mirror of
https://github.com/rocky-linux/infrastructure
synced 2024-09-21 03:52:35 +00:00
Louis Abel
GitHub
commit
c8fe3b75cc
2
ansible/playbooks/files/etc/sudoers.d/cis
Normal file
2
ansible/playbooks/files/etc/sudoers.d/cis
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
Defaults use_pty
|
||||||
|
Defaults logfile="/var/log/sudo.log"
|
||||||
@ -7,15 +7,15 @@
|
|||||||
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
|
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
|
||||||
when: sysctl_overwrite | default()
|
when: sysctl_overwrite | default()
|
||||||
|
|
||||||
- name: sysctl
|
- name: Kernel parameters
|
||||||
sysctl:
|
sysctl:
|
||||||
name: '{{ item.key }}'
|
name: "{{ item.key }}"
|
||||||
value: '{{ item.value }}'
|
value: "{{ item.value }}"
|
||||||
state: present
|
state: present
|
||||||
ignoreerrors: true
|
ignoreerrors: true
|
||||||
sysctl_set: true
|
sysctl_set: true
|
||||||
sysctl_file: /etc/sysctl.d/99-ansible.conf
|
sysctl_file: /etc/sysctl.d/99-ansible.conf
|
||||||
with_dict: '{{ sysctl_config }}'
|
with_dict: "{{ sysctl_config }}"
|
||||||
tags:
|
tags:
|
||||||
- harden
|
- harden
|
||||||
- kernel
|
- kernel
|
||||||
@ -103,6 +103,7 @@
|
|||||||
tags:
|
tags:
|
||||||
- harden
|
- harden
|
||||||
|
|
||||||
|
# TODO: Use pamd module to establish password policy
|
||||||
- name: pwquality - minlen
|
- name: pwquality - minlen
|
||||||
lineinfile:
|
lineinfile:
|
||||||
line: "minlen = 14"
|
line: "minlen = 14"
|
||||||
@ -188,7 +189,7 @@
|
|||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
enabled: false
|
enabled: false
|
||||||
state: stopped
|
state: stopped
|
||||||
with_items: "{{ disable_svc }}"
|
loop: "{{ disable_svc }}"
|
||||||
register: service_check
|
register: service_check
|
||||||
failed_when: service_check is failed and not 'Could not find the requested service' in service_check.msg
|
failed_when: service_check is failed and not 'Could not find the requested service' in service_check.msg
|
||||||
tags:
|
tags:
|
||||||
@ -230,15 +231,13 @@
|
|||||||
tags:
|
tags:
|
||||||
- harden
|
- harden
|
||||||
|
|
||||||
- name: cis sudoers configuration
|
- name: CIS sudoers configuration
|
||||||
copy:
|
copy:
|
||||||
dest: /etc/sudoers.d/cis
|
src: "etc/sudoers.d/cis"
|
||||||
|
dest: "/etc/sudoers.d/cis"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: '0440'
|
mode: '0440'
|
||||||
content: |
|
|
||||||
Defaults use_pty
|
|
||||||
Defaults logfile="/var/log/sudo.log"
|
|
||||||
tags:
|
tags:
|
||||||
- harden
|
- harden
|
||||||
|
|
||||||
|
|||||||
@ -1,4 +1,3 @@
|
|||||||
# Generated by Ansible
|
# Generated by Ansible
|
||||||
search {{ ipareplica_domain }}
|
search {{ ipareplica_domain }}
|
||||||
nameserver {{ ipa_dns_master }}
|
nameserver {{ ipa_dns_master }}
|
||||||
|
|
||||||
|
|||||||
@ -19,7 +19,7 @@ remove_packages:
|
|||||||
|
|
||||||
# security limits
|
# security limits
|
||||||
limits:
|
limits:
|
||||||
- { domain: '*', limit_type: hard, limit_item: core, value: 0 }
|
- {domain: '*', limit_type: hard, limit_item: core, value: 0}
|
||||||
|
|
||||||
# sysctl settings
|
# sysctl settings
|
||||||
sysctl_config:
|
sysctl_config:
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user