├── .gitignore ├── LICENSE ├── README.md ├── group_vars └── variables.yml ├── hosts.yml ├── main-playbook.yml ├── requirements-playbook.yml └── roles ├── auditd └── tasks │ └── main.yml ├── clamav └── tasks │ └── main.yml ├── firewall ├── handlers │ └── main.yml └── tasks │ └── main.yml ├── lynis └── tasks │ └── main.yml ├── mail └── tasks │ └── main.yml ├── packages └── tasks │ └── main.yml ├── password-quality └── tasks │ └── main.yml ├── requirements └── tasks │ └── main.yml ├── rkhunter └── tasks │ └── main.yml ├── ssh ├── handlers │ └── main.yml └── tasks │ └── main.yml └── unattended-upgrades └── tasks └── main.yml /.gitignore: -------------------------------------------------------------------------------- 1 | group_vars/variables.yml 2 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Attribution-ShareAlike 4.0 International 2 | 3 | ======================================================================= 4 | 5 | Creative Commons Corporation ("Creative Commons") is not a law firm and 6 | does not provide legal services or legal advice. Distribution of 7 | Creative Commons public licenses does not create a lawyer-client or 8 | other relationship. Creative Commons makes its licenses and related 9 | information available on an "as-is" basis. Creative Commons gives no 10 | warranties regarding its licenses, any material licensed under their 11 | terms and conditions, or any related information. Creative Commons 12 | disclaims all liability for damages resulting from their use to the 13 | fullest extent possible. 14 | 15 | Using Creative Commons Public Licenses 16 | 17 | Creative Commons public licenses provide a standard set of terms and 18 | conditions that creators and other rights holders may use to share 19 | original works of authorship and other material subject to copyright 20 | and certain other rights specified in the public license below. The 21 | following considerations are for informational purposes only, are not 22 | exhaustive, and do not form part of our licenses. 23 | 24 | Considerations for licensors: Our public licenses are 25 | intended for use by those authorized to give the public 26 | permission to use material in ways otherwise restricted by 27 | copyright and certain other rights. Our licenses are 28 | irrevocable. Licensors should read and understand the terms 29 | and conditions of the license they choose before applying it. 30 | Licensors should also secure all rights necessary before 31 | applying our licenses so that the public can reuse the 32 | material as expected. Licensors should clearly mark any 33 | material not subject to the license. This includes other CC- 34 | licensed material, or material used under an exception or 35 | limitation to copyright. More considerations for licensors: 36 | wiki.creativecommons.org/Considerations_for_licensors 37 | 38 | Considerations for the public: By using one of our public 39 | licenses, a licensor grants the public permission to use the 40 | licensed material under specified terms and conditions. If 41 | the licensor's permission is not necessary for any reason--for 42 | example, because of any applicable exception or limitation to 43 | copyright--then that use is not regulated by the license. Our 44 | licenses grant only permissions under copyright and certain 45 | other rights that a licensor has authority to grant. Use of 46 | the licensed material may still be restricted for other 47 | reasons, including because others have copyright or other 48 | rights in the material. A licensor may make special requests, 49 | such as asking that all changes be marked or described. 50 | Although not required by our licenses, you are encouraged to 51 | respect those requests where reasonable. More considerations 52 | for the public: 53 | wiki.creativecommons.org/Considerations_for_licensees 54 | 55 | ======================================================================= 56 | 57 | Creative Commons Attribution-ShareAlike 4.0 International Public 58 | License 59 | 60 | By exercising the Licensed Rights (defined below), You accept and agree 61 | to be bound by the terms and conditions of this Creative Commons 62 | Attribution-ShareAlike 4.0 International Public License ("Public 63 | License"). To the extent this Public License may be interpreted as a 64 | contract, You are granted the Licensed Rights in consideration of Your 65 | acceptance of these terms and conditions, and the Licensor grants You 66 | such rights in consideration of benefits the Licensor receives from 67 | making the Licensed Material available under these terms and 68 | conditions. 69 | 70 | 71 | Section 1 -- Definitions. 72 | 73 | a. Adapted Material means material subject to Copyright and Similar 74 | Rights that is derived from or based upon the Licensed Material 75 | and in which the Licensed Material is translated, altered, 76 | arranged, transformed, or otherwise modified in a manner requiring 77 | permission under the Copyright and Similar Rights held by the 78 | Licensor. For purposes of this Public License, where the Licensed 79 | Material is a musical work, performance, or sound recording, 80 | Adapted Material is always produced where the Licensed Material is 81 | synched in timed relation with a moving image. 82 | 83 | b. Adapter's License means the license You apply to Your Copyright 84 | and Similar Rights in Your contributions to Adapted Material in 85 | accordance with the terms and conditions of this Public License. 86 | 87 | c. BY-SA Compatible License means a license listed at 88 | creativecommons.org/compatiblelicenses, approved by Creative 89 | Commons as essentially the equivalent of this Public License. 90 | 91 | d. Copyright and Similar Rights means copyright and/or similar rights 92 | closely related to copyright including, without limitation, 93 | performance, broadcast, sound recording, and Sui Generis Database 94 | Rights, without regard to how the rights are labeled or 95 | categorized. For purposes of this Public License, the rights 96 | specified in Section 2(b)(1)-(2) are not Copyright and Similar 97 | Rights. 