Add EFI support for grub.cfg generation
---
# Copyright 2019 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

16   - name: protect grub with root password
17     blockinfile:
18       dest: /etc/grub.d/40_custom
19       state: present
20       insertafter: 'EOF'
21       content: |
22         # define superusers
23         set superusers="root"
24         #define users
25         password_pbkdf2 root {{ host_os.grub2_password }}
26     when:
27       - host_os is defined
28       - host_os.grub2_password | default(False, True)
29
30   - name: check whether grub-efi exists
31     stat:
32       path: /boot/efi/EFI/centos/grub.cfg
33     register: grub_efi_file_stat
34
35   - name: generate grub config
36     command: /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
37
38   - name: generate grub-efi config
39     command: /usr/sbin/grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg
40     when: grub_efi_file_stat.stat.exists == true
41
42   - name: chsh/chfn right setting
43     file:
44       path: "{{ item }}"
45       state: file
46       mode: 04700
47       owner: root
48       group: root
49     with_items:
50       - /usr/bin/chsh
51       - /usr/bin/chfn
52
53   - name: permission change for ssh certificates
54     file:
55       path: "{{ item }}"
56       state: file
57       mode: 0600
58       owner: root
59       group: root
60     with_fileglob:
61       - /etc/ssh/ssh_host_*_key
62
  # Load the audit rule set into the running auditd (augenrules assembles
  # audit.rules from the rules.d fragments and loads it). A plain command
  # task, so it reports "changed" on every run; keep it after any task that
  # edits audit rule fragments.
  - name: reload audit config
    command: augenrules --load

  # Collect stat results for a fixed list of files that should be root-only
  # (logs, cron fragments, grub.cfg, daemon configs). Missing files are not
  # an error here: stat returns stat.exists == false for them and the
  # follow-up task skips those entries.
  # NOTE(review): only the BIOS grub.cfg is listed; the EFI copy regenerated
  # earlier (/boot/efi/EFI/centos/grub.cfg) sits on the ESP, typically a FAT
  # filesystem whose permissions come from mount options, so chmod could
  # not tighten it anyway — confirm the ESP mount options cover it.
  - name: Checking existing file id for permission set 0600
    stat:
      path: "{{ item }}"
    register: file_perm_status
    with_items:
      - /var/log/boot.log
      - /var/log/cloud-init.log
      - /var/log/cloud-init-output.log
      - /var/log/dmesg
      - /var/log/dmesg.old
      - /var/log/java_install.log
      - /var/log/ntp.log
      - /var/log/rhsm/rhsmcertd.log
      - /var/log/rhsm/rhsm.log
      - /var/log/tuned/tuned.log
      - /var/log/up2date
      - /var/log/wpa_supplicant.log
      - /etc/cron.d/0hourly
      - /etc/cron.daily/0yum-daily.cron
      - /etc/cron.daily/man-db.cron
      - /etc/cron.hourly/0anacron
      - /etc/cron.hourly/0yum-hourly.cron
      - /boot/grub2/grub.cfg
      - /etc/rsyslog.conf
      - /etc/sysctl.conf
      - /etc/ntp.conf
      - /etc/audit/audit.rules

94   - name: change permission of of files to 0600
95     file:
96       path: "{{ item.stat.path }}"
97       state: file
98       mode: 0600
99     when:  item.stat.exists
100     with_items: "{{ file_perm_status.results }}"
101
102   - name: delete broken links
103     file:
104       path: "{{ item }}"
105       state: absent
106     with_lines:
107       - find /run/udev/watch/ -xtype l