Clean Code
This commit is contained in:
dsk-minchulahn
@@ -1,3 +0,0 @@
|
||||
[defaults]
|
||||
host_key_checking=False
|
||||
|
||||
@@ -1,95 +0,0 @@
|
||||
---
|
||||
- hosts: bastion
|
||||
become: true
|
||||
gather_facts: true
|
||||
roles:
|
||||
- role: bastion
|
||||
vars:
|
||||
- sshmainport: 2222
|
||||
admin_users:
|
||||
- name: "minchulahn"
|
||||
ip: "10.20.142.22"
|
||||
description: "안민철"
|
||||
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKDxtkcfx2ITlT2Yh7ZCT79do/25YQ2vROz38m8veAuBhOw+75oZJ4nN//zOWaaMvpC3Z7NIzOR+3UeukhnLZ591q8AaHcKjV8JEJMo2pvpH1vdLcTL9baLqWrxzgRimnZUNf5n5HNr+AKoXuPp//aVSJSoeznb66r04/rJSetT0QGDC8Kj5Q+MNvdd0/3U/nu7JxW9LIEaLoeiX6mVb4PpV7kl3rI3Vut/GnWakOhbS4yNvIFdR6d8rv305/BXJOz/aWy+0j7qK+NBzbSsI/l0vVUHfeD3whYGePCpWmj73ZsMTMjIjrC8DpRQlOJlAZ0GVpQnd/ayIWi4+V8VjvFcd6vSqrhhsNoOyo0Y/6cyO6iyvKqohMK6+HF1w6aXoaGCFFSl/3gw63saNAsdZPArnwf5yZ6GfPa/9bRn2k9g5xfp97Itpo6Iqq+PuRcZOes0EiIQe2hOoYQEIHIRhf8CZ+Xf6W1+XZB+WxEzUe4GCCwgUdTB6RIr4ThDxwCBV0="
|
||||
|
||||
- name: "havelight"
|
||||
ip: "10.20.142.21"
|
||||
description: "정재희"
|
||||
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDUAppqxDLltrMsYMwIxGi0FA5STA/R+H6oy7myfiJP2Lt4woCogMi3ELVKEhFkeJx4i8y9G80lynEYCHRH1kAQ/7YaJEVFrPXTvBw+OVxYdVS/gLl0rL89ky+n0dv6A9mancrvUOMacI5aN7/W+EhoLohRjRbWlsPGNnvAmO0AZnt595aMUjFkdhusGyBVunDUFSitj9TFkjxDhr6cx8Bi0FLpvdsoAvfqiw/MVKW2pMgj56AT5UCT0wvtSHSNY/C731jP/RKrxP0fnVhIkVys/XmLV/6SVEqL1XwqMTvRfi5+Q8cPsXrnPuUFHiNN4e/MGJkYi0lg7XbX8jDXv3ybdxZ7lGiUDebxjTKBCCghFae3eAwpJADEDfrzb8DHJZFwJVVdKGXvStTWTibcs14ilRPcB4SWIBx/cFCzwOBK/iw8CfEfsbVe6WQbDc4T4LrgL8cUzHPOO8CQcC4DV/O3BuoqQExu6xTmU8rhLT9kgatIdX0K5jgGbuqz7c2lelU="
|
||||
|
||||
- name: "sa_8001"
|
||||
ip: "10.20.142.50"
|
||||
description: "변정훈"
|
||||
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCgvFtLP7A1bR2ANxHiyTalgaI2pvxnCAzsqTAAh/+egIOi2vUIC2jRWGQXyoiTlupdNWQli2D93tEJBvG3VO5LOVocOHsFnFcV8RsiR4QGhqMeXRfMBWbf7Prby0qWv/VQ00gNWEgEjZUhOfBQeJsozGTd3dS4AgRnQkQmnvCT6TWD7+GwMg1SDlu/23y5aKLmpLkVT9kEG3yxZ3rWQfepjAubt+/saZPtyhkmc9+qhe2K+6PCZU2MCh6TYoKrcRUhVaJLvWqS35/Cv/9oxLg7lZwsasHFO9ANXWV9gBelCXLpYosN5hylUvl4JmSN+/qiOH3hpEbOtTCY/ZU0o1/xXLr0pmbYpZoT6zMKZ5fkweW7xidrg/bI1s/4+DVf4c/NJehw4PL3sqRmVdJsriFUifywh05Up5j1NQANiFlFngwEWy81cWRyvSL5q/plJHSvpd6g+WbsyC/QqYNAhxjnEosOb52QGZmLL7GqaC1hdKDOlJYZK63EBQ8YpHqGHo0="
|
||||
|
||||
allow_users:
|
||||
- name: "wkd1994"
|
||||
ip: "10.20.142.28"
|
||||
description: "김동우"
|
||||
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDtmuAhVVyVJ87+t2xVtiS3bvTxxn0dmD7t4D2iSvSErIjRsXRCPLdc/yGWiezj+oVZtRPLJ2mjKToGUerdkcW8oqiQeL0+x/CjdlS2rQXvQa2HXCjB+MejwZyJ2bl7VDtIMdLianJBn7+XVc48+bIf7yait8yVH1aVWcS/AXOSo9LwX/uNW5VCL5BeXSGwXdwkuhjeJurR4WIVSBXuh1ql5Vy6BdSxcmLMihNlIL/DyuzfPLuQZbuSeaJ7eJKiHu63/SwBA1cPzj9tgI7zNvguapIHKXvoK8n5gNUXVRDGnD4J6xbzUQB3DbU8kaz7pDClxzgpkf3MnvP9QvnTyqV+aftYlb02as0PrwIxlTlW/sBxyEGdFe+JwoTctHkrSfp0lYRpyCv3eXJcdDu2l3dTJXAHlpcJuQRH2j9herURxML0w6re1iKJ8MAjOqUvh+B3A1U3x116zEGdsCNCRcfwehEir7fmGKaPvrmOiDOTlNswdL/OJ1RHKFuEZJPlUr8="
|
||||
|
||||
- name: "djkim"
|
||||
ip: "10.20.142.36"
|
||||
description: "김득진"
|
||||
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC9Go9pLADJUQtq+ptTAcSIpi+VYv5/Kik0lBuV8xEc++vNtix5kwi+XSsNShHM3MVeiE8J27rYfyNn79r5pVKMuasMRyP3mTDZtRKr7/piM8MXuGSu1jCsVrTBZX0Sf4wuOA1tSkG9QgjBMZfvE9jOSYozA1K85mVE28m2rTihPnL5zYsDKnx+xIcwUBTpkOCoHiAfAX9b5ADAfScJigSZDjFLvexJ1aapPV2Iajh8huIhWvCUhrqUv/ldUm+b1iiOT7GXdrM/cam3FnLZ0b5KI9CQb7084+4l0BlmtPkuFcIlTDm1K6YO7+Mewd+F9uQZwvxGuElBPg8NVgFLD7+nrf2VlJYYCAeChyDV5+ZD70pSTcvHpJbmLKMtRFGov73ZPJ3vld9XCGUCajaoZz5Kz+ANmSC9nl3FpxnYgvFWfS7iwyC+VkGRKUg96/crXz4D8fW/wIskt+3cVrW9Z66psH41ll979mC8xly0ITWwbQZv7rvbdWSDVKVRgbXQOSc="
|
||||
|
||||
- name: "sanghee1357"
|
||||
ip: "10.20.142.40"
|
||||
description: "김상희"
|
||||
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC45maYW137cwvdS8AE9UzNHq9AMYrkEJtoNDAOVkUXtpVQITqvBCc4B4FfR5JK2h+imnBDng5fu728YAB7q31BE3Wub8I+QWhnQgv+kH1yMWj2s329tkHvcyNWIHSBqw4z1N74Zba+7mojKioju27HdcRcN1L7tpXSCHrq5bU6++CMShpZ7a3wo20RfikFWd563Y15mE3uDqlbkcuzE0KGSNrdY6Gy9aiE3/poVQRLaCmXnUKNw9wM3UGN9DanJi6iosXrlZRkpwhV+tHh2x+BWCbyY8jj94RDJgMwoKw71tzlEp+B1k6a7g+lEo3KFP//3PQxc9fdKBdg1YzSAKGKjsqATEVclmQHVskk6wZQC/wcjFxrSOreSp6knswX9AhIvGhMtoVo9iMy9cm+F4AauzjjfszCMO484983hIYwsh321VB14Wg7NroCYMUh7krATeKmNWhK0YicYCXINVMphBAcXFhuJduPejz19ZN356t+F/LDqlCxW7kO9QfYUy0="
|
||||
|
||||
- name: "jinbekim"
|
||||
ip: "10.10.142.48"
|
||||
description: "김진범"
|
||||
|
||||
- name: "bypark"
|
||||
ip: "10.20.142.26"
|
||||
description: "박병욱"
|
||||
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCZig/9xMWR3QhwHPbkvY2b9nmHiWkJHgnztGfIyxVTmkcsr9QViIvNUINlRBlE2+I5j7R2+0qI5GkAYndJsQoZiZ3iPqxnM5KdB9bEbWS5Tv7pbGyHyzaYPMUS3g6ZRMKnbJlAmhOLuq4TNYaUSESvaiYbCbaZK2JdsfPtSC99Gez6+HNoapILeg6xkxLnMsgUG6QzGaZyRABlPRbctGfx2U7cYe/7b7T+/yNtMU2FKrAJqcy0S1IUzc/dK2m5SQ3Y2GMohuGkv8mfs16i0wi3LfgEIatsmj2KB7Y7lIYW/GEZA2I+K2uH9Pu+F/kmGvAu5jNd1ztSo9MgElyu2NMXYhM3f/eDD+PdHKjUvOtE5twNBHQooPjBpp/mja4hnxLKepTqgP1t6azncPB8m6jC6MTbkhOHpgSNXurhx0kCurLA+l9KaySidhc0mFNJZGRKAhQoMIDFgXlzkZ4GmmtbfOJ/J1k7QqHZya5x6M4mOfvlPECFKVF24vzJVEulY3E="
|
||||
|
||||
- name: "joonsoopark"
|
||||
ip: "10.20.142.33"
|
||||
description: "박준수"
|
||||
key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICeOzKeL4ZUXw0lEHDZoBsp7M3oobrBI0sWBHdpk0X0T"
|
||||
|
||||
- name: "baekchan1024"
|
||||
ip: "10.20.142.39"
