v7.1.0 (#21)

* introduce harden_linux_absent_packages variable

* molecule/default/molecule.yml: add harden_linux_absent_packages variable

* fix ansible-lint issues

* fix molecule/default/converge.yml

* add harden_linux_systemd_resolved_settings variable

* molecule/default/molecule.yml: change IP addresses

* update CHANGELOG

* update README

* update CHANGELOG

* update README

* remove comment

CHANGELOG.md

@@ -1,33 +1,55 @@
-Changelog
----------
+# Changelog
 
-**v7.0.0**
+## v7.1.0
 
-- **BREAKING**: `meta/main.yml`: change `role_name` from `harden-linux` to `harden_linux`. This is a requirement since quite some time for Ansible Galaxy. But the requirement was introduced after this role already existed for quite some time. So please update the name of the role in your playbook accordingly!
-- **BREAKING**: remove support for Ubuntu 18.04 (reached EOL)
-- Molecule: add `verify` step
-- Fix various `ansible-lint` issues
+FEATURE
+
+- introduce `harden_linux_absent_packages` variable
+- introduce `harden_linux_systemd_resolved_settings` variable
+
+MOLECULE
+
+- change IP addresses
+
+OTHER
+
+- fix `ansible-lint` issues
+
+## v7.0.0
+
+BREAKING
+
+- `meta/main.yml`: change `role_name` from `harden-linux` to `harden_linux`. This is a requirement since quite some time for Ansible Galaxy. But the requirement was introduced after this role already existed for quite some time. So please update the name of the role in your playbook accordingly!
+- remove support for Ubuntu 18.04 (reached EOL)
+
+MOLECULE
+
+- add `verify` step
+- use `generic/ubuntu2204` VM image instead of `alvistack/ubuntu-22.04`
+- move `memory` and `cpus` properties to hosts
+- rename scenario `kvm` to `default`
+- rename `test-harden-linux-ubuntu1804-openntpd` to `test-harden-linux-ubuntu2204-openntpd`
+- adjust `verifier`
+- fix link in `defaults/main.yml`
+- add information about Molecule test to `README.md`
+
+OTHER
+
+- fix various `ansible-lint` issues
 - `.ansible-lint`: remove `role-name` / add `name[template]`
-- `molecule/default/molecule.yml`: use `generic/ubuntu2204` VM image instead of `alvistack/ubuntu-22.04`
-- `molecule/default/molecule.yml`: move `memory` and `cpus` properties to hosts
-- `molecule/default/molecule.yml`: rename scenario `kvm` to `default`
-- `molecule/default/molecule.yml`: rename `test-harden-linux-ubuntu1804-openntpd` to `test-harden-linux-ubuntu2204-openntpd`
-- `molecule/default/molecule.yml`: adjust `verifier`
-- `defaults/main.yml`: fix link
-- `README.md`: add information about Molecule test
 
-**v6.2.0**
+## v6.2.0
 
 - fix various `ansible-lint` issues
 - remove unneeded tests directory
 - add Github release action to push new release to Ansible Galaxy
 
-**v6.1.0**
+## v6.1.0
 
 - **FEATURE**: Support Ubuntu 22.04 (contribution by @lvnilesh)
 - add Molecule test for Ubuntu 22.04
 
-**v6.0.0**
+## v6.0.0
 
 This version contains a few **breaking** changes. Please read the changelog carefully:
 
@@ -41,66 +63,66 @@ This version contains a few **breaking** changes. Please read the changelog care
 - **FEATURE:** (Ubuntu only): add `harden_linux_ubuntu_cache_valid_time` variable. Set package cache valid time (in seconds). Previously it was always `3600` seconds.
 - **FEATURE:** (Archlinux only): introduce `harden_linux_archlinux_update_cache` variable. Set to `false` if package cache should not be updated.
 
