michaelschiemer/deployment/infrastructure/roles/base-security/tasks/security-audit.yml

---
# Security Audit and Compliance Checks

- name: Install security audit tools
  package:
    name: "{{ item }}"
    state: present
  loop:
    - lynis
    - rkhunter
    - chkrootkit
    - debsums
    - aide
  tags:
    - security
    - audit
    - tools

- name: Initialize AIDE database
  command: aideinit
  args:
    creates: /var/lib/aide/aide.db.new
  tags:
    - security
    - aide
    - integrity

- name: Move AIDE database to production location
  command: mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
  args:
    creates: /var/lib/aide/aide.db
  tags:
    - security
    - aide
    - integrity

- name: Configure AIDE for file integrity monitoring
  template:
    src: aide.conf.j2
    dest: /etc/aide/aide.conf
    owner: root
    group: root
    mode: '0600'
    backup: true
  tags:
    - security
    - aide
    - config

- name: Schedule AIDE integrity checks
  cron:
    name: "AIDE integrity check"
    minute: "0"
    hour: "3"
    job: "/usr/bin/aide --check 2>&1 | mail -s 'AIDE Integrity Check - {{ inventory_hostname }}' {{ ssl_email }}"
    user: root
  tags:
    - security
    - aide
    - cron

- name: Configure rkhunter
  template:
    src: rkhunter.conf.j2
    dest: /etc/rkhunter.conf
    owner: root
    group: root
    mode: '0644'
    backup: true
  tags:
    - security
    - rkhunter
    - config

- name: Update rkhunter database
  command: rkhunter --update
  changed_when: false
  tags:
    - security
    - rkhunter
    - update

- name: Configure rkhunter properties
  command: rkhunter --propupd
  changed_when: false
  tags:
    - security
    - rkhunter
    - properties

- name: Schedule rkhunter scans
  cron:
    name: "RKhunter rootkit scan"
    minute: "30"
    hour: "3"
    job: "/usr/bin/rkhunter --cronjob --report-warnings-only 2>&1 | mail -s 'RKhunter Scan - {{ inventory_hostname }}' {{ ssl_email }}"
    user: root
  tags:
    - security
    - rkhunter
    - cron

- name: Configure Lynis for system auditing
  template:
    src: lynis.conf.j2
    dest: /etc/lynis/default.prf
    owner: root
    group: root
    mode: '0644'
  tags:
    - security
    - lynis
    - config

- name: Run initial security audit with Lynis
  command: lynis audit system --quick --quiet
  register: lynis_audit
  changed_when: false
  tags:
    - security
    - lynis
    - audit

- name: Schedule weekly Lynis security audits
  cron:
    name: "Lynis security audit"
    minute: "0"
    hour: "4"
    weekday: "0"
    job: "/usr/sbin/lynis audit system --cronjob | mail -s 'Lynis Security Audit - {{ inventory_hostname }}' {{ ssl_email }}"
    user: root
  tags:
    - security
    - lynis
    - cron

- name: Create security monitoring script
  template:
    src: security-monitor.sh.j2
    dest: /usr/local/bin/security-monitor.sh
    owner: root
    group: root
    mode: '0755'
  tags:
    - security
    - monitoring
    - scripts

- name: Schedule security monitoring
  cron:
    name: "Security monitoring"
    minute: "*/15"
    job: "/usr/local/bin/security-monitor.sh"
    user: root
  tags:
    - security
    - monitoring
    - cron

- name: Create security incident response script
  template:
    src: security-incident.sh.j2
    dest: /usr/local/bin/security-incident.sh
    owner: root
    group: root
    mode: '0755'
  tags:
    - security
    - incident
    - response

- name: Verify system security configuration
  command: "{{ item.command }}"
  register: security_checks
  changed_when: false
  failed_when: security_checks.rc != 0 and item.required | default(true)
  loop:
    - { command: "sshd -t", name: "SSH configuration" }
    - { command: "ufw status", name: "UFW firewall status", required: false }
    - { command: "fail2ban-client status", name: "Fail2ban status", required: false }
    - { command: "systemctl is-active auditd", name: "Audit daemon", required: false }
  tags:
    - security
    - verification
    - validation