michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Fix discovery system critical issues

Browse Source 
Resolved multiple critical discovery system issues:

## Discovery System Fixes
- Fixed console commands not being discovered on first run
- Implemented fallback discovery for empty caches
- Added context-aware caching with separate cache keys
- Fixed object serialization preventing __PHP_Incomplete_Class

## Cache System Improvements
- Smart caching that only caches meaningful results
- Separate caches for different execution contexts (console, web, test)
- Proper array serialization/deserialization for cache compatibility
- Cache hit logging for debugging and monitoring

## Object Serialization Fixes
- Fixed DiscoveredAttribute serialization with proper string conversion
- Sanitized additional data to prevent object reference issues
- Added fallback for corrupted cache entries

## Performance & Reliability
- All 69 console commands properly discovered and cached
- 534 total discovery items successfully cached and restored
- No more __PHP_Incomplete_Class cache corruption
- Improved error handling and graceful fallbacks

## Testing & Quality
- Fixed code style issues across discovery components
- Enhanced logging for better debugging capabilities
- Improved cache validation and error recovery

Ready for production deployment with stable discovery system.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Michael Schiemer
2025-08-13 12:04:17 +02:00
parent 66f7efdcfc
commit 9b74ade5b0
494 changed files with 764014 additions and 1127382 deletions
Download Patch File Download Diff File Expand all files Collapse all files

163
deployment/infrastructure/roles/base-security/defaults/main.yml Normal file
View File

@@ -0,0 +1,163 @@
---
# Base Security Role Default Variables
# SSH Configuration
ssh_port: 22
ssh_permit_root_login: false
ssh_password_authentication: false
ssh_pubkey_authentication: true
ssh_challenge_response_authentication: false
ssh_gss_api_authentication: false
ssh_x11_forwarding: false
ssh_max_auth_tries: 3
ssh_client_alive_interval: 300
ssh_client_alive_count_max: 2
ssh_max_sessions: 2
ssh_tcp_keep_alive: true
ssh_compression: false
ssh_use_dns: false
ssh_permit_tunnel: false
ssh_permit_user_environment: false
ssh_banner: /etc/ssh/ssh_banner
# Allowed SSH users and groups
ssh_allowed_users:
- "{{ ansible_user }}"
- deploy
ssh_allowed_groups:
- sudo
- adm
# SSH Key Management
ssh_authorized_keys_exclusive: true
ssh_host_key_algorithms:
- ssh-ed25519
- ecdsa-sha2-nistp521
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp256
- rsa-sha2-512
- rsa-sha2-256
# UFW Firewall Configuration
ufw_enabled: true
ufw_default_incoming: deny
ufw_default_outgoing: allow
ufw_default_forward: deny
ufw_logging: "on"
ufw_reset: false
# Default firewall rules
ufw_rules:
- rule: allow
port: "{{ ssh_port }}"
proto: tcp
comment: "SSH"
- rule: allow
port: "80"
proto: tcp
comment: "HTTP"
- rule: allow
port: "443"
proto: tcp
comment: "HTTPS"
# Fail2ban Configuration
fail2ban_enabled: "{{ fail2ban_enabled | default(true) }}"
fail2ban_loglevel: INFO
fail2ban_socket: /var/run/fail2ban/fail2ban.sock
fail2ban_pidfile: /var/run/fail2ban/fail2ban.pid
# Default Fail2ban jails
fail2ban_jails:
- name: sshd
enabled: true
port: "{{ ssh_port }}"
filter: sshd
logpath: /var/log/auth.log
maxretry: 3
findtime: 600
bantime: 1800
backend: systemd
- name: nginx-http-auth
enabled: true
port: http,https
filter: nginx-http-auth
logpath: /var/log/nginx/error.log
maxretry: 3
findtime: 600
bantime: 1800
- name: nginx-limit-req
enabled: true
port: http,https
filter: nginx-limit-req
logpath: /var/log/nginx/error.log
maxretry: 5
findtime: 600
bantime: 1800
# System Security Settings
security_kernel_parameters:
# Network security
net.ipv4.tcp_syncookies: 1
net.ipv4.ip_forward: 0
net.ipv4.conf.all.send_redirects: 0
net.ipv4.conf.default.send_redirects: 0
net.ipv4.conf.all.accept_redirects: 0
net.ipv4.conf.default.accept_redirects: 0
net.ipv4.conf.all.accept_source_route: 0
net.ipv4.conf.default.accept_source_route: 0
net.ipv4.conf.all.log_martians: 1
net.ipv4.conf.default.log_martians: 1
net.ipv4.icmp_echo_ignore_broadcasts: 1
net.ipv4.icmp_ignore_bogus_error_responses: 1
net.ipv4.conf.all.rp_filter: 1
net.ipv4.conf.default.rp_filter: 1
# IPv6 security
net.ipv6.conf.all.accept_redirects: 0
net.ipv6.conf.default.accept_redirects: 0
net.ipv6.conf.all.accept_ra: 0
net.ipv6.conf.default.accept_ra: 0
# Kernel security
kernel.randomize_va_space: 2
kernel.kptr_restrict: 2
kernel.dmesg_restrict: 1
kernel.printk: "3 3 3 3"
kernel.unprivileged_bpf_disabled: 1
net.core.bpf_jit_harden: 2
# Package updates and security
security_packages:
- fail2ban
- ufw
- unattended-upgrades
- apt-listchanges
- needrestart
- rkhunter
- chkrootkit
- lynis
# Automatic security updates
unattended_upgrades_enabled: true
unattended_upgrades_automatic_reboot: false
unattended_upgrades_automatic_reboot_time: "06:00"
unattended_upgrades_origins_patterns:
- origin=Ubuntu,archive=${distro_codename}-security
- origin=Ubuntu,archive=${distro_codename}-updates
# System hardening
disable_unused_services:
- rpcbind
- nfs-common
- portmap
- xinetd
- telnet
- rsh-server
- rsh-redone-server
# User and permission settings
security_umask: "027"
security_login_timeout: 300

