diff --git a/ansible/playbooks/files/etc/sudoers.d/cis b/ansible/playbooks/files/etc/sudoers.d/cis new file mode 100644 index 0000000..9f41de1 --- /dev/null +++ b/ansible/playbooks/files/etc/sudoers.d/cis @@ -0,0 +1,2 @@ +Defaults use_pty +Defaults logfile="/var/log/sudo.log" diff --git a/ansible/playbooks/tasks/harden.yml b/ansible/playbooks/tasks/harden.yml index e42bfff..5ac8420 100644 --- a/ansible/playbooks/tasks/harden.yml +++ b/ansible/playbooks/tasks/harden.yml @@ -7,15 +7,15 @@ sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}' when: sysctl_overwrite | default() - - name: sysctl + - name: Kernel parameters sysctl: - name: '{{ item.key }}' - value: '{{ item.value }}' + name: "{{ item.key }}" + value: "{{ item.value }}" state: present ignoreerrors: true sysctl_set: true sysctl_file: /etc/sysctl.d/99-ansible.conf - with_dict: '{{ sysctl_config }}' + with_dict: "{{ sysctl_config }}" tags: - harden - kernel @@ -103,6 +103,7 @@ tags: - harden + # TODO: Use pamd module to establish password policy - name: pwquality - minlen lineinfile: line: "minlen = 14" @@ -188,7 +189,7 @@ name: "{{ item }}" enabled: false state: stopped - with_items: "{{ disable_svc }}" + loop: "{{ disable_svc }}" register: service_check failed_when: service_check is failed and not 'Could not find the requested service' in service_check.msg tags: @@ -230,15 +231,13 @@ tags: - harden -- name: cis sudoers configuration +- name: CIS sudoers configuration copy: - dest: /etc/sudoers.d/cis + src: "etc/sudoers.d/cis" + dest: "/etc/sudoers.d/cis" owner: root group: root mode: '0440' - content: | - Defaults use_pty - Defaults logfile="/var/log/sudo.log" tags: - harden diff --git a/ansible/playbooks/templates/etc/resolv.conf.j2 b/ansible/playbooks/templates/etc/resolv.conf.j2 index 2b2cae4..dd91a8d 100644 --- a/ansible/playbooks/templates/etc/resolv.conf.j2 +++ b/ansible/playbooks/templates/etc/resolv.conf.j2 
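Review bot: The two new Defaults lines only take effect if /etc/sudoers actually includes the drop-in directory, and nothing visible in this commit checks that or provides log rotation for the `/var/log/sudo.log` file that `logfile=` will start growing; if neither already exists elsewhere in the repository, both belong alongside this file. A one-line header in the file would make the dependency explicit for the next reader, e.g. `# Loaded via the sudoers.d include in /etc/sudoers; log rotation for /var/log/sudo.log is configured separately`. Whether sudo creates the log with restrictive permissions on first use is version-dependent and worth confirming on the target hosts rather than assumed.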
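Review bot: The renamed `Kernel parameters` task keeps `with_dict` while the service task later in the same commit migrates `with_items` to `loop`, so the file ends up with two loop styles; `loop: "{{ sysctl_config | dict2items }}"` would complete the migration and leaves the `item.key` / `item.value` references unchanged. The switch from single to double quotes on the `name`, `value` and `with_dict` values is behavior-neutral since they contain only Jinja expressions. The `set_fact`/`when` lines at the top of the hunk belong to a preceding task that starts outside it, and the `tags` list may continue past `- kernel`.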
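Review bot: Replacing `with_items` with `loop` on the `disable_svc` task silently drops the one-level list flattening that `with_items` performed, so if `disable_svc` is ever built from nested lists the service module now receives a list as a service name and the `failed_when` guard will not recognise the resulting error. If a flat list is guaranteed the change is fine; otherwise `loop: "{{ disable_svc | flatten(levels=1) }}"` preserves the previous semantics. The task's module name and the tail of its `tags` list lie outside the hunk.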
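Review bot: The `CIS sudoers configuration` task now installs an external file into /etc/sudoers.d without any syntax check, so a typo in `files/etc/sudoers.d/cis` would be deployed with mode 0440 and sudo would reject every later invocation on the host until it is repaired by other means; adding `validate: 'visudo -cf %s'` under `copy:` makes the module refuse to install an unparsable file. The inline `content:` block that previously kept the two Defaults lines visible in the playbook is gone, so a short comment on the task naming the source file's purpose (`# Sudo session logging and pty enforcement; see files/etc/sudoers.d/cis`) would keep the intent reviewable here.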
@@ -1,4 +1,3 @@ # Generated by Ansible search {{ ipareplica_domain }} nameserver {{ ipa_dns_master }} - diff --git a/ansible/playbooks/vars/RedHat.yml b/ansible/playbooks/vars/RedHat.yml index 68a2eb8..284156c 100644 --- a/ansible/playbooks/vars/RedHat.yml +++ b/ansible/playbooks/vars/RedHat.yml @@ -19,7 +19,7 @@ remove_packages: # security limits limits: - - { domain: '*', limit_type: hard, limit_item: core, value: 0 } + - {domain: '*', limit_type: hard, limit_item: core, value: 0} # sysctl settings sysctl_config: