ansible-playbooks/roles/common/tasks/security.yml

- name: 'Install auto upgrades package'
  apt:
    pkg: 'unattended-upgrades'
    state: 'installed'
    update_cache: 'yes'
  when: with_auto_upgrade

- name: 'Reconfigure unattended-upgrades package'
  debconf:
    name: 'unattended-upgrades'
    question: 'unattended-upgrades/enable_auto_updates'
    value: 'true'
    vtype: 'boolean'
  notify:
    - 'Reconfigure unattended-upgrades'
  when: with_auto_upgrade

- name: 'Update unattended-upgrades configuration'
  template:
    src: '{{ item }}'
    dest: '/etc/apt/apt.conf.d/90unattended-upgrades-local'
    owner: 'root'
    group: 'root'
    mode: '0644'
  with_first_found:
    - 'apt/auto-upgrades.{{ ansible_lsb.codename }}.j2'
    - 'apt/auto-upgrades.j2'
  when: with_auto_upgrade

- name: 'Install logcheck packages'
  apt:
    pkg: '{{ item }}'
    state: 'installed'
    update_cache: 'yes'
  with_items:
    - 'logcheck'
    - 'logcheck-database'
  when: with_logcheck

- name: 'Install local configuration files for logcheck'
  copy:
    src: 'logcheck/{{ item }}_local'
    dest: '/etc/logcheck/ignore.d.server/{{ item }}_local'
    owner: 'root'
    group: 'root'
    mode: '0644'
  with_items:
    - 'amavisd-new'
    - 'ansible'
    - 'apache2'
    - 'bind'
    - 'dhclient'
    - 'dnsmasq'
    - 'dovecot'
    - 'dropbear'
    - 'ferm'
    - 'git-daemon'
    - 'gogs'
    - 'ipmi'
    - 'irqbalance'
    - 'kernel'
    - 'libpam-modules'
    - 'mon'
    - 'noip2'
    - 'ntp'
    - 'openvpn'
    - 'php'
    - 'postfix'
    - 'pure-ftpd'
    - 'pve-cluster'
    - 'redir'
    - 'rpc-mountd'
    - 'rrdcached'
    - 'rsyslog'
    - 'smartd'
    - 'spamd'
    - 'sshd'
    - 'svn'
    - 'sympa'
    - 'systemd'
    - 'zabbix-agentd'
  when: with_logcheck

- name: 'Update logcheck cron job'
  template:
    src: 'cron/logcheck.j2'
    dest: '/etc/cron.d/logcheck'
    owner: 'root'
    group: 'root'
    mode: '0644'
  when: with_logcheck

- name: 'Install rkhunter related packages'
  apt:
    pkg: '{{ item }}'
    state: 'installed'
    update_cache: 'yes'
  with_items:
    - 'lsof'
    - 'unhide'
    - 'rkhunter'
  when: with_rkhunter

- name: 'Reconfigure rkhunter package'
  debconf:
    name: '{{item.name}}'
    question: '{{item.question}}'
    value: '{{item.value}}'
    vtype: '{{item.vtype}}'
  with_items:
    - { name: 'rkhunter', question: 'rkhunter/apt_autogen', value: 'true', vtype: 'boolean' }
    - { name: 'rkhunter', question: 'rkhunter/cron_daily_run', value: 'true', vtype: 'boolean' }
    - { name: 'rkhunter', question: 'rkhunter/cron_db_update', value: 'true', vtype: 'boolean' }
  notify:
    - 'Reconfigure rkhunter'
  when: with_rkhunter

- name: Update rkhunter configuration
  template: src=rkhunter/{{ ansible_lsb.codename }}.conf.j2 dest=/etc/rkhunter.conf owner=root group=root mode=0644
  when: with_rkhunter

- name: Update chkrootkit configuration
  template: src=chkrootkit/chkrootkit.conf.j2 dest=/etc/chkrootkit.conf owner=root group=root mode=0644
  when: with_chkrootkit

- name: Update fstab to hide pids from /proc
  lineinfile: dest=/etc/fstab regexp='(^proc\s+/proc\s+proc\s+)(\S+)(\s+[0-9]\s+[0-9])\s*$' line='\1defaults,hidepid=2\3' backrefs=yes
  notify:
      - Remount /proc
  when: with_hideproc and hideproc_gid == ''

- name: Update fstab to hide pids from /proc with group id (gid)
  lineinfile: dest=/etc/fstab regexp='(^proc\s+/proc\s+proc\s+)(\S+)(\s+[0-9]\s+[0-9])\s*$' line='\1defaults,hidepid=2,gid={{hideproc_gid}}\3' backrefs=yes
  notify:
      - Remount /proc
  when: with_hideproc and hideproc_gid != ''

- name: 'Create Diffie-Helman parameters'
  command: 'openssl dhparam -2 -out /etc/ssl/private/dh{{ item }}.pem {{ item }}'
  args:
    creates: '/etc/ssl/private/dh{{ item }}.pem'
  with_items:
    - '2048'