ++++++++++++++++++++++
 roles/fail2ban/templates/fail2ban.local.j2 | 4 +++
 roles/fail2ban/templates/override.conf.j2 | 13 ++++++++
 3 files changed, 55 insertions(+)
 create mode 100644 roles/fail2ban/templates/fail2ban.local.j2
 create mode 100644 roles/fail2ban/templates/override.conf.j2

diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml
index 4108edc..5d0394e 100644
--- a/roles/fail2ban/tasks/main.yml
+++ b/roles/fail2ban/tasks/main.yml
@@ -23,6 +23,24 @@
     state: "{{ fail2ban_package_state }}"
   become: true
 
+- name: Create fail2ban logging directory.
+  file:
+    path: "/var/log/fail2ban"
+    state: directory
+    mode: '0700'
+    owner: 'root'
+    group: 'root'
+  become: true
+
+- name: Create fail2ban systemd drop-in directory.
+  file:
+    path: "/etc/systemd/system/fail2ban.service.d"
+    state: directory
+    mode: '0755'
+    owner: 'root'
+    group: 'root'
+  become: true
+
 - name: Deploy fail2ban jail config.
   template:
     src: "jail.local.j2"
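Review bot: The log directory path `/var/log/fail2ban` is hard-coded in this task and repeated verbatim in `fail2ban.local.j2` (`logtarget = /var/log/fail2ban/fail2ban.log`) and in the `ReadWritePaths=` line of `override.conf.j2`; if any one of the three drifts, fail2ban starts with a logtarget it cannot open under `ProtectSystem=strict`. A role default such as `fail2ban_log_dir: /var/log/fail2ban` used as `path: "{{ fail2ban_log_dir }}"` here and in both templates keeps them in step. The `0700` mode is appropriate for a root-only daemon, but it also hides the log from any unprivileged log shipper on the host, so record the choice on the task, e.g. `# 0700: fail2ban runs as root; loosen only if a log collector needs read access`.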
@@ -33,6 +51,26 @@
   notify: restart fail2ban service
   become: true
 
+- name: Deploy fail2ban config.
+  template:
+    src: "fail2ban.local.j2"
+    dest: "/etc/fail2ban/fail2ban.local"
+    mode: '0644'
+    owner: 'root'
+    group: 'root'
+  notify: restart fail2ban service
+  become: true
+
+- name: Deploy fail2ban hardening systemd drop-in.
+  template:
+    src: override.conf.j2
+    dest: /etc/systemd/system/fail2ban.service.d/override.conf
+    mode: '0644'
+    owner: 'root'
+    group: 'root'
+  notify: restart fail2ban service
+  become: true
+
 - name: Ensure fail2ban service is enabled and started.
   service:
     name: fail2ban
diff --git a/roles/fail2ban/templates/fail2ban.local.j2 b/roles/fail2ban/templates/fail2ban.local.j2
new file mode 100644
index 0000000..5af1a72
--- /dev/null
+++ b/roles/fail2ban/templates/fail2ban.local.j2
@@ -0,0 +1,4 @@
+{{ ansible_managed | comment }}
+
+[Definition]
+logtarget = /var/log/fail2ban/fail2ban.log
diff --git a/roles/fail2ban/templates/override.conf.j2 b/roles/fail2ban/templates/override.conf.j2
new file mode 100644
index 0000000..ca6fa6d
--- /dev/null
+++ b/roles/fail2ban/templates/override.conf.j2
@@ -0,0 +1,13 @@
+{{ ansible_managed | comment }}
+
+[Service]
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=read-only
+ProtectSystem=strict
+ReadWritePaths=-/var/run/fail2ban
+ReadWritePaths=-/var/lib/fail2ban
+ReadWritePaths=-/var/log/fail2ban
+ReadWritePaths=-/var/spool/postfix/maildrop
+ReadWritePaths=-/run/xtables.lock
+CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
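Review bot: Deploying `override.conf` only notifies `restart fail2ban service`, but systemd does not pick up a new or changed drop-in until `daemon-reload` has run, so unless that handler (outside this diff) already sets `daemon_reload: true`, the first play restarts fail2ban without the hardening applied and the sandbox only appears after some later reload. Notify a reload ahead of the restart, e.g. `notify:` / `  - reload systemd` / `  - restart fail2ban service`, backed by a handler using `systemd: daemon_reload: true`, or add `daemon_reload: true` to the restart handler itself. As a point of style, `src`/`dest` in the drop-in task are unquoted while the task directly above quotes the same keys; quote them to match the rest of the file.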
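Review bot: Moving the log to `/var/log/fail2ban/fail2ban.log` means any logrotate rule the distribution ships for the default `/var/log/fail2ban.log` (not visible in this diff) no longer matches, so the new file would grow unrotated; check `/etc/logrotate.d/fail2ban` and add a rule for the new path whose `postrotate` runs `fail2ban-client flushlogs` so the daemon reopens the file. The template also gives no hint why `logtarget` is overridden at all; add a comment above `[Definition]`, e.g. `# Log into a dedicated directory so the unit drop-in can grant it via ReadWritePaths= under ProtectSystem=strict`.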
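Review bot: `ProtectHome=read-only` still lets the service read every user's home directory; unless a jail's `logpath` points under `/home`, `/root` or `/run/user`, `ProtectHome=yes` is the tighter setting at no cost. The drop-in also omits restrictions that are normally safe for a root daemon that only reads logs and drives iptables/nftables — `ProtectKernelTunables`, `ProtectKernelModules`, `ProtectControlGroups`, `RestrictNamespaces`, `RestrictRealtime`, `LockPersonality` — shown below. Note that with CAP_SYS_ADMIN absent from the bounding set, systemd.exec(5) states that sandboxing options such as `PrivateDevices=` and `ProtectHome=` already imply `NoNewPrivileges=yes`, so setgid helpers like postfix's `sendmail` will not gain the postdrop group even though the maildrop spool is granted here — worth testing if any jail uses a mail action. After applying, confirm with `systemd-analyze security fail2ban.service` and a real test ban that the actions in use still work.
```ini
[Service]
# … unchanged: PrivateDevices, PrivateTmp …
ProtectHome=yes
ProtectSystem=strict
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
# … unchanged: ReadWritePaths entries, CapabilityBoundingSet …
```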