98 | 99 | e. Effective Technological Measures means those measures that, in the 100 | absence of proper authority, may not be circumvented under laws 101 | fulfilling obligations under Article 11 of the WIPO Copyright 102 | Treaty adopted on December 20, 1996, and/or similar international 103 | agreements. 104 | 105 | f. Exceptions and Limitations means fair use, fair dealing, and/or 106 | any other exception or limitation to Copyright and Similar Rights 107 | that applies to Your use of the Licensed Material. 108 | 109 | g. License Elements means the license attributes listed in the name 110 | of a Creative Commons Public License. The License Elements of this 111 | Public License are Attribution and ShareAlike. 112 | 113 | h. Licensed Material means the artistic or literary work, database, 114 | or other material to which the Licensor applied this Public 115 | License. 116 | 117 | i. Licensed Rights means the rights granted to You subject to the 118 | terms and conditions of this Public License, which are limited to 119 | all Copyright and Similar Rights that apply to Your use of the 120 | Licensed Material and that the Licensor has authority to license. 121 | 122 | j. Licensor means the individual(s) or entity(ies) granting rights 123 | under this Public License. 124 | 125 | k. Share means to provide material to the public by any means or 126 | process that requires permission under the Licensed Rights, such 127 | as reproduction, public display, public performance, distribution, 128 | dissemination, communication, or importation, and to make material 129 | available to the public including in ways that members of the 130 | public may access the material from a place and at a time 131 | individually chosen by them. 132 | 133 | l. Sui Generis Database Rights means rights other than copyright 134 | resulting from Directive 96/9/EC of the European Parliament and of 135 | the Council of 11 March 1996 on the legal protection of databases, 136 | as amended and/or succeeded, as well as other essentially 137 | equivalent rights anywhere in the world. 138 | 139 | m. You means the individual or entity exercising the Licensed Rights 140 | under this Public License. Your has a corresponding meaning. 141 | 142 | 143 | Section 2 -- Scope. 144 | 145 | a. License grant. 146 | 147 | 1. Subject to the terms and conditions of this Public License, 148 | the Licensor hereby grants You a worldwide, royalty-free, 149 | non-sublicensable, non-exclusive, irrevocable license to 150 | exercise the Licensed Rights in the Licensed Material to: 151 | 152 | a. reproduce and Share the Licensed Material, in whole or 153 | in part; and 154 | 155 | b. produce, reproduce, and Share Adapted Material. 156 | 157 | 2. Exceptions and Limitations. For the avoidance of doubt, where 158 | Exceptions and Limitations apply to Your use, this Public 159 | License does not apply, and You do not need to comply with 160 | its terms and conditions. 161 | 162 | 3. Term. The term of this Public License is specified in Section 163 | 6(a). 164 | 165 | 4. Media and formats; technical modifications allowed. The 166 | Licensor authorizes You to exercise the Licensed Rights in 167 | all media and formats whether now known or hereafter created, 168 | and to make technical modifications necessary to do so. The 169 | Licensor waives and/or agrees not to assert any right or 170 | authority to forbid You from making technical modifications 171 | necessary to exercise the Licensed Rights, including 172 | technical modifications necessary to circumvent Effective 173 | Technological Measures. For purposes of this Public License, 174 | simply making modifications authorized by this Section 2(a) 175 | (4) never produces Adapted Material. 176 | 177 | 5. Downstream recipients. 178 | 179 | a. Offer from the Licensor -- Licensed Material. Every 180 | recipient of the Licensed Material automatically 181 | receives an offer from the Licensor to exercise the 182 | Licensed Rights under the terms and conditions of this 183 | Public License. 184 | 185 | b. Additional offer from the Licensor -- Adapted Material. 186 | Every recipient of Adapted Material from You 187 | automatically receives an offer from the Licensor to 188 | exercise the Licensed Rights in the Adapted Material 189 | under the conditions of the Adapter's License You apply. 190 | 191 | c. No downstream restrictions. You may not offer or impose 192 | any additional or different terms or conditions on, or 193 | apply any Effective Technological Measures to, the 194 | Licensed Material if doing so restricts exercise of the 195 | Licensed Rights by any recipient of the Licensed 196 | Material. 197 | 198 | 6. No endorsement. Nothing in this Public License constitutes or 199 | may be construed as permission to assert or imply that You 200 | are, or that Your use of the Licensed Material is, connected 201 | with, or sponsored, endorsed, or granted official status by, 202 | the Licensor or others designated to receive attribution as 203 | provided in Section 3(a)(1)(A)(i). 204 | 205 | b. Other rights. 206 | 207 | 1. Moral rights, such as the right of integrity, are not 208 | licensed under this Public License, nor are publicity, 209 | privacy, and/or other similar personality rights; however, to 210 | the extent possible, the Licensor waives and/or agrees not to 211 | assert any such rights held by the Licensor to the limited 212 | extent necessary to allow You to exercise the Licensed 213 | Rights, but not otherwise. 214 | 215 | 2. Patent and trademark rights are not licensed under this 216 | Public License. 