nitanka/security-setup.yml

## security-setup.yml
---
- name: Fixing some security issues in Ubuntu instance
  sudo: yes
  hosts: x.x.x.x
  vars:
    ubuntu_common_ssh_port: 3992
    ubuntu_common_required_packages:
      - ufw
      - fail2ban
      - unattended-upgrades
      - logwatch
    UBUNTU_COMMON_LOGWATCH_EMAIL: <useremail>


  tasks:

    - name: Updating the System
      apt:
        update_cache: yes
        cache_valid_time: 3600

    - name: Upgrading the system
      apt:
        upgrade: safe

    - name: Install required packages
      apt:
        state: installed
        pkg: "{{ item }}"
      with_items: ubuntu_common_required_packages

    - name: Adjust APT update intervals
      copy: src=apt_periodic dest=/etc/apt/apt.conf.d/10periodic

    - name: Setup ufw
      ufw: state=enabled policy=deny

    - name: Allow ssh traffic
      ufw: rule=allow port={{ ubuntu_common_ssh_port }} proto=tcp

    - name: Set up Postfix to relay mail
      debconf:
        name: postfix
        question: "{{ item.question }}"
        value: "{{ item.value }}"
        vtype: "{{ item.vtype }}"
      with_items:
        - { question: 'postfix/mailname', value: '{{ ansible_fqdn }}', vtype: 'string' }
        - { question: 'postfix/main_mailer_type', value: 'Internet Site', vtype: 'string' }

    - name: Email log summary daily
      lineinfile: dest=/etc/cron.daily/00logwatch
                  regexp="^/usr/sbin/logwatch"
                  line="/usr/sbin/logwatch --output mail --mailto {{ UBUNTU_COMMON_LOGWATCH_EMAIL }} --detail high"
                  state=present create=yes

    - name: Change ssh port
      lineinfile: dest=/etc/ssh/sshd_config
                  regexp="^Port\s"
                  line=Port "{{ ubuntu_common_ssh_port }}"
                  state=present
      notify: Restart ssh

  handlers:
  - name: Restart ssh
    service: name=ssh state=restarted
	---
	- name: Fixing some security issues in Ubuntu instance
	sudo: yes
	hosts: x.x.x.x
	vars:
	ubuntu_common_ssh_port: 3992
	ubuntu_common_required_packages:
	- ufw
	- fail2ban
	- unattended-upgrades
	- logwatch
	UBUNTU_COMMON_LOGWATCH_EMAIL: <useremail>


	tasks:

	- name: Updating the System
	apt:
	update_cache: yes
	cache_valid_time: 3600

	- name: Upgrading the system
	apt:
	upgrade: safe

	- name: Install required packages
	apt:
	state: installed
	pkg: "{{ item }}"
	with_items: ubuntu_common_required_packages

	- name: Adjust APT update intervals
	copy: src=apt_periodic dest=/etc/apt/apt.conf.d/10periodic

	- name: Setup ufw
	ufw: state=enabled policy=deny

	- name: Allow ssh traffic
	ufw: rule=allow port={{ ubuntu_common_ssh_port }} proto=tcp

	- name: Set up Postfix to relay mail
	debconf:
	name: postfix
	question: "{{ item.question }}"
	value: "{{ item.value }}"
	vtype: "{{ item.vtype }}"
	with_items:
	- { question: 'postfix/mailname', value: '{{ ansible_fqdn }}', vtype: 'string' }
	- { question: 'postfix/main_mailer_type', value: 'Internet Site', vtype: 'string' }

	- name: Email log summary daily
	lineinfile: dest=/etc/cron.daily/00logwatch
	regexp="^/usr/sbin/logwatch"
	line="/usr/sbin/logwatch --output mail --mailto {{ UBUNTU_COMMON_LOGWATCH_EMAIL }} --detail high"
	state=present create=yes

	- name: Change ssh port
	lineinfile: dest=/etc/ssh/sshd_config
	regexp="^Port\s"
	line=Port "{{ ubuntu_common_ssh_port }}"
	state=present
	notify: Restart ssh

	handlers:
	- name: Restart ssh
	service: name=ssh state=restarted