-**v5.1.0**
+## v5.1.0
 
 - add `systemd-timesyncd` as additional option for `harden_linux_ntp`
 
-**v5.0.0**
+## v5.0.0
 
 - Remove Ubuntu 16.04 support
 
-**v4.1.0**
+## v4.1.0
 
 - Added basic Molecule tests
 - updated README about how to generate encrypted passwords
 
-**v4.0.3**
+## v4.0.3
 
 - Updated for Ubuntu 20.04 LTS
 
-**v4.0.1**
+## v4.0.1
 
 - make `harden_linux_ntp` optional (commented in `defaults/main.yml`).
 
-**v4.0.0**
+## v4.0.0
 
 - introduce `harden_linux_ntp` and `harden_linux_ntp_settings` variables. `openntpd` is installed by default now. See README for more information. If `harden_linux_ntp` variable isn't set no ntp service will be installed.
 
-**v3.1.0**
+## v3.1.0
 
 - fix deprecation warning in "install required packages" task
 - moved changelog entries to separate file
 - make Ansible linter happy
 
-**v3.0.1**
+## v3.0.1
 
 - update README
 
-**v3.0.0**
+## v3.0.0
 
-- Ansible v2.5 needed for Ubuntu 18.04 Bionic Beaver as Python 3 is default there. It *should* work with Ansible >= 2.2 too but who knows ;-) As Ubuntu 18.04 comes with Python 3 support only by default you may adjust your Ansible's `hosts` file. E.g you can add the `ansible_python_interpreter` env. like so: `host.domain.tld ansible_python_interpreter=/usr/bin/python3` (also see http://docs.ansible.com/ansible/latest/reference_appendices/python_3_support.html for more examples)
+- Ansible v2.5 needed for Ubuntu 18.04 Bionic Beaver as Python 3 is default there. It *should* work with Ansible >= 2.2 too but who knows ;-) As Ubuntu 18.04 comes with Python 3 support only by default you may adjust your Ansible's `hosts` file. E.g you can add the `ansible_python_interpreter` env. like so: `host.domain.tld ansible_python_interpreter=/usr/bin/python3` (also see [Python 3 support](http://docs.ansible.com/ansible/latest/reference_appendices/python_3_support.html) for more examples)
 
-**v2.1.0**
+## v2.1.0
 
 - support for Ubuntu 18.04 Bionic Beaver
 - added `sudo` package to `harden_linux_required_packages`
 
-**v2.0.1**
+## v2.0.1
 
 - fixed deprecation warning while installing aptitude
 
-**v2.0.0**
+## v2.0.0
 
 - major refactoring
 - removed `common_ssh_port` (see `harden_linux_sshd_settings` instead)
 - all variables that started with `common_` are now starting with the prefix `harden_linux_`. Additionally ALL variables that the role uses are now prefixed with `harden_linux_`. Using a variable name prefix avoids potential collisions with other role/group variables.
 - introduced `harden_linux_deploy_user_uid` and `harden_linux_deploy_user_shell`
-- single settings in `harden_linux_sysctl_settings` can be overridden by specifing the key/value in `harden_linux_sysctl_settings_user` list (whole list needed to be replaced before this change)
+- single settings in `harden_linux_sysctl_settings` can be overridden by specifying the key/value in `harden_linux_sysctl_settings_user` list (whole list needed to be replaced before this change)
 - more documentation added to `defaults/main.yml` (please read it ;-) )
 - every setting in hosts `/etc/ssh/sshd_config` config file can now be replaced by using `harden_linux_sshd_settings_user` list. The defaults are specified in `harden_linux_sysctl_settings` and will be merged with `harden_linux_sysctl_settings_user` during run time.
 - added variable `harden_linux_sshguard_whitelist` for Sshguard whitelist
 - firewall rules can now be added using `harden_linux_ufw_rules` variable
 
-**v1.0.0**
+## v1.0.0
 
 - initial release

README.md

@@ -1,29 +1,87 @@
-ansible-role-harden-linux
-=========================
+# ansible-role-harden-linux
 
