valleyforge/resist-vpn-infra
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
28db1d2104
resist-vpn-infra/roles/system_hardening/tasks/main.yml
Sparticus 28db1d2104 CIS + inital
2026-01-26 21:22:41 -05:00

122 lines
3.7 KiB
YAML
Raw Blame History

---
# System Hardening Role - Main Tasks
- name: Set timezone
community.general.timezone:
name: "{{ system_timezone }}"
when: system_timezone is defined and system_timezone != ""
- name: Set hostname
ansible.builtin.hostname:
name: "{{ system_hostname }}"
when: system_hostname is defined and system_hostname != ""
- name: Update apt cache
ansible.builtin.apt:
update_cache: yes
cache_valid_time: 3600
- name: Upgrade all packages
ansible.builtin.apt:
upgrade: dist
autoremove: yes
autoclean: yes
- name: Install security packages
ansible.builtin.apt:
name: "{{ hardening_install_packages }}"
state: present
- name: Remove insecure packages
ansible.builtin.apt:
name: "{{ hardening_remove_packages }}"
state: absent
purge: yes
- name: Configure SSH hardening
ansible.builtin.include_tasks: ssh.yml
- name: Configure sysctl parameters (basic)
ansible.builtin.include_tasks: sysctl.yml
- name: Configure CIS-compliant sysctl parameters
ansible.builtin.include_tasks: sysctl_cis.yml
- name: Configure AppArmor (CIS 1.3.x)
ansible.builtin.include_tasks: apparmor.yml
when: apparmor_enabled | default(true)
- name: Configure fail2ban
ansible.builtin.include_tasks: fail2ban.yml
when: fail2ban_enabled | bool
- name: Configure auditd (CIS 4.1.x)
ansible.builtin.include_tasks: audit.yml
when: auditd_enabled | bool
- name: Configure unattended upgrades
ansible.builtin.include_tasks: unattended_upgrades.yml
when: unattended_upgrades_enabled | bool
- name: Disable uncommon network protocols (CIS 3.3.x)
ansible.builtin.include_tasks: disable_protocols.yml
- name: Configure core dumps restriction (CIS 1.5.1)
ansible.builtin.include_tasks: core_dumps.yml
- name: Disable unnecessary services
ansible.builtin.systemd:
name: "{{ item }}"
state: stopped
enabled: no
loop:
- avahi-daemon
- cups
- isc-dhcp-server
- isc-dhcp-server6
- rpcbind
- rsync
- snmpd
failed_when: false # Don't fail if service doesn't exist
- name: Set secure file permissions (CIS 6.1.x)
ansible.builtin.file:
path: "{{ item.path }}"
mode: "{{ item.mode }}"
loop:
- { path: '/etc/passwd', mode: '0644' }
- { path: '/etc/shadow', mode: '0600' }
- { path: '/etc/group', mode: '0644' }
- { path: '/etc/gshadow', mode: '0600' }
- { path: '/etc/ssh/sshd_config', mode: '0600' }
- name: Create security banners (CIS 1.4.x)
ansible.builtin.copy:
dest: "{{ item }}"
content: |
**************************************************************************
* *
* WARNING: Unauthorized access to this system is forbidden and will *
* be prosecuted by law. By accessing this system, you agree that your *
* actions may be monitored if unauthorized usage is suspected. *
* *
**************************************************************************
mode: '0644'
loop:
- /etc/issue
- /etc/issue.net
- /etc/motd
- name: Display hardening summary
ansible.builtin.debug:
msg:
- "========================================="
- "System Hardening Complete"
- "========================================="
- "CIS Level 1 controls applied"
- "AppArmor: {{ 'ENABLED' if apparmor_enabled | default(true) else 'DISABLED' }}"
- "Auditd: {{ 'ENABLED' if auditd_enabled else 'DISABLED' }}"
- "Fail2ban: {{ 'ENABLED' if fail2ban_enabled else 'DISABLED' }}"
- "Unattended upgrades: {{ 'ENABLED' if unattended_upgrades_enabled else 'DISABLED' }}"
- "========================================="
Reference in New Issue View Git Blame Copy Permalink