consolidated fedora_security

playbooks/fedora_workstation.yml

@@ -2,19 +2,11 @@
 - name: Fedora workstation setup
   hosts: workstation
   roles:
-    - role: fedora_firewall
+    - role: fedora_pkg
-      tags: fedora_firewall
+      tags: fedora_pkg
-
-    - role: fedora_selinux
-      tags: fedora_selinux
-
-    - role: fedora_auditd
-      tags: fedora_auditd
 
     - role: fedora_base
       tags: fedora_base
 
-    - role: fedora_pkg
+    - role: fedora_security
-      tags: fedora_pkg
+      tags: fedora_security
-
-

roles/fedora_pkg/vars/main.yml

@@ -70,6 +70,9 @@ general_packages:
   - calcurse
   - wireguard-tools
   - telnet
+  - clamav
+  - clamd
+  - dnf-automatic
 
 flatpak_packages:
   - net.ankiweb.Anki

roles/fedora_security/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart clamd
+  systemd:
+    name: clamd@scan
+    state: restarted

roles/fedora_security/tasks/main.yml

@@ -0,0 +1,61 @@
+---
+- name: Set default firewalld zone to home
+  command:
+    cmd: firewall-cmd --set-default-zone=home
+  become: true
+
+- name: Change interface to home zone
+  command:
+    cmd: firewall-cmd --zone=home --change-interface={{ network_interface }}
+  become: true
+
+- name: Add allowed services to home zone
+  firewalld:
+    service: "{{ item }}"
+    zone: home
+    permanent: yes
+    state: enabled
+  loop: "{{ allowed_services }}"
+  become: true
+
+- name: Enable logging for denied packets
+  command:
+    cmd: firewall-cmd --set-log-denied=all
+  become: true
+
+- name: Reload firewalld
+  systemd:
+    name: firewalld
+    state: reloaded
+  become: true
+
+- name: Ensure SELinux is enabled and in enforcing mode
+  selinux:
+    policy: targeted
+    state: enforcing
+
+- name: Set SELinux to enforcing in config file
+  replace:
+    path: /etc/selinux/config
+    regexp: '^SELINUX=.*'
+    replace: 'SELINUX=enforcing'
+
+- name: Install dnf-automatic for automatic security updates
+  package:
+    name: dnf-automatic
+    state: present
+
+- name: Configure dnf-automatic
+  template:
+    src: dnf-automatic.conf.j2
+    dest: /etc/dnf/automatic.conf
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Enable and start dnf-automatic timer
+  systemd:
+    name: dnf-automatic.timer
+    enabled: true
+    state: started
+

