---
# Initial hardening ideas from CIS
- name: sysctl hardening and limits
  block:
    - name: create combined sysctl-dict if overwrites are defined
      ansible.builtin.set_fact:
        sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
      when: sysctl_overwrite | default()

    - name: Kernel parameters
      sysctl:
        name: "{{ item.key }}"
        value: "{{ item.value }}"
        state: present
        ignoreerrors: true
        sysctl_set: true
        sysctl_file: /etc/sysctl.d/99-ansible.conf
      with_dict: "{{ sysctl_config }}"
      tags:
        - harden
        - kernel

    - name: Security limits
      pam_limits:
        dest: "/etc/security/limits.d/cis.conf"
        domain: "{{ item.domain }}"
        limit_type: "{{ item.limit_type }}"
        limit_item: "{{ item.limit_item }}"
        value: "{{ item.value }}"
      with_items: "{{ limits }}"
      tags:
        - harden

- name: Standard login settings
  block:
    - name: useradd defaults
      ansible.builtin.lineinfile:
        line: "INACTIVE=30"
        regexp: "^INACTIVE=.*"
        path: "/etc/login.defs"
      tags:
        - harden

    - name: login defs maximum days
      ansible.builtin.replace:
        path: /etc/login.defs
        regexp: '(PASS_MAX_DAYS).*\d+'
        replace: '\1\t{{ login_max_days }}'
      tags:
        - harden

    - name: login defs minimum days
      ansible.builtin.replace:
        path: /etc/login.defs
        regexp: '(PASS_MIN_DAYS).*\d+'
        replace: '\1\t{{ login_min_days }}'
      tags:
        - harden

    - name: login defs minimum length
      ansible.builtin.replace:
        path: /etc/login.defs
        regexp: '(PASS_MIN_LEN).*\d+'
        replace: '\1\t{{ login_min_len }}'
      tags:
        - harden

    - name: login defs warn age
      ansible.builtin.replace:
        path: /etc/login.defs
        regexp: '(PASS_WARN_AGE).*\d+'
        replace: '\1\t{{ login_warn_age }}'
      tags:
        - harden

    - name: cron directories permissions
      ansible.builtin.file:
        path: '{{ item }}'
        owner: root
        group: root
        mode: '0700'
        state: directory
      loop: '{{ login_cron_directories }}'
      tags:
        - harden

    - name: Create cron/at allows
      ansible.builtin.file:
        path: '{{ item }}'
        owner: root
        group: root
        mode: '0600'
        state: touch
      loop: '{{ login_cron_allows }}'
      tags:
        - harden

    - name: Remove cron/at denies
      ansible.builtin.file:
        path: '{{ item }}'
        state: absent
      loop: '{{ login_cron_denies }}'
      tags:
        - harden

    # TODO: Use pamd module to establish password policy
    - name: pwquality - minlen
      ansible.builtin.lineinfile:
        line: "minlen = 14"
        regexp: "^# minlen =.*"
        path: "/etc/security/pwquality.conf"
      tags:
        - harden

    - name: pwquality - dcredit
      ansible.builtin.lineinfile:
        line: "dcredit = -1"
        regexp: "^# dcredit =.*"
        path: "/etc/security/pwquality.conf"
      tags:
        - harden

    - name: pwquality - ucredit
      ansible.builtin.lineinfile:
        line: "ucredit = -1"
        regexp: "^# ucredit =.*"
        path: "/etc/security/pwquality.conf"
      tags:
        - harden

    - name: pwquality - lcredit
      ansible.builtin.lineinfile:
        line: "lcredit = -1"
        regexp: "^# lcredit =.*"
        path: "/etc/security/pwquality.conf"
      tags:
        - harden

    - name: pwquality - ocredit
      ansible.builtin.lineinfile:
        line: "ocredit = -1"
        regexp: "^# ocredit =.*"
        path: "/etc/security/pwquality.conf"
      tags:
        - harden

- name: Remove packages not allowed by CIS
  ansible.builtin.package:
    name: "{{ remove_packages }}"
    state: absent
  tags:
    - harden

- name: Disable Services
  ansible.builtin.service:
    name: "{{ item }}"
    enabled: false
    state: stopped
  loop: "{{ disable_svc }}"
  register: service_check
  failed_when: service_check is failed and not 'Could not find the requested service' in service_check.msg
  tags:
    - services
    - harden

- name: modprobe settings
  block:
    - name: remove vfat from filesystem list if we are EFI
      ansible.builtin.set_fact:
        modprobe_unused_filesystems: "{{ modprobe_unused_filesystems | difference('vfat') }}"
      when:
        - efi_installed.stat.isdir is defined
        - efi_installed.stat.isdir
      tags:
        - efi

    - name: disable unused filesystems
      ansible.builtin.template:
        src: "etc/modprobe.d/cis.conf.j2"
        dest: "/etc/modprobe.d/cis.conf"
        owner: 'root'
        group: 'root'
        mode: '0644'
      tags:
        - harden

- name: Set init umask
  ansible.builtin.lineinfile:
    dest: /etc/sysconfig/init
    state: present
    regexp: ^umask
    line: "umask 027"
    create: true
    owner: root
    group: root
    mode: '0644'
  when: ansible_distribution_major_version == '7'
  tags:
    - harden

- name: CIS sudoers configuration
  ansible.builtin.copy:
    src: "etc/sudoers.d/cis"
    dest: "/etc/sudoers.d/cis"
    owner: root
    group: root
    mode: '0440'
  tags:
    - harden

- name: Remove packages not allowed by CIS
  ansible.builtin.package:
    name: "{{ remove_packages }}"
    state: absent
  tags:
    - harden
...