
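  # Host-hardening tasks: unattended upgrades, logcheck, rkhunter,
  # chkrootkit and /proc hidepid. Every task is gated by a with_* variable
  # supplied by the caller; an undefined variable makes the `when` test fail
  # rather than skip the task, so define all five (true/false) in the inventory.
  # Module arguments are written as block YAML instead of key=value strings
  # so quoting is unambiguous (file modes stay strings, templates are quoted).
---
- name: Install auto upgrades package
  apt:
    name: unattended-upgrades
    state: present  # `installed` is a deprecated alias of `present`
    update_cache: true
  when: with_auto_upgrade

- name: Configure auto upgrades
  # Prefer a release-specific template and fall back to the generic one.
  # with_first_found is the supported replacement for the deprecated
  # first_available_file and yields the first existing path as `item`.
  # ansible_lsb.codename requires lsb-release on the target — verify, or the
  # lookup only ever matches the generic template.
  template:
    src: "{{ item }}"
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    owner: root
    group: root
    mode: "0644"
  with_first_found:
    - "apt/auto-upgrades.{{ ansible_lsb.codename }}.j2"
    - apt/auto-upgrades.j2
  when: with_auto_upgrade

- name: Install logcheck packages
  # One apt transaction for both packages instead of a per-item loop.
  apt:
    name:
      - logcheck
      - logcheck-database
    state: present
    update_cache: true
  when: with_logcheck

- name: Install local configuration files for logcheck
  # One <service>_local ignore-pattern file per service, dropped into
  # ignore.d.server so logcheck suppresses the lines listed there. Keep these
  # patterns tight: an over-broad rule silently hides security-relevant lines.
  copy:
    src: "logcheck/{{ item }}_local"
    dest: "/etc/logcheck/ignore.d.server/{{ item }}_local"
    owner: root
    group: root
    mode: "0644"
  with_items:
    - amavisd-new
    - ansible
    - bind
    - dhclient
    - dovecot
    - dropbear
    - git-daemon
    - ipmi
    - kernel
    - libpam-modules
    - mon
    - noip2
    - ntp
    - openvpn
    - php
    - postfix
    - pure-ftpd
    - pve-cluster
    - redir
    - rpc.mountd
    - rrdcached
    - rsyslog
    - smartd
    - spamd
    - sshd
    - svn
    - sympa
  when: with_logcheck

- name: Update logcheck cron job
  template:
    src: cron/logcheck.j2
    dest: /etc/cron.d/logcheck
    owner: root
    group: root
    mode: "0644"
  when: with_logcheck

- name: Install rkhunter related packages
  # lsof and unhide are helper tools rkhunter's checks can call — presumably
  # for the hidden-process/port tests; confirm against the rkhunter config.
  apt:
    name:
      - lsof
      - unhide
      - rkhunter
    state: present
    update_cache: true
  when: with_rkhunter

- name: Update rkhunter default/init parameters
  template:
    src: rkhunter/default.j2
    dest: /etc/default/rkhunter
    owner: root
    group: root
    mode: "0644"
  when: with_rkhunter

- name: Update rkhunter configuration
  # Release-specific config; there is no generic fallback here, so a missing
  # rkhunter/<codename>.conf.j2 fails the task (same as before, now explicit).
  template:
    src: "rkhunter/{{ ansible_lsb.codename }}.conf.j2"
    dest: /etc/rkhunter.conf
    owner: root
    group: root
    mode: "0644"
  when: with_rkhunter

- name: Update chkrootkit configuration
  template:
    src: chkrootkit/chkrootkit.conf.j2
    dest: /etc/chkrootkit.conf
    owner: root
    group: root
    mode: "0644"
  when: with_chkrootkit

- name: Update fstab to hide pids from /proc
  # Rewrites the /proc mount options to exactly "defaults,hidepid=2"; whatever
  # options were there (capture group 2) are discarded, which is what makes a
  # re-run idempotent. hidepid=2 stops unprivileged users from listing other
  # users' processes; a daemon that must read other processes' /proc entries
  # may need a gid= exception — verify on the target before enabling.
  # With backrefs enabled, a missing /proc line leaves fstab untouched, and the
  # "Remount /proc" handler is defined outside this file.
  lineinfile:
    dest: /etc/fstab
    regexp: '(^proc\s+/proc\s+proc\s+)(\S+)(\s+[0-9]\s+[0-9])\s*$'
    line: '\1defaults,hidepid=2\3'
    backrefs: true
  notify:
    - Remount /proc
  when: with_hideproc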