fix cis support for all distros
This commit is contained in:
parent
4b98ec1434
commit
6dd31cc95f
@ -1,6 +1,7 @@
|
|||||||
almalinux:
|
almalinux:
|
||||||
- bind-utils
|
- bind-utils
|
||||||
- cloud-init
|
- cloud-init
|
||||||
|
- dbus-daemon
|
||||||
- dhcp-client
|
- dhcp-client
|
||||||
- efibootmgr
|
- efibootmgr
|
||||||
- glibc-langpack-de
|
- glibc-langpack-de
|
||||||
@ -13,6 +14,7 @@ almalinux:
|
|||||||
- nfs-utils
|
- nfs-utils
|
||||||
- nfsv4-client-utils
|
- nfsv4-client-utils
|
||||||
- open-vm-tools
|
- open-vm-tools
|
||||||
|
- ppp
|
||||||
- shim
|
- shim
|
||||||
- telnet
|
- telnet
|
||||||
- vim
|
- vim
|
||||||
@ -30,6 +32,7 @@ archlinux:
|
|||||||
- fish
|
- fish
|
||||||
- grub
|
- grub
|
||||||
- htop
|
- htop
|
||||||
|
- libpwquality
|
||||||
- linux
|
- linux
|
||||||
- logrotate
|
- logrotate
|
||||||
- lrzsz
|
- lrzsz
|
||||||
@ -41,6 +44,7 @@ archlinux:
|
|||||||
- nfs-utils
|
- nfs-utils
|
||||||
- openssh
|
- openssh
|
||||||
- open-vm-tools
|
- open-vm-tools
|
||||||
|
- ppp
|
||||||
- prometheus-node-exporter
|
- prometheus-node-exporter
|
||||||
- python-psycopg2
|
- python-psycopg2
|
||||||
- qemu-guest-agent
|
- qemu-guest-agent
|
||||||
@ -140,18 +144,22 @@ fedora:
|
|||||||
- bind-utils
|
- bind-utils
|
||||||
- btrfs-progs
|
- btrfs-progs
|
||||||
- cloud-init
|
- cloud-init
|
||||||
|
- cronie
|
||||||
- dhcp-client
|
- dhcp-client
|
||||||
- efibootmgr
|
- efibootmgr
|
||||||
- glibc-langpack-de
|
- glibc-langpack-de
|
||||||
- glibc-langpack-en
|
- glibc-langpack-en
|
||||||
- grub2
|
- grub2
|
||||||
- grub2-efi
|
- grub2-efi
|
||||||
|
- logrotate
|
||||||
- lrzsz
|
- lrzsz
|
||||||
- lvm2
|
- lvm2
|
||||||
- nc
|
- nc
|
||||||
- nfs-utils
|
- nfs-utils
|
||||||
- nfsv4-client-utils
|
- nfsv4-client-utils
|
||||||
- open-vm-tools
|
- open-vm-tools
|
||||||
|
- polkit
|
||||||
|
- ppp
|
||||||
- shim
|
- shim
|
||||||
- telnet
|
- telnet
|
||||||
- vim-default-editor
|
- vim-default-editor
|
||||||
@ -189,6 +197,7 @@ rhel9:
|
|||||||
rocky:
|
rocky:
|
||||||
- bind-utils
|
- bind-utils
|
||||||
- cloud-init
|
- cloud-init
|
||||||
|
- dbus-daemon
|
||||||
- dhcp-client
|
- dhcp-client
|
||||||
- efibootmgr
|
- efibootmgr
|
||||||
- glibc-langpack-de
|
- glibc-langpack-de
|
||||||
@ -201,6 +210,7 @@ rocky:
|
|||||||
- nfs-utils
|
- nfs-utils
|
||||||
- nfsv4-client-utils
|
- nfsv4-client-utils
|
||||||
- open-vm-tools
|
- open-vm-tools
|
||||||
|
- ppp
|
||||||
- shim
|
- shim
|
||||||
- telnet
|
- telnet
|
||||||
- util-linux-core
|
- util-linux-core
|
||||||
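Review bot: Installing `ppp` on every almalinux, archlinux, fedora and rocky image appears to exist only so that the hardening task further down, which sets `/mnt/usr/sbin/pppd` to mode 754, has a file to chmod; pulling a dial-up daemon into every image to satisfy a permission check enlarges exactly the attack surface that CIS control is meant to reduce. The same question applies to `dbus-daemon` on almalinux/rocky, whose only visible consumer (the `dbus-daemon-launch-helper` mode task) is removed in this same commit. Prefer guarding that task with a `stat` result, `when: pppd_stat.stat.exists`, and leaving `ppp` out of the package list, or add a comment above each such entry naming the task that needs it so the next maintainer does not remove it as dead weight.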
|
@ -65,7 +65,7 @@
|
|||||||
# - { regexp: '^PASS_MIN_DAYS.*', replace: 'PASS_MIN_DAYS 7' }
|
# - { regexp: '^PASS_MIN_DAYS.*', replace: 'PASS_MIN_DAYS 7' }
|
||||||
# - { regexp: '^UMASK.*', replace: 'UMASK 027' }
|
# - { regexp: '^UMASK.*', replace: 'UMASK 027' }
|
||||||
|
|
||||||
- name: Create allow files
|
- name: Ensure files exist
|
||||||
file:
|
file:
|
||||||
path: "{{ item }}"
|
path: "{{ item }}"
|
||||||
state: touch
|
state: touch
|
||||||
@ -73,6 +73,8 @@
|
|||||||
loop:
|
loop:
|
||||||
- /mnt/etc/at.allow
|
- /mnt/etc/at.allow
|
||||||
- /mnt/etc/cron.allow
|
- /mnt/etc/cron.allow
|
||||||
|
- /mnt/etc/hosts.allow
|
||||||
|
- /mnt/etc/hosts.deny
|
||||||
|
|
||||||
- name: Add Security related lines into config files
|
- name: Add Security related lines into config files
|
||||||
lineinfile:
|
lineinfile:
|
||||||
@ -85,14 +87,14 @@
|
|||||||
- { path: '/mnt/etc/security/pwquality.conf', content: 'ucredit = -1' }
|
- { path: '/mnt/etc/security/pwquality.conf', content: 'ucredit = -1' }
|
||||||
- { path: '/mnt/etc/security/pwquality.conf', content: 'ocredit = -1' }
|
- { path: '/mnt/etc/security/pwquality.conf', content: 'ocredit = -1' }
|
||||||
- { path: '/mnt/etc/security/pwquality.conf', content: 'lcredit = -1' }
|
- { path: '/mnt/etc/security/pwquality.conf', content: 'lcredit = -1' }
|
||||||
- { path: '/mnt/etc/bash.bashrc', content: 'umask 077' }
|
- { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rocky"] else "bash.bashrc" }}', content: 'umask 077' }
|
||||||
- { path: '/mnt/etc/bash.bashrc', content: 'export TMOUT=3000' }
|
- { path: '/mnt/etc/{{ "bashrc" if os in ["almalinux", "fedora", "rocky"] else "bash.bashrc" }}', content: 'export TMOUT=3000' }
|
||||||
- { path: '/mnt/etc/systemd/journald.conf', content: 'Storage=persistent' }
|
- { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: 'Storage=persistent' }
|
||||||
- { path: '/mnt/etc/sudoers', content: 'Defaults logfile="/var/log/sudo.log"' }
|
- { path: '/mnt/etc/sudoers', content: 'Defaults logfile="/var/log/sudo.log"' }
|
||||||
- { path: '/mnt/etc/pam.d/su', content: 'auth required pam_wheel.so' }
|
- { path: '/mnt/etc/pam.d/su', content: 'auth required pam_wheel.so' }
|
||||||
- { path: '/mnt/etc/pam.d/common-auth', content: 'auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900' }
|
- { path: '/mnt/etc/{{ "pam.d/common-auth" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}', content: 'auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900' }
|
||||||
- { path: '/mnt/etc/pam.d/common-account', content: 'account required pam_faillock.so' }
|
- { path: '/mnt/etc/{{ "pam.d/common-account" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}', content: 'account required pam_faillock.so' }
|
||||||
- { path: '/mnt/etc/pam.d/common-password', content: 'password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5' }
|
- { path: '/mnt/etc/pam.d/{{ "common-password" if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"] else "passwd" }}', content: 'password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5' }
|
||||||
- { path: '/mnt/etc/hosts.deny', content: 'ALL: ALL' }
|
- { path: '/mnt/etc/hosts.deny', content: 'ALL: ALL' }
|
||||||
- { path: '/mnt/etc/hosts.allow', content: 'sshd: ALL' }
|
- { path: '/mnt/etc/hosts.allow', content: 'sshd: ALL' }
|
||||||
|
|
||||||
@ -112,12 +114,8 @@
|
|||||||
- { path: '/mnt/etc/crontab', mode: '0600' }
|
- { path: '/mnt/etc/crontab', mode: '0600' }
|
||||||
- { path: '/mnt/etc/logrotate.conf', mode: '0644' }
|
- { path: '/mnt/etc/logrotate.conf', mode: '0644' }
|
||||||
- { path: '/mnt/usr/sbin/pppd', mode: '754' }
|
- { path: '/mnt/usr/sbin/pppd', mode: '754' }
|
||||||
- { path: '/mnt/usr/lib/dbus-1.0/dbus-daemon-launch-helper', mode: '754' }
|
- { path: '/mnt/usr/bin/{{ "fusermount3" if os in ["archlinux", "debian12", "fedora"] else "fusermount" }}', mode: '755' }
|
||||||
- { path: '/mnt/usr/libexec/polkit-agent-helper-1', mode: '755' }
|
|
||||||
- { path: '/mnt/usr/bin/{{ "fusermount" if os == "debian11" else "fusermount3" }}', mode: '755' }
|
|
||||||
- { path: '/mnt/usr/bin/{{ "write.ul" if os == "debian11" else "write" }}', mode: '755' }
|
- { path: '/mnt/usr/bin/{{ "write.ul" if os == "debian11" else "write" }}', mode: '755' }
|
||||||
- { path: '/mnt/usr/lib/x86_64-linux-gnu/utempter/utempter', mode: '755' }
|
|
||||||
- { path: '/mnt/home/svcansible', mode: '750' }
|
|
||||||
|
|
||||||
- name: Adjust SSHD config
|
- name: Adjust SSHD config
|
||||||
lineinfile:
|
lineinfile:
|
||||||
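Review bot: On fedora the faillock lines are written into `/etc/authselect/system-auth`, a file authselect regenerates on `authselect select`/`apply-changes`, and `Storage=persistent` goes into `/usr/lib/systemd/journald.conf`, a vendor file replaced on package update, so both hardening edits are silently lost on the next update; use `authselect enable-feature with-faillock` (or a custom profile) and a drop-in such as `/mnt/etc/systemd/journald.conf.d/50-cis.conf` instead. The `lineinfile` module args are outside this hunk, but unless an `insertbefore` is set the `auth required pam_faillock.so` line is appended after the existing `pam_unix`/`pam_deny` entries, where it never runs — faillock needs a `preauth` entry before `pam_unix.so` and an `authfail` entry after it. Likewise `obscure` in the `pam_unix` line written to `/etc/pam.d/passwd` on non-Debian hosts is a Debian-specific option, and `[success=1 default=ignore]` as the last line of that file skips nothing, so that item needs distro-specific content, not just a distro-specific path. Finally, creating `hosts.allow`/`hosts.deny` on fedora, rhel9 and archlinux is presumably a no-op, since their sshd is no longer linked against libwrap, so the `ALL: ALL` deny gives no protection there and should be noted as Debian/Ubuntu-only.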
|
@ -97,7 +97,6 @@
|
|||||||
command: arch-chroot /mnt {% if os | lower == "archlinux" %}/usr/sbin/mkinitcpio -P{% elif os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts", "archlinux"] %}/usr/bin/dracut --regenerate-all --force{% else %}echo "Skipping initramfs regeneration"{% endif %}
|
command: arch-chroot /mnt {% if os | lower == "archlinux" %}/usr/sbin/mkinitcpio -P{% elif os | lower not in ["debian11", "debian12", "ubuntu", "ubuntu-lts", "archlinux"] %}/usr/bin/dracut --regenerate-all --force{% else %}echo "Skipping initramfs regeneration"{% endif %}
|
||||||
|
|
||||||
- name: Extra Configuration
|
- name: Extra Configuration
|
||||||
when: os | lower != "archlinux"
|
|
||||||
block:
|
block:
|
||||||
- name: Append lines to vimrc
|
- name: Append lines to vimrc
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
@ -113,6 +112,7 @@
|
|||||||
- "set mouse=a"
|
- "set mouse=a"
|
||||||
|
|
||||||
- name: Copy FirstRun Script
|
- name: Copy FirstRun Script
|
||||||
|
when: os | lower != "archlinux"
|
||||||
template:
|
template:
|
||||||
src: firstrun.sh.j2
|
src: firstrun.sh.j2
|
||||||
dest: /mnt/root/firstrun.sh
|
dest: /mnt/root/firstrun.sh
|
||||||
|