|
||||
description: "백승찬"
|
||||
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDaqqy9YVwxh37xOU0nytBPd6GEJe30e1L/K5UXDZToteNebyfQrtFogxB6MpMNaAzAk6qbyPuZA3rgP8Y+qXgRlx88cxje5P5yOCsMW2o3xD5PiJ7lluWQ9tlS5ti4B9EWurJOsGF27XKKuSHN+dx9ZIb4sDqLYzmycPNwFaEtH6GQ2vjqpPMfjmKAuYmKD4L7mdA8lXTiRS2uYDkUxwQ+6PU+axTauD9qsXuGDAnGkVHKNE0o9OCf1uoyOhy6EB2sDz5Pymr7fbRJauWNxuSJdYPKY33GdDKpioP/1nRLSLtr1nvLHVrG/5CSNO1x20WYXFEGoMTzW4T5nYSS61apHkQ/0Csv0LBeHPc9gsMPobNJpIYlvGwdODQ+fpgxyB4SAQJKtQR1YB4w5OVtXVZAMvZZKI9gQQHZ8wQ4Zk0erGxKeyLxnDrKKNHLRPyUrjkL7H2a0i8BGpdk8sxW9NVrJJGgmQQiPbJx0yvIi1n55mUq+ZVjiF5qPvxtc5D133k="
|
||||
|
||||
- name: "jungry"
|
||||
ip: "10.20.142.44"
|
||||
description: "서정우"
|
||||
|
||||
- name: "ose"
|
||||
ip: "10.20.142.34"
|
||||
description: "오승은"
|
||||
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDAlYSGJZpOOEPZqIa1/CXxiaUNj1wsgkp0kEyD2SX8r7ovwmSAWCS24v/IOSgsUTFRpL64vIeCtcZ8sj4Hwzd3F2h+carQP0v+leCkzPpQ7aP/BoPS27+fSCzaOZv/QJ+eIcXWHIbWkXf6MYQ35PykDeJIO61OMOlWhpNV425VSwfZoB72xZmEH+rIZjXHHs8vYtIG2sXZE22BLiVw6PEL/C4QB2khBT5ZAjX2xGEzUoSknzva/8Uu20adQBalFTIdyLV7V6CxkIPkSgfmZh/fqXfbfPsxHLPK2o2ueGbx3fcN3kAqFrqpJgjEIZmNj6qhVPtbN5TSUyIjtoPhC4JR0heqckz1qLah+8lSiUfHSblGW89QuUcedHdwHp/RiZW6HQO0cqS/QPNcgPLTiv68voBapS9rav+j0tt1RynNY+AdhCOoo4BbGW0pXqi0vaHzbbfbzxp78kx/7/KXmUHkzGSkmlXVbKqzDm5k/kRn0q4pimDun42b+MjNYu3gZz0="
|
||||
|
||||
- name: "gurwns1540"
|
||||
ip: "10.20.142.35"
|
||||
description: "윤혁준"
|
||||
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1+kC8LzDxwc4gfiGzUQH+CeKGf+elX3oKciMmLQJmpddlcWuRthq1pszufHjypT/FfC/XVLZkGvjMDJUWro/Pen3RcdTcENteVZO/nzQ89nmS/D3tbg6nVWxiast6bDdSEdPF8CKSUAlA+8hTgSCWou7TtOuWGCKj+6HSHctBA41WFLpYInYHWTnC+LY1nwOurjG4qjmgdEzBXMhLWvuZDVE21oIUMEXbjW1dXhHNMKfyn/mUqSSG9zoXZSK0KB8OHhBsbxzFqu5cXC1TTpJOyX05730LUdwF9MevreUS3ws5NY8h0C6EVAOMQqeH5gkwVTHsyXQHtXB9nGI1g7sMIjEzJHkOygK17nAfapWhGFahhaaq42qdo7N3Pj8IjrY3S9EDXnPtQODROj3JVzo3Sgd2FUKDcAIWwJHMAwkaFqciPGIrj4ib81NbOoWn7oCjbIyDxgoxSp1vpW7C25rL22LtrCHyMWPbhV19FJIZqtg7f94JptzLND1pHDnsnfeNAxz9d6oKdcJW5bXUDeDCQxBio1RBF6nNzSRoiD0+FD29of9wNWRd2cBkR8uJV7P9XfXMzMK5q7Wqte/DABs3wJ3v/cth6kPrRV7j2h+4DGbEj5Mpz8XAFnGkZFmd/UiSbNqRBLKmp0lPpyxZrRU00xuqJ51pYB2wMwkQgOIVuw=="
|
||||
|
||||
- name: "yyeun"
|
||||
ip: "10.20.142.45"
|
||||
description: "이예은"
|
||||
|
||||
- name: "sujung"
|
||||
ip: "10.20.142.27"
|
||||
description: "정성락"
|
||||
key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbI5DjRkABz65NnREzf5HKKIMPrIA4DrnDDXTrjnRH8"
|
||||
|
||||
- name: "antcho"
|
||||
ip: "10.20.142.46"
|
||||
description: "조혜수"
|
||||
|
||||
- name: "stdhsw"
|
||||
ip: "10.20.142.32"
|
||||
description: "한승우"
|
||||
key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANTMTgqbTtIKKRsZU9An9D3La9Fh1bUtiLE/Y0nL4CZ"
|
||||
|
||||
- name: "seungjinjeong"
|
||||
ip: "10.20.142.41"
|
||||
description: "정승진"
|
||||
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDi8funYVM0eRmfplW5EdnfJOFEVDEMMw08VRn6FD9x9VuNWCEkY3iErzekBY2SRat8g6q0VXRyu7b/bhm/kD+BtI79fmz9FKxslTZCeKKN1KWfoZoXSRnvjOX1Y6NDnY2X5M+3kN40ek9ku6abN6lOtInTXJ1QOJIISa8l6vrB/j1xVVZghTYY5MBMc89cRZESGdBZWld0CtmoM+mnjh5vWCCA3VJTcDbj5LKtWllA6t58KwtGBikr8iaOpi83dQ91eXWzxTttl/LCe9bfgSxYlmvZILn0UZMu1WiWBhlIBzC6RlxorkDVRXcSRjguEt+/ys2rv6UTSkm150O4PgjgxlZPmTJt1m5y/St57LELUVbV6XGSq6+eZNTZOYBxxRkKcV0uByCBjxjsVlMmoEZoxedhSVT1Z8/AiMnjPBjXx2ease04EvtZs6rpDRd0puzcx1TKoCkyak60ymxc91X9lQg3kUl0av/G5kMKJQqW6v31GA1Vnh4K9haCVF/Ki/M="
|
||||
@@ -1,6 +0,0 @@
|
||||
[datasaker-demo]
|
||||
10.10.43.100
|
||||
10.10.43.101
|
||||
|
||||
[bastion]
|
||||
10.10.43.43 ansible_port=2222 ansible_user=havelight
|
||||
@@ -1,3 +0,0 @@
|
||||
[host]
|
||||
10.10.43.[100:101] ansible_user=root
|
||||
10.10.43.[110:153]
|
||||
@@ -1,6 +0,0 @@
|
||||
---
|
||||
- name: check ls
|
||||
hosts: all
|
||||
become: true
|
||||
roles:
|
||||
- node
|
||||
@@ -1,48 +0,0 @@
|
||||
# Password aging settings
|
||||
os_auth_pw_max_age: 90
|
||||
os_auth_pw_min_age: 1
|
||||
os_auth_pw_warn_age: 7
|
||||
passhistory: 2
|
||||
|
||||
# Inactivity and Failed attempts lockout settings
|
||||
fail_deny: 5
|
||||
fail_unlock: 0
|
||||
inactive_lock: 0
|
||||
shell_timeout: 300
|
||||
|
||||
# tally settings
|
||||
onerr: 'fail'
|
||||
deny: 5
|
||||
unlock_time: 300
|
||||
|
||||
# Password complexity settings
|
||||
pwquality_minlen: 9
|
||||
pwquality_maxrepeat: 3
|
||||
pwquality_lcredit: -1
|
||||
pwquality_ucredit: -1
|
||||
pwquality_dcredit: -1
|
||||
pwquality_ocredit: -1
|
||||
|
||||
# SSH settings
|
||||
sshrootlogin: 'yes'
|
||||
sshmainport: 22
|
||||
ssh_service_name: sshd
|
||||
|
||||
# Crictl setup
|
||||
crictl_app: crictl
|
||||
crictl_version: 1.25.0
|
||||
crictl_os: linux
|
||||
crictl_arch: amd64
|
||||
crictl_dl_url: https://github.com/kubernetes-sigs/cri-tools/releases/download/v{{ crictl_version }}/{{ crictl_app }}-v{{ crictl_version }}-{{ crictl_os }}-{{ crictl_arch }}.tar.gz
|
||||
crictl_bin_path: /usr/local/bin
|
||||
crictl_file_owner: root
|
||||
crictl_file_group: root
|
||||
|
||||
# temp
|
||||
username: root
|
||||
password: saasadmin1234
|
||||
|
||||
# common user flag
|
||||
common_user: False
|
||||
|
||||
pause_time: 1
|
||||
@@ -1,20 +0,0 @@
|
||||
#!/bin/sh
|
||||
printf '''
|
||||
|-----------------------------------------------------------------|
|
||||
| This system is for the use of authorized users only. |
