ansible/roles/security/tasks/main.yml

   1 ---
   2 # Copyright 2019 Nokia
   3 #
   4 # Licensed under the Apache License, Version 2.0 (the "License");
   5 # you may not use this file except in compliance with the License.
   6 # You may obtain a copy of the License at
   7 #
   8 #     http://www.apache.org/licenses/LICENSE-2.0
   9 #
  10 # Unless required by applicable law or agreed to in writing, software
  11 # distributed under the License is distributed on an "AS IS" BASIS,
  12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13 # See the License for the specific language governing permissions and
  14 # limitations under the License.
  15
  16   - name: protect grub with root password
  17     blockinfile:
  18       dest: /etc/grub.d/40_custom
  19       state: present
  20       insertafter: 'EOF'
  21       content: |
  22         # define superusers
  23         set superusers="root"
  24         #define users
  25         password_pbkdf2 root {{ host_os.grub2_password }}
  26     when:
  27       - host_os is defined
  28       - host_os.grub2_password | default(False, True)
  29
  30   - name: generate grub config
  31     command: /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
  32
  33   - name: chsh/chfn right setting
  34     file:
  35       path: "{{ item }}"
  36       state: file
  37       mode: 04700
  38       owner: root
  39       group: root
  40     with_items:
  41       - /usr/bin/chsh
  42       - /usr/bin/chfn
  43
  44   - name: permission change for ssh certificates
  45     file:
  46       path: "{{ item }}"
  47       state: file
  48       mode: 0600
  49       owner: root
  50       group: root
  51     with_fileglob:
  52       - /etc/ssh/ssh_host_*_key
  53
  54   - name: reload audit config
  55     command: augenrules --load
  56
  57   - name: Checking existing file id for permission set 0600
  58     stat:
  59       path: "{{ item }}"
  60     register: file_perm_status
  61     with_items:
  62       - /var/log/boot.log
  63       - /var/log/cloud-init.log
  64       - /var/log/cloud-init-output.log
  65       - /var/log/dmesg
  66       - /var/log/dmesg.old
  67       - /var/log/java_install.log
  68       - /var/log/ntp.log
  69       - /var/log/rhsm/rhsmcertd.log
  70       - /var/log/rhsm/rhsm.log
  71       - /var/log/tuned/tuned.log
  72       - /var/log/up2date
  73       - /var/log/wpa_supplicant.log
  74       - /etc/cron.d/0hourly
  75       - /etc/cron.daily/0yum-daily.cron
  76       - /etc/cron.daily/man-db.cron
  77       - /etc/cron.hourly/0anacron
  78       - /etc/cron.hourly/0yum-hourly.cron
  79       - /boot/grub2/grub.cfg
  80       - /etc/rsyslog.conf
  81       - /etc/sysctl.conf
  82       - /etc/ntp.conf
  83       - /etc/audit/audit.rules
  84
  85   - name: change permission of of files to 0600
  86     file:
  87       path: "{{ item.stat.path }}"
  88       state: file
  89       mode: 0600
  90     when:  item.stat.exists
  91     with_items: "{{ file_perm_status.results }}"
  92
  93   - name: delete broken links
  94     file:
  95       path: "{{ item }}"
  96       state: absent
  97     with_lines:
  98       - find /run/udev/watch/ -xtype l