algo/docs/ROLES.md
2016-12-30 19:20:09 +01:00

Ansible Roles

Required Roles

  • Common
    • Installs several required packages and software updates, then reboots if necessary
    • Configures network interfaces and enables packet forwarding on them
  • VPN
    • Installs StrongSwan, enables AppArmor, limits CPU and memory access, and drops user privileges
    • Builds a Certificate Authority (CA) with easy-rsa-ipsec and creates one client certificate per user
    • Bundles the appropriate certificates into Apple mobileconfig profiles for each user
    • Configures iptables to block traffic that might pose a risk to VPN users, such as SMB/CIFS

Optional Roles

  • Security Enhancements
    • Enables unattended-upgrades to ensure available patches are always applied
    • Modifies features like core dumps, kernel parameters, and SUID binaries to limit possible attacks
    • Enhances SSH with modern ciphers and seccomp, and restricts access to old or unwanted features like X11 forwarding and SFTP
  • Proxy-based Adblocking and Compression
    • Installs Privoxy with an ad blocking ruleset
    • Installs Apache with mod_pagespeed as an HTTP proxy
    • Constrains Privoxy and Apache with AppArmor and cgroups CPU and memory limitations
  • DNS-based Adblocking
    • Installs the dnsmasq local resolver with a blacklist for advertising domains
    • Constrains dnsmasq with AppArmor and cgroups CPU and memory limitations
  • Security Monitoring and Logging
    • Configures auditd and rsyslog to log data useful for investigating security incidents
    • Sends logs to a configured email address on a regular basis
  • SSH Tunneling
    • Adds a restricted algo group with no shell access and limited SSH forwarding options
    • Creates one limited, local account per user and an SSH public key for each
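
As an added illustration of the SSH bullets under Security Enhancements and SSH Tunneling above (not Algo's own sshd_config; the directives and values chosen here are assumptions about how such a policy is expressed), an sshd_config fragment that turns off the legacy features globally and then confines members of the algo group to port forwarding with no shell:

```sshdconfig
# Added example, not Algo's actual sshd_config: the algorithm lists and
# Match-block settings below are assumptions, not values taken from the role.

# Security Enhancements: modern algorithms only, unwanted features off
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
PasswordAuthentication no
X11Forwarding no
# Deliberately no "Subsystem sftp ..." line, so the SFTP subsystem is unavailable

# SSH Tunneling: the restricted algo group gets a tunnel, never a shell
Match Group algo
    PermitTTY no                  # no interactive terminal
    ForceCommand /bin/false       # any shell or command request exits immediately
    AllowTcpForwarding local      # only client-side (-L) port forwards
    AllowAgentForwarding no
    AllowStreamLocalForwarding no # no Unix-socket forwarding
    GatewayPorts no               # forwards bind to loopback only
    PermitTunnel no               # no tun/tap device tunnels
```

Check the result with `sshd -t` before restarting the daemon; the accounts in the algo group would additionally carry a non-login shell, which is what the role's "no shell access" bullet describes.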