- name: Install auto upgrades package apt: pkg=unattended-upgrades state=installed update_cache=yes when: with_auto_upgrade - name: Reconfigure unattended-upgrades package debconf: name="unattended-upgrades" question="unattended-upgrades/enable_auto_updates" value="true" vtype="boolean" notify: - Reconfigure unattended-upgrades when: with_auto_upgrade - name: Update unattended-upgrades configuration template: src={{ item }} dest=/etc/apt/apt.conf.d/90unattended-upgrades-local owner=root group=root mode=0644 first_available_file: - apt/auto-upgrades.{{ ansible_lsb.codename }}.j2 - apt/auto-upgrades.j2 when: with_auto_upgrade - name: Install logcheck packages apt: pkg={{ item }} state=installed update_cache=yes with_items: - logcheck - logcheck-database when: with_logcheck - name: Install local configuration files for logcheck copy: src=logcheck/{{ item }}_local dest=/etc/logcheck/ignore.d.server/{{ item }}_local owner=root group=root mode=0644 with_items: - amavisd-new - ansible - bind - dhclient - dovecot - dropbear - git-daemon - ipmi - irqbalance - kernel - libpam-modules - mon - noip2 - ntp - openvpn - php - postfix - pure-ftpd - pve-cluster - redir - rpc-mountd - rrdcached - rsyslog - smartd - spamd - sshd - svn - sympa - systemd - zabbix-agentd when: with_logcheck - name: Update logcheck cron job template: src=cron/logcheck.j2 dest=/etc/cron.d/logcheck owner=root group=root mode=0644 when: with_logcheck - name: Install rkhunter related packages apt: pkg={{ item }} state=installed update_cache=yes with_items: - lsof - unhide - rkhunter when: with_rkhunter - name: Reconfigure rkhunter package debconf: name="{{item.name}}" question="{{item.question}}" value="{{item.value}}" vtype="{{item.vtype}}" with_items: - { name: 'rkhunter', question: 'rkhunter/apt_autogen', value: 'true', vtype: 'boolean' } - { name: 'rkhunter', question: 'rkhunter/cron_daily_run', value: 'true', vtype: 'boolean' } - { name: 'rkhunter', question: 'rkhunter/cron_db_update', value: 'true', vtype: 'boolean' } notify: - Reconfigure rkhunter when: with_rkhunter - name: Update rkhunter configuration template: src=rkhunter/{{ ansible_lsb.codename }}.conf.j2 dest=/etc/rkhunter.conf owner=root group=root mode=0644 when: with_rkhunter - name: Update chkrootkit configuration template: src=chkrootkit/chkrootkit.conf.j2 dest=/etc/chkrootkit.conf owner=root group=root mode=0644 when: with_chkrootkit - name: Update fstab to hide pids from /proc lineinfile: dest=/etc/fstab regexp='(^proc\s+/proc\s+proc\s+)(\S+)(\s+[0-9]\s+[0-9])\s*$' line='\1defaults,hidepid=2\3' backrefs=yes notify: - Remount /proc when: with_hideproc and hideproc_gid == '' - name: Update fstab to hide pids from /proc with group id (gid) lineinfile: dest=/etc/fstab regexp='(^proc\s+/proc\s+proc\s+)(\S+)(\s+[0-9]\s+[0-9])\s*$' line='\1defaults,hidepid=2,gid={{hideproc_gid}}\3' backrefs=yes notify: - Remount /proc when: with_hideproc and hideproc_gid != '' - name: 'Create Diffie-Helman parameters' command: 'openssl dhparam -2 -out /etc/ssl/private/dh{{ item }}.pem {{ item }}' args: creates: '/etc/ssl/private/dh{{ item }}.pem' with_items: - 2048