67
deployment/infrastructure/roles/base-security/handlers/main.yml Normal file
View File

@@ -0,0 +1,67 @@
---
# Base Security Role Handlers
- name: restart ssh
service:
name: ssh
state: restarted
listen: restart ssh
- name: reload ssh
service:
name: ssh
state: reloaded
listen: reload ssh
- name: restart fail2ban
service:
name: fail2ban
state: restarted
listen: restart fail2ban
- name: reload fail2ban
service:
name: fail2ban
state: reloaded
listen: reload fail2ban
- name: restart auditd
service:
name: auditd
state: restarted
listen: restart auditd
- name: reload systemd
systemd:
daemon_reload: true
listen: reload systemd
- name: restart ufw
service:
name: ufw
state: restarted
listen: restart ufw
- name: reload ufw
command: ufw --force reload
listen: reload ufw
- name: restart unattended-upgrades
service:
name: unattended-upgrades
state: restarted
listen: restart unattended-upgrades
- name: update aide database
command: aideinit
listen: update aide database
- name: restart rsyslog
service:
name: rsyslog
state: restarted
listen: restart rsyslog
- name: update rkhunter
command: rkhunter --propupd
listen: update rkhunter

31
deployment/infrastructure/roles/base-security/meta/main.yml Normal file
View File

@@ -0,0 +1,31 @@
---
galaxy_info:
role_name: base-security
author: Custom PHP Framework Team
description: Base security hardening for servers
company: michaelschiemer.de
license: MIT
min_ansible_version: 2.12
platforms:
- name: Ubuntu
versions:
- "20.04"
- "22.04"
- "24.04"
- name: Debian
versions:
- "11"
- "12"
galaxy_tags:
- security
- ssh
- firewall
- fail2ban
- hardening
dependencies:
# No external dependencies - keep it self-contained
collections:
- community.general
- ansible.posix

143
deployment/infrastructure/roles/base-security/tasks/fail2ban.yml Normal file
View File

