diff --git a/roles/cis/tasks/security_lines.yml b/roles/cis/tasks/security_lines.yml
index 1735344..dc6348e 100644
--- a/roles/cis/tasks/security_lines.yml
+++ b/roles/cis/tasks/security_lines.yml
@@ -2,19 +2,30 @@
 - name: Add Security related lines into config files
 ansible.builtin.lineinfile:
 path: "{{ item.path }}"
+ regexp: "{{ item.regexp }}"
 line: "{{ item.content }}"
 loop:
- - { path: /mnt/etc/security/limits.conf, content: "* hard core 0" }
- - { path: /mnt/etc/security/pwquality.conf, content: minlen = 14 }
- - { path: /mnt/etc/security/pwquality.conf, content: dcredit = -1 }
- - { path: /mnt/etc/security/pwquality.conf, content: ucredit = -1 }
- - { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 }
- - { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 }
- - { path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: umask 077 }
- - { path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: export TMOUT=900 }
- - { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if is_rhel | bool else "etc/systemd/journald.conf" }}', content: Storage=persistent }
- - { path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log" }
- - { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so }
+ - { path: /mnt/etc/security/limits.conf, regexp: '^\*\s+hard\s+core\s+', content: "* hard core 0" }
+ - { path: /mnt/etc/security/pwquality.conf, regexp: '^\s*#?\s*minlen\s*=', content: minlen = 14 }
+ - { path: /mnt/etc/security/pwquality.conf, regexp: '^\s*#?\s*dcredit\s*=', content: dcredit = -1 }
+ - { path: /mnt/etc/security/pwquality.conf, regexp: '^\s*#?\s*ucredit\s*=', content: ucredit = -1 }
+ - { path: /mnt/etc/security/pwquality.conf, regexp: '^\s*#?\s*ocredit\s*=', content: ocredit = -1 }
+ - { path: /mnt/etc/security/pwquality.conf, regexp: '^\s*#?\s*lcredit\s*=', content: lcredit = -1 }
+ - path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}'
+ regexp: '^\s*umask\s+\d+'
+ content: umask 077
+ - path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}'
+ regexp: '^\s*(export\s+)?TMOUT='
+ content: export TMOUT=900
+ - path: '/mnt/{{ "usr/lib/systemd/journald.conf" if is_rhel | 
bool else "etc/systemd/journald.conf" }}'
+ regexp: '^\s*#?\s*Storage='
+ content: Storage=persistent
+ - path: /mnt/etc/sudoers
+ regexp: '^\s*Defaults\s+logfile='
+ content: Defaults logfile="/var/log/sudo.log"
+ - path: /mnt/etc/pam.d/su
+ regexp: '^\s*#?\s*auth\s+required\s+pam_wheel\.so'
+ content: auth required pam_wheel.so
 - path: >-
 /mnt/etc/{{
 "pam.d/common-auth"
@@ -23,6 +34,7 @@
 if os == "fedora"
 else "pam.d/system-auth"
 }}
+ regexp: '^\s*auth\s+required\s+pam_faillock\.so'
 content: >-
 auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900
 - path: >-
@@ -33,6 +45,7 @@
 if os == "fedora"
 else "pam.d/system-auth"
 }}
+ regexp: '^\s*account\s+required\s+pam_faillock\.so'
 content: account required pam_faillock.so
 - path: >-
 /mnt/etc/pam.d/{{
@@ -40,9 +53,10 @@
 if is_debian | bool
 else "passwd"
 }}
+ regexp: '^\s*password\s+\[success=1.*\]\s+pam_unix\.so'
 content: >-
 password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5
- - { path: /mnt/etc/hosts.deny, content: "ALL: ALL" }
- - { path: /mnt/etc/hosts.allow, content: "sshd: ALL" }
+ - { path: /mnt/etc/hosts.deny, regexp: '^ALL:\s*ALL', content: "ALL: ALL" }
+ - { path: /mnt/etc/hosts.allow, regexp: '^sshd:\s*ALL', content: "sshd: ALL" }
 loop_control:
 label: "{{ item.content }}"
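Review bot: `/mnt/etc/sudoers` is now rewritten by lineinfile with a regexp but still without `validate`, so a malformed Defaults line makes sudo reject the whole file and locks every sudo user out of the built image; since `validate` is a task-level option, pass it through per item — `validate: "{{ item.validate | default(omit) }}"` on the task and `validate: /usr/sbin/visudo -cf %s` on the sudoers entry. The shell timeout `content: export TMOUT=900` is left writable, so any user can `unset TMOUT` in their session; the CIS check expects `readonly TMOUT=900 ; export TMOUT`, and the new regexp `^\s*(export\s+)?TMOUT=` would also need to accept that form so the item stays idempotent. Finally, `^\s*umask\s+\d+` deliberately matches indented lines, yet lineinfile replaces only the last match, so if the distro's `bashrc` ships more than one umask line (RHEL's /etc/bashrc typically does, inside an if/else) the earlier one survives — confirm against the stock file or switch that item to `ansible.builtin.replace`.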
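Review bot: the new regexp only governs in-place replacement; when `common-auth`/`system-auth` has no existing `auth required pam_faillock.so` line, lineinfile appends the rule at the end of the file, i.e. after `pam_unix.so` and after any `pam_deny.so` in the auth stack, so failed logins never reach faillock and the `deny=5` lockout silently does nothing. Pin the position with `insertbefore: '^\s*auth\s+.*pam_unix\.so'` on this item and a matching `insertbefore: "{{ item.insertbefore | default(omit) }}"` on the task (the task header lives in the first hunk). The content also carries neither `preauth` nor `authfail`; pam_faillock's documented layout is a preauth entry before pam_unix and an authfail entry after it, so a single entry may not record failures the way the benchmark assumes — worth verifying against pam_faillock(8) for the target releases.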
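Review bot: the replacement `password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5` carries no `use_authtok`, so when pam_pwquality runs ahead of it in the password stack (this role tunes pwquality.conf in the first hunk, so presumably it does) pam_unix prompts for a new password of its own instead of taking the token pwquality already vetted, and the minlen/credit rules are bypassed. Keep the option, e.g. `password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 remember=5`. Note also that `remember=` on pam_unix is a legacy setting; current benchmarks put password history in `pam_pwhistory.so`, which may be worth a follow-up.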