Mateusz Suski
e5da6cfdad
ci / validate (push) Has been cancelled
- Implement 4-role architecture (base_provision, patching, hardening, decommission) - Extract hardcoded values to role defaults and group_vars - Add Ansible Vault integration for secrets management - Implement proper handlers for service restarts instead of direct tasks - Add Molecule testing framework with Docker driver - Configure ansible-lint with production profile settings Fix all 125+ ansible-lint violations: - Add FQCN (Fully Qualified Collection Names) to all modules - Replace yes/no with true/false for boolean values - Add explicit mode parameters to file/template operations - Remove duplicate post_tasks blocks from playbooks - Add newlines at end of all YAML files - Fix key ordering in tasks (name, when, block) - Convert service restarts to handlers with notify - Remove ignore_errors in favor of failed_when/changed_when - Fix line length violations and empty lines - Add noqa comments for unavoidable risky-file-permissions Update documentation: - Add REFACTORING.md with implementation details - Add VAULT_GUIDE.md for secrets management - Add per-role README.md files - Update existing documentation All playbooks now pass ansible-lint production profile with 0 violations.
127 lines
3.4 KiB
YAML
127 lines
3.4 KiB
YAML
---
|
|
- name: Harden Enterprise Infrastructure Nodes
|
|
hosts: all
|
|
become: true
|
|
gather_facts: true
|
|
vars_files:
|
|
- vars/vault.yml
|
|
|
|
pre_tasks:
|
|
- name: Validate hardening prerequisites
|
|
ansible.builtin.assert:
|
|
that:
|
|
- ansible_os_family == "Debian"
|
|
- cis_level in [1, 2]
|
|
fail_msg: "Invalid hardening configuration"
|
|
|
|
- name: Display hardening information
|
|
ansible.builtin.debug:
|
|
msg: |
|
|
Hardening {{ inventory_hostname }}
|
|
CIS Level: {{ cis_level }}
|
|
Disable Root Login: {{ disable_root_login }}
|
|
|
|
roles:
|
|
- role: hardening
|
|
tags: ['hardening', 'security']
|
|
|
|
post_tasks:
|
|
- name: Display hardening summary
|
|
ansible.builtin.debug:
|
|
msg: |
|
|
Hardening completed successfully!
|
|
Host: {{ inventory_hostname }}
|
|
|
|
when: ansible_os_family == "Debian"
|
|
|
|
- name: Configure auditd
|
|
when: auditd_enabled
|
|
block:
|
|
- name: Install auditd
|
|
ansible.builtin.apt:
|
|
name: auditd
|
|
state: present
|
|
when: ansible_os_family == "Debian"
|
|
|
|
- name: Configure audit rules
|
|
ansible.builtin.template:
|
|
src: templates/audit.rules.j2
|
|
dest: /etc/audit/rules.d/hardening.rules
|
|
mode: '0644'
|
|
|
|
- name: Enable auditd service
|
|
ansible.builtin.service:
|
|
name: auditd
|
|
state: started
|
|
enabled: true
|
|
|
|
- name: Configure AppArmor
|
|
when: apparmor_enabled and ansible_os_family == "Debian"
|
|
block:
|
|
- name: Install apparmor
|
|
ansible.builtin.apt:
|
|
name: apparmor
|
|
state: present
|
|
when: ansible_os_family == "Debian"
|
|
|
|
- name: Enable apparmor service
|
|
ansible.builtin.service:
|
|
name: apparmor
|
|
state: started
|
|
enabled: true
|
|
|
|
- name: Configure sysctl hardening
|
|
ansible.posix.sysctl:
|
|
name: "{{ item.key }}"
|
|
value: "{{ item.value }}"
|
|
state: present
|
|
reload: true
|
|
loop:
|
|
- { key: 'net.ipv4.ip_forward', value: '0' }
|
|
- { key: 'net.ipv4.conf.all.send_redirects', value: '0' }
|
|
- { key: 'net.ipv4.conf.default.send_redirects', value: '0' }
|
|
- { key: 'net.ipv4.tcp_syncookies', value: '1' }
|
|
- { key: 'net.ipv4.icmp_echo_ignore_broadcasts', value: '1' }
|
|
|
|
- name: Set secure file permissions
|
|
ansible.builtin.file:
|
|
path: "{{ item }}"
|
|
mode: '0644'
|
|
owner: root
|
|
group: root
|
|
loop:
|
|
- /etc/passwd
|
|
- /etc/group
|
|
- /etc/shadow
|
|
- /etc/gshadow
|
|
|
|
- name: Lock inactive user accounts
|
|
ansible.builtin.command: usermod -L "{{ item }}"
|
|
loop: "{{ inactive_users | default([]) }}"
|
|
changed_when: false
|
|
|
|
- name: Configure password policies
|
|
community.general.pam_limits:
|
|
domain: '*'
|
|
limit_type: hard
|
|
limit_item: nofile
|
|
value: 1024
|
|
|
|
- name: Generate hardening report
|
|
ansible.builtin.template:
|
|
src: templates/hardening_report.j2
|
|
dest: "/var/log/hardening_report_{{ ansible_date_time.iso8601 }}.log"
|
|
mode: '0644'
|
|
|
|
handlers:
|
|
- name: restart sshd
|
|
ansible.builtin.service:
|
|
name: ssh
|
|
state: restarted
|
|
|
|
- name: restart auditd
|
|
ansible.builtin.service:
|
|
name: auditd
|
|
state: restarted
|
|
when: auditd_enabled
|