rename sysctl files

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
konstruktoid · Nov 15, 2023 · 17e65e6 · 17e65e6
1 parent 87ed6aa
commit 17e65e6
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 9 deletions.
diff --git a/tasks/ipv6.yml b/tasks/ipv6.yml
@@ -30,7 +30,7 @@
 - name: Make sure we delete the ipv6 sysctl file if this machine doesn't support ipv6
   become: true
   ansible.builtin.file:
-    path: "{{ sysctl_conf_dir }}/zz-002-ipv6-hardening.conf"
+    path: "{{ sysctl_conf_dir }}/zz-ipv6-hardening.conf"
     state: absent
   when: not system_has_ipv6
   notify:

diff --git a/tasks/sysctl.yml b/tasks/sysctl.yml
@@ -1,9 +1,15 @@
 ---
+- name: Ensure old sysctl file is removed
+  become: true
+  ansible.builtin.file:
+    path: "{{ sysctl_conf_dir }}/zz-hardening.conf"
+    state: absent
+
 - name: Template the sysctl file with general sysctl hardening settings
   become: true
   ansible.builtin.template:
     src: '{{ sysctl_main_config_template }}'
-    dest: '{{ sysctl_conf_dir }}/zz-001-main-hardening.conf'
+    dest: '{{ sysctl_conf_dir }}/zz-main-hardening.conf'
     mode: "0755"
     owner: root
     group: root
@@ -54,7 +60,7 @@
   become: true
   ansible.builtin.template:
     src: "{{ sysctl_ipv6_config_template }}"
-    dest: "{{ sysctl_conf_dir }}/zz-002-ipv6-hardening.conf"
+    dest: "{{ sysctl_conf_dir }}/zz-ipv6-hardening.conf"
     mode: "0755"
     owner: root
     group: root

diff --git a/tasks/ufw.yml b/tasks/ufw.yml
@@ -25,7 +25,7 @@
     value: "1"
     state: present
     sysctl_set: true
-    sysctl_file: "{{ sysctl_conf_dir }}/zz-003-ufw-hardening.conf"
+    sysctl_file: "{{ sysctl_conf_dir }}/zz-ufw-hardening.conf"
     reload: true
   when: conntrackliberal.stat.exists
   tags:
@@ -61,7 +61,7 @@
   become: true
   ansible.builtin.lineinfile:
     regexp: ^IPT_SYSCTL=
-    line: IPT_SYSCTL={{ sysctl_conf_dir }}/zz-003-ufw-hardening.conf
+    line: IPT_SYSCTL={{ sysctl_conf_dir }}/zz-ufw-hardening.conf
     dest: /etc/default/ufw
     mode: "0640"
     state: present
@@ -211,7 +211,7 @@
     value: "{{ item.value | int }}"
     state: present
     sysctl_set: true
-    sysctl_file: "{{ sysctl_conf_dir }}/zz-003-ufw-hardening.conf"
+    sysctl_file: "{{ sysctl_conf_dir }}/zz-ufw-hardening.conf"
   with_dict: "{{ conntrack_sysctl_settings }}"
   notify:
     - Restart sysctl

diff --git a/templates/etc/audit/rules.d/hardening.rules.j2 b/templates/etc/audit/rules.d/hardening.rules.j2
@@ -321,9 +321,9 @@
 
 # Kernel modification
 -w /etc/sysctl.conf -p wa -k sysctl
--w {{ sysctl_conf_dir }}/zz-001-main-hardening.conf -p wa -k sysctl
--w {{ sysctl_conf_dir }}/zz-002-ipv6-hardening.conf -p wa -k sysctl
--w {{ sysctl_conf_dir }}/zz-003-ufw-hardening.conf -p wa -k sysctl
+-w {{ sysctl_conf_dir }}/zz-main-hardening.conf -p wa -k sysctl
+-w {{ sysctl_conf_dir }}/zz-ipv6-hardening.conf -p wa -k sysctl
+-w {{ sysctl_conf_dir }}/zz-ufw-hardening.conf -p wa -k sysctl
 
 # Hostname changes
 -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale