forked from ansible-lockdown/RHEL9-CIS
sysctl improvements, become usage
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
parent
d2684c1e9d
commit
02c843f110
1 changed files with 18 additions and 38 deletions
|
|
@ -1,6 +1,11 @@
|
||||||
---
|
---
|
||||||
# handlers file for RHEL9-CIS
|
# handlers file for RHEL9-CIS
|
||||||
|
|
||||||
|
- name: reload sysctl
|
||||||
|
shell: sysctl --system
|
||||||
|
args:
|
||||||
|
warn: false
|
||||||
|
|
||||||
- name: sysctl flush ipv4 route table
|
- name: sysctl flush ipv4 route table
|
||||||
become: true
|
become: true
|
||||||
sysctl:
|
sysctl:
|
||||||
|
|
@ -8,7 +13,9 @@
|
||||||
value: '1'
|
value: '1'
|
||||||
sysctl_set: true
|
sysctl_set: true
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
when: ansible_virtualization_type != "docker"
|
when:
|
||||||
|
- flush_ipv4_route
|
||||||
|
- not system_is_container
|
||||||
tags:
|
tags:
|
||||||
- skip_ansible_lint
|
- skip_ansible_lint
|
||||||
|
|
||||||
|
|
@ -18,35 +25,9 @@
|
||||||
name: net.ipv6.route.flush
|
name: net.ipv6.route.flush
|
||||||
value: '1'
|
value: '1'
|
||||||
sysctl_set: true
|
sysctl_set: true
|
||||||
when: ansible_virtualization_type != "docker"
|
when:
|
||||||
|
- flush_ipv6_route
|
||||||
- name: update sysctl
|
- not system_is_container
|
||||||
template:
|
|
||||||
src: "etc/sysctl.d/{{ item }}.j2"
|
|
||||||
dest: "/etc/sysctl.d/{{ item }}"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0600
|
|
||||||
notify: reload sysctl
|
|
||||||
with_items:
|
|
||||||
- 60-kernel_sysctl.conf
|
|
||||||
- 60-disable_ipv6.conf
|
|
||||||
- 60-netipv4_sysctl.conf
|
|
||||||
- 60-netipv6_sysctl.conf
|
|
||||||
when:
|
|
||||||
- ansible_virtualization_type != "docker"
|
|
||||||
- "'procps-ng' in ansible_facts.packages"
|
|
||||||
|
|
||||||
- name: reload sysctl
|
|
||||||
sysctl:
|
|
||||||
name: net.ipv4.route.flush
|
|
||||||
value: '1'
|
|
||||||
state: present
|
|
||||||
reload: true
|
|
||||||
ignoreerrors: true
|
|
||||||
when:
|
|
||||||
- ansible_virtualization_type != "docker"
|
|
||||||
- "'systemd' in ansible_facts.packages"
|
|
||||||
|
|
||||||
- name: systemd restart tmp.mount
|
- name: systemd restart tmp.mount
|
||||||
become: true
|
become: true
|
||||||
|
|
@ -72,25 +53,21 @@
|
||||||
warn: false
|
warn: false
|
||||||
|
|
||||||
- name: restart firewalld
|
- name: restart firewalld
|
||||||
become: true
|
|
||||||
service:
|
service:
|
||||||
name: firewalld
|
name: firewalld
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
- name: restart sshd
|
- name: restart sshd
|
||||||
become: true
|
|
||||||
service:
|
service:
|
||||||
name: sshd
|
name: sshd
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
- name: restart postfix
|
- name: restart postfix
|
||||||
become: true
|
|
||||||
service:
|
service:
|
||||||
name: postfix
|
name: postfix
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
- name: reload dconf
|
- name: reload dconf
|
||||||
become: true
|
|
||||||
shell: dconf update
|
shell: dconf update
|
||||||
args:
|
args:
|
||||||
warn: false
|
warn: false
|
||||||
|
|
@ -102,15 +79,18 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0600
|
mode: 0600
|
||||||
|
register: auditd_template_update
|
||||||
notify: restart auditd
|
notify: restart auditd
|
||||||
|
|
||||||
- name: restart auditd
|
- name: restart auditd
|
||||||
shell: /sbin/service auditd restart
|
shell: service auditd restart
|
||||||
changed_when: false
|
|
||||||
check_mode: false
|
|
||||||
failed_when: false
|
|
||||||
args:
|
args:
|
||||||
warn: false
|
warn: false
|
||||||
|
when:
|
||||||
|
- audit_rules_updated.changed or
|
||||||
|
rule_4_1_2_1.changed or
|
||||||
|
rule_4_1_2_2.changed or
|
||||||
|
rule_4_1_2_3.changed
|
||||||
tags:
|
tags:
|
||||||
- skip_ansible_lint
|
- skip_ansible_lint
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue