configurations-ansible/roles/hardening-basic/tasks/main.yml


---
# tasks file for hardening-basic
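# Informational only: announce which role is running. Named so the task shows
# up readably in play output and passes ansible-lint's name[missing] check.
- name: Announce hardening-basic role
  ansible.builtin.debug:
    msg: "hardening-basic role"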
# Recreate the directory layout of templates/basic/etc under /etc, giving each
# directory the mode recorded for it in the template tree.
- name: Create directory structure
  when: item.state == 'directory'
  ansible.builtin.file:
    path: "/etc/{{ item.path }}"
    state: directory
    mode: "{{ item.mode }}"
  with_community.general.filetree: "../templates/basic/etc/"
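# Render every regular file of templates/basic/etc into /etc. The filetree
# lookup already reports each entry's mode, so it is applied here exactly as the
# directory task does; without it a newly created file would only receive the
# remote umask default rather than the mode kept in the template tree.
- name: Create and copy hardening files
  when: item.state == 'file'
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "/etc/{{ item.path }}"
    mode: "{{ item.mode }}"
  with_community.general.filetree: "../templates/basic/etc/"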
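# Optional SSH hardening. `| bool` accepts both a real boolean and the string
# form that arrives from `-e hardening_sshd_enabled=true` on the command line;
# the `is true` test only matches a genuine boolean and would silently skip
# the whole block for the string form.
- name: ENABLED = {{ hardening_sshd_enabled }}; Harden SSH Config
  when: hardening_sshd_enabled | bool
  block:
    # Mirror the templates/ssh/etc tree under /etc with the recorded modes.
    - name: Create directory structure
      when: item.state == 'directory'
      ansible.builtin.file:
        path: "/etc/{{ item.path }}"
        state: directory
        mode: "{{ item.mode }}"
      with_community.general.filetree: "../templates/ssh/etc/"

    # Render the SSH configuration files, applying each entry's mode so the
    # rendered files are not left at the remote umask default.
    - name: Create and copy hardening files
      when: item.state == 'file'
      ansible.builtin.template:
        src: "{{ item.src }}"
        dest: "/etc/{{ item.path }}"
        mode: "{{ item.mode }}"
      with_community.general.filetree: "../templates/ssh/etc/"

    # /root/.ssh is a directory: the file module's default state (file) refuses
    # to operate on a directory, so the state is given explicitly. The sticky
    # bit is optional; the explicit `else ''` keeps the mode string well formed
    # when it is off (result: '1700' or '700').
    - name: Give 1700 permissions to .ssh folder
      ansible.builtin.file:
        path: /root/.ssh
        state: directory
        owner: root
        group: root
        mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit | bool else '' }}700"

    # Default state (file) is kept on purpose so an empty authorized_keys is
    # never created; with that default the task fails if the file is absent.
    # NOTE(review): confirm that failing on an absent file is the intended
    # behaviour for this role.
    - name: Give 1600 permissions to .ssh/authorized_keys file
      ansible.builtin.file:
        path: /root/.ssh/authorized_keys
        owner: root
        group: root
        mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit | bool else '' }}600"

    # Check the rendered configuration before restarting: a syntax error in the
    # new sshd configuration would otherwise leave sshd down and the host
    # unreachable over SSH.
    - name: Validate sshd configuration
      when: is_docker is not true
      ansible.builtin.command: sshd -t
      changed_when: false

    # NOTE(review): the unit is named `ssh` rather than `sshd` on Debian-family
    # hosts — confirm the unit name against the target distributions.
    - name: Restart sshd
      when: is_docker is not true
      ansible.builtin.systemd:
        state: restarted
        name: sshd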
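# Dispatch to the service-manager-specific task file (e.g. harden_systemd.yml).
# Uses the fully qualified collection name like every other module in this file.
# NOTE(review): ansible_service_mgr is a gathered fact — confirm fact gathering
# is enabled for plays that use this role.
- name: Harden Service Manager (like Systemd)
  ansible.builtin.include_tasks: "harden_{{ ansible_service_mgr }}.yml"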