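---
# tasks file for hardening-basic
#
# Two template trees are mirrored into /etc with the
# community.general.filetree lookup: templates/basic/etc/ (always) and
# templates/ssh/etc/ (only when hardening_sshd_enabled is true). For each
# tree, directories are created first and files are rendered second, so a
# file's parent directory exists before its template task runs.
#
# Variables used here but defined elsewhere in the role or inventory:
#   hardening_sshd_enabled, hardening_sshd_permissions_set_sticky_bit,
#   is_docker. A play that leaves hardening_sshd_enabled or
#   hardening_sshd_permissions_set_sticky_bit undefined fails on the
#   expression that reads it.

# Named so that the task shows up with a meaningful label in play output
# (ansible-lint name[missing]); the message is unchanged.
- name: Print role banner
  ansible.builtin.debug:
    msg: 'hardening-basic role'

# filetree yields every entry below the given path with item.path
# (relative to that path), item.src (absolute source path), item.state
# ('directory' / 'file' / 'link') and item.mode. `when` is evaluated per
# item, so each task below acts only on its own entry kind.
- name: Create directory structure
  ansible.builtin.file:
    path: '/etc/{{ item.path }}'
    state: directory
    # Mirrors the mode of the directory in the role's template tree.
    mode: '{{ item.mode }}'
  with_community.general.filetree: '../templates/basic/etc/'
  when: item.state == 'directory'

# NOTE(review): unlike the directory task, no `mode` is set here, so a
# newly created file gets the umask default and an existing file keeps
# its current mode. Confirm that is intended for every file under
# templates/basic/etc/.
- name: Create and copy hardening files
  ansible.builtin.template:
    src: '{{ item.src }}'
    dest: '/etc/{{ item.path }}'
  with_community.general.filetree: '../templates/basic/etc/'
  when: item.state == 'file'

# Whole SSH section is gated on hardening_sshd_enabled; the block's
# `when` applies to every task inside it.
- name: ENABLED = {{ hardening_sshd_enabled }}; Harden SSH Config
  when: 'hardening_sshd_enabled is true'
  block:
    # Same two-step mirror as above, for templates/ssh/etc/.
    - name: Create directory structure
      ansible.builtin.file:
        path: '/etc/{{ item.path }}'
        state: directory
        mode: '{{ item.mode }}'
      with_community.general.filetree: '../templates/ssh/etc/'
      when: item.state == 'directory'

    # NOTE(review): as with the basic tree, file modes are left to the
    # umask / existing mode. A template that produces sshd_config would
    # also benefit from `validate: 'sshd -t -f %s'` so a broken config is
    # rejected before the restart below; since this task covers every
    # file in the tree, that would need a dedicated task for that file.
    - name: Create and copy hardening files
      ansible.builtin.template:
        src: '{{ item.src }}'
        dest: '/etc/{{ item.path }}'
      with_community.general.filetree: '../templates/ssh/etc/'
      when: item.state == 'file'

    # The inline Jinja `if` has no `else`, so it renders as an empty
    # string when the flag is false: the mode is '1700' (sticky bit set)
    # or '700'. The quoted value is parsed as octal by the file module.
    - name: Give 1700 permissions to .ssh folder
      ansible.builtin.file:
        path: /root/.ssh
        owner: root
        group: root
        mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}700"

    # Same pattern: '1600' or '600'.
    # NOTE(review): on Linux the sticky bit has no effect on a regular
    # file, so the '1' prefix on authorized_keys is harmless but inert.
    - name: Give 1600 permissions to .ssh/authorized_keys file
      ansible.builtin.file:
        path: /root/.ssh/authorized_keys
        owner: root
        group: root
        mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}600"

    # Skipped when is_docker is true, presumably because a container has
    # no systemd to restart the unit through. An undefined is_docker
    # counts as "not true", so the restart runs.
    # NOTE(review): the unit name is distro-specific (Debian-family hosts
    # ship ssh.service, with sshd as an alias) — confirm for all targets.
    - name: Restart sshd
      when: 'is_docker is not true'
      ansible.builtin.systemd:
        state: restarted
        name: sshd

# NOTE(review): assumed to be a top-level task, not part of the SSH block
# above — confirm. The include fails if the role ships no
# harden_<service_mgr>.yml for the host's service manager.
- name: Harden Service Manager (like Systemd)
  include_tasks: 'harden_{{ ansible_service_mgr }}.yml'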