update

ansible/roles/node/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+- name: echo hello
+  command: echo "Not Valid Ruby Version"
+
+- name: Update apt repo and cache on all Debian/Ubuntu boxes
+  apt: update_cache=yes cache_valid_time=3600
+
+- name: Install cifs-utils
+  apt: name=cifs-utils state=latest update_cache=yes
+
+- name: Install nfs-common
+  apt: name=nfs-common state=latest update_cache=yes

ansible/roles/security-settings/defaults/main.yml

@@ -0,0 +1,43 @@
+# Password aging settings
+os_auth_pw_max_age: 90
+os_auth_pw_min_age: 10
+os_auth_pw_warn_age: 7
+passhistory: 2
+
+# Inactivity and Failed attempts lockout settings
+fail_deny: 5
+fail_unlock: 0
+inactive_lock: 0
+shell_timeout: 300
+
+# tally settings
+onerr: 'fail'
+deny: 5
+unlock_time: 300
+
+# Password complexity settings
+pwquality_minlen: 9
+pwquality_maxrepeat: 3
+pwquality_lcredit: -1
+pwquality_ucredit: -1
+pwquality_dcredit: -1
+pwquality_ocredit: -1
+
+# SSH settings
+sshrootlogin: 'forced-commands-only'
+sshmainport: 22
+ssh_service_name: sshd
+
+# Crictl setup
+crictl_app: crictl
+crictl_version: 1.25.0
+crictl_os: linux
+crictl_arch: amd64
+crictl_dl_url: https://github.com/kubernetes-sigs/cri-tools/releases/download/v{{ crictl_version }}/{{ crictl_app }}-v{{ crictl_version }}-{{ crictl_os }}-{{ crictl_arch }}.tar.gz
+crictl_bin_path: /usr/local/bin
+crictl_file_owner: root
+crictl_file_group: root
+
+# temp
+username: 
+password: 

ansible/roles/security-settings/files/containerd_default_config.toml

@@ -0,0 +1,39 @@
+version = 2
+root = "/var/lib/containerd"
+state = "/run/containerd"
+oom_score = 0
+
+[grpc]
+  max_recv_message_size = 16777216
+  max_send_message_size = 16777216
+
+[debug]
+  level = "info"
+
+[metrics]
+  address = ""
+  grpc_histogram = false
+
+[plugins]
+  [plugins."io.containerd.grpc.v1.cri"]
+    sandbox_image = "registry.k8s.io/pause:3.7"
+    max_container_log_line_size = -1
+    enable_unprivileged_ports = false
+    enable_unprivileged_icmp = false
+    [plugins."io.containerd.grpc.v1.cri".containerd]
+      default_runtime_name = "runc"
+      snapshotter = "overlayfs"
+      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
+        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+          runtime_type = "io.containerd.runc.v2"
+          runtime_engine = ""
+          runtime_root = ""
+          base_runtime_spec = "/etc/containerd/cri-base.json"
+
+          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
+            systemdCgroup = true
+    [plugins."io.containerd.grpc.v1.cri".registry]
+      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
+        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
+          endpoint = ["https://registry-1.docker.io"]
+

ansible/roles/security-settings/files/containerd_dsk_config.toml

@@ -0,0 +1,60 @@
+version = 2
+root = "/var/lib/containerd"
+state = "/run/containerd"
+oom_score = 0
+
+[grpc]
+  max_recv_message_size = 16777216
+  max_send_message_size = 16777216
+
+[debug]
+  level = "info"
+
+[metrics]
+  address = ""
+  grpc_histogram = false
+
+[plugins]
+  [plugins."io.containerd.grpc.v1.cri"]
+    sandbox_image = "registry.k8s.io/pause:3.7"
+    max_container_log_line_size = -1
+    enable_unprivileged_ports = false
+    enable_unprivileged_icmp = false
+    [plugins."io.containerd.grpc.v1.cri".containerd]
+      default_runtime_name = "runc"
+      snapshotter = "overlayfs"
+      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
+        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+          runtime_type = "io.containerd.runc.v2"
+          runtime_engine = ""
+          runtime_root = ""
+          base_runtime_spec = "/etc/containerd/cri-base.json"
+
+          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
+            systemdCgroup = true
+    [plugins."io.containerd.grpc.v1.cri".registry]
+      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
+        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
+          endpoint = ["https://registry-1.docker.io"]
+        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."10.10.31.243:5000"]
+          endpoint = ["http://10.10.31.243:5000"]
+        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."10.10.43.240:30500"]
+          endpoint = ["http://10.10.43.240:30500"]
+
+      [plugins."io.containerd.grpc.v1.cri".registry.headers]
+
+      [plugins."io.containerd.grpc.v1.cri".registry.configs]
+        [plugins."io.containerd.grpc.v1.cri".registry.configs."10.10.31.243:5000".tls]
+          insecure_skip_verify = true
+        [plugins."io.containerd.grpc.v1.cri".registry.configs."10.10.31.243:5000".auth]
+          username = "core"
+          password = "coreadmin1234"
+        [plugins."io.containerd.grpc.v1.cri".registry.configs."10.10.43.240:30500".tls]
+          insecure_skip_verify = true
+        [plugins."io.containerd.grpc.v1.cri".registry.configs."10.10.43.240:30500".auth]
+          username = "dsk"
+          password = "dskadmin1234"
+        [plugins."io.containerd.grpc.v1.cri".registry.configs."docker.io".auth]
+          username = "datasaker"
+          password = "dckr_pat_kQP6vcHm_jMChWd_zvgH_G3kucc"
+

