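---
# Baseline hardening for hosts that may be either RHEL- or Debian-family.
# Everything that exists on only one family (dnf, firewalld, SELinux, apt,
# unattended-upgrades) is gated on `ansible_os_family`, so a run against the
# other family skips it instead of failing on a missing package manager.
#
# The seport/selinux/seboolean/firewalld modules live in the `ansible.posix`
# collection, which has to be installed alongside ansible-core.
- name: Harden hosts (SSH, sudo, updates, firewall, fail2ban, SELinux).
  hosts: all
  become: true

  vars:
    # Single source of truth for the SSH port. sshd_config, the SELinux port
    # label, the firewall rule and the fail2ban jail all read this value, so
    # they cannot drift apart (a firewall opened on 22 while sshd listens on
    # another port locks everyone out).
    ssh_port: 2849
    deploy_user: johndoe

  handlers:
    - name: restart ssh
      # Debian ships the unit as ssh.service, RHEL as sshd.service.
      ansible.builtin.service:
        name: "{{ 'ssh' if ansible_os_family == 'Debian' else 'sshd' }}"
        state: restarted

    - name: restart fail2ban
      ansible.builtin.service:
        name: fail2ban
        state: restarted

  tasks:
    # --- Secure and encrypted communication --------------------------------
    # NOTE(review): password authentication is turned off and root login is
    # refused below, and the deployment user is created without a key. A
    # public key for that user (e.g. via ansible.posix.authorized_key) must be
    # in place before this play reaches a host, or the next login is locked
    # out.

    - name: Allow sshd to listen on the non-default port (SELinux).
      ansible.posix.seport:
        ports: "{{ ssh_port }}"
        proto: tcp
        setype: ssh_port_t
        state: present
      when: ansible_selinux.status == 'enabled'

    # sshd takes the first value it sees for a keyword. A line appended by
    # lineinfile lands at the end of the file, so it is shadowed by any earlier
    # setting in an `Include`d drop-in (e.g. /etc/ssh/sshd_config.d/*.conf on
    # newer distributions) and falls inside a trailing `Match` block if there
    # is one. Check the effective config with `sshd -T` after the first run.
    - name: Update SSH configuration to be more secure.
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        # Refuse to write a file sshd cannot parse; otherwise the handler
        # would restart sshd into a broken config.
        validate: 'sshd -t -f %s'
      loop:
        - regexp: "^PasswordAuthentication"
          line: "PasswordAuthentication no"
        - regexp: "^PermitRootLogin"
          line: "PermitRootLogin no"
        - regexp: "^Port"
          line: "Port {{ ssh_port }}"
      loop_control:
        label: "{{ item.line }}"
      notify: restart ssh

    # --- User account configuration ----------------------------------------
    - name: Add a deployment user.
      ansible.builtin.user:
        name: "{{ deploy_user }}"
        state: present

    # Root SSH login is off, so privilege comes through sudo. The rule goes in
    # its own drop-in (validated by visudo) instead of being spliced into
    # /etc/sudoers: a drop-in survives package updates and a bad edit cannot
    # take the main file down with it. `NOPASSWD: ALL` makes this account
    # root-equivalent, so its SSH key protects the whole host; narrow the
    # command list if the deployment job allows it.
    - name: Add sudo rights for deployment user.
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/{{ deploy_user }}"
        content: |
          {{ deploy_user }} ALL=(ALL) NOPASSWD: ALL
        owner: root
        group: root
        mode: "0440"
        validate: 'visudo -cf %s'

    # --- Remove unused software ------------------------------------------
    - name: Remove unused packages.
      ansible.builtin.package:
        name:
          - nano
          - sendmail
        state: absent

    # --- File permissions ------------------------------------------------
    # `file` without `state` fails if the path is absent (some Debian-family
    # images log to syslog and have no /var/log/messages); gate the task with
    # a `when` if that is expected in your fleet.
    - name: Configure the permissions for the messages log.
      ansible.builtin.file:
        path: /var/log/messages
        owner: root
        group: root
        mode: "0600"

    # --- Automatic updates, RHEL family ----------------------------------
    - name: Install dnf-automatic (RedHat).
      ansible.builtin.dnf:
        name: dnf-automatic
        state: present
      when: ansible_os_family == 'RedHat'

    # The `-install` timer applies updates rather than only downloading them.
    - name: Ensure dnf-automatic is running and enabled on boot (RedHat).
      ansible.builtin.systemd:
        name: dnf-automatic-install.timer
        state: started
        enabled: true
      when: ansible_os_family == 'RedHat'

    # --- Automatic updates, Debian family --------------------------------
    - name: Install unattended upgrades package (Debian).
      ansible.builtin.apt:
        name: unattended-upgrades
        state: present
      when: ansible_os_family == 'Debian'

    - name: Copy unattended-upgrades configuration files in place (Debian).
      ansible.builtin.template:
        src: "../templates/{{ item }}.j2"
        dest: "/etc/apt/apt.conf.d/{{ item }}"
        owner: root
        group: root
        mode: "0644"
      loop:
        - 20auto-upgrades
        - 50unattended-upgrades
      when: ansible_os_family == 'Debian'

    # --- Firewall with firewalld, RHEL family ----------------------------
    # Debian-family hosts get no host firewall from this play.
    - name: Ensure firewalld is running and enabled on boot (RedHat).
      ansible.builtin.service:
        name: firewalld
        state: started
        enabled: true
      when: ansible_os_family == 'RedHat'

    # Rules in the `external` zone only apply to interfaces assigned to that
    # zone (the default zone is `public`), and that zone enables masquerading
    # by default; confirm both are intended on a host that is not a router.
    # 22/tcp stays open only as a migration window: switch it to `disabled`
    # once logins on the new port are confirmed. Inbound 123/udp is needed
    # only if this host serves NTP to clients, not to be a client itself.
    - name: Configure open ports with firewalld (RedHat).
      ansible.posix.firewalld:
        state: "{{ item.state }}"
        port: "{{ item.port }}"
        zone: external
        immediate: true
        permanent: true
      loop:
        - state: enabled
          port: "{{ ssh_port }}/tcp"
        - state: enabled
          port: "22/tcp"
        - state: enabled
          port: "80/tcp"
        - state: enabled
          port: "123/udp"
      when: ansible_os_family == 'RedHat'

    # --- Monitor logins and block suspect IP addresses -------------------
    # `epel-release` is in the base repos of the CentOS Stream / Rocky / Alma
    # rebuilds; on RHEL proper it has to be installed from the EPEL URL.
    - name: Ensure EPEL repo is present (RedHat).
      ansible.builtin.dnf:
        name: epel-release
        state: present
      when: ansible_os_family == 'RedHat'

    - name: Install fail2ban (RedHat).
      ansible.builtin.dnf:
        name: fail2ban
        state: present
        enablerepo: epel
      when: ansible_os_family == 'RedHat'

    - name: Install fail2ban (Debian).
      ansible.builtin.apt:
        name: fail2ban
        state: present
      when: ansible_os_family == 'Debian'

    # The stock sshd jail bans on the `ssh` service port (22 in /etc/services).
    # With sshd moved to another port a ban would not cover the port actually
    # being attacked, so point the jail at the real one. Upstream jail.conf
    # ships every jail off; Debian's package turns sshd on via a drop-in,
    # EPEL's (as far as I know) does not, so enable it here as well.
    - name: Point the fail2ban sshd jail at the SSH port.
      ansible.builtin.copy:
        dest: /etc/fail2ban/jail.d/sshd.local
        content: |
          [sshd]
          enabled = true
          port = {{ ssh_port }}
        owner: root
        group: root
        mode: "0644"
      notify: restart fail2ban

    - name: Ensure fail2ban is running and enabled on boot.
      ansible.builtin.service:
        name: fail2ban
        state: started
        enabled: true

    # --- SELinux (Security-Enhanced Linux), RHEL family ------------------
    - name: Install Python SELinux library (RedHat).
      ansible.builtin.dnf:
        name: python3-libselinux
        state: present
      when: ansible_os_family == 'RedHat'

    # Going from disabled to enforcing only takes effect after a reboot (the
    # module reports `reboot_required`); permissive -> enforcing is immediate.
    # Until that reboot `ansible_selinux.status` stays disabled and the
    # SELinux-gated tasks above and below are skipped.
    - name: Ensure SELinux is enabled in `targeted` mode (RedHat).
      ansible.posix.selinux:
        policy: targeted
        state: enforcing
      when: ansible_os_family == 'RedHat'

    # Broad boolean: lets httpd initiate outbound connections to any port.
    # Prefer the narrower httpd_can_network_connect_db / _relay if one of
    # them covers what the web app actually needs.
    - name: Ensure httpd can connect to the network.
      ansible.posix.seboolean:
        name: httpd_can_network_connect
        state: true
        persistent: true
      when: ansible_selinux.status == 'enabled'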