-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdebian-compliance-hardning.yml
58 lines (54 loc) · 2.05 KB
/
debian-compliance-hardning.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# _ __ _ _ ____ _
# | |/ /__ ___ ____ _(_|_) _ \ __ _ _ __ | |_ ___ _ _
# | ' // _` \ \ /\ / / _` | | | |_) / _` | '_ \| __/ __| | | |
# | . \ (_| |\ V V / (_| | | | __/ (_| | | | | |_\__ \ |_| |
# |_|\_\__,_| \_/\_/ \__,_|_|_|_| \__,_|_| |_|\__|___/\__,_|
# ____ _ _ _
# [ ANSIBLE ] | _ \| | __ _ _ _| |__ ___ ___ | | _____
# Please only use | |_) | |/ _` | | | | '_ \ / _ \ / _ \| |/ / __|
# playbooks if | __/| | (_| | |_| | |_) | (_) | (_) | <\__ \
# you know what |_| |_|\__,_|\__, |_.__/ \___/ \___/|_|\_\___/
# they change/do |___/
#
# .---------| My Compliance Playbooks - General hardning
# |
# | This is a bit of a special one, yes it's hardning, but it might
# | not contain all the normal stuff - I use this to keep my hosts
# | inline with my compliance requirements that i have set inside
# | FleetDM so that i don't recieve complience alerts and also to
# | keep the hosts harden and secure of course. But it's not a
# | "100%" total lock down.
# |
# | This playbook will do the following:
# | - Make sure SSHd only accepts root via "key"
# |
# |
# |
# `---------------------------------------------------------------
---
- hosts: debian
tasks:
- name: Check if platform is Virtual
lineinfile:
dest: /sys/devices/virtual/dmi/id/sys_vendor
line: "QEMU"
check_mode: yes
register: virtual
failed_when: (virtual is changed) or (virtual is failed)
ignore_errors: true
- name: Check if platform is Physical
set_fact:
physical: true
virtual: false
when: virtual is changed
- name: Set fact for Virtual
set_fact:
physical: false
virtual: true
when: virtual
- name: SSH-COMPLIANCE %% Disable password authentication for root
lineinfile:
path: /etc/ssh/sshd_config
state: present
regexp: '^#?PermitRootLogin'
line: 'PermitRootLogin prohibit-password'