74 lines
2.4 KiB
YAML
74 lines
2.4 KiB
YAML
---
|
|
- name: protect sysctl.conf
|
|
file:
|
|
path: '/etc/sysctl.conf'
|
|
owner: 'root'
|
|
group: 'root'
|
|
mode: '0440'
|
|
|
|
- name: set Daemon umask, do config for rhel-family | NSA 2.2.4.1
|
|
template:
|
|
src: 'etc/sysconfig/rhel_sysconfig_init.j2'
|
|
dest: '/etc/sysconfig/init'
|
|
owner: 'root'
|
|
group: 'root'
|
|
mode: '0544'
|
|
when: ansible_facts.distribution == 'RedHat' or ansible_facts.distribution == 'Fedora' or
|
|
ansible_facts.distribution == 'CentOS' or ansible_facts.distribution == 'Amazon'
|
|
|
|
- name: install initramfs-tools
|
|
apt:
|
|
name: 'initramfs-tools'
|
|
state: 'present'
|
|
update_cache: true
|
|
when: ansible_facts.os_family == 'Debian' and os_security_kernel_enable_module_loading
|
|
|
|
- name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled
|
|
template:
|
|
src: 'etc/initramfs-tools/modules.j2'
|
|
dest: '/etc/initramfs-tools/modules'
|
|
owner: 'root'
|
|
group: 'root'
|
|
mode: '0440'
|
|
notify:
|
|
- update-initramfs
|
|
when: ansible_facts.os_family == 'Debian' and os_security_kernel_enable_module_loading
|
|
register: initramfs
|
|
|
|
- name: change sysctls
|
|
block:
|
|
- name: create a combined sysctl-dict if overwrites are defined
|
|
set_fact:
|
|
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
|
|
when: sysctl_overwrite | default()
|
|
|
|
- name: Change various sysctl-settings, look at the sysctl-vars file for documentation
|
|
sysctl:
|
|
name: '{{ item.key }}'
|
|
value: '{{ item.value }}'
|
|
sysctl_set: yes
|
|
state: present
|
|
reload: yes
|
|
ignoreerrors: yes
|
|
with_dict: '{{ sysctl_config }}'
|
|
|
|
- name: Change various sysctl-settings on rhel6-hosts or older, look at the sysctl-vars file for documentation
|
|
sysctl:
|
|
name: '{{ item.key }}'
|
|
value: '{{ item.value }}'
|
|
state: present
|
|
reload: yes
|
|
ignoreerrors: yes
|
|
with_dict: '{{ sysctl_rhel_config }}'
|
|
when: ((ansible_facts.distribution == 'RedHat' or ansible_facts.distribution == 'Fedora' or ansible_facts.distribution == 'CentOS') and
|
|
ansible_distribution_version|int is version('7', '<')) or ansible_facts.distribution == 'Amazon'
|
|
|
|
when: ansible_virtualization_type not in ['docker', 'openvz', 'lxc']
|
|
|
|
- name: Apply ufw defaults
|
|
template:
|
|
src: 'etc/default/ufw.j2'
|
|
dest: '/etc/default/ufw'
|
|
when: ufw_manage_defaults and (ansible_facts.distribution == 'Debian' or ansible_facts.distribution == 'Ubuntu')
|
|
tags: ufw
|