Home Explore Help
Sign In
kolter
/
ansible-playbooks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 90111b84bc
Branches Tags
ansible-playboo...
/
roles
/
common
/
tasks
/
security.yml

security.yml 4.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185 
  1. - name: 'Install auto upgrades package'
    2. 

  2.   apt:
    3. 

  3.     pkg:
    4. 

  4.       - 'unattended-upgrades'
    5. 

  5.     state: 'present'
    6. 

  6.   when: with_auto_upgrade|bool
    7. 

  7.   tags:
    8. 

  8.     - 'security'
    9. 

  9. 

  10. - name: 'Reconfigure unattended-upgrades package'
    11. 

  11.   debconf:
    12. 

  12.     name: 'unattended-upgrades'
    13. 

  13.     question: 'unattended-upgrades/enable_auto_updates'
    14. 

  14.     value: 'true'
    15. 

  15.     vtype: 'boolean'
    16. 

  16.   notify:
    17. 

  17.     - 'Reconfigure unattended-upgrades'
    18. 

  18.   when: with_auto_upgrade|bool
    19. 

  19.   tags:
    20. 

  20.     - 'security'
    21. 

  21. 

  22. - name: 'Update unattended-upgrades configuration'
    23. 

  23.   template:
    24. 

  24.     src: '{{ item }}'
    25. 

  25.     dest: '/etc/apt/apt.conf.d/90unattended-upgrades-local'
    26. 

  26.     owner: 'root'
    27. 

  27.     group: 'root'
    28. 

  28.     mode: '0644'
    29. 

  29.   with_first_found:
    30. 

  30.     - 'apt/auto-upgrades.{{ ansible_lsb.codename }}.j2'
    31. 

  31.     - 'apt/auto-upgrades.j2'
    32. 

  32.   when: with_auto_upgrade|bool
    33. 

  33.   tags:
    34. 

  34.     - 'security'
    35. 

  35. 

  36. - name: 'Install logcheck packages'
    37. 

  37.   apt:
    38. 

  38.     pkg:
    39. 

  39.       - 'logcheck'
    40. 

  40.       - 'logcheck-database'
    41. 

  41.     state: 'present'
    42. 

  42.   when: with_logcheck|bool
    43. 

  43.   tags:
    44. 

  44.     - 'security'
    45. 

  45. 

  46. - name: 'Install local configuration files for logcheck'
    47. 

  47.   copy:
    48. 

  48.     src: 'logcheck/{{ item }}_local'
    49. 

  49.     dest: '/etc/logcheck/ignore.d.server/{{ item }}_local'
    50. 

  50.     owner: 'root'
    51. 

  51.     group: 'logcheck'
    52. 

  52.     mode: '0644'
    53. 

  53.   with_items:
    54. 

  54.     - 'amavisd-new'
    55. 

  55.     - 'ansible'
    56. 

  56.     - 'apache2'
    57. 

  57.     - 'bind'
    58. 

  58.     - 'dhclient'
    59. 

  59.     - 'dnsmasq'
    60. 

  60.     - 'dovecot'
    61. 

  61.     - 'dropbear'
    62. 

  62.     - 'ferm'
    63. 

  63.     - 'gammu'
    64. 

  64.     - 'git-daemon'
    65. 

  65.     - 'gogs'
    66. 

  66.     - 'influxd'
    67. 

  67.     - 'ipmi'
    68. 

  68.     - 'irqbalance'
    69. 

  69.     - 'kernel'
    70. 

  70.     - 'libpam-modules'
    71. 

  71.     - 'mon'
    72. 

  72.     - 'noip2'
    73. 

  73.     - 'ntp'
    74. 

  74.     - 'openvpn'
    75. 

  75.     - 'opendkim'
    76. 

  76.     - 'php'
    77. 

  77.     - 'postfix'
    78. 

  78.     - 'pure-ftpd'
    79. 

  79.     - 'pve-cluster'
    80. 

  80.     - 'redir'
    81. 

  81.     - 'rpc-mountd'
    82. 

  82.     - 'rrdcached'
    83. 

  83.     - 'rsyslog'
    84. 

  84.     - 'smartd'
    85. 

  85.     - 'spamd'
    86. 

  86.     - 'sshd'
    87. 

  87.     - 'svn'
    88. 

  88.     - 'sympa'
    89. 

  89.     - 'systemd'
    90. 

  90.     - 'zabbix-agentd'
    91. 

  91.   when: with_logcheck|bool
    92. 

  92.   tags:
    93. 

  93.     - 'security'
    94. 

  94.     - 'logcheck'
    95. 

  95. 

  96. - name: 'Update logcheck cron job'
    97. 

  97.   template:
    98. 

  98.     src: 'cron/logcheck.j2'
    99. 

