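---
# Hardening task: enforce one setting per loop item in configuration files
# under the target root. ansible.builtin.lineinfile replaces the first line
# matching `regexp` with `line`, or appends `line` at end of file when no
# line matches. Paths are rooted at /mnt — presumably a mounted target
# filesystem (image build or rescue context); verify against the caller.
# Variables consumed: cis_cfg.*, is_rhel, is_debian, os — expected to be
# defined by the caller. is_rhel/is_debian are passed through `| bool`
# because a string value such as "false" would otherwise be truthy in Jinja.
- name: Add Security related lines into config files
  ansible.builtin.lineinfile:
    path: "{{ item.path }}"
    regexp: "{{ item.regexp }}"
    line: "{{ item.content }}"
  loop:
    # Disable core dumps for all users.
    - path: /mnt/etc/security/limits.conf
      regexp: '^\*\s+hard\s+core\s+'
      content: "* hard core 0"

    # Password quality: minimum length plus one required character per class
    # (negative credit values are minimum counts; see pwquality.conf(5)).
    - path: /mnt/etc/security/pwquality.conf
      regexp: '^\s*#?\s*minlen\s*='
      content: "minlen = {{ cis_cfg.pwquality_minlen }}"
    - path: /mnt/etc/security/pwquality.conf
      regexp: '^\s*#?\s*dcredit\s*='
      content: "dcredit = -1"
    - path: /mnt/etc/security/pwquality.conf
      regexp: '^\s*#?\s*ucredit\s*='
      content: "ucredit = -1"
    - path: /mnt/etc/security/pwquality.conf
      regexp: '^\s*#?\s*ocredit\s*='
      content: "ocredit = -1"
    - path: /mnt/etc/security/pwquality.conf
      regexp: '^\s*#?\s*lcredit\s*='
      content: "lcredit = -1"

    # Default umask for interactive shells (distro-specific file name).
    # `| bool` keeps the truthiness test consistent with the journald item.
    - path: '/mnt/etc/{{ "bashrc" if is_rhel | bool else "bash.bashrc" }}'
      regexp: '^\s*umask\s+\d+'
      content: "umask {{ cis_cfg.umask }}"

    # Shell inactivity timeout.
    # NOTE(review): TMOUT is exported but not marked readonly, so an
    # interactive user can unset or change it — confirm this is intended.
    - path: '/mnt/etc/{{ "bashrc" if is_rhel | bool else "bash.bashrc" }}'
      regexp: '^\s*(export\s+)?TMOUT='
      content: "export TMOUT={{ cis_cfg.tmout }}"

    # Persist the systemd journal to disk.
    - path: '/mnt/{{ "usr/lib/systemd/journald.conf" if is_rhel | bool else "etc/systemd/journald.conf" }}'
      regexp: '^\s*#?\s*Storage='
      content: Storage=persistent

    # Log sudo usage to a dedicated file.
    # NOTE(review): no `validate` is applied to sudoers in this loop; a
    # malformed line would break sudo. A dedicated task for this file with
    # `validate: /usr/sbin/visudo -cf %s` would be safer.
    - path: /mnt/etc/sudoers
      regexp: '^\s*Defaults\s+logfile='
      content: Defaults logfile="/var/log/sudo.log"

    # Restrict `su` to members of the wheel group.
    - path: /mnt/etc/pam.d/su
      regexp: '^\s*#?\s*auth\s+required\s+pam_wheel\.so'
      content: auth required pam_wheel.so

    # Account lockout after repeated failures (auth and account phases).
    # NOTE(review): module order in a PAM stack is significant, and
    # lineinfile appends at end of file when the regexp is unmatched;
    # confirm the resulting position on each distro (insertbefore /
    # insertafter may be needed). On Fedora the authselect profile is
    # edited directly — confirm authselect does not regenerate it.
    - path: >-
        /mnt/etc/{{
        "pam.d/common-auth"
        if is_debian | bool
        else "authselect/system-auth"
        if os == "fedora"
        else "pam.d/system-auth"
        }}
      regexp: '^\s*auth\s+required\s+pam_faillock\.so'
      content: >-
        auth required pam_faillock.so onerr=fail audit silent
        deny={{ cis_cfg.faillock_deny }}
        unlock_time={{ cis_cfg.faillock_unlock_time }}
    - path: >-
        /mnt/etc/{{
        "pam.d/common-account"
        if is_debian | bool
        else "authselect/system-auth"
        if os == "fedora"
        else "pam.d/system-auth"
        }}
      regexp: '^\s*account\s+required\s+pam_faillock\.so'
      content: account required pam_faillock.so

    # Password hashing and reuse history.
    # NOTE(review): on non-Debian systems this targets pam.d/passwd; confirm
    # the regexp actually matches there, otherwise the line is appended at
    # end of file.
    - path: >-
        /mnt/etc/pam.d/{{
        "common-password"
        if is_debian | bool
        else "passwd"
        }}
      regexp: '^\s*password\s+\[success=1.*\]\s+pam_unix\.so'
      content: >-
        password [success=1 default=ignore] pam_unix.so obscure sha512
        remember={{ cis_cfg.password_remember }}

    # tcp_wrappers: deny everything, then allow only sshd. Any other
    # libwrap-aware service is refused as a result.
    # NOTE(review): sshd on many current distros is built without libwrap,
    # so the allow entry may have no effect there — confirm on the target.
    - path: /mnt/etc/hosts.deny
      regexp: '^ALL:\s*ALL'
      content: "ALL: ALL"
    - path: /mnt/etc/hosts.allow
      regexp: '^sshd:\s*ALL'
      content: "sshd: ALL"
  loop_control:
    label: "{{ item.content }}"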