michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
55c04e4fd03a88abed3fc5e58bd2e09defa77b70
michaelschiemer/deployment/infrastructure/roles/base-security/tasks/service-hardening.yml
Michael Schiemer 9b74ade5b0 feat: Fix discovery system critical issues 
Resolved multiple critical discovery system issues:

## Discovery System Fixes
- Fixed console commands not being discovered on first run
- Implemented fallback discovery for empty caches
- Added context-aware caching with separate cache keys
- Fixed object serialization preventing __PHP_Incomplete_Class

## Cache System Improvements
- Smart caching that only caches meaningful results
- Separate caches for different execution contexts (console, web, test)
- Proper array serialization/deserialization for cache compatibility
- Cache hit logging for debugging and monitoring

## Object Serialization Fixes
- Fixed DiscoveredAttribute serialization with proper string conversion
- Sanitized additional data to prevent object reference issues
- Added fallback for corrupted cache entries

## Performance & Reliability
- All 69 console commands properly discovered and cached
- 534 total discovery items successfully cached and restored
- No more __PHP_Incomplete_Class cache corruption
- Improved error handling and graceful fallbacks

## Testing & Quality
- Fixed code style issues across discovery components
- Enhanced logging for better debugging capabilities
- Improved cache validation and error recovery

Ready for production deployment with stable discovery system.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-13 12:04:17 +02:00

149 lines
3.0 KiB
YAML
Raw Blame History

---
# Service Hardening and Unused Service Removal
- name: Stop and disable unused services
service:
name: "{{ item }}"
state: stopped
enabled: false
loop: "{{ disable_unused_services }}"
ignore_errors: true
tags:
- security
- services
- cleanup
- name: Remove unused service packages
package:
name: "{{ item }}"
state: absent
loop: "{{ disable_unused_services }}"
ignore_errors: true
tags:
- security
- services
- packages
- name: Mask dangerous services
systemd:
name: "{{ item }}"
masked: true
loop:
- rpcbind.service
- rpcbind.socket
- nfs-server.service
- nfs-lock.service
- nfs-idmap.service
ignore_errors: true
tags:
- security
- services
- systemd
- name: Configure service security settings
template:
src: service-security.conf.j2
dest: /etc/systemd/system/{{ item }}.service.d/security.conf
owner: root
group: root
mode: '0644'
loop:
- nginx
- php8.4-fpm
notify: reload systemd
tags:
- security
- services
- systemd
- name: Create systemd security override directory
file:
path: "/etc/systemd/system/{{ item }}.service.d"
state: directory
owner: root
group: root
mode: '0755'
loop:
- nginx
- php8.4-fpm
- docker
tags:
- security
- services
- directories
- name: Harden Docker service (if installed)
template:
src: docker-security.conf.j2
dest: /etc/systemd/system/docker.service.d/security.conf
owner: root
group: root
mode: '0644'
notify: reload systemd
ignore_errors: true
tags:
- security
- services
- docker
- name: Configure service restart policies
lineinfile:
path: /etc/systemd/system/{{ item.service }}.service.d/restart.conf
regexp: '^Restart='
line: 'Restart={{ item.policy }}'
create: true
loop:
- { service: "nginx", policy: "always" }
- { service: "php8.4-fpm", policy: "always" }
- { service: "fail2ban", policy: "always" }
notify: reload systemd
tags:
- security
- services
- reliability
- name: Set service timeouts for security
lineinfile:
path: /etc/systemd/system/{{ item.service }}.service.d/timeout.conf
regexp: '^TimeoutStopSec='
line: 'TimeoutStopSec={{ item.timeout }}'
create: true
loop:
- { service: "nginx", timeout: "30s" }
- { service: "php8.4-fpm", timeout: "30s" }
- { service: "docker", timeout: "60s" }
notify: reload systemd
tags:
- security
- services
- timeouts
- name: Enable core security services
service:
name: "{{ item }}"
state: started
enabled: true
loop:
- ufw
- fail2ban
- auditd
- unattended-upgrades
tags:
- security
- services
- enable
- name: Verify critical service status
command: systemctl is-active {{ item }}
register: service_status
changed_when: false
failed_when: service_status.rc != 0
loop:
- ssh
- ufw
- fail2ban
- auditd
tags:
- security
- services
- verification
Reference in New Issue View Git Blame Copy Permalink