mirror of https://github.com/trailofbits/algo synced 2024-11-16 12:12:55 +00:00
2.2 KiB
# Ansible Roles

## Required Roles

- Common
  - Installs several required packages and software updates, then reboots if necessary
  - Configures network interfaces and enables packet forwarding on them
- VPN
  - Installs StrongSwan, enables AppArmor, limits CPU and memory access, and drops user privileges
  - Builds a Certificate Authority (CA) with easy-rsa-ipsec and creates one client certificate per user
  - Bundles the appropriate certificates into Apple mobileconfig profiles for each user
  - Configures iptables to block traffic that might pose a risk to VPN users, such as SMB/CIFS

## Optional Roles

- Security Enhancements (Recommended)
  - Enables unattended-upgrades to ensure available patches are always applied
  - Modifies features like core dumps, kernel parameters, and SUID binaries to limit possible attacks
  - Enhances SSH with modern ciphers and seccomp, and restricts access to older, unwanted features like X11 forwarding and SFTP
- Ad Blocking and Compression HTTP Proxy
  - Installs Privoxy with an ad blocking ruleset
  - Installs Apache with mod_pagespeed as an HTTP proxy
  - Constrains Privoxy and Apache with AppArmor and cgroups CPU and memory limitations
- DNS Ad Blocking
  - Installs the dnsmasq local resolver with a blacklist for advertising domains
  - Constrains dnsmasq with AppArmor and cgroups CPU and memory limitations
- Security Monitoring and Logging
  - Configures auditd and rsyslog to log data useful for investigating security incidents
  - Sends logs to a configured email address on a regular basis
- SSH Tunneling
  - Adds a restricted `algo` group with no shell access and limited SSH forwarding options
  - Creates one limited, local account per user and an SSH public key for each
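As an added example (not Algo's own code), the following Python audit parses an `sshd_config`, including its `Match` blocks, and checks for the restrictions the Security Enhancements and SSH Tunneling roles describe above. The directives it expects (`PermitTTY`, `ForceCommand`, `PermitTunnel`, `AllowAgentForwarding`, `X11Forwarding`, the `sftp` `Subsystem`) are assumptions about how "no shell access" and "limited forwarding" would be expressed, and the sample configuration is constructed.

```python
# Added example, not Algo's own code: audit an sshd_config for the restrictions
# described above. The directive values are assumptions about how "no shell
# access" and "limited forwarding" are expressed; the sample is constructed.
SAMPLE_CONFIG = """\
X11Forwarding no
# Subsystem sftp /usr/lib/openssh/sftp-server
Match Group algo
    AllowTcpForwarding yes
    AllowAgentForwarding no
    PermitTunnel no
    X11Forwarding no
    PermitTTY no
    ForceCommand /bin/false
"""

def parse_sshd_config(text):
    """Global section plus one dict per Match block; keys lowercased, values
    kept as an ordered list because sshd honours the first occurrence."""
    sections = {"global": {}, "match": {}}
    current = sections["global"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":  # every following line belongs to this Match block
            current = sections["match"].setdefault(value.lower(), {})
            continue
        current.setdefault(key, []).append(value)
    return sections

# Assumed expectations for the tunnel group; a missing directive is a failure.
EXPECTED_ALGO = {"permittty": "no", "x11forwarding": "no",
                 "allowagentforwarding": "no", "permittunnel": "no"}

def check_hardening(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg, findings = parse_sshd_config(text), []
    if cfg["global"].get("x11forwarding", [""])[0].lower() != "no":
        findings.append("global X11Forwarding is not 'no'")
    if any(v.split()[:1] == ["sftp"] for v in cfg["global"].get("subsystem", [])):
        findings.append("sftp subsystem is still enabled")
    algo = cfg["match"].get("group algo", {})  # absent block fails every check
    for key, want in EXPECTED_ALGO.items():
        if algo.get(key, [""])[0].lower() != want:
            findings.append(f"Match Group algo: {key} should be {want}")
    if "forcecommand" not in algo:
        findings.append("Match Group algo: ForceCommand missing, shell not blocked")
    return findings
```

Running `check_hardening` over a real `/etc/ssh/sshd_config` shows which of the assumed restrictions are absent; note it reads only a single file and does not follow `Include` directives.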