|
||||
| Individuals using this computer system without authority, or in |
|
||||
| excess of their authority, are subject to having all of their |
|
||||
| activities on this system monitored and recorded by system |
|
||||
| personnel. |
|
||||
| |
|
||||
| In the course of monitoring individuals improperly using this |
|
||||
| system, or in the course of system maintenance, the activities |
|
||||
| of authorized users may also be monitored. |
|
||||
| |
|
||||
| Anyone using this system expressly consents to such monitoring |
|
||||
| and is advised that if such monitoring reveals possible |
|
||||
| evidence of criminal activity, system personnel may provide the |
|
||||
| evidence of such monitoring to law enforcement officials. |
|
||||
|-----------------------------------------------------------------|
|
||||
'''
|
||||
|
||||
@@ -1,6 +0,0 @@
|
||||
---
|
||||
- name: restart sshd
|
||||
service:
|
||||
name: "{{ ssh_service_name }}"
|
||||
state: restarted
|
||||
enabled: true
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
- name: user change
|
||||
user:
|
||||
name: "{{ username }}"
|
||||
password: "{{ password | password_hash('sha512') }}"
|
||||
state: present
|
||||
|
||||
@@ -1,29 +0,0 @@
|
||||
---
|
||||
- name: Create a tar.gz archive of a single file.
|
||||
archive:
|
||||
path: /etc/update-motd.d/*
|
||||
dest: /etc/update-motd.d/motd.tar.gz
|
||||
format: gz
|
||||
force_archive: true
|
||||
|
||||
- name: remove a motd.d files
|
||||
file:
|
||||
path: /etc/update-motd.d/{{ item }}
|
||||
state: absent
|
||||
with_items:
|
||||
- 10-help-text
|
||||
- 85-fwupd
|
||||
- 90-updates-available
|
||||
- 91-release-upgrade
|
||||
- 95-hwe-eol
|
||||
- 98-fsck-at-reboot
|
||||
- 50-motd-news
|
||||
- 88-esm-announce
|
||||
|
||||
- name: Create login banner
|
||||
copy:
|
||||
src: login_banner
|
||||
dest: /etc/update-motd.d/00-header
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
@@ -1,19 +0,0 @@
|
||||
---
|
||||
- name: Downloading and extracting {{ crictl_app }} {{ crictl_version }}
|
||||
unarchive:
|
||||
src: "{{ crictl_dl_url }}"
|
||||
dest: "{{ crictl_bin_path }}"
|
||||
owner: "{{ crictl_file_owner }}"
|
||||
group: "{{ crictl_file_group }}"
|
||||
extra_opts:
|
||||
- crictl
|
||||
remote_src: yes
|
||||
|
||||
- name: Crictl command crontab setting
|
||||
ansible.builtin.cron:
|
||||
name: crontab command
|
||||
minute: "0"
|
||||
hour: "3"
|
||||
user: root
|
||||
job: "/usr/local/bin/crictl rmi --prune"
|
||||
|
||||
@@ -1,48 +0,0 @@
|
||||
---
|
||||
- name: Set pass max days
|
||||
lineinfile:
|
||||
dest: /etc/login.defs
|
||||
state: present
|
||||
regexp: '^PASS_MAX_DAYS.*$'
|
||||
line: "PASS_MAX_DAYS\t{{os_auth_pw_max_age}}"
|
||||
backrefs: yes
|
||||
|
||||
- name: Set pass min days
|
||||
lineinfile:
|
||||
dest: /etc/login.defs
|
||||
state: present
|
||||
regexp: '^PASS_MIN_DAYS.*$'
|
||||
line: "PASS_MIN_DAYS\t{{os_auth_pw_min_age}}"
|
||||
backrefs: yes
|
||||
|
||||
- name: Set pass min length
|
||||
lineinfile:
|
||||
dest: /etc/login.defs
|
||||
state: present
|
||||
regexp: '^PASS_MIN_LEN.*$'
|
||||
line: "PASS_MIN_LEN\t{{pwquality_minlen}}"
|
||||
backrefs: yes
|
||||
|
||||
- name: Set pass warn days
|
||||
lineinfile:
|
||||
dest: /etc/login.defs
|
||||
state: present
|
||||
regexp: '^PASS_WARN_AGE.*$'
|
||||
line: "PASS_WARN_AGE\t{{os_auth_pw_warn_age}}"
|
||||
backrefs: yes
|
||||
|
||||
- name: Set password encryption to SHA512
|
||||
lineinfile:
|
||||
dest: /etc/login.defs
|
||||
state: present
|
||||
regexp: '^ENCRYPT_METHOD\s.*$'
|
||||
line: "ENCRYPT_METHOD\tSHA512"
|
||||
backrefs: yes
|
||||
|
||||
- name: Disable MD5 crypt explicitly
|
||||
lineinfile:
|
||||
dest: /etc/login.defs
|
||||
state: present
|
||||
regexp: '^MD5_CRYPT_ENAB.*$'
|
||||
line: "MD5_CRYPT_ENAB NO"
|
||||
backrefs: yes
|
||||
@@ -1,12 +0,0 @@
|
||||
---
|
||||
- pause:
|
||||
seconds: "{{ pause_time }}"
|
||||
|
||||
- include: sshd_config.yml
|
||||
tags: sshd_config
|
||||
|
||||
- include: sudoers.yml
|
||||
tags: sudoers
|
||||
|
||||
- include: admin_set.yml
|
||||
tags: admin_set
|
||||
@@ -1,50 +0,0 @@
|
||||
---
|
||||
- name: Add pam_tally2.so
|
||||
template:
|
||||
src: common-auth.j2
|
||||
dest: /etc/pam.d/common-auth
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
|
||||
- name: Create pwquality.conf password complexity configuration
|
||||
block:
|
||||
- apt:
|
||||
name: libpam-pwquality
|
||||
state: present
|
||||
install_recommends: false
|
||||
- template:
|
||||
src: pwquality.conf.j2
|
||||
dest: /etc/security/pwquality.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
|
||||
- name: Add pam_tally2.so
|
||||
block:
|
||||
- lineinfile:
|
||||
dest: /etc/pam.d/common-account
|
||||
regexp: '^account\srequisite'
|
||||
line: "account requisite pam_deny.so"
|
||||
|
||||
- lineinfile:
|
||||
dest: /etc/pam.d/common-account
|
||||
regexp: '^account\srequired'
|
||||
line: "account required pam_tally2.so"
|
||||
|
||||
- name: password reuse is limited
|
||||
lineinfile:
|
||||
dest: /etc/pam.d/common-password
|
||||
line: "password required pam_pwhistory.so remember=5"
|
||||
|
||||
- name: password hashing algorithm is SHA-512
|
||||
lineinfile:
|
||||
dest: /etc/pam.d/common-password
|
||||
regexp: '^password\s+\[success'
