Added seed code for caas-security.

[ta/caas-security.git] / ansible / roles / hardening / tasks / main.yml

diff --git a/ansible/roles/hardening/tasks/main.yml b/ansible/roles/hardening/tasks/main.yml
new file mode 100644 (file)
index 0000000..00d6c20
--- /dev/null
+++ b/ansible/roles/hardening/tasks/main.yml
@@ -0,0 +1,53 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- import_tasks: hardening.yaml
+
+- name: setting umask for init scripts
+  lineinfile:
+    dest: /etc/sysconfig/init
+    regexp: ^umask
+    line: umask 027
+
+- name: disable interactive boot
+  lineinfile:
+    dest: /etc/sysconfig/init
+    state: present
+    regexp: '^ *PROMPT *= *\w+$'
+    line: PROMPT=no
+
+- name: removing wheel group altogether
+  group:
+    name: wheel
+    state: absent
+
+- name: removing postfix
+  yum:
+    name: postfix
+    state: absent
+
+- name: change permission of files to 0500
+  file:
+    path: /usr/sbin/tcpdump
+    state: file
+    mode: 0500
+
+- name: change permission of files to 0X00
+  file:
+    path: /root
+    state: directory
+    recurse: yes
+    mode: "g-rwx,o-rwx"
+