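---
# System Hardening Role - Main Tasks
#
# Ordering: the apt cache refresh and upgrade run before the package
# install/remove tasks so they work from fresh metadata; the included
# task files then apply the individual CIS control groups.

- name: Set timezone
  community.general.timezone:
    name: "{{ system_timezone }}"
  when: system_timezone is defined and system_timezone != ""

- name: Set hostname
  ansible.builtin.hostname:
    name: "{{ system_hostname }}"
  when: system_hostname is defined and system_hostname != ""

- name: Update apt cache
  ansible.builtin.apt:
    update_cache: true
    # Skip the refresh when the cache is younger than one hour.
    cache_valid_time: 3600

# NOTE(review): a dist-upgrade can pull in a new kernel; this file does not
# schedule a reboot, so a pending-reboot check belongs in the calling play.
- name: Upgrade all packages
  ansible.builtin.apt:
    upgrade: dist
    autoremove: true
    autoclean: true

- name: Install security packages
  ansible.builtin.apt:
    name: "{{ hardening_install_packages }}"
    state: present

- name: Remove insecure packages
  ansible.builtin.apt:
    name: "{{ hardening_remove_packages }}"
    state: absent
    # Purge so configuration files of the removed packages do not linger.
    purge: true

- name: Configure SSH hardening
  ansible.builtin.include_tasks: ssh.yml

- name: Configure sysctl parameters (basic)
  ansible.builtin.include_tasks: sysctl.yml

- name: Configure CIS-compliant sysctl parameters
  ansible.builtin.include_tasks: sysctl_cis.yml

# Every feature toggle is coerced with `| bool` so a string value such as
# "false" from the inventory is not treated as truthy.
- name: Configure AppArmor (CIS 1.3.x)
  ansible.builtin.include_tasks: apparmor.yml
  when: apparmor_enabled | default(true) | bool

- name: Configure fail2ban
  ansible.builtin.include_tasks: fail2ban.yml
  when: fail2ban_enabled | bool

- name: Configure auditd (CIS 4.1.x)
  ansible.builtin.include_tasks: audit.yml
  when: auditd_enabled | bool

- name: Configure unattended upgrades
  ansible.builtin.include_tasks: unattended_upgrades.yml
  when: unattended_upgrades_enabled | bool

- name: Disable uncommon network protocols (CIS 3.3.x)
  ansible.builtin.include_tasks: disable_protocols.yml

- name: Configure core dumps restriction (CIS 1.5.1)
  ansible.builtin.include_tasks: core_dumps.yml

# Collect the unit list first so the next task can skip units that are not
# installed instead of blanket-ignoring every failure: a real failure to
# stop or disable a present service must still surface.
- name: Gather service facts
  ansible.builtin.service_facts:

- name: Disable unnecessary services
  ansible.builtin.systemd:
    name: "{{ item }}"
    state: stopped
    enabled: false
  loop:
    - avahi-daemon
    - cups
    - isc-dhcp-server
    - isc-dhcp-server6
    - rpcbind
    - rsync
    - snmpd
  # Only act on units that exist on this host.
  when: (item ~ '.service') in ansible_facts.services

# Modes are quoted strings so YAML does not read them as octal integers.
# NOTE(review): only the owner is enforced here; the expected group for
# shadow/gshadow differs between distributions — confirm before adding it.
- name: Set secure file permissions (CIS 6.1.x)
  ansible.builtin.file:
    path: "{{ item.path }}"
    owner: root
    mode: "{{ item.mode }}"
  loop:
    - { path: '/etc/passwd', mode: '0644' }
    - { path: '/etc/shadow', mode: '0600' }
    - { path: '/etc/group', mode: '0644' }
    - { path: '/etc/gshadow', mode: '0600' }
    - { path: '/etc/ssh/sshd_config', mode: '0600' }

- name: Create security banners (CIS 1.4.x)
  ansible.builtin.copy:
    dest: "{{ item }}"
    content: |
      **************************************************************************
      *                                                                        *
      * WARNING: Unauthorized access to this system is forbidden and will      *
      * be prosecuted by law. By accessing this system, you agree that your    *
      * actions may be monitored if unauthorized usage is suspected.           *
      *                                                                        *
      **************************************************************************
    mode: '0644'
  loop:
    - /etc/issue
    - /etc/issue.net
    - /etc/motd

# The summary mirrors the `when:` conditions above so the report and the
# applied controls cannot disagree on what was enabled.
- name: Display hardening summary
  ansible.builtin.debug:
    msg:
      - "========================================="
      - "System Hardening Complete"
      - "========================================="
      - "CIS Level 1 controls applied"
      - "AppArmor: {{ 'ENABLED' if apparmor_enabled | default(true) | bool else 'DISABLED' }}"
      - "Auditd: {{ 'ENABLED' if auditd_enabled | bool else 'DISABLED' }}"
      - "Fail2ban: {{ 'ENABLED' if fail2ban_enabled | bool else 'DISABLED' }}"
      - "Unattended upgrades: {{ 'ENABLED' if unattended_upgrades_enabled | bool else 'DISABLED' }}"
      - "========================================="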