Initial import of existing role

tasks/aide.yaml

@@ -0,0 +1,20 @@
+---
+- name: Install AIDE
+  dnf:
+    name: aide
+    state: installed
+- name: Init AIDE if database is missing
+  shell: aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+  args:
+    creates: /var/lib/aide/aide.db.gz
+- name: Install AIDE crontab
+  copy:
+    dest: /etc/cron.d/aide
+    owner: root
+    group: root
+    mode: "0600"
+    content: |
+      SHELL=/bin/bash
+      PATH=/sbin:/bin:/usr/sbin:/usr/bin
+      MAILTO=root
+      0 5 * * * root /usr/sbin/aide --check

tasks/auditd.yaml

@@ -0,0 +1,15 @@
+---
+- name: Copy main CIS benchmark ruleset
+  copy:
+    src: auditd/cis-hardening.rules
+    dest: /etc/audit/rules.d/cis-hardening.rules
+    owner: root
+    group: root
+    mode: "0600"
+- name: Copy privileged commands ruleset
+  copy:
+    src: auditd/privileged.rules
+    dest: /etc/audit/rules.d/privileged.rules
+    owner: root
+    group: root
+    mode: "0600"

tasks/file_security.yaml

@@ -0,0 +1,41 @@
+---
+- name: Change grub file modes  # noqa: ignore-errors
+  file:
+    path: "{{ item }}"
+    owner: root
+    group: root
+    mode: "0600"
+  ignore_errors: true
+  loop:
+    - /boot/grub2/grub.cfg
+    - /boot/grub2/grubenv
+- name: Change MOTD files security
+  file:
+    path: "{{ item }}"
+    owner: root
+    group: root
+    mode: "0644"
+  loop:
+    - /etc/motd
+    - /etc/issue
+    - /etc/issue.net
+- name: Set cron file security
+  file:
+    path: "{{ item }}"
+    owner: root
+    group: root
+    mode: "0600"
+  loop:
+    - /etc/crontab
+- name: Set cron.* directory security
+  file:
+    path: "{{ item }}"
+    owner: root
+    group: root
+    mode: "0700"
+  loop:
+    - /etc/cron.hourly
+    - /etc/cron.daily
+    - /etc/cron.weekly
+    - /etc/cron.monthly
+    - /etc/cron.d

tasks/limits.yaml

@@ -0,0 +1,8 @@
+---
+- name: Add core limits
+  pam_limits:
+    dest: /etc/security/limits.d/core.conf
+    domain: "*"
+    limit_type: hard
+    limit_item: core
+    value: "0"

tasks/main.yaml

@@ -0,0 +1,8 @@
+---
+- include: auditd.yaml
+- include: limits.yaml
+- include: sudo.yaml
+- include: file_security.yaml
+- include: ssh.yaml
+- include: sysctl.yaml
+- include: aide.yaml

tasks/ssh.yaml

@@ -0,0 +1,22 @@
+---
+- name: Set sshd_config file security
+  file:
+    path: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: "0600"
+- name: Set SSHD configuration values
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "^{{ item.key }}"
+    line: "{{ item.key }} {{ item.value }}"
+  notify: restart sshd
+  loop:
+    - { key: "X11Forwarding", value: "no" }
+    - { key: "MaxAuthTries", value: "4" }
+    - { key: "PermitRootLogin", value: "no" }
+    - { key: "PasswordAuthentication", value: "no" }
+    - { key: "PermitEmptyPasswords", value: "no" }
+    - { key: "PermitUserEnvironment", value: "no" }
+    - { key: "AllowTcpForwarding", value: "yes" }
+    - { key: "StreamLocalBindUnlink", value: "yes" }

tasks/sudo.yaml

@@ -0,0 +1,9 @@
+---
+- name: Ensure sudo access is logged
+  copy:
+    dest: /etc/sudoers.d/logfile.conf
+    owner: root
+    group: root
+    mode: "0644"
+    content: |
+      Defaults logfile="/var/log/sudo.log"

tasks/sysctl.yaml

@@ -0,0 +1,31 @@
+---
+- name: Add disable sysctl values
+  sysctl:
+    name: "{{ item }}"
+    value: "0"
+    state: present
+    sysctl_file: /etc/sysctl.d/00-cis-rules
+  loop:
+    - net.ipv4.conf.all.accept_redirects
+    - net.ipv4.conf.default.accept_redirects
+    - net.ipv6.conf.all.accept_redirects
+    - net.ipv6.conf.default.accept_redirects
+    - net.ipv4.conf.all.secure_redirects
+    - net.ipv4.conf.default.secure_redirects
+    - net.ipv4.conf.all.send_redirects
+    - net.ipv4.conf.default.send_redirects
+    - net.ipv4.conf.all.accept_source_route
+    - net.ipv4.conf.default.accept_source_route
+    - net.ipv6.conf.all.accept_source_route
+    - net.ipv6.conf.default.accept_source_route
+    - fs.suid_dumpable
+- name: Add enable sysctl values
+  sysctl:
+    name: "{{ item }}"
+    value: "1"
+    state: present
+    sysctl_file: /etc/sysctl.d/00-cis-rules
+  loop:
+    - net.ipv4.conf.all.log_martians
+    - net.ipv4.conf.default.log_martians
+    - net.ipv4.conf.default.rp_filter