ansible-collection-hardening/tasks/sysctl.yml

---
- name: protect sysctl.conf
  file:
    path: '/etc/sysctl.conf'
    owner: 'root'
    group: 'root'
    mode: '0440'

- name: set Daemon umask, do config for rhel-family | NSA 2.2.4.1
  template:
    src: 'rhel_sysconfig_init.j2'
    dest: '/etc/sysconfig/init'
    owner: 'root'
    group: 'root'
    mode: '0544'
  when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS'

- name: install initramfs-tools
  apt:
    name: 'initramfs-tools'
    state: 'installed'
    update_cache: true
  when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading

- name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled
  template:
    src: 'modules.j2'
    dest: '/etc/initramfs-tools/modules'
    owner: 'root'
    group: 'root'
    mode: '0440'
  when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading
  register: initramfs

- name: update-initramfs
  command: 'update-initramfs -u'
  when: initramfs.changed

- name: create a combined sysctl-dict if overwrites are defined
  set_fact:
    sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
  when: sysctl_overwrite | default()

- name: Change various sysctl-settings, look at the sysctl-vars file for documentation
  sysctl:
    name: '{{ item.key }}'
    value: '{{ item.value }}'
    sysctl_set: yes
    state: present
    reload: yes
    ignoreerrors: yes
  with_dict: '{{ sysctl_config }}'

- name: Change various sysctl-settings on rhel6-hosts or older, look at the sysctl-vars file for documentation
  sysctl:
    name: '{{ item.key }}'
    value: '{{ item.value }}'
    state: present
    reload: yes
    ignoreerrors: yes
  with_dict: '{{ sysctl_rhel_config }}'
  when: (ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS') and ansible_distribution_major_version < '7'

- name: Apply ufw defaults
  template:
    src: 'ufw.j2'
    dest: '/etc/default/ufw'
  when: ufw_manage_defaults and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')
  tags: ufw
Add separated files 2015-05-26 19:53:55 +00:00			`---`
Add module configuration 2015-06-07 21:47:49 +00:00			`- name: protect sysctl.conf`
style update 2017-08-04 19:45:04 +00:00			`file:`
			`path: '/etc/sysctl.conf'`
			`owner: 'root'`
			`group: 'root'`
			`mode: '0440'`
Add module configuration 2015-06-07 21:47:49 +00:00
style update 2017-08-04 19:45:04 +00:00			`- name: set Daemon umask, do config for rhel-family \| NSA 2.2.4.1`
			`template:`
			`src: 'rhel_sysconfig_init.j2'`
			`dest: '/etc/sysconfig/init'`
			`owner: 'root'`
			`group: 'root'`
			`mode: '0544'`
Add module configuration 2015-06-07 21:47:49 +00:00			`when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS'`

install initramfs-tools These are not installed by default on debian 8 but needed for module generation. see: https://github.com/dev-sec/ansible-os-hardening/issues/111 2017-01-23 18:50:02 +00:00			`- name: install initramfs-tools`
style update 2017-08-04 19:45:04 +00:00			`apt:`
			`name: 'initramfs-tools'`
			`state: 'installed'`
			`update_cache: true`
install initramfs-tools These are not installed by default on debian 8 but needed for module generation. see: https://github.com/dev-sec/ansible-os-hardening/issues/111 2017-01-23 18:50:02 +00:00			`when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading`

Add module configuration 2015-06-07 21:47:49 +00:00			`- name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled`
style update 2017-08-04 19:45:04 +00:00			`template:`
			`src: 'modules.j2'`
			`dest: '/etc/initramfs-tools/modules'`
			`owner: 'root'`
			`group: 'root'`
			`mode: '0440'`
Add module configuration 2015-06-07 21:47:49 +00:00			`when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading`
			`register: initramfs`

			`- name: update-initramfs`
			`command: 'update-initramfs -u'`
			`when: initramfs.changed`

add more sysctl settings, allow overwriting 2017-04-23 15:04:18 +00:00			`- name: create a combined sysctl-dict if overwrites are defined`
style update 2017-08-04 19:45:04 +00:00			`set_fact:`
			`sysctl_config: '{{ sysctl_config \| combine(sysctl_overwrite) }}'`
remove omit param in default() 2017-06-06 14:39:13 +00:00			`when: sysctl_overwrite \| default()`
add more sysctl settings, allow overwriting 2017-04-23 15:04:18 +00:00
Change sysctl-task. Fix #18 2015-06-06 18:29:37 +00:00			`- name: Change various sysctl-settings, look at the sysctl-vars file for documentation`
			`sysctl:`
			`name: '{{ item.key }}'`
			`value: '{{ item.value }}'`
			`sysctl_set: yes`
			`state: present`
			`reload: yes`
			`ignoreerrors: yes`
fix bare variables usage for loops 2016-05-17 18:35:41 +00:00			`with_dict: '{{ sysctl_config }}'`
Change sysctl-task. Fix #18 2015-06-06 18:29:37 +00:00
change vars file loading 2017-08-07 19:27:20 +00:00			`- name: Change various sysctl-settings on rhel6-hosts or older, look at the sysctl-vars file for documentation`
Change sysctl-task. Fix #18 2015-06-06 18:29:37 +00:00			`sysctl:`
			`name: '{{ item.key }}'`
			`value: '{{ item.value }}'`
			`state: present`
			`reload: yes`
			`ignoreerrors: yes`
fix bare variables usage for loops 2016-05-17 18:35:41 +00:00			`with_dict: '{{ sysctl_rhel_config }}'`
change vars file loading 2017-08-07 19:27:20 +00:00			`when: (ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS') and ansible_distribution_major_version < '7'`
integrate ufw defaults management 2016-05-19 20:35:12 +00:00
			`- name: Apply ufw defaults`
style update 2017-08-04 19:45:04 +00:00			`template:`
			`src: 'ufw.j2'`
			`dest: '/etc/default/ufw'`
integrate ufw defaults management 2016-05-19 20:35:12 +00:00			`when: ufw_manage_defaults and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')`
tag for ufw task changed to 'ufw' 2016-05-21 05:17:06 +00:00			`tags: ufw`