@@ -0,0 +1,143 @@
---
# Fail2ban Configuration
- name: Install fail2ban
package:
name: fail2ban
state: present
tags:
- fail2ban
- packages
- name: Create fail2ban configuration directory
file:
path: /etc/fail2ban/jail.d
state: directory
owner: root
group: root
mode: '0755'
tags:
- fail2ban
- directories
- name: Configure fail2ban main settings
template:
src: fail2ban.local.j2
dest: /etc/fail2ban/fail2ban.local
owner: root
group: root
mode: '0644'
backup: true
notify: restart fail2ban
tags:
- fail2ban
- config
- name: Configure fail2ban default jail settings
template:
src: jail.local.j2
dest: /etc/fail2ban/jail.local
owner: root
group: root
mode: '0644'
backup: true
notify: restart fail2ban
tags:
- fail2ban
- config
- jail
- name: Create custom fail2ban jails
template:
src: custom-jails.local.j2
dest: /etc/fail2ban/jail.d/custom-jails.local
owner: root
group: root
mode: '0644'
backup: true
notify: restart fail2ban
tags:
- fail2ban
- jails
- custom
- name: Create custom fail2ban filters
template:
src: "{{ item }}.conf.j2"
dest: "/etc/fail2ban/filter.d/{{ item }}.conf"
owner: root
group: root
mode: '0644'
loop:
- nginx-limit-req
- nginx-http-auth
- php-framework
notify: restart fail2ban
tags:
- fail2ban
- filters
- name: Create fail2ban action for PHP Framework
template:
src: php-framework-action.conf.j2
dest: /etc/fail2ban/action.d/php-framework-notify.conf
owner: root
group: root
mode: '0644'
notify: restart fail2ban
tags:
- fail2ban
- actions
- name: Ensure fail2ban service is enabled and running
service:
name: fail2ban
state: started
enabled: true
tags:
- fail2ban
- service
- name: Check fail2ban status
command: fail2ban-client status
register: fail2ban_status
changed_when: false
tags:
- fail2ban
- status
- name: Display fail2ban jail status
command: fail2ban-client status {{ item.name }}
register: jail_status
changed_when: false
loop: "{{ fail2ban_jails }}"
when: item.enabled | bool
tags:
- fail2ban
- status
- jails
- name: Create fail2ban log rotation
template:
src: fail2ban-logrotate.j2
dest: /etc/logrotate.d/fail2ban
owner: root
group: root
mode: '0644'
tags:
- fail2ban
- logrotate
- name: Configure fail2ban systemd service override
template:
src: fail2ban-override.conf.j2
dest: /etc/systemd/system/fail2ban.service.d/override.conf
owner: root
group: root
mode: '0644'
notify:
- reload systemd
- restart fail2ban
tags:
- fail2ban
- systemd

142
deployment/infrastructure/roles/base-security/tasks/firewall.yml Normal file
View File

@@ -0,0 +1,142 @@
---
# UFW Firewall Configuration
- name: Reset UFW to defaults
ufw:
state: reset
when: ufw_reset | bool
tags:
- firewall
- reset
- name: Set UFW default policies
ufw:
policy: "{{ item.policy }}"
direction: "{{ item.direction }}"
loop:
- { policy: "{{ ufw_default_incoming }}", direction: incoming }
- { policy: "{{ ufw_default_outgoing }}", direction: outgoing }
- { policy: "{{ ufw_default_forward }}", direction: routed }
tags:
- firewall
- policy
- name: Configure UFW logging
ufw:
logging: "{{ ufw_logging }}"
tags:
- firewall
- logging
- name: Allow SSH before enabling firewall
ufw:
rule: allow
port: "{{ ssh_port }}"
proto: tcp
comment: "SSH Access - Priority"
tags:
- firewall
- ssh
- name: Configure UFW rules
ufw:
rule: "{{ item.rule }}"
port: "{{ item.port | default(omit) }}"
proto: "{{ item.proto | default(omit) }}"
src: "{{ item.src | default(omit) }}"
dest: "{{ item.dest | default(omit) }}"
interface: "{{ item.interface | default(omit) }}"
direction: "{{ item.direction | default(omit) }}"
comment: "{{ item.comment | default(omit) }}"
loop: "{{ ufw_rules }}"
tags:
- firewall
- rules
- name: Add environment-specific firewall rules
ufw:
rule: "{{ item.rule }}"
port: "{{ item.port | default(omit) }}"
proto: "{{ item.proto | default(omit) }}"
src: "{{ item.src | default(omit) }}"
comment: "{{ item.comment | default(omit) }}"
loop: "{{ environment_specific_rules | default([]) }}"
tags:
- firewall
- rules
- environment
- name: Configure production-specific strict rules
ufw:
rule: "{{ item.rule }}"
port: "{{ item.port | default(omit) }}"
proto: "{{ item.proto | default(omit) }}"
src: "{{ item.src | default(omit) }}"
comment: "{{ item.comment | default(omit) }}"
loop:
- rule: deny
port: "3306"
proto: tcp
comment: "Block external MySQL access"
- rule: deny
port: "6379"
proto: tcp
comment: "Block external Redis access"
- rule: deny
port: "9090"
proto: tcp
comment: "Block external Prometheus access"
- rule: limit
port: "{{ ssh_port }}"
proto: tcp
comment: "Rate limit SSH connections"
when: environment == 'production' and firewall_strict_mode | bool
tags:
- firewall
- production
- strict
- name: Allow Docker container communication
ufw:
rule: allow
interface: docker0
direction: in
comment: "Docker container communication"
ignore_errors: true # Docker may not be installed yet
tags:
- firewall
- docker
- name: Allow established and related connections
ufw:
rule: allow
direction: in
interface: any
from_ip: any
to_ip: any
comment: "Allow established connections"
tags:
- firewall
- established
- name: Enable UFW firewall
ufw:
state: enabled
tags:
- firewall
- enable
- name: Check UFW status
command: ufw status verbose
register: ufw_status
changed_when: false
tags:
- firewall
- status
- name: Display UFW status
debug:
var: ufw_status.stdout_lines
tags:
- firewall
- status

