diff --git a/tasks/configure-fail2ban.yml b/tasks/configure-fail2ban.yml index 0f50d438c00622a71a168a0625b431e6847c3e1f..7208bc8b17deae587ce3cdd3a263e4857ca46f96 100644 --- a/tasks/configure-fail2ban.yml +++ b/tasks/configure-fail2ban.yml @@ -4,7 +4,7 @@ package: name: "fail2ban" state: present - tags: [fail2ban, apt, yum] + tags: [apt, yum] # neue Konfiguration einspielen - name: Konfiguration fuer fail2ban einspielen (1/4) @@ -77,7 +77,6 @@ logpath = /var/log/fail2ban.log maxretry = 20 destemail = {{ vault_destemail }} - tags: [fail2ban] notify: restart fail2ban.service - name: Konfiguration fuer fail2ban einspielen (2/4) @@ -98,7 +97,6 @@ failregex = \]\s+Ban\s+<HOST> ignoreregex = \[f2b-loop.*\]\s+Ban\s+<HOST> # (Author: Walter Heitman Jr. https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/) - tags: [fail2ban] notify: restart fail2ban.service - name: see if fail2ban.local exists @@ -111,7 +109,6 @@ path: "/etc/fail2ban/fail2ban.local" state: absent when: old_fail2ban_local.stat.exists - tags: [fail2ban] notify: restart fail2ban.service - name: Konfiguration fuer fail2ban einspielen (4/4) @@ -134,7 +131,6 @@ pidfile = /var/run/fail2ban/fail2ban.pid dbfile = /var/lib/fail2ban/fail2ban.sqlite3 dbpurgeage = 86400 - tags: [fail2ban] notify: restart fail2ban.service # Ordner für Check_MK-Plugin anlegen @@ -145,7 +141,6 @@ owner: "root" group: "root" mode: "0755" - tags: [fail2ban] # Plugin bereitstellen - name: Check_MK-Plugin installieren (fail2ban-Zustand) @@ -155,7 +150,7 @@ owner: "root" group: "root" mode: "0750" - tags: [fail2ban, monitoring] + tags: [monitoring] notify: restart fail2ban.service ### Documentation diff --git a/tasks/configure-home-permissions.yml b/tasks/configure-home-permissions.yml index f8295038b6a06f4abf6cd2441b53807a49e6fbc7..145b039ed2e573788d2ff67c0c5d91e6ced4f1e4 100644 --- a/tasks/configure-home-permissions.yml +++ b/tasks/configure-home-permissions.yml 
@@ -6,7 +6,6 @@ file_type: directory paths: "/home/" register: ls_out - tags: [users] - name: striktere Berechtigungen für Homeverzeichnisse setzen file: path: "{{ item.path }}/" @@ -14,5 +13,3 @@ with_items: # - "{{ ls_out.files | difference(['import','zih']) }}" - "{{ ls_out.files }}" - tags: [users] - tags: [users] diff --git a/tasks/configure-iptables.yml b/tasks/configure-iptables.yml index b1e1f71cfcc4c4c2471afb414ceb9c4ea3fcd05f..75a32a8126f7cb9ea22d650c20f19bcd88dc853b 100644 --- a/tasks/configure-iptables.yml +++ b/tasks/configure-iptables.yml @@ -9,7 +9,6 @@ state: "stopped" enabled: false when: ansible_os_family == "RedHat" - tags: [iptables] # - name: clean IPtables rules (1) # iptables: @@ -21,7 +20,7 @@ # - "ipv6" # notify: # - save iptables rules -# tags: [iptables, molecule-notest] +# tags: [molecule-notest] # # - name: clean IPtables rules (2) # iptables: @@ -29,7 +28,7 @@ # flush: "true" # notify: # - save iptables rules -# tags: [iptables, molecule-notest] +# tags: [molecule-notest] - name: Allow related and established IPv4 connections @@ -41,7 +40,6 @@ state: present notify: - save iptables rules - tags: [iptables] # - name: Allow related and established IPv4 connections # iptables: @@ -52,7 +50,6 @@ # action: "insert" # notify: # - save iptables rules -# tags: [iptables] - name: Allow all loop back traffic iptables: @@ -63,7 +60,6 @@ jump: "ACCEPT" notify: - save iptables rules - tags: [iptables] # - name: Allow all loop back traffic # iptables: @@ -74,7 +70,6 @@ # jump: "ACCEPT" # notify: # - save iptables rules -# tags: [iptables] # Set default policy for INPUT chain - name: iptables-Policy für INPUT-Chain setzen @@ -87,7 +82,7 @@ - "ipv6" notify: - save iptables rules - tags: [iptables, molecule-notest] + tags: [molecule-notest] ## Set default policy for OUTPUT chain # - name: iptables-Policy für OUTPUT-Chain setzen 
@@ -100,7 +95,7 @@ # - "ipv6" # notify: # - save iptables rules -# tags: [iptables, molecule-notest] +# tags: [molecule-notest] # Configure specific rules - Chain INPUT - name: iptables-Regeln (IPv4) setzen - Chain INPUT @@ -124,7 +119,7 @@ loop: "{{ vault_iptables_input|flatten(levels=1) }}" notify: - save iptables rules - tags: [iptables, molecule-notest] + tags: [molecule-notest] # http://shouldiblockicmp.com # TODO: Outgoing iptables Regeln erstellen, und bloß keine vergessen!!! @@ -151,7 +146,7 @@ # loop: "{{ vault_iptables_output|flatten(levels=1) }}" # notify: # - save iptables rules -# tags: [iptables, molecule-notest] +# tags: [molecule-notest] # THESE NEED TO BE THE LAST RULES IN IPTABLES' RULE LIST!!! - name: iptables-Regeln (IPv4) setzen - REJECT @@ -168,4 +163,4 @@ - chain: "FORWARD" notify: - save iptables rules - tags: [iptables, molecule-notest] + tags: [molecule-notest] diff --git a/tasks/configure-kernel-parameters.yml b/tasks/configure-kernel-parameters.yml index 0da50679ea1bbaa510892f5008b859027f944fdc..daf4440a12d6b6a5ee10fd4af7e84f918a94ec74 100644 --- a/tasks/configure-kernel-parameters.yml +++ b/tasks/configure-kernel-parameters.yml @@ -116,8 +116,6 @@ # DEFAULT: kernel.panic = 0 # kernel.panic = 10 notify: activate kernel parameter changes - tags: [kernel] - tags: [kernel] # show all available Kernel parameters by using: # sudo sysctl -a diff --git a/tasks/configure-pam.yml b/tasks/configure-pam.yml index f76263d029988db0fe1f69cdca85f66125f2602a..b2ffa7a023095695663534cab9a27c65955ff83c 100644 --- a/tasks/configure-pam.yml +++ b/tasks/configure-pam.yml @@ -16,7 +16,6 @@ # Uncomment and edit /etc/security/time.conf if you need to set time restrainst on su usage. (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs as well as /etc/porttime) account requisite pam_time.so - tags: [pam] - name: configure times for certain system actions blockinfile: 
@@ -41,7 +40,6 @@ # Members of the "operator" group are not allowed to login during # night times. We don't want them to login when they're not rested. login;tty*;operator;!Al2300-0500 - tags: [pam] - name: configure login actions blockinfile: @@ -61,4 +59,3 @@ # Benutzern vor der Anmeldung eine Nachricht anzeigen. Standardmäßig # deaktiviert. # auth required pam_issue.so issue=/etc/issue - tags: [pam] diff --git a/tasks/configure-portable-storage.yml b/tasks/configure-portable-storage.yml index 76c7bc574e23b7622460431ee93537ec1580f82c..df8abdf18c8b5473962a42004be738a41e8d854d 100644 --- a/tasks/configure-portable-storage.yml +++ b/tasks/configure-portable-storage.yml @@ -18,4 +18,3 @@ line: "blacklist firewire-core" - path: "thunderbolt.conf" line: "blacklist thunderbolt" - tags: [usb] diff --git a/tasks/configure-root.yml b/tasks/configure-root.yml index 928a4a5fc679c3a62ba08820c28f90f957fe50c6..09c75f5a7d7747788f425ef3fad90b546de75fd8 100644 --- a/tasks/configure-root.yml +++ b/tasks/configure-root.yml @@ -7,4 +7,3 @@ # local: "yes" local: false password_lock: "yes" - tags: [users] diff --git a/tasks/configure-ssh-hardening.yml b/tasks/configure-ssh-hardening.yml index 9814b24bfd9f4d6f09828bfac5393b652d5ad1db..1ce0dc2ebd46607450a6eda125385984dd3ce9da 100644 --- a/tasks/configure-ssh-hardening.yml +++ b/tasks/configure-ssh-hardening.yml @@ -49,4 +49,3 @@ {{ "PasswordAuthentication no" if ansible_os_family == "Debian" else "PasswordAuthentication yes" }} notify: - restart sshd - tags: [ssh] diff --git a/tasks/configure-umask.yml b/tasks/configure-umask.yml index b22aa561ca52492f1747258e103ef4a9866d2b43..f5a52331338ecf8d6e97bcbeaa930536857db948 100644 --- a/tasks/configure-umask.yml +++ b/tasks/configure-umask.yml @@ -11,7 +11,6 @@ block: | # install more secure umask with no privileges for "others" umask 026 - tags: [umask] - name: libpam-umask installieren (Debian) block: 
@@ -19,7 +18,7 @@ apt: name: "libpam-umask" state: present - tags: [pam, apt, umask] + tags: [apt] - name: Standard-umask mit PAM anpassen blockinfile: @@ -34,9 +33,8 @@ # Das Paket libpam-umask passt die Standard-Umask eines Benutzers mit # Hilfe von PAM an. session optional pam_umask.so umask=026 - tags: [pam] when: ansible_os_family == "Debian" - tags: [pam, apt, umask] + tags: [apt] - name: set default login umask lineinfile: @@ -47,7 +45,6 @@ - umask: Debian: "UMASK 022" RedHat: "UMASK 077" - tags: [umask] # umask could also be set in: # - /etc/profile.d/umask (Setting umask in profile.d sets it for all users who diff --git a/tasks/install-auditd.yml b/tasks/install-auditd.yml index 67b7adcb7241b505ed159955229716a90e3adb38..62ecb17bab5625f7f656d65c2d0ca87f90eb87c0 100644 --- a/tasks/install-auditd.yml +++ b/tasks/install-auditd.yml @@ -6,14 +6,14 @@ name: "auditd" state: present when: ansible_os_family == "Debian" - tags: [auditd, apt] + tags: [apt] - name: install auditd package (RedHat) yum: name: "audit" state: present when: ansible_os_family == "RedHat" - tags: [auditd, yum] + tags: [yum] - name: configure auditd rules copy: @@ -24,7 +24,6 @@ group: "root" notify: - restart auditd.service - tags: [auditd] # show active rules: sudo auditctl -l # find related event for passwd file: ausearch -f /etc/passwd diff --git a/tasks/install-clamav.yml b/tasks/install-clamav.yml index 5a1a6c53b74b9e41f0bf7d7048d58c719203e53f..7fca265d5807faa01382433d5d5dce3514bbb44d 100644 --- a/tasks/install-clamav.yml +++ b/tasks/install-clamav.yml @@ -1,14 +1,14 @@ --- - name: include vars clamav include_vars: "clamav.yml" - tags: [clamav, apt] + tags: [apt] - name: install clamav packages (Debian) apt: name: "clamav-daemon" state: present when: ansible_os_family == "Debian" - tags: [clamav, apt] + tags: [apt] - name: install clamav packages (RedHat) yum: 
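Review bot: In the second umask hunk (`@@ -34,9 +33,8 @@`) the block-level tag becomes `tags: [apt]` while the inner `tags: [pam]` on the `blockinfile` task is removed, so the task that writes `session optional pam_umask.so umask=026` now inherits only the `apt` tag; the enclosing `block:` starts in the previous hunk. A run with `--skip-tags apt` (for example to avoid package changes on a frozen host) therefore also skips the PAM umask hardening, and `--tags apt` rewrites PAM configuration. Since the `apt:` task in the first hunk already carries its own `tags: [apt]`, the block-level `tags: [apt]` line can be dropped and the block presumably picks up its tag from the `import_tasks` in main.yml, as the other task files do in this commit.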
@@ -18,7 +18,7 @@ ] state: present when: ansible_os_family == "RedHat" - tags: [clamav, yum] + tags: [yum] # clamav-freshclam.service und clamav-daemon.service laufen nach der Installation sofort los - name: configure freshclam @@ -59,7 +59,6 @@ DatabaseMirror db.de.clamav.net DatabaseMirror database.clamav.net OnUpdateExecute "/usr/local/bin/refresh_rkhunter.sh" - tags: [clamav] - name: configure ClamD exclude paths blockinfile: @@ -77,13 +76,11 @@ notify: - restart clamav-daemon service - restart clamd service - tags: [clamav] - name: remove old ClamD refresh dir file: path: "/etc/clamav/onupdateexecute.d/refresh_rkhunter.sh" state: absent - tags: [clamav] - name: configure ClamD to refresh rkhunter after DB updates blockinfile: @@ -100,4 +97,3 @@ if [ -x /usr/bin/rkhunter ]; then /usr/bin/rkhunter --propupd --nolog fi - tags: [clamav] diff --git a/tasks/install-debsecan.yml b/tasks/install-debsecan.yml index b480430d6a8b51887ac18795e1df7b60cbce9f4f..8ae3ea1560c4d30d1e52b0201e3d79911c94603a 100644 --- a/tasks/install-debsecan.yml +++ b/tasks/install-debsecan.yml @@ -2,13 +2,11 @@ - block: - name: include vars debsecan include_vars: debsecan_preseed.yml - tags: [debsecan] - name: install debsecan package apt: name: "debsecan" state: present - tags: [debsecan] - name: reconfigure debsecan package (dpkg-reconfigure) debconf: @@ -17,7 +15,6 @@ value: "{{ item.value }}" vtype: "{{ item.vtype }}" loop: "{{ debsecan_dpkg | flatten(levels=1) }}" - tags: [debsecan] - name: reconfigure debsecan package (/etc/default/debsecan) template: @@ -27,6 +24,3 @@ group: "root" mode: "0644" force: "yes" - tags: [debsecan] - when: ansible_distribution == "Debian" - tags: [debsecan] diff --git a/tasks/install-rkhunter.yml b/tasks/install-rkhunter.yml index 020f5f232cace74a1bd2402f8f74e1788025a369..410c1c7a2db95b51381b10ce35baa1402cd997f6 100644 --- a/tasks/install-rkhunter.yml +++ b/tasks/install-rkhunter.yml 
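Review bot: The last debsecan hunk (`@@ -27,6 +24,3 @@`) removes `when: ansible_distribution == "Debian"` together with the two duplicated `tags: [debsecan]` keys, so on the new side the enclosing `block:` (which starts in the first hunk of this file) no longer has a distribution guard and its `apt`, `debconf` and `template` tasks would run on every host. Unless the `import_tasks` for this file in main.yml carries an equivalent `when:`, which is not visible here, the `apt` task fails on RedHat hosts. Only the duplicate tag keys needed to go; keep `when: ansible_distribution == "Debian"` as the block's closing key.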
@@ -5,7 +5,7 @@ package: name: "rkhunter" state: present - tags: [rkhunter] + tags: [apt] - name: create /var/log/rkhunter/rkhunter.log if it doesn't exist, so logrotate doesn't fail file: @@ -21,7 +21,6 @@ - path: "/var/log/rkhunter/rkhunter.log" mode: "0640" state: touch - tags: [rkhunter] - name: configure /etc/default/rkhunter lineinfile: @@ -37,7 +36,6 @@ - regexp: '^NICE="0"' line: 'NICE="-10"' when: ansible_distribution == "Debian" - tags: [rkhunter] - name: create rkhunter config directory file: @@ -46,7 +44,6 @@ owner: "root" group: "root" mode: 0755 - tags: [rkhunter] - name: configure /etc/rkhunter.d/rkhunter.local.conf blockinfile: @@ -105,7 +102,6 @@ # This option has no default value. WEB_CMD="" # validate: rkhunter --config-check --configfile %s - tags: [rkhunter] - name: stop & disable RKhunter service unit & timer systemd: @@ -116,7 +112,7 @@ - "service" - "timer" when: ansible_distribution == "Debian" - tags: [rkhunter, molecule-notest] + tags: [molecule-notest] ignore_errors: "yes" - name: remove Rkhunter service unit & timer @@ -127,7 +123,6 @@ - "service" - "timer" when: ansible_distribution == "Debian" - tags: [rkhunter] # Unitfiles neu einlesen (implizit mit enable), Services sofort starten & automatisch bei jedem Booten starten # - name: Service automatisch bei jedem Booten starten - rkhunter.service @@ -135,7 +130,6 @@ # loop: # - "/etc/systemd/user/rkhunter.service" # - "/etc/systemd/user/rkhunter.timer" -# tags: [rkhunter] # sudo rkhunter --check diff --git a/tasks/main.yml b/tasks/main.yml index 44b56698208fab6b4c72ca413ca0d803cd89bf89..2dbcf5020d78e8f6bbb9f80bad31715e835f9e8e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -30,7 +30,7 @@ - name: configure fail2ban import_tasks: ./configure-fail2ban.yml - tags: [always] + tags: [fail2ban, ssh] - name: configure $HOME permissions import_tasks: ./configure-home-permissions.yml
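Review bot: The rkhunter install task uses the distribution-agnostic `package:` module but its tag is changed to `tags: [apt]` only, whereas the equivalent `package:` task in configure-fail2ban.yml keeps `tags: [apt, yum]` in this same commit and the yum-based auditd/clamav installs are tagged `yum`. A `--tags yum` run on a RedHat host would install those packages but silently skip rkhunter. Use `tags: [apt, yum]` here to match configure-fail2ban.yml.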
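Review bot: Replacing `tags: [always]` with `tags: [fail2ban, ssh]` on the fail2ban import changes when the brute-force protection is applied: previously it ran on every tagged invocation, now any `--tags` run that does not name `fail2ban` or `ssh` skips it and `--skip-tags fail2ban` can disable it. This is presumably intended as part of moving tags from the task files to the `import_tasks` level, but it is a hardening regression for callers that relied on `always`, so it should be called out in the role README or changelog. A short comment on the import would make the intent explicit: `# no longer "always": select with --tags fail2ban or --tags ssh`.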