From 861d3b5c790e71de19fb6512b195ae7bbb011c53 Mon Sep 17 00:00:00 2001
From: Nico Felbinger
Date: Sat, 18 Apr 2026 16:26:41 +0200
Subject: [PATCH 1/5] ssh: remove netbox service creation

---
 tasks/linux/setup-fail2ban.yaml | 1 -
 tasks/linux/setup-sshd.yaml | 20 +-------------------
 2 files changed, 1 insertion(+), 20 deletions(-)

diff --git a/tasks/linux/setup-fail2ban.yaml b/tasks/linux/setup-fail2ban.yaml
index 830e6ec..121f4d2 100644
--- a/tasks/linux/setup-fail2ban.yaml
+++ b/tasks/linux/setup-fail2ban.yaml
@@ -16,7 +16,6 @@
 ansible.builtin.file:
 path: "/etc/fail2ban/jail.d/defaults-debian.conf"
 state: absent
- # when: "ansible_facts['distribution'] in ['Ubuntu', 'Debian']" # TODO test
 become: true
 
 - name: "Create sshd jail"
diff --git a/tasks/linux/setup-sshd.yaml b/tasks/linux/setup-sshd.yaml
index dd43686..27792fb 100644
--- a/tasks/linux/setup-sshd.yaml
+++ b/tasks/linux/setup-sshd.yaml
@@ -1,8 +1,7 @@
 ---
 - name: "Ensure openssh-server is installed"
 ansible.builtin.package:
- name:
- - openssh-server
+ name: openssh-server
 state: present
 become: true
 
@@ -79,20 +78,3 @@
 line: "X11Forwarding no"
 notify: "Restart sshd"
 become: true
-
-- name: "Create netbox service for ssh"
- netbox.netbox.netbox_service:
- netbox_url: "{{ netbox_url }}"
- netbox_token: "{{ netbox_token }}"
- data:
- virtual_machine: "{{ inventory_hostname }}"
- name: ssh
- port: 22
- protocol: TCP
- state: present
- delegate_to: localhost
- when:
- "netbox_url is defined"
- "netbox_token is defined"
- "netbox_url is not none"
- "netbox_token is not none"
From 85aefe23718b8af9221d682630170c649669c4dd Mon Sep 17 00:00:00 2001
From: Nico Felbinger
Date: Sat, 18 Apr 2026 16:34:23 +0200
Subject: [PATCH 2/5] playbook/auditd: comment out

---
 playbook.yaml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/playbook.yaml b/playbook.yaml
index 8b3c821..5c98738 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -119,13 +119,13 @@
 # tags: [hardening, firewall]
 # tags: [hardening, firewall]
 
- - name: "Setup auditd"
- when: ansible_facts['distribution'] in ['CentOS', 'AlmaLinux', 'Rocky'] # TODO until bugs fixed
- tags: [hardening]
- ansible.builtin.include_tasks:
- file: "tasks/linux/setup-auditd.yaml"
- apply:
- tags: [hardening]
+ #- name: "Setup auditd"
+ # when: ansible_facts['distribution'] in ['CentOS', 'AlmaLinux', 'Rocky'] # TODO until bugs fixed
+ # tags: [hardening]
+ # ansible.builtin.include_tasks:
+ # file: "tasks/linux/setup-auditd.yaml"
+ # apply:
+ # tags: [hardening]
 
 # TODO setup aide
 # TODO setup IDS (Suricata / snort)
@@ -190,7 +190,7 @@
 become: true
 tags: [redis]
 
- # TODO setup nginx with ModSecurity if install_nginx is true:
+ # TODO setup nginx with ModSecurity if install_nginx is true:
 # - debian: libnginx-mod-http-modsecurity modsecurity-crs
 # - ubuntu: modsecurity-crs libmodsecurity3
 # - rhel: libmodsecurity nginx-mod-modsecurity
From 9fbcf1bf7f93974e1d5782f12a1f15b0a914e43d Mon Sep 17 00:00:00 2001
From: Nico Felbinger
Date: Sat, 18 Apr 2026 16:34:42 +0200
Subject: [PATCH 3/5] playbook/lynis+openscap: comment out

---
 playbook.yaml | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/playbook.yaml b/playbook.yaml
index 5c98738..576b9f9 100644
--- a/playbook.yaml
+++ b/playbook.yaml
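Review bot: Commenting out the `Setup auditd` task removes it silently from `--tags hardening` runs, so a RHEL-family host that previously got auditd configured now gets nothing and the play output shows no skip. Prefer keeping the task and disabling it with a condition, e.g. `when: false  # TODO until bugs fixed (was: ansible_facts['distribution'] in ['CentOS', 'AlmaLinux', 'Rocky'])`, so `--list-tasks` and the run log still show it as skipped and the original condition is not lost. The `# TODO until bugs fixed` comment should also name which task in `tasks/linux/setup-auditd.yaml` fails, so the block can be re-enabled deliberately rather than rediscovered. The same point applies to the openscap and lynis tasks commented out in the `@@ -140,20 +140,20 @@` hunk of PATCH 3/5, where the commented-out `when:` likewise encodes a known gap on Ubuntu/Debian that is now invisible at run time.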
@@ -140,20 +140,20 @@
 apply:
 tags: [users]
 
- - name: "Audit the system using openscap"
- tags: [audit]
- when: "ansible_facts['distribution'] not in ['Ubuntu', 'Debian']" # TODO ssg files does not exist -> find solution
- ansible.builtin.include_tasks:
- file: "tasks/linux/audit-openscap.yaml"
- apply:
- tags: [audit]
+ #- name: "Audit the system using openscap"
+ # tags: [audit]
+ # when: "ansible_facts['distribution'] not in ['Ubuntu', 'Debian']" # TODO ssg files does not exist -> find solution
+ # ansible.builtin.include_tasks:
+ # file: "tasks/linux/audit-openscap.yaml"
+ # apply:
+ # tags: [audit]
 
- - name: "Audit the system using lynis"
- tags: [audit]
- ansible.builtin.include_tasks:
- file: "tasks/linux/audit-lynis.yaml"
- apply:
- tags: [audit]
+ #- name: "Audit the system using lynis"
+ # tags: [audit]
+ # ansible.builtin.include_tasks:
+ # file: "tasks/linux/audit-lynis.yaml"
+ # apply:
+ # tags: [audit]
 
 - name: "Setup postgresql"
 when:
From 22fc4cdb62f10afc03c782ff438669c53dc54da5 Mon Sep 17 00:00:00 2001
From: Nico Felbinger
Date: Sat, 18 Apr 2026 16:35:10 +0200
Subject: [PATCH 4/5] clamav+rkhunter: add todo

---
 tasks/linux/setup-clamav.yaml | 2 +-
 tasks/linux/setup-rkhunter.yaml | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/tasks/linux/setup-clamav.yaml b/tasks/linux/setup-clamav.yaml
index 01280d2..9a89d89 100644
--- a/tasks/linux/setup-clamav.yaml
+++ b/tasks/linux/setup-clamav.yaml
@@ -15,7 +15,7 @@
 - name: "Update clamav database"
 when:
 - "freshclam.changed"
- "ansible_facts['distribution'] not in ['CentOS']"
+ - "ansible_facts['distribution'] not in ['CentOS']" # TODO permission error
 block:
 - name: "Stop clamav service"
 ansible.builtin.systemd:
diff --git a/tasks/linux/setup-rkhunter.yaml b/tasks/linux/setup-rkhunter.yaml
index 63c2484..856175a 100644
--- a/tasks/linux/setup-rkhunter.yaml
+++ b/tasks/linux/setup-rkhunter.yaml
@@ -5,3 +5,5 @@
 name: "rkhunter"
 state: present
 become: true
+
+ # TODO scheduled exections
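Review bot: The `# TODO permission error` added to the `when:` of `Update clamav database` should state the consequence of the skip, because on CentOS the whole block is bypassed and clamav keeps running with whatever signatures it already has. Suggest `# TODO permission error on CentOS: block skipped, so the signature database is never refreshed there`, which tells the next reader that this is a detection gap and not just a flaky step. The block body and the `freshclam` registration it depends on continue outside the hunk.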
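Review bot: The added comment in `setup-rkhunter.yaml` has a typo, `exections`, and is too terse for a TODO that is the difference between a tool that detects anything and one that does not. Suggest `# TODO scheduled executions (cron job or systemd timer running rkhunter --check) plus an initial rkhunter --propupd baseline after install`. As far as the hunk shows the file only installs the package, so until this is done rkhunter never runs; the install task itself starts outside the hunk.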
From b633dcdbde76ec3e0826d67a51bd67267a99585b Mon Sep 17 00:00:00 2001
From: Nico Felbinger
Date: Sat, 18 Apr 2026 16:37:48 +0200
Subject: [PATCH 5/5] group_vars/all: remove default or worse than default fail2ban settings

---
 group_vars/all/vars.yaml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/group_vars/all/vars.yaml b/group_vars/all/vars.yaml
index 6a9ced0..a5bafeb 100644
--- a/group_vars/all/vars.yaml
+++ b/group_vars/all/vars.yaml
@@ -4,6 +4,4 @@ worker_user: ansible
 users: ["nicof2000"]
 # fail2ban configuration for sshd jail
-f2b_sshd_findtime: 30m
 f2b_sshd_maxretry: 3
-f2b_sshd_bantime: 1d
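Review bot: Removing `f2b_sshd_findtime: 30m` and `f2b_sshd_bantime: 1d` is only safe if the sshd jail template used by `tasks/linux/setup-fail2ban.yaml` (not in this patch) reads these variables through a `default()` filter or no longer references them; otherwise the play now fails with an undefined-variable error on every host. If they are simply no longer set, the jail inherits fail2ban's stock `jail.conf` defaults, which are `bantime = 10m` and `findtime = 10m`, so the effective ban becomes shorter than the removed `1d`, not "default or worse" as the subject line claims; that is worth confirming as intended. Whatever the outcome, record the effective values next to the surviving `f2b_sshd_maxretry: 3`, e.g. `# bantime/findtime: fail2ban defaults (10m each)`, so the sshd jail's behaviour is visible from group_vars.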