Startseite Erkunden Hilfe
Anmelden
kolter
/
ansible-playbooks
1
0
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Struktur: 5fcfc4841c
Branches Tags
ansible-playboo...
/
roles
/
common
/
tasks
/
security.yml

security.yml 2.2 KB
Verlauf Originalformat

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980 
  1. - name: Install auto upgrades package
    2. 

  2.   apt: pkg=unattended-upgrades state=installed update_cache=yes
    3. 

  3.   when: with_auto_upgrade
    4. 

  4. 

  5. - name: Configure auto upgrades
    6. 

  6.   template: src={{ item }} dest=/etc/apt/apt.conf.d/20auto-upgrades owner=root group=root mode=0644
    7. 

  7.   first_available_file:
    8. 

  8.     - apt/auto-upgrades.{{ ansible_lsb.codename }}.j2
    9. 

  9.     - apt/auto-upgrades.j2
    10. 

  10.   when: with_auto_upgrade
    11. 

  11. 

  12. - name: Install logcheck packages
    13. 

  13.   apt: pkg={{ item }} state=installed update_cache=yes
    14. 

  14.   with_items:
    15. 

  15.     - logcheck
    16. 

  16.     - logcheck-database
    17. 

  17.   when: with_logcheck
    18. 

  18. 

  19. - name: Install local configuration files for logcheck
    20. 

  20.   copy: src=logcheck/{{ item }}_local dest=/etc/logcheck/ignore.d.server/{{ item }}_local owner=root group=root mode=0644
    21. 

  21.   with_items:
    22. 

  22.     - amavisd-new
    23. 

  23.     - ansible
    24. 

  24.     - bind
    25. 

  25.     - dhclient
    26. 

  26.     - dovecot
    27. 

  27.     - dropbear
    28. 

  28.     - git-daemon
    29. 

  29.     - ipmi
    30. 

  30.     - irqbalance
    31. 

  31.     - kernel
    32. 

  32.     - libpam-modules
    33. 

  33.     - mon
    34. 

  34.     - noip2
    35. 

  35.     - ntp
    36. 

  36.     - openvpn
    37. 

  37.     - php
    38. 

  38.     - postfix
    39. 

  39.     - pure-ftpd
    40. 

  40.     - pve-cluster
    41. 

  41.     - redir
    42. 

  42.     - rpc.mountd
    43. 

  43.     - rrdcached
    44. 

  44.     - rsyslog
    45. 

  45.     - smartd
    46. 

  46.     - spamd
    47. 

  47.     - sshd
    48. 

  48.     - svn
    49. 

  49.     - sympa
    50. 

  50.   when: with_logcheck
    51. 

  51. 

  52. - name: Update logcheck cron job
    53. 

  53.   template: src=cron/logcheck.j2 dest=/etc/cron.d/logcheck owner=root group=root mode=0644
    54. 

  54.   when: with_logcheck
    55. 

  55. 

  56. - name: Install rkhunter related packages
    57. 

  57.   apt: pkg={{ item }} state=installed update_cache=yes
    58. 

  58.   with_items:
    59. 

  59.     - lsof
    60. 

  60.     - unhide
    61. 

  61.     - rkhunter
    62. 

  62.   when: with_rkhunter
    63. 

  63. 

  64. - name: Update rkhunter default/init parameters
    65. 

  65.   template: src=rkhunter/default.j2 dest=/etc/default/rkhunter owner=root group=root mode=0644
    66. 

  66.   when: with_rkhunter
    67. 

  67. 

  68. - name: Update rkhunter configuration
    69. 

  69.   template: src=rkhunter/{{ ansible_lsb.codename }}.conf.j2 dest=/etc/rkhunter.conf owner=root group=root mode=0644
    70. 

  70.   when: with_rkhunter
    71. 

  71. 

  72. - name: Update chkrootkit configuration
    73. 

  73.   template: src=chkrootkit/chkrootkit.conf.j2 dest=/etc/chkrootkit.conf owner=root group=root mode=0644
    74. 

  74.   when: with_chkrootkit
    75. 

  75. 

  76. - name: Update fstab to hide pids from /proc
    77. 

  77.   lineinfile: dest=/etc/fstab regexp='(^proc\s+/proc\s+proc\s+)(\S+)(\s+[0-9]\s+[0-9])\s*$' line='\1defaults,hidepid=2\3' backrefs=yes
    78. 

  78.   notify:
    79. 

  79.       - Remount /proc
    80. 

  80.   when: with_hideproc
    81.