author | Matthieu Saulnier <fantom@fedoraproject.org> | 2018-12-08 13:14:52 +0100 |
committer | Matthieu Saulnier <fantom@fedoraproject.org> | 2018-12-08 13:14:52 +0100 |
commit | 2df3fb06dbf2463a0fc373164861d6d7deebaa78 (patch) | |
tree | e70b4e925a4a5102eaf06859cfa0254400de4756 | |
parent | 43624798b9a5682bcaa0103b96e0858ac5fcb704 (diff) | |
Update diagnostics role targeting all hosts except website-engines on raspberry
And add an auxiliary ssh port in the common role
-rw-r--r-- | diagnostics.yml | 4 | ||||
-rw-r--r-- | roles/common/tasks/ssh.yml | 7 | ||||
-rwxr-xr-x | roles/diagnostics/files/selinuxresto.sh | 2 | ||||
-rw-r--r-- | roles/diagnostics/tasks/rkhunter.yml | 14 |
4 files changed, 22 insertions, 5 deletions
diff --git a/diagnostics.yml b/diagnostics.yml
index 69ef2ab..50b5669 100644
--- a/diagnostics.yml
+++ b/diagnostics.yml
@@ -1,4 +1,6 @@
-- hosts: all
+- hosts:
+ - dns
+ - proxy
 remote_user: root
 any_errors_fatal: true
 roles:
diff --git a/roles/common/tasks/ssh.yml b/roles/common/tasks/ssh.yml
index d5ba7f8..9be8d31 100644
--- a/roles/common/tasks/ssh.yml
+++ b/roles/common/tasks/ssh.yml
@@ -15,3 +15,10 @@
 regexp: "^#PermitRootLogin yes"
 line: "PermitRootLogin yes"
 notify: restart sshd
+
+- name: Ouverture du port ssh secondaire
+ firewalld:
+ port: "54444/tcp"
+ permanent: yes
+ immediate: yes
+ state: enabled
diff --git a/roles/diagnostics/files/selinuxresto.sh b/roles/diagnostics/files/selinuxresto.sh
index 22ff769..1720fef 100755
--- a/roles/diagnostics/files/selinuxresto.sh
+++ b/roles/diagnostics/files/selinuxresto.sh
@@ -1,2 +1,2 @@
 #!/usr/bin/bash
-touch /.autorelabel && echo 'SELinux: autorelabel au prochain reboot'
+/usr/sbin/fixfiles -F onboot && echo 'SELinux: autorelabel au prochain reboot'
diff --git a/roles/diagnostics/tasks/rkhunter.yml b/roles/diagnostics/tasks/rkhunter.yml
index 460073a..6a9a507 100644
--- a/roles/diagnostics/tasks/rkhunter.yml
+++ b/roles/diagnostics/tasks/rkhunter.yml
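Review bot: Replacing `hosts: all` with the explicit list `dns`/`proxy` is an allow-list, while the commit message describes an exclusion ("all hosts except website-engines on raspberry"); any host added to the inventory later silently drops out of the diagnostics run (rkhunter, SELinux relabel) unless someone remembers to extend this list. An Ansible host pattern states the intent directly, e.g. `hosts: "all:!<excluded-group>"` with whatever inventory group holds the raspberry website engines (its name is not visible in this diff). If the positive list is deliberate, a comment above it such as `# explicit list: the raspberry website-engines must not run the diagnostics role` would stop the playbook and the commit message from contradicting each other.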
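Review bot: The new firewalld task opens 54444/tcp permanently and immediately, but nothing in this hunk makes sshd listen there: no `Port 54444` directive in sshd_config and, on an SELinux-enforcing host, no port label (the `seport` module with `ports: 54444`, `proto: tcp`, `setype: ssh_port_t`), without which sshd cannot bind a non-standard port. If those tasks live elsewhere in the role a comment naming where would help; otherwise the rule either exposes a port nothing answers on or, once sshd is pointed at it, adds a second entry point to a daemon the task just above configures with `PermitRootLogin yes`, so it deserves the same scrutiny as port 22. Style: `permanent: yes` / `immediate: yes` are YAML 1.1 truthy strings and would read more portably as `true`. Also note that `immediate: yes` fails the play if firewalld is not running on the target.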
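Review bot: The switch from `touch /.autorelabel` to `/usr/sbin/fixfiles -F onboot` changes more than the mechanism: per the fixfiles man page `-F` makes the next-boot relabel force-reset each file's context (user, role and range, not only the type), and the script gives no hint why that is wanted. A comment above the command, `# -F: force a full context reset at next boot, not just a type fix-up`, would record the intent for whoever next wonders about a long reboot. Because the `&&` list is the script's last command, a failing fixfiles already gives Ansible a non-zero exit status, but nothing is printed; appending `|| { echo 'SELinux: fixfiles onboot failed' >&2; exit 1; }` to that line would make the failure visible in the play output.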
@@ -2,22 +2,30 @@
 dnf: name=rkhunter state=present
 notify: initialize rkhunter
+- name: Login SSH en root
+ lineinfile:
+ path: /etc/rkhunter.conf
+ state: present
+ backrefs: yes
+ regexp: "^ALLOW_SSH_ROOT_USER=unset"
+ line: "ALLOW_SSH_ROOT_USER=yes"
+
 - name: Activation de tests rkhunter
 lineinfile: dest=/etc/rkhunter.conf state=present backrefs=yes regexp="^DISABLE_TESTS=suspscan hidden_ports deleted_files packet_cap_apps apps" line="DISABLE_TESTS=deleted_files"
-- name: Ajout de process en liste blanche
+- name: Ajout de wpa_spplicant en liste blanche
 lineinfile:
 path: /etc/rkhunter.conf
 line: 'ALLOWPROCLISTEN=/usr/sbin/wpa_supplicant'
-- name: Ajout de process en liste blanche
+- name: Ajout de arpwatch en liste blanche
 lineinfile:
 path: /etc/rkhunter.conf
 line: 'ALLOWPROCLISTEN=/usr/sbin/arpwatch'
-- name: Ajout de fichier en liste blanche
+- name: Ajout de fichier cache squid en liste blanche
 lineinfile:
 path: /etc/rkhunter.conf
 insertafter: '^ALLOWDEVFILE=/dev/shm/squid-ssl_session_cache.shm' |