From 13cb67be198db59eb2bdb5f6f6882df0cd584a7c Mon Sep 17 00:00:00 2001 
From: havelight-ee Date: Tue, 18 Oct 2022 13:40:35 +0900 Subject: [PATCH] add security setting --- ansible/bastion_roles.yaml | 6 +++ ansible/node_roles.yaml | 6 +++ ansible/roles.yaml | 7 +++ ansible/roles/bastion/README.md | 38 ++++++++++++++ ansible/roles/bastion/defaults/main.yml | 2 + ansible/roles/bastion/handlers/main.yml | 2 + ansible/roles/bastion/meta/main.yml | 52 +++++++++++++++++++ ansible/roles/bastion/tasks/main.yml | 3 ++ ansible/roles/bastion/tests/inventory | 2 + ansible/roles/bastion/tests/test.yml | 5 ++ ansible/roles/bastion/vars/main.yml | 2 + ansible/roles/node/README.md | 38 ++++++++++++++ ansible/roles/node/defaults/main.yml | 2 + ansible/roles/node/handlers/main.yml | 2 + ansible/roles/node/meta/main.yml | 52 +++++++++++++++++++ ansible/roles/node/tasks/main.yml | 12 +++++ ansible/roles/node/tests/inventory | 2 + ansible/roles/node/tests/test.yml | 5 ++ ansible/roles/node/vars/main.yml | 2 + .../roles/security-settings/defaults/main.yml | 29 +++++++++++ .../security-settings/files/login_banner | 20 +++++++ .../roles/security-settings/handlers/main.yml | 6 +++ .../roles/security-settings/tasks/banner.yml | 29 +++++++++++ .../security-settings/tasks/login_defs.yml | 48 +++++++++++++++++ .../roles/security-settings/tasks/main.yml | 15 ++++++ ansible/roles/security-settings/tasks/pam.yml | 50 ++++++++++++++++++ .../roles/security-settings/tasks/profile.yml | 24 +++++++++ .../security-settings/tasks/sshd_config.yml | 23 ++++++++ .../templates/common-auth.j2 | 27 ++++++++++ .../templates/pwquality.conf.j2 | 50 ++++++++++++++++++ ansible/test.yaml | 30 +++++++++++ .../datasaker-bastion-packer-ubuntu.pkr.hcl | 48 +++++++++++++++++ .../datasaker-node-packer-ubuntu.pkr.hcl | 51 ++++++++++++++++++ 33 files changed, 690 insertions(+) create mode 100755 ansible/bastion_roles.yaml create mode 100755 ansible/node_roles.yaml create mode 100755 ansible/roles.yaml create mode 100644 ansible/roles/bastion/README.md create mode 100644 
ansible/roles/bastion/defaults/main.yml
create mode 100644 ansible/roles/bastion/handlers/main.yml
create mode 100644 ansible/roles/bastion/meta/main.yml
create mode 100644 ansible/roles/bastion/tasks/main.yml
create mode 100644 ansible/roles/bastion/tests/inventory
create mode 100644 ansible/roles/bastion/tests/test.yml
create mode 100644 ansible/roles/bastion/vars/main.yml
create mode 100644 ansible/roles/node/README.md
create mode 100644 ansible/roles/node/defaults/main.yml
create mode 100644 ansible/roles/node/handlers/main.yml
create mode 100644 ansible/roles/node/meta/main.yml
create mode 100644 ansible/roles/node/tasks/main.yml
create mode 100644 ansible/roles/node/tests/inventory
create mode 100644 ansible/roles/node/tests/test.yml
create mode 100644 ansible/roles/node/vars/main.yml
create mode 100755 ansible/roles/security-settings/defaults/main.yml
create mode 100755 ansible/roles/security-settings/files/login_banner
create mode 100755 ansible/roles/security-settings/handlers/main.yml
create mode 100755 ansible/roles/security-settings/tasks/banner.yml
create mode 100755 ansible/roles/security-settings/tasks/login_defs.yml
create mode 100755 ansible/roles/security-settings/tasks/main.yml
create mode 100755 ansible/roles/security-settings/tasks/pam.yml
create mode 100755 ansible/roles/security-settings/tasks/profile.yml
create mode 100755 ansible/roles/security-settings/tasks/sshd_config.yml
create mode 100755 ansible/roles/security-settings/templates/common-auth.j2
create mode 100755 ansible/roles/security-settings/templates/pwquality.conf.j2
create mode 100755 ansible/test.yaml
create mode 100644 build_ami_security/datasaker-bastion-packer-ubuntu.pkr.hcl
create mode 100644 build_ami_security/datasaker-node-packer-ubuntu.pkr.hcl
diff --git a/ansible/bastion_roles.yaml b/ansible/bastion_roles.yaml
new file mode 100755
index 0000000..4b2d451
--- /dev/null
+++ b/ansible/bastion_roles.yaml
@@ -0,0 +1,6 @@
+---
+- hosts: default
+ become: true
+ roles:
+ - bastion
+ - security-settings
diff --git a/ansible/node_roles.yaml b/ansible/node_roles.yaml
new file mode 100755
index 0000000..1cf3442
--- /dev/null
+++ b/ansible/node_roles.yaml
@@ -0,0 +1,6 @@
+---
+- hosts: default
+ become: true
+ roles:
+ - node
+ - security-settings
diff --git a/ansible/roles.yaml b/ansible/roles.yaml
new file mode 100755
index 0000000..4e95a8e
--- /dev/null
+++ b/ansible/roles.yaml
@@ -0,0 +1,7 @@
+---
+- name: 'Provision Image'
+ hosts: default
+ become: true
+ roles:
+ - bastion
+ - security-settings
diff --git a/ansible/roles/bastion/README.md b/ansible/roles/bastion/README.md
new file mode 100644
index 0000000..225dd44
--- /dev/null
+++ b/ansible/roles/bastion/README.md
@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: servers
+ roles:
+ - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/ansible/roles/bastion/defaults/main.yml b/ansible/roles/bastion/defaults/main.yml
new file mode 100644
index 0000000..f5299ef
--- /dev/null
+++ b/ansible/roles/bastion/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+# defaults file for apache
diff --git a/ansible/roles/bastion/handlers/main.yml b/ansible/roles/bastion/handlers/main.yml
new file mode 100644
index 0000000..f41c6b0
--- /dev/null
+++ b/ansible/roles/bastion/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for apache
diff --git a/ansible/roles/bastion/meta/main.yml b/ansible/roles/bastion/meta/main.yml
new file mode 100644
index 0000000..c572acc
--- /dev/null
+++ b/ansible/roles/bastion/meta/main.yml
@@ -0,0 +1,52 @@
+galaxy_info:
+ author: your name
+ description: your role description
+ company: your company (optional)
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Choose a valid license ID from https://spdx.org - some suggested licenses:
+ # - BSD-3-Clause (default)
+ # - MIT
+ # - GPL-2.0-or-later
+ # - GPL-3.0-only
+ # - Apache-2.0
+ # - CC-BY-4.0
+ license: license (GPL-2.0-or-later, MIT, etc)
+
+ min_ansible_version: 2.1
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ # platforms:
+ # - name: Fedora
+ # versions:
+ # - all
+ # - 25
+ # - name: SomePlatform
+ # versions:
+ # - all
+ # - 1.0
+ # - 7
+ # - 99.99
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
diff --git a/ansible/roles/bastion/tasks/main.yml b/ansible/roles/bastion/tasks/main.yml
new file mode 100644
index 0000000..be61dd9
--- /dev/null
+++ b/ansible/roles/bastion/tasks/main.yml
@@ -0,0 +1,3 @@
+---
+- name: echo hello
+ command: echo "Not Valid Ruby Version"
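Review bot: `license: license (GPL-2.0-or-later, MIT, etc)` and `author: your name` are the unedited ansible-galaxy skeleton values, so this meta file declares an invalid SPDX license id and a placeholder author. Either fill in the real values or drop meta/main.yml altogether, since it only matters for Galaxy publishing and role dependencies, neither of which this role uses. ansible/roles/node/meta/main.yml carries the same skeleton content.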
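Review bot: The only task in the bastion role, `command: echo "Not Valid Ruby Version"`, runs a shell command on every play, always reports "changed", and its message has no relation to the role; it looks like a leftover placeholder. Remove the task (a tasks/main.yml containing only `---` is valid) or, if a marker is wanted, use `debug:` with a `msg:` that says what the role is for. ansible/roles/node/tasks/main.yml starts with the same task.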
diff --git a/ansible/roles/bastion/tests/inventory b/ansible/roles/bastion/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/ansible/roles/bastion/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/ansible/roles/bastion/tests/test.yml b/ansible/roles/bastion/tests/test.yml
new file mode 100644
index 0000000..191e731
--- /dev/null
+++ b/ansible/roles/bastion/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - apache
diff --git a/ansible/roles/bastion/vars/main.yml b/ansible/roles/bastion/vars/main.yml
new file mode 100644
index 0000000..2aa5032
--- /dev/null
+++ b/ansible/roles/bastion/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for apache
diff --git a/ansible/roles/node/README.md b/ansible/roles/node/README.md
new file mode 100644
index 0000000..225dd44
--- /dev/null
+++ b/ansible/roles/node/README.md
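Review bot: `roles: - apache` in bastion/tests/test.yml names a role that does not exist in this tree, so the test playbook fails at parse time; it should apply `bastion` (and ansible/roles/node/tests/test.yml should apply `node`). `remote_user: root` is also unnecessary for a localhost test and differs from the real playbooks, which use `become: true`. The `# defaults file for apache` / `# handlers file for apache` / `# vars file for apache` comments in both roles are leftovers of the same skeleton and should name the role they belong to.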
@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: servers
+ roles:
+ - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/ansible/roles/node/defaults/main.yml b/ansible/roles/node/defaults/main.yml
new file mode 100644
index 0000000..f5299ef
--- /dev/null
+++ b/ansible/roles/node/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+# defaults file for apache
diff --git a/ansible/roles/node/handlers/main.yml b/ansible/roles/node/handlers/main.yml
new file mode 100644
index 0000000..f41c6b0
--- /dev/null
+++ b/ansible/roles/node/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for apache
diff --git a/ansible/roles/node/meta/main.yml b/ansible/roles/node/meta/main.yml
new file mode 100644
index 0000000..c572acc
--- /dev/null
+++ b/ansible/roles/node/meta/main.yml
@@ -0,0 +1,52 @@
+galaxy_info:
+ author: your name
+ description: your role description
+ company: your company (optional)
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Choose a valid license ID from https://spdx.org - some suggested licenses:
+ # - BSD-3-Clause (default)
+ # - MIT
+ # - GPL-2.0-or-later
+ # - GPL-3.0-only
+ # - Apache-2.0
+ # - CC-BY-4.0
+ license: license (GPL-2.0-or-later, MIT, etc)
+
+ min_ansible_version: 2.1
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ # platforms:
+ # - name: Fedora
+ # versions:
+ # - all
+ # - 25
+ # - name: SomePlatform
+ # versions:
+ # - all
+ # - 1.0
+ # - 7
+ # - 99.99
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
diff --git a/ansible/roles/node/tasks/main.yml b/ansible/roles/node/tasks/main.yml
new file mode 100644
index 0000000..0e344f6
--- /dev/null
+++ b/ansible/roles/node/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+- name: echo hello
+ command: echo "Not Valid Ruby Version"
+
+- name: Update apt repo and cache on all Debian/Ubuntu boxes
+ apt: update_cache=yes cache_valid_time=3600
+
+- name: Install cifs-utils
+ apt: name=cifs-utils state=latest update_cache=yes
+
+- name: Install nfs-common
+ apt: name=nfs-common state=latest update_cache=yes
diff --git a/ansible/roles/node/tests/inventory b/ansible/roles/node/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/ansible/roles/node/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/ansible/roles/node/tests/test.yml b/ansible/roles/node/tests/test.yml
new file mode 100644
index 0000000..191e731
--- /dev/null
+++ b/ansible/roles/node/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - apache
diff --git a/ansible/roles/node/vars/main.yml b/ansible/roles/node/vars/main.yml
new file mode 100644
index 0000000..2aa5032
--- /dev/null
+++ b/ansible/roles/node/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for apache
diff --git a/ansible/roles/security-settings/defaults/main.yml b/ansible/roles/security-settings/defaults/main.yml
new file mode 100755
index 0000000..73936fa
--- /dev/null
+++ b/ansible/roles/security-settings/defaults/main.yml
@@ -0,0 +1,29 @@
+# Password aging settings
+os_auth_pw_max_age: 90
+os_auth_pw_min_age: 10
+os_auth_pw_warn_age: 7
+passhistory: 2
+
+# Inactivity and Failed attempts lockout settings
+fail_deny: 5
+fail_unlock: 0
+inactive_lock: 0
+shell_timeout: 300
+
+# tally settings
+onerr: 'fail'
+deny: 5
+unlock_time: 300
+
+# Password complexity settings
+pwquality_minlen: 9
+pwquality_maxrepeat: 3
+pwquality_lcredit: -1
+pwquality_ucredit: -1
+pwquality_dcredit: -1
+pwquality_ocredit: -1
+
+# SSH settings
+sshrootlogin: 'no'
+sshmainport: 22
+ssh_service_name: sshd
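Review bot: `apt: name=cifs-utils state=latest update_cache=yes` (and the identical nfs-common task) makes the AMI build non-reproducible: `state: latest` installs whatever the mirror serves at build time, so two builds from the same commit can ship different package versions. Use `state: present` and let the preceding "Update apt repo and cache" task own the cache refresh; the YAML dictionary form (`apt:` / `name:` / `state:`) instead of `key=value` strings also lets ansible-lint check the arguments.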
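Review bot: Several of these defaults are never read by the role's tasks: `passhistory: 2` has no effect because pam.yml hard-codes `remember=5`, `fail_deny`, `fail_unlock` and `inactive_lock` have no consumer at all, and only `onerr`, `deny` and `unlock_time` reach the common-auth template. An operator tuning `passhistory` or `fail_deny` would therefore silently get nothing; either wire them in (`remember={{passhistory}}` on the pam_pwhistory line) or delete the dead variables so the defaults file documents only what the role actually enforces. `fail_deny: 5` and `deny: 5` also duplicate the same setting under two names.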
diff --git a/ansible/roles/security-settings/files/login_banner b/ansible/roles/security-settings/files/login_banner
new file mode 100755
index 0000000..d294eeb
--- /dev/null
+++ b/ansible/roles/security-settings/files/login_banner
@@ -0,0 +1,20 @@
+#!/bin/sh
+printf '''
+ |-----------------------------------------------------------------|
+ | This system is for the use of authorized users only. |
+ | Individuals using this computer system without authority, or in |
+ | excess of their authority, are subject to having all of their |
+ | activities on this system monitored and recorded by system |
+ | personnel. |
+ | |
+ | In the course of monitoring individuals improperly using this |
+ | system, or in the course of system maintenance, the activities |
+ | of authorized users may also be monitored. |
+ | |
+ | Anyone using this system expressly consents to such monitoring |
+ | and is advised that if such monitoring reveals possible |
+ | evidence of criminal activity, system personnel may provide the |
+ | evidence of such monitoring to law enforcement officials. |
+ |-----------------------------------------------------------------|
+'''
+
diff --git a/ansible/roles/security-settings/handlers/main.yml b/ansible/roles/security-settings/handlers/main.yml
new file mode 100755
index 0000000..abab7ef
--- /dev/null
+++ b/ansible/roles/security-settings/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart sshd
+ service:
+ name: "{{ ssh_service_name }}"
+ state: restarted
+ enabled: true
diff --git a/ansible/roles/security-settings/tasks/banner.yml b/ansible/roles/security-settings/tasks/banner.yml
new file mode 100755
index 0000000..6a172c9
--- /dev/null
+++ b/ansible/roles/security-settings/tasks/banner.yml
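Review bot: This notice is installed as an update-motd script, so it is only displayed by pam_motd after a successful login; a monitoring/consent banner is normally required before authentication, which means also pointing sshd at it with `Banner /etc/issue.net` (and /etc/issue for console logins) in sshd_config.yml. The `printf '''...'''` form works only by accident: in POSIX sh `'''` is an empty string glued to an opening quote, and the banner text becomes printf's format string, so any `%` added to it later would be interpreted as a conversion. Write it as `printf '%s\n' '...'` with ordinary single quotes around the text.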
@@ -0,0 +1,29 @@
+---
+- name: Create a tar.gz archive of a single file.
+ archive:
+ path: /etc/update-motd.d/*
+ dest: /etc/update-motd.d/motd.tar.gz
+ format: gz
+ force_archive: true
+
+- name: remove a motd.d files
+ file:
+ path: /etc/update-motd.d/{{ item }}
+ state: absent
+ with_items:
+ - 10-help-text
+ - 85-fwupd
+ - 90-updates-available
+ - 91-release-upgrade
+ - 95-hwe-eol
+ - 98-fsck-at-reboot
+ - 50-motd-news
+ - 88-esm-announce
+
+- name: Create login banner
+ copy:
+ src: login_banner
+ dest: /etc/update-motd.d/00-header
+ owner: root
+ group: root
+ mode: 0755
diff --git a/ansible/roles/security-settings/tasks/login_defs.yml b/ansible/roles/security-settings/tasks/login_defs.yml
new file mode 100755
index 0000000..f25702a
--- /dev/null
+++ b/ansible/roles/security-settings/tasks/login_defs.yml
@@ -0,0 +1,48 @@
+---
+- name: Set pass max days
+ lineinfile:
+ dest: /etc/login.defs
+ state: present
+ regexp: '^PASS_MAX_DAYS.*$'
+ line: "PASS_MAX_DAYS\t{{os_auth_pw_max_age}}"
+ backrefs: yes
+
+- name: Set pass min days
+ lineinfile:
+ dest: /etc/login.defs
+ state: present
+ regexp: '^PASS_MIN_DAYS.*$'
+ line: "PASS_MIN_DAYS\t{{os_auth_pw_min_age}}"
+ backrefs: yes
+
+- name: Set pass min length
+ lineinfile:
+ dest: /etc/login.defs
+ state: present
+ regexp: '^PASS_MIN_LEN.*$'
+ line: "PASS_MIN_LEN\t{{pwquality_minlen}}"
+ backrefs: yes
+
+- name: Set pass warn days
+ lineinfile:
+ dest: /etc/login.defs
+ state: present
+ regexp: '^PASS_WARN_AGE.*$'
+ line: "PASS_WARN_AGE\t{{os_auth_pw_warn_age}}"
+ backrefs: yes
+
+- name: Set password encryption to SHA512
+ lineinfile:
+ dest: /etc/login.defs
+ state: present
+ regexp: '^ENCRYPT_METHOD\s.*$'
+ line: "ENCRYPT_METHOD\tSHA512"
+ backrefs: yes
+
+- name: Disable MD5 crypt explicitly
+ lineinfile:
+ dest: /etc/login.defs
+ state: present
+ regexp: '^MD5_CRYPT_ENAB.*$'
+ line: "MD5_CRYPT_ENAB NO"
+ backrefs: yes
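Review bot: The `archive` task writes its backup to `/etc/update-motd.d/motd.tar.gz`, inside the very directory it globs with `/etc/update-motd.d/*`, so the tarball is picked up by the glob on any re-run and the backup lives next to the executable motd scripts it is meant to preserve; write it somewhere outside that directory (e.g. a placeholder such as `/var/backups/<BACKUP_NAME>.tar.gz`) or drop it, since the originals are recoverable from the distribution packages. The `with_items` list only removes the scripts named here, and the task name ("Create a tar.gz archive of a single file.") no longer matches what it does; any other motd scripts present on the base image (the set depends on the Ubuntu release — verify on the target AMI) still run after 00-header and append system details to the banner. Note that since Ansible 2.10 `archive` is provided by the community.general collection, which nothing in this change declares as a requirement.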
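Review bot: `backrefs: yes` on every task in this file turns lineinfile into a replace-only edit: when the regexp does not match (a commented `#MD5_CRYPT_ENAB` line, or a key that is absent from the distribution's login.defs) no line is added and the setting is silently skipped, so the hardening can be a no-op without the play reporting it. None of the `line` values use `\1`-style backreferences, so `backrefs` contributes nothing; remove it so an unmatched key is appended, and widen the patterns to the `'^#?PASS_MAX_DAYS'` form so a commented default is replaced in place rather than duplicated. PASS_MIN_LEN is worth a comment as well: Debian's login.defs documents it as not honoured by the PAM-based tools (confirm on the target release), so the effective minimum length comes from pwquality.conf, not from this task.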
diff --git a/ansible/roles/security-settings/tasks/main.yml b/ansible/roles/security-settings/tasks/main.yml
new file mode 100755
index 0000000..554433c
--- /dev/null
+++ b/ansible/roles/security-settings/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- include: login_defs.yml
+ tags: login_defs
+
+- include: pam.yml
+ tags: pam
+
+- include: sshd_config.yml
+ tags: sshd_config
+
+- include: profile.yml
+ tags: profile
+
+- include: banner.yml
+ tags: banner
diff --git a/ansible/roles/security-settings/tasks/pam.yml b/ansible/roles/security-settings/tasks/pam.yml
new file mode 100755
index 0000000..ae1c637
--- /dev/null
+++ b/ansible/roles/security-settings/tasks/pam.yml
@@ -0,0 +1,50 @@
+---
+- name: Add pam_tally2.so
+ template:
+ src: common-auth.j2
+ dest: /etc/pam.d/common-auth
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Create pwquality.conf password complexity configuration
+ block:
+ - apt:
+ name: libpam-pwquality
+ state: present
+ install_recommends: false
+ - template:
+ src: pwquality.conf.j2
+ dest: /etc/security/pwquality.conf
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Add pam_tally2.so
+ block:
+ - lineinfile:
+ dest: /etc/pam.d/common-account
+ regexp: '^account\srequisite'
+ line: "account requisite pam_deny.so"
+
+ - lineinfile:
+ dest: /etc/pam.d/common-account
+ regexp: '^account\srequired'
+ line: "account required pam_tally2.so"
+
+- name: password reuse is limited
+ lineinfile:
+ dest: /etc/pam.d/common-password
+ line: "password required pam_pwhistory.so remember=5"
+
+- name: password hashing algorithm is SHA-512
+ lineinfile:
+ dest: /etc/pam.d/common-password
+ regexp: '^password\s+\[success'
+ line: "password [success=1 default=ignore] pam_unix.so sha512"
+
+- name: Shadow Password Suite Parameters
+ lineinfile:
+ dest: /etc/pam.d/common-password
+ regexp: '^password\s+\[success'
+ line: "password [success=1 default=ignore] pam_unix.so sha512"
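Review bot: `include:` is the legacy task include, deprecated since Ansible 2.4 and dropped from recent ansible-core releases, so this file will stop parsing on an upgrade. Use `import_tasks:` for each entry so the `tags:` apply to the imported tasks at parse time (with `include_tasks:` the tag would only gate the include itself and `--tags pam` would skip the content).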
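Review bot: The last two tasks ("password hashing algorithm is SHA-512" and "Shadow Password Suite Parameters") are byte-identical, and both rewrite the whole pam_unix line to `pam_unix.so sha512`; on Ubuntu, once libpam-pwquality is installed two tasks earlier, pam-auth-update writes that line as `pam_unix.so obscure use_authtok try_first_pass sha512`, so the rewrite strips `use_authtok` and pam_unix then prompts for its own new password instead of taking the one pam_pwquality already validated — the complexity policy can be sidestepped at that second prompt. Delete the duplicate task and keep the full option set (`password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512`), or leave the pam-auth-update managed block alone and let its pwquality profile do this. The `pam_pwhistory.so remember=5` task has neither `regexp` nor `insertbefore`, so lineinfile appends it at the end of common-password, after pam_unix has already changed the password; add `insertbefore: '^password\s+\[success'` so the history check runs first, and use `remember={{passhistory}}` so the role default is honoured. Two tasks also share the name "Add pam_tally2.so"; the second edits common-account and should say so.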
diff --git a/ansible/roles/security-settings/tasks/profile.yml b/ansible/roles/security-settings/tasks/profile.yml
new file mode 100755
index 0000000..fb1b456
--- /dev/null
+++ b/ansible/roles/security-settings/tasks/profile.yml
@@ -0,0 +1,24 @@
+---
+- name: Set session timeout
+ lineinfile:
+ dest: /etc/profile
+ regexp: '^TMOUT=.*'
+ insertbefore: '^readonly TMOUT'
+ line: 'TMOUT={{shell_timeout}}'
+ state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
+
+- name: Set TMOUT readonly
+ lineinfile:
+ dest: /etc/profile
+ regexp: '^readonly TMOUT'
+ insertafter: 'TMOUT={{shell_timeout}}'
+ line: 'readonly TMOUT'
+ state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
+
+- name: Set export TMOUT
+ lineinfile:
+ dest: /etc/profile
+ regexp: '^export TMOUT.*'
+ insertafter: 'readonly TMOUT'
+ line: 'export TMOUT'
+ state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
diff --git a/ansible/roles/security-settings/tasks/sshd_config.yml b/ansible/roles/security-settings/tasks/sshd_config.yml
new file mode 100755
index 0000000..438a65a
--- /dev/null
+++ b/ansible/roles/security-settings/tasks/sshd_config.yml
@@ -0,0 +1,23 @@
+---
+- name: Configure ssh root login to {{sshrootlogin}}
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: '^(#)?PermitRootLogin.*'
+ line: 'PermitRootLogin {{sshrootlogin}}'
+ insertbefore: '^Match.*'
+ state: present
+ owner: root
+ group: root
+ mode: 0640
+ notify: restart sshd
+
+- name: SSH Listen on Main Port
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ insertbefore: '^#*AddressFamily'
+ line: 'Port {{sshmainport}}'
+ state: present
+ owner: root
+ group: root
+ mode: 0640
+ notify: restart sshd
diff --git a/ansible/roles/security-settings/templates/common-auth.j2 b/ansible/roles/security-settings/templates/common-auth.j2
new file mode 100755
index 0000000..64a603b
--- /dev/null
+++ b/ansible/roles/security-settings/templates/common-auth.j2
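Review bot: The "SSH Listen on Main Port" task has no `regexp`, so lineinfile never recognises an existing `Port` directive and inserts another `Port {{sshmainport}}` line before `AddressFamily` on every run, leaving duplicate `Port` entries after the second play; add `regexp: '^#?Port\s'` so the commented default is replaced in place. Both tasks edit sshd_config and then restart the daemon via the handler, so a malformed line would lock the image out of SSH; `validate: '/usr/sbin/sshd -t -f %s'` on each lineinfile makes sshd check the file before it is written. The `mode: 0640` on the first task is fine, but note it is applied on both tasks and so belongs on a single `file:` task rather than being repeated.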
@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+auth required pam_tally2.so onerr={{onerr}} even_deny_root deny={{deny}} unlock_time={{unlock_time}}
+
+# here are the per-package modules (the "Primary" block)
+auth [success=1 default=ignore] pam_unix.so nullok
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+auth required pam_permit.so
+# since the modules above will each just jump around
+# and here are more per-package modules (the "Additional" block)
+auth optional pam_cap.so
+# end of pam-auth-update config
diff --git a/ansible/roles/security-settings/templates/pwquality.conf.j2 b/ansible/roles/security-settings/templates/pwquality.conf.j2
new file mode 100755
index 0000000..3ec2cbe
--- /dev/null
+++ b/ansible/roles/security-settings/templates/pwquality.conf.j2
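Review bot: `auth [success=1 default=ignore] pam_unix.so nullok` loosens the Ubuntu 20.04 default, which pam-auth-update writes as `nullok_secure` (empty passwords accepted only on ttys listed in /etc/securetty); because the template replaces the whole file, the hardening role ends up allowing empty-password logins from any source — keep `nullok_secure` or drop the option on that line. `onerr=fail` together with `even_deny_root` means an unreadable or missing tally file refuses every login including root; that is the strict choice, but it deserves a one-line comment above the pam_tally2 line so nobody relaxes it by accident. pam_tally2 was removed from Linux-PAM 1.5, so this template only works on the 20.04 base image the packer files target and will need pam_faillock on newer releases.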
@@ -0,0 +1,50 @@
+# Configuration for systemwide password quality limits
+# Defaults:
+#
+# Number of characters in the new password that must not be present in the
+# old password.
+# difok = 5
+#
+# Minimum acceptable size for the new password (plus one if
+# credits are not disabled which is the default). (See pam_cracklib manual.)
+# Cannot be set to lower value than 6.
+minlen = {{pwquality_minlen}}
+#
+# The maximum credit for having digits in the new password. If less than 0
+# it is the minimum number of digits in the new password.
+dcredit = {{pwquality_dcredit}}
+#
+# The maximum credit for having uppercase characters in the new password.
+# If less than 0 it is the minimum number of uppercase characters in the new
+# password.
+ucredit = {{pwquality_ucredit}}
+#
+# The maximum credit for having lowercase characters in the new password.
+# If less than 0 it is the minimum number of lowercase characters in the new
+# password.
+lcredit = {{pwquality_lcredit}}
+#
+# The maximum credit for having other characters in the new password.
+# If less than 0 it is the minimum number of other characters in the new
+# password.
+ocredit = {{pwquality_ocredit}}
+#
+# The minimum number of required classes of characters for the new
+# password (digits, uppercase, lowercase, others).
+# minclass = 0
+#
+# The maximum number of allowed consecutive same characters in the new password.
+# The check is disabled if the value is 0.
+maxrepeat = {{pwquality_maxrepeat}}
+#
+# The maximum number of allowed consecutive characters of the same class in the
+# new password.
+# The check is disabled if the value is 0.
+# maxclassrepeat = 0
+#
+# Whether to check for the words from the passwd entry GECOS string of the user.
+# The check is enabled if the value is not 0.
+# gecoscheck = 0
+#
+# Path to the cracklib dictionaries. Default is to use the cracklib default.
+# dictpath =
diff --git a/ansible/test.yaml b/ansible/test.yaml
new file mode 100755
index 0000000..7a08705
--- /dev/null
+++ b/ansible/test.yaml
@@ -0,0 +1,30 @@
+---
+- name: Set session timeout
+ hosts: all
+ tasks:
+ - lineinfile:
+ dest: /etc/profile
+ regexp: '^TMOUT=.*'
+ insertbefore: '^readonly TMOUT'
+ line: 'TMOUT={{shell_timeout}}'
+ state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
+
+- name: Set TMOUT readonly
+ hosts: all
+ tasks:
+ - lineinfile:
+ dest: /etc/profile
+ regexp: '^readonly TMOUT'
+ insertafter: 'TMOUT={{shell_timeout}}'
+ line: 'readonly TMOUT'
+ state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
+
+- name: Set export TMOUT
+ hosts: all
+ tasks:
+ - lineinfile:
+ dest: /etc/profile
+ regexp: '^export TMOUT.*'
+ insertafter: 'readonly TMOUT'
+ line: 'export TMOUT'
+ state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
diff --git a/build_ami_security/datasaker-bastion-packer-ubuntu.pkr.hcl b/build_ami_security/datasaker-bastion-packer-ubuntu.pkr.hcl
new file mode 100644
index 0000000..c8388c4
--- /dev/null
+++ b/build_ami_security/datasaker-bastion-packer-ubuntu.pkr.hcl
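Review bot: This playbook references `shell_timeout`, which is defined only in roles/security-settings/defaults/main.yml, so run on its own it fails with an undefined-variable error; it is also a copy of the three TMOUT tasks from roles/security-settings/tasks/profile.yml split into three separate plays against `hosts: all`. If it is a scratch file it should not sit next to the real playbooks; if it is meant as a test, make it one play with `roles: - security-settings` so the role defaults are loaded and the tasks are not duplicated.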
@@ -0,0 +1,48 @@
+packer {
+ required_plugins {
+ amazon = {
+ version = ">= 0.0.2"
+ source = "github.com/hashicorp/amazon"
+ }
+ }
+}
+
+variable "ami_prefix" {
+ type = string
+ default = "datasaker-bastion-ubuntu2004"
+}
+
+locals {
+ timestamp = regex_replace(timestamp(), "[- TZ:]", "")
+}
+
+source "amazon-ebs" "datasaker-bastion-ubuntu2004" {
+ ami_name = "${var.ami_prefix}-${local.timestamp}"
+ instance_type = "t3.small"
+ region = "ap-northeast-2"
+ source_ami_filter {
+ filters = {
+ image-id = "ami-0ea5eb4b05645aa8a"
+ root-device-type = "ebs"
+ virtualization-type = "hvm"
+ }
+ most_recent = true
+ owners = ["099720109477"]
+ }
+ tags = {
+ source_ami_name = "{{ .SourceAMIName }}"
+ }
+ ssh_username = "ubuntu"
+}
+
+build {
+ name = "datasaker-bastion-packer"
+ sources = ["source.amazon-ebs.datasaker-bastion-ubuntu2004"]
+
+ provisioner "ansible" {
+ playbook_file = "../ansible/bastion_roles.yaml"
+ user = "ubuntu"
+ extra_arguments = ["--become"]
+ ansible_env_vars = ["ANSIBLE_HOST_KEY_CHECKING=False"]
+ }
+}
diff --git a/build_ami_security/datasaker-node-packer-ubuntu.pkr.hcl b/build_ami_security/datasaker-node-packer-ubuntu.pkr.hcl
new file mode 100644
index 0000000..aecc603
--- /dev/null
+++ b/build_ami_security/datasaker-node-packer-ubuntu.pkr.hcl
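Review bot: `version = ">= 0.0.2"` is an unbounded constraint on the amazon plugin, so a fresh `packer init` can pull any future major release and change build behaviour under a commit that has not otherwise moved; pin it with a pessimistic constraint (for example `version = "~> 1.0"` — a constructed value, use the release this was actually tested with). `ANSIBLE_HOST_KEY_CHECKING=False` is the usual trade-off for an ephemeral build instance whose host key cannot be known beforehand, but a short comment saying exactly that would stop the line from being copied into inventory-driven playbooks where it does matter. `extra_arguments = ["--become"]` duplicates the `become: true` already set in ../ansible/bastion_roles.yaml. build_ami_security/datasaker-node-packer-ubuntu.pkr.hcl has the same three points, and its build `name = "datasaker-packer"` does not follow the `datasaker-<role>-packer` naming used here.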
@@ -0,0 +1,51 @@
+packer {
+ required_plugins {
+ amazon = {
+ version = ">= 0.0.2"
+ source = "github.com/hashicorp/amazon"
+ }
+ }
+}
+
+variable "ami_prefix" {
+ type = string
+ default = "datasaker-node-ubuntu2004"
+}
+
+locals {
+ timestamp = regex_replace(timestamp(), "[- TZ:]", "")
+}
+
+
+
+# source 블록에는 실제 빌드할 이미지에 대한 스펙을 정의
+source "amazon-ebs" "datasaker-node-ubuntu2004" {
+ ami_name = "${var.ami_prefix}-${local.timestamp}"
+ instance_type = "t3.small"
+ region = "ap-northeast-2"
+ source_ami_filter {
+ filters = {
+ image-id = "ami-0ea5eb4b05645aa8a"
+ root-device-type = "ebs"
+ virtualization-type = "hvm"
+ }
+ most_recent = true
+ owners = ["099720109477"]
+ }
+ tags = {
+ source_ami_name = "{{ .SourceAMIName }}"
+ }
+ ssh_username = "ubuntu"
+}
+
+build {
+ name = "datasaker-packer"
+ sources = ["source.amazon-ebs.datasaker-node-ubuntu2004"]
+
+ provisioner "ansible" {
+ playbook_file = "../ansible/node_roles.yaml"
+ user = "ubuntu"
+ extra_arguments = ["--become"]
+ ansible_env_vars = ["ANSIBLE_HOST_KEY_CHECKING=False"]
+ }
+}