hardening demo from will tome

playbooks/03_hardening.yml

@@ -0,0 +1,31 @@
+---
+- name: harden linux systems
+  hosts: "{{ HOSTS | default('all') }}"
+  become: yes
+  vars:
+    - harden_firewall: False
+    - harden_time: False
+    - harden_ssh: False
+    - harden_pci: False
+
+  tasks:
+  - name: Configure Firewall
+    when: harden_firewall | bool
+    include_role:
+      name: linux-system-roles.firewall
+
+  - name: Configure Timesync
+    when: harden_time | bool
+    include_role:
+      name: linux-system-roles.timesync
+
+  - name: SSH Hardening
+    when: harden_ssh | bool
+    include_role:
+       name: dev-sec.ssh-hardening
+
+  # run with --skip-tags accounts_passwords_pam_faillock_deny
+  - name: Apply PCI Baseline
+    when: harden_pci | bool
+    include_role:
+      name: redhatofficial.rhel7_pci_dss

playbooks/group_vars/all/03_hardening.yml

@@ -0,0 +1,37 @@
+---
+survey_hardening:
+  name: ''
+  description: ''
+  spec:
+  - question_name: 'Enter host to configure'
+    type: text
+    variable: HOSTS
+    required: false
+  - question_name: Configure Firewall?
+    type: multiplechoice
+    variable: harden_firewall
+    required: false
+    choices:
+      - 'Yes'
+      - 'No'
+  - question_name: Configure Time?
+    type: multiplechoice
+    variable: harden_time
+    required: false
+    choices:
+      - 'Yes'
+      - 'No'
+  - question_name: Harden SSH?
+    type: multiplechoice
+    variable: harden_ssh
+    required: false
+    choices:
+      - 'Yes'
+      - 'No'
+  - question_name: PCI Baseline?
+    type: multiplechoice
+    variable: harden_pci
+    required: false
+    choices:
+      - 'Yes'
+      - 'No'

playbooks/group_vars/all/all.yml

@@ -38,6 +38,25 @@ demos:
     workshop_type:
       - f5
       - rhel
+  hardening:
+    author: "Will Tome"
+    name: "SERVER / Hardening"
+    description: "hardening for Linux servers"
+    job_type: "run"
+    inventory: "Workshop Inventory"
+    playbook: "playbooks/03_hardening.yml"
+    credential: "Workshop Credential"
+    survey_enabled: yes
+    survey_spec: "{{survey_hardening}}"
+    project:
+      name: "Ansible official demo project"
+      description: "prescriptive demos from Red Hat Management Buisness Unit"
+      organization: "Default"
+      scm_type: git
+      scm_url: "https://github.com/ansible/product-demos"
+    workshop_type:
+      - f5
+      - rhel
   windows_iis:
     author: "Colin McNaughton"
     name: "Windows IIS Server"