
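  # Host-hardening tasks: unattended upgrades, logcheck, rkhunter, chkrootkit
  # and hidepid on /proc.  Every stanza is gated on a with_* flag; those flags
  # are expected to come from the role's defaults/vars (not visible here).
  # Module arguments use native YAML (the old key=value strings are
  # deprecated), "installed" is replaced by its canonical alias "present",
  # and file modes are quoted so no YAML parser turns 0644 into decimal 420.
  - name: Install auto upgrades package
    apt:
      name: unattended-upgrades
      state: present
      update_cache: true
    when: with_auto_upgrade

  - name: Configure auto upgrades
    # Prefer a release-specific template and fall back to the generic one.
    # ansible_lsb.codename is only populated when lsb-release is present on
    # the target; without it only the generic template can match.
    template:
      src: "{{ item }}"
      dest: /etc/apt/apt.conf.d/20auto-upgrades
      owner: root
      group: root
      mode: "0644"
    with_first_found:
      - "apt/auto-upgrades.{{ ansible_lsb.codename }}.j2"
      - apt/auto-upgrades.j2
    when: with_auto_upgrade

  - name: Install logcheck packages
    apt:
      name: "{{ item }}"
      state: present
      update_cache: true
    with_items:
      - logcheck
      - logcheck-database
    when: with_logcheck

  - name: Install local configuration files for logcheck
    # One ignore.d.server/<service>_local file per service; each entry below
    # must have a matching files/logcheck/<service>_local in the role.
    copy:
      src: "logcheck/{{ item }}_local"
      dest: "/etc/logcheck/ignore.d.server/{{ item }}_local"
      owner: root
      group: root
      mode: "0644"
    with_items:
      - amavisd-new
      - ansible
      - bind
      - dhclient
      - dovecot
      - dropbear
      - git-daemon
      - ipmi
      - irqbalance
      - kernel
      - libpam-modules
      - mon
      - noip2
      - ntp
      - openvpn
      - php
      - postfix
      - pure-ftpd
      - pve-cluster
      - redir
      - rpc.mountd
      - rrdcached
      - rsyslog
      - smartd
      - spamd
      - sshd
      - svn
      - sympa
    when: with_logcheck

  - name: Update logcheck cron job
    template:
      src: cron/logcheck.j2
      dest: /etc/cron.d/logcheck
      owner: root
      group: root
      mode: "0644"
    when: with_logcheck

  - name: Install rkhunter related packages
    # lsof and unhide are rkhunter's optional helpers for the hidden-process
    # and open-port checks.
    apt:
      name: "{{ item }}"
      state: present
      update_cache: true
    with_items:
      - lsof
      - unhide
      - rkhunter
    when: with_rkhunter

  - name: Update rkhunter default/init parameters
    template:
      src: rkhunter/default.j2
      dest: /etc/default/rkhunter
      owner: root
      group: root
      mode: "0644"
    when: with_rkhunter

  - name: Update rkhunter configuration
    # Release-specific config only; there is no generic fallback here, so a
    # codename without a matching template fails the task.
    template:
      src: "rkhunter/{{ ansible_lsb.codename }}.conf.j2"
      dest: /etc/rkhunter.conf
      owner: root
      group: root
      mode: "0644"
    when: with_rkhunter

  - name: Update chkrootkit configuration
    template:
      src: chkrootkit/chkrootkit.conf.j2
      dest: /etc/chkrootkit.conf
      owner: root
      group: root
      mode: "0644"
    when: with_chkrootkit

  - name: Update fstab to hide pids from /proc
    # Rewrites the /proc mount options to exactly "defaults,hidepid=2" so
    # users only see their own processes.  The existing options (capture
    # group 2) are deliberately discarded: that keeps the task idempotent,
    # but any custom /proc options must be re-added to the replacement line.
    # Single quotes keep the regex backslashes literal.  The "Remount /proc"
    # handler is defined outside this file.
    lineinfile:
      dest: /etc/fstab
      regexp: '(^proc\s+/proc\s+proc\s+)(\S+)(\s+[0-9]\s+[0-9])\s*$'
      line: '\1defaults,hidepid=2\3'
      backrefs: true
    notify:
      - Remount /proc
    when: with_hideproc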