 This Ansible role was mainly created for my blog series [Kubernetes the not so hard way with Ansible - Harden the instances](https://www.tauceti.blog/posts/kubernetes-the-not-so-hard-way-with-ansible-harden-the-instances/). But it can be used also standalone of course to harden Linux. It has the following features:
 
 - Optional: Change root password
 - Add a regular/deploy user used for administration (e.g. for Ansible or login via SSH)
 - Adjust APT update intervals
-- Setup UFW firewall and allow only SSH access by default (add more rules/allowed networks if you like)
+- Setup `UFW` firewall and allow only SSH access by default (add more rules/allowed networks if you like)
 - Adjust security related sysctl settings
-- Adjust sshd settings e.g disable sshd password authentication, disable sshd root login and disable sshd PermitTunnel
-- Install sshguard and adjust whitelist
-- Optional: Install/configure Network Time Synchronization (NTP) e.g. `openntpd`/`ntp`/`systemd-timesyncd`
+- Adjust `sshd` settings e.g disable sshd password authentication, disable sshd root login and disable sshd PermitTunnel
+- Install `sshguard` and adjust whitelist
+- Optional: Install/configure `Network Time Synchronization` (NTP) e.g. `openntpd`/`ntp`/`systemd-timesyncd`
+- Optional: Change `systemd-resolved` configuration
 
-Versions
---------
+## Versions
 
 I tag every release and try to stay with [semantic versioning](http://semver.org). If you want to use the role I recommend to checkout the latest tag. The master branch is basically development while the tags mark stable releases. But in general I try to keep master in good shape too.
 
-Changelog
----------
+## Changelog
 
-see [CHANGELOG.md](https://github.com/githubixx/ansible-role-harden-linux/blob/master/CHANGELOG.md)
+**Change history:**
 
-Role Variables
---------------
+See full  [CHANGELOG.md](https://github.com/githubixx/ansible-role-harden-linux/blob/master/CHANGELOG.md)
+
+**Recent changes:**
+
+### v7.1.0
+
+FEATURE
+
+- introduce `harden_linux_absent_packages` variable
+- introduce `harden_linux_systemd_resolved_settings` variable
+
+MOLECULE
+
+- change IP addresses
+
+OTHER
+
+- fix `ansible-lint` issues
+
+### v7.0.0
+
+BREAKING
+
+- `meta/main.yml`: change `role_name` from `harden-linux` to `harden_linux`. This is a requirement since quite some time for Ansible Galaxy. But the requirement was introduced after this role already existed for quite some time. So please update the name of the role in your playbook accordingly!
+- remove support for `Ubuntu 18.04` (reached EOL)
+
+MOLECULE
+
+- add `verify` step
+- use `generic/ubuntu2204` VM image instead of `alvistack/ubuntu-22.04`
+- move `memory` and `cpus` properties to hosts
+- rename scenario `kvm` to `default`
+- rename `test-harden-linux-ubuntu1804-openntpd` to `test-harden-linux-ubuntu2204-openntpd`
+- adjust `verifier`
+- fix link in `defaults/main.yml`
+- add information about Molecule test to `README.md`
+
+OTHER
+
+- fix various `ansible-lint` issues
+- `.ansible-lint`: remove `role-name` / add `name[template]`
+
+## Installation
+
+- Directly download from Github (Change into Ansible role directory before cloning. You can figure out the role path by using `ansible-config dump | grep DEFAULT_ROLES_PATH` command):
+`git clone https://github.com/githubixx/ansible-role-harden-linux.git githubixx.harden_linux`
+
+- Via `ansible-galaxy` command and download directly from Ansible Galaxy:
+`ansible-galaxy install role githubixx.harden_linux`
+
+- Create a `requirements.yml` file with the following content (this will download the role from Github) and install with
+`ansible-galaxy role install -r requirements.yml` (change `version` if needed):
+
+```yaml
+---
+roles:
+  - name: githubixx.harden_linux
+    src: https://github.com/githubixx/ansible-role-harden-linux.git
+    version: v7.1.0
+```
+
+## Role Variables
 