ansible/roles/security-settings/files/login_banner

@@ -0,0 +1,20 @@
+#!/bin/sh
+printf '''
+  |-----------------------------------------------------------------|
+  | This system is for the use of authorized users only.            |
+  | Individuals using this computer system without authority, or in |
+  | excess of their authority, are subject to having all of their   |
+  | activities on this system monitored and recorded by system      |
+  | personnel.                                                      |
+  |                                                                 |
+  | In the course of monitoring individuals improperly using this   |
+  | system, or in the course of system maintenance, the activities  |
+  | of authorized users may also be monitored.                      |
+  |                                                                 |
+  | Anyone using this system expressly consents to such monitoring  |
+  | and is advised that if such monitoring reveals possible         |
+  | evidence of criminal activity, system personnel may provide the |
+  | evidence of such monitoring to law enforcement officials.       |
+  |-----------------------------------------------------------------|
+'''
+

ansible/roles/security-settings/files/systemd_limit.conf

@@ -0,0 +1,3 @@
+#[Manager]
+#DefaultLimitNOFILE=65535:65535
+#DefaultLimitNPROC=65536:65536

ansible/roles/security-settings/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: restart sshd
+  service:
+    name: "{{ ssh_service_name }}"
+    state: restarted
+    enabled: true

ansible/roles/security-settings/tasks/admin_set.yml

@@ -0,0 +1,14 @@
+---
+- name: key add
+  authorized_key:
+    user: ubuntu
+    state: present
+    key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
+    manage_dir: False
+
+- name: user change
+  user:
+    name: "{{ username }}"
+    password: "{{ password | password_hash('sha512') }}"
+    state: present
+

ansible/roles/security-settings/tasks/banner.yml

@@ -0,0 +1,29 @@
+---
+- name: Create a tar.gz archive of a single file.
+  archive:
+    path: /etc/update-motd.d/*
+    dest: /etc/update-motd.d/motd.tar.gz
+    format: gz
+    force_archive: true
+
+- name: remove a motd.d files
+  file:
+    path: /etc/update-motd.d/{{ item }}
+    state: absent
+  with_items:
+    - 10-help-text
+    - 85-fwupd
+    - 90-updates-available
+    - 91-release-upgrade
+    - 95-hwe-eol
+    - 98-fsck-at-reboot
+    - 50-motd-news
+    - 88-esm-announce
+
+- name: Create login banner
+  copy:
+    src: login_banner
+    dest: /etc/update-motd.d/00-header
+    owner: root
+    group: root
+    mode: 0755

ansible/roles/security-settings/tasks/crictl.yml

@@ -0,0 +1,47 @@
+---
+
+#- name: Downloading and extracting {{ crictl_app }} {{ crictl_version }}
+#  unarchive:
+#    src: "{{ crictl_dl_url }}"
+#    dest: "{{ crictl_bin_path }}"
+#    owner: "{{ crictl_file_owner }}"
+#    group: "{{ crictl_file_group }}"
+#    extra_opts:
+#      - crictl
+#    remote_src: yes
+
+- name: Change containerd config
+  copy:
+    src: containerd_dsk_config.toml
+    dest: /etc/containerd/config.toml
+    owner: root
+    group: root
+    mode: 0640
+
+- name: Restart service containerd
+  ansible.builtin.systemd:
+    state: restarted
+    daemon_reload: yes
+    name: containerd
+
+- name: remove all cronjobs for user root
+  command: crontab -r -u root
+  ignore_errors: true
+
+- name: Crictl command crontab setting
+  ansible.builtin.cron:
+    name: "container container prune"
+    minute: "0"
+    hour: "3"
+    user: root
+    job: "for id in `crictl ps -a | grep -i exited | awk '{print $1}'`; do crictl rm $id ; done"
+
+- name: Crictl command crontab setting
+  ansible.builtin.cron:
+    name: "container image prune"
+    minute: "10"
+    hour: "3"
+    user: root
+    job: "/usr/local/bin/crictl rmi --prune"
+
+

