
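  # Unattended security updates, step 1: install the package. The apt index is
  # refreshed first (update_cache). 'installed' was a legacy alias of
  # 'present' and is replaced by the canonical value.
  - name: Install auto upgrades package
    apt:
      name: unattended-upgrades
      state: present
      update_cache: true
    when: with_auto_upgrade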
  # Unattended security updates, step 2: pre-seed the debconf answer that
  # turns automatic updates on, then let the handler re-run dpkg-reconfigure.
  # 'value' stays a quoted string so YAML does not turn it into a boolean.
  - name: Reconfigure unattended-upgrades package
    debconf:
      name: unattended-upgrades
      question: unattended-upgrades/enable_auto_updates
      value: "true"
      vtype: boolean
    notify:
      - Reconfigure unattended-upgrades
    when: with_auto_upgrade
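  # Unattended security updates, step 3: drop the local apt.conf.d override.
  # The release-specific template wins when it exists, otherwise the generic
  # one is used. 'first_available_file' is the pre-loop form of this; the
  # with_first_found loop is its documented replacement and resolves against
  # the role's templates/ directory for a template task.
  - name: Update unattended-upgrades configuration
    template:
      src: "{{ item }}"
      dest: /etc/apt/apt.conf.d/90unattended-upgrades-local
      owner: root
      group: root
      mode: "0644"  # quoted: an unquoted 0644 would be read as octal 420
    with_first_found:
      - apt/auto-upgrades.{{ ansible_lsb.codename }}.j2
      - apt/auto-upgrades.j2
    when: with_auto_upgrade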
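  # Log monitoring: install logcheck and its rule database in a single apt
  # transaction instead of one apt call per with_items element. 'installed'
  # was a legacy alias of 'present'.
  - name: Install logcheck packages
    apt:
      name:
        - logcheck
        - logcheck-database
      state: present
      update_cache: true
    when: with_logcheck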
  # Log monitoring: ship one local ignore file per service into
  # ignore.d.server. Lines matching these patterns are dropped from logcheck
  # reports, so every addition to this list widens what is silenced — keep
  # the per-service files as narrow as possible.
  - name: Install local configuration files for logcheck
    copy:
      src: "logcheck/{{ item }}_local"
      dest: "/etc/logcheck/ignore.d.server/{{ item }}_local"
      owner: root
      group: root
      mode: "0644"
    with_items:
      - amavisd-new
      - ansible
      - apache2
      - bind
      - dhclient
      - dnsmasq
      - dovecot
      - dropbear
      - git-daemon
      - gogs
      - ipmi
      - irqbalance
      - kernel
      - libpam-modules
      - mon
      - noip2
      - ntp
      - openvpn
      - php
      - postfix
      - pure-ftpd
      - pve-cluster
      - redir
      - rpc-mountd
      - rrdcached
      - rsyslog
      - smartd
      - spamd
      - sshd
      - svn
      - sympa
      - systemd
      - zabbix-agentd
    when: with_logcheck
  # Log monitoring: install the cron.d entry that schedules logcheck runs.
  - name: Update logcheck cron job
    template:
      src: cron/logcheck.j2
      dest: /etc/cron.d/logcheck
      owner: root
      group: root
      mode: "0644"
    when: with_logcheck
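  # Rootkit scanning: rkhunter plus the helpers it calls (lsof, unhide),
  # installed in one apt transaction rather than one call per with_items
  # element. 'installed' was a legacy alias of 'present'.
  - name: Install rkhunter related packages
    apt:
      name:
        - lsof
        - unhide
        - rkhunter
      state: present
      update_cache: true
    when: with_rkhunter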
  # Rootkit scanning: pre-seed the three debconf answers (per their question
  # names: regenerate the file database after apt runs, run the daily cron
  # job, and update the database from cron) and let the handler re-run
  # dpkg-reconfigure. 'value' stays a quoted string for debconf.
  - name: Reconfigure rkhunter package
    debconf:
      name: "{{ item.name }}"
      question: "{{ item.question }}"
      value: "{{ item.value }}"
      vtype: "{{ item.vtype }}"
    with_items:
      - name: rkhunter
        question: rkhunter/apt_autogen
        value: 'true'
        vtype: boolean
      - name: rkhunter
        question: rkhunter/cron_daily_run
        value: 'true'
        vtype: boolean
      - name: rkhunter
        question: rkhunter/cron_db_update
        value: 'true'
        vtype: boolean
    notify:
      - Reconfigure rkhunter
    when: with_rkhunter
  # Rootkit scanning: the rkhunter.conf template is selected by release
  # codename, so a template must exist for every codename this role targets.
  - name: Update rkhunter configuration
    template:
      src: "rkhunter/{{ ansible_lsb.codename }}.conf.j2"
      dest: /etc/rkhunter.conf
      owner: root
      group: root
      mode: "0644"
    when: with_rkhunter
  # Rootkit scanning: render chkrootkit's configuration file.
  - name: Update chkrootkit configuration
    template:
      src: chkrootkit/chkrootkit.conf.j2
      dest: /etc/chkrootkit.conf
      owner: root
      group: root
      mode: "0644"
    when: with_chkrootkit
  # Process isolation: rewrite the /proc line in fstab so it mounts with
  # hidepid=2 (the task name: hide other users' pids). The regexp captures the
  # current mount options as group 2 but the replacement discards them and
  # writes 'defaults,hidepid=2' — any extra options already on that line
  # (e.g. nosuid,nodev) are lost. Always producing the same line keeps the
  # task idempotent. Applies when no gid exemption is configured.
  - name: Update fstab to hide pids from /proc
    lineinfile:
      dest: /etc/fstab
      regexp: '(^proc\s+/proc\s+proc\s+)(\S+)(\s+[0-9]\s+[0-9])\s*$'
      line: '\1defaults,hidepid=2\3'
      backrefs: true
    notify:
      - Remount /proc
    when: with_hideproc and hideproc_gid == ''
  # Process isolation, gid variant: same /proc rewrite as the task above, but
  # the configured hideproc_gid is added to the mount options so members of
  # that group keep full /proc visibility. As in the plain variant, existing
  # mount options on the line are replaced, not preserved.
  - name: Update fstab to hide pids from /proc with group id (gid)
    lineinfile:
      dest: /etc/fstab
      regexp: '(^proc\s+/proc\s+proc\s+)(\S+)(\s+[0-9]\s+[0-9])\s*$'
      line: '\1defaults,hidepid=2,gid={{hideproc_gid}}\3'
      backrefs: true
    notify:
      - Remount /proc
    when: with_hideproc and hideproc_gid != ''
  93. - name: 'Create Diffie-Helman parameters'
  94. command: 'openssl dhparam -2 -out /etc/ssl/private/dh{{ item }}.pem {{ item }}'
  95. args:
  96. creates: '/etc/ssl/private/dh{{ item }}.pem'
  97. with_items:
  98. - 2048