Mateusz Suski
35e6b139fc
ci / validate (push) Failing after 1m8s
Rework portfolio around Linux operations, Zabbix monitoring, migration validation, and ELK/Grafana log observability. Add AAP-style LVM resize workflow, Zabbix server/proxy/agent automation assets, Linux/AIX monitoring templates, and updated validation CI.
96 lines
2.6 KiB
YAML
96 lines
2.6 KiB
YAML
---
|
|
- name: Validate hardening requirements
|
|
ansible.builtin.assert:
|
|
that:
|
|
- ansible_os_family == "Debian"
|
|
- cis_level in [1, 2]
|
|
fail_msg: "Unsupported configuration for hardening"
|
|
|
|
- name: Apply CIS hardening tasks
|
|
ansible.builtin.include_tasks: cis_hardening.yml
|
|
when: cis_level >= 1
|
|
|
|
- name: Configure SSH hardening
|
|
block:
|
|
- name: Disable root SSH login
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '^PermitRootLogin'
|
|
line: 'PermitRootLogin no'
|
|
state: present
|
|
when: disable_root_login
|
|
notify: restart sshd
|
|
|
|
- name: Disable password authentication
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '^PasswordAuthentication'
|
|
line: 'PasswordAuthentication no'
|
|
state: present
|
|
when: secure_ssh_config
|
|
notify: restart sshd
|
|
|
|
- name: Set MaxAuthTries
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '^MaxAuthTries'
|
|
line: "MaxAuthTries {{ ssh_max_auth_tries }}"
|
|
state: present
|
|
notify: restart sshd
|
|
|
|
- name: Disable empty passwords
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '^PermitEmptyPasswords'
|
|
line: 'PermitEmptyPasswords no'
|
|
state: present
|
|
notify: restart sshd
|
|
|
|
- name: Set ClientAliveInterval
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '^ClientAliveInterval'
|
|
line: "ClientAliveInterval {{ ssh_client_alive_interval }}"
|
|
state: present
|
|
notify: restart sshd
|
|
|
|
- name: Set ClientAliveCountMax
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '^ClientAliveCountMax'
|
|
line: "ClientAliveCountMax {{ ssh_client_alive_count_max }}"
|
|
state: present
|
|
notify: restart sshd
|
|
|
|
- name: Configure firewall rules
|
|
block:
|
|
- name: Enable firewall
|
|
community.general.ufw:
|
|
state: enabled
|
|
policy: "{{ firewall_policy }}"
|
|
when: firewall_policy is defined
|
|
|
|
- name: Allow SSH from trusted networks
|
|
community.general.ufw:
|
|
rule: allow
|
|
port: '22'
|
|
proto: tcp
|
|
from: "{{ item }}"
|
|
loop: "{{ ssh_allowed_networks }}"
|
|
|
|
- name: Disable unnecessary services
|
|
ansible.builtin.service:
|
|
name: "{{ item }}"
|
|
state: stopped
|
|
enabled: false
|
|
loop: "{{ unnecessary_services }}"
|
|
failed_when: false
|
|
|
|
- name: Remove unnecessary packages
|
|
ansible.builtin.apt:
|
|
name: "{{ item }}"
|
|
state: absent
|
|
purge: true
|
|
loop: "{{ unnecessary_packages }}"
|
|
failed_when: false
|