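---
# Host hardening tasks: sshd, rkhunter, ClamAV and a few system defaults.
# Everything except the fact gathering runs with become: true.

- name: '[setup] gather facts if not already done'
  ansible.builtin.setup:
    gather_subset:
      - distribution  # ansible_distribution selects the per-distro templates below

- name: '[ssh] hardening sshd'
  become: true
  block:
    # Both sshd files are syntax-checked with `sshd -t` before they replace the
    # live copy. Without this a broken template is installed and only fails in
    # the restart handler, which locks everyone out of the host.
    - name: '[ssh] setup sshd_config'
      ansible.builtin.template:
        src: ../templates/openssh-server/sshd_config.j2
        dest: /etc/ssh/sshd_config
        mode: '0644'
        validate: /usr/sbin/sshd -t -f %s

    - name: '[ssh] setup sshd_config.d'
      ansible.builtin.template:
        src: ../templates/openssh-server/sshd_config.d/encryption.conf.j2
        dest: /etc/ssh/sshd_config.d/encryption.conf
        mode: '0644'
        # The fragment is validated on its own, so it must be self-contained
        # (algorithm lists only, nothing that depends on the main file).
        validate: /usr/sbin/sshd -t -f %s

    # Leaves only the ed25519 host key. Assumes the sshd_config template does
    # not list the removed keys in HostKey directives, otherwise the restart
    # handler fails -- confirm against the template. RSA itself is not weak
    # with rsa-sha2 signatures; dropping it locks out clients that cannot do
    # ed25519, which is an accepted trade-off here. DSA keys are removed too:
    # they are 1024-bit only and no longer supported by current OpenSSH.
    - name: '[ssh] remove low security keys'
      ansible.builtin.file:
        path: "/etc/ssh/{{ item }}"
        state: absent
      loop:
        - ssh_host_dsa_key
        - ssh_host_dsa_key.pub
        - ssh_host_ecdsa_key
        - ssh_host_ecdsa_key.pub
        - ssh_host_rsa_key
        - ssh_host_rsa_key.pub
  notify:
    - 'security : [ssh] restart service'

- name: '[utils] install security and audit tools'
  become: true
  ansible.builtin.apt:
    update_cache: true
    force_apt_get: true
    cache_valid_time: 3600
    pkg:
      - lsof    # rkhunter
      - rkhunter
      - unhide  # rkhunter
    state: present

- name: '[system] configure rkhunter'
  become: true
  block:
    - name: '[rkhunter] create include dir'
      ansible.builtin.file:
        path: /etc/rkhunter.d
        state: directory
        mode: '0750'

    - name: '[rkhunter] copy configuration'
      ansible.builtin.template:
        src: ../templates/rkhunter/rkhunter.conf.local.j2
        dest: /etc/rkhunter.conf.local
        mode: '0640'

    # --cronjob is rkhunter's non-interactive mode (--check --nocolors
    # --skip-keypress); the plain -c used before is the interactive form.
    # Results go to cron mail. NOTE(review): rkhunter compares file
    # properties against its stored baseline, so intentional package or
    # config changes (including this playbook's) need `rkhunter --propupd`
    # afterwards or every run will warn -- confirm how the baseline is
    # maintained on these hosts.
    - name: '[rkhunter] setup cronjob'
      ansible.builtin.cron:
        name: rkhunter check
        minute: '0'
        hour: '4'
        day: '*/3'
        job: '/usr/bin/rkhunter --cronjob 2>&1'
        state: present

- name: '[system] clamav'
  become: true
  block:
    # The upstream .deb is not served from an apt repository, so apt's
    # signature verification does not apply to it. Download it first so the
    # digest can be checked: set security_clamav_checksum to "sha256:<hex>"
    # taken from the upstream release announcement. When it is unset the
    # download is accepted on TLS alone (the previous behaviour). The file
    # name is upstream's and hard-codes x86_64.
    - name: '[clamav] download clamav package'
      ansible.builtin.get_url:
        url: "https://www.clamav.net/downloads/production/clamav-{{ security_clamav_version }}.linux.x86_64.deb"
        dest: "/var/cache/apt/archives/clamav-{{ security_clamav_version }}.linux.x86_64.deb"
        checksum: "{{ security_clamav_checksum | default(omit) }}"
        mode: '0644'

    - name: '[clamav] install clamav package'
      ansible.builtin.apt:
        deb: "/var/cache/apt/archives/clamav-{{ security_clamav_version }}.linux.x86_64.deb"
        force_apt_get: true
        state: present

    # Service account. Whether the .deb already creates it cannot be told from
    # here; these tasks are idempotent either way.
    - name: '[clamav] add clamav group'
      ansible.builtin.group:
        name: clamav
        system: true
        state: present

    - name: '[clamav] add clamav user'
      ansible.builtin.user:
        name: clamav
        comment: clamav
        create_home: false
        expires: -1          # account never expires
        group: clamav
        shell: /bin/false    # no interactive login
        system: true
        state: present

    # State directories are owned by the service user. /var/lib/clamav itself
    # is included so freshclam can write the signature database there
    # (assuming the templated DatabaseDirectory is the default -- confirm);
    # before, only the quarantine subdirectory got explicit ownership and a
    # freshly created parent stayed root-owned.
    - name: '[clamav] setup state directories'
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
        owner: clamav
        group: clamav
        mode: '0750'
      loop:
        - /var/lib/clamav
        - /var/lib/clamav/quarantine
        - /var/log/clamav

    # Configuration is root-owned and group-readable: the daemons only need
    # to read it, and a compromised clamd/freshclam should not be able to
    # rewrite its own configuration.
    - name: '[clamav] setup config directory'
      ansible.builtin.file:
        path: /etc/clamav
        state: directory
        owner: root
        group: clamav
        mode: '0750'

    - name: '[clamav] copy clamd.conf'
      ansible.builtin.template:
        src: '../templates/clamav/clamd.conf.j2'
        dest: /etc/clamav/clamd.conf
        owner: root
        group: clamav
        mode: '0640'

    - name: '[clamav] copy freshclam.conf'
      ansible.builtin.template:
        src: '../templates/clamav/freshclam.conf.j2'
        dest: /etc/clamav/freshclam.conf
        owner: root
        group: clamav
        mode: '0640'

    # NOTE(review): /usr/lib/systemd/system is the package-owned unit
    # directory; locally managed units conventionally go to
    # /etc/systemd/system. Left unchanged here.
    - name: '[clamav] copy freshclam service file'
      ansible.builtin.template:
        src: '../templates/clamav/clamav-freshclam.service.j2'
        dest: /usr/lib/systemd/system/clamav-freshclam.service
        mode: '0644'

    - name: '[clamav] copy clamd service file'
      ansible.builtin.template:
        src: '../templates/clamav/clamav-clamd.service.j2'
        dest: /usr/lib/systemd/system/clamav-clamd.service
        mode: '0644'

    # Weekly full scan from root's crontab. Pseudo filesystems and the
    # quarantine directory are excluded: the scan starts at / and would
    # otherwise re-detect every file already moved into quarantine. --move
    # relocates infected files out of place; a false positive on a system
    # path is destructive, so weekly.log needs to be reviewed.
    - name: '[clamav] setup cron job'
      ansible.builtin.cron:
        name: clamav full system scan
        minute: '30'
        hour: '5'
        weekday: '0'
        job: >-
          /usr/local/bin/clamscan --recursive --infected
          --exclude-dir='^/(sys|proc)'
          --exclude-dir='^/var/lib/clamav/quarantine'
          --database=/var/lib/clamav
          --move=/var/lib/clamav/quarantine
          --log=/var/log/clamav/weekly.log / 2>&1
        state: present
  notify:
    - 'security : [clamav] daemon reload'
    - 'security : [freshclam] restart service'
    - 'security : [clamd] wait for signatures'
    - 'security : [clamd] restart service'

- name: '[system] hardening system'
  become: true
  block:
    # Per-distribution templates, chosen from the distribution fact gathered
    # in the first task.
    - name: '[system] login.defs'
      ansible.builtin.template:
        src: '../templates/system/{{ ansible_distribution | lower }}/login.defs.j2'
        dest: /etc/login.defs
        mode: '0644'

    - name: '[system] limits.conf'
      ansible.builtin.template:
        src: '../templates/system/{{ ansible_distribution | lower }}/limits.conf.j2'
        dest: /etc/security/limits.conf
        mode: '0644'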