diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2014-03-13 16:43:50 +0100 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:51:43 +0200 |
| commit | d72d516f2647a3e03b5e11d891c6ec4e9ddcf9cf (patch) | |
| tree | 3d8e0f75a74d710aa1f0d84ce27daea302acb6e1 /roles/common/tasks | |
| parent | 984708466b7c368e98a8b51c00acff5e6b870bd2 (diff) | |
Make use of Ansible 1.5 new features.
Most notably pipelining=True and sysctl_set=yes.
Diffstat (limited to 'roles/common/tasks')
| -rw-r--r-- | roles/common/tasks/logging.yml | 1 | ||||
| -rw-r--r-- | roles/common/tasks/rkhunter.yml | 2 | ||||
| -rw-r--r-- | roles/common/tasks/sysctl.yml | 2 |
3 files changed, 4 insertions, 1 deletions
diff --git a/roles/common/tasks/logging.yml b/roles/common/tasks/logging.yml index 06f06b0..d25a75e 100644 --- a/roles/common/tasks/logging.yml +++ b/roles/common/tasks/logging.yml @@ -3,37 +3,38 @@ with_items: - rsyslog - syslog-summary - logcheck - logcheck-database - logrotate - name: Start rsyslog service: name=rsyslog state=started tags: - syslog - name: Configure logcheck copy: src=etc/logcheck/{{ item }} dest=/etc/logcheck/{{ item }} owner=root group=logcheck mode=0640 with_items: - logcheck.conf - ignore.d.server/common.local + - violations.ignore.d/logcheck-sudo - name: Minimal logging policy (1) lineinfile: dest=/etc/logrotate.d/rsyslog regexp="^/var/log/mail.(log|info)$" state=absent - name: Minimal logging policy (2) copy: src=etc/logrotate.d/fripost-mail dest=/etc/logrotate.d/fripost-mail owner=root group=root mode=0644 tags: - logrotate # TODO: We also have specialized per-role logcheck rulesets, per-role # logrotate configuration (/etc/logrotate.d), and per-role rsyslog # configuration (/etc/rsyslog.d). diff --git a/roles/common/tasks/rkhunter.yml b/roles/common/tasks/rkhunter.yml index f6a4d71..78eec90 100644 --- a/roles/common/tasks/rkhunter.yml +++ b/roles/common/tasks/rkhunter.yml @@ -1,24 +1,26 @@ - name: Install rkhunter apt: pkg={{ item }} with_items: - rkhunter - curl - iproute - lsof - unhide - unhide.rb +# To test the configuration: +# ansible all -m command -a '/usr/bin/rkhunter -c --nomow --rwo' - name: Configure rkhunter copy: src=etc/{{ item }} dest=/etc/{{ item }} owner=root group=root mode=0644 with_items: - rkhunter.conf - default/rkhunter notify: # This might not always be necessary, but it's not like we would # change the config every day... - Update rkhunter's data file - meta: flush_handlers diff --git a/roles/common/tasks/sysctl.yml b/roles/common/tasks/sysctl.yml index 9adeece..6ac7feb 100644 --- a/roles/common/tasks/sysctl.yml +++ b/roles/common/tasks/sysctl.yml @@ -1,21 +1,21 @@ -- sysctl: name={{ item.name }} value={{ item.value }} +- sysctl: name={{ item.name }} "value={{ item.value }}" sysctl_set=yes with_items: - { name: 'kernel.domainname', value: '{{ ansible_domain }}' } # Networking. See # https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt # Enable Spoof protection (reverse-path filter). Turn on Source # Address Verification in all interfaces to prevent some spoofing # attacks. - { name: 'net.ipv4.conf.default.rp_filter', value: 1 } - { name: 'net.ipv4.conf.all.rp_filter', value: 1 } # Enable TCP/IP SYN cookies to avoid TCP SYN flood attacks. We # rate-limit not only the default ICMP types 3, 4, 11 and 12 # (0x1818), but also types 0 and 8. See icmp(7). - { name: 'net.ipv4.tcp_syncookies', value: 1 } - { name: 'net.ipv4.icmp_ratemask', value: 6425 } - { name: 'net.ipv4.icmp_ratelimit', value: 1000 } # Disable paquet forwarding between interfaces (we are not a router). |