From 4fedf1eb47cd34fbb3aea68e070b1d8cf51c713b Mon Sep 17 00:00:00 2001
From: ByeonJungHun
Date: Thu, 11 Jan 2024 10:53:02 +0900
Subject: [PATCH] =?UTF-8?q?=EB=B3=B4=EC=95=88=20=EC=84=A4=EC=A0=95=20Role?= =?UTF-8?q?=20=EC=B6=94=EA=B0=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 ansible/security_check/README.md | 2 +-
 .../security_check/tasks/create_readme.yml | 32 +++++++++----------
 ansible/security_settings/invenotry | 3 +-
 .../tasks/all_setting_device_organize.yml | 13 ++++++++
 .../tasks/all_setting_mode_change.yml | 17 ++++++++++
 .../tasks/debian_setting_banner.yml | 23 ++++++++++++-
 .../roles/security_settings/tasks/main.yml | 11 +++++--
 .../security_settings/templates/banner.j2 | 16 +++++-----
 .../security_settings/templates/sysinfo.j2 | 19 +++++++++++
 ansible/security_settings/test | 27 +---------------
 ansible/teleport_setting/teleport | 4 +--
 ansible/teleport_setting/teleport_etc | 31 +-----------------
 12 files changed, 111 insertions(+), 87 deletions(-)
 create mode 100644 ansible/security_settings/roles/security_settings/tasks/all_setting_device_organize.yml
 create mode 100644 ansible/security_settings/roles/security_settings/templates/sysinfo.j2
diff --git a/ansible/security_check/README.md b/ansible/security_check/README.md
index c1b435a..57581a6 100644
--- a/ansible/security_check/README.md
+++ b/ansible/security_check/README.md
@@ -1,3 +1,3 @@
 | 이름 | 아이피 | 상태 요약 | 상세 보기 |
 | --- | --- | --- | --- |
-| cmoa-jaeger-master | 10.10.43.213 | 취약 | http://10.10.43.42:8080/cmoa-jaeger-master.10.10.43.213.txt |
+| cmoa-jaeger-master | 10.10.43.213 | 양호 | http://10.10.43.42:8080/cmoa-jaeger-master.10.10.43.213.txt |
diff --git a/ansible/security_check/roles/security_check/tasks/create_readme.yml b/ansible/security_check/roles/security_check/tasks/create_readme.yml
index 8ace5e0..8fce070 100644
--- a/ansible/security_check/roles/security_check/tasks/create_readme.yml
+++ b/ansible/security_check/roles/security_check/tasks/create_readme.yml
@@ -25,22 +25,22 @@
 dest: "{{ playbook_dir }}/README.md"
 delegate_to: 127.0.0.1
-- name: git push
- shell: |
- pwd
- ls -al
- git config --global user.email "sa_8001@ex-em.com"
- git config --global user.name "ByeonJungHun"
- git clone https://{{ git_user }}:{{ git_key }}github.com/CloudMOA/dsk-iac.git ~/dsk-iac
- cp ./README.md ~/dsk-iac/ansible/security_check/README.md
- cd ~/dsk-iac
- cat README.md
- pwd
- ls -al
- git add .
- git commit -m "검사 결과 업데이트"
- git push
- delegate_to: 127.0.0.1
+#- name: git push
+# shell: |
+# pwd
+# ls -al
+# git config --global user.email "sa_8001@ex-em.com"
+# git config --global user.name "ByeonJungHun"
+# git clone https://{{ git_user }}:{{ git_key }}github.com/CloudMOA/dsk-iac.git ~/dsk-iac
+# cp ./README.md ~/dsk-iac/ansible/security_check/README.md
+# cd ~/dsk-iac
+# cat README.md
+# pwd
+# ls -al
+# git add .
+# git commit -m "검사 결과 업데이트"
+# git push
+# delegate_to: 127.0.0.1
 - debug:
 msg: "결과 확인 : https://github.com/CloudMOA/dsk-iac/tree/main/ansible/security_check"
\ No newline at end of file
diff --git a/ansible/security_settings/invenotry b/ansible/security_settings/invenotry
index 81972bd..6f2ee94 100644
--- a/ansible/security_settings/invenotry
+++ b/ansible/security_settings/invenotry
@@ -1,4 +1,5 @@
 [all]
+10.10.43.43 ansible_port=2222 ansible_user=dev2
 10.10.43.100 ansible_port=2222 ansible_user=dev2
 10.10.43.101 ansible_port=2222 ansible_user=dev2
 10.10.43.105 ansible_port=2222 ansible_user=dev2
@@ -101,4 +102,4 @@
 10.10.43.228 ansible_port=2222 ansible_user=dev2
 10.10.43.235 ansible_port=2222 ansible_user=dev2
 10.10.43.236 ansible_port=2222 ansible_user=dev2
-10.10.43.252 ansible_port=2222 ansible_user=dev2
\ No newline at end of file
+10.10.43.252 ansible_port=2222 ansible_user=dev2
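Review bot: The commented-out `git push` task preserves a clone URL that is both broken and unsafe to revive: `https://{{ git_user }}:{{ git_key }}github.com/CloudMOA/dsk-iac.git` has no `@` between the credentials and the host, and passing `{{ git_key }}` on a shell command line exposes it in process listings and in verbose Ansible output unless the task sets `no_log: true`. If the task is only parked, a `when: false` guard or a tag keeps the YAML lintable and avoids sixteen commented lines; if it is retired, deleting it is cleaner than leaving dead code. If it is ever restored, the token should come from a credential helper or an environment variable rather than the URL, and the `git config --global` calls should not mutate the controller's global git identity.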
diff --git a/ansible/security_settings/roles/security_settings/tasks/all_setting_device_organize.yml b/ansible/security_settings/roles/security_settings/tasks/all_setting_device_organize.yml
new file mode 100644
index 0000000..ce82348
--- /dev/null
+++ b/ansible/security_settings/roles/security_settings/tasks/all_setting_device_organize.yml
@@ -0,0 +1,13 @@
+---
+- name: search non-existent device
+ shell: find /dev -type f -exec ls -l {} \; | awk '{print $NF}'
+ register: search_result
+
+- debug:
+ msg: "발견된 존재하지 않는 디바이스 {{ search_result.stdout_lines }}"
+
+- name: delete non-existent device
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items: "{{ search_result.stdout_lines }}"
\ No newline at end of file
diff --git a/ansible/security_settings/roles/security_settings/tasks/all_setting_mode_change.yml b/ansible/security_settings/roles/security_settings/tasks/all_setting_mode_change.yml
index cc8a777..4dd1d92 100644
--- a/ansible/security_settings/roles/security_settings/tasks/all_setting_mode_change.yml
+++ b/ansible/security_settings/roles/security_settings/tasks/all_setting_mode_change.yml
@@ -40,3 +40,20 @@
 - /etc/cron.weekly/man-db
 - /etc/cron.weekly/update-notifier-common
 - /etc/cron.monthly/.placeholder
+
+- name: cron file owner change
+ file:
+ path: /var/spool/cron/atjobs/.SEQ
+ owner: root
+
+- name: at mode change
+ file:
+ path: /usr/bin/at
+ mode: 640
+
+- name: create at.allow file
+ file:
+ path: /etc/at.allow
+ state: touch
+ mode: 0640
+ owner: root
\ No newline at end of file
diff --git a/ansible/security_settings/roles/security_settings/tasks/debian_setting_banner.yml b/ansible/security_settings/roles/security_settings/tasks/debian_setting_banner.yml
index 587c1ff..9dc83e7 100644
--- a/ansible/security_settings/roles/security_settings/tasks/debian_setting_banner.yml
+++ b/ansible/security_settings/roles/security_settings/tasks/debian_setting_banner.yml
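Review bot: `find /dev -type f` without `-xdev` descends into tmpfs mounts under `/dev` such as `/dev/shm`, where POSIX shared-memory segments of running services are regular files, so the `delete non-existent device` task would remove live application state rather than only stray files left in devtmpfs. Restrict the search to the `/dev` filesystem and print paths directly instead of parsing `ls -l` with `awk '{print $NF}'`, which breaks on names containing spaces: `shell: find /dev -xdev -type f -print`. The discovery task should also carry `changed_when: false`, since a read-only `find` currently reports `changed` on every run, and `with_items` can be written as `loop:` to match current Ansible style. Because the role deletes whatever the scan returns, a variable gate on the deletion task (run only after the debug output has been reviewed) would be a cheaper safety net than restoring device nodes after the fact.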
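Review bot: `mode: 640` in the `at mode change` task is an unquoted integer, so Ansible receives decimal 640 (octal 1200) and sets the sticky bit plus group-write instead of `rw-r-----`; write it as `mode: "0640"`, matching the leading-zero form used two tasks later on `/etc/at.allow`. The `create at.allow file` task uses `state: touch`, which rewrites timestamps and reports `changed` on every run; adding `modification_time: preserve` and `access_time: preserve` keeps it idempotent. The `cron file owner change` task sets no `state:`, so it fails when `/var/spool/cron/atjobs/.SEQ` is absent (a host where `at` has never queued a job); guard it with a `stat` and `when: … .stat.exists`, or document that the failure is expected. Note also that the hunk leaves the file without a trailing newline.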
@@ -5,4 +5,25 @@
 dest: /etc/update-motd.d/00-header
 mode: 0755
 owner: root
- group: root
\ No newline at end of file
+ group: root
+
+- name: Setting Sysinfo
+ template:
+ src: sysinfo.j2
+ dest: /usr/share/landscape/landscape-sysinfo.wrapper
+ mode: 0755
+ owner: root
+ group: root
+
+- name: Delete ETC file
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - /etc/update-motd.d/10-help-text
+ - /etc/update-motd.d/50-motd-news
+ - /etc/update-motd.d/85-fwupd
+ - /etc/update-motd.d/90-updates-available
+ - /etc/update-motd.d/91-release-upgrade
+ - /etc/update-motd.d/95-hwe-eol
+ - /etc/update-motd.d/98-fsck-at-reboot
\ No newline at end of file
diff --git a/ansible/security_settings/roles/security_settings/tasks/main.yml b/ansible/security_settings/roles/security_settings/tasks/main.yml
index 7d236a1..20afe1c 100644
--- a/ansible/security_settings/roles/security_settings/tasks/main.yml
+++ b/ansible/security_settings/roles/security_settings/tasks/main.yml
@@ -1,12 +1,19 @@
 ---
+
+# SSH 접속 시 Banner 설정
 - include: debian_setting_banner.yml
 when: ansible_facts.os_family == 'Debian'
+# root 사용자를 사용한 ssh 접속 비활성화
 - include: all_setting_root_ssh.yml
+# 패스워드 정책 설정
 - include: debian_setting_password_rule.yml
 when: ansible_facts.os_family == 'Debian'
-#- include: all_setting_mode_change.yml
-# crontab 관련 설정 작성중 U_22 항목
+# 일부 파일 권한 설정
+- include: all_setting_mode_change.yml # 대부분 설정은 하였으나 '/var/spool/cron/atjobs/.SEQ' 파일에 대해서 소유자를 root로 변경해야하는데 해도 상관 없는지 확인중
+
+# /dev 경로의 불필요 디바이스 검색 및 제거
+- include: all_setting_device_organize.yml
diff --git a/ansible/security_settings/roles/security_settings/templates/banner.j2 b/ansible/security_settings/roles/security_settings/templates/banner.j2
index d2cfb42..45009a1 100644
--- a/ansible/security_settings/roles/security_settings/templates/banner.j2
+++ b/ansible/security_settings/roles/security_settings/templates/banner.j2
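Review bot: The `Setting Sysinfo` task overwrites `/usr/share/landscape/landscape-sysinfo.wrapper`, a path that on Ubuntu is shipped by the `landscape-common` package, so a package upgrade can silently restore the vendor file and dpkg will flag it as modified; the `template` module also fails outright when `/usr/share/landscape` does not exist, which is likely on hosts without that package. Either gate the task on the directory (a `stat` on `/usr/share/landscape` and `when: … .stat.exists`) or drop the script into `/etc/update-motd.d/`, where this file already manages `00-header`. On the `Delete ETC file` task, removing `90-updates-available` and `91-release-upgrade` also silences the pending-security-update notice at login; a comment stating that this is deliberate would help the next reader, e.g. `# strips default Ubuntu MOTD fragments; update notices are intentionally dropped`. The task list's first entry starts above the hunk.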
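Review bot: The new `- include: all_setting_mode_change.yml` and `- include: all_setting_device_organize.yml` lines use the `include` action, which is deprecated in favour of `import_tasks` (static) or `include_tasks` (dynamic) and, as far as I know, no longer accepted by recent ansible-core releases; the pre-existing includes in this file have the same problem, so converting them all at once would keep the file consistent. The open question attached to the mode-change include belongs in a `# TODO:` line above it rather than a 100-character inline comment, e.g. `# TODO: confirm that making root the owner of /var/spool/cron/atjobs/.SEQ does not break at(1)`. Since `all_setting_device_organize.yml` deletes files under `/dev` on every host, the comment above that include should say so, and a `tags:` entry would let operators skip it on hosts where that is not wanted.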
@@ -1,13 +1,13 @@
 #!/bin/sh
 echo "-------------------------------------------------------------------------------\n"
-echo " _╓g@DDKg╓_ \033[0;31m=╗╗╗╗,\033[0;0m \033[0;34m,╗╗╗╗╤\033[0;0m ,╔╗DDKg╔_ ╓g@DD╗╔_ ╓g@DD╗╔_"
-echo " ╓D╝╙\` \`╠╠H \033[0;31m╙╠╠╠╠▒\033[0;0m \033[0;34mÆ╬╬╬╬╩\033[0;0m _j╠╙\` 1╠R j╠R^ \`╙╠▒,j╠R^ \`╙╠▒,"
-echo " 1╠^ ,╠╝ \033[0;31m╝╠R\033[0;0m \033[0;34m╓▓╬╬╬╝\033[0;0m j╠H 1╠^ ╠╠ ╚╠H ╚╠H"
-echo "j╠⌐ j╠Γ \033[0;31m'\033[0;0m \033[0;34mÆ╬╬╬╬╙\033[0;0m ╠H ╔╠R ╠╠ ╠╠ ╠╠"
-echo "╠╠ ╒╠R \033[0;34m╔╣╬╬╬\033[0;33m╬▒\033[0;0m j╠H _D╝\` ╠╠ ╠╠ ╠╠"
-echo "'╠H 1╠^ .. \033[0;34m,╣╬╬╬╣\033[0;33m╬╣╣▓┐\033[0;0m ╠D ╔╚╙ ╔_ ╠╠ ╠╠ ╠╠"
-echo " '╠▒╓░╙ _╔╔^ \033[0;34m¢╬╬╬╬╩\033[0;33m ╚╣╣╣╣▌\033[0;0m ╚▒╓░╙ ╔░H ╠╠ ╠╠ ╠╠"
-echo " ⁿ╚╠K≥╔╔╔1▒╝^ \033[0;34m╒▓╬╬╬╩^\033[0;33m \`╣╣╣╣▓╕\033[0;0m \`╚╠▒g╔╔╔gD╝╙ ╠╠ ╠╠ ╠╠\n"
+echo " _╓g@DDKg╓_ \033[0;31m=╗╗╗╗,\033[0;0m \033[0;34m,╗╗╗╗╤\033[0;0m ,╔╗DDKg╔_ ╓g@DD╗╔_ ╓g@DD╗╔_"
+echo " ╓D╝╙\` \`╠╠H \033[0;31m╙╠╠╠╠▒\033[0;0m \033[0;34mÆ╬╬╬╬╩\033[0;0m _j╠╙\` 1╠R j╠R^ \`╙╠▒,j╠R^ \`╙╠▒,"
+echo " 1╠^ ,╠╝ \033[0;31m╝╠R\033[0;0m \033[0;34m╓▓╬╬╬╝\033[0;0m j╠H 1╠^ ╠╠ ╚╠H ╚╠H"
+echo "j╠⌐ j╠Γ \033[0;31m'\033[0;0m \033[0;34mÆ╬╬╬╬╙\033[0;0m ╠H ╔╠R ╠╠ ╠╠ ╠╠"
+echo "╠╠ ╒╠R \033[0;34m╔╣╬╬╬\033[0;33m╬▒\033[0;0m j╠H _D╝\` ╠╠ ╠╠ ╠╠"
+echo "'╠H 1╠^ .. \033[0;34m,╣╬╬╬╣\033[0;33m╬╣╣▓┐\033[0;0m ╠D ╔╚╙ ╔_ ╠╠ ╠╠ ╠╠"
+echo " '╠▒╓░╙ _╔╔^ \033[0;34m¢╬╬╬╬╩\033[0;33m ╚╣╣╣╣▌\033[0;0m ╚▒╓░╙ ╔░H ╠╠ ╠╠ ╠╠"
+echo " ⁿ╚╠K≥╔╔╔1▒╝^ \033[0;34m╒▓╬╬╬╩^\033[0;33m \`╣╣╣╣▓╕\033[0;0m \`╚╠▒g╔╔╔gD╝╙ ╠╠ ╠╠ ╠╠\n"
 echo "-------------------------------------------------------------------------------"
 echo ""
 echo " - 알 림 - "
diff --git a/ansible/security_settings/roles/security_settings/templates/sysinfo.j2 b/ansible/security_settings/roles/security_settings/templates/sysinfo.j2
new file mode 100644
index 0000000..1597282
--- /dev/null
+++ b/ansible/security_settings/roles/security_settings/templates/sysinfo.j2
@@ -0,0 +1,19 @@
+#!/bin/sh
+# pam_motd does not carry the environment
+[ -f /etc/default/locale ] && . /etc/default/locale
+export LANG
+cores=$(grep -c ^processor /proc/cpuinfo 2>/dev/null)
+[ "$cores" -eq "0" ] && cores=1
+threshold="${cores:-1}.0"
+if [ $(echo "`cut -f1 -d ' ' /proc/loadavg` < $threshold" | bc) -eq 1 ]; then
+ echo
+ echo -n " System information as of "
+ /bin/date
+ echo
+ /usr/bin/landscape-sysinfo
+else
+ echo
+ echo " System information disabled due to load higher than $threshold"
+fi
+
+echo ""
\ No newline at end of file
diff --git a/ansible/security_settings/test b/ansible/security_settings/test
index e6df01e..6b24dbc 100644
--- a/ansible/security_settings/test
+++ b/ansible/security_settings/test
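Review bot: The script contains no Jinja expressions, so deploying it with `template` instead of `copy` only adds the risk that a future edit containing `{{` or `{%` is silently rewritten; `copy` with the same `src` is the clearer choice. It also depends on `bc` and `/usr/bin/landscape-sysinfo` being installed: if `bc` is absent the `$( … | bc)` expansion is empty and `[ -eq 1 ]` prints a test error on every login, and if `landscape-sysinfo` is absent the banner shows a command-not-found error instead of the summary. Nothing visible in this commit installs either package, so the role should add a package task or guard the calls, e.g. `command -v bc >/dev/null 2>&1 || exit 0` before the `if`. `echo -n` is not POSIX and varies between `/bin/sh` implementations (it works with dash on Debian); `printf ' System information as of '` avoids the question.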
@@ -1,27 +1,2 @@
 [all]
-#10.10.43.195 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.196 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.197 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.201 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.202 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.203 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.204 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.205 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.206 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.207 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.208 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.211 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.212 ansible_user=dev2-iac ansible_port=2222
-10.10.43.213 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.214 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.215 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.216 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.217 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.218 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.224 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.225 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.226 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.227 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.228 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.235 ansible_user=dev2-iac ansible_port=2222
-#10.10.43.236 ansible_user=dev2-iac ansible_port=2222
\ No newline at end of file
+10.10.43.213 ansible_user=dev2 ansible_port=2222
diff --git a/ansible/teleport_setting/teleport b/ansible/teleport_setting/teleport
index 270f7a4..d294c95 100755
--- a/ansible/teleport_setting/teleport
+++ b/ansible/teleport_setting/teleport
@@ -11,10 +11,10 @@
 10.10.43.106 ansible_port=2222 ansible_user=dev2
 [saas_mgmt_master]
-10.10.43.240 ansible_port=2222 ansible_user=dev2
+10.10.43.240 ansible_port=2222 ansible_user=dev2-iac
 [saas_mgmt_node]
-10.10.43.[241:243] ansible_port=2222 ansible_user=dev2
+10.10.43.[241:243] ansible_port=2222 ansible_user=dev2-iac
 [dsk_dev_master]
 10.10.43.[111:113] ansible_port=2222 ansible_user=dev2
diff --git a/ansible/teleport_setting/teleport_etc b/ansible/teleport_setting/teleport_etc
index f5cfe40..64ca114 100644
--- a/ansible/teleport_setting/teleport_etc
+++ b/ansible/teleport_setting/teleport_etc
@@ -1,31 +1,2 @@
 [all]
-#10.10.43.195 ansible_user=dev2 ansible_port=2222
-#10.10.43.196 ansible_user=dev2 ansible_port=2222
-#10.10.43.197 ansible_user=dev2 ansible_port=2222
-10.10.43.200 ansible_user=dev2 ansible_port=2222
-10.10.43.201 ansible_user=dev2 ansible_port=2222
-10.10.43.202 ansible_user=dev2 ansible_port=2222
-10.10.43.203 ansible_user=dev2 ansible_port=2222
-10.10.43.204 ansible_user=dev2 ansible_port=2222
-10.10.43.205 ansible_user=dev2 ansible_port=2222
-10.10.43.206 ansible_user=dev2 ansible_port=2222
-10.10.43.207 ansible_user=dev2 ansible_port=2222
-10.10.43.208 ansible_user=dev2 ansible_port=2222
-10.10.43.210 ansible_user=dev2 ansible_port=2222
-10.10.43.211 ansible_user=dev2 ansible_port=2222
-10.10.43.212 ansible_user=dev2 ansible_port=2222
-10.10.43.213 ansible_user=dev2 ansible_port=2222
-10.10.43.214 ansible_user=dev2 ansible_port=2222
-10.10.43.215 ansible_user=dev2 ansible_port=2222
-10.10.43.216 ansible_user=dev2 ansible_port=2222
-10.10.43.217 ansible_user=dev2 ansible_port=2222
-10.10.43.218 ansible_user=dev2 ansible_port=2222
-#10.10.43.224 ansible_user=dev2 ansible_port=2222
-#10.10.43.225 ansible_user=dev2 ansible_port=2222
-#10.10.43.226 ansible_user=dev2 ansible_port=2222
-#10.10.43.227 ansible_user=dev2 ansible_port=2222
-#10.10.43.228 ansible_user=dev2 ansible_port=2222
-#10.10.43.230 ansible_user=dev2 ansible_port=2222
-#10.10.43.235 ansible_user=dev2 ansible_port=2222
-#10.10.43.236 ansible_user=dev2 ansible_port=2222
-#10.10.43.252 ansible_user=dev2 ansible_port=2222
+10.10.43.43 ansible_port=2222 ansible_user=dev2