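---
# tasks file for hardening-basic
#
# Three stages: render the generic hardening templates under /etc, optionally
# harden sshd (guarded by hardening_sshd_enabled), then include the tasks for
# the detected service manager. "Restart sshd" runs only when one of the sshd
# templates actually changed, so repeated runs do not bounce the daemon.

- name: Basic Hardening
  block:
    # Walk ../templates/basic/etc/ and render every regular file to the same
    # relative path under /etc; directories and links in the tree are skipped.
    - name: Create and copy hardening files
      ansible.builtin.template:
        src: '{{ item.src }}'
        dest: '/etc/{{ item.path }}'
        # NOTE(review): no owner/group/mode is given, so rendered files get the
        # remote default umask — confirm that is acceptable for every file in
        # the basic tree, or set mode from item.mode of the source file.
      with_community.general.filetree: '../templates/basic/etc/'
      when: item.state == 'file'

- name: Harden SSH Config
  # "| bool" so a string value from --extra-vars ("true") also enables the
  # block; "is true" matches only a real boolean and would silently skip the
  # sshd hardening. An unset variable keeps the block disabled.
  when: hardening_sshd_enabled | default(false) | bool
  block:
    - name: Create and copy hardening files
      ansible.builtin.template:
        src: '{{ item.src }}'
        dest: '/etc/{{ item.path }}'
        # NOTE(review): the template module's "validate" option (e.g. sshd -t
        # on the rendered file) would catch a broken sshd_config before the
        # restart below — worth adding for the sshd_config entry of the tree.
      with_community.general.filetree: '../templates/ssh/etc/'
      when: item.state == 'file'
      # Remembered so sshd is restarted only when a rendered file changed.
      register: hardening_sshd_templates

    - name: Give 1700 permissions to .ssh folder
      ansible.builtin.file:
        path: /root/.ssh
        # Create the directory with the hardened mode if it is missing instead
        # of failing; an existing directory is only re-permissioned.
        state: directory
        owner: root
        group: root
        # Explicit else branch: without it the Jinja inline-if renders as an
        # empty string, leaving a bare "700" rather than "0700". "| bool"
        # keeps a string "false" from being treated as truthy.
        mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit | default(false) | bool else '0' }}700"

    - name: Give 1600 permissions to .ssh/authorized_keys file
      ansible.builtin.file:
        path: /root/.ssh/authorized_keys
        owner: root
        group: root
        # The sticky bit has no effect on a regular file on Linux; it is set
        # here only so the file mirrors the directory when the option is on.
        mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit | default(false) | bool else '0' }}600"

    - name: Restart sshd
      # Restart only when a template changed; containers usually have no init
      # system, hence the is_docker guard (unset is_docker means "not docker").
      when:
        - hardening_sshd_templates is changed
        - not (is_docker | default(false) | bool)
      ansible.builtin.systemd:
        state: restarted
        # NOTE(review): the unit is named "ssh" on Debian/Ubuntu — confirm the
        # target platforms or make the unit name a role variable.
        name: sshd

- name: Harden Service Manager (like Systemd)
  block:
    # Fully-qualified name for consistency with the other tasks in this file.
    - ansible.builtin.include_tasks: "harden_{{ ansible_service_mgr }}.yml"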