From 4032d4ce1d3b3dad4fc4794a48569374f8353873 Mon Sep 17 00:00:00 2001
From: danielkubat
Date: Sat, 12 Dec 2020 03:10:29 +0100
Subject: [PATCH 1/4] Make yamllint happy
---
 ansible/playbooks/vars/RedHat.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ansible/playbooks/vars/RedHat.yml b/ansible/playbooks/vars/RedHat.yml
index 68a2eb8..284156c 100644
--- a/ansible/playbooks/vars/RedHat.yml
+++ b/ansible/playbooks/vars/RedHat.yml
@@ -19,7 +19,7 @@ remove_packages:
 # security limits
 limits:
- - { domain: '*', limit_type: hard, limit_item: core, value: 0 }
+ - {domain: '*', limit_type: hard, limit_item: core, value: 0}
 # sysctl settings
 sysctl_config:
From 458d5db418f57fa57c39fa624d08ece5bb45d80e Mon Sep 17 00:00:00 2001
From: danielkubat
Date: Sat, 12 Dec 2020 03:11:06 +0100
Subject: [PATCH 2/4] Empty line deleted
---
 ansible/playbooks/templates/etc/resolv.conf.j2 | 1 -
 1 file changed, 1 deletion(-)
diff --git a/ansible/playbooks/templates/etc/resolv.conf.j2 b/ansible/playbooks/templates/etc/resolv.conf.j2
index 2b2cae4..dd91a8d 100644
--- a/ansible/playbooks/templates/etc/resolv.conf.j2
+++ b/ansible/playbooks/templates/etc/resolv.conf.j2
@@ -1,4 +1,3 @@
 # Generated by Ansible
 search {{ ipareplica_domain }}
 nameserver {{ ipa_dns_master }}
-
From af0b20f7a84633407374aef37f164fea5c0bfc00 Mon Sep 17 00:00:00 2001
From: danielkubat
Date: Sat, 12 Dec 2020 03:28:20 +0100
Subject: [PATCH 3/4] Sudoers include defined as file
---
 ansible/playbooks/files/etc/sudoers.d/cis | 2 ++
 ansible/playbooks/tasks/harden.yml | 19 +++++++++----------
 2 files changed, 11 insertions(+), 10 deletions(-)
 create mode 100644 ansible/playbooks/files/etc/sudoers.d/cis
diff --git a/ansible/playbooks/files/etc/sudoers.d/cis b/ansible/playbooks/files/etc/sudoers.d/cis
new file mode 100644
index 0000000..9f41de1
--- /dev/null
+++ b/ansible/playbooks/files/etc/sudoers.d/cis
@@ -0,0 +1,2 @@
+Defaults use_pty
+Defaults logfile="/var/log/sudo.log"
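Review bot: `Defaults logfile="/var/log/sudo.log"` routes every sudo invocation, including the full command line, into a dedicated file, but nothing visible in this patch series manages that file's ownership, mode or rotation — sudo creates it on first use, so confirm it ends up root-owned with a restrictive mode and has a logrotate entry, otherwise it grows unbounded on a hardened host. As far as I can tell a `logfile` Default does not turn off syslog logging, so the same events should still reach the journal and any remote collector; worth verifying rather than assuming if this log is relied on for detection. The drop-in name `cis` contains no `.` or `~`, which is required for sudo to read it from sudoers.d — a header comment such as `# Managed by Ansible (tasks/harden.yml); file name must stay free of '.' and '~' or sudo ignores it` would keep that from being broken by a later rename.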
diff --git a/ansible/playbooks/tasks/harden.yml b/ansible/playbooks/tasks/harden.yml
index e42bfff..5d91cd6 100644
--- a/ansible/playbooks/tasks/harden.yml
+++ b/ansible/playbooks/tasks/harden.yml
@@ -7,15 +7,15 @@
 sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
 when: sysctl_overwrite | default()
- - name: sysctl
+ - name: Kernel parameters
 sysctl:
- name: '{{ item.key }}'
- value: '{{ item.value }}'
+ name: "{{ item.key }}"
+ value: "{{ item.value }}"
 state: present
 ignoreerrors: true
 sysctl_set: true
 sysctl_file: /etc/sysctl.d/99-ansible.conf
- with_dict: '{{ sysctl_config }}'
+ with_dict: "{{ sysctl_config }}"
 tags:
 - harden
 - kernel
@@ -103,6 +103,7 @@
 tags:
 - harden
+# TODO: Use pamd module to establish password policy
 - name: pwquality - minlen
 lineinfile:
 line: "minlen = 14"
@@ -188,7 +189,7 @@
 name: "{{ item }}"
 enabled: false
 state: stopped
- with_items: "{{ disable_svc }}"
+ loop: "{{ disable_svc }}"
 register: service_check
 failed_when: service_check is failed and not 'Could not find the requested service' in service_check.msg
 tags:
@@ -230,15 +231,13 @@
 tags:
 - harden
-- name: cis sudoers configuration
+- name: CIS sudoers configuration
 copy:
- dest: /etc/sudoers.d/cis
+ src: "etc/sudoers.d/cis"
+ dest: "/etc/sudoers.d/cis"
 owner: root
 group: root
 mode: '0440'
- content: |
- Defaults use_pty
- Defaults logfile="/var/log/sudo.log"
 tags:
 - harden
From c3dcc26f29af4be0e5baa917748580008d9867e6 Mon Sep 17 00:00:00 2001
From: danielkubat
Date: Sat, 12 Dec 2020 03:32:37 +0100
Subject: [PATCH 4/4] Comment not indented like content
---
 ansible/playbooks/tasks/harden.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ansible/playbooks/tasks/harden.yml b/ansible/playbooks/tasks/harden.yml
index 5d91cd6..5ac8420 100644
--- a/ansible/playbooks/tasks/harden.yml
+++ b/ansible/playbooks/tasks/harden.yml
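Review bot: `ignoreerrors: true` on the renamed "Kernel parameters" task means a key in `sysctl_config` that the running kernel rejects, or that is simply misspelled in the vars file, is skipped without failing the play, so a hardening sysctl can silently never be applied. If the intent is to tolerate keys that do not exist on every kernel this role targets, say so above the line, e.g. `# ignoreerrors: some keys in sysctl_config are absent on older kernels; verify the rendered /etc/sysctl.d/99-ansible.conf after a run`; otherwise drop the option and let the task fail loudly. The task list this hunk belongs to starts before the hunk, so the surrounding block/when conditions are not visible here.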
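Review bot: The "CIS sudoers configuration" copy task installs `/etc/sudoers.d/cis` with no syntax validation, and now that the content lives in a separate file rather than inline it is easier to break without noticing; sudo refuses to run when any sudoers file has a parse error, so a bad drop-in locks administrators out of privilege escalation on every host the play touches. Add `validate: '/usr/sbin/visudo -cf %s'` to the copy task so the file is checked before it replaces the live one. The root:root 0440 ownership and mode kept from the old task are correct for sudoers.d.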
@@ -103,7 +103,7 @@
 tags:
 - harden
-# TODO: Use pamd module to establish password policy
+ # TODO: Use pamd module to establish password policy
 - name: pwquality - minlen
 lineinfile:
 line: "minlen = 14"