ansible-infra/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml


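---
# This role reads `ansible_distribution` further down (per-distro login.defs and
# limits.conf templates), so the distribution facts must be present even when the
# play runs with gather_facts disabled. The task name says "if not already done",
# so only gather when the fact is actually missing.
- name: '[setup] gather facts if not already done'
  ansible.builtin.setup:
    gather_subset:
      - distribution
  when: ansible_facts['distribution'] is not defined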
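- name: '[ssh] hardening sshd'
  become: true
  block:
    - name: '[ssh] setup sshd_config'
      ansible.builtin.template:
        src: ../templates/openssh-server/sshd_config.j2
        dest: /etc/ssh/sshd_config
        mode: '0644'
        # Syntax-check the rendered file before it replaces the live config: a
        # template error must not leave the host without a working sshd (and lock
        # remote management out). %s is the temporary rendered file.
        validate: /usr/sbin/sshd -t -f %s
    - name: '[ssh] setup sshd_config.d'
      ansible.builtin.template:
        src: ../templates/openssh-server/sshd_config.d/encryption.conf.j2
        dest: /etc/ssh/sshd_config.d/encryption.conf
        mode: '0644'
    # After this only the remaining host keys (typically ed25519) are usable; the
    # sshd_config template must not reference the removed files via HostKey
    # (template not visible here - verify).
    - name: '[ssh] remove low security keys'
      ansible.builtin.file:
        path: "/etc/ssh/{{ item }}"
        state: absent
      loop:
        - ssh_host_ecdsa_key
        - ssh_host_ecdsa_key.pub
        - ssh_host_rsa_key
        - ssh_host_rsa_key.pub
  # Attached to the block so a change in any of the three tasks restarts sshd.
  # The original indentation was lost on this page; confirm placement in the repo.
  notify:
    - 'security : [ssh] restart service'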
- name: '[utils] install security and audit tools'
  become: true
  ansible.builtin.apt:
    # lsof and unhide are pulled in for rkhunter (see the rkhunter tasks below)
    name:
      - lsof
      - rkhunter
      - unhide
    state: present
    update_cache: true
    cache_valid_time: 3600
    force_apt_get: true
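- name: '[system] configure rkhunter'
  become: true
  block:
    - name: '[rkhunter] create include dir'
      ansible.builtin.file:
        path: /etc/rkhunter.d
        state: directory
        mode: '0750'
    - name: '[rkhunter] copy configuration'
      ansible.builtin.template:
        src: ../templates/rkhunter/rkhunter.conf.local.j2
        dest: /etc/rkhunter.conf.local
        mode: '0640'
    # Runs unattended every third day at 04:00. `--cronjob` is rkhunter's
    # non-interactive mode (no keypress prompts, no colour), and
    # `--report-warnings-only` keeps the cron mail limited to findings instead
    # of the full check transcript.
    - name: '[rkhunter] setup cronjob'
      ansible.builtin.cron:
        name: rkhunter check
        minute: '0'
        hour: '4'
        day: '*/3'
        job: "/usr/bin/rkhunter --cronjob --report-warnings-only 2>&1"
        state: present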
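- name: '[system] clamav'
  become: true
  block:
    # Supply-chain note: the vendor .deb is fetched straight from clamav.net and
    # installed; TLS protects the transport but nothing pins the file's content.
    # To add an integrity check, download it first with ansible.builtin.get_url
    # and its `checksum:` option (value from the vendor's published checksum for
    # that version), then install the local file with `deb: <path>`. The URL also
    # hard-codes x86_64, so this task only fits that architecture.
    - name: '[clamav] retrieve and install clamav package'
      ansible.builtin.apt:
        deb: "https://www.clamav.net/downloads/production/clamav-{{ security_clamav_version }}.linux.x86_64.deb"
        force_apt_get: true
        state: present
    # Dedicated unprivileged service account: no home, no login shell, no expiry.
    - name: '[clamav] add clamav group'
      ansible.builtin.group:
        name: clamav
        system: true
        state: present
    - name: '[clamav] add clamav user'
      ansible.builtin.user:
        name: clamav
        comment: clamav
        create_home: false
        expires: -1
        group: clamav
        shell: /bin/false
        system: true
        state: present
    # Config, quarantine and log dirs are owned by the service account and not
    # world-accessible; quarantined files are by definition malicious.
    - name: '[clamav] setup directories'
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
        owner: clamav
        group: clamav
        mode: '0750'
      loop:
        - /etc/clamav
        - /var/lib/clamav/quarantine
        - /var/log/clamav
    - name: '[clamav] copy clamd.conf'
      ansible.builtin.template:
        src: ../templates/clamav/clamd.conf.j2
        dest: /etc/clamav/clamd.conf
        owner: clamav
        group: clamav
        mode: '0640'
    - name: '[clamav] copy freshclam.conf'
      ansible.builtin.template:
        src: ../templates/clamav/freshclam.conf.j2
        dest: /etc/clamav/freshclam.conf
        owner: clamav
        group: clamav
        mode: '0640'
    # The vendor .deb ships no unit files, so the role provides its own. They are
    # written to the packaged-units directory; /etc/systemd/system is the usual
    # location for administrator-managed units and could be considered instead.
    - name: '[clamav] copy freshclam service file'
      ansible.builtin.template:
        src: ../templates/clamav/clamav-freshclam.service.j2
        dest: /usr/lib/systemd/system/clamav-freshclam.service
        mode: '0644'
    - name: '[clamav] copy clamd service file'
      ansible.builtin.template:
        src: ../templates/clamav/clamav-clamd.service.j2
        dest: /usr/lib/systemd/system/clamav-clamd.service
        mode: '0644'
    # Weekly full scan (Sunday 05:30). The quarantine directory is excluded from
    # the scan: it sits under / and is not covered by the sys/proc exclusion, so
    # without this every file already moved there is re-detected (and a move onto
    # itself attempted) on each run.
    - name: '[clamav] setup cron job'
      ansible.builtin.cron:
        name: clamav full system scan
        minute: '30'
        hour: '5'
        weekday: '0'
        job: >-
          /usr/local/bin/clamscan --recursive --infected
          --exclude-dir='^/(sys|proc)'
          --exclude-dir='^/var/lib/clamav/quarantine'
          --database=/var/lib/clamav
          --move=/var/lib/clamav/quarantine
          --log=/var/log/clamav/weekly.log / 2>&1
        state: present
  # Block-level so any change above reloads units and restarts the services.
  # The original indentation was lost on this page; confirm placement in the repo.
  notify:
    - 'security : [clamav] daemon reload'
    - 'security : [freshclam] restart service'
    - 'security : [clamd] wait for signatures'
    - 'security : [clamd] restart service'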
- name: '[system] hardening system'
  become: true
  block:
    # Both files are templated per distribution (ansible_distribution, lower-cased),
    # which is why the distribution facts are gathered at the top of this file.
    - name: '[system] login.defs'
      ansible.builtin.template:
        src: "../templates/system/{{ ansible_distribution | lower }}/login.defs.j2"
        dest: /etc/login.defs
        mode: '0644'
    - name: '[system] limits.conf'
      ansible.builtin.template:
        src: "../templates/system/{{ ansible_distribution | lower }}/limits.conf.j2"
        dest: /etc/security/limits.conf
        mode: '0644'