 The following variables don't have defaults. You need to specify them either in a file in `group_vars` or `host_vars` directory. E.g. if this settings should be used only for one specific host create a file for that host called like the FQDN of that host (e.g `host_vars/your-server.example.tld`) and put the variables with the correct values there. If you want to apply this variables to a host group create a file `group_vars/your-group.yml` e.g. Replace `your-group` with the host group name which you created in the Ansible `hosts` file (do not confuse with /etc/hosts...). `harden_linux_deploy_user_public_keys` loads all the public SSH key files specified in the list from your local hard disk. So at least you need to specify:
 
@@ -48,14 +106,21 @@ ansible localhost -m debug -a "msg={{ 'mypassword' | password_hash('sha512', 'my
 
 `harden_linux_deploy_user_public_keys` specifies a list of public SSH key files you want to add to `$HOME/.ssh/authorized_keys` of the deploy user on the remote host. If you specify `/home/deploy/.ssh/id_rsa.pub` e.g. as a value here the content of that **local** file will be added to `$HOME/.ssh/authorized_keys` of the deploy user on the remote host.
 
-The following variables below have defaults. So you only need to change them if you need another value for the variable. `harden_linux_optional_packages` (before version `v6.0.0` of this role this variable was called `harden_linux_required_packages`) specifies additional/optional packages to install on the remote host e.g. (by default this variable is not specified):
+`harden_linux_optional_packages` (before version `v6.0.0` of this role this variable was called `harden_linux_required_packages`) specifies additional/optional packages to install on the remote host. By default this variable is not specified. E.g.:
 
 ```yaml
 harden_linux_optional_packages:
   - vim
 ```
 
-The role changes some `sshd` settings by default:
+In contrast to the former variable, `harden_linux_absent_packages` will uninstall OS packages on the remote host. By default this variable is not specified. E.g.:
+
+```yaml
+harden_linux_absent_packages:
+  - vim
+```
+
+The following variables below have defaults. So you only need to change them if you need another value for the variable. The role changes some `sshd` settings by default:
 
 ```yaml
 harden_linux_sshd_settings:
@@ -252,6 +317,25 @@ harden_linux_files_to_delete:
   - "/root/.pw"
 ```
 
+If `systemd-resolved` is used for DNS resolution its behavior can be adjusted with `harden_linux_systemd_resolved_settings`. By default this variable is not specified. A systemd drop-in configuration will be created in `/etc/systemd/resolved.conf.d/99-override.conf` and the settings specified added there.
+
+Note: If a setting in `/etc/systemd/resolved.conf` is already set (e.g. `DNS=8.8.8.8`) then setting `DNS=9.9.9.9` below will add up. That means the final setting will be `DNS=8.8.8.8 9.9.9.9`. If you don't what that you need to "unset" the value first and then add the value you want to have. E.g.:
+
+```yaml
+harden_linux_systemd_resolved_settings:
+  - DNS=
+  - DNS=9.9.9.9
+```
+
+While the Google DNS server (`8.8.8.8`, `8.8.4.4`) offer speedy DNS lookups it's of course another possibility Google can spy on you. So using some other DNS servers should be at least something to think about. But there is one more thing and that's encrypting DNS requests. One way that `systemd-resolved` supports is `DNSOverTLS`. [Quad9 (9.9.9.9/149.112.112.112)](https://quad9.net) supports it and [Cloudflare (1.1.1.1/1.0.0.1)](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-tls/) support `DNSOverTLS`. So the following `systemd-resolved` settings configure Quad9 and Cloudflare DNS for IPv4 and IPv6. The setting `DNSOverTLS=opportunistic` uses `DNSOverTLS` if the DNS server supports it and falls back to regular unencrypted DNS if not supported (also see [resolved.conf.5](https://man.archlinux.org/man/resolved.conf.5)):
+
+```yaml
+harden_linux_systemd_resolved_settings:
+  - DNS=9.9.9.9 1.1.1.1 2606:4700:4700::1111 2620:fe::fe
+  - FallbackDNS=149.112.112.112 1.0.0.1 2620:fe::9 2606:4700:4700::1001
+  - DNSOverTLS=opportunistic
+```
+
 Also the package manager caching behavior can be influenced. E.g. for Ubuntu:
 
 ```yaml
@@ -269,8 +353,7 @@ For Archlinux:
 harden_linux_archlinux_update_cache: true
 ```
 