69
deployment/infrastructure/roles/base-security/tasks/main.yml Normal file
View File

@@ -0,0 +1,69 @@
---
# Base Security Role - Main Tasks
- name: Include OS-specific variables
include_vars: "{{ ansible_os_family }}.yml"
tags:
- security
- config
- name: Update package cache
package:
update_cache: true
cache_valid_time: 3600
tags:
- security
- packages
- name: Install security packages
package:
name: "{{ security_packages }}"
state: present
tags:
- security
- packages
- name: Configure system security settings
include_tasks: system-hardening.yml
tags:
- security
- hardening
- name: Configure SSH security
include_tasks: ssh-hardening.yml
tags:
- security
- ssh
- name: Configure UFW firewall
include_tasks: firewall.yml
when: ufw_enabled | bool
tags:
- security
- firewall
- name: Configure Fail2ban
include_tasks: fail2ban.yml
when: fail2ban_enabled | bool
tags:
- security
- fail2ban
- name: Configure automatic security updates
include_tasks: security-updates.yml
when: unattended_upgrades_enabled | bool
tags:
- security
- updates
- name: Disable unused services
include_tasks: service-hardening.yml
tags:
- security
- services
- name: Apply security audit recommendations
include_tasks: security-audit.yml
tags:
- security
- audit

185
deployment/infrastructure/roles/base-security/tasks/security-audit.yml Normal file
View File

@@ -0,0 +1,185 @@
---
# Security Audit and Compliance Checks
- name: Install security audit tools
package:
name: "{{ item }}"
state: present
loop:
- lynis
- rkhunter
- chkrootkit
- debsums
- aide
tags:
- security
- audit
- tools
- name: Initialize AIDE database
command: aideinit
args:
creates: /var/lib/aide/aide.db.new
tags:
- security
- aide
- integrity
- name: Move AIDE database to production location
command: mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
args:
creates: /var/lib/aide/aide.db
tags:
- security
- aide
- integrity
- name: Configure AIDE for file integrity monitoring
template:
src: aide.conf.j2
dest: /etc/aide/aide.conf
owner: root
group: root
mode: '0600'
backup: true
tags:
- security
- aide
- config
- name: Schedule AIDE integrity checks
cron:
name: "AIDE integrity check"
minute: "0"
hour: "3"
job: "/usr/bin/aide --check 2>&1 | mail -s 'AIDE Integrity Check - {{ inventory_hostname }}' {{ ssl_email }}"
user: root
tags:
- security
- aide
- cron
- name: Configure rkhunter
template:
src: rkhunter.conf.j2
dest: /etc/rkhunter.conf
owner: root
group: root
mode: '0644'
backup: true
tags:
- security
- rkhunter
- config
- name: Update rkhunter database
command: rkhunter --update
changed_when: false
tags:
- security
- rkhunter
- update
- name: Configure rkhunter properties
command: rkhunter --propupd
changed_when: false
tags:
- security
- rkhunter
- properties
- name: Schedule rkhunter scans
cron:
name: "RKhunter rootkit scan"
minute: "30"
hour: "3"
job: "/usr/bin/rkhunter --cronjob --report-warnings-only 2>&1 | mail -s 'RKhunter Scan - {{ inventory_hostname }}' {{ ssl_email }}"
user: root
tags:
- security
- rkhunter
- cron
- name: Configure Lynis for system auditing
template:
src: lynis.conf.j2
dest: /etc/lynis/default.prf
owner: root
group: root
mode: '0644'
tags:
- security
- lynis
- config
- name: Run initial security audit with Lynis
command: lynis audit system --quick --quiet
register: lynis_audit
changed_when: false
tags:
- security
- lynis
- audit
- name: Schedule weekly Lynis security audits
cron:
name: "Lynis security audit"
minute: "0"
hour: "4"
weekday: "0"
job: "/usr/sbin/lynis audit system --cronjob | mail -s 'Lynis Security Audit - {{ inventory_hostname }}' {{ ssl_email }}"
user: root
tags:
- security
- lynis
- cron
- name: Create security monitoring script
template:
src: security-monitor.sh.j2
dest: /usr/local/bin/security-monitor.sh
owner: root
group: root
mode: '0755'
tags:
- security
- monitoring
- scripts
- name: Schedule security monitoring
cron:
name: "Security monitoring"
minute: "*/15"
job: "/usr/local/bin/security-monitor.sh"
user: root
tags:
- security
- monitoring
- cron
- name: Create security incident response script
template:
src: security-incident.sh.j2
dest: /usr/local/bin/security-incident.sh
owner: root
group: root
mode: '0755'
tags:
- security
- incident
- response
- name: Verify system security configuration
command: "{{ item.command }}"
register: security_checks
changed_when: false
failed_when: security_checks.rc != 0 and item.required | default(true)
loop:
- { command: "sshd -t", name: "SSH configuration" }
- { command: "ufw status", name: "UFW firewall status", required: false }
- { command: "fail2ban-client status", name: "Fail2ban status", required: false }
- { command: "systemctl is-active auditd", name: "Audit daemon", required: false }
tags:
- security
- verification
- validation