|
||||
line: "password [success=1 default=ignore] pam_unix.so sha512"
|
||||
|
||||
- name: Shadow Password Suite Parameters
|
||||
lineinfile:
|
||||
dest: /etc/pam.d/common-password
|
||||
regexp: '^password\s+\[success'
|
||||
line: "password [success=1 default=ignore] pam_unix.so sha512"
|
||||
@@ -1,24 +0,0 @@
|
||||
---
|
||||
- name: Set session timeout
|
||||
lineinfile:
|
||||
dest: /etc/profile
|
||||
regexp: '^TMOUT=.*'
|
||||
insertbefore: '^readonly TMOUT'
|
||||
line: 'TMOUT={{shell_timeout}}'
|
||||
state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
|
||||
|
||||
- name: Set TMOUT readonly
|
||||
lineinfile:
|
||||
dest: /etc/profile
|
||||
regexp: '^readonly TMOUT'
|
||||
insertafter: 'TMOUT={{shell_timeout}}'
|
||||
line: 'readonly TMOUT'
|
||||
state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
|
||||
|
||||
- name: Set export TMOUT
|
||||
lineinfile:
|
||||
dest: /etc/profile
|
||||
regexp: '^export TMOUT.*'
|
||||
insertafter: 'readonly TMOUT'
|
||||
line: 'export TMOUT'
|
||||
state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
|
||||
@@ -1,30 +0,0 @@
|
||||
---
|
||||
- name: Configure ssh root login to {{sshrootlogin}}
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(#)?PermitRootLogin.*'
|
||||
line: 'PermitRootLogin {{sshrootlogin}}'
|
||||
insertbefore: '^Match.*'
|
||||
state: present
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
notify: restart sshd
|
||||
|
||||
- name: SSH Listen on Main Port
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
insertbefore: '^#*AddressFamily'
|
||||
line: 'Port {{sshmainport}}'
|
||||
state: present
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
notify: restart sshd
|
||||
|
||||
- name: "Setting sshd allow users"
|
||||
template:
|
||||
src: allow_users.j2
|
||||
dest: "/etc/ssh/sshd_config.d/allow_users.conf"
|
||||
notify: restart sshd
|
||||
|
||||
@@ -1,107 +0,0 @@
|
||||
---
|
||||
- name: Get all ssh sessions
|
||||
shell: ps -ef | grep sshd | grep -v root | grep -v "{{ ansible_user }}" | awk '{print $2}'
|
||||
register: ssh_sessions
|
||||
ignore_errors: true
|
||||
|
||||
- name: Terminate ssh sessions
|
||||
shell: kill -9 {{ item }}
|
||||
with_items: "{{ ssh_sessions.stdout_lines }}"
|
||||
when: ssh_sessions is defined
|
||||
ignore_errors: true
|
||||
|
||||
- name: "Create devops group"
|
||||
ansible.builtin.group:
|
||||
name: "devops"
|
||||
state: present
|
||||
|
||||
- name: "get current users"
|
||||
shell: "cat /etc/passwd | egrep -iv '(false|nologin|sync|root|dev2-iac)' | awk -F: '{print $1}'"
|
||||
register: deleting_users
|
||||
|
||||
- name: "Delete users"
|
||||
ansible.builtin.user:
|
||||
name: "{{ item }}"
|
||||
state: absent
|
||||
remove: yes
|
||||
with_items: "{{ deleting_users.stdout_lines }}"
|
||||
when: item != ansible_user
|
||||
ignore_errors: true
|
||||
|
||||
|
||||
- name: "Create admin user"
|
||||
ansible.builtin.user:
|
||||
name: "{{ item.name }}"
|
||||
group: "devops"
|
||||
shell: "/bin/bash"
|
||||
system: yes
|
||||
state: present
|
||||
with_items: "{{ admin_users }}"
|
||||
when:
|
||||
- item.name is defined
|
||||
ignore_errors: true
|
||||
|
||||
- name: "admin user password change"
|
||||
user:
|
||||
name: "{{ item.name }}"
|
||||
password: "{{ password | password_hash('sha512') }}"
|
||||
state: present
|
||||
with_items: "{{ admin_users }}"
|
||||
when:
|
||||
- item.name is defined
|
||||
ignore_errors: true
|
||||
|
||||
- name: "Add admin user key"
|
||||
authorized_key:
|
||||
user: "{{ item.name }}"
|
||||
state: present
|
||||
key: "{{ item.key }}"
|
||||
with_items: "{{ admin_users }}"
|
||||
when:
|
||||
- item.name is defined
|
||||
- item.key is defined
|
||||
- common_user == True
|
||||
ignore_errors: true
|
||||
|
||||
|
||||
- name: "Create common user"
|
||||
ansible.builtin.user:
|
||||
name: "{{ item.name }}"
|
||||
group: "users"
|
||||
shell: "/bin/bash"
|
||||
system: yes
|
||||
state: present
|
||||
with_items: "{{ allow_users }}"
|
||||
when:
|
||||
- item.name is defined
|
||||
- common_user == True
|
||||
ignore_errors: true
|
||||
|
||||
- name: "Change common user password change"
|
||||
user:
|
||||
name: "{{ item.name }}"
|
||||
password: "{{ password | password_hash('sha512') }}"
|
||||
state: present
|
||||
with_items: "{{ allow_users }}"
|
||||
when:
|
||||
- item.name is defined
|
||||
- common_user == True
|
||||
ignore_errors: true
|
||||
|
||||
- name: "Add common user key"
|
||||
authorized_key:
|
||||
user: "{{ item.name }}"
|
||||
state: present
|
||||
key: "{{ item.key }}"
|
||||
with_items: "{{ allow_users }}"
|
||||
when:
|
||||
- item.name is defined
|
||||
- item.key is defined
|
||||
- common_user == True
|
||||
ignore_errors: true
|
||||
|
||||
- name: "Setting sudoers allow users"
|
||||
template:
|
||||
src: sudoers_users.j2
|
||||
dest: "/etc/sudoers.d/sudoers_users"
|
||||
ignore_errors: true
|
||||
@@ -1,11 +0,0 @@
|
||||
AllowUsers dev2-iac@10.10.43.*
|
||||
{% if admin_users is defined %}
|
||||
{% for user in admin_users %}
|
||||
AllowUsers {{ user.name }}@{{ user.ip }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if allow_users is defined %}
|
||||
{% for user in allow_users %}
|
||||
AllowUsers {{ user.name }}@{{ user.ip }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
