consolidated fedora_security

2024-07-22 17:45:11 -07:00
parent 1f4a06c883
commit 7d7ef57597
11 changed files with 224 additions and 24 deletions
--- a/roles/fedora_security/tasks/main.yml
+++ b/roles/fedora_security/tasks/main.yml
@@ -0,0 +1,61 @@
+---
+- name: Set default firewalld zone to home
+  command:
+    cmd: firewall-cmd --set-default-zone=home
+  become: true
+
+- name: Change interface to home zone
+  command:
+    cmd: firewall-cmd --zone=home --change-interface={{ network_interface }}
+  become: true
+
+- name: Add allowed services to home zone
+  firewalld:
+    service: "{{ item }}"
+    zone: home
+    permanent: yes
+    state: enabled
+  loop: "{{ allowed_services }}"
+  become: true
+
+- name: Enable logging for denied packets
+  command:
+    cmd: firewall-cmd --set-log-denied=all
+  become: true
+
+- name: Reload firewalld
+  systemd:
+    name: firewalld
+    state: reloaded
+  become: true
+
+- name: Ensure SELinux is enabled and in enforcing mode
+  selinux:
+    policy: targeted
+    state: enforcing
+
+- name: Set SELinux to enforcing in config file
+  replace:
+    path: /etc/selinux/config
+    regexp: '^SELINUX=.*'
+    replace: 'SELINUX=enforcing'
+
+- name: Install dnf-automatic for automatic security updates
+  package:
+    name: dnf-automatic
+    state: present
+
+- name: Configure dnf-automatic
+  template:
+    src: dnf-automatic.conf.j2
+    dest: /etc/dnf/automatic.conf
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Enable and start dnf-automatic timer
+  systemd:
+    name: dnf-automatic.timer
+    enabled: true
+    state: started
+