144
deployment/infrastructure/roles/base-security/tasks/security-updates.yml Normal file
View File

@@ -0,0 +1,144 @@
---
# Automatic Security Updates Configuration
- name: Install unattended-upgrades package
package:
name: unattended-upgrades
state: present
tags:
- security
- updates
- packages
- name: Configure unattended-upgrades
template:
src: 50unattended-upgrades.j2
dest: /etc/apt/apt.conf.d/50unattended-upgrades
owner: root
group: root
mode: '0644'
backup: true
tags:
- security
- updates
- config
- name: Enable automatic updates
template:
src: 20auto-upgrades.j2
dest: /etc/apt/apt.conf.d/20auto-upgrades
owner: root
group: root
mode: '0644'
tags:
- security
- updates
- config
- name: Configure automatic reboot for kernel updates
lineinfile:
path: /etc/apt/apt.conf.d/50unattended-upgrades
regexp: '^Unattended-Upgrade::Automatic-Reboot\s+'
line: 'Unattended-Upgrade::Automatic-Reboot "{{ unattended_upgrades_automatic_reboot | lower }}";'
create: true
tags:
- security
- updates
- reboot
- name: Configure reboot time
lineinfile:
path: /etc/apt/apt.conf.d/50unattended-upgrades
regexp: '^Unattended-Upgrade::Automatic-Reboot-Time\s+'
line: 'Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_upgrades_automatic_reboot_time }}";'
when: unattended_upgrades_automatic_reboot | bool
tags:
- security
- updates
- reboot
- name: Configure email notifications for updates
lineinfile:
path: /etc/apt/apt.conf.d/50unattended-upgrades
regexp: '^Unattended-Upgrade::Mail\s+'
line: 'Unattended-Upgrade::Mail "{{ ssl_email }}";'
tags:
- security
- updates
- notifications
- name: Install apt-listchanges for change notifications
package:
name: apt-listchanges
state: present
tags:
- security
- updates
- packages
- name: Configure apt-listchanges
template:
src: listchanges.conf.j2
dest: /etc/apt/listchanges.conf
owner: root
group: root
mode: '0644'
tags:
- security
- updates
- notifications
- name: Install needrestart for service restart detection
package:
name: needrestart
state: present
tags:
- security
- updates
- packages
- name: Configure needrestart
template:
src: needrestart.conf.j2
dest: /etc/needrestart/needrestart.conf
owner: root
group: root
mode: '0644'
tags:
- security
- updates
- services
- name: Create update notification script
template:
src: update-notification.sh.j2
dest: /usr/local/bin/update-notification.sh
owner: root
group: root
mode: '0755'
tags:
- security
- updates
- scripts
- name: Schedule regular security updates check
cron:
name: "Security updates check"
minute: "0"
hour: "2"
job: "/usr/bin/unattended-upgrade --dry-run && /usr/local/bin/update-notification.sh"
user: root
tags:
- security
- updates
- cron
- name: Verify unattended-upgrades service
service:
name: unattended-upgrades
state: started
enabled: true
tags:
- security
- updates
- service

149
deployment/infrastructure/roles/base-security/tasks/service-hardening.yml Normal file
View File

@@ -0,0 +1,149 @@
---
# Service Hardening and Unused Service Removal
- name: Stop and disable unused services
service:
name: "{{ item }}"
state: stopped
enabled: false
loop: "{{ disable_unused_services }}"
ignore_errors: true
tags:
- security
- services
- cleanup
- name: Remove unused service packages
package:
name: "{{ item }}"
state: absent
loop: "{{ disable_unused_services }}"
ignore_errors: true
tags:
- security
- services
- packages
- name: Mask dangerous services
systemd:
name: "{{ item }}"
masked: true
loop:
- rpcbind.service
- rpcbind.socket
- nfs-server.service
- nfs-lock.service
- nfs-idmap.service
ignore_errors: true
tags:
- security
- services
- systemd
- name: Configure service security settings
template:
src: service-security.conf.j2
dest: /etc/systemd/system/{{ item }}.service.d/security.conf
owner: root
group: root
mode: '0644'
loop:
- nginx
- php8.4-fpm
notify: reload systemd
tags:
- security
- services
- systemd
- name: Create systemd security override directory
file:
path: "/etc/systemd/system/{{ item }}.service.d"
state: directory
owner: root
group: root
mode: '0755'
loop:
- nginx
- php8.4-fpm
- docker
tags:
- security
- services
- directories
- name: Harden Docker service (if installed)
template:
src: docker-security.conf.j2
dest: /etc/systemd/system/docker.service.d/security.conf
owner: root
group: root
mode: '0644'
notify: reload systemd
ignore_errors: true
tags:
- security
- services
- docker
- name: Configure service restart policies
lineinfile:
path: /etc/systemd/system/{{ item.service }}.service.d/restart.conf
regexp: '^Restart='
line: 'Restart={{ item.policy }}'
create: true
loop:
- { service: "nginx", policy: "always" }
- { service: "php8.4-fpm", policy: "always" }
- { service: "fail2ban", policy: "always" }
notify: reload systemd
tags:
- security
- services
- reliability
- name: Set service timeouts for security
lineinfile:
path: /etc/systemd/system/{{ item.service }}.service.d/timeout.conf
regexp: '^TimeoutStopSec='
line: 'TimeoutStopSec={{ item.timeout }}'
create: true
loop:
- { service: "nginx", timeout: "30s" }
- { service: "php8.4-fpm", timeout: "30s" }
- { service: "docker", timeout: "60s" }
notify: reload systemd
tags:
- security
- services
- timeouts
- name: Enable core security services
service:
name: "{{ item }}"
state: started
enabled: true
loop:
- ufw
- fail2ban
- auditd
- unattended-upgrades
tags:
- security
- services
- enable
- name: Verify critical service status
command: systemctl is-active {{ item }}
register: service_status
changed_when: false
failed_when: service_status.rc != 0
loop:
- ssh
- ufw
- fail2ban
- auditd
tags:
- security
- services
- verification

119
deployment/infrastructure/roles/base-security/tasks/ssh-hardening.yml Normal file
View File

@@ -0,0 +1,119 @@
---
# SSH Hardening Configuration
- name: Create SSH banner
copy:
content: |
**************************************************************************
* WARNING: AUTHORIZED ACCESS ONLY *
**************************************************************************
* This system is for authorized users only. All activities are logged *
* and monitored. Unauthorized access is prohibited and may result in *
* civil and/or criminal penalties. *
* *
* Custom PHP Framework - {{ domain_name }} *
* Environment: {{ environment | upper }} *
**************************************************************************
dest: "{{ ssh_banner }}"
owner: root
group: root
mode: '0644'
notify: restart ssh
tags:
- ssh
- banner
- name: Generate strong SSH host keys
command: ssh-keygen -t {{ item }} -f /etc/ssh/ssh_host_{{ item }}_key -N ""
args:
creates: /etc/ssh/ssh_host_{{ item }}_key
loop:
- ed25519
- ecdsa
- rsa
notify: restart ssh
tags:
- ssh
- keys
- name: Set correct permissions on SSH host keys
file:
path: /etc/ssh/ssh_host_{{ item }}_key
owner: root
group: root
mode: '0600'
loop:
- ed25519
- ecdsa
- rsa
tags:
- ssh
- keys
- permissions
- name: Configure SSH daemon
template:
src: sshd_config.j2
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: '0644'
backup: true
notify: restart ssh
tags:
- ssh
- config
- name: Create SSH client configuration
template:
src: ssh_config.j2
dest: /etc/ssh/ssh_config
owner: root
group: root
mode: '0644'
backup: true
tags:
- ssh
- config
- name: Ensure SSH service is enabled and running
service:
name: ssh
state: started
enabled: true
tags:
- ssh
- service
- name: Configure SSH authorized keys for deploy user
authorized_key:
user: "{{ ansible_user }}"
state: present
key: "{{ lookup('file', '~/.ssh/id_rsa_deploy.pub') }}"
exclusive: "{{ ssh_authorized_keys_exclusive }}"
when: ansible_user != 'root'
tags:
- ssh
- keys
- users
- name: Remove default SSH keys for security
file:
path: "{{ item }}"
state: absent
loop:
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_dsa_key.pub
tags:
- ssh
- keys
- cleanup
- name: Verify SSH configuration syntax
command: sshd -t
register: ssh_config_test
changed_when: false
failed_when: ssh_config_test.rc != 0
tags:
- ssh
- validation

167
deployment/infrastructure/roles/base-security/tasks/system-hardening.yml Normal file
View File

