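---
# Handlers for the Ubuntu 18.04 STIG role. Handler names are the public
# interface (tasks elsewhere `notify` them by name) and are kept unchanged.
# Commands that need no shell features use ansible.builtin.command rather
# than ansible.builtin.shell so no shell is spawned for them.

- name: update grub
  ansible.builtin.command: update-grub
  when:
    - not ubtu18stig_system_is_container

- name: reload gdm
  ansible.builtin.command: dpkg-reconfigure gdm3
  # dpkg-reconfigure may try to prompt via debconf; there is no TTY under
  # Ansible, so force the non-interactive frontend instead of hanging.
  environment:
    DEBIAN_FRONTEND: noninteractive

- name: dconf update
  ansible.builtin.command: dconf update

- name: restart sshd
  ansible.builtin.service:
    name: sshd
    state: restarted
  when:
    - "'openssh-server' in ansible_facts.packages"

- name: restart chrony
  # NOTE(review): unlike "restart sshd" this handler is not guarded on the
  # package being installed; it fails if chrony is absent when notified.
  ansible.builtin.service:
    name: chrony
    state: restarted

- name: auditd_immutable_check
  # Count rule lines that set the immutable flag ("-e 2"). grep exits 1 when
  # nothing matches, which is the legitimate "not immutable" answer rather
  # than an error, so only rc >= 2 (e.g. unreadable file) fails the handler.
  # NOTE(review): this greps 99_auditd.rules, while the "update auditd"
  # handler below writes 99_stig_audit.rules — confirm which file is meant.
  ansible.builtin.command: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
  register: auditd_immutable_check
  changed_when: false
  failed_when: auditd_immutable_check.rc > 1

- name: audit_immutable_fact
  ansible.builtin.debug:
    msg: "Reboot required for auditd to apply new rules as immutable set"
  # debug never reports "changed", so without this the notify below would
  # never fire and the reboot flag would silently not be set.
  changed_when: true
  # change_requires_reboot is not defined in this file; it must exist
  # elsewhere in the role or Ansible errors when this handler runs.
  notify: change_requires_reboot
  when:
    # Only meaningful after auditd_immutable_check has actually run.
    - auditd_immutable_check is defined
    - auditd_immutable_check.stdout == '1'

- name: reload kernel system
  ansible.builtin.command: sysctl --system

- name: update auditd
  ansible.builtin.template:
    src: audit/99_stig_auditd.rules.j2
    dest: /etc/audit/rules.d/99_stig_audit.rules
    owner: root
    group: root
    # Quoted so YAML does not turn the octal mode into the integer 384.
    mode: '0600'
  notify:
    - reload auditd
    - restart auditd

- name: reload auditd
  ansible.builtin.command: augenrules --load

- name: restart auditd
  ansible.builtin.service:
    name: auditd
    state: restarted

- name: restart rsyslog
  ansible.builtin.service:
    name: rsyslog
    state: restarted

- name: sysctl flush ipv4 route table
  ansible.posix.sysctl:
    name: net.ipv4.route.flush
    value: '1'
    sysctl_set: true
  # NOTE(review): this checks ansible_virtualization_type directly while
  # "update grub" uses ubtu18stig_system_is_container; if that fact also
  # covers non-docker containers, the same guard would be more consistent.
  when: ansible_virtualization_type != "docker"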