configurations-ansible/roles/hardening-basic/tasks/main.yml

---
# tasks file for hardening-basic

- name: Basic Hardening
  block:
    - name: Harden SSH Config
      when: 'hardening_sshd_enabled is true'
      block:
      - name: Check if sshd_config/99-hardening exists
        stat:
          path: /etc/ssh/sshd_config.d/99-hardening.conf
        register: file_name

      - name: Download sshd_config
        when: not file_name.stat.exists
        ansible.builtin.get_url:
          url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/ssh/etc/ssh/sshd_config
          dest: /etc/ssh/sshd_config.d/99-hardening.conf

      - name: Enable TCP SSH Forwarding
        when: 'hardening_sshd_tcp_forward is true'
        replace:
          path: /etc/ssh/sshd_config.d/99-hardening.conf
          regexp: 'AllowTcpForwarding no'
          replace: 'AllowTcpForwarding yes'
          backup: yes

      - name: Give 1700 permissions to .ssh folder
        ansible.builtin.file:
          path: /root/.ssh
          owner: root
          group: root
          mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}700"

      - name: Give 1600 permissions to .ssh/authorized_keys file
        ansible.builtin.file:
          path: /root/.ssh/authorized_keys
          owner: root
          group: root
          mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}600"

      - name: Restart sshd
        when: "is_docker is not true"
        ansible.builtin.systemd:
          state: restarted
          name: sshd

    - name: Create if not exists /etc/modprobe.d
      file:
        path: /etc/modprobe.d
        state: directory

    - name: modprobe.d setup
      include_tasks: modprobe.yml
      loop: "{{ hardening_modprobe_files }}"
      loop_control:
        loop_var: file

    - name: Create if not exists /etc/sysctl.d
      file:
        path: /etc/sysctl.d
        state: directory

    - name: Check if sysctl/99-hardening exists
      stat:
        path: /etc/sysctl.d/99-hardening.conf
      register: file_name

    - name: Download sysctl.conf
      when: not file_name.stat.exists
      ansible.builtin.get_url:
        url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.conf
        dest: /etc/sysctl.d/99-hardening.conf
init repo with: iptables, pihole, snort, yggdrasil, basic hardening, os-updates 2022-11-18 18:33:37 +01:00			`---`
			`# tasks file for hardening-basic`

			`- name: Basic Hardening`
			`block:`
			`- name: Harden SSH Config`
			`when: 'hardening_sshd_enabled is true'`
			`block:`
			`- name: Check if sshd_config/99-hardening exists`
			`stat:`
			`path: /etc/ssh/sshd_config.d/99-hardening.conf`
			`register: file_name`

			`- name: Download sshd_config`
			`when: not file_name.stat.exists`
			`ansible.builtin.get_url:`
			`url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/ssh/etc/ssh/sshd_config`
			`dest: /etc/ssh/sshd_config.d/99-hardening.conf`

			`- name: Enable TCP SSH Forwarding`
			`when: 'hardening_sshd_tcp_forward is true'`
			`replace:`
			`path: /etc/ssh/sshd_config.d/99-hardening.conf`
			`regexp: 'AllowTcpForwarding no'`
			`replace: 'AllowTcpForwarding yes'`
			`backup: yes`

			`- name: Give 1700 permissions to .ssh folder`
			`ansible.builtin.file:`
			`path: /root/.ssh`
			`owner: root`
			`group: root`
			`mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}700"`

			`- name: Give 1600 permissions to .ssh/authorized_keys file`
			`ansible.builtin.file:`
			`path: /root/.ssh/authorized_keys`
			`owner: root`
			`group: root`
			`mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}600"`

			`- name: Restart sshd`
			`when: "is_docker is not true"`
			`ansible.builtin.systemd:`
			`state: restarted`
			`name: sshd`

			`- name: Create if not exists /etc/modprobe.d`
			`file:`
			`path: /etc/modprobe.d`
			`state: directory`

			`- name: modprobe.d setup`
			`include_tasks: modprobe.yml`
			`loop: "{{ hardening_modprobe_files }}"`
			`loop_control:`
			`loop_var: file`

			`- name: Create if not exists /etc/sysctl.d`
			`file:`
			`path: /etc/sysctl.d`
			`state: directory`

			`- name: Check if sysctl/99-hardening exists`
			`stat:`
			`path: /etc/sysctl.d/99-hardening.conf`
			`register: file_name`

			`- name: Download sysctl.conf`
			`when: not file_name.stat.exists`
			`ansible.builtin.get_url:`
			`url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.conf`
			`dest: /etc/sysctl.d/99-hardening.conf`