roles/fedora_security/templates/dnf-automatic.conf.j2

@@ -0,0 +1,101 @@
+> cat /etc/dnf/automatic.conf
+[commands]
+#  What kind of upgrade to perform:
+# default                            = all available upgrades
+# security                           = only the security upgrades
+upgrade_type = security
+random_sleep = 0
+
+# Maximum time in seconds to wait until the system is on-line and able to
+# connect to remote repositories.
+network_online_timeout = 60
+
+# To just receive updates use dnf-automatic-notifyonly.timer
+
+# Whether updates should be downloaded when they are available, by
+# dnf-automatic.timer. notifyonly.timer, download.timer and
+# install.timer override this setting.
+download_updates = yes
+
+# Whether updates should be applied when they are available, by
+# dnf-automatic.timer. notifyonly.timer, download.timer and
+# install.timer override this setting.
+apply_updates = yes
+
+# When the system should reboot following upgrades:
+# never                              = don't reboot after upgrades
+# when-changed                       = reboot after any changes
+# when-needed                        = reboot when necessary to apply changes
+reboot = never
+
+# The command that is run to trigger a system reboot.
+reboot_command = "shutdown -r +5 'Rebooting after applying package updates'"
+
+
+[emitters]
+# Name to use for this system in messages that are emitted.  Default is the
+# hostname.
+# system_name = my-host
+
+# How to send messages.  Valid options are stdio, email and motd.  If
+# emit_via includes stdio, messages will be sent to stdout; this is useful
+# to have cron send the messages.  If emit_via includes email, this
+# program will send email itself according to the configured options.
+# If emit_via includes motd, /etc/motd file will have the messages. if
+# emit_via includes command_email, then messages will be send via a shell
+# command compatible with sendmail.
+# Default is email,stdio.
+# If emit_via is None or left blank, no messages will be sent.
+emit_via = stdio
+
+
+[email]
+# The address to send email messages from.
+email_from = root@example.com
+
+# List of addresses to send messages to.
+email_to = root
+
+# Name of the host to connect to to send email messages.
+email_host = localhost
+
+# Port number to connect to at the email host.
+email_port = 25
+
+# Use TLS or STARTTLS to connect to the email host.
+email_tls = no
+
+
+[command]
+# The shell command to execute. This is a Python format string, as used in
+# str.format(). The format function will pass a shell-quoted argument called
+# `body`.
+# command_format = "cat"
+
+# The contents of stdin to pass to the command. It is a format string with the
+# same arguments as `command_format`.
+# stdin_format = "{body}"
+
+
+[command_email]
+# The shell command to use to send email. This is a Python format string,
+# as used in str.format(). The format function will pass shell-quoted arguments
+# called body, subject, email_from, email_to.
+# command_format = "mail -Ssendwait -s {subject} -r {email_from} {email_to}"
+
+# The contents of stdin to pass to the command. It is a format string with the
+# same arguments as `command_format`.
+# stdin_format = "{body}"
+
+# The address to send email messages from.
+email_from = root@example.com
+
+# List of addresses to send messages to.
+email_to = root
+
+
+[base]
+# This section overrides dnf.conf
+
+# Use this to filter DNF core messages
+debuglevel = 1

roles/fedora_security/templates/freshclam.service.j2

@@ -0,0 +1,14 @@
+[Unit]
+Description=ClamAV Virus Database Update
+Documentation=man:freshclam(1) man:freshclam.conf(5)
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/freshclam
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=freshclam
+
+[Install]
+WantedBy=multi-user.target
+

roles/fedora_security/templates/freshclam.timer.j2

@@ -0,0 +1,10 @@
+[Unit]
+Description=Run freshclam periodically
+
+[Timer]
+OnCalendar=hourly
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+

roles/fedora_security/templates/scan.conf.j2

@@ -0,0 +1,20 @@
+# Automatically Generated by Ansible
+LocalSocket /var/run/clamd.scan/clamd.sock
+FixStaleSocket true
+User clamscan
+AllowSupplementaryGroups true
+ScanMail true
+ScanArchive true
+ArchiveBlockEncrypted false
+MaxDirectoryRecursion 15
+FollowDirectorySymlinks false
+FollowFileSymlinks false
+ReadTimeout 180
+MaxThreads 12
+LogFile /var/log/clamd.scan
+LogTime true
+LogSyslog false
+PidFile /var/run/clamd.scan/clamd.pid
+DatabaseDirectory /var/lib/clamav
+OfficialDatabaseOnly false
+

roles/fedora_security/vars/main.yml

@@ -0,0 +1,6 @@
+---
+network_interface: wlp0s20f3
+allowed_services:
+  - ssh
+  - dhcpv6-client
+  - mdns

roles/fedora_selinux/tasks/main.yml

@@ -1,11 +0,0 @@
----
-- name: Ensure SELinux is enabled and in enforcing mode
-  ansible.posix.selinux:
-    policy: targeted
-    state: enforcing
-
-- name: Set SELinux to enforcing in config file
-  ansible.builtin.replace:
-    path: /etc/selinux/config
-    regexp: '^SELINUX=.*'
-    replace: 'SELINUX=enforcing'

roles/fedora_selinux/vars/main.yml

@@ -1 +0,0 @@
----