ansible-test/roles/linux/base/tasks/hardening.yml

---
- name: disabling core dump
  lineinfile:
    path: /etc/security/limits.conf
    line: "* hard core 0"

- name: default umask
  lineinfile:
    path: /etc/login.defs
    line: UMASK 027
    regexp: ^UMASK.*

- name: put myself to /etc/hosts
  lineinfile:
    path: /etc/hosts
    line: "127.0.0.1 {{ ansible_hostname }}"

- name: SSH config
  lineinfile:
    path: /etc/ssh/sshd_config
    line: "{{ item.conf }}"
    regexp: "{{ item.regexp }}"
  notify: restart sshd
  loop:
    - { conf: "Compression no", regexp: \#?Compression.* }
    - { conf: "MaxAuthTries 3", regexp: \#?MaxAuthTries.* }

- name: sysctl
  copy:
    dest: /etc/sysctl.d/50-hardening.conf
    src: files/sysctl-50-hardening.conf
  notify: restart sysctl
base und sysupgrade role, some hardening 2021-06-13 00:15:16 +02:00			`---`
			`- name: disabling core dump`
			`lineinfile:`
			`path: /etc/security/limits.conf`
			`line: "* hard core 0"`

			`- name: default umask`
			`lineinfile:`
			`path: /etc/login.defs`
			`line: UMASK 027`
			`regexp: ^UMASK.*`

			`- name: put myself to /etc/hosts`
			`lineinfile:`
			`path: /etc/hosts`
			`line: "127.0.0.1 {{ ansible_hostname }}"`

			`- name: SSH config`
			`lineinfile:`
			`path: /etc/ssh/sshd_config`
			`line: "{{ item.conf }}"`
			`regexp: "{{ item.regexp }}"`
			`notify: restart sshd`
			`loop:`
			`- { conf: "Compression no", regexp: \#?Compression.* }`
			`- { conf: "MaxAuthTries 3", regexp: \#?MaxAuthTries.* }`

			`- name: sysctl`
			`copy:`
			`dest: /etc/sysctl.d/50-hardening.conf`
			`src: files/sysctl-50-hardening.conf`
			`notify: restart sysctl`