217 | 218 | 3. To the extent possible, the Licensor waives any right to 219 | collect royalties from You for the exercise of the Licensed 220 | Rights, whether directly or through a collecting society 221 | under any voluntary or waivable statutory or compulsory 222 | licensing scheme. In all other cases the Licensor expressly 223 | reserves any right to collect such royalties. 224 | 225 | 226 | Section 3 -- License Conditions. 227 | 228 | Your exercise of the Licensed Rights is expressly made subject to the 229 | following conditions. 230 | 231 | a. Attribution. 232 | 233 | 1. If You Share the Licensed Material (including in modified 234 | form), You must: 235 | 236 | a. retain the following if it is supplied by the Licensor 237 | with the Licensed Material: 238 | 239 | i. identification of the creator(s) of the Licensed 240 | Material and any others designated to receive 241 | attribution, in any reasonable manner requested by 242 | the Licensor (including by pseudonym if 243 | designated); 244 | 245 | ii. a copyright notice; 246 | 247 | iii. a notice that refers to this Public License; 248 | 249 | iv. a notice that refers to the disclaimer of 250 | warranties; 251 | 252 | v. a URI or hyperlink to the Licensed Material to the 253 | extent reasonably practicable; 254 | 255 | b. indicate if You modified the Licensed Material and 256 | retain an indication of any previous modifications; and 257 | 258 | c. indicate the Licensed Material is licensed under this 259 | Public License, and include the text of, or the URI or 260 | hyperlink to, this Public License. 261 | 262 | 2. You may satisfy the conditions in Section 3(a)(1) in any 263 | reasonable manner based on the medium, means, and context in 264 | which You Share the Licensed Material. For example, it may be 265 | reasonable to satisfy the conditions by providing a URI or 266 | hyperlink to a resource that includes the required 267 | information. 268 | 269 | 3. If requested by the Licensor, You must remove any of the 270 | information required by Section 3(a)(1)(A) to the extent 271 | reasonably practicable. 272 | 273 | b. ShareAlike. 274 | 275 | In addition to the conditions in Section 3(a), if You Share 276 | Adapted Material You produce, the following conditions also apply. 277 | 278 | 1. The Adapter's License You apply must be a Creative Commons 279 | license with the same License Elements, this version or 280 | later, or a BY-SA Compatible License. 281 | 282 | 2. You must include the text of, or the URI or hyperlink to, the 283 | Adapter's License You apply. You may satisfy this condition 284 | in any reasonable manner based on the medium, means, and 285 | context in which You Share Adapted Material. 286 | 287 | 3. You may not offer or impose any additional or different terms 288 | or conditions on, or apply any Effective Technological 289 | Measures to, Adapted Material that restrict exercise of the 290 | rights granted under the Adapter's License You apply. 291 | 292 | 293 | Section 4 -- Sui Generis Database Rights. 294 | 295 | Where the Licensed Rights include Sui Generis Database Rights that 296 | apply to Your use of the Licensed Material: 297 | 298 | a. for the avoidance of doubt, Section 2(a)(1) grants You the right 299 | to extract, reuse, reproduce, and Share all or a substantial 300 | portion of the contents of the database; 301 | 302 | b. if You include all or a substantial portion of the database 303 | contents in a database in which You have Sui Generis Database 304 | Rights, then the database in which You have Sui Generis Database 305 | Rights (but not its individual contents) is Adapted Material, 306 | 307 | including for purposes of Section 3(b); and 308 | c. You must comply with the conditions in Section 3(a) if You Share 309 | all or a substantial portion of the contents of the database. 310 | 311 | For the avoidance of doubt, this Section 4 supplements and does not 312 | replace Your obligations under this Public License where the Licensed 313 | Rights include other Copyright and Similar Rights. 314 | 315 | 316 | Section 5 -- Disclaimer of Warranties and Limitation of Liability. 317 | 318 | a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE 319 | EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS 320 | AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF 321 | ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, 322 | IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, 323 | WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR 324 | PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, 325 | ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT 326 | KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT 327 | ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. 328 | 329 | b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE 330 | TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, 331 | NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, 332 | INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, 333 | COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR 334 | USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN 335 | ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR 336 | DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR 337 | IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. 338 | 339 | c. The disclaimer of warranties and limitation of liability provided 340 | above shall be interpreted in a manner that, to the extent 341 | possible, most closely approximates an absolute disclaimer and 342 | waiver of all liability. 343 | 344 | 345 | Section 6 -- Term and Termination. 346 | 347 | a. This Public License applies for the term of the Copyright and 348 | Similar Rights licensed here. However, if You fail to comply with 349 | this Public License, then Your rights under this Public License 350 | terminate automatically. 351 | 352 | b. Where Your right to use the Licensed Material has terminated under 353 | Section 6(a), it reinstates: 354 | 355 | 1. automatically as of the date the violation is cured, provided 356 | it is cured within 30 days of Your discovery of the 357 | violation; or 358 | 359 | 2. upon express reinstatement by the Licensor. 