Remove follow option since (follow has been removed in version 2.5, b…

…ecause this module modifies the contents of the file so follow=no doesn’t make sense.) 🔥

defaults/main.yml

@@ -19,6 +19,18 @@ set_root_password: yes
 root_password: r00tP4ssw0rd
 
 # Section 2 Settings
+
+#Setting for systemd-timesyncd
+enable_systemdtimesyncd: yes #If you enable this make sure to disable NTP below, only one time service must be run in the server
+timesync_timezone: Etc/UTC
+timesync_fallback_ntp_hosts:
+  - 0.pool.ntp.org
+  - 1.pool.ntp.org
+  - 2.pool.ntp.org
+  - 3.pool.ntp.org
+
+#Setting for NTP
+enableNTP: no
 time_synchronization_package_name: ntp
 time_synchronization_servers:
   - uri: "time1.google.com"
@@ -29,6 +41,19 @@ time_synchronization_servers:
     config: "iburst"
   - uri: "time4.google.com"
     config: "iburst"
+
+# Setting for chrony
+chronyEnable: yes
+chrony_driftfile: /var/lib/chrony/chrony.drift
+chronyservers_preferred: []
+chronyservers:
+  - 0.pool.ntp.org
+  - 1.pool.ntp.org
+  - 2.pool.ntp.org
+  - 3.pool.ntp.org
+chrony_keys: /etc/chrony/chrony.keys
+chrony_log_dir: /var/log/chrony
+
 web_server_name: nginx
 remove_HTTPserver: no
 remove_xinetd: yes
@@ -87,7 +112,7 @@ ssh_MACs: "[email protected],[email protected],hmac-sha2
 ## 5.2.14 Ensure only strong Key Exchange algorithms are used
 ssh_key_algorithms: "curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
 ## 5.2.17 Ensure SSH access is limited
-allowed_users: ali saleh baker root #Put None or list of users space between each user
+allowed_users: ubuntu root #Put None or list of users space between each user
 allowed_groups: None
 deny_users: None
 deny_groups: None
@@ -101,7 +126,7 @@ pass_warn_age: 7
 pass_min_days: 1
 ## 5.4.1.1 Ensure password expiration is 365 days or less
 list_of_os_users:
-  - ali
+  - ubuntu
 ## 5.4.1.4 Ensure inactive password lock is 30 days or less
 ##Note: A value of -1 would disable this setting
 account_inactive: 30
@@ -111,7 +136,7 @@ shell_timeout_sec: 900
 # Section 6
 withoutOwnerFileDirOwner: root
 withoutGroupFilesDirGroup: root
-outputfiles: /home/ali/ #Output dir of some command
+outputfiles: /root/ #Output dir of some command
 disable_autofs: true
 disable_usb: true
 install_apparmor: true

handlers/main.yml

@@ -22,3 +22,11 @@
   service:
     name: rsyslog
     state: restarted
+- name: RestartChronyservice
+  service:
+    name: "chrony"
+    state: restarted
+- name:  reloadTimesyncd
+  service:
+    name:  systemd-timesyncd
+    state: restarted

tasks/section_1_Initial_Setup.yaml

@@ -748,35 +748,35 @@
 # overridden by the user.
 - name: 1.6.4 Ensure core dumps are restricted
   block:
-    - name: 1.6.4 Ensure core dumps are restricted
+    - name: 1.6.4 Ensure core dumps are restricted | sysctl
       sysctl:
         name: fs.suid_dumpable
         value: "0"
         state: present
         reload: true
         sysctl_set: true
         ignoreerrors: true
-    - name: 1.6.4 Ensure core dumps are restricted
+    - name: 1.6.4 Ensure core dumps are restricted | limits.conf
       lineinfile:
         dest: /etc/security/limits.conf
         line: "*                hard    core            0"
         regexp: '(^#)?\*\s+hard\s+core\s+[0-9]+'
         state: present
         create: true
         insertbefore: "# End of file"
-    - name: 1.6.4 Ensure core dumps are restricted
+    - name: 1.6.4 Ensure core dumps are restricted | apt
       apt:
         name: systemd-coredump
         state: present
-    - name: 1.6.4 Ensure core dumps are restricted
+    - name: 1.6.4 Ensure core dumps are restricted | coredump.conf
       lineinfile:
         dest: /etc/systemd/coredump.conf
         line: "Storage=none"
         regexp: '(^#)?\s*Storage\s*='
         state: present
         create: true
         insertbefore: "# End of file"
-    - name: 1.6.4 Ensure core dumps are restricted
+    - name: 1.6.4 Ensure core dumps are restricted | coredump.conf
       lineinfile:
         dest: /etc/systemd/coredump.conf
         line: "ProcessSizeMax=0"
@@ -824,7 +824,6 @@
         dest: /etc/default/grub
         regexp: '^(GRUB_CMDLINE_LINUX=(?!.*apparmor)\"[^\"]*)(\".*)'
         replace: '\1 apparmor=1 security=apparmor\2'
-        follow: true
       register: output_1_7_1_2
     - name: 1.7.1.2 Ensure AppArmor is enabled in the bootloader configuration | reload
       shell: |