@@ -1,27 +0,0 @@
|
||||
#
|
||||
# /etc/pam.d/common-auth - authentication settings common to all services
|
||||
#
|
||||
# This file is included from other service-specific PAM config files,
|
||||
# and should contain a list of the authentication modules that define
|
||||
# the central authentication scheme for use on the system
|
||||
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
|
||||
# traditional Unix authentication mechanisms.
|
||||
#
|
||||
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
|
||||
# To take advantage of this, it is recommended that you configure any
|
||||
# local modules either before or after the default block, and use
|
||||
# pam-auth-update to manage selection of other modules. See
|
||||
# pam-auth-update(8) for details.
|
||||
auth required pam_tally2.so onerr={{onerr}} even_deny_root deny={{deny}} unlock_time={{unlock_time}}
|
||||
|
||||
# here are the per-package modules (the "Primary" block)
|
||||
auth [success=1 default=ignore] pam_unix.so nullok
|
||||
# here's the fallback if no module succeeds
|
||||
auth requisite pam_deny.so
|
||||
# prime the stack with a positive return value if there isn't one already;
|
||||
# this avoids us returning an error just because nothing sets a success code
|
||||
auth required pam_permit.so
|
||||
# since the modules above will each just jump around
|
||||
# and here are more per-package modules (the "Additional" block)
|
||||
auth optional pam_cap.so
|
||||
# end of pam-auth-update config
|
||||
@@ -1,50 +0,0 @@
|
||||
# Configuration for systemwide password quality limits
|
||||
# Defaults:
|
||||
#
|
||||
# Number of characters in the new password that must not be present in the
|
||||
# old password.
|
||||
# difok = 5
|
||||
#
|
||||
# Minimum acceptable size for the new password (plus one if
|
||||
# credits are not disabled which is the default). (See pam_cracklib manual.)
|
||||
# Cannot be set to lower value than 6.
|
||||
minlen = {{pwquality_minlen}}
|
||||
#
|
||||
# The maximum credit for having digits in the new password. If less than 0
|
||||
# it is the minimum number of digits in the new password.
|
||||
dcredit = {{pwquality_dcredit}}
|
||||
#
|
||||
# The maximum credit for having uppercase characters in the new password.
|
||||
# If less than 0 it is the minimum number of uppercase characters in the new
|
||||
# password.
|
||||
ucredit = {{pwquality_ucredit}}
|
||||
#
|
||||
# The maximum credit for having lowercase characters in the new password.
|
||||
# If less than 0 it is the minimum number of lowercase characters in the new
|
||||
# password.
|
||||
lcredit = {{pwquality_lcredit}}
|
||||
#
|
||||
# The maximum credit for having other characters in the new password.
|
||||
# If less than 0 it is the minimum number of other characters in the new
|
||||
# password.
|
||||
ocredit = {{pwquality_ocredit}}
|
||||
#
|
||||
# The minimum number of required classes of characters for the new
|
||||
# password (digits, uppercase, lowercase, others).
|
||||
# minclass = 0
|
||||
#
|
||||
# The maximum number of allowed consecutive same characters in the new password.
|
||||
# The check is disabled if the value is 0.
|
||||
maxrepeat = {{pwquality_maxrepeat}}
|
||||
#
|
||||
# The maximum number of allowed consecutive characters of the same class in the
|
||||
# new password.
|
||||
# The check is disabled if the value is 0.
|
||||
# maxclassrepeat = 0
|
||||
#
|
||||
# Whether to check for the words from the passwd entry GECOS string of the user.
|
||||
# The check is enabled if the value is not 0.
|
||||
# gecoscheck = 0
|
||||
#
|
||||
# Path to the cracklib dictionaries. Default is to use the cracklib default.
|
||||
# dictpath =
|
||||
@@ -1,6 +0,0 @@
|
||||
dev2-iac ALL=(ALL) NOPASSWD: ALL
|
||||
{% if allow_users is defined %}
|
||||
{% for user in admin_users %}
|
||||
{{ user.name }} ALL=(ALL) NOPASSWD: ALL
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
@@ -1,12 +0,0 @@
|
||||
---
|
||||
- name: echo hello
|
||||
command: echo "Not Valid Ruby Version"
|
||||
|
||||
- name: Update apt repo and cache on all Debian/Ubuntu boxes
|
||||
apt: update_cache=yes cache_valid_time=3600
|
||||
|
||||
- name: Install cifs-utils
|
||||
apt: name=cifs-utils state=latest update_cache=yes
|
||||
|
||||
- name: Install nfs-common
|
||||
apt: name=nfs-common state=latest update_cache=yes
|
||||
@@ -1,43 +0,0 @@
|
||||
# Password aging settings
|
||||
os_auth_pw_max_age: 90
|
||||
os_auth_pw_min_age: 10
|
||||
os_auth_pw_warn_age: 7
|
||||
passhistory: 2
|
||||
|
||||
# Inactivity and Failed attempts lockout settings
|
||||
fail_deny: 5
|
||||
fail_unlock: 0
|
||||
inactive_lock: 0
|
||||
shell_timeout: 300
|
||||
|
||||
# tally settings
|
||||
onerr: 'fail'
|
||||
deny: 5
|
||||
unlock_time: 300
|
||||
|
||||
# Password complexity settings
|
||||
pwquality_minlen: 9
|
||||
pwquality_maxrepeat: 3
|
||||
pwquality_lcredit: -1
|
||||
pwquality_ucredit: -1
|
||||
pwquality_dcredit: -1
|
||||
pwquality_ocredit: -1
|
||||
|
||||
# SSH settings
|
||||
sshrootlogin: 'forced-commands-only'
|
||||
sshmainport: 22
|
||||
ssh_service_name: sshd
|
||||
|
||||
# Crictl setup
|
||||
crictl_app: crictl
|
||||
crictl_version: 1.25.0
|
||||
crictl_os: linux
|
||||
crictl_arch: amd64
|
||||
crictl_dl_url: https://github.com/kubernetes-sigs/cri-tools/releases/download/v{{ crictl_version }}/{{ crictl_app }}-v{{ crictl_version }}-{{ crictl_os }}-{{ crictl_arch }}.tar.gz
|
||||
crictl_bin_path: /usr/local/bin
|
||||
crictl_file_owner: root
|
||||
crictl_file_group: root
|
||||
