Ansible-Bootstrap/roles/cis/tasks/security_lines.yml

---
- name: Add Security related lines into config files
  ansible.builtin.lineinfile:
    path: "{{ item.path }}"
    regexp: "{{ item.regexp }}"
    line: "{{ item.content }}"
  loop:
    - { path: /mnt/etc/security/limits.conf, regexp: '^\*\s+hard\s+core\s+', content: "* hard core 0" }
    - { path: /mnt/etc/security/pwquality.conf, regexp: '^\s*#?\s*minlen\s*=', content: minlen = 14 }
    - { path: /mnt/etc/security/pwquality.conf, regexp: '^\s*#?\s*dcredit\s*=', content: dcredit = -1 }
    - { path: /mnt/etc/security/pwquality.conf, regexp: '^\s*#?\s*ucredit\s*=', content: ucredit = -1 }
    - { path: /mnt/etc/security/pwquality.conf, regexp: '^\s*#?\s*ocredit\s*=', content: ocredit = -1 }
    - { path: /mnt/etc/security/pwquality.conf, regexp: '^\s*#?\s*lcredit\s*=', content: lcredit = -1 }
    - path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}'
      regexp: '^\s*umask\s+\d+'
      content: umask 077
    - path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}'
      regexp: '^\s*(export\s+)?TMOUT='
      content: export TMOUT=900
    - path: '/mnt/{{ "usr/lib/systemd/journald.conf" if is_rhel | bool else "etc/systemd/journald.conf" }}'
      regexp: '^\s*#?\s*Storage='
      content: Storage=persistent
    - path: /mnt/etc/sudoers
      regexp: '^\s*Defaults\s+logfile='
      content: Defaults        logfile="/var/log/sudo.log"
    - path: /mnt/etc/pam.d/su
      regexp: '^\s*#?\s*auth\s+required\s+pam_wheel\.so'
      content: auth required pam_wheel.so
    - path: >-
        /mnt/etc/{{
          "pam.d/common-auth"
          if is_debian | bool
          else "authselect/system-auth"
          if os == "fedora"
          else "pam.d/system-auth"
        }}
      regexp: '^\s*auth\s+required\s+pam_faillock\.so'
      content: >-
        auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900
    - path: >-
        /mnt/etc/{{
          "pam.d/common-account"
          if is_debian | bool
          else "authselect/system-auth"
          if os == "fedora"
          else "pam.d/system-auth"
        }}
      regexp: '^\s*account\s+required\s+pam_faillock\.so'
      content: account required pam_faillock.so
    - path: >-
        /mnt/etc/pam.d/{{
          "common-password"
          if is_debian | bool
          else "passwd"
        }}
      regexp: '^\s*password\s+\[success=1.*\]\s+pam_unix\.so'
      content: >-
        password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5
    - { path: /mnt/etc/hosts.deny, regexp: '^ALL:\s*ALL', content: "ALL: ALL" }
    - { path: /mnt/etc/hosts.allow, regexp: '^sshd:\s*ALL', content: "sshd: ALL" }
  loop_control:
    label: "{{ item.content }}"