-Example Playbook
-----------------
+## Example Playbook
 
 If you installed the role via `ansible-galaxy install githubixx.harden_linux` then include the role into your playbook like in this example:
 
@@ -280,8 +363,7 @@ If you installed the role via `ansible-galaxy install githubixx.harden_linux` th
     - githubixx.harden_linux
 ```
 
-Testing
--------
+## Testing
 
 This role has a small test setup that is created using [Molecule](https://github.com/ansible-community/molecule), libvirt (vagrant-libvirt) and QEMU/KVM. Please see my blog post [Testing Ansible roles with Molecule, libvirt (vagrant-libvirt) and QEMU/KVM](https://www.tauceti.blog/posts/testing-ansible-roles-with-molecule-libvirt-vagrant-qemu-kvm/) how to setup. The test configuration is [here](https://github.com/githubixx/ansible-role-runc/tree/master/molecule/default).
 
@@ -303,12 +385,10 @@ To clean up run
 molecule destroy
 ```
 
-License
--------
+## License
 
 GNU GENERAL PUBLIC LICENSE Version 3
 
-Author Information
-------------------
+## Author Information
 
 [www.tauceti.blog](https://www.tauceti.blog)

defaults/main.yml

@@ -12,6 +12,11 @@ harden_linux_files_to_delete:
 # harden_linux_optional_packages:
 #   - ...
 
+# List of packages that should be absent/uninstalled from host. By default this
+# variable is commented out.
+# harden_linux_absent_packages:
+#   - ...
+
 # NTP package to install. Valid options are:
 #
 # - openntpd
@@ -147,6 +152,27 @@ harden_linux_sshd_settings:
   "^PermitTunnel": "PermitTunnel no"                      # Disable tun(4) device forwarding
   "^Port ": "Port 22"                                     # Set SSHd port
 
+# When this variable is set, settings for "systemd-resolved" will be changed.
+# A systemd drop-in configuration will be created in "/etc/systemd/resolved.conf.d/99-override.conf"
+# and the settings specified added there. The settings below are just examples.
+#
+# Note: If a setting in "/etc/systemd/resolved.conf" is already set
+# (e.g. "DNS=8.8.8.8") then setting "DNS=9.9.9.9" below will add up.
+# That means the final setting will be "DNS=8.8.8.8 9.9.9.9". If you
+# don't what that you need to "unset" the value first and then add the
+# value you want to have. E.g.:
+#
+# harden_linux_systemd_resolved_settings:
+#   - DNS=
+#   - DNS=9.9.9.9
+#
+# Other examples:
+#
+# harden_linux_systemd_resolved_settings:
+#   - DNS=9.9.9.9 1.1.1.1 2606:4700:4700::1111 2620:fe::fe
+#   - FallbackDNS=149.112.112.112 1.0.0.1 2620:fe::9 2606:4700:4700::1001
+#   - DNSOverTLS=opportunistic
+
 # By default only allow SSH inbound traffic.
 harden_linux_ufw_rules:
   - rule: "allow"

handlers/main.yml

@@ -39,3 +39,8 @@
   ansible.builtin.service:
     name: sshguard
     state: restarted
+
+- name: Restart systemd-resolved
+  ansible.builtin.service:
+    name: systemd-resolved
+    state: restarted