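---
# System Security Hardening
#
# Host-level hardening tasks: kernel parameters, PAM limits, password ageing
# in login.defs, /dev/shm mount options, auditd and its rules, removal of
# legacy network services, permissions on sensitive files, process
# accounting and the post-login banner.
#
# The package names (rsh-client, inetutils-inetd, ...) and the shadow/gshadow
# ownership below follow Debian/Ubuntu conventions — presumably the role
# targets that family; confirm before running on RHEL-family hosts, where
# /etc/shadow is owned root:root with mode 0000.
#
# Variables expected from the role/inventory:
#   security_kernel_parameters  mapping of sysctl key -> value
#   security_umask              UMASK value written to /etc/login.defs
#   security_login_timeout      LOGIN_TIMEOUT value written to /etc/login.defs
#   domain_name, environment, ssl_email   substituted into the banner
# Optional overrides (previously hard-coded; the default() keeps the old value
# when the variable is unset):
#   security_pass_max_days (90)   security_pass_min_days (1)
#   security_pass_warn_age (7)    security_shm_size (512M)

- name: Apply kernel security parameters
  sysctl:
    name: "{{ item.key }}"
    value: "{{ item.value }}"
    state: present
    sysctl_set: true   # apply to the running kernel as well as the config file
    reload: true
  loop: "{{ security_kernel_parameters | dict2items }}"
  tags:
    - security
    - kernel
    - sysctl

- name: Create security limits configuration
  template:
    src: security-limits.conf.j2
    dest: /etc/security/limits.d/99-security.conf
    owner: root
    group: root
    mode: '0644'
  tags:
    - security
    - limits

- name: Configure login.defs for security
  # PASS_* ageing values only affect accounts created after this runs;
  # existing accounts keep their current chage settings.
  lineinfile:
    path: /etc/login.defs
    # Anchor on the key followed by whitespace so a key that is a prefix of
    # another name cannot match the wrong line. Single quotes keep the "\s"
    # literal for the regexp engine (a double-quoted "\s" is not a valid
    # YAML escape).
    regexp: '^{{ item.key }}\s'
    line: "{{ item.key }} {{ item.value }}"
    backup: true
  loop:
    - { key: "UMASK", value: "{{ security_umask }}" }
    - { key: "PASS_MAX_DAYS", value: "{{ security_pass_max_days | default('90') }}" }
    - { key: "PASS_MIN_DAYS", value: "{{ security_pass_min_days | default('1') }}" }
    - { key: "PASS_WARN_AGE", value: "{{ security_pass_warn_age | default('7') }}" }
    - { key: "LOGIN_TIMEOUT", value: "{{ security_login_timeout }}" }
    - { key: "ENCRYPT_METHOD", value: "SHA512" }
  tags:
    - security
    - login
    - password

- name: Secure shared memory
  mount:
    path: /dev/shm
    src: tmpfs
    fstype: tmpfs
    # noexec/nosuid/nodev prevent binaries or device nodes from being used
    # out of the world-writable tmpfs; the size cap bounds how much memory a
    # local user can pin there.
    opts: "defaults,noexec,nosuid,nodev,size={{ security_shm_size | default('512M') }}"
    state: mounted
  tags:
    - security
    - memory
    - filesystem

- name: Configure audit system
  package:
    name: auditd
    state: present
  tags:
    - security
    - audit

- name: Create audit rules for security monitoring
  template:
    src: audit-rules.rules.j2
    dest: /etc/audit/rules.d/99-security.rules
    owner: root
    group: root
    mode: '0600'   # rules reveal what is monitored; keep them root-only
    backup: true
  # NOTE(review): the "restart auditd" handler lives outside this file. On
  # some distributions (RHEL-family at least) auditd.service refuses
  # `systemctl restart`; confirm the handler uses `service auditd restart`
  # or `augenrules --load`, otherwise the new rules are never loaded.
  notify: restart auditd
  tags:
    - security
    - audit
    - rules

- name: Ensure auditd service is enabled and running
  service:
    name: auditd
    state: started
    enabled: true
  tags:
    - security
    - audit
    - service

- name: Remove unnecessary packages
  package:
    name: "{{ item }}"
    state: absent
  loop:
    - telnet
    - rsh-client
    - rsh-redone-client
    - talk
    - ntalk
    - xinetd
    - inetutils-inetd
  # Best-effort: a name the package manager does not know must not abort the
  # play. This also hides genuine failures (held dpkg/apt lock, broken
  # dependencies), so review the play output for "...ignoring" entries.
  ignore_errors: true
  tags:
    - security
    - cleanup
    - packages

- name: Set correct permissions on critical files
  # `state` is left at the file module's default (`file`): a missing path
  # fails the task instead of being created with these permissions.
  file:
    path: "{{ item.path }}"
    owner: "{{ item.owner | default('root') }}"
    group: "{{ item.group | default('root') }}"
    mode: "{{ item.mode }}"
  loop:
    - { path: "/etc/passwd", mode: "0644" }
    - { path: "/etc/shadow", mode: "0640", group: "shadow" }    # Debian layout
    - { path: "/etc/group", mode: "0644" }
    - { path: "/etc/gshadow", mode: "0640", group: "shadow" }   # Debian layout
    - { path: "/boot", mode: "0700" }
    - { path: "/etc/ssh", mode: "0755" }
    - { path: "/etc/crontab", mode: "0600" }
    - { path: "/etc/cron.hourly", mode: "0700" }
    - { path: "/etc/cron.daily", mode: "0700" }
    - { path: "/etc/cron.weekly", mode: "0700" }
    - { path: "/etc/cron.monthly", mode: "0700" }
    - { path: "/etc/cron.d", mode: "0700" }
  tags:
    - security
    - permissions
    - files

- name: Configure process accounting
  package:
    name: acct
    state: present
  tags:
    - security
    - accounting

- name: Enable process accounting
  service:
    name: acct
    state: started
    enabled: true
  tags:
    - security
    - accounting
    - service

- name: Configure system banner
  # /etc/motd is displayed after a successful login, not at the login
  # prompt; pre-authentication notices belong in /etc/issue and
  # /etc/issue.net. The text names the framework, environment and an admin
  # address — hardening guides recommend keeping technology details out of
  # banners; the wording is a policy decision and is kept verbatim here.
  # NOTE(review): `environment` is a reserved playbook keyword in Ansible and
  # Ansible warns when a variable uses that name — confirm what
  # `{{ environment | upper }}` actually resolves to.
  copy:
    content: |
      Custom PHP Framework Production Server
      {{ domain_name }} - {{ environment | upper }}
      Unauthorized access is prohibited.
      All activities are monitored and logged.
      System administered by: {{ ssl_email }}
    dest: /etc/motd
    owner: root
    group: root
    mode: '0644'
  tags:
    - security
    - banner
    - motd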