ansible/roles/security-settings/tasks/login_defs.yml

@@ -0,0 +1,48 @@
+---
+- name: Set pass max days
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^PASS_MAX_DAYS.*$'
+    line: "PASS_MAX_DAYS\t{{os_auth_pw_max_age}}"
+    backrefs: yes
+
+- name: Set pass min days
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^PASS_MIN_DAYS.*$'
+    line: "PASS_MIN_DAYS\t{{os_auth_pw_min_age}}"
+    backrefs: yes
+
+- name: Set pass min length
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^PASS_MIN_LEN.*$'
+    line: "PASS_MIN_LEN\t{{pwquality_minlen}}"
+    backrefs: yes
+
+- name: Set pass warn days
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^PASS_WARN_AGE.*$'
+    line: "PASS_WARN_AGE\t{{os_auth_pw_warn_age}}"
+    backrefs: yes
+
+- name: Set password encryption to SHA512
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^ENCRYPT_METHOD\s.*$'
+    line: "ENCRYPT_METHOD\tSHA512"
+    backrefs: yes
+
+- name: Disable MD5 crypt explicitly
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^MD5_CRYPT_ENAB.*$'
+    line: "MD5_CRYPT_ENAB NO"
+    backrefs: yes

ansible/roles/security-settings/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+- include: login_defs.yml
+  tags: login_defs
+
+- include: pam.yml
+  tags: pam
+
+- include: sshd_config.yml
+  tags: sshd_config
+
+- include: profile.yml
+  tags: profile
+
+- include: banner.yml
+  tags: banner
+
+- include: crictl.yml
+  tags: circtl
+
+#- include: admin_set.yml
+# tags: admin_set

ansible/roles/security-settings/tasks/pam.yml

@@ -0,0 +1,82 @@
+---
+- name: Add pam_tally2.so 
+  template:
+    src: common-auth.j2
+    dest: /etc/pam.d/common-auth
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Create pwquality.conf password complexity configuration
+  block:
+    - apt:
+        name: libpam-pwquality
+        state: present
+        install_recommends: false
+    - template:
+        src: pwquality.conf.j2
+        dest: /etc/security/pwquality.conf
+        owner: root
+        group: root
+        mode: 0644
+
+- name: Add pam_tally2.so
+  block:
+    - lineinfile:
+        dest: /etc/pam.d/common-account
+        regexp: '^account\srequisite'
+        line: "account requisite pam_deny.so"
+
+    - lineinfile:
+        dest: /etc/pam.d/common-account
+        regexp: '^account\srequired'
+        line: "account required pam_tally2.so"
+
+- name: password reuse is limited
+  lineinfile:
+    dest: /etc/pam.d/common-password
+    line: "password required pam_pwhistory.so remember=5"
+
+- name: password hashing algorithm is SHA-512
+  lineinfile:
+    dest: /etc/pam.d/common-password
+    regexp: '^password\s+\[success'
+    line: "password [success=1 default=ignore] pam_unix.so sha512"
+
+- name: Shadow Password Suite Parameters
+  lineinfile:
+    dest: /etc/pam.d/common-password
+    regexp: '^password\s+\[success'
+    line: "password [success=1 default=ignore] pam_unix.so sha512"
+
+#- name: configure system settings, file descriptors and number of threads
+#  pam_limits:
+#    domain: '*'
+#    limit_type: "{{item.limit_type}}"
+#    limit_item: "{{item.limit_item}}"
+#    value: "{{item.value}}"
+#  with_items:
+#    - { limit_type: '-', limit_item: 'nofile', value: 65536 }
+#    - { limit_type: '-', limit_item: 'nproc', value: 65536 }
+##    - { limit_type: 'soft', limit_item: 'memlock', value: unlimited }
+##    - { limit_type: 'hard', limit_item: 'memlock', value: unlimited }
+
+#- name: reload settings from all system configuration files
+#  shell: sysctl --system
+
+#- name: Creates directory systemd config
+#  file:
+#    path: /etc/systemd/system.conf.d
+#    state: directory
+#    owner: root
+#    group: root
+#    mode: 0775
+ 
+#- name: Create systemd limits
+#  copy:
+#    src: systemd_limit.conf
+#    dest: /etc/systemd/system.conf.d/limits.conf
+#    owner: root
+#    group: root
+#    mode: 644
+ 

