ansible-infra/collections/ansible_collections/nullified/infrastructure/roles/security/tasks/main.yml

---
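# Make sure the distribution facts used by the templating tasks below
# (`ansible_distribution`) are available even when the play was started with
# `gather_facts: false`. The task is skipped when the facts already exist, which
# is what its name promises; `distribution` is a cheap subset, not a full setup.
- name: '[setup] gather facts if not already done'
  ansible.builtin.setup:
    gather_subset:
      - distribution
  when: ansible_distribution is not defined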
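- name: '[ssh] hardening sshd'
  become: true
  block:
    # Main daemon config. `validate` runs the rendered candidate through
    # `sshd -t` before it replaces the live file, so a template mistake cannot
    # leave the host with an sshd that refuses to start (and lock us out).
    # Mode is a quoted octal string: an unquoted `mode: 644` is read by Ansible
    # as decimal 644 (octal 1204), not 0644. 0600 root:root is the CIS-benchmark
    # setting for sshd_config.
    - name: '[ssh] setup sshd_config'
      ansible.builtin.template:
        src: ../templates/openssh-server/sshd_config.j2
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: '0600'
        validate: /usr/sbin/sshd -t -f %s
      notify:
        # Handler referenced with the `role : name` form used by the rest of
        # this file.
        - 'security : [ssh] restart service'
    # The drop-in directory exists by default on Debian 11+/Ubuntu 20.04+, but
    # templating into it fails on older releases unless it is created first.
    - name: '[ssh] ensure sshd_config.d exists'
      ansible.builtin.file:
        path: /etc/ssh/sshd_config.d
        state: directory
        owner: root
        group: root
        mode: '0755'
    # Cipher / MAC / KEX policy drop-in. NOTE(review): it only takes effect if
    # the rendered sshd_config contains `Include /etc/ssh/sshd_config.d/*.conf`
    # — confirm the template does. Validating the drop-in on its own still
    # catches algorithm names the installed OpenSSH does not know.
    - name: '[ssh] setup sshd_config.d'
      ansible.builtin.template:
        src: ../templates/openssh-server/sshd_config.d/encryption.conf.j2
        dest: /etc/ssh/sshd_config.d/encryption.conf
        owner: root
        group: root
        mode: '0600'
        validate: /usr/sbin/sshd -t -f %s
      notify:
        - 'security : [ssh] restart service'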
# Packages for the rootkit scan configured below. The apt cache is only
# refreshed when it is older than an hour (`cache_valid_time`), so repeated
# runs stay fast.
- name: '[utils] install security and audit tools'
  become: true
  ansible.builtin.apt:
    state: present
    update_cache: true
    cache_valid_time: 3600
    force_apt_get: true
    pkg:
      - rkhunter
      - lsof  # used by rkhunter
      - unhide  # used by rkhunter
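- name: '[system] configure rkhunter'
  become: true
  block:
    # Local drop-in directory. NOTE(review): nothing in this file references
    # it; presumably the templated rkhunter.conf.local does — confirm.
    - name: '[rkhunter] create include dir'
      ansible.builtin.file:
        path: /etc/rkhunter.d
        state: directory
        owner: root
        group: root
        mode: '0750'
    - name: '[rkhunter] copy configuration'
      ansible.builtin.template:
        src: ../templates/rkhunter/rkhunter.conf.local.j2
        dest: /etc/rkhunter.conf.local
        owner: root
        group: root
        mode: '0640'
    # `--cronjob` is rkhunter's documented non-interactive mode (implies
    # `-c`, `--skip-keypress`, `--nocolors`), so the cron mail is not filled
    # with colour escapes and prompts; `--report-warnings-only` keeps the
    # mail empty on a clean run so a warning actually stands out.
    # Runs at 04:00 every third day of the month.
    # NOTE(review): the file-properties database must exist before the first
    # check or every file is reported; the Debian package normally runs
    # `rkhunter --propupd` at install time — verify the template does not
    # disable that.
    - name: '[rkhunter] setup cronjob'
      ansible.builtin.cron:
        name: rkhunter check
        minute: '0'
        hour: '4'
        day: '*/3'
        job: /usr/bin/rkhunter --cronjob --report-warnings-only 2>&1
        state: present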
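- name: '[system] clamav'
  become: true
  # Block-level notify: a change in any task below (new package, unit file or
  # config) schedules the daemon-reload / restart chain once at the end of the
  # play. Handler run order is the order they are defined, not this list.
  notify:
    - 'security : [clamav] daemon reload'
    - 'security : [freshclam] restart service'
    - 'security : [clamd] wait for signatures'
    - 'security : [clamd] restart service'
  block:
    # The package comes straight from clamav.net, outside the apt trust chain.
    # `apt deb: <url>` performs no integrity check beyond TLS, so fetch it with
    # get_url where a checksum can be pinned. Define `security_clamav_checksum`
    # (e.g. "sha256:<hex>") next to `security_clamav_version` to enforce it;
    # while it is undefined the download is unverified, as before.
    # NOTE(review): the x86_64 file name is hard-coded; arm64 hosts will 404.
    - name: '[clamav] download clamav package'
      ansible.builtin.get_url:
        url: "https://www.clamav.net/downloads/production/clamav-{{ security_clamav_version }}.linux.x86_64.deb"
        dest: "/usr/local/src/clamav-{{ security_clamav_version }}.linux.x86_64.deb"
        checksum: "{{ security_clamav_checksum | default(omit) }}"
        owner: root
        group: root
        mode: '0644'
    - name: '[clamav] install clamav package'
      ansible.builtin.apt:
        deb: "/usr/local/src/clamav-{{ security_clamav_version }}.linux.x86_64.deb"
        force_apt_get: true
        state: present
    # Unprivileged service account for clamd / freshclam.
    - name: '[clamav] add clamav group'
      ansible.builtin.group:
        name: clamav
        system: true
        state: present
    - name: '[clamav] add clamav user'
      ansible.builtin.user:
        name: clamav
        comment: clamav
        group: clamav
        system: true
        create_home: false
        shell: /bin/false
        expires: -1  # never expires
        state: present
    # Config is root-owned and group-readable: the service user must read it
    # but must not be able to rewrite it (e.g. point freshclam at another
    # database mirror) if the daemon is compromised.
    - name: '[clamav] ensure /etc/clamav dir exists'
      ansible.builtin.file:
        path: /etc/clamav
        state: directory
        owner: root
        group: clamav
        mode: '0750'
    # State, quarantine and log directories are written by the daemons, so
    # they stay owned by the service user.
    - name: '[clamav] ensure /var/lib/clamav dir exists'
      ansible.builtin.file:
        path: /var/lib/clamav
        state: directory
        owner: clamav
        group: clamav
        mode: '0750'
    - name: '[clamav] ensure /var/lib/clamav/quarantine dir exists'
      ansible.builtin.file:
        path: /var/lib/clamav/quarantine
        state: directory
        owner: clamav
        group: clamav
        mode: '0750'
    - name: '[clamav] ensure /var/log/clamav dir exists'
      ansible.builtin.file:
        path: /var/log/clamav
        state: directory
        owner: clamav
        group: clamav
        mode: '0750'
    - name: '[clamav] copy clamd.conf'
      ansible.builtin.template:
        src: ../templates/clamav/clamd.conf.j2
        dest: /etc/clamav/clamd.conf
        owner: root
        group: clamav
        mode: '0640'
    - name: '[clamav] copy freshclam.conf'
      ansible.builtin.template:
        src: ../templates/clamav/freshclam.conf.j2
        dest: /etc/clamav/freshclam.conf
        owner: root
        group: clamav
        mode: '0640'
    # Locally managed units belong in /etc/systemd/system: /usr/lib/systemd/
    # system is reserved for package-shipped units and can be overwritten by a
    # package upgrade, and /etc takes precedence over it anyway.
    - name: '[clamav] copy freshclam service file'
      ansible.builtin.template:
        src: ../templates/clamav/clamav-freshclam.service.j2
        dest: /etc/systemd/system/clamav-freshclam.service
        owner: root
        group: root
        mode: '0644'
    - name: '[clamav] copy clamd service file'
      ansible.builtin.template:
        src: ../templates/clamav/clamav-clamd.service.j2
        dest: /etc/systemd/system/clamav-clamd.service
        owner: root
        group: root
        mode: '0644'
    # Weekly full scan as root (Sunday 05:30). The quarantine directory is
    # excluded so files already moved there are not rescanned and "moved" onto
    # themselves every week. NOTE(review): `--move` relocates anything that
    # matches a signature, including a false positive on a system binary, which
    # can break the host — consider `--copy` plus alerting on the log instead.
    - name: '[clamav] setup cron job'
      ansible.builtin.cron:
        name: clamav full system scan
        minute: '30'
        hour: '5'
        weekday: '0'
        state: present
        job: >-
          /usr/local/bin/clamscan --recursive --infected
          --exclude-dir='^/(sys|proc)'
          --exclude-dir='^/var/lib/clamav/quarantine'
          --database=/var/lib/clamav
          --move=/var/lib/clamav/quarantine
          --log=/var/log/clamav/weekly.log / 2>&1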
# Distribution-specific login.defs / limits.conf, picked by the lower-cased
# `ansible_distribution` fact gathered at the top of this file.
# NOTE(review): `../templates/…` resolves to the role's own templates dir,
# so the prefix is redundant but harmless; kept for consistency with the file.
- name: '[system] hardening system'
  become: true
  block:
    - name: '[system] login.defs'
      ansible.builtin.template:
        dest: /etc/login.defs
        src: "../templates/system/{{ ansible_distribution | lower }}/login.defs.j2"
        mode: '0644'
    - name: '[system] limits.conf'
      ansible.builtin.template:
        dest: /etc/security/limits.conf
        src: "../templates/system/{{ ansible_distribution | lower }}/limits.conf.j2"
        mode: '0644'