- name: 'Install auto upgrades package' apt: pkg: 'unattended-upgrades' state: 'installed' when: with_auto_upgrade - name: 'Reconfigure unattended-upgrades package' debconf: name: 'unattended-upgrades' question: 'unattended-upgrades/enable_auto_updates' value: 'true' vtype: 'boolean' notify: - 'Reconfigure unattended-upgrades' when: with_auto_upgrade - name: 'Update unattended-upgrades configuration' template: src: '{{ item }}' dest: '/etc/apt/apt.conf.d/90unattended-upgrades-local' owner: 'root' group: 'root' mode: '0644' with_first_found: - 'apt/auto-upgrades.{{ ansible_lsb.codename }}.j2' - 'apt/auto-upgrades.j2' when: with_auto_upgrade - name: 'Install logcheck packages' apt: pkg: '{{ item }}' state: 'installed' with_items: - 'logcheck' - 'logcheck-database' when: with_logcheck - name: 'Install local configuration files for logcheck' copy: src: 'logcheck/{{ item }}_local' dest: '/etc/logcheck/ignore.d.server/{{ item }}_local' owner: 'root' group: 'logcheck' mode: '0644' with_items: - 'amavisd-new' - 'ansible' - 'apache2' - 'bind' - 'dhclient' - 'dnsmasq' - 'dovecot' - 'dropbear' - 'ferm' - 'gammu' - 'git-daemon' - 'gogs' - 'influxd' - 'ipmi' - 'irqbalance' - 'kernel' - 'libpam-modules' - 'mon' - 'noip2' - 'ntp' - 'openvpn' - 'php' - 'postfix' - 'pure-ftpd' - 'pve-cluster' - 'redir' - 'rpc-mountd' - 'rrdcached' - 'rsyslog' - 'smartd' - 'spamd' - 'sshd' - 'svn' - 'sympa' - 'systemd' - 'zabbix-agentd' when: with_logcheck tags: - 'logcheck' - name: 'Update logcheck cron job' template: src: 'cron/logcheck.j2' dest: '/etc/cron.d/logcheck' owner: 'root' group: 'root' mode: '0644' when: with_logcheck - name: 'Install rkhunter related packages' apt: pkg: '{{ item }}' state: 'installed' with_items: - 'lsof' - 'unhide' - 'rkhunter' when: with_rkhunter - name: 'Reconfigure rkhunter package' debconf: name: '{{item.name}}' question: '{{item.question}}' value: '{{item.value}}' vtype: '{{item.vtype}}' with_items: - { name: 'rkhunter', question: 'rkhunter/apt_autogen', value: 'true', vtype: 'boolean' } - { name: 'rkhunter', question: 'rkhunter/cron_daily_run', value: 'true', vtype: 'boolean' } - { name: 'rkhunter', question: 'rkhunter/cron_db_update', value: 'true', vtype: 'boolean' } notify: - 'Reconfigure rkhunter' when: with_rkhunter - name: Update rkhunter configuration template: src=rkhunter/{{ ansible_lsb.codename }}.conf.j2 dest=/etc/rkhunter.conf owner=root group=root mode=0644 when: with_rkhunter - name: Update chkrootkit configuration template: src=chkrootkit/chkrootkit.conf.j2 dest=/etc/chkrootkit.conf owner=root group=root mode=0644 when: with_chkrootkit - name: Update fstab to hide pids from /proc lineinfile: dest=/etc/fstab regexp='(^proc\s+/proc\s+proc\s+)(\S+)(\s+[0-9]\s+[0-9])\s*$' line='\1defaults,hidepid=2\3' backrefs=yes notify: - Remount /proc when: with_hideproc and hideproc_gid == '' - name: Update fstab to hide pids from /proc with group id (gid) lineinfile: dest=/etc/fstab regexp='(^proc\s+/proc\s+proc\s+)(\S+)(\s+[0-9]\s+[0-9])\s*$' line='\1defaults,hidepid=2,gid={{hideproc_gid}}\3' backrefs=yes notify: - Remount /proc when: with_hideproc and hideproc_gid != '' - name: 'Create Diffie-Helman parameters' command: 'openssl dhparam -2 -out /etc/ssl/private/dh{{ item }}.pem {{ item }}' args: creates: '/etc/ssl/private/dh{{ item }}.pem' with_items: - '2048'