45 lines
1.7 KiB
YAML
45 lines
1.7 KiB
YAML
---
|
|
- name: protect sysctl.conf
|
|
file: path='/etc/sysctl.conf' owner=root group=root mode=0440
|
|
|
|
- name: NSA 2.2.4.1 Set Daemon umask, do config for rhel-family
|
|
template: src='rhel_sysconfig_init.j2' dest='/etc/sysconfig/init' owner=root group=root mode=0544
|
|
when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS'
|
|
|
|
- name: install initramfs-tools
|
|
apt: name='initramfs-tools' state=installed update_cache=true
|
|
when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading
|
|
|
|
- name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled
|
|
template: src='modules.j2' dest='/etc/initramfs-tools/modules' owner=root group=root mode=0440
|
|
when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading
|
|
register: initramfs
|
|
|
|
- name: update-initramfs
|
|
command: 'update-initramfs -u'
|
|
when: initramfs.changed
|
|
|
|
- name: Change various sysctl-settings, look at the sysctl-vars file for documentation
|
|
sysctl:
|
|
name: '{{ item.key }}'
|
|
value: '{{ item.value }}'
|
|
sysctl_set: yes
|
|
state: present
|
|
reload: yes
|
|
ignoreerrors: yes
|
|
with_dict: '{{ sysctl_config }}'
|
|
|
|
- name: Change various sysctl-settings on rhel-hosts, look at the sysctl-vars file for documentation
|
|
sysctl:
|
|
name: '{{ item.key }}'
|
|
value: '{{ item.value }}'
|
|
state: present
|
|
reload: yes
|
|
ignoreerrors: yes
|
|
with_dict: '{{ sysctl_rhel_config }}'
|
|
when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS'
|
|
|
|
- name: Apply ufw defaults
|
|
template: src="ufw.j2" dest=/etc/default/ufw
|
|
when: ufw_manage_defaults and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')
|
|
tags: ufw
|