Hi all,
I recently took an interest in moving to a hardened debian-based distro and Kicksecure felt like the best option for me. I wanted to automate the installation of it by creating an Ansible task for it that can make it easy to install, as I have a playbook for Debian. Here are the bash commands I use around the playbook:
# Add /sbin to path to for user include its binaries in command line
export PATH=/sbin:$PATH
# User does not have sudo access, so switch to root
su root #`su` could be used, as it assumes root by default
# Adduser to sudo group
adduser user sudo
# Manually add user to sudo group (sudoers) by adding them under root and copying the same permissions as root
## Required since just adding user to sudo group doesn't seem to give user sudo command access
sudo visudo
# Exit from root
exit
# Install git and Ansible
sudo apt install git ansible -y
# Download the repository
git clone [repo_here]
# Change Directory into the repo
cd ansible
# Install Roles from Ansible Galaxy
ansible-galaxy install -r requirements.yml
# Run the playbook
ansible-playbook -i inventory.ini Debian.yml -K
#Reboot to finalize changes
reboot
By doing the setup with the commands above, am I increasing the attack surface since I am not doing it exactly how it is written on the Debian+Kicksecure steps? After install, other than being asked to remove “gnome-calculator”, I seem to be passing the systemcheck. I do understand that Debian-morphed-to-Kicksecure steps are there for a reason, and this is a niche support request. However, if there is no issue doing it this way, I would like to either submit this to documentation and/or just make it public for anyone to use.
P.S. Ansible task for context:
---
# Prerequisites
- name: Apt Update
ansible.builtin.apt:
update_cache: yes
become: true
- name: Apt Full-Upgrade
ansible.builtin.apt: upgrade=full
become: true
# Didn't include the --no-install-recommends here - couldn't find option for it other than ansible.builtin.shell module
## apt install --no-install-recommends sudo adduser
- name: Install sudo and adduser
ansible.builtin.apt:
pkg:
- sudo
- adduser
state: present
become: true
- name: Export /sbin to $PATH
ansible.builtin.shell: export PATH=/sbin:$PATH
- name: Ensure group "console" exists
ansible.builtin.group:
name: console
state: present
system: true
become: true
# Two steps more: adding user and then adding them to groups sudo and admin
- name: Add the user to sudo and console groups
ansible.builtin.user:
name: "{{ username }}"
groups: sudo,console
append: yes
become: true
## Steps mention to reboot, I reboot manually at the end
# Installation
- name: Install extrepo
ansible.builtin.apt:
name: extrepo
state: present
become: true
- name: Enable kicksecure repo
ansible.builtin.shell: extrepo enable kicksecure
become: true
- name: Apt Update
ansible.builtin.apt:
update_cache: yes
become: true
- name: Apt Full-Upgrade
ansible.builtin.apt: upgrade=full
become: true
- name: Install kicksecure-cli-host
ansible.builtin.apt:
name: kicksecure-cli-host
state: present
become: true
# Post-Installation
- name: Enable the /etc/apt/sources.list.d/derivative.list Kicksecure APT repository
ansible.builtin.shell: repository-dist --enable --repository stable
become: true
- name: Disable the extrepo kicksecure APT repository
ansible.builtin.shell: extrepo disable kicksecure
become: true
- name: Copy sources.list
ansible.builtin.copy:
src: /etc/apt/sources.list
dest: "/home/{{ username }}/sources.list.bak"
become: true
- name: Remove sources.list
ansible.builtin.file:
path: /etc/apt/sources.list
state: absent
become: true
- name: Touch sources.list
ansible.builtin.file:
path: /etc/apt/sources.list
state: touch
become: true