|
||||
# temp
|
||||
username: root
|
||||
password: saasadmin1234!@#$
|
||||
@@ -1,2 +0,0 @@
|
||||
AllowUsers *@10.20.142.*
|
||||
AllowUsers *@10.10.43.*
|
||||
@@ -1,39 +0,0 @@
|
||||
version = 2
|
||||
root = "/var/lib/containerd"
|
||||
state = "/run/containerd"
|
||||
oom_score = 0
|
||||
|
||||
[grpc]
|
||||
max_recv_message_size = 16777216
|
||||
max_send_message_size = 16777216
|
||||
|
||||
[debug]
|
||||
level = "info"
|
||||
|
||||
[metrics]
|
||||
address = ""
|
||||
grpc_histogram = false
|
||||
|
||||
[plugins]
|
||||
[plugins."io.containerd.grpc.v1.cri"]
|
||||
sandbox_image = "registry.k8s.io/pause:3.7"
|
||||
max_container_log_line_size = -1
|
||||
enable_unprivileged_ports = false
|
||||
enable_unprivileged_icmp = false
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd]
|
||||
default_runtime_name = "runc"
|
||||
snapshotter = "overlayfs"
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
|
||||
runtime_type = "io.containerd.runc.v2"
|
||||
runtime_engine = ""
|
||||
runtime_root = ""
|
||||
base_runtime_spec = "/etc/containerd/cri-base.json"
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
|
||||
systemdCgroup = true
|
||||
[plugins."io.containerd.grpc.v1.cri".registry]
|
||||
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
|
||||
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
|
||||
endpoint = ["https://registry-1.docker.io"]
|
||||
|
||||
@@ -1,60 +0,0 @@
|
||||
version = 2
|
||||
root = "/var/lib/containerd"
|
||||
state = "/run/containerd"
|
||||
oom_score = 0
|
||||
|
||||
[grpc]
|
||||
max_recv_message_size = 16777216
|
||||
max_send_message_size = 16777216
|
||||
|
||||
[debug]
|
||||
level = "info"
|
||||
|
||||
[metrics]
|
||||
address = ""
|
||||
grpc_histogram = false
|
||||
|
||||
[plugins]
|
||||
[plugins."io.containerd.grpc.v1.cri"]
|
||||
sandbox_image = "registry.k8s.io/pause:3.7"
|
||||
max_container_log_line_size = -1
|
||||
enable_unprivileged_ports = false
|
||||
enable_unprivileged_icmp = false
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd]
|
||||
default_runtime_name = "runc"
|
||||
snapshotter = "overlayfs"
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
|
||||
runtime_type = "io.containerd.runc.v2"
|
||||
runtime_engine = ""
|
||||
runtime_root = ""
|
||||
base_runtime_spec = "/etc/containerd/cri-base.json"
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
|
||||
systemdCgroup = true
|
||||
[plugins."io.containerd.grpc.v1.cri".registry]
|
||||
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
|
||||
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
|
||||
endpoint = ["https://registry-1.docker.io"]
|
||||
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."10.10.31.243:5000"]
|
||||
endpoint = ["http://10.10.31.243:5000"]
|
||||
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."10.10.43.240:30500"]
|
||||
endpoint = ["http://10.10.43.240:30500"]
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".registry.headers]
|
||||
|
||||
[plugins."io.containerd.grpc.v1.cri".registry.configs]
|
||||
[plugins."io.containerd.grpc.v1.cri".registry.configs."10.10.31.243:5000".tls]
|
||||
insecure_skip_verify = true
|
||||
[plugins."io.containerd.grpc.v1.cri".registry.configs."10.10.31.243:5000".auth]
|
||||
username = "core"
|
||||
password = "coreadmin1234"
|
||||
[plugins."io.containerd.grpc.v1.cri".registry.configs."10.10.43.240:30500".tls]
|
||||
insecure_skip_verify = true
|
||||
[plugins."io.containerd.grpc.v1.cri".registry.configs."10.10.43.240:30500".auth]
|
||||
username = "dsk"
|
||||
password = "dskadmin1234"
|
||||
[plugins."io.containerd.grpc.v1.cri".registry.configs."docker.io".auth]
|
||||
username = "datasaker"
|
||||
password = "dckr_pat_kQP6vcHm_jMChWd_zvgH_G3kucc"
|
||||
|
||||
@@ -1,20 +0,0 @@
|
||||
#!/bin/sh
|
||||
printf '''
|
||||
|-----------------------------------------------------------------|
|
||||
| This system is for the use of authorized users only. |
|
||||
| Individuals using this computer system without authority, or in |
|
||||
| excess of their authority, are subject to having all of their |
|
||||
| activities on this system monitored and recorded by system |
|
||||
| personnel. |
|
||||
| |
|
||||
| In the course of monitoring individuals improperly using this |
|
||||
| system, or in the course of system maintenance, the activities |
|
||||
| of authorized users may also be monitored. |
|
||||
| |
|
||||
| Anyone using this system expressly consents to such monitoring |
|
||||
| and is advised that if such monitoring reveals possible |
|
||||
| evidence of criminal activity, system personnel may provide the |
|
||||
| evidence of such monitoring to law enforcement officials. |
|
||||
|-----------------------------------------------------------------|
|
||||
'''
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
#[Manager]
|
||||
#DefaultLimitNOFILE=65535:65535
|
||||
#DefaultLimitNPROC=65536:65536
|
||||
@@ -1,6 +0,0 @@
|
||||
---
|
||||
- name: restart sshd
|
||||
service:
|
||||
name: "{{ ssh_service_name }}"
|
||||
state: restarted
|
||||
enabled: true
|
||||
@@ -1,14 +0,0 @@
|
||||
---
|
||||
- name: key add
|
||||
authorized_key:
|
||||
user: ubuntu
|
||||
state: present
|
||||
key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
|
||||
manage_dir: False
|
||||
|
||||
- name: user change
|
||||
user:
|
||||
name: "{{ username }}"
|
||||
password: "{{ password | password_hash('sha512') }}"
|
||||
state: present
|
||||
|
||||
@@ -1,29 +0,0 @@
|
||||
---
|
||||
- name: Create a tar.gz archive of a single file.
