added again ansible-role-security

roles/ansible-role-security/tasks/autoupdate-Debian.yml

@@ -0,0 +1,16 @@
+---
+- name: Install unattended upgrades package.
+  package:
+    name: unattended-upgrades
+    state: present
+
+- name: Copy unattended-upgrades configuration files in place.
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/apt/apt.conf.d/{{ item }}"
+    owner: root
+    group: root
+    mode: 0644
+  with_items:
+    - 10periodic
+    - 50unattended-upgrades

roles/ansible-role-security/tasks/autoupdate-RedHat.yml

@@ -0,0 +1,35 @@
+---
+- name: Set correct automatic update utility vars (RHEL >= 8).
+  set_fact:
+    update_utility: dnf-automatic
+    update_service: dnf-automatic-install.timer
+    update_conf_path: /etc/dnf/automatic.conf
+  when: ansible_distribution_major_version | int >= 8
+
+- name: Set correct automatic update utility vars (RHEL <= 7).
+  set_fact:
+    update_utility: yum-cron
+    update_service: yum-cron
+    update_conf_path: /etc/yum/yum-cron.conf
+  when: ansible_distribution_major_version | int <= 7
+
+- name: Install automatic update utility.
+  package:
+    name: '{{ update_utility }}'
+    state: present
+
+- name: Ensure automatic update utility is running and enabled on boot.
+  service:
+    name: '{{ update_service }}'
+    state: started
+    enabled: true
+
+- name: Configure autoupdates.
+  lineinfile:
+    dest: '{{ update_conf_path }}'
+    regexp: '^apply_updates = .+'
+    line: 'apply_updates = yes'
+    mode: 0644
+  when:
+    - security_autoupdate_enabled
+    - ansible_distribution_major_version | int in [7, 8]

roles/ansible-role-security/tasks/fail2ban.yml

@@ -0,0 +1,29 @@
+---
+- name: Install fail2ban (RedHat).
+  package:
+    name: fail2ban
+    state: present
+    enablerepo: epel
+  when: ansible_os_family == 'RedHat'
+
+- name: Install fail2ban (Debian).
+  package:
+    name: fail2ban
+    state: present
+  when: ansible_os_family == 'Debian'
+
+- name: Copy fail2ban custom configuration file into place.
+  template:
+    src: "{{ security_fail2ban_custom_configuration_template }}"
+    dest: /etc/fail2ban/jail.local
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - reload fail2ban
+
+- name: Ensure fail2ban is running and enabled on boot.
+  service:
+    name: fail2ban
+    state: started
+    enabled: true

roles/ansible-role-security/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+- name: Include OS-specific variables.
+  include_vars: "{{ ansible_os_family }}.yml"
+
+# Fail2Ban
+- include_tasks: fail2ban.yml
+  when: security_fail2ban_enabled | bool
+
+# SSH
+- include_tasks: ssh.yml
+
+# Autoupdate
+- include_tasks: autoupdate-RedHat.yml
+  when:
+    - ansible_os_family == 'RedHat'
+    - security_autoupdate_enabled | bool
+
+- include_tasks: autoupdate-Debian.yml
+  when:
+    - ansible_os_family == 'Debian'
+    - security_autoupdate_enabled | bool

roles/ansible-role-security/tasks/ssh.yml

@@ -0,0 +1,33 @@
+---
+- name: Ensure SSH daemon is running.
+  service:
+    name: "{{ security_sshd_name }}"
+    state: "{{ security_sshd_state }}"
+
+- name: Update SSH configuration to be more secure.
+  lineinfile:
+    dest: "{{ security_ssh_config_path }}"
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    state: present
+    validate: 'sshd -T -f %s'
+    mode: 0644
+  with_items:
+    - regexp: "^PasswordAuthentication"
+      line: "PasswordAuthentication {{ security_ssh_password_authentication }}"
+    - regexp: "^PermitRootLogin"
+      line: "PermitRootLogin {{ security_ssh_permit_root_login }}"
+    - regexp: "^Port"
+      line: "Port {{ security_ssh_port }}"
+    - regexp: "^UseDNS"
+      line: "UseDNS {{ security_ssh_usedns }}"
+    - regexp: "^PermitEmptyPasswords"
+      line: "PermitEmptyPasswords {{ security_ssh_permit_empty_password }}"
+    - regexp: "^ChallengeResponseAuthentication"
+      line: "ChallengeResponseAuthentication {{ security_ssh_challenge_response_auth }}"
+    - regexp: "^GSSAPIAuthentication"
+      line: "GSSAPIAuthentication {{ security_ssh_gss_api_authentication }}"
+    - regexp: "^X11Forwarding"
+      line: "X11Forwarding {{ security_ssh_x11_forwarding }}"
+  notify: restart ssh
+