ansible-collection-hardening/tasks/sysctl.yml

---
- name: protect sysctl.conf
  file: path='/etc/sysctl.conf' owner=root group=root mode=0440

- name: NSA 2.2.4.1 Set Daemon umask, do config for rhel-family
  template: src='rhel_sysconfig_init.j2' dest='/etc/sysconfig/init' owner=root group=root mode=0544
  when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS'

- name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled
  template: src='modules.j2' dest='/etc/initramfs-tools/modules' owner=root group=root mode=0440
  when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading
  register: initramfs

- name: update-initramfs
  command: 'update-initramfs -u'
  when: initramfs.changed

- name: Change various sysctl-settings, look at the sysctl-vars file for documentation
  sysctl:
    name: '{{ item.key }}'
    value: '{{ item.value }}'
    sysctl_set: yes
    state: present
    reload: yes
    ignoreerrors: yes
  with_dict: '{{ sysctl_config }}'

- name: Change various sysctl-settings on rhel-hosts, look at the sysctl-vars file for documentation
  sysctl:
    name: '{{ item.key }}'
    value: '{{ item.value }}'
    sysctl_set: yes
    state: present
    reload: yes
    ignoreerrors: yes
  with_dict: '{{ sysctl_rhel_config }}'
  when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS'

- name: Apply ufw defaults
  template: src="ufw.j2" dest=/etc/default/ufw
  when: ufw_manage_defaults and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')
  tags: dev
Add separated files 2015-05-26 19:53:55 +00:00			`---`
Add module configuration 2015-06-07 21:47:49 +00:00			`- name: protect sysctl.conf`
			`file: path='/etc/sysctl.conf' owner=root group=root mode=0440`

			`- name: NSA 2.2.4.1 Set Daemon umask, do config for rhel-family`
			`template: src='rhel_sysconfig_init.j2' dest='/etc/sysconfig/init' owner=root group=root mode=0544`
			`when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS'`

			`- name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled`
			`template: src='modules.j2' dest='/etc/initramfs-tools/modules' owner=root group=root mode=0440`
			`when: ansible_os_family == 'Debian' and os_security_kernel_enable_module_loading`
			`register: initramfs`

			`- name: update-initramfs`
			`command: 'update-initramfs -u'`
			`when: initramfs.changed`

Change sysctl-task. Fix #18 2015-06-06 18:29:37 +00:00			`- name: Change various sysctl-settings, look at the sysctl-vars file for documentation`
			`sysctl:`
			`name: '{{ item.key }}'`
			`value: '{{ item.value }}'`
			`sysctl_set: yes`
			`state: present`
			`reload: yes`
			`ignoreerrors: yes`
fix bare variables usage for loops 2016-05-17 18:35:41 +00:00			`with_dict: '{{ sysctl_config }}'`
Change sysctl-task. Fix #18 2015-06-06 18:29:37 +00:00
			`- name: Change various sysctl-settings on rhel-hosts, look at the sysctl-vars file for documentation`
			`sysctl:`
			`name: '{{ item.key }}'`
			`value: '{{ item.value }}'`
			`sysctl_set: yes`
			`state: present`
			`reload: yes`
			`ignoreerrors: yes`
fix bare variables usage for loops 2016-05-17 18:35:41 +00:00			`with_dict: '{{ sysctl_rhel_config }}'`
Change sysctl-task. Fix #18 2015-06-06 18:29:37 +00:00			`when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS'`
integrate ufw defaults management 2016-05-19 20:35:12 +00:00
			`- name: Apply ufw defaults`
			`template: src="ufw.j2" dest=/etc/default/ufw`
			`when: ufw_manage_defaults and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')`
			`tags: dev`