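# Host hardening tasks: automatic upgrades, logcheck, rkhunter, chkrootkit
# and /proc process hiding. Every task is gated by a with_* toggle that is
# not defined in the visible tasks.
#
# NOTE(review): several tasks read ansible_lsb.codename; presumably this
# needs the LSB facts to be available on the target - confirm.

# --- Automatic upgrades -----------------------------------------------------

- name: Install auto upgrades package
  apt:
    pkg: unattended-upgrades
    # "present" replaces the deprecated "installed" alias; same behaviour.
    state: present
    update_cache: true
  when: with_auto_upgrade

- name: Configure auto upgrades
  template:
    src: "{{ item }}"
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    owner: root
    group: root
    mode: "0644"
  # Release-specific template first, generic template as the fallback.
  # NOTE(review): first_available_file is a legacy keyword that newer Ansible
  # releases replace with the first_found lookup; kept here so the template
  # search behaviour stays unchanged.
  first_available_file:
    - "apt/auto-upgrades.{{ ansible_lsb.codename }}.j2"
    - apt/auto-upgrades.j2
  when: with_auto_upgrade

# --- logcheck ---------------------------------------------------------------

- name: Install logcheck packages
  apt:
    pkg: "{{ item }}"
    state: present
    update_cache: true
  with_items:
    - logcheck
    - logcheck-database
  when: with_logcheck

# These files land in ignore.d.server, so every pattern in them removes
# matching log lines from the logcheck report. Review the *_local sources for
# patterns broad enough to hide events that should still be reported
# (sshd, libpam-modules and openvpn in particular carry authentication logs).
- name: Install local configuration files for logcheck
  copy:
    src: "logcheck/{{ item }}_local"
    dest: "/etc/logcheck/ignore.d.server/{{ item }}_local"
    owner: root
    group: root
    mode: "0644"
  with_items:
    - amavisd-new
    - ansible
    - bind
    - dhclient
    - dovecot
    - dropbear
    - git-daemon
    - ipmi
    - irqbalance
    - kernel
    - libpam-modules
    - mon
    - noip2
    - ntp
    - openvpn
    - php
    - postfix
    - pure-ftpd
    - pve-cluster
    - redir
    - rpc.mountd
    - rrdcached
    - rsyslog
    - smartd
    - spamd
    - sshd
    - svn
    - sympa
  when: with_logcheck

- name: Update logcheck cron job
  template:
    src: cron/logcheck.j2
    dest: /etc/cron.d/logcheck
    owner: root
    group: root
    mode: "0644"
  when: with_logcheck

# --- rkhunter / chkrootkit --------------------------------------------------

- name: Install rkhunter related packages
  apt:
    pkg: "{{ item }}"
    state: present
    update_cache: true
  with_items:
    - lsof
    - unhide
    - rkhunter
  when: with_rkhunter

- name: Update rkhunter default/init parameters
  template:
    src: rkhunter/default.j2
    dest: /etc/default/rkhunter
    owner: root
    group: root
    mode: "0644"
  when: with_rkhunter

# The template is selected by release codename with no generic fallback, so a
# release without a matching rkhunter/<codename>.conf.j2 fails this task
# instead of silently deploying a configuration written for another release.
- name: Update rkhunter configuration
  template:
    src: "rkhunter/{{ ansible_lsb.codename }}.conf.j2"
    dest: /etc/rkhunter.conf
    owner: root
    group: root
    mode: "0644"
  when: with_rkhunter

# NOTE(review): no task in view installs the chkrootkit package; presumably
# that happens elsewhere - confirm.
- name: Update chkrootkit configuration
  template:
    src: chkrootkit/chkrootkit.conf.j2
    dest: /etc/chkrootkit.conf
    owner: root
    group: root
    mode: "0644"
  when: with_chkrootkit

# --- /proc hardening --------------------------------------------------------

# Rewrites the mount options of an existing "proc /proc proc ..." fstab entry
# to "defaults,hidepid=2". Caveats worth knowing when relying on this:
#   * backrefs is enabled, so when no such line exists the file is left
#     untouched and the task reports "ok" - hidepid is then NOT applied.
#     Verify the result on the host (e.g. inspect the mounted /proc options).
#   * The previous options (capture group 2) are discarded, not extended.
#   * No gid= exemption is set, so non-root monitoring or service accounts
#     lose visibility of other users' processes.
#   * NOTE(review): hidepid on the system /proc is reported to interfere
#     with some systemd components - confirm on the target releases.
# The "Remount /proc" handler is not defined in the visible tasks.
- name: Update fstab to hide pids from /proc
  lineinfile:
    dest: /etc/fstab
    regexp: '(^proc\s+/proc\s+proc\s+)(\S+)(\s+[0-9]\s+[0-9])\s*$'
    line: '\1defaults,hidepid=2\3'
    backrefs: true
  notify:
    - Remount /proc
  when: with_hideproc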