@@ -0,0 +1,167 @@
---
# System Security Hardening
- name: Apply kernel security parameters
sysctl:
name: "{{ item.key }}"
value: "{{ item.value }}"
state: present
sysctl_set: true
reload: true
loop: "{{ security_kernel_parameters | dict2items }}"
tags:
- security
- kernel
- sysctl
- name: Create security limits configuration
template:
src: security-limits.conf.j2
dest: /etc/security/limits.d/99-security.conf
owner: root
group: root
mode: '0644'
tags:
- security
- limits
- name: Configure login.defs for security
lineinfile:
path: /etc/login.defs
regexp: "^{{ item.key }}"
line: "{{ item.key }} {{ item.value }}"
backup: true
loop:
- { key: "UMASK", value: "{{ security_umask }}" }
- { key: "PASS_MAX_DAYS", value: "90" }
- { key: "PASS_MIN_DAYS", value: "1" }
- { key: "PASS_WARN_AGE", value: "7" }
- { key: "LOGIN_TIMEOUT", value: "{{ security_login_timeout }}" }
- { key: "ENCRYPT_METHOD", value: "SHA512" }
tags:
- security
- login
- password
- name: Secure shared memory
mount:
path: /dev/shm
src: tmpfs
fstype: tmpfs
opts: "defaults,noexec,nosuid,nodev,size=512M"
state: mounted
tags:
- security
- memory
- filesystem
- name: Configure audit system
package:
name: auditd
state: present
tags:
- security
- audit
- name: Create audit rules for security monitoring
template:
src: audit-rules.rules.j2
dest: /etc/audit/rules.d/99-security.rules
owner: root
group: root
mode: '0600'
backup: true
notify: restart auditd
tags:
- security
- audit
- rules
- name: Ensure auditd service is enabled and running
service:
name: auditd
state: started
enabled: true
tags:
- security
- audit
- service
- name: Remove unnecessary packages
package:
name: "{{ item }}"
state: absent
loop:
- telnet
- rsh-client
- rsh-redone-client
- talk
- ntalk
- xinetd
- inetutils-inetd
ignore_errors: true
tags:
- security
- cleanup
- packages
- name: Set correct permissions on critical files
file:
path: "{{ item.path }}"
owner: "{{ item.owner | default('root') }}"
group: "{{ item.group | default('root') }}"
mode: "{{ item.mode }}"
loop:
- { path: "/etc/passwd", mode: "0644" }
- { path: "/etc/shadow", mode: "0640", group: "shadow" }
- { path: "/etc/group", mode: "0644" }
- { path: "/etc/gshadow", mode: "0640", group: "shadow" }
- { path: "/boot", mode: "0700" }
- { path: "/etc/ssh", mode: "0755" }
- { path: "/etc/crontab", mode: "0600" }
- { path: "/etc/cron.hourly", mode: "0700" }
- { path: "/etc/cron.daily", mode: "0700" }
- { path: "/etc/cron.weekly", mode: "0700" }
- { path: "/etc/cron.monthly", mode: "0700" }
- { path: "/etc/cron.d", mode: "0700" }
tags:
- security
- permissions
- files
- name: Configure process accounting
package:
name: acct
state: present
tags:
- security
- accounting
- name: Enable process accounting
service:
name: acct
state: started
enabled: true
tags:
- security
- accounting
- service
- name: Configure system banner
copy:
content: |
Custom PHP Framework Production Server
{{ domain_name }} - {{ environment | upper }}
Unauthorized access is prohibited.
All activities are monitored and logged.
System administered by: {{ ssl_email }}
dest: /etc/motd
owner: root
group: root
mode: '0644'
tags:
- security
- banner
- motd

63
deployment/infrastructure/roles/base-security/templates/custom-jails.local.j2 Normal file
View File

@@ -0,0 +1,63 @@
# Custom Fail2ban Jails for Custom PHP Framework
# Generated by Ansible - Do not edit manually
{% for jail in fail2ban_jails %}
[{{ jail.name }}]
enabled = {{ jail.enabled | ternary('true', 'false') }}
{% if jail.port is defined %}
port = {{ jail.port }}
{% endif %}
{% if jail.filter is defined %}
filter = {{ jail.filter }}
{% endif %}
{% if jail.logpath is defined %}
logpath = {{ jail.logpath }}
{% endif %}
{% if jail.maxretry is defined %}
maxretry = {{ jail.maxretry }}
{% endif %}
{% if jail.findtime is defined %}
findtime = {{ jail.findtime }}
{% endif %}
{% if jail.bantime is defined %}
bantime = {{ jail.bantime }}
{% endif %}
{% if jail.backend is defined %}
backend = {{ jail.backend }}
{% endif %}
action = %(action_mwl)s
{% endfor %}
# PHP Framework specific jail
[php-framework]
enabled = true
port = http,https
filter = php-framework
logpath = /var/log/nginx/access.log
/var/log/nginx/error.log
maxretry = 5
findtime = 600
bantime = 3600
action = %(action_mwl)s
php-framework-notify
# Docker container protection
[docker-php]
enabled = {{ 'true' if environment == 'production' else 'false' }}
port = http,https
filter = docker-php
logpath = /var/log/docker/*.log
maxretry = 3
findtime = 300
bantime = 1800
# Custom application errors
[app-errors]
enabled = true
port = http,https
filter = nginx-limit-req
logpath = /var/log/nginx/error.log
maxretry = 10
findtime = 600
bantime = 600

