Added node read rule.
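---
# Copyright 2019 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Host hardening tasks for the security role: GRUB root password, tighter
# permissions on setuid binaries, SSH host keys and selected log/config files,
# an audit rule reload, and cleanup of dangling udev watch links.
#
# File modes are written as quoted strings: an unquoted leading-zero literal
# such as 0600 is an octal integer under YAML 1.1 and is treated differently
# by YAML 1.2 parsers, so quoting keeps the value stable across loaders.

  # Writes a superuser/password stanza into 40_custom; grub2-mkconfig (next
  # task) folds it into grub.cfg. Skipped unless host_os is defined and
  # grub2_password is set to a non-empty value (default(False, True) maps an
  # empty string to False). The value is passed straight to password_pbkdf2,
  # so it must already be a grub PBKDF2 hash, not a plaintext password.
  - name: protect grub with root password
    blockinfile:
      dest: /etc/grub.d/40_custom
      state: present
      insertafter: 'EOF'
      content: |
        # define superusers
        set superusers="root"
        #define users
        password_pbkdf2 root {{ host_os.grub2_password }}
    when:
      - host_os is defined
      - host_os.grub2_password | default(False, True)

  # Regenerates grub.cfg unconditionally, so this task always reports changed.
  # grub.cfg itself is restricted to 0600 further down in this file.
  - name: generate grub config
    command: /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg

  # 04700 = setuid bit plus owner-only rwx: keeps the setuid helper usable by
  # root but not invokable by unprivileged users.
  - name: chsh/chfn right setting
    file:
      path: "{{ item }}"
      state: file
      mode: "04700"
      owner: root
      group: root
    with_items:
      - /usr/bin/chsh
      - /usr/bin/chfn

  # Private host keys must be readable by root only.
  # NOTE(review): with_fileglob expands the glob on the control node, not on
  # the managed host; this only matches remote keys when the play runs
  # locally. Confirm that assumption for this role's inventory.
  - name: permission change for ssh certificates
    file:
      path: "{{ item }}"
      state: file
      mode: "0600"
      owner: root
      group: root
    with_fileglob:
      - /etc/ssh/ssh_host_*_key

  # augenrules merges /etc/audit/rules.d into audit.rules and loads the result.
  - name: reload audit config
    command: augenrules --load

  # Stat each candidate path first so that missing files are skipped instead
  # of failing the file task below. One result per path lands in
  # file_perm_status.results, with stat.exists false for absent files.
  - name: Checking existing file id for permission set 0600
    stat:
      path: "{{ item }}"
    register: file_perm_status
    with_items:
      - /var/log/boot.log
      - /var/log/cloud-init.log
      - /var/log/cloud-init-output.log
      - /var/log/dmesg
      - /var/log/dmesg.old
      - /var/log/java_install.log
      - /var/log/ntp.log
      - /var/log/rhsm/rhsmcertd.log
      - /var/log/rhsm/rhsm.log
      - /var/log/tuned/tuned.log
      - /var/log/up2date
      - /var/log/wpa_supplicant.log
      - /etc/cron.d/0hourly
      - /etc/cron.daily/0yum-daily.cron
      - /etc/cron.daily/man-db.cron
      - /etc/cron.hourly/0anacron
      - /etc/cron.hourly/0yum-hourly.cron
      - /boot/grub2/grub.cfg
      - /etc/rsyslog.conf
      - /etc/sysctl.conf
      - /etc/ntp.conf
      - /etc/audit/audit.rules

  # Only files that exist carry stat.path, which is why the when guard must
  # stay in front of the path lookup.
  - name: change permission of of files to 0600
    file:
      path: "{{ item.stat.path }}"
      state: file
      mode: "0600"
    when: item.stat.exists
    with_items: "{{ file_perm_status.results }}"

  # -xtype l lists symlinks whose target no longer exists.
  # NOTE(review): with_lines runs the find command on the control node, same
  # caveat as with_fileglob above.
  - name: delete broken links
    file:
      path: "{{ item }}"
      state: absent
    with_lines:
      - find /run/udev/watch/ -xtype l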