
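  # --- Unattended security upgrades -----------------------------------------
  - name: Install auto upgrades package
    apt:
      name: unattended-upgrades
      state: present
      update_cache: true
      # Skip `apt-get update` when the index was refreshed within the last hour.
      cache_valid_time: 3600
    when: with_auto_upgrade

  - name: Reconfigure unattended-upgrades package
    # Pre-seeds the debconf answer; the "Reconfigure unattended-upgrades"
    # handler (defined outside this file) then re-runs the package's postinst,
    # which on Debian writes the APT::Periodic settings (20auto-upgrades).
    # The value is a quoted string so YAML does not turn it into a boolean.
    debconf:
      name: unattended-upgrades
      question: unattended-upgrades/enable_auto_updates
      value: "true"
      vtype: boolean
    notify:
      - Reconfigure unattended-upgrades
    when: with_auto_upgrade

  - name: Update unattended-upgrades configuration
    # Release-specific template first, generic template as fallback.
    # `with_first_found` replaces the deprecated `first_available_file`, and
    # ansible_distribution_release replaces ansible_lsb.codename: ansible_lsb
    # is an empty dict on hosts without the lsb-release package, which made the
    # old lookup fail with an undefined attribute instead of picking a template.
    template:
      src: "{{ item }}"
      dest: /etc/apt/apt.conf.d/90unattended-upgrades-local
      owner: root
      group: root
      mode: "0644"
    with_first_found:
      - "apt/auto-upgrades.{{ ansible_distribution_release }}.j2"
      - apt/auto-upgrades.j2
    when: with_auto_upgrade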
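  # --- logcheck ---------------------------------------------------------------
  - name: Install logcheck packages
    # Both packages in one apt transaction (a list for `name`) instead of a
    # with_items loop, which only worked as one transaction through loop
    # squashing that newer Ansible no longer performs.
    apt:
      name:
        - logcheck
        - logcheck-database
      state: present
      update_cache: true
      cache_valid_time: 3600
    when: with_logcheck

  - name: Install local configuration files for logcheck
    # Files in ignore.d.server hold regexes for log lines logcheck must NOT
    # report. Keep them tight: an over-broad pattern silently hides exactly the
    # events (failed logins, unexpected restarts, ...) logcheck exists to surface,
    # so review the *_local files with the same care as a firewall rule.
    copy:
      src: "logcheck/{{ item }}_local"
      dest: "/etc/logcheck/ignore.d.server/{{ item }}_local"
      owner: root
      group: root
      mode: "0644"
    with_items:
      - amavisd-new
      - ansible
      - apache2
      - bind
      - dhclient
      - dnsmasq
      - dovecot
      - dropbear
      - ferm
      - git-daemon
      - gogs
      - ipmi
      - irqbalance
      - kernel
      - libpam-modules
      - mon
      - noip2
      - ntp
      - openvpn
      - php
      - postfix
      - pure-ftpd
      - pve-cluster
      - redir
      - rpc-mountd
      - rrdcached
      - rsyslog
      - smartd
      - spamd
      - sshd
      - svn
      - sympa
      - systemd
      - zabbix-agentd
    when: with_logcheck

  - name: Update logcheck cron job
    # Overwrites the cron entry shipped by the logcheck package with the
    # role's own schedule.
    template:
      src: cron/logcheck.j2
      dest: /etc/cron.d/logcheck
      owner: root
      group: root
      mode: "0644"
    when: with_logcheck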
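  # --- rkhunter ---------------------------------------------------------------
  - name: Install rkhunter related packages
    # lsof and unhide are external tools rkhunter can call (presumably for its
    # open-port and hidden-process checks - see the rkhunter.conf template).
    apt:
      name:
        - lsof
        - unhide
        - rkhunter
      state: present
      update_cache: true
      cache_valid_time: 3600
    when: with_rkhunter

  - name: Reconfigure rkhunter package
    # Debconf answers the Debian package turns into /etc/default/rkhunter:
    #   apt_autogen    - regenerate the file-properties database after every
    #                    apt run. This avoids false positives after upgrades,
    #                    but it also means any file that changed through
    #                    apt/dpkg is accepted without review, so it weakens the
    #                    file-properties test. On hosts where that test matters
    #                    set it to 'false' and run `rkhunter --propupd` yourself
    #                    after a verified upgrade.
    #   cron_daily_run - daily scan via /etc/cron.daily.
    #   cron_db_update - daily `rkhunter --update`, which fetches data files
    #                    over the network.
    # Values are quoted strings so YAML keeps 'true' as text for debconf.
    debconf:
      name: rkhunter
      question: "{{ item.question }}"
      value: "{{ item.value }}"
      vtype: boolean
    with_items:
      - { question: 'rkhunter/apt_autogen', value: 'true' }
      - { question: 'rkhunter/cron_daily_run', value: 'true' }
      - { question: 'rkhunter/cron_db_update', value: 'true' }
    notify:
      - Reconfigure rkhunter
    when: with_rkhunter

  - name: Update rkhunter configuration
    # ansible_distribution_release instead of ansible_lsb.codename: ansible_lsb
    # is empty on hosts without lsb-release, so the old src failed to render.
    # NOTE(review): this overwrites the package's /etc/rkhunter.conf, so
    # package upgrades will prompt about the modified conffile; rkhunter (1.4+)
    # also reads /etc/rkhunter.conf.local, which would be the upgrade-safe place
    # for local overrides - confirm the template only carries overrides first.
    template:
      src: "rkhunter/{{ ansible_distribution_release }}.conf.j2"
      dest: /etc/rkhunter.conf
      owner: root
      group: root
      mode: "0644"
    when: with_rkhunter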
  # --- chkrootkit -------------------------------------------------------------
  - name: Update chkrootkit configuration
    # Renders the role's template over /etc/chkrootkit.conf (read by the
    # package's daily cron wrapper); root-owned, world-readable.
    template:
      src: chkrootkit/chkrootkit.conf.j2
      dest: /etc/chkrootkit.conf
      owner: root
      group: root
      mode: "0644"
    when: with_chkrootkit
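  # --- /proc hardening --------------------------------------------------------
  # hidepid=2 hides /proc/<pid> entries of other users' processes, which stops
  # unprivileged users from reading command lines, environments and open files
  # of processes they do not own. gid=<hideproc_gid> exempts one group so that
  # monitoring and admin tooling can still see everything.
  - name: Update fstab to hide pids from /proc
    # The mount module with state=present creates or rewrites the fstab entry
    # itself. The previous lineinfile/backrefs tasks were a silent no-op when
    # fstab had no `proc /proc proc ...` line (common on systemd hosts, where
    # /proc is mounted without an fstab entry), so hidepid was never applied
    # there and nobody noticed. Only fstab is written here; the existing
    # "Remount /proc" handler applies the new options.
    # NOTE(review): with hidepid=2 some services need to see all processes
    # (systemd-logind, polkit, monitoring agents are the usual ones); add them
    # to the hideproc_gid group or they will misbehave - verify per release.
    # Linux 5.8+ also understands hidepid=invisible; the numeric form works on
    # both old and new kernels, so it is kept.
    mount:
      name: /proc
      src: proc
      fstype: proc
      opts: "defaults,hidepid=2{{ (',gid=' ~ hideproc_gid) if hideproc_gid | default('') != '' else '' }}"
      state: present
    notify:
      - Remount /proc
    when: with_hideproc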
  94. - name: 'Create Diffie-Helman parameters'
  95. command: 'openssl dhparam -2 -out /etc/ssl/private/dh{{ item }}.pem {{ item }}'
  96. args:
  97. creates: '/etc/ssl/private/dh{{ item }}.pem'
  98. with_items:
  99. - 2048