configurations-ansible/roles/hardening-basic/tasks/main.yml

62 lines
2 KiB
YAML
Raw Normal View History

---
# tasks file for hardening-basic
- name: Basic Hardening
block:
- name: Create directory structure
ansible.builtin.file:
path: '/etc/{{ item.path }}'
state: directory
mode: '{{ item.mode }}'
with_community.general.filetree: '../templates/basic/etc/'
when: item.state == 'directory'
2022-11-21 12:56:57 +01:00
- name: Create and copy hardening files
ansible.builtin.template:
src: '{{ item.src }}'
dest: '/etc/{{ item.path }}'
with_community.general.filetree: '../templates/basic/etc/'
2022-11-21 12:56:57 +01:00
when: item.state == 'file'
- name: Harden SSH Config
when: 'hardening_sshd_enabled is true'
block:
- name: Create directory structure
ansible.builtin.file:
path: '/etc/{{ item.path }}'
state: directory
mode: '{{ item.mode }}'
with_community.general.filetree: '../templates/ssh/etc/'
when: item.state == 'directory'
- name: Create and copy hardening files
ansible.builtin.template:
src: '{{ item.src }}'
dest: '/etc/{{ item.path }}'
with_community.general.filetree: '../templates/ssh/etc/'
when: item.state == 'file'
2022-11-21 12:56:57 +01:00
- name: Give 1700 permissions to .ssh folder
ansible.builtin.file:
path: /root/.ssh
owner: root
group: root
mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}700"
- name: Give 1600 permissions to .ssh/authorized_keys file
ansible.builtin.file:
path: /root/.ssh/authorized_keys
owner: root
group: root
mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}600"
- name: Restart sshd
when: "is_docker is not true"
ansible.builtin.systemd:
state: restarted
name: sshd
- name: Harden Service Manager (like Systemd)
block:
- include_tasks: "harden_{{ ansible_service_mgr }}.yml"