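---
# Security Audit and Compliance Checks
#
# Installs host-based audit tooling (lynis, rkhunter, chkrootkit, debsums, aide),
# seeds the AIDE and rkhunter baselines, deploys their configuration templates,
# and schedules recurring checks via cron whose output is mailed to
# `{{ ssl_email }}`. Requires `inventory_hostname` and `ssl_email` to be defined.
#
# NOTE(review): the cron jobs pipe into `mail`, but nothing in this file installs
# an MTA or the `mail` client (e.g. mailutils/bsd-mailx) — confirm another role
# provides it or the reports are silently lost.

- name: Install security audit tools
  package:
    name: "{{ item }}"
    state: present
  loop:
    - lynis
    - rkhunter
    - chkrootkit
    - debsums
    - aide
  tags:
    - security
    - audit
    - tools

# The AIDE config must be in place BEFORE the database is initialised; otherwise
# the baseline is built from the distribution default rule set and the deployed
# rules only take effect at the next (re)initialisation.
- name: Configure AIDE for file integrity monitoring
  template:
    src: aide.conf.j2
    dest: /etc/aide/aide.conf
    owner: root
    group: root
    mode: '0600'
    backup: true
  tags:
    - security
    - aide
    - config

# `creates` is keyed on the production database, not on aide.db.new: the staging
# file is consumed by the next task, so keying on it would rebuild the baseline on
# the first re-run of the play (and a baseline rebuild is exactly what a
# post-compromise attacker wants).
- name: Initialize AIDE database
  command:
    cmd: aideinit
    creates: /var/lib/aide/aide.db
  tags:
    - security
    - aide
    - integrity

- name: Move AIDE database to production location
  command:
    cmd: mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
    creates: /var/lib/aide/aide.db
  tags:
    - security
    - aide
    - integrity

# The pipe into `mail` masks aide's exit status; cron therefore never sees a
# failed check. The report itself is the signal.
- name: Schedule AIDE integrity checks
  cron:
    name: "AIDE integrity check"
    minute: "0"
    hour: "3"
    job: "/usr/bin/aide --check 2>&1 | mail -s 'AIDE Integrity Check - {{ inventory_hostname }}' {{ ssl_email }}"
    user: root
  tags:
    - security
    - aide
    - cron

- name: Configure rkhunter
  template:
    src: rkhunter.conf.j2
    dest: /etc/rkhunter.conf
    owner: root
    group: root
    mode: '0644'
    backup: true
  tags:
    - security
    - rkhunter
    - config

# rkhunter --update exits 0 when nothing changed, 2 when the data files were
# updated, and 1 on error. A plain `command` treats rc=2 as a failure, so a
# successful update would abort the play.
- name: Update rkhunter database
  command: rkhunter --update
  register: rkhunter_update
  changed_when: rkhunter_update.rc == 2
  failed_when: rkhunter_update.rc not in [0, 2]
  tags:
    - security
    - rkhunter
    - update

# NOTE(review): --propupd re-baselines file properties on EVERY play run. Any
# binary tampered with between runs is accepted as the new normal. Consider
# gating this on package changes (or running it only once) rather than
# unconditionally; left as-is to preserve current behaviour.
- name: Configure rkhunter properties
  command: rkhunter --propupd
  changed_when: false
  tags:
    - security
    - rkhunter
    - properties

- name: Schedule rkhunter scans
  cron:
    name: "RKhunter rootkit scan"
    minute: "30"
    hour: "3"
    job: "/usr/bin/rkhunter --cronjob --report-warnings-only 2>&1 | mail -s 'RKhunter Scan - {{ inventory_hostname }}' {{ ssl_email }}"
    user: root
  tags:
    - security
    - rkhunter
    - cron

# Lynis treats default.prf as upstream-owned and reads local overrides from
# custom.prf; writing the template there keeps site settings separate from the
# shipped profile.
- name: Configure Lynis for system auditing
  template:
    src: lynis.conf.j2
    dest: /etc/lynis/custom.prf
    owner: root
    group: root
    mode: '0644'
  tags:
    - security
    - lynis
    - config

# Baseline audit at deploy time; the result is registered for optional use by
# later tasks but is not acted upon here.
- name: Run initial security audit with Lynis
  command: lynis audit system --quick --quiet
  register: lynis_audit
  changed_when: false
  tags:
    - security
    - lynis
    - audit

- name: Schedule weekly Lynis security audits
  cron:
    name: "Lynis security audit"
    minute: "0"
    hour: "4"
    weekday: "0"
    job: "/usr/sbin/lynis audit system --cronjob | mail -s 'Lynis Security Audit - {{ inventory_hostname }}' {{ ssl_email }}"
    user: root
  tags:
    - security
    - lynis
    - cron

- name: Create security monitoring script
  template:
    src: security-monitor.sh.j2
    dest: /usr/local/bin/security-monitor.sh
    owner: root
    group: root
    mode: '0755'
  tags:
    - security
    - monitoring
    - scripts

# Runs every 15 minutes as root; any stdout/stderr goes to cron's default mail.
- name: Schedule security monitoring
  cron:
    name: "Security monitoring"
    minute: "*/15"
    job: "/usr/local/bin/security-monitor.sh"
    user: root
  tags:
    - security
    - monitoring
    - cron

# Deployed for operators to run by hand; nothing in this file schedules or
# invokes it.
- name: Create security incident response script
  template:
    src: security-incident.sh.j2
    dest: /usr/local/bin/security-incident.sh
    owner: root
    group: root
    mode: '0755'
  tags:
    - security
    - incident
    - response

# Each check is a plain command whose exit status is the verdict. Checks flagged
# `required: false` may be absent on the host (ufw/fail2ban/auditd are not
# installed by this file) and only produce output; `sshd -t` is mandatory because
# a syntactically broken sshd_config locks everyone out on the next restart.
- name: Verify system security configuration
  command: "{{ item.command }}"
  register: security_checks
  changed_when: false
  failed_when: security_checks.rc != 0 and item.required | default(true)
  loop:
    - { command: "sshd -t", name: "SSH configuration" }
    - { command: "ufw status", name: "UFW firewall status", required: false }
    - { command: "fail2ban-client status", name: "Fail2ban status", required: false }
    - { command: "systemctl is-active auditd", name: "Audit daemon", required: false }
  tags:
    - security
    - verification
    - validation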