|
||||
archive:
|
||||
path: /etc/update-motd.d/*
|
||||
dest: /etc/update-motd.d/motd.tar.gz
|
||||
format: gz
|
||||
force_archive: true
|
||||
|
||||
- name: remove a motd.d files
|
||||
file:
|
||||
path: /etc/update-motd.d/{{ item }}
|
||||
state: absent
|
||||
with_items:
|
||||
- 10-help-text
|
||||
- 85-fwupd
|
||||
- 90-updates-available
|
||||
- 91-release-upgrade
|
||||
- 95-hwe-eol
|
||||
- 98-fsck-at-reboot
|
||||
- 50-motd-news
|
||||
- 88-esm-announce
|
||||
|
||||
- name: Create login banner
|
||||
copy:
|
||||
src: login_banner
|
||||
dest: /etc/update-motd.d/00-header
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
@@ -1,47 +0,0 @@
|
||||
---
|
||||
|
||||
#- name: Downloading and extracting {{ crictl_app }} {{ crictl_version }}
|
||||
# unarchive:
|
||||
# src: "{{ crictl_dl_url }}"
|
||||
# dest: "{{ crictl_bin_path }}"
|
||||
# owner: "{{ crictl_file_owner }}"
|
||||
# group: "{{ crictl_file_group }}"
|
||||
# extra_opts:
|
||||
# - crictl
|
||||
# remote_src: yes
|
||||
|
||||
- name: Change containerd config
|
||||
copy:
|
||||
src: containerd_dsk_config.toml
|
||||
dest: /etc/containerd/config.toml
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
|
||||
- name: Restart service containerd
|
||||
ansible.builtin.systemd:
|
||||
state: restarted
|
||||
daemon_reload: yes
|
||||
name: containerd
|
||||
|
||||
- name: remove all cronjobs for user root
|
||||
command: crontab -r -u root
|
||||
ignore_errors: true
|
||||
|
||||
- name: Crictl command crontab setting
|
||||
ansible.builtin.cron:
|
||||
name: "container container prune"
|
||||
minute: "0"
|
||||
hour: "3"
|
||||
user: root
|
||||
job: "for id in `crictl ps -a | grep -i exited | awk '{print $1}'`; do crictl rm $id ; done"
|
||||
|
||||
- name: Crictl command crontab setting
|
||||
ansible.builtin.cron:
|
||||
name: "container image prune"
|
||||
minute: "10"
|
||||
hour: "3"
|
||||
user: root
|
||||
job: "/usr/local/bin/crictl rmi --prune"
|
||||
|
||||
|
||||
@@ -1,48 +0,0 @@
|
||||
---
|
||||
- name: Set pass max days
|
||||
lineinfile:
|
||||
dest: /etc/login.defs
|
||||
state: present
|
||||
regexp: '^PASS_MAX_DAYS.*$'
|
||||
line: "PASS_MAX_DAYS\t{{os_auth_pw_max_age}}"
|
||||
backrefs: yes
|
||||
|
||||
- name: Set pass min days
|
||||
lineinfile:
|
||||
dest: /etc/login.defs
|
||||
state: present
|
||||
regexp: '^PASS_MIN_DAYS.*$'
|
||||
line: "PASS_MIN_DAYS\t{{os_auth_pw_min_age}}"
|
||||
backrefs: yes
|
||||
|
||||
- name: Set pass min length
|
||||
lineinfile:
|
||||
dest: /etc/login.defs
|
||||
state: present
|
||||
regexp: '^PASS_MIN_LEN.*$'
|
||||
line: "PASS_MIN_LEN\t{{pwquality_minlen}}"
|
||||
backrefs: yes
|
||||
|
||||
- name: Set pass warn days
|
||||
lineinfile:
|
||||
dest: /etc/login.defs
|
||||
state: present
|
||||
regexp: '^PASS_WARN_AGE.*$'
|
||||
line: "PASS_WARN_AGE\t{{os_auth_pw_warn_age}}"
|
||||
backrefs: yes
|
||||
|
||||
- name: Set password encryption to SHA512
|
||||
lineinfile:
|
||||
dest: /etc/login.defs
|
||||
state: present
|
||||
regexp: '^ENCRYPT_METHOD\s.*$'
|
||||
line: "ENCRYPT_METHOD\tSHA512"
|
||||
backrefs: yes
|
||||
|
||||
- name: Disable MD5 crypt explicitly
|
||||
lineinfile:
|
||||
dest: /etc/login.defs
|
||||
state: present
|
||||
regexp: '^MD5_CRYPT_ENAB.*$'
|
||||
line: "MD5_CRYPT_ENAB NO"
|
||||
backrefs: yes
|
||||
@@ -1,21 +0,0 @@
|
||||
---
|
||||
- include: login_defs.yml
|
||||
tags: login_defs
|
||||
|
||||
- include: pam.yml
|
||||
tags: pam
|
||||
|
||||
- include: sshd_config.yml
|
||||
tags: sshd_config
|
||||
|
||||
- include: profile.yml
|
||||
tags: profile
|
||||
|
||||
- include: banner.yml
|
||||
tags: banner
|
||||
|
||||
- include: crictl.yml
|
||||
tags: circtl
|
||||
|
||||
#- include: admin_set.yml
|
||||
# tags: admin_set
|
||||
@@ -1,82 +0,0 @@
|
||||
---
|
||||
- name: Add pam_tally2.so
|
||||
template:
|
||||
src: common-auth.j2
|
||||
dest: /etc/pam.d/common-auth
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
|
||||
- name: Create pwquality.conf password complexity configuration
|
||||
block:
|
||||
- apt:
|
||||
name: libpam-pwquality
|
||||
state: present
|
||||
install_recommends: false
|
||||
- template:
|
||||
src: pwquality.conf.j2
|
||||
dest: /etc/security/pwquality.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
|
||||
- name: Add pam_tally2.so
|
||||
block:
|
||||
- lineinfile:
|
||||
dest: /etc/pam.d/common-account
|
||||
regexp: '^account\srequisite'
|
||||
line: "account requisite pam_deny.so"
|
||||
|
||||
- lineinfile:
|
||||
dest: /etc/pam.d/common-account
|
||||
regexp: '^account\srequired'
|
||||
line: "account required pam_tally2.so"
|
||||
|
||||
- name: password reuse is limited
|
||||
lineinfile:
|
||||
dest: /etc/pam.d/common-password
|
||||
line: "password required pam_pwhistory.so remember=5"
|
||||
|
||||
- name: password hashing algorithm is SHA-512
|
||||
lineinfile:
|
||||
dest: /etc/pam.d/common-password
|
||||
regexp: '^password\s+\[success'
|
||||
line: "password [success=1 default=ignore] pam_unix.so sha512"
|
||||
|
||||
- name: Shadow Password Suite Parameters
|
||||
lineinfile:
|
||||
dest: /etc/pam.d/common-password
|
||||
regexp: '^password\s+\[success'
|
||||
line: "password [success=1 default=ignore] pam_unix.so sha512"
|
||||
|
||||
#- name: configure system settings, file descriptors and number of threads
|
||||
# pam_limits:
|
||||
# domain: '*'
|
||||
# limit_type: "{{item.limit_type}}"
|
||||
# limit_item: "{{item.limit_item}}"
|
||||
# value: "{{item.value}}"
|
||||
# with_items:
|
||||
# - { limit_type: '-', limit_item: 'nofile', value: 65536 }
|
||||
# - { limit_type: '-', limit_item: 'nproc', value: 65536 }
|
||||
## - { limit_type: 'soft', limit_item: 'memlock', value: unlimited }
|
||||
## - { limit_type: 'hard', limit_item: 'memlock', value: unlimited }
|
||||
|
||||
#- name: reload settings from all system configuration files
|
||||
# shell: sysctl --system
|
||||
|
||||
#- name: Creates directory systemd config
|
||||
# file:
|
||||
# path: /etc/systemd/system.conf.d
|
||||
# state: directory
|
||||
# owner: root
|
||||
# group: root
|
||||
# mode: 0775
|
||||
|
||||
#- name: Create systemd limits
|
||||
# copy:
|
||||
# src: systemd_limit.conf
|
||||
# dest: /etc/systemd/system.conf.d/limits.conf
|
||||
# owner: root
|
||||
# group: root
|
||||
# mode: 644
|
||||
|
||||
@@ -1,24 +0,0 @@
|
||||
---
|
||||
- name: Set session timeout
|
||||
lineinfile:
|
||||
dest: /etc/profile
|
||||
regexp: '^TMOUT=.*'
|
||||
insertbefore: '^readonly TMOUT'
|
||||
line: 'TMOUT={{shell_timeout}}'
|
||||
state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
|
||||
|
||||
- name: Set TMOUT readonly
|
||||
lineinfile:
|
||||
dest: /etc/profile
|
||||
regexp: '^readonly TMOUT'
|
||||
insertafter: 'TMOUT={{shell_timeout}}'
|
||||
line: 'readonly TMOUT'
|
||||
state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
|
||||
|
||||
- name: Set export TMOUT
|
||||
lineinfile:
|
||||
dest: /etc/profile
|
||||
regexp: '^export TMOUT.*'
|
||||
insertafter: 'readonly TMOUT'
|
||||
line: 'export TMOUT'
|
||||
state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
|
||||
@@ -1,32 +0,0 @@
|
||||
---
|
||||
- name: Configure ssh root login to {{sshrootlogin}}
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(#)?PermitRootLogin.*'
|
||||
line: 'PermitRootLogin {{sshrootlogin}}'
|
||||
insertbefore: '^Match.*'
|
||||
state: present
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
notify: restart sshd
|
||||
|
||||
- name: SSH Listen on Main Port
|
||||
lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
insertbefore: '^#*AddressFamily'
|
||||
line: 'Port {{sshmainport}}'
|
||||
state: present
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
notify: restart sshd
|
||||
|
||||
- name: SSH AllowUsers Setting
|
||||
copy:
|
||||
src: allow_users.conf
|
||||
dest: /etc/ssh/sshd_config.d/allow_users.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
|
||||
@@ -1,27 +0,0 @@
|
||||
#
|
||||
# /etc/pam.d/common-auth - authentication settings common to all services
|
||||
#
|
||||
# This file is included from other service-specific PAM config files,
|
||||
# and should contain a list of the authentication modules that define
|
||||
# the central authentication scheme for use on the system
|
||||
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
|
||||
# traditional Unix authentication mechanisms.
|
||||
#
|
||||
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
|
||||
# To take advantage of this, it is recommended that you configure any
|
||||
# local modules either before or after the default block, and use
|
||||
# pam-auth-update to manage selection of other modules. See
|
||||
# pam-auth-update(8) for details.
|
||||
auth required pam_tally2.so onerr={{onerr}} even_deny_root deny={{deny}} unlock_time={{unlock_time}}
|
||||
|
||||
# here are the per-package modules (the "Primary" block)
|
||||
auth [success=1 default=ignore] pam_unix.so nullok
|
||||
# here's the fallback if no module succeeds
|
||||
auth requisite pam_deny.so
|
||||
# prime the stack with a positive return value if there isn't one already;
|
||||
# this avoids us returning an error just because nothing sets a success code
|
||||
auth required pam_permit.so
|
||||
# since the modules above will each just jump around
|
||||
# and here are more per-package modules (the "Additional" block)
|
||||
auth optional pam_cap.so
|
||||
# end of pam-auth-update config
|
||||
@@ -1,50 +0,0 @@
|
||||
# Configuration for systemwide password quality limits
|
||||
# Defaults:
|
||||
#
|
||||
# Number of characters in the new password that must not be present in the
|
||||
# old password.
|
||||
# difok = 5
|
||||
#
|
||||
# Minimum acceptable size for the new password (plus one if
|
||||
# credits are not disabled which is the default). (See pam_cracklib manual.)
|
||||
# Cannot be set to lower value than 6.
|
||||
minlen = {{pwquality_minlen}}
|
||||
#
|
||||
# The maximum credit for having digits in the new password. If less than 0
|
||||
# it is the minimum number of digits in the new password.
|
||||
dcredit = {{pwquality_dcredit}}
|
||||
#
|
||||
# The maximum credit for having uppercase characters in the new password.
|
||||
# If less than 0 it is the minimum number of uppercase characters in the new
|
||||
# password.
|
||||
ucredit = {{pwquality_ucredit}}
|
||||
#
|
||||
# The maximum credit for having lowercase characters in the new password.
|
||||
# If less than 0 it is the minimum number of lowercase characters in the new
|
||||
# password.
|
||||
lcredit = {{pwquality_lcredit}}
|
||||
#
|
||||
# The maximum credit for having other characters in the new password.
|
||||
# If less than 0 it is the minimum number of other characters in the new
|
||||
# password.
|
||||
ocredit = {{pwquality_ocredit}}
|
||||
#
|
||||
# The minimum number of required classes of characters for the new
|
||||
# password (digits, uppercase, lowercase, others).
|
||||
# minclass = 0
|
||||
#
|
||||
# The maximum number of allowed consecutive same characters in the new password.
|
||||
# The check is disabled if the value is 0.
|
||||
maxrepeat = {{pwquality_maxrepeat}}
|
||||
#
|
||||
# The maximum number of allowed consecutive characters of the same class in the
|
||||
# new password.
|
||||
# The check is disabled if the value is 0.
|
||||
# maxclassrepeat = 0
|
||||
#
|
||||
# Whether to check for the words from the passwd entry GECOS string of the user.
|
||||
# The check is enabled if the value is not 0.
|
||||
# gecoscheck = 0
|
||||
#
|
||||
# Path to the cracklib dictionaries. Default is to use the cracklib default.
|
||||
# dictpath =
|
||||
@@ -1,4 +0,0 @@
|
||||
while read line
|
||||
do
|
||||
echo ${line}
|
||||
done < ip_list
|
||||
@@ -1,37 +0,0 @@
|
||||
10.10.43.111
|
||||
10.10.43.112
|
||||
10.10.43.113
|
||||
10.10.43.114
|
||||
10.10.43.115
|
||||
10.10.43.116
|
||||
10.10.43.117
|
||||
10.10.43.118
|
||||
10.10.43.119
|
||||
10.10.43.120
|
||||
10.10.43.121
|
||||
10.10.43.122
|
||||
10.10.43.123
|
||||
10.10.43.124
|
||||
10.10.43.125
|
||||
10.10.43.126
|
||||
10.10.43.127
|
||||
10.10.43.128
|
||||
10.10.43.129
|
||||
10.10.43.130
|
||||
10.10.43.131
|
||||
10.10.43.132
|
||||
10.10.43.133
|
||||
10.10.43.134
|
||||
10.10.43.135
|
||||
10.10.43.136
|
||||
10.10.43.137
|
||||
10.10.43.138
|
||||
10.10.43.140
|
||||
10.10.43.141
|
||||
10.10.43.142
|
||||
10.10.43.143
|
||||
10.10.43.144
|
||||
10.10.43.145
|
||||
10.10.43.146
|
||||
10.10.43.147
|
||||
10.10.43.148
|
||||
@@ -1,9 +0,0 @@
|
||||
#!/usr/bin/expect -f
|
||||
set password [lindex $argv 0]
|
||||
set host [lindex $argv 1]
|
||||
|
||||
spawn ssh-copy-id -o StrictHostKeyChecking=no root@$host
|
||||
expect "password:"
|
||||
send "$password\n"
|
||||
expect eof
|
||||
|
||||
@@ -1,9 +0,0 @@
|
||||
#!/bin/bash
|
||||
#if [ -z "$BASH_VERSION" ]; then exec bash "$0" "$@"; exit; fi
|
||||
|
||||
passwd=$1
|
||||
|
||||
while read ip
|
||||
do
|
||||
./key.sh ${passwd} ${ip}
|
||||
done < ip_list
|
||||
@@ -1,9 +0,0 @@
|
||||
---
|
||||
- name: check ls
|
||||
hosts: all
|
||||
become: true
|
||||
roles:
|
||||
- security-settings
|
||||
vars:
|
||||
sshrootlogin: 'forced-commands-only'
|
||||
|
||||
@@ -1,16 +0,0 @@
|
||||
---
|
||||
- hosts: all
|
||||
become: yes
|
||||
tasks:
|
||||
- name: Create a new user
|
||||
user:
|
||||
name: dev2-iac
|
||||
password: "{{ 'saasadmin1234' | password_hash('sha512') }}"
|
||||
group: sudo
|
||||
shell: /bin/bash
|
||||
|
||||
- name: Set authorized key taken from file
|
||||
authorized_key:
|
||||
user: dev2-iac
|
||||
state: present
|
||||
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCsiN0I8B3UmB1mVBxVpvrSF5j0vrwUggngVrlplW8iJLllSBwarHzmSpMWv3eQtb9QQ/HKyOsS3j6UkbQK2aJ6jGeK2pQUkbb6KdMc9OrS/ILWysritcBJ3rUuITwOMvekQHtq+yKshap3uw/8ZEiM1Xn0MxVGhpAZsWbotf9n6ntmsMDXkRSQnYU5T2y4hkWlYImPkIasmbDFVkxi0Wz7I7pUX4hG3l6NJegXWO6n4OcpXxm26oZUtmpqrNRipUIUglM5xp4+YlQhu3FIa/aEZ+fuE9xnSZ8gCYnmPKwJ7AKKkEUruSTA3vhBnlh5rFYgSg5NkVte2RjdPg1SYZCTUXVwE9bbIzeGiXJ9vSe1/bhacpLeLgg48H6SSVInoCmen6W4Oo4/QlekXMBCuxfRwH2pO2K84gEKAAD0hUHBEf0Eh4rIi3K2oUdDCnMv5CD3lqiBn49hFB+bBdk+kxFNNx9iSDciFc91lIjz2IW8FO//+iLO7DEBZMrz/B8bJQ0="
|
||||
@@ -1,2 +0,0 @@
|
||||
[host]
|
||||
10.10.43.111
|
||||
Reference in New Issue
Block a user