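---
# tasks file for hardening-basic
#
# Baseline hardening: a downloaded sshd_config fragment plus tightened
# permissions on root's ~/.ssh, per-file modprobe.d setup (modprobe.yml),
# and a downloaded sysctl fragment that is then loaded.
#
# SUPPLY-CHAIN NOTE: both get_url tasks fetch from the mutable *master*
# branch of a remote git server and write the result straight into
# /etc/ssh/sshd_config.d and /etc/sysctl.d. Anything pushed to that branch
# becomes root-owned system configuration on every host this role touches.
# Pin each URL to a tag or commit and set `checksum: sha256:<digest>` once a
# known-good digest has been recorded; TLS verification is kept explicitly
# on below, but it only authenticates the server, not the content.
#
# NOTE(review): the sshd fragment is only read if /etc/ssh/sshd_config
# contains `Include /etc/ssh/sshd_config.d/*.conf` (OpenSSH >= 8.2; most
# current distros ship it). Also, sshd uses first-match semantics, so a
# `99-` fragment has the *lowest* precedence among fragments -- the
# opposite of sysctl.d, where last wins. Confirm this is intended.

- name: Basic Hardening
  block:
    - name: Harden SSH Config
      # `| bool` accepts "true"/"yes" strings from -e or inventory, not only
      # YAML booleans; an undefined variable still means "disabled".
      when: hardening_sshd_enabled | default(false) | bool
      block:
        - name: Download sshd_config
          ansible.builtin.get_url:
            url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/ssh/etc/ssh/sshd_config
            dest: /etc/ssh/sshd_config.d/99-hardening.conf
            # force: false downloads only when dest is absent -- the same
            # guard as the former stat + `when: not ...stat.exists` pair.
            force: false
            validate_certs: true
            owner: root
            group: root
            mode: "0644"
            # TODO(security): add `checksum:` and pin the URL (see header).
          register: sshd_hardening_download

        - name: Set AllowTcpForwarding from hardening_sshd_tcp_forward
          # Rewrites an existing, uncommented directive in either direction
          # (never appends), so switching the variable back off re-disables
          # forwarding instead of leaving a one-way ratchet. Only runs when the
          # operator has expressed a preference.
          when: hardening_sshd_tcp_forward is defined
          ansible.builtin.replace:
            path: /etc/ssh/sshd_config.d/99-hardening.conf
            regexp: '^([ \t]*AllowTcpForwarding)[ \t]+(yes|no)[ \t]*$'
            replace: '\1 {{ "yes" if hardening_sshd_tcp_forward | bool else "no" }}'
            backup: true
          register: sshd_hardening_forwarding

        - name: Ensure /root/.ssh exists with restrictive permissions
          ansible.builtin.file:
            path: /root/.ssh
            # state: directory creates the directory if absent; the original
            # task failed outright on hosts without it.
            state: directory
            owner: root
            group: root
            # Explicit `else`: the original inline-if without an else branch
            # rendered an undefined/empty prefix when the flag was false.
            # The sticky bit adds nothing on a root-owned 0700 directory; it is
            # kept only because the role exposes the flag.
            mode: "{{ '1700' if hardening_sshd_permissions_set_sticky_bit | default(false) | bool else '0700' }}"

        - name: Check whether /root/.ssh/authorized_keys exists
          ansible.builtin.stat:
            path: /root/.ssh/authorized_keys
          register: root_authorized_keys

        - name: Tighten permissions on /root/.ssh/authorized_keys
          # Skipped rather than failing when root has no authorized_keys.
          # The sticky bit has no effect on regular files on Linux; kept for
          # parity with the directory task above.
          when: root_authorized_keys.stat.exists
          ansible.builtin.file:
            path: /root/.ssh/authorized_keys
            owner: root
            group: root
            mode: "{{ '1600' if hardening_sshd_permissions_set_sticky_bit | default(false) | bool else '0600' }}"

        - name: Validate the effective sshd configuration
          # Lockout guard: a broken fragment would otherwise take sshd down on
          # the restart below. `sshd -t` checks the whole effective config
          # (main file plus sshd_config.d), not just the downloaded fragment.
          when:
            - not (is_docker | default(false) | bool)
            - sshd_hardening_download is changed or sshd_hardening_forwarding is changed
          ansible.builtin.command: sshd -t
          changed_when: false

        - name: Restart sshd
          # Only when this run actually changed the config; an unconditional
          # restart on every play is noise in auth logs and monitoring.
          # NOTE(review): Debian/Ubuntu name the unit `ssh` (newer releases
          # alias `sshd`); adjust per platform if this fails there.
          when:
            - not (is_docker | default(false) | bool)
            - sshd_hardening_download is changed or sshd_hardening_forwarding is changed
          ansible.builtin.systemd:
            name: sshd
            state: restarted

    - name: Create /etc/modprobe.d if missing
      ansible.builtin.file:
        path: /etc/modprobe.d
        state: directory
        owner: root
        group: root
        mode: "0755"

    - name: modprobe.d setup
      # modprobe.yml is not shown here; it receives each entry as `file`.
      ansible.builtin.include_tasks: modprobe.yml
      loop: "{{ hardening_modprobe_files }}"
      loop_control:
        loop_var: file

    - name: Create /etc/sysctl.d if missing
      ansible.builtin.file:
        path: /etc/sysctl.d
        state: directory
        owner: root
        group: root
        mode: "0755"

    - name: Download sysctl.conf
      ansible.builtin.get_url:
        url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.conf
        dest: /etc/sysctl.d/99-hardening.conf
        # Same "only if absent" guard as the sshd download above.
        force: false
        validate_certs: true
        owner: root
        group: root
        mode: "0644"
        # TODO(security): add `checksum:` and pin the URL (see header).
      register: sysctl_hardening_download

    - name: Apply sysctl hardening
      # Without a reload the new settings only take effect at next boot, so
      # the hardening is not actually active after the play. Skipped in
      # containers, where most sysctl keys are read-only and the call fails.
      when:
        - sysctl_hardening_download is changed
        - not (is_docker | default(false) | bool)
      ansible.builtin.command: sysctl --system
      changed_when: true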