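---
# Copyright 2019 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Baseline OS hardening tasks: filesystem permissions, PATH hygiene,
# removal of unused accounts/groups, cron/auditd/securetty restrictions.
# File modes are quoted so the YAML parser hands Ansible an octal string
# rather than a base-10 integer (ansible-lint "risky-octal"), and
# booleans are written as true/false (yamllint "truthy").

- name: set /etc/openssl directory with proper rights
  file:
    path: /etc/openssl
    state: directory
    mode: "0755"

- name: templating path hardener profile.d script
  template:
    src: hardened_path.sh
    dest: /etc/profile.d/hardened_path.sh
    mode: "0644"

# The spool entry is recreated as a root:mail directory below; the file
# module cannot turn an existing regular file into a directory, so any
# existing entry is removed first.
- name: removing root spool/mail if exists
  file:
    path: /var/spool/mail/root
    state: absent

- name: creating root spool/mail
  file:
    path: /var/spool/mail/root
    state: directory
    mode: "0660"
    owner: root
    group: mail

- name: removing unused users
  user:
    name: "{{ item }}"
    state: absent
    remove: true  # deletes home directory, mail spool, etc.
  # Best effort: the spool may not exist, or the group may not be the
  # user's primary group. ignore_errors also masks genuine failures, so
  # the task output still needs to be checked.
  ignore_errors: true
  with_items:
    - "lp"
    - "operator"
    - "games"
    - "ftp"

- name: remove not needed user groups
  group:
    name: "{{ item }}"
    state: absent
  with_items:
    - "cdrom"
    - "floppy"
    - "games"
    - "tape"

- name: system uids to 999 instead of 199
  replace:
    path: /etc/profile
    regexp: 'if \[ \$UID -gt 199 \]'
    replace: 'if [ $UID -gt 999 ]'

# "\$" keeps the dollar sign literal inside the regex; an unescaped "$"
# is an end-of-line anchor, so "$HOME/bin" would never match and the
# PATH line would silently be left in place.
- name: Removing home per bin from path in skeleton and in the already existing root
  lineinfile:
    path: "{{ item }}"
    state: absent
    regexp: '^PATH=.*\$HOME/bin'
  with_items:
    - /etc/skel/.bash_profile
    - /root/.bash_profile

- name: create /etc/cron.allow with root
  copy:
    content: 'root'
    dest: /etc/cron.allow
    owner: root
    group: root
    mode: "0600"
    force: true

- name: remove linked files
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - /etc/prelink.conf.d/fipscheck.conf
    - /etc/prelink.conf.d/grub2.conf
    - /etc/prelink.conf.d/nss-softokn-prelink.conf

# Rewrites an existing "key = value" line in place (leading whitespace
# tolerated); lineinfile appends the line when no match is found.
- name: change auditd config
  lineinfile:
    path: /etc/audit/auditd.conf
    state: present
    regexp: '^ *{{ item.key }} *=.+$'
    line: '{{ item.key }} = {{ item.val }}'
  with_items:
    - key: num_logs
      val: 10
    - key: max_log_file
      val: 15

# Ownership and mode are pinned so a freshly created securetty does not
# inherit umask-dependent permissions.
- name: No root login access on terminals /etc/securetty
  copy:
    content: 'console'
    dest: /etc/securetty
    owner: root
    group: root
    mode: "0600"
    force: true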