49 lines
1.4 KiB
YAML
49 lines
1.4 KiB
YAML
---
|
|
- name: Configure sysctl
|
|
template:
|
|
src: sysctl.d/local.conf.j2
|
|
dest: /etc/sysctl.d/local.conf
|
|
mode: 0644
|
|
|
|
# Use this command to list setuid or setgid executables
|
|
# find / -type f -perm /6000 -ls 2>/dev/null
|
|
- name: Desactivate setuid/setgid on unused binaries
|
|
file:
|
|
path: "{{ item }}"
|
|
mode: u-s,g-s
|
|
loop:
|
|
- /usr/lib/openssh/sshkeysign # Not used
|
|
- /usr/bin/gpasswd # No group auth
|
|
- /usr/bin/passwd # Only root should change passwd
|
|
- /usr/bin/expiry # With re2o
|
|
- /usr/bin/newgrp # No group auth
|
|
- /usr/bin/chage # With re2o
|
|
- /usr/bin/chsh # With re2o
|
|
- /usr/bin/chfn # With re2o
|
|
- /bin/mount # Only root should mount
|
|
- /bin/umount # Only root should umount
|
|
ignore_errors: true # Sometimes file won't exist
|
|
|
|
# Only SSH keys to log on root
|
|
- name: Prohibit root SSH with password
|
|
lineinfile:
|
|
dest: /etc/ssh/sshd_config
|
|
regexp: '^PermitRootLogin'
|
|
insertafter: '^#PermitRootLogin'
|
|
line: 'PermitRootLogin prohibit-password'
|
|
notify: Restart sshd service
|
|
|
|
# See banned client with `fail2ban-client status sshd`
|
|
- name: Install fail2ban
|
|
apt:
|
|
name: fail2ban
|
|
register: apt_result
|
|
retries: 3
|
|
until: apt_result is succeeded
|
|
|
|
- name: Configure fail2ban
|
|
template:
|
|
src: fail2ban/jail.d/local.conf.j2
|
|
dest: /etc/fail2ban/jail.d/local.conf
|
|
mode: 0644
|
|
notify: Restart fail2ban service
|