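---
# Baseline hardening for a Debian/Ubuntu host: PAM lockout on failed logins,
# password quality and history, password ageing, idle-SSH disconnect and ufw.
# Task order matters at the end of the play: the ssh allow rule must exist
# before ufw is enabled, otherwise the play can cut off its own connection.
- hosts: test
  remote_user: idc
  become: true
  vars:
    # Seconds an account stays locked after too many failed logins.
    LOGIN_FAIL_LOCK_SECS: 1800
    # Failed attempts before pam_tally2 locks the account.
    LOGIN_FAIL_MAX_COUNT: 3
    # Number of previous passwords pam_unix refuses to let a user reuse.
    PASS_HIST: 3
    # Minimum password length enforced by pam_pwquality.
    PASS_MIN_LEN: 12
    # Constructed example value: the original playbook referenced this
    # variable without defining it. Set it to the site's password policy.
    PASS_MAX_DAYS: 90
    # sshd probes the client every SSH_ALIVE_INTERVAL seconds and drops the
    # session after SSH_ALIVE_COUNT_MAX unanswered probes.
    SSH_ALIVE_INTERVAL: 600
    SSH_ALIVE_COUNT_MAX: 3

  tasks:
    - name: Install packages
      apt:
        name:
          - libpam-pwquality
        state: present

    # NOTE(review): pam_tally2 has been superseded by pam_faillock in newer
    # Linux-PAM releases; confirm the target release still ships it.
    - name: "Lock the account for {{ LOGIN_FAIL_LOCK_SECS }} seconds after {{ LOGIN_FAIL_MAX_COUNT }} failed login attempts"
      pamd:
        path: common-auth
        type: auth
        control: '[success=1 default=ignore]'
        module_path: pam_unix.so
        new_type: auth
        new_control: requisite
        new_module_path: pam_tally2.so
        module_arguments: "deny={{ LOGIN_FAIL_MAX_COUNT }},unblock_time={{ LOGIN_FAIL_LOCK_SECS }}"
        state: before

    - name: "Enforce passwords of at least {{ PASS_MIN_LEN }} characters containing an uppercase letter, a digit and a symbol"
      pamd:
        path: common-password
        type: password
        control: '[success=1 default=ignore]'
        module_path: pam_unix.so
        # The original had the typo "poassword", which pamd rejects.
        new_type: password
        new_control: requisite
        new_module_path: pam_pwquality.so
        # pam_pwquality treats a negative credit as a minimum count of that
        # character class; the original positive values (ucredit=1, ...) only
        # granted length credit and did not require the classes the task name
        # promises.
        module_arguments: "minlen={{ PASS_MIN_LEN }},retry=3,lcredit=0,ucredit=-1,dcredit=-1,ocredit=-1"
        state: before

    - name: "Remember the last {{ PASS_HIST }} passwords"
      pamd:
        path: common-password
        type: password
        control: '[success=1 default=ignore]'
        module_path: pam_unix.so
        module_arguments: "remember={{ PASS_HIST }},minlen={{ PASS_MIN_LEN }}"
        state: args_present

    # login.defs governs accounts created afterwards; existing accounts keep
    # the ageing values already stored in /etc/shadow (adjust them with chage).
    - name: "Set password lifetime to {{ PASS_MAX_DAYS }} days"
      lineinfile:
        path: /etc/login.defs
        line: "PASS_MAX_DAYS {{ PASS_MAX_DAYS }}"
        # The original pattern was missing its closing quote.
        regexp: '(?i)^PASS_MAX_DAYS'

    - name: "Configure sshd to disconnect idle clients after {{ SSH_ALIVE_INTERVAL }} * {{ SSH_ALIVE_COUNT_MAX }} seconds"
      lineinfile:
        path: /etc/ssh/sshd_config
        line: "{{ item.line }}"
        regexp: "{{ item.regexp }}"
        # Refuse to write a config sshd cannot parse, so the restart below
        # never leaves the host without a working sshd.
        validate: '/usr/sbin/sshd -t -f %s'
      loop:
        # The sshd keyword is ClientAliveInterval; the original
        # "ClientAliveCountInterval" is not a valid sshd_config option and
        # would make sshd fail to start.
        - line: "ClientAliveInterval {{ SSH_ALIVE_INTERVAL }}"
          regexp: '^ClientAliveInterval'
        - line: "ClientAliveCountMax {{ SSH_ALIVE_COUNT_MAX }}"
          regexp: '^ClientAliveCountMax'
      # The original never restarted sshd, so the edits had no effect until
      # the next reboot or manual restart.
      notify: Restart sshd

    # ufw's default inbound policy is deny; enabling it without an ssh rule
    # locks out the very connection this play runs over.
    - name: Allow inbound ssh before enabling the firewall
      ufw:
        rule: allow
        port: "{{ ansible_port | default(22) }}"
        proto: tcp

    # The ufw module is idempotent; `command: ufw enable` reported a change
    # on every run.
    - name: Enable ufw
      ufw:
        state: enabled

  handlers:
    # On Debian/Ubuntu the sshd unit is named "ssh".
    - name: Restart sshd
      service:
        name: ssh
        state: restarted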