authorbnewbold <bnewbold@robocracy.org>2016-03-25 11:49:45 -0700
committerbnewbold <bnewbold@robocracy.org>2016-03-25 11:49:45 -0700
commitbe8701c13800eb84fc4afb118c16738abee55850 (patch)
tree7060e1b8ca09c1c9fd2957ba258a9ad624035d1d /roles/common/tasks/security.yml
downloadinfra-be8701c13800eb84fc4afb118c16738abee55850.tar.gz
infra-be8701c13800eb84fc4afb118c16738abee55850.zip
import basics from NSA's commission repo
Diffstat (limited to 'roles/common/tasks/security.yml')
-rw-r--r--roles/common/tasks/security.yml26
1 files changed, 26 insertions, 0 deletions
diff --git a/roles/common/tasks/security.yml b/roles/common/tasks/security.yml
new file mode 100644
index 0000000..c00b941
--- /dev/null
+++ b/roles/common/tasks/security.yml
@@ -0,0 +1,26 @@
+---
+- name: Install security-related packages
+ apt: pkg={{ item }} state=installed
+ with_items:
+ - fail2ban
+ - whois
+ - lynis
+ - rkhunter
+ - debsums
+ tags:
+ - dependencies
+
+- name: Copy fail2ban configuration into place
+ template: src=etc_fail2ban_jail.local.j2 dest=/etc/fail2ban/jail.local
+ notify: restart fail2ban
+
+- name: Ensure fail2ban is started
+ service: name=fail2ban state=started enabled=yes
+
+- name: Update sshd (server) config for PFS and more secure defaults
+ template: src=etc_ssh_sshd_config.j2 dest=/etc/ssh/sshd_config
+ notify: restart ssh
+
+- name: Update ssh (client) config for more secure defaults
+ template: src=etc_ssh_ssh_config.j2 dest=/etc/ssh/ssh_config
+
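Review bot: The sshd_config task installs the rendered template and notifies `restart ssh` without checking the file first, so a template or variable mistake could leave the daemon unable to start and cut off remote access to the host. The template module's `validate` parameter runs before the file is moved into place, and the task could also pin ownership and permissions rather than inherit them: `template: src=etc_ssh_sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644 validate='/usr/sbin/sshd -t -f %s'`. The same explicit `owner`/`group`/`mode` would suit the jail.local and ssh_config tasks. The ssh_config task has no equivalent validator, so it would rely on review of the template itself.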