diff --git a/group_vars/all/vars.yaml b/group_vars/all/vars.yaml
index 6a9ced0..a5bafeb 100644
--- a/group_vars/all/vars.yaml
+++ b/group_vars/all/vars.yaml
@@ -4,6 +4,4 @@
 worker_user: ansible
 users: ["nicof2000"]
 # fail2ban configuration for sshd jail
-f2b_sshd_findtime: 30m
 f2b_sshd_maxretry: 3
-f2b_sshd_bantime: 1d
diff --git a/playbook.yaml b/playbook.yaml
index 8b3c821..576b9f9 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -119,13 +119,13 @@
 # tags: [hardening, firewall]
 # tags: [hardening, firewall]
- - name: "Setup auditd"
- when: ansible_facts['distribution'] in ['CentOS', 'AlmaLinux', 'Rocky'] # TODO until bugs fixed
- tags: [hardening]
- ansible.builtin.include_tasks:
- file: "tasks/linux/setup-auditd.yaml"
- apply:
- tags: [hardening]
+ #- name: "Setup auditd"
+ # when: ansible_facts['distribution'] in ['CentOS', 'AlmaLinux', 'Rocky'] # TODO until bugs fixed
+ # tags: [hardening]
+ # ansible.builtin.include_tasks:
+ # file: "tasks/linux/setup-auditd.yaml"
+ # apply:
+ # tags: [hardening]
 # TODO setup aide
 # TODO setup IDS (Suricata / snort)
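Review bot: Removing `f2b_sshd_findtime` and `f2b_sshd_bantime` while keeping `f2b_sshd_maxretry` leaves the sshd jail's ban window unspecified at the group level: if the jail file written by "Create sshd jail" still references these variables the play fails with an undefined variable, and if it no longer does, the jail falls back to fail2ban's built-in defaults (10m for both in jail.conf), which is much weaker than the 1d ban the old value expressed. I cannot see the jail template from this diff, so which case applies needs confirming. If relying on the defaults is intended, say so next to the remaining key, e.g. `f2b_sshd_maxretry: 3  # findtime/bantime intentionally left to fail2ban defaults`; otherwise keep the two keys.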
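Review bot: Commenting out the "Setup auditd" task makes `--tags hardening` succeed on CentOS/AlmaLinux/Rocky without auditd ever being configured, and the same applies to the openscap and lynis tasks commented out in the next hunk (`@@ -140,20 +140,20 @@`), where `--tags audit` now matches nothing at all. A play that runs green while a control is missing is hard to notice later; keeping the task and disabling it explicitly, e.g. `when: false  # TODO re-enable once setup-auditd bugs are fixed`, keeps it visible in `--list-tasks` and as "skipping" in run output. The retained `# TODO until bugs fixed` should also name the failing task or issue so the disable does not become permanent.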
@@ -140,20 +140,20 @@
 apply:
 tags: [users]
- - name: "Audit the system using openscap"
- tags: [audit]
- when: "ansible_facts['distribution'] not in ['Ubuntu', 'Debian']" # TODO ssg files does not exist -> find solution
- ansible.builtin.include_tasks:
- file: "tasks/linux/audit-openscap.yaml"
- apply:
- tags: [audit]
+ #- name: "Audit the system using openscap"
+ # tags: [audit]
+ # when: "ansible_facts['distribution'] not in ['Ubuntu', 'Debian']" # TODO ssg files does not exist -> find solution
+ # ansible.builtin.include_tasks:
+ # file: "tasks/linux/audit-openscap.yaml"
+ # apply:
+ # tags: [audit]
- - name: "Audit the system using lynis"
- tags: [audit]
- ansible.builtin.include_tasks:
- file: "tasks/linux/audit-lynis.yaml"
- apply:
- tags: [audit]
+ #- name: "Audit the system using lynis"
+ # tags: [audit]
+ # ansible.builtin.include_tasks:
+ # file: "tasks/linux/audit-lynis.yaml"
+ # apply:
+ # tags: [audit]
 - name: "Setup postgresql"
 when:
@@ -190,7 +190,7 @@
 become: true
 tags: [redis]
- # TODO setup nginx with ModSecurity if install_nginx is true:
+ # TODO setup nginx with ModSecurity if install_nginx is true:
 # - debian: libnginx-mod-http-modsecurity modsecurity-crs
 # - ubuntu: modsecurity-crs libmodsecurity3
 # - rhel: libmodsecurity nginx-mod-modsecurity
diff --git a/tasks/linux/setup-clamav.yaml b/tasks/linux/setup-clamav.yaml
index 01280d2..9a89d89 100644
--- a/tasks/linux/setup-clamav.yaml
+++ b/tasks/linux/setup-clamav.yaml
@@ -15,7 +15,7 @@
 - name: "Update clamav database"
 when:
 - "freshclam.changed"
- "ansible_facts['distribution'] not in ['CentOS']"
+ - "ansible_facts['distribution'] not in ['CentOS']" # TODO permission error
 block:
 - name: "Stop clamav service"
 ansible.builtin.systemd:
diff --git a/tasks/linux/setup-fail2ban.yaml b/tasks/linux/setup-fail2ban.yaml
index 830e6ec..121f4d2 100644
--- a/tasks/linux/setup-fail2ban.yaml
+++ b/tasks/linux/setup-fail2ban.yaml
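Review bot: The lynis audit task is commented out with no reason given, whereas the openscap task above it carries `# TODO ssg files does not exist -> find solution`; a reader cannot tell whether lynis is broken on some platform or was disabled by accident along with openscap. Put the reason on the commented-out header, e.g. `#- name: "Audit the system using lynis"  # TODO disabled: <reason>`, or leave lynis enabled if only openscap is affected. The enclosing play continues outside this hunk.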
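Review bot: The added `# TODO permission error` explains why CentOS is excluded, but the effect of that `when:` entry is that the whole "Update clamav database" block is skipped on CentOS, so those hosts keep whatever signature database the package shipped until the error is fixed. The comment should state that consequence and the failing step, so the skip is not later mistaken for a deliberate platform difference, e.g. `# TODO: freshclam fails with a permission error on CentOS; signatures are not refreshed there until fixed`. The block's remaining tasks continue outside the hunk, so I cannot see which step actually fails.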
@@ -16,7 +16,6 @@
 ansible.builtin.file:
 path: "/etc/fail2ban/jail.d/defaults-debian.conf"
 state: absent
- # when: "ansible_facts['distribution'] in ['Ubuntu', 'Debian']" # TODO test
 become: true
 - name: "Create sshd jail"
diff --git a/tasks/linux/setup-rkhunter.yaml b/tasks/linux/setup-rkhunter.yaml
index 63c2484..856175a 100644
--- a/tasks/linux/setup-rkhunter.yaml
+++ b/tasks/linux/setup-rkhunter.yaml
@@ -5,3 +5,5 @@
 name: "rkhunter"
 state: present
 become: true
+
+# TODO scheduled exections
diff --git a/tasks/linux/setup-sshd.yaml b/tasks/linux/setup-sshd.yaml
index dd43686..27792fb 100644
--- a/tasks/linux/setup-sshd.yaml
+++ b/tasks/linux/setup-sshd.yaml
@@ -1,8 +1,7 @@
 ---
 - name: "Ensure openssh-server is installed"
 ansible.builtin.package:
- name:
- - openssh-server
+ name: openssh-server
 state: present
 become: true
@@ -79,20 +78,3 @@
 line: "X11Forwarding no"
 notify: "Restart sshd"
 become: true
-
- name: "Create netbox service for ssh"
- netbox.netbox.netbox_service:
- netbox_url: "{{ netbox_url }}"
- netbox_token: "{{ netbox_token }}"
- data:
- virtual_machine: "{{ inventory_hostname }}"
- name: ssh
- port: 22
- protocol: TCP
- state: present
- delegate_to: localhost
- when:
- - "netbox_url is defined"
- - "netbox_token is defined"
- - "netbox_url is not none"
- - "netbox_token is not none"
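Review bot: The added `# TODO scheduled exections` has a typo ("executions") and does not say what is missing; installing the package gives no detection value until `rkhunter --check` is run periodically, unless the distribution package already ships a cron job, which this file does not show. Make the TODO actionable, e.g. `# TODO schedule periodic rkhunter --check (cron or systemd timer) and run --propupd after package updates`, so the next person knows what the task is still lacking.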