~sirn/ansible-freebsd-hardening

Ansible role for hardening FreeBSD host
https://git.sr.ht/~sirn/ansible-freebsd-hardening
#ansible-freebsd-hardening

Harden FreeBSD with a few common configurations using Lynis.

  • SSH: disable agent forwarding, TCP forwarding, X11 forwarding, etc.
  • SSH: change the SSH port (optional)
  • Sudo: ensure configuration permissions
  • TTY: require the root password in single-user mode
  • Bootloader: disable Hyper-Threading (optional)
  • Sysctl: defaults from HardenedBSD
  • Racct: enable resource accounting

#Variables

#hardening_ssh_port
hardening_ssh_port: 22

Change the SSH port to the given port. Note that the Ansible run will fail once the port has been changed, since Ansible is still connecting on the old port. Remember to update the inventory file accordingly after a failed run.

#hardening_disable_ht
hardening_disable_ht: false

Disable Hyper-Threading to mitigate side-channel attacks via speculative execution. Turning this on will affect performance.
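An offline audit of the state the SSH hardening and the two variables above are expected to leave behind, as an added example that is not part of this role. Which sshd_config directives the role sets (AllowAgentForwarding, AllowTcpForwarding, X11Forwarding, Port) and that it disables Hyper-Threading through the FreeBSD loader tunable machdep.hyperthreading_allowed are assumptions; the sample config files are constructed inline so the script runs without a FreeBSD host.

```shell
#!/bin/sh
# Added example, not code from the ansible-freebsd-hardening role. Audits a
# sshd_config and a loader.conf against the settings this role is assumed to
# produce. On a real host run, for example:
#   check_sshd_config /etc/ssh/sshd_config "$hardening_ssh_port"
#   check_loader_conf /boot/loader.conf "$hardening_disable_ht"

# Print "<directive> expected=<x> got=<y>" for every mismatch and nothing when
# compliant. sshd uses the FIRST uncommented occurrence of a keyword and matches
# keywords case-insensitively, so the lookup does the same. An absent directive
# would fall back to sshd's compiled-in default, which is reported as "unset"
# because a hardened file is expected to set each value explicitly.
check_sshd_config() {
  file=$1
  port=${2:-22}
  for pair in AllowAgentForwarding=no AllowTcpForwarding=no X11Forwarding=no "Port=$port"; do
    key=${pair%%=*}
    expected=${pair#*=}
    got=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$file")
    if [ "$(printf '%s' "$got" | tr '[:upper:]' '[:lower:]')" != "$expected" ]; then
      printf '%s expected=%s got=%s\n' "$key" "$expected" "${got:-unset}"
    fi
  done
}

# loader.conf holds key="value" lines and the LAST assignment wins. When
# hardening_disable_ht is true the role is assumed to set
# machdep.hyperthreading_allowed="0"; when false there is nothing to check.
check_loader_conf() {
  file=$1
  disable_ht=${2:-false}
  [ "$disable_ht" = "true" ] || return 0
  got=$(awk -F= '{ k = $1; gsub(/[[:space:]]/, "", k) }
                 k == "machdep.hyperthreading_allowed" { v = $2 }
                 END { sub(/#.*/, "", v); gsub(/["[:space:]]/, "", v); print v }' "$file")
  if [ "$got" != "0" ]; then
    printf 'machdep.hyperthreading_allowed expected=0 got=%s\n' "${got:-unset}"
  fi
}

# Constructed sample files standing in for /etc/ssh/sshd_config and
# /boot/loader.conf on a hardened host and on a stock install.
hardened_sshd=$(mktemp)
cat > "$hardened_sshd" <<'EOF'
# sshd_config as left by the role (constructed sample)
Port 2222
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
EOF

stock_sshd=$(mktemp)
cat > "$stock_sshd" <<'EOF'
# stock sshd_config (constructed sample): everything still commented out
#Port 22
#AllowAgentForwarding yes
X11Forwarding yes
EOF

hardened_loader=$(mktemp)
printf 'machdep.hyperthreading_allowed="0"  # set by hardening_disable_ht\n' > "$hardened_loader"

stock_loader=$(mktemp)
printf 'autoboot_delay="3"\n' > "$stock_loader"
trap 'rm -f "$hardened_sshd" "$stock_sshd" "$hardened_loader" "$stock_loader"' EXIT

# The hardened files audit clean; the stock ones list what is still missing.
check_sshd_config "$hardened_sshd" 2222
check_sshd_config "$stock_sshd" 2222      # four mismatches, including Port
check_loader_conf "$hardened_loader" true
check_loader_conf "$stock_loader" true    # tunable unset
```

On a live host the effective configuration, including defaults and Match blocks, is printed by `sshd -T` in lower-case keywords; because the lookup is case-insensitive, that output can be saved to a file and audited the same way.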