ansible/roles/security-settings/tasks/profile.yml

@@ -0,0 +1,24 @@
+---
+- name: Set session timeout
+  lineinfile:
+    dest: /etc/profile
+    regexp: '^TMOUT=.*'
+    insertbefore: '^readonly TMOUT'
+    line: 'TMOUT={{shell_timeout}}'
+    state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
+
+- name: Set TMOUT readonly
+  lineinfile:
+    dest: /etc/profile
+    regexp: '^readonly TMOUT'
+    insertafter: 'TMOUT={{shell_timeout}}'
+    line: 'readonly TMOUT'
+    state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
+
+- name: Set export TMOUT
+  lineinfile:
+    dest: /etc/profile
+    regexp: '^export TMOUT.*'
+    insertafter: 'readonly TMOUT'
+    line: 'export TMOUT'
+    state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"

ansible/roles/security-settings/tasks/sshd_config.yml

@@ -0,0 +1,23 @@
+---
+- name: Configure ssh root login to {{sshrootlogin}}
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(#)?PermitRootLogin.*'
+    line: 'PermitRootLogin {{sshrootlogin}}'
+    insertbefore: '^Match.*'
+    state: present
+    owner: root
+    group: root
+    mode: 0640
+  notify: restart sshd
+
+- name: SSH Listen on Main Port
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    insertbefore: '^#*AddressFamily'
+    line: 'Port {{sshmainport}}'
+    state: present
+    owner: root
+    group: root
+    mode: 0640
+  notify: restart sshd

ansible/roles/security-settings/templates/common-auth.j2

@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+auth	required			pam_tally2.so onerr={{onerr}} even_deny_root deny={{deny}} unlock_time={{unlock_time}}
+
+# here are the per-package modules (the "Primary" block)
+auth    [success=1 default=ignore]      pam_unix.so nullok
+# here's the fallback if no module succeeds
+auth    requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+auth    required                        pam_permit.so
+# since the modules above will each just jump around
+# and here are more per-package modules (the "Additional" block)
+auth    optional                        pam_cap.so
+# end of pam-auth-update config

ansible/roles/security-settings/templates/pwquality.conf.j2

@@ -0,0 +1,50 @@
+# Configuration for systemwide password quality limits
+# Defaults:
+#
+# Number of characters in the new password that must not be present in the
+# old password.
+# difok = 5
+#
+# Minimum acceptable size for the new password (plus one if
+# credits are not disabled which is the default). (See pam_cracklib manual.)
+# Cannot be set to lower value than 6.
+minlen = {{pwquality_minlen}}
+#
+# The maximum credit for having digits in the new password. If less than 0
+# it is the minimum number of digits in the new password.
+dcredit = {{pwquality_dcredit}}
+#
+# The maximum credit for having uppercase characters in the new password.
+# If less than 0 it is the minimum number of uppercase characters in the new
+# password.
+ucredit = {{pwquality_ucredit}}
+#
+# The maximum credit for having lowercase characters in the new password.
+# If less than 0 it is the minimum number of lowercase characters in the new
+# password.
+lcredit = {{pwquality_lcredit}}
+#
+# The maximum credit for having other characters in the new password.
+# If less than 0 it is the minimum number of other characters in the new
+# password.
+ocredit = {{pwquality_ocredit}}
+#
+# The minimum number of required classes of characters for the new
+# password (digits, uppercase, lowercase, others).
+# minclass = 0
+#
+# The maximum number of allowed consecutive same characters in the new password.
+# The check is disabled if the value is 0.
+maxrepeat = {{pwquality_maxrepeat}}
+#
+# The maximum number of allowed consecutive characters of the same class in the
+# new password.
+# The check is disabled if the value is 0.
+# maxclassrepeat = 0
+#
+# Whether to check for the words from the passwd entry GECOS string of the user.
+# The check is enabled if the value is not 0.
+# gecoscheck = 0
+#
+# Path to the cracklib dictionaries. Default is to use the cracklib default.
+# dictpath =