Role that manages security settings. For now:
- manages sshd params
- ensures /root has strict permissions
- hardens permissions for grub.cfg and a bunch of other dirs/files, see security_permissions list in defaults
- manages hidepid param for /proc
- disables auto-upgrades

```yaml
- role: security
  security_disable_hidepid_changing: true
```

| Param | Description |
|---|---|
| default_sshd_params | contains list of default params for sshd, double-check if you override it! |
| default_sysctl_params | contains list of default system params, double-check if you override it! |
| sshd_params | list for setting custom params for sshd, empty by default |
| security_disable_hidepid_changing | if set to "true", hidepid setup will be skipped. This will not revert any mount options or scripts that were already set up |
| security_permissions | see defaults |

So far, only the hidepid setup can be skipped. You can also override the default lists of sshd params with empty ones.
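
To confirm whether hidepid is actually in effect on a host, the mount options of /proc can be read back from the mount table. This is an added example, not part of the role: the function names `proc_hidepid` and `hidepid_at_least` are hypothetical, the sample mount table is constructed, and the minimum level to require is the caller's choice.

```shell
#!/bin/sh
# Added example, not part of the role. Function names are hypothetical.

# proc_hidepid [FILE]: print the hidepid level (0, 1, 2 or 4) of the procfs
# mounted on /proc. FILE is a mount table in /proc/mounts format
# (default /proc/mounts, "-" for stdin). Exit status 2: no procfs on /proc.
proc_hidepid() {
    awk '
        $2 == "/proc" && $3 == "proc" {
            found = 1; level = "0"          # option absent means hidepid=0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^hidepid=/) level = substr(opts[i], 9)
        }
        END {
            if (!found) exit 2
            # Linux 5.8+ also uses names for these levels.
            if (level == "off") level = 0
            else if (level == "noaccess") level = 1
            else if (level == "invisible") level = 2
            else if (level == "ptraceable") level = 4
            print level
        }
    ' "${1:-/proc/mounts}"
}

# hidepid_at_least MIN [FILE]: succeed only if the level is numerically >= MIN.
hidepid_at_least() {
    level=$(proc_hidepid "${2:-/proc/mounts}") || return 2
    [ "$level" -ge "$1" ]
}

# Constructed sample mount table, so the example runs on any machine.
sample_mounts() {
    cat <<'EOF'
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
EOF
}

sample_mounts | proc_hidepid -
```

On a real host, run `hidepid_at_least 2` with no file argument to check the live /proc/mounts.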
- Our article about security settings; links to other articles can be found there
- Hidepid doesn't work if nesting is disabled for an unprivileged container. More information is here.
- add skip option, for example: skip ssh configuration
- improve detection of installed unattended-upgrades after this issue
- improve tests (and clean out commented garbage)
- should we enforce Drone public key presence in authorized_keys?