360 | 361 | For the avoidance of doubt, this Section 6(b) does not affect any 362 | right the Licensor may have to seek remedies for Your violations 363 | of this Public License. 364 | 365 | c. For the avoidance of doubt, the Licensor may also offer the 366 | Licensed Material under separate terms or conditions or stop 367 | distributing the Licensed Material at any time; however, doing so 368 | will not terminate this Public License. 369 | 370 | d. Sections 1, 5, 6, 7, and 8 survive termination of this Public 371 | License. 372 | 373 | 374 | Section 7 -- Other Terms and Conditions. 375 | 376 | a. The Licensor shall not be bound by any additional or different 377 | terms or conditions communicated by You unless expressly agreed. 378 | 379 | b. Any arrangements, understandings, or agreements regarding the 380 | Licensed Material not stated herein are separate from and 381 | independent of the terms and conditions of this Public License. 382 | 383 | 384 | Section 8 -- Interpretation. 385 | 386 | a. For the avoidance of doubt, this Public License does not, and 387 | shall not be interpreted to, reduce, limit, restrict, or impose 388 | conditions on any use of the Licensed Material that could lawfully 389 | be made without permission under this Public License. 390 | 391 | b. To the extent possible, if any provision of this Public License is 392 | deemed unenforceable, it shall be automatically reformed to the 393 | minimum extent necessary to make it enforceable. If the provision 394 | cannot be reformed, it shall be severed from this Public License 395 | without affecting the enforceability of the remaining terms and 396 | conditions. 397 | 398 | c. No term or condition of this Public License will be waived and no 399 | failure to comply consented to unless expressly agreed to by the 400 | Licensor. 401 | 402 | d. Nothing in this Public License constitutes or may be interpreted 403 | as a limitation upon, or waiver of, any privileges and immunities 404 | that apply to the Licensor or You, including from the legal 405 | processes of any jurisdiction or authority. 406 | 407 | 408 | ======================================================================= 409 | 410 | Creative Commons is not a party to its public 411 | licenses. Notwithstanding, Creative Commons may elect to apply one of 412 | its public licenses to material it publishes and in those instances 413 | will be considered the “Licensor.” The text of the Creative Commons 414 | public licenses is dedicated to the public domain under the CC0 Public 415 | Domain Dedication. Except for the limited purpose of indicating that 416 | material is shared under a Creative Commons public license or as 417 | otherwise permitted by the Creative Commons policies published at 418 | creativecommons.org/policies, Creative Commons does not authorize the 419 | use of the trademark "Creative Commons" or any other trademark or logo 420 | of Creative Commons without its prior written consent including, 421 | without limitation, in connection with any unauthorized modifications 422 | to any of its public licenses or any other arrangements, 423 | understandings, or agreements concerning use of licensed material. For 424 | the avoidance of doubt, this paragraph does not form part of the 425 | public licenses. 426 | 427 | Creative Commons may be contacted at creativecommons.org. 428 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # How To Secure A Linux Server With Ansible 2 | Ansible playbooks of ["How To Secure A Linux Server"](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server). 3 | 4 | These Ansible playbooks are made to help install secure Linux servers faster. 5 | 6 | ## How to get started 7 | 1. Install [Ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html) 8 | 2. git clone this repository 9 | ``` 10 | git clone https://github.com/moltenbit/How-To-Secure-A-Linux-Server-With-Ansible 11 | cd How-To-Secure-A-Linux-Server-With-Ansible 12 | ``` 13 | 14 | 4. [Create SSH-Public/Private-Keys](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server#ssh-publicprivate-keys) 15 | ``` 16 | ssh-keygen -t ed25519 17 | ``` 18 | 19 | 5. Change all variables in *group_vars/variables.yml* according to your needs. 20 | 6. Enable SSH root access before running the playbooks: 21 | 22 | ``` 23 | nano /etc/ssh/sshd_config 24 | [...] 25 | PermitRootLogin yes 26 | [...] 27 | ``` 28 | 29 | 7. Recommended: configure static IP address on your system. 30 | 8. Add your systems IP address to *hosts.yml*. 31 | 32 |   33 | 34 | Run the requirements playbook using the root password you specified while installing the server: 35 | 36 | ansible-playbook --inventory hosts.yml --ask-pass requirements-playbook.yml 37 | 38 |   39 | 40 | Run the main playbook with the new users password you specified in the *variables.yml* file: 41 | 42 | ansible-playbook --inventory hosts.yml --ask-pass main-playbook.yml 43 | 44 |   45 | 46 | If you need to run the playbooks multiple times remember to use the SSH key and the new SSH port: 47 | 48 | ansible-playbook --inventory hosts.yml -e ansible_ssh_port=SSH_PORT --key-file /PATH/TO/SSH/KEY main-playbook.yml 49 | 50 |   51 | 52 | Tested on Debian 12 Bookworm. 53 | 54 | ## Configurations 55 | The playbook uses most of the settings from ["How To Secure A Linux Server"](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server) / my choices if the guide has more than one option to do something. 56 | 57 | ### Requirements 58 | - sudo installed 59 | - groups created for *sshusers*, *sudousers* and *suusers* 60 | - new user created with the name specified in *variables.yml* and added to groups 61 | - use of sudo limited to sudousers group 62 | - use of su limited to suusers group 63 | - passwordless sudo enabled for the new user 64 | - SSH public key added to authorized_keys file 65 | 66 | ### auditd 67 | Uses best practice rules from [Neo23x0](https://github.com/Neo23x0) 68 | 69 | ### ClamAV 70 | ClamAV is set to run everyday at 3 AM to scan the full system, exluding sys folders. 