  99.     dest: '/etc/cron.d/logcheck'
    100. 

  100.     owner: 'root'
    101. 

  101.     group: 'root'
    102. 

  102.     mode: '0644'
    103. 

  103.   when: with_logcheck|bool
    104. 

  104.   tags:
    105. 

  105.     - 'security'
    106. 

  106.     - 'logcheck'
    107. 

  107. 

  108. - name: 'Install rkhunter related packages'
    109. 

  109.   apt:
    110. 

  110.     pkg:
    111. 

  111.       - 'lsof'
    112. 

  112.       - 'unhide'
    113. 

  113.       - 'rkhunter'
    114. 

  114.     state: 'present'
    115. 

  115.   when: with_rkhunter|bool
    116. 

  116.   tags:
    117. 

  117.     - 'security'
    118. 

  118. 

  119. - name: 'Reconfigure rkhunter package'
    120. 

  120.   debconf:
    121. 

  121.     name: '{{ item.name }}'
    122. 

  122.     question: '{{ item.question }}'
    123. 

  123.     value: '{{ item.value }}'
    124. 

  124.     vtype: '{{ item.vtype }}'
    125. 

  125.   with_items:
    126. 

  126.     - { name: 'rkhunter', question: 'rkhunter/apt_autogen', value: 'true', vtype: 'boolean' }
    127. 

  127.     - { name: 'rkhunter', question: 'rkhunter/cron_daily_run', value: 'true', vtype: 'boolean' }
    128. 

  128.     - { name: 'rkhunter', question: 'rkhunter/cron_db_update', value: 'true', vtype: 'boolean' }
    129. 

  129.   notify:
    130. 

  130.     - 'Reconfigure rkhunter'
    131. 

  131.   when: with_rkhunter|bool
    132. 

  132.   tags:
    133. 

  133.     - 'security'
    134. 

  134. 

  135. - name: 'Update rkhunter configuration'
    136. 

  136.   template:
    137. 

  137.     src: 'rkhunter/{{ ansible_lsb.codename }}.conf.j2'
    138. 

  138.     dest: '/etc/rkhunter.conf'
    139. 

  139.     owner: 'root'
    140. 

  140.     group: 'root'
    141. 

  141.     mode: '0644'
    142. 

  142.   when: with_rkhunter|bool
    143. 

  143.   tags:
    144. 

  144.     - 'security'
    145. 

  145. 

  146. - name: 'Update chkrootkit configuration'
    147. 

  147.   template: src=chkrootkit/chkrootkit.conf.j2 dest=/etc/chkrootkit.conf owner=root group=root mode=0644
    148. 

  148.   when: with_chkrootkit|bool
    149. 

  149.   tags:
    150. 

  150.     - 'security'
    151. 

  151. 

  152. - name: 'Update fstab to hide pids from /proc'
    153. 

  153.   lineinfile:
    154. 

  154.     dest: '/etc/fstab'
    155. 

  155.     regexp: '(^proc\s+/proc\s+proc\s+)(\S+)(\s+[0-9]\s+[0-9])\s*$'
    156. 

  156.     line: '\1defaults,hidepid=2\3'
    157. 

  157.     backrefs: 'yes'
    158. 

  158.   notify:
    159. 

  159.       - 'Remount /proc'
    160. 

  160.   when: with_hideproc|bool and hideproc_gid|length == 0
    161. 

  161.   tags:
    162. 

  162.     - 'security'
    163. 

  163. 

  164. - name: 'Update fstab to hide pids from /proc with group id (gid)'
    165. 

  165.   lineinfile:
    166. 

  166.     dest: '/etc/fstab'
    167. 

  167.     regexp: '(^proc\s+/proc\s+proc\s+)(\S+)(\s+[0-9]\s+[0-9])\s*$'
    168. 

  168.     line: '\1defaults,hidepid=2,gid={{ hideproc_gid }}\3'
    169. 

  169.     backrefs: 'yes'
    170. 

  170.   notify:
    171. 

  171.       - 'Remount /proc'
    172. 

  172.   when: with_hideproc|bool and hideproc_gid|length > 0
    173. 

  173.   tags:
    174. 

  174.     - 'security'
    175. 

  175. 

  176. - name: 'Create Diffie-Helman parameters'
    177. 

  177.   command: 'openssl dhparam -2 -out /etc/ssl/private/dh{{ item }}.pem {{ item }}'
    178. 

  178.   args:
    179. 

  179.     creates: '/etc/ssl/private/dh{{ item }}.pem'
    180. 

  180.   with_items:
    181. 

  181.     - '2048'
    182. 

  182.   tags:
    183. 

  183.     - 'security'
    184. 

  184. 

  185. # vim: ft=yaml.ansible
    186.