Cleanup system hardening

group_vars/all/vars.yaml

@@ -4,6 +4,4 @@ worker_user: ansible
 users: ["nicof2000"]
 
 # fail2ban configuration for sshd jail
-f2b_sshd_findtime: 30m
 f2b_sshd_maxretry: 3
-f2b_sshd_bantime: 1d

playbook.yaml

@@ -119,13 +119,13 @@
     #      tags: [hardening, firewall]
     #  tags: [hardening, firewall]
 
-    - name: "Setup auditd"
-      when: ansible_facts['distribution'] in ['CentOS', 'AlmaLinux', 'Rocky']  # TODO until bugs fixed
-      tags: [hardening]
-      ansible.builtin.include_tasks:
-        file: "tasks/linux/setup-auditd.yaml"
-        apply:
-          tags: [hardening]
+    #- name: "Setup auditd"
+    #  when: ansible_facts['distribution'] in ['CentOS', 'AlmaLinux', 'Rocky']  # TODO until bugs fixed
+    #  tags: [hardening]
+    #  ansible.builtin.include_tasks:
+    #    file: "tasks/linux/setup-auditd.yaml"
+    #    apply:
+    #      tags: [hardening]
 
     # TODO setup aide
     # TODO setup IDS (Suricata / snort)
@@ -140,20 +140,20 @@
         apply:
           tags: [users]
 
-    - name: "Audit the system using openscap"
-      tags: [audit]
-      when: "ansible_facts['distribution'] not in ['Ubuntu', 'Debian']"  # TODO ssg files does not exist -> find solution
-      ansible.builtin.include_tasks:
-        file: "tasks/linux/audit-openscap.yaml"
-        apply:
-          tags: [audit]
+    #- name: "Audit the system using openscap"
+    #  tags: [audit]
+    #  when: "ansible_facts['distribution'] not in ['Ubuntu', 'Debian']"  # TODO ssg files does not exist -> find solution
+    #  ansible.builtin.include_tasks:
+    #    file: "tasks/linux/audit-openscap.yaml"
+    #    apply:
+    #      tags: [audit]
 
-    - name: "Audit the system using lynis"
-      tags: [audit]
-      ansible.builtin.include_tasks:
-        file: "tasks/linux/audit-lynis.yaml"
-        apply:
-          tags: [audit]
+    #- name: "Audit the system using lynis"
+    #  tags: [audit]
+    #  ansible.builtin.include_tasks:
+    #    file: "tasks/linux/audit-lynis.yaml"
+    #    apply:
+    #      tags: [audit]
 
     - name: "Setup postgresql"
       when:
@@ -190,7 +190,7 @@
           become: true
           tags: [redis]
 
-    # TODO setup nginx with ModSecurity if install_nginx is true: 
+    # TODO setup nginx with ModSecurity if install_nginx is true:
     # - debian: libnginx-mod-http-modsecurity modsecurity-crs
     # - ubuntu: modsecurity-crs libmodsecurity3
     # - rhel:   libmodsecurity nginx-mod-modsecurity

tasks/linux/setup-clamav.yaml

@@ -15,7 +15,7 @@
 - name: "Update clamav database"
   when:
     - "freshclam.changed"
-    - "ansible_facts['distribution'] not in ['CentOS']"
+    - "ansible_facts['distribution'] not in ['CentOS']" # TODO permission error
   block:
     - name: "Stop clamav service"
       ansible.builtin.systemd:

tasks/linux/setup-fail2ban.yaml

@@ -16,7 +16,6 @@
   ansible.builtin.file:
     path: "/etc/fail2ban/jail.d/defaults-debian.conf"
     state: absent
-  # when: "ansible_facts['distribution'] in ['Ubuntu', 'Debian']" #  TODO test
   become: true
 
 - name: "Create sshd jail"

tasks/linux/setup-rkhunter.yaml

@@ -5,3 +5,5 @@
     name: "rkhunter"
     state: present
   become: true
+
+# TODO scheduled exections

tasks/linux/setup-sshd.yaml

@@ -1,8 +1,7 @@
 ---
 - name: "Ensure openssh-server is installed"
   ansible.builtin.package:
-    name:
-      - openssh-server
+    name: openssh-server
     state: present
   become: true
 
@@ -79,20 +78,3 @@
     line: "X11Forwarding no"
   notify: "Restart sshd"
   become: true
-
-- name: "Create netbox service for ssh"
-  netbox.netbox.netbox_service:
-    netbox_url: "{{ netbox_url }}"
-    netbox_token: "{{ netbox_token }}"
-    data:
-      virtual_machine: "{{ inventory_hostname }}"
-      name: ssh
-      port: 22
-      protocol: TCP
-    state: present
-  delegate_to: localhost
-  when:
-    - "netbox_url is defined"
-    - "netbox_token is defined"
-    - "netbox_url is not none"
-    - "netbox_token is not none"