diff --git a/ansible/security_settings/inventory b/ansible/security_settings/inventory
index 1c3c0ad..e6df01e 100644
--- a/ansible/security_settings/inventory
+++ b/ansible/security_settings/inventory
@@ -1,30 +1,27 @@
 [all]
-10.10.43.195 ansible_user=dev2-iac ansible_port=2222
-10.10.43.196 ansible_user=dev2-iac ansible_port=2222
-10.10.43.197 ansible_user=dev2-iac ansible_port=2222
-10.10.43.200 ansible_user=dev2-iac ansible_port=2222
-10.10.43.201 ansible_user=dev2-iac ansible_port=2222
-10.10.43.202 ansible_user=dev2-iac ansible_port=2222
-10.10.43.203 ansible_user=dev2-iac ansible_port=2222
-10.10.43.204 ansible_user=dev2-iac ansible_port=2222
-10.10.43.205 ansible_user=dev2-iac ansible_port=2222
-10.10.43.206 ansible_user=dev2-iac ansible_port=2222
-10.10.43.207 ansible_user=dev2-iac ansible_port=2222
-10.10.43.208 ansible_user=dev2-iac ansible_port=2222
-10.10.43.210 ansible_user=dev2-iac ansible_port=2222
-10.10.43.211 ansible_user=dev2-iac ansible_port=2222
-10.10.43.212 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.195 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.196 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.197 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.201 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.202 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.203 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.204 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.205 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.206 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.207 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.208 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.211 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.212 ansible_user=dev2-iac ansible_port=2222
 10.10.43.213 ansible_user=dev2-iac ansible_port=2222
-10.10.43.214 ansible_user=dev2-iac ansible_port=2222
-10.10.43.215 ansible_user=dev2-iac ansible_port=2222
-10.10.43.216 ansible_user=dev2-iac ansible_port=2222
-10.10.43.217 ansible_user=dev2-iac ansible_port=2222
-10.10.43.218 ansible_user=dev2-iac ansible_port=2222
-10.10.43.224 ansible_user=dev2-iac ansible_port=2222
-10.10.43.225 ansible_user=dev2-iac ansible_port=2222
-10.10.43.226 ansible_user=dev2-iac ansible_port=2222
-10.10.43.227 ansible_user=dev2-iac ansible_port=2222
-10.10.43.228 ansible_user=dev2-iac ansible_port=2222
-10.10.43.235 ansible_user=dev2-iac ansible_port=2222
-10.10.43.236 ansible_user=dev2-iac ansible_port=2222
-10.10.43.252 ansible_user=dev2-iac ansible_port=2222
\ No newline at end of file
+#10.10.43.214 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.215 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.216 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.217 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.218 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.224 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.225 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.226 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.227 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.228 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.235 ansible_user=dev2-iac ansible_port=2222
+#10.10.43.236 ansible_user=dev2-iac ansible_port=2222
\ No newline at end of file
diff --git a/ansible/security_settings/roles/security_settings/defaults/main.yml b/ansible/security_settings/roles/security_settings/defaults/main.yml
new file mode 100644
index 0000000..0a6f31e
--- /dev/null
+++ b/ansible/security_settings/roles/security_settings/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+
+debian_retry: 5
+debina_minlen: 8
+debian_lcredit: -1
+debian_ucredit: -1
+debian_dcredit: -1
+debian_ocredit: -1
\ No newline at end of file
diff --git a/ansible/security_settings/roles/security_settings/tasks/setting_root_ssh.yml b/ansible/security_settings/roles/security_settings/tasks/all_setting_root_ssh.yml
similarity index 100%
rename from ansible/security_settings/roles/security_settings/tasks/setting_root_ssh.yml
rename to ansible/security_settings/roles/security_settings/tasks/all_setting_root_ssh.yml
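Review bot: Three hosts (10.10.43.200, 10.10.43.210 and 10.10.43.252) are deleted outright while every other host in the hunk is only commented out, so they silently leave the hardening scope with no record of whether that was intended. If they are decommissioned, a short comment saying so keeps the inventory auditable; if not, comment them out like the rest so they can be re-enabled with the others. Every host also repeats `ansible_user=dev2-iac ansible_port=2222`; an `[all:vars]` section holding those two values would remove the repetition and make a future user or port change a one-line edit.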
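Review bot: `debina_minlen` in defaults/main.yml is a misspelling of `debian_minlen`, and it only works because the template hunk in common-password.j2 repeats the same typo in `minlen={{ debina_minlen }}`. Anyone who later overrides `debian_minlen` from group_vars or `-e` to tighten the policy will silently keep the default of 8, which is exactly the kind of drift a hardening role exists to prevent. Rename it in both files: `debian_minlen: 8` here and `minlen={{ debian_minlen }}` in the template. The file also ends without a trailing newline.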
diff --git a/ansible/security_settings/roles/security_settings/tasks/debian_setting_password_rule.yml b/ansible/security_settings/roles/security_settings/tasks/debian_setting_password_rule.yml
new file mode 100644
index 0000000..eac93a5
--- /dev/null
+++ b/ansible/security_settings/roles/security_settings/tasks/debian_setting_password_rule.yml
@@ -0,0 +1,8 @@
+---
+- name: Setting Password Rule (Debian)
+  template:
+    src: common-password.j2
+    dest: /etc/pam.d/common-password
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
\ No newline at end of file
diff --git a/ansible/security_settings/roles/security_settings/tasks/main.yml b/ansible/security_settings/roles/security_settings/tasks/main.yml
index 1057473..c3b1f86 100644
--- a/ansible/security_settings/roles/security_settings/tasks/main.yml
+++ b/ansible/security_settings/roles/security_settings/tasks/main.yml
@@ -1,5 +1,8 @@
 ---
 - include: debian_setting_banner.yml
-  when: ansible_facts['os_family'] == 'Debian'
+  when: ansible_facts.os_family == 'Debian'
 
-- include: setting_root_ssh.yml
\ No newline at end of file
+- include: all_setting_root_ssh.yml
+
+- include: debian_setting_password_rule.yml
+  when: ansible_facts.os_family == 'Debian'
\ No newline at end of file
diff --git a/ansible/security_settings/roles/security_settings/templates/common-password.j2 b/ansible/security_settings/roles/security_settings/templates/common-password.j2
new file mode 100644
index 0000000..3fe35ee
--- /dev/null
+++ b/ansible/security_settings/roles/security_settings/templates/common-password.j2
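Review bot: The task writes a `/etc/pam.d/common-password` whose `pam_pwquality.so` line is marked `requisite`, but nothing in this role ensures the module is installed; on a Debian host without the libpam-pwquality package PAM cannot load the module, the stack fails, and password changes would fail for every user until the file is repaired by hand. Add an `apt` task for `libpam-pwquality` ahead of the template task so the role cannot leave a host in that state. The template task should also set `backup: yes`, so the previous PAM stack stays on the host for rollback of a bad render. The file ends without a trailing newline.
```yaml
- name: Ensure pam_pwquality module is installed (Debian)
  apt:
    name: libpam-pwquality
    state: present

- name: Setting Password Rule (Debian)
  template:
    # … unchanged: src, dest, owner, group, mode …
    backup: yes
```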
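Review bot: The new `- include: all_setting_root_ssh.yml` and `- include: debian_setting_password_rule.yml` lines keep the legacy `include` keyword, which Ansible deprecated in favour of `import_tasks`/`include_tasks` and which recent ansible-core releases no longer accept. Because each `when:` is meant to guard every task in the included file, `import_tasks:` is the drop-in replacement on all three include lines in this file. The rewrite of the condition to `ansible_facts.os_family == 'Debian'` is fine, and it would be worth applying the same guard to `all_setting_root_ssh.yml` only if that file is indeed meant to run on every OS family, which is not visible here.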
@@ -0,0 +1,37 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords. The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords. Without this option,
+# the default is Unix crypt. Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+password [success=1 default=ignore] pam_unix.so sha512
+# here's the fallback if no module succeeds
+password requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
+password required pam_pwhistory.so remember=5
+
+## Add Ansible Playbook - Securtiy_Settings ##
+password requisite pam_pwquality.so retry={{ debian_retry }} minlen={{ debina_minlen }} lcredit={{ debian_lcredit }} ucredit={{ debian_ucredit }} dcredit={{ debian_dcredit }} ocredit={{ debian_ocredit }}
\ No newline at end of file
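Review bot: The `pam_pwquality.so` line is appended at the very bottom of the stack, after the `pam_unix.so` primary line and the `pam_permit.so` priming line, so in the update phase pam_unix has already accepted and committed the new password before the quality check runs and a rejection at that point cannot undo it. The check belongs above the Primary block with the token handed down: move the pwquality line directly above pam_unix and change the pam_unix line to `password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512`; the `pam_pwhistory.so` line sits in the same position and presumably should move above pam_unix as well. Note that `obscure` is explained in the file's own header comment yet is missing from the pam_unix line as written. The header also states this file is managed by pam-auth-update, so a later pam-auth-update run on the host can replace the rendered file; a profile under /usr/share/pam-configs is the durable way to carry these settings, and if the role keeps templating the file that caveat should be recorded in a comment next to the `## Add Ansible Playbook` trailer (where `Securtiy_Settings` is also misspelled).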