Michael Schiemer
9b74ade5b0
Resolved multiple critical discovery system issues: ## Discovery System Fixes - Fixed console commands not being discovered on first run - Implemented fallback discovery for empty caches - Added context-aware caching with separate cache keys - Fixed object serialization preventing __PHP_Incomplete_Class ## Cache System Improvements - Smart caching that only caches meaningful results - Separate caches for different execution contexts (console, web, test) - Proper array serialization/deserialization for cache compatibility - Cache hit logging for debugging and monitoring ## Object Serialization Fixes - Fixed DiscoveredAttribute serialization with proper string conversion - Sanitized additional data to prevent object reference issues - Added fallback for corrupted cache entries ## Performance & Reliability - All 69 console commands properly discovered and cached - 534 total discovery items successfully cached and restored - No more __PHP_Incomplete_Class cache corruption - Improved error handling and graceful fallbacks ## Testing & Quality - Fixed code style issues across discovery components - Enhanced logging for better debugging capabilities - Improved cache validation and error recovery Ready for production deployment with stable discovery system. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
167 lines
3.6 KiB
YAML
167 lines
3.6 KiB
YAML
---
|
|
# System Security Hardening
|
|
|
|
- name: Apply kernel security parameters
|
|
sysctl:
|
|
name: "{{ item.key }}"
|
|
value: "{{ item.value }}"
|
|
state: present
|
|
sysctl_set: true
|
|
reload: true
|
|
loop: "{{ security_kernel_parameters | dict2items }}"
|
|
tags:
|
|
- security
|
|
- kernel
|
|
- sysctl
|
|
|
|
- name: Create security limits configuration
|
|
template:
|
|
src: security-limits.conf.j2
|
|
dest: /etc/security/limits.d/99-security.conf
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
tags:
|
|
- security
|
|
- limits
|
|
|
|
- name: Configure login.defs for security
|
|
lineinfile:
|
|
path: /etc/login.defs
|
|
regexp: "^{{ item.key }}"
|
|
line: "{{ item.key }} {{ item.value }}"
|
|
backup: true
|
|
loop:
|
|
- { key: "UMASK", value: "{{ security_umask }}" }
|
|
- { key: "PASS_MAX_DAYS", value: "90" }
|
|
- { key: "PASS_MIN_DAYS", value: "1" }
|
|
- { key: "PASS_WARN_AGE", value: "7" }
|
|
- { key: "LOGIN_TIMEOUT", value: "{{ security_login_timeout }}" }
|
|
- { key: "ENCRYPT_METHOD", value: "SHA512" }
|
|
tags:
|
|
- security
|
|
- login
|
|
- password
|
|
|
|
- name: Secure shared memory
|
|
mount:
|
|
path: /dev/shm
|
|
src: tmpfs
|
|
fstype: tmpfs
|
|
opts: "defaults,noexec,nosuid,nodev,size=512M"
|
|
state: mounted
|
|
tags:
|
|
- security
|
|
- memory
|
|
- filesystem
|
|
|
|
- name: Configure audit system
|
|
package:
|
|
name: auditd
|
|
state: present
|
|
tags:
|
|
- security
|
|
- audit
|
|
|
|
- name: Create audit rules for security monitoring
|
|
template:
|
|
src: audit-rules.rules.j2
|
|
dest: /etc/audit/rules.d/99-security.rules
|
|
owner: root
|
|
group: root
|
|
mode: '0600'
|
|
backup: true
|
|
notify: restart auditd
|
|
tags:
|
|
- security
|
|
- audit
|
|
- rules
|
|
|
|
- name: Ensure auditd service is enabled and running
|
|
service:
|
|
name: auditd
|
|
state: started
|
|
enabled: true
|
|
tags:
|
|
- security
|
|
- audit
|
|
- service
|
|
|
|
- name: Remove unnecessary packages
|
|
package:
|
|
name: "{{ item }}"
|
|
state: absent
|
|
loop:
|
|
- telnet
|
|
- rsh-client
|
|
- rsh-redone-client
|
|
- talk
|
|
- ntalk
|
|
- xinetd
|
|
- inetutils-inetd
|
|
ignore_errors: true
|
|
tags:
|
|
- security
|
|
- cleanup
|
|
- packages
|
|
|
|
- name: Set correct permissions on critical files
|
|
file:
|
|
path: "{{ item.path }}"
|
|
owner: "{{ item.owner | default('root') }}"
|
|
group: "{{ item.group | default('root') }}"
|
|
mode: "{{ item.mode }}"
|
|
loop:
|
|
- { path: "/etc/passwd", mode: "0644" }
|
|
- { path: "/etc/shadow", mode: "0640", group: "shadow" }
|
|
- { path: "/etc/group", mode: "0644" }
|
|
- { path: "/etc/gshadow", mode: "0640", group: "shadow" }
|
|
- { path: "/boot", mode: "0700" }
|
|
- { path: "/etc/ssh", mode: "0755" }
|
|
- { path: "/etc/crontab", mode: "0600" }
|
|
- { path: "/etc/cron.hourly", mode: "0700" }
|
|
- { path: "/etc/cron.daily", mode: "0700" }
|
|
- { path: "/etc/cron.weekly", mode: "0700" }
|
|
- { path: "/etc/cron.monthly", mode: "0700" }
|
|
- { path: "/etc/cron.d", mode: "0700" }
|
|
tags:
|
|
- security
|
|
- permissions
|
|
- files
|
|
|
|
- name: Configure process accounting
|
|
package:
|
|
name: acct
|
|
state: present
|
|
tags:
|
|
- security
|
|
- accounting
|
|
|
|
- name: Enable process accounting
|
|
service:
|
|
name: acct
|
|
state: started
|
|
enabled: true
|
|
tags:
|
|
- security
|
|
- accounting
|
|
- service
|
|
|
|
- name: Configure system banner
|
|
copy:
|
|
content: |
|
|
Custom PHP Framework Production Server
|
|
{{ domain_name }} - {{ environment | upper }}
|
|
|
|
Unauthorized access is prohibited.
|
|
All activities are monitored and logged.
|
|
|
|
System administered by: {{ ssl_email }}
|
|
dest: /etc/motd
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
tags:
|
|
- security
|
|
- banner
|
|
- motd |