20
deployment/infrastructure/roles/base-security/templates/fail2ban.local.j2 Normal file
View File

@@ -0,0 +1,20 @@
# Fail2ban Main Configuration for Custom PHP Framework
# Generated by Ansible - Do not edit manually
[Definition]
loglevel = {{ fail2ban_loglevel }}
socket = {{ fail2ban_socket }}
pidfile = {{ fail2ban_pidfile }}
# Database configuration
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
dbmaxmatches = 10
# Backend
backend = systemd
# Email Configuration
[mta]
sender = fail2ban-{{ inventory_hostname }}@{{ domain_name }}
destemail = {{ ssl_email }}
action = %(action_mwl)s

73
deployment/infrastructure/roles/base-security/templates/sshd_config.j2 Normal file
View File

@@ -0,0 +1,73 @@
# SSH Configuration for Custom PHP Framework - {{ environment | upper }}
# Generated by Ansible - Do not edit manually
# Basic Configuration
Port {{ ssh_port }}
Protocol 2
AddressFamily inet
# Authentication
PermitRootLogin {{ ssh_permit_root_login | ternary('yes', 'no') }}
PasswordAuthentication {{ ssh_password_authentication | ternary('yes', 'no') }}
PubkeyAuthentication {{ ssh_pubkey_authentication | ternary('yes', 'no') }}
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication {{ ssh_challenge_response_authentication | ternary('yes', 'no') }}
GSSAPIAuthentication {{ ssh_gss_api_authentication | ternary('yes', 'no') }}
UsePAM yes
# Security Settings
MaxAuthTries {{ ssh_max_auth_tries }}
ClientAliveInterval {{ ssh_client_alive_interval }}
ClientAliveCountMax {{ ssh_client_alive_count_max }}
MaxSessions {{ ssh_max_sessions }}
TCPKeepAlive {{ ssh_tcp_keep_alive | ternary('yes', 'no') }}
Compression {{ ssh_compression | ternary('yes', 'no') }}
UseDNS {{ ssh_use_dns | ternary('yes', 'no') }}
# Tunnel and Forwarding
X11Forwarding {{ ssh_x11_forwarding | ternary('yes', 'no') }}
PermitTunnel {{ ssh_permit_tunnel | ternary('yes', 'no') }}
PermitUserEnvironment {{ ssh_permit_user_environment | ternary('yes', 'no') }}
AllowTcpForwarding no
AllowStreamLocalForwarding no
GatewayPorts no
# Host Key Configuration
{% for algorithm in ssh_host_key_algorithms %}
HostKey /etc/ssh/ssh_host_{{ algorithm.split('-')[0] }}_key
{% endfor %}
# Allowed Users and Groups
{% if ssh_allowed_users %}
AllowUsers {{ ssh_allowed_users | join(' ') }}
{% endif %}
{% if ssh_allowed_groups %}
AllowGroups {{ ssh_allowed_groups | join(' ') }}
{% endif %}
# Banner
Banner {{ ssh_banner }}
# Logging
SyslogFacility AUTH
LogLevel INFO
# Kex Algorithms (secure)
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
# Ciphers (secure)
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# MAC Algorithms (secure)
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
# Host Key Algorithms
PubkeyAcceptedKeyTypes {{ ssh_host_key_algorithms | join(',') }}
# Additional Security
PermitEmptyPasswords no
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
PrintMotd no
PrintLastLog yes

21
deployment/infrastructure/roles/base-security/vars/Debian.yml Normal file
View File

@@ -0,0 +1,21 @@
---
# OS-specific variables for Debian/Ubuntu
security_packages:
- ufw
- fail2ban
- unattended-upgrades
- apt-listchanges
- logwatch
- rkhunter
- chkrootkit
# Services
security_services:
- ufw
- fail2ban
- unattended-upgrades
# Package management
package_manager: apt
update_cache_command: "apt-get update"
upgrade_command: "apt-get upgrade -y"