deploy-base/roles/hardening/tasks/main.yml

---

- name: include SELinux package tasks for EL (CentOS/RHEL)
  include_tasks: centos-selinux.yml
  when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat"])

- name: include SELinux package tasks for Fedora (non-atomic)
  include_tasks: fedora-selinux.yml
  when: (ansible_distribution in ["Fedora"] and not is_atomic)

# likely to break on non-RHEL/derivatives, could use improvement.
- name: enable firewalld
  service:
    name: firewalld
    state: started
    enabled: yes

- name: SSH - disable password auth
  lineinfile:
    dest: /etc/ssh/sshd_config 
    regexp: "^PasswordAuthentication" 
    line: "PasswordAuthentication no"
    state: present
  notify: restart sshd

- name: SSH - config port 1181
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^Port '
    line: 'Port 1181'
    insertbefore: "(^|#)AddressFamily.*"
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd

- name: allow custom SSH port in selinux
  seport:
    ports: 1181
    proto: tcp
    setype: ssh_port_t
    state: present
  when: (ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled')

# also likely to break on non-RHEL/derivatives, could use improvement too.
- name: allow custom SSH port in firewalld
  firewalld:
    port: 1181/tcp
    permanent: yes
    immediate: yes
    state: enabled
initial commit 2019-02-26 03:49:51 +00:00			`---`

hardening: add SELinux for CentOS/Fedora, firewall, and custom SSH port 2021-04-05 05:21:25 +00:00			`- name: include SELinux package tasks for EL (CentOS/RHEL)`
			`include_tasks: centos-selinux.yml`
			`when: (ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "RedHat"])`
initial commit 2019-02-26 03:49:51 +00:00
hardening: add SELinux for CentOS/Fedora, firewall, and custom SSH port 2021-04-05 05:21:25 +00:00			`- name: include SELinux package tasks for Fedora (non-atomic)`
			`include_tasks: fedora-selinux.yml`
			`when: (ansible_distribution in ["Fedora"] and not is_atomic)`

			`# likely to break on non-RHEL/derivatives, could use improvement.`
			`- name: enable firewalld`
initial commit 2019-02-26 03:49:51 +00:00			`service:`
hardening: add SELinux for CentOS/Fedora, firewall, and custom SSH port 2021-04-05 05:21:25 +00:00			`name: firewalld`
			`state: started`
			`enabled: yes`
initial commit 2019-02-26 03:49:51 +00:00
hardening: add SELinux for CentOS/Fedora, firewall, and custom SSH port 2021-04-05 05:21:25 +00:00			`- name: SSH - disable password auth`
initial commit 2019-02-26 03:49:51 +00:00			`lineinfile:`
			`dest: /etc/ssh/sshd_config`
			`regexp: "^PasswordAuthentication"`
			`line: "PasswordAuthentication no"`
			`state: present`
			`notify: restart sshd`

hardening: add SELinux for CentOS/Fedora, firewall, and custom SSH port 2021-04-05 05:21:25 +00:00			`- name: SSH - config port 1181`
			`lineinfile:`
			`path: /etc/ssh/sshd_config`
			`regexp: '^Port '`
			`line: 'Port 1181'`
			`insertbefore: "(^\|#)AddressFamily.*"`
			`validate: '/usr/sbin/sshd -t -f %s'`
			`notify: restart sshd`

			`- name: allow custom SSH port in selinux`
			`seport:`
			`ports: 1181`
			`proto: tcp`
			`setype: ssh_port_t`
			`state: present`
			`when: (ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled')`
initial commit 2019-02-26 03:49:51 +00:00
hardening: add SELinux for CentOS/Fedora, firewall, and custom SSH port 2021-04-05 05:21:25 +00:00			`# also likely to break on non-RHEL/derivatives, could use improvement too.`
			`- name: allow custom SSH port in firewalld`
			`firewalld:`
			`port: 1181/tcp`
			`permanent: yes`
			`immediate: yes`
			`state: enabled`