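---
# Security hardening lines for a target root mounted at /mnt (an offline image
# or installer chroot, not the running host - every path below is under /mnt).
#
# Two kinds of entries are handled by one lineinfile task:
#   * key/value settings (limits.conf, pwquality.conf, journald.conf) carry a
#     `regexp`: an existing *active* setting is replaced in place instead of a
#     second copy being appended. A commented-out vendor default such as
#     "# minlen = 8" does not match, so the line is appended.
#   * PAM stack lines (and the sudoers Defaults line) carry no `regexp` and are
#     appended at the END of the file. lineinfile is still idempotent here: a
#     line that is already present verbatim is not added twice. PAM evaluates
#     modules in file order, so the effective policy depends on what the
#     distro already ships in that file.
#     NOTE(review): inspect the rendered stack for every supported `os` before
#     relying on the lockout / password-history behaviour (see item comments).
#
# Expected from the inventory or playbook (not defined here):
#   os      - debian11, debian12, ubuntu, ubuntu-lts, fedora, or any other id,
#             which falls through to the RHEL-style pam.d/system-auth
#   is_rhel - truthy when the target uses /etc/bashrc instead of /etc/bash.bashrc
- name: Add Security related lines into config files
  vars:
    # Distros whose PAM is organised as /etc/pam.d/common-*.
    debian_like: [debian11, debian12, ubuntu, ubuntu-lts]
    bash_rc: '{{ "bashrc" if is_rhel else "bash.bashrc" }}'
    # Fedora: the vendor default lives in /usr/lib and is replaced on package
    # update; a drop-in under /etc/systemd/journald.conf.d/ would persist -
    # TODO confirm which is intended.
    journald_conf: '{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}'
    # Fedora: /etc/authselect/system-auth is regenerated by authselect
    # (`select` / `apply-changes`), so direct edits may be lost - TODO confirm
    # whether `authselect enable-feature with-faillock` is the intended route.
    pam_auth_file: '{{ "pam.d/common-auth" if os in debian_like else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}'
    pam_account_file: '{{ "pam.d/common-account" if os in debian_like else "authselect/system-auth" if os == "fedora" else "pam.d/system-auth" }}'
    pam_password_file: 'pam.d/{{ "common-password" if os in debian_like else "passwd" }}'
  ansible.builtin.lineinfile:
    path: "{{ item.path }}"
    line: "{{ item.line }}"
    # Only some items define these; `omit` keeps plain append semantics for
    # the rest.
    regexp: "{{ item.regexp | default(omit) }}"
    validate: "{{ item.validate | default(omit) }}"
  loop_control:
    label: "{{ item.path }} <- {{ item.line }}"
  loop:
    # No core dumps for any user. Does not cover fs.suid_dumpable or
    # systemd-coredump's ProcessSizeMax; handle those elsewhere if required.
    - path: /mnt/etc/security/limits.conf
      regexp: '^\s*\*\s+hard\s+core\s'
      line: "* hard core 0"

    # Password complexity: 14+ characters with at least one digit, upper-case,
    # special and lower-case character (a negative credit is a minimum count).
    - path: /mnt/etc/security/pwquality.conf
      regexp: '^\s*minlen\s*='
      line: minlen = 14
    - path: /mnt/etc/security/pwquality.conf
      regexp: '^\s*dcredit\s*='
      line: dcredit = -1
    - path: /mnt/etc/security/pwquality.conf
      regexp: '^\s*ucredit\s*='
      line: ucredit = -1
    - path: /mnt/etc/security/pwquality.conf
      regexp: '^\s*ocredit\s*='
      line: ocredit = -1
    - path: /mnt/etc/security/pwquality.conf
      regexp: '^\s*lcredit\s*='
      line: lcredit = -1

    # Interactive-shell defaults. Appended without a regexp on purpose: system
    # bashrc files commonly set umask inside if/else blocks, and replacing the
    # last match would edit one branch only; a trailing unconditional line
    # takes effect regardless.
    - path: "/mnt/etc/{{ bash_rc }}"
      line: umask 077
    # NOTE(review): a plain `export TMOUT=3000` can be unset by the user;
    # `readonly TMOUT=3000; export TMOUT` would enforce it. Value kept as-is.
    - path: "/mnt/etc/{{ bash_rc }}"
      line: export TMOUT=3000

    # Keep the journal across reboots so there is something to read after an
    # incident. journald.conf has a single [Journal] section, so an appended
    # line still lands in it.
    - path: "/mnt/{{ journald_conf }}"
      regexp: '^\s*Storage\s*='
      line: Storage=persistent

    # sudo audit log. `validate` runs visudo on the temporary copy before it
    # is moved into place - a syntax error here would otherwise lock out sudo.
    # Requires visudo on the node running the task; include directives in the
    # file are resolved against that node's filesystem, not /mnt - TODO confirm.
    - path: /mnt/etc/sudoers
      line: 'Defaults logfile="/var/log/sudo.log"'
      validate: /usr/sbin/visudo -cf %s

    # Restrict `su` to members of the wheel group (root keeps working via the
    # distro's leading pam_rootok.so entry, where present).
    - path: /mnt/etc/pam.d/su
      line: auth required pam_wheel.so

    # Account lockout: 5 failures, 15 minute unlock. pam_faillock's documented
    # placement is a `preauth` entry before pam_unix plus an `authfail` entry
    # after it; a single appended entry relies on the module's default action
    # - TODO confirm behaviour on each supported PAM version.
    - path: "/mnt/etc/{{ pam_auth_file }}"
      line: auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900
    - path: "/mnt/etc/{{ pam_account_file }}"
      line: account required pam_faillock.so

    # Password hashing and history. Appended after the distro's own pam_unix
    # entry where one exists (Debian/Ubuntu common-password). Without
    # `use_authtok` this entry prompts for a new password itself instead of
    # reusing the token already checked by a preceding pam_pwquality entry -
    # NOTE(review): confirm this is intended. `sha512` is kept from the
    # original policy; newer Debian/Ubuntu releases default to yescrypt.
    - path: "/mnt/etc/{{ pam_password_file }}"
      line: "password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5"

    # TCP wrappers. These files are honoured only by libwrap-linked services;
    # current Fedora/RHEL and Debian/Ubuntu OpenSSH builds do not link libwrap,
    # so treat this as defence in depth, not as the firewall - TODO confirm for
    # the targets in use.
    - path: /mnt/etc/hosts.deny
      line: "ALL: ALL"
    - path: /mnt/etc/hosts.allow
      line: "sshd: ALL"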