71 | 72 | ### Firewall: UFW 73 | UFW is set to default deny in and out. 74 | The SSH-Port is set to *limit in*, allowed outgoing ports by default are 53 (DNS), 123 (NTP), 80 (http), 443 (https) and the mail port specified in *variables.yml*. 75 | 76 | ### Firewall: PSAD and Fail2Ban 77 | PSAD and Fail2Ban is configured according to "How To Secure A Linux Server" guide. 78 | 79 | ### Lynis 80 | Lynis is configured according to "How To Secure A Linux Server" guide and will run an audit + send the report as an attachment to your mail address configured in *variables.yml*. 81 | Current Lynis rating is 77. 82 | 83 | ### Mail 84 | For mailing I chose msmtp with the help from [Decatec's guide](https://decatec.de/linux/linux-einfach-e-mails-versenden-mit-msmtp/). This will send a testmail. 85 | 86 | ### Packages 87 | Installed packages are: 88 | - apt-transport-https 89 | - ca-certificates 90 | - host 91 | - kbtin 92 | - ntp 93 | - libpam-pwquality 94 | - unattended-upgrades 95 | - apt-listchanges 96 | - apticron 97 | - ufw 98 | - psad 99 | - fail2ban 100 | - msmtp 101 | - msmtp-mta 102 | - mailutils 103 | - clamav 104 | - clamav-freshclam 105 | - clamav-daemon 106 | - rkhunter 107 | - auditd 108 | - audispd-plugins 109 | 110 | ### Password quality 111 | Password quality is done via pam_pwquality according to "How To Secure A Linux Server" guide. 112 | 113 | ### Rkhunter 114 | Rkhunter is configured according to "How To Secure A Linux Server" guide. 115 | 116 | ### SSH 117 | SSH is configured according to "How To Secure A Linux Server" guide. 118 | 119 | ### Unattended upgrades 120 | Unattended upgrades is configured to only upgrade security upgrades automatically. Automatic restarts are enabled. 121 | 122 | ## Plans / ToDos 123 | - [ ] use Ansible vault to securely store secrets 124 | 125 | ## Warning! 126 | Read all tasks carefully and make sure they do not break your system before using these playbooks! Do not rely solely on the Ansible playbooks for security! It is your responsibility to make sure all settings you need have been set and are working. This is just a starting point! Depending on your needs and goals make sure to further secure your system. 127 | 128 | ## Credits 129 | - [imthenachoman](https://github.com/imthenachoman) for creating the great [How To Secure A Linux Server](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server) guide 130 | - [Neo23x0](https://github.com/Neo23x0) for the auditd best practice rules 131 | - [Decatec](https://decatec.de/linux/linux-einfach-e-mails-versenden-mit-msmtp/) for the easy mail configuration 132 | -------------------------------------------------------------------------------- /group_vars/variables.yml: -------------------------------------------------------------------------------- 1 | sshpub_location: SSH_PUBKEY_HERE #the full path to your SSH public key ( e.g. /Users/username/.ssh/id_ed25519.pub ) 2 | root_pw: "PASSWORD_HERE" #root password that should be set 3 | user_name: USERNAME_HERE #username for the created user 4 | user_pw: "PASSWORD_HERE" #password for the new user 5 | ssh_port: 55899 #port number for ssh 6 | mail_to: mailto@example.com #the mail address where mails should be sent to 7 | mail_from: mailfrom@example.com #the mail address where mails are sent from 8 | mail_smtp_server: smtp.example.com #mail server, e.g. smtp.gmail.com 9 | mail_pw: PASSWORD_HERE #password for the mail_from mail address 10 | mail_port: 587 #the port where mails are sent to the mail server, e.g. 587 11 | 12 | -------------------------------------------------------------------------------- /hosts.yml: -------------------------------------------------------------------------------- 1 | [debian-server] 2 | SERVER-IPADDRESS-HERE 3 | -------------------------------------------------------------------------------- /main-playbook.yml: -------------------------------------------------------------------------------- 1 | - name: Main-Playbook 2 | hosts: debian-server 3 | remote_user: "{{ user_name }}" 4 | gather_facts: yes 5 | vars_files: ./group_vars/variables.yml 6 | 7 | roles: 8 | - packages 9 | - ssh 10 | - password-quality 11 | - unattended-upgrades 12 | - firewall 13 | - mail 14 | - clamav 15 | - rkhunter 16 | - auditd 17 | - lynis -------------------------------------------------------------------------------- /requirements-playbook.yml: -------------------------------------------------------------------------------- 1 | - name: Requirements-Playbook 2 | hosts: debian-server 3 | remote_user: root 4 | vars_files: ./group_vars/variables.yml 5 | 6 | roles: 7 | - requirements -------------------------------------------------------------------------------- /roles/auditd/tasks/main.yml: -------------------------------------------------------------------------------- 1 | 2 | - name: remove default auditd rules and download best practice rules 3 | become: true 4 | shell: | 5 | rm /etc/audit/rules.d/audit.rules 6 | wget -P /etc/audit/rules.d/ https://raw.githubusercontent.com/Neo23x0/auditd/master/audit.rules 7 | service auditd restart 8 | 9 | -------------------------------------------------------------------------------- /roles/clamav/tasks/main.yml: -------------------------------------------------------------------------------- 1 | 2 | - name: set cron MAILTO 3 | become: true 4 | cronvar: 5 | user: root 6 | name: MAILTO 7 | value: "{{ mail_to }}" 8 | 9 | - name: add crontab to run clamav daily at 3 AM 10 | become: true 11 | cron: 12 | name: clamav daily run 13 | minute: "0" 14 | hour: "3" 15 | job: "/usr/bin/clamscan -ri --exclude-dir=\"^/sys\" --no-summary /" 16 | user: root 17 | -------------------------------------------------------------------------------- /roles/firewall/handlers/main.yml: -------------------------------------------------------------------------------- 1 | - name: restart ufw service 2 | become: yes 3 | service: 4 | name: ufw 5 | state: restarted 6 | 7 | - name: restart psad service 8 | become: yes 9 | service: 10 | name: psad 11 | state: restarted 12 | 13 | - name: restart fail2ban service 14 | become: yes 15 | service: 16 | name: fail2ban 17 | state: restarted -------------------------------------------------------------------------------- /roles/firewall/tasks/main.yml: -------------------------------------------------------------------------------- 1 | 2 | - name: default config for ufw 3 | become: true 4 | ufw: 5 | state: enabled 6 | logging: on 7 | notify: restart ufw service 8 | 9 | - name: ufw - default deny in 10 | become: true 11 | ufw: 12 | policy: deny 13 | direction: incoming 14 | notify: restart ufw service 15 | 16 | - name: ufw - default deny out 17 | become: true 18 | ufw: 19 | policy: deny 20 | direction: outgoing 21 | notify: restart ufw service 22 | 23 | - name: ufw - configure ssh rule 24 | become: true 25 | ufw: 26 | rule: limit 27 | direction: in 28 | to_port: "{{ ssh_port }}" 29 | notify: restart ufw service 30 | 31 | - name: ufw - allow outgoing ports 32 | become: true 33 | ufw: 34 | rule: allow 35 | direction: out 36 | to_port: "{{ item }}" 37 | with_items: 38 | - "43" 39 | - "53" 40 | - "123" 41 | - "80" 42 | - "443" 43 | - "{{ mail_port }}" #outgoing mail port 44 | notify: restart ufw service 45 | 46 | - name: configure psad 47 | become: true 48 | lineinfile: 49 | dest: /etc/psad/psad.conf 50 | regexp: "{{ item.regexp }}" 51 | line: "{{ item.line }}" 52 | loop: 53 | - { regexp: '^EMAIL_ADDRESSES', line: 'EMAIL_ADDRESSES {{ mail_to }};' } 54 | - { regexp: '^EXPECT_TCP_OPTIONS', line: 'EXPECT_TCP_OPTIONS Y;'} 55 | - { regexp: '^ENABLE_PSADWATCHD', line: 'ENABLE_PSADWATCHD Y;'} 56 | - { regexp: '^ENABLE_AUTO_IDS ', line: 'ENABLE_AUTO_IDS Y;'} 57 | - { regexp: '^ENABLE_AUTO_IDS_EMAILS', line: 'ENABLE_AUTO_IDS_EMAILS Y;'} 58 | - { regexp: '^AUTO_IDS_DANGER_LEVEL', line: 'AUTO_IDS_DANGER_LEVEL 3;'} 59 | - { regexp: '^HOSTNAME', line: 'HOSTNAME {{ ansible_hostname }};'} 60 | notify: restart psad service 61 | 62 | - name: add logging to ufw before.rules 63 | become: true 64 | blockinfile: 65 | dest: /etc/ufw/before.rules 66 | insertbefore: "COMMIT" 67 | marker: "# {mark} ANSIBLE MANAGED BLOCK" 68 | block: | 69 | # log all traffic so psad can analyze 70 | -A INPUT -j LOG --log-tcp-options --log-prefix "[IPTABLES] " 71 | -A FORWARD -j LOG --log-tcp-options --log-prefix "[IPTABLES] " 72 | notify: restart ufw service 73 | 74 | - name: add logging to ufw before6.rules 75 | become: true 76 | blockinfile: 77 | dest: /etc/ufw/before6.rules 78 | insertbefore: "COMMIT" 79 | marker: "# {mark} ANSIBLE MANAGED BLOCK" 80 | block: | 81 | # log all traffic so psad can analyze 82 | -A INPUT -j LOG --log-tcp-options --log-prefix "[IPTABLES] " 83 | -A FORWARD -j LOG --log-tcp-options --log-prefix "[IPTABLES] " 84 | notify: restart ufw service 85 | 86 | - name: update psad signatures 87 | become: true 88 | shell: | 89 | psad --sig-update 90 | 91 | - name: configure fail2ban 92 | become: true 93 | blockinfile: 94 | path: /etc/fail2ban/jail.local 95 | block: | 96 | [DEFAULT] 97 | # the IP address range we want to ignore 98 | ignoreip = 127.0.0.1/8 99 | 100 | # who to send e-mail to 101 | destemail = {{ mail_to }} 102 | 103 | # who is the email from 104 | sender = {{ mail_from }} 105 | 106 | # since we're using exim4 to send emails 107 | mta = mail 108 | 109 | # get email alerts 110 | action = %(action_mwl)s 111 | create: true 112 | notify: restart fail2ban service 113 | 114 | - name: fail2ban - configure ssh jail 115 | become: true 116 | blockinfile: 117 | path: /etc/fail2ban/jail.d/ssh.local 118 | block: | 119 | [sshd] 120 | enabled = true 121 | banaction = ufw 122 | port = {{ ssh_port }} 123 | filter = sshd 124 | logpath = %(sshd_log)s 125 | maxretry = 5 126 | create: true 127 | notify: restart fail2ban service 128 | 129 | -------------------------------------------------------------------------------- /roles/lynis/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: update and upgrade 2 | become: true 3 | apt: 4 | update_cache: yes 5 | upgrade: yes 6 | 7 | - name: install lynis dependencies 8 | become: true 9 | apt: 10 | name: gpg 11 | state: present 12 | 13 | - name: prepare lynis installation 14 | become: true 15 | shell: | 16 | curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg 17 | echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list 18 | 19 | - name: update and upgrade 20 | become: true 21 | apt: 22 | update_cache: yes 23 | upgrade: yes 24 | 25 | - name: install lynis 26 | become: true 27 | apt: 28 | name: lynis 29 | state: present 30 | 31 | - name: update and run first lynis audit 32 | become: true 33 | shell: | 34 | lynis update info 35 | lynis audit system | ansi2html -l > /tmp/lynis-report.html 36 | echo "First Lynis report see attachment" | mail -A /tmp/lynis-report.html -s "Lynis report" {{ mail_to }} -------------------------------------------------------------------------------- /roles/mail/tasks/main.yml: -------------------------------------------------------------------------------- 1 | 2 | - name: configure mail settings 3 | become: true 4 | blockinfile: 5 | path: /etc/msmtprc 6 | block: | 7 | defaults 8 | port {{ mail_port }} 9 | tls on 10 | tls_trust_file /etc/ssl/certs/ca-certificates.crt 11 | account {{ mail_from }} 12 | host {{ mail_smtp_server }} 13 | set_from_header on 14 | from {{ mail_from }} 15 | auth on 16 | user {{ mail_from }} 17 | password {{ mail_pw }} 18 | account default: {{ mail_from }} 19 | aliases /etc/aliases 20 | logfile /var/log/msmtp 21 | create: true 22 | 23 | - name: chmod mail config file 24 | become: true 25 | file: 26 | path: /etc/msmtprc 27 | group: msmtp 28 | mode: '640' 29 | 30 | - name: configure mail settings pt. 2 31 | become: true 32 | lineinfile: 33 | dest: /etc/aliases 34 | regexp: "{{ item.regexp }}" 35 | line: "{{ item.line }}" 36 | create: true 37 | loop: 38 | - { regexp: '^root:', line: 'root: {{ mail_to }}' } 39 | - { regexp: '^default:', line: 'default: {{ mail_to }}' } 40 | 41 | - name: configure mail settings pt. 3 42 | become: true 43 | lineinfile: 44 | path: /etc/mail.rc 45 | regexp: '^set sendmail' 46 | line: 'set sendmail="/usr/bin/msmtp -t"' 47 | create: yes 48 | 49 | - name: send a testmail 50 | become: true 51 | shell: echo "Testmail content" | mail -s "Testmail subject" {{ mail_to }} 52 | -------------------------------------------------------------------------------- /roles/packages/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: update and upgrade 2 | become: true 3 | apt: 4 | update_cache: yes 5 | upgrade: yes 6 | 7 | - name: install packages 8 | become: true 9 | apt: 10 | name: 11 | - apt-transport-https 12 | - ca-certificates 13 | - host 14 | - kbtin 15 | - ntp 16 | - libpam-pwquality 17 | - unattended-upgrades 18 | - apt-listchanges 19 | - apticron 20 | - ufw 21 | - psad 22 | - fail2ban 23 | - msmtp 24 | - msmtp-mta 25 | - mailutils 26 | - clamav 27 | - clamav-freshclam 28 | - clamav-daemon 29 | - rkhunter 30 | - auditd 31 | - audispd-plugins 32 | state: present 33 | -------------------------------------------------------------------------------- /roles/password-quality/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: enforce strong passwords with pam_pwquality 2 | become: true 3 | lineinfile: 4 | dest: /etc/pam.d/common-password 5 | regexp: '^.*pam_pwquality.so.*$' 6 | line: 'password requisite pam_pwquality.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 maxrepeat=3 gecoschec' 7 | -------------------------------------------------------------------------------- /roles/requirements/tasks/main.yml: -------------------------------------------------------------------------------- 1 | - name: apt update 2 | apt: 3 | update_cache: yes 4 | upgrade: false 5 | 6 | - name: install sudo via apt 7 | apt: 8 | name: sudo 9 | 10 | - name: create group for ssh users 11 | group: 12 | name: sshusers 13 | 14 | - name: create group for su users 15 | group: 16 | name: suusers 17 | 18 | - name: create group for sudo users 19 | group: 20 | name: sudousers 21 | 22 | - name: create new user with password, add to groups 23 | user: 24 | name: "{{ user_name }}" 25 | password: "{{ user_pw | password_hash('sha512')}}" 26 | groups: "sshusers, sudousers, suusers" 27 | shell: /bin/bash 28 | 29 | - name: limit sudo to sudousers groups 30 | lineinfile: 31 | path: /etc/sudoers 32 | regexp: '^%sudousers' 33 | line: '%sudousers ALL=(ALL:ALL) ALL' 34 | 35 | - name: limit who can use su 36 | register: sustd 37 | shell: | 38 | sudo dpkg-statoverride --update --add root suusers 4750 /bin/su 39 | failed_when: 40 | - sustd.rc != 0 41 | - '"exist" not in sustd.stderr' # this has to be changed: unsure how to skip the "already exist" error in other languages 42 | 43 | - name: passwordless sudo for new user 44 | lineinfile: 45 | path: /etc/sudoers 46 | regexp: '^{{ user_name }}' 47 | line: '{{ user_name }} ALL=(ALL) NOPASSWD: ALL' 48 | state: present 49 | mode: 0440 50 | create: yes 51 | validate: 'visudo -cf %s' 52 | 53 | - name: add authorized keys for new user 54 | authorized_key: 55 | user: "{{ user_name }}" 56 | key: "{{ lookup('file', sshpub_location) }}" 57 | 58 | 59 | -------------------------------------------------------------------------------- /roles/rkhunter/tasks/main.yml: -------------------------------------------------------------------------------- 1 | 2 | - name: copy rkhunter's default config file 3 | become: true 4 | shell: cp -p /etc/rkhunter.conf /etc/rkhunter.conf.local 5 | 6 | - name: configure rkhunter 7 | become: true 8 | lineinfile: 9 | dest: /etc/rkhunter.conf.local 10 | regexp: "{{ item.regexp }}" 11 | line: "{{ item.line }}" 12 | loop: 13 | - { regexp: '^UPDATE_MIRRORS', line: 'UPDATE_MIRRORS=1' } 14 | - { regexp: '^MIRRORS_MODE', line: 'MIRRORS_MODE=0'} 15 | - { regexp: '^MAIL-ON-WARNING', line: 'MAIL-ON-WARNING={{ mail_to }}'} 16 | - { regexp: '^COPY_LOG_ON_ERROR', line: 'COPY_LOG_ON_ERROR=1'} 17 | - { regexp: '^PHALANX2_DIRTEST', line: 'PHALANX2_DIRTEST=1'} 18 | - { regexp: '^WEB_CMD', line: 'WEB_CMD=""'} 19 | - { regexp: '^USE_LOCKING', line: 'USE_LOCKING=1'} 20 | - { regexp: '^SHOW_SUMMARY_WARNINGS_NUMBER', line: 'SHOW_SUMMARY_WARNINGS_NUMBER=1'} 21 | 22 | - name: configure rkhunter pt. 2 23 | become: true 24 | lineinfile: 25 | dest: /etc/default/rkhunter 26 | regexp: "{{ item.regexp }}" 27 | line: "{{ item.line }}" 28 | loop: 29 | - { regexp: '^CRON_DAILY_RUN', line: 'CRON_DAILY_RUN="true"' } 30 | - { regexp: '^CRON_DB_UPDATE', line: 'CRON_DB_UPDATE="true"' } 31 | - { regexp: '^DB_UPDATE_EMAIL', line: 'DB_UPDATE_EMAIL="false"' } 32 | - { regexp: '^REPORT_EMAIL', line: 'REPORT_EMAIL="root"' } 33 | - { regexp: '^APT_AUTOGEN', line: 'APT_AUTOGEN="true"' } 34 | - { regexp: '^NICE', line: 'NICE="0"' } 35 | - { regexp: '^RUN_CHECK_ON_BATTERY', line: 'RUN_CHECK_ON_BATTERY="false"' } 36 | 37 | - name: update rkhunter 38 | become: true 39 | shell: | 40 | rkhunter --update 41 | rkhunter --propupd 42 | -------------------------------------------------------------------------------- /roles/ssh/handlers/main.yml: -------------------------------------------------------------------------------- 1 | - name: restart ssh service 2 | become: yes 3 | service: 4 | name: ssh 5 | state: restarted -------------------------------------------------------------------------------- /roles/ssh/tasks/main.yml: -------------------------------------------------------------------------------- 1 | 2 | - name: secure ssh configuration 3 | become: true 4 | blockinfile: 5 | path: /etc/ssh/sshd_config 6 | block: | 7 | ######################################################################################################## 8 | # start settings from https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67 as of 2019-01-01 9 | ######################################################################################################## 10 | # Supported HostKey algorithms by order of preference. 11 | HostKey /etc/ssh/ssh_host_ed25519_key 12 | HostKey /etc/ssh/ssh_host_rsa_key 13 | HostKey /etc/ssh/ssh_host_ecdsa_key 14 | KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 15 | Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr 16 | MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com 17 | # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in. 18 | LogLevel VERBOSE 19 | # Use kernel sandbox mechanisms where possible in unprivileged processes 20 | # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere. 21 | # Note: This setting is deprecated in OpenSSH 7.5 (https://www.openssh.com/txt/release-7.5) 22 | # UsePrivilegeSeparation sandbox 23 | ######################################################################################################## 24 | # end settings from https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67 as of 2019-01-01 25 | ######################################################################################################## 26 | # don't let users set environment variables 27 | PermitUserEnvironment no 28 | # only use the newer, more secure protocol 29 | Protocol 2 30 | # disable port forwarding 31 | AllowTcpForwarding no 32 | AllowStreamLocalForwarding no 33 | GatewayPorts no 34 | PermitTunnel no 35 | # don't allow login if the account has an empty password 36 | PermitEmptyPasswords no 37 | # ignore .rhosts and .shosts 38 | IgnoreRhosts yes 39 | # verify hostname matches IP 40 | UseDNS yes 41 | Compression no 42 | TCPKeepAlive no 43 | AllowAgentForwarding no 44 | # don't allow .rhosts or /etc/hosts.equiv 45 | HostbasedAuthentication no 46 | notify: restart ssh service 47 | 48 | - name: secure ssh configuration part 2 49 | become: true 50 | lineinfile: 51 | dest: /etc/ssh/sshd_config 52 | regexp: "{{ item.regexp }}" 53 | line: "{{ item.line }}" 54 | loop: 55 | - { regexp: '^AllowGroups', line: 'AllowGroups sshusers' } 56 | - { regexp: '^ClientAliveCountMax', line: 'ClientAliveCountMax 0'} 57 | - { regexp: '^ClientAliveInterval', line: 'ClientAliveInterval 300'} 58 | - { regexp: '^ListenAddress', line: 'ListenAddress 0.0.0.0'} 59 | - { regexp: '^LoginGraceTime', line: 'LoginGraceTime 30'} 60 | - { regexp: '^MaxAuthTries', line: 'MaxAuthTries 2'} 61 | - { regexp: '^MaxSessions', line: 'MaxSessions 2'} 62 | - { regexp: '^MaxStartups', line: 'MaxStartups 2'} 63 | - { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no'} 64 | - { regexp: '^Port', line: 'Port {{ ssh_port }}'} 65 | - { regexp: '^PermitRootLogin', line: 'PermitRootLogin no'} 66 | - { regexp: '^X11Forwarding', line: 'X11Forwarding no'} 67 | - { regexp: '^Subsystem', line: 'Subsystem sftp internal-sftp -f AUTHPRIV -l INFO'} 68 | notify: restart ssh service 69 | 70 | - name: remove short diffie diffie-hellman 71 | become: true 72 | shell: | 73 | awk '$5 >= 3071' /etc/ssh/moduli | sudo tee /etc/ssh/moduli.tmp 74 | mv /etc/ssh/moduli.tmp /etc/ssh/moduli 75 | notify: restart ssh service -------------------------------------------------------------------------------- /roles/unattended-upgrades/tasks/main.yml: -------------------------------------------------------------------------------- 1 | 2 | - name: configure unattended upgrades to only install security upgrades 3 | become: true 4 | blockinfile: 5 | path: /etc/apt/apt.conf.d/51myunattended-upgrades 6 | block: | 7 | // Enable the update/upgrade script (0=disable) 8 | APT::Periodic::Enable "1"; 9 | 10 | // Do "apt-get update" automatically every n-days (0=disable) 11 | APT::Periodic::Update-Package-Lists "1"; 12 | 13 | // Do "apt-get upgrade --download-only" every n-days (0=disable) 14 | APT::Periodic::Download-Upgradeable-Packages "1"; 15 | 16 | // Do "apt-get autoclean" every n-days (0=disable) 17 | APT::Periodic::AutocleanInterval "7"; 18 | 19 | // Send report mail to root 20 | // 0: no report (or null string) 21 | // 1: progress report (actually any string) 22 | // 2: + command outputs (remove -qq, remove 2>/dev/null, add -d) 23 | // 3: + trace on APT::Periodic::Verbose "2"; 24 | APT::Periodic::Unattended-Upgrade "1"; 25 | 26 | // Automatically upgrade packages from these 27 | Unattended-Upgrade::Origins-Pattern { 28 | // "o=Debian,a=stable"; 29 | //"o=Debian,a=stable-updates"; 30 | "origin=Debian,codename=${distro_codename},label=Debian-Security"; 31 | }; 32 | 33 | // You can specify your own packages to NOT automatically upgrade here 34 | Unattended-Upgrade::Package-Blacklist { 35 | }; 36 | 37 | // Run dpkg --force-confold --configure -a if a unclean dpkg state is detected to true to ensure that updates get installed even when the system got interrupted during a previous run 38 | Unattended-Upgrade::AutoFixInterruptedDpkg "true"; 39 | 40 | //Perform the upgrade when the machine is running because we wont be shutting our server down often 41 | Unattended-Upgrade::InstallOnShutdown "false"; 42 | 43 | // Send an email to this address with information about the packages upgraded. 44 | Unattended-Upgrade::Mail "root"; 45 | 46 | // Always send an e-mail 47 | Unattended-Upgrade::MailOnlyOnError "false"; 48 | 49 | // Remove all unused dependencies after the upgrade has finished 50 | Unattended-Upgrade::Remove-Unused-Dependencies "true"; 51 | 52 | // Remove any new unused dependencies after the upgrade has finished 53 | Unattended-Upgrade::Remove-New-Unused-Dependencies "true"; 54 | 55 | // Automatically reboot WITHOUT CONFIRMATION if the file /var/run/reboot-required is found after the upgrade. 56 | Unattended-Upgrade::Automatic-Reboot "true"; 57 | 58 | // Automatically reboot even if users are logged in. 59 | Unattended-Upgrade::Automatic-Reboot-WithUsers "true"; 60 | create: true 61 | --------------------------------------------------------------------------------